inital commit

author: William Joye <wjoye@cfa.harvard.edu> 2017-05-02 16:41:35 (GMT)
committer: William Joye <wjoye@cfa.harvard.edu> 2017-05-02 16:41:35 (GMT)
commit: 3d328008deedc58cd7a11c79063cefa7d662d4fc (patch)
tree: cb41a048885ce7b493f406360cf5f6edf689c468 /openssl/apps
parent: 0a2b8b8e0bc2e91a9f10659b30e2e4f5b79ce692 (diff)
download: blt-3d328008deedc58cd7a11c79063cefa7d662d4fc.zip
blt-3d328008deedc58cd7a11c79063cefa7d662d4fc.tar.gz
blt-3d328008deedc58cd7a11c79063cefa7d662d4fc.tar.bz2
113 files changed, 48098 insertions, 0 deletions
diff --git a/openssl/apps/CA.com b/openssl/apps/CA.com
new file mode 100644
index 0000000..2c0d465
--- /dev/null
+++ b/openssl/apps/CA.com
@@ -0,0 +1,236 @@
+$! CA - wrapper around ca to make it easier to use ... basically ca requires
+$!      some setup stuff to be done before you can use it and this makes
+$!      things easier between now and when Eric is convinced to fix it :-)
+$!
+$! CA -newca ... will setup the right stuff
+$! CA -newreq ... will generate a certificate request 
+$! CA -sign ... will sign the generated request and output 
+$!
+$! At the end of that grab newreq.pem and newcert.pem (one has the key 
+$! and the other the certificate) and cat them together and that is what
+$! you want/need ... I'll make even this a little cleaner later.
+$!
+$!
+$! 12-Jan-96 tjh    Added more things ... including CA -signcert which
+$!                  converts a certificate to a request and then signs it.
+$! 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
+$!                 environment variable so this can be driven from
+$!                 a script.
+$! 25-Jul-96 eay    Cleaned up filenames some more.
+$! 11-Jun-96 eay    Fixed a few filename missmatches.
+$! 03-May-96 eay    Modified to use 'openssl cmd' instead of 'cmd'.
+$! 18-Apr-96 tjh    Original hacking
+$!
+$! Tim Hudson
+$! tjh@cryptsoft.com
+$!
+$!
+$! default ssleay.cnf file has setup as per the following
+$! demoCA ... where everything is stored
+$
+$ IF F$TYPE(SSLEAY_CONFIG) .EQS. "" THEN SSLEAY_CONFIG := SSLLIB:SSLEAY.CNF
+$
+$ DAYS   = "-days 365"
+$ REQ    = openssl + " req " + SSLEAY_CONFIG
+$ CA     = openssl + " ca " + SSLEAY_CONFIG
+$ VERIFY = openssl + " verify"
+$ X509   = openssl + " x509"
+$ PKCS12 = openssl + " pkcs12"
+$ echo   = "write sys$Output"
+$ RET = 1
+$!
+$! 2010-12-20 SMS.
+$! Use a concealed logical name to reduce command line lengths, to
+$! avoid DCL errors on VAX:
+$!     %DCL-W-TKNOVF, command element is too long - shorten
+$! (Path segments like "openssl-1_0_1-stable-SNAP-20101217" accumulate
+$! quickly.)
+$!
+$ CATOP = F$PARSE( F$ENVIRONMENT( "DEFAULT"), "[]")- "].;"+ ".demoCA.]"
+$ define /translation_attributes = concealed CATOP 'CATOP'
+$!
+$ on error then goto clean_up
+$ on control_y then goto clean_up
+$!
+$ CAKEY  = "CATOP:[private]cakey.pem"
+$ CACERT = "CATOP:[000000]cacert.pem"
+$
+$ __INPUT := SYS$COMMAND
+$!
+$ i = 1
+$opt_loop:
+$ if i .gt. 8 then goto opt_loop_end
+$
+$ prog_opt = F$EDIT(P'i',"lowercase")
+$
+$ IF (prog_opt .EQS. "?" .OR. prog_opt .EQS. "-h" .OR. prog_opt .EQS. "-help") 
+$ THEN
+$   echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" 
+$   goto clean_up
+$ ENDIF
+$!
+$ IF (prog_opt .EQS. "-input")
+$ THEN
+$   ! Get input from somewhere other than SYS$COMMAND
+$   i = i + 1
+$   __INPUT = P'i'
+$   GOTO opt_loop_continue
+$ ENDIF
+$!
+$ IF (prog_opt .EQS. "-newcert")
+$ THEN
+$   ! Create a certificate.
+$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
+$   REQ -new -x509 -keyout newreq.pem -out newreq.pem 'DAYS'
+$   RET=$STATUS
+$   echo "Certificate (and private key) is in newreq.pem"
+$   GOTO opt_loop_continue
+$ ENDIF
+$!
+$ IF (prog_opt .EQS. "-newreq")
+$ THEN
+$   ! Create a certificate request
+$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
+$   REQ -new -keyout newreq.pem -out newreq.pem 'DAYS'
+$   RET=$STATUS
+$   echo "Request (and private key) is in newreq.pem"
+$   GOTO opt_loop_continue
+$ ENDIF
+$!
+$ IF (prog_opt .EQS. "-newca")
+$ THEN
+$   ! If explicitly asked for or it doesn't exist then setup the directory
+$   ! structure that Eric likes to manage things.
+$   IF F$SEARCH( "CATOP:[000000]serial.") .EQS. ""
+$   THEN
+$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[000000]
+$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[certs]
+$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[crl]
+$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[newcerts]
+$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[private]
+$
+$     OPEN /WRITE ser_file CATOP:[000000]serial. 
+$     WRITE ser_file "01"
+$     CLOSE ser_file
+$     APPEND /NEW_VERSION NL: CATOP:[000000]index.txt
+$
+$     ! The following is to make sure access() doesn't get confused.  It
+$     ! really needs one file in the directory to give correct answers...
+$     COPY NLA0: CATOP:[certs].;
+$     COPY NLA0: CATOP:[crl].;
+$     COPY NLA0: CATOP:[newcerts].;
+$     COPY NLA0: CATOP:[private].;
+$   ENDIF
+$!
+$   IF F$SEARCH( CAKEY) .EQS. ""
+$   THEN
+$     READ '__INPUT' FILE -
+       /PROMPT="CA certificate filename (or enter to create): "
+$     IF (FILE .NES. "") .AND. (F$SEARCH(FILE) .NES. "")
+$     THEN
+$       COPY 'FILE' 'CAKEY'
+$       RET=$STATUS
+$     ELSE
+$       echo "Making CA certificate ..."
+$       DEFINE /USER_MODE SYS$INPUT '__INPUT'
+$       REQ -new -x509 -keyout 'CAKEY' -out 'CACERT' 'DAYS'
+$       RET=$STATUS
+$     ENDIF
+$   ENDIF
+$   GOTO opt_loop_continue
+$ ENDIF
+$!
+$ IF (prog_opt .EQS. "-pkcs12")
+$ THEN
+$   i = i + 1
+$   cname = P'i'
+$   IF cname .EQS. "" THEN cname = "My certificate"
+$   PKCS12 -in newcert.pem -inkey newreq.pem -certfile 'CACERT' -
+     -out newcert.p12 -export -name "''cname'"
+$   RET=$STATUS
+$   goto clean_up
+$ ENDIF
+$!
+$ IF (prog_opt .EQS. "-xsign")
+$ THEN
+$!
+$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
+$   CA -policy policy_anything -infiles newreq.pem
+$   RET=$STATUS
+$   GOTO opt_loop_continue
+$ ENDIF
+$!
+$ IF ((prog_opt .EQS. "-sign") .OR. (prog_opt .EQS. "-signreq"))
+$ THEN
+$!   
+$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
+$   CA -policy policy_anything -out newcert.pem -infiles newreq.pem
+$   RET=$STATUS
+$   type newcert.pem
+$   echo "Signed certificate is in newcert.pem"
+$   GOTO opt_loop_continue
+$ ENDIF
+$!
+$ IF (prog_opt .EQS. "-signcert")
+$  THEN
+$!   
+$   echo "Cert passphrase will be requested twice - bug?"
+$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
+$   X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
+$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
+$   CA -policy policy_anything -out newcert.pem -infiles tmp.pem
+y
+y
+$   type newcert.pem
+$   echo "Signed certificate is in newcert.pem"
+$   GOTO opt_loop_continue
+$ ENDIF
+$!
+$ IF (prog_opt .EQS. "-verify")
+$ THEN
+$!   
+$   i = i + 1
+$   IF (p'i' .EQS. "")
+$   THEN
+$     DEFINE /USER_MODE SYS$INPUT '__INPUT'
+$     VERIFY "-CAfile" 'CACERT' newcert.pem
+$   ELSE
+$     j = i
+$    verify_opt_loop:
+$     IF j .GT. 8 THEN GOTO verify_opt_loop_end
+$     IF p'j' .NES. ""
+$     THEN 
+$       DEFINE /USER_MODE SYS$INPUT '__INPUT'
+$       __tmp = p'j'
+$       VERIFY "-CAfile" 'CACERT' '__tmp'
+$       tmp=$STATUS
+$       IF tmp .NE. 0 THEN RET=tmp
+$     ENDIF
+$     j = j + 1
+$     GOTO verify_opt_loop
+$    verify_opt_loop_end:
+$   ENDIF
+$   
+$   GOTO opt_loop_end
+$ ENDIF
+$!
+$ IF (prog_opt .NES. "")
+$ THEN
+$!   
+$   echo "Unknown argument ''prog_opt'"
+$   RET = 3
+$   goto clean_up
+$ ENDIF
+$
+$opt_loop_continue:
+$ i = i + 1
+$ GOTO opt_loop
+$
+$opt_loop_end:
+$!
+$clean_up:
+$!
+$ if f$trnlnm( "CATOP", "LNM$PROCESS") .nes. "" then -
+   deassign /process CATOP
+$!
+$ EXIT 'RET'
diff --git a/openssl/apps/CA.pl b/openssl/apps/CA.pl
new file mode 100644
index 0000000..43c20b2
--- /dev/null
+++ b/openssl/apps/CA.pl
@@ -0,0 +1,188 @@
+#!/usr/bin/perl
+#
+# CA - wrapper around ca to make it easier to use ... basically ca requires
+#      some setup stuff to be done before you can use it and this makes
+#      things easier between now and when Eric is convinced to fix it :-)
+#
+# CA -newca ... will setup the right stuff
+# CA -newreq[-nodes] ... will generate a certificate request 
+# CA -sign ... will sign the generated request and output 
+#
+# At the end of that grab newreq.pem and newcert.pem (one has the key 
+# and the other the certificate) and cat them together and that is what
+# you want/need ... I'll make even this a little cleaner later.
+#
+#
+# 12-Jan-96 tjh    Added more things ... including CA -signcert which
+#                  converts a certificate to a request and then signs it.
+# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
+#		   environment variable so this can be driven from
+#		   a script.
+# 25-Jul-96 eay    Cleaned up filenames some more.
+# 11-Jun-96 eay    Fixed a few filename missmatches.
+# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
+# 18-Apr-96 tjh    Original hacking
+#
+# Tim Hudson
+# tjh@cryptsoft.com
+#
+
+# 27-Apr-98 snh    Translation into perl, fix existing CA bug.
+#
+#
+# Steve Henson
+# shenson@bigfoot.com
+
+# default openssl.cnf file has setup as per the following
+# demoCA ... where everything is stored
+
+my $openssl;
+if(defined $ENV{OPENSSL}) {
+	$openssl = $ENV{OPENSSL};
+} else {
+	$openssl = "openssl";
+	$ENV{OPENSSL} = $openssl;
+}
+
+$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
+$DAYS="-days 365";	# 1 year
+$CADAYS="-days 1095";	# 3 years
+$REQ="$openssl req $SSLEAY_CONFIG";
+$CA="$openssl ca $SSLEAY_CONFIG";
+$VERIFY="$openssl verify";
+$X509="$openssl x509";
+$PKCS12="$openssl pkcs12";
+
+$CATOP="./demoCA";
+$CAKEY="cakey.pem";
+$CAREQ="careq.pem";
+$CACERT="cacert.pem";
+
+$DIRMODE = 0777;
+
+$RET = 0;
+
+foreach (@ARGV) {
+	if ( /^(-\?|-h|-help)$/ ) {
+	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n";
+	    exit 0;
+	} elsif (/^-newcert$/) {
+	    # create a certificate
+	    system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");
+	    $RET=$?;
+	    print "Certificate is in newcert.pem, private key is in newkey.pem\n"
+	} elsif (/^-newreq$/) {
+	    # create a certificate request
+	    system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");
+	    $RET=$?;
+	    print "Request is in newreq.pem, private key is in newkey.pem\n";
+	} elsif (/^-newreq-nodes$/) {
+	    # create a certificate request
+	    system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");
+	    $RET=$?;
+	    print "Request is in newreq.pem, private key is in newkey.pem\n";
+	} elsif (/^-newca$/) {
+		# if explicitly asked for or it doesn't exist then setup the
+		# directory structure that Eric likes to manage things 
+	    $NEW="1";
+	    if ( "$NEW" || ! -f "${CATOP}/serial" ) {
+		# create the directory hierarchy
+		mkdir $CATOP, $DIRMODE;
+		mkdir "${CATOP}/certs", $DIRMODE;
+		mkdir "${CATOP}/crl", $DIRMODE ;
+		mkdir "${CATOP}/newcerts", $DIRMODE;
+		mkdir "${CATOP}/private", $DIRMODE;
+		open OUT, ">${CATOP}/index.txt";
+		close OUT;
+		open OUT, ">${CATOP}/crlnumber";
+		print OUT "01\n";
+		close OUT;
+	    }
+	    if ( ! -f "${CATOP}/private/$CAKEY" ) {
+		print "CA certificate filename (or enter to create)\n";
+		$FILE = <STDIN>;
+
+		chop $FILE;
+
+		# ask user for existing CA certificate
+		if ($FILE) {
+		    cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
+		    cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
+		    $RET=$?;
+		} else {
+		    print "Making CA certificate ...\n";
+		    system ("$REQ -new -keyout " .
+			"${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ");
+		    system ("$CA -create_serial " .
+			"-out ${CATOP}/$CACERT $CADAYS -batch " . 
+			"-keyfile ${CATOP}/private/$CAKEY -selfsign " .
+			"-extensions v3_ca " .
+			"-infiles ${CATOP}/$CAREQ ");
+		    $RET=$?;
+		}
+	    }
+	} elsif (/^-pkcs12$/) {
+	    my $cname = $ARGV[1];
+	    $cname = "My Certificate" unless defined $cname;
+	    system ("$PKCS12 -in newcert.pem -inkey newkey.pem " .
+			"-certfile ${CATOP}/$CACERT -out newcert.p12 " .
+			"-export -name \"$cname\"");
+	    $RET=$?;
+	    print "PKCS #12 file is in newcert.p12\n";
+	    exit $RET;
+	} elsif (/^-xsign$/) {
+	    system ("$CA -policy policy_anything -infiles newreq.pem");
+	    $RET=$?;
+	} elsif (/^(-sign|-signreq)$/) {
+	    system ("$CA -policy policy_anything -out newcert.pem " .
+							"-infiles newreq.pem");
+	    $RET=$?;
+	    print "Signed certificate is in newcert.pem\n";
+	} elsif (/^(-signCA)$/) {
+	    system ("$CA -policy policy_anything -out newcert.pem " .
+					"-extensions v3_ca -infiles newreq.pem");
+	    $RET=$?;
+	    print "Signed CA certificate is in newcert.pem\n";
+	} elsif (/^-signcert$/) {
+	    system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
+								"-out tmp.pem");
+	    system ("$CA -policy policy_anything -out newcert.pem " .
+							"-infiles tmp.pem");
+	    $RET = $?;
+	    print "Signed certificate is in newcert.pem\n";
+	} elsif (/^-verify$/) {
+	    if (shift) {
+		foreach $j (@ARGV) {
+		    system ("$VERIFY -CAfile $CATOP/$CACERT $j");
+		    $RET=$? if ($? != 0);
+		}
+		exit $RET;
+	    } else {
+		    system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");
+		    $RET=$?;
+	    	    exit 0;
+	    }
+	} else {
+	    print STDERR "Unknown arg $_\n";
+	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
+	    exit 1;
+	}
+}
+
+exit $RET;
+
+sub cp_pem {
+my ($infile, $outfile, $bound) = @_;
+open IN, $infile;
+open OUT, ">$outfile";
+my $flag = 0;
+while (<IN>) {
+	$flag = 1 if (/^-----BEGIN.*$bound/) ;
+	print OUT $_ if ($flag);
+	if (/^-----END.*$bound/) {
+		close IN;
+		close OUT;
+		return;
+	}
+}
+}
diff --git a/openssl/apps/CA.pl.in b/openssl/apps/CA.pl.in
new file mode 100644
index 0000000..3bf4c99
--- /dev/null
+++ b/openssl/apps/CA.pl.in
@@ -0,0 +1,188 @@
+#!/usr/local/bin/perl
+#
+# CA - wrapper around ca to make it easier to use ... basically ca requires
+#      some setup stuff to be done before you can use it and this makes
+#      things easier between now and when Eric is convinced to fix it :-)
+#
+# CA -newca ... will setup the right stuff
+# CA -newreq[-nodes] ... will generate a certificate request 
+# CA -sign ... will sign the generated request and output 
+#
+# At the end of that grab newreq.pem and newcert.pem (one has the key 
+# and the other the certificate) and cat them together and that is what
+# you want/need ... I'll make even this a little cleaner later.
+#
+#
+# 12-Jan-96 tjh    Added more things ... including CA -signcert which
+#                  converts a certificate to a request and then signs it.
+# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
+#		   environment variable so this can be driven from
+#		   a script.
+# 25-Jul-96 eay    Cleaned up filenames some more.
+# 11-Jun-96 eay    Fixed a few filename missmatches.
+# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
+# 18-Apr-96 tjh    Original hacking
+#
+# Tim Hudson
+# tjh@cryptsoft.com
+#
+
+# 27-Apr-98 snh    Translation into perl, fix existing CA bug.
+#
+#
+# Steve Henson
+# shenson@bigfoot.com
+
+# default openssl.cnf file has setup as per the following
+# demoCA ... where everything is stored
+
+my $openssl;
+if(defined $ENV{OPENSSL}) {
+	$openssl = $ENV{OPENSSL};
+} else {
+	$openssl = "openssl";
+	$ENV{OPENSSL} = $openssl;
+}
+
+$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
+$DAYS="-days 365";	# 1 year
+$CADAYS="-days 1095";	# 3 years
+$REQ="$openssl req $SSLEAY_CONFIG";
+$CA="$openssl ca $SSLEAY_CONFIG";
+$VERIFY="$openssl verify";
+$X509="$openssl x509";
+$PKCS12="$openssl pkcs12";
+
+$CATOP="./demoCA";
+$CAKEY="cakey.pem";
+$CAREQ="careq.pem";
+$CACERT="cacert.pem";
+
+$DIRMODE = 0777;
+
+$RET = 0;
+
+foreach (@ARGV) {
+	if ( /^(-\?|-h|-help)$/ ) {
+	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n";
+	    exit 0;
+	} elsif (/^-newcert$/) {
+	    # create a certificate
+	    system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");
+	    $RET=$?;
+	    print "Certificate is in newcert.pem, private key is in newkey.pem\n"
+	} elsif (/^-newreq$/) {
+	    # create a certificate request
+	    system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");
+	    $RET=$?;
+	    print "Request is in newreq.pem, private key is in newkey.pem\n";
+	} elsif (/^-newreq-nodes$/) {
+	    # create a certificate request
+	    system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");
+	    $RET=$?;
+	    print "Request is in newreq.pem, private key is in newkey.pem\n";
+	} elsif (/^-newca$/) {
+		# if explicitly asked for or it doesn't exist then setup the
+		# directory structure that Eric likes to manage things 
+	    $NEW="1";
+	    if ( "$NEW" || ! -f "${CATOP}/serial" ) {
+		# create the directory hierarchy
+		mkdir $CATOP, $DIRMODE;
+		mkdir "${CATOP}/certs", $DIRMODE;
+		mkdir "${CATOP}/crl", $DIRMODE ;
+		mkdir "${CATOP}/newcerts", $DIRMODE;
+		mkdir "${CATOP}/private", $DIRMODE;
+		open OUT, ">${CATOP}/index.txt";
+		close OUT;
+		open OUT, ">${CATOP}/crlnumber";
+		print OUT "01\n";
+		close OUT;
+	    }
+	    if ( ! -f "${CATOP}/private/$CAKEY" ) {
+		print "CA certificate filename (or enter to create)\n";
+		$FILE = <STDIN>;
+
+		chop $FILE;
+
+		# ask user for existing CA certificate
+		if ($FILE) {
+		    cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
+		    cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
+		    $RET=$?;
+		} else {
+		    print "Making CA certificate ...\n";
+		    system ("$REQ -new -keyout " .
+			"${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ");
+		    system ("$CA -create_serial " .
+			"-out ${CATOP}/$CACERT $CADAYS -batch " . 
+			"-keyfile ${CATOP}/private/$CAKEY -selfsign " .
+			"-extensions v3_ca " .
+			"-infiles ${CATOP}/$CAREQ ");
+		    $RET=$?;
+		}
+	    }
+	} elsif (/^-pkcs12$/) {
+	    my $cname = $ARGV[1];
+	    $cname = "My Certificate" unless defined $cname;
+	    system ("$PKCS12 -in newcert.pem -inkey newkey.pem " .
+			"-certfile ${CATOP}/$CACERT -out newcert.p12 " .
+			"-export -name \"$cname\"");
+	    $RET=$?;
+	    print "PKCS #12 file is in newcert.p12\n";
+	    exit $RET;
+	} elsif (/^-xsign$/) {
+	    system ("$CA -policy policy_anything -infiles newreq.pem");
+	    $RET=$?;
+	} elsif (/^(-sign|-signreq)$/) {
+	    system ("$CA -policy policy_anything -out newcert.pem " .
+							"-infiles newreq.pem");
+	    $RET=$?;
+	    print "Signed certificate is in newcert.pem\n";
+	} elsif (/^(-signCA)$/) {
+	    system ("$CA -policy policy_anything -out newcert.pem " .
+					"-extensions v3_ca -infiles newreq.pem");
+	    $RET=$?;
+	    print "Signed CA certificate is in newcert.pem\n";
+	} elsif (/^-signcert$/) {
+	    system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
+								"-out tmp.pem");
+	    system ("$CA -policy policy_anything -out newcert.pem " .
+							"-infiles tmp.pem");
+	    $RET = $?;
+	    print "Signed certificate is in newcert.pem\n";
+	} elsif (/^-verify$/) {
+	    if (shift) {
+		foreach $j (@ARGV) {
+		    system ("$VERIFY -CAfile $CATOP/$CACERT $j");
+		    $RET=$? if ($? != 0);
+		}
+		exit $RET;
+	    } else {
+		    system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");
+		    $RET=$?;
+	    	    exit 0;
+	    }
+	} else {
+	    print STDERR "Unknown arg $_\n";
+	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
+	    exit 1;
+	}
+}
+
+exit $RET;
+
+sub cp_pem {
+my ($infile, $outfile, $bound) = @_;
+open IN, $infile;
+open OUT, ">$outfile";
+my $flag = 0;
+while (<IN>) {
+	$flag = 1 if (/^-----BEGIN.*$bound/) ;
+	print OUT $_ if ($flag);
+	if (/^-----END.*$bound/) {
+		close IN;
+		close OUT;
+		return;
+	}
+}
+}
diff --git a/openssl/apps/CA.sh b/openssl/apps/CA.sh
new file mode 100644
index 0000000..7ad6b8c
--- /dev/null
+++ b/openssl/apps/CA.sh
@@ -0,0 +1,198 @@
+#!/bin/sh
+#
+# CA - wrapper around ca to make it easier to use ... basically ca requires
+#      some setup stuff to be done before you can use it and this makes
+#      things easier between now and when Eric is convinced to fix it :-)
+#
+# CA -newca ... will setup the right stuff
+# CA -newreq ... will generate a certificate request
+# CA -sign ... will sign the generated request and output
+#
+# At the end of that grab newreq.pem and newcert.pem (one has the key
+# and the other the certificate) and cat them together and that is what
+# you want/need ... I'll make even this a little cleaner later.
+#
+#
+# 12-Jan-96 tjh    Added more things ... including CA -signcert which
+#                  converts a certificate to a request and then signs it.
+# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
+#                  environment variable so this can be driven from
+#                  a script.
+# 25-Jul-96 eay    Cleaned up filenames some more.
+# 11-Jun-96 eay    Fixed a few filename missmatches.
+# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
+# 18-Apr-96 tjh    Original hacking
+#
+# Tim Hudson
+# tjh@cryptsoft.com
+#
+
+# default openssl.cnf file has setup as per the following
+# demoCA ... where everything is stored
+cp_pem() {
+    infile=$1
+    outfile=$2
+    bound=$3
+    flag=0
+    exec <$infile;
+    while read line; do
+	if [ $flag -eq 1 ]; then
+		echo $line|grep "^-----END.*$bound"  2>/dev/null 1>/dev/null
+		if [ $? -eq 0 ] ; then
+			echo $line >>$outfile
+			break
+		else
+			echo $line >>$outfile
+		fi
+	fi
+
+	echo $line|grep "^-----BEGIN.*$bound"  2>/dev/null 1>/dev/null
+	if [ $? -eq 0 ]; then
+		echo $line >$outfile
+		flag=1
+	fi
+    done
+}
+
+usage() {
+ echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
+}
+
+if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
+
+if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi	# 1 year
+CADAYS="-days 1095"	# 3 years
+REQ="$OPENSSL req $SSLEAY_CONFIG"
+CA="$OPENSSL ca $SSLEAY_CONFIG"
+VERIFY="$OPENSSL verify"
+X509="$OPENSSL x509"
+PKCS12="openssl pkcs12"
+
+if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
+CAKEY=./cakey.pem
+CAREQ=./careq.pem
+CACERT=./cacert.pem
+
+RET=0
+
+while [ "$1" != "" ] ; do
+case $1 in
+-\?|-h|-help)
+    usage
+    exit 0
+    ;;
+-newcert)
+    # create a certificate
+    $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
+    RET=$?
+    echo "Certificate is in newcert.pem, private key is in newkey.pem"
+    ;;
+-newreq)
+    # create a certificate request
+    $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
+    RET=$?
+    echo "Request is in newreq.pem, private key is in newkey.pem"
+    ;;
+-newreq-nodes) 
+    # create a certificate request
+    $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
+    RET=$?
+    echo "Request (and private key) is in newreq.pem"
+    ;;
+-newca)
+    # if explicitly asked for or it doesn't exist then setup the directory
+    # structure that Eric likes to manage things
+    NEW="1"
+    if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
+	# create the directory hierarchy
+	mkdir -p ${CATOP}
+	mkdir -p ${CATOP}/certs
+	mkdir -p ${CATOP}/crl
+	mkdir -p ${CATOP}/newcerts
+	mkdir -p ${CATOP}/private
+	touch ${CATOP}/index.txt
+    fi
+    if [ ! -f ${CATOP}/private/$CAKEY ]; then
+	echo "CA certificate filename (or enter to create)"
+	read FILE
+
+	# ask user for existing CA certificate
+	if [ "$FILE" ]; then
+	    cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE
+	    cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE
+	    RET=$?
+	    if [ ! -f "${CATOP}/serial" ]; then
+		$X509 -in ${CATOP}/$CACERT -noout -next_serial \
+		      -out ${CATOP}/serial
+	    fi
+	else
+	    echo "Making CA certificate ..."
+	    $REQ -new -keyout ${CATOP}/private/$CAKEY \
+			   -out ${CATOP}/$CAREQ
+	    $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
+			   -keyfile ${CATOP}/private/$CAKEY -selfsign \
+			   -extensions v3_ca \
+			   -infiles ${CATOP}/$CAREQ
+	    RET=$?
+	fi
+    fi
+    ;;
+-xsign)
+    $CA -policy policy_anything -infiles newreq.pem
+    RET=$?
+    ;;
+-pkcs12)
+    if [ -z "$2" ] ; then
+	CNAME="My Certificate"
+    else
+	CNAME="$2"
+    fi
+    $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
+	    -out newcert.p12 -export -name "$CNAME"
+    RET=$?
+    exit $RET
+    ;;
+-sign|-signreq)
+    $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
+    RET=$?
+    cat newcert.pem
+    echo "Signed certificate is in newcert.pem"
+    ;;
+-signCA)
+    $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
+    RET=$?
+    echo "Signed CA certificate is in newcert.pem"
+    ;;
+-signcert)
+    echo "Cert passphrase will be requested twice - bug?"
+    $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
+    $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
+    RET=$?
+    cat newcert.pem
+    echo "Signed certificate is in newcert.pem"
+    ;;
+-verify)
+    shift
+    if [ -z "$1" ]; then
+	    $VERIFY -CAfile $CATOP/$CACERT newcert.pem
+	    RET=$?
+    else
+	for j
+	do
+	    $VERIFY -CAfile $CATOP/$CACERT $j
+	    if [ $? != 0 ]; then
+		    RET=$?
+	    fi
+	done
+    fi
+    exit $RET
+    ;;
+*)
+    echo "Unknown arg $i" >&2
+    usage
+    exit 1
+    ;;
+esac
+shift
+done
+exit $RET
diff --git a/openssl/apps/Makefile b/openssl/apps/Makefile
new file mode 100644
index 0000000..8c3297e
--- /dev/null
+++ b/openssl/apps/Makefile
@@ -0,0 +1,1059 @@
+#
+#  apps/Makefile
+#
+
+DIR=		apps
+TOP=		..
+CC=		cc
+INCLUDES=	-I$(TOP) -I../include $(KRB5_INCLUDES)
+CFLAG=		-g -static
+MAKEFILE=	Makefile
+PERL=		perl
+RM=		rm -f
+# KRB5 stuff
+KRB5_INCLUDES=
+LIBKRB5=
+
+PEX_LIBS=
+EX_LIBS= 
+EXE_EXT= 
+
+SHLIB_TARGET=
+
+CFLAGS= -DMONOLITH $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile makeapps.com install.com
+
+DLIBCRYPTO=../libcrypto.a
+DLIBSSL=../libssl.a
+LIBCRYPTO=-L.. -lcrypto
+LIBSSL=-L.. -lssl
+
+PROGRAM= openssl
+
+SCRIPTS=CA.sh CA.pl tsget
+
+EXE= $(PROGRAM)$(EXE_EXT)
+
+E_EXE=	verify asn1pars req dgst dh dhparam enc passwd gendh errstr \
+	ca crl rsa rsautl dsa dsaparam ec ecparam \
+	x509 genrsa gendsa genpkey s_server s_client speed \
+	s_time version pkcs7 cms crl2pkcs7 sess_id ciphers nseq pkcs12 \
+	pkcs8 pkey pkeyparam pkeyutl spkac smime rand engine ocsp prime ts srp
+
+PROGS= $(PROGRAM).c
+
+A_OBJ=apps.o
+A_SRC=apps.c
+S_OBJ=	s_cb.o s_socket.o
+S_SRC=	s_cb.c s_socket.c
+RAND_OBJ=app_rand.o
+RAND_SRC=app_rand.c
+
+E_OBJ=	verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o \
+	ca.o pkcs7.o crl2p7.o crl.o \
+	rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o \
+	x509.o genrsa.o gendsa.o genpkey.o s_server.o s_client.o speed.o \
+	s_time.o $(A_OBJ) $(S_OBJ) $(RAND_OBJ) version.o sess_id.o \
+	ciphers.o nseq.o pkcs12.o pkcs8.o pkey.o pkeyparam.o pkeyutl.o \
+	spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o srp.o
+
+E_SRC=	verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c ca.c \
+	pkcs7.c crl2p7.c crl.c \
+	rsa.c rsautl.c dsa.c dsaparam.c ec.c ecparam.c \
+	x509.c genrsa.c gendsa.c genpkey.c s_server.c s_client.c speed.c \
+	s_time.c $(A_SRC) $(S_SRC) $(RAND_SRC) version.c sess_id.c \
+	ciphers.c nseq.c pkcs12.c pkcs8.c pkey.c pkeyparam.c pkeyutl.c \
+	spkac.c smime.c cms.c rand.c engine.c ocsp.c prime.c ts.c srp.c
+
+SRC=$(E_SRC)
+
+EXHEADER=
+HEADER=	apps.h progs.h s_apps.h \
+	testdsa.h testrsa.h \
+	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	@(cd ..; $(MAKE) DIRS=$(DIR) all)
+
+all:	exe
+
+exe:	$(EXE)
+
+req: sreq.o $(A_OBJ) $(DLIBCRYPTO)
+	shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
+		shlib_target="$(SHLIB_TARGET)"; \
+	fi; \
+	$(MAKE) -f $(TOP)/Makefile.shared -e \
+		APPNAME=req OBJECTS="sreq.o $(A_OBJ) $(RAND_OBJ)" \
+		LIBDEPS="$(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)" \
+		link_app.$${shlib_target}
+
+sreq.o: req.c 
+	$(CC) -c $(INCLUDES) $(CFLAG) -o sreq.o req.c
+
+openssl-vms.cnf: openssl.cnf
+	$(PERL) $(TOP)/VMS/VMSify-conf.pl < openssl.cnf > openssl-vms.cnf
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+
+install:
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@set -e; for i in $(EXE); \
+	do  \
+	(echo installing $$i; \
+	 cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+	 chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+	 mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+	 done;
+	@set -e; for i in $(SCRIPTS); \
+	do  \
+	(echo installing $$i; \
+	 cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
+	 chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
+	 mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
+	 done
+	@cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+	chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+	mv -f  $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+links:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+update: openssl-vms.cnf local_depend
+
+depend: local_depend
+	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
+local_depend:
+	@[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+	rm -f CA.pl
+
+clean:
+	rm -f *.o *.obj *.dll lib tags core .pure .nfs* *.old *.bak fluff $(EXE)
+	rm -f req
+
+$(DLIBSSL):
+	(cd ..; $(MAKE) build_libssl)
+
+$(DLIBCRYPTO):
+	(cd ..; $(MAKE) build_libcrypto)
+
+$(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
+	$(RM) $(EXE)
+	shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
+		shlib_target="$(SHLIB_TARGET)"; \
+	elif [ -n "$(FIPSCANLIB)" ]; then \
+	  FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; export CC FIPSLD_CC; \
+	fi; \
+	LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \
+	$(MAKE) -f $(TOP)/Makefile.shared -e \
+		APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \
+		LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
+		link_app.$${shlib_target}
+	@(cd ..; $(MAKE) rehash)
+
+progs.h: progs.pl
+	$(PERL) progs.pl $(E_EXE) >progs.h
+	$(RM) $(PROGRAM).o
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+app_rand.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+app_rand.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+app_rand.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+app_rand.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+app_rand.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+app_rand.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+app_rand.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+app_rand.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+app_rand.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+app_rand.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+app_rand.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+app_rand.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+app_rand.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+app_rand.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h
+app_rand.o: app_rand.c apps.h
+apps.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+apps.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+apps.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+apps.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+apps.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+apps.o: ../include/openssl/engine.h ../include/openssl/err.h
+apps.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+apps.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+apps.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+apps.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+apps.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+apps.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h
+apps.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+apps.o: ../include/openssl/sha.h ../include/openssl/stack.h
+apps.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+apps.o: ../include/openssl/ui.h ../include/openssl/x509.h
+apps.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.c apps.h
+asn1pars.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+asn1pars.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+asn1pars.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+asn1pars.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+asn1pars.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+asn1pars.o: ../include/openssl/err.h ../include/openssl/evp.h
+asn1pars.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+asn1pars.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+asn1pars.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+asn1pars.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+asn1pars.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+asn1pars.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+asn1pars.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+asn1pars.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+asn1pars.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+asn1pars.o: asn1pars.c
+ca.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+ca.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ca.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+ca.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ca.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ca.o: ../include/openssl/engine.h ../include/openssl/err.h
+ca.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+ca.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ca.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+ca.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ca.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ca.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
+ca.o: ../include/openssl/sha.h ../include/openssl/stack.h
+ca.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+ca.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ca.o: ../include/openssl/x509v3.h apps.h ca.c
+ciphers.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+ciphers.o: ../include/openssl/buffer.h ../include/openssl/comp.h
+ciphers.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+ciphers.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+ciphers.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+ciphers.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+ciphers.o: ../include/openssl/err.h ../include/openssl/evp.h
+ciphers.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+ciphers.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+ciphers.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+ciphers.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ciphers.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ciphers.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ciphers.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+ciphers.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+ciphers.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ciphers.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ciphers.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ciphers.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+ciphers.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ciphers.o: ../include/openssl/x509v3.h apps.h ciphers.c
+cms.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+cms.o: ../include/openssl/buffer.h ../include/openssl/cms.h
+cms.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+cms.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+cms.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+cms.o: ../include/openssl/engine.h ../include/openssl/err.h
+cms.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+cms.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+cms.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+cms.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+cms.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+cms.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
+cms.o: ../include/openssl/sha.h ../include/openssl/stack.h
+cms.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+cms.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+cms.o: ../include/openssl/x509v3.h apps.h cms.c
+crl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+crl.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+crl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+crl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+crl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+crl.o: ../include/openssl/err.h ../include/openssl/evp.h
+crl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+crl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+crl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+crl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+crl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+crl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+crl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+crl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+crl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h crl.c
+crl2p7.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+crl2p7.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+crl2p7.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+crl2p7.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+crl2p7.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+crl2p7.o: ../include/openssl/err.h ../include/openssl/evp.h
+crl2p7.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+crl2p7.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+crl2p7.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+crl2p7.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+crl2p7.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+crl2p7.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+crl2p7.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+crl2p7.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+crl2p7.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+crl2p7.o: crl2p7.c
+dgst.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+dgst.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+dgst.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+dgst.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+dgst.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+dgst.o: ../include/openssl/err.h ../include/openssl/evp.h
+dgst.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+dgst.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+dgst.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+dgst.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+dgst.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+dgst.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
+dgst.o: ../include/openssl/sha.h ../include/openssl/stack.h
+dgst.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+dgst.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+dgst.o: ../include/openssl/x509v3.h apps.h dgst.c
+dh.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+dh.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+dh.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+dh.o: ../include/openssl/dh.h ../include/openssl/e_os2.h
+dh.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+dh.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+dh.o: ../include/openssl/err.h ../include/openssl/evp.h
+dh.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+dh.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+dh.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+dh.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+dh.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dh.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+dh.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+dh.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+dh.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h dh.c
+dsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+dsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+dsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+dsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+dsa.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+dsa.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+dsa.o: ../include/openssl/err.h ../include/openssl/evp.h
+dsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+dsa.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+dsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+dsa.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+dsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+dsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+dsa.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+dsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h dsa.c
+dsaparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+dsaparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+dsaparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+dsaparam.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+dsaparam.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+dsaparam.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+dsaparam.o: ../include/openssl/engine.h ../include/openssl/err.h
+dsaparam.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+dsaparam.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+dsaparam.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+dsaparam.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+dsaparam.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+dsaparam.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+dsaparam.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+dsaparam.o: ../include/openssl/sha.h ../include/openssl/stack.h
+dsaparam.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+dsaparam.o: ../include/openssl/ui.h ../include/openssl/x509.h
+dsaparam.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+dsaparam.o: dsaparam.c
+ec.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+ec.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+ec.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+ec.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+ec.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+ec.o: ../include/openssl/err.h ../include/openssl/evp.h
+ec.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+ec.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+ec.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ec.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ec.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ec.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ec.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ec.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+ec.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ec.c
+ecparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+ecparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ecparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+ecparam.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ecparam.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ecparam.o: ../include/openssl/engine.h ../include/openssl/err.h
+ecparam.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+ecparam.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ecparam.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+ecparam.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ecparam.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ecparam.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
+ecparam.o: ../include/openssl/sha.h ../include/openssl/stack.h
+ecparam.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+ecparam.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ecparam.o: ../include/openssl/x509v3.h apps.h ecparam.c
+enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+enc.o: ../include/openssl/buffer.h ../include/openssl/comp.h
+enc.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+enc.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+enc.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+enc.o: ../include/openssl/engine.h ../include/openssl/err.h
+enc.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+enc.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+enc.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+enc.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+enc.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h enc.c
+engine.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+engine.o: ../include/openssl/buffer.h ../include/openssl/comp.h
+engine.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+engine.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+engine.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+engine.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+engine.o: ../include/openssl/err.h ../include/openssl/evp.h
+engine.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+engine.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+engine.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+engine.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+engine.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+engine.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+engine.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+engine.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+engine.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+engine.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+engine.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+engine.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+engine.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+engine.o: ../include/openssl/x509v3.h apps.h engine.c
+errstr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+errstr.o: ../include/openssl/buffer.h ../include/openssl/comp.h
+errstr.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+errstr.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+errstr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+errstr.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+errstr.o: ../include/openssl/err.h ../include/openssl/evp.h
+errstr.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+errstr.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+errstr.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+errstr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+errstr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+errstr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+errstr.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+errstr.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+errstr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+errstr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+errstr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+errstr.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+errstr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+errstr.o: ../include/openssl/x509v3.h apps.h errstr.c
+gendh.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+gendh.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+gendh.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+gendh.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+gendh.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+gendh.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+gendh.o: ../include/openssl/engine.h ../include/openssl/err.h
+gendh.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+gendh.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+gendh.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+gendh.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+gendh.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+gendh.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+gendh.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+gendh.o: ../include/openssl/sha.h ../include/openssl/stack.h
+gendh.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+gendh.o: ../include/openssl/ui.h ../include/openssl/x509.h
+gendh.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+gendh.o: gendh.c
+gendsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+gendsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+gendsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+gendsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+gendsa.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+gendsa.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+gendsa.o: ../include/openssl/err.h ../include/openssl/evp.h
+gendsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+gendsa.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+gendsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+gendsa.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+gendsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+gendsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+gendsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+gendsa.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+gendsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+gendsa.o: gendsa.c
+genpkey.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+genpkey.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+genpkey.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+genpkey.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+genpkey.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+genpkey.o: ../include/openssl/err.h ../include/openssl/evp.h
+genpkey.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+genpkey.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+genpkey.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+genpkey.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+genpkey.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+genpkey.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+genpkey.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+genpkey.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+genpkey.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+genpkey.o: genpkey.c
+genrsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+genrsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+genrsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+genrsa.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+genrsa.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+genrsa.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+genrsa.o: ../include/openssl/engine.h ../include/openssl/err.h
+genrsa.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+genrsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+genrsa.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+genrsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+genrsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+genrsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+genrsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+genrsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
+genrsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+genrsa.o: ../include/openssl/ui.h ../include/openssl/x509.h
+genrsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+genrsa.o: genrsa.c
+nseq.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+nseq.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+nseq.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+nseq.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+nseq.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+nseq.o: ../include/openssl/err.h ../include/openssl/evp.h
+nseq.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+nseq.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+nseq.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+nseq.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+nseq.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+nseq.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+nseq.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+nseq.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+nseq.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h nseq.c
+ocsp.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+ocsp.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ocsp.o: ../include/openssl/comp.h ../include/openssl/conf.h
+ocsp.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+ocsp.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ocsp.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ocsp.o: ../include/openssl/engine.h ../include/openssl/err.h
+ocsp.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+ocsp.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+ocsp.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ocsp.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+ocsp.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ocsp.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ocsp.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
+ocsp.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ocsp.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+ocsp.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ocsp.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ocsp.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ocsp.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+ocsp.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ocsp.c
+openssl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+openssl.o: ../include/openssl/buffer.h ../include/openssl/comp.h
+openssl.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+openssl.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+openssl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+openssl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+openssl.o: ../include/openssl/err.h ../include/openssl/evp.h
+openssl.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+openssl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+openssl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+openssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+openssl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+openssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+openssl.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+openssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+openssl.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+openssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+openssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+openssl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+openssl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+openssl.o: openssl.c progs.h s_apps.h
+passwd.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+passwd.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+passwd.o: ../include/openssl/crypto.h ../include/openssl/des.h
+passwd.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h
+passwd.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+passwd.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+passwd.o: ../include/openssl/err.h ../include/openssl/evp.h
+passwd.o: ../include/openssl/lhash.h ../include/openssl/md5.h
+passwd.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+passwd.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+passwd.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+passwd.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+passwd.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+passwd.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+passwd.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+passwd.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+passwd.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+passwd.o: passwd.c
+pkcs12.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+pkcs12.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+pkcs12.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+pkcs12.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+pkcs12.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+pkcs12.o: ../include/openssl/err.h ../include/openssl/evp.h
+pkcs12.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+pkcs12.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+pkcs12.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+pkcs12.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+pkcs12.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h
+pkcs12.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
+pkcs12.o: ../include/openssl/sha.h ../include/openssl/stack.h
+pkcs12.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+pkcs12.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+pkcs12.o: ../include/openssl/x509v3.h apps.h pkcs12.c
+pkcs7.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+pkcs7.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+pkcs7.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+pkcs7.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+pkcs7.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+pkcs7.o: ../include/openssl/err.h ../include/openssl/evp.h
+pkcs7.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+pkcs7.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+pkcs7.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+pkcs7.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+pkcs7.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+pkcs7.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+pkcs7.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+pkcs7.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+pkcs7.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+pkcs7.o: pkcs7.c
+pkcs8.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+pkcs8.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+pkcs8.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+pkcs8.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+pkcs8.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+pkcs8.o: ../include/openssl/err.h ../include/openssl/evp.h
+pkcs8.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+pkcs8.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+pkcs8.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+pkcs8.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+pkcs8.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h
+pkcs8.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
+pkcs8.o: ../include/openssl/sha.h ../include/openssl/stack.h
+pkcs8.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+pkcs8.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+pkcs8.o: ../include/openssl/x509v3.h apps.h pkcs8.c
+pkey.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+pkey.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+pkey.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+pkey.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+pkey.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+pkey.o: ../include/openssl/err.h ../include/openssl/evp.h
+pkey.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+pkey.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+pkey.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+pkey.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+pkey.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+pkey.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+pkey.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+pkey.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+pkey.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h pkey.c
+pkeyparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+pkeyparam.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+pkeyparam.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+pkeyparam.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+pkeyparam.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+pkeyparam.o: ../include/openssl/err.h ../include/openssl/evp.h
+pkeyparam.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+pkeyparam.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+pkeyparam.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+pkeyparam.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+pkeyparam.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+pkeyparam.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+pkeyparam.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+pkeyparam.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+pkeyparam.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+pkeyparam.o: pkeyparam.c
+pkeyutl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+pkeyutl.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+pkeyutl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+pkeyutl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+pkeyutl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+pkeyutl.o: ../include/openssl/err.h ../include/openssl/evp.h
+pkeyutl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+pkeyutl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+pkeyutl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+pkeyutl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+pkeyutl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+pkeyutl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+pkeyutl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+pkeyutl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+pkeyutl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+pkeyutl.o: pkeyutl.c
+prime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+prime.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+prime.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+prime.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+prime.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+prime.o: ../include/openssl/engine.h ../include/openssl/evp.h
+prime.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+prime.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+prime.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+prime.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+prime.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+prime.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+prime.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+prime.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+prime.o: prime.c
+rand.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+rand.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+rand.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+rand.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+rand.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+rand.o: ../include/openssl/err.h ../include/openssl/evp.h
+rand.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+rand.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+rand.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+rand.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+rand.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+rand.o: ../include/openssl/sha.h ../include/openssl/stack.h
+rand.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+rand.o: ../include/openssl/x509v3.h apps.h rand.c
+req.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+req.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+req.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+req.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+req.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+req.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+req.o: ../include/openssl/engine.h ../include/openssl/err.h
+req.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+req.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+req.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+req.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+req.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+req.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+req.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+req.o: ../include/openssl/sha.h ../include/openssl/stack.h
+req.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+req.o: ../include/openssl/ui.h ../include/openssl/x509.h
+req.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h req.c
+rsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+rsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+rsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+rsa.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+rsa.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+rsa.o: ../include/openssl/engine.h ../include/openssl/err.h
+rsa.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+rsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+rsa.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+rsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+rsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+rsa.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h
+rsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+rsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+rsa.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+rsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h rsa.c
+rsautl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+rsautl.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+rsautl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+rsautl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+rsautl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+rsautl.o: ../include/openssl/err.h ../include/openssl/evp.h
+rsautl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+rsautl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+rsautl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+rsautl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+rsautl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+rsautl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+rsautl.o: ../include/openssl/sha.h ../include/openssl/stack.h
+rsautl.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+rsautl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+rsautl.o: ../include/openssl/x509v3.h apps.h rsautl.c
+s_cb.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+s_cb.o: ../include/openssl/buffer.h ../include/openssl/comp.h
+s_cb.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+s_cb.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+s_cb.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+s_cb.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+s_cb.o: ../include/openssl/err.h ../include/openssl/evp.h
+s_cb.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s_cb.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s_cb.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+s_cb.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_cb.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s_cb.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_cb.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+s_cb.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_cb.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+s_cb.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s_cb.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s_cb.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s_cb.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+s_cb.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+s_cb.o: s_apps.h s_cb.c
+s_client.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+s_client.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s_client.o: ../include/openssl/comp.h ../include/openssl/conf.h
+s_client.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+s_client.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s_client.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s_client.o: ../include/openssl/engine.h ../include/openssl/err.h
+s_client.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+s_client.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s_client.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s_client.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+s_client.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s_client.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_client.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
+s_client.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+s_client.o: ../include/openssl/sha.h ../include/openssl/srp.h
+s_client.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+s_client.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s_client.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s_client.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s_client.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+s_client.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+s_client.o: s_apps.h s_client.c timeouts.h
+s_server.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+s_server.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s_server.o: ../include/openssl/comp.h ../include/openssl/conf.h
+s_server.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+s_server.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s_server.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s_server.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s_server.o: ../include/openssl/engine.h ../include/openssl/err.h
+s_server.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+s_server.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s_server.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s_server.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+s_server.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s_server.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_server.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
+s_server.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+s_server.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_server.o: ../include/openssl/srp.h ../include/openssl/srtp.h
+s_server.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_server.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_server.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s_server.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_server.o: ../include/openssl/ui.h ../include/openssl/x509.h
+s_server.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+s_server.o: s_apps.h s_server.c timeouts.h
+s_socket.o: ../e_os.h ../e_os2.h ../include/openssl/asn1.h
+s_socket.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+s_socket.o: ../include/openssl/comp.h ../include/openssl/conf.h
+s_socket.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+s_socket.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s_socket.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s_socket.o: ../include/openssl/engine.h ../include/openssl/evp.h
+s_socket.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s_socket.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s_socket.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+s_socket.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_socket.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s_socket.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_socket.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+s_socket.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+s_socket.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_socket.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_socket.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s_socket.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_socket.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+s_socket.o: ../include/openssl/x509v3.h apps.h s_apps.h s_socket.c
+s_time.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+s_time.o: ../include/openssl/buffer.h ../include/openssl/comp.h
+s_time.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+s_time.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+s_time.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+s_time.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+s_time.o: ../include/openssl/err.h ../include/openssl/evp.h
+s_time.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s_time.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s_time.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+s_time.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_time.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s_time.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_time.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+s_time.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+s_time.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_time.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_time.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s_time.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_time.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+s_time.o: ../include/openssl/x509v3.h apps.h s_apps.h s_time.c
+sess_id.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+sess_id.o: ../include/openssl/buffer.h ../include/openssl/comp.h
+sess_id.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+sess_id.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+sess_id.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+sess_id.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+sess_id.o: ../include/openssl/err.h ../include/openssl/evp.h
+sess_id.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+sess_id.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+sess_id.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+sess_id.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+sess_id.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+sess_id.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+sess_id.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+sess_id.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+sess_id.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+sess_id.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+sess_id.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+sess_id.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+sess_id.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+sess_id.o: ../include/openssl/x509v3.h apps.h sess_id.c
+smime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+smime.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+smime.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+smime.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+smime.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+smime.o: ../include/openssl/err.h ../include/openssl/evp.h
+smime.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+smime.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+smime.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+smime.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+smime.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+smime.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+smime.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+smime.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+smime.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+smime.o: smime.c
+speed.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+speed.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+speed.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+speed.o: ../include/openssl/camellia.h ../include/openssl/cast.h
+speed.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+speed.o: ../include/openssl/des.h ../include/openssl/des_old.h
+speed.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+speed.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+speed.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+speed.o: ../include/openssl/err.h ../include/openssl/evp.h
+speed.o: ../include/openssl/hmac.h ../include/openssl/idea.h
+speed.o: ../include/openssl/lhash.h ../include/openssl/md4.h
+speed.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+speed.o: ../include/openssl/modes.h ../include/openssl/obj_mac.h
+speed.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+speed.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+speed.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+speed.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+speed.o: ../include/openssl/rc4.h ../include/openssl/ripemd.h
+speed.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+speed.o: ../include/openssl/seed.h ../include/openssl/sha.h
+speed.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+speed.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+speed.o: ../include/openssl/ui_compat.h ../include/openssl/whrlpool.h
+speed.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+speed.o: ../include/openssl/x509v3.h apps.h speed.c testdsa.h testrsa.h
+spkac.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+spkac.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+spkac.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+spkac.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+spkac.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+spkac.o: ../include/openssl/err.h ../include/openssl/evp.h
+spkac.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+spkac.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+spkac.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+spkac.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+spkac.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+spkac.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+spkac.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+spkac.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+spkac.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+spkac.o: spkac.c
+srp.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+srp.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+srp.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+srp.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+srp.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+srp.o: ../include/openssl/engine.h ../include/openssl/err.h
+srp.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+srp.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+srp.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+srp.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+srp.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
+srp.o: ../include/openssl/sha.h ../include/openssl/srp.h
+srp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+srp.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+srp.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h srp.c
+ts.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+ts.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ts.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+ts.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ts.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ts.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ts.o: ../include/openssl/engine.h ../include/openssl/err.h
+ts.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+ts.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ts.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+ts.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ts.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ts.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+ts.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ts.o: ../include/openssl/sha.h ../include/openssl/stack.h
+ts.o: ../include/openssl/symhacks.h ../include/openssl/ts.h
+ts.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+ts.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ts.c
+verify.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+verify.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+verify.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+verify.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+verify.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+verify.o: ../include/openssl/err.h ../include/openssl/evp.h
+verify.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+verify.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+verify.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+verify.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+verify.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+verify.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+verify.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+verify.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+verify.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+verify.o: verify.c
+version.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+version.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+version.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+version.o: ../include/openssl/crypto.h ../include/openssl/des.h
+version.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h
+version.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+version.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+version.o: ../include/openssl/evp.h ../include/openssl/idea.h
+version.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+version.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+version.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+version.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+version.o: ../include/openssl/rc4.h ../include/openssl/safestack.h
+version.o: ../include/openssl/sha.h ../include/openssl/stack.h
+version.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+version.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+version.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+version.o: ../include/openssl/x509v3.h apps.h version.c
+x509.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+x509.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+x509.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+x509.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+x509.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+x509.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+x509.o: ../include/openssl/err.h ../include/openssl/evp.h
+x509.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+x509.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+x509.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+x509.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+x509.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+x509.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+x509.o: ../include/openssl/sha.h ../include/openssl/stack.h
+x509.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+x509.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+x509.o: ../include/openssl/x509v3.h apps.h x509.c
diff --git a/openssl/apps/app_rand.c b/openssl/apps/app_rand.c
new file mode 100644
index 0000000..7f40bba
--- /dev/null
+++ b/openssl/apps/app_rand.c
@@ -0,0 +1,217 @@
+/* apps/app_rand.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#define NON_MAIN
+#include "apps.h"
+#undef NON_MAIN
+#include <openssl/bio.h>
+#include <openssl/rand.h>
+
+static int seeded = 0;
+static int egdsocket = 0;
+
+int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn)
+{
+    int consider_randfile = (file == NULL);
+    char buffer[200];
+
+#ifdef OPENSSL_SYS_WINDOWS
+    RAND_screen();
+#endif
+
+    if (file == NULL)
+        file = RAND_file_name(buffer, sizeof buffer);
+    else if (RAND_egd(file) > 0) {
+        /*
+         * we try if the given filename is an EGD socket. if it is, we don't
+         * write anything back to the file.
+         */
+        egdsocket = 1;
+        return 1;
+    }
+    if (file == NULL || !RAND_load_file(file, -1)) {
+        if (RAND_status() == 0) {
+            if (!dont_warn) {
+                BIO_printf(bio_e, "unable to load 'random state'\n");
+                BIO_printf(bio_e,
+                           "This means that the random number generator has not been seeded\n");
+                BIO_printf(bio_e, "with much random data.\n");
+                if (consider_randfile) { /* explanation does not apply when a
+                                          * file is explicitly named */
+                    BIO_printf(bio_e,
+                               "Consider setting the RANDFILE environment variable to point at a file that\n");
+                    BIO_printf(bio_e,
+                               "'random' data can be kept in (the file will be overwritten).\n");
+                }
+            }
+            return 0;
+        }
+    }
+    seeded = 1;
+    return 1;
+}
+
+long app_RAND_load_files(char *name)
+{
+    char *p, *n;
+    int last;
+    long tot = 0;
+    int egd;
+
+    for (;;) {
+        last = 0;
+        for (p = name; ((*p != '\0') && (*p != LIST_SEPARATOR_CHAR)); p++) ;
+        if (*p == '\0')
+            last = 1;
+        *p = '\0';
+        n = name;
+        name = p + 1;
+        if (*n == '\0')
+            break;
+
+        egd = RAND_egd(n);
+        if (egd > 0)
+            tot += egd;
+        else
+            tot += RAND_load_file(n, -1);
+        if (last)
+            break;
+    }
+    if (tot > 512)
+        app_RAND_allow_write_file();
+    return (tot);
+}
+
+int app_RAND_write_file(const char *file, BIO *bio_e)
+{
+    char buffer[200];
+
+    if (egdsocket || !seeded)
+        /*
+         * If we did not manage to read the seed file, we should not write a
+         * low-entropy seed file back -- it would suppress a crucial warning
+         * the next time we want to use it.
+         */
+        return 0;
+
+    if (file == NULL)
+        file = RAND_file_name(buffer, sizeof buffer);
+    if (file == NULL || !RAND_write_file(file)) {
+        BIO_printf(bio_e, "unable to write 'random state'\n");
+        return 0;
+    }
+    return 1;
+}
+
+void app_RAND_allow_write_file(void)
+{
+    seeded = 1;
+}
diff --git a/openssl/apps/apps.c b/openssl/apps/apps.c
new file mode 100644
index 0000000..c487bd9
--- /dev/null
+++ b/openssl/apps/apps.c
@@ -0,0 +1,3279 @@
+/* apps/apps.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
+/*
+ * On VMS, you need to define this to get the declaration of fileno().  The
+ * value 2 is to make sure no function defined in POSIX-2 is left undefined.
+ */
+# define _POSIX_C_SOURCE 2
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <ctype.h>
+#include <errno.h>
+#include <assert.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/pem.h>
+#include <openssl/pkcs12.h>
+#include <openssl/ui.h>
+#include <openssl/safestack.h>
+#ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+#endif
+#ifndef OPENSSL_NO_RSA
+# include <openssl/rsa.h>
+#endif
+#include <openssl/bn.h>
+#ifndef OPENSSL_NO_JPAKE
+# include <openssl/jpake.h>
+#endif
+
+#define NON_MAIN
+#include "apps.h"
+#undef NON_MAIN
+
+#ifdef _WIN32
+static int WIN32_rename(const char *from, const char *to);
+# define rename(from,to) WIN32_rename((from),(to))
+#endif
+
+typedef struct {
+    const char *name;
+    unsigned long flag;
+    unsigned long mask;
+} NAME_EX_TBL;
+
+static UI_METHOD *ui_method = NULL;
+
+static int set_table_opts(unsigned long *flags, const char *arg,
+                          const NAME_EX_TBL * in_tbl);
+static int set_multi_opts(unsigned long *flags, const char *arg,
+                          const NAME_EX_TBL * in_tbl);
+
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
+/* Looks like this stuff is worth moving into separate function */
+static EVP_PKEY *load_netscape_key(BIO *err, BIO *key, const char *file,
+                                   const char *key_descrip, int format);
+#endif
+
+int app_init(long mesgwin);
+#ifdef undef                    /* never finished - probably never will be
+                                 * :-) */
+int args_from_file(char *file, int *argc, char **argv[])
+{
+    FILE *fp;
+    int num, i;
+    unsigned int len;
+    static char *buf = NULL;
+    static char **arg = NULL;
+    char *p;
+
+    fp = fopen(file, "r");
+    if (fp == NULL)
+        return (0);
+
+    if (fseek(fp, 0, SEEK_END) == 0)
+        len = ftell(fp), rewind(fp);
+    else
+        len = -1;
+    if (len <= 0) {
+        fclose(fp);
+        return (0);
+    }
+
+    *argc = 0;
+    *argv = NULL;
+
+    if (buf != NULL)
+        OPENSSL_free(buf);
+    buf = (char *)OPENSSL_malloc(len + 1);
+    if (buf == NULL)
+        return (0);
+
+    len = fread(buf, 1, len, fp);
+    if (len <= 1)
+        return (0);
+    buf[len] = '\0';
+
+    i = 0;
+    for (p = buf; *p; p++)
+        if (*p == '\n')
+            i++;
+    if (arg != NULL)
+        OPENSSL_free(arg);
+    arg = (char **)OPENSSL_malloc(sizeof(char *) * (i * 2));
+    if (arg == NULL)
+        return 0;
+    *argv = arg;
+    num = 0;
+    p = buf;
+    for (;;) {
+        if (!*p)
+            break;
+        if (*p == '#') {        /* comment line */
+            while (*p && (*p != '\n'))
+                p++;
+            continue;
+        }
+        /* else we have a line */
+        *(arg++) = p;
+        num++;
+        while (*p && ((*p != ' ') && (*p != '\t') && (*p != '\n')))
+            p++;
+        if (!*p)
+            break;
+        if (*p == '\n') {
+            *(p++) = '\0';
+            continue;
+        }
+        /* else it is a tab or space */
+        p++;
+        while (*p && ((*p == ' ') || (*p == '\t') || (*p == '\n')))
+            p++;
+        if (!*p)
+            break;
+        if (*p == '\n') {
+            p++;
+            continue;
+        }
+        *(arg++) = p++;
+        num++;
+        while (*p && (*p != '\n'))
+            p++;
+        if (!*p)
+            break;
+        /* else *p == '\n' */
+        *(p++) = '\0';
+    }
+    *argc = num;
+    return (1);
+}
+#endif
+
+int str2fmt(char *s)
+{
+    if (s == NULL)
+        return FORMAT_UNDEF;
+    if ((*s == 'D') || (*s == 'd'))
+        return (FORMAT_ASN1);
+    else if ((*s == 'T') || (*s == 't'))
+        return (FORMAT_TEXT);
+    else if ((*s == 'N') || (*s == 'n'))
+        return (FORMAT_NETSCAPE);
+    else if ((*s == 'S') || (*s == 's'))
+        return (FORMAT_SMIME);
+    else if ((*s == 'M') || (*s == 'm'))
+        return (FORMAT_MSBLOB);
+    else if ((*s == '1')
+             || (strcmp(s, "PKCS12") == 0) || (strcmp(s, "pkcs12") == 0)
+             || (strcmp(s, "P12") == 0) || (strcmp(s, "p12") == 0))
+        return (FORMAT_PKCS12);
+    else if ((*s == 'E') || (*s == 'e'))
+        return (FORMAT_ENGINE);
+    else if ((*s == 'H') || (*s == 'h'))
+        return FORMAT_HTTP;
+    else if ((*s == 'P') || (*s == 'p')) {
+        if (s[1] == 'V' || s[1] == 'v')
+            return FORMAT_PVK;
+        else
+            return (FORMAT_PEM);
+    } else
+        return (FORMAT_UNDEF);
+}
+
+#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16) || defined(OPENSSL_SYS_NETWARE)
+void program_name(char *in, char *out, int size)
+{
+    int i, n;
+    char *p = NULL;
+
+    n = strlen(in);
+    /* find the last '/', '\' or ':' */
+    for (i = n - 1; i > 0; i--) {
+        if ((in[i] == '/') || (in[i] == '\\') || (in[i] == ':')) {
+            p = &(in[i + 1]);
+            break;
+        }
+    }
+    if (p == NULL)
+        p = in;
+    n = strlen(p);
+
+# if defined(OPENSSL_SYS_NETWARE)
+    /* strip off trailing .nlm if present. */
+    if ((n > 4) && (p[n - 4] == '.') &&
+        ((p[n - 3] == 'n') || (p[n - 3] == 'N')) &&
+        ((p[n - 2] == 'l') || (p[n - 2] == 'L')) &&
+        ((p[n - 1] == 'm') || (p[n - 1] == 'M')))
+        n -= 4;
+# else
+    /* strip off trailing .exe if present. */
+    if ((n > 4) && (p[n - 4] == '.') &&
+        ((p[n - 3] == 'e') || (p[n - 3] == 'E')) &&
+        ((p[n - 2] == 'x') || (p[n - 2] == 'X')) &&
+        ((p[n - 1] == 'e') || (p[n - 1] == 'E')))
+        n -= 4;
+# endif
+
+    if (n > size - 1)
+        n = size - 1;
+
+    for (i = 0; i < n; i++) {
+        if ((p[i] >= 'A') && (p[i] <= 'Z'))
+            out[i] = p[i] - 'A' + 'a';
+        else
+            out[i] = p[i];
+    }
+    out[n] = '\0';
+}
+#else
+# ifdef OPENSSL_SYS_VMS
+void program_name(char *in, char *out, int size)
+{
+    char *p = in, *q;
+    char *chars = ":]>";
+
+    while (*chars != '\0') {
+        q = strrchr(p, *chars);
+        if (q > p)
+            p = q + 1;
+        chars++;
+    }
+
+    q = strrchr(p, '.');
+    if (q == NULL)
+        q = p + strlen(p);
+    strncpy(out, p, size - 1);
+    if (q - p >= size) {
+        out[size - 1] = '\0';
+    } else {
+        out[q - p] = '\0';
+    }
+}
+# else
+void program_name(char *in, char *out, int size)
+{
+    char *p;
+
+    p = strrchr(in, '/');
+    if (p != NULL)
+        p++;
+    else
+        p = in;
+    BUF_strlcpy(out, p, size);
+}
+# endif
+#endif
+
+int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
+{
+    int num, i;
+    char *p;
+
+    *argc = 0;
+    *argv = NULL;
+
+    i = 0;
+    if (arg->count == 0) {
+        arg->count = 20;
+        arg->data = (char **)OPENSSL_malloc(sizeof(char *) * arg->count);
+        if (arg->data == NULL)
+            return 0;
+    }
+    for (i = 0; i < arg->count; i++)
+        arg->data[i] = NULL;
+
+    num = 0;
+    p = buf;
+    for (;;) {
+        /* first scan over white space */
+        if (!*p)
+            break;
+        while (*p && ((*p == ' ') || (*p == '\t') || (*p == '\n')))
+            p++;
+        if (!*p)
+            break;
+
+        /* The start of something good :-) */
+        if (num >= arg->count) {
+            char **tmp_p;
+            int tlen = arg->count + 20;
+            tmp_p = (char **)OPENSSL_realloc(arg->data,
+                                             sizeof(char *) * tlen);
+            if (tmp_p == NULL)
+                return 0;
+            arg->data = tmp_p;
+            arg->count = tlen;
+            /* initialize newly allocated data */
+            for (i = num; i < arg->count; i++)
+                arg->data[i] = NULL;
+        }
+        arg->data[num++] = p;
+
+        /* now look for the end of this */
+        if ((*p == '\'') || (*p == '\"')) { /* scan for closing quote */
+            i = *(p++);
+            arg->data[num - 1]++; /* jump over quote */
+            while (*p && (*p != i))
+                p++;
+            *p = '\0';
+        } else {
+            while (*p && ((*p != ' ') && (*p != '\t') && (*p != '\n')))
+                p++;
+
+            if (*p == '\0')
+                p--;
+            else
+                *p = '\0';
+        }
+        p++;
+    }
+    *argc = num;
+    *argv = arg->data;
+    return (1);
+}
+
+#ifndef APP_INIT
+int app_init(long mesgwin)
+{
+    return (1);
+}
+#endif
+
+int dump_cert_text(BIO *out, X509 *x)
+{
+    char *p;
+
+    p = X509_NAME_oneline(X509_get_subject_name(x), NULL, 0);
+    BIO_puts(out, "subject=");
+    BIO_puts(out, p);
+    OPENSSL_free(p);
+
+    p = X509_NAME_oneline(X509_get_issuer_name(x), NULL, 0);
+    BIO_puts(out, "\nissuer=");
+    BIO_puts(out, p);
+    BIO_puts(out, "\n");
+    OPENSSL_free(p);
+
+    return 0;
+}
+
+static int ui_open(UI *ui)
+{
+    return UI_method_get_opener(UI_OpenSSL())(ui);
+}
+
+static int ui_read(UI *ui, UI_STRING *uis)
+{
+    if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD
+        && UI_get0_user_data(ui)) {
+        switch (UI_get_string_type(uis)) {
+        case UIT_PROMPT:
+        case UIT_VERIFY:
+            {
+                const char *password =
+                    ((PW_CB_DATA *)UI_get0_user_data(ui))->password;
+                if (password && password[0] != '\0') {
+                    UI_set_result(ui, uis, password);
+                    return 1;
+                }
+            }
+        default:
+            break;
+        }
+    }
+    return UI_method_get_reader(UI_OpenSSL())(ui, uis);
+}
+
+static int ui_write(UI *ui, UI_STRING *uis)
+{
+    if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD
+        && UI_get0_user_data(ui)) {
+        switch (UI_get_string_type(uis)) {
+        case UIT_PROMPT:
+        case UIT_VERIFY:
+            {
+                const char *password =
+                    ((PW_CB_DATA *)UI_get0_user_data(ui))->password;
+                if (password && password[0] != '\0')
+                    return 1;
+            }
+        default:
+            break;
+        }
+    }
+    return UI_method_get_writer(UI_OpenSSL())(ui, uis);
+}
+
+static int ui_close(UI *ui)
+{
+    return UI_method_get_closer(UI_OpenSSL())(ui);
+}
+
+int setup_ui_method(void)
+{
+    ui_method = UI_create_method("OpenSSL application user interface");
+    UI_method_set_opener(ui_method, ui_open);
+    UI_method_set_reader(ui_method, ui_read);
+    UI_method_set_writer(ui_method, ui_write);
+    UI_method_set_closer(ui_method, ui_close);
+    return 0;
+}
+
+void destroy_ui_method(void)
+{
+    if (ui_method) {
+        UI_destroy_method(ui_method);
+        ui_method = NULL;
+    }
+}
+
+int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
+{
+    UI *ui = NULL;
+    int res = 0;
+    const char *prompt_info = NULL;
+    const char *password = NULL;
+    PW_CB_DATA *cb_data = (PW_CB_DATA *)cb_tmp;
+
+    if (cb_data) {
+        if (cb_data->password)
+            password = cb_data->password;
+        if (cb_data->prompt_info)
+            prompt_info = cb_data->prompt_info;
+    }
+
+    if (password) {
+        res = strlen(password);
+        if (res > bufsiz)
+            res = bufsiz;
+        memcpy(buf, password, res);
+        return res;
+    }
+
+    ui = UI_new_method(ui_method);
+    if (ui) {
+        int ok = 0;
+        char *buff = NULL;
+        int ui_flags = 0;
+        char *prompt = NULL;
+
+        prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
+        if (!prompt) {
+            BIO_printf(bio_err, "Out of memory\n");
+            UI_free(ui);
+            return 0;
+        }
+
+        ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
+        UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
+
+        if (ok >= 0)
+            ok = UI_add_input_string(ui, prompt, ui_flags, buf,
+                                     PW_MIN_LENGTH, bufsiz - 1);
+        if (ok >= 0 && verify) {
+            buff = (char *)OPENSSL_malloc(bufsiz);
+            if (!buff) {
+                BIO_printf(bio_err, "Out of memory\n");
+                UI_free(ui);
+                OPENSSL_free(prompt);
+                return 0;
+            }
+            ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
+                                      PW_MIN_LENGTH, bufsiz - 1, buf);
+        }
+        if (ok >= 0)
+            do {
+                ok = UI_process(ui);
+            }
+            while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));
+
+        if (buff) {
+            OPENSSL_cleanse(buff, (unsigned int)bufsiz);
+            OPENSSL_free(buff);
+        }
+
+        if (ok >= 0)
+            res = strlen(buf);
+        if (ok == -1) {
+            BIO_printf(bio_err, "User interface error\n");
+            ERR_print_errors(bio_err);
+            OPENSSL_cleanse(buf, (unsigned int)bufsiz);
+            res = 0;
+        }
+        if (ok == -2) {
+            BIO_printf(bio_err, "aborted!\n");
+            OPENSSL_cleanse(buf, (unsigned int)bufsiz);
+            res = 0;
+        }
+        UI_free(ui);
+        OPENSSL_free(prompt);
+    }
+    return res;
+}
+
+static char *app_get_pass(BIO *err, char *arg, int keepbio);
+
+int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2)
+{
+    int same;
+    if (!arg2 || !arg1 || strcmp(arg1, arg2))
+        same = 0;
+    else
+        same = 1;
+    if (arg1) {
+        *pass1 = app_get_pass(err, arg1, same);
+        if (!*pass1)
+            return 0;
+    } else if (pass1)
+        *pass1 = NULL;
+    if (arg2) {
+        *pass2 = app_get_pass(err, arg2, same ? 2 : 0);
+        if (!*pass2)
+            return 0;
+    } else if (pass2)
+        *pass2 = NULL;
+    return 1;
+}
+
+static char *app_get_pass(BIO *err, char *arg, int keepbio)
+{
+    char *tmp, tpass[APP_PASS_LEN];
+    static BIO *pwdbio = NULL;
+    int i;
+    if (!strncmp(arg, "pass:", 5))
+        return BUF_strdup(arg + 5);
+    if (!strncmp(arg, "env:", 4)) {
+        tmp = getenv(arg + 4);
+        if (!tmp) {
+            BIO_printf(err, "Can't read environment variable %s\n", arg + 4);
+            return NULL;
+        }
+        return BUF_strdup(tmp);
+    }
+    if (!keepbio || !pwdbio) {
+        if (!strncmp(arg, "file:", 5)) {
+            pwdbio = BIO_new_file(arg + 5, "r");
+            if (!pwdbio) {
+                BIO_printf(err, "Can't open file %s\n", arg + 5);
+                return NULL;
+            }
+#if !defined(_WIN32)
+            /*
+             * Under _WIN32, which covers even Win64 and CE, file
+             * descriptors referenced by BIO_s_fd are not inherited
+             * by child process and therefore below is not an option.
+             * It could have been an option if bss_fd.c was operating
+             * on real Windows descriptors, such as those obtained
+             * with CreateFile.
+             */
+        } else if (!strncmp(arg, "fd:", 3)) {
+            BIO *btmp;
+            i = atoi(arg + 3);
+            if (i >= 0)
+                pwdbio = BIO_new_fd(i, BIO_NOCLOSE);
+            if ((i < 0) || !pwdbio) {
+                BIO_printf(err, "Can't access file descriptor %s\n", arg + 3);
+                return NULL;
+            }
+            /*
+             * Can't do BIO_gets on an fd BIO so add a buffering BIO
+             */
+            btmp = BIO_new(BIO_f_buffer());
+            pwdbio = BIO_push(btmp, pwdbio);
+#endif
+        } else if (!strcmp(arg, "stdin")) {
+            pwdbio = BIO_new_fp(stdin, BIO_NOCLOSE);
+            if (!pwdbio) {
+                BIO_printf(err, "Can't open BIO for stdin\n");
+                return NULL;
+            }
+        } else {
+            BIO_printf(err, "Invalid password argument \"%s\"\n", arg);
+            return NULL;
+        }
+    }
+    i = BIO_gets(pwdbio, tpass, APP_PASS_LEN);
+    if (keepbio != 1) {
+        BIO_free_all(pwdbio);
+        pwdbio = NULL;
+    }
+    if (i <= 0) {
+        BIO_printf(err, "Error reading password from BIO\n");
+        return NULL;
+    }
+    tmp = strchr(tpass, '\n');
+    if (tmp)
+        *tmp = 0;
+    return BUF_strdup(tpass);
+}
+
+int add_oid_section(BIO *err, CONF *conf)
+{
+    char *p;
+    STACK_OF(CONF_VALUE) *sktmp;
+    CONF_VALUE *cnf;
+    int i;
+    if (!(p = NCONF_get_string(conf, NULL, "oid_section"))) {
+        ERR_clear_error();
+        return 1;
+    }
+    if (!(sktmp = NCONF_get_section(conf, p))) {
+        BIO_printf(err, "problem loading oid section %s\n", p);
+        return 0;
+    }
+    for (i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
+        cnf = sk_CONF_VALUE_value(sktmp, i);
+        if (OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
+            BIO_printf(err, "problem creating object %s=%s\n",
+                       cnf->name, cnf->value);
+            return 0;
+        }
+    }
+    return 1;
+}
+
+static int load_pkcs12(BIO *err, BIO *in, const char *desc,
+                       pem_password_cb *pem_cb, void *cb_data,
+                       EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
+{
+    const char *pass;
+    char tpass[PEM_BUFSIZE];
+    int len, ret = 0;
+    PKCS12 *p12;
+    p12 = d2i_PKCS12_bio(in, NULL);
+    if (p12 == NULL) {
+        BIO_printf(err, "Error loading PKCS12 file for %s\n", desc);
+        goto die;
+    }
+    /* See if an empty password will do */
+    if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0))
+        pass = "";
+    else {
+        if (!pem_cb)
+            pem_cb = (pem_password_cb *)password_callback;
+        len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data);
+        if (len < 0) {
+            BIO_printf(err, "Passpharse callback error for %s\n", desc);
+            goto die;
+        }
+        if (len < PEM_BUFSIZE)
+            tpass[len] = 0;
+        if (!PKCS12_verify_mac(p12, tpass, len)) {
+            BIO_printf(err,
+                       "Mac verify error (wrong password?) in PKCS12 file for %s\n",
+                       desc);
+            goto die;
+        }
+        pass = tpass;
+    }
+    ret = PKCS12_parse(p12, pass, pkey, cert, ca);
+ die:
+    if (p12)
+        PKCS12_free(p12);
+    return ret;
+}
+
+int load_cert_crl_http(const char *url, BIO *err,
+                       X509 **pcert, X509_CRL **pcrl)
+{
+    char *host = NULL, *port = NULL, *path = NULL;
+    BIO *bio = NULL;
+    OCSP_REQ_CTX *rctx = NULL;
+    int use_ssl, rv = 0;
+    if (!OCSP_parse_url(url, &host, &port, &path, &use_ssl))
+        goto err;
+    if (use_ssl) {
+        if (err)
+            BIO_puts(err, "https not supported\n");
+        goto err;
+    }
+    bio = BIO_new_connect(host);
+    if (!bio || !BIO_set_conn_port(bio, port))
+        goto err;
+    rctx = OCSP_REQ_CTX_new(bio, 1024);
+    if (!rctx)
+        goto err;
+    if (!OCSP_REQ_CTX_http(rctx, "GET", path))
+        goto err;
+    if (!OCSP_REQ_CTX_add1_header(rctx, "Host", host))
+        goto err;
+    if (pcert) {
+        do {
+            rv = X509_http_nbio(rctx, pcert);
+        }
+        while (rv == -1);
+    } else {
+        do {
+            rv = X509_CRL_http_nbio(rctx, pcrl);
+        } while (rv == -1);
+    }
+
+ err:
+    if (host)
+        OPENSSL_free(host);
+    if (path)
+        OPENSSL_free(path);
+    if (port)
+        OPENSSL_free(port);
+    if (bio)
+        BIO_free_all(bio);
+    if (rctx)
+        OCSP_REQ_CTX_free(rctx);
+    if (rv != 1) {
+        if (bio && err)
+            BIO_printf(bio_err, "Error loading %s from %s\n",
+                       pcert ? "certificate" : "CRL", url);
+        ERR_print_errors(bio_err);
+    }
+    return rv;
+}
+
+X509 *load_cert(BIO *err, const char *file, int format,
+                const char *pass, ENGINE *e, const char *cert_descrip)
+{
+    X509 *x = NULL;
+    BIO *cert;
+
+    if (format == FORMAT_HTTP) {
+        load_cert_crl_http(file, err, &x, NULL);
+        return x;
+    }
+
+    if ((cert = BIO_new(BIO_s_file())) == NULL) {
+        ERR_print_errors(err);
+        goto end;
+    }
+
+    if (file == NULL) {
+#ifdef _IONBF
+# ifndef OPENSSL_NO_SETVBUF_IONBF
+        setvbuf(stdin, NULL, _IONBF, 0);
+# endif                         /* ndef OPENSSL_NO_SETVBUF_IONBF */
+#endif
+        BIO_set_fp(cert, stdin, BIO_NOCLOSE);
+    } else {
+        if (BIO_read_filename(cert, file) <= 0) {
+            BIO_printf(err, "Error opening %s %s\n", cert_descrip, file);
+            ERR_print_errors(err);
+            goto end;
+        }
+    }
+
+    if (format == FORMAT_ASN1)
+        x = d2i_X509_bio(cert, NULL);
+    else if (format == FORMAT_NETSCAPE) {
+        NETSCAPE_X509 *nx;
+        nx = ASN1_item_d2i_bio(ASN1_ITEM_rptr(NETSCAPE_X509), cert, NULL);
+        if (nx == NULL)
+            goto end;
+
+        if ((strncmp(NETSCAPE_CERT_HDR, (char *)nx->header->data,
+                     nx->header->length) != 0)) {
+            NETSCAPE_X509_free(nx);
+            BIO_printf(err, "Error reading header on certificate\n");
+            goto end;
+        }
+        x = nx->cert;
+        nx->cert = NULL;
+        NETSCAPE_X509_free(nx);
+    } else if (format == FORMAT_PEM)
+        x = PEM_read_bio_X509_AUX(cert, NULL,
+                                  (pem_password_cb *)password_callback, NULL);
+    else if (format == FORMAT_PKCS12) {
+        if (!load_pkcs12(err, cert, cert_descrip, NULL, NULL, NULL, &x, NULL))
+            goto end;
+    } else {
+        BIO_printf(err, "bad input format specified for %s\n", cert_descrip);
+        goto end;
+    }
+ end:
+    if (x == NULL) {
+        BIO_printf(err, "unable to load certificate\n");
+        ERR_print_errors(err);
+    }
+    if (cert != NULL)
+        BIO_free(cert);
+    return (x);
+}
+
+X509_CRL *load_crl(const char *infile, int format)
+{
+    X509_CRL *x = NULL;
+    BIO *in = NULL;
+
+    if (format == FORMAT_HTTP) {
+        load_cert_crl_http(infile, bio_err, NULL, &x);
+        return x;
+    }
+
+    in = BIO_new(BIO_s_file());
+    if (in == NULL) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (infile == NULL)
+        BIO_set_fp(in, stdin, BIO_NOCLOSE);
+    else {
+        if (BIO_read_filename(in, infile) <= 0) {
+            perror(infile);
+            goto end;
+        }
+    }
+    if (format == FORMAT_ASN1)
+        x = d2i_X509_CRL_bio(in, NULL);
+    else if (format == FORMAT_PEM)
+        x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
+    else {
+        BIO_printf(bio_err, "bad input format specified for input crl\n");
+        goto end;
+    }
+    if (x == NULL) {
+        BIO_printf(bio_err, "unable to load CRL\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+ end:
+    BIO_free(in);
+    return (x);
+}
+
+EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
+                   const char *pass, ENGINE *e, const char *key_descrip)
+{
+    BIO *key = NULL;
+    EVP_PKEY *pkey = NULL;
+    PW_CB_DATA cb_data;
+
+    cb_data.password = pass;
+    cb_data.prompt_info = file;
+
+    if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
+        BIO_printf(err, "no keyfile specified\n");
+        goto end;
+    }
+#ifndef OPENSSL_NO_ENGINE
+    if (format == FORMAT_ENGINE) {
+        if (!e)
+            BIO_printf(err, "no engine specified\n");
+        else {
+            if (ENGINE_init(e)) {
+                pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data);
+                ENGINE_finish(e);
+            }
+            if (!pkey) {
+                BIO_printf(err, "cannot load %s from engine\n", key_descrip);
+                ERR_print_errors(err);
+            }
+        }
+        goto end;
+    }
+#endif
+    key = BIO_new(BIO_s_file());
+    if (key == NULL) {
+        ERR_print_errors(err);
+        goto end;
+    }
+    if (file == NULL && maybe_stdin) {
+#ifdef _IONBF
+# ifndef OPENSSL_NO_SETVBUF_IONBF
+        setvbuf(stdin, NULL, _IONBF, 0);
+# endif                         /* ndef OPENSSL_NO_SETVBUF_IONBF */
+#endif
+        BIO_set_fp(key, stdin, BIO_NOCLOSE);
+    } else if (BIO_read_filename(key, file) <= 0) {
+        BIO_printf(err, "Error opening %s %s\n", key_descrip, file);
+        ERR_print_errors(err);
+        goto end;
+    }
+    if (format == FORMAT_ASN1) {
+        pkey = d2i_PrivateKey_bio(key, NULL);
+    } else if (format == FORMAT_PEM) {
+        pkey = PEM_read_bio_PrivateKey(key, NULL,
+                                       (pem_password_cb *)password_callback,
+                                       &cb_data);
+    }
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
+    else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
+        pkey = load_netscape_key(err, key, file, key_descrip, format);
+#endif
+    else if (format == FORMAT_PKCS12) {
+        if (!load_pkcs12(err, key, key_descrip,
+                         (pem_password_cb *)password_callback, &cb_data,
+                         &pkey, NULL, NULL))
+            goto end;
+    }
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
+    else if (format == FORMAT_MSBLOB)
+        pkey = b2i_PrivateKey_bio(key);
+    else if (format == FORMAT_PVK)
+        pkey = b2i_PVK_bio(key, (pem_password_cb *)password_callback,
+                           &cb_data);
+#endif
+    else {
+        BIO_printf(err, "bad input format specified for key file\n");
+        goto end;
+    }
+ end:
+    if (key != NULL)
+        BIO_free(key);
+    if (pkey == NULL) {
+        BIO_printf(err, "unable to load %s\n", key_descrip);
+        ERR_print_errors(err);
+    }
+    return (pkey);
+}
+
+EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
+                      const char *pass, ENGINE *e, const char *key_descrip)
+{
+    BIO *key = NULL;
+    EVP_PKEY *pkey = NULL;
+    PW_CB_DATA cb_data;
+
+    cb_data.password = pass;
+    cb_data.prompt_info = file;
+
+    if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
+        BIO_printf(err, "no keyfile specified\n");
+        goto end;
+    }
+#ifndef OPENSSL_NO_ENGINE
+    if (format == FORMAT_ENGINE) {
+        if (!e)
+            BIO_printf(bio_err, "no engine specified\n");
+        else
+            pkey = ENGINE_load_public_key(e, file, ui_method, &cb_data);
+        goto end;
+    }
+#endif
+    key = BIO_new(BIO_s_file());
+    if (key == NULL) {
+        ERR_print_errors(err);
+        goto end;
+    }
+    if (file == NULL && maybe_stdin) {
+#ifdef _IONBF
+# ifndef OPENSSL_NO_SETVBUF_IONBF
+        setvbuf(stdin, NULL, _IONBF, 0);
+# endif                         /* ndef OPENSSL_NO_SETVBUF_IONBF */
+#endif
+        BIO_set_fp(key, stdin, BIO_NOCLOSE);
+    } else if (BIO_read_filename(key, file) <= 0) {
+        BIO_printf(err, "Error opening %s %s\n", key_descrip, file);
+        ERR_print_errors(err);
+        goto end;
+    }
+    if (format == FORMAT_ASN1) {
+        pkey = d2i_PUBKEY_bio(key, NULL);
+    }
+#ifndef OPENSSL_NO_RSA
+    else if (format == FORMAT_ASN1RSA) {
+        RSA *rsa;
+        rsa = d2i_RSAPublicKey_bio(key, NULL);
+        if (rsa) {
+            pkey = EVP_PKEY_new();
+            if (pkey)
+                EVP_PKEY_set1_RSA(pkey, rsa);
+            RSA_free(rsa);
+        } else
+            pkey = NULL;
+    } else if (format == FORMAT_PEMRSA) {
+        RSA *rsa;
+        rsa = PEM_read_bio_RSAPublicKey(key, NULL,
+                                        (pem_password_cb *)password_callback,
+                                        &cb_data);
+        if (rsa) {
+            pkey = EVP_PKEY_new();
+            if (pkey)
+                EVP_PKEY_set1_RSA(pkey, rsa);
+            RSA_free(rsa);
+        } else
+            pkey = NULL;
+    }
+#endif
+    else if (format == FORMAT_PEM) {
+        pkey = PEM_read_bio_PUBKEY(key, NULL,
+                                   (pem_password_cb *)password_callback,
+                                   &cb_data);
+    }
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
+    else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
+        pkey = load_netscape_key(err, key, file, key_descrip, format);
+#endif
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
+    else if (format == FORMAT_MSBLOB)
+        pkey = b2i_PublicKey_bio(key);
+#endif
+    else {
+        BIO_printf(err, "bad input format specified for key file\n");
+        goto end;
+    }
+ end:
+    if (key != NULL)
+        BIO_free(key);
+    if (pkey == NULL)
+        BIO_printf(err, "unable to load %s\n", key_descrip);
+    return (pkey);
+}
+
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
+static EVP_PKEY *load_netscape_key(BIO *err, BIO *key, const char *file,
+                                   const char *key_descrip, int format)
+{
+    EVP_PKEY *pkey;
+    BUF_MEM *buf;
+    RSA *rsa;
+    const unsigned char *p;
+    int size, i;
+
+    buf = BUF_MEM_new();
+    pkey = EVP_PKEY_new();
+    size = 0;
+    if (buf == NULL || pkey == NULL)
+        goto error;
+    for (;;) {
+        if (!BUF_MEM_grow_clean(buf, size + 1024 * 10))
+            goto error;
+        i = BIO_read(key, &(buf->data[size]), 1024 * 10);
+        size += i;
+        if (i == 0)
+            break;
+        if (i < 0) {
+            BIO_printf(err, "Error reading %s %s", key_descrip, file);
+            goto error;
+        }
+    }
+    p = (unsigned char *)buf->data;
+    rsa = d2i_RSA_NET(NULL, &p, (long)size, NULL,
+                      (format == FORMAT_IISSGC ? 1 : 0));
+    if (rsa == NULL)
+        goto error;
+    BUF_MEM_free(buf);
+    EVP_PKEY_set1_RSA(pkey, rsa);
+    return pkey;
+ error:
+    BUF_MEM_free(buf);
+    EVP_PKEY_free(pkey);
+    return NULL;
+}
+#endif                          /* ndef OPENSSL_NO_RC4 */
+
+static int load_certs_crls(BIO *err, const char *file, int format,
+                           const char *pass, ENGINE *e, const char *desc,
+                           STACK_OF(X509) **pcerts,
+                           STACK_OF(X509_CRL) **pcrls)
+{
+    int i;
+    BIO *bio;
+    STACK_OF(X509_INFO) *xis = NULL;
+    X509_INFO *xi;
+    PW_CB_DATA cb_data;
+    int rv = 0;
+
+    cb_data.password = pass;
+    cb_data.prompt_info = file;
+
+    if (format != FORMAT_PEM) {
+        BIO_printf(err, "bad input format specified for %s\n", desc);
+        return 0;
+    }
+
+    if (file == NULL)
+        bio = BIO_new_fp(stdin, BIO_NOCLOSE);
+    else
+        bio = BIO_new_file(file, "r");
+
+    if (bio == NULL) {
+        BIO_printf(err, "Error opening %s %s\n", desc, file ? file : "stdin");
+        ERR_print_errors(err);
+        return 0;
+    }
+
+    xis = PEM_X509_INFO_read_bio(bio, NULL,
+                                 (pem_password_cb *)password_callback,
+                                 &cb_data);
+
+    BIO_free(bio);
+
+    if (pcerts) {
+        *pcerts = sk_X509_new_null();
+        if (!*pcerts)
+            goto end;
+    }
+
+    if (pcrls) {
+        *pcrls = sk_X509_CRL_new_null();
+        if (!*pcrls)
+            goto end;
+    }
+
+    for (i = 0; i < sk_X509_INFO_num(xis); i++) {
+        xi = sk_X509_INFO_value(xis, i);
+        if (xi->x509 && pcerts) {
+            if (!sk_X509_push(*pcerts, xi->x509))
+                goto end;
+            xi->x509 = NULL;
+        }
+        if (xi->crl && pcrls) {
+            if (!sk_X509_CRL_push(*pcrls, xi->crl))
+                goto end;
+            xi->crl = NULL;
+        }
+    }
+
+    if (pcerts && sk_X509_num(*pcerts) > 0)
+        rv = 1;
+
+    if (pcrls && sk_X509_CRL_num(*pcrls) > 0)
+        rv = 1;
+
+ end:
+
+    if (xis)
+        sk_X509_INFO_pop_free(xis, X509_INFO_free);
+
+    if (rv == 0) {
+        if (pcerts) {
+            sk_X509_pop_free(*pcerts, X509_free);
+            *pcerts = NULL;
+        }
+        if (pcrls) {
+            sk_X509_CRL_pop_free(*pcrls, X509_CRL_free);
+            *pcrls = NULL;
+        }
+        BIO_printf(err, "unable to load %s\n",
+                   pcerts ? "certificates" : "CRLs");
+        ERR_print_errors(err);
+    }
+    return rv;
+}
+
+STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
+                           const char *pass, ENGINE *e, const char *desc)
+{
+    STACK_OF(X509) *certs;
+    if (!load_certs_crls(err, file, format, pass, e, desc, &certs, NULL))
+        return NULL;
+    return certs;
+}
+
+STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
+                              const char *pass, ENGINE *e, const char *desc)
+{
+    STACK_OF(X509_CRL) *crls;
+    if (!load_certs_crls(err, file, format, pass, e, desc, NULL, &crls))
+        return NULL;
+    return crls;
+}
+
+#define X509V3_EXT_UNKNOWN_MASK         (0xfL << 16)
+/* Return error for unknown extensions */
+#define X509V3_EXT_DEFAULT              0
+/* Print error for unknown extensions */
+#define X509V3_EXT_ERROR_UNKNOWN        (1L << 16)
+/* ASN1 parse unknown extensions */
+#define X509V3_EXT_PARSE_UNKNOWN        (2L << 16)
+/* BIO_dump unknown extensions */
+#define X509V3_EXT_DUMP_UNKNOWN         (3L << 16)
+
+#define X509_FLAG_CA (X509_FLAG_NO_ISSUER | X509_FLAG_NO_PUBKEY | \
+                         X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION)
+
+int set_cert_ex(unsigned long *flags, const char *arg)
+{
+    static const NAME_EX_TBL cert_tbl[] = {
+        {"compatible", X509_FLAG_COMPAT, 0xffffffffl},
+        {"ca_default", X509_FLAG_CA, 0xffffffffl},
+        {"no_header", X509_FLAG_NO_HEADER, 0},
+        {"no_version", X509_FLAG_NO_VERSION, 0},
+        {"no_serial", X509_FLAG_NO_SERIAL, 0},
+        {"no_signame", X509_FLAG_NO_SIGNAME, 0},
+        {"no_validity", X509_FLAG_NO_VALIDITY, 0},
+        {"no_subject", X509_FLAG_NO_SUBJECT, 0},
+        {"no_issuer", X509_FLAG_NO_ISSUER, 0},
+        {"no_pubkey", X509_FLAG_NO_PUBKEY, 0},
+        {"no_extensions", X509_FLAG_NO_EXTENSIONS, 0},
+        {"no_sigdump", X509_FLAG_NO_SIGDUMP, 0},
+        {"no_aux", X509_FLAG_NO_AUX, 0},
+        {"no_attributes", X509_FLAG_NO_ATTRIBUTES, 0},
+        {"ext_default", X509V3_EXT_DEFAULT, X509V3_EXT_UNKNOWN_MASK},
+        {"ext_error", X509V3_EXT_ERROR_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
+        {"ext_parse", X509V3_EXT_PARSE_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
+        {"ext_dump", X509V3_EXT_DUMP_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
+        {NULL, 0, 0}
+    };
+    return set_multi_opts(flags, arg, cert_tbl);
+}
+
+int set_name_ex(unsigned long *flags, const char *arg)
+{
+    static const NAME_EX_TBL ex_tbl[] = {
+        {"esc_2253", ASN1_STRFLGS_ESC_2253, 0},
+        {"esc_ctrl", ASN1_STRFLGS_ESC_CTRL, 0},
+        {"esc_msb", ASN1_STRFLGS_ESC_MSB, 0},
+        {"use_quote", ASN1_STRFLGS_ESC_QUOTE, 0},
+        {"utf8", ASN1_STRFLGS_UTF8_CONVERT, 0},
+        {"ignore_type", ASN1_STRFLGS_IGNORE_TYPE, 0},
+        {"show_type", ASN1_STRFLGS_SHOW_TYPE, 0},
+        {"dump_all", ASN1_STRFLGS_DUMP_ALL, 0},
+        {"dump_nostr", ASN1_STRFLGS_DUMP_UNKNOWN, 0},
+        {"dump_der", ASN1_STRFLGS_DUMP_DER, 0},
+        {"compat", XN_FLAG_COMPAT, 0xffffffffL},
+        {"sep_comma_plus", XN_FLAG_SEP_COMMA_PLUS, XN_FLAG_SEP_MASK},
+        {"sep_comma_plus_space", XN_FLAG_SEP_CPLUS_SPC, XN_FLAG_SEP_MASK},
+        {"sep_semi_plus_space", XN_FLAG_SEP_SPLUS_SPC, XN_FLAG_SEP_MASK},
+        {"sep_multiline", XN_FLAG_SEP_MULTILINE, XN_FLAG_SEP_MASK},
+        {"dn_rev", XN_FLAG_DN_REV, 0},
+        {"nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK},
+        {"sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK},
+        {"lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK},
+        {"align", XN_FLAG_FN_ALIGN, 0},
+        {"oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK},
+        {"space_eq", XN_FLAG_SPC_EQ, 0},
+        {"dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0},
+        {"RFC2253", XN_FLAG_RFC2253, 0xffffffffL},
+        {"oneline", XN_FLAG_ONELINE, 0xffffffffL},
+        {"multiline", XN_FLAG_MULTILINE, 0xffffffffL},
+        {"ca_default", XN_FLAG_MULTILINE, 0xffffffffL},
+        {NULL, 0, 0}
+    };
+    if (set_multi_opts(flags, arg, ex_tbl) == 0)
+        return 0;
+    if ((*flags & XN_FLAG_SEP_MASK) == 0)
+        *flags |= XN_FLAG_SEP_CPLUS_SPC;
+    return 1;
+}
+
+int set_ext_copy(int *copy_type, const char *arg)
+{
+    if (!strcasecmp(arg, "none"))
+        *copy_type = EXT_COPY_NONE;
+    else if (!strcasecmp(arg, "copy"))
+        *copy_type = EXT_COPY_ADD;
+    else if (!strcasecmp(arg, "copyall"))
+        *copy_type = EXT_COPY_ALL;
+    else
+        return 0;
+    return 1;
+}
+
+int copy_extensions(X509 *x, X509_REQ *req, int copy_type)
+{
+    STACK_OF(X509_EXTENSION) *exts = NULL;
+    X509_EXTENSION *ext, *tmpext;
+    ASN1_OBJECT *obj;
+    int i, idx, ret = 0;
+    if (!x || !req || (copy_type == EXT_COPY_NONE))
+        return 1;
+    exts = X509_REQ_get_extensions(req);
+
+    for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
+        ext = sk_X509_EXTENSION_value(exts, i);
+        obj = X509_EXTENSION_get_object(ext);
+        idx = X509_get_ext_by_OBJ(x, obj, -1);
+        /* Does extension exist? */
+        if (idx != -1) {
+            /* If normal copy don't override existing extension */
+            if (copy_type == EXT_COPY_ADD)
+                continue;
+            /* Delete all extensions of same type */
+            do {
+                tmpext = X509_get_ext(x, idx);
+                X509_delete_ext(x, idx);
+                X509_EXTENSION_free(tmpext);
+                idx = X509_get_ext_by_OBJ(x, obj, -1);
+            } while (idx != -1);
+        }
+        if (!X509_add_ext(x, ext, -1))
+            goto end;
+    }
+
+    ret = 1;
+
+ end:
+
+    sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+
+    return ret;
+}
+
+static int set_multi_opts(unsigned long *flags, const char *arg,
+                          const NAME_EX_TBL * in_tbl)
+{
+    STACK_OF(CONF_VALUE) *vals;
+    CONF_VALUE *val;
+    int i, ret = 1;
+    if (!arg)
+        return 0;
+    vals = X509V3_parse_list(arg);
+    for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
+        val = sk_CONF_VALUE_value(vals, i);
+        if (!set_table_opts(flags, val->name, in_tbl))
+            ret = 0;
+    }
+    sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
+    return ret;
+}
+
+static int set_table_opts(unsigned long *flags, const char *arg,
+                          const NAME_EX_TBL * in_tbl)
+{
+    char c;
+    const NAME_EX_TBL *ptbl;
+    c = arg[0];
+
+    if (c == '-') {
+        c = 0;
+        arg++;
+    } else if (c == '+') {
+        c = 1;
+        arg++;
+    } else
+        c = 1;
+
+    for (ptbl = in_tbl; ptbl->name; ptbl++) {
+        if (!strcasecmp(arg, ptbl->name)) {
+            *flags &= ~ptbl->mask;
+            if (c)
+                *flags |= ptbl->flag;
+            else
+                *flags &= ~ptbl->flag;
+            return 1;
+        }
+    }
+    return 0;
+}
+
+void print_name(BIO *out, const char *title, X509_NAME *nm,
+                unsigned long lflags)
+{
+    char *buf;
+    char mline = 0;
+    int indent = 0;
+
+    if (title)
+        BIO_puts(out, title);
+    if ((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
+        mline = 1;
+        indent = 4;
+    }
+    if (lflags == XN_FLAG_COMPAT) {
+        buf = X509_NAME_oneline(nm, 0, 0);
+        BIO_puts(out, buf);
+        BIO_puts(out, "\n");
+        OPENSSL_free(buf);
+    } else {
+        if (mline)
+            BIO_puts(out, "\n");
+        X509_NAME_print_ex(out, nm, indent, lflags);
+        BIO_puts(out, "\n");
+    }
+}
+
+X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath)
+{
+    X509_STORE *store;
+    X509_LOOKUP *lookup;
+    if (!(store = X509_STORE_new()))
+        goto end;
+    lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
+    if (lookup == NULL)
+        goto end;
+    if (CAfile) {
+        if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM)) {
+            BIO_printf(bp, "Error loading file %s\n", CAfile);
+            goto end;
+        }
+    } else
+        X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
+
+    lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
+    if (lookup == NULL)
+        goto end;
+    if (CApath) {
+        if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
+            BIO_printf(bp, "Error loading directory %s\n", CApath);
+            goto end;
+        }
+    } else
+        X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
+
+    ERR_clear_error();
+    return store;
+ end:
+    X509_STORE_free(store);
+    return NULL;
+}
+
+#ifndef OPENSSL_NO_ENGINE
+/* Try to load an engine in a shareable library */
+static ENGINE *try_load_engine(BIO *err, const char *engine, int debug)
+{
+    ENGINE *e = ENGINE_by_id("dynamic");
+    if (e) {
+        if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0)
+            || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
+            ENGINE_free(e);
+            e = NULL;
+        }
+    }
+    return e;
+}
+#endif
+
+ENGINE *setup_engine(BIO *err, const char *engine, int debug)
+{
+    ENGINE *e = NULL;
+
+#ifndef OPENSSL_NO_ENGINE
+    if (engine) {
+        if (strcmp(engine, "auto") == 0) {
+            BIO_printf(err, "enabling auto ENGINE support\n");
+            ENGINE_register_all_complete();
+            return NULL;
+        }
+        if ((e = ENGINE_by_id(engine)) == NULL
+            && (e = try_load_engine(err, engine, debug)) == NULL) {
+            BIO_printf(err, "invalid engine \"%s\"\n", engine);
+            ERR_print_errors(err);
+            return NULL;
+        }
+        if (debug) {
+            ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM, 0, err, 0);
+        }
+        ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, ui_method, 0, 1);
+        if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+            BIO_printf(err, "can't use that engine\n");
+            ERR_print_errors(err);
+            ENGINE_free(e);
+            return NULL;
+        }
+
+        BIO_printf(err, "engine \"%s\" set.\n", ENGINE_get_id(e));
+    }
+#endif
+    return e;
+}
+
+void release_engine(ENGINE *e)
+{
+#ifndef OPENSSL_NO_ENGINE
+    if (e != NULL)
+        /* Free our "structural" reference. */
+        ENGINE_free(e);
+#endif
+}
+
+int load_config(BIO *err, CONF *cnf)
+{
+    static int load_config_called = 0;
+    if (load_config_called)
+        return 1;
+    load_config_called = 1;
+    if (!cnf)
+        cnf = config;
+    if (!cnf)
+        return 1;
+
+    OPENSSL_load_builtin_modules();
+
+    if (CONF_modules_load(cnf, NULL, 0) <= 0) {
+        BIO_printf(err, "Error configuring OpenSSL\n");
+        ERR_print_errors(err);
+        return 0;
+    }
+    return 1;
+}
+
+char *make_config_name()
+{
+    const char *t = X509_get_default_cert_area();
+    size_t len;
+    char *p;
+
+    len = strlen(t) + strlen(OPENSSL_CONF) + 2;
+    p = OPENSSL_malloc(len);
+    if (p == NULL)
+        return NULL;
+    BUF_strlcpy(p, t, len);
+#ifndef OPENSSL_SYS_VMS
+    BUF_strlcat(p, "/", len);
+#endif
+    BUF_strlcat(p, OPENSSL_CONF, len);
+
+    return p;
+}
+
+static unsigned long index_serial_hash(const OPENSSL_CSTRING *a)
+{
+    const char *n;
+
+    n = a[DB_serial];
+    while (*n == '0')
+        n++;
+    return (lh_strhash(n));
+}
+
+static int index_serial_cmp(const OPENSSL_CSTRING *a,
+                            const OPENSSL_CSTRING *b)
+{
+    const char *aa, *bb;
+
+    for (aa = a[DB_serial]; *aa == '0'; aa++) ;
+    for (bb = b[DB_serial]; *bb == '0'; bb++) ;
+    return (strcmp(aa, bb));
+}
+
+static int index_name_qual(char **a)
+{
+    return (a[0][0] == 'V');
+}
+
+static unsigned long index_name_hash(const OPENSSL_CSTRING *a)
+{
+    return (lh_strhash(a[DB_name]));
+}
+
+int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
+{
+    return (strcmp(a[DB_name], b[DB_name]));
+}
+
+static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING)
+static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING)
+static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING)
+static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING)
+#undef BSIZE
+#define BSIZE 256
+BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai)
+{
+    BIO *in = NULL;
+    BIGNUM *ret = NULL;
+    MS_STATIC char buf[1024];
+    ASN1_INTEGER *ai = NULL;
+
+    ai = ASN1_INTEGER_new();
+    if (ai == NULL)
+        goto err;
+
+    if ((in = BIO_new(BIO_s_file())) == NULL) {
+        ERR_print_errors(bio_err);
+        goto err;
+    }
+
+    if (BIO_read_filename(in, serialfile) <= 0) {
+        if (!create) {
+            perror(serialfile);
+            goto err;
+        } else {
+            ret = BN_new();
+            if (ret == NULL || !rand_serial(ret, ai))
+                BIO_printf(bio_err, "Out of memory\n");
+        }
+    } else {
+        if (!a2i_ASN1_INTEGER(in, ai, buf, 1024)) {
+            BIO_printf(bio_err, "unable to load number from %s\n",
+                       serialfile);
+            goto err;
+        }
+        ret = ASN1_INTEGER_to_BN(ai, NULL);
+        if (ret == NULL) {
+            BIO_printf(bio_err,
+                       "error converting number from bin to BIGNUM\n");
+            goto err;
+        }
+    }
+
+    if (ret && retai) {
+        *retai = ai;
+        ai = NULL;
+    }
+ err:
+    if (in != NULL)
+        BIO_free(in);
+    if (ai != NULL)
+        ASN1_INTEGER_free(ai);
+    return (ret);
+}
+
+int save_serial(char *serialfile, char *suffix, BIGNUM *serial,
+                ASN1_INTEGER **retai)
+{
+    char buf[1][BSIZE];
+    BIO *out = NULL;
+    int ret = 0;
+    ASN1_INTEGER *ai = NULL;
+    int j;
+
+    if (suffix == NULL)
+        j = strlen(serialfile);
+    else
+        j = strlen(serialfile) + strlen(suffix) + 1;
+    if (j >= BSIZE) {
+        BIO_printf(bio_err, "file name too long\n");
+        goto err;
+    }
+
+    if (suffix == NULL)
+        BUF_strlcpy(buf[0], serialfile, BSIZE);
+    else {
+#ifndef OPENSSL_SYS_VMS
+        j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, suffix);
+#else
+        j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, suffix);
+#endif
+    }
+#ifdef RL_DEBUG
+    BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]);
+#endif
+    out = BIO_new(BIO_s_file());
+    if (out == NULL) {
+        ERR_print_errors(bio_err);
+        goto err;
+    }
+    if (BIO_write_filename(out, buf[0]) <= 0) {
+        perror(serialfile);
+        goto err;
+    }
+
+    if ((ai = BN_to_ASN1_INTEGER(serial, NULL)) == NULL) {
+        BIO_printf(bio_err, "error converting serial to ASN.1 format\n");
+        goto err;
+    }
+    i2a_ASN1_INTEGER(out, ai);
+    BIO_puts(out, "\n");
+    ret = 1;
+    if (retai) {
+        *retai = ai;
+        ai = NULL;
+    }
+ err:
+    if (out != NULL)
+        BIO_free_all(out);
+    if (ai != NULL)
+        ASN1_INTEGER_free(ai);
+    return (ret);
+}
+
+int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
+{
+    char buf[5][BSIZE];
+    int i, j;
+
+    i = strlen(serialfile) + strlen(old_suffix);
+    j = strlen(serialfile) + strlen(new_suffix);
+    if (i > j)
+        j = i;
+    if (j + 1 >= BSIZE) {
+        BIO_printf(bio_err, "file name too long\n");
+        goto err;
+    }
+#ifndef OPENSSL_SYS_VMS
+    j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, new_suffix);
+#else
+    j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, new_suffix);
+#endif
+#ifndef OPENSSL_SYS_VMS
+    j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", serialfile, old_suffix);
+#else
+    j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", serialfile, old_suffix);
+#endif
+#ifdef RL_DEBUG
+    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
+               serialfile, buf[1]);
+#endif
+    if (rename(serialfile, buf[1]) < 0 && errno != ENOENT
+#ifdef ENOTDIR
+        && errno != ENOTDIR
+#endif
+        ) {
+        BIO_printf(bio_err,
+                   "unable to rename %s to %s\n", serialfile, buf[1]);
+        perror("reason");
+        goto err;
+    }
+#ifdef RL_DEBUG
+    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
+               buf[0], serialfile);
+#endif
+    if (rename(buf[0], serialfile) < 0) {
+        BIO_printf(bio_err,
+                   "unable to rename %s to %s\n", buf[0], serialfile);
+        perror("reason");
+        rename(buf[1], serialfile);
+        goto err;
+    }
+    return 1;
+ err:
+    return 0;
+}
+
+int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
+{
+    BIGNUM *btmp;
+    int ret = 0;
+    if (b)
+        btmp = b;
+    else
+        btmp = BN_new();
+
+    if (!btmp)
+        return 0;
+
+    if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
+        goto error;
+    if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
+        goto error;
+
+    ret = 1;
+
+ error:
+
+    if (!b)
+        BN_free(btmp);
+
+    return ret;
+}
+
+CA_DB *load_index(char *dbfile, DB_ATTR *db_attr)
+{
+    CA_DB *retdb = NULL;
+    TXT_DB *tmpdb = NULL;
+    BIO *in = BIO_new(BIO_s_file());
+    CONF *dbattr_conf = NULL;
+    char buf[1][BSIZE];
+    long errorline = -1;
+
+    if (in == NULL) {
+        ERR_print_errors(bio_err);
+        goto err;
+    }
+    if (BIO_read_filename(in, dbfile) <= 0) {
+        perror(dbfile);
+        BIO_printf(bio_err, "unable to open '%s'\n", dbfile);
+        goto err;
+    }
+    if ((tmpdb = TXT_DB_read(in, DB_NUMBER)) == NULL)
+        goto err;
+
+#ifndef OPENSSL_SYS_VMS
+    BIO_snprintf(buf[0], sizeof buf[0], "%s.attr", dbfile);
+#else
+    BIO_snprintf(buf[0], sizeof buf[0], "%s-attr", dbfile);
+#endif
+    dbattr_conf = NCONF_new(NULL);
+    if (NCONF_load(dbattr_conf, buf[0], &errorline) <= 0) {
+        if (errorline > 0) {
+            BIO_printf(bio_err,
+                       "error on line %ld of db attribute file '%s'\n",
+                       errorline, buf[0]);
+            goto err;
+        } else {
+            NCONF_free(dbattr_conf);
+            dbattr_conf = NULL;
+        }
+    }
+
+    if ((retdb = OPENSSL_malloc(sizeof(CA_DB))) == NULL) {
+        fprintf(stderr, "Out of memory\n");
+        goto err;
+    }
+
+    retdb->db = tmpdb;
+    tmpdb = NULL;
+    if (db_attr)
+        retdb->attributes = *db_attr;
+    else {
+        retdb->attributes.unique_subject = 1;
+    }
+
+    if (dbattr_conf) {
+        char *p = NCONF_get_string(dbattr_conf, NULL, "unique_subject");
+        if (p) {
+#ifdef RL_DEBUG
+            BIO_printf(bio_err,
+                       "DEBUG[load_index]: unique_subject = \"%s\"\n", p);
+#endif
+            retdb->attributes.unique_subject = parse_yesno(p, 1);
+        }
+    }
+
+ err:
+    if (dbattr_conf)
+        NCONF_free(dbattr_conf);
+    if (tmpdb)
+        TXT_DB_free(tmpdb);
+    if (in)
+        BIO_free_all(in);
+    return retdb;
+}
+
+int index_index(CA_DB *db)
+{
+    if (!TXT_DB_create_index(db->db, DB_serial, NULL,
+                             LHASH_HASH_FN(index_serial),
+                             LHASH_COMP_FN(index_serial))) {
+        BIO_printf(bio_err,
+                   "error creating serial number index:(%ld,%ld,%ld)\n",
+                   db->db->error, db->db->arg1, db->db->arg2);
+        return 0;
+    }
+
+    if (db->attributes.unique_subject
+        && !TXT_DB_create_index(db->db, DB_name, index_name_qual,
+                                LHASH_HASH_FN(index_name),
+                                LHASH_COMP_FN(index_name))) {
+        BIO_printf(bio_err, "error creating name index:(%ld,%ld,%ld)\n",
+                   db->db->error, db->db->arg1, db->db->arg2);
+        return 0;
+    }
+    return 1;
+}
+
+int save_index(const char *dbfile, const char *suffix, CA_DB *db)
+{
+    char buf[3][BSIZE];
+    BIO *out = BIO_new(BIO_s_file());
+    int j;
+
+    if (out == NULL) {
+        ERR_print_errors(bio_err);
+        goto err;
+    }
+
+    j = strlen(dbfile) + strlen(suffix);
+    if (j + 6 >= BSIZE) {
+        BIO_printf(bio_err, "file name too long\n");
+        goto err;
+    }
+#ifndef OPENSSL_SYS_VMS
+    j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile);
+#else
+    j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile);
+#endif
+#ifndef OPENSSL_SYS_VMS
+    j = BIO_snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix);
+#else
+    j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix);
+#endif
+#ifndef OPENSSL_SYS_VMS
+    j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix);
+#else
+    j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, suffix);
+#endif
+#ifdef RL_DEBUG
+    BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]);
+#endif
+    if (BIO_write_filename(out, buf[0]) <= 0) {
+        perror(dbfile);
+        BIO_printf(bio_err, "unable to open '%s'\n", dbfile);
+        goto err;
+    }
+    j = TXT_DB_write(out, db->db);
+    if (j <= 0)
+        goto err;
+
+    BIO_free(out);
+
+    out = BIO_new(BIO_s_file());
+#ifdef RL_DEBUG
+    BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[1]);
+#endif
+    if (BIO_write_filename(out, buf[1]) <= 0) {
+        perror(buf[2]);
+        BIO_printf(bio_err, "unable to open '%s'\n", buf[2]);
+        goto err;
+    }
+    BIO_printf(out, "unique_subject = %s\n",
+               db->attributes.unique_subject ? "yes" : "no");
+    BIO_free(out);
+
+    return 1;
+ err:
+    return 0;
+}
+
+int rotate_index(const char *dbfile, const char *new_suffix,
+                 const char *old_suffix)
+{
+    char buf[5][BSIZE];
+    int i, j;
+
+    i = strlen(dbfile) + strlen(old_suffix);
+    j = strlen(dbfile) + strlen(new_suffix);
+    if (i > j)
+        j = i;
+    if (j + 6 >= BSIZE) {
+        BIO_printf(bio_err, "file name too long\n");
+        goto err;
+    }
+#ifndef OPENSSL_SYS_VMS
+    j = BIO_snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile);
+#else
+    j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile);
+#endif
+#ifndef OPENSSL_SYS_VMS
+    j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr.%s", dbfile, new_suffix);
+#else
+    j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s", dbfile, new_suffix);
+#endif
+#ifndef OPENSSL_SYS_VMS
+    j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, new_suffix);
+#else
+    j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, new_suffix);
+#endif
+#ifndef OPENSSL_SYS_VMS
+    j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", dbfile, old_suffix);
+#else
+    j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", dbfile, old_suffix);
+#endif
+#ifndef OPENSSL_SYS_VMS
+    j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s", dbfile, old_suffix);
+#else
+    j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s", dbfile, old_suffix);
+#endif
+#ifdef RL_DEBUG
+    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", dbfile, buf[1]);
+#endif
+    if (rename(dbfile, buf[1]) < 0 && errno != ENOENT
+#ifdef ENOTDIR
+        && errno != ENOTDIR
+#endif
+        ) {
+        BIO_printf(bio_err, "unable to rename %s to %s\n", dbfile, buf[1]);
+        perror("reason");
+        goto err;
+    }
+#ifdef RL_DEBUG
+    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[0], dbfile);
+#endif
+    if (rename(buf[0], dbfile) < 0) {
+        BIO_printf(bio_err, "unable to rename %s to %s\n", buf[0], dbfile);
+        perror("reason");
+        rename(buf[1], dbfile);
+        goto err;
+    }
+#ifdef RL_DEBUG
+    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[4], buf[3]);
+#endif
+    if (rename(buf[4], buf[3]) < 0 && errno != ENOENT
+#ifdef ENOTDIR
+        && errno != ENOTDIR
+#endif
+        ) {
+        BIO_printf(bio_err, "unable to rename %s to %s\n", buf[4], buf[3]);
+        perror("reason");
+        rename(dbfile, buf[0]);
+        rename(buf[1], dbfile);
+        goto err;
+    }
+#ifdef RL_DEBUG
+    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[2], buf[4]);
+#endif
+    if (rename(buf[2], buf[4]) < 0) {
+        BIO_printf(bio_err, "unable to rename %s to %s\n", buf[2], buf[4]);
+        perror("reason");
+        rename(buf[3], buf[4]);
+        rename(dbfile, buf[0]);
+        rename(buf[1], dbfile);
+        goto err;
+    }
+    return 1;
+ err:
+    return 0;
+}
+
+void free_index(CA_DB *db)
+{
+    if (db) {
+        if (db->db)
+            TXT_DB_free(db->db);
+        OPENSSL_free(db);
+    }
+}
+
+int parse_yesno(const char *str, int def)
+{
+    int ret = def;
+    if (str) {
+        switch (*str) {
+        case 'f':              /* false */
+        case 'F':              /* FALSE */
+        case 'n':              /* no */
+        case 'N':              /* NO */
+        case '0':              /* 0 */
+            ret = 0;
+            break;
+        case 't':              /* true */
+        case 'T':              /* TRUE */
+        case 'y':              /* yes */
+        case 'Y':              /* YES */
+        case '1':              /* 1 */
+            ret = 1;
+            break;
+        default:
+            ret = def;
+            break;
+        }
+    }
+    return ret;
+}
+
+/*
+ * subject is expected to be in the format /type0=value0/type1=value1/type2=...
+ * where characters may be escaped by \
+ */
+X509_NAME *parse_name(char *subject, long chtype, int multirdn)
+{
+    size_t buflen = strlen(subject) + 1; /* to copy the types and values
+                                          * into. due to escaping, the copy
+                                          * can only become shorter */
+    char *buf = OPENSSL_malloc(buflen);
+    size_t max_ne = buflen / 2 + 1; /* maximum number of name elements */
+    char **ne_types = OPENSSL_malloc(max_ne * sizeof(char *));
+    char **ne_values = OPENSSL_malloc(max_ne * sizeof(char *));
+    int *mval = OPENSSL_malloc(max_ne * sizeof(int));
+
+    char *sp = subject, *bp = buf;
+    int i, ne_num = 0;
+
+    X509_NAME *n = NULL;
+    int nid;
+
+    if (!buf || !ne_types || !ne_values || !mval) {
+        BIO_printf(bio_err, "malloc error\n");
+        goto error;
+    }
+
+    if (*subject != '/') {
+        BIO_printf(bio_err, "Subject does not start with '/'.\n");
+        goto error;
+    }
+    sp++;                       /* skip leading / */
+
+    /* no multivalued RDN by default */
+    mval[ne_num] = 0;
+
+    while (*sp) {
+        /* collect type */
+        ne_types[ne_num] = bp;
+        while (*sp) {
+            if (*sp == '\\') {  /* is there anything to escape in the
+                                 * type...? */
+                if (*++sp)
+                    *bp++ = *sp++;
+                else {
+                    BIO_printf(bio_err,
+                               "escape character at end of string\n");
+                    goto error;
+                }
+            } else if (*sp == '=') {
+                sp++;
+                *bp++ = '\0';
+                break;
+            } else
+                *bp++ = *sp++;
+        }
+        if (!*sp) {
+            BIO_printf(bio_err,
+                       "end of string encountered while processing type of subject name element #%d\n",
+                       ne_num);
+            goto error;
+        }
+        ne_values[ne_num] = bp;
+        while (*sp) {
+            if (*sp == '\\') {
+                if (*++sp)
+                    *bp++ = *sp++;
+                else {
+                    BIO_printf(bio_err,
+                               "escape character at end of string\n");
+                    goto error;
+                }
+            } else if (*sp == '/') {
+                sp++;
+                /* no multivalued RDN by default */
+                mval[ne_num + 1] = 0;
+                break;
+            } else if (*sp == '+' && multirdn) {
+                /*
+                 * a not escaped + signals a mutlivalued RDN
+                 */
+                sp++;
+                mval[ne_num + 1] = -1;
+                break;
+            } else
+                *bp++ = *sp++;
+        }
+        *bp++ = '\0';
+        ne_num++;
+    }
+
+    if (!(n = X509_NAME_new()))
+        goto error;
+
+    for (i = 0; i < ne_num; i++) {
+        if ((nid = OBJ_txt2nid(ne_types[i])) == NID_undef) {
+            BIO_printf(bio_err,
+                       "Subject Attribute %s has no known NID, skipped\n",
+                       ne_types[i]);
+            continue;
+        }
+
+        if (!*ne_values[i]) {
+            BIO_printf(bio_err,
+                       "No value provided for Subject Attribute %s, skipped\n",
+                       ne_types[i]);
+            continue;
+        }
+
+        if (!X509_NAME_add_entry_by_NID
+            (n, nid, chtype, (unsigned char *)ne_values[i], -1, -1, mval[i]))
+            goto error;
+    }
+
+    OPENSSL_free(ne_values);
+    OPENSSL_free(ne_types);
+    OPENSSL_free(buf);
+    OPENSSL_free(mval);
+    return n;
+
+ error:
+    X509_NAME_free(n);
+    if (ne_values)
+        OPENSSL_free(ne_values);
+    if (ne_types)
+        OPENSSL_free(ne_types);
+    if (mval)
+        OPENSSL_free(mval);
+    if (buf)
+        OPENSSL_free(buf);
+    return NULL;
+}
+
+int args_verify(char ***pargs, int *pargc,
+                int *badarg, BIO *err, X509_VERIFY_PARAM **pm)
+{
+    ASN1_OBJECT *otmp = NULL;
+    unsigned long flags = 0;
+    int i;
+    int purpose = 0, depth = -1;
+    char **oldargs = *pargs;
+    char *arg = **pargs, *argn = (*pargs)[1];
+    time_t at_time = 0;
+    char *hostname = NULL;
+    char *email = NULL;
+    char *ipasc = NULL;
+    if (!strcmp(arg, "-policy")) {
+        if (!argn)
+            *badarg = 1;
+        else {
+            otmp = OBJ_txt2obj(argn, 0);
+            if (!otmp) {
+                BIO_printf(err, "Invalid Policy \"%s\"\n", argn);
+                *badarg = 1;
+            }
+        }
+        (*pargs)++;
+    } else if (strcmp(arg, "-purpose") == 0) {
+        X509_PURPOSE *xptmp;
+        if (!argn)
+            *badarg = 1;
+        else {
+            i = X509_PURPOSE_get_by_sname(argn);
+            if (i < 0) {
+                BIO_printf(err, "unrecognized purpose\n");
+                *badarg = 1;
+            } else {
+                xptmp = X509_PURPOSE_get0(i);
+                purpose = X509_PURPOSE_get_id(xptmp);
+            }
+        }
+        (*pargs)++;
+    } else if (strcmp(arg, "-verify_depth") == 0) {
+        if (!argn)
+            *badarg = 1;
+        else {
+            depth = atoi(argn);
+            if (depth < 0) {
+                BIO_printf(err, "invalid depth\n");
+                *badarg = 1;
+            }
+        }
+        (*pargs)++;
+    } else if (strcmp(arg, "-attime") == 0) {
+        if (!argn)
+            *badarg = 1;
+        else {
+            long timestamp;
+            /*
+             * interpret the -attime argument as seconds since Epoch
+             */
+            if (sscanf(argn, "%li", &timestamp) != 1) {
+                BIO_printf(bio_err, "Error parsing timestamp %s\n", argn);
+                *badarg = 1;
+            }
+            /* on some platforms time_t may be a float */
+            at_time = (time_t)timestamp;
+        }
+        (*pargs)++;
+    } else if (strcmp(arg, "-verify_hostname") == 0) {
+        if (!argn)
+            *badarg = 1;
+        hostname = argn;
+        (*pargs)++;
+    } else if (strcmp(arg, "-verify_email") == 0) {
+        if (!argn)
+            *badarg = 1;
+        email = argn;
+        (*pargs)++;
+    } else if (strcmp(arg, "-verify_ip") == 0) {
+        if (!argn)
+            *badarg = 1;
+        ipasc = argn;
+        (*pargs)++;
+    } else if (!strcmp(arg, "-ignore_critical"))
+        flags |= X509_V_FLAG_IGNORE_CRITICAL;
+    else if (!strcmp(arg, "-issuer_checks"))
+        flags |= X509_V_FLAG_CB_ISSUER_CHECK;
+    else if (!strcmp(arg, "-crl_check"))
+        flags |= X509_V_FLAG_CRL_CHECK;
+    else if (!strcmp(arg, "-crl_check_all"))
+        flags |= X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL;
+    else if (!strcmp(arg, "-policy_check"))
+        flags |= X509_V_FLAG_POLICY_CHECK;
+    else if (!strcmp(arg, "-explicit_policy"))
+        flags |= X509_V_FLAG_EXPLICIT_POLICY;
+    else if (!strcmp(arg, "-inhibit_any"))
+        flags |= X509_V_FLAG_INHIBIT_ANY;
+    else if (!strcmp(arg, "-inhibit_map"))
+        flags |= X509_V_FLAG_INHIBIT_MAP;
+    else if (!strcmp(arg, "-x509_strict"))
+        flags |= X509_V_FLAG_X509_STRICT;
+    else if (!strcmp(arg, "-extended_crl"))
+        flags |= X509_V_FLAG_EXTENDED_CRL_SUPPORT;
+    else if (!strcmp(arg, "-use_deltas"))
+        flags |= X509_V_FLAG_USE_DELTAS;
+    else if (!strcmp(arg, "-policy_print"))
+        flags |= X509_V_FLAG_NOTIFY_POLICY;
+    else if (!strcmp(arg, "-check_ss_sig"))
+        flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
+    else if (!strcmp(arg, "-trusted_first"))
+        flags |= X509_V_FLAG_TRUSTED_FIRST;
+    else if (!strcmp(arg, "-suiteB_128_only"))
+        flags |= X509_V_FLAG_SUITEB_128_LOS_ONLY;
+    else if (!strcmp(arg, "-suiteB_128"))
+        flags |= X509_V_FLAG_SUITEB_128_LOS;
+    else if (!strcmp(arg, "-suiteB_192"))
+        flags |= X509_V_FLAG_SUITEB_192_LOS;
+    else if (!strcmp(arg, "-partial_chain"))
+        flags |= X509_V_FLAG_PARTIAL_CHAIN;
+    else if (!strcmp(arg, "-no_alt_chains"))
+        flags |= X509_V_FLAG_NO_ALT_CHAINS;
+    else if (!strcmp(arg, "-allow_proxy_certs"))
+        flags |= X509_V_FLAG_ALLOW_PROXY_CERTS;
+    else
+        return 0;
+
+    if (*badarg) {
+        if (*pm)
+            X509_VERIFY_PARAM_free(*pm);
+        *pm = NULL;
+        goto end;
+    }
+
+    if (!*pm && !(*pm = X509_VERIFY_PARAM_new())) {
+        *badarg = 1;
+        goto end;
+    }
+
+    if (otmp)
+        X509_VERIFY_PARAM_add0_policy(*pm, otmp);
+    if (flags)
+        X509_VERIFY_PARAM_set_flags(*pm, flags);
+
+    if (purpose)
+        X509_VERIFY_PARAM_set_purpose(*pm, purpose);
+
+    if (depth >= 0)
+        X509_VERIFY_PARAM_set_depth(*pm, depth);
+
+    if (at_time)
+        X509_VERIFY_PARAM_set_time(*pm, at_time);
+
+    if (hostname && !X509_VERIFY_PARAM_set1_host(*pm, hostname, 0))
+        *badarg = 1;
+
+    if (email && !X509_VERIFY_PARAM_set1_email(*pm, email, 0))
+        *badarg = 1;
+
+    if (ipasc && !X509_VERIFY_PARAM_set1_ip_asc(*pm, ipasc))
+        *badarg = 1;
+
+ end:
+
+    (*pargs)++;
+
+    if (pargc)
+        *pargc -= *pargs - oldargs;
+
+    return 1;
+
+}
+
+/*
+ * Read whole contents of a BIO into an allocated memory buffer and return
+ * it.
+ */
+
+int bio_to_mem(unsigned char **out, int maxlen, BIO *in)
+{
+    BIO *mem;
+    int len, ret;
+    unsigned char tbuf[1024];
+    mem = BIO_new(BIO_s_mem());
+    if (!mem)
+        return -1;
+    for (;;) {
+        if ((maxlen != -1) && maxlen < 1024)
+            len = maxlen;
+        else
+            len = 1024;
+        len = BIO_read(in, tbuf, len);
+        if (len < 0) {
+            BIO_free(mem);
+            return -1;
+        }
+        if (len == 0)
+            break;
+        if (BIO_write(mem, tbuf, len) != len) {
+            BIO_free(mem);
+            return -1;
+        }
+        maxlen -= len;
+
+        if (maxlen == 0)
+            break;
+    }
+    ret = BIO_get_mem_data(mem, (char **)out);
+    BIO_set_flags(mem, BIO_FLAGS_MEM_RDONLY);
+    BIO_free(mem);
+    return ret;
+}
+
+int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value)
+{
+    int rv;
+    char *stmp, *vtmp = NULL;
+    stmp = BUF_strdup(value);
+    if (!stmp)
+        return -1;
+    vtmp = strchr(stmp, ':');
+    if (vtmp) {
+        *vtmp = 0;
+        vtmp++;
+    }
+    rv = EVP_PKEY_CTX_ctrl_str(ctx, stmp, vtmp);
+    OPENSSL_free(stmp);
+    return rv;
+}
+
+static void nodes_print(BIO *out, const char *name,
+                        STACK_OF(X509_POLICY_NODE) *nodes)
+{
+    X509_POLICY_NODE *node;
+    int i;
+    BIO_printf(out, "%s Policies:", name);
+    if (nodes) {
+        BIO_puts(out, "\n");
+        for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) {
+            node = sk_X509_POLICY_NODE_value(nodes, i);
+            X509_POLICY_NODE_print(out, node, 2);
+        }
+    } else
+        BIO_puts(out, " <empty>\n");
+}
+
+void policies_print(BIO *out, X509_STORE_CTX *ctx)
+{
+    X509_POLICY_TREE *tree;
+    int explicit_policy;
+    int free_out = 0;
+    if (out == NULL) {
+        out = BIO_new_fp(stderr, BIO_NOCLOSE);
+        free_out = 1;
+    }
+    tree = X509_STORE_CTX_get0_policy_tree(ctx);
+    explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx);
+
+    BIO_printf(out, "Require explicit Policy: %s\n",
+               explicit_policy ? "True" : "False");
+
+    nodes_print(out, "Authority", X509_policy_tree_get0_policies(tree));
+    nodes_print(out, "User", X509_policy_tree_get0_user_policies(tree));
+    if (free_out)
+        BIO_free(out);
+}
+
+#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
+
+static JPAKE_CTX *jpake_init(const char *us, const char *them,
+                             const char *secret)
+{
+    BIGNUM *p = NULL;
+    BIGNUM *g = NULL;
+    BIGNUM *q = NULL;
+    BIGNUM *bnsecret = BN_new();
+    JPAKE_CTX *ctx;
+
+    /* Use a safe prime for p (that we found earlier) */
+    BN_hex2bn(&p,
+              "F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED44FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D2E1A2F71D99F763F");
+    g = BN_new();
+    BN_set_word(g, 2);
+    q = BN_new();
+    BN_rshift1(q, p);
+
+    BN_bin2bn((const unsigned char *)secret, strlen(secret), bnsecret);
+
+    ctx = JPAKE_CTX_new(us, them, p, g, q, bnsecret);
+    BN_free(bnsecret);
+    BN_free(q);
+    BN_free(g);
+    BN_free(p);
+
+    return ctx;
+}
+
+static void jpake_send_part(BIO *conn, const JPAKE_STEP_PART *p)
+{
+    BN_print(conn, p->gx);
+    BIO_puts(conn, "\n");
+    BN_print(conn, p->zkpx.gr);
+    BIO_puts(conn, "\n");
+    BN_print(conn, p->zkpx.b);
+    BIO_puts(conn, "\n");
+}
+
+static void jpake_send_step1(BIO *bconn, JPAKE_CTX *ctx)
+{
+    JPAKE_STEP1 s1;
+
+    JPAKE_STEP1_init(&s1);
+    JPAKE_STEP1_generate(&s1, ctx);
+    jpake_send_part(bconn, &s1.p1);
+    jpake_send_part(bconn, &s1.p2);
+    (void)BIO_flush(bconn);
+    JPAKE_STEP1_release(&s1);
+}
+
+static void jpake_send_step2(BIO *bconn, JPAKE_CTX *ctx)
+{
+    JPAKE_STEP2 s2;
+
+    JPAKE_STEP2_init(&s2);
+    JPAKE_STEP2_generate(&s2, ctx);
+    jpake_send_part(bconn, &s2);
+    (void)BIO_flush(bconn);
+    JPAKE_STEP2_release(&s2);
+}
+
+static void jpake_send_step3a(BIO *bconn, JPAKE_CTX *ctx)
+{
+    JPAKE_STEP3A s3a;
+
+    JPAKE_STEP3A_init(&s3a);
+    JPAKE_STEP3A_generate(&s3a, ctx);
+    BIO_write(bconn, s3a.hhk, sizeof s3a.hhk);
+    (void)BIO_flush(bconn);
+    JPAKE_STEP3A_release(&s3a);
+}
+
+static void jpake_send_step3b(BIO *bconn, JPAKE_CTX *ctx)
+{
+    JPAKE_STEP3B s3b;
+
+    JPAKE_STEP3B_init(&s3b);
+    JPAKE_STEP3B_generate(&s3b, ctx);
+    BIO_write(bconn, s3b.hk, sizeof s3b.hk);
+    (void)BIO_flush(bconn);
+    JPAKE_STEP3B_release(&s3b);
+}
+
+static void readbn(BIGNUM **bn, BIO *bconn)
+{
+    char buf[10240];
+    int l;
+
+    l = BIO_gets(bconn, buf, sizeof buf);
+    assert(l > 0);
+    assert(buf[l - 1] == '\n');
+    buf[l - 1] = '\0';
+    BN_hex2bn(bn, buf);
+}
+
+static void jpake_receive_part(JPAKE_STEP_PART *p, BIO *bconn)
+{
+    readbn(&p->gx, bconn);
+    readbn(&p->zkpx.gr, bconn);
+    readbn(&p->zkpx.b, bconn);
+}
+
+static void jpake_receive_step1(JPAKE_CTX *ctx, BIO *bconn)
+{
+    JPAKE_STEP1 s1;
+
+    JPAKE_STEP1_init(&s1);
+    jpake_receive_part(&s1.p1, bconn);
+    jpake_receive_part(&s1.p2, bconn);
+    if (!JPAKE_STEP1_process(ctx, &s1)) {
+        ERR_print_errors(bio_err);
+        exit(1);
+    }
+    JPAKE_STEP1_release(&s1);
+}
+
+static void jpake_receive_step2(JPAKE_CTX *ctx, BIO *bconn)
+{
+    JPAKE_STEP2 s2;
+
+    JPAKE_STEP2_init(&s2);
+    jpake_receive_part(&s2, bconn);
+    if (!JPAKE_STEP2_process(ctx, &s2)) {
+        ERR_print_errors(bio_err);
+        exit(1);
+    }
+    JPAKE_STEP2_release(&s2);
+}
+
+static void jpake_receive_step3a(JPAKE_CTX *ctx, BIO *bconn)
+{
+    JPAKE_STEP3A s3a;
+    int l;
+
+    JPAKE_STEP3A_init(&s3a);
+    l = BIO_read(bconn, s3a.hhk, sizeof s3a.hhk);
+    assert(l == sizeof s3a.hhk);
+    if (!JPAKE_STEP3A_process(ctx, &s3a)) {
+        ERR_print_errors(bio_err);
+        exit(1);
+    }
+    JPAKE_STEP3A_release(&s3a);
+}
+
+static void jpake_receive_step3b(JPAKE_CTX *ctx, BIO *bconn)
+{
+    JPAKE_STEP3B s3b;
+    int l;
+
+    JPAKE_STEP3B_init(&s3b);
+    l = BIO_read(bconn, s3b.hk, sizeof s3b.hk);
+    assert(l == sizeof s3b.hk);
+    if (!JPAKE_STEP3B_process(ctx, &s3b)) {
+        ERR_print_errors(bio_err);
+        exit(1);
+    }
+    JPAKE_STEP3B_release(&s3b);
+}
+
+void jpake_client_auth(BIO *out, BIO *conn, const char *secret)
+{
+    JPAKE_CTX *ctx;
+    BIO *bconn;
+
+    BIO_puts(out, "Authenticating with JPAKE\n");
+
+    ctx = jpake_init("client", "server", secret);
+
+    bconn = BIO_new(BIO_f_buffer());
+    BIO_push(bconn, conn);
+
+    jpake_send_step1(bconn, ctx);
+    jpake_receive_step1(ctx, bconn);
+    jpake_send_step2(bconn, ctx);
+    jpake_receive_step2(ctx, bconn);
+    jpake_send_step3a(bconn, ctx);
+    jpake_receive_step3b(ctx, bconn);
+
+    BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
+
+    if (psk_key)
+        OPENSSL_free(psk_key);
+
+    psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
+
+    BIO_pop(bconn);
+    BIO_free(bconn);
+
+    JPAKE_CTX_free(ctx);
+}
+
+void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
+{
+    JPAKE_CTX *ctx;
+    BIO *bconn;
+
+    BIO_puts(out, "Authenticating with JPAKE\n");
+
+    ctx = jpake_init("server", "client", secret);
+
+    bconn = BIO_new(BIO_f_buffer());
+    BIO_push(bconn, conn);
+
+    jpake_receive_step1(ctx, bconn);
+    jpake_send_step1(bconn, ctx);
+    jpake_receive_step2(ctx, bconn);
+    jpake_send_step2(bconn, ctx);
+    jpake_receive_step3a(ctx, bconn);
+    jpake_send_step3b(bconn, ctx);
+
+    BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
+
+    if (psk_key)
+        OPENSSL_free(psk_key);
+
+    psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
+
+    BIO_pop(bconn);
+    BIO_free(bconn);
+
+    JPAKE_CTX_free(ctx);
+}
+
+#endif
+
+#ifndef OPENSSL_NO_TLSEXT
+/*-
+ * next_protos_parse parses a comma separated list of strings into a string
+ * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
+ *   outlen: (output) set to the length of the resulting buffer on success.
+ *   err: (maybe NULL) on failure, an error message line is written to this BIO.
+ *   in: a NUL termianted string like "abc,def,ghi"
+ *
+ *   returns: a malloced buffer or NULL on failure.
+ */
+unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
+{
+    size_t len;
+    unsigned char *out;
+    size_t i, start = 0;
+
+    len = strlen(in);
+    if (len >= 65535)
+        return NULL;
+
+    out = OPENSSL_malloc(strlen(in) + 1);
+    if (!out)
+        return NULL;
+
+    for (i = 0; i <= len; ++i) {
+        if (i == len || in[i] == ',') {
+            if (i - start > 255) {
+                OPENSSL_free(out);
+                return NULL;
+            }
+            out[start] = i - start;
+            start = i + 1;
+        } else
+            out[i + 1] = in[i];
+    }
+
+    *outlen = len + 1;
+    return out;
+}
+#endif                          /* ndef OPENSSL_NO_TLSEXT */
+
+void print_cert_checks(BIO *bio, X509 *x,
+                       const char *checkhost,
+                       const char *checkemail, const char *checkip)
+{
+    if (x == NULL)
+        return;
+    if (checkhost) {
+        BIO_printf(bio, "Hostname %s does%s match certificate\n",
+                   checkhost, X509_check_host(x, checkhost, 0, 0, NULL) == 1
+                   ? "" : " NOT");
+    }
+
+    if (checkemail) {
+        BIO_printf(bio, "Email %s does%s match certificate\n",
+                   checkemail, X509_check_email(x, checkemail, 0,
+                                                0) ? "" : " NOT");
+    }
+
+    if (checkip) {
+        BIO_printf(bio, "IP %s does%s match certificate\n",
+                   checkip, X509_check_ip_asc(x, checkip, 0) ? "" : " NOT");
+    }
+}
+
+/* Get first http URL from a DIST_POINT structure */
+
+static const char *get_dp_url(DIST_POINT *dp)
+{
+    GENERAL_NAMES *gens;
+    GENERAL_NAME *gen;
+    int i, gtype;
+    ASN1_STRING *uri;
+    if (!dp->distpoint || dp->distpoint->type != 0)
+        return NULL;
+    gens = dp->distpoint->name.fullname;
+    for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
+        gen = sk_GENERAL_NAME_value(gens, i);
+        uri = GENERAL_NAME_get0_value(gen, &gtype);
+        if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6) {
+            char *uptr = (char *)ASN1_STRING_data(uri);
+            if (!strncmp(uptr, "http://", 7))
+                return uptr;
+        }
+    }
+    return NULL;
+}
+
+/*
+ * Look through a CRLDP structure and attempt to find an http URL to
+ * downloads a CRL from.
+ */
+
+static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp)
+{
+    int i;
+    const char *urlptr = NULL;
+    for (i = 0; i < sk_DIST_POINT_num(crldp); i++) {
+        DIST_POINT *dp = sk_DIST_POINT_value(crldp, i);
+        urlptr = get_dp_url(dp);
+        if (urlptr)
+            return load_crl(urlptr, FORMAT_HTTP);
+    }
+    return NULL;
+}
+
+/*
+ * Example of downloading CRLs from CRLDP: not usable for real world as it
+ * always downloads, doesn't support non-blocking I/O and doesn't cache
+ * anything.
+ */
+
+static STACK_OF(X509_CRL) *crls_http_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
+{
+    X509 *x;
+    STACK_OF(X509_CRL) *crls = NULL;
+    X509_CRL *crl;
+    STACK_OF(DIST_POINT) *crldp;
+    x = X509_STORE_CTX_get_current_cert(ctx);
+    crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
+    crl = load_crl_crldp(crldp);
+    sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
+    if (!crl)
+        return NULL;
+    crls = sk_X509_CRL_new_null();
+    sk_X509_CRL_push(crls, crl);
+    /* Try to download delta CRL */
+    crldp = X509_get_ext_d2i(x, NID_freshest_crl, NULL, NULL);
+    crl = load_crl_crldp(crldp);
+    sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
+    if (crl)
+        sk_X509_CRL_push(crls, crl);
+    return crls;
+}
+
+void store_setup_crl_download(X509_STORE *st)
+{
+    X509_STORE_set_lookup_crls_cb(st, crls_http_cb);
+}
+
+/*
+ * Platform-specific sections
+ */
+#if defined(_WIN32)
+# ifdef fileno
+#  undef fileno
+#  define fileno(a) (int)_fileno(a)
+# endif
+
+# include <windows.h>
+# include <tchar.h>
+
+static int WIN32_rename(const char *from, const char *to)
+{
+    TCHAR *tfrom = NULL, *tto;
+    DWORD err;
+    int ret = 0;
+
+    if (sizeof(TCHAR) == 1) {
+        tfrom = (TCHAR *)from;
+        tto = (TCHAR *)to;
+    } else {                    /* UNICODE path */
+
+        size_t i, flen = strlen(from) + 1, tlen = strlen(to) + 1;
+        tfrom = (TCHAR *)malloc(sizeof(TCHAR) * (flen + tlen));
+        if (tfrom == NULL)
+            goto err;
+        tto = tfrom + flen;
+# if !defined(_WIN32_WCE) || _WIN32_WCE>=101
+        if (!MultiByteToWideChar(CP_ACP, 0, from, flen, (WCHAR *)tfrom, flen))
+# endif
+            for (i = 0; i < flen; i++)
+                tfrom[i] = (TCHAR)from[i];
+# if !defined(_WIN32_WCE) || _WIN32_WCE>=101
+        if (!MultiByteToWideChar(CP_ACP, 0, to, tlen, (WCHAR *)tto, tlen))
+# endif
+            for (i = 0; i < tlen; i++)
+                tto[i] = (TCHAR)to[i];
+    }
+
+    if (MoveFile(tfrom, tto))
+        goto ok;
+    err = GetLastError();
+    if (err == ERROR_ALREADY_EXISTS || err == ERROR_FILE_EXISTS) {
+        if (DeleteFile(tto) && MoveFile(tfrom, tto))
+            goto ok;
+        err = GetLastError();
+    }
+    if (err == ERROR_FILE_NOT_FOUND || err == ERROR_PATH_NOT_FOUND)
+        errno = ENOENT;
+    else if (err == ERROR_ACCESS_DENIED)
+        errno = EACCES;
+    else
+        errno = EINVAL;         /* we could map more codes... */
+ err:
+    ret = -1;
+ ok:
+    if (tfrom != NULL && tfrom != (TCHAR *)from)
+        free(tfrom);
+    return ret;
+}
+#endif
+
+/* app_tminterval section */
+#if defined(_WIN32)
+double app_tminterval(int stop, int usertime)
+{
+    FILETIME now;
+    double ret = 0;
+    static ULARGE_INTEGER tmstart;
+    static int warning = 1;
+# ifdef _WIN32_WINNT
+    static HANDLE proc = NULL;
+
+    if (proc == NULL) {
+        if (check_winnt())
+            proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE,
+                               GetCurrentProcessId());
+        if (proc == NULL)
+            proc = (HANDLE) - 1;
+    }
+
+    if (usertime && proc != (HANDLE) - 1) {
+        FILETIME junk;
+        GetProcessTimes(proc, &junk, &junk, &junk, &now);
+    } else
+# endif
+    {
+        SYSTEMTIME systime;
+
+        if (usertime && warning) {
+            BIO_printf(bio_err, "To get meaningful results, run "
+                       "this program on idle system.\n");
+            warning = 0;
+        }
+        GetSystemTime(&systime);
+        SystemTimeToFileTime(&systime, &now);
+    }
+
+    if (stop == TM_START) {
+        tmstart.u.LowPart = now.dwLowDateTime;
+        tmstart.u.HighPart = now.dwHighDateTime;
+    } else {
+        ULARGE_INTEGER tmstop;
+
+        tmstop.u.LowPart = now.dwLowDateTime;
+        tmstop.u.HighPart = now.dwHighDateTime;
+
+        ret = (__int64)(tmstop.QuadPart - tmstart.QuadPart) * 1e-7;
+    }
+
+    return (ret);
+}
+
+#elif defined(OPENSSL_SYS_NETWARE)
+# include <time.h>
+
+double app_tminterval(int stop, int usertime)
+{
+    double ret = 0;
+    static clock_t tmstart;
+    static int warning = 1;
+
+    if (usertime && warning) {
+        BIO_printf(bio_err, "To get meaningful results, run "
+                   "this program on idle system.\n");
+        warning = 0;
+    }
+
+    if (stop == TM_START)
+        tmstart = clock();
+    else
+        ret = (clock() - tmstart) / (double)CLOCKS_PER_SEC;
+
+    return (ret);
+}
+
+#elif defined(OPENSSL_SYSTEM_VXWORKS)
+# include <time.h>
+
+double app_tminterval(int stop, int usertime)
+{
+    double ret = 0;
+# ifdef CLOCK_REALTIME
+    static struct timespec tmstart;
+    struct timespec now;
+# else
+    static unsigned long tmstart;
+    unsigned long now;
+# endif
+    static int warning = 1;
+
+    if (usertime && warning) {
+        BIO_printf(bio_err, "To get meaningful results, run "
+                   "this program on idle system.\n");
+        warning = 0;
+    }
+# ifdef CLOCK_REALTIME
+    clock_gettime(CLOCK_REALTIME, &now);
+    if (stop == TM_START)
+        tmstart = now;
+    else
+        ret = ((now.tv_sec + now.tv_nsec * 1e-9)
+               - (tmstart.tv_sec + tmstart.tv_nsec * 1e-9));
+# else
+    now = tickGet();
+    if (stop == TM_START)
+        tmstart = now;
+    else
+        ret = (now - tmstart) / (double)sysClkRateGet();
+# endif
+    return (ret);
+}
+
+#elif defined(OPENSSL_SYSTEM_VMS)
+# include <time.h>
+# include <times.h>
+
+double app_tminterval(int stop, int usertime)
+{
+    static clock_t tmstart;
+    double ret = 0;
+    clock_t now;
+# ifdef __TMS
+    struct tms rus;
+
+    now = times(&rus);
+    if (usertime)
+        now = rus.tms_utime;
+# else
+    if (usertime)
+        now = clock();          /* sum of user and kernel times */
+    else {
+        struct timeval tv;
+        gettimeofday(&tv, NULL);
+        now = (clock_t)((unsigned long long)tv.tv_sec * CLK_TCK +
+                        (unsigned long long)tv.tv_usec * (1000000 / CLK_TCK)
+            );
+    }
+# endif
+    if (stop == TM_START)
+        tmstart = now;
+    else
+        ret = (now - tmstart) / (double)(CLK_TCK);
+
+    return (ret);
+}
+
+#elif defined(_SC_CLK_TCK)      /* by means of unistd.h */
+# include <sys/times.h>
+
+double app_tminterval(int stop, int usertime)
+{
+    double ret = 0;
+    struct tms rus;
+    clock_t now = times(&rus);
+    static clock_t tmstart;
+
+    if (usertime)
+        now = rus.tms_utime;
+
+    if (stop == TM_START)
+        tmstart = now;
+    else {
+        long int tck = sysconf(_SC_CLK_TCK);
+        ret = (now - tmstart) / (double)tck;
+    }
+
+    return (ret);
+}
+
+#else
+# include <sys/time.h>
+# include <sys/resource.h>
+
+double app_tminterval(int stop, int usertime)
+{
+    double ret = 0;
+    struct rusage rus;
+    struct timeval now;
+    static struct timeval tmstart;
+
+    if (usertime)
+        getrusage(RUSAGE_SELF, &rus), now = rus.ru_utime;
+    else
+        gettimeofday(&now, NULL);
+
+    if (stop == TM_START)
+        tmstart = now;
+    else
+        ret = ((now.tv_sec + now.tv_usec * 1e-6)
+               - (tmstart.tv_sec + tmstart.tv_usec * 1e-6));
+
+    return ret;
+}
+#endif
+
+/* app_isdir section */
+#ifdef _WIN32
+int app_isdir(const char *name)
+{
+    HANDLE hList;
+    WIN32_FIND_DATA FileData;
+# if defined(UNICODE) || defined(_UNICODE)
+    size_t i, len_0 = strlen(name) + 1;
+
+    if (len_0 > sizeof(FileData.cFileName) / sizeof(FileData.cFileName[0]))
+        return -1;
+
+#  if !defined(_WIN32_WCE) || _WIN32_WCE>=101
+    if (!MultiByteToWideChar
+        (CP_ACP, 0, name, len_0, FileData.cFileName, len_0))
+#  endif
+        for (i = 0; i < len_0; i++)
+            FileData.cFileName[i] = (WCHAR)name[i];
+
+    hList = FindFirstFile(FileData.cFileName, &FileData);
+# else
+    hList = FindFirstFile(name, &FileData);
+# endif
+    if (hList == INVALID_HANDLE_VALUE)
+        return -1;
+    FindClose(hList);
+    return ((FileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0);
+}
+#else
+# include <sys/stat.h>
+# ifndef S_ISDIR
+#  if defined(_S_IFMT) && defined(_S_IFDIR)
+#   define S_ISDIR(a)   (((a) & _S_IFMT) == _S_IFDIR)
+#  else
+#   define S_ISDIR(a)   (((a) & S_IFMT) == S_IFDIR)
+#  endif
+# endif
+
+int app_isdir(const char *name)
+{
+# if defined(S_ISDIR)
+    struct stat st;
+
+    if (stat(name, &st) == 0)
+        return S_ISDIR(st.st_mode);
+    else
+        return -1;
+# else
+    return -1;
+# endif
+}
+#endif
+
+/* raw_read|write section */
+#if defined(__VMS)
+# include "vms_term_sock.h"
+static int stdin_sock = -1;
+
+static void close_stdin_sock(void)
+{
+    TerminalSocket (TERM_SOCK_DELETE, &stdin_sock);
+}
+
+int fileno_stdin(void)
+{
+    if (stdin_sock == -1) {
+        TerminalSocket(TERM_SOCK_CREATE, &stdin_sock);
+        atexit(close_stdin_sock);
+    }
+
+    return stdin_sock;
+}
+#else
+int fileno_stdin(void)
+{
+    return fileno(stdin);
+}
+#endif
+
+int fileno_stdout(void)
+{
+    return fileno(stdout);
+}
+
+#if defined(_WIN32) && defined(STD_INPUT_HANDLE)
+int raw_read_stdin(void *buf, int siz)
+{
+    DWORD n;
+    if (ReadFile(GetStdHandle(STD_INPUT_HANDLE), buf, siz, &n, NULL))
+        return (n);
+    else
+        return (-1);
+}
+#elif defined(__VMS)
+#include <sys/socket.h>
+
+int raw_read_stdin(void *buf, int siz)
+{
+    return recv(fileno_stdin(), buf, siz, 0);
+}
+#else
+int raw_read_stdin(void *buf, int siz)
+{
+    return read(fileno_stdin(), buf, siz);
+}
+#endif
+
+#if defined(_WIN32) && defined(STD_OUTPUT_HANDLE)
+int raw_write_stdout(const void *buf, int siz)
+{
+    DWORD n;
+    if (WriteFile(GetStdHandle(STD_OUTPUT_HANDLE), buf, siz, &n, NULL))
+        return (n);
+    else
+        return (-1);
+}
+#else
+int raw_write_stdout(const void *buf, int siz)
+{
+    return write(fileno_stdout(), buf, siz);
+}
+#endif
diff --git a/openssl/apps/apps.h b/openssl/apps/apps.h
new file mode 100644
index 0000000..268863c
--- /dev/null
+++ b/openssl/apps/apps.h
@@ -0,0 +1,389 @@
+/* apps/apps.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_APPS_H
+# define HEADER_APPS_H
+
+# include "e_os.h"
+
+# include <openssl/bio.h>
+# include <openssl/x509.h>
+# include <openssl/lhash.h>
+# include <openssl/conf.h>
+# include <openssl/txt_db.h>
+# ifndef OPENSSL_NO_ENGINE
+#  include <openssl/engine.h>
+# endif
+# ifndef OPENSSL_NO_OCSP
+#  include <openssl/ocsp.h>
+# endif
+# include <openssl/ossl_typ.h>
+
+int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn);
+int app_RAND_write_file(const char *file, BIO *bio_e);
+/*
+ * When `file' is NULL, use defaults. `bio_e' is for error messages.
+ */
+void app_RAND_allow_write_file(void);
+long app_RAND_load_files(char *file); /* `file' is a list of files to read,
+                                       * separated by LIST_SEPARATOR_CHAR
+                                       * (see e_os.h).  The string is
+                                       * destroyed! */
+
+# ifndef MONOLITH
+
+#  define MAIN(a,v)       main(a,v)
+
+#  ifndef NON_MAIN
+CONF *config = NULL;
+BIO *bio_err = NULL;
+#  else
+extern CONF *config;
+extern BIO *bio_err;
+#  endif
+
+# else
+
+#  define MAIN(a,v)       PROG(a,v)
+extern CONF *config;
+extern char *default_config_file;
+extern BIO *bio_err;
+
+# endif
+
+# ifndef OPENSSL_SYS_NETWARE
+#  include <signal.h>
+# endif
+
+# ifdef SIGPIPE
+#  define do_pipe_sig()   signal(SIGPIPE,SIG_IGN)
+# else
+#  define do_pipe_sig()
+# endif
+
+# ifdef OPENSSL_NO_COMP
+#  define zlib_cleanup()
+# else
+#  define zlib_cleanup() COMP_zlib_cleanup()
+# endif
+
+# if defined(MONOLITH) && !defined(OPENSSL_C)
+#  define apps_startup() \
+                do_pipe_sig()
+#  define apps_shutdown()
+# else
+#  ifndef OPENSSL_NO_ENGINE
+#   define apps_startup() \
+                        do { do_pipe_sig(); CRYPTO_malloc_init(); \
+                        ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
+                        ENGINE_load_builtin_engines(); setup_ui_method(); } while(0)
+#   define apps_shutdown() \
+                        do { CONF_modules_unload(1); destroy_ui_method(); \
+                        OBJ_cleanup(); EVP_cleanup(); ENGINE_cleanup(); \
+                        CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
+                        RAND_cleanup(); \
+                        ERR_free_strings(); zlib_cleanup();} while(0)
+#  else
+#   define apps_startup() \
+                        do { do_pipe_sig(); CRYPTO_malloc_init(); \
+                        ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
+                        setup_ui_method(); } while(0)
+#   define apps_shutdown() \
+                        do { CONF_modules_unload(1); destroy_ui_method(); \
+                        OBJ_cleanup(); EVP_cleanup(); \
+                        CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
+                        RAND_cleanup(); \
+                        ERR_free_strings(); zlib_cleanup(); } while(0)
+#  endif
+# endif
+
+# if defined(OPENSSL_SYSNAME_WIN32) || defined(OPENSSL_SYSNAME_WINCE)
+#  define openssl_fdset(a,b) FD_SET((unsigned int)a, b)
+# else
+#  define openssl_fdset(a,b) FD_SET(a, b)
+# endif
+
+typedef struct args_st {
+    char **data;
+    int count;
+} ARGS;
+
+# define PW_MIN_LENGTH 4
+typedef struct pw_cb_data {
+    const void *password;
+    const char *prompt_info;
+} PW_CB_DATA;
+
+int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_data);
+
+int setup_ui_method(void);
+void destroy_ui_method(void);
+
+int should_retry(int i);
+int args_from_file(char *file, int *argc, char **argv[]);
+int str2fmt(char *s);
+void program_name(char *in, char *out, int size);
+int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[]);
+# ifdef HEADER_X509_H
+int dump_cert_text(BIO *out, X509 *x);
+void print_name(BIO *out, const char *title, X509_NAME *nm,
+                unsigned long lflags);
+# endif
+int set_cert_ex(unsigned long *flags, const char *arg);
+int set_name_ex(unsigned long *flags, const char *arg);
+int set_ext_copy(int *copy_type, const char *arg);
+int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
+int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
+int add_oid_section(BIO *err, CONF *conf);
+X509 *load_cert(BIO *err, const char *file, int format,
+                const char *pass, ENGINE *e, const char *cert_descrip);
+X509_CRL *load_crl(const char *infile, int format);
+int load_cert_crl_http(const char *url, BIO *err,
+                       X509 **pcert, X509_CRL **pcrl);
+EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
+                   const char *pass, ENGINE *e, const char *key_descrip);
+EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
+                      const char *pass, ENGINE *e, const char *key_descrip);
+STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
+                           const char *pass, ENGINE *e,
+                           const char *cert_descrip);
+STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
+                              const char *pass, ENGINE *e,
+                              const char *cert_descrip);
+X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
+
+ENGINE *setup_engine(BIO *err, const char *engine, int debug);
+void release_engine(ENGINE *e);
+
+# ifndef OPENSSL_NO_OCSP
+OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
+                                 const char *host, const char *path,
+                                 const char *port, int use_ssl,
+                                 const STACK_OF(CONF_VALUE) *headers,
+                                 int req_timeout);
+# endif
+
+int load_config(BIO *err, CONF *cnf);
+char *make_config_name(void);
+
+/* Functions defined in ca.c and also used in ocsp.c */
+int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
+                   ASN1_GENERALIZEDTIME **pinvtm, const char *str);
+
+# define DB_type         0
+# define DB_exp_date     1
+# define DB_rev_date     2
+# define DB_serial       3      /* index - unique */
+# define DB_file         4
+# define DB_name         5      /* index - unique when active and not
+                                 * disabled */
+# define DB_NUMBER       6
+
+# define DB_TYPE_REV     'R'
+# define DB_TYPE_EXP     'E'
+# define DB_TYPE_VAL     'V'
+
+typedef struct db_attr_st {
+    int unique_subject;
+} DB_ATTR;
+typedef struct ca_db_st {
+    DB_ATTR attributes;
+    TXT_DB *db;
+} CA_DB;
+
+BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai);
+int save_serial(char *serialfile, char *suffix, BIGNUM *serial,
+                ASN1_INTEGER **retai);
+int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix);
+int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
+CA_DB *load_index(char *dbfile, DB_ATTR *dbattr);
+int index_index(CA_DB *db);
+int save_index(const char *dbfile, const char *suffix, CA_DB *db);
+int rotate_index(const char *dbfile, const char *new_suffix,
+                 const char *old_suffix);
+void free_index(CA_DB *db);
+# define index_name_cmp_noconst(a, b) \
+        index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \
+        (const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b))
+int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);
+int parse_yesno(const char *str, int def);
+
+X509_NAME *parse_name(char *str, long chtype, int multirdn);
+int args_verify(char ***pargs, int *pargc,
+                int *badarg, BIO *err, X509_VERIFY_PARAM **pm);
+void policies_print(BIO *out, X509_STORE_CTX *ctx);
+int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
+int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value);
+int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
+                 const char *algname, ENGINE *e, int do_param);
+int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
+                 STACK_OF(OPENSSL_STRING) *sigopts);
+int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
+                     STACK_OF(OPENSSL_STRING) *sigopts);
+int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
+                     STACK_OF(OPENSSL_STRING) *sigopts);
+# ifndef OPENSSL_NO_PSK
+extern char *psk_key;
+# endif
+# ifndef OPENSSL_NO_JPAKE
+void jpake_client_auth(BIO *out, BIO *conn, const char *secret);
+void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
+# endif
+
+# ifndef OPENSSL_NO_TLSEXT
+unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
+# endif                         /* ndef OPENSSL_NO_TLSEXT */
+
+void print_cert_checks(BIO *bio, X509 *x,
+                       const char *checkhost,
+                       const char *checkemail, const char *checkip);
+
+void store_setup_crl_download(X509_STORE *st);
+
+# define FORMAT_UNDEF    0
+# define FORMAT_ASN1     1
+# define FORMAT_TEXT     2
+# define FORMAT_PEM      3
+# define FORMAT_NETSCAPE 4
+# define FORMAT_PKCS12   5
+# define FORMAT_SMIME    6
+# define FORMAT_ENGINE   7
+# define FORMAT_IISSGC   8      /* XXX this stupid macro helps us to avoid
+                                 * adding yet another param to load_*key() */
+# define FORMAT_PEMRSA   9      /* PEM RSAPubicKey format */
+# define FORMAT_ASN1RSA  10     /* DER RSAPubicKey format */
+# define FORMAT_MSBLOB   11     /* MS Key blob format */
+# define FORMAT_PVK      12     /* MS PVK file format */
+# define FORMAT_HTTP     13     /* Download using HTTP */
+
+# define EXT_COPY_NONE   0
+# define EXT_COPY_ADD    1
+# define EXT_COPY_ALL    2
+
+# define NETSCAPE_CERT_HDR       "certificate"
+
+# define APP_PASS_LEN    1024
+
+# define SERIAL_RAND_BITS        64
+
+int app_isdir(const char *);
+int fileno_stdin(void);
+int fileno_stdout(void);
+int raw_read_stdin(void *, int);
+int raw_write_stdout(const void *, int);
+
+# define TM_START        0
+# define TM_STOP         1
+double app_tminterval(int stop, int usertime);
+
+# define OPENSSL_NO_SSL_INTERN
+
+#endif
diff --git a/openssl/apps/asn1pars.c b/openssl/apps/asn1pars.c
new file mode 100644
index 0000000..0a6b990
--- /dev/null
+++ b/openssl/apps/asn1pars.c
@@ -0,0 +1,430 @@
+/* apps/asn1pars.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/*
+ * A nice addition from Dr Stephen Henson <steve@openssl.org> to add the
+ * -strparse option which parses nested binary structures
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+/*-
+ * -inform arg  - input format - default PEM (DER or PEM)
+ * -in arg      - input file - default stdin
+ * -i           - indent the details by depth
+ * -offset      - where in the file to start
+ * -length      - how many bytes to use
+ * -oid file    - extra oid description file
+ */
+
+#undef PROG
+#define PROG    asn1parse_main
+
+int MAIN(int, char **);
+
+static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf);
+
+int MAIN(int argc, char **argv)
+{
+    int i, badops = 0, offset = 0, ret = 1, j;
+    unsigned int length = 0;
+    long num, tmplen;
+    BIO *in = NULL, *out = NULL, *b64 = NULL, *derout = NULL;
+    int informat, indent = 0, noout = 0, dump = 0;
+    char *infile = NULL, *str = NULL, *prog, *oidfile = NULL, *derfile = NULL;
+    char *genstr = NULL, *genconf = NULL;
+    unsigned char *tmpbuf;
+    const unsigned char *ctmpbuf;
+    BUF_MEM *buf = NULL;
+    STACK_OF(OPENSSL_STRING) *osk = NULL;
+    ASN1_TYPE *at = NULL;
+
+    informat = FORMAT_PEM;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    prog = argv[0];
+    argc--;
+    argv++;
+    if ((osk = sk_OPENSSL_STRING_new_null()) == NULL) {
+        BIO_printf(bio_err, "Memory allocation failure\n");
+        goto end;
+    }
+    while (argc >= 1) {
+        if (strcmp(*argv, "-inform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            informat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-in") == 0) {
+            if (--argc < 1)
+                goto bad;
+            infile = *(++argv);
+        } else if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            derfile = *(++argv);
+        } else if (strcmp(*argv, "-i") == 0) {
+            indent = 1;
+        } else if (strcmp(*argv, "-noout") == 0)
+            noout = 1;
+        else if (strcmp(*argv, "-oid") == 0) {
+            if (--argc < 1)
+                goto bad;
+            oidfile = *(++argv);
+        } else if (strcmp(*argv, "-offset") == 0) {
+            if (--argc < 1)
+                goto bad;
+            offset = atoi(*(++argv));
+        } else if (strcmp(*argv, "-length") == 0) {
+            if (--argc < 1)
+                goto bad;
+            length = atoi(*(++argv));
+            if (length == 0)
+                goto bad;
+        } else if (strcmp(*argv, "-dump") == 0) {
+            dump = -1;
+        } else if (strcmp(*argv, "-dlimit") == 0) {
+            if (--argc < 1)
+                goto bad;
+            dump = atoi(*(++argv));
+            if (dump <= 0)
+                goto bad;
+        } else if (strcmp(*argv, "-strparse") == 0) {
+            if (--argc < 1)
+                goto bad;
+            sk_OPENSSL_STRING_push(osk, *(++argv));
+        } else if (strcmp(*argv, "-genstr") == 0) {
+            if (--argc < 1)
+                goto bad;
+            genstr = *(++argv);
+        } else if (strcmp(*argv, "-genconf") == 0) {
+            if (--argc < 1)
+                goto bad;
+            genconf = *(++argv);
+        } else {
+            BIO_printf(bio_err, "unknown option %s\n", *argv);
+            badops = 1;
+            break;
+        }
+        argc--;
+        argv++;
+    }
+
+    if (badops) {
+ bad:
+        BIO_printf(bio_err, "%s [options] <infile\n", prog);
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err, " -inform arg   input format - one of DER PEM\n");
+        BIO_printf(bio_err, " -in arg       input file\n");
+        BIO_printf(bio_err,
+                   " -out arg      output file (output format is always DER\n");
+        BIO_printf(bio_err, " -noout arg    don't produce any output\n");
+        BIO_printf(bio_err, " -offset arg   offset into file\n");
+        BIO_printf(bio_err, " -length arg   length of section in file\n");
+        BIO_printf(bio_err, " -i            indent entries\n");
+        BIO_printf(bio_err, " -dump         dump unknown data in hex form\n");
+        BIO_printf(bio_err,
+                   " -dlimit arg   dump the first arg bytes of unknown data in hex form\n");
+        BIO_printf(bio_err, " -oid file     file of extra oid definitions\n");
+        BIO_printf(bio_err, " -strparse offset\n");
+        BIO_printf(bio_err,
+                   "               a series of these can be used to 'dig' into multiple\n");
+        BIO_printf(bio_err, "               ASN1 blob wrappings\n");
+        BIO_printf(bio_err,
+                   " -genstr str   string to generate ASN1 structure from\n");
+        BIO_printf(bio_err,
+                   " -genconf file file to generate ASN1 structure from\n");
+        goto end;
+    }
+
+    ERR_load_crypto_strings();
+
+    in = BIO_new(BIO_s_file());
+    out = BIO_new(BIO_s_file());
+    if ((in == NULL) || (out == NULL)) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+    BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
+#ifdef OPENSSL_SYS_VMS
+    {
+        BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+        out = BIO_push(tmpbio, out);
+    }
+#endif
+
+    if (oidfile != NULL) {
+        if (BIO_read_filename(in, oidfile) <= 0) {
+            BIO_printf(bio_err, "problems opening %s\n", oidfile);
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        OBJ_create_objects(in);
+    }
+
+    if (infile == NULL)
+        BIO_set_fp(in, stdin, BIO_NOCLOSE);
+    else {
+        if (BIO_read_filename(in, infile) <= 0) {
+            perror(infile);
+            goto end;
+        }
+    }
+
+    if (derfile) {
+        if (!(derout = BIO_new_file(derfile, "wb"))) {
+            BIO_printf(bio_err, "problems opening %s\n", derfile);
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+
+    if ((buf = BUF_MEM_new()) == NULL)
+        goto end;
+    if (!BUF_MEM_grow(buf, BUFSIZ * 8))
+        goto end;               /* Pre-allocate :-) */
+
+    if (genstr || genconf) {
+        num = do_generate(bio_err, genstr, genconf, buf);
+        if (num < 0) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+
+    else {
+
+        if (informat == FORMAT_PEM) {
+            BIO *tmp;
+
+            if ((b64 = BIO_new(BIO_f_base64())) == NULL)
+                goto end;
+            BIO_push(b64, in);
+            tmp = in;
+            in = b64;
+            b64 = tmp;
+        }
+
+        num = 0;
+        for (;;) {
+            if (!BUF_MEM_grow(buf, (int)num + BUFSIZ))
+                goto end;
+            i = BIO_read(in, &(buf->data[num]), BUFSIZ);
+            if (i <= 0)
+                break;
+            num += i;
+        }
+    }
+    str = buf->data;
+
+    /* If any structs to parse go through in sequence */
+
+    if (sk_OPENSSL_STRING_num(osk)) {
+        tmpbuf = (unsigned char *)str;
+        tmplen = num;
+        for (i = 0; i < sk_OPENSSL_STRING_num(osk); i++) {
+            ASN1_TYPE *atmp;
+            int typ;
+            j = atoi(sk_OPENSSL_STRING_value(osk, i));
+            if (j == 0) {
+                BIO_printf(bio_err, "'%s' is an invalid number\n",
+                           sk_OPENSSL_STRING_value(osk, i));
+                continue;
+            }
+            tmpbuf += j;
+            tmplen -= j;
+            atmp = at;
+            ctmpbuf = tmpbuf;
+            at = d2i_ASN1_TYPE(NULL, &ctmpbuf, tmplen);
+            ASN1_TYPE_free(atmp);
+            if (!at) {
+                BIO_printf(bio_err, "Error parsing structure\n");
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+            typ = ASN1_TYPE_get(at);
+            if ((typ == V_ASN1_OBJECT)
+                || (typ == V_ASN1_BOOLEAN)
+                || (typ == V_ASN1_NULL)) {
+                BIO_printf(bio_err, "Can't parse %s type\n", ASN1_tag2str(typ));
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+            /* hmm... this is a little evil but it works */
+            tmpbuf = at->value.asn1_string->data;
+            tmplen = at->value.asn1_string->length;
+        }
+        str = (char *)tmpbuf;
+        num = tmplen;
+    }
+
+    if (offset >= num) {
+        BIO_printf(bio_err, "Error: offset too large\n");
+        goto end;
+    }
+
+    num -= offset;
+
+    if ((length == 0) || ((long)length > num))
+        length = (unsigned int)num;
+    if (derout) {
+        if (BIO_write(derout, str + offset, length) != (int)length) {
+            BIO_printf(bio_err, "Error writing output\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+    if (!noout &&
+        !ASN1_parse_dump(out, (unsigned char *)&(str[offset]), length,
+                         indent, dump)) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+    ret = 0;
+ end:
+    BIO_free(derout);
+    if (in != NULL)
+        BIO_free(in);
+    if (out != NULL)
+        BIO_free_all(out);
+    if (b64 != NULL)
+        BIO_free(b64);
+    if (ret != 0)
+        ERR_print_errors(bio_err);
+    if (buf != NULL)
+        BUF_MEM_free(buf);
+    if (at != NULL)
+        ASN1_TYPE_free(at);
+    if (osk != NULL)
+        sk_OPENSSL_STRING_free(osk);
+    OBJ_cleanup();
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+
+static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf)
+{
+    CONF *cnf = NULL;
+    int len;
+    long errline = 0;
+    unsigned char *p;
+    ASN1_TYPE *atyp = NULL;
+
+    if (genconf) {
+        cnf = NCONF_new(NULL);
+        if (!NCONF_load(cnf, genconf, &errline))
+            goto conferr;
+        if (!genstr)
+            genstr = NCONF_get_string(cnf, "default", "asn1");
+        if (!genstr) {
+            BIO_printf(bio, "Can't find 'asn1' in '%s'\n", genconf);
+            goto err;
+        }
+    }
+
+    atyp = ASN1_generate_nconf(genstr, cnf);
+    NCONF_free(cnf);
+    cnf = NULL;
+
+    if (!atyp)
+        return -1;
+
+    len = i2d_ASN1_TYPE(atyp, NULL);
+
+    if (len <= 0)
+        goto err;
+
+    if (!BUF_MEM_grow(buf, len))
+        goto err;
+
+    p = (unsigned char *)buf->data;
+
+    i2d_ASN1_TYPE(atyp, &p);
+
+    ASN1_TYPE_free(atyp);
+    return len;
+
+ conferr:
+
+    if (errline > 0)
+        BIO_printf(bio, "Error on line %ld of config file '%s'\n",
+                   errline, genconf);
+    else
+        BIO_printf(bio, "Error loading config file '%s'\n", genconf);
+
+ err:
+    NCONF_free(cnf);
+    ASN1_TYPE_free(atyp);
+
+    return -1;
+
+}
diff --git a/openssl/apps/ca-cert.srl b/openssl/apps/ca-cert.srl
new file mode 100644
index 0000000..2c7456e
--- /dev/null
+++ b/openssl/apps/ca-cert.srl
@@ -0,0 +1 @@
+07
diff --git a/openssl/apps/ca-key.pem b/openssl/apps/ca-key.pem
new file mode 100644
index 0000000..3a520b2
--- /dev/null
+++ b/openssl/apps/ca-key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCju6PLddelT+nIMm07GQwmYa/eZ2JWbsmt2gotSCqM7asFp425
+gxSK4jqhhT62UPpqDBEwvQ+fYkVv3RV0r9ReuZGv12NoS4fXsQgqO17lHA7Od0Kd
+2yNwJjKh44MxPKDt2o8iQMyZE0zlHnEFNpsP4COLTDNC6ljEEu5bk8uPsQIDAQAB
+AoGAVZmpFZsDZfr0l2S9tLLwpjRWNOlKATQkno6q2WesT0eGLQufTciY+c8ypfU6
+hyio8r5iUl/VhhdjhAtKx1mRpiotftHo/eYf8rtsrnprOnWG0bWjLjtIoMbcxGn2
+J3bN6LJmbJMjDs0eJ3KnTu646F3nDUw2oGAwmpzKXA1KAP0CQQDRvQhxk2D3Pehs
+HvG665u2pB5ipYQngEFlZO7RHJZzJOZEWSLuuMqaF/7pTfA5jiBvWqCgJeCRRInL
+21ru4dlPAkEAx9jj7BgKn5TYnMoBSSe0afjsV9oApVpN1Nacb1YDtCwy+scp3++s
+nFxlv98wxIlSdpwMUn+AUWfjiWR7Tu/G/wJBAJ/KjwZIrFVxewP0x2ILYsTRYLzz
+MS4PDsO7FB+I0i7DbBOifXS2oNSpd3I0CNMwrxFnUHzynpbOStVfN3ZL5w0CQQCa
+pwFahxBRhkJKsxhjoFJBX9yl75JoY4Wvm5Tbo9ih6UJaRx3kqfkN14L2BKYcsZgb
+KY9vmDOYy6iNfjDeWTfJAkBkfPUb8oTJ/nSP5zN6sqGxSY4krc4xLxpRmxoJ8HL2
+XfhqXkTzbU13RX9JJ/NZ8vQN9Vm2NhxRGJocQkmcdVtJ
+-----END RSA PRIVATE KEY-----
diff --git a/openssl/apps/ca-req.pem b/openssl/apps/ca-req.pem
new file mode 100644
index 0000000..77bf7ec
--- /dev/null
+++ b/openssl/apps/ca-req.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBmTCCAQICAQAwWzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQx
+GjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDExJUZXN0IENBICgx
+MDI0IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKO7o8t116VP6cgy
+bTsZDCZhr95nYlZuya3aCi1IKoztqwWnjbmDFIriOqGFPrZQ+moMETC9D59iRW/d
+FXSv1F65ka/XY2hLh9exCCo7XuUcDs53Qp3bI3AmMqHjgzE8oO3ajyJAzJkTTOUe
+cQU2mw/gI4tMM0LqWMQS7luTy4+xAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAKlk7
+cxu9gCJN3/iQFyJXQ6YphaiQAT5VBXTx9ftRrQIjA3vxlDzPWGDy+V5Tqa7h8PtR
+5Bn00JShII2zf0hjyjKils6x/UkWmjEiwSiFp4hR70iE8XwSNEHY2P6j6nQEIpgW
+kbfgmmUqk7dl2V+ossTJ80B8SBpEhrn81V/cHxA=
+-----END CERTIFICATE REQUEST-----
diff --git a/openssl/apps/ca.c b/openssl/apps/ca.c
new file mode 100644
index 0000000..4cea3cb
--- /dev/null
+++ b/openssl/apps/ca.c
@@ -0,0 +1,2915 @@
+/* apps/ca.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <sys/types.h>
+#include <openssl/conf.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/txt_db.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/objects.h>
+#include <openssl/ocsp.h>
+#include <openssl/pem.h>
+
+#ifndef W_OK
+# ifdef OPENSSL_SYS_VMS
+#  if defined(__DECC)
+#   include <unistd.h>
+#  else
+#   include <unixlib.h>
+#  endif
+# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE)
+#  include <sys/file.h>
+# endif
+#endif
+
+#include "apps.h"
+
+#ifndef W_OK
+# define F_OK 0
+# define X_OK 1
+# define W_OK 2
+# define R_OK 4
+#endif
+
+#undef PROG
+#define PROG ca_main
+
+#define BASE_SECTION            "ca"
+#define CONFIG_FILE             "openssl.cnf"
+
+#define ENV_DEFAULT_CA          "default_ca"
+
+#define STRING_MASK             "string_mask"
+#define UTF8_IN                 "utf8"
+
+#define ENV_NEW_CERTS_DIR       "new_certs_dir"
+#define ENV_CERTIFICATE         "certificate"
+#define ENV_SERIAL              "serial"
+#define ENV_CRLNUMBER           "crlnumber"
+#define ENV_PRIVATE_KEY         "private_key"
+#define ENV_DEFAULT_DAYS        "default_days"
+#define ENV_DEFAULT_STARTDATE   "default_startdate"
+#define ENV_DEFAULT_ENDDATE     "default_enddate"
+#define ENV_DEFAULT_CRL_DAYS    "default_crl_days"
+#define ENV_DEFAULT_CRL_HOURS   "default_crl_hours"
+#define ENV_DEFAULT_MD          "default_md"
+#define ENV_DEFAULT_EMAIL_DN    "email_in_dn"
+#define ENV_PRESERVE            "preserve"
+#define ENV_POLICY              "policy"
+#define ENV_EXTENSIONS          "x509_extensions"
+#define ENV_CRLEXT              "crl_extensions"
+#define ENV_MSIE_HACK           "msie_hack"
+#define ENV_NAMEOPT             "name_opt"
+#define ENV_CERTOPT             "cert_opt"
+#define ENV_EXTCOPY             "copy_extensions"
+#define ENV_UNIQUE_SUBJECT      "unique_subject"
+
+#define ENV_DATABASE            "database"
+
+/* Additional revocation information types */
+
+#define REV_NONE                0 /* No addditional information */
+#define REV_CRL_REASON          1 /* Value is CRL reason code */
+#define REV_HOLD                2 /* Value is hold instruction */
+#define REV_KEY_COMPROMISE      3 /* Value is cert key compromise time */
+#define REV_CA_COMPROMISE       4 /* Value is CA key compromise time */
+
+static const char *ca_usage[] = {
+    "usage: ca args\n",
+    "\n",
+    " -verbose        - Talk alot while doing things\n",
+    " -config file    - A config file\n",
+    " -name arg       - The particular CA definition to use\n",
+    " -gencrl         - Generate a new CRL\n",
+    " -crldays days   - Days is when the next CRL is due\n",
+    " -crlhours hours - Hours is when the next CRL is due\n",
+    " -startdate YYMMDDHHMMSSZ  - certificate validity notBefore\n",
+    " -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)\n",
+    " -days arg       - number of days to certify the certificate for\n",
+    " -md arg         - md to use, one of md2, md5, sha or sha1\n",
+    " -policy arg     - The CA 'policy' to support\n",
+    " -keyfile arg    - private key file\n",
+    " -keyform arg    - private key file format (PEM or ENGINE)\n",
+    " -key arg        - key to decode the private key if it is encrypted\n",
+    " -cert file      - The CA certificate\n",
+    " -selfsign       - sign a certificate with the key associated with it\n",
+    " -in file        - The input PEM encoded certificate request(s)\n",
+    " -out file       - Where to put the output file(s)\n",
+    " -outdir dir     - Where to put output certificates\n",
+    " -infiles ....   - The last argument, requests to process\n",
+    " -spkac file     - File contains DN and signed public key and challenge\n",
+    " -ss_cert file   - File contains a self signed cert to sign\n",
+    " -preserveDN     - Don't re-order the DN\n",
+    " -noemailDN      - Don't add the EMAIL field into certificate' subject\n",
+    " -batch          - Don't ask questions\n",
+    " -msie_hack      - msie modifications to handle all those universal strings\n",
+    " -revoke file    - Revoke a certificate (given in file)\n",
+    " -subj arg       - Use arg instead of request's subject\n",
+    " -utf8           - input characters are UTF8 (default ASCII)\n",
+    " -multivalue-rdn - enable support for multivalued RDNs\n",
+    " -extensions ..  - Extension section (override value in config file)\n",
+    " -extfile file   - Configuration file with X509v3 extentions to add\n",
+    " -crlexts ..     - CRL extension section (override value in config file)\n",
+#ifndef OPENSSL_NO_ENGINE
+    " -engine e       - use engine e, possibly a hardware device.\n",
+#endif
+    " -status serial  - Shows certificate status given the serial number\n",
+    " -updatedb       - Updates db for expired certificates\n",
+    NULL
+};
+
+#ifdef EFENCE
+extern int EF_PROTECT_FREE;
+extern int EF_PROTECT_BELOW;
+extern int EF_ALIGNMENT;
+#endif
+
+static void lookup_fail(const char *name, const char *tag);
+static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
+                   const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
+                   STACK_OF(CONF_VALUE) *policy, CA_DB *db,
+                   BIGNUM *serial, char *subj, unsigned long chtype,
+                   int multirdn, int email_dn, char *startdate, char *enddate,
+                   long days, int batch, char *ext_sect, CONF *conf,
+                   int verbose, unsigned long certopt, unsigned long nameopt,
+                   int default_op, int ext_copy, int selfsign);
+static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
+                        const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
+                        STACK_OF(CONF_VALUE) *policy, CA_DB *db,
+                        BIGNUM *serial, char *subj, unsigned long chtype,
+                        int multirdn, int email_dn, char *startdate,
+                        char *enddate, long days, int batch, char *ext_sect,
+                        CONF *conf, int verbose, unsigned long certopt,
+                        unsigned long nameopt, int default_op, int ext_copy,
+                        ENGINE *e);
+static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey,
+                         X509 *x509, const EVP_MD *dgst,
+                         STACK_OF(OPENSSL_STRING) *sigopts,
+                         STACK_OF(CONF_VALUE) *policy, CA_DB *db,
+                         BIGNUM *serial, char *subj, unsigned long chtype,
+                         int multirdn, int email_dn, char *startdate,
+                         char *enddate, long days, char *ext_sect, CONF *conf,
+                         int verbose, unsigned long certopt,
+                         unsigned long nameopt, int default_op, int ext_copy);
+static void write_new_certificate(BIO *bp, X509 *x, int output_der,
+                                  int notext);
+static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
+                   const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
+                   STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,
+                   char *subj, unsigned long chtype, int multirdn,
+                   int email_dn, char *startdate, char *enddate, long days,
+                   int batch, int verbose, X509_REQ *req, char *ext_sect,
+                   CONF *conf, unsigned long certopt, unsigned long nameopt,
+                   int default_op, int ext_copy, int selfsign);
+static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval);
+static int get_certificate_status(const char *ser_status, CA_DB *db);
+static int do_updatedb(CA_DB *db);
+static int check_time_format(const char *str);
+char *make_revocation_str(int rev_type, char *rev_arg);
+int make_revoked(X509_REVOKED *rev, const char *str);
+int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str);
+static CONF *conf = NULL;
+static CONF *extconf = NULL;
+static char *section = NULL;
+
+static int preserve = 0;
+static int msie_hack = 0;
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    ENGINE *e = NULL;
+    char *key = NULL, *passargin = NULL;
+    int create_ser = 0;
+    int free_key = 0;
+    int total = 0;
+    int total_done = 0;
+    int badops = 0;
+    int ret = 1;
+    int email_dn = 1;
+    int req = 0;
+    int verbose = 0;
+    int gencrl = 0;
+    int dorevoke = 0;
+    int doupdatedb = 0;
+    long crldays = 0;
+    long crlhours = 0;
+    long crlsec = 0;
+    long errorline = -1;
+    char *configfile = NULL;
+    char *md = NULL;
+    char *policy = NULL;
+    char *keyfile = NULL;
+    char *certfile = NULL;
+    int keyform = FORMAT_PEM;
+    char *infile = NULL;
+    char *spkac_file = NULL;
+    char *ss_cert_file = NULL;
+    char *ser_status = NULL;
+    EVP_PKEY *pkey = NULL;
+    int output_der = 0;
+    char *outfile = NULL;
+    char *outdir = NULL;
+    char *serialfile = NULL;
+    char *crlnumberfile = NULL;
+    char *extensions = NULL;
+    char *extfile = NULL;
+    char *subj = NULL;
+    unsigned long chtype = MBSTRING_ASC;
+    int multirdn = 0;
+    char *tmp_email_dn = NULL;
+    char *crl_ext = NULL;
+    int rev_type = REV_NONE;
+    char *rev_arg = NULL;
+    BIGNUM *serial = NULL;
+    BIGNUM *crlnumber = NULL;
+    char *startdate = NULL;
+    char *enddate = NULL;
+    long days = 0;
+    int batch = 0;
+    int notext = 0;
+    unsigned long nameopt = 0, certopt = 0;
+    int default_op = 1;
+    int ext_copy = EXT_COPY_NONE;
+    int selfsign = 0;
+    X509 *x509 = NULL, *x509p = NULL;
+    X509 *x = NULL;
+    BIO *in = NULL, *out = NULL, *Sout = NULL, *Cout = NULL;
+    char *dbfile = NULL;
+    CA_DB *db = NULL;
+    X509_CRL *crl = NULL;
+    X509_REVOKED *r = NULL;
+    ASN1_TIME *tmptm;
+    ASN1_INTEGER *tmpser;
+    char *f;
+    const char *p;
+    char *const *pp;
+    int i, j;
+    const EVP_MD *dgst = NULL;
+    STACK_OF(CONF_VALUE) *attribs = NULL;
+    STACK_OF(X509) *cert_sk = NULL;
+    STACK_OF(OPENSSL_STRING) *sigopts = NULL;
+#undef BSIZE
+#define BSIZE 256
+    MS_STATIC char buf[3][BSIZE];
+    char *randfile = NULL;
+    char *engine = NULL;
+    char *tofree = NULL;
+    DB_ATTR db_attr;
+
+#ifdef EFENCE
+    EF_PROTECT_FREE = 1;
+    EF_PROTECT_BELOW = 1;
+    EF_ALIGNMENT = 0;
+#endif
+
+    apps_startup();
+
+    conf = NULL;
+    key = NULL;
+    section = NULL;
+
+    preserve = 0;
+    msie_hack = 0;
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    argc--;
+    argv++;
+    while (argc >= 1) {
+        if (strcmp(*argv, "-verbose") == 0)
+            verbose = 1;
+        else if (strcmp(*argv, "-config") == 0) {
+            if (--argc < 1)
+                goto bad;
+            configfile = *(++argv);
+        } else if (strcmp(*argv, "-name") == 0) {
+            if (--argc < 1)
+                goto bad;
+            section = *(++argv);
+        } else if (strcmp(*argv, "-subj") == 0) {
+            if (--argc < 1)
+                goto bad;
+            subj = *(++argv);
+            /* preserve=1; */
+        } else if (strcmp(*argv, "-utf8") == 0)
+            chtype = MBSTRING_UTF8;
+        else if (strcmp(*argv, "-create_serial") == 0)
+            create_ser = 1;
+        else if (strcmp(*argv, "-multivalue-rdn") == 0)
+            multirdn = 1;
+        else if (strcmp(*argv, "-startdate") == 0) {
+            if (--argc < 1)
+                goto bad;
+            startdate = *(++argv);
+        } else if (strcmp(*argv, "-enddate") == 0) {
+            if (--argc < 1)
+                goto bad;
+            enddate = *(++argv);
+        } else if (strcmp(*argv, "-days") == 0) {
+            if (--argc < 1)
+                goto bad;
+            days = atoi(*(++argv));
+        } else if (strcmp(*argv, "-md") == 0) {
+            if (--argc < 1)
+                goto bad;
+            md = *(++argv);
+        } else if (strcmp(*argv, "-policy") == 0) {
+            if (--argc < 1)
+                goto bad;
+            policy = *(++argv);
+        } else if (strcmp(*argv, "-keyfile") == 0) {
+            if (--argc < 1)
+                goto bad;
+            keyfile = *(++argv);
+        } else if (strcmp(*argv, "-keyform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            keyform = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-passin") == 0) {
+            if (--argc < 1)
+                goto bad;
+            passargin = *(++argv);
+        } else if (strcmp(*argv, "-key") == 0) {
+            if (--argc < 1)
+                goto bad;
+            key = *(++argv);
+        } else if (strcmp(*argv, "-cert") == 0) {
+            if (--argc < 1)
+                goto bad;
+            certfile = *(++argv);
+        } else if (strcmp(*argv, "-selfsign") == 0)
+            selfsign = 1;
+        else if (strcmp(*argv, "-in") == 0) {
+            if (--argc < 1)
+                goto bad;
+            infile = *(++argv);
+            req = 1;
+        } else if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outfile = *(++argv);
+        } else if (strcmp(*argv, "-outdir") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outdir = *(++argv);
+        } else if (strcmp(*argv, "-sigopt") == 0) {
+            if (--argc < 1)
+                goto bad;
+            if (!sigopts)
+                sigopts = sk_OPENSSL_STRING_new_null();
+            if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
+                goto bad;
+        } else if (strcmp(*argv, "-notext") == 0)
+            notext = 1;
+        else if (strcmp(*argv, "-batch") == 0)
+            batch = 1;
+        else if (strcmp(*argv, "-preserveDN") == 0)
+            preserve = 1;
+        else if (strcmp(*argv, "-noemailDN") == 0)
+            email_dn = 0;
+        else if (strcmp(*argv, "-gencrl") == 0)
+            gencrl = 1;
+        else if (strcmp(*argv, "-msie_hack") == 0)
+            msie_hack = 1;
+        else if (strcmp(*argv, "-crldays") == 0) {
+            if (--argc < 1)
+                goto bad;
+            crldays = atol(*(++argv));
+        } else if (strcmp(*argv, "-crlhours") == 0) {
+            if (--argc < 1)
+                goto bad;
+            crlhours = atol(*(++argv));
+        } else if (strcmp(*argv, "-crlsec") == 0) {
+            if (--argc < 1)
+                goto bad;
+            crlsec = atol(*(++argv));
+        } else if (strcmp(*argv, "-infiles") == 0) {
+            argc--;
+            argv++;
+            req = 1;
+            break;
+        } else if (strcmp(*argv, "-ss_cert") == 0) {
+            if (--argc < 1)
+                goto bad;
+            ss_cert_file = *(++argv);
+            req = 1;
+        } else if (strcmp(*argv, "-spkac") == 0) {
+            if (--argc < 1)
+                goto bad;
+            spkac_file = *(++argv);
+            req = 1;
+        } else if (strcmp(*argv, "-revoke") == 0) {
+            if (--argc < 1)
+                goto bad;
+            infile = *(++argv);
+            dorevoke = 1;
+        } else if (strcmp(*argv, "-valid") == 0) {
+            if (--argc < 1)
+                goto bad;
+            infile = *(++argv);
+            dorevoke = 2;
+        } else if (strcmp(*argv, "-extensions") == 0) {
+            if (--argc < 1)
+                goto bad;
+            extensions = *(++argv);
+        } else if (strcmp(*argv, "-extfile") == 0) {
+            if (--argc < 1)
+                goto bad;
+            extfile = *(++argv);
+        } else if (strcmp(*argv, "-status") == 0) {
+            if (--argc < 1)
+                goto bad;
+            ser_status = *(++argv);
+        } else if (strcmp(*argv, "-updatedb") == 0) {
+            doupdatedb = 1;
+        } else if (strcmp(*argv, "-crlexts") == 0) {
+            if (--argc < 1)
+                goto bad;
+            crl_ext = *(++argv);
+        } else if (strcmp(*argv, "-crl_reason") == 0) {
+            if (--argc < 1)
+                goto bad;
+            rev_arg = *(++argv);
+            rev_type = REV_CRL_REASON;
+        } else if (strcmp(*argv, "-crl_hold") == 0) {
+            if (--argc < 1)
+                goto bad;
+            rev_arg = *(++argv);
+            rev_type = REV_HOLD;
+        } else if (strcmp(*argv, "-crl_compromise") == 0) {
+            if (--argc < 1)
+                goto bad;
+            rev_arg = *(++argv);
+            rev_type = REV_KEY_COMPROMISE;
+        } else if (strcmp(*argv, "-crl_CA_compromise") == 0) {
+            if (--argc < 1)
+                goto bad;
+            rev_arg = *(++argv);
+            rev_type = REV_CA_COMPROMISE;
+        }
+#ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            engine = *(++argv);
+        }
+#endif
+        else {
+ bad:
+            BIO_printf(bio_err, "unknown option %s\n", *argv);
+            badops = 1;
+            break;
+        }
+        argc--;
+        argv++;
+    }
+
+    if (badops) {
+        const char **pp2;
+
+        for (pp2 = ca_usage; (*pp2 != NULL); pp2++)
+            BIO_printf(bio_err, "%s", *pp2);
+        goto err;
+    }
+
+    ERR_load_crypto_strings();
+
+        /*****************************************************************/
+    tofree = NULL;
+    if (configfile == NULL)
+        configfile = getenv("OPENSSL_CONF");
+    if (configfile == NULL)
+        configfile = getenv("SSLEAY_CONF");
+    if (configfile == NULL) {
+        const char *s = X509_get_default_cert_area();
+        size_t len;
+
+#ifdef OPENSSL_SYS_VMS
+        len = strlen(s) + sizeof(CONFIG_FILE);
+        tofree = OPENSSL_malloc(len);
+        if (!tofree) {
+            BIO_printf(bio_err, "Out of memory\n");
+            goto err;
+        }
+        strcpy(tofree, s);
+#else
+        len = strlen(s) + sizeof(CONFIG_FILE) + 1;
+        tofree = OPENSSL_malloc(len);
+        if (!tofree) {
+            BIO_printf(bio_err, "Out of memory\n");
+            goto err;
+        }
+        BUF_strlcpy(tofree, s, len);
+        BUF_strlcat(tofree, "/", len);
+#endif
+        BUF_strlcat(tofree, CONFIG_FILE, len);
+        configfile = tofree;
+    }
+
+    BIO_printf(bio_err, "Using configuration from %s\n", configfile);
+    conf = NCONF_new(NULL);
+    if (NCONF_load(conf, configfile, &errorline) <= 0) {
+        if (errorline <= 0)
+            BIO_printf(bio_err, "error loading the config file '%s'\n",
+                       configfile);
+        else
+            BIO_printf(bio_err, "error on line %ld of config file '%s'\n",
+                       errorline, configfile);
+        goto err;
+    }
+    if (tofree) {
+        OPENSSL_free(tofree);
+        tofree = NULL;
+    }
+
+    if (!load_config(bio_err, conf))
+        goto err;
+
+    e = setup_engine(bio_err, engine, 0);
+
+    /* Lets get the config section we are using */
+    if (section == NULL) {
+        section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_CA);
+        if (section == NULL) {
+            lookup_fail(BASE_SECTION, ENV_DEFAULT_CA);
+            goto err;
+        }
+    }
+
+    if (conf != NULL) {
+        p = NCONF_get_string(conf, NULL, "oid_file");
+        if (p == NULL)
+            ERR_clear_error();
+        if (p != NULL) {
+            BIO *oid_bio;
+
+            oid_bio = BIO_new_file(p, "r");
+            if (oid_bio == NULL) {
+                /*-
+                BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
+                ERR_print_errors(bio_err);
+                */
+                ERR_clear_error();
+            } else {
+                OBJ_create_objects(oid_bio);
+                BIO_free(oid_bio);
+            }
+        }
+        if (!add_oid_section(bio_err, conf)) {
+            ERR_print_errors(bio_err);
+            goto err;
+        }
+    }
+
+    randfile = NCONF_get_string(conf, BASE_SECTION, "RANDFILE");
+    if (randfile == NULL)
+        ERR_clear_error();
+    app_RAND_load_file(randfile, bio_err, 0);
+
+    f = NCONF_get_string(conf, section, STRING_MASK);
+    if (!f)
+        ERR_clear_error();
+
+    if (f && !ASN1_STRING_set_default_mask_asc(f)) {
+        BIO_printf(bio_err, "Invalid global string mask setting %s\n", f);
+        goto err;
+    }
+
+    if (chtype != MBSTRING_UTF8) {
+        f = NCONF_get_string(conf, section, UTF8_IN);
+        if (!f)
+            ERR_clear_error();
+        else if (!strcmp(f, "yes"))
+            chtype = MBSTRING_UTF8;
+    }
+
+    db_attr.unique_subject = 1;
+    p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT);
+    if (p) {
+#ifdef RL_DEBUG
+        BIO_printf(bio_err, "DEBUG: unique_subject = \"%s\"\n", p);
+#endif
+        db_attr.unique_subject = parse_yesno(p, 1);
+    } else
+        ERR_clear_error();
+#ifdef RL_DEBUG
+    if (!p)
+        BIO_printf(bio_err, "DEBUG: unique_subject undefined\n");
+#endif
+#ifdef RL_DEBUG
+    BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n",
+               db_attr.unique_subject);
+#endif
+
+    in = BIO_new(BIO_s_file());
+    out = BIO_new(BIO_s_file());
+    Sout = BIO_new(BIO_s_file());
+    Cout = BIO_new(BIO_s_file());
+    if ((in == NULL) || (out == NULL) || (Sout == NULL) || (Cout == NULL)) {
+        ERR_print_errors(bio_err);
+        goto err;
+    }
+
+        /*****************************************************************/
+    /* report status of cert with serial number given on command line */
+    if (ser_status) {
+        if ((dbfile = NCONF_get_string(conf, section, ENV_DATABASE)) == NULL) {
+            lookup_fail(section, ENV_DATABASE);
+            goto err;
+        }
+        db = load_index(dbfile, &db_attr);
+        if (db == NULL)
+            goto err;
+
+        if (!index_index(db))
+            goto err;
+
+        if (get_certificate_status(ser_status, db) != 1)
+            BIO_printf(bio_err, "Error verifying serial %s!\n", ser_status);
+        goto err;
+    }
+
+        /*****************************************************************/
+    /* we definitely need a private key, so let's get it */
+
+    if ((keyfile == NULL) && ((keyfile = NCONF_get_string(conf,
+                                                          section,
+                                                          ENV_PRIVATE_KEY)) ==
+                              NULL)) {
+        lookup_fail(section, ENV_PRIVATE_KEY);
+        goto err;
+    }
+    if (!key) {
+        free_key = 1;
+        if (!app_passwd(bio_err, passargin, NULL, &key, NULL)) {
+            BIO_printf(bio_err, "Error getting password\n");
+            goto err;
+        }
+    }
+    pkey = load_key(bio_err, keyfile, keyform, 0, key, e, "CA private key");
+    if (key)
+        OPENSSL_cleanse(key, strlen(key));
+    if (pkey == NULL) {
+        /* load_key() has already printed an appropriate message */
+        goto err;
+    }
+
+        /*****************************************************************/
+    /* we need a certificate */
+    if (!selfsign || spkac_file || ss_cert_file || gencrl) {
+        if ((certfile == NULL)
+            && ((certfile = NCONF_get_string(conf,
+                                             section,
+                                             ENV_CERTIFICATE)) == NULL)) {
+            lookup_fail(section, ENV_CERTIFICATE);
+            goto err;
+        }
+        x509 = load_cert(bio_err, certfile, FORMAT_PEM, NULL, e,
+                         "CA certificate");
+        if (x509 == NULL)
+            goto err;
+
+        if (!X509_check_private_key(x509, pkey)) {
+            BIO_printf(bio_err,
+                       "CA certificate and CA private key do not match\n");
+            goto err;
+        }
+    }
+    if (!selfsign)
+        x509p = x509;
+
+    f = NCONF_get_string(conf, BASE_SECTION, ENV_PRESERVE);
+    if (f == NULL)
+        ERR_clear_error();
+    if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
+        preserve = 1;
+    f = NCONF_get_string(conf, BASE_SECTION, ENV_MSIE_HACK);
+    if (f == NULL)
+        ERR_clear_error();
+    if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
+        msie_hack = 1;
+
+    f = NCONF_get_string(conf, section, ENV_NAMEOPT);
+
+    if (f) {
+        if (!set_name_ex(&nameopt, f)) {
+            BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f);
+            goto err;
+        }
+        default_op = 0;
+    } else
+        ERR_clear_error();
+
+    f = NCONF_get_string(conf, section, ENV_CERTOPT);
+
+    if (f) {
+        if (!set_cert_ex(&certopt, f)) {
+            BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f);
+            goto err;
+        }
+        default_op = 0;
+    } else
+        ERR_clear_error();
+
+    f = NCONF_get_string(conf, section, ENV_EXTCOPY);
+
+    if (f) {
+        if (!set_ext_copy(&ext_copy, f)) {
+            BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f);
+            goto err;
+        }
+    } else
+        ERR_clear_error();
+
+        /*****************************************************************/
+    /* lookup where to write new certificates */
+    if ((outdir == NULL) && (req)) {
+
+        if ((outdir = NCONF_get_string(conf, section, ENV_NEW_CERTS_DIR))
+            == NULL) {
+            BIO_printf(bio_err,
+                       "there needs to be defined a directory for new certificate to be placed in\n");
+            goto err;
+        }
+#ifndef OPENSSL_SYS_VMS
+        /*
+         * outdir is a directory spec, but access() for VMS demands a
+         * filename.  In any case, stat(), below, will catch the problem if
+         * outdir is not a directory spec, and the fopen() or open() will
+         * catch an error if there is no write access.
+         *
+         * Presumably, this problem could also be solved by using the DEC C
+         * routines to convert the directory syntax to Unixly, and give that
+         * to access().  However, time's too short to do that just now.
+         */
+# ifndef _WIN32
+        if (access(outdir, R_OK | W_OK | X_OK) != 0)
+# else
+        if (_access(outdir, R_OK | W_OK | X_OK) != 0)
+# endif
+        {
+            BIO_printf(bio_err, "I am unable to access the %s directory\n",
+                       outdir);
+            perror(outdir);
+            goto err;
+        }
+
+        if (app_isdir(outdir) <= 0) {
+            BIO_printf(bio_err, "%s need to be a directory\n", outdir);
+            perror(outdir);
+            goto err;
+        }
+#endif
+    }
+
+        /*****************************************************************/
+    /* we need to load the database file */
+    if ((dbfile = NCONF_get_string(conf, section, ENV_DATABASE)) == NULL) {
+        lookup_fail(section, ENV_DATABASE);
+        goto err;
+    }
+    db = load_index(dbfile, &db_attr);
+    if (db == NULL)
+        goto err;
+
+    /* Lets check some fields */
+    for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
+        pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
+        if ((pp[DB_type][0] != DB_TYPE_REV) && (pp[DB_rev_date][0] != '\0')) {
+            BIO_printf(bio_err,
+                       "entry %d: not revoked yet, but has a revocation date\n",
+                       i + 1);
+            goto err;
+        }
+        if ((pp[DB_type][0] == DB_TYPE_REV) &&
+            !make_revoked(NULL, pp[DB_rev_date])) {
+            BIO_printf(bio_err, " in entry %d\n", i + 1);
+            goto err;
+        }
+        if (!check_time_format((char *)pp[DB_exp_date])) {
+            BIO_printf(bio_err, "entry %d: invalid expiry date\n", i + 1);
+            goto err;
+        }
+        p = pp[DB_serial];
+        j = strlen(p);
+        if (*p == '-') {
+            p++;
+            j--;
+        }
+        if ((j & 1) || (j < 2)) {
+            BIO_printf(bio_err, "entry %d: bad serial number length (%d)\n",
+                       i + 1, j);
+            goto err;
+        }
+        while (*p) {
+            if (!(((*p >= '0') && (*p <= '9')) ||
+                  ((*p >= 'A') && (*p <= 'F')) ||
+                  ((*p >= 'a') && (*p <= 'f')))) {
+                BIO_printf(bio_err,
+                           "entry %d: bad serial number characters, char pos %ld, char is '%c'\n",
+                           i + 1, (long)(p - pp[DB_serial]), *p);
+                goto err;
+            }
+            p++;
+        }
+    }
+    if (verbose) {
+        BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); /* cannot fail */
+#ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+#endif
+        TXT_DB_write(out, db->db);
+        BIO_printf(bio_err, "%d entries loaded from the database\n",
+                   sk_OPENSSL_PSTRING_num(db->db->data));
+        BIO_printf(bio_err, "generating index\n");
+    }
+
+    if (!index_index(db))
+        goto err;
+
+        /*****************************************************************/
+    /* Update the db file for expired certificates */
+    if (doupdatedb) {
+        if (verbose)
+            BIO_printf(bio_err, "Updating %s ...\n", dbfile);
+
+        i = do_updatedb(db);
+        if (i == -1) {
+            BIO_printf(bio_err, "Malloc failure\n");
+            goto err;
+        } else if (i == 0) {
+            if (verbose)
+                BIO_printf(bio_err, "No entries found to mark expired\n");
+        } else {
+            if (!save_index(dbfile, "new", db))
+                goto err;
+
+            if (!rotate_index(dbfile, "new", "old"))
+                goto err;
+
+            if (verbose)
+                BIO_printf(bio_err,
+                           "Done. %d entries marked as expired\n", i);
+        }
+    }
+
+        /*****************************************************************/
+    /* Read extentions config file                                   */
+    if (extfile) {
+        extconf = NCONF_new(NULL);
+        if (NCONF_load(extconf, extfile, &errorline) <= 0) {
+            if (errorline <= 0)
+                BIO_printf(bio_err, "ERROR: loading the config file '%s'\n",
+                           extfile);
+            else
+                BIO_printf(bio_err,
+                           "ERROR: on line %ld of config file '%s'\n",
+                           errorline, extfile);
+            ret = 1;
+            goto err;
+        }
+
+        if (verbose)
+            BIO_printf(bio_err, "Successfully loaded extensions file %s\n",
+                       extfile);
+
+        /* We can have sections in the ext file */
+        if (!extensions
+            && !(extensions =
+                 NCONF_get_string(extconf, "default", "extensions")))
+            extensions = "default";
+    }
+
+        /*****************************************************************/
+    if (req || gencrl) {
+        if (outfile != NULL) {
+            if (BIO_write_filename(Sout, outfile) <= 0) {
+                perror(outfile);
+                goto err;
+            }
+        } else {
+            BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
+#ifdef OPENSSL_SYS_VMS
+            {
+                BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+                Sout = BIO_push(tmpbio, Sout);
+            }
+#endif
+        }
+    }
+
+    if ((md == NULL) && ((md = NCONF_get_string(conf,
+                                                section,
+                                                ENV_DEFAULT_MD)) == NULL)) {
+        lookup_fail(section, ENV_DEFAULT_MD);
+        goto err;
+    }
+
+    if (!strcmp(md, "default")) {
+        int def_nid;
+        if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) {
+            BIO_puts(bio_err, "no default digest\n");
+            goto err;
+        }
+        md = (char *)OBJ_nid2sn(def_nid);
+    }
+
+    if ((dgst = EVP_get_digestbyname(md)) == NULL) {
+        BIO_printf(bio_err, "%s is an unsupported message digest type\n", md);
+        goto err;
+    }
+
+    if (req) {
+        if ((email_dn == 1) && ((tmp_email_dn = NCONF_get_string(conf,
+                                                                 section,
+                                                                 ENV_DEFAULT_EMAIL_DN))
+                                != NULL)) {
+            if (strcmp(tmp_email_dn, "no") == 0)
+                email_dn = 0;
+        }
+        if (verbose)
+            BIO_printf(bio_err, "message digest is %s\n",
+                       OBJ_nid2ln(dgst->type));
+        if ((policy == NULL) && ((policy = NCONF_get_string(conf,
+                                                            section,
+                                                            ENV_POLICY)) ==
+                                 NULL)) {
+            lookup_fail(section, ENV_POLICY);
+            goto err;
+        }
+        if (verbose)
+            BIO_printf(bio_err, "policy is %s\n", policy);
+
+        if ((serialfile = NCONF_get_string(conf, section, ENV_SERIAL))
+            == NULL) {
+            lookup_fail(section, ENV_SERIAL);
+            goto err;
+        }
+
+        if (!extconf) {
+            /*
+             * no '-extfile' option, so we look for extensions in the main
+             * configuration file
+             */
+            if (!extensions) {
+                extensions = NCONF_get_string(conf, section, ENV_EXTENSIONS);
+                if (!extensions)
+                    ERR_clear_error();
+            }
+            if (extensions) {
+                /* Check syntax of file */
+                X509V3_CTX ctx;
+                X509V3_set_ctx_test(&ctx);
+                X509V3_set_nconf(&ctx, conf);
+                if (!X509V3_EXT_add_nconf(conf, &ctx, extensions, NULL)) {
+                    BIO_printf(bio_err,
+                               "Error Loading extension section %s\n",
+                               extensions);
+                    ret = 1;
+                    goto err;
+                }
+            }
+        }
+
+        if (startdate == NULL) {
+            startdate = NCONF_get_string(conf, section,
+                                         ENV_DEFAULT_STARTDATE);
+            if (startdate == NULL)
+                ERR_clear_error();
+        }
+        if (startdate && !ASN1_TIME_set_string(NULL, startdate)) {
+            BIO_printf(bio_err,
+                       "start date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
+            goto err;
+        }
+        if (startdate == NULL)
+            startdate = "today";
+
+        if (enddate == NULL) {
+            enddate = NCONF_get_string(conf, section, ENV_DEFAULT_ENDDATE);
+            if (enddate == NULL)
+                ERR_clear_error();
+        }
+        if (enddate && !ASN1_TIME_set_string(NULL, enddate)) {
+            BIO_printf(bio_err,
+                       "end date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
+            goto err;
+        }
+
+        if (days == 0) {
+            if (!NCONF_get_number(conf, section, ENV_DEFAULT_DAYS, &days))
+                days = 0;
+        }
+        if (!enddate && (days == 0)) {
+            BIO_printf(bio_err,
+                       "cannot lookup how many days to certify for\n");
+            goto err;
+        }
+
+        if ((serial = load_serial(serialfile, create_ser, NULL)) == NULL) {
+            BIO_printf(bio_err, "error while loading serial number\n");
+            goto err;
+        }
+        if (verbose) {
+            if (BN_is_zero(serial))
+                BIO_printf(bio_err, "next serial number is 00\n");
+            else {
+                if ((f = BN_bn2hex(serial)) == NULL)
+                    goto err;
+                BIO_printf(bio_err, "next serial number is %s\n", f);
+                OPENSSL_free(f);
+            }
+        }
+
+        if ((attribs = NCONF_get_section(conf, policy)) == NULL) {
+            BIO_printf(bio_err, "unable to find 'section' for %s\n", policy);
+            goto err;
+        }
+
+        if ((cert_sk = sk_X509_new_null()) == NULL) {
+            BIO_printf(bio_err, "Memory allocation failure\n");
+            goto err;
+        }
+        if (spkac_file != NULL) {
+            total++;
+            j = certify_spkac(&x, spkac_file, pkey, x509, dgst, sigopts,
+                              attribs, db, serial, subj, chtype, multirdn,
+                              email_dn, startdate, enddate, days, extensions,
+                              conf, verbose, certopt, nameopt, default_op,
+                              ext_copy);
+            if (j < 0)
+                goto err;
+            if (j > 0) {
+                total_done++;
+                BIO_printf(bio_err, "\n");
+                if (!BN_add_word(serial, 1))
+                    goto err;
+                if (!sk_X509_push(cert_sk, x)) {
+                    BIO_printf(bio_err, "Memory allocation failure\n");
+                    goto err;
+                }
+                if (outfile) {
+                    output_der = 1;
+                    batch = 1;
+                }
+            }
+        }
+        if (ss_cert_file != NULL) {
+            total++;
+            j = certify_cert(&x, ss_cert_file, pkey, x509, dgst, sigopts,
+                             attribs,
+                             db, serial, subj, chtype, multirdn, email_dn,
+                             startdate, enddate, days, batch, extensions,
+                             conf, verbose, certopt, nameopt, default_op,
+                             ext_copy, e);
+            if (j < 0)
+                goto err;
+            if (j > 0) {
+                total_done++;
+                BIO_printf(bio_err, "\n");
+                if (!BN_add_word(serial, 1))
+                    goto err;
+                if (!sk_X509_push(cert_sk, x)) {
+                    BIO_printf(bio_err, "Memory allocation failure\n");
+                    goto err;
+                }
+            }
+        }
+        if (infile != NULL) {
+            total++;
+            j = certify(&x, infile, pkey, x509p, dgst, sigopts, attribs, db,
+                        serial, subj, chtype, multirdn, email_dn, startdate,
+                        enddate, days, batch, extensions, conf, verbose,
+                        certopt, nameopt, default_op, ext_copy, selfsign);
+            if (j < 0)
+                goto err;
+            if (j > 0) {
+                total_done++;
+                BIO_printf(bio_err, "\n");
+                if (!BN_add_word(serial, 1))
+                    goto err;
+                if (!sk_X509_push(cert_sk, x)) {
+                    BIO_printf(bio_err, "Memory allocation failure\n");
+                    goto err;
+                }
+            }
+        }
+        for (i = 0; i < argc; i++) {
+            total++;
+            j = certify(&x, argv[i], pkey, x509p, dgst, sigopts, attribs, db,
+                        serial, subj, chtype, multirdn, email_dn, startdate,
+                        enddate, days, batch, extensions, conf, verbose,
+                        certopt, nameopt, default_op, ext_copy, selfsign);
+            if (j < 0)
+                goto err;
+            if (j > 0) {
+                total_done++;
+                BIO_printf(bio_err, "\n");
+                if (!BN_add_word(serial, 1))
+                    goto err;
+                if (!sk_X509_push(cert_sk, x)) {
+                    BIO_printf(bio_err, "Memory allocation failure\n");
+                    goto err;
+                }
+            }
+        }
+        /*
+         * we have a stack of newly certified certificates and a data base
+         * and serial number that need updating
+         */
+
+        if (sk_X509_num(cert_sk) > 0) {
+            if (!batch) {
+                BIO_printf(bio_err,
+                           "\n%d out of %d certificate requests certified, commit? [y/n]",
+                           total_done, total);
+                (void)BIO_flush(bio_err);
+                buf[0][0] = '\0';
+                if (!fgets(buf[0], 10, stdin)) {
+                    BIO_printf(bio_err,
+                               "CERTIFICATION CANCELED: I/O error\n");
+                    ret = 0;
+                    goto err;
+                }
+                if ((buf[0][0] != 'y') && (buf[0][0] != 'Y')) {
+                    BIO_printf(bio_err, "CERTIFICATION CANCELED\n");
+                    ret = 0;
+                    goto err;
+                }
+            }
+
+            BIO_printf(bio_err, "Write out database with %d new entries\n",
+                       sk_X509_num(cert_sk));
+
+            if (!save_serial(serialfile, "new", serial, NULL))
+                goto err;
+
+            if (!save_index(dbfile, "new", db))
+                goto err;
+        }
+
+        if (verbose)
+            BIO_printf(bio_err, "writing new certificates\n");
+        for (i = 0; i < sk_X509_num(cert_sk); i++) {
+            int k;
+            char *n;
+
+            x = sk_X509_value(cert_sk, i);
+
+            j = x->cert_info->serialNumber->length;
+            p = (const char *)x->cert_info->serialNumber->data;
+
+            if (strlen(outdir) >= (size_t)(j ? BSIZE - j * 2 - 6 : BSIZE - 8)) {
+                BIO_printf(bio_err, "certificate file name too long\n");
+                goto err;
+            }
+
+            strcpy(buf[2], outdir);
+
+#ifndef OPENSSL_SYS_VMS
+            BUF_strlcat(buf[2], "/", sizeof(buf[2]));
+#endif
+
+            n = (char *)&(buf[2][strlen(buf[2])]);
+            if (j > 0) {
+                for (k = 0; k < j; k++) {
+                    if (n >= &(buf[2][sizeof(buf[2])]))
+                        break;
+                    BIO_snprintf(n,
+                                 &buf[2][0] + sizeof(buf[2]) - n,
+                                 "%02X", (unsigned char)*(p++));
+                    n += 2;
+                }
+            } else {
+                *(n++) = '0';
+                *(n++) = '0';
+            }
+            *(n++) = '.';
+            *(n++) = 'p';
+            *(n++) = 'e';
+            *(n++) = 'm';
+            *n = '\0';
+            if (verbose)
+                BIO_printf(bio_err, "writing %s\n", buf[2]);
+
+            if (BIO_write_filename(Cout, buf[2]) <= 0) {
+                perror(buf[2]);
+                goto err;
+            }
+            write_new_certificate(Cout, x, 0, notext);
+            write_new_certificate(Sout, x, output_der, notext);
+        }
+
+        if (sk_X509_num(cert_sk)) {
+            /* Rename the database and the serial file */
+            if (!rotate_serial(serialfile, "new", "old"))
+                goto err;
+
+            if (!rotate_index(dbfile, "new", "old"))
+                goto err;
+
+            BIO_printf(bio_err, "Data Base Updated\n");
+        }
+    }
+
+        /*****************************************************************/
+    if (gencrl) {
+        int crl_v2 = 0;
+        if (!crl_ext) {
+            crl_ext = NCONF_get_string(conf, section, ENV_CRLEXT);
+            if (!crl_ext)
+                ERR_clear_error();
+        }
+        if (crl_ext) {
+            /* Check syntax of file */
+            X509V3_CTX ctx;
+            X509V3_set_ctx_test(&ctx);
+            X509V3_set_nconf(&ctx, conf);
+            if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) {
+                BIO_printf(bio_err,
+                           "Error Loading CRL extension section %s\n",
+                           crl_ext);
+                ret = 1;
+                goto err;
+            }
+        }
+
+        if ((crlnumberfile = NCONF_get_string(conf, section, ENV_CRLNUMBER))
+            != NULL)
+            if ((crlnumber = load_serial(crlnumberfile, 0, NULL)) == NULL) {
+                BIO_printf(bio_err, "error while loading CRL number\n");
+                goto err;
+            }
+
+        if (!crldays && !crlhours && !crlsec) {
+            if (!NCONF_get_number(conf, section,
+                                  ENV_DEFAULT_CRL_DAYS, &crldays))
+                crldays = 0;
+            if (!NCONF_get_number(conf, section,
+                                  ENV_DEFAULT_CRL_HOURS, &crlhours))
+                crlhours = 0;
+            ERR_clear_error();
+        }
+        if ((crldays == 0) && (crlhours == 0) && (crlsec == 0)) {
+            BIO_printf(bio_err,
+                       "cannot lookup how long until the next CRL is issued\n");
+            goto err;
+        }
+
+        if (verbose)
+            BIO_printf(bio_err, "making CRL\n");
+        if ((crl = X509_CRL_new()) == NULL)
+            goto err;
+        if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509)))
+            goto err;
+
+        tmptm = ASN1_TIME_new();
+        if (!tmptm)
+            goto err;
+        X509_gmtime_adj(tmptm, 0);
+        X509_CRL_set_lastUpdate(crl, tmptm);
+        if (!X509_time_adj_ex(tmptm, crldays, crlhours * 60 * 60 + crlsec,
+                              NULL)) {
+            BIO_puts(bio_err, "error setting CRL nextUpdate\n");
+            goto err;
+        }
+        X509_CRL_set_nextUpdate(crl, tmptm);
+
+        ASN1_TIME_free(tmptm);
+
+        for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
+            pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
+            if (pp[DB_type][0] == DB_TYPE_REV) {
+                if ((r = X509_REVOKED_new()) == NULL)
+                    goto err;
+                j = make_revoked(r, pp[DB_rev_date]);
+                if (!j)
+                    goto err;
+                if (j == 2)
+                    crl_v2 = 1;
+                if (!BN_hex2bn(&serial, pp[DB_serial]))
+                    goto err;
+                tmpser = BN_to_ASN1_INTEGER(serial, NULL);
+                BN_free(serial);
+                serial = NULL;
+                if (!tmpser)
+                    goto err;
+                X509_REVOKED_set_serialNumber(r, tmpser);
+                ASN1_INTEGER_free(tmpser);
+                X509_CRL_add0_revoked(crl, r);
+            }
+        }
+
+        /*
+         * sort the data so it will be written in serial number order
+         */
+        X509_CRL_sort(crl);
+
+        /* we now have a CRL */
+        if (verbose)
+            BIO_printf(bio_err, "signing CRL\n");
+
+        /* Add any extensions asked for */
+
+        if (crl_ext || crlnumberfile != NULL) {
+            X509V3_CTX crlctx;
+            X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
+            X509V3_set_nconf(&crlctx, conf);
+
+            if (crl_ext)
+                if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, crl_ext, crl))
+                    goto err;
+            if (crlnumberfile != NULL) {
+                tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL);
+                if (!tmpser)
+                    goto err;
+                X509_CRL_add1_ext_i2d(crl, NID_crl_number, tmpser, 0, 0);
+                ASN1_INTEGER_free(tmpser);
+                crl_v2 = 1;
+                if (!BN_add_word(crlnumber, 1))
+                    goto err;
+            }
+        }
+        if (crl_ext || crl_v2) {
+            if (!X509_CRL_set_version(crl, 1))
+                goto err;       /* version 2 CRL */
+        }
+
+        /* we have a CRL number that need updating */
+        if (crlnumberfile != NULL)
+            if (!save_serial(crlnumberfile, "new", crlnumber, NULL))
+                goto err;
+
+        if (crlnumber) {
+            BN_free(crlnumber);
+            crlnumber = NULL;
+        }
+
+        if (!do_X509_CRL_sign(bio_err, crl, pkey, dgst, sigopts))
+            goto err;
+
+        PEM_write_bio_X509_CRL(Sout, crl);
+
+        if (crlnumberfile != NULL) /* Rename the crlnumber file */
+            if (!rotate_serial(crlnumberfile, "new", "old"))
+                goto err;
+
+    }
+        /*****************************************************************/
+    if (dorevoke) {
+        if (infile == NULL) {
+            BIO_printf(bio_err, "no input files\n");
+            goto err;
+        } else {
+            X509 *revcert;
+            revcert = load_cert(bio_err, infile, FORMAT_PEM, NULL, e, infile);
+            if (revcert == NULL)
+                goto err;
+            if (dorevoke == 2)
+                rev_type = -1;
+            j = do_revoke(revcert, db, rev_type, rev_arg);
+            if (j <= 0)
+                goto err;
+            X509_free(revcert);
+
+            if (!save_index(dbfile, "new", db))
+                goto err;
+
+            if (!rotate_index(dbfile, "new", "old"))
+                goto err;
+
+            BIO_printf(bio_err, "Data Base Updated\n");
+        }
+    }
+        /*****************************************************************/
+    ret = 0;
+ err:
+    if (tofree)
+        OPENSSL_free(tofree);
+    BIO_free_all(Cout);
+    BIO_free_all(Sout);
+    BIO_free_all(out);
+    BIO_free_all(in);
+
+    if (cert_sk)
+        sk_X509_pop_free(cert_sk, X509_free);
+
+    if (ret)
+        ERR_print_errors(bio_err);
+    app_RAND_write_file(randfile, bio_err);
+    if (free_key && key)
+        OPENSSL_free(key);
+    BN_free(serial);
+    BN_free(crlnumber);
+    free_index(db);
+    if (sigopts)
+        sk_OPENSSL_STRING_free(sigopts);
+    EVP_PKEY_free(pkey);
+    if (x509)
+        X509_free(x509);
+    X509_CRL_free(crl);
+    NCONF_free(conf);
+    NCONF_free(extconf);
+    release_engine(e);
+    OBJ_cleanup();
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+
+static void lookup_fail(const char *name, const char *tag)
+{
+    BIO_printf(bio_err, "variable lookup failed for %s::%s\n", name, tag);
+}
+
+static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
+                   const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
+                   STACK_OF(CONF_VALUE) *policy, CA_DB *db,
+                   BIGNUM *serial, char *subj, unsigned long chtype,
+                   int multirdn, int email_dn, char *startdate, char *enddate,
+                   long days, int batch, char *ext_sect, CONF *lconf,
+                   int verbose, unsigned long certopt, unsigned long nameopt,
+                   int default_op, int ext_copy, int selfsign)
+{
+    X509_REQ *req = NULL;
+    BIO *in = NULL;
+    EVP_PKEY *pktmp = NULL;
+    int ok = -1, i;
+
+    in = BIO_new(BIO_s_file());
+
+    if (BIO_read_filename(in, infile) <= 0) {
+        perror(infile);
+        goto err;
+    }
+    if ((req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL)) == NULL) {
+        BIO_printf(bio_err, "Error reading certificate request in %s\n",
+                   infile);
+        goto err;
+    }
+    if (verbose)
+        X509_REQ_print(bio_err, req);
+
+    BIO_printf(bio_err, "Check that the request matches the signature\n");
+
+    if (selfsign && !X509_REQ_check_private_key(req, pkey)) {
+        BIO_printf(bio_err,
+                   "Certificate request and CA private key do not match\n");
+        ok = 0;
+        goto err;
+    }
+    if ((pktmp = X509_REQ_get_pubkey(req)) == NULL) {
+        BIO_printf(bio_err, "error unpacking public key\n");
+        goto err;
+    }
+    i = X509_REQ_verify(req, pktmp);
+    EVP_PKEY_free(pktmp);
+    if (i < 0) {
+        ok = 0;
+        BIO_printf(bio_err, "Signature verification problems....\n");
+        ERR_print_errors(bio_err);
+        goto err;
+    }
+    if (i == 0) {
+        ok = 0;
+        BIO_printf(bio_err,
+                   "Signature did not match the certificate request\n");
+        ERR_print_errors(bio_err);
+        goto err;
+    } else
+        BIO_printf(bio_err, "Signature ok\n");
+
+    ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
+                 chtype, multirdn, email_dn, startdate, enddate, days, batch,
+                 verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
+                 ext_copy, selfsign);
+
+ err:
+    if (req != NULL)
+        X509_REQ_free(req);
+    if (in != NULL)
+        BIO_free(in);
+    return (ok);
+}
+
+static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
+                        const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
+                        STACK_OF(CONF_VALUE) *policy, CA_DB *db,
+                        BIGNUM *serial, char *subj, unsigned long chtype,
+                        int multirdn, int email_dn, char *startdate,
+                        char *enddate, long days, int batch, char *ext_sect,
+                        CONF *lconf, int verbose, unsigned long certopt,
+                        unsigned long nameopt, int default_op, int ext_copy,
+                        ENGINE *e)
+{
+    X509 *req = NULL;
+    X509_REQ *rreq = NULL;
+    EVP_PKEY *pktmp = NULL;
+    int ok = -1, i;
+
+    if ((req =
+         load_cert(bio_err, infile, FORMAT_PEM, NULL, e, infile)) == NULL)
+        goto err;
+    if (verbose)
+        X509_print(bio_err, req);
+
+    BIO_printf(bio_err, "Check that the request matches the signature\n");
+
+    if ((pktmp = X509_get_pubkey(req)) == NULL) {
+        BIO_printf(bio_err, "error unpacking public key\n");
+        goto err;
+    }
+    i = X509_verify(req, pktmp);
+    EVP_PKEY_free(pktmp);
+    if (i < 0) {
+        ok = 0;
+        BIO_printf(bio_err, "Signature verification problems....\n");
+        goto err;
+    }
+    if (i == 0) {
+        ok = 0;
+        BIO_printf(bio_err, "Signature did not match the certificate\n");
+        goto err;
+    } else
+        BIO_printf(bio_err, "Signature ok\n");
+
+    if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL)
+        goto err;
+
+    ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
+                 chtype, multirdn, email_dn, startdate, enddate, days, batch,
+                 verbose, rreq, ext_sect, lconf, certopt, nameopt, default_op,
+                 ext_copy, 0);
+
+ err:
+    if (rreq != NULL)
+        X509_REQ_free(rreq);
+    if (req != NULL)
+        X509_free(req);
+    return (ok);
+}
+
+static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
+                   const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
+                   STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,
+                   char *subj, unsigned long chtype, int multirdn,
+                   int email_dn, char *startdate, char *enddate, long days,
+                   int batch, int verbose, X509_REQ *req, char *ext_sect,
+                   CONF *lconf, unsigned long certopt, unsigned long nameopt,
+                   int default_op, int ext_copy, int selfsign)
+{
+    X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject =
+        NULL;
+    ASN1_UTCTIME *tm, *tmptm;
+    ASN1_STRING *str, *str2;
+    ASN1_OBJECT *obj;
+    X509 *ret = NULL;
+    X509_CINF *ci;
+    X509_NAME_ENTRY *ne;
+    X509_NAME_ENTRY *tne, *push;
+    EVP_PKEY *pktmp;
+    int ok = -1, i, j, last, nid;
+    const char *p;
+    CONF_VALUE *cv;
+    OPENSSL_STRING row[DB_NUMBER];
+    OPENSSL_STRING *irow = NULL;
+    OPENSSL_STRING *rrow = NULL;
+    char buf[25];
+
+    tmptm = ASN1_UTCTIME_new();
+    if (tmptm == NULL) {
+        BIO_printf(bio_err, "malloc error\n");
+        return (0);
+    }
+
+    for (i = 0; i < DB_NUMBER; i++)
+        row[i] = NULL;
+
+    if (subj) {
+        X509_NAME *n = parse_name(subj, chtype, multirdn);
+
+        if (!n) {
+            ERR_print_errors(bio_err);
+            goto err;
+        }
+        X509_REQ_set_subject_name(req, n);
+        req->req_info->enc.modified = 1;
+        X509_NAME_free(n);
+    }
+
+    if (default_op)
+        BIO_printf(bio_err,
+                   "The Subject's Distinguished Name is as follows\n");
+
+    name = X509_REQ_get_subject_name(req);
+    for (i = 0; i < X509_NAME_entry_count(name); i++) {
+        ne = X509_NAME_get_entry(name, i);
+        str = X509_NAME_ENTRY_get_data(ne);
+        obj = X509_NAME_ENTRY_get_object(ne);
+
+        if (msie_hack) {
+            /* assume all type should be strings */
+            nid = OBJ_obj2nid(ne->object);
+
+            if (str->type == V_ASN1_UNIVERSALSTRING)
+                ASN1_UNIVERSALSTRING_to_string(str);
+
+            if ((str->type == V_ASN1_IA5STRING) &&
+                (nid != NID_pkcs9_emailAddress))
+                str->type = V_ASN1_T61STRING;
+
+            if ((nid == NID_pkcs9_emailAddress) &&
+                (str->type == V_ASN1_PRINTABLESTRING))
+                str->type = V_ASN1_IA5STRING;
+        }
+
+        /* If no EMAIL is wanted in the subject */
+        if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (!email_dn))
+            continue;
+
+        /* check some things */
+        if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
+            (str->type != V_ASN1_IA5STRING)) {
+            BIO_printf(bio_err,
+                       "\nemailAddress type needs to be of type IA5STRING\n");
+            goto err;
+        }
+        if ((str->type != V_ASN1_BMPSTRING)
+            && (str->type != V_ASN1_UTF8STRING)) {
+            j = ASN1_PRINTABLE_type(str->data, str->length);
+            if (((j == V_ASN1_T61STRING) &&
+                 (str->type != V_ASN1_T61STRING)) ||
+                ((j == V_ASN1_IA5STRING) &&
+                 (str->type == V_ASN1_PRINTABLESTRING))) {
+                BIO_printf(bio_err,
+                           "\nThe string contains characters that are illegal for the ASN.1 type\n");
+                goto err;
+            }
+        }
+
+        if (default_op)
+            old_entry_print(bio_err, obj, str);
+    }
+
+    /* Ok, now we check the 'policy' stuff. */
+    if ((subject = X509_NAME_new()) == NULL) {
+        BIO_printf(bio_err, "Memory allocation failure\n");
+        goto err;
+    }
+
+    /* take a copy of the issuer name before we mess with it. */
+    if (selfsign)
+        CAname = X509_NAME_dup(name);
+    else
+        CAname = X509_NAME_dup(x509->cert_info->subject);
+    if (CAname == NULL)
+        goto err;
+    str = str2 = NULL;
+
+    for (i = 0; i < sk_CONF_VALUE_num(policy); i++) {
+        cv = sk_CONF_VALUE_value(policy, i); /* get the object id */
+        if ((j = OBJ_txt2nid(cv->name)) == NID_undef) {
+            BIO_printf(bio_err,
+                       "%s:unknown object type in 'policy' configuration\n",
+                       cv->name);
+            goto err;
+        }
+        obj = OBJ_nid2obj(j);
+
+        last = -1;
+        for (;;) {
+            /* lookup the object in the supplied name list */
+            j = X509_NAME_get_index_by_OBJ(name, obj, last);
+            if (j < 0) {
+                if (last != -1)
+                    break;
+                tne = NULL;
+            } else {
+                tne = X509_NAME_get_entry(name, j);
+            }
+            last = j;
+
+            /* depending on the 'policy', decide what to do. */
+            push = NULL;
+            if (strcmp(cv->value, "optional") == 0) {
+                if (tne != NULL)
+                    push = tne;
+            } else if (strcmp(cv->value, "supplied") == 0) {
+                if (tne == NULL) {
+                    BIO_printf(bio_err,
+                               "The %s field needed to be supplied and was missing\n",
+                               cv->name);
+                    goto err;
+                } else
+                    push = tne;
+            } else if (strcmp(cv->value, "match") == 0) {
+                int last2;
+
+                if (tne == NULL) {
+                    BIO_printf(bio_err,
+                               "The mandatory %s field was missing\n",
+                               cv->name);
+                    goto err;
+                }
+
+                last2 = -1;
+
+ again2:
+                j = X509_NAME_get_index_by_OBJ(CAname, obj, last2);
+                if ((j < 0) && (last2 == -1)) {
+                    BIO_printf(bio_err,
+                               "The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n",
+                               cv->name);
+                    goto err;
+                }
+                if (j >= 0) {
+                    push = X509_NAME_get_entry(CAname, j);
+                    str = X509_NAME_ENTRY_get_data(tne);
+                    str2 = X509_NAME_ENTRY_get_data(push);
+                    last2 = j;
+                    if (ASN1_STRING_cmp(str, str2) != 0)
+                        goto again2;
+                }
+                if (j < 0) {
+                    BIO_printf(bio_err,
+                               "The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",
+                               cv->name,
+                               ((str2 == NULL) ? "NULL" : (char *)str2->data),
+                               ((str == NULL) ? "NULL" : (char *)str->data));
+                    goto err;
+                }
+            } else {
+                BIO_printf(bio_err,
+                           "%s:invalid type in 'policy' configuration\n",
+                           cv->value);
+                goto err;
+            }
+
+            if (push != NULL) {
+                if (!X509_NAME_add_entry(subject, push, -1, 0)) {
+                    if (push != NULL)
+                        X509_NAME_ENTRY_free(push);
+                    BIO_printf(bio_err, "Memory allocation failure\n");
+                    goto err;
+                }
+            }
+            if (j < 0)
+                break;
+        }
+    }
+
+    if (preserve) {
+        X509_NAME_free(subject);
+        /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
+        subject = X509_NAME_dup(name);
+        if (subject == NULL)
+            goto err;
+    }
+
+    if (verbose)
+        BIO_printf(bio_err,
+                   "The subject name appears to be ok, checking data base for clashes\n");
+
+    /* Build the correct Subject if no e-mail is wanted in the subject */
+    /*
+     * and add it later on because of the method extensions are added
+     * (altName)
+     */
+
+    if (email_dn)
+        dn_subject = subject;
+    else {
+        X509_NAME_ENTRY *tmpne;
+        /*
+         * Its best to dup the subject DN and then delete any email addresses
+         * because this retains its structure.
+         */
+        if (!(dn_subject = X509_NAME_dup(subject))) {
+            BIO_printf(bio_err, "Memory allocation failure\n");
+            goto err;
+        }
+        while ((i = X509_NAME_get_index_by_NID(dn_subject,
+                                               NID_pkcs9_emailAddress,
+                                               -1)) >= 0) {
+            tmpne = X509_NAME_get_entry(dn_subject, i);
+            X509_NAME_delete_entry(dn_subject, i);
+            X509_NAME_ENTRY_free(tmpne);
+        }
+    }
+
+    if (BN_is_zero(serial))
+        row[DB_serial] = BUF_strdup("00");
+    else
+        row[DB_serial] = BN_bn2hex(serial);
+    if (row[DB_serial] == NULL) {
+        BIO_printf(bio_err, "Memory allocation failure\n");
+        goto err;
+    }
+
+    if (db->attributes.unique_subject) {
+        OPENSSL_STRING *crow = row;
+
+        rrow = TXT_DB_get_by_index(db->db, DB_name, crow);
+        if (rrow != NULL) {
+            BIO_printf(bio_err,
+                       "ERROR:There is already a certificate for %s\n",
+                       row[DB_name]);
+        }
+    }
+    if (rrow == NULL) {
+        rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
+        if (rrow != NULL) {
+            BIO_printf(bio_err,
+                       "ERROR:Serial number %s has already been issued,\n",
+                       row[DB_serial]);
+            BIO_printf(bio_err,
+                       "      check the database/serial_file for corruption\n");
+        }
+    }
+
+    if (rrow != NULL) {
+        BIO_printf(bio_err, "The matching entry has the following details\n");
+        if (rrow[DB_type][0] == 'E')
+            p = "Expired";
+        else if (rrow[DB_type][0] == 'R')
+            p = "Revoked";
+        else if (rrow[DB_type][0] == 'V')
+            p = "Valid";
+        else
+            p = "\ninvalid type, Data base error\n";
+        BIO_printf(bio_err, "Type          :%s\n", p);;
+        if (rrow[DB_type][0] == 'R') {
+            p = rrow[DB_exp_date];
+            if (p == NULL)
+                p = "undef";
+            BIO_printf(bio_err, "Was revoked on:%s\n", p);
+        }
+        p = rrow[DB_exp_date];
+        if (p == NULL)
+            p = "undef";
+        BIO_printf(bio_err, "Expires on    :%s\n", p);
+        p = rrow[DB_serial];
+        if (p == NULL)
+            p = "undef";
+        BIO_printf(bio_err, "Serial Number :%s\n", p);
+        p = rrow[DB_file];
+        if (p == NULL)
+            p = "undef";
+        BIO_printf(bio_err, "File name     :%s\n", p);
+        p = rrow[DB_name];
+        if (p == NULL)
+            p = "undef";
+        BIO_printf(bio_err, "Subject Name  :%s\n", p);
+        ok = -1;                /* This is now a 'bad' error. */
+        goto err;
+    }
+
+    /* We are now totally happy, lets make and sign the certificate */
+    if (verbose)
+        BIO_printf(bio_err,
+                   "Everything appears to be ok, creating and signing the certificate\n");
+
+    if ((ret = X509_new()) == NULL)
+        goto err;
+    ci = ret->cert_info;
+
+#ifdef X509_V3
+    /* Make it an X509 v3 certificate. */
+    if (!X509_set_version(ret, 2))
+        goto err;
+#endif
+
+    if (BN_to_ASN1_INTEGER(serial, ci->serialNumber) == NULL)
+        goto err;
+    if (selfsign) {
+        if (!X509_set_issuer_name(ret, subject))
+            goto err;
+    } else {
+        if (!X509_set_issuer_name(ret, X509_get_subject_name(x509)))
+            goto err;
+    }
+
+    if (strcmp(startdate, "today") == 0)
+        X509_gmtime_adj(X509_get_notBefore(ret), 0);
+    else
+        ASN1_TIME_set_string(X509_get_notBefore(ret), startdate);
+
+    if (enddate == NULL)
+        X509_time_adj_ex(X509_get_notAfter(ret), days, 0, NULL);
+    else {
+        int tdays;
+        ASN1_TIME_set_string(X509_get_notAfter(ret), enddate);
+        ASN1_TIME_diff(&tdays, NULL, NULL, X509_get_notAfter(ret));
+        days = tdays;
+    }
+
+    if (!X509_set_subject_name(ret, subject))
+        goto err;
+
+    pktmp = X509_REQ_get_pubkey(req);
+    i = X509_set_pubkey(ret, pktmp);
+    EVP_PKEY_free(pktmp);
+    if (!i)
+        goto err;
+
+    /* Lets add the extensions, if there are any */
+    if (ext_sect) {
+        X509V3_CTX ctx;
+        if (ci->version == NULL)
+            if ((ci->version = ASN1_INTEGER_new()) == NULL)
+                goto err;
+        ASN1_INTEGER_set(ci->version, 2); /* version 3 certificate */
+
+        /*
+         * Free the current entries if any, there should not be any I believe
+         */
+        if (ci->extensions != NULL)
+            sk_X509_EXTENSION_pop_free(ci->extensions, X509_EXTENSION_free);
+
+        ci->extensions = NULL;
+
+        /* Initialize the context structure */
+        if (selfsign)
+            X509V3_set_ctx(&ctx, ret, ret, req, NULL, 0);
+        else
+            X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
+
+        if (extconf) {
+            if (verbose)
+                BIO_printf(bio_err, "Extra configuration file found\n");
+
+            /* Use the extconf configuration db LHASH */
+            X509V3_set_nconf(&ctx, extconf);
+
+            /* Test the structure (needed?) */
+            /* X509V3_set_ctx_test(&ctx); */
+
+            /* Adds exts contained in the configuration file */
+            if (!X509V3_EXT_add_nconf(extconf, &ctx, ext_sect, ret)) {
+                BIO_printf(bio_err,
+                           "ERROR: adding extensions in section %s\n",
+                           ext_sect);
+                ERR_print_errors(bio_err);
+                goto err;
+            }
+            if (verbose)
+                BIO_printf(bio_err,
+                           "Successfully added extensions from file.\n");
+        } else if (ext_sect) {
+            /* We found extensions to be set from config file */
+            X509V3_set_nconf(&ctx, lconf);
+
+            if (!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret)) {
+                BIO_printf(bio_err,
+                           "ERROR: adding extensions in section %s\n",
+                           ext_sect);
+                ERR_print_errors(bio_err);
+                goto err;
+            }
+
+            if (verbose)
+                BIO_printf(bio_err,
+                           "Successfully added extensions from config\n");
+        }
+    }
+
+    /* Copy extensions from request (if any) */
+
+    if (!copy_extensions(ret, req, ext_copy)) {
+        BIO_printf(bio_err, "ERROR: adding extensions from request\n");
+        ERR_print_errors(bio_err);
+        goto err;
+    }
+
+    /* Set the right value for the noemailDN option */
+    if (email_dn == 0) {
+        if (!X509_set_subject_name(ret, dn_subject))
+            goto err;
+    }
+
+    if (!default_op) {
+        BIO_printf(bio_err, "Certificate Details:\n");
+        /*
+         * Never print signature details because signature not present
+         */
+        certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME;
+        X509_print_ex(bio_err, ret, nameopt, certopt);
+    }
+
+    BIO_printf(bio_err, "Certificate is to be certified until ");
+    ASN1_TIME_print(bio_err, X509_get_notAfter(ret));
+    if (days)
+        BIO_printf(bio_err, " (%ld days)", days);
+    BIO_printf(bio_err, "\n");
+
+    if (!batch) {
+
+        BIO_printf(bio_err, "Sign the certificate? [y/n]:");
+        (void)BIO_flush(bio_err);
+        buf[0] = '\0';
+        if (!fgets(buf, sizeof(buf) - 1, stdin)) {
+            BIO_printf(bio_err,
+                       "CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n");
+            ok = 0;
+            goto err;
+        }
+        if (!((buf[0] == 'y') || (buf[0] == 'Y'))) {
+            BIO_printf(bio_err, "CERTIFICATE WILL NOT BE CERTIFIED\n");
+            ok = 0;
+            goto err;
+        }
+    }
+
+    pktmp = X509_get_pubkey(ret);
+    if (EVP_PKEY_missing_parameters(pktmp) &&
+        !EVP_PKEY_missing_parameters(pkey))
+        EVP_PKEY_copy_parameters(pktmp, pkey);
+    EVP_PKEY_free(pktmp);
+
+    if (!do_X509_sign(bio_err, ret, pkey, dgst, sigopts))
+        goto err;
+
+    /* We now just add it to the database */
+    tm = X509_get_notAfter(ret);
+    row[DB_type] = OPENSSL_malloc(2);
+    row[DB_exp_date] = OPENSSL_malloc(tm->length + 1);
+    row[DB_rev_date] = OPENSSL_malloc(1);
+    row[DB_file] = OPENSSL_malloc(8);
+    row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
+    if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
+        (row[DB_rev_date] == NULL) ||
+        (row[DB_file] == NULL) || (row[DB_name] == NULL)) {
+        BIO_printf(bio_err, "Memory allocation failure\n");
+        goto err;
+    }
+
+    memcpy(row[DB_exp_date], tm->data, tm->length);
+    row[DB_exp_date][tm->length] = '\0';
+    row[DB_rev_date][0] = '\0';
+    strcpy(row[DB_file], "unknown");
+    row[DB_type][0] = 'V';
+    row[DB_type][1] = '\0';
+
+    if ((irow =
+         (char **)OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) {
+        BIO_printf(bio_err, "Memory allocation failure\n");
+        goto err;
+    }
+
+    for (i = 0; i < DB_NUMBER; i++) {
+        irow[i] = row[i];
+        row[i] = NULL;
+    }
+    irow[DB_NUMBER] = NULL;
+
+    if (!TXT_DB_insert(db->db, irow)) {
+        BIO_printf(bio_err, "failed to update database\n");
+        BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error);
+        goto err;
+    }
+    ok = 1;
+ err:
+    for (i = 0; i < DB_NUMBER; i++)
+        if (row[i] != NULL)
+            OPENSSL_free(row[i]);
+
+    if (CAname != NULL)
+        X509_NAME_free(CAname);
+    if (subject != NULL)
+        X509_NAME_free(subject);
+    if ((dn_subject != NULL) && !email_dn)
+        X509_NAME_free(dn_subject);
+    if (tmptm != NULL)
+        ASN1_UTCTIME_free(tmptm);
+    if (ok <= 0) {
+        if (ret != NULL)
+            X509_free(ret);
+        ret = NULL;
+    } else
+        *xret = ret;
+    return (ok);
+}
+
+static void write_new_certificate(BIO *bp, X509 *x, int output_der,
+                                  int notext)
+{
+
+    if (output_der) {
+        (void)i2d_X509_bio(bp, x);
+        return;
+    }
+#if 0
+    /* ??? Not needed since X509_print prints all this stuff anyway */
+    f = X509_NAME_oneline(X509_get_issuer_name(x), buf, 256);
+    BIO_printf(bp, "issuer :%s\n", f);
+
+    f = X509_NAME_oneline(X509_get_subject_name(x), buf, 256);
+    BIO_printf(bp, "subject:%s\n", f);
+
+    BIO_puts(bp, "serial :");
+    i2a_ASN1_INTEGER(bp, x->cert_info->serialNumber);
+    BIO_puts(bp, "\n\n");
+#endif
+    if (!notext)
+        X509_print(bp, x);
+    PEM_write_bio_X509(bp, x);
+}
+
+static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey,
+                         X509 *x509, const EVP_MD *dgst,
+                         STACK_OF(OPENSSL_STRING) *sigopts,
+                         STACK_OF(CONF_VALUE) *policy, CA_DB *db,
+                         BIGNUM *serial, char *subj, unsigned long chtype,
+                         int multirdn, int email_dn, char *startdate,
+                         char *enddate, long days, char *ext_sect,
+                         CONF *lconf, int verbose, unsigned long certopt,
+                         unsigned long nameopt, int default_op, int ext_copy)
+{
+    STACK_OF(CONF_VALUE) *sk = NULL;
+    LHASH_OF(CONF_VALUE) *parms = NULL;
+    X509_REQ *req = NULL;
+    CONF_VALUE *cv = NULL;
+    NETSCAPE_SPKI *spki = NULL;
+    X509_REQ_INFO *ri;
+    char *type, *buf;
+    EVP_PKEY *pktmp = NULL;
+    X509_NAME *n = NULL;
+    X509_NAME_ENTRY *ne = NULL;
+    int ok = -1, i, j;
+    long errline;
+    int nid;
+
+    /*
+     * Load input file into a hash table.  (This is just an easy
+     * way to read and parse the file, then put it into a convenient
+     * STACK format).
+     */
+    parms = CONF_load(NULL, infile, &errline);
+    if (parms == NULL) {
+        BIO_printf(bio_err, "error on line %ld of %s\n", errline, infile);
+        ERR_print_errors(bio_err);
+        goto err;
+    }
+
+    sk = CONF_get_section(parms, "default");
+    if (sk_CONF_VALUE_num(sk) == 0) {
+        BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
+        goto err;
+    }
+
+    /*
+     * Now create a dummy X509 request structure.  We don't actually
+     * have an X509 request, but we have many of the components
+     * (a public key, various DN components).  The idea is that we
+     * put these components into the right X509 request structure
+     * and we can use the same code as if you had a real X509 request.
+     */
+    req = X509_REQ_new();
+    if (req == NULL) {
+        ERR_print_errors(bio_err);
+        goto err;
+    }
+
+    /*
+     * Build up the subject name set.
+     */
+    ri = req->req_info;
+    n = ri->subject;
+
+    for (i = 0;; i++) {
+        if (sk_CONF_VALUE_num(sk) <= i)
+            break;
+
+        cv = sk_CONF_VALUE_value(sk, i);
+        type = cv->name;
+        /*
+         * Skip past any leading X. X: X, etc to allow for multiple instances
+         */
+        for (buf = cv->name; *buf; buf++)
+            if ((*buf == ':') || (*buf == ',') || (*buf == '.')) {
+                buf++;
+                if (*buf)
+                    type = buf;
+                break;
+            }
+
+        buf = cv->value;
+        if ((nid = OBJ_txt2nid(type)) == NID_undef) {
+            if (strcmp(type, "SPKAC") == 0) {
+                spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
+                if (spki == NULL) {
+                    BIO_printf(bio_err,
+                               "unable to load Netscape SPKAC structure\n");
+                    ERR_print_errors(bio_err);
+                    goto err;
+                }
+            }
+            continue;
+        }
+
+        if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
+                                        (unsigned char *)buf, -1, -1, 0))
+            goto err;
+    }
+    if (spki == NULL) {
+        BIO_printf(bio_err, "Netscape SPKAC structure not found in %s\n",
+                   infile);
+        goto err;
+    }
+
+    /*
+     * Now extract the key from the SPKI structure.
+     */
+
+    BIO_printf(bio_err,
+               "Check that the SPKAC request matches the signature\n");
+
+    if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) {
+        BIO_printf(bio_err, "error unpacking SPKAC public key\n");
+        goto err;
+    }
+
+    j = NETSCAPE_SPKI_verify(spki, pktmp);
+    if (j <= 0) {
+        EVP_PKEY_free(pktmp);
+        BIO_printf(bio_err,
+                   "signature verification failed on SPKAC public key\n");
+        goto err;
+    }
+    BIO_printf(bio_err, "Signature ok\n");
+
+    X509_REQ_set_pubkey(req, pktmp);
+    EVP_PKEY_free(pktmp);
+    ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
+                 chtype, multirdn, email_dn, startdate, enddate, days, 1,
+                 verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
+                 ext_copy, 0);
+ err:
+    if (req != NULL)
+        X509_REQ_free(req);
+    if (parms != NULL)
+        CONF_free(parms);
+    if (spki != NULL)
+        NETSCAPE_SPKI_free(spki);
+    if (ne != NULL)
+        X509_NAME_ENTRY_free(ne);
+
+    return (ok);
+}
+
+static int check_time_format(const char *str)
+{
+    return ASN1_TIME_set_string(NULL, str);
+}
+
+static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
+{
+    ASN1_UTCTIME *tm = NULL;
+    char *row[DB_NUMBER], **rrow, **irow;
+    char *rev_str = NULL;
+    BIGNUM *bn = NULL;
+    int ok = -1, i;
+
+    for (i = 0; i < DB_NUMBER; i++)
+        row[i] = NULL;
+    row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0);
+    bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509), NULL);
+    if (!bn)
+        goto err;
+    if (BN_is_zero(bn))
+        row[DB_serial] = BUF_strdup("00");
+    else
+        row[DB_serial] = BN_bn2hex(bn);
+    BN_free(bn);
+    if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
+        BIO_printf(bio_err, "Memory allocation failure\n");
+        goto err;
+    }
+    /*
+     * We have to lookup by serial number because name lookup skips revoked
+     * certs
+     */
+    rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
+    if (rrow == NULL) {
+        BIO_printf(bio_err,
+                   "Adding Entry with serial number %s to DB for %s\n",
+                   row[DB_serial], row[DB_name]);
+
+        /* We now just add it to the database */
+        row[DB_type] = (char *)OPENSSL_malloc(2);
+
+        tm = X509_get_notAfter(x509);
+        row[DB_exp_date] = (char *)OPENSSL_malloc(tm->length + 1);
+        memcpy(row[DB_exp_date], tm->data, tm->length);
+        row[DB_exp_date][tm->length] = '\0';
+
+        row[DB_rev_date] = NULL;
+
+        /* row[DB_serial] done already */
+        row[DB_file] = (char *)OPENSSL_malloc(8);
+
+        /* row[DB_name] done already */
+
+        if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
+            (row[DB_file] == NULL)) {
+            BIO_printf(bio_err, "Memory allocation failure\n");
+            goto err;
+        }
+        BUF_strlcpy(row[DB_file], "unknown", 8);
+        row[DB_type][0] = 'V';
+        row[DB_type][1] = '\0';
+
+        if ((irow =
+             (char **)OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) ==
+            NULL) {
+            BIO_printf(bio_err, "Memory allocation failure\n");
+            goto err;
+        }
+
+        for (i = 0; i < DB_NUMBER; i++) {
+            irow[i] = row[i];
+            row[i] = NULL;
+        }
+        irow[DB_NUMBER] = NULL;
+
+        if (!TXT_DB_insert(db->db, irow)) {
+            BIO_printf(bio_err, "failed to update database\n");
+            BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error);
+            goto err;
+        }
+
+        /* Revoke Certificate */
+        if (type == -1)
+            ok = 1;
+        else
+            ok = do_revoke(x509, db, type, value);
+
+        goto err;
+
+    } else if (index_name_cmp_noconst(row, rrow)) {
+        BIO_printf(bio_err, "ERROR:name does not match %s\n", row[DB_name]);
+        goto err;
+    } else if (type == -1) {
+        BIO_printf(bio_err, "ERROR:Already present, serial number %s\n",
+                   row[DB_serial]);
+        goto err;
+    } else if (rrow[DB_type][0] == 'R') {
+        BIO_printf(bio_err, "ERROR:Already revoked, serial number %s\n",
+                   row[DB_serial]);
+        goto err;
+    } else {
+        BIO_printf(bio_err, "Revoking Certificate %s.\n", rrow[DB_serial]);
+        rev_str = make_revocation_str(type, value);
+        if (!rev_str) {
+            BIO_printf(bio_err, "Error in revocation arguments\n");
+            goto err;
+        }
+        rrow[DB_type][0] = 'R';
+        rrow[DB_type][1] = '\0';
+        rrow[DB_rev_date] = rev_str;
+    }
+    ok = 1;
+ err:
+    for (i = 0; i < DB_NUMBER; i++) {
+        if (row[i] != NULL)
+            OPENSSL_free(row[i]);
+    }
+    return (ok);
+}
+
+static int get_certificate_status(const char *serial, CA_DB *db)
+{
+    char *row[DB_NUMBER], **rrow;
+    int ok = -1, i;
+
+    /* Free Resources */
+    for (i = 0; i < DB_NUMBER; i++)
+        row[i] = NULL;
+
+    /* Malloc needed char spaces */
+    row[DB_serial] = OPENSSL_malloc(strlen(serial) + 2);
+    if (row[DB_serial] == NULL) {
+        BIO_printf(bio_err, "Malloc failure\n");
+        goto err;
+    }
+
+    if (strlen(serial) % 2) {
+        /*
+         * Set the first char to 0
+         */ ;
+        row[DB_serial][0] = '0';
+
+        /* Copy String from serial to row[DB_serial] */
+        memcpy(row[DB_serial] + 1, serial, strlen(serial));
+        row[DB_serial][strlen(serial) + 1] = '\0';
+    } else {
+        /* Copy String from serial to row[DB_serial] */
+        memcpy(row[DB_serial], serial, strlen(serial));
+        row[DB_serial][strlen(serial)] = '\0';
+    }
+
+    /* Make it Upper Case */
+    for (i = 0; row[DB_serial][i] != '\0'; i++)
+        row[DB_serial][i] = toupper((unsigned char)row[DB_serial][i]);
+
+    ok = 1;
+
+    /* Search for the certificate */
+    rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
+    if (rrow == NULL) {
+        BIO_printf(bio_err, "Serial %s not present in db.\n", row[DB_serial]);
+        ok = -1;
+        goto err;
+    } else if (rrow[DB_type][0] == 'V') {
+        BIO_printf(bio_err, "%s=Valid (%c)\n",
+                   row[DB_serial], rrow[DB_type][0]);
+        goto err;
+    } else if (rrow[DB_type][0] == 'R') {
+        BIO_printf(bio_err, "%s=Revoked (%c)\n",
+                   row[DB_serial], rrow[DB_type][0]);
+        goto err;
+    } else if (rrow[DB_type][0] == 'E') {
+        BIO_printf(bio_err, "%s=Expired (%c)\n",
+                   row[DB_serial], rrow[DB_type][0]);
+        goto err;
+    } else if (rrow[DB_type][0] == 'S') {
+        BIO_printf(bio_err, "%s=Suspended (%c)\n",
+                   row[DB_serial], rrow[DB_type][0]);
+        goto err;
+    } else {
+        BIO_printf(bio_err, "%s=Unknown (%c).\n",
+                   row[DB_serial], rrow[DB_type][0]);
+        ok = -1;
+    }
+ err:
+    for (i = 0; i < DB_NUMBER; i++) {
+        if (row[i] != NULL)
+            OPENSSL_free(row[i]);
+    }
+    return (ok);
+}
+
+static int do_updatedb(CA_DB *db)
+{
+    ASN1_UTCTIME *a_tm = NULL;
+    int i, cnt = 0;
+    int db_y2k, a_y2k;          /* flags = 1 if y >= 2000 */
+    char **rrow, *a_tm_s;
+
+    a_tm = ASN1_UTCTIME_new();
+    if (a_tm == NULL)
+        return -1;
+
+    /* get actual time and make a string */
+    a_tm = X509_gmtime_adj(a_tm, 0);
+    a_tm_s = (char *)OPENSSL_malloc(a_tm->length + 1);
+    if (a_tm_s == NULL) {
+        cnt = -1;
+        goto err;
+    }
+
+    memcpy(a_tm_s, a_tm->data, a_tm->length);
+    a_tm_s[a_tm->length] = '\0';
+
+    if (strncmp(a_tm_s, "49", 2) <= 0)
+        a_y2k = 1;
+    else
+        a_y2k = 0;
+
+    for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
+        rrow = sk_OPENSSL_PSTRING_value(db->db->data, i);
+
+        if (rrow[DB_type][0] == 'V') {
+            /* ignore entries that are not valid */
+            if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
+                db_y2k = 1;
+            else
+                db_y2k = 0;
+
+            if (db_y2k == a_y2k) {
+                /* all on the same y2k side */
+                if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) {
+                    rrow[DB_type][0] = 'E';
+                    rrow[DB_type][1] = '\0';
+                    cnt++;
+
+                    BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]);
+                }
+            } else if (db_y2k < a_y2k) {
+                rrow[DB_type][0] = 'E';
+                rrow[DB_type][1] = '\0';
+                cnt++;
+
+                BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]);
+            }
+
+        }
+    }
+
+ err:
+
+    ASN1_UTCTIME_free(a_tm);
+    OPENSSL_free(a_tm_s);
+
+    return (cnt);
+}
+
+static const char *crl_reasons[] = {
+    /* CRL reason strings */
+    "unspecified",
+    "keyCompromise",
+    "CACompromise",
+    "affiliationChanged",
+    "superseded",
+    "cessationOfOperation",
+    "certificateHold",
+    "removeFromCRL",
+    /* Additional pseudo reasons */
+    "holdInstruction",
+    "keyTime",
+    "CAkeyTime"
+};
+
+#define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *))
+
+/*
+ * Given revocation information convert to a DB string. The format of the
+ * string is: revtime[,reason,extra]. Where 'revtime' is the revocation time
+ * (the current time). 'reason' is the optional CRL reason and 'extra' is any
+ * additional argument
+ */
+
+char *make_revocation_str(int rev_type, char *rev_arg)
+{
+    char *other = NULL, *str;
+    const char *reason = NULL;
+    ASN1_OBJECT *otmp;
+    ASN1_UTCTIME *revtm = NULL;
+    int i;
+    switch (rev_type) {
+    case REV_NONE:
+        break;
+
+    case REV_CRL_REASON:
+        for (i = 0; i < 8; i++) {
+            if (!strcasecmp(rev_arg, crl_reasons[i])) {
+                reason = crl_reasons[i];
+                break;
+            }
+        }
+        if (reason == NULL) {
+            BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg);
+            return NULL;
+        }
+        break;
+
+    case REV_HOLD:
+        /* Argument is an OID */
+
+        otmp = OBJ_txt2obj(rev_arg, 0);
+        ASN1_OBJECT_free(otmp);
+
+        if (otmp == NULL) {
+            BIO_printf(bio_err, "Invalid object identifier %s\n", rev_arg);
+            return NULL;
+        }
+
+        reason = "holdInstruction";
+        other = rev_arg;
+        break;
+
+    case REV_KEY_COMPROMISE:
+    case REV_CA_COMPROMISE:
+
+        /* Argument is the key compromise time  */
+        if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) {
+            BIO_printf(bio_err,
+                       "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n",
+                       rev_arg);
+            return NULL;
+        }
+        other = rev_arg;
+        if (rev_type == REV_KEY_COMPROMISE)
+            reason = "keyTime";
+        else
+            reason = "CAkeyTime";
+
+        break;
+
+    }
+
+    revtm = X509_gmtime_adj(NULL, 0);
+
+    if (!revtm)
+        return NULL;
+
+    i = revtm->length + 1;
+
+    if (reason)
+        i += strlen(reason) + 1;
+    if (other)
+        i += strlen(other) + 1;
+
+    str = OPENSSL_malloc(i);
+
+    if (!str)
+        return NULL;
+
+    BUF_strlcpy(str, (char *)revtm->data, i);
+    if (reason) {
+        BUF_strlcat(str, ",", i);
+        BUF_strlcat(str, reason, i);
+    }
+    if (other) {
+        BUF_strlcat(str, ",", i);
+        BUF_strlcat(str, other, i);
+    }
+    ASN1_UTCTIME_free(revtm);
+    return str;
+}
+
+/*-
+ * Convert revocation field to X509_REVOKED entry
+ * return code:
+ * 0 error
+ * 1 OK
+ * 2 OK and some extensions added (i.e. V2 CRL)
+ */
+
+int make_revoked(X509_REVOKED *rev, const char *str)
+{
+    char *tmp = NULL;
+    int reason_code = -1;
+    int i, ret = 0;
+    ASN1_OBJECT *hold = NULL;
+    ASN1_GENERALIZEDTIME *comp_time = NULL;
+    ASN1_ENUMERATED *rtmp = NULL;
+
+    ASN1_TIME *revDate = NULL;
+
+    i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str);
+
+    if (i == 0)
+        goto err;
+
+    if (rev && !X509_REVOKED_set_revocationDate(rev, revDate))
+        goto err;
+
+    if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) {
+        rtmp = ASN1_ENUMERATED_new();
+        if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code))
+            goto err;
+        if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0))
+            goto err;
+    }
+
+    if (rev && comp_time) {
+        if (!X509_REVOKED_add1_ext_i2d
+            (rev, NID_invalidity_date, comp_time, 0, 0))
+            goto err;
+    }
+    if (rev && hold) {
+        if (!X509_REVOKED_add1_ext_i2d
+            (rev, NID_hold_instruction_code, hold, 0, 0))
+            goto err;
+    }
+
+    if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)
+        ret = 2;
+    else
+        ret = 1;
+
+ err:
+
+    if (tmp)
+        OPENSSL_free(tmp);
+    ASN1_OBJECT_free(hold);
+    ASN1_GENERALIZEDTIME_free(comp_time);
+    ASN1_ENUMERATED_free(rtmp);
+    ASN1_TIME_free(revDate);
+
+    return ret;
+}
+
+int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
+{
+    char buf[25], *pbuf, *p;
+    int j;
+    j = i2a_ASN1_OBJECT(bp, obj);
+    pbuf = buf;
+    for (j = 22 - j; j > 0; j--)
+        *(pbuf++) = ' ';
+    *(pbuf++) = ':';
+    *(pbuf++) = '\0';
+    BIO_puts(bp, buf);
+
+    if (str->type == V_ASN1_PRINTABLESTRING)
+        BIO_printf(bp, "PRINTABLE:'");
+    else if (str->type == V_ASN1_T61STRING)
+        BIO_printf(bp, "T61STRING:'");
+    else if (str->type == V_ASN1_IA5STRING)
+        BIO_printf(bp, "IA5STRING:'");
+    else if (str->type == V_ASN1_UNIVERSALSTRING)
+        BIO_printf(bp, "UNIVERSALSTRING:'");
+    else
+        BIO_printf(bp, "ASN.1 %2d:'", str->type);
+
+    p = (char *)str->data;
+    for (j = str->length; j > 0; j--) {
+        if ((*p >= ' ') && (*p <= '~'))
+            BIO_printf(bp, "%c", *p);
+        else if (*p & 0x80)
+            BIO_printf(bp, "\\0x%02X", *p);
+        else if ((unsigned char)*p == 0xf7)
+            BIO_printf(bp, "^?");
+        else
+            BIO_printf(bp, "^%c", *p + '@');
+        p++;
+    }
+    BIO_printf(bp, "'\n");
+    return 1;
+}
+
+int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
+                   ASN1_GENERALIZEDTIME **pinvtm, const char *str)
+{
+    char *tmp = NULL;
+    char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
+    int reason_code = -1;
+    int ret = 0;
+    unsigned int i;
+    ASN1_OBJECT *hold = NULL;
+    ASN1_GENERALIZEDTIME *comp_time = NULL;
+    tmp = BUF_strdup(str);
+
+    if (!tmp) {
+        BIO_printf(bio_err, "memory allocation failure\n");
+        goto err;
+    }
+
+    p = strchr(tmp, ',');
+
+    rtime_str = tmp;
+
+    if (p) {
+        *p = '\0';
+        p++;
+        reason_str = p;
+        p = strchr(p, ',');
+        if (p) {
+            *p = '\0';
+            arg_str = p + 1;
+        }
+    }
+
+    if (prevtm) {
+        *prevtm = ASN1_UTCTIME_new();
+        if (!*prevtm) {
+            BIO_printf(bio_err, "memory allocation failure\n");
+            goto err;
+        }
+        if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) {
+            BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str);
+            goto err;
+        }
+    }
+    if (reason_str) {
+        for (i = 0; i < NUM_REASONS; i++) {
+            if (!strcasecmp(reason_str, crl_reasons[i])) {
+                reason_code = i;
+                break;
+            }
+        }
+        if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) {
+            BIO_printf(bio_err, "invalid reason code %s\n", reason_str);
+            goto err;
+        }
+
+        if (reason_code == 7)
+            reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
+        else if (reason_code == 8) { /* Hold instruction */
+            if (!arg_str) {
+                BIO_printf(bio_err, "missing hold instruction\n");
+                goto err;
+            }
+            reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
+            hold = OBJ_txt2obj(arg_str, 0);
+
+            if (!hold) {
+                BIO_printf(bio_err, "invalid object identifier %s\n",
+                           arg_str);
+                goto err;
+            }
+            if (phold)
+                *phold = hold;
+        } else if ((reason_code == 9) || (reason_code == 10)) {
+            if (!arg_str) {
+                BIO_printf(bio_err, "missing compromised time\n");
+                goto err;
+            }
+            comp_time = ASN1_GENERALIZEDTIME_new();
+            if (!comp_time) {
+                BIO_printf(bio_err, "memory allocation failure\n");
+                goto err;
+            }
+            if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str)) {
+                BIO_printf(bio_err, "invalid compromised time %s\n", arg_str);
+                goto err;
+            }
+            if (reason_code == 9)
+                reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
+            else
+                reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
+        }
+    }
+
+    if (preason)
+        *preason = reason_code;
+    if (pinvtm)
+        *pinvtm = comp_time;
+    else
+        ASN1_GENERALIZEDTIME_free(comp_time);
+
+    ret = 1;
+
+ err:
+
+    if (tmp)
+        OPENSSL_free(tmp);
+    if (!phold)
+        ASN1_OBJECT_free(hold);
+    if (!pinvtm)
+        ASN1_GENERALIZEDTIME_free(comp_time);
+
+    return ret;
+}
diff --git a/openssl/apps/cert.pem b/openssl/apps/cert.pem
new file mode 100644
index 0000000..de4a77a
--- /dev/null
+++ b/openssl/apps/cert.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBoDCCAUoCAQAwDQYJKoZIhvcNAQEEBQAwYzELMAkGA1UEBhMCQVUxEzARBgNV
+BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMSMwIQYD
+VQQDExpTZXJ2ZXIgdGVzdCBjZXJ0ICg1MTIgYml0KTAeFw05NzA5MDkwMzQxMjZa
+Fw05NzEwMDkwMzQxMjZaMF4xCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0
+YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFzAVBgNVBAMT
+DkVyaWMgdGhlIFlvdW5nMFEwCQYFKw4DAgwFAANEAAJBALVEqPODnpI4rShlY8S7
+tB713JNvabvn6Gned7zylwLLiXQAo/PAT6mfdWPTyCX9RlId/Aroh1ou893BA32Q
+sggwDQYJKoZIhvcNAQEEBQADQQCU5SSgapJSdRXJoX+CpCvFy+JVh9HpSjCpSNKO
+19raHv98hKAUJuP9HyM+SUsffO6mAIgitUaqW8/wDMePhEC3
+-----END CERTIFICATE-----
diff --git a/openssl/apps/ciphers.c b/openssl/apps/ciphers.c
new file mode 100644
index 0000000..66636d2
--- /dev/null
+++ b/openssl/apps/ciphers.c
@@ -0,0 +1,239 @@
+/* apps/ciphers.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef OPENSSL_NO_STDIO
+# define APPS_WIN16
+#endif
+#include "apps.h"
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
+#undef PROG
+#define PROG    ciphers_main
+
+static const char *ciphers_usage[] = {
+    "usage: ciphers args\n",
+    " -v          - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
+    " -V          - even more verbose\n",
+    " -ssl2       - SSL2 mode\n",
+    " -ssl3       - SSL3 mode\n",
+    " -tls1       - TLS1 mode\n",
+    NULL
+};
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    int ret = 1, i;
+    int verbose = 0, Verbose = 0;
+#ifndef OPENSSL_NO_SSL_TRACE
+    int stdname = 0;
+#endif
+    const char **pp;
+    const char *p;
+    int badops = 0;
+    SSL_CTX *ctx = NULL;
+    SSL *ssl = NULL;
+    char *ciphers = NULL;
+    const SSL_METHOD *meth = NULL;
+    STACK_OF(SSL_CIPHER) *sk;
+    char buf[512];
+    BIO *STDout = NULL;
+
+    meth = SSLv23_server_method();
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+    STDout = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+    {
+        BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+        STDout = BIO_push(tmpbio, STDout);
+    }
+#endif
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    argc--;
+    argv++;
+    while (argc >= 1) {
+        if (strcmp(*argv, "-v") == 0)
+            verbose = 1;
+        else if (strcmp(*argv, "-V") == 0)
+            verbose = Verbose = 1;
+#ifndef OPENSSL_NO_SSL_TRACE
+        else if (strcmp(*argv, "-stdname") == 0)
+            stdname = verbose = 1;
+#endif
+#ifndef OPENSSL_NO_SSL2
+        else if (strcmp(*argv, "-ssl2") == 0)
+            meth = SSLv2_client_method();
+#endif
+#ifndef OPENSSL_NO_SSL3
+        else if (strcmp(*argv, "-ssl3") == 0)
+            meth = SSLv3_client_method();
+#endif
+#ifndef OPENSSL_NO_TLS1
+        else if (strcmp(*argv, "-tls1") == 0)
+            meth = TLSv1_client_method();
+#endif
+        else if ((strncmp(*argv, "-h", 2) == 0) || (strcmp(*argv, "-?") == 0)) {
+            badops = 1;
+            break;
+        } else {
+            ciphers = *argv;
+        }
+        argc--;
+        argv++;
+    }
+
+    if (badops) {
+        for (pp = ciphers_usage; (*pp != NULL); pp++)
+            BIO_printf(bio_err, "%s", *pp);
+        goto end;
+    }
+
+    OpenSSL_add_ssl_algorithms();
+
+    ctx = SSL_CTX_new(meth);
+    if (ctx == NULL)
+        goto err;
+    if (ciphers != NULL) {
+        if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
+            BIO_printf(bio_err, "Error in cipher list\n");
+            goto err;
+        }
+    }
+    ssl = SSL_new(ctx);
+    if (ssl == NULL)
+        goto err;
+
+    if (!verbose) {
+        for (i = 0;; i++) {
+            p = SSL_get_cipher_list(ssl, i);
+            if (p == NULL)
+                break;
+            if (i != 0)
+                BIO_printf(STDout, ":");
+            BIO_printf(STDout, "%s", p);
+        }
+        BIO_printf(STDout, "\n");
+    } else {                    /* verbose */
+
+        sk = SSL_get_ciphers(ssl);
+
+        for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
+            SSL_CIPHER *c;
+
+            c = sk_SSL_CIPHER_value(sk, i);
+
+            if (Verbose) {
+                unsigned long id = SSL_CIPHER_get_id(c);
+                int id0 = (int)(id >> 24);
+                int id1 = (int)((id >> 16) & 0xffL);
+                int id2 = (int)((id >> 8) & 0xffL);
+                int id3 = (int)(id & 0xffL);
+
+                if ((id & 0xff000000L) == 0x02000000L) {
+                    /* SSL2 cipher */
+                    BIO_printf(STDout, "     0x%02X,0x%02X,0x%02X - ", id1,
+                               id2, id3);
+                } else if ((id & 0xff000000L) == 0x03000000L) {
+                    /* SSL3 cipher */
+                    BIO_printf(STDout, "          0x%02X,0x%02X - ", id2,
+                               id3);
+                } else {
+                    /* whatever */
+                    BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0,
+                               id1, id2, id3);
+                }
+            }
+#ifndef OPENSSL_NO_SSL_TRACE
+            if (stdname) {
+                const char *nm = SSL_CIPHER_standard_name(c);
+                if (nm == NULL)
+                    nm = "UNKNOWN";
+                BIO_printf(STDout, "%s - ", nm);
+            }
+#endif
+            BIO_puts(STDout, SSL_CIPHER_description(c, buf, sizeof buf));
+        }
+    }
+
+    ret = 0;
+    if (0) {
+ err:
+        SSL_load_error_strings();
+        ERR_print_errors(bio_err);
+    }
+ end:
+    if (ctx != NULL)
+        SSL_CTX_free(ctx);
+    if (ssl != NULL)
+        SSL_free(ssl);
+    if (STDout != NULL)
+        BIO_free_all(STDout);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
diff --git a/openssl/apps/client.pem b/openssl/apps/client.pem
new file mode 100644
index 0000000..e7a47a7
--- /dev/null
+++ b/openssl/apps/client.pem
@@ -0,0 +1,52 @@
+subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Client Cert
+issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA
+-----BEGIN CERTIFICATE-----
+MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6yMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT
+VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt
+ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZDELMAkG
+A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU
+RVNUSU5HIFBVUlBPU0VTIE9OTFkxGTAXBgNVBAMMEFRlc3QgQ2xpZW50IENlcnQw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0ranbHRLcLVqN+0BzcZpY
++yOLqxzDWT1LD9eW1stC4NzXX9/DCtSIVyN7YIHdGLrIPr64IDdXXaMRzgZ2rOKs
+lmHCAiFpO/ja99gGCJRxH0xwQatqAULfJVHeUhs7OEGOZc2nWifjqKvGfNTilP7D
+nwi69ipQFq9oS19FmhwVHk2wg7KZGHI1qDyG04UrfCZMRitvS9+UVhPpIPjuiBi2
+x3/FZIpL5gXJvvFK6xHY63oq2asyzBATntBgnP4qJFWWcvRx24wF1PnZabxuVoL2
+bPnQ/KvONDrw3IdqkKhYNTul7jEcu3OlcZIMw+7DiaKJLAzKb/bBF5gm/pwW6As9
+AgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJYIZI
+AYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW
+BBSZHKyLoTh7Mb409Zn/mK1ceSDAjDAfBgNVHSMEGDAWgBQ2w2yI55X+sL3szj49
+hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEAD0mL7PtPYgCEuDyOQSbLpeND5hVS
+curxQdGnrJ6Acrhodb7E9ccATokeb0PLx6HBLQUicxhTZIQ9FbO43YkQcOU6C3BB
+IlwskqmtN6+VmrQzNolHCDzvxNZs9lYL2VbGPGqVRyjZeHpoAlf9cQr8PgDb4d4b
+vUx2KAhHQvV2nkmYvKyXcgnRuHggumF87mkxidriGAEFwH4qfOqetUg64WyxP7P2
+QLipm04SyQa7ONtIApfVXgHcE42Py4/f4arzCzMjKe3VyhGkS7nsT55X/fWgTaRm
+CQPkO+H94P958WTvQDt77bQ+D3IvYaVvfil8n6HJMOJfFT0LJuSUbpSXJg==
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAtK2p2x0S3C1ajftAc3GaWPsji6scw1k9Sw/XltbLQuDc11/f
+wwrUiFcje2CB3Ri6yD6+uCA3V12jEc4GdqzirJZhwgIhaTv42vfYBgiUcR9McEGr
+agFC3yVR3lIbOzhBjmXNp1on46irxnzU4pT+w58IuvYqUBavaEtfRZocFR5NsIOy
+mRhyNag8htOFK3wmTEYrb0vflFYT6SD47ogYtsd/xWSKS+YFyb7xSusR2Ot6Ktmr
+MswQE57QYJz+KiRVlnL0cduMBdT52Wm8blaC9mz50PyrzjQ68NyHapCoWDU7pe4x
+HLtzpXGSDMPuw4miiSwMym/2wReYJv6cFugLPQIDAQABAoIBAAZOyc9MhIwLSU4L
+p4RgQvM4UVVe8/Id+3XTZ8NsXExJbWxXfIhiqGjaIfL8u4vsgRjcl+v1s/jo2/iT
+KMab4o4D8gXD7UavQVDjtjb/ta79WL3SjRl2Uc9YjjMkyq6WmDNQeo2NKDdafCTB
+1uzSJtLNipB8Z53ELPuHJhxX9QMHrMnuha49riQgXZ7buP9iQrHJFhImBjSzbxJx
+L+TI6rkyLSf9Wi0Pd3L27Ob3QWNfNRYNSeTE+08eSRChkur5W0RuXAcuAICdQlCl
+LBvWO/LmmvbzCqiDcgy/TliSb6CGGwgiNG7LJZmlkYNj8laGwalNlYZs3UrVv6NO
+Br2loAECgYEA2kvCvPGj0Dg/6g7WhXDvAkEbcaL1tSeCxBbNH+6HS2UWMWvyTtCn
+/bbD519QIdkvayy1QjEf32GV/UjUVmlULMLBcDy0DGjtL3+XpIhLKWDNxN1v1/ai
+1oz23ZJCOgnk6K4qtFtlRS1XtynjA+rBetvYvLP9SKeFrnpzCgaA2r0CgYEA0+KX
+1ACXDTNH5ySX3kMjSS9xdINf+OOw4CvPHFwbtc9aqk2HePlEsBTz5I/W3rKwXva3
+NqZ/bRqVVeZB/hHKFywgdUQk2Uc5z/S7Lw70/w1HubNTXGU06Ngb6zOFAo/o/TwZ
+zTP1BMIKSOB6PAZPS3l+aLO4FRIRotfFhgRHOoECgYEAmiZbqt8cJaJDB/5YYDzC
+mp3tSk6gIb936Q6M5VqkMYp9pIKsxhk0N8aDCnTU+kIK6SzWBpr3/d9Ecmqmfyq7
+5SvWO3KyVf0WWK9KH0abhOm2BKm2HBQvI0DB5u8sUx2/hsvOnjPYDISbZ11t0MtK
+u35Zy89yMYcSsIYJjG/ROCUCgYEAgI2P9G5PNxEP5OtMwOsW84Y3Xat/hPAQFlI+
+HES+AzbFGWJkeT8zL2nm95tVkFP1sggZ7Kxjz3w7cpx7GX0NkbWSE9O+T51pNASV
+tN1sQ3p5M+/a+cnlqgfEGJVvc7iAcXQPa3LEi5h2yPR49QYXAgG6cifn3dDSpmwn
+SUI7PQECgYEApGCIIpSRPLAEHTGmP87RBL1smurhwmy2s/pghkvUkWehtxg0sGHh
+kuaqDWcskogv+QC0sVdytiLSz8G0DwcEcsHK1Fkyb8A+ayiw6jWJDo2m9+IF4Fww
+1Te6jFPYDESnbhq7+TLGgHGhtwcu5cnb4vSuYXGXKupZGzoLOBbv1Zw=
+-----END RSA PRIVATE KEY-----
diff --git a/openssl/apps/cms.c b/openssl/apps/cms.c
new file mode 100644
index 0000000..f9a63bc
--- /dev/null
+++ b/openssl/apps/cms.c
@@ -0,0 +1,1354 @@
+/* apps/cms.c */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+/* CMS utility function */
+
+#include <stdio.h>
+#include <string.h>
+#include "apps.h"
+
+#ifndef OPENSSL_NO_CMS
+
+# include <openssl/crypto.h>
+# include <openssl/pem.h>
+# include <openssl/err.h>
+# include <openssl/x509_vfy.h>
+# include <openssl/x509v3.h>
+# include <openssl/cms.h>
+
+# undef PROG
+# define PROG cms_main
+static int save_certs(char *signerfile, STACK_OF(X509) *signers);
+static int cms_cb(int ok, X509_STORE_CTX *ctx);
+static void receipt_request_print(BIO *out, CMS_ContentInfo *cms);
+static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING)
+                                                *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING)
+                                                *rr_from);
+static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
+                              STACK_OF(OPENSSL_STRING) *param);
+
+# define SMIME_OP        0x10
+# define SMIME_IP        0x20
+# define SMIME_SIGNERS   0x40
+# define SMIME_ENCRYPT           (1 | SMIME_OP)
+# define SMIME_DECRYPT           (2 | SMIME_IP)
+# define SMIME_SIGN              (3 | SMIME_OP | SMIME_SIGNERS)
+# define SMIME_VERIFY            (4 | SMIME_IP)
+# define SMIME_CMSOUT            (5 | SMIME_IP | SMIME_OP)
+# define SMIME_RESIGN            (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
+# define SMIME_DATAOUT           (7 | SMIME_IP)
+# define SMIME_DATA_CREATE       (8 | SMIME_OP)
+# define SMIME_DIGEST_VERIFY     (9 | SMIME_IP)
+# define SMIME_DIGEST_CREATE     (10 | SMIME_OP)
+# define SMIME_UNCOMPRESS        (11 | SMIME_IP)
+# define SMIME_COMPRESS          (12 | SMIME_OP)
+# define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP)
+# define SMIME_ENCRYPTED_ENCRYPT (14 | SMIME_OP)
+# define SMIME_SIGN_RECEIPT      (15 | SMIME_IP | SMIME_OP)
+# define SMIME_VERIFY_RECEIPT    (16 | SMIME_IP)
+
+int verify_err = 0;
+
+typedef struct cms_key_param_st cms_key_param;
+
+struct cms_key_param_st {
+    int idx;
+    STACK_OF(OPENSSL_STRING) *param;
+    cms_key_param *next;
+};
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    ENGINE *e = NULL;
+    int operation = 0;
+    int ret = 0;
+    char **args;
+    const char *inmode = "r", *outmode = "w";
+    char *infile = NULL, *outfile = NULL, *rctfile = NULL;
+    char *signerfile = NULL, *recipfile = NULL;
+    STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
+    char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
+    char *certsoutfile = NULL;
+    const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL;
+    CMS_ContentInfo *cms = NULL, *rcms = NULL;
+    X509_STORE *store = NULL;
+    X509 *cert = NULL, *recip = NULL, *signer = NULL;
+    EVP_PKEY *key = NULL;
+    STACK_OF(X509) *encerts = NULL, *other = NULL;
+    BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL;
+    int badarg = 0;
+    int flags = CMS_DETACHED, noout = 0, print = 0;
+    int verify_retcode = 0;
+    int rr_print = 0, rr_allorfirst = -1;
+    STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL;
+    CMS_ReceiptRequest *rr = NULL;
+    char *to = NULL, *from = NULL, *subject = NULL;
+    char *CAfile = NULL, *CApath = NULL;
+    char *passargin = NULL, *passin = NULL;
+    char *inrand = NULL;
+    int need_rand = 0;
+    const EVP_MD *sign_md = NULL;
+    int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
+    int rctformat = FORMAT_SMIME, keyform = FORMAT_PEM;
+    char *engine = NULL;
+    unsigned char *secret_key = NULL, *secret_keyid = NULL;
+    unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
+    size_t secret_keylen = 0, secret_keyidlen = 0;
+
+    cms_key_param *key_first = NULL, *key_param = NULL;
+
+    ASN1_OBJECT *econtent_type = NULL;
+
+    X509_VERIFY_PARAM *vpm = NULL;
+
+    args = argv + 1;
+    ret = 1;
+
+    apps_startup();
+
+    if (bio_err == NULL) {
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+    }
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    while (!badarg && *args && *args[0] == '-') {
+        if (!strcmp(*args, "-encrypt"))
+            operation = SMIME_ENCRYPT;
+        else if (!strcmp(*args, "-decrypt"))
+            operation = SMIME_DECRYPT;
+        else if (!strcmp(*args, "-sign"))
+            operation = SMIME_SIGN;
+        else if (!strcmp(*args, "-sign_receipt"))
+            operation = SMIME_SIGN_RECEIPT;
+        else if (!strcmp(*args, "-resign"))
+            operation = SMIME_RESIGN;
+        else if (!strcmp(*args, "-verify"))
+            operation = SMIME_VERIFY;
+        else if (!strcmp(*args, "-verify_retcode"))
+            verify_retcode = 1;
+        else if (!strcmp(*args, "-verify_receipt")) {
+            operation = SMIME_VERIFY_RECEIPT;
+            if (!args[1])
+                goto argerr;
+            args++;
+            rctfile = *args;
+        } else if (!strcmp(*args, "-cmsout"))
+            operation = SMIME_CMSOUT;
+        else if (!strcmp(*args, "-data_out"))
+            operation = SMIME_DATAOUT;
+        else if (!strcmp(*args, "-data_create"))
+            operation = SMIME_DATA_CREATE;
+        else if (!strcmp(*args, "-digest_verify"))
+            operation = SMIME_DIGEST_VERIFY;
+        else if (!strcmp(*args, "-digest_create"))
+            operation = SMIME_DIGEST_CREATE;
+        else if (!strcmp(*args, "-compress"))
+            operation = SMIME_COMPRESS;
+        else if (!strcmp(*args, "-uncompress"))
+            operation = SMIME_UNCOMPRESS;
+        else if (!strcmp(*args, "-EncryptedData_decrypt"))
+            operation = SMIME_ENCRYPTED_DECRYPT;
+        else if (!strcmp(*args, "-EncryptedData_encrypt"))
+            operation = SMIME_ENCRYPTED_ENCRYPT;
+# ifndef OPENSSL_NO_DES
+        else if (!strcmp(*args, "-des3"))
+            cipher = EVP_des_ede3_cbc();
+        else if (!strcmp(*args, "-des"))
+            cipher = EVP_des_cbc();
+        else if (!strcmp(*args, "-des3-wrap"))
+            wrap_cipher = EVP_des_ede3_wrap();
+# endif
+# ifndef OPENSSL_NO_SEED
+        else if (!strcmp(*args, "-seed"))
+            cipher = EVP_seed_cbc();
+# endif
+# ifndef OPENSSL_NO_RC2
+        else if (!strcmp(*args, "-rc2-40"))
+            cipher = EVP_rc2_40_cbc();
+        else if (!strcmp(*args, "-rc2-128"))
+            cipher = EVP_rc2_cbc();
+        else if (!strcmp(*args, "-rc2-64"))
+            cipher = EVP_rc2_64_cbc();
+# endif
+# ifndef OPENSSL_NO_AES
+        else if (!strcmp(*args, "-aes128"))
+            cipher = EVP_aes_128_cbc();
+        else if (!strcmp(*args, "-aes192"))
+            cipher = EVP_aes_192_cbc();
+        else if (!strcmp(*args, "-aes256"))
+            cipher = EVP_aes_256_cbc();
+        else if (!strcmp(*args, "-aes128-wrap"))
+            wrap_cipher = EVP_aes_128_wrap();
+        else if (!strcmp(*args, "-aes192-wrap"))
+            wrap_cipher = EVP_aes_192_wrap();
+        else if (!strcmp(*args, "-aes256-wrap"))
+            wrap_cipher = EVP_aes_256_wrap();
+# endif
+# ifndef OPENSSL_NO_CAMELLIA
+        else if (!strcmp(*args, "-camellia128"))
+            cipher = EVP_camellia_128_cbc();
+        else if (!strcmp(*args, "-camellia192"))
+            cipher = EVP_camellia_192_cbc();
+        else if (!strcmp(*args, "-camellia256"))
+            cipher = EVP_camellia_256_cbc();
+# endif
+        else if (!strcmp(*args, "-debug_decrypt"))
+            flags |= CMS_DEBUG_DECRYPT;
+        else if (!strcmp(*args, "-text"))
+            flags |= CMS_TEXT;
+        else if (!strcmp(*args, "-nointern"))
+            flags |= CMS_NOINTERN;
+        else if (!strcmp(*args, "-noverify")
+                 || !strcmp(*args, "-no_signer_cert_verify"))
+            flags |= CMS_NO_SIGNER_CERT_VERIFY;
+        else if (!strcmp(*args, "-nocerts"))
+            flags |= CMS_NOCERTS;
+        else if (!strcmp(*args, "-noattr"))
+            flags |= CMS_NOATTR;
+        else if (!strcmp(*args, "-nodetach"))
+            flags &= ~CMS_DETACHED;
+        else if (!strcmp(*args, "-nosmimecap"))
+            flags |= CMS_NOSMIMECAP;
+        else if (!strcmp(*args, "-binary"))
+            flags |= CMS_BINARY;
+        else if (!strcmp(*args, "-keyid"))
+            flags |= CMS_USE_KEYID;
+        else if (!strcmp(*args, "-nosigs"))
+            flags |= CMS_NOSIGS;
+        else if (!strcmp(*args, "-no_content_verify"))
+            flags |= CMS_NO_CONTENT_VERIFY;
+        else if (!strcmp(*args, "-no_attr_verify"))
+            flags |= CMS_NO_ATTR_VERIFY;
+        else if (!strcmp(*args, "-stream"))
+            flags |= CMS_STREAM;
+        else if (!strcmp(*args, "-indef"))
+            flags |= CMS_STREAM;
+        else if (!strcmp(*args, "-noindef"))
+            flags &= ~CMS_STREAM;
+        else if (!strcmp(*args, "-nooldmime"))
+            flags |= CMS_NOOLDMIMETYPE;
+        else if (!strcmp(*args, "-crlfeol"))
+            flags |= CMS_CRLFEOL;
+        else if (!strcmp(*args, "-noout"))
+            noout = 1;
+        else if (!strcmp(*args, "-receipt_request_print"))
+            rr_print = 1;
+        else if (!strcmp(*args, "-receipt_request_all"))
+            rr_allorfirst = 0;
+        else if (!strcmp(*args, "-receipt_request_first"))
+            rr_allorfirst = 1;
+        else if (!strcmp(*args, "-receipt_request_from")) {
+            if (!args[1])
+                goto argerr;
+            args++;
+            if (!rr_from)
+                rr_from = sk_OPENSSL_STRING_new_null();
+            sk_OPENSSL_STRING_push(rr_from, *args);
+        } else if (!strcmp(*args, "-receipt_request_to")) {
+            if (!args[1])
+                goto argerr;
+            args++;
+            if (!rr_to)
+                rr_to = sk_OPENSSL_STRING_new_null();
+            sk_OPENSSL_STRING_push(rr_to, *args);
+        } else if (!strcmp(*args, "-print")) {
+            noout = 1;
+            print = 1;
+        } else if (!strcmp(*args, "-secretkey")) {
+            long ltmp;
+            if (!args[1])
+                goto argerr;
+            args++;
+            secret_key = string_to_hex(*args, &ltmp);
+            if (!secret_key) {
+                BIO_printf(bio_err, "Invalid key %s\n", *args);
+                goto argerr;
+            }
+            secret_keylen = (size_t)ltmp;
+        } else if (!strcmp(*args, "-secretkeyid")) {
+            long ltmp;
+            if (!args[1])
+                goto argerr;
+            args++;
+            secret_keyid = string_to_hex(*args, &ltmp);
+            if (!secret_keyid) {
+                BIO_printf(bio_err, "Invalid id %s\n", *args);
+                goto argerr;
+            }
+            secret_keyidlen = (size_t)ltmp;
+        } else if (!strcmp(*args, "-pwri_password")) {
+            if (!args[1])
+                goto argerr;
+            args++;
+            pwri_pass = (unsigned char *)*args;
+        } else if (!strcmp(*args, "-econtent_type")) {
+            if (!args[1])
+                goto argerr;
+            args++;
+            econtent_type = OBJ_txt2obj(*args, 0);
+            if (!econtent_type) {
+                BIO_printf(bio_err, "Invalid OID %s\n", *args);
+                goto argerr;
+            }
+        } else if (!strcmp(*args, "-rand")) {
+            if (!args[1])
+                goto argerr;
+            args++;
+            inrand = *args;
+            need_rand = 1;
+        }
+# ifndef OPENSSL_NO_ENGINE
+        else if (!strcmp(*args, "-engine")) {
+            if (!args[1])
+                goto argerr;
+            engine = *++args;
+        }
+# endif
+        else if (!strcmp(*args, "-passin")) {
+            if (!args[1])
+                goto argerr;
+            passargin = *++args;
+        } else if (!strcmp(*args, "-to")) {
+            if (!args[1])
+                goto argerr;
+            to = *++args;
+        } else if (!strcmp(*args, "-from")) {
+            if (!args[1])
+                goto argerr;
+            from = *++args;
+        } else if (!strcmp(*args, "-subject")) {
+            if (!args[1])
+                goto argerr;
+            subject = *++args;
+        } else if (!strcmp(*args, "-signer")) {
+            if (!args[1])
+                goto argerr;
+            /* If previous -signer argument add signer to list */
+
+            if (signerfile) {
+                if (!sksigners)
+                    sksigners = sk_OPENSSL_STRING_new_null();
+                sk_OPENSSL_STRING_push(sksigners, signerfile);
+                if (!keyfile)
+                    keyfile = signerfile;
+                if (!skkeys)
+                    skkeys = sk_OPENSSL_STRING_new_null();
+                sk_OPENSSL_STRING_push(skkeys, keyfile);
+                keyfile = NULL;
+            }
+            signerfile = *++args;
+        } else if (!strcmp(*args, "-recip")) {
+            if (!args[1])
+                goto argerr;
+            if (operation == SMIME_ENCRYPT) {
+                if (!encerts)
+                    encerts = sk_X509_new_null();
+                cert = load_cert(bio_err, *++args, FORMAT_PEM,
+                                 NULL, e, "recipient certificate file");
+                if (!cert)
+                    goto end;
+                sk_X509_push(encerts, cert);
+                cert = NULL;
+            } else
+                recipfile = *++args;
+        } else if (!strcmp(*args, "-certsout")) {
+            if (!args[1])
+                goto argerr;
+            certsoutfile = *++args;
+        } else if (!strcmp(*args, "-md")) {
+            if (!args[1])
+                goto argerr;
+            sign_md = EVP_get_digestbyname(*++args);
+            if (sign_md == NULL) {
+                BIO_printf(bio_err, "Unknown digest %s\n", *args);
+                goto argerr;
+            }
+        } else if (!strcmp(*args, "-inkey")) {
+            if (!args[1])
+                goto argerr;
+            /* If previous -inkey arument add signer to list */
+            if (keyfile) {
+                if (!signerfile) {
+                    BIO_puts(bio_err, "Illegal -inkey without -signer\n");
+                    goto argerr;
+                }
+                if (!sksigners)
+                    sksigners = sk_OPENSSL_STRING_new_null();
+                sk_OPENSSL_STRING_push(sksigners, signerfile);
+                signerfile = NULL;
+                if (!skkeys)
+                    skkeys = sk_OPENSSL_STRING_new_null();
+                sk_OPENSSL_STRING_push(skkeys, keyfile);
+            }
+            keyfile = *++args;
+        } else if (!strcmp(*args, "-keyform")) {
+            if (!args[1])
+                goto argerr;
+            keyform = str2fmt(*++args);
+        } else if (!strcmp(*args, "-keyopt")) {
+            int keyidx = -1;
+            if (!args[1])
+                goto argerr;
+            if (operation == SMIME_ENCRYPT) {
+                if (encerts)
+                    keyidx += sk_X509_num(encerts);
+            } else {
+                if (keyfile || signerfile)
+                    keyidx++;
+                if (skkeys)
+                    keyidx += sk_OPENSSL_STRING_num(skkeys);
+            }
+            if (keyidx < 0) {
+                BIO_printf(bio_err, "No key specified\n");
+                goto argerr;
+            }
+            if (key_param == NULL || key_param->idx != keyidx) {
+                cms_key_param *nparam;
+                nparam = OPENSSL_malloc(sizeof(cms_key_param));
+                if (!nparam) {
+                    BIO_printf(bio_err, "Out of memory\n");
+                    goto argerr;
+                }
+                nparam->idx = keyidx;
+                nparam->param = sk_OPENSSL_STRING_new_null();
+                nparam->next = NULL;
+                if (key_first == NULL)
+                    key_first = nparam;
+                else
+                    key_param->next = nparam;
+                key_param = nparam;
+            }
+            sk_OPENSSL_STRING_push(key_param->param, *++args);
+        } else if (!strcmp(*args, "-rctform")) {
+            if (!args[1])
+                goto argerr;
+            rctformat = str2fmt(*++args);
+        } else if (!strcmp(*args, "-certfile")) {
+            if (!args[1])
+                goto argerr;
+            certfile = *++args;
+        } else if (!strcmp(*args, "-CAfile")) {
+            if (!args[1])
+                goto argerr;
+            CAfile = *++args;
+        } else if (!strcmp(*args, "-CApath")) {
+            if (!args[1])
+                goto argerr;
+            CApath = *++args;
+        } else if (!strcmp(*args, "-in")) {
+            if (!args[1])
+                goto argerr;
+            infile = *++args;
+        } else if (!strcmp(*args, "-inform")) {
+            if (!args[1])
+                goto argerr;
+            informat = str2fmt(*++args);
+        } else if (!strcmp(*args, "-outform")) {
+            if (!args[1])
+                goto argerr;
+            outformat = str2fmt(*++args);
+        } else if (!strcmp(*args, "-out")) {
+            if (!args[1])
+                goto argerr;
+            outfile = *++args;
+        } else if (!strcmp(*args, "-content")) {
+            if (!args[1])
+                goto argerr;
+            contfile = *++args;
+        } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm))
+            continue;
+        else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL)
+            badarg = 1;
+        args++;
+    }
+
+    if (((rr_allorfirst != -1) || rr_from) && !rr_to) {
+        BIO_puts(bio_err, "No Signed Receipts Recipients\n");
+        goto argerr;
+    }
+
+    if (!(operation & SMIME_SIGNERS) && (rr_to || rr_from)) {
+        BIO_puts(bio_err, "Signed receipts only allowed with -sign\n");
+        goto argerr;
+    }
+    if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) {
+        BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
+        goto argerr;
+    }
+
+    if (operation & SMIME_SIGNERS) {
+        if (keyfile && !signerfile) {
+            BIO_puts(bio_err, "Illegal -inkey without -signer\n");
+            goto argerr;
+        }
+        /* Check to see if any final signer needs to be appended */
+        if (signerfile) {
+            if (!sksigners)
+                sksigners = sk_OPENSSL_STRING_new_null();
+            sk_OPENSSL_STRING_push(sksigners, signerfile);
+            if (!skkeys)
+                skkeys = sk_OPENSSL_STRING_new_null();
+            if (!keyfile)
+                keyfile = signerfile;
+            sk_OPENSSL_STRING_push(skkeys, keyfile);
+        }
+        if (!sksigners) {
+            BIO_printf(bio_err, "No signer certificate specified\n");
+            badarg = 1;
+        }
+        signerfile = NULL;
+        keyfile = NULL;
+        need_rand = 1;
+    }
+
+    else if (operation == SMIME_DECRYPT) {
+        if (!recipfile && !keyfile && !secret_key && !pwri_pass) {
+            BIO_printf(bio_err,
+                       "No recipient certificate or key specified\n");
+            badarg = 1;
+        }
+    } else if (operation == SMIME_ENCRYPT) {
+        if (!*args && !secret_key && !pwri_pass && !encerts) {
+            BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
+            badarg = 1;
+        }
+        need_rand = 1;
+    } else if (!operation)
+        badarg = 1;
+
+    if (badarg) {
+ argerr:
+        BIO_printf(bio_err, "Usage cms [options] cert.pem ...\n");
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err, "-encrypt       encrypt message\n");
+        BIO_printf(bio_err, "-decrypt       decrypt encrypted message\n");
+        BIO_printf(bio_err, "-sign          sign message\n");
+        BIO_printf(bio_err, "-verify        verify signed message\n");
+        BIO_printf(bio_err, "-cmsout        output CMS structure\n");
+# ifndef OPENSSL_NO_DES
+        BIO_printf(bio_err, "-des3          encrypt with triple DES\n");
+        BIO_printf(bio_err, "-des           encrypt with DES\n");
+# endif
+# ifndef OPENSSL_NO_SEED
+        BIO_printf(bio_err, "-seed          encrypt with SEED\n");
+# endif
+# ifndef OPENSSL_NO_RC2
+        BIO_printf(bio_err, "-rc2-40        encrypt with RC2-40 (default)\n");
+        BIO_printf(bio_err, "-rc2-64        encrypt with RC2-64\n");
+        BIO_printf(bio_err, "-rc2-128       encrypt with RC2-128\n");
+# endif
+# ifndef OPENSSL_NO_AES
+        BIO_printf(bio_err, "-aes128, -aes192, -aes256\n");
+        BIO_printf(bio_err,
+                   "               encrypt PEM output with cbc aes\n");
+# endif
+# ifndef OPENSSL_NO_CAMELLIA
+        BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n");
+        BIO_printf(bio_err,
+                   "               encrypt PEM output with cbc camellia\n");
+# endif
+        BIO_printf(bio_err,
+                   "-nointern      don't search certificates in message for signer\n");
+        BIO_printf(bio_err,
+                   "-nosigs        don't verify message signature\n");
+        BIO_printf(bio_err,
+                   "-noverify      don't verify signers certificate\n");
+        BIO_printf(bio_err,
+                   "-nocerts       don't include signers certificate when signing\n");
+        BIO_printf(bio_err, "-nodetach      use opaque signing\n");
+        BIO_printf(bio_err,
+                   "-noattr        don't include any signed attributes\n");
+        BIO_printf(bio_err,
+                   "-binary        don't translate message to text\n");
+        BIO_printf(bio_err, "-certfile file other certificates file\n");
+        BIO_printf(bio_err, "-certsout file certificate output file\n");
+        BIO_printf(bio_err, "-signer file   signer certificate file\n");
+        BIO_printf(bio_err,
+                   "-recip  file   recipient certificate file for decryption\n");
+        BIO_printf(bio_err, "-keyid         use subject key identifier\n");
+        BIO_printf(bio_err, "-in file       input file\n");
+        BIO_printf(bio_err,
+                   "-inform arg    input format SMIME (default), PEM or DER\n");
+        BIO_printf(bio_err,
+                   "-inkey file    input private key (if not signer or recipient)\n");
+        BIO_printf(bio_err,
+                   "-keyform arg   input private key format (PEM or ENGINE)\n");
+        BIO_printf(bio_err, "-keyopt nm:v   set public key parameters\n");
+        BIO_printf(bio_err, "-out file      output file\n");
+        BIO_printf(bio_err,
+                   "-outform arg   output format SMIME (default), PEM or DER\n");
+        BIO_printf(bio_err,
+                   "-content file  supply or override content for detached signature\n");
+        BIO_printf(bio_err, "-to addr       to address\n");
+        BIO_printf(bio_err, "-from ad       from address\n");
+        BIO_printf(bio_err, "-subject s     subject\n");
+        BIO_printf(bio_err,
+                   "-text          include or delete text MIME headers\n");
+        BIO_printf(bio_err,
+                   "-CApath dir    trusted certificates directory\n");
+        BIO_printf(bio_err, "-CAfile file   trusted certificates file\n");
+        BIO_printf(bio_err,
+                   "-no_alt_chains only ever use the first certificate chain found\n");
+        BIO_printf(bio_err,
+                   "-crl_check     check revocation status of signer's certificate using CRLs\n");
+        BIO_printf(bio_err,
+                   "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
+# ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   "-engine e      use engine e, possibly a hardware device.\n");
+# endif
+        BIO_printf(bio_err, "-passin arg    input file pass phrase source\n");
+        BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
+                   LIST_SEPARATOR_CHAR);
+        BIO_printf(bio_err,
+                   "               load the file (or the files in the directory) into\n");
+        BIO_printf(bio_err, "               the random number generator\n");
+        BIO_printf(bio_err,
+                   "cert.pem       recipient certificate(s) for encryption\n");
+        goto end;
+    }
+    e = setup_engine(bio_err, engine, 0);
+
+    if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+        BIO_printf(bio_err, "Error getting password\n");
+        goto end;
+    }
+
+    if (need_rand) {
+        app_RAND_load_file(NULL, bio_err, (inrand != NULL));
+        if (inrand != NULL)
+            BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
+                       app_RAND_load_files(inrand));
+    }
+
+    ret = 2;
+
+    if (!(operation & SMIME_SIGNERS))
+        flags &= ~CMS_DETACHED;
+
+    if (operation & SMIME_OP) {
+        if (outformat == FORMAT_ASN1)
+            outmode = "wb";
+    } else {
+        if (flags & CMS_BINARY)
+            outmode = "wb";
+    }
+
+    if (operation & SMIME_IP) {
+        if (informat == FORMAT_ASN1)
+            inmode = "rb";
+    } else {
+        if (flags & CMS_BINARY)
+            inmode = "rb";
+    }
+
+    if (operation == SMIME_ENCRYPT) {
+        if (!cipher) {
+# ifndef OPENSSL_NO_DES
+            cipher = EVP_des_ede3_cbc();
+# else
+            BIO_printf(bio_err, "No cipher selected\n");
+            goto end;
+# endif
+        }
+
+        if (secret_key && !secret_keyid) {
+            BIO_printf(bio_err, "No secret key id\n");
+            goto end;
+        }
+
+        if (*args && !encerts)
+            encerts = sk_X509_new_null();
+        while (*args) {
+            if (!(cert = load_cert(bio_err, *args, FORMAT_PEM,
+                                   NULL, e, "recipient certificate file")))
+                goto end;
+            sk_X509_push(encerts, cert);
+            cert = NULL;
+            args++;
+        }
+    }
+
+    if (certfile) {
+        if (!(other = load_certs(bio_err, certfile, FORMAT_PEM, NULL,
+                                 e, "certificate file"))) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+
+    if (recipfile && (operation == SMIME_DECRYPT)) {
+        if (!(recip = load_cert(bio_err, recipfile, FORMAT_PEM, NULL,
+                                e, "recipient certificate file"))) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+
+    if (operation == SMIME_SIGN_RECEIPT) {
+        if (!(signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL,
+                                 e, "receipt signer certificate file"))) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+
+    if (operation == SMIME_DECRYPT) {
+        if (!keyfile)
+            keyfile = recipfile;
+    } else if ((operation == SMIME_SIGN) || (operation == SMIME_SIGN_RECEIPT)) {
+        if (!keyfile)
+            keyfile = signerfile;
+    } else
+        keyfile = NULL;
+
+    if (keyfile) {
+        key = load_key(bio_err, keyfile, keyform, 0, passin, e,
+                       "signing key file");
+        if (!key)
+            goto end;
+    }
+
+    if (infile) {
+        if (!(in = BIO_new_file(infile, inmode))) {
+            BIO_printf(bio_err, "Can't open input file %s\n", infile);
+            goto end;
+        }
+    } else
+        in = BIO_new_fp(stdin, BIO_NOCLOSE);
+
+    if (operation & SMIME_IP) {
+        if (informat == FORMAT_SMIME)
+            cms = SMIME_read_CMS(in, &indata);
+        else if (informat == FORMAT_PEM)
+            cms = PEM_read_bio_CMS(in, NULL, NULL, NULL);
+        else if (informat == FORMAT_ASN1)
+            cms = d2i_CMS_bio(in, NULL);
+        else {
+            BIO_printf(bio_err, "Bad input format for CMS file\n");
+            goto end;
+        }
+
+        if (!cms) {
+            BIO_printf(bio_err, "Error reading S/MIME message\n");
+            goto end;
+        }
+        if (contfile) {
+            BIO_free(indata);
+            if (!(indata = BIO_new_file(contfile, "rb"))) {
+                BIO_printf(bio_err, "Can't read content file %s\n", contfile);
+                goto end;
+            }
+        }
+        if (certsoutfile) {
+            STACK_OF(X509) *allcerts;
+            allcerts = CMS_get1_certs(cms);
+            if (!save_certs(certsoutfile, allcerts)) {
+                BIO_printf(bio_err,
+                           "Error writing certs to %s\n", certsoutfile);
+                ret = 5;
+                goto end;
+            }
+            sk_X509_pop_free(allcerts, X509_free);
+        }
+    }
+
+    if (rctfile) {
+        char *rctmode = (rctformat == FORMAT_ASN1) ? "rb" : "r";
+        if (!(rctin = BIO_new_file(rctfile, rctmode))) {
+            BIO_printf(bio_err, "Can't open receipt file %s\n", rctfile);
+            goto end;
+        }
+
+        if (rctformat == FORMAT_SMIME)
+            rcms = SMIME_read_CMS(rctin, NULL);
+        else if (rctformat == FORMAT_PEM)
+            rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL);
+        else if (rctformat == FORMAT_ASN1)
+            rcms = d2i_CMS_bio(rctin, NULL);
+        else {
+            BIO_printf(bio_err, "Bad input format for receipt\n");
+            goto end;
+        }
+
+        if (!rcms) {
+            BIO_printf(bio_err, "Error reading receipt\n");
+            goto end;
+        }
+    }
+
+    if (outfile) {
+        if (!(out = BIO_new_file(outfile, outmode))) {
+            BIO_printf(bio_err, "Can't open output file %s\n", outfile);
+            goto end;
+        }
+    } else {
+        out = BIO_new_fp(stdout, BIO_NOCLOSE);
+# ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+# endif
+    }
+
+    if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) {
+        if (!(store = setup_verify(bio_err, CAfile, CApath)))
+            goto end;
+        X509_STORE_set_verify_cb(store, cms_cb);
+        if (vpm)
+            X509_STORE_set1_param(store, vpm);
+    }
+
+    ret = 3;
+
+    if (operation == SMIME_DATA_CREATE) {
+        cms = CMS_data_create(in, flags);
+    } else if (operation == SMIME_DIGEST_CREATE) {
+        cms = CMS_digest_create(in, sign_md, flags);
+    } else if (operation == SMIME_COMPRESS) {
+        cms = CMS_compress(in, -1, flags);
+    } else if (operation == SMIME_ENCRYPT) {
+        int i;
+        flags |= CMS_PARTIAL;
+        cms = CMS_encrypt(NULL, in, cipher, flags);
+        if (!cms)
+            goto end;
+        for (i = 0; i < sk_X509_num(encerts); i++) {
+            CMS_RecipientInfo *ri;
+            cms_key_param *kparam;
+            int tflags = flags;
+            X509 *x = sk_X509_value(encerts, i);
+            for (kparam = key_first; kparam; kparam = kparam->next) {
+                if (kparam->idx == i) {
+                    tflags |= CMS_KEY_PARAM;
+                    break;
+                }
+            }
+            ri = CMS_add1_recipient_cert(cms, x, tflags);
+            if (!ri)
+                goto end;
+            if (kparam) {
+                EVP_PKEY_CTX *pctx;
+                pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+                if (!cms_set_pkey_param(pctx, kparam->param))
+                    goto end;
+            }
+            if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
+                && wrap_cipher) {
+                EVP_CIPHER_CTX *wctx;
+                wctx = CMS_RecipientInfo_kari_get0_ctx(ri);
+                EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL);
+            }
+        }
+
+        if (secret_key) {
+            if (!CMS_add0_recipient_key(cms, NID_undef,
+                                        secret_key, secret_keylen,
+                                        secret_keyid, secret_keyidlen,
+                                        NULL, NULL, NULL))
+                goto end;
+            /* NULL these because call absorbs them */
+            secret_key = NULL;
+            secret_keyid = NULL;
+        }
+        if (pwri_pass) {
+            pwri_tmp = (unsigned char *)BUF_strdup((char *)pwri_pass);
+            if (!pwri_tmp)
+                goto end;
+            if (!CMS_add0_recipient_password(cms,
+                                             -1, NID_undef, NID_undef,
+                                             pwri_tmp, -1, NULL))
+                goto end;
+            pwri_tmp = NULL;
+        }
+        if (!(flags & CMS_STREAM)) {
+            if (!CMS_final(cms, in, NULL, flags))
+                goto end;
+        }
+    } else if (operation == SMIME_ENCRYPTED_ENCRYPT) {
+        cms = CMS_EncryptedData_encrypt(in, cipher,
+                                        secret_key, secret_keylen, flags);
+
+    } else if (operation == SMIME_SIGN_RECEIPT) {
+        CMS_ContentInfo *srcms = NULL;
+        STACK_OF(CMS_SignerInfo) *sis;
+        CMS_SignerInfo *si;
+        sis = CMS_get0_SignerInfos(cms);
+        if (!sis)
+            goto end;
+        si = sk_CMS_SignerInfo_value(sis, 0);
+        srcms = CMS_sign_receipt(si, signer, key, other, flags);
+        if (!srcms)
+            goto end;
+        CMS_ContentInfo_free(cms);
+        cms = srcms;
+    } else if (operation & SMIME_SIGNERS) {
+        int i;
+        /*
+         * If detached data content we enable streaming if S/MIME output
+         * format.
+         */
+        if (operation == SMIME_SIGN) {
+
+            if (flags & CMS_DETACHED) {
+                if (outformat == FORMAT_SMIME)
+                    flags |= CMS_STREAM;
+            }
+            flags |= CMS_PARTIAL;
+            cms = CMS_sign(NULL, NULL, other, in, flags);
+            if (!cms)
+                goto end;
+            if (econtent_type)
+                CMS_set1_eContentType(cms, econtent_type);
+
+            if (rr_to) {
+                rr = make_receipt_request(rr_to, rr_allorfirst, rr_from);
+                if (!rr) {
+                    BIO_puts(bio_err,
+                             "Signed Receipt Request Creation Error\n");
+                    goto end;
+                }
+            }
+        } else
+            flags |= CMS_REUSE_DIGEST;
+        for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
+            CMS_SignerInfo *si;
+            cms_key_param *kparam;
+            int tflags = flags;
+            signerfile = sk_OPENSSL_STRING_value(sksigners, i);
+            keyfile = sk_OPENSSL_STRING_value(skkeys, i);
+
+            signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL,
+                               e, "signer certificate");
+            if (!signer)
+                goto end;
+            key = load_key(bio_err, keyfile, keyform, 0, passin, e,
+                           "signing key file");
+            if (!key)
+                goto end;
+            for (kparam = key_first; kparam; kparam = kparam->next) {
+                if (kparam->idx == i) {
+                    tflags |= CMS_KEY_PARAM;
+                    break;
+                }
+            }
+            si = CMS_add1_signer(cms, signer, key, sign_md, tflags);
+            if (!si)
+                goto end;
+            if (kparam) {
+                EVP_PKEY_CTX *pctx;
+                pctx = CMS_SignerInfo_get0_pkey_ctx(si);
+                if (!cms_set_pkey_param(pctx, kparam->param))
+                    goto end;
+            }
+            if (rr && !CMS_add1_ReceiptRequest(si, rr))
+                goto end;
+            X509_free(signer);
+            signer = NULL;
+            EVP_PKEY_free(key);
+            key = NULL;
+        }
+        /* If not streaming or resigning finalize structure */
+        if ((operation == SMIME_SIGN) && !(flags & CMS_STREAM)) {
+            if (!CMS_final(cms, in, NULL, flags))
+                goto end;
+        }
+    }
+
+    if (!cms) {
+        BIO_printf(bio_err, "Error creating CMS structure\n");
+        goto end;
+    }
+
+    ret = 4;
+    if (operation == SMIME_DECRYPT) {
+        if (flags & CMS_DEBUG_DECRYPT)
+            CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
+
+        if (secret_key) {
+            if (!CMS_decrypt_set1_key(cms,
+                                      secret_key, secret_keylen,
+                                      secret_keyid, secret_keyidlen)) {
+                BIO_puts(bio_err, "Error decrypting CMS using secret key\n");
+                goto end;
+            }
+        }
+
+        if (key) {
+            if (!CMS_decrypt_set1_pkey(cms, key, recip)) {
+                BIO_puts(bio_err, "Error decrypting CMS using private key\n");
+                goto end;
+            }
+        }
+
+        if (pwri_pass) {
+            if (!CMS_decrypt_set1_password(cms, pwri_pass, -1)) {
+                BIO_puts(bio_err, "Error decrypting CMS using password\n");
+                goto end;
+            }
+        }
+
+        if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags)) {
+            BIO_printf(bio_err, "Error decrypting CMS structure\n");
+            goto end;
+        }
+    } else if (operation == SMIME_DATAOUT) {
+        if (!CMS_data(cms, out, flags))
+            goto end;
+    } else if (operation == SMIME_UNCOMPRESS) {
+        if (!CMS_uncompress(cms, indata, out, flags))
+            goto end;
+    } else if (operation == SMIME_DIGEST_VERIFY) {
+        if (CMS_digest_verify(cms, indata, out, flags) > 0)
+            BIO_printf(bio_err, "Verification successful\n");
+        else {
+            BIO_printf(bio_err, "Verification failure\n");
+            goto end;
+        }
+    } else if (operation == SMIME_ENCRYPTED_DECRYPT) {
+        if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen,
+                                       indata, out, flags))
+            goto end;
+    } else if (operation == SMIME_VERIFY) {
+        if (CMS_verify(cms, other, store, indata, out, flags) > 0)
+            BIO_printf(bio_err, "Verification successful\n");
+        else {
+            BIO_printf(bio_err, "Verification failure\n");
+            if (verify_retcode)
+                ret = verify_err + 32;
+            goto end;
+        }
+        if (signerfile) {
+            STACK_OF(X509) *signers;
+            signers = CMS_get0_signers(cms);
+            if (!save_certs(signerfile, signers)) {
+                BIO_printf(bio_err,
+                           "Error writing signers to %s\n", signerfile);
+                ret = 5;
+                goto end;
+            }
+            sk_X509_free(signers);
+        }
+        if (rr_print)
+            receipt_request_print(bio_err, cms);
+
+    } else if (operation == SMIME_VERIFY_RECEIPT) {
+        if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0)
+            BIO_printf(bio_err, "Verification successful\n");
+        else {
+            BIO_printf(bio_err, "Verification failure\n");
+            goto end;
+        }
+    } else {
+        if (noout) {
+            if (print)
+                CMS_ContentInfo_print_ctx(out, cms, 0, NULL);
+        } else if (outformat == FORMAT_SMIME) {
+            if (to)
+                BIO_printf(out, "To: %s\n", to);
+            if (from)
+                BIO_printf(out, "From: %s\n", from);
+            if (subject)
+                BIO_printf(out, "Subject: %s\n", subject);
+            if (operation == SMIME_RESIGN)
+                ret = SMIME_write_CMS(out, cms, indata, flags);
+            else
+                ret = SMIME_write_CMS(out, cms, in, flags);
+        } else if (outformat == FORMAT_PEM)
+            ret = PEM_write_bio_CMS_stream(out, cms, in, flags);
+        else if (outformat == FORMAT_ASN1)
+            ret = i2d_CMS_bio_stream(out, cms, in, flags);
+        else {
+            BIO_printf(bio_err, "Bad output format for CMS file\n");
+            goto end;
+        }
+        if (ret <= 0) {
+            ret = 6;
+            goto end;
+        }
+    }
+    ret = 0;
+ end:
+    if (ret)
+        ERR_print_errors(bio_err);
+    if (need_rand)
+        app_RAND_write_file(NULL, bio_err);
+    sk_X509_pop_free(encerts, X509_free);
+    sk_X509_pop_free(other, X509_free);
+    if (vpm)
+        X509_VERIFY_PARAM_free(vpm);
+    if (sksigners)
+        sk_OPENSSL_STRING_free(sksigners);
+    if (skkeys)
+        sk_OPENSSL_STRING_free(skkeys);
+    if (secret_key)
+        OPENSSL_free(secret_key);
+    if (secret_keyid)
+        OPENSSL_free(secret_keyid);
+    if (pwri_tmp)
+        OPENSSL_free(pwri_tmp);
+    if (econtent_type)
+        ASN1_OBJECT_free(econtent_type);
+    if (rr)
+        CMS_ReceiptRequest_free(rr);
+    if (rr_to)
+        sk_OPENSSL_STRING_free(rr_to);
+    if (rr_from)
+        sk_OPENSSL_STRING_free(rr_from);
+    for (key_param = key_first; key_param;) {
+        cms_key_param *tparam;
+        sk_OPENSSL_STRING_free(key_param->param);
+        tparam = key_param->next;
+        OPENSSL_free(key_param);
+        key_param = tparam;
+    }
+    X509_STORE_free(store);
+    X509_free(cert);
+    X509_free(recip);
+    X509_free(signer);
+    EVP_PKEY_free(key);
+    CMS_ContentInfo_free(cms);
+    CMS_ContentInfo_free(rcms);
+    release_engine(e);
+    BIO_free(rctin);
+    BIO_free(in);
+    BIO_free(indata);
+    BIO_free_all(out);
+    if (passin)
+        OPENSSL_free(passin);
+    return (ret);
+}
+
+static int save_certs(char *signerfile, STACK_OF(X509) *signers)
+{
+    int i;
+    BIO *tmp;
+    if (!signerfile)
+        return 1;
+    tmp = BIO_new_file(signerfile, "w");
+    if (!tmp)
+        return 0;
+    for (i = 0; i < sk_X509_num(signers); i++)
+        PEM_write_bio_X509(tmp, sk_X509_value(signers, i));
+    BIO_free(tmp);
+    return 1;
+}
+
+/* Minimal callback just to output policy info (if any) */
+
+static int cms_cb(int ok, X509_STORE_CTX *ctx)
+{
+    int error;
+
+    error = X509_STORE_CTX_get_error(ctx);
+
+    verify_err = error;
+
+    if ((error != X509_V_ERR_NO_EXPLICIT_POLICY)
+        && ((error != X509_V_OK) || (ok != 2)))
+        return ok;
+
+    policies_print(NULL, ctx);
+
+    return ok;
+
+}
+
+static void gnames_stack_print(BIO *out, STACK_OF(GENERAL_NAMES) *gns)
+{
+    STACK_OF(GENERAL_NAME) *gens;
+    GENERAL_NAME *gen;
+    int i, j;
+    for (i = 0; i < sk_GENERAL_NAMES_num(gns); i++) {
+        gens = sk_GENERAL_NAMES_value(gns, i);
+        for (j = 0; j < sk_GENERAL_NAME_num(gens); j++) {
+            gen = sk_GENERAL_NAME_value(gens, j);
+            BIO_puts(out, "    ");
+            GENERAL_NAME_print(out, gen);
+            BIO_puts(out, "\n");
+        }
+    }
+    return;
+}
+
+static void receipt_request_print(BIO *out, CMS_ContentInfo *cms)
+{
+    STACK_OF(CMS_SignerInfo) *sis;
+    CMS_SignerInfo *si;
+    CMS_ReceiptRequest *rr;
+    int allorfirst;
+    STACK_OF(GENERAL_NAMES) *rto, *rlist;
+    ASN1_STRING *scid;
+    int i, rv;
+    sis = CMS_get0_SignerInfos(cms);
+    for (i = 0; i < sk_CMS_SignerInfo_num(sis); i++) {
+        si = sk_CMS_SignerInfo_value(sis, i);
+        rv = CMS_get1_ReceiptRequest(si, &rr);
+        BIO_printf(bio_err, "Signer %d:\n", i + 1);
+        if (rv == 0)
+            BIO_puts(bio_err, "  No Receipt Request\n");
+        else if (rv < 0) {
+            BIO_puts(bio_err, "  Receipt Request Parse Error\n");
+            ERR_print_errors(bio_err);
+        } else {
+            char *id;
+            int idlen;
+            CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst,
+                                           &rlist, &rto);
+            BIO_puts(out, "  Signed Content ID:\n");
+            idlen = ASN1_STRING_length(scid);
+            id = (char *)ASN1_STRING_data(scid);
+            BIO_dump_indent(out, id, idlen, 4);
+            BIO_puts(out, "  Receipts From");
+            if (rlist) {
+                BIO_puts(out, " List:\n");
+                gnames_stack_print(out, rlist);
+            } else if (allorfirst == 1)
+                BIO_puts(out, ": First Tier\n");
+            else if (allorfirst == 0)
+                BIO_puts(out, ": All\n");
+            else
+                BIO_printf(out, " Unknown (%d)\n", allorfirst);
+            BIO_puts(out, "  Receipts To:\n");
+            gnames_stack_print(out, rto);
+        }
+        if (rr)
+            CMS_ReceiptRequest_free(rr);
+    }
+}
+
+static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns)
+{
+    int i;
+    STACK_OF(GENERAL_NAMES) *ret;
+    GENERAL_NAMES *gens = NULL;
+    GENERAL_NAME *gen = NULL;
+    ret = sk_GENERAL_NAMES_new_null();
+    if (!ret)
+        goto err;
+    for (i = 0; i < sk_OPENSSL_STRING_num(ns); i++) {
+        char *str = sk_OPENSSL_STRING_value(ns, i);
+        gen = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_EMAIL, str, 0);
+        if (!gen)
+            goto err;
+        gens = GENERAL_NAMES_new();
+        if (!gens)
+            goto err;
+        if (!sk_GENERAL_NAME_push(gens, gen))
+            goto err;
+        gen = NULL;
+        if (!sk_GENERAL_NAMES_push(ret, gens))
+            goto err;
+        gens = NULL;
+    }
+
+    return ret;
+
+ err:
+    if (ret)
+        sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free);
+    if (gens)
+        GENERAL_NAMES_free(gens);
+    if (gen)
+        GENERAL_NAME_free(gen);
+    return NULL;
+}
+
+static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING)
+                                                *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING)
+                                                *rr_from)
+{
+    STACK_OF(GENERAL_NAMES) *rct_to, *rct_from;
+    CMS_ReceiptRequest *rr;
+    rct_to = make_names_stack(rr_to);
+    if (!rct_to)
+        goto err;
+    if (rr_from) {
+        rct_from = make_names_stack(rr_from);
+        if (!rct_from)
+            goto err;
+    } else
+        rct_from = NULL;
+    rr = CMS_ReceiptRequest_create0(NULL, -1, rr_allorfirst, rct_from,
+                                    rct_to);
+    return rr;
+ err:
+    return NULL;
+}
+
+static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
+                              STACK_OF(OPENSSL_STRING) *param)
+{
+    char *keyopt;
+    int i;
+    if (sk_OPENSSL_STRING_num(param) <= 0)
+        return 1;
+    for (i = 0; i < sk_OPENSSL_STRING_num(param); i++) {
+        keyopt = sk_OPENSSL_STRING_value(param, i);
+        if (pkey_ctrl_string(pctx, keyopt) <= 0) {
+            BIO_printf(bio_err, "parameter error \"%s\"\n", keyopt);
+            ERR_print_errors(bio_err);
+            return 0;
+        }
+    }
+    return 1;
+}
+
+#endif
diff --git a/openssl/apps/crl.c b/openssl/apps/crl.c
new file mode 100644
index 0000000..c9c3a5f
--- /dev/null
+++ b/openssl/apps/crl.c
@@ -0,0 +1,442 @@
+/* apps/crl.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/pem.h>
+
+#undef PROG
+#define PROG    crl_main
+
+#undef POSTFIX
+#define POSTFIX ".rvk"
+
+static const char *crl_usage[] = {
+    "usage: crl args\n",
+    "\n",
+    " -inform arg     - input format - default PEM (DER or PEM)\n",
+    " -outform arg    - output format - default PEM\n",
+    " -text           - print out a text format version\n",
+    " -in arg         - input file - default stdin\n",
+    " -out arg        - output file - default stdout\n",
+    " -hash           - print hash value\n",
+#ifndef OPENSSL_NO_MD5
+    " -hash_old       - print old-style (MD5) hash value\n",
+#endif
+    " -fingerprint    - print the crl fingerprint\n",
+    " -issuer         - print issuer DN\n",
+    " -lastupdate     - lastUpdate field\n",
+    " -nextupdate     - nextUpdate field\n",
+    " -crlnumber      - print CRL number\n",
+    " -noout          - no CRL output\n",
+    " -CAfile  name   - verify CRL using certificates in file \"name\"\n",
+    " -CApath  dir    - verify CRL using certificates in \"dir\"\n",
+    " -nameopt arg    - various certificate name options\n",
+    NULL
+};
+
+static BIO *bio_out = NULL;
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    unsigned long nmflag = 0;
+    X509_CRL *x = NULL;
+    char *CAfile = NULL, *CApath = NULL;
+    int ret = 1, i, num, badops = 0, badsig = 0;
+    BIO *out = NULL;
+    int informat, outformat, keyformat;
+    char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL;
+    int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout =
+        0, text = 0;
+#ifndef OPENSSL_NO_MD5
+    int hash_old = 0;
+#endif
+    int fingerprint = 0, crlnumber = 0;
+    const char **pp;
+    X509_STORE *store = NULL;
+    X509_STORE_CTX ctx;
+    X509_LOOKUP *lookup = NULL;
+    X509_OBJECT xobj;
+    EVP_PKEY *pkey;
+    int do_ver = 0;
+    const EVP_MD *md_alg, *digest = EVP_sha1();
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    if (bio_out == NULL)
+        if ((bio_out = BIO_new(BIO_s_file())) != NULL) {
+            BIO_set_fp(bio_out, stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+            {
+                BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+                bio_out = BIO_push(tmpbio, bio_out);
+            }
+#endif
+        }
+
+    informat = FORMAT_PEM;
+    outformat = FORMAT_PEM;
+    keyformat = FORMAT_PEM;
+
+    argc--;
+    argv++;
+    num = 0;
+    while (argc >= 1) {
+#ifdef undef
+        if (strcmp(*argv, "-p") == 0) {
+            if (--argc < 1)
+                goto bad;
+            if (!args_from_file(++argv, Nargc, Nargv)) {
+                goto end;
+            }
+        */}
+#endif
+        if (strcmp(*argv, "-inform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            informat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-outform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outformat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-in") == 0) {
+            if (--argc < 1)
+                goto bad;
+            infile = *(++argv);
+        } else if (strcmp(*argv, "-gendelta") == 0) {
+            if (--argc < 1)
+                goto bad;
+            crldiff = *(++argv);
+        } else if (strcmp(*argv, "-key") == 0) {
+            if (--argc < 1)
+                goto bad;
+            keyfile = *(++argv);
+        } else if (strcmp(*argv, "-keyform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            keyformat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outfile = *(++argv);
+        } else if (strcmp(*argv, "-CApath") == 0) {
+            if (--argc < 1)
+                goto bad;
+            CApath = *(++argv);
+            do_ver = 1;
+        } else if (strcmp(*argv, "-CAfile") == 0) {
+            if (--argc < 1)
+                goto bad;
+            CAfile = *(++argv);
+            do_ver = 1;
+        } else if (strcmp(*argv, "-verify") == 0)
+            do_ver = 1;
+        else if (strcmp(*argv, "-text") == 0)
+            text = 1;
+        else if (strcmp(*argv, "-hash") == 0)
+            hash = ++num;
+#ifndef OPENSSL_NO_MD5
+        else if (strcmp(*argv, "-hash_old") == 0)
+            hash_old = ++num;
+#endif
+        else if (strcmp(*argv, "-nameopt") == 0) {
+            if (--argc < 1)
+                goto bad;
+            if (!set_name_ex(&nmflag, *(++argv)))
+                goto bad;
+        } else if (strcmp(*argv, "-issuer") == 0)
+            issuer = ++num;
+        else if (strcmp(*argv, "-lastupdate") == 0)
+            lastupdate = ++num;
+        else if (strcmp(*argv, "-nextupdate") == 0)
+            nextupdate = ++num;
+        else if (strcmp(*argv, "-noout") == 0)
+            noout = ++num;
+        else if (strcmp(*argv, "-fingerprint") == 0)
+            fingerprint = ++num;
+        else if (strcmp(*argv, "-crlnumber") == 0)
+            crlnumber = ++num;
+        else if (strcmp(*argv, "-badsig") == 0)
+            badsig = 1;
+        else if ((md_alg = EVP_get_digestbyname(*argv + 1))) {
+            /* ok */
+            digest = md_alg;
+        } else {
+            BIO_printf(bio_err, "unknown option %s\n", *argv);
+            badops = 1;
+            break;
+        }
+        argc--;
+        argv++;
+    }
+
+    if (badops) {
+ bad:
+        for (pp = crl_usage; (*pp != NULL); pp++)
+            BIO_printf(bio_err, "%s", *pp);
+        goto end;
+    }
+
+    ERR_load_crypto_strings();
+    x = load_crl(infile, informat);
+    if (x == NULL) {
+        goto end;
+    }
+
+    if (do_ver) {
+        store = X509_STORE_new();
+        lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
+        if (lookup == NULL)
+            goto end;
+        if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM))
+            X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
+
+        lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
+        if (lookup == NULL)
+            goto end;
+        if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM))
+            X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
+        ERR_clear_error();
+
+        if (!X509_STORE_CTX_init(&ctx, store, NULL, NULL)) {
+            BIO_printf(bio_err, "Error initialising X509 store\n");
+            goto end;
+        }
+
+        i = X509_STORE_get_by_subject(&ctx, X509_LU_X509,
+                                      X509_CRL_get_issuer(x), &xobj);
+        if (i <= 0) {
+            BIO_printf(bio_err, "Error getting CRL issuer certificate\n");
+            goto end;
+        }
+        pkey = X509_get_pubkey(xobj.data.x509);
+        X509_OBJECT_free_contents(&xobj);
+        if (!pkey) {
+            BIO_printf(bio_err, "Error getting CRL issuer public key\n");
+            goto end;
+        }
+        i = X509_CRL_verify(x, pkey);
+        EVP_PKEY_free(pkey);
+        if (i < 0)
+            goto end;
+        if (i == 0)
+            BIO_printf(bio_err, "verify failure\n");
+        else
+            BIO_printf(bio_err, "verify OK\n");
+    }
+
+    if (crldiff) {
+        X509_CRL *newcrl, *delta;
+        if (!keyfile) {
+            BIO_puts(bio_err, "Missing CRL signing key\n");
+            goto end;
+        }
+        newcrl = load_crl(crldiff, informat);
+        if (!newcrl)
+            goto end;
+        pkey = load_key(bio_err, keyfile, keyformat, 0, NULL, NULL,
+                        "CRL signing key");
+        if (!pkey) {
+            X509_CRL_free(newcrl);
+            goto end;
+        }
+        delta = X509_CRL_diff(x, newcrl, pkey, digest, 0);
+        X509_CRL_free(newcrl);
+        EVP_PKEY_free(pkey);
+        if (delta) {
+            X509_CRL_free(x);
+            x = delta;
+        } else {
+            BIO_puts(bio_err, "Error creating delta CRL\n");
+            goto end;
+        }
+    }
+
+    if (num) {
+        for (i = 1; i <= num; i++) {
+            if (issuer == i) {
+                print_name(bio_out, "issuer=", X509_CRL_get_issuer(x),
+                           nmflag);
+            }
+            if (crlnumber == i) {
+                ASN1_INTEGER *crlnum;
+                crlnum = X509_CRL_get_ext_d2i(x, NID_crl_number, NULL, NULL);
+                BIO_printf(bio_out, "crlNumber=");
+                if (crlnum) {
+                    i2a_ASN1_INTEGER(bio_out, crlnum);
+                    ASN1_INTEGER_free(crlnum);
+                } else
+                    BIO_puts(bio_out, "<NONE>");
+                BIO_printf(bio_out, "\n");
+            }
+            if (hash == i) {
+                BIO_printf(bio_out, "%08lx\n",
+                           X509_NAME_hash(X509_CRL_get_issuer(x)));
+            }
+#ifndef OPENSSL_NO_MD5
+            if (hash_old == i) {
+                BIO_printf(bio_out, "%08lx\n",
+                           X509_NAME_hash_old(X509_CRL_get_issuer(x)));
+            }
+#endif
+            if (lastupdate == i) {
+                BIO_printf(bio_out, "lastUpdate=");
+                ASN1_TIME_print(bio_out, X509_CRL_get_lastUpdate(x));
+                BIO_printf(bio_out, "\n");
+            }
+            if (nextupdate == i) {
+                BIO_printf(bio_out, "nextUpdate=");
+                if (X509_CRL_get_nextUpdate(x))
+                    ASN1_TIME_print(bio_out, X509_CRL_get_nextUpdate(x));
+                else
+                    BIO_printf(bio_out, "NONE");
+                BIO_printf(bio_out, "\n");
+            }
+            if (fingerprint == i) {
+                int j;
+                unsigned int n;
+                unsigned char md[EVP_MAX_MD_SIZE];
+
+                if (!X509_CRL_digest(x, digest, md, &n)) {
+                    BIO_printf(bio_err, "out of memory\n");
+                    goto end;
+                }
+                BIO_printf(bio_out, "%s Fingerprint=",
+                           OBJ_nid2sn(EVP_MD_type(digest)));
+                for (j = 0; j < (int)n; j++) {
+                    BIO_printf(bio_out, "%02X%c", md[j], (j + 1 == (int)n)
+                               ? '\n' : ':');
+                }
+            }
+        }
+    }
+
+    out = BIO_new(BIO_s_file());
+    if (out == NULL) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (outfile == NULL) {
+        BIO_set_fp(out, stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+#endif
+    } else {
+        if (BIO_write_filename(out, outfile) <= 0) {
+            perror(outfile);
+            goto end;
+        }
+    }
+
+    if (text)
+        X509_CRL_print(out, x);
+
+    if (noout) {
+        ret = 0;
+        goto end;
+    }
+
+    if (badsig)
+        x->signature->data[x->signature->length - 1] ^= 0x1;
+
+    if (outformat == FORMAT_ASN1)
+        i = (int)i2d_X509_CRL_bio(out, x);
+    else if (outformat == FORMAT_PEM)
+        i = PEM_write_bio_X509_CRL(out, x);
+    else {
+        BIO_printf(bio_err, "bad output format specified for outfile\n");
+        goto end;
+    }
+    if (!i) {
+        BIO_printf(bio_err, "unable to write CRL\n");
+        goto end;
+    }
+    ret = 0;
+ end:
+    if (ret != 0)
+        ERR_print_errors(bio_err);
+    BIO_free_all(out);
+    BIO_free_all(bio_out);
+    bio_out = NULL;
+    X509_CRL_free(x);
+    if (store) {
+        X509_STORE_CTX_cleanup(&ctx);
+        X509_STORE_free(store);
+    }
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
diff --git a/openssl/apps/crl2p7.c b/openssl/apps/crl2p7.c
new file mode 100644
index 0000000..0763817
--- /dev/null
+++ b/openssl/apps/crl2p7.c
@@ -0,0 +1,334 @@
+/* apps/crl2p7.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/*
+ * This was written by Gordon Chaffee <chaffee@plateau.cs.berkeley.edu> and
+ * donated 'to the cause' along with lots and lots of other fixes to the
+ * library.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include "apps.h"
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pem.h>
+#include <openssl/objects.h>
+
+static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile);
+#undef PROG
+#define PROG    crl2pkcs7_main
+
+/*-
+ * -inform arg  - input format - default PEM (DER or PEM)
+ * -outform arg - output format - default PEM
+ * -in arg      - input file - default stdin
+ * -out arg     - output file - default stdout
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    int i, badops = 0;
+    BIO *in = NULL, *out = NULL;
+    int informat, outformat;
+    char *infile, *outfile, *prog, *certfile;
+    PKCS7 *p7 = NULL;
+    PKCS7_SIGNED *p7s = NULL;
+    X509_CRL *crl = NULL;
+    STACK_OF(OPENSSL_STRING) *certflst = NULL;
+    STACK_OF(X509_CRL) *crl_stack = NULL;
+    STACK_OF(X509) *cert_stack = NULL;
+    int ret = 1, nocrl = 0;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    infile = NULL;
+    outfile = NULL;
+    informat = FORMAT_PEM;
+    outformat = FORMAT_PEM;
+
+    prog = argv[0];
+    argc--;
+    argv++;
+    while (argc >= 1) {
+        if (strcmp(*argv, "-inform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            informat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-outform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outformat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-in") == 0) {
+            if (--argc < 1)
+                goto bad;
+            infile = *(++argv);
+        } else if (strcmp(*argv, "-nocrl") == 0) {
+            nocrl = 1;
+        } else if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outfile = *(++argv);
+        } else if (strcmp(*argv, "-certfile") == 0) {
+            if (--argc < 1)
+                goto bad;
+            if (!certflst)
+                certflst = sk_OPENSSL_STRING_new_null();
+            if (!certflst)
+                goto end;
+            if (!sk_OPENSSL_STRING_push(certflst, *(++argv))) {
+                sk_OPENSSL_STRING_free(certflst);
+                goto end;
+            }
+        } else {
+            BIO_printf(bio_err, "unknown option %s\n", *argv);
+            badops = 1;
+            break;
+        }
+        argc--;
+        argv++;
+    }
+
+    if (badops) {
+ bad:
+        BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err, " -inform arg    input format - DER or PEM\n");
+        BIO_printf(bio_err, " -outform arg   output format - DER or PEM\n");
+        BIO_printf(bio_err, " -in arg        input file\n");
+        BIO_printf(bio_err, " -out arg       output file\n");
+        BIO_printf(bio_err,
+                   " -certfile arg  certificates file of chain to a trusted CA\n");
+        BIO_printf(bio_err, "                (can be used more than once)\n");
+        BIO_printf(bio_err,
+                   " -nocrl         no crl to load, just certs from '-certfile'\n");
+        ret = 1;
+        goto end;
+    }
+
+    ERR_load_crypto_strings();
+
+    in = BIO_new(BIO_s_file());
+    out = BIO_new(BIO_s_file());
+    if ((in == NULL) || (out == NULL)) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (!nocrl) {
+        if (infile == NULL)
+            BIO_set_fp(in, stdin, BIO_NOCLOSE);
+        else {
+            if (BIO_read_filename(in, infile) <= 0) {
+                perror(infile);
+                goto end;
+            }
+        }
+
+        if (informat == FORMAT_ASN1)
+            crl = d2i_X509_CRL_bio(in, NULL);
+        else if (informat == FORMAT_PEM)
+            crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
+        else {
+            BIO_printf(bio_err, "bad input format specified for input crl\n");
+            goto end;
+        }
+        if (crl == NULL) {
+            BIO_printf(bio_err, "unable to load CRL\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+
+    if ((p7 = PKCS7_new()) == NULL)
+        goto end;
+    if ((p7s = PKCS7_SIGNED_new()) == NULL)
+        goto end;
+    p7->type = OBJ_nid2obj(NID_pkcs7_signed);
+    p7->d.sign = p7s;
+    p7s->contents->type = OBJ_nid2obj(NID_pkcs7_data);
+
+    if (!ASN1_INTEGER_set(p7s->version, 1))
+        goto end;
+    if ((crl_stack = sk_X509_CRL_new_null()) == NULL)
+        goto end;
+    p7s->crl = crl_stack;
+    if (crl != NULL) {
+        sk_X509_CRL_push(crl_stack, crl);
+        crl = NULL;             /* now part of p7 for OPENSSL_freeing */
+    }
+
+    if ((cert_stack = sk_X509_new_null()) == NULL)
+        goto end;
+    p7s->cert = cert_stack;
+
+    if (certflst)
+        for (i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) {
+            certfile = sk_OPENSSL_STRING_value(certflst, i);
+            if (add_certs_from_file(cert_stack, certfile) < 0) {
+                BIO_printf(bio_err, "error loading certificates\n");
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+        }
+
+    sk_OPENSSL_STRING_free(certflst);
+
+    if (outfile == NULL) {
+        BIO_set_fp(out, stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+#endif
+    } else {
+        if (BIO_write_filename(out, outfile) <= 0) {
+            perror(outfile);
+            goto end;
+        }
+    }
+
+    if (outformat == FORMAT_ASN1)
+        i = i2d_PKCS7_bio(out, p7);
+    else if (outformat == FORMAT_PEM)
+        i = PEM_write_bio_PKCS7(out, p7);
+    else {
+        BIO_printf(bio_err, "bad output format specified for outfile\n");
+        goto end;
+    }
+    if (!i) {
+        BIO_printf(bio_err, "unable to write pkcs7 object\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+    ret = 0;
+ end:
+    if (in != NULL)
+        BIO_free(in);
+    if (out != NULL)
+        BIO_free_all(out);
+    if (p7 != NULL)
+        PKCS7_free(p7);
+    if (crl != NULL)
+        X509_CRL_free(crl);
+
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+
+/*-
+ *----------------------------------------------------------------------
+ * int add_certs_from_file
+ *
+ *      Read a list of certificates to be checked from a file.
+ *
+ * Results:
+ *      number of certs added if successful, -1 if not.
+ *----------------------------------------------------------------------
+ */
+static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile)
+{
+    BIO *in = NULL;
+    int count = 0;
+    int ret = -1;
+    STACK_OF(X509_INFO) *sk = NULL;
+    X509_INFO *xi;
+
+    in = BIO_new(BIO_s_file());
+    if ((in == NULL) || (BIO_read_filename(in, certfile) <= 0)) {
+        BIO_printf(bio_err, "error opening the file, %s\n", certfile);
+        goto end;
+    }
+
+    /* This loads from a file, a stack of x509/crl/pkey sets */
+    sk = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
+    if (sk == NULL) {
+        BIO_printf(bio_err, "error reading the file, %s\n", certfile);
+        goto end;
+    }
+
+    /* scan over it and pull out the CRL's */
+    while (sk_X509_INFO_num(sk)) {
+        xi = sk_X509_INFO_shift(sk);
+        if (xi->x509 != NULL) {
+            sk_X509_push(stack, xi->x509);
+            xi->x509 = NULL;
+            count++;
+        }
+        X509_INFO_free(xi);
+    }
+
+    ret = count;
+ end:
+    /* never need to OPENSSL_free x */
+    if (in != NULL)
+        BIO_free(in);
+    if (sk != NULL)
+        sk_X509_INFO_free(sk);
+    return (ret);
+}
diff --git a/openssl/apps/demoCA/cacert.pem b/openssl/apps/demoCA/cacert.pem
new file mode 100644
index 0000000..affbce3
--- /dev/null
+++ b/openssl/apps/demoCA/cacert.pem
@@ -0,0 +1,14 @@
+subject=/C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
+issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+-----BEGIN X509 CERTIFICATE-----
+
+MIIBgjCCASwCAQQwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV
+BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MTAwOTIz
+MzIwNVoXDTk4MDcwNTIzMzIwNVowYDELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM
+RDEZMBcGA1UEChMQTWluY29tIFB0eS4gTHRkLjELMAkGA1UECxMCQ1MxGzAZBgNV
+BAMTElNTTGVheSBkZW1vIHNlcnZlcjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC3
+LCXcScWua0PFLkHBLm2VejqpA1F4RQ8q0VjRiPafjx/Z/aWH3ipdMVvuJGa/wFXb
+/nDFLDlfWp+oCPwhBtVPAgMBAAEwDQYJKoZIhvcNAQEEBQADQQArNFsihWIjBzb0
+DCsU0BvL2bvSwJrPEqFlkDq3F4M6EGutL9axEcANWgbbEdAvNJD1dmEmoWny27Pn
+IMs6ZOZB
+-----END X509 CERTIFICATE-----
diff --git a/openssl/apps/demoCA/index.txt b/openssl/apps/demoCA/index.txt
new file mode 100644
index 0000000..2cdd252
--- /dev/null
+++ b/openssl/apps/demoCA/index.txt
@@ -0,0 +1,39 @@
+R	980705233205Z	951009233205Z	01	certs/00000001	/CN=Eric Young
+E	951009233205Z		02	certs/00000002	/CN=Duncan Young
+R	980705233205Z	951201010000Z	03	certs/00000003	/CN=Tim Hudson
+V	980705233205Z		04	certs/00000004	/CN=Eric Young4
+V	980705233205Z		05	certs/00000004	/CN=Eric Young5
+V	980705233205Z		06	certs/00000004	/CN=Eric Young6
+V	980705233205Z		07	certs/00000004	/CN=Eric Young7
+V	980705233205Z		08	certs/00000004	/CN=Eric Young8
+V	980705233205Z		09	certs/00000004	/CN=Eric Young9
+V	980705233205Z		0A	certs/00000004	/CN=Eric YoungA
+V	980705233205Z		0B	certs/00000004	/CN=Eric YoungB
+V	980705233205Z		0C	certs/00000004	/CN=Eric YoungC
+V	980705233205Z		0D	certs/00000004	/CN=Eric YoungD
+V	980705233205Z		0E	certs/00000004	/CN=Eric YoungE
+V	980705233205Z		0F	certs/00000004	/CN=Eric YoungF
+V	980705233205Z		10	certs/00000004	/CN=Eric Young10
+V	980705233205Z		11	certs/00000004	/CN=Eric Young11
+V	980705233205Z		12	certs/00000004	/CN=Eric Young12
+V	980705233205Z		13	certs/00000004	/CN=Eric Young13
+V	980705233205Z		14	certs/00000004	/CN=Eric Young14
+V	980705233205Z		15	certs/00000004	/CN=Eric Young15
+V	980705233205Z		16	certs/00000004	/CN=Eric Young16
+V	980705233205Z		17	certs/00000004	/CN=Eric Young17
+V	961206150305Z		010C	unknown	/C=AU/SP=QLD/O=Mincom Pty. Ltd./OU=MTR/CN=Eric Young/Email=eay@mincom.oz.au
+V	961206153245Z		010D	unknown	/C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=Eric Young/Email=eay@mincom.oz.au
+V	970322074816Z		010E	unknown	/CN=Eric Young/Email=eay@mincom.oz.au
+V	970322075152Z		010F	unknown	/CN=Eric Young
+V	970322075906Z		0110	unknown	/CN=Eric Youngg
+V	970324092238Z		0111	unknown	/C=AU/SP=Queensland/CN=Eric Young
+V	970324221931Z		0112	unknown	/CN=Fred
+V	970324224934Z		0113	unknown	/C=AU/CN=eay
+V	971001005237Z		0114	unknown	/C=AU/SP=QLD/O=Mincom Pty Ltd/OU=MTR/CN=x509v3 test
+V	971001010331Z		0115	unknown	/C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=test again - x509v3
+V	971001013945Z		0117	unknown	/C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=x509v3 test
+V	971014225415Z		0118	unknown	/C=AU/SP=Queensland/CN=test
+V	971015004448Z		0119	unknown	/C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=test2
+V	971016035001Z		011A	unknown	/C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=test64
+V	971016080129Z		011B	unknown	/C=FR/O=ALCATEL/OU=Alcatel Mobile Phones/CN=bourque/Email=bourque@art.alcatel.fr
+V	971016224000Z		011D	unknown	/L=Bedford/O=Cranfield University/OU=Computer Centre/CN=Peter R Lister/Email=P.Lister@cranfield.ac.uk
diff --git a/openssl/apps/demoCA/private/cakey.pem b/openssl/apps/demoCA/private/cakey.pem
new file mode 100644
index 0000000..48fb18c
--- /dev/null
+++ b/openssl/apps/demoCA/private/cakey.pem
@@ -0,0 +1,24 @@
+issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+subject=/C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
+-----BEGIN X509 CERTIFICATE-----
+
+MIIBgjCCASwCAQQwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV
+BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MTAwOTIz
+MzIwNVoXDTk4MDcwNTIzMzIwNVowYDELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM
+RDEZMBcGA1UEChMQTWluY29tIFB0eS4gTHRkLjELMAkGA1UECxMCQ1MxGzAZBgNV
+BAMTElNTTGVheSBkZW1vIHNlcnZlcjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC3
+LCXcScWua0PFLkHBLm2VejqpA1F4RQ8q0VjRiPafjx/Z/aWH3ipdMVvuJGa/wFXb
+/nDFLDlfWp+oCPwhBtVPAgMBAAEwDQYJKoZIhvcNAQEEBQADQQArNFsihWIjBzb0
+DCsU0BvL2bvSwJrPEqFlkDq3F4M6EGutL9axEcANWgbbEdAvNJD1dmEmoWny27Pn
+IMs6ZOZB
+-----END X509 CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+
+MIIBPAIBAAJBALcsJdxJxa5rQ8UuQcEubZV6OqkDUXhFDyrRWNGI9p+PH9n9pYfe
+Kl0xW+4kZr/AVdv+cMUsOV9an6gI/CEG1U8CAwEAAQJAXJMBZ34ZXHd1vtgL/3hZ
+hexKbVTx/djZO4imXO/dxPGRzG2ylYZpHmG32/T1kaHpZlCHoEPgHoSzmxYXfxjG
+sQIhAPmZ/bQOjmRUHM/VM2X5zrjjM6z18R1P6l3ObFwt9FGdAiEAu943Yh9SqMRw
+tL0xHGxKmM/YJueUw1gB6sLkETN71NsCIQCeT3RhoqXfrpXDoEcEU+gwzjI1bpxq
+agiNTOLfqGoA5QIhAIQFYjgzONxex7FLrsKBm16N2SFl5pXsN9SpRqqL2n63AiEA
+g9VNIQ3xwpw7og3IbONifeku+J9qGMGQJMKwSTwrFtI=
+-----END RSA PRIVATE KEY-----
diff --git a/openssl/apps/demoCA/serial b/openssl/apps/demoCA/serial
new file mode 100644
index 0000000..69fa0ff
--- /dev/null
+++ b/openssl/apps/demoCA/serial
@@ -0,0 +1 @@
+011E
diff --git a/openssl/apps/demoSRP/srp_verifier.txt b/openssl/apps/demoSRP/srp_verifier.txt
new file mode 100644
index 0000000..ccae629
--- /dev/null
+++ b/openssl/apps/demoSRP/srp_verifier.txt
@@ -0,0 +1,6 @@
+# This is a file that will be filled by the openssl srp routine.
+# You can initialize the file with additional groups, these are
+# records starting with a I followed by the g and N values and the id.
+# The exact values ... you have to dig this out from the source of srp.c
+# or srp_vfy.c
+# The last value of an I is used as the default group for new users.  
diff --git a/openssl/apps/demoSRP/srp_verifier.txt.attr b/openssl/apps/demoSRP/srp_verifier.txt.attr
new file mode 100644
index 0000000..8f7e63a
--- /dev/null
+++ b/openssl/apps/demoSRP/srp_verifier.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/openssl/apps/dgst.c b/openssl/apps/dgst.c
new file mode 100644
index 0000000..bc2601e
--- /dev/null
+++ b/openssl/apps/dgst.c
@@ -0,0 +1,620 @@
+/* apps/dgst.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/hmac.h>
+
+#undef BUFSIZE
+#define BUFSIZE 1024*8
+
+#undef PROG
+#define PROG    dgst_main
+
+int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
+          EVP_PKEY *key, unsigned char *sigin, int siglen,
+          const char *sig_name, const char *md_name,
+          const char *file, BIO *bmd);
+
+static void list_md_fn(const EVP_MD *m,
+                       const char *from, const char *to, void *arg)
+{
+    const char *mname;
+    /* Skip aliases */
+    if (!m)
+        return;
+    mname = OBJ_nid2ln(EVP_MD_type(m));
+    /* Skip shortnames */
+    if (strcmp(from, mname))
+        return;
+    /* Skip clones */
+    if (EVP_MD_flags(m) & EVP_MD_FLAG_PKEY_DIGEST)
+        return;
+    if (strchr(mname, ' '))
+        mname = EVP_MD_name(m);
+    BIO_printf(arg, "-%-14s to use the %s message digest algorithm\n",
+               mname, mname);
+}
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    ENGINE *e = NULL, *impl = NULL;
+    unsigned char *buf = NULL;
+    int i, err = 1;
+    const EVP_MD *md = NULL, *m;
+    BIO *in = NULL, *inp;
+    BIO *bmd = NULL;
+    BIO *out = NULL;
+#define PROG_NAME_SIZE  39
+    char pname[PROG_NAME_SIZE + 1];
+    int separator = 0;
+    int debug = 0;
+    int keyform = FORMAT_PEM;
+    const char *outfile = NULL, *keyfile = NULL;
+    const char *sigfile = NULL, *randfile = NULL;
+    int out_bin = -1, want_pub = 0, do_verify = 0;
+    EVP_PKEY *sigkey = NULL;
+    unsigned char *sigbuf = NULL;
+    int siglen = 0;
+    char *passargin = NULL, *passin = NULL;
+#ifndef OPENSSL_NO_ENGINE
+    char *engine = NULL;
+    int engine_impl = 0;
+#endif
+    char *hmac_key = NULL;
+    char *mac_name = NULL;
+    int non_fips_allow = 0;
+    STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
+
+    apps_startup();
+
+    if ((buf = (unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL) {
+        BIO_printf(bio_err, "out of memory\n");
+        goto end;
+    }
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    /* first check the program name */
+    program_name(argv[0], pname, sizeof pname);
+
+    md = EVP_get_digestbyname(pname);
+
+    argc--;
+    argv++;
+    while (argc > 0) {
+        if ((*argv)[0] != '-')
+            break;
+        if (strcmp(*argv, "-c") == 0)
+            separator = 1;
+        else if (strcmp(*argv, "-r") == 0)
+            separator = 2;
+        else if (strcmp(*argv, "-rand") == 0) {
+            if (--argc < 1)
+                break;
+            randfile = *(++argv);
+        } else if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                break;
+            outfile = *(++argv);
+        } else if (strcmp(*argv, "-sign") == 0) {
+            if (--argc < 1)
+                break;
+            keyfile = *(++argv);
+        } else if (!strcmp(*argv, "-passin")) {
+            if (--argc < 1)
+                break;
+            passargin = *++argv;
+        } else if (strcmp(*argv, "-verify") == 0) {
+            if (--argc < 1)
+                break;
+            keyfile = *(++argv);
+            want_pub = 1;
+            do_verify = 1;
+        } else if (strcmp(*argv, "-prverify") == 0) {
+            if (--argc < 1)
+                break;
+            keyfile = *(++argv);
+            do_verify = 1;
+        } else if (strcmp(*argv, "-signature") == 0) {
+            if (--argc < 1)
+                break;
+            sigfile = *(++argv);
+        } else if (strcmp(*argv, "-keyform") == 0) {
+            if (--argc < 1)
+                break;
+            keyform = str2fmt(*(++argv));
+        }
+#ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                break;
+            engine = *(++argv);
+            e = setup_engine(bio_err, engine, 0);
+        } else if (strcmp(*argv, "-engine_impl") == 0)
+            engine_impl = 1;
+#endif
+        else if (strcmp(*argv, "-hex") == 0)
+            out_bin = 0;
+        else if (strcmp(*argv, "-binary") == 0)
+            out_bin = 1;
+        else if (strcmp(*argv, "-d") == 0)
+            debug = 1;
+        else if (!strcmp(*argv, "-fips-fingerprint"))
+            hmac_key = "etaonrishdlcupfm";
+        else if (strcmp(*argv, "-non-fips-allow") == 0)
+            non_fips_allow = 1;
+        else if (!strcmp(*argv, "-hmac")) {
+            if (--argc < 1)
+                break;
+            hmac_key = *++argv;
+        } else if (!strcmp(*argv, "-mac")) {
+            if (--argc < 1)
+                break;
+            mac_name = *++argv;
+        } else if (strcmp(*argv, "-sigopt") == 0) {
+            if (--argc < 1)
+                break;
+            if (!sigopts)
+                sigopts = sk_OPENSSL_STRING_new_null();
+            if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
+                break;
+        } else if (strcmp(*argv, "-macopt") == 0) {
+            if (--argc < 1)
+                break;
+            if (!macopts)
+                macopts = sk_OPENSSL_STRING_new_null();
+            if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv)))
+                break;
+        } else if ((m = EVP_get_digestbyname(&((*argv)[1]))) != NULL)
+            md = m;
+        else
+            break;
+        argc--;
+        argv++;
+    }
+
+    if (keyfile != NULL && argc > 1) {
+        BIO_printf(bio_err, "Can only sign or verify one file\n");
+        goto end;
+    }
+
+    if (do_verify && !sigfile) {
+        BIO_printf(bio_err,
+                   "No signature to verify: use the -signature option\n");
+        goto end;
+    }
+
+    if ((argc > 0) && (argv[0][0] == '-')) { /* bad option */
+        BIO_printf(bio_err, "unknown option '%s'\n", *argv);
+        BIO_printf(bio_err, "options are\n");
+        BIO_printf(bio_err,
+                   "-c              to output the digest with separating colons\n");
+        BIO_printf(bio_err,
+                   "-r              to output the digest in coreutils format\n");
+        BIO_printf(bio_err, "-d              to output debug info\n");
+        BIO_printf(bio_err, "-hex            output as hex dump\n");
+        BIO_printf(bio_err, "-binary         output in binary form\n");
+        BIO_printf(bio_err, "-hmac arg       set the HMAC key to arg\n");
+        BIO_printf(bio_err, "-non-fips-allow allow use of non FIPS digest\n");
+        BIO_printf(bio_err,
+                   "-sign   file    sign digest using private key in file\n");
+        BIO_printf(bio_err,
+                   "-verify file    verify a signature using public key in file\n");
+        BIO_printf(bio_err,
+                   "-prverify file  verify a signature using private key in file\n");
+        BIO_printf(bio_err,
+                   "-keyform arg    key file format (PEM or ENGINE)\n");
+        BIO_printf(bio_err,
+                   "-out filename   output to filename rather than stdout\n");
+        BIO_printf(bio_err, "-signature file signature to verify\n");
+        BIO_printf(bio_err, "-sigopt nm:v    signature parameter\n");
+        BIO_printf(bio_err, "-hmac key       create hashed MAC with key\n");
+        BIO_printf(bio_err,
+                   "-mac algorithm  create MAC (not neccessarily HMAC)\n");
+        BIO_printf(bio_err,
+                   "-macopt nm:v    MAC algorithm parameters or key\n");
+#ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   "-engine e       use engine e, possibly a hardware device.\n");
+#endif
+
+        EVP_MD_do_all_sorted(list_md_fn, bio_err);
+        goto end;
+    }
+#ifndef OPENSSL_NO_ENGINE
+    if (engine_impl)
+        impl = e;
+#endif
+
+    in = BIO_new(BIO_s_file());
+    bmd = BIO_new(BIO_f_md());
+    if ((in == NULL) || (bmd == NULL)) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (debug) {
+        BIO_set_callback(in, BIO_debug_callback);
+        /* needed for windows 3.1 */
+        BIO_set_callback_arg(in, (char *)bio_err);
+    }
+
+    if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+        BIO_printf(bio_err, "Error getting password\n");
+        goto end;
+    }
+
+    if (out_bin == -1) {
+        if (keyfile)
+            out_bin = 1;
+        else
+            out_bin = 0;
+    }
+
+    if (randfile)
+        app_RAND_load_file(randfile, bio_err, 0);
+
+    if (outfile) {
+        if (out_bin)
+            out = BIO_new_file(outfile, "wb");
+        else
+            out = BIO_new_file(outfile, "w");
+    } else {
+        out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+#endif
+    }
+
+    if (!out) {
+        BIO_printf(bio_err, "Error opening output file %s\n",
+                   outfile ? outfile : "(stdout)");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+    if ((! !mac_name + ! !keyfile + ! !hmac_key) > 1) {
+        BIO_printf(bio_err, "MAC and Signing key cannot both be specified\n");
+        goto end;
+    }
+
+    if (keyfile) {
+        if (want_pub)
+            sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL,
+                                 e, "key file");
+        else
+            sigkey = load_key(bio_err, keyfile, keyform, 0, passin,
+                              e, "key file");
+        if (!sigkey) {
+            /*
+             * load_[pub]key() has already printed an appropriate message
+             */
+            goto end;
+        }
+    }
+
+    if (mac_name) {
+        EVP_PKEY_CTX *mac_ctx = NULL;
+        int r = 0;
+        if (!init_gen_str(bio_err, &mac_ctx, mac_name, impl, 0))
+            goto mac_end;
+        if (macopts) {
+            char *macopt;
+            for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++) {
+                macopt = sk_OPENSSL_STRING_value(macopts, i);
+                if (pkey_ctrl_string(mac_ctx, macopt) <= 0) {
+                    BIO_printf(bio_err,
+                               "MAC parameter error \"%s\"\n", macopt);
+                    ERR_print_errors(bio_err);
+                    goto mac_end;
+                }
+            }
+        }
+        if (EVP_PKEY_keygen(mac_ctx, &sigkey) <= 0) {
+            BIO_puts(bio_err, "Error generating key\n");
+            ERR_print_errors(bio_err);
+            goto mac_end;
+        }
+        r = 1;
+ mac_end:
+        if (mac_ctx)
+            EVP_PKEY_CTX_free(mac_ctx);
+        if (r == 0)
+            goto end;
+    }
+
+    if (non_fips_allow) {
+        EVP_MD_CTX *md_ctx;
+        BIO_get_md_ctx(bmd, &md_ctx);
+        EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+    }
+
+    if (hmac_key) {
+        sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, impl,
+                                      (unsigned char *)hmac_key, -1);
+        if (!sigkey)
+            goto end;
+    }
+
+    if (sigkey) {
+        EVP_MD_CTX *mctx = NULL;
+        EVP_PKEY_CTX *pctx = NULL;
+        int r;
+        if (!BIO_get_md_ctx(bmd, &mctx)) {
+            BIO_printf(bio_err, "Error getting context\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        if (do_verify)
+            r = EVP_DigestVerifyInit(mctx, &pctx, md, impl, sigkey);
+        else
+            r = EVP_DigestSignInit(mctx, &pctx, md, impl, sigkey);
+        if (!r) {
+            BIO_printf(bio_err, "Error setting context\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        if (sigopts) {
+            char *sigopt;
+            for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
+                sigopt = sk_OPENSSL_STRING_value(sigopts, i);
+                if (pkey_ctrl_string(pctx, sigopt) <= 0) {
+                    BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt);
+                    ERR_print_errors(bio_err);
+                    goto end;
+                }
+            }
+        }
+    }
+    /* we use md as a filter, reading from 'in' */
+    else {
+        EVP_MD_CTX *mctx = NULL;
+        if (!BIO_get_md_ctx(bmd, &mctx)) {
+            BIO_printf(bio_err, "Error getting context\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        if (md == NULL)
+            md = EVP_md5();
+        if (!EVP_DigestInit_ex(mctx, md, impl)) {
+            BIO_printf(bio_err, "Error setting digest %s\n", pname);
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+
+    if (sigfile && sigkey) {
+        BIO *sigbio;
+        sigbio = BIO_new_file(sigfile, "rb");
+        siglen = EVP_PKEY_size(sigkey);
+        sigbuf = OPENSSL_malloc(siglen);
+        if (!sigbio) {
+            BIO_printf(bio_err, "Error opening signature file %s\n", sigfile);
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        if (!sigbuf) {
+            BIO_printf(bio_err, "Out of memory\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        siglen = BIO_read(sigbio, sigbuf, siglen);
+        BIO_free(sigbio);
+        if (siglen <= 0) {
+            BIO_printf(bio_err, "Error reading signature file %s\n", sigfile);
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+    inp = BIO_push(bmd, in);
+
+    if (md == NULL) {
+        EVP_MD_CTX *tctx;
+        BIO_get_md_ctx(bmd, &tctx);
+        md = EVP_MD_CTX_md(tctx);
+    }
+
+    if (argc == 0) {
+        BIO_set_fp(in, stdin, BIO_NOCLOSE);
+        err = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf,
+                    siglen, NULL, NULL, "stdin", bmd);
+    } else {
+        const char *md_name = NULL, *sig_name = NULL;
+        if (!out_bin) {
+            if (sigkey) {
+                const EVP_PKEY_ASN1_METHOD *ameth;
+                ameth = EVP_PKEY_get0_asn1(sigkey);
+                if (ameth)
+                    EVP_PKEY_asn1_get0_info(NULL, NULL,
+                                            NULL, NULL, &sig_name, ameth);
+            }
+            if (md)
+                md_name = EVP_MD_name(md);
+        }
+        err = 0;
+        for (i = 0; i < argc; i++) {
+            int r;
+            if (BIO_read_filename(in, argv[i]) <= 0) {
+                perror(argv[i]);
+                err++;
+                continue;
+            } else
+                r = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf,
+                          siglen, sig_name, md_name, argv[i], bmd);
+            if (r)
+                err = r;
+            (void)BIO_reset(bmd);
+        }
+    }
+ end:
+    if (buf != NULL) {
+        OPENSSL_cleanse(buf, BUFSIZE);
+        OPENSSL_free(buf);
+    }
+    if (in != NULL)
+        BIO_free(in);
+    if (passin)
+        OPENSSL_free(passin);
+    BIO_free_all(out);
+    EVP_PKEY_free(sigkey);
+    if (sigopts)
+        sk_OPENSSL_STRING_free(sigopts);
+    if (macopts)
+        sk_OPENSSL_STRING_free(macopts);
+    if (sigbuf)
+        OPENSSL_free(sigbuf);
+    if (bmd != NULL)
+        BIO_free(bmd);
+    release_engine(e);
+    apps_shutdown();
+    OPENSSL_EXIT(err);
+}
+
+int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
+          EVP_PKEY *key, unsigned char *sigin, int siglen,
+          const char *sig_name, const char *md_name,
+          const char *file, BIO *bmd)
+{
+    size_t len;
+    int i;
+
+    for (;;) {
+        i = BIO_read(bp, (char *)buf, BUFSIZE);
+        if (i < 0) {
+            BIO_printf(bio_err, "Read Error in %s\n", file);
+            ERR_print_errors(bio_err);
+            return 1;
+        }
+        if (i == 0)
+            break;
+    }
+    if (sigin) {
+        EVP_MD_CTX *ctx;
+        BIO_get_md_ctx(bp, &ctx);
+        i = EVP_DigestVerifyFinal(ctx, sigin, (unsigned int)siglen);
+        if (i > 0)
+            BIO_printf(out, "Verified OK\n");
+        else if (i == 0) {
+            BIO_printf(out, "Verification Failure\n");
+            return 1;
+        } else {
+            BIO_printf(bio_err, "Error Verifying Data\n");
+            ERR_print_errors(bio_err);
+            return 1;
+        }
+        return 0;
+    }
+    if (key) {
+        EVP_MD_CTX *ctx;
+        BIO_get_md_ctx(bp, &ctx);
+        len = BUFSIZE;
+        if (!EVP_DigestSignFinal(ctx, buf, &len)) {
+            BIO_printf(bio_err, "Error Signing Data\n");
+            ERR_print_errors(bio_err);
+            return 1;
+        }
+    } else {
+        len = BIO_gets(bp, (char *)buf, BUFSIZE);
+        if ((int)len < 0) {
+            ERR_print_errors(bio_err);
+            return 1;
+        }
+    }
+
+    if (binout)
+        BIO_write(out, buf, len);
+    else if (sep == 2) {
+        for (i = 0; i < (int)len; i++)
+            BIO_printf(out, "%02x", buf[i]);
+        BIO_printf(out, " *%s\n", file);
+    } else {
+        if (sig_name) {
+            BIO_puts(out, sig_name);
+            if (md_name)
+                BIO_printf(out, "-%s", md_name);
+            BIO_printf(out, "(%s)= ", file);
+        } else if (md_name)
+            BIO_printf(out, "%s(%s)= ", md_name, file);
+        else
+            BIO_printf(out, "(%s)= ", file);
+        for (i = 0; i < (int)len; i++) {
+            if (sep && (i != 0))
+                BIO_printf(out, ":");
+            BIO_printf(out, "%02x", buf[i]);
+        }
+        BIO_printf(out, "\n");
+    }
+    return 0;
+}
diff --git a/openssl/apps/dh.c b/openssl/apps/dh.c
new file mode 100644
index 0000000..bb13fef
--- /dev/null
+++ b/openssl/apps/dh.c
@@ -0,0 +1,331 @@
+/* apps/dh.c */
+/* obsoleted by dhparam.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/opensslconf.h> /* for OPENSSL_NO_DH */
+#ifndef OPENSSL_NO_DH
+# include <stdio.h>
+# include <stdlib.h>
+# include <time.h>
+# include <string.h>
+# include "apps.h"
+# include <openssl/bio.h>
+# include <openssl/err.h>
+# include <openssl/bn.h>
+# include <openssl/dh.h>
+# include <openssl/x509.h>
+# include <openssl/pem.h>
+
+# undef PROG
+# define PROG    dh_main
+
+/*-
+ * -inform arg  - input format - default PEM (DER or PEM)
+ * -outform arg - output format - default PEM
+ * -in arg      - input file - default stdin
+ * -out arg     - output file - default stdout
+ * -check       - check the parameters are ok
+ * -noout
+ * -text
+ * -C
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    DH *dh = NULL;
+    int i, badops = 0, text = 0;
+    BIO *in = NULL, *out = NULL;
+    int informat, outformat, check = 0, noout = 0, C = 0, ret = 1;
+    char *infile, *outfile, *prog;
+    char *engine;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    engine = NULL;
+    infile = NULL;
+    outfile = NULL;
+    informat = FORMAT_PEM;
+    outformat = FORMAT_PEM;
+
+    prog = argv[0];
+    argc--;
+    argv++;
+    while (argc >= 1) {
+        if (strcmp(*argv, "-inform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            informat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-outform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outformat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-in") == 0) {
+            if (--argc < 1)
+                goto bad;
+            infile = *(++argv);
+        } else if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outfile = *(++argv);
+        }
+# ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            engine = *(++argv);
+        }
+# endif
+        else if (strcmp(*argv, "-check") == 0)
+            check = 1;
+        else if (strcmp(*argv, "-text") == 0)
+            text = 1;
+        else if (strcmp(*argv, "-C") == 0)
+            C = 1;
+        else if (strcmp(*argv, "-noout") == 0)
+            noout = 1;
+        else {
+            BIO_printf(bio_err, "unknown option %s\n", *argv);
+            badops = 1;
+            break;
+        }
+        argc--;
+        argv++;
+    }
+
+    if (badops) {
+ bad:
+        BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err, " -inform arg   input format - one of DER PEM\n");
+        BIO_printf(bio_err,
+                   " -outform arg  output format - one of DER PEM\n");
+        BIO_printf(bio_err, " -in arg       input file\n");
+        BIO_printf(bio_err, " -out arg      output file\n");
+        BIO_printf(bio_err, " -check        check the DH parameters\n");
+        BIO_printf(bio_err,
+                   " -text         print a text form of the DH parameters\n");
+        BIO_printf(bio_err, " -C            Output C code\n");
+        BIO_printf(bio_err, " -noout        no output\n");
+# ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   " -engine e     use engine e, possibly a hardware device.\n");
+# endif
+        goto end;
+    }
+
+    ERR_load_crypto_strings();
+
+    setup_engine(bio_err, engine, 0);
+
+    in = BIO_new(BIO_s_file());
+    out = BIO_new(BIO_s_file());
+    if ((in == NULL) || (out == NULL)) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (infile == NULL)
+        BIO_set_fp(in, stdin, BIO_NOCLOSE);
+    else {
+        if (BIO_read_filename(in, infile) <= 0) {
+            perror(infile);
+            goto end;
+        }
+    }
+    if (outfile == NULL) {
+        BIO_set_fp(out, stdout, BIO_NOCLOSE);
+# ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+# endif
+    } else {
+        if (BIO_write_filename(out, outfile) <= 0) {
+            perror(outfile);
+            goto end;
+        }
+    }
+
+    if (informat == FORMAT_ASN1)
+        dh = d2i_DHparams_bio(in, NULL);
+    else if (informat == FORMAT_PEM)
+        dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
+    else {
+        BIO_printf(bio_err, "bad input format specified\n");
+        goto end;
+    }
+    if (dh == NULL) {
+        BIO_printf(bio_err, "unable to load DH parameters\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (text) {
+        DHparams_print(out, dh);
+# ifdef undef
+        printf("p=");
+        BN_print(stdout, dh->p);
+        printf("\ng=");
+        BN_print(stdout, dh->g);
+        printf("\n");
+        if (dh->length != 0)
+            printf("recommended private length=%ld\n", dh->length);
+# endif
+    }
+
+    if (check) {
+        if (!DH_check(dh, &i)) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        if (i & DH_CHECK_P_NOT_PRIME)
+            printf("p value is not prime\n");
+        if (i & DH_CHECK_P_NOT_SAFE_PRIME)
+            printf("p value is not a safe prime\n");
+        if (i & DH_UNABLE_TO_CHECK_GENERATOR)
+            printf("unable to check the generator value\n");
+        if (i & DH_NOT_SUITABLE_GENERATOR)
+            printf("the g value is not a generator\n");
+        if (i == 0)
+            printf("DH parameters appear to be ok.\n");
+    }
+    if (C) {
+        unsigned char *data;
+        int len, l, bits;
+
+        len = BN_num_bytes(dh->p);
+        bits = BN_num_bits(dh->p);
+        data = (unsigned char *)OPENSSL_malloc(len);
+        if (data == NULL) {
+            perror("OPENSSL_malloc");
+            goto end;
+        }
+        l = BN_bn2bin(dh->p, data);
+        printf("static unsigned char dh%d_p[]={", bits);
+        for (i = 0; i < l; i++) {
+            if ((i % 12) == 0)
+                printf("\n\t");
+            printf("0x%02X,", data[i]);
+        }
+        printf("\n\t};\n");
+
+        l = BN_bn2bin(dh->g, data);
+        printf("static unsigned char dh%d_g[]={", bits);
+        for (i = 0; i < l; i++) {
+            if ((i % 12) == 0)
+                printf("\n\t");
+            printf("0x%02X,", data[i]);
+        }
+        printf("\n\t};\n\n");
+
+        printf("DH *get_dh%d()\n\t{\n", bits);
+        printf("\tDH *dh;\n\n");
+        printf("\tif ((dh=DH_new()) == NULL) return(NULL);\n");
+        printf("\tdh->p=BN_bin2bn(dh%d_p,sizeof(dh%d_p),NULL);\n",
+               bits, bits);
+        printf("\tdh->g=BN_bin2bn(dh%d_g,sizeof(dh%d_g),NULL);\n",
+               bits, bits);
+        printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
+        printf("\t\treturn(NULL);\n");
+        printf("\treturn(dh);\n\t}\n");
+        OPENSSL_free(data);
+    }
+
+    if (!noout) {
+        if (outformat == FORMAT_ASN1)
+            i = i2d_DHparams_bio(out, dh);
+        else if (outformat == FORMAT_PEM)
+            i = PEM_write_bio_DHparams(out, dh);
+        else {
+            BIO_printf(bio_err, "bad output format specified for outfile\n");
+            goto end;
+        }
+        if (!i) {
+            BIO_printf(bio_err, "unable to write DH parameters\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+    ret = 0;
+ end:
+    if (in != NULL)
+        BIO_free(in);
+    if (out != NULL)
+        BIO_free_all(out);
+    if (dh != NULL)
+        DH_free(dh);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+#else                           /* !OPENSSL_NO_DH */
+
+# if PEDANTIC
+static void *dummy = &dummy;
+# endif
+
+#endif
diff --git a/openssl/apps/dh1024.pem b/openssl/apps/dh1024.pem
new file mode 100644
index 0000000..6eaeca9
--- /dev/null
+++ b/openssl/apps/dh1024.pem
@@ -0,0 +1,10 @@
+-----BEGIN DH PARAMETERS-----
+MIGHAoGBAPSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY
+jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6
+ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpL3jHAgEC
+-----END DH PARAMETERS-----
+
+These are the 1024 bit DH parameters from "Assigned Number for SKIP Protocols"
+(http://www.skip-vpn.org/spec/numbers.html).
+See there for how they were generated.
+Note that g is not a generator, but this is not a problem since p is a safe prime.
diff --git a/openssl/apps/dh2048.pem b/openssl/apps/dh2048.pem
new file mode 100644
index 0000000..dcd0b8d
--- /dev/null
+++ b/openssl/apps/dh2048.pem
@@ -0,0 +1,12 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA9kJXtwh/CBdyorrWqULzBej5UxE5T7bxbrlLOCDaAadWoxTpj0BV
+89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJPPT2N286Z4VeSWc39uK50
+T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrUGvC/RgBYK+X0iP1YTknb
+zSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVbGI2Ou1WMuF040zT9fBdX
+Q6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcpesqVDNmWn6vQClCbAkbT
+CD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwIBAg==
+-----END DH PARAMETERS-----
+
+These are the 2048 bit DH parameters from "Assigned Number for SKIP Protocols"
+(http://www.skip-vpn.org/spec/numbers.html).
+See there for how they were generated.
diff --git a/openssl/apps/dh4096.pem b/openssl/apps/dh4096.pem
new file mode 100644
index 0000000..1b35ad8
--- /dev/null
+++ b/openssl/apps/dh4096.pem
@@ -0,0 +1,18 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA+hRyUsFN4VpJ1O8JLcCo/VWr19k3BCgJ4uk+d+KhehjdRqNDNyOQ
+l/MOyQNQfWXPeGKmOmIig6Ev/nm6Nf9Z2B1h3R4hExf+zTiHnvVPeRBhjdQi81rt
+Xeoh6TNrSBIKIHfUJWBh3va0TxxjQIs6IZOLeVNRLMqzeylWqMf49HsIXqbcokUS
+Vt1BkvLdW48j8PPv5DsKRN3tloTxqDJGo9tKvj1Fuk74A+Xda1kNhB7KFlqMyN98
+VETEJ6c7KpfOo30mnK30wqw3S8OtaIR/maYX72tGOno2ehFDkq3pnPtEbD2CScxc
+alJC+EL7RPk5c/tgeTvCngvc1KZn92Y//EI7G9tPZtylj2b56sHtMftIoYJ9+ODM
+sccD5Piz/rejE3Ome8EOOceUSCYAhXn8b3qvxVI1ddd1pED6FHRhFvLrZxFvBEM9
+ERRMp5QqOaHJkM+Dxv8Cj6MqrCbfC4u+ZErxodzuusgDgvZiLF22uxMZbobFWyte
+OvOzKGtwcTqO/1wV5gKkzu1ZVswVUQd5Gg8lJicwqRWyyNRczDDoG9jVDxmogKTH
+AaqLulO7R8Ifa1SwF2DteSGVtgWEN8gDpN3RBmmPTDngyF2DHb5qmpnznwtFKdTL
+KWbuHn491xNO25CQWMtem80uKw+pTnisBRF/454n1Jnhub144YRBoN8CAQI=
+-----END DH PARAMETERS-----
+
+These are the 4096 bit DH parameters from "Assigned Number for SKIP Protocols"
+(http://www.skip-vpn.org/spec/numbers.html).
+See there for how they were generated.
+Note that g is not a generator, but this is not a problem since p is a safe prime.
diff --git a/openssl/apps/dh512.pem b/openssl/apps/dh512.pem
new file mode 100644
index 0000000..200d16c
--- /dev/null
+++ b/openssl/apps/dh512.pem
@@ -0,0 +1,9 @@
+-----BEGIN DH PARAMETERS-----
+MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak
+XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC
+-----END DH PARAMETERS-----
+
+These are the 512 bit DH parameters from "Assigned Number for SKIP Protocols"
+(http://www.skip-vpn.org/spec/numbers.html).
+See there for how they were generated.
+Note that g is not a generator, but this is not a problem since p is a safe prime.
diff --git a/openssl/apps/dhparam.c b/openssl/apps/dhparam.c
new file mode 100644
index 0000000..1210adb
--- /dev/null
+++ b/openssl/apps/dhparam.c
@@ -0,0 +1,544 @@
+/* apps/dhparam.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/opensslconf.h> /* for OPENSSL_NO_DH */
+#ifndef OPENSSL_NO_DH
+# include <stdio.h>
+# include <stdlib.h>
+# include <time.h>
+# include <string.h>
+# include "apps.h"
+# include <openssl/bio.h>
+# include <openssl/err.h>
+# include <openssl/bn.h>
+# include <openssl/dh.h>
+# include <openssl/x509.h>
+# include <openssl/pem.h>
+
+# ifndef OPENSSL_NO_DSA
+#  include <openssl/dsa.h>
+# endif
+
+# undef PROG
+# define PROG    dhparam_main
+
+# define DEFBITS 2048
+
+/*-
+ * -inform arg  - input format - default PEM (DER or PEM)
+ * -outform arg - output format - default PEM
+ * -in arg      - input file - default stdin
+ * -out arg     - output file - default stdout
+ * -dsaparam  - read or generate DSA parameters, convert to DH
+ * -check       - check the parameters are ok
+ * -noout
+ * -text
+ * -C
+ */
+
+static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb);
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    DH *dh = NULL;
+    int i, badops = 0, text = 0;
+# ifndef OPENSSL_NO_DSA
+    int dsaparam = 0;
+# endif
+    BIO *in = NULL, *out = NULL;
+    int informat, outformat, check = 0, noout = 0, C = 0, ret = 1;
+    char *infile, *outfile, *prog;
+    char *inrand = NULL;
+    char *engine = NULL;
+    ENGINE *e = NULL;
+    int num = 0, g = 0;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    infile = NULL;
+    outfile = NULL;
+    informat = FORMAT_PEM;
+    outformat = FORMAT_PEM;
+
+    prog = argv[0];
+    argc--;
+    argv++;
+    while (argc >= 1) {
+        if (strcmp(*argv, "-inform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            informat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-outform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outformat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-in") == 0) {
+            if (--argc < 1)
+                goto bad;
+            infile = *(++argv);
+        } else if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outfile = *(++argv);
+        }
+# ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            engine = *(++argv);
+        }
+# endif
+        else if (strcmp(*argv, "-check") == 0)
+            check = 1;
+        else if (strcmp(*argv, "-text") == 0)
+            text = 1;
+# ifndef OPENSSL_NO_DSA
+        else if (strcmp(*argv, "-dsaparam") == 0)
+            dsaparam = 1;
+# endif
+        else if (strcmp(*argv, "-C") == 0)
+            C = 1;
+        else if (strcmp(*argv, "-noout") == 0)
+            noout = 1;
+        else if (strcmp(*argv, "-2") == 0)
+            g = 2;
+        else if (strcmp(*argv, "-5") == 0)
+            g = 5;
+        else if (strcmp(*argv, "-rand") == 0) {
+            if (--argc < 1)
+                goto bad;
+            inrand = *(++argv);
+        } else if (((sscanf(*argv, "%d", &num) == 0) || (num <= 0)))
+            goto bad;
+        argv++;
+        argc--;
+    }
+
+    if (badops) {
+ bad:
+        BIO_printf(bio_err, "%s [options] [numbits]\n", prog);
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err, " -inform arg   input format - one of DER PEM\n");
+        BIO_printf(bio_err,
+                   " -outform arg  output format - one of DER PEM\n");
+        BIO_printf(bio_err, " -in arg       input file\n");
+        BIO_printf(bio_err, " -out arg      output file\n");
+# ifndef OPENSSL_NO_DSA
+        BIO_printf(bio_err,
+                   " -dsaparam     read or generate DSA parameters, convert to DH\n");
+# endif
+        BIO_printf(bio_err, " -check        check the DH parameters\n");
+        BIO_printf(bio_err,
+                   " -text         print a text form of the DH parameters\n");
+        BIO_printf(bio_err, " -C            Output C code\n");
+        BIO_printf(bio_err,
+                   " -2            generate parameters using  2 as the generator value\n");
+        BIO_printf(bio_err,
+                   " -5            generate parameters using  5 as the generator value\n");
+        BIO_printf(bio_err,
+                   " numbits       number of bits in to generate (default 2048)\n");
+# ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   " -engine e     use engine e, possibly a hardware device.\n");
+# endif
+        BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
+                   LIST_SEPARATOR_CHAR);
+        BIO_printf(bio_err,
+                   "               - load the file (or the files in the directory) into\n");
+        BIO_printf(bio_err, "               the random number generator\n");
+        BIO_printf(bio_err, " -noout        no output\n");
+        goto end;
+    }
+
+    ERR_load_crypto_strings();
+
+    e = setup_engine(bio_err, engine, 0);
+
+    if (g && !num)
+        num = DEFBITS;
+
+# ifndef OPENSSL_NO_DSA
+    if (dsaparam) {
+        if (g) {
+            BIO_printf(bio_err,
+                       "generator may not be chosen for DSA parameters\n");
+            goto end;
+        }
+    } else
+# endif
+    {
+        /* DH parameters */
+        if (num && !g)
+            g = 2;
+    }
+
+    if (num) {
+
+        BN_GENCB cb;
+        BN_GENCB_set(&cb, dh_cb, bio_err);
+        if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL) {
+            BIO_printf(bio_err,
+                       "warning, not much extra random data, consider using the -rand option\n");
+        }
+        if (inrand != NULL)
+            BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
+                       app_RAND_load_files(inrand));
+
+# ifndef OPENSSL_NO_DSA
+        if (dsaparam) {
+            DSA *dsa = DSA_new();
+
+            BIO_printf(bio_err,
+                       "Generating DSA parameters, %d bit long prime\n", num);
+            if (!dsa
+                || !DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL,
+                                               &cb)) {
+                if (dsa)
+                    DSA_free(dsa);
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+
+            dh = DSA_dup_DH(dsa);
+            DSA_free(dsa);
+            if (dh == NULL) {
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+        } else
+# endif
+        {
+            dh = DH_new();
+            BIO_printf(bio_err,
+                       "Generating DH parameters, %d bit long safe prime, generator %d\n",
+                       num, g);
+            BIO_printf(bio_err, "This is going to take a long time\n");
+            if (!dh || !DH_generate_parameters_ex(dh, num, g, &cb)) {
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+        }
+
+        app_RAND_write_file(NULL, bio_err);
+    } else {
+
+        in = BIO_new(BIO_s_file());
+        if (in == NULL) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        if (infile == NULL)
+            BIO_set_fp(in, stdin, BIO_NOCLOSE);
+        else {
+            if (BIO_read_filename(in, infile) <= 0) {
+                perror(infile);
+                goto end;
+            }
+        }
+
+        if (informat != FORMAT_ASN1 && informat != FORMAT_PEM) {
+            BIO_printf(bio_err, "bad input format specified\n");
+            goto end;
+        }
+# ifndef OPENSSL_NO_DSA
+        if (dsaparam) {
+            DSA *dsa;
+
+            if (informat == FORMAT_ASN1)
+                dsa = d2i_DSAparams_bio(in, NULL);
+            else                /* informat == FORMAT_PEM */
+                dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL);
+
+            if (dsa == NULL) {
+                BIO_printf(bio_err, "unable to load DSA parameters\n");
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+
+            dh = DSA_dup_DH(dsa);
+            DSA_free(dsa);
+            if (dh == NULL) {
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+        } else
+# endif
+        {
+            if (informat == FORMAT_ASN1)
+                dh = d2i_DHparams_bio(in, NULL);
+            else                /* informat == FORMAT_PEM */
+                dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
+
+            if (dh == NULL) {
+                BIO_printf(bio_err, "unable to load DH parameters\n");
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+        }
+
+        /* dh != NULL */
+    }
+
+    out = BIO_new(BIO_s_file());
+    if (out == NULL) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+    if (outfile == NULL) {
+        BIO_set_fp(out, stdout, BIO_NOCLOSE);
+# ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+# endif
+    } else {
+        if (BIO_write_filename(out, outfile) <= 0) {
+            perror(outfile);
+            goto end;
+        }
+    }
+
+    if (text) {
+        DHparams_print(out, dh);
+    }
+
+    if (check) {
+        if (!DH_check(dh, &i)) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        if (i & DH_CHECK_P_NOT_PRIME)
+            printf("p value is not prime\n");
+        if (i & DH_CHECK_P_NOT_SAFE_PRIME)
+            printf("p value is not a safe prime\n");
+        if (i & DH_UNABLE_TO_CHECK_GENERATOR)
+            printf("unable to check the generator value\n");
+        if (i & DH_NOT_SUITABLE_GENERATOR)
+            printf("the g value is not a generator\n");
+        if (i == 0)
+            printf("DH parameters appear to be ok.\n");
+    }
+    if (C) {
+        unsigned char *data;
+        int len, l, bits;
+
+        len = BN_num_bytes(dh->p);
+        bits = BN_num_bits(dh->p);
+        data = (unsigned char *)OPENSSL_malloc(len);
+        if (data == NULL) {
+            perror("OPENSSL_malloc");
+            goto end;
+        }
+        printf("#ifndef HEADER_DH_H\n"
+               "#include <openssl/dh.h>\n" "#endif\n");
+        printf("DH *get_dh%d()\n\t{\n", bits);
+
+        l = BN_bn2bin(dh->p, data);
+        printf("\tstatic unsigned char dh%d_p[]={", bits);
+        for (i = 0; i < l; i++) {
+            if ((i % 12) == 0)
+                printf("\n\t\t");
+            printf("0x%02X,", data[i]);
+        }
+        printf("\n\t\t};\n");
+
+        l = BN_bn2bin(dh->g, data);
+        printf("\tstatic unsigned char dh%d_g[]={", bits);
+        for (i = 0; i < l; i++) {
+            if ((i % 12) == 0)
+                printf("\n\t\t");
+            printf("0x%02X,", data[i]);
+        }
+        printf("\n\t\t};\n");
+
+        printf("\tDH *dh;\n\n");
+        printf("\tif ((dh=DH_new()) == NULL) return(NULL);\n");
+        printf("\tdh->p=BN_bin2bn(dh%d_p,sizeof(dh%d_p),NULL);\n",
+               bits, bits);
+        printf("\tdh->g=BN_bin2bn(dh%d_g,sizeof(dh%d_g),NULL);\n",
+               bits, bits);
+        printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
+        printf("\t\t{ DH_free(dh); return(NULL); }\n");
+        if (dh->length)
+            printf("\tdh->length = %ld;\n", dh->length);
+        printf("\treturn(dh);\n\t}\n");
+        OPENSSL_free(data);
+    }
+
+    if (!noout) {
+        if (outformat == FORMAT_ASN1)
+            i = i2d_DHparams_bio(out, dh);
+        else if (outformat == FORMAT_PEM) {
+            if (dh->q)
+                i = PEM_write_bio_DHxparams(out, dh);
+            else
+                i = PEM_write_bio_DHparams(out, dh);
+        } else {
+            BIO_printf(bio_err, "bad output format specified for outfile\n");
+            goto end;
+        }
+        if (!i) {
+            BIO_printf(bio_err, "unable to write DH parameters\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+    ret = 0;
+ end:
+    if (in != NULL)
+        BIO_free(in);
+    if (out != NULL)
+        BIO_free_all(out);
+    if (dh != NULL)
+        DH_free(dh);
+    release_engine(e);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+
+/* dh_cb is identical to dsa_cb in apps/dsaparam.c */
+static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb)
+{
+    char c = '*';
+
+    if (p == 0)
+        c = '.';
+    if (p == 1)
+        c = '+';
+    if (p == 2)
+        c = '*';
+    if (p == 3)
+        c = '\n';
+    BIO_write(cb->arg, &c, 1);
+    (void)BIO_flush(cb->arg);
+# ifdef LINT
+    p = n;
+# endif
+    return 1;
+}
+
+#else                           /* !OPENSSL_NO_DH */
+
+# if PEDANTIC
+static void *dummy = &dummy;
+# endif
+
+#endif
diff --git a/openssl/apps/dsa-ca.pem b/openssl/apps/dsa-ca.pem
new file mode 100644
index 0000000..cccc142
--- /dev/null
+++ b/openssl/apps/dsa-ca.pem
@@ -0,0 +1,40 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIIBugIBAAKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2GlrMV4FMuj+BZgnOQ
+PnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7OZq5riDb77Cjcwtel
+u+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR5HCVW1DNSQIVAPcH
+Me36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnlaG8w42nh5bNdmLso
+hkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6kQmdtvFNnFQPWAbu
+SXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15AlsQReVkusBtXOlan7Y
+Mu0OArgCgYAapll6iqz9XrZFlk2GCVcB+KihxWnH7IuHvSLw9YUrJahcBHmbpvt4
+94lF4gC5w3WPM+vXJofbusk4GoQEEsQNMDaah4m49uUqAylOVFJJJXuirVJ+o+0T
+tOFDITEAl+YZZariXOD7tdOSOl9RLMPC6+daHKS9e68u3enxhqnDGQIUB78dhW77
+J6zsFbSEHaQGUmfSeoM=
+-----END DSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE REQUEST-----
+MIICUjCCAhECAQAwUjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
+ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAxMCQ0Ew
+ggG0MIIBKQYFKw4DAgwwggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaW
+sxXgUy6P4FmCc5A+dTGZR3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5m
+rmuINvvsKNzC16W75Sw5JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHk
+cJVbUM1JAhUA9wcx7fpsBgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVo
+bzDjaeHls12YuyiGSPzemQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqR
+CZ228U2cVA9YBu5JdAfOVX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxB
+F5WS6wG1c6Vqftgy7Q4CuAOBhAACgYAapll6iqz9XrZFlk2GCVcB+KihxWnH7IuH
+vSLw9YUrJahcBHmbpvt494lF4gC5w3WPM+vXJofbusk4GoQEEsQNMDaah4m49uUq
+AylOVFJJJXuirVJ+o+0TtOFDITEAl+YZZariXOD7tdOSOl9RLMPC6+daHKS9e68u
+3enxhqnDGaAAMAkGBSsOAwIbBQADMAAwLQIVAJGVuFsG/0DBuSZ0jF7ypdU0/G0v
+AhQfeF5BoMMDbX/kidUVpQ6gadPlZA==
+-----END CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE-----
+MIIBrjCCAWwCAQswCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
+U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
+CgYDVQQDEwNQQ0EwHhcNOTcwNjE1MDIxNDI5WhcNOTcwNzE1MDIxNDI5WjBSMQsw
+CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
+ZXQgV2lkZ2l0cyBQdHkgTHRkMQswCQYDVQQDEwJDQTCBkjAJBgUrDgMCDAUAA4GE
+AAKBgBqmWXqKrP1etkWWTYYJVwH4qKHFacfsi4e9IvD1hSslqFwEeZum+3j3iUXi
+ALnDdY8z69cmh9u6yTgahAQSxA0wNpqHibj25SoDKU5UUkkle6KtUn6j7RO04UMh
+MQCX5hllquJc4Pu105I6X1Esw8Lr51ocpL17ry7d6fGGqcMZMAkGBSsOAwIbBQAD
+MQAwLgIVAJ4wtQsANPxHo7Q4IQZYsL12SKdbAhUAjJ9n38zxT+iai2164xS+LIfa
+C1Q=
+-----END CERTIFICATE-----
+
diff --git a/openssl/apps/dsa-pca.pem b/openssl/apps/dsa-pca.pem
new file mode 100644
index 0000000..d23774e
--- /dev/null
+++ b/openssl/apps/dsa-pca.pem
@@ -0,0 +1,46 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIIBvAIBAAKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2GlrMV4FMuj+BZgnOQ
+PnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7OZq5riDb77Cjcwtel
+u+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR5HCVW1DNSQIVAPcH
+Me36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnlaG8w42nh5bNdmLso
+hkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6kQmdtvFNnFQPWAbu
+SXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15AlsQReVkusBtXOlan7Y
+Mu0OArgCgYEApu25HkB1b4gKMIV7aLGNSIknMzYgrB7o1kQxeDf34dDVRM9OZ8tk
+umz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQlNnKvbtlmMDULpqkZJD0bO7A
+29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgTmvTPT2j9TPjq7RUCFQDNvrBz
+6TicfImU7UFRn9h00j0lJQ==
+-----END DSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE REQUEST-----
+MIICVTCCAhMCAQAwUzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
+ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UEAxMDUENB
+MIIBtTCCASkGBSsOAwIMMIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2G
+lrMV4FMuj+BZgnOQPnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7O
+Zq5riDb77Cjcwtelu+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR
+5HCVW1DNSQIVAPcHMe36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnl
+aG8w42nh5bNdmLsohkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6
+kQmdtvFNnFQPWAbuSXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15Als
+QReVkusBtXOlan7YMu0OArgDgYUAAoGBAKbtuR5AdW+ICjCFe2ixjUiJJzM2IKwe
+6NZEMXg39+HQ1UTPTmfLZLps+rZfolHDXuRKMXbGFdSF0nXYzotPCzi7GauwEJTZ
+yr27ZZjA1C6apGSQ9GzuwNvZ4rCXystVEagAS8OQ4H3D4dWS17Zg31ICb5o4E5r0
+z09o/Uz46u0VoAAwCQYFKw4DAhsFAAMxADAuAhUArRubTxsbIXy3AhtjQ943AbNB
+nSICFQCu+g1iW3jwF+gOcbroD4S/ZcvB3w==
+-----END CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE-----
+MIIC0zCCApECAQAwCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
+U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
+CgYDVQQDEwNQQ0EwHhcNOTcwNjE0MjI1NDQ1WhcNOTcwNzE0MjI1NDQ1WjBTMQsw
+CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
+ZXQgV2lkZ2l0cyBQdHkgTHRkMQwwCgYDVQQDEwNQQ0EwggG1MIIBKQYFKw4DAgww
+ggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaWsxXgUy6P4FmCc5A+dTGZ
+R3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5mrmuINvvsKNzC16W75Sw5
+JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHkcJVbUM1JAhUA9wcx7fps
+BgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVobzDjaeHls12YuyiGSPze
+mQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqRCZ228U2cVA9YBu5JdAfO
+VX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxBF5WS6wG1c6Vqftgy7Q4C
+uAOBhQACgYEApu25HkB1b4gKMIV7aLGNSIknMzYgrB7o1kQxeDf34dDVRM9OZ8tk
+umz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQlNnKvbtlmMDULpqkZJD0bO7A
+29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgTmvTPT2j9TPjq7RUwCQYFKw4D
+AhsFAAMxADAuAhUAvtv6AkMolix1Jvy3UnVEIUqdCUICFQC+jq8P49mwrY9oJ24n
+5rKUjNBhSg==
+-----END CERTIFICATE-----
+
diff --git a/openssl/apps/dsa.c b/openssl/apps/dsa.c
new file mode 100644
index 0000000..4ed21d8
--- /dev/null
+++ b/openssl/apps/dsa.c
@@ -0,0 +1,369 @@
+/* apps/dsa.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
+#ifndef OPENSSL_NO_DSA
+# include <stdio.h>
+# include <stdlib.h>
+# include <string.h>
+# include <time.h>
+# include "apps.h"
+# include <openssl/bio.h>
+# include <openssl/err.h>
+# include <openssl/dsa.h>
+# include <openssl/evp.h>
+# include <openssl/x509.h>
+# include <openssl/pem.h>
+# include <openssl/bn.h>
+
+# undef PROG
+# define PROG    dsa_main
+
+/*-
+ * -inform arg  - input format - default PEM (one of DER, NET or PEM)
+ * -outform arg - output format - default PEM
+ * -in arg      - input file - default stdin
+ * -out arg     - output file - default stdout
+ * -des         - encrypt output if PEM format with DES in cbc mode
+ * -des3        - encrypt output if PEM format
+ * -idea        - encrypt output if PEM format
+ * -aes128      - encrypt output if PEM format
+ * -aes192      - encrypt output if PEM format
+ * -aes256      - encrypt output if PEM format
+ * -camellia128 - encrypt output if PEM format
+ * -camellia192 - encrypt output if PEM format
+ * -camellia256 - encrypt output if PEM format
+ * -seed        - encrypt output if PEM format
+ * -text        - print a text version
+ * -modulus     - print the DSA public key
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    ENGINE *e = NULL;
+    int ret = 1;
+    DSA *dsa = NULL;
+    int i, badops = 0;
+    const EVP_CIPHER *enc = NULL;
+    BIO *in = NULL, *out = NULL;
+    int informat, outformat, text = 0, noout = 0;
+    int pubin = 0, pubout = 0;
+    char *infile, *outfile, *prog;
+    char *engine;
+    char *passargin = NULL, *passargout = NULL;
+    char *passin = NULL, *passout = NULL;
+    int modulus = 0;
+
+    int pvk_encr = 2;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    engine = NULL;
+    infile = NULL;
+    outfile = NULL;
+    informat = FORMAT_PEM;
+    outformat = FORMAT_PEM;
+
+    prog = argv[0];
+    argc--;
+    argv++;
+    while (argc >= 1) {
+        if (strcmp(*argv, "-inform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            informat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-outform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outformat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-in") == 0) {
+            if (--argc < 1)
+                goto bad;
+            infile = *(++argv);
+        } else if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outfile = *(++argv);
+        } else if (strcmp(*argv, "-passin") == 0) {
+            if (--argc < 1)
+                goto bad;
+            passargin = *(++argv);
+        } else if (strcmp(*argv, "-passout") == 0) {
+            if (--argc < 1)
+                goto bad;
+            passargout = *(++argv);
+        }
+# ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            engine = *(++argv);
+        }
+# endif
+        else if (strcmp(*argv, "-pvk-strong") == 0)
+            pvk_encr = 2;
+        else if (strcmp(*argv, "-pvk-weak") == 0)
+            pvk_encr = 1;
+        else if (strcmp(*argv, "-pvk-none") == 0)
+            pvk_encr = 0;
+        else if (strcmp(*argv, "-noout") == 0)
+            noout = 1;
+        else if (strcmp(*argv, "-text") == 0)
+            text = 1;
+        else if (strcmp(*argv, "-modulus") == 0)
+            modulus = 1;
+        else if (strcmp(*argv, "-pubin") == 0)
+            pubin = 1;
+        else if (strcmp(*argv, "-pubout") == 0)
+            pubout = 1;
+        else if ((enc = EVP_get_cipherbyname(&(argv[0][1]))) == NULL) {
+            BIO_printf(bio_err, "unknown option %s\n", *argv);
+            badops = 1;
+            break;
+        }
+        argc--;
+        argv++;
+    }
+
+    if (badops) {
+ bad:
+        BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err, " -inform arg     input format - DER or PEM\n");
+        BIO_printf(bio_err, " -outform arg    output format - DER or PEM\n");
+        BIO_printf(bio_err, " -in arg         input file\n");
+        BIO_printf(bio_err,
+                   " -passin arg     input file pass phrase source\n");
+        BIO_printf(bio_err, " -out arg        output file\n");
+        BIO_printf(bio_err,
+                   " -passout arg    output file pass phrase source\n");
+# ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   " -engine e       use engine e, possibly a hardware device.\n");
+# endif
+        BIO_printf(bio_err,
+                   " -des            encrypt PEM output with cbc des\n");
+        BIO_printf(bio_err,
+                   " -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
+# ifndef OPENSSL_NO_IDEA
+        BIO_printf(bio_err,
+                   " -idea           encrypt PEM output with cbc idea\n");
+# endif
+# ifndef OPENSSL_NO_AES
+        BIO_printf(bio_err, " -aes128, -aes192, -aes256\n");
+        BIO_printf(bio_err,
+                   "                 encrypt PEM output with cbc aes\n");
+# endif
+# ifndef OPENSSL_NO_CAMELLIA
+        BIO_printf(bio_err, " -camellia128, -camellia192, -camellia256\n");
+        BIO_printf(bio_err,
+                   "                 encrypt PEM output with cbc camellia\n");
+# endif
+# ifndef OPENSSL_NO_SEED
+        BIO_printf(bio_err,
+                   " -seed           encrypt PEM output with cbc seed\n");
+# endif
+        BIO_printf(bio_err, " -text           print the key in text\n");
+        BIO_printf(bio_err, " -noout          don't print key out\n");
+        BIO_printf(bio_err, " -modulus        print the DSA public value\n");
+        goto end;
+    }
+
+    ERR_load_crypto_strings();
+
+    e = setup_engine(bio_err, engine, 0);
+
+    if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+        BIO_printf(bio_err, "Error getting passwords\n");
+        goto end;
+    }
+
+    in = BIO_new(BIO_s_file());
+    out = BIO_new(BIO_s_file());
+    if ((in == NULL) || (out == NULL)) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (infile == NULL)
+        BIO_set_fp(in, stdin, BIO_NOCLOSE);
+    else {
+        if (BIO_read_filename(in, infile) <= 0) {
+            perror(infile);
+            goto end;
+        }
+    }
+
+    BIO_printf(bio_err, "read DSA key\n");
+
+    {
+        EVP_PKEY *pkey;
+
+        if (pubin)
+            pkey = load_pubkey(bio_err, infile, informat, 1,
+                               passin, e, "Public Key");
+        else
+            pkey = load_key(bio_err, infile, informat, 1,
+                            passin, e, "Private Key");
+
+        if (pkey) {
+            dsa = EVP_PKEY_get1_DSA(pkey);
+            EVP_PKEY_free(pkey);
+        }
+    }
+    if (dsa == NULL) {
+        BIO_printf(bio_err, "unable to load Key\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (outfile == NULL) {
+        BIO_set_fp(out, stdout, BIO_NOCLOSE);
+# ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+# endif
+    } else {
+        if (BIO_write_filename(out, outfile) <= 0) {
+            perror(outfile);
+            goto end;
+        }
+    }
+
+    if (text)
+        if (!DSA_print(out, dsa, 0)) {
+            perror(outfile);
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+
+    if (modulus) {
+        fprintf(stdout, "Public Key=");
+        BN_print(out, dsa->pub_key);
+        fprintf(stdout, "\n");
+    }
+
+    if (noout)
+        goto end;
+    BIO_printf(bio_err, "writing DSA key\n");
+    if (outformat == FORMAT_ASN1) {
+        if (pubin || pubout)
+            i = i2d_DSA_PUBKEY_bio(out, dsa);
+        else
+            i = i2d_DSAPrivateKey_bio(out, dsa);
+    } else if (outformat == FORMAT_PEM) {
+        if (pubin || pubout)
+            i = PEM_write_bio_DSA_PUBKEY(out, dsa);
+        else
+            i = PEM_write_bio_DSAPrivateKey(out, dsa, enc,
+                                            NULL, 0, NULL, passout);
+# if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_RC4)
+    } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
+        EVP_PKEY *pk;
+        pk = EVP_PKEY_new();
+        EVP_PKEY_set1_DSA(pk, dsa);
+        if (outformat == FORMAT_PVK)
+            i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
+        else if (pubin || pubout)
+            i = i2b_PublicKey_bio(out, pk);
+        else
+            i = i2b_PrivateKey_bio(out, pk);
+        EVP_PKEY_free(pk);
+# endif
+    } else {
+        BIO_printf(bio_err, "bad output format specified for outfile\n");
+        goto end;
+    }
+    if (i <= 0) {
+        BIO_printf(bio_err, "unable to write private key\n");
+        ERR_print_errors(bio_err);
+    } else
+        ret = 0;
+ end:
+    if (in != NULL)
+        BIO_free(in);
+    if (out != NULL)
+        BIO_free_all(out);
+    if (dsa != NULL)
+        DSA_free(dsa);
+    release_engine(e);
+    if (passin)
+        OPENSSL_free(passin);
+    if (passout)
+        OPENSSL_free(passout);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+#else                           /* !OPENSSL_NO_DSA */
+
+# if PEDANTIC
+static void *dummy = &dummy;
+# endif
+
+#endif
diff --git a/openssl/apps/dsa1024.pem b/openssl/apps/dsa1024.pem
new file mode 100644
index 0000000..082dec3
--- /dev/null
+++ b/openssl/apps/dsa1024.pem
@@ -0,0 +1,9 @@
+-----BEGIN DSA PARAMETERS-----
+MIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2GlrMV4FMuj+BZgnOQPnUx
+mUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7OZq5riDb77Cjcwtelu+Us
+OSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR5HCVW1DNSQIVAPcHMe36
+bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnlaG8w42nh5bNdmLsohkj8
+3pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6kQmdtvFNnFQPWAbuSXQH
+zlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15AlsQReVkusBtXOlan7YMu0O
+Arg=
+-----END DSA PARAMETERS-----
diff --git a/openssl/apps/dsa512.pem b/openssl/apps/dsa512.pem
new file mode 100644
index 0000000..5f86d1a
--- /dev/null
+++ b/openssl/apps/dsa512.pem
@@ -0,0 +1,6 @@
+-----BEGIN DSA PARAMETERS-----
+MIGdAkEAnRtpjibb8isRcBmG9hnI+BnyGFOURgbQYlAzSwI8UjADizv5X9EkBk97
+TLqqQJv9luQ3M7stWtdaEUBmonZ9MQIVAPtT71C0QJIxVoZTeuiLIppJ+3GPAkEA
+gz6I5cWJc847bAFJv7PHnwrqRJHlMKrZvltftxDXibeOdPvPKR7rqCxUUbgQ3qDO
+L8wka5B33qJoplISogOdIA==
+-----END DSA PARAMETERS-----
diff --git a/openssl/apps/dsap.pem b/openssl/apps/dsap.pem
new file mode 100644
index 0000000..d4dfdb3
--- /dev/null
+++ b/openssl/apps/dsap.pem
@@ -0,0 +1,6 @@
+-----BEGIN DSA PARAMETERS-----
+MIGcAkEA+ZiKEvZmc9MtnaFZh4NiZ3oZS4J1PHvPrm9MXj5ntVheDPkdmBDTncya
+GAJcMjwsyB/GvLDGd6yGCw/8eF+09wIVAK3VagOxGd/Q4Af5NbxR5FB7CXEjAkA2
+t/q7HgVLi0KeKvcDG8BRl3wuy7bCvpjgtWiJc/tpvcuzeuAayH89UofjAGueKjXD
+ADiRffvSdhrNw5dkqdql
+-----END DSA PARAMETERS-----
diff --git a/openssl/apps/dsaparam.c b/openssl/apps/dsaparam.c
new file mode 100644
index 0000000..f2cf553
--- /dev/null
+++ b/openssl/apps/dsaparam.c
@@ -0,0 +1,467 @@
+/* apps/dsaparam.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
+/*
+ * Until the key-gen callbacks are modified to use newer prototypes, we allow
+ * deprecated functions for openssl-internal code
+ */
+#ifdef OPENSSL_NO_DEPRECATED
+# undef OPENSSL_NO_DEPRECATED
+#endif
+
+#ifndef OPENSSL_NO_DSA
+# include <assert.h>
+# include <stdio.h>
+# include <stdlib.h>
+# include <time.h>
+# include <string.h>
+# include "apps.h"
+# include <openssl/bio.h>
+# include <openssl/err.h>
+# include <openssl/bn.h>
+# include <openssl/dsa.h>
+# include <openssl/x509.h>
+# include <openssl/pem.h>
+
+# undef PROG
+# define PROG    dsaparam_main
+
+/*-
+ * -inform arg  - input format - default PEM (DER or PEM)
+ * -outform arg - output format - default PEM
+ * -in arg      - input file - default stdin
+ * -out arg     - output file - default stdout
+ * -noout
+ * -text
+ * -C
+ * -noout
+ * -genkey
+ *  #ifdef GENCB_TEST
+ * -timebomb n  - interrupt keygen after <n> seconds
+ *  #endif
+ */
+
+# ifdef GENCB_TEST
+
+static int stop_keygen_flag = 0;
+
+static void timebomb_sigalarm(int foo)
+{
+    stop_keygen_flag = 1;
+}
+
+# endif
+
+static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *cb);
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    DSA *dsa = NULL;
+    int i, badops = 0, text = 0;
+    BIO *in = NULL, *out = NULL;
+    int informat, outformat, noout = 0, C = 0, ret = 1;
+    char *infile, *outfile, *prog, *inrand = NULL;
+    int numbits = -1, num, genkey = 0;
+    int need_rand = 0;
+    char *engine = NULL;
+    ENGINE *e = NULL;
+# ifdef GENCB_TEST
+    int timebomb = 0;
+# endif
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    infile = NULL;
+    outfile = NULL;
+    informat = FORMAT_PEM;
+    outformat = FORMAT_PEM;
+
+    prog = argv[0];
+    argc--;
+    argv++;
+    while (argc >= 1) {
+        if (strcmp(*argv, "-inform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            informat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-outform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outformat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-in") == 0) {
+            if (--argc < 1)
+                goto bad;
+            infile = *(++argv);
+        } else if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outfile = *(++argv);
+        }
+# ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            engine = *(++argv);
+        }
+# endif
+# ifdef GENCB_TEST
+        else if (strcmp(*argv, "-timebomb") == 0) {
+            if (--argc < 1)
+                goto bad;
+            timebomb = atoi(*(++argv));
+        }
+# endif
+        else if (strcmp(*argv, "-text") == 0)
+            text = 1;
+        else if (strcmp(*argv, "-C") == 0)
+            C = 1;
+        else if (strcmp(*argv, "-genkey") == 0) {
+            genkey = 1;
+            need_rand = 1;
+        } else if (strcmp(*argv, "-rand") == 0) {
+            if (--argc < 1)
+                goto bad;
+            inrand = *(++argv);
+            need_rand = 1;
+        } else if (strcmp(*argv, "-noout") == 0)
+            noout = 1;
+        else if (sscanf(*argv, "%d", &num) == 1) {
+            /* generate a key */
+            numbits = num;
+            need_rand = 1;
+        } else {
+            BIO_printf(bio_err, "unknown option %s\n", *argv);
+            badops = 1;
+            break;
+        }
+        argc--;
+        argv++;
+    }
+
+    if (badops) {
+ bad:
+        BIO_printf(bio_err, "%s [options] [bits] <infile >outfile\n", prog);
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err, " -inform arg   input format - DER or PEM\n");
+        BIO_printf(bio_err, " -outform arg  output format - DER or PEM\n");
+        BIO_printf(bio_err, " -in arg       input file\n");
+        BIO_printf(bio_err, " -out arg      output file\n");
+        BIO_printf(bio_err, " -text         print as text\n");
+        BIO_printf(bio_err, " -C            Output C code\n");
+        BIO_printf(bio_err, " -noout        no output\n");
+        BIO_printf(bio_err, " -genkey       generate a DSA key\n");
+        BIO_printf(bio_err,
+                   " -rand         files to use for random number input\n");
+# ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   " -engine e     use engine e, possibly a hardware device.\n");
+# endif
+# ifdef GENCB_TEST
+        BIO_printf(bio_err,
+                   " -timebomb n   interrupt keygen after <n> seconds\n");
+# endif
+        BIO_printf(bio_err,
+                   " number        number of bits to use for generating private key\n");
+        goto end;
+    }
+
+    ERR_load_crypto_strings();
+
+    in = BIO_new(BIO_s_file());
+    out = BIO_new(BIO_s_file());
+    if ((in == NULL) || (out == NULL)) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (infile == NULL)
+        BIO_set_fp(in, stdin, BIO_NOCLOSE);
+    else {
+        if (BIO_read_filename(in, infile) <= 0) {
+            perror(infile);
+            goto end;
+        }
+    }
+    if (outfile == NULL) {
+        BIO_set_fp(out, stdout, BIO_NOCLOSE);
+# ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+# endif
+    } else {
+        if (BIO_write_filename(out, outfile) <= 0) {
+            perror(outfile);
+            goto end;
+        }
+    }
+
+    e = setup_engine(bio_err, engine, 0);
+
+    if (need_rand) {
+        app_RAND_load_file(NULL, bio_err, (inrand != NULL));
+        if (inrand != NULL)
+            BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
+                       app_RAND_load_files(inrand));
+    }
+
+    if (numbits > 0) {
+        BN_GENCB cb;
+        BN_GENCB_set(&cb, dsa_cb, bio_err);
+        assert(need_rand);
+        dsa = DSA_new();
+        if (!dsa) {
+            BIO_printf(bio_err, "Error allocating DSA object\n");
+            goto end;
+        }
+        BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n",
+                   num);
+        BIO_printf(bio_err, "This could take some time\n");
+# ifdef GENCB_TEST
+        if (timebomb > 0) {
+            struct sigaction act;
+            act.sa_handler = timebomb_sigalarm;
+            act.sa_flags = 0;
+            BIO_printf(bio_err,
+                       "(though I'll stop it if not done within %d secs)\n",
+                       timebomb);
+            if (sigaction(SIGALRM, &act, NULL) != 0) {
+                BIO_printf(bio_err, "Error, couldn't set SIGALRM handler\n");
+                goto end;
+            }
+            alarm(timebomb);
+        }
+# endif
+        if (!DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL, &cb)) {
+# ifdef GENCB_TEST
+            if (stop_keygen_flag) {
+                BIO_printf(bio_err, "DSA key generation time-stopped\n");
+                /* This is an asked-for behaviour! */
+                ret = 0;
+                goto end;
+            }
+# endif
+            ERR_print_errors(bio_err);
+            BIO_printf(bio_err, "Error, DSA key generation failed\n");
+            goto end;
+        }
+    } else if (informat == FORMAT_ASN1)
+        dsa = d2i_DSAparams_bio(in, NULL);
+    else if (informat == FORMAT_PEM)
+        dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL);
+    else {
+        BIO_printf(bio_err, "bad input format specified\n");
+        goto end;
+    }
+    if (dsa == NULL) {
+        BIO_printf(bio_err, "unable to load DSA parameters\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (text) {
+        DSAparams_print(out, dsa);
+    }
+
+    if (C) {
+        unsigned char *data;
+        int l, len, bits_p;
+
+        len = BN_num_bytes(dsa->p);
+        bits_p = BN_num_bits(dsa->p);
+        data = (unsigned char *)OPENSSL_malloc(len + 20);
+        if (data == NULL) {
+            perror("OPENSSL_malloc");
+            goto end;
+        }
+        l = BN_bn2bin(dsa->p, data);
+        printf("static unsigned char dsa%d_p[]={", bits_p);
+        for (i = 0; i < l; i++) {
+            if ((i % 12) == 0)
+                printf("\n\t");
+            printf("0x%02X,", data[i]);
+        }
+        printf("\n\t};\n");
+
+        l = BN_bn2bin(dsa->q, data);
+        printf("static unsigned char dsa%d_q[]={", bits_p);
+        for (i = 0; i < l; i++) {
+            if ((i % 12) == 0)
+                printf("\n\t");
+            printf("0x%02X,", data[i]);
+        }
+        printf("\n\t};\n");
+
+        l = BN_bn2bin(dsa->g, data);
+        printf("static unsigned char dsa%d_g[]={", bits_p);
+        for (i = 0; i < l; i++) {
+            if ((i % 12) == 0)
+                printf("\n\t");
+            printf("0x%02X,", data[i]);
+        }
+        printf("\n\t};\n\n");
+
+        printf("DSA *get_dsa%d()\n\t{\n", bits_p);
+        printf("\tDSA *dsa;\n\n");
+        printf("\tif ((dsa=DSA_new()) == NULL) return(NULL);\n");
+        printf("\tdsa->p=BN_bin2bn(dsa%d_p,sizeof(dsa%d_p),NULL);\n",
+               bits_p, bits_p);
+        printf("\tdsa->q=BN_bin2bn(dsa%d_q,sizeof(dsa%d_q),NULL);\n",
+               bits_p, bits_p);
+        printf("\tdsa->g=BN_bin2bn(dsa%d_g,sizeof(dsa%d_g),NULL);\n",
+               bits_p, bits_p);
+        printf
+            ("\tif ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))\n");
+        printf("\t\t{ DSA_free(dsa); return(NULL); }\n");
+        printf("\treturn(dsa);\n\t}\n");
+    }
+
+    if (!noout) {
+        if (outformat == FORMAT_ASN1)
+            i = i2d_DSAparams_bio(out, dsa);
+        else if (outformat == FORMAT_PEM)
+            i = PEM_write_bio_DSAparams(out, dsa);
+        else {
+            BIO_printf(bio_err, "bad output format specified for outfile\n");
+            goto end;
+        }
+        if (!i) {
+            BIO_printf(bio_err, "unable to write DSA parameters\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+    if (genkey) {
+        DSA *dsakey;
+
+        assert(need_rand);
+        if ((dsakey = DSAparams_dup(dsa)) == NULL)
+            goto end;
+        if (!DSA_generate_key(dsakey)) {
+            ERR_print_errors(bio_err);
+            DSA_free(dsakey);
+            goto end;
+        }
+        if (outformat == FORMAT_ASN1)
+            i = i2d_DSAPrivateKey_bio(out, dsakey);
+        else if (outformat == FORMAT_PEM)
+            i = PEM_write_bio_DSAPrivateKey(out, dsakey, NULL, NULL, 0, NULL,
+                                            NULL);
+        else {
+            BIO_printf(bio_err, "bad output format specified for outfile\n");
+            DSA_free(dsakey);
+            goto end;
+        }
+        DSA_free(dsakey);
+    }
+    if (need_rand)
+        app_RAND_write_file(NULL, bio_err);
+    ret = 0;
+ end:
+    if (in != NULL)
+        BIO_free(in);
+    if (out != NULL)
+        BIO_free_all(out);
+    if (dsa != NULL)
+        DSA_free(dsa);
+    release_engine(e);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+
+static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *cb)
+{
+    char c = '*';
+
+    if (p == 0)
+        c = '.';
+    if (p == 1)
+        c = '+';
+    if (p == 2)
+        c = '*';
+    if (p == 3)
+        c = '\n';
+    BIO_write(cb->arg, &c, 1);
+    (void)BIO_flush(cb->arg);
+# ifdef LINT
+    p = n;
+# endif
+# ifdef GENCB_TEST
+    if (stop_keygen_flag)
+        return 0;
+# endif
+    return 1;
+}
+#else                           /* !OPENSSL_NO_DSA */
+
+# if PEDANTIC
+static void *dummy = &dummy;
+# endif
+
+#endif
diff --git a/openssl/apps/ec.c b/openssl/apps/ec.c
new file mode 100644
index 0000000..d2263c8
--- /dev/null
+++ b/openssl/apps/ec.c
@@ -0,0 +1,365 @@
+/* apps/ec.c */
+/*
+ * Written by Nils Larsch for the OpenSSL project.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/opensslconf.h>
+#ifndef OPENSSL_NO_EC
+# include <stdio.h>
+# include <stdlib.h>
+# include <string.h>
+# include "apps.h"
+# include <openssl/bio.h>
+# include <openssl/err.h>
+# include <openssl/evp.h>
+# include <openssl/pem.h>
+
+# undef PROG
+# define PROG    ec_main
+
+/*-
+ * -inform arg    - input format - default PEM (one of DER, NET or PEM)
+ * -outform arg   - output format - default PEM
+ * -in arg        - input file - default stdin
+ * -out arg       - output file - default stdout
+ * -des           - encrypt output if PEM format with DES in cbc mode
+ * -text          - print a text version
+ * -param_out     - print the elliptic curve parameters
+ * -conv_form arg - specifies the point encoding form
+ * -param_enc arg - specifies the parameter encoding
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    int ret = 1;
+    EC_KEY *eckey = NULL;
+    const EC_GROUP *group;
+    int i, badops = 0;
+    const EVP_CIPHER *enc = NULL;
+    BIO *in = NULL, *out = NULL;
+    int informat, outformat, text = 0, noout = 0;
+    int pubin = 0, pubout = 0, param_out = 0;
+    char *infile, *outfile, *prog, *engine;
+    ENGINE *e = NULL;
+    char *passargin = NULL, *passargout = NULL;
+    char *passin = NULL, *passout = NULL;
+    point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
+    int new_form = 0;
+    int asn1_flag = OPENSSL_EC_NAMED_CURVE;
+    int new_asn1_flag = 0;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    engine = NULL;
+    infile = NULL;
+    outfile = NULL;
+    informat = FORMAT_PEM;
+    outformat = FORMAT_PEM;
+
+    prog = argv[0];
+    argc--;
+    argv++;
+    while (argc >= 1) {
+        if (strcmp(*argv, "-inform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            informat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-outform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outformat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-in") == 0) {
+            if (--argc < 1)
+                goto bad;
+            infile = *(++argv);
+        } else if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outfile = *(++argv);
+        } else if (strcmp(*argv, "-passin") == 0) {
+            if (--argc < 1)
+                goto bad;
+            passargin = *(++argv);
+        } else if (strcmp(*argv, "-passout") == 0) {
+            if (--argc < 1)
+                goto bad;
+            passargout = *(++argv);
+        } else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            engine = *(++argv);
+        } else if (strcmp(*argv, "-noout") == 0)
+            noout = 1;
+        else if (strcmp(*argv, "-text") == 0)
+            text = 1;
+        else if (strcmp(*argv, "-conv_form") == 0) {
+            if (--argc < 1)
+                goto bad;
+            ++argv;
+            new_form = 1;
+            if (strcmp(*argv, "compressed") == 0)
+                form = POINT_CONVERSION_COMPRESSED;
+            else if (strcmp(*argv, "uncompressed") == 0)
+                form = POINT_CONVERSION_UNCOMPRESSED;
+            else if (strcmp(*argv, "hybrid") == 0)
+                form = POINT_CONVERSION_HYBRID;
+            else
+                goto bad;
+        } else if (strcmp(*argv, "-param_enc") == 0) {
+            if (--argc < 1)
+                goto bad;
+            ++argv;
+            new_asn1_flag = 1;
+            if (strcmp(*argv, "named_curve") == 0)
+                asn1_flag = OPENSSL_EC_NAMED_CURVE;
+            else if (strcmp(*argv, "explicit") == 0)
+                asn1_flag = 0;
+            else
+                goto bad;
+        } else if (strcmp(*argv, "-param_out") == 0)
+            param_out = 1;
+        else if (strcmp(*argv, "-pubin") == 0)
+            pubin = 1;
+        else if (strcmp(*argv, "-pubout") == 0)
+            pubout = 1;
+        else if ((enc = EVP_get_cipherbyname(&(argv[0][1]))) == NULL) {
+            BIO_printf(bio_err, "unknown option %s\n", *argv);
+            badops = 1;
+            break;
+        }
+        argc--;
+        argv++;
+    }
+
+    if (badops) {
+ bad:
+        BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err, " -inform arg     input format - "
+                   "DER or PEM\n");
+        BIO_printf(bio_err, " -outform arg    output format - "
+                   "DER or PEM\n");
+        BIO_printf(bio_err, " -in arg         input file\n");
+        BIO_printf(bio_err, " -passin arg     input file pass "
+                   "phrase source\n");
+        BIO_printf(bio_err, " -out arg        output file\n");
+        BIO_printf(bio_err, " -passout arg    output file pass "
+                   "phrase source\n");
+        BIO_printf(bio_err, " -engine e       use engine e, "
+                   "possibly a hardware device.\n");
+        BIO_printf(bio_err, " -des            encrypt PEM output, "
+                   "instead of 'des' every other \n"
+                   "                 cipher "
+                   "supported by OpenSSL can be used\n");
+        BIO_printf(bio_err, " -text           print the key\n");
+        BIO_printf(bio_err, " -noout          don't print key out\n");
+        BIO_printf(bio_err, " -param_out      print the elliptic "
+                   "curve parameters\n");
+        BIO_printf(bio_err, " -conv_form arg  specifies the "
+                   "point conversion form \n");
+        BIO_printf(bio_err, "                 possible values:"
+                   " compressed\n");
+        BIO_printf(bio_err, "                                 "
+                   " uncompressed (default)\n");
+        BIO_printf(bio_err, "                                  " " hybrid\n");
+        BIO_printf(bio_err, " -param_enc arg  specifies the way"
+                   " the ec parameters are encoded\n");
+        BIO_printf(bio_err, "                 in the asn1 der " "encoding\n");
+        BIO_printf(bio_err, "                 possible values:"
+                   " named_curve (default)\n");
+        BIO_printf(bio_err, "                                  "
+                   "explicit\n");
+        goto end;
+    }
+
+    ERR_load_crypto_strings();
+
+    e = setup_engine(bio_err, engine, 0);
+
+    if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+        BIO_printf(bio_err, "Error getting passwords\n");
+        goto end;
+    }
+
+    in = BIO_new(BIO_s_file());
+    out = BIO_new(BIO_s_file());
+    if ((in == NULL) || (out == NULL)) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (infile == NULL)
+        BIO_set_fp(in, stdin, BIO_NOCLOSE);
+    else {
+        if (BIO_read_filename(in, infile) <= 0) {
+            perror(infile);
+            goto end;
+        }
+    }
+
+    BIO_printf(bio_err, "read EC key\n");
+    if (informat == FORMAT_ASN1) {
+        if (pubin)
+            eckey = d2i_EC_PUBKEY_bio(in, NULL);
+        else
+            eckey = d2i_ECPrivateKey_bio(in, NULL);
+    } else if (informat == FORMAT_PEM) {
+        if (pubin)
+            eckey = PEM_read_bio_EC_PUBKEY(in, NULL, NULL, NULL);
+        else
+            eckey = PEM_read_bio_ECPrivateKey(in, NULL, NULL, passin);
+    } else {
+        BIO_printf(bio_err, "bad input format specified for key\n");
+        goto end;
+    }
+    if (eckey == NULL) {
+        BIO_printf(bio_err, "unable to load Key\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (outfile == NULL) {
+        BIO_set_fp(out, stdout, BIO_NOCLOSE);
+# ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+# endif
+    } else {
+        if (BIO_write_filename(out, outfile) <= 0) {
+            perror(outfile);
+            goto end;
+        }
+    }
+
+    group = EC_KEY_get0_group(eckey);
+
+    if (new_form)
+        EC_KEY_set_conv_form(eckey, form);
+
+    if (new_asn1_flag)
+        EC_KEY_set_asn1_flag(eckey, asn1_flag);
+
+    if (text)
+        if (!EC_KEY_print(out, eckey, 0)) {
+            perror(outfile);
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+
+    if (noout) {
+        ret = 0;
+        goto end;
+    }
+
+    BIO_printf(bio_err, "writing EC key\n");
+    if (outformat == FORMAT_ASN1) {
+        if (param_out)
+            i = i2d_ECPKParameters_bio(out, group);
+        else if (pubin || pubout)
+            i = i2d_EC_PUBKEY_bio(out, eckey);
+        else
+            i = i2d_ECPrivateKey_bio(out, eckey);
+    } else if (outformat == FORMAT_PEM) {
+        if (param_out)
+            i = PEM_write_bio_ECPKParameters(out, group);
+        else if (pubin || pubout)
+            i = PEM_write_bio_EC_PUBKEY(out, eckey);
+        else
+            i = PEM_write_bio_ECPrivateKey(out, eckey, enc,
+                                           NULL, 0, NULL, passout);
+    } else {
+        BIO_printf(bio_err, "bad output format specified for " "outfile\n");
+        goto end;
+    }
+
+    if (!i) {
+        BIO_printf(bio_err, "unable to write private key\n");
+        ERR_print_errors(bio_err);
+    } else
+        ret = 0;
+ end:
+    if (in)
+        BIO_free(in);
+    if (out)
+        BIO_free_all(out);
+    if (eckey)
+        EC_KEY_free(eckey);
+    release_engine(e);
+    if (passin)
+        OPENSSL_free(passin);
+    if (passout)
+        OPENSSL_free(passout);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+#else                           /* !OPENSSL_NO_EC */
+
+# if PEDANTIC
+static void *dummy = &dummy;
+# endif
+
+#endif
diff --git a/openssl/apps/ecparam.c b/openssl/apps/ecparam.c
new file mode 100644
index 0000000..a9bf489
--- /dev/null
+++ b/openssl/apps/ecparam.c
@@ -0,0 +1,661 @@
+/* apps/ecparam.c */
+/*
+ * Written by Nils Larsch for the OpenSSL project.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the OpenSSL open source
+ * license provided above.
+ *
+ * The elliptic curve binary polynomial software is originally written by
+ * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
+ *
+ */
+
+#include <openssl/opensslconf.h>
+#ifndef OPENSSL_NO_EC
+# include <assert.h>
+# include <stdio.h>
+# include <stdlib.h>
+# include <time.h>
+# include <string.h>
+# include "apps.h"
+# include <openssl/bio.h>
+# include <openssl/err.h>
+# include <openssl/bn.h>
+# include <openssl/ec.h>
+# include <openssl/x509.h>
+# include <openssl/pem.h>
+
+# undef PROG
+# define PROG    ecparam_main
+
+/*-
+ * -inform arg      - input format - default PEM (DER or PEM)
+ * -outform arg     - output format - default PEM
+ * -in  arg         - input file  - default stdin
+ * -out arg         - output file - default stdout
+ * -noout           - do not print the ec parameter
+ * -text            - print the ec parameters in text form
+ * -check           - validate the ec parameters
+ * -C               - print a 'C' function creating the parameters
+ * -name arg        - use the ec parameters with 'short name' name
+ * -list_curves     - prints a list of all currently available curve 'short names'
+ * -conv_form arg   - specifies the point conversion form
+ *                  - possible values: compressed
+ *                                     uncompressed (default)
+ *                                     hybrid
+ * -param_enc arg   - specifies the way the ec parameters are encoded
+ *                    in the asn1 der encoding
+ *                    possible values: named_curve (default)
+ *                                     explicit
+ * -no_seed         - if 'explicit' parameters are chosen do not use the seed
+ * -genkey          - generate ec key
+ * -rand file       - files to use for random number input
+ * -engine e        - use engine e, possibly a hardware device
+ */
+
+static int ecparam_print_var(BIO *, BIGNUM *, const char *, int,
+                             unsigned char *);
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    EC_GROUP *group = NULL;
+    point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
+    int new_form = 0;
+    int asn1_flag = OPENSSL_EC_NAMED_CURVE;
+    int new_asn1_flag = 0;
+    char *curve_name = NULL, *inrand = NULL;
+    int list_curves = 0, no_seed = 0, check = 0,
+        badops = 0, text = 0, i, need_rand = 0, genkey = 0;
+    char *infile = NULL, *outfile = NULL, *prog;
+    BIO *in = NULL, *out = NULL;
+    int informat, outformat, noout = 0, C = 0, ret = 1;
+    char *engine = NULL;
+    ENGINE *e = NULL;
+
+    BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL,
+        *ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL;
+    unsigned char *buffer = NULL;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    informat = FORMAT_PEM;
+    outformat = FORMAT_PEM;
+
+    prog = argv[0];
+    argc--;
+    argv++;
+    while (argc >= 1) {
+        if (strcmp(*argv, "-inform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            informat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-outform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outformat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-in") == 0) {
+            if (--argc < 1)
+                goto bad;
+            infile = *(++argv);
+        } else if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outfile = *(++argv);
+        } else if (strcmp(*argv, "-text") == 0)
+            text = 1;
+        else if (strcmp(*argv, "-C") == 0)
+            C = 1;
+        else if (strcmp(*argv, "-check") == 0)
+            check = 1;
+        else if (strcmp(*argv, "-name") == 0) {
+            if (--argc < 1)
+                goto bad;
+            curve_name = *(++argv);
+        } else if (strcmp(*argv, "-list_curves") == 0)
+            list_curves = 1;
+        else if (strcmp(*argv, "-conv_form") == 0) {
+            if (--argc < 1)
+                goto bad;
+            ++argv;
+            new_form = 1;
+            if (strcmp(*argv, "compressed") == 0)
+                form = POINT_CONVERSION_COMPRESSED;
+            else if (strcmp(*argv, "uncompressed") == 0)
+                form = POINT_CONVERSION_UNCOMPRESSED;
+            else if (strcmp(*argv, "hybrid") == 0)
+                form = POINT_CONVERSION_HYBRID;
+            else
+                goto bad;
+        } else if (strcmp(*argv, "-param_enc") == 0) {
+            if (--argc < 1)
+                goto bad;
+            ++argv;
+            new_asn1_flag = 1;
+            if (strcmp(*argv, "named_curve") == 0)
+                asn1_flag = OPENSSL_EC_NAMED_CURVE;
+            else if (strcmp(*argv, "explicit") == 0)
+                asn1_flag = 0;
+            else
+                goto bad;
+        } else if (strcmp(*argv, "-no_seed") == 0)
+            no_seed = 1;
+        else if (strcmp(*argv, "-noout") == 0)
+            noout = 1;
+        else if (strcmp(*argv, "-genkey") == 0) {
+            genkey = 1;
+            need_rand = 1;
+        } else if (strcmp(*argv, "-rand") == 0) {
+            if (--argc < 1)
+                goto bad;
+            inrand = *(++argv);
+            need_rand = 1;
+        } else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            engine = *(++argv);
+        } else {
+            BIO_printf(bio_err, "unknown option %s\n", *argv);
+            badops = 1;
+            break;
+        }
+        argc--;
+        argv++;
+    }
+
+    if (badops) {
+ bad:
+        BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err, " -inform arg       input format - "
+                   "default PEM (DER or PEM)\n");
+        BIO_printf(bio_err, " -outform arg      output format - "
+                   "default PEM\n");
+        BIO_printf(bio_err, " -in  arg          input file  - "
+                   "default stdin\n");
+        BIO_printf(bio_err, " -out arg          output file - "
+                   "default stdout\n");
+        BIO_printf(bio_err, " -noout            do not print the "
+                   "ec parameter\n");
+        BIO_printf(bio_err, " -text             print the ec "
+                   "parameters in text form\n");
+        BIO_printf(bio_err, " -check            validate the ec "
+                   "parameters\n");
+        BIO_printf(bio_err, " -C                print a 'C' "
+                   "function creating the parameters\n");
+        BIO_printf(bio_err, " -name arg         use the "
+                   "ec parameters with 'short name' name\n");
+        BIO_printf(bio_err, " -list_curves      prints a list of "
+                   "all currently available curve 'short names'\n");
+        BIO_printf(bio_err, " -conv_form arg    specifies the "
+                   "point conversion form \n");
+        BIO_printf(bio_err, "                   possible values:"
+                   " compressed\n");
+        BIO_printf(bio_err, "                                   "
+                   " uncompressed (default)\n");
+        BIO_printf(bio_err, "                                   "
+                   " hybrid\n");
+        BIO_printf(bio_err, " -param_enc arg    specifies the way"
+                   " the ec parameters are encoded\n");
+        BIO_printf(bio_err, "                   in the asn1 der "
+                   "encoding\n");
+        BIO_printf(bio_err, "                   possible values:"
+                   " named_curve (default)\n");
+        BIO_printf(bio_err, "                                   "
+                   " explicit\n");
+        BIO_printf(bio_err, " -no_seed          if 'explicit'"
+                   " parameters are chosen do not" " use the seed\n");
+        BIO_printf(bio_err, " -genkey           generate ec" " key\n");
+        BIO_printf(bio_err, " -rand file        files to use for"
+                   " random number input\n");
+        BIO_printf(bio_err, " -engine e         use engine e, "
+                   "possibly a hardware device\n");
+        goto end;
+    }
+
+    ERR_load_crypto_strings();
+
+    in = BIO_new(BIO_s_file());
+    out = BIO_new(BIO_s_file());
+    if ((in == NULL) || (out == NULL)) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (infile == NULL)
+        BIO_set_fp(in, stdin, BIO_NOCLOSE);
+    else {
+        if (BIO_read_filename(in, infile) <= 0) {
+            perror(infile);
+            goto end;
+        }
+    }
+    if (outfile == NULL) {
+        BIO_set_fp(out, stdout, BIO_NOCLOSE);
+# ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+# endif
+    } else {
+        if (BIO_write_filename(out, outfile) <= 0) {
+            perror(outfile);
+            goto end;
+        }
+    }
+
+    e = setup_engine(bio_err, engine, 0);
+
+    if (list_curves) {
+        EC_builtin_curve *curves = NULL;
+        size_t crv_len = 0;
+        size_t n = 0;
+
+        crv_len = EC_get_builtin_curves(NULL, 0);
+
+        curves = OPENSSL_malloc((int)(sizeof(EC_builtin_curve) * crv_len));
+
+        if (curves == NULL)
+            goto end;
+
+        if (!EC_get_builtin_curves(curves, crv_len)) {
+            OPENSSL_free(curves);
+            goto end;
+        }
+
+        for (n = 0; n < crv_len; n++) {
+            const char *comment;
+            const char *sname;
+            comment = curves[n].comment;
+            sname = OBJ_nid2sn(curves[n].nid);
+            if (comment == NULL)
+                comment = "CURVE DESCRIPTION NOT AVAILABLE";
+            if (sname == NULL)
+                sname = "";
+
+            BIO_printf(out, "  %-10s: ", sname);
+            BIO_printf(out, "%s\n", comment);
+        }
+
+        OPENSSL_free(curves);
+        ret = 0;
+        goto end;
+    }
+
+    if (curve_name != NULL) {
+        int nid;
+
+        /*
+         * workaround for the SECG curve names secp192r1 and secp256r1 (which
+         * are the same as the curves prime192v1 and prime256v1 defined in
+         * X9.62)
+         */
+        if (!strcmp(curve_name, "secp192r1")) {
+            BIO_printf(bio_err, "using curve name prime192v1 "
+                       "instead of secp192r1\n");
+            nid = NID_X9_62_prime192v1;
+        } else if (!strcmp(curve_name, "secp256r1")) {
+            BIO_printf(bio_err, "using curve name prime256v1 "
+                       "instead of secp256r1\n");
+            nid = NID_X9_62_prime256v1;
+        } else
+            nid = OBJ_sn2nid(curve_name);
+
+        if (nid == 0)
+            nid = EC_curve_nist2nid(curve_name);
+
+        if (nid == 0) {
+            BIO_printf(bio_err, "unknown curve name (%s)\n", curve_name);
+            goto end;
+        }
+
+        group = EC_GROUP_new_by_curve_name(nid);
+        if (group == NULL) {
+            BIO_printf(bio_err, "unable to create curve (%s)\n", curve_name);
+            goto end;
+        }
+        EC_GROUP_set_asn1_flag(group, asn1_flag);
+        EC_GROUP_set_point_conversion_form(group, form);
+    } else if (informat == FORMAT_ASN1) {
+        group = d2i_ECPKParameters_bio(in, NULL);
+    } else if (informat == FORMAT_PEM) {
+        group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL);
+    } else {
+        BIO_printf(bio_err, "bad input format specified\n");
+        goto end;
+    }
+
+    if (group == NULL) {
+        BIO_printf(bio_err, "unable to load elliptic curve parameters\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (new_form)
+        EC_GROUP_set_point_conversion_form(group, form);
+
+    if (new_asn1_flag)
+        EC_GROUP_set_asn1_flag(group, asn1_flag);
+
+    if (no_seed) {
+        EC_GROUP_set_seed(group, NULL, 0);
+    }
+
+    if (text) {
+        if (!ECPKParameters_print(out, group, 0))
+            goto end;
+    }
+
+    if (check) {
+        BIO_printf(bio_err, "checking elliptic curve parameters: ");
+        if (!EC_GROUP_check(group, NULL)) {
+            BIO_printf(bio_err, "failed\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        BIO_printf(bio_err, "ok\n");
+
+    }
+
+    if (C) {
+        size_t buf_len = 0, tmp_len = 0;
+        const EC_POINT *point;
+        int is_prime, len = 0;
+        const EC_METHOD *meth = EC_GROUP_method_of(group);
+
+        if ((ec_p = BN_new()) == NULL || (ec_a = BN_new()) == NULL ||
+            (ec_b = BN_new()) == NULL || (ec_gen = BN_new()) == NULL ||
+            (ec_order = BN_new()) == NULL ||
+            (ec_cofactor = BN_new()) == NULL) {
+            perror("OPENSSL_malloc");
+            goto end;
+        }
+
+        is_prime = (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field);
+
+        if (is_prime) {
+            if (!EC_GROUP_get_curve_GFp(group, ec_p, ec_a, ec_b, NULL))
+                goto end;
+        } else {
+            /* TODO */
+            goto end;
+        }
+
+        if ((point = EC_GROUP_get0_generator(group)) == NULL)
+            goto end;
+        if (!EC_POINT_point2bn(group, point,
+                               EC_GROUP_get_point_conversion_form(group),
+                               ec_gen, NULL))
+            goto end;
+        if (!EC_GROUP_get_order(group, ec_order, NULL))
+            goto end;
+        if (!EC_GROUP_get_cofactor(group, ec_cofactor, NULL))
+            goto end;
+
+        if (!ec_p || !ec_a || !ec_b || !ec_gen || !ec_order || !ec_cofactor)
+            goto end;
+
+        len = BN_num_bits(ec_order);
+
+        if ((tmp_len = (size_t)BN_num_bytes(ec_p)) > buf_len)
+            buf_len = tmp_len;
+        if ((tmp_len = (size_t)BN_num_bytes(ec_a)) > buf_len)
+            buf_len = tmp_len;
+        if ((tmp_len = (size_t)BN_num_bytes(ec_b)) > buf_len)
+            buf_len = tmp_len;
+        if ((tmp_len = (size_t)BN_num_bytes(ec_gen)) > buf_len)
+            buf_len = tmp_len;
+        if ((tmp_len = (size_t)BN_num_bytes(ec_order)) > buf_len)
+            buf_len = tmp_len;
+        if ((tmp_len = (size_t)BN_num_bytes(ec_cofactor)) > buf_len)
+            buf_len = tmp_len;
+
+        buffer = (unsigned char *)OPENSSL_malloc(buf_len);
+
+        if (buffer == NULL) {
+            perror("OPENSSL_malloc");
+            goto end;
+        }
+
+        ecparam_print_var(out, ec_p, "ec_p", len, buffer);
+        ecparam_print_var(out, ec_a, "ec_a", len, buffer);
+        ecparam_print_var(out, ec_b, "ec_b", len, buffer);
+        ecparam_print_var(out, ec_gen, "ec_gen", len, buffer);
+        ecparam_print_var(out, ec_order, "ec_order", len, buffer);
+        ecparam_print_var(out, ec_cofactor, "ec_cofactor", len, buffer);
+
+        BIO_printf(out, "\n\n");
+
+        BIO_printf(out, "EC_GROUP *get_ec_group_%d(void)\n\t{\n", len);
+        BIO_printf(out, "\tint ok=0;\n");
+        BIO_printf(out, "\tEC_GROUP *group = NULL;\n");
+        BIO_printf(out, "\tEC_POINT *point = NULL;\n");
+        BIO_printf(out, "\tBIGNUM   *tmp_1 = NULL, *tmp_2 = NULL, "
+                   "*tmp_3 = NULL;\n\n");
+        BIO_printf(out, "\tif ((tmp_1 = BN_bin2bn(ec_p_%d, "
+                   "sizeof(ec_p_%d), NULL)) == NULL)\n\t\t"
+                   "goto err;\n", len, len);
+        BIO_printf(out, "\tif ((tmp_2 = BN_bin2bn(ec_a_%d, "
+                   "sizeof(ec_a_%d), NULL)) == NULL)\n\t\t"
+                   "goto err;\n", len, len);
+        BIO_printf(out, "\tif ((tmp_3 = BN_bin2bn(ec_b_%d, "
+                   "sizeof(ec_b_%d), NULL)) == NULL)\n\t\t"
+                   "goto err;\n", len, len);
+        if (is_prime) {
+            BIO_printf(out, "\tif ((group = EC_GROUP_new_curve_"
+                       "GFp(tmp_1, tmp_2, tmp_3, NULL)) == NULL)"
+                       "\n\t\tgoto err;\n\n");
+        } else {
+            /* TODO */
+            goto end;
+        }
+        BIO_printf(out, "\t/* build generator */\n");
+        BIO_printf(out, "\tif ((tmp_1 = BN_bin2bn(ec_gen_%d, "
+                   "sizeof(ec_gen_%d), tmp_1)) == NULL)"
+                   "\n\t\tgoto err;\n", len, len);
+        BIO_printf(out, "\tpoint = EC_POINT_bn2point(group, tmp_1, "
+                   "NULL, NULL);\n");
+        BIO_printf(out, "\tif (point == NULL)\n\t\tgoto err;\n");
+        BIO_printf(out, "\tif ((tmp_2 = BN_bin2bn(ec_order_%d, "
+                   "sizeof(ec_order_%d), tmp_2)) == NULL)"
+                   "\n\t\tgoto err;\n", len, len);
+        BIO_printf(out, "\tif ((tmp_3 = BN_bin2bn(ec_cofactor_%d, "
+                   "sizeof(ec_cofactor_%d), tmp_3)) == NULL)"
+                   "\n\t\tgoto err;\n", len, len);
+        BIO_printf(out, "\tif (!EC_GROUP_set_generator(group, point,"
+                   " tmp_2, tmp_3))\n\t\tgoto err;\n");
+        BIO_printf(out, "\n\tok=1;\n");
+        BIO_printf(out, "err:\n");
+        BIO_printf(out, "\tif (tmp_1)\n\t\tBN_free(tmp_1);\n");
+        BIO_printf(out, "\tif (tmp_2)\n\t\tBN_free(tmp_2);\n");
+        BIO_printf(out, "\tif (tmp_3)\n\t\tBN_free(tmp_3);\n");
+        BIO_printf(out, "\tif (point)\n\t\tEC_POINT_free(point);\n");
+        BIO_printf(out, "\tif (!ok)\n");
+        BIO_printf(out, "\t\t{\n");
+        BIO_printf(out, "\t\tEC_GROUP_free(group);\n");
+        BIO_printf(out, "\t\tgroup = NULL;\n");
+        BIO_printf(out, "\t\t}\n");
+        BIO_printf(out, "\treturn(group);\n\t}\n");
+    }
+
+    if (!noout) {
+        if (outformat == FORMAT_ASN1)
+            i = i2d_ECPKParameters_bio(out, group);
+        else if (outformat == FORMAT_PEM)
+            i = PEM_write_bio_ECPKParameters(out, group);
+        else {
+            BIO_printf(bio_err, "bad output format specified for"
+                       " outfile\n");
+            goto end;
+        }
+        if (!i) {
+            BIO_printf(bio_err, "unable to write elliptic "
+                       "curve parameters\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+
+    if (need_rand) {
+        app_RAND_load_file(NULL, bio_err, (inrand != NULL));
+        if (inrand != NULL)
+            BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
+                       app_RAND_load_files(inrand));
+    }
+
+    if (genkey) {
+        EC_KEY *eckey = EC_KEY_new();
+
+        if (eckey == NULL)
+            goto end;
+
+        assert(need_rand);
+
+        if (EC_KEY_set_group(eckey, group) == 0)
+            goto end;
+
+        if (!EC_KEY_generate_key(eckey)) {
+            EC_KEY_free(eckey);
+            goto end;
+        }
+        if (outformat == FORMAT_ASN1)
+            i = i2d_ECPrivateKey_bio(out, eckey);
+        else if (outformat == FORMAT_PEM)
+            i = PEM_write_bio_ECPrivateKey(out, eckey, NULL,
+                                           NULL, 0, NULL, NULL);
+        else {
+            BIO_printf(bio_err, "bad output format specified "
+                       "for outfile\n");
+            EC_KEY_free(eckey);
+            goto end;
+        }
+        EC_KEY_free(eckey);
+    }
+
+    if (need_rand)
+        app_RAND_write_file(NULL, bio_err);
+
+    ret = 0;
+ end:
+    if (ec_p)
+        BN_free(ec_p);
+    if (ec_a)
+        BN_free(ec_a);
+    if (ec_b)
+        BN_free(ec_b);
+    if (ec_gen)
+        BN_free(ec_gen);
+    if (ec_order)
+        BN_free(ec_order);
+    if (ec_cofactor)
+        BN_free(ec_cofactor);
+    if (buffer)
+        OPENSSL_free(buffer);
+    if (group != NULL)
+        EC_GROUP_free(group);
+    release_engine(e);
+    if (in != NULL)
+        BIO_free(in);
+    if (out != NULL)
+        BIO_free_all(out);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+
+static int ecparam_print_var(BIO *out, BIGNUM *in, const char *var,
+                             int len, unsigned char *buffer)
+{
+    BIO_printf(out, "static unsigned char %s_%d[] = {", var, len);
+    if (BN_is_zero(in))
+        BIO_printf(out, "\n\t0x00");
+    else {
+        int i, l;
+
+        l = BN_bn2bin(in, buffer);
+        for (i = 0; i < l - 1; i++) {
+            if ((i % 12) == 0)
+                BIO_printf(out, "\n\t");
+            BIO_printf(out, "0x%02X,", buffer[i]);
+        }
+        if ((i % 12) == 0)
+            BIO_printf(out, "\n\t");
+        BIO_printf(out, "0x%02X", buffer[i]);
+    }
+    BIO_printf(out, "\n\t};\n\n");
+    return 1;
+}
+#else                           /* !OPENSSL_NO_EC */
+
+# if PEDANTIC
+static void *dummy = &dummy;
+# endif
+
+#endif
diff --git a/openssl/apps/enc.c b/openssl/apps/enc.c
new file mode 100644
index 0000000..8c8f1ef
--- /dev/null
+++ b/openssl/apps/enc.c
@@ -0,0 +1,713 @@
+/* apps/enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/rand.h>
+#include <openssl/pem.h>
+#ifndef OPENSSL_NO_COMP
+# include <openssl/comp.h>
+#endif
+#include <ctype.h>
+
+int set_hex(char *in, unsigned char *out, int size);
+#undef SIZE
+#undef BSIZE
+#undef PROG
+
+#define SIZE    (512)
+#define BSIZE   (8*1024)
+#define PROG    enc_main
+
+static void show_ciphers(const OBJ_NAME *name, void *bio_)
+{
+    BIO *bio = bio_;
+    static int n;
+
+    if (!islower((unsigned char)*name->name))
+        return;
+
+    BIO_printf(bio, "-%-25s", name->name);
+    if (++n == 3) {
+        BIO_printf(bio, "\n");
+        n = 0;
+    } else
+        BIO_printf(bio, " ");
+}
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    static const char magic[] = "Salted__";
+    char mbuf[sizeof magic - 1];
+    char *strbuf = NULL;
+    unsigned char *buff = NULL, *bufsize = NULL;
+    int bsize = BSIZE, verbose = 0;
+    int ret = 1, inl;
+    int nopad = 0;
+    unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
+    unsigned char salt[PKCS5_SALT_LEN];
+    char *str = NULL, *passarg = NULL, *pass = NULL;
+    char *hkey = NULL, *hiv = NULL, *hsalt = NULL;
+    char *md = NULL;
+    int enc = 1, printkey = 0, i, base64 = 0;
+#ifdef ZLIB
+    int do_zlib = 0;
+    BIO *bzl = NULL;
+#endif
+    int debug = 0, olb64 = 0, nosalt = 0;
+    const EVP_CIPHER *cipher = NULL, *c;
+    EVP_CIPHER_CTX *ctx = NULL;
+    char *inf = NULL, *outf = NULL;
+    BIO *in = NULL, *out = NULL, *b64 = NULL, *benc = NULL, *rbio =
+        NULL, *wbio = NULL;
+#define PROG_NAME_SIZE  39
+    char pname[PROG_NAME_SIZE + 1];
+    char *engine = NULL;
+    ENGINE *e = NULL;
+    const EVP_MD *dgst = NULL;
+    int non_fips_allow = 0;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    /* first check the program name */
+    program_name(argv[0], pname, sizeof pname);
+    if (strcmp(pname, "base64") == 0)
+        base64 = 1;
+#ifdef ZLIB
+    if (strcmp(pname, "zlib") == 0)
+        do_zlib = 1;
+#endif
+
+    cipher = EVP_get_cipherbyname(pname);
+#ifdef ZLIB
+    if (!do_zlib && !base64 && (cipher == NULL)
+        && (strcmp(pname, "enc") != 0))
+#else
+    if (!base64 && (cipher == NULL) && (strcmp(pname, "enc") != 0))
+#endif
+    {
+        BIO_printf(bio_err, "%s is an unknown cipher\n", pname);
+        goto bad;
+    }
+
+    argc--;
+    argv++;
+    while (argc >= 1) {
+        if (strcmp(*argv, "-e") == 0)
+            enc = 1;
+        else if (strcmp(*argv, "-in") == 0) {
+            if (--argc < 1)
+                goto bad;
+            inf = *(++argv);
+        } else if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outf = *(++argv);
+        } else if (strcmp(*argv, "-pass") == 0) {
+            if (--argc < 1)
+                goto bad;
+            passarg = *(++argv);
+        }
+#ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            engine = *(++argv);
+        }
+#endif
+        else if (strcmp(*argv, "-d") == 0)
+            enc = 0;
+        else if (strcmp(*argv, "-p") == 0)
+            printkey = 1;
+        else if (strcmp(*argv, "-v") == 0)
+            verbose = 1;
+        else if (strcmp(*argv, "-nopad") == 0)
+            nopad = 1;
+        else if (strcmp(*argv, "-salt") == 0)
+            nosalt = 0;
+        else if (strcmp(*argv, "-nosalt") == 0)
+            nosalt = 1;
+        else if (strcmp(*argv, "-debug") == 0)
+            debug = 1;
+        else if (strcmp(*argv, "-P") == 0)
+            printkey = 2;
+        else if (strcmp(*argv, "-A") == 0)
+            olb64 = 1;
+        else if (strcmp(*argv, "-a") == 0)
+            base64 = 1;
+        else if (strcmp(*argv, "-base64") == 0)
+            base64 = 1;
+#ifdef ZLIB
+        else if (strcmp(*argv, "-z") == 0)
+            do_zlib = 1;
+#endif
+        else if (strcmp(*argv, "-bufsize") == 0) {
+            if (--argc < 1)
+                goto bad;
+            bufsize = (unsigned char *)*(++argv);
+        } else if (strcmp(*argv, "-k") == 0) {
+            if (--argc < 1)
+                goto bad;
+            str = *(++argv);
+        } else if (strcmp(*argv, "-kfile") == 0) {
+            static char buf[128];
+            FILE *infile;
+            char *file;
+
+            if (--argc < 1)
+                goto bad;
+            file = *(++argv);
+            infile = fopen(file, "r");
+            if (infile == NULL) {
+                BIO_printf(bio_err, "unable to read key from '%s'\n", file);
+                goto bad;
+            }
+            buf[0] = '\0';
+            if (!fgets(buf, sizeof buf, infile)) {
+                BIO_printf(bio_err, "unable to read key from '%s'\n", file);
+                goto bad;
+            }
+            fclose(infile);
+            i = strlen(buf);
+            if ((i > 0) && ((buf[i - 1] == '\n') || (buf[i - 1] == '\r')))
+                buf[--i] = '\0';
+            if ((i > 0) && ((buf[i - 1] == '\n') || (buf[i - 1] == '\r')))
+                buf[--i] = '\0';
+            if (i < 1) {
+                BIO_printf(bio_err, "zero length password\n");
+                goto bad;
+            }
+            str = buf;
+        } else if (strcmp(*argv, "-K") == 0) {
+            if (--argc < 1)
+                goto bad;
+            hkey = *(++argv);
+        } else if (strcmp(*argv, "-S") == 0) {
+            if (--argc < 1)
+                goto bad;
+            hsalt = *(++argv);
+        } else if (strcmp(*argv, "-iv") == 0) {
+            if (--argc < 1)
+                goto bad;
+            hiv = *(++argv);
+        } else if (strcmp(*argv, "-md") == 0) {
+            if (--argc < 1)
+                goto bad;
+            md = *(++argv);
+        } else if (strcmp(*argv, "-non-fips-allow") == 0)
+            non_fips_allow = 1;
+        else if ((argv[0][0] == '-') &&
+                 ((c = EVP_get_cipherbyname(&(argv[0][1]))) != NULL)) {
+            cipher = c;
+        } else if (strcmp(*argv, "-none") == 0)
+            cipher = NULL;
+        else {
+            BIO_printf(bio_err, "unknown option '%s'\n", *argv);
+ bad:
+            BIO_printf(bio_err, "options are\n");
+            BIO_printf(bio_err, "%-14s input file\n", "-in <file>");
+            BIO_printf(bio_err, "%-14s output file\n", "-out <file>");
+            BIO_printf(bio_err, "%-14s pass phrase source\n", "-pass <arg>");
+            BIO_printf(bio_err, "%-14s encrypt\n", "-e");
+            BIO_printf(bio_err, "%-14s decrypt\n", "-d");
+            BIO_printf(bio_err,
+                       "%-14s base64 encode/decode, depending on encryption flag\n",
+                       "-a/-base64");
+            BIO_printf(bio_err, "%-14s passphrase is the next argument\n",
+                       "-k");
+            BIO_printf(bio_err,
+                       "%-14s passphrase is the first line of the file argument\n",
+                       "-kfile");
+            BIO_printf(bio_err,
+                       "%-14s the next argument is the md to use to create a key\n",
+                       "-md");
+            BIO_printf(bio_err,
+                       "%-14s   from a passphrase.  One of md2, md5, sha or sha1\n",
+                       "");
+            BIO_printf(bio_err, "%-14s salt in hex is the next argument\n",
+                       "-S");
+            BIO_printf(bio_err, "%-14s key/iv in hex is the next argument\n",
+                       "-K/-iv");
+            BIO_printf(bio_err, "%-14s print the iv/key (then exit if -P)\n",
+                       "-[pP]");
+            BIO_printf(bio_err, "%-14s buffer size\n", "-bufsize <n>");
+            BIO_printf(bio_err, "%-14s disable standard block padding\n",
+                       "-nopad");
+#ifndef OPENSSL_NO_ENGINE
+            BIO_printf(bio_err,
+                       "%-14s use engine e, possibly a hardware device.\n",
+                       "-engine e");
+#endif
+
+            BIO_printf(bio_err, "Cipher Types\n");
+            OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH,
+                                   show_ciphers, bio_err);
+            BIO_printf(bio_err, "\n");
+
+            goto end;
+        }
+        argc--;
+        argv++;
+    }
+
+    e = setup_engine(bio_err, engine, 0);
+
+    if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
+        BIO_printf(bio_err,
+                   "AEAD ciphers not supported by the enc utility\n");
+        goto end;
+    }
+
+    if (cipher && (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE)) {
+        BIO_printf(bio_err,
+                   "Ciphers in XTS mode are not supported by the enc utility\n");
+        goto end;
+    }
+
+    if (md && (dgst = EVP_get_digestbyname(md)) == NULL) {
+        BIO_printf(bio_err, "%s is an unsupported message digest type\n", md);
+        goto end;
+    }
+
+    if (dgst == NULL) {
+        dgst = EVP_md5();
+    }
+
+    if (bufsize != NULL) {
+        unsigned long n;
+
+        for (n = 0; *bufsize; bufsize++) {
+            i = *bufsize;
+            if ((i <= '9') && (i >= '0'))
+                n = n * 10 + i - '0';
+            else if (i == 'k') {
+                n *= 1024;
+                bufsize++;
+                break;
+            }
+        }
+        if (*bufsize != '\0') {
+            BIO_printf(bio_err, "invalid 'bufsize' specified.\n");
+            goto end;
+        }
+
+        /* It must be large enough for a base64 encoded line */
+        if (base64 && n < 80)
+            n = 80;
+
+        bsize = (int)n;
+        if (verbose)
+            BIO_printf(bio_err, "bufsize=%d\n", bsize);
+    }
+
+    strbuf = OPENSSL_malloc(SIZE);
+    buff = (unsigned char *)OPENSSL_malloc(EVP_ENCODE_LENGTH(bsize));
+    if ((buff == NULL) || (strbuf == NULL)) {
+        BIO_printf(bio_err, "OPENSSL_malloc failure %ld\n",
+                   (long)EVP_ENCODE_LENGTH(bsize));
+        goto end;
+    }
+
+    in = BIO_new(BIO_s_file());
+    out = BIO_new(BIO_s_file());
+    if ((in == NULL) || (out == NULL)) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+    if (debug) {
+        BIO_set_callback(in, BIO_debug_callback);
+        BIO_set_callback(out, BIO_debug_callback);
+        BIO_set_callback_arg(in, (char *)bio_err);
+        BIO_set_callback_arg(out, (char *)bio_err);
+    }
+
+    if (inf == NULL) {
+#ifndef OPENSSL_NO_SETVBUF_IONBF
+        if (bufsize != NULL)
+            setvbuf(stdin, (char *)NULL, _IONBF, 0);
+#endif                          /* ndef OPENSSL_NO_SETVBUF_IONBF */
+        BIO_set_fp(in, stdin, BIO_NOCLOSE);
+    } else {
+        if (BIO_read_filename(in, inf) <= 0) {
+            perror(inf);
+            goto end;
+        }
+    }
+
+    if (!str && passarg) {
+        if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) {
+            BIO_printf(bio_err, "Error getting password\n");
+            goto end;
+        }
+        str = pass;
+    }
+
+    if ((str == NULL) && (cipher != NULL) && (hkey == NULL)) {
+        for (;;) {
+            char buf[200];
+
+            BIO_snprintf(buf, sizeof buf, "enter %s %s password:",
+                         OBJ_nid2ln(EVP_CIPHER_nid(cipher)),
+                         (enc) ? "encryption" : "decryption");
+            strbuf[0] = '\0';
+            i = EVP_read_pw_string((char *)strbuf, SIZE, buf, enc);
+            if (i == 0) {
+                if (strbuf[0] == '\0') {
+                    ret = 1;
+                    goto end;
+                }
+                str = strbuf;
+                break;
+            }
+            if (i < 0) {
+                BIO_printf(bio_err, "bad password read\n");
+                goto end;
+            }
+        }
+    }
+
+    if (outf == NULL) {
+        BIO_set_fp(out, stdout, BIO_NOCLOSE);
+#ifndef OPENSSL_NO_SETVBUF_IONBF
+        if (bufsize != NULL)
+            setvbuf(stdout, (char *)NULL, _IONBF, 0);
+#endif                          /* ndef OPENSSL_NO_SETVBUF_IONBF */
+#ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+#endif
+    } else {
+        if (BIO_write_filename(out, outf) <= 0) {
+            perror(outf);
+            goto end;
+        }
+    }
+
+    rbio = in;
+    wbio = out;
+
+#ifdef ZLIB
+
+    if (do_zlib) {
+        if ((bzl = BIO_new(BIO_f_zlib())) == NULL)
+            goto end;
+        if (enc)
+            wbio = BIO_push(bzl, wbio);
+        else
+            rbio = BIO_push(bzl, rbio);
+    }
+#endif
+
+    if (base64) {
+        if ((b64 = BIO_new(BIO_f_base64())) == NULL)
+            goto end;
+        if (debug) {
+            BIO_set_callback(b64, BIO_debug_callback);
+            BIO_set_callback_arg(b64, (char *)bio_err);
+        }
+        if (olb64)
+            BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
+        if (enc)
+            wbio = BIO_push(b64, wbio);
+        else
+            rbio = BIO_push(b64, rbio);
+    }
+
+    if (cipher != NULL) {
+        /*
+         * Note that str is NULL if a key was passed on the command line, so
+         * we get no salt in that case. Is this a bug?
+         */
+        if (str != NULL) {
+            /*
+             * Salt handling: if encrypting generate a salt and write to
+             * output BIO. If decrypting read salt from input BIO.
+             */
+            unsigned char *sptr;
+            if (nosalt)
+                sptr = NULL;
+            else {
+                if (enc) {
+                    if (hsalt) {
+                        if (!set_hex(hsalt, salt, sizeof salt)) {
+                            BIO_printf(bio_err, "invalid hex salt value\n");
+                            goto end;
+                        }
+                    } else if (RAND_bytes(salt, sizeof salt) <= 0)
+                        goto end;
+                    /*
+                     * If -P option then don't bother writing
+                     */
+                    if ((printkey != 2)
+                        && (BIO_write(wbio, magic,
+                                      sizeof magic - 1) != sizeof magic - 1
+                            || BIO_write(wbio,
+                                         (char *)salt,
+                                         sizeof salt) != sizeof salt)) {
+                        BIO_printf(bio_err, "error writing output file\n");
+                        goto end;
+                    }
+                } else if (BIO_read(rbio, mbuf, sizeof mbuf) != sizeof mbuf
+                           || BIO_read(rbio,
+                                       (unsigned char *)salt,
+                                       sizeof salt) != sizeof salt) {
+                    BIO_printf(bio_err, "error reading input file\n");
+                    goto end;
+                } else if (memcmp(mbuf, magic, sizeof magic - 1)) {
+                    BIO_printf(bio_err, "bad magic number\n");
+                    goto end;
+                }
+
+                sptr = salt;
+            }
+
+            EVP_BytesToKey(cipher, dgst, sptr,
+                           (unsigned char *)str, strlen(str), 1, key, iv);
+            /*
+             * zero the complete buffer or the string passed from the command
+             * line bug picked up by Larry J. Hughes Jr. <hughes@indiana.edu>
+             */
+            if (str == strbuf)
+                OPENSSL_cleanse(str, SIZE);
+            else
+                OPENSSL_cleanse(str, strlen(str));
+        }
+        if (hiv != NULL) {
+            int siz = EVP_CIPHER_iv_length(cipher);
+            if (siz == 0) {
+                BIO_printf(bio_err, "warning: iv not use by this cipher\n");
+            } else if (!set_hex(hiv, iv, sizeof iv)) {
+                BIO_printf(bio_err, "invalid hex iv value\n");
+                goto end;
+            }
+        }
+        if ((hiv == NULL) && (str == NULL)
+            && EVP_CIPHER_iv_length(cipher) != 0) {
+            /*
+             * No IV was explicitly set and no IV was generated during
+             * EVP_BytesToKey. Hence the IV is undefined, making correct
+             * decryption impossible.
+             */
+            BIO_printf(bio_err, "iv undefined\n");
+            goto end;
+        }
+        if ((hkey != NULL) && !set_hex(hkey, key, EVP_CIPHER_key_length(cipher))) {
+            BIO_printf(bio_err, "invalid hex key value\n");
+            goto end;
+        }
+
+        if ((benc = BIO_new(BIO_f_cipher())) == NULL)
+            goto end;
+
+        /*
+         * Since we may be changing parameters work on the encryption context
+         * rather than calling BIO_set_cipher().
+         */
+
+        BIO_get_cipher_ctx(benc, &ctx);
+
+        if (non_fips_allow)
+            EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);
+
+        if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) {
+            BIO_printf(bio_err, "Error setting cipher %s\n",
+                       EVP_CIPHER_name(cipher));
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+
+        if (nopad)
+            EVP_CIPHER_CTX_set_padding(ctx, 0);
+
+        if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc)) {
+            BIO_printf(bio_err, "Error setting cipher %s\n",
+                       EVP_CIPHER_name(cipher));
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+
+        if (debug) {
+            BIO_set_callback(benc, BIO_debug_callback);
+            BIO_set_callback_arg(benc, (char *)bio_err);
+        }
+
+        if (printkey) {
+            if (!nosalt) {
+                printf("salt=");
+                for (i = 0; i < (int)sizeof(salt); i++)
+                    printf("%02X", salt[i]);
+                printf("\n");
+            }
+            if (cipher->key_len > 0) {
+                printf("key=");
+                for (i = 0; i < cipher->key_len; i++)
+                    printf("%02X", key[i]);
+                printf("\n");
+            }
+            if (cipher->iv_len > 0) {
+                printf("iv =");
+                for (i = 0; i < cipher->iv_len; i++)
+                    printf("%02X", iv[i]);
+                printf("\n");
+            }
+            if (printkey == 2) {
+                ret = 0;
+                goto end;
+            }
+        }
+    }
+
+    /* Only encrypt/decrypt as we write the file */
+    if (benc != NULL)
+        wbio = BIO_push(benc, wbio);
+
+    for (;;) {
+        inl = BIO_read(rbio, (char *)buff, bsize);
+        if (inl <= 0)
+            break;
+        if (BIO_write(wbio, (char *)buff, inl) != inl) {
+            BIO_printf(bio_err, "error writing output file\n");
+            goto end;
+        }
+    }
+    if (!BIO_flush(wbio)) {
+        BIO_printf(bio_err, "bad decrypt\n");
+        goto end;
+    }
+
+    ret = 0;
+    if (verbose) {
+        BIO_printf(bio_err, "bytes read   :%8ld\n", BIO_number_read(in));
+        BIO_printf(bio_err, "bytes written:%8ld\n", BIO_number_written(out));
+    }
+ end:
+    ERR_print_errors(bio_err);
+    if (strbuf != NULL)
+        OPENSSL_free(strbuf);
+    if (buff != NULL)
+        OPENSSL_free(buff);
+    if (in != NULL)
+        BIO_free(in);
+    if (out != NULL)
+        BIO_free_all(out);
+    if (benc != NULL)
+        BIO_free(benc);
+    if (b64 != NULL)
+        BIO_free(b64);
+#ifdef ZLIB
+    if (bzl != NULL)
+        BIO_free(bzl);
+#endif
+    release_engine(e);
+    if (pass)
+        OPENSSL_free(pass);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+
+int set_hex(char *in, unsigned char *out, int size)
+{
+    int i, n;
+    unsigned char j;
+
+    n = strlen(in);
+    if (n > (size * 2)) {
+        BIO_printf(bio_err, "hex string is too long\n");
+        return (0);
+    }
+    memset(out, 0, size);
+    for (i = 0; i < n; i++) {
+        j = (unsigned char)*in;
+        *(in++) = '\0';
+        if (j == 0)
+            break;
+        if ((j >= '0') && (j <= '9'))
+            j -= '0';
+        else if ((j >= 'A') && (j <= 'F'))
+            j = j - 'A' + 10;
+        else if ((j >= 'a') && (j <= 'f'))
+            j = j - 'a' + 10;
+        else {
+            BIO_printf(bio_err, "non-hex digit\n");
+            return (0);
+        }
+        if (i & 1)
+            out[i / 2] |= j;
+        else
+            out[i / 2] = (j << 4);
+    }
+    return (1);
+}
diff --git a/openssl/apps/engine.c b/openssl/apps/engine.c
new file mode 100644
index 0000000..f54631b
--- /dev/null
+++ b/openssl/apps/engine.c
@@ -0,0 +1,512 @@
+/* apps/engine.c */
+/*
+ * Written by Richard Levitte <richard@levitte.org> for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef OPENSSL_NO_STDIO
+# define APPS_WIN16
+#endif
+#include "apps.h"
+#include <openssl/err.h>
+#ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+# include <openssl/ssl.h>
+
+# undef PROG
+# define PROG    engine_main
+
+static const char *engine_usage[] = {
+    "usage: engine opts [engine ...]\n",
+    " -v[v[v[v]]] - verbose mode, for each engine, list its 'control commands'\n",
+    "               -vv will additionally display each command's description\n",
+    "               -vvv will also add the input flags for each command\n",
+    "               -vvvv will also show internal input flags\n",
+    " -c          - for each engine, also list the capabilities\n",
+    " -t[t]       - for each engine, check that they are really available\n",
+    "               -tt will display error trace for unavailable engines\n",
+    " -pre <cmd>  - runs command 'cmd' against the ENGINE before any attempts\n",
+    "               to load it (if -t is used)\n",
+    " -post <cmd> - runs command 'cmd' against the ENGINE after loading it\n",
+    "               (only used if -t is also provided)\n",
+    " NB: -pre and -post will be applied to all ENGINEs supplied on the command\n",
+    " line, or all supported ENGINEs if none are specified.\n",
+    " Eg. '-pre \"SO_PATH:/lib/libdriver.so\"' calls command \"SO_PATH\" with\n",
+    " argument \"/lib/libdriver.so\".\n",
+    NULL
+};
+
+static void identity(char *ptr)
+{
+    return;
+}
+
+static int append_buf(char **buf, const char *s, int *size, int step)
+{
+    if (*buf == NULL) {
+        *size = step;
+        *buf = OPENSSL_malloc(*size);
+        if (*buf == NULL)
+            return 0;
+        **buf = '\0';
+    }
+
+    if (strlen(*buf) + strlen(s) >= (unsigned int)*size) {
+        *size += step;
+        *buf = OPENSSL_realloc(*buf, *size);
+    }
+
+    if (*buf == NULL)
+        return 0;
+
+    if (**buf != '\0')
+        BUF_strlcat(*buf, ", ", *size);
+    BUF_strlcat(*buf, s, *size);
+
+    return 1;
+}
+
+static int util_flags(BIO *bio_out, unsigned int flags, const char *indent)
+{
+    int started = 0, err = 0;
+    /* Indent before displaying input flags */
+    BIO_printf(bio_out, "%s%s(input flags): ", indent, indent);
+    if (flags == 0) {
+        BIO_printf(bio_out, "<no flags>\n");
+        return 1;
+    }
+    /*
+     * If the object is internal, mark it in a way that shows instead of
+     * having it part of all the other flags, even if it really is.
+     */
+    if (flags & ENGINE_CMD_FLAG_INTERNAL) {
+        BIO_printf(bio_out, "[Internal] ");
+    }
+
+    if (flags & ENGINE_CMD_FLAG_NUMERIC) {
+        BIO_printf(bio_out, "NUMERIC");
+        started = 1;
+    }
+    /*
+     * Now we check that no combinations of the mutually exclusive NUMERIC,
+     * STRING, and NO_INPUT flags have been used. Future flags that can be
+     * OR'd together with these would need to added after these to preserve
+     * the testing logic.
+     */
+    if (flags & ENGINE_CMD_FLAG_STRING) {
+        if (started) {
+            BIO_printf(bio_out, "|");
+            err = 1;
+        }
+        BIO_printf(bio_out, "STRING");
+        started = 1;
+    }
+    if (flags & ENGINE_CMD_FLAG_NO_INPUT) {
+        if (started) {
+            BIO_printf(bio_out, "|");
+            err = 1;
+        }
+        BIO_printf(bio_out, "NO_INPUT");
+        started = 1;
+    }
+    /* Check for unknown flags */
+    flags = flags & ~ENGINE_CMD_FLAG_NUMERIC &
+        ~ENGINE_CMD_FLAG_STRING &
+        ~ENGINE_CMD_FLAG_NO_INPUT & ~ENGINE_CMD_FLAG_INTERNAL;
+    if (flags) {
+        if (started)
+            BIO_printf(bio_out, "|");
+        BIO_printf(bio_out, "<0x%04X>", flags);
+    }
+    if (err)
+        BIO_printf(bio_out, "  <illegal flags!>");
+    BIO_printf(bio_out, "\n");
+    return 1;
+}
+
+static int util_verbose(ENGINE *e, int verbose, BIO *bio_out,
+                        const char *indent)
+{
+    static const int line_wrap = 78;
+    int num;
+    int ret = 0;
+    char *name = NULL;
+    char *desc = NULL;
+    int flags;
+    int xpos = 0;
+    STACK_OF(OPENSSL_STRING) *cmds = NULL;
+    if (!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) ||
+        ((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE,
+                            0, NULL, NULL)) <= 0)) {
+# if 0
+        BIO_printf(bio_out, "%s<no control commands>\n", indent);
+# endif
+        return 1;
+    }
+
+    cmds = sk_OPENSSL_STRING_new_null();
+
+    if (!cmds)
+        goto err;
+    do {
+        int len;
+        /* Get the command input flags */
+        if ((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, num,
+                                 NULL, NULL)) < 0)
+            goto err;
+        if (!(flags & ENGINE_CMD_FLAG_INTERNAL) || verbose >= 4) {
+            /* Get the command name */
+            if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_LEN_FROM_CMD, num,
+                                   NULL, NULL)) <= 0)
+                goto err;
+            if ((name = OPENSSL_malloc(len + 1)) == NULL)
+                goto err;
+            if (ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_FROM_CMD, num, name,
+                            NULL) <= 0)
+                goto err;
+            /* Get the command description */
+            if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_LEN_FROM_CMD, num,
+                                   NULL, NULL)) < 0)
+                goto err;
+            if (len > 0) {
+                if ((desc = OPENSSL_malloc(len + 1)) == NULL)
+                    goto err;
+                if (ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_FROM_CMD, num, desc,
+                                NULL) <= 0)
+                    goto err;
+            }
+            /* Now decide on the output */
+            if (xpos == 0)
+                /* Do an indent */
+                xpos = BIO_puts(bio_out, indent);
+            else
+                /* Otherwise prepend a ", " */
+                xpos += BIO_printf(bio_out, ", ");
+            if (verbose == 1) {
+                /*
+                 * We're just listing names, comma-delimited
+                 */
+                if ((xpos > (int)strlen(indent)) &&
+                    (xpos + (int)strlen(name) > line_wrap)) {
+                    BIO_printf(bio_out, "\n");
+                    xpos = BIO_puts(bio_out, indent);
+                }
+                xpos += BIO_printf(bio_out, "%s", name);
+            } else {
+                /* We're listing names plus descriptions */
+                BIO_printf(bio_out, "%s: %s\n", name,
+                           (desc == NULL) ? "<no description>" : desc);
+                /* ... and sometimes input flags */
+                if ((verbose >= 3) && !util_flags(bio_out, flags, indent))
+                    goto err;
+                xpos = 0;
+            }
+        }
+        OPENSSL_free(name);
+        name = NULL;
+        if (desc) {
+            OPENSSL_free(desc);
+            desc = NULL;
+        }
+        /* Move to the next command */
+        num = ENGINE_ctrl(e, ENGINE_CTRL_GET_NEXT_CMD_TYPE, num, NULL, NULL);
+    } while (num > 0);
+    if (xpos > 0)
+        BIO_printf(bio_out, "\n");
+    ret = 1;
+ err:
+    if (cmds)
+        sk_OPENSSL_STRING_pop_free(cmds, identity);
+    if (name)
+        OPENSSL_free(name);
+    if (desc)
+        OPENSSL_free(desc);
+    return ret;
+}
+
+static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds,
+                         BIO *bio_out, const char *indent)
+{
+    int loop, res, num = sk_OPENSSL_STRING_num(cmds);
+
+    if (num < 0) {
+        BIO_printf(bio_out, "[Error]: internal stack error\n");
+        return;
+    }
+    for (loop = 0; loop < num; loop++) {
+        char buf[256];
+        const char *cmd, *arg;
+        cmd = sk_OPENSSL_STRING_value(cmds, loop);
+        res = 1;                /* assume success */
+        /* Check if this command has no ":arg" */
+        if ((arg = strstr(cmd, ":")) == NULL) {
+            if (!ENGINE_ctrl_cmd_string(e, cmd, NULL, 0))
+                res = 0;
+        } else {
+            if ((int)(arg - cmd) > 254) {
+                BIO_printf(bio_out, "[Error]: command name too long\n");
+                return;
+            }
+            memcpy(buf, cmd, (int)(arg - cmd));
+            buf[arg - cmd] = '\0';
+            arg++;              /* Move past the ":" */
+            /* Call the command with the argument */
+            if (!ENGINE_ctrl_cmd_string(e, buf, arg, 0))
+                res = 0;
+        }
+        if (res)
+            BIO_printf(bio_out, "[Success]: %s\n", cmd);
+        else {
+            BIO_printf(bio_out, "[Failure]: %s\n", cmd);
+            ERR_print_errors(bio_out);
+        }
+    }
+}
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    int ret = 1, i;
+    const char **pp;
+    int verbose = 0, list_cap = 0, test_avail = 0, test_avail_noise = 0;
+    ENGINE *e;
+    STACK_OF(OPENSSL_STRING) *engines = sk_OPENSSL_STRING_new_null();
+    STACK_OF(OPENSSL_STRING) *pre_cmds = sk_OPENSSL_STRING_new_null();
+    STACK_OF(OPENSSL_STRING) *post_cmds = sk_OPENSSL_STRING_new_null();
+    int badops = 1;
+    BIO *bio_out = NULL;
+    const char *indent = "     ";
+
+    apps_startup();
+    SSL_load_error_strings();
+
+    if (bio_err == NULL)
+        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+    bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
+# ifdef OPENSSL_SYS_VMS
+    {
+        BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+        bio_out = BIO_push(tmpbio, bio_out);
+    }
+# endif
+
+    argc--;
+    argv++;
+    while (argc >= 1) {
+        if (strncmp(*argv, "-v", 2) == 0) {
+            if (strspn(*argv + 1, "v") < strlen(*argv + 1))
+                goto skip_arg_loop;
+            if ((verbose = strlen(*argv + 1)) > 4)
+                goto skip_arg_loop;
+        } else if (strcmp(*argv, "-c") == 0)
+            list_cap = 1;
+        else if (strncmp(*argv, "-t", 2) == 0) {
+            test_avail = 1;
+            if (strspn(*argv + 1, "t") < strlen(*argv + 1))
+                goto skip_arg_loop;
+            if ((test_avail_noise = strlen(*argv + 1) - 1) > 1)
+                goto skip_arg_loop;
+        } else if (strcmp(*argv, "-pre") == 0) {
+            argc--;
+            argv++;
+            if (argc == 0)
+                goto skip_arg_loop;
+            sk_OPENSSL_STRING_push(pre_cmds, *argv);
+        } else if (strcmp(*argv, "-post") == 0) {
+            argc--;
+            argv++;
+            if (argc == 0)
+                goto skip_arg_loop;
+            sk_OPENSSL_STRING_push(post_cmds, *argv);
+        } else if ((strncmp(*argv, "-h", 2) == 0) ||
+                   (strcmp(*argv, "-?") == 0))
+            goto skip_arg_loop;
+        else
+            sk_OPENSSL_STRING_push(engines, *argv);
+        argc--;
+        argv++;
+    }
+    /* Looks like everything went OK */
+    badops = 0;
+ skip_arg_loop:
+
+    if (badops) {
+        for (pp = engine_usage; (*pp != NULL); pp++)
+            BIO_printf(bio_err, "%s", *pp);
+        goto end;
+    }
+
+    if (sk_OPENSSL_STRING_num(engines) == 0) {
+        for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
+            sk_OPENSSL_STRING_push(engines, (char *)ENGINE_get_id(e));
+        }
+    }
+
+    for (i = 0; i < sk_OPENSSL_STRING_num(engines); i++) {
+        const char *id = sk_OPENSSL_STRING_value(engines, i);
+        if ((e = ENGINE_by_id(id)) != NULL) {
+            const char *name = ENGINE_get_name(e);
+            /*
+             * Do "id" first, then "name". Easier to auto-parse.
+             */
+            BIO_printf(bio_out, "(%s) %s\n", id, name);
+            util_do_cmds(e, pre_cmds, bio_out, indent);
+            if (strcmp(ENGINE_get_id(e), id) != 0) {
+                BIO_printf(bio_out, "Loaded: (%s) %s\n",
+                           ENGINE_get_id(e), ENGINE_get_name(e));
+            }
+            if (list_cap) {
+                int cap_size = 256;
+                char *cap_buf = NULL;
+                int k, n;
+                const int *nids;
+                ENGINE_CIPHERS_PTR fn_c;
+                ENGINE_DIGESTS_PTR fn_d;
+                ENGINE_PKEY_METHS_PTR fn_pk;
+
+                if (ENGINE_get_RSA(e) != NULL
+                    && !append_buf(&cap_buf, "RSA", &cap_size, 256))
+                    goto end;
+                if (ENGINE_get_DSA(e) != NULL
+                    && !append_buf(&cap_buf, "DSA", &cap_size, 256))
+                    goto end;
+                if (ENGINE_get_DH(e) != NULL
+                    && !append_buf(&cap_buf, "DH", &cap_size, 256))
+                    goto end;
+                if (ENGINE_get_RAND(e) != NULL
+                    && !append_buf(&cap_buf, "RAND", &cap_size, 256))
+                    goto end;
+
+                fn_c = ENGINE_get_ciphers(e);
+                if (!fn_c)
+                    goto skip_ciphers;
+                n = fn_c(e, NULL, &nids, 0);
+                for (k = 0; k < n; ++k)
+                    if (!append_buf(&cap_buf,
+                                    OBJ_nid2sn(nids[k]), &cap_size, 256))
+                        goto end;
+
+ skip_ciphers:
+                fn_d = ENGINE_get_digests(e);
+                if (!fn_d)
+                    goto skip_digests;
+                n = fn_d(e, NULL, &nids, 0);
+                for (k = 0; k < n; ++k)
+                    if (!append_buf(&cap_buf,
+                                    OBJ_nid2sn(nids[k]), &cap_size, 256))
+                        goto end;
+
+ skip_digests:
+                fn_pk = ENGINE_get_pkey_meths(e);
+                if (!fn_pk)
+                    goto skip_pmeths;
+                n = fn_pk(e, NULL, &nids, 0);
+                for (k = 0; k < n; ++k)
+                    if (!append_buf(&cap_buf,
+                                    OBJ_nid2sn(nids[k]), &cap_size, 256))
+                        goto end;
+ skip_pmeths:
+                if (cap_buf && (*cap_buf != '\0'))
+                    BIO_printf(bio_out, " [%s]\n", cap_buf);
+
+                OPENSSL_free(cap_buf);
+            }
+            if (test_avail) {
+                BIO_printf(bio_out, "%s", indent);
+                if (ENGINE_init(e)) {
+                    BIO_printf(bio_out, "[ available ]\n");
+                    util_do_cmds(e, post_cmds, bio_out, indent);
+                    ENGINE_finish(e);
+                } else {
+                    BIO_printf(bio_out, "[ unavailable ]\n");
+                    if (test_avail_noise)
+                        ERR_print_errors_fp(stdout);
+                    ERR_clear_error();
+                }
+            }
+            if ((verbose > 0) && !util_verbose(e, verbose, bio_out, indent))
+                goto end;
+            ENGINE_free(e);
+        } else
+            ERR_print_errors(bio_err);
+    }
+
+    ret = 0;
+ end:
+
+    ERR_print_errors(bio_err);
+    sk_OPENSSL_STRING_pop_free(engines, identity);
+    sk_OPENSSL_STRING_pop_free(pre_cmds, identity);
+    sk_OPENSSL_STRING_pop_free(post_cmds, identity);
+    if (bio_out != NULL)
+        BIO_free_all(bio_out);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+#else
+
+# if PEDANTIC
+static void *dummy = &dummy;
+# endif
+
+#endif
diff --git a/openssl/apps/errstr.c b/openssl/apps/errstr.c
new file mode 100644
index 0000000..c2d4fde
--- /dev/null
+++ b/openssl/apps/errstr.c
@@ -0,0 +1,121 @@
+/* apps/errstr.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/lhash.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
+#undef PROG
+#define PROG    errstr_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    int i, ret = 0;
+    char buf[256];
+    unsigned long l;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    SSL_load_error_strings();
+
+    if ((argc > 1) && (strcmp(argv[1], "-stats") == 0)) {
+        BIO *out = NULL;
+
+        out = BIO_new(BIO_s_file());
+        if ((out != NULL) && BIO_set_fp(out, stdout, BIO_NOCLOSE)) {
+#ifdef OPENSSL_SYS_VMS
+            {
+                BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+                out = BIO_push(tmpbio, out);
+            }
+#endif
+            lh_ERR_STRING_DATA_node_stats_bio(ERR_get_string_table(), out);
+            lh_ERR_STRING_DATA_stats_bio(ERR_get_string_table(), out);
+            lh_ERR_STRING_DATA_node_usage_stats_bio(ERR_get_string_table(),
+                                                    out);
+        }
+        if (out != NULL)
+            BIO_free_all(out);
+        argc--;
+        argv++;
+    }
+
+    for (i = 1; i < argc; i++) {
+        if (sscanf(argv[i], "%lx", &l)) {
+            ERR_error_string_n(l, buf, sizeof buf);
+            printf("%s\n", buf);
+        } else {
+            printf("%s: bad error code\n", argv[i]);
+            printf("usage: errstr [-stats] <errno> ...\n");
+            ret++;
+        }
+    }
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
diff --git a/openssl/apps/gendh.c b/openssl/apps/gendh.c
new file mode 100644
index 0000000..59484c2
--- /dev/null
+++ b/openssl/apps/gendh.c
@@ -0,0 +1,244 @@
+/* apps/gendh.c */
+/* obsoleted by dhparam.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/opensslconf.h>
+/*
+ * Until the key-gen callbacks are modified to use newer prototypes, we allow
+ * deprecated functions for openssl-internal code
+ */
+#ifdef OPENSSL_NO_DEPRECATED
+# undef OPENSSL_NO_DEPRECATED
+#endif
+
+#ifndef OPENSSL_NO_DH
+# include <stdio.h>
+# include <string.h>
+# include <sys/types.h>
+# include <sys/stat.h>
+# include "apps.h"
+# include <openssl/bio.h>
+# include <openssl/rand.h>
+# include <openssl/err.h>
+# include <openssl/bn.h>
+# include <openssl/dh.h>
+# include <openssl/x509.h>
+# include <openssl/pem.h>
+
+# define DEFBITS 2048
+# undef PROG
+# define PROG gendh_main
+
+static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb);
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    BN_GENCB cb;
+    DH *dh = NULL;
+    int ret = 1, num = DEFBITS;
+    int g = 2;
+    char *outfile = NULL;
+    char *inrand = NULL;
+    char *engine = NULL;
+    BIO *out = NULL;
+
+    apps_startup();
+
+    BN_GENCB_set(&cb, dh_cb, bio_err);
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    argv++;
+    argc--;
+    for (;;) {
+        if (argc <= 0)
+            break;
+        if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outfile = *(++argv);
+        } else if (strcmp(*argv, "-2") == 0)
+            g = 2;
+/*-     else if (strcmp(*argv,"-3") == 0)
+                g=3; */
+        else if (strcmp(*argv, "-5") == 0)
+            g = 5;
+# ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            engine = *(++argv);
+        }
+# endif
+        else if (strcmp(*argv, "-rand") == 0) {
+            if (--argc < 1)
+                goto bad;
+            inrand = *(++argv);
+        } else
+            break;
+        argv++;
+        argc--;
+    }
+    if ((argc >= 1) && ((sscanf(*argv, "%d", &num) == 0) || (num < 0))) {
+ bad:
+        BIO_printf(bio_err, "usage: gendh [args] [numbits]\n");
+        BIO_printf(bio_err, " -out file - output the key to 'file\n");
+        BIO_printf(bio_err, " -2        - use 2 as the generator value\n");
+        /*
+         * BIO_printf(bio_err," -3 - use 3 as the generator value\n");
+         */
+        BIO_printf(bio_err, " -5        - use 5 as the generator value\n");
+# ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   " -engine e - use engine e, possibly a hardware device.\n");
+# endif
+        BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
+                   LIST_SEPARATOR_CHAR);
+        BIO_printf(bio_err,
+                   "           - load the file (or the files in the directory) into\n");
+        BIO_printf(bio_err, "             the random number generator\n");
+        goto end;
+    }
+    setup_engine(bio_err, engine, 0);
+
+    out = BIO_new(BIO_s_file());
+    if (out == NULL) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (outfile == NULL) {
+        BIO_set_fp(out, stdout, BIO_NOCLOSE);
+# ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+# endif
+    } else {
+        if (BIO_write_filename(out, outfile) <= 0) {
+            perror(outfile);
+            goto end;
+        }
+    }
+
+    if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL) {
+        BIO_printf(bio_err,
+                   "warning, not much extra random data, consider using the -rand option\n");
+    }
+    if (inrand != NULL)
+        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
+                   app_RAND_load_files(inrand));
+
+    BIO_printf(bio_err,
+               "Generating DH parameters, %d bit long safe prime, generator %d\n",
+               num, g);
+    BIO_printf(bio_err, "This is going to take a long time\n");
+
+    if (((dh = DH_new()) == NULL)
+        || !DH_generate_parameters_ex(dh, num, g, &cb))
+        goto end;
+
+    app_RAND_write_file(NULL, bio_err);
+
+    if (!PEM_write_bio_DHparams(out, dh))
+        goto end;
+    ret = 0;
+ end:
+    if (ret != 0)
+        ERR_print_errors(bio_err);
+    if (out != NULL)
+        BIO_free_all(out);
+    if (dh != NULL)
+        DH_free(dh);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+
+static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb)
+{
+    char c = '*';
+
+    if (p == 0)
+        c = '.';
+    if (p == 1)
+        c = '+';
+    if (p == 2)
+        c = '*';
+    if (p == 3)
+        c = '\n';
+    BIO_write(cb->arg, &c, 1);
+    (void)BIO_flush(cb->arg);
+# ifdef LINT
+    p = n;
+# endif
+    return 1;
+}
+#else                           /* !OPENSSL_NO_DH */
+
+# if PEDANTIC
+static void *dummy = &dummy;
+# endif
+
+#endif
diff --git a/openssl/apps/gendsa.c b/openssl/apps/gendsa.c
new file mode 100644
index 0000000..31510e6
--- /dev/null
+++ b/openssl/apps/gendsa.c
@@ -0,0 +1,285 @@
+/* apps/gendsa.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
+#ifndef OPENSSL_NO_DSA
+# include <stdio.h>
+# include <string.h>
+# include <sys/types.h>
+# include <sys/stat.h>
+# include "apps.h"
+# include <openssl/bio.h>
+# include <openssl/err.h>
+# include <openssl/bn.h>
+# include <openssl/dsa.h>
+# include <openssl/x509.h>
+# include <openssl/pem.h>
+
+# define DEFBITS 512
+# undef PROG
+# define PROG gendsa_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    DSA *dsa = NULL;
+    int ret = 1;
+    char *outfile = NULL;
+    char *inrand = NULL, *dsaparams = NULL;
+    char *passargout = NULL, *passout = NULL;
+    BIO *out = NULL, *in = NULL;
+    const EVP_CIPHER *enc = NULL;
+    char *engine = NULL;
+    ENGINE *e = NULL;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    argv++;
+    argc--;
+    for (;;) {
+        if (argc <= 0)
+            break;
+        if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outfile = *(++argv);
+        } else if (strcmp(*argv, "-passout") == 0) {
+            if (--argc < 1)
+                goto bad;
+            passargout = *(++argv);
+        }
+# ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            engine = *(++argv);
+        }
+# endif
+        else if (strcmp(*argv, "-rand") == 0) {
+            if (--argc < 1)
+                goto bad;
+            inrand = *(++argv);
+        } else if (strcmp(*argv, "-") == 0)
+            goto bad;
+# ifndef OPENSSL_NO_DES
+        else if (strcmp(*argv, "-des") == 0)
+            enc = EVP_des_cbc();
+        else if (strcmp(*argv, "-des3") == 0)
+            enc = EVP_des_ede3_cbc();
+# endif
+# ifndef OPENSSL_NO_IDEA
+        else if (strcmp(*argv, "-idea") == 0)
+            enc = EVP_idea_cbc();
+# endif
+# ifndef OPENSSL_NO_SEED
+        else if (strcmp(*argv, "-seed") == 0)
+            enc = EVP_seed_cbc();
+# endif
+# ifndef OPENSSL_NO_AES
+        else if (strcmp(*argv, "-aes128") == 0)
+            enc = EVP_aes_128_cbc();
+        else if (strcmp(*argv, "-aes192") == 0)
+            enc = EVP_aes_192_cbc();
+        else if (strcmp(*argv, "-aes256") == 0)
+            enc = EVP_aes_256_cbc();
+# endif
+# ifndef OPENSSL_NO_CAMELLIA
+        else if (strcmp(*argv, "-camellia128") == 0)
+            enc = EVP_camellia_128_cbc();
+        else if (strcmp(*argv, "-camellia192") == 0)
+            enc = EVP_camellia_192_cbc();
+        else if (strcmp(*argv, "-camellia256") == 0)
+            enc = EVP_camellia_256_cbc();
+# endif
+        else if (**argv != '-' && dsaparams == NULL) {
+            dsaparams = *argv;
+        } else
+            goto bad;
+        argv++;
+        argc--;
+    }
+
+    if (dsaparams == NULL) {
+ bad:
+        BIO_printf(bio_err, "usage: gendsa [args] dsaparam-file\n");
+        BIO_printf(bio_err, " -out file - output the key to 'file'\n");
+# ifndef OPENSSL_NO_DES
+        BIO_printf(bio_err,
+                   " -des      - encrypt the generated key with DES in cbc mode\n");
+        BIO_printf(bio_err,
+                   " -des3     - encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
+# endif
+# ifndef OPENSSL_NO_IDEA
+        BIO_printf(bio_err,
+                   " -idea     - encrypt the generated key with IDEA in cbc mode\n");
+# endif
+# ifndef OPENSSL_NO_SEED
+        BIO_printf(bio_err, " -seed\n");
+        BIO_printf(bio_err,
+                   "                 encrypt PEM output with cbc seed\n");
+# endif
+# ifndef OPENSSL_NO_AES
+        BIO_printf(bio_err, " -aes128, -aes192, -aes256\n");
+        BIO_printf(bio_err,
+                   "                 encrypt PEM output with cbc aes\n");
+# endif
+# ifndef OPENSSL_NO_CAMELLIA
+        BIO_printf(bio_err, " -camellia128, -camellia192, -camellia256\n");
+        BIO_printf(bio_err,
+                   "                 encrypt PEM output with cbc camellia\n");
+# endif
+# ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   " -engine e - use engine e, possibly a hardware device.\n");
+# endif
+        BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
+                   LIST_SEPARATOR_CHAR);
+        BIO_printf(bio_err,
+                   "           - load the file (or the files in the directory) into\n");
+        BIO_printf(bio_err, "             the random number generator\n");
+        BIO_printf(bio_err, " dsaparam-file\n");
+        BIO_printf(bio_err,
+                   "           - a DSA parameter file as generated by the dsaparam command\n");
+        goto end;
+    }
+    e = setup_engine(bio_err, engine, 0);
+
+    if (!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
+        BIO_printf(bio_err, "Error getting password\n");
+        goto end;
+    }
+
+    in = BIO_new(BIO_s_file());
+    if (!(BIO_read_filename(in, dsaparams))) {
+        perror(dsaparams);
+        goto end;
+    }
+
+    if ((dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL)) == NULL) {
+        BIO_printf(bio_err, "unable to load DSA parameter file\n");
+        goto end;
+    }
+    BIO_free(in);
+    in = NULL;
+
+    out = BIO_new(BIO_s_file());
+    if (out == NULL)
+        goto end;
+
+    if (outfile == NULL) {
+        BIO_set_fp(out, stdout, BIO_NOCLOSE);
+# ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+# endif
+    } else {
+        if (BIO_write_filename(out, outfile) <= 0) {
+            perror(outfile);
+            goto end;
+        }
+    }
+
+    if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL) {
+        BIO_printf(bio_err,
+                   "warning, not much extra random data, consider using the -rand option\n");
+    }
+    if (inrand != NULL)
+        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
+                   app_RAND_load_files(inrand));
+
+    BIO_printf(bio_err, "Generating DSA key, %d bits\n", BN_num_bits(dsa->p));
+    if (!DSA_generate_key(dsa))
+        goto end;
+
+    app_RAND_write_file(NULL, bio_err);
+
+    if (!PEM_write_bio_DSAPrivateKey(out, dsa, enc, NULL, 0, NULL, passout))
+        goto end;
+    ret = 0;
+ end:
+    if (ret != 0)
+        ERR_print_errors(bio_err);
+    if (in != NULL)
+        BIO_free(in);
+    if (out != NULL)
+        BIO_free_all(out);
+    if (dsa != NULL)
+        DSA_free(dsa);
+    release_engine(e);
+    if (passout)
+        OPENSSL_free(passout);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+#else                           /* !OPENSSL_NO_DSA */
+
+# if PEDANTIC
+static void *dummy = &dummy;
+# endif
+
+#endif
diff --git a/openssl/apps/genpkey.c b/openssl/apps/genpkey.c
new file mode 100644
index 0000000..39dcef9
--- /dev/null
+++ b/openssl/apps/genpkey.c
@@ -0,0 +1,405 @@
+/* apps/genpkey.c */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <stdio.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+#endif
+
+static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx,
+                            const char *file, ENGINE *e);
+static int genpkey_cb(EVP_PKEY_CTX *ctx);
+
+#define PROG genpkey_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    ENGINE *e = NULL;
+    char **args, *outfile = NULL;
+    char *passarg = NULL;
+    BIO *in = NULL, *out = NULL;
+    const EVP_CIPHER *cipher = NULL;
+    int outformat;
+    int text = 0;
+    EVP_PKEY *pkey = NULL;
+    EVP_PKEY_CTX *ctx = NULL;
+    char *pass = NULL;
+    int badarg = 0;
+    int ret = 1, rv;
+
+    int do_param = 0;
+
+    if (bio_err == NULL)
+        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    outformat = FORMAT_PEM;
+
+    ERR_load_crypto_strings();
+    OpenSSL_add_all_algorithms();
+    args = argv + 1;
+    while (!badarg && *args && *args[0] == '-') {
+        if (!strcmp(*args, "-outform")) {
+            if (args[1]) {
+                args++;
+                outformat = str2fmt(*args);
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-pass")) {
+            if (!args[1])
+                goto bad;
+            passarg = *(++args);
+        }
+#ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*args, "-engine") == 0) {
+            if (!args[1])
+                goto bad;
+            e = setup_engine(bio_err, *(++args), 0);
+        }
+#endif
+        else if (!strcmp(*args, "-paramfile")) {
+            if (!args[1])
+                goto bad;
+            args++;
+            if (do_param == 1)
+                goto bad;
+            if (!init_keygen_file(bio_err, &ctx, *args, e))
+                goto end;
+        } else if (!strcmp(*args, "-out")) {
+            if (args[1]) {
+                args++;
+                outfile = *args;
+            } else
+                badarg = 1;
+        } else if (strcmp(*args, "-algorithm") == 0) {
+            if (!args[1])
+                goto bad;
+            if (!init_gen_str(bio_err, &ctx, *(++args), e, do_param))
+                goto end;
+        } else if (strcmp(*args, "-pkeyopt") == 0) {
+            if (!args[1])
+                goto bad;
+            if (!ctx) {
+                BIO_puts(bio_err, "No keytype specified\n");
+                goto bad;
+            } else if (pkey_ctrl_string(ctx, *(++args)) <= 0) {
+                BIO_puts(bio_err, "parameter setting error\n");
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+        } else if (strcmp(*args, "-genparam") == 0) {
+            if (ctx)
+                goto bad;
+            do_param = 1;
+        } else if (strcmp(*args, "-text") == 0)
+            text = 1;
+        else {
+            cipher = EVP_get_cipherbyname(*args + 1);
+            if (!cipher) {
+                BIO_printf(bio_err, "Unknown cipher %s\n", *args + 1);
+                badarg = 1;
+            }
+            if (do_param == 1)
+                badarg = 1;
+        }
+        args++;
+    }
+
+    if (!ctx)
+        badarg = 1;
+
+    if (badarg) {
+ bad:
+        BIO_printf(bio_err, "Usage: genpkey [options]\n");
+        BIO_printf(bio_err, "where options may be\n");
+        BIO_printf(bio_err, "-out file          output file\n");
+        BIO_printf(bio_err,
+                   "-outform X         output format (DER or PEM)\n");
+        BIO_printf(bio_err,
+                   "-pass arg          output file pass phrase source\n");
+        BIO_printf(bio_err,
+                   "-<cipher>          use cipher <cipher> to encrypt the key\n");
+#ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   "-engine e          use engine e, possibly a hardware device.\n");
+#endif
+        BIO_printf(bio_err, "-paramfile file    parameters file\n");
+        BIO_printf(bio_err, "-algorithm alg     the public key algorithm\n");
+        BIO_printf(bio_err,
+                   "-pkeyopt opt:value set the public key algorithm option <opt>\n"
+                   "                   to value <value>\n");
+        BIO_printf(bio_err,
+                   "-genparam          generate parameters, not key\n");
+        BIO_printf(bio_err, "-text              print the in text\n");
+        BIO_printf(bio_err,
+                   "NB: options order may be important!  See the manual page.\n");
+        goto end;
+    }
+
+    if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) {
+        BIO_puts(bio_err, "Error getting password\n");
+        goto end;
+    }
+
+    if (outfile) {
+        if (!(out = BIO_new_file(outfile, "wb"))) {
+            BIO_printf(bio_err, "Can't open output file %s\n", outfile);
+            goto end;
+        }
+    } else {
+        out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+#endif
+    }
+
+    EVP_PKEY_CTX_set_cb(ctx, genpkey_cb);
+    EVP_PKEY_CTX_set_app_data(ctx, bio_err);
+
+    if (do_param) {
+        if (EVP_PKEY_paramgen(ctx, &pkey) <= 0) {
+            BIO_puts(bio_err, "Error generating parameters\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    } else {
+        if (EVP_PKEY_keygen(ctx, &pkey) <= 0) {
+            BIO_puts(bio_err, "Error generating key\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+
+    if (do_param)
+        rv = PEM_write_bio_Parameters(out, pkey);
+    else if (outformat == FORMAT_PEM)
+        rv = PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0, NULL, pass);
+    else if (outformat == FORMAT_ASN1)
+        rv = i2d_PrivateKey_bio(out, pkey);
+    else {
+        BIO_printf(bio_err, "Bad format specified for key\n");
+        goto end;
+    }
+
+    if (rv <= 0) {
+        BIO_puts(bio_err, "Error writing key\n");
+        ERR_print_errors(bio_err);
+    }
+
+    if (text) {
+        if (do_param)
+            rv = EVP_PKEY_print_params(out, pkey, 0, NULL);
+        else
+            rv = EVP_PKEY_print_private(out, pkey, 0, NULL);
+
+        if (rv <= 0) {
+            BIO_puts(bio_err, "Error printing key\n");
+            ERR_print_errors(bio_err);
+        }
+    }
+
+    ret = 0;
+
+ end:
+    if (pkey)
+        EVP_PKEY_free(pkey);
+    if (ctx)
+        EVP_PKEY_CTX_free(ctx);
+    if (out)
+        BIO_free_all(out);
+    BIO_free(in);
+    release_engine(e);
+    if (pass)
+        OPENSSL_free(pass);
+    return ret;
+}
+
+static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx,
+                            const char *file, ENGINE *e)
+{
+    BIO *pbio;
+    EVP_PKEY *pkey = NULL;
+    EVP_PKEY_CTX *ctx = NULL;
+    if (*pctx) {
+        BIO_puts(err, "Parameters already set!\n");
+        return 0;
+    }
+
+    pbio = BIO_new_file(file, "r");
+    if (!pbio) {
+        BIO_printf(err, "Can't open parameter file %s\n", file);
+        return 0;
+    }
+
+    pkey = PEM_read_bio_Parameters(pbio, NULL);
+    BIO_free(pbio);
+
+    if (!pkey) {
+        BIO_printf(bio_err, "Error reading parameter file %s\n", file);
+        return 0;
+    }
+
+    ctx = EVP_PKEY_CTX_new(pkey, e);
+    if (!ctx)
+        goto err;
+    if (EVP_PKEY_keygen_init(ctx) <= 0)
+        goto err;
+    EVP_PKEY_free(pkey);
+    *pctx = ctx;
+    return 1;
+
+ err:
+    BIO_puts(err, "Error initializing context\n");
+    ERR_print_errors(err);
+    if (ctx)
+        EVP_PKEY_CTX_free(ctx);
+    if (pkey)
+        EVP_PKEY_free(pkey);
+    return 0;
+
+}
+
+int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
+                 const char *algname, ENGINE *e, int do_param)
+{
+    EVP_PKEY_CTX *ctx = NULL;
+    const EVP_PKEY_ASN1_METHOD *ameth;
+    ENGINE *tmpeng = NULL;
+    int pkey_id;
+
+    if (*pctx) {
+        BIO_puts(err, "Algorithm already set!\n");
+        return 0;
+    }
+
+    ameth = EVP_PKEY_asn1_find_str(&tmpeng, algname, -1);
+
+#ifndef OPENSSL_NO_ENGINE
+    if (!ameth && e)
+        ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1);
+#endif
+
+    if (!ameth) {
+        BIO_printf(bio_err, "Algorithm %s not found\n", algname);
+        return 0;
+    }
+
+    ERR_clear_error();
+
+    EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
+#ifndef OPENSSL_NO_ENGINE
+    if (tmpeng)
+        ENGINE_finish(tmpeng);
+#endif
+    ctx = EVP_PKEY_CTX_new_id(pkey_id, e);
+
+    if (!ctx)
+        goto err;
+    if (do_param) {
+        if (EVP_PKEY_paramgen_init(ctx) <= 0)
+            goto err;
+    } else {
+        if (EVP_PKEY_keygen_init(ctx) <= 0)
+            goto err;
+    }
+
+    *pctx = ctx;
+    return 1;
+
+ err:
+    BIO_printf(err, "Error initializing %s context\n", algname);
+    ERR_print_errors(err);
+    if (ctx)
+        EVP_PKEY_CTX_free(ctx);
+    return 0;
+
+}
+
+static int genpkey_cb(EVP_PKEY_CTX *ctx)
+{
+    char c = '*';
+    BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
+    int p;
+    p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
+    if (p == 0)
+        c = '.';
+    if (p == 1)
+        c = '+';
+    if (p == 2)
+        c = '*';
+    if (p == 3)
+        c = '\n';
+    BIO_write(b, &c, 1);
+    (void)BIO_flush(b);
+#ifdef LINT
+    p = n;
+#endif
+    return 1;
+}
diff --git a/openssl/apps/genrsa.c b/openssl/apps/genrsa.c
new file mode 100644
index 0000000..51dcfca
--- /dev/null
+++ b/openssl/apps/genrsa.c
@@ -0,0 +1,345 @@
+/* apps/genrsa.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/opensslconf.h>
+/*
+ * Until the key-gen callbacks are modified to use newer prototypes, we allow
+ * deprecated functions for openssl-internal code
+ */
+#ifdef OPENSSL_NO_DEPRECATED
+# undef OPENSSL_NO_DEPRECATED
+#endif
+
+#ifndef OPENSSL_NO_RSA
+# include <stdio.h>
+# include <string.h>
+# include <sys/types.h>
+# include <sys/stat.h>
+# include "apps.h"
+# include <openssl/bio.h>
+# include <openssl/err.h>
+# include <openssl/bn.h>
+# include <openssl/rsa.h>
+# include <openssl/evp.h>
+# include <openssl/x509.h>
+# include <openssl/pem.h>
+# include <openssl/rand.h>
+
+# define DEFBITS 2048
+# undef PROG
+# define PROG genrsa_main
+
+static int MS_CALLBACK genrsa_cb(int p, int n, BN_GENCB *cb);
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    BN_GENCB cb;
+    ENGINE *e = NULL;
+    int ret = 1;
+    int i, num = DEFBITS;
+    long l;
+    const EVP_CIPHER *enc = NULL;
+    unsigned long f4 = RSA_F4;
+    char *outfile = NULL;
+    char *passargout = NULL, *passout = NULL;
+    char *engine = NULL;
+    char *inrand = NULL;
+    BIO *out = NULL;
+    BIGNUM *bn = BN_new();
+    RSA *rsa = NULL;
+
+    if (!bn)
+        goto err;
+
+    apps_startup();
+    BN_GENCB_set(&cb, genrsa_cb, bio_err);
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (!load_config(bio_err, NULL))
+        goto err;
+    if ((out = BIO_new(BIO_s_file())) == NULL) {
+        BIO_printf(bio_err, "unable to create BIO for output\n");
+        goto err;
+    }
+
+    argv++;
+    argc--;
+    for (;;) {
+        if (argc <= 0)
+            break;
+        if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outfile = *(++argv);
+        } else if (strcmp(*argv, "-3") == 0)
+            f4 = 3;
+        else if (strcmp(*argv, "-F4") == 0 || strcmp(*argv, "-f4") == 0)
+            f4 = RSA_F4;
+# ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            engine = *(++argv);
+        }
+# endif
+        else if (strcmp(*argv, "-rand") == 0) {
+            if (--argc < 1)
+                goto bad;
+            inrand = *(++argv);
+        }
+# ifndef OPENSSL_NO_DES
+        else if (strcmp(*argv, "-des") == 0)
+            enc = EVP_des_cbc();
+        else if (strcmp(*argv, "-des3") == 0)
+            enc = EVP_des_ede3_cbc();
+# endif
+# ifndef OPENSSL_NO_IDEA
+        else if (strcmp(*argv, "-idea") == 0)
+            enc = EVP_idea_cbc();
+# endif
+# ifndef OPENSSL_NO_SEED
+        else if (strcmp(*argv, "-seed") == 0)
+            enc = EVP_seed_cbc();
+# endif
+# ifndef OPENSSL_NO_AES
+        else if (strcmp(*argv, "-aes128") == 0)
+            enc = EVP_aes_128_cbc();
+        else if (strcmp(*argv, "-aes192") == 0)
+            enc = EVP_aes_192_cbc();
+        else if (strcmp(*argv, "-aes256") == 0)
+            enc = EVP_aes_256_cbc();
+# endif
+# ifndef OPENSSL_NO_CAMELLIA
+        else if (strcmp(*argv, "-camellia128") == 0)
+            enc = EVP_camellia_128_cbc();
+        else if (strcmp(*argv, "-camellia192") == 0)
+            enc = EVP_camellia_192_cbc();
+        else if (strcmp(*argv, "-camellia256") == 0)
+            enc = EVP_camellia_256_cbc();
+# endif
+        else if (strcmp(*argv, "-passout") == 0) {
+            if (--argc < 1)
+                goto bad;
+            passargout = *(++argv);
+        } else
+            break;
+        argv++;
+        argc--;
+    }
+    if ((argc >= 1) && ((sscanf(*argv, "%d", &num) == 0) || (num < 0))) {
+ bad:
+        BIO_printf(bio_err, "usage: genrsa [args] [numbits]\n");
+        BIO_printf(bio_err,
+                   " -des            encrypt the generated key with DES in cbc mode\n");
+        BIO_printf(bio_err,
+                   " -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
+# ifndef OPENSSL_NO_IDEA
+        BIO_printf(bio_err,
+                   " -idea           encrypt the generated key with IDEA in cbc mode\n");
+# endif
+# ifndef OPENSSL_NO_SEED
+        BIO_printf(bio_err, " -seed\n");
+        BIO_printf(bio_err,
+                   "                 encrypt PEM output with cbc seed\n");
+# endif
+# ifndef OPENSSL_NO_AES
+        BIO_printf(bio_err, " -aes128, -aes192, -aes256\n");
+        BIO_printf(bio_err,
+                   "                 encrypt PEM output with cbc aes\n");
+# endif
+# ifndef OPENSSL_NO_CAMELLIA
+        BIO_printf(bio_err, " -camellia128, -camellia192, -camellia256\n");
+        BIO_printf(bio_err,
+                   "                 encrypt PEM output with cbc camellia\n");
+# endif
+        BIO_printf(bio_err, " -out file       output the key to 'file\n");
+        BIO_printf(bio_err,
+                   " -passout arg    output file pass phrase source\n");
+        BIO_printf(bio_err,
+                   " -f4             use F4 (0x10001) for the E value\n");
+        BIO_printf(bio_err, " -3              use 3 for the E value\n");
+# ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   " -engine e       use engine e, possibly a hardware device.\n");
+# endif
+        BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
+                   LIST_SEPARATOR_CHAR);
+        BIO_printf(bio_err,
+                   "                 load the file (or the files in the directory) into\n");
+        BIO_printf(bio_err, "                 the random number generator\n");
+        goto err;
+    }
+
+    ERR_load_crypto_strings();
+
+    if (!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
+        BIO_printf(bio_err, "Error getting password\n");
+        goto err;
+    }
+    e = setup_engine(bio_err, engine, 0);
+
+    if (outfile == NULL) {
+        BIO_set_fp(out, stdout, BIO_NOCLOSE);
+# ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+# endif
+    } else {
+        if (BIO_write_filename(out, outfile) <= 0) {
+            perror(outfile);
+            goto err;
+        }
+    }
+
+    if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
+        && !RAND_status()) {
+        BIO_printf(bio_err,
+                   "warning, not much extra random data, consider using the -rand option\n");
+    }
+    if (inrand != NULL)
+        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
+                   app_RAND_load_files(inrand));
+
+    BIO_printf(bio_err, "Generating RSA private key, %d bit long modulus\n",
+               num);
+# ifdef OPENSSL_NO_ENGINE
+    rsa = RSA_new();
+# else
+    rsa = RSA_new_method(e);
+# endif
+    if (!rsa)
+        goto err;
+
+    if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
+        goto err;
+
+    app_RAND_write_file(NULL, bio_err);
+
+    /*
+     * We need to do the following for when the base number size is < long,
+     * esp windows 3.1 :-(.
+     */
+    l = 0L;
+    for (i = 0; i < rsa->e->top; i++) {
+# ifndef SIXTY_FOUR_BIT
+        l <<= BN_BITS4;
+        l <<= BN_BITS4;
+# endif
+        l += rsa->e->d[i];
+    }
+    BIO_printf(bio_err, "e is %ld (0x%lX)\n", l, l);
+    {
+        PW_CB_DATA cb_data;
+        cb_data.password = passout;
+        cb_data.prompt_info = outfile;
+        if (!PEM_write_bio_RSAPrivateKey(out, rsa, enc, NULL, 0,
+                                         (pem_password_cb *)password_callback,
+                                         &cb_data))
+            goto err;
+    }
+
+    ret = 0;
+ err:
+    if (bn)
+        BN_free(bn);
+    if (rsa)
+        RSA_free(rsa);
+    if (out)
+        BIO_free_all(out);
+    release_engine(e);
+    if (passout)
+        OPENSSL_free(passout);
+    if (ret != 0)
+        ERR_print_errors(bio_err);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+
+static int MS_CALLBACK genrsa_cb(int p, int n, BN_GENCB *cb)
+{
+    char c = '*';
+
+    if (p == 0)
+        c = '.';
+    if (p == 1)
+        c = '+';
+    if (p == 2)
+        c = '*';
+    if (p == 3)
+        c = '\n';
+    BIO_write(cb->arg, &c, 1);
+    (void)BIO_flush(cb->arg);
+# ifdef LINT
+    p = n;
+# endif
+    return 1;
+}
+#else                           /* !OPENSSL_NO_RSA */
+
+# if PEDANTIC
+static void *dummy = &dummy;
+# endif
+
+#endif
diff --git a/openssl/apps/install-apps.com b/openssl/apps/install-apps.com
new file mode 100755
index 0000000..7a553aa
--- /dev/null
+++ b/openssl/apps/install-apps.com
@@ -0,0 +1,107 @@
+$! INSTALL.COM -- Installs the files in a given directory tree
+$!
+$! Author: Richard Levitte <richard@levitte.org>
+$! Time of creation: 22-MAY-1998 10:13
+$!
+$! P1  root of the directory tree
+$! P2  "64" for 64-bit pointers.
+$!
+$!
+$! Announce/identify.
+$!
+$ proc = f$environment( "procedure")
+$ write sys$output "@@@ "+ -
+   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
+$!
+$ on error then goto tidy
+$ on control_c then goto tidy
+$!
+$ if (p1 .eqs. "")
+$ then
+$   write sys$output "First argument missing."
+$   write sys$output -
+     "It should be the directory where you want things installed."
+$   exit
+$ endif
+$!
+$ if (f$getsyi("cpu") .lt. 128)
+$ then
+$   arch = "VAX"
+$ else
+$   arch = f$edit( f$getsyi( "arch_name"), "upcase")
+$   if (arch .eqs. "") then arch = "UNK"
+$ endif
+$!
+$ archd = arch
+$!
+$ if (p2 .nes. "")
+$ then
+$   if (p2 .eqs. "64")
+$   then
+$     archd = arch+ "_64"
+$   else
+$     if (p2 .nes. "32")
+$     then
+$       write sys$output "Second argument invalid."
+$       write sys$output "It should be "32", "64", or nothing."
+$       exit
+$     endif
+$   endif
+$ endif
+$!
+$ root = f$parse( p1, "[]A.;0", , , "syntax_only, no_conceal") - "A.;0"
+$ root_dev = f$parse(root,,,"device","syntax_only")
+$ root_dir = f$parse(root,,,"directory","syntax_only") - -
+   "[000000." - "][" - "[" - "]"
+$ root = root_dev + "[" + root_dir
+$!
+$ define /nolog wrk_sslroot 'root'.] /trans=conc
+$ define /nolog wrk_sslxexe wrk_sslroot:['archd'_exe]
+$!
+$ if f$parse("wrk_sslroot:[000000]") .eqs. "" then -
+   create /directory /log wrk_sslroot:[000000]
+$ if f$parse("wrk_sslxexe:") .eqs. "" then -
+   create /directory /log wrk_sslxexe:
+$!
+$ exe := openssl
+$!
+$ exe_dir := [-.'archd'.exe.apps]
+$!
+$! Executables.
+$!
+$ i = 0
+$ loop_exe:
+$   e = f$edit(f$element( i, ",", exe), "trim")
+$   i = i + 1
+$   if e .eqs. "," then goto loop_exe_end
+$   set noon
+$   file = exe_dir+ e+ ".exe"
+$   if f$search( file) .nes. ""
+$   then
+$     copy /protection = w:re 'file' wrk_sslxexe: /log
+$   endif
+$   set on
+$ goto loop_exe
+$ loop_exe_end:
+$!
+$! Miscellaneous.
+$!
+$ set noon
+$ copy /protection = w:re ca.com wrk_sslxexe:ca.com /log
+$ copy /protection = w:re openssl-vms.cnf wrk_sslroot:[000000]openssl.cnf /log
+$ set on
+$!
+$ tidy:
+$!
+$ call deass wrk_sslroot
+$ call deass wrk_sslxexe
+$!
+$ exit
+$!
+$ deass: subroutine
+$ if (f$trnlnm( p1, "LNM$PROCESS") .nes. "")
+$ then
+$   deassign /process 'p1'
+$ endif
+$ endsubroutine
+$!
diff --git a/openssl/apps/makeapps.com b/openssl/apps/makeapps.com
new file mode 100644
index 0000000..97dff41
--- /dev/null
+++ b/openssl/apps/makeapps.com
@@ -0,0 +1,1184 @@
+$!
+$!  MAKEAPPS.COM
+$!  Written By:  Robert Byer
+$!               Vice-President
+$!               A-Com Computing, Inc.
+$!               byer@mail.all-net.net
+$!
+$!  Changes by Richard Levitte <richard@levitte.org>
+$!             Zoltan Arpadffy <zoli@polarhome.com>   
+$!
+$!  This command files compiles and creates all the various different
+$!  "application" programs for the different types of encryption for OpenSSL.
+$!  The EXE's are placed in the directory [.xxx.EXE.APPS] where "xxx" denotes
+$!  ALPHA, IA64 or VAX, depending on your machine architecture.
+$!
+$!  It was written so it would try to determine what "C" compiler to
+$!  use or you can specify which "C" compiler to use.
+$!
+$!  Specify DEBUG or NODEBUG as P1 to compile with or without debugger
+$!  information.
+$!
+$!  Specify which compiler at P2 to try to compile under.
+$!
+$!	   VAXC	 For VAX C.
+$!	   DECC	 For DEC C.
+$!	   GNUC	 For GNU C.
+$!
+$!  If you don't specify a compiler, it will try to determine which
+$!  "C" compiler to use.
+$!
+$!  P3, if defined, sets a TCP/IP library to use, through one of the following
+$!  keywords:
+$!
+$!	UCX		for UCX
+$!	SOCKETSHR	for SOCKETSHR+NETLIB
+$!	TCPIP		for TCPIP (post UCX)
+$!
+$!  P4, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
+$!
+$!  P5, if defined, sets a choice of programs to compile.
+$!
+$!  P6, if defined, specifies the C pointer size.  Ignored on VAX.
+$!      ("64=ARGV" gives more efficient code with HP C V7.3 or newer.)
+$!      Supported values are:
+$!
+$!      ""       Compile with default (/NOPOINTER_SIZE)
+$!      32       Compile with /POINTER_SIZE=32 (SHORT)
+$!      64       Compile with /POINTER_SIZE=64[=ARGV] (LONG[=ARGV])
+$!               (Automatically select ARGV if compiler supports it.)
+$!      64=      Compile with /POINTER_SIZE=64 (LONG).
+$!      64=ARGV  Compile with /POINTER_SIZE=64=ARGV (LONG=ARGV).
+$!
+$!  P7, if defined, specifies a directory where ZLIB files (zlib.h,
+$!  libz.olb) may be found.  Optionally, a non-default object library
+$!  name may be included ("dev:[dir]libz_64.olb", for example).
+$!
+$!
+$! Announce/identify.
+$!
+$ proc = f$environment( "procedure")
+$ write sys$output "@@@ "+ -
+   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
+$!
+$ on control_c then goto exit
+$!
+$! Define A TCP/IP Library That We Will Need To Link To.
+$! (That Is, If We Need To Link To One.)
+$!
+$ TCPIP_LIB = ""
+$ ZLIB_LIB = ""
+$!
+$! Check What Architecture We Are Using.
+$!
+$ IF (F$GETSYI("CPU").LT.128)
+$ THEN
+$!
+$!  The Architecture Is VAX.
+$!
+$   ARCH = "VAX"
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  The Architecture Is Alpha, IA64 or whatever comes in the future.
+$!
+$   ARCH = F$EDIT( F$GETSYI( "ARCH_NAME"), "UPCASE")
+$   IF (ARCH .EQS. "") THEN ARCH = "UNK"
+$!
+$! End The Architecture Check.
+$!
+$ ENDIF
+$!
+$ ARCHD = ARCH
+$ LIB32 = "32"
+$ OPT_FILE = ""
+$ POINTER_SIZE = ""
+$!
+$! Define what programs should be compiled
+$!
+$ PROGRAMS := OPENSSL
+$!
+$! Check To Make Sure We Have Valid Command Line Parameters.
+$!
+$ GOSUB CHECK_OPTIONS
+$!
+$! Define The CRYPTO Library.
+$!
+$ CRYPTO_LIB := SYS$DISK:[-.'ARCHD'.EXE.CRYPTO]SSL_LIBCRYPTO'LIB32'.OLB
+$!
+$! Define The SSL Library.
+$!
+$ SSL_LIB := SYS$DISK:[-.'ARCHD'.EXE.SSL]SSL_LIBSSL'LIB32'.OLB
+$!
+$! Define The OBJ and EXE Directories.
+$!
+$ OBJ_DIR := SYS$DISK:[-.'ARCHD'.OBJ.APPS]
+$ EXE_DIR := SYS$DISK:[-.'ARCHD'.EXE.APPS]
+$!
+$! Specify the destination directory in any /MAP option.
+$!
+$ if (LINKMAP .eqs. "MAP")
+$ then
+$   LINKMAP = LINKMAP+ "=''EXE_DIR'"
+$ endif
+$!
+$! Add the location prefix to the linker options file name.
+$!
+$ if (OPT_FILE .nes. "")
+$ then
+$   OPT_FILE = EXE_DIR+ OPT_FILE
+$ endif
+$!
+$! Initialise logical names and such
+$!
+$ GOSUB INITIALISE
+$!
+$! Tell The User What Kind of Machine We Run On.
+$!
+$ WRITE SYS$OUTPUT "Host system architecture: ''ARCHD'"
+$!
+$! Check To See If The OBJ Directory Exists.
+$!
+$ IF (F$PARSE(OBJ_DIR).EQS."")
+$ THEN
+$!
+$!  It Dosen't Exist, So Create It.
+$!
+$   CREATE/DIRECTORY 'OBJ_DIR'
+$!
+$! End The OBJ Directory Check.
+$!
+$ ENDIF
+$!
+$! Check To See If The EXE Directory Exists.
+$!
+$ IF (F$PARSE(EXE_DIR).EQS."")
+$ THEN
+$!
+$!  It Dosen't Exist, So Create It.
+$!
+$   CREATE/DIRECTORY 'EXE_DIR'
+$!
+$! End The EXE Directory Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Have The Proper Libraries.
+$!
+$ GOSUB LIB_CHECK
+$!
+$! Check To See If We Have A Linker Option File.
+$!
+$ GOSUB CHECK_OPT_FILE
+$!
+$! Define The Application Files.
+$! NOTE: Some might think this list ugly.  However, it's made this way to
+$! reflect the E_OBJ variable in Makefile as closely as possible, thereby
+$! making it fairly easy to verify that the lists are the same.
+$!
+$ LIB_OPENSSL = "VERIFY,ASN1PARS,REQ,DGST,DH,DHPARAM,ENC,PASSWD,GENDH,ERRSTR,"+-
+	     	"CA,PKCS7,CRL2P7,CRL,"+-
+	      	"RSA,RSAUTL,DSA,DSAPARAM,EC,ECPARAM,"+-
+	      	"X509,GENRSA,GENDSA,GENPKEY,S_SERVER,S_CLIENT,SPEED,"+-
+	      	"S_TIME,APPS,S_CB,S_SOCKET,APP_RAND,VERSION,SESS_ID,"+-
+	      	"CIPHERS,NSEQ,PKCS12,PKCS8,PKEY,PKEYPARAM,PKEYUTL,"+ -
+	      	"SPKAC,SMIME,CMS,RAND,ENGINE,OCSP,PRIME,TS,SRP"
+$!
+$ LIB_OPENSSL = LIB_OPENSSL+ ",VMS_DECC_INIT,VMS_TERM_SOCK"
+$!
+$ TCPIP_PROGRAMS = ",,"
+$ IF COMPILER .EQS. "VAXC" THEN -
+     TCPIP_PROGRAMS = ",OPENSSL,"
+$!
+$! Setup exceptional compilations
+$!
+$ COMPILEWITH_CC2 = ",S_SOCKET,S_SERVER,S_CLIENT,"
+$!
+$ PHASE := LIB
+$!
+$ RESTART: 
+$!
+$!  Define An App Counter And Set It To "0".
+$!
+$ APP_COUNTER = 0
+$!
+$!  Top Of The App Loop.
+$!
+$ NEXT_APP:
+$!
+$!  Make The Application File Name
+$!
+$ CURRENT_APP = F$EDIT(F$ELEMENT(APP_COUNTER,",",PROGRAMS),"TRIM")
+$!
+$!  Create The Executable File Name.
+$!
+$   EXE_FILE = EXE_DIR + CURRENT_APP + ".EXE"
+$!
+$!  Check To See If We Are At The End Of The File List.
+$!
+$ IF (CURRENT_APP.EQS.",")
+$ THEN
+$   IF (PHASE.EQS."LIB")
+$   THEN
+$     PHASE := APP
+$     GOTO RESTART
+$   ELSE
+$     GOTO APP_DONE
+$   ENDIF
+$ ENDIF
+$!
+$!  Increment The Counter.
+$!
+$ APP_COUNTER = APP_COUNTER + 1
+$!
+$!  Decide if we're building the object files or not.
+$!
+$ IF (PHASE.EQS."LIB")
+$ THEN
+$!
+$!  Define A Library File Counter And Set It To "-1".
+$!  -1 Means The Application File Name Is To Be Used.
+$!
+$   LIB_COUNTER = -1
+$!
+$!  Create a .OPT file for the object files
+$!
+$   OPEN /WRITE OBJECTS 'EXE_DIR''CURRENT_APP'.OPT
+$!
+$!  Top Of The File Loop.
+$!
+$  NEXT_LIB:
+$!
+$!  O.K, Extract The File Name From The File List.
+$!
+$   IF LIB_COUNTER .GE. 0
+$   THEN
+$     FILE_NAME = F$EDIT(F$ELEMENT(LIB_COUNTER,",",LIB_'CURRENT_APP'),"TRIM")
+$   ELSE
+$     FILE_NAME = CURRENT_APP
+$   ENDIF
+$!
+$!  Check To See If We Are At The End Of The File List.
+$!
+$   IF (FILE_NAME.EQS.",")
+$   THEN
+$     CLOSE OBJECTS
+$     GOTO NEXT_APP
+$   ENDIF
+$!
+$!  Increment The Counter.
+$!
+$   LIB_COUNTER = LIB_COUNTER + 1
+$!
+$!  Create The Source File Name.
+$!
+$   SOURCE_FILE = "SYS$DISK:[]" + FILE_NAME + ".C"
+$!
+$!  Create The Object File Name.
+$!
+$   OBJECT_FILE = OBJ_DIR + FILE_NAME + ".OBJ"
+$   ON WARNING THEN GOTO NEXT_LIB
+$!
+$!  Check To See If The File We Want To Compile Actually Exists.
+$!
+$   IF (F$SEARCH(SOURCE_FILE).EQS."")
+$   THEN
+$!
+$!    Tell The User That The File Dosen't Exist.
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The File ",SOURCE_FILE," Dosen't Exist."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Exit The Build.
+$!
+$     GOTO EXIT
+$!
+$!  End The File Exist Check.
+$!
+$   ENDIF
+$!
+$!  Tell The User What We Are Building.
+$!
+$   IF (PHASE.EQS."LIB")
+$   THEN
+$     WRITE SYS$OUTPUT "Compiling The ",FILE_NAME,".C File."
+$   ELSE
+$     WRITE SYS$OUTPUT "Building The ",FILE_NAME," Application Program."
+$   ENDIF
+$!
+$!  Compile The File.
+$!
+$   ON ERROR THEN GOTO NEXT_LIB
+$   IF COMPILEWITH_CC2 - FILE_NAME .NES. COMPILEWITH_CC2
+$   THEN
+$     CC2/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$   ELSE
+$     CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$   ENDIF
+$   WRITE OBJECTS OBJECT_FILE
+$!
+$   GOTO NEXT_LIB
+$ ENDIF
+$!
+$!  Check if this program works well without a TCPIP library
+$!
+$ IF TCPIP_LIB .EQS. "" .AND. TCPIP_PROGRAMS - CURRENT_APP .NES. TCPIP_PROGRAMS
+$ THEN
+$   WRITE SYS$OUTPUT CURRENT_APP," needs a TCP/IP library.  Can't link.  Skipping..."
+$   GOTO NEXT_APP
+$ ENDIF
+$!
+$! Link The Program.
+$!
+$ ON WARNING THEN GOTO NEXT_APP
+$!
+$! Don't Link With The RSAREF Routines And TCP/IP Library.
+$!
+$ LINK /'DEBUGGER' /'LINKMAP' /'TRACEBACK' /EXE='EXE_FILE' -
+  'EXE_DIR''CURRENT_APP'.OPT /OPTIONS, -
+  'SSL_LIB' /LIBRARY, -
+  'CRYPTO_LIB' /LIBRARY -
+  'TCPIP_LIB' -
+  'ZLIB_LIB' -
+  ,'OPT_FILE' /OPTIONS
+$!
+$! Go Back And Do It Again.
+$!
+$ GOTO NEXT_APP
+$!
+$! All Done With This File.
+$!
+$ APP_DONE:
+$ EXIT:
+$!
+$! All Done, Time To Clean Up And Exit.
+$!
+$ GOSUB CLEANUP
+$ EXIT
+$!
+$! Check For The Link Option FIle.
+$!
+$ CHECK_OPT_FILE:
+$!
+$! Check To See If We Need To Make A VAX C Option File.
+$!
+$ IF (COMPILER.EQS."VAXC")
+$ THEN
+$!
+$!  Check To See If We Already Have A VAX C Linker Option File.
+$!
+$   IF (F$SEARCH(OPT_FILE).EQS."")
+$   THEN
+$!
+$!    We Need A VAX C Linker Option File.
+$!
+$     CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Against 
+! The Sharable VAX C Runtime Library.
+!
+SYS$SHARE:VAXCRTL.EXE/SHARE
+$EOD
+$!
+$!  End The Option File Check.
+$!
+$   ENDIF
+$!
+$! End The VAXC Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Need A GNU C Option File.
+$!
+$ IF (COMPILER.EQS."GNUC")
+$ THEN
+$!
+$!  Check To See If We Already Have A GNU C Linker Option File.
+$!
+$   IF (F$SEARCH(OPT_FILE).EQS."")
+$   THEN
+$!
+$!    We Need A GNU C Linker Option File.
+$!
+$     CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Against 
+! The Sharable C Runtime Library.
+!
+GNU_CC:[000000]GCCLIB/LIBRARY
+SYS$SHARE:VAXCRTL/SHARE
+$EOD
+$!
+$!  End The Option File Check.
+$!
+$   ENDIF
+$!
+$! End The GNU C Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Need A DEC C Option File.
+$!
+$ IF (COMPILER.EQS."DECC")
+$ THEN
+$!
+$!  Check To See If We Already Have A DEC C Linker Option File.
+$!
+$   IF (F$SEARCH(OPT_FILE).EQS."")
+$   THEN
+$!
+$!    Figure Out If We Need An AXP Or A VAX Linker Option File.
+$!
+$     IF ARCH.EQS."VAX"
+$     THEN
+$!
+$!      We Need A DEC C Linker Option File For VAX.
+$!
+$       CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Against 
+! The Sharable DEC C Runtime Library.
+!
+SYS$SHARE:DECC$SHR.EXE/SHARE
+$EOD
+$!
+$!    Else...
+$!
+$     ELSE
+$!
+$!      Create The non-VAX Linker Option File.
+$!
+$       CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File For non-VAX To Link Against 
+! The Sharable C Runtime Library.
+!
+SYS$SHARE:CMA$OPEN_LIB_SHR/SHARE
+SYS$SHARE:CMA$OPEN_RTL/SHARE
+$EOD
+$!
+$!    End The DEC C Option File Check.
+$!
+$     ENDIF
+$!
+$!  End The Option File Search.
+$!
+$   ENDIF
+$!
+$! End The DEC C Check.
+$!
+$ ENDIF
+$!
+$!  Tell The User What Linker Option File We Are Using.
+$!
+$ WRITE SYS$OUTPUT "Using Linker Option File ",OPT_FILE,"."	
+$!
+$! Time To RETURN.
+$!
+$ RETURN
+$!
+$! Check To See If We Have The Appropiate Libraries.
+$!
+$ LIB_CHECK:
+$!
+$! Look For The Library LIBCRYPTO.OLB.
+$!
+$ IF (F$SEARCH(CRYPTO_LIB).EQS."")
+$ THEN
+$!
+$!  Tell The User We Can't Find The LIBCRYPTO.OLB Library.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "Can't Find The Library ",CRYPTO_LIB,"."
+$   WRITE SYS$OUTPUT "We Can't Link Without It."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Since We Can't Link Without It, Exit.
+$!
+$   EXIT
+$!
+$! End The Crypto Library Check.
+$!
+$ ENDIF
+$!
+$! Look For The Library LIBSSL.OLB.
+$!
+$ IF (F$SEARCH(SSL_LIB).EQS."")
+$ THEN
+$!
+$!  Tell The User We Can't Find The LIBSSL.OLB Library.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "Can't Find The Library ",SSL_LIB,"."
+$   WRITE SYS$OUTPUT "Some Of The Test Programs Need To Link To It."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Since We Can't Link Without It, Exit.
+$!
+$   EXIT
+$!
+$! End The SSL Library Check.
+$!
+$ ENDIF
+$!
+$! Time To Return.
+$!
+$ RETURN
+$!
+$! Check The User's Options.
+$!
+$ CHECK_OPTIONS:
+$!
+$! Check To See If P1 Is Blank.
+$!
+$ IF (P1.EQS."NODEBUG")
+$ THEN
+$!
+$!  P1 Is NODEBUG, So Compile Without Debugger Information.
+$!
+$   DEBUGGER  = "NODEBUG"
+$   LINKMAP = "NOMAP"
+$   TRACEBACK = "NOTRACEBACK" 
+$   GCC_OPTIMIZE = "OPTIMIZE"
+$   CC_OPTIMIZE = "OPTIMIZE"
+$   WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile."
+$   WRITE SYS$OUTPUT "Compiling With Compiler Optimization."
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  Check To See If We Are To Compile With Debugger Information.
+$!
+$   IF (P1.EQS."DEBUG")
+$   THEN
+$!
+$!    Compile With Debugger Information.
+$!
+$     DEBUGGER  = "DEBUG"
+$     LINKMAP = "MAP"
+$     TRACEBACK = "TRACEBACK"
+$     GCC_OPTIMIZE = "NOOPTIMIZE"
+$     CC_OPTIMIZE = "NOOPTIMIZE"
+$     WRITE SYS$OUTPUT "Debugger Information Will Be Produced During Compile."
+$     WRITE SYS$OUTPUT "Compiling Without Compiler Optimization."
+$   ELSE
+$!
+$!    Tell The User Entered An Invalid Option.
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "    DEBUG    :  Compile With The Debugger Information."
+$     WRITE SYS$OUTPUT "    NODEBUG  :  Compile Without The Debugger Information."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Time To EXIT.
+$!
+$     EXIT
+$!
+$!  End The Valid Argument Check.
+$!
+$   ENDIF
+$!
+$! End The P1 Check.
+$!
+$ ENDIF
+$!
+$! Check P6 (POINTER_SIZE).
+$!
+$ IF (P6 .NES. "") .AND. (ARCH .NES. "VAX")
+$ THEN
+$!
+$   IF (P6 .EQS. "32")
+$   THEN
+$     POINTER_SIZE = " /POINTER_SIZE=32"
+$   ELSE
+$     POINTER_SIZE = F$EDIT( P6, "COLLAPSE, UPCASE")
+$     IF ((POINTER_SIZE .EQS. "64") .OR. -
+       (POINTER_SIZE .EQS. "64=") .OR. -
+       (POINTER_SIZE .EQS. "64=ARGV"))
+$     THEN
+$       ARCHD = ARCH+ "_64"
+$       LIB32 = ""
+$       IF (F$EXTRACT( 2, 1, POINTER_SIZE) .EQS. "=")
+$       THEN
+$!        Explicit user choice: "64" or "64=ARGV".
+$         IF (POINTER_SIZE .EQS. "64=") THEN POINTER_SIZE = "64"
+$       ELSE
+$         SET NOON
+$         DEFINE /USER_MODE SYS$OUTPUT NL:
+$         DEFINE /USER_MODE SYS$ERROR NL:
+$         CC /NOLIST /NOOBJECT /POINTER_SIZE=64=ARGV NL:
+$         IF ($STATUS .AND. %X0FFF0000) .EQ. %X00030000
+$         THEN
+$           ! If we got here, it means DCL complained like this:
+$           ! %DCL-W-NOVALU, value not allowed - remove value specification
+$           !  \64=\
+$           !
+$           ! If the compiler was run, logicals defined in /USER would
+$           ! have been deassigned automatically.  However, when DCL
+$           ! complains, they aren't, so we do it here (it might be
+$           ! unnecessary, but just in case there will be another error
+$           ! message further on that we don't want to miss)
+$           DEASSIGN /USER_MODE SYS$ERROR
+$           DEASSIGN /USER_MODE SYS$OUTPUT
+$         ELSE
+$           POINTER_SIZE = POINTER_SIZE + "=ARGV"
+$         ENDIF
+$         SET ON
+$       ENDIF
+$       POINTER_SIZE = " /POINTER_SIZE=''POINTER_SIZE'"
+$!
+$     ELSE
+$!
+$!      Tell The User Entered An Invalid Option.
+$!
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "The Option ", P6, -
+         " Is Invalid.  The Valid Options Are:"
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT -
+         "    """"  :  Compile with default (short) pointers."
+$       WRITE SYS$OUTPUT -
+         "    32  :  Compile with 32-bit (short) pointers."
+$       WRITE SYS$OUTPUT -
+         "    64       :  Compile with 64-bit (long) pointers (auto ARGV)."
+$       WRITE SYS$OUTPUT -
+         "    64=      :  Compile with 64-bit (long) pointers (no ARGV)."
+$       WRITE SYS$OUTPUT -
+         "    64=ARGV  :  Compile with 64-bit (long) pointers (ARGV)."
+$       WRITE SYS$OUTPUT ""
+$! 
+$!      Time To EXIT.
+$!
+$       EXIT
+$!
+$     ENDIF
+$!
+$   ENDIF
+$!
+$! End The P6 (POINTER_SIZE) Check.
+$!
+$ ENDIF
+$!
+$! Set basic C compiler /INCLUDE directories.
+$!
+$ CC_INCLUDES = "SYS$DISK:[-],SYS$DISK:[-.CRYPTO]"
+$!
+$! Check To See If P2 Is Blank.
+$!
+$ IF (P2.EQS."")
+$ THEN
+$!
+$!  O.K., The User Didn't Specify A Compiler, Let's Try To
+$!  Find Out Which One To Use.
+$!
+$!  Check To See If We Have GNU C.
+$!
+$   IF (F$TRNLNM("GNU_CC").NES."")
+$   THEN
+$!
+$!    Looks Like GNUC, Set To Use GNUC.
+$!
+$     P2 = "GNUC"
+$!
+$!  Else...
+$!
+$   ELSE
+$!
+$!  Check To See If We Have VAXC Or DECC.
+$!
+$     IF (ARCH.NES."VAX").OR.(F$TRNLNM("DECC$CC_DEFAULT").NES."")
+$     THEN 
+$!
+$!      Looks Like DECC, Set To Use DECC.
+$!
+$       P2 = "DECC"
+$!
+$!    Else...
+$!
+$     ELSE
+$!
+$!      Looks Like VAXC, Set To Use VAXC.
+$!
+$       P2 = "VAXC"
+$!
+$!    End The VAXC Compiler Check.
+$!
+$     ENDIF
+$!
+$!  End The DECC & VAXC Compiler Check.
+$!
+$   ENDIF
+$!
+$!  End The Compiler Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Have A Option For P3.
+$!
+$ IF (P3.EQS."")
+$ THEN
+$!
+$!  Find out what socket library we have available
+$!
+$   IF F$PARSE("SOCKETSHR:") .NES. ""
+$   THEN
+$!
+$!    We have SOCKETSHR, and it is my opinion that it's the best to use.
+$!
+$     P3 = "SOCKETSHR"
+$!
+$!    Tell the user
+$!
+$     WRITE SYS$OUTPUT "Using SOCKETSHR for TCP/IP"
+$!
+$!    Else, let's look for something else
+$!
+$   ELSE
+$!
+$!    Like UCX (the reason to do this before Multinet is that the UCX
+$!    emulation is easier to use...)
+$!
+$     IF F$TRNLNM("UCX$IPC_SHR") .NES. "" -
+	 .OR. F$PARSE("SYS$SHARE:UCX$IPC_SHR.EXE") .NES. "" -
+	 .OR. F$PARSE("SYS$LIBRARY:UCX$IPC.OLB") .NES. ""
+$     THEN
+$!
+$!	Last resort: a UCX or UCX-compatible library
+$!
+$	P3 = "UCX"
+$!
+$!      Tell the user
+$!
+$       WRITE SYS$OUTPUT "Using UCX or an emulation thereof for TCP/IP"
+$!
+$!	That was all...
+$!
+$     ENDIF
+$   ENDIF
+$ ENDIF
+$!
+$! Set Up Initial CC Definitions, Possibly With User Ones
+$!
+$ CCDEFS = "MONOLITH"
+$ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
+$ CCEXTRAFLAGS = ""
+$ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
+$ CCDISABLEWARNINGS = "" !!! "MAYLOSEDATA3" !!! "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
+$ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. ""
+$ THEN
+$     IF CCDISABLEWARNINGS .NES. THEN CCDISABLEWARNINGS = CCDISABLEWARNINGS + ","
+$     CCDISABLEWARNINGS = CCDISABLEWARNINGS + USER_CCDISABLEWARNINGS
+$ ENDIF
+$!
+$! Check To See If We Have A ZLIB Option.
+$!
+$ ZLIB = P7
+$ IF (ZLIB .NES. "")
+$ THEN
+$!
+$!  Check for expected ZLIB files.
+$!
+$   err = 0
+$   file1 = f$parse( "zlib.h", ZLIB, , , "SYNTAX_ONLY")
+$   if (f$search( file1) .eqs. "")
+$   then
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid."
+$     WRITE SYS$OUTPUT "    Can't find header: ''file1'"
+$     err = 1
+$   endif
+$   file1 = f$parse( "A.;", ZLIB)- "A.;"
+$!
+$   file2 = f$parse( ZLIB, "libz.olb", , , "SYNTAX_ONLY")
+$   if (f$search( file2) .eqs. "")
+$   then
+$     if (err .eq. 0)
+$     then
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid."
+$     endif
+$     WRITE SYS$OUTPUT "    Can't find library: ''file2'"
+$     WRITE SYS$OUTPUT ""
+$     err = err+ 2
+$   endif
+$   if (err .eq. 1)
+$   then
+$     WRITE SYS$OUTPUT ""
+$   endif
+$!
+$   if (err .ne. 0)
+$   then
+$     EXIT
+$   endif
+$!
+$   CCDEFS = """ZLIB=1"", "+ CCDEFS
+$   CC_INCLUDES = CC_INCLUDES+ ", "+ file1
+$   ZLIB_LIB = ", ''file2' /library"
+$!
+$!  Print info
+$!
+$   WRITE SYS$OUTPUT "ZLIB library spec: ", file2
+$!
+$! End The ZLIB Check.
+$!
+$ ENDIF
+$!
+$!  Check To See If The User Entered A Valid Parameter.
+$!
+$ IF (P2.EQS."VAXC").OR.(P2.EQS."DECC").OR.(P2.EQS."GNUC")
+$ THEN
+$!
+$!  Check To See If The User Wanted DECC.
+$!
+$   IF (P2.EQS."DECC")
+$   THEN
+$!
+$!    Looks Like DECC, Set To Use DECC.
+$!
+$     COMPILER = "DECC"
+$!
+$!    Tell The User We Are Using DECC.
+$!
+$     WRITE SYS$OUTPUT "Using DECC 'C' Compiler."
+$!
+$!    Use DECC...
+$!
+$     CC = "CC"
+$     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
+	 THEN CC = "CC/DECC"
+$     CC = CC + " /''CC_OPTIMIZE' /''DEBUGGER' /STANDARD=RELAXED"+ -
+       "''POINTER_SIZE' /NOLIST /PREFIX=ALL" + -
+       " /INCLUDE=(''CC_INCLUDES') " + CCEXTRAFLAGS
+$!
+$!    Define The Linker Options File Name.
+$!
+$     OPT_FILE = "VAX_DECC_OPTIONS.OPT"
+$!
+$!  End DECC Check.
+$!
+$   ENDIF
+$!
+$!  Check To See If We Are To Use VAXC.
+$!
+$   IF (P2.EQS."VAXC")
+$   THEN
+$!
+$!    Looks Like VAXC, Set To Use VAXC.
+$!
+$     COMPILER = "VAXC"
+$!
+$!    Tell The User We Are Using VAX C.
+$     WRITE SYS$OUTPUT "Using VAXC 'C' Compiler."
+$!
+$!    Compile Using VAXC.
+$!
+$     CC = "CC"
+$     IF ARCH.NES."VAX"
+$     THEN
+$	WRITE SYS$OUTPUT "There is no VAX C on ''ARCH'!"
+$	EXIT
+$     ENDIF
+$     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
+$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
+	   "/INCLUDE=(''CC_INCLUDES')" + CCEXTRAFLAGS
+$     CCDEFS = CCDEFS + ",""VAXC"""
+$!
+$!    Define <sys> As SYS$COMMON:[SYSLIB]
+$!
+$     DEFINE/NOLOG SYS SYS$COMMON:[SYSLIB]
+$!
+$!    Define The Linker Options File Name.
+$!
+$     OPT_FILE = "VAX_VAXC_OPTIONS.OPT"
+$!
+$!  End VAXC Check
+$!
+$   ENDIF
+$!
+$!  Check To See If We Are To Use GNU C.
+$!
+$   IF (P2.EQS."GNUC")
+$   THEN
+$!
+$!    Looks Like GNUC, Set To Use GNUC.
+$!
+$     COMPILER = "GNUC"
+$!
+$!    Tell The User We Are Using GNUC.
+$!
+$     WRITE SYS$OUTPUT "Using GNU 'C' Compiler."
+$!
+$!    Use GNU C...
+$!
+$     IF F$TYPE(GCC) .EQS. "" THEN GCC := GCC
+$     CC = GCC+"/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
+	   "/INCLUDE=(''CC_INCLUDES')" + CCEXTRAFLAGS
+$!
+$!    Define The Linker Options File Name.
+$!
+$     OPT_FILE = "VAX_GNUC_OPTIONS.OPT"
+$!
+$!  End The GNU C Check.
+$!
+$   ENDIF
+$!
+$!  Set up default defines
+$!
+$   CCDEFS = """FLAT_INC=1""," + CCDEFS
+$!
+$!  Else The User Entered An Invalid Argument.
+$!
+$ ELSE
+$!
+$!  Tell The User We Don't Know What They Want.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "    VAXC  :  To Compile With VAX C."
+$   WRITE SYS$OUTPUT "    DECC  :  To Compile With DEC C."
+$   WRITE SYS$OUTPUT "    GNUC  :  To Compile With GNU C."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Time To EXIT.
+$!
+$   EXIT
+$ ENDIF
+$!
+$! Time to check the contents, and to make sure we get the correct library.
+$!
+$ IF P3.EQS."SOCKETSHR" .OR. P3.EQS."MULTINET" .OR. P3.EQS."UCX" -
+     .OR. P3.EQS."TCPIP" .OR. P3.EQS."NONE"
+$ THEN
+$!
+$!  Check to see if SOCKETSHR was chosen
+$!
+$   IF P3.EQS."SOCKETSHR"
+$   THEN
+$!
+$!    Set the library to use SOCKETSHR
+$!
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT /OPTIONS"
+$!
+$!    Done with SOCKETSHR
+$!
+$   ENDIF
+$!
+$!  Check to see if MULTINET was chosen
+$!
+$   IF P3.EQS."MULTINET"
+$   THEN
+$!
+$!    Set the library to use UCX emulation.
+$!
+$     P3 = "UCX"
+$!
+$!    Done with MULTINET
+$!
+$   ENDIF
+$!
+$!  Check to see if UCX was chosen
+$!
+$   IF P3.EQS."UCX"
+$   THEN
+$!
+$!    Set the library to use UCX.
+$!
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT /OPTIONS"
+$     IF F$TRNLNM("UCX$IPC_SHR") .NES. ""
+$     THEN
+$       TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT /OPTIONS"
+$     ELSE
+$       IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN -
+	  TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT /OPTIONS"
+$     ENDIF
+$!
+$!    Done with UCX
+$!
+$   ENDIF
+$!
+$!  Check to see if TCPIP (post UCX) was chosen
+$!
+$   IF P3.EQS."TCPIP"
+$   THEN
+$!
+$!    Set the library to use TCPIP.
+$!
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT /OPTIONS"
+$!
+$!    Done with TCPIP
+$!
+$   ENDIF
+$!
+$!  Check to see if NONE was chosen
+$!
+$   IF P3.EQS."NONE"
+$   THEN
+$!
+$!    Do not use TCPIP.
+$!
+$     TCPIP_LIB = ""
+$!
+$!    Done with TCPIP
+$!
+$   ENDIF
+$!
+$!  Add TCP/IP type to CC definitions.
+$!
+$   CCDEFS = CCDEFS + ",TCPIP_TYPE_''P3'"
+$!
+$!  Print info
+$!
+$   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB- ","
+$!
+$!  Else The User Entered An Invalid Argument.
+$!
+$ ELSE
+$!
+$!  Tell The User We Don't Know What They Want.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "    SOCKETSHR  :  To link with SOCKETSHR TCP/IP library."
+$   WRITE SYS$OUTPUT "    UCX        :  To link with UCX TCP/IP library."
+$   WRITE SYS$OUTPUT "    TCPIP      :  To link with TCPIP (post UCX) TCP/IP library."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Time To EXIT.
+$!
+$   EXIT
+$!
+$!  Done with TCP/IP libraries
+$!
+$ ENDIF
+$!
+$! Finish up the definition of CC.
+$!
+$ IF COMPILER .EQS. "DECC"
+$ THEN
+$!  Not all compiler versions support MAYLOSEDATA3.
+$   OPT_TEST = "MAYLOSEDATA3"
+$   DEFINE /USER_MODE SYS$ERROR NL:
+$   DEFINE /USER_MODE SYS$OUTPUT NL:
+$   'CC' /NOCROSS_REFERENCE /NOLIST /NOOBJECT -
+      /WARNINGS = DISABLE = ('OPT_TEST', EMPTYFILE) NL:
+$   IF ($SEVERITY)
+$   THEN
+$     IF CCDISABLEWARNINGS .NES. "" THEN -
+        CCDISABLEWARNINGS = CCDISABLEWARNINGS+ ","
+$     CCDISABLEWARNINGS = CCDISABLEWARNINGS+ OPT_TEST
+$   ENDIF
+$   IF CCDISABLEWARNINGS .NES. ""
+$   THEN
+$     CCDISABLEWARNINGS = " /WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
+$   ENDIF
+$ ELSE
+$   CCDISABLEWARNINGS = ""
+$ ENDIF
+$ CC2 = CC + " /DEFINE=(" + CCDEFS + ",_POSIX_C_SOURCE)" + CCDISABLEWARNINGS
+$ CC = CC + " /DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
+$!
+$! Show user the result
+$!
+$ WRITE/SYMBOL SYS$OUTPUT "Main Compiling Command: ",CC
+$!
+$! Special Threads For OpenVMS v7.1 Or Later
+$!
+$! Written By:  Richard Levitte
+$!              richard@levitte.org
+$!
+$!
+$! Check To See If We Have A Option For P4.
+$!
+$ IF (P4.EQS."")
+$ THEN
+$!
+$!  Get The Version Of VMS We Are Using.
+$!
+$   ISSEVEN :=
+$   TMP = F$ELEMENT(0,"-",F$EXTRACT(1,4,F$GETSYI("VERSION")))
+$   TMP = F$INTEGER(F$ELEMENT(0,".",TMP)+F$ELEMENT(1,".",TMP))
+$!
+$!  Check To See If The VMS Version Is v7.1 Or Later.
+$!
+$   IF (TMP.GE.71)
+$   THEN
+$!
+$!    We Have OpenVMS v7.1 Or Later, So Use The Special Threads.
+$!
+$     ISSEVEN := ,PTHREAD_USE_D4
+$!
+$!  End The VMS Version Check.
+$!
+$   ENDIF
+$!
+$! End The P4 Check.
+$!
+$ ENDIF
+$!
+$! Check if the user wanted to compile just a subset of all the programs.
+$!
+$ IF P5 .NES. ""
+$ THEN
+$   PROGRAMS = P5
+$ ENDIF
+$!
+$!  Time To RETURN...
+$!
+$ RETURN
+$!
+$ INITIALISE:
+$!
+$! Save old value of the logical name OPENSSL
+$!
+$ __SAVE_OPENSSL = F$TRNLNM("OPENSSL","LNM$PROCESS_TABLE")
+$!
+$! Save directory information
+$!
+$ __HERE = F$PARSE(F$PARSE("A.;",F$ENVIRONMENT("PROCEDURE"))-"A.;","[]A.;") - "A.;"
+$ __HERE = F$EDIT(__HERE,"UPCASE")
+$ __TOP = __HERE - "APPS]"
+$ __INCLUDE = __TOP + "INCLUDE.OPENSSL]"
+$!
+$! Set up the logical name OPENSSL to point at the include directory
+$!
+$ DEFINE OPENSSL /NOLOG '__INCLUDE'
+$!
+$! Done
+$!
+$ RETURN
+$!
+$ CLEANUP:
+$!
+$! Restore the saved logical name OPENSSL, if it had a value.
+$!
+$ if (f$type( __SAVE_OPENSSL) .nes. "")
+$ then
+$   IF __SAVE_OPENSSL .EQS. ""
+$   THEN
+$     DEASSIGN OPENSSL
+$   ELSE
+$     DEFINE /NOLOG OPENSSL '__SAVE_OPENSSL'
+$   ENDIF
+$ endif
+$!
+$! Close any open files.
+$!
+$ if (f$trnlnm( "objects", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
+   close objects
+$!
+$! Done
+$!
+$ RETURN
+$!
diff --git a/openssl/apps/nseq.c b/openssl/apps/nseq.c
new file mode 100644
index 0000000..c306738
--- /dev/null
+++ b/openssl/apps/nseq.c
@@ -0,0 +1,170 @@
+/* nseq.c */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/pem.h>
+#include <openssl/err.h>
+
+#undef PROG
+#define PROG nseq_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    char **args, *infile = NULL, *outfile = NULL;
+    BIO *in = NULL, *out = NULL;
+    int toseq = 0;
+    X509 *x509 = NULL;
+    NETSCAPE_CERT_SEQUENCE *seq = NULL;
+    int i, ret = 1;
+    int badarg = 0;
+    if (bio_err == NULL)
+        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+    ERR_load_crypto_strings();
+    args = argv + 1;
+    while (!badarg && *args && *args[0] == '-') {
+        if (!strcmp(*args, "-toseq"))
+            toseq = 1;
+        else if (!strcmp(*args, "-in")) {
+            if (args[1]) {
+                args++;
+                infile = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-out")) {
+            if (args[1]) {
+                args++;
+                outfile = *args;
+            } else
+                badarg = 1;
+        } else
+            badarg = 1;
+        args++;
+    }
+
+    if (badarg) {
+        BIO_printf(bio_err, "Netscape certificate sequence utility\n");
+        BIO_printf(bio_err, "Usage nseq [options]\n");
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err, "-in file  input file\n");
+        BIO_printf(bio_err, "-out file output file\n");
+        BIO_printf(bio_err, "-toseq    output NS Sequence file\n");
+        OPENSSL_EXIT(1);
+    }
+
+    if (infile) {
+        if (!(in = BIO_new_file(infile, "r"))) {
+            BIO_printf(bio_err, "Can't open input file %s\n", infile);
+            goto end;
+        }
+    } else
+        in = BIO_new_fp(stdin, BIO_NOCLOSE);
+
+    if (outfile) {
+        if (!(out = BIO_new_file(outfile, "w"))) {
+            BIO_printf(bio_err, "Can't open output file %s\n", outfile);
+            goto end;
+        }
+    } else {
+        out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+#endif
+    }
+    if (toseq) {
+        seq = NETSCAPE_CERT_SEQUENCE_new();
+        seq->certs = sk_X509_new_null();
+        while ((x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
+            sk_X509_push(seq->certs, x509);
+
+        if (!sk_X509_num(seq->certs)) {
+            BIO_printf(bio_err, "Error reading certs file %s\n", infile);
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        PEM_write_bio_NETSCAPE_CERT_SEQUENCE(out, seq);
+        ret = 0;
+        goto end;
+    }
+
+    if (!(seq = PEM_read_bio_NETSCAPE_CERT_SEQUENCE(in, NULL, NULL, NULL))) {
+        BIO_printf(bio_err, "Error reading sequence file %s\n", infile);
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    for (i = 0; i < sk_X509_num(seq->certs); i++) {
+        x509 = sk_X509_value(seq->certs, i);
+        dump_cert_text(out, x509);
+        PEM_write_bio_X509(out, x509);
+    }
+    ret = 0;
+ end:
+    BIO_free(in);
+    BIO_free_all(out);
+    NETSCAPE_CERT_SEQUENCE_free(seq);
+
+    OPENSSL_EXIT(ret);
+}
diff --git a/openssl/apps/ocsp.c b/openssl/apps/ocsp.c
new file mode 100644
index 0000000..5da51df
--- /dev/null
+++ b/openssl/apps/ocsp.c
@@ -0,0 +1,1367 @@
+/* ocsp.c */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#ifndef OPENSSL_NO_OCSP
+
+# ifdef OPENSSL_SYS_VMS
+#  define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
+                                 * on OpenVMS */
+# endif
+
+# define USE_SOCKETS
+
+# include <stdio.h>
+# include <stdlib.h>
+# include <string.h>
+# include <time.h>
+# include "apps.h"              /* needs to be included before the openssl
+                                 * headers! */
+# include <openssl/e_os2.h>
+# include <openssl/crypto.h>
+# include <openssl/err.h>
+# include <openssl/ssl.h>
+# include <openssl/evp.h>
+# include <openssl/bn.h>
+# include <openssl/x509v3.h>
+
+# if defined(NETWARE_CLIB)
+#  ifdef NETWARE_BSDSOCK
+#   include <sys/socket.h>
+#   include <sys/bsdskt.h>
+#  else
+#   include <novsock2.h>
+#  endif
+# elif defined(NETWARE_LIBC)
+#  ifdef NETWARE_BSDSOCK
+#   include <sys/select.h>
+#  else
+#   include <novsock2.h>
+#  endif
+# endif
+
+/* Maximum leeway in validity period: default 5 minutes */
+# define MAX_VALIDITY_PERIOD     (5 * 60)
+
+static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
+                         const EVP_MD *cert_id_md, X509 *issuer,
+                         STACK_OF(OCSP_CERTID) *ids);
+static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
+                           const EVP_MD *cert_id_md, X509 *issuer,
+                           STACK_OF(OCSP_CERTID) *ids);
+static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
+                              STACK_OF(OPENSSL_STRING) *names,
+                              STACK_OF(OCSP_CERTID) *ids, long nsec,
+                              long maxage);
+
+static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
+                              CA_DB *db, X509 *ca, X509 *rcert,
+                              EVP_PKEY *rkey, const EVP_MD *md,
+                              STACK_OF(X509) *rother, unsigned long flags,
+                              int nmin, int ndays, int badsig);
+
+static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
+static BIO *init_responder(const char *port);
+static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
+                        const char *port);
+static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
+static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
+                                      const STACK_OF(CONF_VALUE) *headers,
+                                      OCSP_REQUEST *req, int req_timeout);
+
+# undef PROG
+# define PROG ocsp_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    ENGINE *e = NULL;
+    char **args;
+    char *host = NULL, *port = NULL, *path = "/";
+    char *thost = NULL, *tport = NULL, *tpath = NULL;
+    char *reqin = NULL, *respin = NULL;
+    char *reqout = NULL, *respout = NULL;
+    char *signfile = NULL, *keyfile = NULL;
+    char *rsignfile = NULL, *rkeyfile = NULL;
+    char *outfile = NULL;
+    int add_nonce = 1, noverify = 0, use_ssl = -1;
+    STACK_OF(CONF_VALUE) *headers = NULL;
+    OCSP_REQUEST *req = NULL;
+    OCSP_RESPONSE *resp = NULL;
+    OCSP_BASICRESP *bs = NULL;
+    X509 *issuer = NULL, *cert = NULL;
+    X509 *signer = NULL, *rsigner = NULL;
+    EVP_PKEY *key = NULL, *rkey = NULL;
+    BIO *acbio = NULL, *cbio = NULL;
+    BIO *derbio = NULL;
+    BIO *out = NULL;
+    int req_timeout = -1;
+    int req_text = 0, resp_text = 0;
+    long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
+    char *CAfile = NULL, *CApath = NULL;
+    X509_STORE *store = NULL;
+    X509_VERIFY_PARAM *vpm = NULL;
+    STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
+    char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
+    unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
+    int ret = 1;
+    int accept_count = -1;
+    int badarg = 0;
+    int badsig = 0;
+    int i;
+    int ignore_err = 0;
+    STACK_OF(OPENSSL_STRING) *reqnames = NULL;
+    STACK_OF(OCSP_CERTID) *ids = NULL;
+
+    X509 *rca_cert = NULL;
+    char *ridx_filename = NULL;
+    char *rca_filename = NULL;
+    CA_DB *rdb = NULL;
+    int nmin = 0, ndays = -1;
+    const EVP_MD *cert_id_md = NULL, *rsign_md = NULL;
+
+    if (bio_err == NULL)
+        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+    SSL_load_error_strings();
+    OpenSSL_add_ssl_algorithms();
+    args = argv + 1;
+    reqnames = sk_OPENSSL_STRING_new_null();
+    ids = sk_OCSP_CERTID_new_null();
+    while (!badarg && *args && *args[0] == '-') {
+        if (!strcmp(*args, "-out")) {
+            if (args[1]) {
+                args++;
+                outfile = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-timeout")) {
+            if (args[1]) {
+                args++;
+                req_timeout = atol(*args);
+                if (req_timeout < 0) {
+                    BIO_printf(bio_err, "Illegal timeout value %s\n", *args);
+                    badarg = 1;
+                }
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-url")) {
+            if (thost)
+                OPENSSL_free(thost);
+            if (tport)
+                OPENSSL_free(tport);
+            if (tpath)
+                OPENSSL_free(tpath);
+            thost = tport = tpath = NULL;
+            if (args[1]) {
+                args++;
+                if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl)) {
+                    BIO_printf(bio_err, "Error parsing URL\n");
+                    badarg = 1;
+                }
+                thost = host;
+                tport = port;
+                tpath = path;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-host")) {
+            if (args[1]) {
+                args++;
+                host = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-port")) {
+            if (args[1]) {
+                args++;
+                port = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-header")) {
+            if (args[1] && args[2]) {
+                if (!X509V3_add_value(args[1], args[2], &headers))
+                    goto end;
+                args += 2;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-ignore_err"))
+            ignore_err = 1;
+        else if (!strcmp(*args, "-noverify"))
+            noverify = 1;
+        else if (!strcmp(*args, "-nonce"))
+            add_nonce = 2;
+        else if (!strcmp(*args, "-no_nonce"))
+            add_nonce = 0;
+        else if (!strcmp(*args, "-resp_no_certs"))
+            rflags |= OCSP_NOCERTS;
+        else if (!strcmp(*args, "-resp_key_id"))
+            rflags |= OCSP_RESPID_KEY;
+        else if (!strcmp(*args, "-no_certs"))
+            sign_flags |= OCSP_NOCERTS;
+        else if (!strcmp(*args, "-no_signature_verify"))
+            verify_flags |= OCSP_NOSIGS;
+        else if (!strcmp(*args, "-no_cert_verify"))
+            verify_flags |= OCSP_NOVERIFY;
+        else if (!strcmp(*args, "-no_chain"))
+            verify_flags |= OCSP_NOCHAIN;
+        else if (!strcmp(*args, "-no_cert_checks"))
+            verify_flags |= OCSP_NOCHECKS;
+        else if (!strcmp(*args, "-no_explicit"))
+            verify_flags |= OCSP_NOEXPLICIT;
+        else if (!strcmp(*args, "-trust_other"))
+            verify_flags |= OCSP_TRUSTOTHER;
+        else if (!strcmp(*args, "-no_intern"))
+            verify_flags |= OCSP_NOINTERN;
+        else if (!strcmp(*args, "-badsig"))
+            badsig = 1;
+        else if (!strcmp(*args, "-text")) {
+            req_text = 1;
+            resp_text = 1;
+        } else if (!strcmp(*args, "-req_text"))
+            req_text = 1;
+        else if (!strcmp(*args, "-resp_text"))
+            resp_text = 1;
+        else if (!strcmp(*args, "-reqin")) {
+            if (args[1]) {
+                args++;
+                reqin = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-respin")) {
+            if (args[1]) {
+                args++;
+                respin = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-signer")) {
+            if (args[1]) {
+                args++;
+                signfile = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-VAfile")) {
+            if (args[1]) {
+                args++;
+                verify_certfile = *args;
+                verify_flags |= OCSP_TRUSTOTHER;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-sign_other")) {
+            if (args[1]) {
+                args++;
+                sign_certfile = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-verify_other")) {
+            if (args[1]) {
+                args++;
+                verify_certfile = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-CAfile")) {
+            if (args[1]) {
+                args++;
+                CAfile = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-CApath")) {
+            if (args[1]) {
+                args++;
+                CApath = *args;
+            } else
+                badarg = 1;
+        } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) {
+            if (badarg)
+                goto end;
+            continue;
+        } else if (!strcmp(*args, "-validity_period")) {
+            if (args[1]) {
+                args++;
+                nsec = atol(*args);
+                if (nsec < 0) {
+                    BIO_printf(bio_err,
+                               "Illegal validity period %s\n", *args);
+                    badarg = 1;
+                }
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-status_age")) {
+            if (args[1]) {
+                args++;
+                maxage = atol(*args);
+                if (maxage < 0) {
+                    BIO_printf(bio_err, "Illegal validity age %s\n", *args);
+                    badarg = 1;
+                }
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-signkey")) {
+            if (args[1]) {
+                args++;
+                keyfile = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-reqout")) {
+            if (args[1]) {
+                args++;
+                reqout = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-respout")) {
+            if (args[1]) {
+                args++;
+                respout = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-path")) {
+            if (args[1]) {
+                args++;
+                path = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-issuer")) {
+            if (args[1]) {
+                args++;
+                X509_free(issuer);
+                issuer = load_cert(bio_err, *args, FORMAT_PEM,
+                                   NULL, e, "issuer certificate");
+                if (!issuer)
+                    goto end;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-cert")) {
+            if (args[1]) {
+                args++;
+                X509_free(cert);
+                cert = load_cert(bio_err, *args, FORMAT_PEM,
+                                 NULL, e, "certificate");
+                if (!cert)
+                    goto end;
+                if (!cert_id_md)
+                    cert_id_md = EVP_sha1();
+                if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids))
+                    goto end;
+                if (!sk_OPENSSL_STRING_push(reqnames, *args))
+                    goto end;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-serial")) {
+            if (args[1]) {
+                args++;
+                if (!cert_id_md)
+                    cert_id_md = EVP_sha1();
+                if (!add_ocsp_serial(&req, *args, cert_id_md, issuer, ids))
+                    goto end;
+                if (!sk_OPENSSL_STRING_push(reqnames, *args))
+                    goto end;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-index")) {
+            if (args[1]) {
+                args++;
+                ridx_filename = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-CA")) {
+            if (args[1]) {
+                args++;
+                rca_filename = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-nmin")) {
+            if (args[1]) {
+                args++;
+                nmin = atol(*args);
+                if (nmin < 0) {
+                    BIO_printf(bio_err, "Illegal update period %s\n", *args);
+                    badarg = 1;
+                }
+            }
+            if (ndays == -1)
+                ndays = 0;
+            else
+                badarg = 1;
+        } else if (!strcmp(*args, "-nrequest")) {
+            if (args[1]) {
+                args++;
+                accept_count = atol(*args);
+                if (accept_count < 0) {
+                    BIO_printf(bio_err, "Illegal accept count %s\n", *args);
+                    badarg = 1;
+                }
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-ndays")) {
+            if (args[1]) {
+                args++;
+                ndays = atol(*args);
+                if (ndays < 0) {
+                    BIO_printf(bio_err, "Illegal update period %s\n", *args);
+                    badarg = 1;
+                }
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-rsigner")) {
+            if (args[1]) {
+                args++;
+                rsignfile = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-rkey")) {
+            if (args[1]) {
+                args++;
+                rkeyfile = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-rother")) {
+            if (args[1]) {
+                args++;
+                rcertfile = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-rmd")) {
+            if (args[1]) {
+                args++;
+                rsign_md = EVP_get_digestbyname(*args);
+                if (!rsign_md)
+                    badarg = 1;
+            } else
+                badarg = 1;
+        } else if ((cert_id_md = EVP_get_digestbyname((*args) + 1)) == NULL) {
+            badarg = 1;
+        }
+        args++;
+    }
+
+    /* Have we anything to do? */
+    if (!req && !reqin && !respin && !(port && ridx_filename))
+        badarg = 1;
+
+    if (badarg) {
+        BIO_printf(bio_err, "OCSP utility\n");
+        BIO_printf(bio_err, "Usage ocsp [options]\n");
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err, "-out file            output filename\n");
+        BIO_printf(bio_err, "-issuer file         issuer certificate\n");
+        BIO_printf(bio_err, "-cert file           certificate to check\n");
+        BIO_printf(bio_err, "-serial n            serial number to check\n");
+        BIO_printf(bio_err,
+                   "-signer file         certificate to sign OCSP request with\n");
+        BIO_printf(bio_err,
+                   "-signkey file        private key to sign OCSP request with\n");
+        BIO_printf(bio_err,
+                   "-sign_other file     additional certificates to include in signed request\n");
+        BIO_printf(bio_err,
+                   "-no_certs            don't include any certificates in signed request\n");
+        BIO_printf(bio_err,
+                   "-req_text            print text form of request\n");
+        BIO_printf(bio_err,
+                   "-resp_text           print text form of response\n");
+        BIO_printf(bio_err,
+                   "-text                print text form of request and response\n");
+        BIO_printf(bio_err,
+                   "-reqout file         write DER encoded OCSP request to \"file\"\n");
+        BIO_printf(bio_err,
+                   "-respout file        write DER encoded OCSP reponse to \"file\"\n");
+        BIO_printf(bio_err,
+                   "-reqin file          read DER encoded OCSP request from \"file\"\n");
+        BIO_printf(bio_err,
+                   "-respin file         read DER encoded OCSP reponse from \"file\"\n");
+        BIO_printf(bio_err,
+                   "-nonce               add OCSP nonce to request\n");
+        BIO_printf(bio_err,
+                   "-no_nonce            don't add OCSP nonce to request\n");
+        BIO_printf(bio_err, "-url URL             OCSP responder URL\n");
+        BIO_printf(bio_err,
+                   "-host host:n         send OCSP request to host on port n\n");
+        BIO_printf(bio_err,
+                   "-path                path to use in OCSP request\n");
+        BIO_printf(bio_err,
+                   "-CApath dir          trusted certificates directory\n");
+        BIO_printf(bio_err,
+                   "-CAfile file         trusted certificates file\n");
+        BIO_printf(bio_err,
+                   "-no_alt_chains       only ever use the first certificate chain found\n");
+        BIO_printf(bio_err,
+                   "-VAfile file         validator certificates file\n");
+        BIO_printf(bio_err,
+                   "-validity_period n   maximum validity discrepancy in seconds\n");
+        BIO_printf(bio_err,
+                   "-status_age n        maximum status age in seconds\n");
+        BIO_printf(bio_err,
+                   "-noverify            don't verify response at all\n");
+        BIO_printf(bio_err,
+                   "-verify_other file   additional certificates to search for signer\n");
+        BIO_printf(bio_err,
+                   "-trust_other         don't verify additional certificates\n");
+        BIO_printf(bio_err,
+                   "-no_intern           don't search certificates contained in response for signer\n");
+        BIO_printf(bio_err,
+                   "-no_signature_verify don't check signature on response\n");
+        BIO_printf(bio_err,
+                   "-no_cert_verify      don't check signing certificate\n");
+        BIO_printf(bio_err,
+                   "-no_chain            don't chain verify response\n");
+        BIO_printf(bio_err,
+                   "-no_cert_checks      don't do additional checks on signing certificate\n");
+        BIO_printf(bio_err,
+                   "-port num            port to run responder on\n");
+        BIO_printf(bio_err,
+                   "-index file          certificate status index file\n");
+        BIO_printf(bio_err, "-CA file             CA certificate\n");
+        BIO_printf(bio_err,
+                   "-rsigner file        responder certificate to sign responses with\n");
+        BIO_printf(bio_err,
+                   "-rkey file           responder key to sign responses with\n");
+        BIO_printf(bio_err,
+                   "-rother file         other certificates to include in response\n");
+        BIO_printf(bio_err,
+                   "-resp_no_certs       don't include any certificates in response\n");
+        BIO_printf(bio_err,
+                   "-nmin n              number of minutes before next update\n");
+        BIO_printf(bio_err,
+                   "-ndays n             number of days before next update\n");
+        BIO_printf(bio_err,
+                   "-resp_key_id         identify reponse by signing certificate key ID\n");
+        BIO_printf(bio_err,
+                   "-nrequest n          number of requests to accept (default unlimited)\n");
+        BIO_printf(bio_err,
+                   "-<dgst alg>          use specified digest in the request\n");
+        BIO_printf(bio_err,
+                   "-timeout n           timeout connection to OCSP responder after n seconds\n");
+        goto end;
+    }
+
+    if (outfile)
+        out = BIO_new_file(outfile, "w");
+    else
+        out = BIO_new_fp(stdout, BIO_NOCLOSE);
+
+    if (!out) {
+        BIO_printf(bio_err, "Error opening output file\n");
+        goto end;
+    }
+
+    if (!req && (add_nonce != 2))
+        add_nonce = 0;
+
+    if (!req && reqin) {
+        if (!strcmp(reqin, "-"))
+            derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
+        else
+            derbio = BIO_new_file(reqin, "rb");
+        if (!derbio) {
+            BIO_printf(bio_err, "Error Opening OCSP request file\n");
+            goto end;
+        }
+        req = d2i_OCSP_REQUEST_bio(derbio, NULL);
+        BIO_free(derbio);
+        if (!req) {
+            BIO_printf(bio_err, "Error reading OCSP request\n");
+            goto end;
+        }
+    }
+
+    if (!req && port) {
+        acbio = init_responder(port);
+        if (!acbio)
+            goto end;
+    }
+
+    if (rsignfile && !rdb) {
+        if (!rkeyfile)
+            rkeyfile = rsignfile;
+        rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM,
+                            NULL, e, "responder certificate");
+        if (!rsigner) {
+            BIO_printf(bio_err, "Error loading responder certificate\n");
+            goto end;
+        }
+        rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM,
+                             NULL, e, "CA certificate");
+        if (rcertfile) {
+            rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
+                                NULL, e, "responder other certificates");
+            if (!rother)
+                goto end;
+        }
+        rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
+                        "responder private key");
+        if (!rkey)
+            goto end;
+    }
+    if (acbio)
+        BIO_printf(bio_err, "Waiting for OCSP client connections...\n");
+
+ redo_accept:
+
+    if (acbio) {
+        if (!do_responder(&req, &cbio, acbio, port))
+            goto end;
+        if (!req) {
+            resp =
+                OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST,
+                                     NULL);
+            send_ocsp_response(cbio, resp);
+            goto done_resp;
+        }
+    }
+
+    if (!req && (signfile || reqout || host || add_nonce || ridx_filename)) {
+        BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
+        goto end;
+    }
+
+    if (req && add_nonce)
+        OCSP_request_add1_nonce(req, NULL, -1);
+
+    if (signfile) {
+        if (!keyfile)
+            keyfile = signfile;
+        signer = load_cert(bio_err, signfile, FORMAT_PEM,
+                           NULL, e, "signer certificate");
+        if (!signer) {
+            BIO_printf(bio_err, "Error loading signer certificate\n");
+            goto end;
+        }
+        if (sign_certfile) {
+            sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM,
+                                    NULL, e, "signer certificates");
+            if (!sign_other)
+                goto end;
+        }
+        key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
+                       "signer private key");
+        if (!key)
+            goto end;
+
+        if (!OCSP_request_sign
+            (req, signer, key, NULL, sign_other, sign_flags)) {
+            BIO_printf(bio_err, "Error signing OCSP request\n");
+            goto end;
+        }
+    }
+
+    if (req_text && req)
+        OCSP_REQUEST_print(out, req, 0);
+
+    if (reqout) {
+        if (!strcmp(reqout, "-"))
+            derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
+        else
+            derbio = BIO_new_file(reqout, "wb");
+        if (!derbio) {
+            BIO_printf(bio_err, "Error opening file %s\n", reqout);
+            goto end;
+        }
+        i2d_OCSP_REQUEST_bio(derbio, req);
+        BIO_free(derbio);
+    }
+
+    if (ridx_filename && (!rkey || !rsigner || !rca_cert)) {
+        BIO_printf(bio_err,
+                   "Need a responder certificate, key and CA for this operation!\n");
+        goto end;
+    }
+
+    if (ridx_filename && !rdb) {
+        rdb = load_index(ridx_filename, NULL);
+        if (!rdb)
+            goto end;
+        if (!index_index(rdb))
+            goto end;
+    }
+
+    if (rdb) {
+        i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,
+                               rsign_md, rother, rflags, nmin, ndays, badsig);
+        if (cbio)
+            send_ocsp_response(cbio, resp);
+    } else if (host) {
+# ifndef OPENSSL_NO_SOCK
+        resp = process_responder(bio_err, req, host, path,
+                                 port, use_ssl, headers, req_timeout);
+        if (!resp)
+            goto end;
+# else
+        BIO_printf(bio_err,
+                   "Error creating connect BIO - sockets not supported.\n");
+        goto end;
+# endif
+    } else if (respin) {
+        if (!strcmp(respin, "-"))
+            derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
+        else
+            derbio = BIO_new_file(respin, "rb");
+        if (!derbio) {
+            BIO_printf(bio_err, "Error Opening OCSP response file\n");
+            goto end;
+        }
+        resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
+        BIO_free(derbio);
+        if (!resp) {
+            BIO_printf(bio_err, "Error reading OCSP response\n");
+            goto end;
+        }
+
+    } else {
+        ret = 0;
+        goto end;
+    }
+
+ done_resp:
+
+    if (respout) {
+        if (!strcmp(respout, "-"))
+            derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
+        else
+            derbio = BIO_new_file(respout, "wb");
+        if (!derbio) {
+            BIO_printf(bio_err, "Error opening file %s\n", respout);
+            goto end;
+        }
+        i2d_OCSP_RESPONSE_bio(derbio, resp);
+        BIO_free(derbio);
+    }
+
+    i = OCSP_response_status(resp);
+
+    if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
+        BIO_printf(out, "Responder Error: %s (%d)\n",
+                   OCSP_response_status_str(i), i);
+        if (ignore_err)
+            goto redo_accept;
+        ret = 0;
+        goto end;
+    }
+
+    if (resp_text)
+        OCSP_RESPONSE_print(out, resp, 0);
+
+    /* If running as responder don't verify our own response */
+    if (cbio) {
+        if (accept_count > 0)
+            accept_count--;
+        /* Redo if more connections needed */
+        if (accept_count) {
+            BIO_free_all(cbio);
+            cbio = NULL;
+            OCSP_REQUEST_free(req);
+            req = NULL;
+            OCSP_RESPONSE_free(resp);
+            resp = NULL;
+            goto redo_accept;
+        }
+        ret = 0;
+        goto end;
+    } else if (ridx_filename) {
+        ret = 0;
+        goto end;
+    }
+
+    if (!store)
+        store = setup_verify(bio_err, CAfile, CApath);
+    if (!store)
+        goto end;
+    if (vpm)
+        X509_STORE_set1_param(store, vpm);
+    if (verify_certfile) {
+        verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
+                                  NULL, e, "validator certificate");
+        if (!verify_other)
+            goto end;
+    }
+
+    bs = OCSP_response_get1_basic(resp);
+
+    if (!bs) {
+        BIO_printf(bio_err, "Error parsing response\n");
+        goto end;
+    }
+
+    ret = 0;
+
+    if (!noverify) {
+        if (req && ((i = OCSP_check_nonce(req, bs)) <= 0)) {
+            if (i == -1)
+                BIO_printf(bio_err, "WARNING: no nonce in response\n");
+            else {
+                BIO_printf(bio_err, "Nonce Verify error\n");
+                ret = 1;
+                goto end;
+            }
+        }
+
+        i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
+        if (i <= 0) {
+            BIO_printf(bio_err, "Response Verify Failure\n");
+            ERR_print_errors(bio_err);
+            ret = 1;
+        } else
+            BIO_printf(bio_err, "Response verify OK\n");
+
+    }
+
+    if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
+        ret = 1;
+
+ end:
+    ERR_print_errors(bio_err);
+    X509_free(signer);
+    X509_STORE_free(store);
+    if (vpm)
+        X509_VERIFY_PARAM_free(vpm);
+    EVP_PKEY_free(key);
+    EVP_PKEY_free(rkey);
+    X509_free(issuer);
+    X509_free(cert);
+    X509_free(rsigner);
+    X509_free(rca_cert);
+    free_index(rdb);
+    BIO_free_all(cbio);
+    BIO_free_all(acbio);
+    BIO_free(out);
+    OCSP_REQUEST_free(req);
+    OCSP_RESPONSE_free(resp);
+    OCSP_BASICRESP_free(bs);
+    sk_OPENSSL_STRING_free(reqnames);
+    sk_OCSP_CERTID_free(ids);
+    sk_X509_pop_free(sign_other, X509_free);
+    sk_X509_pop_free(verify_other, X509_free);
+    sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
+
+    if (thost)
+        OPENSSL_free(thost);
+    if (tport)
+        OPENSSL_free(tport);
+    if (tpath)
+        OPENSSL_free(tpath);
+
+    OPENSSL_EXIT(ret);
+}
+
+static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
+                         const EVP_MD *cert_id_md, X509 *issuer,
+                         STACK_OF(OCSP_CERTID) *ids)
+{
+    OCSP_CERTID *id;
+    if (!issuer) {
+        BIO_printf(bio_err, "No issuer certificate specified\n");
+        return 0;
+    }
+    if (!*req)
+        *req = OCSP_REQUEST_new();
+    if (!*req)
+        goto err;
+    id = OCSP_cert_to_id(cert_id_md, cert, issuer);
+    if (!id || !sk_OCSP_CERTID_push(ids, id))
+        goto err;
+    if (!OCSP_request_add0_id(*req, id))
+        goto err;
+    return 1;
+
+ err:
+    BIO_printf(bio_err, "Error Creating OCSP request\n");
+    return 0;
+}
+
+static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
+                           const EVP_MD *cert_id_md, X509 *issuer,
+                           STACK_OF(OCSP_CERTID) *ids)
+{
+    OCSP_CERTID *id;
+    X509_NAME *iname;
+    ASN1_BIT_STRING *ikey;
+    ASN1_INTEGER *sno;
+    if (!issuer) {
+        BIO_printf(bio_err, "No issuer certificate specified\n");
+        return 0;
+    }
+    if (!*req)
+        *req = OCSP_REQUEST_new();
+    if (!*req)
+        goto err;
+    iname = X509_get_subject_name(issuer);
+    ikey = X509_get0_pubkey_bitstr(issuer);
+    sno = s2i_ASN1_INTEGER(NULL, serial);
+    if (!sno) {
+        BIO_printf(bio_err, "Error converting serial number %s\n", serial);
+        return 0;
+    }
+    id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno);
+    ASN1_INTEGER_free(sno);
+    if (!id || !sk_OCSP_CERTID_push(ids, id))
+        goto err;
+    if (!OCSP_request_add0_id(*req, id))
+        goto err;
+    return 1;
+
+ err:
+    BIO_printf(bio_err, "Error Creating OCSP request\n");
+    return 0;
+}
+
+static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
+                              STACK_OF(OPENSSL_STRING) *names,
+                              STACK_OF(OCSP_CERTID) *ids, long nsec,
+                              long maxage)
+{
+    OCSP_CERTID *id;
+    char *name;
+    int i;
+
+    int status, reason;
+
+    ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
+
+    if (!bs || !req || !sk_OPENSSL_STRING_num(names)
+        || !sk_OCSP_CERTID_num(ids))
+        return 1;
+
+    for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) {
+        id = sk_OCSP_CERTID_value(ids, i);
+        name = sk_OPENSSL_STRING_value(names, i);
+        BIO_printf(out, "%s: ", name);
+
+        if (!OCSP_resp_find_status(bs, id, &status, &reason,
+                                   &rev, &thisupd, &nextupd)) {
+            BIO_puts(out, "ERROR: No Status found.\n");
+            continue;
+        }
+
+        /*
+         * Check validity: if invalid write to output BIO so we know which
+         * response this refers to.
+         */
+        if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage)) {
+            BIO_puts(out, "WARNING: Status times invalid.\n");
+            ERR_print_errors(out);
+        }
+        BIO_printf(out, "%s\n", OCSP_cert_status_str(status));
+
+        BIO_puts(out, "\tThis Update: ");
+        ASN1_GENERALIZEDTIME_print(out, thisupd);
+        BIO_puts(out, "\n");
+
+        if (nextupd) {
+            BIO_puts(out, "\tNext Update: ");
+            ASN1_GENERALIZEDTIME_print(out, nextupd);
+            BIO_puts(out, "\n");
+        }
+
+        if (status != V_OCSP_CERTSTATUS_REVOKED)
+            continue;
+
+        if (reason != -1)
+            BIO_printf(out, "\tReason: %s\n", OCSP_crl_reason_str(reason));
+
+        BIO_puts(out, "\tRevocation Time: ");
+        ASN1_GENERALIZEDTIME_print(out, rev);
+        BIO_puts(out, "\n");
+    }
+
+    return 1;
+}
+
+static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
+                              CA_DB *db, X509 *ca, X509 *rcert,
+                              EVP_PKEY *rkey, const EVP_MD *rmd,
+                              STACK_OF(X509) *rother, unsigned long flags,
+                              int nmin, int ndays, int badsig)
+{
+    ASN1_TIME *thisupd = NULL, *nextupd = NULL;
+    OCSP_CERTID *cid, *ca_id = NULL;
+    OCSP_BASICRESP *bs = NULL;
+    int i, id_count, ret = 1;
+
+    id_count = OCSP_request_onereq_count(req);
+
+    if (id_count <= 0) {
+        *resp =
+            OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
+        goto end;
+    }
+
+    bs = OCSP_BASICRESP_new();
+    thisupd = X509_gmtime_adj(NULL, 0);
+    if (ndays != -1)
+        nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL);
+
+    /* Examine each certificate id in the request */
+    for (i = 0; i < id_count; i++) {
+        OCSP_ONEREQ *one;
+        ASN1_INTEGER *serial;
+        char **inf;
+        ASN1_OBJECT *cert_id_md_oid;
+        const EVP_MD *cert_id_md;
+        one = OCSP_request_onereq_get0(req, i);
+        cid = OCSP_onereq_get0_id(one);
+
+        OCSP_id_get0_info(NULL, &cert_id_md_oid, NULL, NULL, cid);
+
+        cert_id_md = EVP_get_digestbyobj(cert_id_md_oid);
+        if (!cert_id_md) {
+            *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
+                                         NULL);
+            goto end;
+        }
+        if (ca_id)
+            OCSP_CERTID_free(ca_id);
+        ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca);
+
+        /* Is this request about our CA? */
+        if (OCSP_id_issuer_cmp(ca_id, cid)) {
+            OCSP_basic_add1_status(bs, cid,
+                                   V_OCSP_CERTSTATUS_UNKNOWN,
+                                   0, NULL, thisupd, nextupd);
+            continue;
+        }
+        OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
+        inf = lookup_serial(db, serial);
+        if (!inf)
+            OCSP_basic_add1_status(bs, cid,
+                                   V_OCSP_CERTSTATUS_UNKNOWN,
+                                   0, NULL, thisupd, nextupd);
+        else if (inf[DB_type][0] == DB_TYPE_VAL)
+            OCSP_basic_add1_status(bs, cid,
+                                   V_OCSP_CERTSTATUS_GOOD,
+                                   0, NULL, thisupd, nextupd);
+        else if (inf[DB_type][0] == DB_TYPE_REV) {
+            ASN1_OBJECT *inst = NULL;
+            ASN1_TIME *revtm = NULL;
+            ASN1_GENERALIZEDTIME *invtm = NULL;
+            OCSP_SINGLERESP *single;
+            int reason = -1;
+            unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
+            single = OCSP_basic_add1_status(bs, cid,
+                                            V_OCSP_CERTSTATUS_REVOKED,
+                                            reason, revtm, thisupd, nextupd);
+            if (invtm)
+                OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date,
+                                             invtm, 0, 0);
+            else if (inst)
+                OCSP_SINGLERESP_add1_ext_i2d(single,
+                                             NID_hold_instruction_code, inst,
+                                             0, 0);
+            ASN1_OBJECT_free(inst);
+            ASN1_TIME_free(revtm);
+            ASN1_GENERALIZEDTIME_free(invtm);
+        }
+    }
+
+    OCSP_copy_nonce(bs, req);
+
+    OCSP_basic_sign(bs, rcert, rkey, rmd, rother, flags);
+
+    if (badsig)
+        bs->signature->data[bs->signature->length - 1] ^= 0x1;
+
+    *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
+
+ end:
+    ASN1_TIME_free(thisupd);
+    ASN1_TIME_free(nextupd);
+    OCSP_CERTID_free(ca_id);
+    OCSP_BASICRESP_free(bs);
+    return ret;
+
+}
+
+static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
+{
+    int i;
+    BIGNUM *bn = NULL;
+    char *itmp, *row[DB_NUMBER], **rrow;
+    for (i = 0; i < DB_NUMBER; i++)
+        row[i] = NULL;
+    bn = ASN1_INTEGER_to_BN(ser, NULL);
+    OPENSSL_assert(bn);         /* FIXME: should report an error at this
+                                 * point and abort */
+    if (BN_is_zero(bn))
+        itmp = BUF_strdup("00");
+    else
+        itmp = BN_bn2hex(bn);
+    row[DB_serial] = itmp;
+    BN_free(bn);
+    rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
+    OPENSSL_free(itmp);
+    return rrow;
+}
+
+/* Quick and dirty OCSP server: read in and parse input request */
+
+static BIO *init_responder(const char *port)
+{
+    BIO *acbio = NULL, *bufbio = NULL;
+    bufbio = BIO_new(BIO_f_buffer());
+    if (!bufbio)
+        goto err;
+# ifndef OPENSSL_NO_SOCK
+    acbio = BIO_new_accept(port);
+# else
+    BIO_printf(bio_err,
+               "Error setting up accept BIO - sockets not supported.\n");
+# endif
+    if (!acbio)
+        goto err;
+    BIO_set_accept_bios(acbio, bufbio);
+    bufbio = NULL;
+
+    if (BIO_do_accept(acbio) <= 0) {
+        BIO_printf(bio_err, "Error setting up accept BIO\n");
+        ERR_print_errors(bio_err);
+        goto err;
+    }
+
+    return acbio;
+
+ err:
+    BIO_free_all(acbio);
+    BIO_free(bufbio);
+    return NULL;
+}
+
+static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
+                        const char *port)
+{
+    int have_post = 0, len;
+    OCSP_REQUEST *req = NULL;
+    char inbuf[1024];
+    BIO *cbio = NULL;
+
+    if (BIO_do_accept(acbio) <= 0) {
+        BIO_printf(bio_err, "Error accepting connection\n");
+        ERR_print_errors(bio_err);
+        return 0;
+    }
+
+    cbio = BIO_pop(acbio);
+    *pcbio = cbio;
+
+    for (;;) {
+        len = BIO_gets(cbio, inbuf, sizeof inbuf);
+        if (len <= 0)
+            return 1;
+        /* Look for "POST" signalling start of query */
+        if (!have_post) {
+            if (strncmp(inbuf, "POST", 4)) {
+                BIO_printf(bio_err, "Invalid request\n");
+                return 1;
+            }
+            have_post = 1;
+        }
+        /* Look for end of headers */
+        if ((inbuf[0] == '\r') || (inbuf[0] == '\n'))
+            break;
+    }
+
+    /* Try to read OCSP request */
+
+    req = d2i_OCSP_REQUEST_bio(cbio, NULL);
+
+    if (!req) {
+        BIO_printf(bio_err, "Error parsing OCSP request\n");
+        ERR_print_errors(bio_err);
+    }
+
+    *preq = req;
+
+    return 1;
+
+}
+
+static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
+{
+    char http_resp[] =
+        "HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n"
+        "Content-Length: %d\r\n\r\n";
+    if (!cbio)
+        return 0;
+    BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
+    i2d_OCSP_RESPONSE_bio(cbio, resp);
+    (void)BIO_flush(cbio);
+    return 1;
+}
+
+static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
+                                      const STACK_OF(CONF_VALUE) *headers,
+                                      OCSP_REQUEST *req, int req_timeout)
+{
+    int fd;
+    int rv;
+    int i;
+    OCSP_REQ_CTX *ctx = NULL;
+    OCSP_RESPONSE *rsp = NULL;
+    fd_set confds;
+    struct timeval tv;
+
+    if (req_timeout != -1)
+        BIO_set_nbio(cbio, 1);
+
+    rv = BIO_do_connect(cbio);
+
+    if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio))) {
+        BIO_puts(err, "Error connecting BIO\n");
+        return NULL;
+    }
+
+    if (BIO_get_fd(cbio, &fd) < 0) {
+        BIO_puts(bio_err, "Can't get connection fd\n");
+        goto err;
+    }
+
+    if (req_timeout != -1 && rv <= 0) {
+        FD_ZERO(&confds);
+        openssl_fdset(fd, &confds);
+        tv.tv_usec = 0;
+        tv.tv_sec = req_timeout;
+        rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
+        if (rv == 0) {
+            BIO_puts(err, "Timeout on connect\n");
+            return NULL;
+        }
+    }
+
+    ctx = OCSP_sendreq_new(cbio, path, NULL, -1);
+    if (!ctx)
+        return NULL;
+
+    for (i = 0; i < sk_CONF_VALUE_num(headers); i++) {
+        CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i);
+        if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value))
+            goto err;
+    }
+
+    if (!OCSP_REQ_CTX_set1_req(ctx, req))
+        goto err;
+
+    for (;;) {
+        rv = OCSP_sendreq_nbio(&rsp, ctx);
+        if (rv != -1)
+            break;
+        if (req_timeout == -1)
+            continue;
+        FD_ZERO(&confds);
+        openssl_fdset(fd, &confds);
+        tv.tv_usec = 0;
+        tv.tv_sec = req_timeout;
+        if (BIO_should_read(cbio))
+            rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv);
+        else if (BIO_should_write(cbio))
+            rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
+        else {
+            BIO_puts(err, "Unexpected retry condition\n");
+            goto err;
+        }
+        if (rv == 0) {
+            BIO_puts(err, "Timeout on request\n");
+            break;
+        }
+        if (rv == -1) {
+            BIO_puts(err, "Select error\n");
+            break;
+        }
+
+    }
+ err:
+    if (ctx)
+        OCSP_REQ_CTX_free(ctx);
+
+    return rsp;
+}
+
+OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
+                                 const char *host, const char *path,
+                                 const char *port, int use_ssl,
+                                 const STACK_OF(CONF_VALUE) *headers,
+                                 int req_timeout)
+{
+    BIO *cbio = NULL;
+    SSL_CTX *ctx = NULL;
+    OCSP_RESPONSE *resp = NULL;
+    cbio = BIO_new_connect(host);
+    if (!cbio) {
+        BIO_printf(err, "Error creating connect BIO\n");
+        goto end;
+    }
+    if (port)
+        BIO_set_conn_port(cbio, port);
+    if (use_ssl == 1) {
+        BIO *sbio;
+        ctx = SSL_CTX_new(SSLv23_client_method());
+        if (ctx == NULL) {
+            BIO_printf(err, "Error creating SSL context.\n");
+            goto end;
+        }
+        SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
+        sbio = BIO_new_ssl(ctx, 1);
+        cbio = BIO_push(sbio, cbio);
+    }
+    resp = query_responder(err, cbio, path, headers, req, req_timeout);
+    if (!resp)
+        BIO_printf(bio_err, "Error querying OCSP responder\n");
+ end:
+    if (cbio)
+        BIO_free_all(cbio);
+    if (ctx)
+        SSL_CTX_free(ctx);
+    return resp;
+}
+
+#endif
diff --git a/openssl/apps/oid.cnf b/openssl/apps/oid.cnf
new file mode 100644
index 0000000..faf425a
--- /dev/null
+++ b/openssl/apps/oid.cnf
@@ -0,0 +1,6 @@
+2.99999.1       SET.ex1         SET x509v3 extension 1
+2.99999.2       SET.ex2         SET x509v3 extension 2
+2.99999.3       SET.ex3         SET x509v3 extension 3
+2.99999.4       SET.ex4         SET x509v3 extension 4
+2.99999.5       SET.ex5         SET x509v3 extension 5
+2.99999.6       SET.ex6         SET x509v3 extension 6
diff --git a/openssl/apps/openssl-vms.cnf b/openssl/apps/openssl-vms.cnf
new file mode 100644
index 0000000..94baac1
--- /dev/null
+++ b/openssl/apps/openssl-vms.cnf
@@ -0,0 +1,350 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= sys\$disk:[.demoCA		# Where everything is kept
+certs		= $dir.certs]		# Where the issued certs are kept
+crl_dir		= $dir.crl]		# Where the issued crl are kept
+database	= $dir]index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir.newcerts]		# default place for new certs.
+
+certificate	= $dir]cacert.pem 	# The CA certificate
+serial		= $dir]serial. 		# The current serial number
+crlnumber	= $dir]crlnumber.	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir]crl.pem 		# The current CRL
+private_key	= $dir.private]cakey.pem# The private key
+RANDFILE	= $dir.private].rand	# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= default		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 2048
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= AU
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+
+localityName			= Locality Name (eg, city)
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (e.g. server FQDN or YOUR name)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1	# the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir		= sys\$disk:[.demoCA		# TSA root directory
+serial		= $dir]tsaserial.	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir.cacert.pem]	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests		= md5, sha1		# Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)
diff --git a/openssl/apps/openssl.c b/openssl/apps/openssl.c
new file mode 100644
index 0000000..6873145
--- /dev/null
+++ b/openssl/apps/openssl.c
@@ -0,0 +1,696 @@
+/* apps/openssl.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#define OPENSSL_C               /* tells apps.h to use complete
+                                 * apps_startup() */
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/rand.h>
+#include <openssl/lhash.h>
+#include <openssl/conf.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+#ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+#endif
+#define USE_SOCKETS             /* needed for the _O_BINARY defs in the MS
+                                 * world */
+#include "progs.h"
+#include "s_apps.h"
+#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
+
+/*
+ * The LHASH callbacks ("hash" & "cmp") have been replaced by functions with
+ * the base prototypes (we cast each variable inside the function to the
+ * required type of "FUNCTION*"). This removes the necessity for
+ * macro-generated wrapper functions.
+ */
+
+static LHASH_OF(FUNCTION) *prog_init(void);
+static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[]);
+static void list_pkey(BIO *out);
+static void list_cipher(BIO *out);
+static void list_md(BIO *out);
+char *default_config_file = NULL;
+
+/* Make sure there is only one when MONOLITH is defined */
+#ifdef MONOLITH
+CONF *config = NULL;
+BIO *bio_err = NULL;
+#endif
+
+static void lock_dbg_cb(int mode, int type, const char *file, int line)
+{
+    static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
+    const char *errstr = NULL;
+    int rw;
+
+    rw = mode & (CRYPTO_READ | CRYPTO_WRITE);
+    if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE))) {
+        errstr = "invalid mode";
+        goto err;
+    }
+
+    if (type < 0 || type >= CRYPTO_NUM_LOCKS) {
+        errstr = "type out of bounds";
+        goto err;
+    }
+
+    if (mode & CRYPTO_LOCK) {
+        if (modes[type]) {
+            errstr = "already locked";
+            /*
+             * must not happen in a single-threaded program (would deadlock)
+             */
+            goto err;
+        }
+
+        modes[type] = rw;
+    } else if (mode & CRYPTO_UNLOCK) {
+        if (!modes[type]) {
+            errstr = "not locked";
+            goto err;
+        }
+
+        if (modes[type] != rw) {
+            errstr = (rw == CRYPTO_READ) ?
+                "CRYPTO_r_unlock on write lock" :
+                "CRYPTO_w_unlock on read lock";
+        }
+
+        modes[type] = 0;
+    } else {
+        errstr = "invalid mode";
+        goto err;
+    }
+
+ err:
+    if (errstr) {
+        /* we cannot use bio_err here */
+        fprintf(stderr,
+                "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
+                errstr, mode, type, file, line);
+    }
+}
+
+#if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64)
+# define ARGV _Argv
+#else
+# define ARGV Argv
+#endif
+
+int main(int Argc, char *ARGV[])
+{
+    ARGS arg;
+#define PROG_NAME_SIZE  39
+    char pname[PROG_NAME_SIZE + 1];
+    FUNCTION f, *fp;
+    MS_STATIC const char *prompt;
+    MS_STATIC char buf[1024];
+    char *to_free = NULL;
+    int n, i, ret = 0;
+    int argc;
+    char **argv, *p;
+    LHASH_OF(FUNCTION) *prog = NULL;
+    long errline;
+
+#if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64)
+    /*-
+     * 2011-03-22 SMS.
+     * If we have 32-bit pointers everywhere, then we're safe, and
+     * we bypass this mess, as on non-VMS systems.  (See ARGV,
+     * above.)
+     * Problem 1: Compaq/HP C before V7.3 always used 32-bit
+     * pointers for argv[].
+     * Fix 1: For a 32-bit argv[], when we're using 64-bit pointers
+     * everywhere else, we always allocate and use a 64-bit
+     * duplicate of argv[].
+     * Problem 2: Compaq/HP C V7.3 (Alpha, IA64) before ECO1 failed
+     * to NULL-terminate a 64-bit argv[].  (As this was written, the
+     * compiler ECO was available only on IA64.)
+     * Fix 2: Unless advised not to (VMS_TRUST_ARGV), we test a
+     * 64-bit argv[argc] for NULL, and, if necessary, use a
+     * (properly) NULL-terminated (64-bit) duplicate of argv[].
+     * The same code is used in either case to duplicate argv[].
+     * Some of these decisions could be handled in preprocessing,
+     * but the code tends to get even uglier, and the penalty for
+     * deciding at compile- or run-time is tiny.
+     */
+    char **Argv = NULL;
+    int free_Argv = 0;
+
+    if ((sizeof(_Argv) < 8)     /* 32-bit argv[]. */
+# if !defined( VMS_TRUST_ARGV)
+        || (_Argv[Argc] != NULL) /* Untrusted argv[argc] not NULL. */
+# endif
+        ) {
+        int i;
+        Argv = OPENSSL_malloc((Argc + 1) * sizeof(char *));
+        if (Argv == NULL) {
+            ret = -1;
+            goto end;
+        }
+        for (i = 0; i < Argc; i++)
+            Argv[i] = _Argv[i];
+        Argv[Argc] = NULL;      /* Certain NULL termination. */
+        free_Argv = 1;
+    } else {
+        /*
+         * Use the known-good 32-bit argv[] (which needs the type cast to
+         * satisfy the compiler), or the trusted or tested-good 64-bit argv[]
+         * as-is.
+         */
+        Argv = (char **)_Argv;
+    }
+#endif                          /* defined( OPENSSL_SYS_VMS) &&
+                                 * (__INITIAL_POINTER_SIZE == 64) */
+
+    arg.data = NULL;
+    arg.count = 0;
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (getenv("OPENSSL_DEBUG_MEMORY") != NULL) { /* if not defined, use
+                                                   * compiled-in library
+                                                   * defaults */
+        if (!(0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))) {
+            CRYPTO_malloc_debug_init();
+            CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
+        } else {
+            /* OPENSSL_DEBUG_MEMORY=off */
+            CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
+        }
+    }
+    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+#if 0
+    if (getenv("OPENSSL_DEBUG_LOCKING") != NULL)
+#endif
+    {
+        CRYPTO_set_locking_callback(lock_dbg_cb);
+    }
+
+    if (getenv("OPENSSL_FIPS")) {
+#ifdef OPENSSL_FIPS
+        if (!FIPS_mode_set(1)) {
+            ERR_load_crypto_strings();
+            ERR_print_errors(BIO_new_fp(stderr, BIO_NOCLOSE));
+            EXIT(1);
+        }
+#else
+        fprintf(stderr, "FIPS mode not supported.\n");
+        EXIT(1);
+#endif
+    }
+
+    apps_startup();
+
+    /* Lets load up our environment a little */
+    p = getenv("OPENSSL_CONF");
+    if (p == NULL)
+        p = getenv("SSLEAY_CONF");
+    if (p == NULL)
+        p = to_free = make_config_name();
+
+    default_config_file = p;
+
+    config = NCONF_new(NULL);
+    i = NCONF_load(config, p, &errline);
+    if (i == 0) {
+        if (ERR_GET_REASON(ERR_peek_last_error())
+            == CONF_R_NO_SUCH_FILE) {
+            BIO_printf(bio_err, "WARNING: can't open config file: %s\n", p);
+            ERR_clear_error();
+            NCONF_free(config);
+            config = NULL;
+        } else {
+            ERR_print_errors(bio_err);
+            NCONF_free(config);
+            exit(1);
+        }
+    }
+
+    prog = prog_init();
+
+    /* first check the program name */
+    program_name(Argv[0], pname, sizeof pname);
+
+    f.name = pname;
+    fp = lh_FUNCTION_retrieve(prog, &f);
+    if (fp != NULL) {
+        Argv[0] = pname;
+        ret = fp->func(Argc, Argv);
+        goto end;
+    }
+
+    /*
+     * ok, now check that there are not arguments, if there are, run with
+     * them, shifting the ssleay off the front
+     */
+    if (Argc != 1) {
+        Argc--;
+        Argv++;
+        ret = do_cmd(prog, Argc, Argv);
+        if (ret < 0)
+            ret = 0;
+        goto end;
+    }
+
+    /* ok, lets enter the old 'OpenSSL>' mode */
+
+    for (;;) {
+        ret = 0;
+        p = buf;
+        n = sizeof buf;
+        i = 0;
+        for (;;) {
+            p[0] = '\0';
+            if (i++)
+                prompt = ">";
+            else
+                prompt = "OpenSSL> ";
+            fputs(prompt, stdout);
+            fflush(stdout);
+            if (!fgets(p, n, stdin))
+                goto end;
+            if (p[0] == '\0')
+                goto end;
+            i = strlen(p);
+            if (i <= 1)
+                break;
+            if (p[i - 2] != '\\')
+                break;
+            i -= 2;
+            p += i;
+            n -= i;
+        }
+        if (!chopup_args(&arg, buf, &argc, &argv))
+            break;
+
+        ret = do_cmd(prog, argc, argv);
+        if (ret < 0) {
+            ret = 0;
+            goto end;
+        }
+        if (ret != 0)
+            BIO_printf(bio_err, "error in %s\n", argv[0]);
+        (void)BIO_flush(bio_err);
+    }
+    BIO_printf(bio_err, "bad exit\n");
+    ret = 1;
+ end:
+    if (to_free)
+        OPENSSL_free(to_free);
+    if (config != NULL) {
+        NCONF_free(config);
+        config = NULL;
+    }
+    if (prog != NULL)
+        lh_FUNCTION_free(prog);
+    if (arg.data != NULL)
+        OPENSSL_free(arg.data);
+
+#if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64)
+    /* Free any duplicate Argv[] storage. */
+    if (free_Argv) {
+        OPENSSL_free(Argv);
+    }
+#endif
+    apps_shutdown();
+    CRYPTO_mem_leaks(bio_err);
+    if (bio_err != NULL) {
+        BIO_free(bio_err);
+        bio_err = NULL;
+    }
+
+    OPENSSL_EXIT(ret);
+}
+
+#define LIST_STANDARD_COMMANDS "list-standard-commands"
+#define LIST_MESSAGE_DIGEST_COMMANDS "list-message-digest-commands"
+#define LIST_MESSAGE_DIGEST_ALGORITHMS "list-message-digest-algorithms"
+#define LIST_CIPHER_COMMANDS "list-cipher-commands"
+#define LIST_CIPHER_ALGORITHMS "list-cipher-algorithms"
+#define LIST_PUBLIC_KEY_ALGORITHMS "list-public-key-algorithms"
+
+static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[])
+{
+    FUNCTION f, *fp;
+    int i, ret = 1, tp, nl;
+
+    if ((argc <= 0) || (argv[0] == NULL)) {
+        ret = 0;
+        goto end;
+    }
+    f.name = argv[0];
+    fp = lh_FUNCTION_retrieve(prog, &f);
+    if (fp == NULL) {
+        if (EVP_get_digestbyname(argv[0])) {
+            f.type = FUNC_TYPE_MD;
+            f.func = dgst_main;
+            fp = &f;
+        } else if (EVP_get_cipherbyname(argv[0])) {
+            f.type = FUNC_TYPE_CIPHER;
+            f.func = enc_main;
+            fp = &f;
+        }
+    }
+    if (fp != NULL) {
+        ret = fp->func(argc, argv);
+    } else if ((strncmp(argv[0], "no-", 3)) == 0) {
+        BIO *bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            bio_stdout = BIO_push(tmpbio, bio_stdout);
+        }
+#endif
+        f.name = argv[0] + 3;
+        ret = (lh_FUNCTION_retrieve(prog, &f) != NULL);
+        if (!ret)
+            BIO_printf(bio_stdout, "%s\n", argv[0]);
+        else
+            BIO_printf(bio_stdout, "%s\n", argv[0] + 3);
+        BIO_free_all(bio_stdout);
+        goto end;
+    } else if ((strcmp(argv[0], "quit") == 0) ||
+               (strcmp(argv[0], "q") == 0) ||
+               (strcmp(argv[0], "exit") == 0) ||
+               (strcmp(argv[0], "bye") == 0)) {
+        ret = -1;
+        goto end;
+    } else if ((strcmp(argv[0], LIST_STANDARD_COMMANDS) == 0) ||
+               (strcmp(argv[0], LIST_MESSAGE_DIGEST_COMMANDS) == 0) ||
+               (strcmp(argv[0], LIST_MESSAGE_DIGEST_ALGORITHMS) == 0) ||
+               (strcmp(argv[0], LIST_CIPHER_COMMANDS) == 0) ||
+               (strcmp(argv[0], LIST_CIPHER_ALGORITHMS) == 0) ||
+               (strcmp(argv[0], LIST_PUBLIC_KEY_ALGORITHMS) == 0)) {
+        int list_type;
+        BIO *bio_stdout;
+
+        if (strcmp(argv[0], LIST_STANDARD_COMMANDS) == 0)
+            list_type = FUNC_TYPE_GENERAL;
+        else if (strcmp(argv[0], LIST_MESSAGE_DIGEST_COMMANDS) == 0)
+            list_type = FUNC_TYPE_MD;
+        else if (strcmp(argv[0], LIST_MESSAGE_DIGEST_ALGORITHMS) == 0)
+            list_type = FUNC_TYPE_MD_ALG;
+        else if (strcmp(argv[0], LIST_PUBLIC_KEY_ALGORITHMS) == 0)
+            list_type = FUNC_TYPE_PKEY;
+        else if (strcmp(argv[0], LIST_CIPHER_ALGORITHMS) == 0)
+            list_type = FUNC_TYPE_CIPHER_ALG;
+        else                    /* strcmp(argv[0],LIST_CIPHER_COMMANDS) == 0 */
+            list_type = FUNC_TYPE_CIPHER;
+        bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            bio_stdout = BIO_push(tmpbio, bio_stdout);
+        }
+#endif
+
+        if (!load_config(bio_err, NULL))
+            goto end;
+
+        if (list_type == FUNC_TYPE_PKEY)
+            list_pkey(bio_stdout);
+        if (list_type == FUNC_TYPE_MD_ALG)
+            list_md(bio_stdout);
+        if (list_type == FUNC_TYPE_CIPHER_ALG)
+            list_cipher(bio_stdout);
+        else {
+            for (fp = functions; fp->name != NULL; fp++)
+                if (fp->type == list_type)
+                    BIO_printf(bio_stdout, "%s\n", fp->name);
+        }
+        BIO_free_all(bio_stdout);
+        ret = 0;
+        goto end;
+    } else {
+        BIO_printf(bio_err, "openssl:Error: '%s' is an invalid command.\n",
+                   argv[0]);
+        BIO_printf(bio_err, "\nStandard commands");
+        i = 0;
+        tp = 0;
+        for (fp = functions; fp->name != NULL; fp++) {
+            nl = 0;
+#ifdef OPENSSL_NO_CAMELLIA
+            if (((i++) % 5) == 0)
+#else
+            if (((i++) % 4) == 0)
+#endif
+            {
+                BIO_printf(bio_err, "\n");
+                nl = 1;
+            }
+            if (fp->type != tp) {
+                tp = fp->type;
+                if (!nl)
+                    BIO_printf(bio_err, "\n");
+                if (tp == FUNC_TYPE_MD) {
+                    i = 1;
+                    BIO_printf(bio_err,
+                               "\nMessage Digest commands (see the `dgst' command for more details)\n");
+                } else if (tp == FUNC_TYPE_CIPHER) {
+                    i = 1;
+                    BIO_printf(bio_err,
+                               "\nCipher commands (see the `enc' command for more details)\n");
+                }
+            }
+#ifdef OPENSSL_NO_CAMELLIA
+            BIO_printf(bio_err, "%-15s", fp->name);
+#else
+            BIO_printf(bio_err, "%-18s", fp->name);
+#endif
+        }
+        BIO_printf(bio_err, "\n\n");
+        ret = 0;
+    }
+ end:
+    return (ret);
+}
+
+static int SortFnByName(const void *_f1, const void *_f2)
+{
+    const FUNCTION *f1 = _f1;
+    const FUNCTION *f2 = _f2;
+
+    if (f1->type != f2->type)
+        return f1->type - f2->type;
+    return strcmp(f1->name, f2->name);
+}
+
+static void list_pkey(BIO *out)
+{
+    int i;
+    for (i = 0; i < EVP_PKEY_asn1_get_count(); i++) {
+        const EVP_PKEY_ASN1_METHOD *ameth;
+        int pkey_id, pkey_base_id, pkey_flags;
+        const char *pinfo, *pem_str;
+        ameth = EVP_PKEY_asn1_get0(i);
+        EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags,
+                                &pinfo, &pem_str, ameth);
+        if (pkey_flags & ASN1_PKEY_ALIAS) {
+            BIO_printf(out, "Name: %s\n", OBJ_nid2ln(pkey_id));
+            BIO_printf(out, "\tType: Alias to %s\n",
+                       OBJ_nid2ln(pkey_base_id));
+        } else {
+            BIO_printf(out, "Name: %s\n", pinfo);
+            BIO_printf(out, "\tType: %s Algorithm\n",
+                       pkey_flags & ASN1_PKEY_DYNAMIC ?
+                       "External" : "Builtin");
+            BIO_printf(out, "\tOID: %s\n", OBJ_nid2ln(pkey_id));
+            if (pem_str == NULL)
+                pem_str = "(none)";
+            BIO_printf(out, "\tPEM string: %s\n", pem_str);
+        }
+
+    }
+}
+
+static void list_cipher_fn(const EVP_CIPHER *c,
+                           const char *from, const char *to, void *arg)
+{
+    if (c)
+        BIO_printf(arg, "%s\n", EVP_CIPHER_name(c));
+    else {
+        if (!from)
+            from = "<undefined>";
+        if (!to)
+            to = "<undefined>";
+        BIO_printf(arg, "%s => %s\n", from, to);
+    }
+}
+
+static void list_cipher(BIO *out)
+{
+    EVP_CIPHER_do_all_sorted(list_cipher_fn, out);
+}
+
+static void list_md_fn(const EVP_MD *m,
+                       const char *from, const char *to, void *arg)
+{
+    if (m)
+        BIO_printf(arg, "%s\n", EVP_MD_name(m));
+    else {
+        if (!from)
+            from = "<undefined>";
+        if (!to)
+            to = "<undefined>";
+        BIO_printf(arg, "%s => %s\n", from, to);
+    }
+}
+
+static void list_md(BIO *out)
+{
+    EVP_MD_do_all_sorted(list_md_fn, out);
+}
+
+static int MS_CALLBACK function_cmp(const FUNCTION * a, const FUNCTION * b)
+{
+    return strncmp(a->name, b->name, 8);
+}
+
+static IMPLEMENT_LHASH_COMP_FN(function, FUNCTION)
+
+static unsigned long MS_CALLBACK function_hash(const FUNCTION * a)
+{
+    return lh_strhash(a->name);
+}
+
+static IMPLEMENT_LHASH_HASH_FN(function, FUNCTION)
+
+static LHASH_OF(FUNCTION) *prog_init(void)
+{
+    LHASH_OF(FUNCTION) *ret;
+    FUNCTION *f;
+    size_t i;
+
+    /* Purely so it looks nice when the user hits ? */
+    for (i = 0, f = functions; f->name != NULL; ++f, ++i) ;
+    qsort(functions, i, sizeof *functions, SortFnByName);
+
+    if ((ret = lh_FUNCTION_new()) == NULL)
+        return (NULL);
+
+    for (f = functions; f->name != NULL; f++)
+        (void)lh_FUNCTION_insert(ret, f);
+    return (ret);
+}
diff --git a/openssl/apps/openssl.cnf b/openssl/apps/openssl.cnf
new file mode 100644
index 0000000..1eb86c4
--- /dev/null
+++ b/openssl/apps/openssl.cnf
@@ -0,0 +1,350 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem# The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= default		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 2048
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= AU
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+
+localityName			= Locality Name (eg, city)
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (e.g. server FQDN or YOUR name)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1	# the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir		= ./demoCA		# TSA root directory
+serial		= $dir/tsaserial	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir/cacert.pem	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests		= md5, sha1		# Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)
diff --git a/openssl/apps/passwd.c b/openssl/apps/passwd.c
new file mode 100644
index 0000000..798a6d5
--- /dev/null
+++ b/openssl/apps/passwd.c
@@ -0,0 +1,494 @@
+/* apps/passwd.c */
+
+#if defined OPENSSL_NO_MD5 || defined CHARSET_EBCDIC
+# define NO_MD5CRYPT_1
+#endif
+
+#if !defined(OPENSSL_NO_DES) || !defined(NO_MD5CRYPT_1)
+
+# include <assert.h>
+# include <string.h>
+
+# include "apps.h"
+
+# include <openssl/bio.h>
+# include <openssl/err.h>
+# include <openssl/evp.h>
+# include <openssl/rand.h>
+# ifndef OPENSSL_NO_DES
+#  include <openssl/des.h>
+# endif
+# ifndef NO_MD5CRYPT_1
+#  include <openssl/md5.h>
+# endif
+
+# undef PROG
+# define PROG passwd_main
+
+static unsigned const char cov_2char[64] = {
+    /* from crypto/des/fcrypt.c */
+    0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35,
+    0x36, 0x37, 0x38, 0x39, 0x41, 0x42, 0x43, 0x44,
+    0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+    0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54,
+    0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x61, 0x62,
+    0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A,
+    0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72,
+    0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A
+};
+
+static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
+                     char *passwd, BIO *out, int quiet, int table,
+                     int reverse, size_t pw_maxlen, int usecrypt, int use1,
+                     int useapr1);
+
+/*-
+ * -crypt        - standard Unix password algorithm (default)
+ * -1            - MD5-based password algorithm
+ * -apr1         - MD5-based password algorithm, Apache variant
+ * -salt string  - salt
+ * -in file      - read passwords from file
+ * -stdin        - read passwords from stdin
+ * -noverify     - never verify when reading password from terminal
+ * -quiet        - no warnings
+ * -table        - format output as table
+ * -reverse      - switch table columns
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    int ret = 1;
+    char *infile = NULL;
+    int in_stdin = 0;
+    int in_noverify = 0;
+    char *salt = NULL, *passwd = NULL, **passwds = NULL;
+    char *salt_malloc = NULL, *passwd_malloc = NULL;
+    size_t passwd_malloc_size = 0;
+    int pw_source_defined = 0;
+    BIO *in = NULL, *out = NULL;
+    int i, badopt, opt_done;
+    int passed_salt = 0, quiet = 0, table = 0, reverse = 0;
+    int usecrypt = 0, use1 = 0, useapr1 = 0;
+    size_t pw_maxlen = 0;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (!load_config(bio_err, NULL))
+        goto err;
+    out = BIO_new(BIO_s_file());
+    if (out == NULL)
+        goto err;
+    BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
+# ifdef OPENSSL_SYS_VMS
+    {
+        BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+        out = BIO_push(tmpbio, out);
+    }
+# endif
+
+    badopt = 0, opt_done = 0;
+    i = 0;
+    while (!badopt && !opt_done && argv[++i] != NULL) {
+        if (strcmp(argv[i], "-crypt") == 0)
+            usecrypt = 1;
+        else if (strcmp(argv[i], "-1") == 0)
+            use1 = 1;
+        else if (strcmp(argv[i], "-apr1") == 0)
+            useapr1 = 1;
+        else if (strcmp(argv[i], "-salt") == 0) {
+            if ((argv[i + 1] != NULL) && (salt == NULL)) {
+                passed_salt = 1;
+                salt = argv[++i];
+            } else
+                badopt = 1;
+        } else if (strcmp(argv[i], "-in") == 0) {
+            if ((argv[i + 1] != NULL) && !pw_source_defined) {
+                pw_source_defined = 1;
+                infile = argv[++i];
+            } else
+                badopt = 1;
+        } else if (strcmp(argv[i], "-stdin") == 0) {
+            if (!pw_source_defined) {
+                pw_source_defined = 1;
+                in_stdin = 1;
+            } else
+                badopt = 1;
+        } else if (strcmp(argv[i], "-noverify") == 0)
+            in_noverify = 1;
+        else if (strcmp(argv[i], "-quiet") == 0)
+            quiet = 1;
+        else if (strcmp(argv[i], "-table") == 0)
+            table = 1;
+        else if (strcmp(argv[i], "-reverse") == 0)
+            reverse = 1;
+        else if (argv[i][0] == '-')
+            badopt = 1;
+        else if (!pw_source_defined)
+            /* non-option arguments, use as passwords */
+        {
+            pw_source_defined = 1;
+            passwds = &argv[i];
+            opt_done = 1;
+        } else
+            badopt = 1;
+    }
+
+    if (!usecrypt && !use1 && !useapr1) /* use default */
+        usecrypt = 1;
+    if (usecrypt + use1 + useapr1 > 1) /* conflict */
+        badopt = 1;
+
+    /* reject unsupported algorithms */
+# ifdef OPENSSL_NO_DES
+    if (usecrypt)
+        badopt = 1;
+# endif
+# ifdef NO_MD5CRYPT_1
+    if (use1 || useapr1)
+        badopt = 1;
+# endif
+
+    if (badopt) {
+        BIO_printf(bio_err, "Usage: passwd [options] [passwords]\n");
+        BIO_printf(bio_err, "where options are\n");
+# ifndef OPENSSL_NO_DES
+        BIO_printf(bio_err,
+                   "-crypt             standard Unix password algorithm (default)\n");
+# endif
+# ifndef NO_MD5CRYPT_1
+        BIO_printf(bio_err,
+                   "-1                 MD5-based password algorithm\n");
+        BIO_printf(bio_err,
+                   "-apr1              MD5-based password algorithm, Apache variant\n");
+# endif
+        BIO_printf(bio_err, "-salt string       use provided salt\n");
+        BIO_printf(bio_err, "-in file           read passwords from file\n");
+        BIO_printf(bio_err, "-stdin             read passwords from stdin\n");
+        BIO_printf(bio_err,
+                   "-noverify          never verify when reading password from terminal\n");
+        BIO_printf(bio_err, "-quiet             no warnings\n");
+        BIO_printf(bio_err, "-table             format output as table\n");
+        BIO_printf(bio_err, "-reverse           switch table columns\n");
+
+        goto err;
+    }
+
+    if ((infile != NULL) || in_stdin) {
+        in = BIO_new(BIO_s_file());
+        if (in == NULL)
+            goto err;
+        if (infile != NULL) {
+            assert(in_stdin == 0);
+            if (BIO_read_filename(in, infile) <= 0)
+                goto err;
+        } else {
+            assert(in_stdin);
+            BIO_set_fp(in, stdin, BIO_NOCLOSE);
+        }
+    }
+
+    if (usecrypt)
+        pw_maxlen = 8;
+    else if (use1 || useapr1)
+        pw_maxlen = 256;        /* arbitrary limit, should be enough for most
+                                 * passwords */
+
+    if (passwds == NULL) {
+        /* no passwords on the command line */
+
+        passwd_malloc_size = pw_maxlen + 2;
+        /*
+         * longer than necessary so that we can warn about truncation
+         */
+        passwd = passwd_malloc = OPENSSL_malloc(passwd_malloc_size);
+        if (passwd_malloc == NULL)
+            goto err;
+    }
+
+    if ((in == NULL) && (passwds == NULL)) {
+        /* build a null-terminated list */
+        static char *passwds_static[2] = { NULL, NULL };
+
+        passwds = passwds_static;
+        if (in == NULL)
+            if (EVP_read_pw_string
+                (passwd_malloc, passwd_malloc_size, "Password: ",
+                 !(passed_salt || in_noverify)) != 0)
+                goto err;
+        passwds[0] = passwd_malloc;
+    }
+
+    if (in == NULL) {
+        assert(passwds != NULL);
+        assert(*passwds != NULL);
+
+        do {                    /* loop over list of passwords */
+            passwd = *passwds++;
+            if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
+                           quiet, table, reverse, pw_maxlen, usecrypt, use1,
+                           useapr1))
+                goto err;
+        }
+        while (*passwds != NULL);
+    } else
+        /* in != NULL */
+    {
+        int done;
+
+        assert(passwd != NULL);
+        do {
+            int r = BIO_gets(in, passwd, pw_maxlen + 1);
+            if (r > 0) {
+                char *c = (strchr(passwd, '\n'));
+                if (c != NULL)
+                    *c = 0;     /* truncate at newline */
+                else {
+                    /* ignore rest of line */
+                    char trash[BUFSIZ];
+                    do
+                        r = BIO_gets(in, trash, sizeof trash);
+                    while ((r > 0) && (!strchr(trash, '\n')));
+                }
+
+                if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
+                               quiet, table, reverse, pw_maxlen, usecrypt,
+                               use1, useapr1))
+                    goto err;
+            }
+            done = (r <= 0);
+        }
+        while (!done);
+    }
+    ret = 0;
+
+ err:
+    ERR_print_errors(bio_err);
+    if (salt_malloc)
+        OPENSSL_free(salt_malloc);
+    if (passwd_malloc)
+        OPENSSL_free(passwd_malloc);
+    if (in)
+        BIO_free(in);
+    if (out)
+        BIO_free_all(out);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+
+# ifndef NO_MD5CRYPT_1
+/*
+ * MD5-based password algorithm (should probably be available as a library
+ * function; then the static buffer would not be acceptable). For magic
+ * string "1", this should be compatible to the MD5-based BSD password
+ * algorithm. For 'magic' string "apr1", this is compatible to the MD5-based
+ * Apache password algorithm. (Apparently, the Apache password algorithm is
+ * identical except that the 'magic' string was changed -- the laziest
+ * application of the NIH principle I've ever encountered.)
+ */
+static char *md5crypt(const char *passwd, const char *magic, const char *salt)
+{
+    /* "$apr1$..salt..$.......md5hash..........\0" */
+    static char out_buf[6 + 9 + 24 + 2];
+    unsigned char buf[MD5_DIGEST_LENGTH];
+    char *salt_out;
+    int n;
+    unsigned int i;
+    EVP_MD_CTX md, md2;
+    size_t passwd_len, salt_len;
+
+    passwd_len = strlen(passwd);
+    out_buf[0] = '$';
+    out_buf[1] = 0;
+    assert(strlen(magic) <= 4); /* "1" or "apr1" */
+    strncat(out_buf, magic, 4);
+    strncat(out_buf, "$", 1);
+    strncat(out_buf, salt, 8);
+    assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */
+    salt_out = out_buf + 2 + strlen(magic);
+    salt_len = strlen(salt_out);
+    assert(salt_len <= 8);
+
+    EVP_MD_CTX_init(&md);
+    EVP_DigestInit_ex(&md, EVP_md5(), NULL);
+    EVP_DigestUpdate(&md, passwd, passwd_len);
+    EVP_DigestUpdate(&md, "$", 1);
+    EVP_DigestUpdate(&md, magic, strlen(magic));
+    EVP_DigestUpdate(&md, "$", 1);
+    EVP_DigestUpdate(&md, salt_out, salt_len);
+
+    EVP_MD_CTX_init(&md2);
+    EVP_DigestInit_ex(&md2, EVP_md5(), NULL);
+    EVP_DigestUpdate(&md2, passwd, passwd_len);
+    EVP_DigestUpdate(&md2, salt_out, salt_len);
+    EVP_DigestUpdate(&md2, passwd, passwd_len);
+    EVP_DigestFinal_ex(&md2, buf, NULL);
+
+    for (i = passwd_len; i > sizeof buf; i -= sizeof buf)
+        EVP_DigestUpdate(&md, buf, sizeof buf);
+    EVP_DigestUpdate(&md, buf, i);
+
+    n = passwd_len;
+    while (n) {
+        EVP_DigestUpdate(&md, (n & 1) ? "\0" : passwd, 1);
+        n >>= 1;
+    }
+    EVP_DigestFinal_ex(&md, buf, NULL);
+
+    for (i = 0; i < 1000; i++) {
+        EVP_DigestInit_ex(&md2, EVP_md5(), NULL);
+        EVP_DigestUpdate(&md2, (i & 1) ? (unsigned const char *)passwd : buf,
+                         (i & 1) ? passwd_len : sizeof buf);
+        if (i % 3)
+            EVP_DigestUpdate(&md2, salt_out, salt_len);
+        if (i % 7)
+            EVP_DigestUpdate(&md2, passwd, passwd_len);
+        EVP_DigestUpdate(&md2, (i & 1) ? buf : (unsigned const char *)passwd,
+                         (i & 1) ? sizeof buf : passwd_len);
+        EVP_DigestFinal_ex(&md2, buf, NULL);
+    }
+    EVP_MD_CTX_cleanup(&md2);
+
+    {
+        /* transform buf into output string */
+
+        unsigned char buf_perm[sizeof buf];
+        int dest, source;
+        char *output;
+
+        /* silly output permutation */
+        for (dest = 0, source = 0; dest < 14;
+             dest++, source = (source + 6) % 17)
+            buf_perm[dest] = buf[source];
+        buf_perm[14] = buf[5];
+        buf_perm[15] = buf[11];
+#  ifndef PEDANTIC              /* Unfortunately, this generates a "no
+                                 * effect" warning */
+        assert(16 == sizeof buf_perm);
+#  endif
+
+        output = salt_out + salt_len;
+        assert(output == out_buf + strlen(out_buf));
+
+        *output++ = '$';
+
+        for (i = 0; i < 15; i += 3) {
+            *output++ = cov_2char[buf_perm[i + 2] & 0x3f];
+            *output++ = cov_2char[((buf_perm[i + 1] & 0xf) << 2) |
+                                  (buf_perm[i + 2] >> 6)];
+            *output++ = cov_2char[((buf_perm[i] & 3) << 4) |
+                                  (buf_perm[i + 1] >> 4)];
+            *output++ = cov_2char[buf_perm[i] >> 2];
+        }
+        assert(i == 15);
+        *output++ = cov_2char[buf_perm[i] & 0x3f];
+        *output++ = cov_2char[buf_perm[i] >> 6];
+        *output = 0;
+        assert(strlen(out_buf) < sizeof(out_buf));
+    }
+    EVP_MD_CTX_cleanup(&md);
+
+    return out_buf;
+}
+# endif
+
+static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
+                     char *passwd, BIO *out, int quiet, int table,
+                     int reverse, size_t pw_maxlen, int usecrypt, int use1,
+                     int useapr1)
+{
+    char *hash = NULL;
+
+    assert(salt_p != NULL);
+    assert(salt_malloc_p != NULL);
+
+    /* first make sure we have a salt */
+    if (!passed_salt) {
+# ifndef OPENSSL_NO_DES
+        if (usecrypt) {
+            if (*salt_malloc_p == NULL) {
+                *salt_p = *salt_malloc_p = OPENSSL_malloc(3);
+                if (*salt_malloc_p == NULL)
+                    goto err;
+            }
+            if (RAND_bytes((unsigned char *)*salt_p, 2) <= 0)
+                goto err;
+            (*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */
+            (*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */
+            (*salt_p)[2] = 0;
+#  ifdef CHARSET_EBCDIC
+            ascii2ebcdic(*salt_p, *salt_p, 2); /* des_crypt will convert back
+                                                * to ASCII */
+#  endif
+        }
+# endif                         /* !OPENSSL_NO_DES */
+
+# ifndef NO_MD5CRYPT_1
+        if (use1 || useapr1) {
+            int i;
+
+            if (*salt_malloc_p == NULL) {
+                *salt_p = *salt_malloc_p = OPENSSL_malloc(9);
+                if (*salt_malloc_p == NULL)
+                    goto err;
+            }
+            if (RAND_bytes((unsigned char *)*salt_p, 8) <= 0)
+                goto err;
+
+            for (i = 0; i < 8; i++)
+                (*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */
+            (*salt_p)[8] = 0;
+        }
+# endif                         /* !NO_MD5CRYPT_1 */
+    }
+
+    assert(*salt_p != NULL);
+
+    /* truncate password if necessary */
+    if ((strlen(passwd) > pw_maxlen)) {
+        if (!quiet)
+            /*
+             * XXX: really we should know how to print a size_t, not cast it
+             */
+            BIO_printf(bio_err,
+                       "Warning: truncating password to %u characters\n",
+                       (unsigned)pw_maxlen);
+        passwd[pw_maxlen] = 0;
+    }
+    assert(strlen(passwd) <= pw_maxlen);
+
+    /* now compute password hash */
+# ifndef OPENSSL_NO_DES
+    if (usecrypt)
+        hash = DES_crypt(passwd, *salt_p);
+# endif
+# ifndef NO_MD5CRYPT_1
+    if (use1 || useapr1)
+        hash = md5crypt(passwd, (use1 ? "1" : "apr1"), *salt_p);
+# endif
+    assert(hash != NULL);
+
+    if (table && !reverse)
+        BIO_printf(out, "%s\t%s\n", passwd, hash);
+    else if (table && reverse)
+        BIO_printf(out, "%s\t%s\n", hash, passwd);
+    else
+        BIO_printf(out, "%s\n", hash);
+    return 1;
+
+ err:
+    return 0;
+}
+#else
+
+int MAIN(int argc, char **argv)
+{
+    fputs("Program not available.\n", stderr)
+        OPENSSL_EXIT(1);
+}
+#endif
diff --git a/openssl/apps/pca-cert.srl b/openssl/apps/pca-cert.srl
new file mode 100644
index 0000000..2c7456e
--- /dev/null
+++ b/openssl/apps/pca-cert.srl
@@ -0,0 +1 @@
+07
diff --git a/openssl/apps/pca-key.pem b/openssl/apps/pca-key.pem
new file mode 100644
index 0000000..20029ab
--- /dev/null
+++ b/openssl/apps/pca-key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCdoWk/3+WcMlfjIrkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPg
+wgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp22Jp85PmemiDzyUIStwk72qhp1imbANZ
+vlmlCFKiQrjUyuDfu4TABmn+kkt3vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQAB
+AoGAba4fTtuap5l7/8ZsbE7Z1O32KJY4ZcOZukLOLUUhXxXduT+FTgGWujc0/rgc
+z9qYCLlNZHOouMYTgtSfYvuMuLZ11VIt0GYH+nRioLShE59Yy+zCRyC+gPigS1kz
+xvo14AsOIPYV14Tk/SsHyq6E0eTk7VzaIE197giiINUERPECQQDSKmtPTh/lRKw7
+HSZSM0I1mFWn/1zqrAbontRQY5w98QWIOe5qmzYyFbPXYT3d9BzlsMyhgiRNoBbD
+yvohSHXJAkEAwAHx6ezAZeWWzD5yXD36nyjpkVCw7Tk7TSmOceLJMWt1QcrCfqlS
+xA5jjpQ6Z8suU5DdtWAryM2sAir1WisYzwJAd6Zcx56jvAQ3xcPXsE6scBTVFzrj
+7FqZ6E+cclPzfLQ+QQsyOBE7bpI6e/FJppY26XGZXo3YGzV8IGXrt40oOQJALETG
+h86EFXo3qGOFbmsDy4pdP5nBERCu8X1xUCSfintiD4c2DInxgS5oGclnJeMcjTvL
+QjQoJCX3UJCi/OUO1QJBAKgcDHWjMvt+l1pjJBsSEZ0HX9AAIIVx0RQmbFGS+F2Q
+hhu5l77WnnZOQ9vvhV5u7NPCUF9nhU3jh60qWWO8mkc=
+-----END RSA PRIVATE KEY-----
diff --git a/openssl/apps/pca-req.pem b/openssl/apps/pca-req.pem
new file mode 100644
index 0000000..33f1553
--- /dev/null
+++ b/openssl/apps/pca-req.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBmjCCAQMCAQAwXDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQx
+GjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDExNUZXN0IFBDQSAo
+MTAyNCBiaXQpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdoWk/3+WcMlfj
+Irkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPgwgsabJ/wn8TxA1yy3eKJbFl3OiUX
+MRsp22Jp85PmemiDzyUIStwk72qhp1imbANZvlmlCFKiQrjUyuDfu4TABmn+kkt3
+vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAEzz
+IG8NnfpnPTQSCN5zJhOfy6p9AcDyQzuJirYv1HR/qoYWalPh/U2uiK0lAim7qMcv
+wOlK3I7A8B7/4dLqvIqgtUj9b1WT8zIrnwdvJI4osLI2BY+c1pVlp174DHLMol1L
+Cl1e3N5BTm7lCitTYjuUhsw6hiA8IcdNKDo6sktV
+-----END CERTIFICATE REQUEST-----
diff --git a/openssl/apps/pkcs12.c b/openssl/apps/pkcs12.c
new file mode 100644
index 0000000..d0bd97a
--- /dev/null
+++ b/openssl/apps/pkcs12.c
@@ -0,0 +1,1112 @@
+/* pkcs12.c */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/opensslconf.h>
+#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)
+
+# include <stdio.h>
+# include <stdlib.h>
+# include <string.h>
+# include "apps.h"
+# include <openssl/crypto.h>
+# include <openssl/err.h>
+# include <openssl/pem.h>
+# include <openssl/pkcs12.h>
+
+# define PROG pkcs12_main
+
+const EVP_CIPHER *enc;
+
+# define NOKEYS          0x1
+# define NOCERTS         0x2
+# define INFO            0x4
+# define CLCERTS         0x8
+# define CACERTS         0x10
+
+static int get_cert_chain(X509 *cert, X509_STORE *store,
+                          STACK_OF(X509) **chain);
+int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen,
+                        int options, char *pempass);
+int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
+                          char *pass, int passlen, int options,
+                          char *pempass);
+int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass,
+                         int passlen, int options, char *pempass);
+int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,
+                  const char *name);
+void hex_prin(BIO *out, unsigned char *buf, int len);
+int alg_print(BIO *x, X509_ALGOR *alg);
+int cert_load(BIO *in, STACK_OF(X509) *sk);
+static int set_pbe(BIO *err, int *ppbe, const char *str);
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    ENGINE *e = NULL;
+    char *infile = NULL, *outfile = NULL, *keyname = NULL;
+    char *certfile = NULL;
+    BIO *in = NULL, *out = NULL;
+    char **args;
+    char *name = NULL;
+    char *csp_name = NULL;
+    int add_lmk = 0;
+    PKCS12 *p12 = NULL;
+    char pass[50], macpass[50];
+    int export_cert = 0;
+    int options = 0;
+    int chain = 0;
+    int badarg = 0;
+    int iter = PKCS12_DEFAULT_ITER;
+    int maciter = PKCS12_DEFAULT_ITER;
+    int twopass = 0;
+    int keytype = 0;
+    int cert_pbe;
+    int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+    int ret = 1;
+    int macver = 1;
+    int noprompt = 0;
+    STACK_OF(OPENSSL_STRING) *canames = NULL;
+    char *cpass = NULL, *mpass = NULL;
+    char *passargin = NULL, *passargout = NULL, *passarg = NULL;
+    char *passin = NULL, *passout = NULL;
+    char *inrand = NULL;
+    char *macalg = NULL;
+    char *CApath = NULL, *CAfile = NULL;
+    char *engine = NULL;
+
+    apps_startup();
+
+    enc = EVP_des_ede3_cbc();
+    if (bio_err == NULL)
+        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+# ifdef OPENSSL_FIPS
+    if (FIPS_mode())
+        cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+    else
+# endif
+        cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+
+    args = argv + 1;
+
+    while (*args) {
+        if (*args[0] == '-') {
+            if (!strcmp(*args, "-nokeys"))
+                options |= NOKEYS;
+            else if (!strcmp(*args, "-keyex"))
+                keytype = KEY_EX;
+            else if (!strcmp(*args, "-keysig"))
+                keytype = KEY_SIG;
+            else if (!strcmp(*args, "-nocerts"))
+                options |= NOCERTS;
+            else if (!strcmp(*args, "-clcerts"))
+                options |= CLCERTS;
+            else if (!strcmp(*args, "-cacerts"))
+                options |= CACERTS;
+            else if (!strcmp(*args, "-noout"))
+                options |= (NOKEYS | NOCERTS);
+            else if (!strcmp(*args, "-info"))
+                options |= INFO;
+            else if (!strcmp(*args, "-chain"))
+                chain = 1;
+            else if (!strcmp(*args, "-twopass"))
+                twopass = 1;
+            else if (!strcmp(*args, "-nomacver"))
+                macver = 0;
+            else if (!strcmp(*args, "-descert"))
+                cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+            else if (!strcmp(*args, "-export"))
+                export_cert = 1;
+            else if (!strcmp(*args, "-des"))
+                enc = EVP_des_cbc();
+            else if (!strcmp(*args, "-des3"))
+                enc = EVP_des_ede3_cbc();
+# ifndef OPENSSL_NO_IDEA
+            else if (!strcmp(*args, "-idea"))
+                enc = EVP_idea_cbc();
+# endif
+# ifndef OPENSSL_NO_SEED
+            else if (!strcmp(*args, "-seed"))
+                enc = EVP_seed_cbc();
+# endif
+# ifndef OPENSSL_NO_AES
+            else if (!strcmp(*args, "-aes128"))
+                enc = EVP_aes_128_cbc();
+            else if (!strcmp(*args, "-aes192"))
+                enc = EVP_aes_192_cbc();
+            else if (!strcmp(*args, "-aes256"))
+                enc = EVP_aes_256_cbc();
+# endif
+# ifndef OPENSSL_NO_CAMELLIA
+            else if (!strcmp(*args, "-camellia128"))
+                enc = EVP_camellia_128_cbc();
+            else if (!strcmp(*args, "-camellia192"))
+                enc = EVP_camellia_192_cbc();
+            else if (!strcmp(*args, "-camellia256"))
+                enc = EVP_camellia_256_cbc();
+# endif
+            else if (!strcmp(*args, "-noiter"))
+                iter = 1;
+            else if (!strcmp(*args, "-maciter"))
+                maciter = PKCS12_DEFAULT_ITER;
+            else if (!strcmp(*args, "-nomaciter"))
+                maciter = 1;
+            else if (!strcmp(*args, "-nomac"))
+                maciter = -1;
+            else if (!strcmp(*args, "-macalg"))
+                if (args[1]) {
+                    args++;
+                    macalg = *args;
+                } else
+                    badarg = 1;
+            else if (!strcmp(*args, "-nodes"))
+                enc = NULL;
+            else if (!strcmp(*args, "-certpbe")) {
+                if (!set_pbe(bio_err, &cert_pbe, *++args))
+                    badarg = 1;
+            } else if (!strcmp(*args, "-keypbe")) {
+                if (!set_pbe(bio_err, &key_pbe, *++args))
+                    badarg = 1;
+            } else if (!strcmp(*args, "-rand")) {
+                if (args[1]) {
+                    args++;
+                    inrand = *args;
+                } else
+                    badarg = 1;
+            } else if (!strcmp(*args, "-inkey")) {
+                if (args[1]) {
+                    args++;
+                    keyname = *args;
+                } else
+                    badarg = 1;
+            } else if (!strcmp(*args, "-certfile")) {
+                if (args[1]) {
+                    args++;
+                    certfile = *args;
+                } else
+                    badarg = 1;
+            } else if (!strcmp(*args, "-name")) {
+                if (args[1]) {
+                    args++;
+                    name = *args;
+                } else
+                    badarg = 1;
+            } else if (!strcmp(*args, "-LMK"))
+                add_lmk = 1;
+            else if (!strcmp(*args, "-CSP")) {
+                if (args[1]) {
+                    args++;
+                    csp_name = *args;
+                } else
+                    badarg = 1;
+            } else if (!strcmp(*args, "-caname")) {
+                if (args[1]) {
+                    args++;
+                    if (!canames)
+                        canames = sk_OPENSSL_STRING_new_null();
+                    sk_OPENSSL_STRING_push(canames, *args);
+                } else
+                    badarg = 1;
+            } else if (!strcmp(*args, "-in")) {
+                if (args[1]) {
+                    args++;
+                    infile = *args;
+                } else
+                    badarg = 1;
+            } else if (!strcmp(*args, "-out")) {
+                if (args[1]) {
+                    args++;
+                    outfile = *args;
+                } else
+                    badarg = 1;
+            } else if (!strcmp(*args, "-passin")) {
+                if (args[1]) {
+                    args++;
+                    passargin = *args;
+                } else
+                    badarg = 1;
+            } else if (!strcmp(*args, "-passout")) {
+                if (args[1]) {
+                    args++;
+                    passargout = *args;
+                } else
+                    badarg = 1;
+            } else if (!strcmp(*args, "-password")) {
+                if (args[1]) {
+                    args++;
+                    passarg = *args;
+                    noprompt = 1;
+                } else
+                    badarg = 1;
+            } else if (!strcmp(*args, "-CApath")) {
+                if (args[1]) {
+                    args++;
+                    CApath = *args;
+                } else
+                    badarg = 1;
+            } else if (!strcmp(*args, "-CAfile")) {
+                if (args[1]) {
+                    args++;
+                    CAfile = *args;
+                } else
+                    badarg = 1;
+# ifndef OPENSSL_NO_ENGINE
+            } else if (!strcmp(*args, "-engine")) {
+                if (args[1]) {
+                    args++;
+                    engine = *args;
+                } else
+                    badarg = 1;
+# endif
+            } else
+                badarg = 1;
+
+        } else
+            badarg = 1;
+        args++;
+    }
+
+    if (badarg) {
+        BIO_printf(bio_err, "Usage: pkcs12 [options]\n");
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err, "-export       output PKCS12 file\n");
+        BIO_printf(bio_err, "-chain        add certificate chain\n");
+        BIO_printf(bio_err, "-inkey file   private key if not infile\n");
+        BIO_printf(bio_err, "-certfile f   add all certs in f\n");
+        BIO_printf(bio_err, "-CApath arg   - PEM format directory of CA's\n");
+        BIO_printf(bio_err, "-CAfile arg   - PEM format file of CA's\n");
+        BIO_printf(bio_err, "-name \"name\"  use name as friendly name\n");
+        BIO_printf(bio_err,
+                   "-caname \"nm\"  use nm as CA friendly name (can be used more than once).\n");
+        BIO_printf(bio_err, "-in  infile   input filename\n");
+        BIO_printf(bio_err, "-out outfile  output filename\n");
+        BIO_printf(bio_err,
+                   "-noout        don't output anything, just verify.\n");
+        BIO_printf(bio_err, "-nomacver     don't verify MAC.\n");
+        BIO_printf(bio_err, "-nocerts      don't output certificates.\n");
+        BIO_printf(bio_err,
+                   "-clcerts      only output client certificates.\n");
+        BIO_printf(bio_err, "-cacerts      only output CA certificates.\n");
+        BIO_printf(bio_err, "-nokeys       don't output private keys.\n");
+        BIO_printf(bio_err,
+                   "-info         give info about PKCS#12 structure.\n");
+        BIO_printf(bio_err, "-des          encrypt private keys with DES\n");
+        BIO_printf(bio_err,
+                   "-des3         encrypt private keys with triple DES (default)\n");
+# ifndef OPENSSL_NO_IDEA
+        BIO_printf(bio_err, "-idea         encrypt private keys with idea\n");
+# endif
+# ifndef OPENSSL_NO_SEED
+        BIO_printf(bio_err, "-seed         encrypt private keys with seed\n");
+# endif
+# ifndef OPENSSL_NO_AES
+        BIO_printf(bio_err, "-aes128, -aes192, -aes256\n");
+        BIO_printf(bio_err,
+                   "              encrypt PEM output with cbc aes\n");
+# endif
+# ifndef OPENSSL_NO_CAMELLIA
+        BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n");
+        BIO_printf(bio_err,
+                   "              encrypt PEM output with cbc camellia\n");
+# endif
+        BIO_printf(bio_err, "-nodes        don't encrypt private keys\n");
+        BIO_printf(bio_err, "-noiter       don't use encryption iteration\n");
+        BIO_printf(bio_err, "-nomaciter    don't use MAC iteration\n");
+        BIO_printf(bio_err, "-maciter      use MAC iteration\n");
+        BIO_printf(bio_err, "-nomac        don't generate MAC\n");
+        BIO_printf(bio_err,
+                   "-twopass      separate MAC, encryption passwords\n");
+        BIO_printf(bio_err,
+                   "-descert      encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
+        BIO_printf(bio_err,
+                   "-certpbe alg  specify certificate PBE algorithm (default RC2-40)\n");
+        BIO_printf(bio_err,
+                   "-keypbe alg   specify private key PBE algorithm (default 3DES)\n");
+        BIO_printf(bio_err,
+                   "-macalg alg   digest algorithm used in MAC (default SHA1)\n");
+        BIO_printf(bio_err, "-keyex        set MS key exchange type\n");
+        BIO_printf(bio_err, "-keysig       set MS key signature type\n");
+        BIO_printf(bio_err,
+                   "-password p   set import/export password source\n");
+        BIO_printf(bio_err, "-passin p     input file pass phrase source\n");
+        BIO_printf(bio_err, "-passout p    output file pass phrase source\n");
+# ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   "-engine e     use engine e, possibly a hardware device.\n");
+# endif
+        BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
+                   LIST_SEPARATOR_CHAR);
+        BIO_printf(bio_err,
+                   "              load the file (or the files in the directory) into\n");
+        BIO_printf(bio_err, "              the random number generator\n");
+        BIO_printf(bio_err, "-CSP name     Microsoft CSP name\n");
+        BIO_printf(bio_err,
+                   "-LMK          Add local machine keyset attribute to private key\n");
+        goto end;
+    }
+    e = setup_engine(bio_err, engine, 0);
+
+    if (passarg) {
+        if (export_cert)
+            passargout = passarg;
+        else
+            passargin = passarg;
+    }
+
+    if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+        BIO_printf(bio_err, "Error getting passwords\n");
+        goto end;
+    }
+
+    if (!cpass) {
+        if (export_cert)
+            cpass = passout;
+        else
+            cpass = passin;
+    }
+
+    if (cpass) {
+        mpass = cpass;
+        noprompt = 1;
+    } else {
+        cpass = pass;
+        mpass = macpass;
+    }
+
+    if (export_cert || inrand) {
+        app_RAND_load_file(NULL, bio_err, (inrand != NULL));
+        if (inrand != NULL)
+            BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
+                       app_RAND_load_files(inrand));
+    }
+    ERR_load_crypto_strings();
+
+# ifdef CRYPTO_MDEBUG
+    CRYPTO_push_info("read files");
+# endif
+
+    if (!infile)
+        in = BIO_new_fp(stdin, BIO_NOCLOSE);
+    else
+        in = BIO_new_file(infile, "rb");
+    if (!in) {
+        BIO_printf(bio_err, "Error opening input file %s\n",
+                   infile ? infile : "<stdin>");
+        perror(infile);
+        goto end;
+    }
+# ifdef CRYPTO_MDEBUG
+    CRYPTO_pop_info();
+    CRYPTO_push_info("write files");
+# endif
+
+    if (!outfile) {
+        out = BIO_new_fp(stdout, BIO_NOCLOSE);
+# ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+# endif
+    } else
+        out = BIO_new_file(outfile, "wb");
+    if (!out) {
+        BIO_printf(bio_err, "Error opening output file %s\n",
+                   outfile ? outfile : "<stdout>");
+        perror(outfile);
+        goto end;
+    }
+    if (twopass) {
+# ifdef CRYPTO_MDEBUG
+        CRYPTO_push_info("read MAC password");
+# endif
+        if (EVP_read_pw_string
+            (macpass, sizeof macpass, "Enter MAC Password:", export_cert)) {
+            BIO_printf(bio_err, "Can't read Password\n");
+            goto end;
+        }
+# ifdef CRYPTO_MDEBUG
+        CRYPTO_pop_info();
+# endif
+    }
+
+    if (export_cert) {
+        EVP_PKEY *key = NULL;
+        X509 *ucert = NULL, *x = NULL;
+        STACK_OF(X509) *certs = NULL;
+        const EVP_MD *macmd = NULL;
+        unsigned char *catmp = NULL;
+        int i;
+
+        if ((options & (NOCERTS | NOKEYS)) == (NOCERTS | NOKEYS)) {
+            BIO_printf(bio_err, "Nothing to do!\n");
+            goto export_end;
+        }
+
+        if (options & NOCERTS)
+            chain = 0;
+
+# ifdef CRYPTO_MDEBUG
+        CRYPTO_push_info("process -export_cert");
+        CRYPTO_push_info("reading private key");
+# endif
+        if (!(options & NOKEYS)) {
+            key = load_key(bio_err, keyname ? keyname : infile,
+                           FORMAT_PEM, 1, passin, e, "private key");
+            if (!key)
+                goto export_end;
+        }
+# ifdef CRYPTO_MDEBUG
+        CRYPTO_pop_info();
+        CRYPTO_push_info("reading certs from input");
+# endif
+
+        /* Load in all certs in input file */
+        if (!(options & NOCERTS)) {
+            certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e,
+                               "certificates");
+            if (!certs)
+                goto export_end;
+
+            if (key) {
+                /* Look for matching private key */
+                for (i = 0; i < sk_X509_num(certs); i++) {
+                    x = sk_X509_value(certs, i);
+                    if (X509_check_private_key(x, key)) {
+                        ucert = x;
+                        /* Zero keyid and alias */
+                        X509_keyid_set1(ucert, NULL, 0);
+                        X509_alias_set1(ucert, NULL, 0);
+                        /* Remove from list */
+                        (void)sk_X509_delete(certs, i);
+                        break;
+                    }
+                }
+                if (!ucert) {
+                    BIO_printf(bio_err,
+                               "No certificate matches private key\n");
+                    goto export_end;
+                }
+            }
+
+        }
+# ifdef CRYPTO_MDEBUG
+        CRYPTO_pop_info();
+        CRYPTO_push_info("reading certs from input 2");
+# endif
+
+        /* Add any more certificates asked for */
+        if (certfile) {
+            STACK_OF(X509) *morecerts = NULL;
+            if (!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM,
+                                         NULL, e,
+                                         "certificates from certfile")))
+                goto export_end;
+            while (sk_X509_num(morecerts) > 0)
+                sk_X509_push(certs, sk_X509_shift(morecerts));
+            sk_X509_free(morecerts);
+        }
+# ifdef CRYPTO_MDEBUG
+        CRYPTO_pop_info();
+        CRYPTO_push_info("reading certs from certfile");
+# endif
+
+# ifdef CRYPTO_MDEBUG
+        CRYPTO_pop_info();
+        CRYPTO_push_info("building chain");
+# endif
+
+        /* If chaining get chain from user cert */
+        if (chain) {
+            int vret;
+            STACK_OF(X509) *chain2;
+            X509_STORE *store = X509_STORE_new();
+            if (!store) {
+                BIO_printf(bio_err, "Memory allocation error\n");
+                goto export_end;
+            }
+            if (!X509_STORE_load_locations(store, CAfile, CApath))
+                X509_STORE_set_default_paths(store);
+
+            vret = get_cert_chain(ucert, store, &chain2);
+            X509_STORE_free(store);
+
+            if (vret == X509_V_OK) {
+                /* Exclude verified certificate */
+                for (i = 1; i < sk_X509_num(chain2); i++)
+                    sk_X509_push(certs, sk_X509_value(chain2, i));
+                /* Free first certificate */
+                X509_free(sk_X509_value(chain2, 0));
+                sk_X509_free(chain2);
+            } else {
+                if (vret != X509_V_ERR_UNSPECIFIED)
+                    BIO_printf(bio_err, "Error %s getting chain.\n",
+                               X509_verify_cert_error_string(vret));
+                else
+                    ERR_print_errors(bio_err);
+                goto export_end;
+            }
+        }
+
+        /* Add any CA names */
+
+        for (i = 0; i < sk_OPENSSL_STRING_num(canames); i++) {
+            catmp = (unsigned char *)sk_OPENSSL_STRING_value(canames, i);
+            X509_alias_set1(sk_X509_value(certs, i), catmp, -1);
+        }
+
+        if (csp_name && key)
+            EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name,
+                                      MBSTRING_ASC, (unsigned char *)csp_name,
+                                      -1);
+
+        if (add_lmk && key)
+            EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1);
+
+# ifdef CRYPTO_MDEBUG
+        CRYPTO_pop_info();
+        CRYPTO_push_info("reading password");
+# endif
+
+        if (!noprompt &&
+            EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:",
+                               1)) {
+            BIO_printf(bio_err, "Can't read Password\n");
+            goto export_end;
+        }
+        if (!twopass)
+            BUF_strlcpy(macpass, pass, sizeof macpass);
+
+# ifdef CRYPTO_MDEBUG
+        CRYPTO_pop_info();
+        CRYPTO_push_info("creating PKCS#12 structure");
+# endif
+
+        p12 = PKCS12_create(cpass, name, key, ucert, certs,
+                            key_pbe, cert_pbe, iter, -1, keytype);
+
+        if (!p12) {
+            ERR_print_errors(bio_err);
+            goto export_end;
+        }
+
+        if (macalg) {
+            macmd = EVP_get_digestbyname(macalg);
+            if (!macmd) {
+                BIO_printf(bio_err, "Unknown digest algorithm %s\n", macalg);
+            }
+        }
+
+        if (maciter != -1)
+            PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd);
+
+# ifdef CRYPTO_MDEBUG
+        CRYPTO_pop_info();
+        CRYPTO_push_info("writing pkcs12");
+# endif
+
+        i2d_PKCS12_bio(out, p12);
+
+        ret = 0;
+
+ export_end:
+# ifdef CRYPTO_MDEBUG
+        CRYPTO_pop_info();
+        CRYPTO_pop_info();
+        CRYPTO_push_info("process -export_cert: freeing");
+# endif
+
+        if (key)
+            EVP_PKEY_free(key);
+        if (certs)
+            sk_X509_pop_free(certs, X509_free);
+        if (ucert)
+            X509_free(ucert);
+
+# ifdef CRYPTO_MDEBUG
+        CRYPTO_pop_info();
+# endif
+        goto end;
+
+    }
+
+    if (!(p12 = d2i_PKCS12_bio(in, NULL))) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+# ifdef CRYPTO_MDEBUG
+    CRYPTO_push_info("read import password");
+# endif
+    if (!noprompt
+        && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:",
+                              0)) {
+        BIO_printf(bio_err, "Can't read Password\n");
+        goto end;
+    }
+# ifdef CRYPTO_MDEBUG
+    CRYPTO_pop_info();
+# endif
+
+    if (!twopass)
+        BUF_strlcpy(macpass, pass, sizeof macpass);
+
+    if ((options & INFO) && p12->mac)
+        BIO_printf(bio_err, "MAC Iteration %ld\n",
+                   p12->mac->iter ? ASN1_INTEGER_get(p12->mac->iter) : 1);
+    if (macver) {
+# ifdef CRYPTO_MDEBUG
+        CRYPTO_push_info("verify MAC");
+# endif
+        /* If we enter empty password try no password first */
+        if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
+            /* If mac and crypto pass the same set it to NULL too */
+            if (!twopass)
+                cpass = NULL;
+        } else if (!PKCS12_verify_mac(p12, mpass, -1)) {
+            BIO_printf(bio_err, "Mac verify error: invalid password?\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        BIO_printf(bio_err, "MAC verified OK\n");
+# ifdef CRYPTO_MDEBUG
+        CRYPTO_pop_info();
+# endif
+    }
+# ifdef CRYPTO_MDEBUG
+    CRYPTO_push_info("output keys and certificates");
+# endif
+    if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout)) {
+        BIO_printf(bio_err, "Error outputting keys and certificates\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+# ifdef CRYPTO_MDEBUG
+    CRYPTO_pop_info();
+# endif
+    ret = 0;
+ end:
+    if (p12)
+        PKCS12_free(p12);
+    if (export_cert || inrand)
+        app_RAND_write_file(NULL, bio_err);
+# ifdef CRYPTO_MDEBUG
+    CRYPTO_remove_all_info();
+# endif
+    release_engine(e);
+    BIO_free(in);
+    BIO_free_all(out);
+    if (canames)
+        sk_OPENSSL_STRING_free(canames);
+    if (passin)
+        OPENSSL_free(passin);
+    if (passout)
+        OPENSSL_free(passout);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+
+int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass,
+                        int passlen, int options, char *pempass)
+{
+    STACK_OF(PKCS7) *asafes = NULL;
+    STACK_OF(PKCS12_SAFEBAG) *bags;
+    int i, bagnid;
+    int ret = 0;
+    PKCS7 *p7;
+
+    if (!(asafes = PKCS12_unpack_authsafes(p12)))
+        return 0;
+    for (i = 0; i < sk_PKCS7_num(asafes); i++) {
+        p7 = sk_PKCS7_value(asafes, i);
+        bagnid = OBJ_obj2nid(p7->type);
+        if (bagnid == NID_pkcs7_data) {
+            bags = PKCS12_unpack_p7data(p7);
+            if (options & INFO)
+                BIO_printf(bio_err, "PKCS7 Data\n");
+        } else if (bagnid == NID_pkcs7_encrypted) {
+            if (options & INFO) {
+                BIO_printf(bio_err, "PKCS7 Encrypted data: ");
+                alg_print(bio_err, p7->d.encrypted->enc_data->algorithm);
+            }
+            bags = PKCS12_unpack_p7encdata(p7, pass, passlen);
+        } else
+            continue;
+        if (!bags)
+            goto err;
+        if (!dump_certs_pkeys_bags(out, bags, pass, passlen,
+                                   options, pempass)) {
+            sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
+            goto err;
+        }
+        sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
+        bags = NULL;
+    }
+    ret = 1;
+
+ err:
+
+    if (asafes)
+        sk_PKCS7_pop_free(asafes, PKCS7_free);
+    return ret;
+}
+
+int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
+                          char *pass, int passlen, int options, char *pempass)
+{
+    int i;
+    for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
+        if (!dump_certs_pkeys_bag(out,
+                                  sk_PKCS12_SAFEBAG_value(bags, i),
+                                  pass, passlen, options, pempass))
+            return 0;
+    }
+    return 1;
+}
+
+int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
+                         int passlen, int options, char *pempass)
+{
+    EVP_PKEY *pkey;
+    PKCS8_PRIV_KEY_INFO *p8;
+    X509 *x509;
+    int ret = 0;
+
+    switch (M_PKCS12_bag_type(bag)) {
+    case NID_keyBag:
+        if (options & INFO)
+            BIO_printf(bio_err, "Key bag\n");
+        if (options & NOKEYS)
+            return 1;
+        print_attribs(out, bag->attrib, "Bag Attributes");
+        p8 = bag->value.keybag;
+        if (!(pkey = EVP_PKCS82PKEY(p8)))
+            return 0;
+        print_attribs(out, p8->attributes, "Key Attributes");
+        ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
+        EVP_PKEY_free(pkey);
+        break;
+
+    case NID_pkcs8ShroudedKeyBag:
+        if (options & INFO) {
+            BIO_printf(bio_err, "Shrouded Keybag: ");
+            alg_print(bio_err, bag->value.shkeybag->algor);
+        }
+        if (options & NOKEYS)
+            return 1;
+        print_attribs(out, bag->attrib, "Bag Attributes");
+        if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
+            return 0;
+        if (!(pkey = EVP_PKCS82PKEY(p8))) {
+            PKCS8_PRIV_KEY_INFO_free(p8);
+            return 0;
+        }
+        print_attribs(out, p8->attributes, "Key Attributes");
+        PKCS8_PRIV_KEY_INFO_free(p8);
+        ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
+        EVP_PKEY_free(pkey);
+        break;
+
+    case NID_certBag:
+        if (options & INFO)
+            BIO_printf(bio_err, "Certificate bag\n");
+        if (options & NOCERTS)
+            return 1;
+        if (PKCS12_get_attr(bag, NID_localKeyID)) {
+            if (options & CACERTS)
+                return 1;
+        } else if (options & CLCERTS)
+            return 1;
+        print_attribs(out, bag->attrib, "Bag Attributes");
+        if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate)
+            return 1;
+        if (!(x509 = PKCS12_certbag2x509(bag)))
+            return 0;
+        dump_cert_text(out, x509);
+        ret = PEM_write_bio_X509(out, x509);
+        X509_free(x509);
+        break;
+
+    case NID_safeContentsBag:
+        if (options & INFO)
+            BIO_printf(bio_err, "Safe Contents bag\n");
+        print_attribs(out, bag->attrib, "Bag Attributes");
+        return dump_certs_pkeys_bags(out, bag->value.safes, pass,
+                                     passlen, options, pempass);
+
+    default:
+        BIO_printf(bio_err, "Warning unsupported bag type: ");
+        i2a_ASN1_OBJECT(bio_err, bag->type);
+        BIO_printf(bio_err, "\n");
+        return 1;
+        break;
+    }
+    return ret;
+}
+
+/* Given a single certificate return a verified chain or NULL if error */
+
+static int get_cert_chain(X509 *cert, X509_STORE *store,
+                          STACK_OF(X509) **chain)
+{
+    X509_STORE_CTX store_ctx;
+    STACK_OF(X509) *chn = NULL;
+    int i = 0;
+
+    if (!X509_STORE_CTX_init(&store_ctx, store, cert, NULL)) {
+        *chain = NULL;
+        return X509_V_ERR_UNSPECIFIED;
+    }
+
+    if (X509_verify_cert(&store_ctx) > 0)
+        chn = X509_STORE_CTX_get1_chain(&store_ctx);
+    else if ((i = X509_STORE_CTX_get_error(&store_ctx)) == 0)
+        i = X509_V_ERR_UNSPECIFIED;
+
+    X509_STORE_CTX_cleanup(&store_ctx);
+    *chain = chn;
+    return i;
+}
+
+int alg_print(BIO *x, X509_ALGOR *alg)
+{
+    int pbenid, aparamtype;
+    ASN1_OBJECT *aoid;
+    void *aparam;
+    PBEPARAM *pbe = NULL;
+
+    X509_ALGOR_get0(&aoid, &aparamtype, &aparam, alg);
+
+    pbenid = OBJ_obj2nid(aoid);
+
+    BIO_printf(x, "%s", OBJ_nid2ln(pbenid));
+
+    /*
+     * If PBE algorithm is PBES2 decode algorithm parameters
+     * for additional details.
+     */
+    if (pbenid == NID_pbes2) {
+        PBE2PARAM *pbe2 = NULL;
+        int encnid;
+        if (aparamtype == V_ASN1_SEQUENCE)
+            pbe2 = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBE2PARAM));
+        if (pbe2 == NULL) {
+            BIO_puts(x, "<unsupported parameters>");
+            goto done;
+        }
+        X509_ALGOR_get0(&aoid, &aparamtype, &aparam, pbe2->keyfunc);
+        pbenid = OBJ_obj2nid(aoid);
+        X509_ALGOR_get0(&aoid, NULL, NULL, pbe2->encryption);
+        encnid = OBJ_obj2nid(aoid);
+        BIO_printf(x, ", %s, %s", OBJ_nid2ln(pbenid),
+                   OBJ_nid2sn(encnid));
+        /* If KDF is PBKDF2 decode parameters */
+        if (pbenid == NID_id_pbkdf2) {
+            PBKDF2PARAM *kdf = NULL;
+            int prfnid;
+            if (aparamtype == V_ASN1_SEQUENCE)
+                kdf = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBKDF2PARAM));
+            if (kdf == NULL) {
+                BIO_puts(x, "<unsupported parameters>");
+                goto done;
+            }
+
+            if (kdf->prf == NULL) {
+                prfnid = NID_hmacWithSHA1;
+            } else {
+                X509_ALGOR_get0(&aoid, NULL, NULL, kdf->prf);
+                prfnid = OBJ_obj2nid(aoid);
+            }
+            BIO_printf(x, ", Iteration %ld, PRF %s",
+                       ASN1_INTEGER_get(kdf->iter), OBJ_nid2sn(prfnid));
+            PBKDF2PARAM_free(kdf);
+        }
+        PBE2PARAM_free(pbe2);
+    } else {
+        if (aparamtype == V_ASN1_SEQUENCE)
+            pbe = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBEPARAM));
+        if (pbe == NULL) {
+            BIO_puts(x, "<unsupported parameters>");
+            goto done;
+        }
+        BIO_printf(x, ", Iteration %ld", ASN1_INTEGER_get(pbe->iter));
+        PBEPARAM_free(pbe);
+    }
+ done:
+    BIO_puts(x, "\n");
+    return 1;
+}
+
+/* Load all certificates from a given file */
+
+int cert_load(BIO *in, STACK_OF(X509) *sk)
+{
+    int ret;
+    X509 *cert;
+    ret = 0;
+# ifdef CRYPTO_MDEBUG
+    CRYPTO_push_info("cert_load(): reading one cert");
+# endif
+    while ((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
+# ifdef CRYPTO_MDEBUG
+        CRYPTO_pop_info();
+# endif
+        ret = 1;
+        sk_X509_push(sk, cert);
+# ifdef CRYPTO_MDEBUG
+        CRYPTO_push_info("cert_load(): reading one cert");
+# endif
+    }
+# ifdef CRYPTO_MDEBUG
+    CRYPTO_pop_info();
+# endif
+    if (ret)
+        ERR_clear_error();
+    return ret;
+}
+
+/* Generalised attribute print: handle PKCS#8 and bag attributes */
+
+int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,
+                  const char *name)
+{
+    X509_ATTRIBUTE *attr;
+    ASN1_TYPE *av;
+    char *value;
+    int i, attr_nid;
+    if (!attrlst) {
+        BIO_printf(out, "%s: <No Attributes>\n", name);
+        return 1;
+    }
+    if (!sk_X509_ATTRIBUTE_num(attrlst)) {
+        BIO_printf(out, "%s: <Empty Attributes>\n", name);
+        return 1;
+    }
+    BIO_printf(out, "%s\n", name);
+    for (i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) {
+        attr = sk_X509_ATTRIBUTE_value(attrlst, i);
+        attr_nid = OBJ_obj2nid(attr->object);
+        BIO_printf(out, "    ");
+        if (attr_nid == NID_undef) {
+            i2a_ASN1_OBJECT(out, attr->object);
+            BIO_printf(out, ": ");
+        } else
+            BIO_printf(out, "%s: ", OBJ_nid2ln(attr_nid));
+
+        if (sk_ASN1_TYPE_num(attr->value.set)) {
+            av = sk_ASN1_TYPE_value(attr->value.set, 0);
+            switch (av->type) {
+            case V_ASN1_BMPSTRING:
+                value = OPENSSL_uni2asc(av->value.bmpstring->data,
+                                        av->value.bmpstring->length);
+                BIO_printf(out, "%s\n", value);
+                OPENSSL_free(value);
+                break;
+
+            case V_ASN1_OCTET_STRING:
+                hex_prin(out, av->value.octet_string->data,
+                         av->value.octet_string->length);
+                BIO_printf(out, "\n");
+                break;
+
+            case V_ASN1_BIT_STRING:
+                hex_prin(out, av->value.bit_string->data,
+                         av->value.bit_string->length);
+                BIO_printf(out, "\n");
+                break;
+
+            default:
+                BIO_printf(out, "<Unsupported tag %d>\n", av->type);
+                break;
+            }
+        } else
+            BIO_printf(out, "<No Values>\n");
+    }
+    return 1;
+}
+
+void hex_prin(BIO *out, unsigned char *buf, int len)
+{
+    int i;
+    for (i = 0; i < len; i++)
+        BIO_printf(out, "%02X ", buf[i]);
+}
+
+static int set_pbe(BIO *err, int *ppbe, const char *str)
+{
+    if (!str)
+        return 0;
+    if (!strcmp(str, "NONE")) {
+        *ppbe = -1;
+        return 1;
+    }
+    *ppbe = OBJ_txt2nid(str);
+    if (*ppbe == NID_undef) {
+        BIO_printf(bio_err, "Unknown PBE algorithm %s\n", str);
+        return 0;
+    }
+    return 1;
+}
+
+#else
+static void *dummy = &dummy;
+#endif
diff --git a/openssl/apps/pkcs7.c b/openssl/apps/pkcs7.c
new file mode 100644
index 0000000..c5d51d2
--- /dev/null
+++ b/openssl/apps/pkcs7.c
@@ -0,0 +1,310 @@
+/* apps/pkcs7.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include "apps.h"
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pem.h>
+
+#undef PROG
+#define PROG    pkcs7_main
+
+/*-
+ * -inform arg  - input format - default PEM (DER or PEM)
+ * -outform arg - output format - default PEM
+ * -in arg      - input file - default stdin
+ * -out arg     - output file - default stdout
+ * -print_certs
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    PKCS7 *p7 = NULL;
+    int i, badops = 0;
+    BIO *in = NULL, *out = NULL;
+    int informat, outformat;
+    char *infile, *outfile, *prog;
+    int print_certs = 0, text = 0, noout = 0, p7_print = 0;
+    int ret = 1;
+    char *engine = NULL;
+    ENGINE *e = NULL;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    infile = NULL;
+    outfile = NULL;
+    informat = FORMAT_PEM;
+    outformat = FORMAT_PEM;
+
+    prog = argv[0];
+    argc--;
+    argv++;
+    while (argc >= 1) {
+        if (strcmp(*argv, "-inform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            informat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-outform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outformat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-in") == 0) {
+            if (--argc < 1)
+                goto bad;
+            infile = *(++argv);
+        } else if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outfile = *(++argv);
+        } else if (strcmp(*argv, "-noout") == 0)
+            noout = 1;
+        else if (strcmp(*argv, "-text") == 0)
+            text = 1;
+        else if (strcmp(*argv, "-print") == 0)
+            p7_print = 1;
+        else if (strcmp(*argv, "-print_certs") == 0)
+            print_certs = 1;
+#ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            engine = *(++argv);
+        }
+#endif
+        else {
+            BIO_printf(bio_err, "unknown option %s\n", *argv);
+            badops = 1;
+            break;
+        }
+        argc--;
+        argv++;
+    }
+
+    if (badops) {
+ bad:
+        BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err, " -inform arg   input format - DER or PEM\n");
+        BIO_printf(bio_err, " -outform arg  output format - DER or PEM\n");
+        BIO_printf(bio_err, " -in arg       input file\n");
+        BIO_printf(bio_err, " -out arg      output file\n");
+        BIO_printf(bio_err,
+                   " -print_certs  print any certs or crl in the input\n");
+        BIO_printf(bio_err,
+                   " -text         print full details of certificates\n");
+        BIO_printf(bio_err, " -noout        don't output encoded data\n");
+#ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   " -engine e     use engine e, possibly a hardware device.\n");
+#endif
+        ret = 1;
+        goto end;
+    }
+
+    ERR_load_crypto_strings();
+
+    e = setup_engine(bio_err, engine, 0);
+
+    in = BIO_new(BIO_s_file());
+    out = BIO_new(BIO_s_file());
+    if ((in == NULL) || (out == NULL)) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (infile == NULL)
+        BIO_set_fp(in, stdin, BIO_NOCLOSE);
+    else {
+        if (BIO_read_filename(in, infile) <= 0) {
+            BIO_printf(bio_err, "unable to load input file\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+
+    if (informat == FORMAT_ASN1)
+        p7 = d2i_PKCS7_bio(in, NULL);
+    else if (informat == FORMAT_PEM)
+        p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
+    else {
+        BIO_printf(bio_err, "bad input format specified for pkcs7 object\n");
+        goto end;
+    }
+    if (p7 == NULL) {
+        BIO_printf(bio_err, "unable to load PKCS7 object\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (outfile == NULL) {
+        BIO_set_fp(out, stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+#endif
+    } else {
+        if (BIO_write_filename(out, outfile) <= 0) {
+            perror(outfile);
+            goto end;
+        }
+    }
+
+    if (p7_print)
+        PKCS7_print_ctx(out, p7, 0, NULL);
+
+    if (print_certs) {
+        STACK_OF(X509) *certs = NULL;
+        STACK_OF(X509_CRL) *crls = NULL;
+
+        i = OBJ_obj2nid(p7->type);
+        switch (i) {
+        case NID_pkcs7_signed:
+            if (p7->d.sign != NULL) {
+                certs = p7->d.sign->cert;
+                crls = p7->d.sign->crl;
+            }
+            break;
+        case NID_pkcs7_signedAndEnveloped:
+            if (p7->d.signed_and_enveloped != NULL) {
+                certs = p7->d.signed_and_enveloped->cert;
+                crls = p7->d.signed_and_enveloped->crl;
+            }
+            break;
+        default:
+            break;
+        }
+
+        if (certs != NULL) {
+            X509 *x;
+
+            for (i = 0; i < sk_X509_num(certs); i++) {
+                x = sk_X509_value(certs, i);
+                if (text)
+                    X509_print(out, x);
+                else
+                    dump_cert_text(out, x);
+
+                if (!noout)
+                    PEM_write_bio_X509(out, x);
+                BIO_puts(out, "\n");
+            }
+        }
+        if (crls != NULL) {
+            X509_CRL *crl;
+
+            for (i = 0; i < sk_X509_CRL_num(crls); i++) {
+                crl = sk_X509_CRL_value(crls, i);
+
+                X509_CRL_print(out, crl);
+
+                if (!noout)
+                    PEM_write_bio_X509_CRL(out, crl);
+                BIO_puts(out, "\n");
+            }
+        }
+
+        ret = 0;
+        goto end;
+    }
+
+    if (!noout) {
+        if (outformat == FORMAT_ASN1)
+            i = i2d_PKCS7_bio(out, p7);
+        else if (outformat == FORMAT_PEM)
+            i = PEM_write_bio_PKCS7(out, p7);
+        else {
+            BIO_printf(bio_err, "bad output format specified for outfile\n");
+            goto end;
+        }
+
+        if (!i) {
+            BIO_printf(bio_err, "unable to write pkcs7 object\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+    ret = 0;
+ end:
+    if (p7 != NULL)
+        PKCS7_free(p7);
+    release_engine(e);
+    if (in != NULL)
+        BIO_free(in);
+    if (out != NULL)
+        BIO_free_all(out);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
diff --git a/openssl/apps/pkcs8.c b/openssl/apps/pkcs8.c
new file mode 100644
index 0000000..71e3168
--- /dev/null
+++ b/openssl/apps/pkcs8.c
@@ -0,0 +1,399 @@
+/* pkcs8.c */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999-2004.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <stdio.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/pkcs12.h>
+
+#define PROG pkcs8_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    ENGINE *e = NULL;
+    char **args, *infile = NULL, *outfile = NULL;
+    char *passargin = NULL, *passargout = NULL;
+    BIO *in = NULL, *out = NULL;
+    int topk8 = 0;
+    int pbe_nid = -1;
+    const EVP_CIPHER *cipher = NULL;
+    int iter = PKCS12_DEFAULT_ITER;
+    int informat, outformat;
+    int p8_broken = PKCS8_OK;
+    int nocrypt = 0;
+    X509_SIG *p8 = NULL;
+    PKCS8_PRIV_KEY_INFO *p8inf = NULL;
+    EVP_PKEY *pkey = NULL;
+    char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
+    int badarg = 0;
+    int ret = 1;
+    char *engine = NULL;
+
+    if (bio_err == NULL)
+        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    informat = FORMAT_PEM;
+    outformat = FORMAT_PEM;
+
+    ERR_load_crypto_strings();
+    OpenSSL_add_all_algorithms();
+    args = argv + 1;
+    while (!badarg && *args && *args[0] == '-') {
+        if (!strcmp(*args, "-v2")) {
+            if (args[1]) {
+                args++;
+                cipher = EVP_get_cipherbyname(*args);
+                if (!cipher) {
+                    BIO_printf(bio_err, "Unknown cipher %s\n", *args);
+                    badarg = 1;
+                }
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-v1")) {
+            if (args[1]) {
+                args++;
+                pbe_nid = OBJ_txt2nid(*args);
+                if (pbe_nid == NID_undef) {
+                    BIO_printf(bio_err, "Unknown PBE algorithm %s\n", *args);
+                    badarg = 1;
+                }
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-v2prf")) {
+            if (args[1]) {
+                args++;
+                pbe_nid = OBJ_txt2nid(*args);
+                if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) {
+                    BIO_printf(bio_err, "Unknown PRF algorithm %s\n", *args);
+                    badarg = 1;
+                }
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-inform")) {
+            if (args[1]) {
+                args++;
+                informat = str2fmt(*args);
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-outform")) {
+            if (args[1]) {
+                args++;
+                outformat = str2fmt(*args);
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-topk8"))
+            topk8 = 1;
+        else if (!strcmp(*args, "-noiter"))
+            iter = 1;
+        else if (!strcmp(*args, "-nocrypt"))
+            nocrypt = 1;
+        else if (!strcmp(*args, "-nooct"))
+            p8_broken = PKCS8_NO_OCTET;
+        else if (!strcmp(*args, "-nsdb"))
+            p8_broken = PKCS8_NS_DB;
+        else if (!strcmp(*args, "-embed"))
+            p8_broken = PKCS8_EMBEDDED_PARAM;
+        else if (!strcmp(*args, "-passin")) {
+            if (!args[1])
+                goto bad;
+            passargin = *(++args);
+        } else if (!strcmp(*args, "-passout")) {
+            if (!args[1])
+                goto bad;
+            passargout = *(++args);
+        }
+#ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*args, "-engine") == 0) {
+            if (!args[1])
+                goto bad;
+            engine = *(++args);
+        }
+#endif
+        else if (!strcmp(*args, "-in")) {
+            if (args[1]) {
+                args++;
+                infile = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-out")) {
+            if (args[1]) {
+                args++;
+                outfile = *args;
+            } else
+                badarg = 1;
+        } else
+            badarg = 1;
+        args++;
+    }
+
+    if (badarg) {
+ bad:
+        BIO_printf(bio_err, "Usage pkcs8 [options]\n");
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err, "-in file        input file\n");
+        BIO_printf(bio_err, "-inform X       input format (DER or PEM)\n");
+        BIO_printf(bio_err,
+                   "-passin arg     input file pass phrase source\n");
+        BIO_printf(bio_err, "-outform X      output format (DER or PEM)\n");
+        BIO_printf(bio_err, "-out file       output file\n");
+        BIO_printf(bio_err,
+                   "-passout arg    output file pass phrase source\n");
+        BIO_printf(bio_err, "-topk8          output PKCS8 file\n");
+        BIO_printf(bio_err,
+                   "-nooct          use (nonstandard) no octet format\n");
+        BIO_printf(bio_err,
+                   "-embed          use (nonstandard) embedded DSA parameters format\n");
+        BIO_printf(bio_err,
+                   "-nsdb           use (nonstandard) DSA Netscape DB format\n");
+        BIO_printf(bio_err, "-noiter         use 1 as iteration count\n");
+        BIO_printf(bio_err,
+                   "-nocrypt        use or expect unencrypted private key\n");
+        BIO_printf(bio_err,
+                   "-v2 alg         use PKCS#5 v2.0 and cipher \"alg\"\n");
+        BIO_printf(bio_err,
+                   "-v1 obj         use PKCS#5 v1.5 and cipher \"alg\"\n");
+#ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   " -engine e       use engine e, possibly a hardware device.\n");
+#endif
+        goto end;
+    }
+    e = setup_engine(bio_err, engine, 0);
+
+    if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+        BIO_printf(bio_err, "Error getting passwords\n");
+        goto end;
+    }
+
+    if ((pbe_nid == -1) && !cipher)
+        pbe_nid = NID_pbeWithMD5AndDES_CBC;
+
+    if (infile) {
+        if (!(in = BIO_new_file(infile, "rb"))) {
+            BIO_printf(bio_err, "Can't open input file %s\n", infile);
+            goto end;
+        }
+    } else
+        in = BIO_new_fp(stdin, BIO_NOCLOSE);
+
+    if (outfile) {
+        if (!(out = BIO_new_file(outfile, "wb"))) {
+            BIO_printf(bio_err, "Can't open output file %s\n", outfile);
+            goto end;
+        }
+    } else {
+        out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+#endif
+    }
+    if (topk8) {
+        pkey = load_key(bio_err, infile, informat, 1, passin, e, "key");
+        if (!pkey)
+            goto end;
+        if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) {
+            BIO_printf(bio_err, "Error converting key\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        if (nocrypt) {
+            if (outformat == FORMAT_PEM)
+                PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
+            else if (outformat == FORMAT_ASN1)
+                i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8inf);
+            else {
+                BIO_printf(bio_err, "Bad format specified for key\n");
+                goto end;
+            }
+        } else {
+            if (passout)
+                p8pass = passout;
+            else {
+                p8pass = pass;
+                if (EVP_read_pw_string
+                    (pass, sizeof pass, "Enter Encryption Password:", 1))
+                    goto end;
+            }
+            app_RAND_load_file(NULL, bio_err, 0);
+            if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
+                                     p8pass, strlen(p8pass),
+                                     NULL, 0, iter, p8inf))) {
+                BIO_printf(bio_err, "Error encrypting key\n");
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+            app_RAND_write_file(NULL, bio_err);
+            if (outformat == FORMAT_PEM)
+                PEM_write_bio_PKCS8(out, p8);
+            else if (outformat == FORMAT_ASN1)
+                i2d_PKCS8_bio(out, p8);
+            else {
+                BIO_printf(bio_err, "Bad format specified for key\n");
+                goto end;
+            }
+        }
+
+        ret = 0;
+        goto end;
+    }
+
+    if (nocrypt) {
+        if (informat == FORMAT_PEM)
+            p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in, NULL, NULL, NULL);
+        else if (informat == FORMAT_ASN1)
+            p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL);
+        else {
+            BIO_printf(bio_err, "Bad format specified for key\n");
+            goto end;
+        }
+    } else {
+        if (informat == FORMAT_PEM)
+            p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL);
+        else if (informat == FORMAT_ASN1)
+            p8 = d2i_PKCS8_bio(in, NULL);
+        else {
+            BIO_printf(bio_err, "Bad format specified for key\n");
+            goto end;
+        }
+
+        if (!p8) {
+            BIO_printf(bio_err, "Error reading key\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        if (passin)
+            p8pass = passin;
+        else {
+            p8pass = pass;
+            EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0);
+        }
+        p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass));
+    }
+
+    if (!p8inf) {
+        BIO_printf(bio_err, "Error decrypting key\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (!(pkey = EVP_PKCS82PKEY(p8inf))) {
+        BIO_printf(bio_err, "Error converting key\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (p8inf->broken) {
+        BIO_printf(bio_err, "Warning: broken key encoding: ");
+        switch (p8inf->broken) {
+        case PKCS8_NO_OCTET:
+            BIO_printf(bio_err, "No Octet String in PrivateKey\n");
+            break;
+
+        case PKCS8_EMBEDDED_PARAM:
+            BIO_printf(bio_err, "DSA parameters included in PrivateKey\n");
+            break;
+
+        case PKCS8_NS_DB:
+            BIO_printf(bio_err, "DSA public key include in PrivateKey\n");
+            break;
+
+        case PKCS8_NEG_PRIVKEY:
+            BIO_printf(bio_err, "DSA private key value is negative\n");
+            break;
+
+        default:
+            BIO_printf(bio_err, "Unknown broken type\n");
+            break;
+        }
+    }
+
+    if (outformat == FORMAT_PEM)
+        PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);
+    else if (outformat == FORMAT_ASN1)
+        i2d_PrivateKey_bio(out, pkey);
+    else {
+        BIO_printf(bio_err, "Bad format specified for key\n");
+        goto end;
+    }
+    ret = 0;
+
+ end:
+    X509_SIG_free(p8);
+    PKCS8_PRIV_KEY_INFO_free(p8inf);
+    EVP_PKEY_free(pkey);
+    release_engine(e);
+    BIO_free_all(out);
+    BIO_free(in);
+    if (passin)
+        OPENSSL_free(passin);
+    if (passout)
+        OPENSSL_free(passout);
+
+    return ret;
+}
diff --git a/openssl/apps/pkey.c b/openssl/apps/pkey.c
new file mode 100644
index 0000000..63d878a
--- /dev/null
+++ b/openssl/apps/pkey.c
@@ -0,0 +1,248 @@
+/* apps/pkey.c */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <stdio.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+
+#define PROG pkey_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    ENGINE *e = NULL;
+    char **args, *infile = NULL, *outfile = NULL;
+    char *passargin = NULL, *passargout = NULL;
+    BIO *in = NULL, *out = NULL;
+    const EVP_CIPHER *cipher = NULL;
+    int informat, outformat;
+    int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0;
+    EVP_PKEY *pkey = NULL;
+    char *passin = NULL, *passout = NULL;
+    int badarg = 0;
+    char *engine = NULL;
+    int ret = 1;
+
+    if (bio_err == NULL)
+        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    informat = FORMAT_PEM;
+    outformat = FORMAT_PEM;
+
+    ERR_load_crypto_strings();
+    OpenSSL_add_all_algorithms();
+    args = argv + 1;
+    while (!badarg && *args && *args[0] == '-') {
+        if (!strcmp(*args, "-inform")) {
+            if (args[1]) {
+                args++;
+                informat = str2fmt(*args);
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-outform")) {
+            if (args[1]) {
+                args++;
+                outformat = str2fmt(*args);
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-passin")) {
+            if (!args[1])
+                goto bad;
+            passargin = *(++args);
+        } else if (!strcmp(*args, "-passout")) {
+            if (!args[1])
+                goto bad;
+            passargout = *(++args);
+        }
+#ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*args, "-engine") == 0) {
+            if (!args[1])
+                goto bad;
+            engine = *(++args);
+        }
+#endif
+        else if (!strcmp(*args, "-in")) {
+            if (args[1]) {
+                args++;
+                infile = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-out")) {
+            if (args[1]) {
+                args++;
+                outfile = *args;
+            } else
+                badarg = 1;
+        } else if (strcmp(*args, "-pubin") == 0) {
+            pubin = 1;
+            pubout = 1;
+            pubtext = 1;
+        } else if (strcmp(*args, "-pubout") == 0)
+            pubout = 1;
+        else if (strcmp(*args, "-text_pub") == 0) {
+            pubtext = 1;
+            text = 1;
+        } else if (strcmp(*args, "-text") == 0)
+            text = 1;
+        else if (strcmp(*args, "-noout") == 0)
+            noout = 1;
+        else {
+            cipher = EVP_get_cipherbyname(*args + 1);
+            if (!cipher) {
+                BIO_printf(bio_err, "Unknown cipher %s\n", *args + 1);
+                badarg = 1;
+            }
+        }
+        args++;
+    }
+
+    if (badarg) {
+ bad:
+        BIO_printf(bio_err, "Usage pkey [options]\n");
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err, "-in file        input file\n");
+        BIO_printf(bio_err, "-inform X       input format (DER or PEM)\n");
+        BIO_printf(bio_err,
+                   "-passin arg     input file pass phrase source\n");
+        BIO_printf(bio_err, "-outform X      output format (DER or PEM)\n");
+        BIO_printf(bio_err, "-out file       output file\n");
+        BIO_printf(bio_err,
+                   "-passout arg    output file pass phrase source\n");
+#ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   "-engine e       use engine e, possibly a hardware device.\n");
+#endif
+        return 1;
+    }
+    e = setup_engine(bio_err, engine, 0);
+
+    if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+        BIO_printf(bio_err, "Error getting passwords\n");
+        goto end;
+    }
+
+    if (outfile) {
+        if (!(out = BIO_new_file(outfile, "wb"))) {
+            BIO_printf(bio_err, "Can't open output file %s\n", outfile);
+            goto end;
+        }
+    } else {
+        out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+#endif
+    }
+
+    if (pubin)
+        pkey = load_pubkey(bio_err, infile, informat, 1,
+                           passin, e, "Public Key");
+    else
+        pkey = load_key(bio_err, infile, informat, 1, passin, e, "key");
+    if (!pkey)
+        goto end;
+
+    if (!noout) {
+        if (outformat == FORMAT_PEM) {
+            if (pubout)
+                PEM_write_bio_PUBKEY(out, pkey);
+            else
+                PEM_write_bio_PrivateKey(out, pkey, cipher,
+                                         NULL, 0, NULL, passout);
+        } else if (outformat == FORMAT_ASN1) {
+            if (pubout)
+                i2d_PUBKEY_bio(out, pkey);
+            else
+                i2d_PrivateKey_bio(out, pkey);
+        } else {
+            BIO_printf(bio_err, "Bad format specified for key\n");
+            goto end;
+        }
+
+    }
+
+    if (text) {
+        if (pubtext)
+            EVP_PKEY_print_public(out, pkey, 0, NULL);
+        else
+            EVP_PKEY_print_private(out, pkey, 0, NULL);
+    }
+
+    ret = 0;
+
+ end:
+    EVP_PKEY_free(pkey);
+    release_engine(e);
+    BIO_free_all(out);
+    BIO_free(in);
+    if (passin)
+        OPENSSL_free(passin);
+    if (passout)
+        OPENSSL_free(passout);
+
+    return ret;
+}
diff --git a/openssl/apps/pkeyparam.c b/openssl/apps/pkeyparam.c
new file mode 100644
index 0000000..1437f03
--- /dev/null
+++ b/openssl/apps/pkeyparam.c
@@ -0,0 +1,183 @@
+/* apps/pkeyparam.c */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <stdio.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+
+#define PROG pkeyparam_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    char **args, *infile = NULL, *outfile = NULL;
+    BIO *in = NULL, *out = NULL;
+    int text = 0, noout = 0;
+    EVP_PKEY *pkey = NULL;
+    int badarg = 0;
+    char *engine = NULL;
+    ENGINE *e = NULL;
+    int ret = 1;
+
+    if (bio_err == NULL)
+        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    ERR_load_crypto_strings();
+    OpenSSL_add_all_algorithms();
+    args = argv + 1;
+    while (!badarg && *args && *args[0] == '-') {
+        if (!strcmp(*args, "-in")) {
+            if (args[1]) {
+                args++;
+                infile = *args;
+            } else
+                badarg = 1;
+        } else if (!strcmp(*args, "-out")) {
+            if (args[1]) {
+                args++;
+                outfile = *args;
+            } else
+                badarg = 1;
+        }
+#ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*args, "-engine") == 0) {
+            if (!args[1])
+                goto bad;
+            engine = *(++args);
+        }
+#endif
+
+        else if (strcmp(*args, "-text") == 0)
+            text = 1;
+        else if (strcmp(*args, "-noout") == 0)
+            noout = 1;
+        args++;
+    }
+
+    if (badarg) {
+#ifndef OPENSSL_NO_ENGINE
+ bad:
+#endif
+        BIO_printf(bio_err, "Usage pkeyparam [options]\n");
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err, "-in file        input file\n");
+        BIO_printf(bio_err, "-out file       output file\n");
+        BIO_printf(bio_err, "-text           print parameters as text\n");
+        BIO_printf(bio_err,
+                   "-noout          don't output encoded parameters\n");
+#ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   "-engine e       use engine e, possibly a hardware device.\n");
+#endif
+        return 1;
+    }
+    e = setup_engine(bio_err, engine, 0);
+
+    if (infile) {
+        if (!(in = BIO_new_file(infile, "r"))) {
+            BIO_printf(bio_err, "Can't open input file %s\n", infile);
+            goto end;
+        }
+    } else
+        in = BIO_new_fp(stdin, BIO_NOCLOSE);
+
+    if (outfile) {
+        if (!(out = BIO_new_file(outfile, "w"))) {
+            BIO_printf(bio_err, "Can't open output file %s\n", outfile);
+            goto end;
+        }
+    } else {
+        out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+#endif
+    }
+
+    pkey = PEM_read_bio_Parameters(in, NULL);
+    if (!pkey) {
+        BIO_printf(bio_err, "Error reading parameters\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (!noout)
+        PEM_write_bio_Parameters(out, pkey);
+
+    if (text)
+        EVP_PKEY_print_params(out, pkey, 0, NULL);
+
+    ret = 0;
+
+ end:
+    EVP_PKEY_free(pkey);
+    release_engine(e);
+    BIO_free_all(out);
+    BIO_free(in);
+
+    return ret;
+}
diff --git a/openssl/apps/pkeyutl.c b/openssl/apps/pkeyutl.c
new file mode 100644
index 0000000..7c62d1c
--- /dev/null
+++ b/openssl/apps/pkeyutl.c
@@ -0,0 +1,556 @@
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "apps.h"
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/evp.h>
+
+#define KEY_PRIVKEY     1
+#define KEY_PUBKEY      2
+#define KEY_CERT        3
+
+static void usage(void);
+
+#undef PROG
+
+#define PROG pkeyutl_main
+
+static EVP_PKEY_CTX *init_ctx(int *pkeysize,
+                              const char *keyfile, int keyform, int key_type,
+                              char *passargin, int pkey_op, ENGINE *e,
+                              int   impl);
+
+static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform,
+                      const char *file, ENGINE* e);
+
+static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
+                    unsigned char *out, size_t *poutlen,
+                    unsigned char *in, size_t inlen);
+
+int MAIN(int argc, char **);
+
+int MAIN(int argc, char **argv)
+{
+    BIO *in = NULL, *out = NULL;
+    char *infile = NULL, *outfile = NULL, *sigfile = NULL;
+    ENGINE *e = NULL;
+    int pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
+    int keyform = FORMAT_PEM, peerform = FORMAT_PEM;
+    char badarg = 0, rev = 0;
+    char hexdump = 0, asn1parse = 0;
+    EVP_PKEY_CTX *ctx = NULL;
+    char *passargin = NULL;
+    int keysize = -1;
+    int engine_impl = 0;
+    unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
+    size_t buf_outlen = 0;
+    int buf_inlen = 0, siglen = -1;
+    const char *inkey = NULL;
+    const char *peerkey = NULL;
+    STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;
+
+    int ret = 1, rv = -1;
+
+    argc--;
+    argv++;
+
+    if (!bio_err)
+        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+    ERR_load_crypto_strings();
+    OpenSSL_add_all_algorithms();
+
+    while (argc >= 1) {
+        if (!strcmp(*argv, "-in")) {
+            if (--argc < 1)
+                badarg = 1;
+            else
+                infile = *(++argv);
+        } else if (!strcmp(*argv, "-out")) {
+            if (--argc < 1)
+                badarg = 1;
+            else
+                outfile = *(++argv);
+        } else if (!strcmp(*argv, "-sigfile")) {
+            if (--argc < 1)
+                badarg = 1;
+            else
+                sigfile = *(++argv);
+        } else if (!strcmp(*argv, "-inkey")) {
+            if (--argc < 1)
+                badarg = 1;
+            else
+                inkey = *++argv;
+        } else if (!strcmp(*argv, "-peerkey")) {
+            if (--argc < 1)
+                badarg = 1;
+            else
+                peerkey = *++argv;
+        } else if (!strcmp(*argv, "-passin")) {
+            if (--argc < 1)
+                badarg = 1;
+            else
+                passargin = *(++argv);
+        } else if (strcmp(*argv, "-peerform") == 0) {
+            if (--argc < 1)
+                badarg = 1;
+            else
+                peerform = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-keyform") == 0) {
+            if (--argc < 1)
+                badarg = 1;
+            else
+                keyform = str2fmt(*(++argv));
+        }
+#ifndef OPENSSL_NO_ENGINE
+        else if (!strcmp(*argv, "-engine")) {
+            if (--argc < 1)
+                badarg = 1;
+            else
+                e = setup_engine(bio_err, *(++argv), 0);
+        } else if (!strcmp(*argv, "-engine_impl")) {
+                engine_impl = 1;
+        }
+#endif
+        else if (!strcmp(*argv, "-pubin"))
+            key_type = KEY_PUBKEY;
+        else if (!strcmp(*argv, "-certin"))
+            key_type = KEY_CERT;
+        else if (!strcmp(*argv, "-asn1parse"))
+            asn1parse = 1;
+        else if (!strcmp(*argv, "-hexdump"))
+            hexdump = 1;
+        else if (!strcmp(*argv, "-sign"))
+            pkey_op = EVP_PKEY_OP_SIGN;
+        else if (!strcmp(*argv, "-verify"))
+            pkey_op = EVP_PKEY_OP_VERIFY;
+        else if (!strcmp(*argv, "-verifyrecover"))
+            pkey_op = EVP_PKEY_OP_VERIFYRECOVER;
+        else if (!strcmp(*argv, "-encrypt"))
+            pkey_op = EVP_PKEY_OP_ENCRYPT;
+        else if (!strcmp(*argv, "-decrypt"))
+            pkey_op = EVP_PKEY_OP_DECRYPT;
+        else if (!strcmp(*argv, "-derive"))
+            pkey_op = EVP_PKEY_OP_DERIVE;
+        else if (!strcmp(*argv, "-rev"))
+            rev = 1;
+        else if (strcmp(*argv, "-pkeyopt") == 0) {
+            if (--argc < 1)
+                badarg = 1;
+            else if ((pkeyopts == NULL &&
+                     (pkeyopts = sk_OPENSSL_STRING_new_null()) == NULL) ||
+                    sk_OPENSSL_STRING_push(pkeyopts, *++argv) == 0) {
+                BIO_puts(bio_err, "out of memory\n");
+                goto end;
+            }
+        } else
+            badarg = 1;
+        if (badarg) {
+            usage();
+            goto end;
+        }
+        argc--;
+        argv++;
+    }
+
+    if (inkey == NULL ||
+        (peerkey != NULL && pkey_op != EVP_PKEY_OP_DERIVE)) {
+        usage();
+        goto end;
+    }
+    ctx = init_ctx(&keysize, inkey, keyform, key_type,
+                   passargin, pkey_op, e, engine_impl);
+    if (!ctx) {
+        BIO_puts(bio_err, "Error initializing context\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+    if (peerkey != NULL && !setup_peer(bio_err, ctx, peerform, peerkey, e)) {
+        BIO_puts(bio_err, "Error setting up peer key\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+    if (pkeyopts != NULL) {
+        int num = sk_OPENSSL_STRING_num(pkeyopts);
+        int i;
+
+        for (i = 0; i < num; ++i) {
+            const char *opt = sk_OPENSSL_STRING_value(pkeyopts, i);
+
+            if (pkey_ctrl_string(ctx, opt) <= 0) {
+                BIO_puts(bio_err, "parameter setting error\n");
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+        }
+    }
+
+    if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY)) {
+        BIO_puts(bio_err, "Signature file specified for non verify\n");
+        goto end;
+    }
+
+    if (!sigfile && (pkey_op == EVP_PKEY_OP_VERIFY)) {
+        BIO_puts(bio_err, "No signature file specified for verify\n");
+        goto end;
+    }
+
+/* FIXME: seed PRNG only if needed */
+    app_RAND_load_file(NULL, bio_err, 0);
+
+    if (pkey_op != EVP_PKEY_OP_DERIVE) {
+        if (infile) {
+            if (!(in = BIO_new_file(infile, "rb"))) {
+                BIO_puts(bio_err, "Error Opening Input File\n");
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+        } else
+            in = BIO_new_fp(stdin, BIO_NOCLOSE);
+    }
+
+    if (outfile) {
+        if (!(out = BIO_new_file(outfile, "wb"))) {
+            BIO_printf(bio_err, "Error Creating Output File\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    } else {
+        out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+#endif
+    }
+
+    if (sigfile) {
+        BIO *sigbio = BIO_new_file(sigfile, "rb");
+        if (!sigbio) {
+            BIO_printf(bio_err, "Can't open signature file %s\n", sigfile);
+            goto end;
+        }
+        siglen = bio_to_mem(&sig, keysize * 10, sigbio);
+        BIO_free(sigbio);
+        if (siglen < 0) {
+            BIO_printf(bio_err, "Error reading signature data\n");
+            goto end;
+        }
+    }
+
+    if (in) {
+        /* Read the input data */
+        buf_inlen = bio_to_mem(&buf_in, keysize * 10, in);
+        if (buf_inlen < 0) {
+            BIO_printf(bio_err, "Error reading input Data\n");
+            exit(1);
+        }
+        if (rev) {
+            size_t i;
+            unsigned char ctmp;
+            size_t l = (size_t)buf_inlen;
+            for (i = 0; i < l / 2; i++) {
+                ctmp = buf_in[i];
+                buf_in[i] = buf_in[l - 1 - i];
+                buf_in[l - 1 - i] = ctmp;
+            }
+        }
+    }
+
+    if (pkey_op == EVP_PKEY_OP_VERIFY) {
+        rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen,
+                             buf_in, (size_t)buf_inlen);
+        if (rv == 0)
+            BIO_puts(out, "Signature Verification Failure\n");
+        else if (rv == 1)
+            BIO_puts(out, "Signature Verified Successfully\n");
+        if (rv >= 0)
+            goto end;
+    } else {
+        rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
+                      buf_in, (size_t)buf_inlen);
+        if (rv > 0 && buf_outlen != 0) {
+            buf_out = OPENSSL_malloc(buf_outlen);
+            if (!buf_out)
+                rv = -1;
+            else
+                rv = do_keyop(ctx, pkey_op,
+                              buf_out, (size_t *)&buf_outlen,
+                              buf_in, (size_t)buf_inlen);
+        }
+    }
+
+    if (rv <= 0) {
+        BIO_printf(bio_err, "Public Key operation error\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+    ret = 0;
+    if (asn1parse) {
+        if (!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1))
+            ERR_print_errors(bio_err);
+    } else if (hexdump)
+        BIO_dump(out, (char *)buf_out, buf_outlen);
+    else
+        BIO_write(out, buf_out, buf_outlen);
+
+ end:
+    if (ctx)
+        EVP_PKEY_CTX_free(ctx);
+    release_engine(e);
+    BIO_free(in);
+    BIO_free_all(out);
+    if (buf_in != NULL)
+        OPENSSL_free(buf_in);
+    if (buf_out != NULL)
+        OPENSSL_free(buf_out);
+    if (sig != NULL)
+        OPENSSL_free(sig);
+    if (pkeyopts != NULL)
+        sk_OPENSSL_STRING_free(pkeyopts);
+    return ret;
+}
+
+static void usage()
+{
+    BIO_printf(bio_err, "Usage: pkeyutl [options]\n");
+    BIO_printf(bio_err, "-in file        input file\n");
+    BIO_printf(bio_err, "-out file       output file\n");
+    BIO_printf(bio_err,
+               "-sigfile file signature file (verify operation only)\n");
+    BIO_printf(bio_err, "-inkey file     input key\n");
+    BIO_printf(bio_err, "-keyform arg    private key format - default PEM\n");
+    BIO_printf(bio_err, "-pubin          input is a public key\n");
+    BIO_printf(bio_err,
+               "-certin         input is a certificate carrying a public key\n");
+    BIO_printf(bio_err, "-pkeyopt X:Y    public key options\n");
+    BIO_printf(bio_err, "-sign           sign with private key\n");
+    BIO_printf(bio_err, "-verify         verify with public key\n");
+    BIO_printf(bio_err,
+               "-verifyrecover  verify with public key, recover original data\n");
+    BIO_printf(bio_err, "-encrypt        encrypt with public key\n");
+    BIO_printf(bio_err, "-decrypt        decrypt with private key\n");
+    BIO_printf(bio_err, "-derive         derive shared secret\n");
+    BIO_printf(bio_err, "-hexdump        hex dump output\n");
+#ifndef OPENSSL_NO_ENGINE
+    BIO_printf(bio_err,
+               "-engine e       use engine e, maybe a hardware device, for loading keys.\n");
+    BIO_printf(bio_err, "-engine_impl    also use engine given by -engine for crypto operations\n");
+#endif
+    BIO_printf(bio_err, "-passin arg     pass phrase source\n");
+
+}
+
+static EVP_PKEY_CTX *init_ctx(int *pkeysize,
+                              const char *keyfile, int keyform, int key_type,
+                              char *passargin, int pkey_op, ENGINE *e,
+                              int   engine_impl)
+{
+    EVP_PKEY *pkey = NULL;
+    EVP_PKEY_CTX *ctx = NULL;
+    ENGINE *impl = NULL;
+    char *passin = NULL;
+    int rv = -1;
+    X509 *x;
+    if (((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT)
+         || (pkey_op == EVP_PKEY_OP_DERIVE))
+        && (key_type != KEY_PRIVKEY)) {
+        BIO_printf(bio_err, "A private key is needed for this operation\n");
+        goto end;
+    }
+    if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+        BIO_printf(bio_err, "Error getting password\n");
+        goto end;
+    }
+    switch (key_type) {
+    case KEY_PRIVKEY:
+        pkey = load_key(bio_err, keyfile, keyform, 0,
+                        passin, e, "Private Key");
+        break;
+
+    case KEY_PUBKEY:
+        pkey = load_pubkey(bio_err, keyfile, keyform, 0,
+                           NULL, e, "Public Key");
+        break;
+
+    case KEY_CERT:
+        x = load_cert(bio_err, keyfile, keyform, NULL, e, "Certificate");
+        if (x) {
+            pkey = X509_get_pubkey(x);
+            X509_free(x);
+        }
+        break;
+
+    }
+
+    *pkeysize = EVP_PKEY_size(pkey);
+
+    if (!pkey)
+        goto end;
+        
+#ifndef OPENSSL_NO_ENGINE
+    if (engine_impl)
+	impl = e;
+#endif
+            
+    ctx = EVP_PKEY_CTX_new(pkey, impl);
+    
+    EVP_PKEY_free(pkey);
+
+    if (!ctx)
+        goto end;
+
+    switch (pkey_op) {
+    case EVP_PKEY_OP_SIGN:
+        rv = EVP_PKEY_sign_init(ctx);
+        break;
+
+    case EVP_PKEY_OP_VERIFY:
+        rv = EVP_PKEY_verify_init(ctx);
+        break;
+
+    case EVP_PKEY_OP_VERIFYRECOVER:
+        rv = EVP_PKEY_verify_recover_init(ctx);
+        break;
+
+    case EVP_PKEY_OP_ENCRYPT:
+        rv = EVP_PKEY_encrypt_init(ctx);
+        break;
+
+    case EVP_PKEY_OP_DECRYPT:
+        rv = EVP_PKEY_decrypt_init(ctx);
+        break;
+
+    case EVP_PKEY_OP_DERIVE:
+        rv = EVP_PKEY_derive_init(ctx);
+        break;
+    }
+
+    if (rv <= 0) {
+        EVP_PKEY_CTX_free(ctx);
+        ctx = NULL;
+    }
+
+ end:
+
+    if (passin)
+        OPENSSL_free(passin);
+
+    return ctx;
+
+}
+
+static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform,
+                      const char *file, ENGINE* e)
+{
+    EVP_PKEY *peer = NULL;
+    ENGINE* engine = NULL;
+    int ret;
+
+    if (peerform == FORMAT_ENGINE)
+        engine = e;
+    peer = load_pubkey(bio_err, file, peerform, 0, NULL, engine, "Peer Key");
+
+    if (!peer) {
+        BIO_printf(bio_err, "Error reading peer key %s\n", file);
+        ERR_print_errors(err);
+        return 0;
+    }
+
+    ret = EVP_PKEY_derive_set_peer(ctx, peer);
+
+    EVP_PKEY_free(peer);
+    if (ret <= 0)
+        ERR_print_errors(err);
+    return ret;
+}
+
+static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
+                    unsigned char *out, size_t *poutlen,
+                    unsigned char *in, size_t inlen)
+{
+    int rv = 0;
+    switch (pkey_op) {
+    case EVP_PKEY_OP_VERIFYRECOVER:
+        rv = EVP_PKEY_verify_recover(ctx, out, poutlen, in, inlen);
+        break;
+
+    case EVP_PKEY_OP_SIGN:
+        rv = EVP_PKEY_sign(ctx, out, poutlen, in, inlen);
+        break;
+
+    case EVP_PKEY_OP_ENCRYPT:
+        rv = EVP_PKEY_encrypt(ctx, out, poutlen, in, inlen);
+        break;
+
+    case EVP_PKEY_OP_DECRYPT:
+        rv = EVP_PKEY_decrypt(ctx, out, poutlen, in, inlen);
+        break;
+
+    case EVP_PKEY_OP_DERIVE:
+        rv = EVP_PKEY_derive(ctx, out, poutlen);
+        break;
+
+    }
+    return rv;
+}
diff --git a/openssl/apps/prime.c b/openssl/apps/prime.c
new file mode 100644
index 0000000..133167f
--- /dev/null
+++ b/openssl/apps/prime.c
@@ -0,0 +1,159 @@
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+
+#include "apps.h"
+#include <openssl/bn.h>
+
+#undef PROG
+#define PROG prime_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    int hex = 0;
+    int checks = 20;
+    int generate = 0;
+    int bits = 0;
+    int safe = 0;
+    BIGNUM *bn = NULL;
+    BIO *bio_out;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    --argc;
+    ++argv;
+    while (argc >= 1 && **argv == '-') {
+        if (!strcmp(*argv, "-hex"))
+            hex = 1;
+        else if (!strcmp(*argv, "-generate"))
+            generate = 1;
+        else if (!strcmp(*argv, "-bits"))
+            if (--argc < 1)
+                goto bad;
+            else
+                bits = atoi(*++argv);
+        else if (!strcmp(*argv, "-safe"))
+            safe = 1;
+        else if (!strcmp(*argv, "-checks"))
+            if (--argc < 1)
+                goto bad;
+            else
+                checks = atoi(*++argv);
+        else {
+            BIO_printf(bio_err, "Unknown option '%s'\n", *argv);
+            goto bad;
+        }
+        --argc;
+        ++argv;
+    }
+
+    if (argv[0] == NULL && !generate) {
+        BIO_printf(bio_err, "No prime specified\n");
+        goto bad;
+    }
+
+    if ((bio_out = BIO_new(BIO_s_file())) != NULL) {
+        BIO_set_fp(bio_out, stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            bio_out = BIO_push(tmpbio, bio_out);
+        }
+#endif
+    }
+
+    if (generate) {
+        char *s;
+
+        if (!bits) {
+            BIO_printf(bio_err, "Specifiy the number of bits.\n");
+            return 1;
+        }
+        bn = BN_new();
+        BN_generate_prime_ex(bn, bits, safe, NULL, NULL, NULL);
+        s = hex ? BN_bn2hex(bn) : BN_bn2dec(bn);
+        BIO_printf(bio_out, "%s\n", s);
+        OPENSSL_free(s);
+    } else {
+        int r;
+
+        if (hex)
+            r = BN_hex2bn(&bn, argv[0]);
+        else
+            r = BN_dec2bn(&bn, argv[0]);
+
+        if(!r) {
+            BIO_printf(bio_err, "Failed to process value (%s)\n", argv[0]);
+            goto end;
+        }
+
+        BN_print(bio_out, bn);
+        BIO_printf(bio_out, " is %sprime\n",
+                   BN_is_prime_ex(bn, checks, NULL, NULL) ? "" : "not ");
+    }
+
+ end:
+    BN_free(bn);
+    BIO_free_all(bio_out);
+
+    return 0;
+
+ bad:
+    BIO_printf(bio_err, "options are\n");
+    BIO_printf(bio_err, "%-14s hex\n", "-hex");
+    BIO_printf(bio_err, "%-14s number of checks\n", "-checks <n>");
+    return 1;
+}
diff --git a/openssl/apps/privkey.pem b/openssl/apps/privkey.pem
new file mode 100644
index 0000000..0af4647
--- /dev/null
+++ b/openssl/apps/privkey.pem
@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,BA26229A1653B7FF
+
+6nhWG8PKhTPO/s3ZvjUa6226NlKdvPDZFsNXOOoSUs9ejxpb/aj5huhs6qRYzsz9
+Year47uaAZYhGD0vAagnNiBnYmjWEpN9G/wQxG7pgZThK1ZxDi63qn8aQ8UjuGHo
+F6RpnnBQIAnWTWqr/Qsybtc5EoNkrj/Cpx0OfbSr6gZsFBCxwX1R1hT3/mhJ45f3
+XMofY32Vdfx9/vtw1O7HmlHXQnXaqnbd9/nn1EpvFJG9+UjPoW7gV4jCOLuR4deE
+jS8hm+cpkwXmFtk3VGjT9tQXPpMv3JpYfBqgGQoMAJ5Toq0DWcHi6Wg08PsD8lgy
+vmTioPsRg+JGkJkJ8GnusgLpQdlQJbjzd7wGE6ElUFLfOxLo8bLlRHoriHNdWYhh
+JjY0LyeTkovcmWxVjImc6ZyBz5Ly4t0BYf1gq3OkjsV91Q1taBxnhiavfizqMCAf
+PPB3sLQnlXG77TOXkNxpqbZfEYrVZW2Nsqqdn8s07Uj4IMONZyq2odYKWFPMJBiM
+POYwXjMAOcmFMTHYsVlhcUJuV6LOuipw/FEbTtPH/MYMxLe4zx65dYo1rb4iLKLS
+gMtB0o/Wl4Xno3ZXh1ucicYnV2J7NpVcjVq+3SFiCRu2SrSkZHZ23EPS13Ec6fcz
+8X/YGA2vTJ8MAOozAzQUwHQYvLk7bIoQVekqDq4p0AZQbhdspHpArCk0Ifqqzg/v
+Uyky/zZiQYanzDenTSRVI/8wac3olxpU8QvbySxYqmbkgq6bTpXJfYFQfnAttEsC
+dA4S5UFgyOPZluxCAM4yaJF3Ft6neutNwftuJQMbgCUi9vYg2tGdSw==
+-----END RSA PRIVATE KEY-----
diff --git a/openssl/apps/progs.h b/openssl/apps/progs.h
new file mode 100644
index 0000000..fb498fd
--- /dev/null
+++ b/openssl/apps/progs.h
@@ -0,0 +1,366 @@
+/* apps/progs.h */
+/* automatically generated by progs.pl for openssl.c */
+
+extern int verify_main(int argc, char *argv[]);
+extern int asn1parse_main(int argc, char *argv[]);
+extern int req_main(int argc, char *argv[]);
+extern int dgst_main(int argc, char *argv[]);
+extern int dh_main(int argc, char *argv[]);
+extern int dhparam_main(int argc, char *argv[]);
+extern int enc_main(int argc, char *argv[]);
+extern int passwd_main(int argc, char *argv[]);
+extern int gendh_main(int argc, char *argv[]);
+extern int errstr_main(int argc, char *argv[]);
+extern int ca_main(int argc, char *argv[]);
+extern int crl_main(int argc, char *argv[]);
+extern int rsa_main(int argc, char *argv[]);
+extern int rsautl_main(int argc, char *argv[]);
+extern int dsa_main(int argc, char *argv[]);
+extern int dsaparam_main(int argc, char *argv[]);
+extern int ec_main(int argc, char *argv[]);
+extern int ecparam_main(int argc, char *argv[]);
+extern int x509_main(int argc, char *argv[]);
+extern int genrsa_main(int argc, char *argv[]);
+extern int gendsa_main(int argc, char *argv[]);
+extern int genpkey_main(int argc, char *argv[]);
+extern int s_server_main(int argc, char *argv[]);
+extern int s_client_main(int argc, char *argv[]);
+extern int speed_main(int argc, char *argv[]);
+extern int s_time_main(int argc, char *argv[]);
+extern int version_main(int argc, char *argv[]);
+extern int pkcs7_main(int argc, char *argv[]);
+extern int cms_main(int argc, char *argv[]);
+extern int crl2pkcs7_main(int argc, char *argv[]);
+extern int sess_id_main(int argc, char *argv[]);
+extern int ciphers_main(int argc, char *argv[]);
+extern int nseq_main(int argc, char *argv[]);
+extern int pkcs12_main(int argc, char *argv[]);
+extern int pkcs8_main(int argc, char *argv[]);
+extern int pkey_main(int argc, char *argv[]);
+extern int pkeyparam_main(int argc, char *argv[]);
+extern int pkeyutl_main(int argc, char *argv[]);
+extern int spkac_main(int argc, char *argv[]);
+extern int smime_main(int argc, char *argv[]);
+extern int rand_main(int argc, char *argv[]);
+extern int engine_main(int argc, char *argv[]);
+extern int ocsp_main(int argc, char *argv[]);
+extern int prime_main(int argc, char *argv[]);
+extern int ts_main(int argc, char *argv[]);
+extern int srp_main(int argc, char *argv[]);
+
+#define FUNC_TYPE_GENERAL       1
+#define FUNC_TYPE_MD            2
+#define FUNC_TYPE_CIPHER        3
+#define FUNC_TYPE_PKEY          4
+#define FUNC_TYPE_MD_ALG        5
+#define FUNC_TYPE_CIPHER_ALG    6
+
+typedef struct {
+    int type;
+    const char *name;
+    int (*func) (int argc, char *argv[]);
+} FUNCTION;
+DECLARE_LHASH_OF(FUNCTION);
+
+FUNCTION functions[] = {
+    {FUNC_TYPE_GENERAL, "verify", verify_main},
+    {FUNC_TYPE_GENERAL, "asn1parse", asn1parse_main},
+    {FUNC_TYPE_GENERAL, "req", req_main},
+    {FUNC_TYPE_GENERAL, "dgst", dgst_main},
+#ifndef OPENSSL_NO_DH
+    {FUNC_TYPE_GENERAL, "dh", dh_main},
+#endif
+#ifndef OPENSSL_NO_DH
+    {FUNC_TYPE_GENERAL, "dhparam", dhparam_main},
+#endif
+    {FUNC_TYPE_GENERAL, "enc", enc_main},
+    {FUNC_TYPE_GENERAL, "passwd", passwd_main},
+#ifndef OPENSSL_NO_DH
+    {FUNC_TYPE_GENERAL, "gendh", gendh_main},
+#endif
+    {FUNC_TYPE_GENERAL, "errstr", errstr_main},
+    {FUNC_TYPE_GENERAL, "ca", ca_main},
+    {FUNC_TYPE_GENERAL, "crl", crl_main},
+#ifndef OPENSSL_NO_RSA
+    {FUNC_TYPE_GENERAL, "rsa", rsa_main},
+#endif
+#ifndef OPENSSL_NO_RSA
+    {FUNC_TYPE_GENERAL, "rsautl", rsautl_main},
+#endif
+#ifndef OPENSSL_NO_DSA
+    {FUNC_TYPE_GENERAL, "dsa", dsa_main},
+#endif
+#ifndef OPENSSL_NO_DSA
+    {FUNC_TYPE_GENERAL, "dsaparam", dsaparam_main},
+#endif
+#ifndef OPENSSL_NO_EC
+    {FUNC_TYPE_GENERAL, "ec", ec_main},
+#endif
+#ifndef OPENSSL_NO_EC
+    {FUNC_TYPE_GENERAL, "ecparam", ecparam_main},
+#endif
+    {FUNC_TYPE_GENERAL, "x509", x509_main},
+#ifndef OPENSSL_NO_RSA
+    {FUNC_TYPE_GENERAL, "genrsa", genrsa_main},
+#endif
+#ifndef OPENSSL_NO_DSA
+    {FUNC_TYPE_GENERAL, "gendsa", gendsa_main},
+#endif
+    {FUNC_TYPE_GENERAL, "genpkey", genpkey_main},
+#if !defined(OPENSSL_NO_SOCK)
+    {FUNC_TYPE_GENERAL, "s_server", s_server_main},
+#endif
+#if !defined(OPENSSL_NO_SOCK)
+    {FUNC_TYPE_GENERAL, "s_client", s_client_main},
+#endif
+#ifndef OPENSSL_NO_SPEED
+    {FUNC_TYPE_GENERAL, "speed", speed_main},
+#endif
+#if !defined(OPENSSL_NO_SOCK)
+    {FUNC_TYPE_GENERAL, "s_time", s_time_main},
+#endif
+    {FUNC_TYPE_GENERAL, "version", version_main},
+    {FUNC_TYPE_GENERAL, "pkcs7", pkcs7_main},
+#ifndef OPENSSL_NO_CMS
+    {FUNC_TYPE_GENERAL, "cms", cms_main},
+#endif
+    {FUNC_TYPE_GENERAL, "crl2pkcs7", crl2pkcs7_main},
+    {FUNC_TYPE_GENERAL, "sess_id", sess_id_main},
+#if !defined(OPENSSL_NO_SOCK)
+    {FUNC_TYPE_GENERAL, "ciphers", ciphers_main},
+#endif
+    {FUNC_TYPE_GENERAL, "nseq", nseq_main},
+#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)
+    {FUNC_TYPE_GENERAL, "pkcs12", pkcs12_main},
+#endif
+    {FUNC_TYPE_GENERAL, "pkcs8", pkcs8_main},
+    {FUNC_TYPE_GENERAL, "pkey", pkey_main},
+    {FUNC_TYPE_GENERAL, "pkeyparam", pkeyparam_main},
+    {FUNC_TYPE_GENERAL, "pkeyutl", pkeyutl_main},
+    {FUNC_TYPE_GENERAL, "spkac", spkac_main},
+    {FUNC_TYPE_GENERAL, "smime", smime_main},
+    {FUNC_TYPE_GENERAL, "rand", rand_main},
+#ifndef OPENSSL_NO_ENGINE
+    {FUNC_TYPE_GENERAL, "engine", engine_main},
+#endif
+#ifndef OPENSSL_NO_OCSP
+    {FUNC_TYPE_GENERAL, "ocsp", ocsp_main},
+#endif
+    {FUNC_TYPE_GENERAL, "prime", prime_main},
+    {FUNC_TYPE_GENERAL, "ts", ts_main},
+#ifndef OPENSSL_NO_SRP
+    {FUNC_TYPE_GENERAL, "srp", srp_main},
+#endif
+#ifndef OPENSSL_NO_MD2
+    {FUNC_TYPE_MD, "md2", dgst_main},
+#endif
+#ifndef OPENSSL_NO_MD4
+    {FUNC_TYPE_MD, "md4", dgst_main},
+#endif
+#ifndef OPENSSL_NO_MD5
+    {FUNC_TYPE_MD, "md5", dgst_main},
+#endif
+#ifndef OPENSSL_NO_SHA
+    {FUNC_TYPE_MD, "sha", dgst_main},
+#endif
+#ifndef OPENSSL_NO_SHA1
+    {FUNC_TYPE_MD, "sha1", dgst_main},
+#endif
+#ifndef OPENSSL_NO_MDC2
+    {FUNC_TYPE_MD, "mdc2", dgst_main},
+#endif
+#ifndef OPENSSL_NO_RMD160
+    {FUNC_TYPE_MD, "rmd160", dgst_main},
+#endif
+#ifndef OPENSSL_NO_AES
+    {FUNC_TYPE_CIPHER, "aes-128-cbc", enc_main},
+#endif
+#ifndef OPENSSL_NO_AES
+    {FUNC_TYPE_CIPHER, "aes-128-ecb", enc_main},
+#endif
+#ifndef OPENSSL_NO_AES
+    {FUNC_TYPE_CIPHER, "aes-192-cbc", enc_main},
+#endif
+#ifndef OPENSSL_NO_AES
+    {FUNC_TYPE_CIPHER, "aes-192-ecb", enc_main},
+#endif
+#ifndef OPENSSL_NO_AES
+    {FUNC_TYPE_CIPHER, "aes-256-cbc", enc_main},
+#endif
+#ifndef OPENSSL_NO_AES
+    {FUNC_TYPE_CIPHER, "aes-256-ecb", enc_main},
+#endif
+#ifndef OPENSSL_NO_CAMELLIA
+    {FUNC_TYPE_CIPHER, "camellia-128-cbc", enc_main},
+#endif
+#ifndef OPENSSL_NO_CAMELLIA
+    {FUNC_TYPE_CIPHER, "camellia-128-ecb", enc_main},
+#endif
+#ifndef OPENSSL_NO_CAMELLIA
+    {FUNC_TYPE_CIPHER, "camellia-192-cbc", enc_main},
+#endif
+#ifndef OPENSSL_NO_CAMELLIA
+    {FUNC_TYPE_CIPHER, "camellia-192-ecb", enc_main},
+#endif
+#ifndef OPENSSL_NO_CAMELLIA
+    {FUNC_TYPE_CIPHER, "camellia-256-cbc", enc_main},
+#endif
+#ifndef OPENSSL_NO_CAMELLIA
+    {FUNC_TYPE_CIPHER, "camellia-256-ecb", enc_main},
+#endif
+    {FUNC_TYPE_CIPHER, "base64", enc_main},
+#ifdef ZLIB
+    {FUNC_TYPE_CIPHER, "zlib", enc_main},
+#endif
+#ifndef OPENSSL_NO_DES
+    {FUNC_TYPE_CIPHER, "des", enc_main},
+#endif
+#ifndef OPENSSL_NO_DES
+    {FUNC_TYPE_CIPHER, "des3", enc_main},
+#endif
+#ifndef OPENSSL_NO_DES
+    {FUNC_TYPE_CIPHER, "desx", enc_main},
+#endif
+#ifndef OPENSSL_NO_IDEA
+    {FUNC_TYPE_CIPHER, "idea", enc_main},
+#endif
+#ifndef OPENSSL_NO_SEED
+    {FUNC_TYPE_CIPHER, "seed", enc_main},
+#endif
+#ifndef OPENSSL_NO_RC4
+    {FUNC_TYPE_CIPHER, "rc4", enc_main},
+#endif
+#ifndef OPENSSL_NO_RC4
+    {FUNC_TYPE_CIPHER, "rc4-40", enc_main},
+#endif
+#ifndef OPENSSL_NO_RC2
+    {FUNC_TYPE_CIPHER, "rc2", enc_main},
+#endif
+#ifndef OPENSSL_NO_BF
+    {FUNC_TYPE_CIPHER, "bf", enc_main},
+#endif
+#ifndef OPENSSL_NO_CAST
+    {FUNC_TYPE_CIPHER, "cast", enc_main},
+#endif
+#ifndef OPENSSL_NO_RC5
+    {FUNC_TYPE_CIPHER, "rc5", enc_main},
+#endif
+#ifndef OPENSSL_NO_DES
+    {FUNC_TYPE_CIPHER, "des-ecb", enc_main},
+#endif
+#ifndef OPENSSL_NO_DES
+    {FUNC_TYPE_CIPHER, "des-ede", enc_main},
+#endif
+#ifndef OPENSSL_NO_DES
+    {FUNC_TYPE_CIPHER, "des-ede3", enc_main},
+#endif
+#ifndef OPENSSL_NO_DES
+    {FUNC_TYPE_CIPHER, "des-cbc", enc_main},
+#endif
+#ifndef OPENSSL_NO_DES
+    {FUNC_TYPE_CIPHER, "des-ede-cbc", enc_main},
+#endif
+#ifndef OPENSSL_NO_DES
+    {FUNC_TYPE_CIPHER, "des-ede3-cbc", enc_main},
+#endif
+#ifndef OPENSSL_NO_DES
+    {FUNC_TYPE_CIPHER, "des-cfb", enc_main},
+#endif
+#ifndef OPENSSL_NO_DES
+    {FUNC_TYPE_CIPHER, "des-ede-cfb", enc_main},
+#endif
+#ifndef OPENSSL_NO_DES
+    {FUNC_TYPE_CIPHER, "des-ede3-cfb", enc_main},
+#endif
+#ifndef OPENSSL_NO_DES
+    {FUNC_TYPE_CIPHER, "des-ofb", enc_main},
+#endif
+#ifndef OPENSSL_NO_DES
+    {FUNC_TYPE_CIPHER, "des-ede-ofb", enc_main},
+#endif
+#ifndef OPENSSL_NO_DES
+    {FUNC_TYPE_CIPHER, "des-ede3-ofb", enc_main},
+#endif
+#ifndef OPENSSL_NO_IDEA
+    {FUNC_TYPE_CIPHER, "idea-cbc", enc_main},
+#endif
+#ifndef OPENSSL_NO_IDEA
+    {FUNC_TYPE_CIPHER, "idea-ecb", enc_main},
+#endif
+#ifndef OPENSSL_NO_IDEA
+    {FUNC_TYPE_CIPHER, "idea-cfb", enc_main},
+#endif
+#ifndef OPENSSL_NO_IDEA
+    {FUNC_TYPE_CIPHER, "idea-ofb", enc_main},
+#endif
+#ifndef OPENSSL_NO_SEED
+    {FUNC_TYPE_CIPHER, "seed-cbc", enc_main},
+#endif
+#ifndef OPENSSL_NO_SEED
+    {FUNC_TYPE_CIPHER, "seed-ecb", enc_main},
+#endif
+#ifndef OPENSSL_NO_SEED
+    {FUNC_TYPE_CIPHER, "seed-cfb", enc_main},
+#endif
+#ifndef OPENSSL_NO_SEED
+    {FUNC_TYPE_CIPHER, "seed-ofb", enc_main},
+#endif
+#ifndef OPENSSL_NO_RC2
+    {FUNC_TYPE_CIPHER, "rc2-cbc", enc_main},
+#endif
+#ifndef OPENSSL_NO_RC2
+    {FUNC_TYPE_CIPHER, "rc2-ecb", enc_main},
+#endif
+#ifndef OPENSSL_NO_RC2
+    {FUNC_TYPE_CIPHER, "rc2-cfb", enc_main},
+#endif
+#ifndef OPENSSL_NO_RC2
+    {FUNC_TYPE_CIPHER, "rc2-ofb", enc_main},
+#endif
+#ifndef OPENSSL_NO_RC2
+    {FUNC_TYPE_CIPHER, "rc2-64-cbc", enc_main},
+#endif
+#ifndef OPENSSL_NO_RC2
+    {FUNC_TYPE_CIPHER, "rc2-40-cbc", enc_main},
+#endif
+#ifndef OPENSSL_NO_BF
+    {FUNC_TYPE_CIPHER, "bf-cbc", enc_main},
+#endif
+#ifndef OPENSSL_NO_BF
+    {FUNC_TYPE_CIPHER, "bf-ecb", enc_main},
+#endif
+#ifndef OPENSSL_NO_BF
+    {FUNC_TYPE_CIPHER, "bf-cfb", enc_main},
+#endif
+#ifndef OPENSSL_NO_BF
+    {FUNC_TYPE_CIPHER, "bf-ofb", enc_main},
+#endif
+#ifndef OPENSSL_NO_CAST
+    {FUNC_TYPE_CIPHER, "cast5-cbc", enc_main},
+#endif
+#ifndef OPENSSL_NO_CAST
+    {FUNC_TYPE_CIPHER, "cast5-ecb", enc_main},
+#endif
+#ifndef OPENSSL_NO_CAST
+    {FUNC_TYPE_CIPHER, "cast5-cfb", enc_main},
+#endif
+#ifndef OPENSSL_NO_CAST
+    {FUNC_TYPE_CIPHER, "cast5-ofb", enc_main},
+#endif
+#ifndef OPENSSL_NO_CAST
+    {FUNC_TYPE_CIPHER, "cast-cbc", enc_main},
+#endif
+#ifndef OPENSSL_NO_RC5
+    {FUNC_TYPE_CIPHER, "rc5-cbc", enc_main},
+#endif
+#ifndef OPENSSL_NO_RC5
+    {FUNC_TYPE_CIPHER, "rc5-ecb", enc_main},
+#endif
+#ifndef OPENSSL_NO_RC5
+    {FUNC_TYPE_CIPHER, "rc5-cfb", enc_main},
+#endif
+#ifndef OPENSSL_NO_RC5
+    {FUNC_TYPE_CIPHER, "rc5-ofb", enc_main},
+#endif
+    {0, NULL, NULL}
+};
diff --git a/openssl/apps/progs.pl b/openssl/apps/progs.pl
new file mode 100644
index 0000000..fa6258c
--- /dev/null
+++ b/openssl/apps/progs.pl
@@ -0,0 +1,104 @@
+#!/usr/local/bin/perl
+
+print "/* apps/progs.h */\n";
+print "/* automatically generated by progs.pl for openssl.c */\n\n";
+
+grep(s/^asn1pars$/asn1parse/,@ARGV);
+
+foreach (@ARGV)
+	{ printf "extern int %s_main(int argc,char *argv[]);\n",$_; }
+
+print <<'EOF';
+
+#define FUNC_TYPE_GENERAL	1
+#define FUNC_TYPE_MD		2
+#define FUNC_TYPE_CIPHER	3
+#define FUNC_TYPE_PKEY		4
+#define FUNC_TYPE_MD_ALG	5
+#define FUNC_TYPE_CIPHER_ALG	6
+
+typedef struct {
+	int type;
+	const char *name;
+	int (*func)(int argc,char *argv[]);
+	} FUNCTION;
+DECLARE_LHASH_OF(FUNCTION);
+
+FUNCTION functions[] = {
+EOF
+
+foreach (@ARGV)
+	{
+	push(@files,$_);
+	$str="\t{FUNC_TYPE_GENERAL,\"$_\",${_}_main},\n";
+	if (($_ =~ /^s_/) || ($_ =~ /^ciphers$/))
+		{ print "#if !defined(OPENSSL_NO_SOCK)\n${str}#endif\n"; } 
+	elsif ( ($_ =~ /^speed$/))
+		{ print "#ifndef OPENSSL_NO_SPEED\n${str}#endif\n"; }
+	elsif ( ($_ =~ /^engine$/))
+		{ print "#ifndef OPENSSL_NO_ENGINE\n${str}#endif\n"; }
+	elsif ( ($_ =~ /^rsa$/) || ($_ =~ /^genrsa$/) || ($_ =~ /^rsautl$/)) 
+		{ print "#ifndef OPENSSL_NO_RSA\n${str}#endif\n";  }
+	elsif ( ($_ =~ /^dsa$/) || ($_ =~ /^gendsa$/) || ($_ =~ /^dsaparam$/))
+		{ print "#ifndef OPENSSL_NO_DSA\n${str}#endif\n"; }
+	elsif ( ($_ =~ /^ec$/) || ($_ =~ /^ecparam$/))
+		{ print "#ifndef OPENSSL_NO_EC\n${str}#endif\n";}
+	elsif ( ($_ =~ /^dh$/) || ($_ =~ /^gendh$/) || ($_ =~ /^dhparam$/))
+		{ print "#ifndef OPENSSL_NO_DH\n${str}#endif\n"; }
+	elsif ( ($_ =~ /^pkcs12$/))
+		{ print "#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)\n${str}#endif\n"; }
+	elsif ( ($_ =~ /^cms$/))
+		{ print "#ifndef OPENSSL_NO_CMS\n${str}#endif\n"; }
+	elsif ( ($_ =~ /^ocsp$/))
+		{ print "#ifndef OPENSSL_NO_OCSP\n${str}#endif\n"; }
+	elsif ( ($_ =~ /^srp$/))
+		{ print "#ifndef OPENSSL_NO_SRP\n${str}#endif\n"; }
+	else
+		{ print $str; }
+	}
+
+foreach ("md2","md4","md5","sha","sha1","mdc2","rmd160")
+	{
+	push(@files,$_);
+	printf "#ifndef OPENSSL_NO_".uc($_)."\n\t{FUNC_TYPE_MD,\"".$_."\",dgst_main},\n#endif\n";
+	}
+
+foreach (
+	"aes-128-cbc", "aes-128-ecb",
+	"aes-192-cbc", "aes-192-ecb",
+	"aes-256-cbc", "aes-256-ecb",
+	"camellia-128-cbc", "camellia-128-ecb",
+	"camellia-192-cbc", "camellia-192-ecb",
+	"camellia-256-cbc", "camellia-256-ecb",
+	"base64", "zlib",
+	"des", "des3", "desx", "idea", "seed", "rc4", "rc4-40",
+	"rc2", "bf", "cast", "rc5",
+	"des-ecb", "des-ede",    "des-ede3",
+	"des-cbc", "des-ede-cbc","des-ede3-cbc",
+	"des-cfb", "des-ede-cfb","des-ede3-cfb",
+	"des-ofb", "des-ede-ofb","des-ede3-ofb",
+	"idea-cbc","idea-ecb",    "idea-cfb", "idea-ofb",
+	"seed-cbc","seed-ecb",    "seed-cfb", "seed-ofb",
+	"rc2-cbc", "rc2-ecb", "rc2-cfb","rc2-ofb", "rc2-64-cbc", "rc2-40-cbc",
+	"bf-cbc",  "bf-ecb",     "bf-cfb",   "bf-ofb",
+	"cast5-cbc","cast5-ecb", "cast5-cfb","cast5-ofb",
+	"cast-cbc", "rc5-cbc",   "rc5-ecb",  "rc5-cfb",  "rc5-ofb")
+	{
+	push(@files,$_);
+
+	$t=sprintf("\t{FUNC_TYPE_CIPHER,\"%s\",enc_main},\n",$_);
+	if    ($_ =~ /des/)  { $t="#ifndef OPENSSL_NO_DES\n${t}#endif\n"; }
+	elsif ($_ =~ /aes/)  { $t="#ifndef OPENSSL_NO_AES\n${t}#endif\n"; }
+	elsif ($_ =~ /camellia/)  { $t="#ifndef OPENSSL_NO_CAMELLIA\n${t}#endif\n"; }
+	elsif ($_ =~ /idea/) { $t="#ifndef OPENSSL_NO_IDEA\n${t}#endif\n"; }
+	elsif ($_ =~ /seed/) { $t="#ifndef OPENSSL_NO_SEED\n${t}#endif\n"; }
+	elsif ($_ =~ /rc4/)  { $t="#ifndef OPENSSL_NO_RC4\n${t}#endif\n"; }
+	elsif ($_ =~ /rc2/)  { $t="#ifndef OPENSSL_NO_RC2\n${t}#endif\n"; }
+	elsif ($_ =~ /bf/)   { $t="#ifndef OPENSSL_NO_BF\n${t}#endif\n"; }
+	elsif ($_ =~ /cast/) { $t="#ifndef OPENSSL_NO_CAST\n${t}#endif\n"; }
+	elsif ($_ =~ /rc5/)  { $t="#ifndef OPENSSL_NO_RC5\n${t}#endif\n"; }
+	elsif ($_ =~ /zlib/)  { $t="#ifdef ZLIB\n${t}#endif\n"; }
+	print $t;
+	}
+
+print "\t{0,NULL,NULL}\n\t};\n";
diff --git a/openssl/apps/rand.c b/openssl/apps/rand.c
new file mode 100644
index 0000000..96dcb72
--- /dev/null
+++ b/openssl/apps/rand.c
@@ -0,0 +1,227 @@
+/* apps/rand.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "apps.h"
+
+#include <ctype.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+
+#undef PROG
+#define PROG rand_main
+
+/*-
+ * -out file         - write to file
+ * -rand file:file   - PRNG seed files
+ * -base64           - base64 encode output
+ * -hex              - hex encode output
+ * num               - write 'num' bytes
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    int i, r, ret = 1;
+    int badopt;
+    char *outfile = NULL;
+    char *inrand = NULL;
+    int base64 = 0;
+    int hex = 0;
+    BIO *out = NULL;
+    int num = -1;
+    ENGINE *e = NULL;
+    char *engine = NULL;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (!load_config(bio_err, NULL))
+        goto err;
+
+    badopt = 0;
+    i = 0;
+    while (!badopt && argv[++i] != NULL) {
+        if (strcmp(argv[i], "-out") == 0) {
+            if ((argv[i + 1] != NULL) && (outfile == NULL))
+                outfile = argv[++i];
+            else
+                badopt = 1;
+        }
+#ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(argv[i], "-engine") == 0) {
+            if ((argv[i + 1] != NULL) && (engine == NULL))
+                engine = argv[++i];
+            else
+                badopt = 1;
+        }
+#endif
+        else if (strcmp(argv[i], "-rand") == 0) {
+            if ((argv[i + 1] != NULL) && (inrand == NULL))
+                inrand = argv[++i];
+            else
+                badopt = 1;
+        } else if (strcmp(argv[i], "-base64") == 0) {
+            if (!base64)
+                base64 = 1;
+            else
+                badopt = 1;
+        } else if (strcmp(argv[i], "-hex") == 0) {
+            if (!hex)
+                hex = 1;
+            else
+                badopt = 1;
+        } else if (isdigit((unsigned char)argv[i][0])) {
+            if (num < 0) {
+                r = sscanf(argv[i], "%d", &num);
+                if (r == 0 || num < 0)
+                    badopt = 1;
+            } else
+                badopt = 1;
+        } else
+            badopt = 1;
+    }
+
+    if (hex && base64)
+        badopt = 1;
+
+    if (num < 0)
+        badopt = 1;
+
+    if (badopt) {
+        BIO_printf(bio_err, "Usage: rand [options] num\n");
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err, "-out file             - write to file\n");
+#ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   "-engine e             - use engine e, possibly a hardware device.\n");
+#endif
+        BIO_printf(bio_err, "-rand file%cfile%c... - seed PRNG from files\n",
+                   LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+        BIO_printf(bio_err, "-base64               - base64 encode output\n");
+        BIO_printf(bio_err, "-hex                  - hex encode output\n");
+        goto err;
+    }
+    e = setup_engine(bio_err, engine, 0);
+
+    app_RAND_load_file(NULL, bio_err, (inrand != NULL));
+    if (inrand != NULL)
+        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
+                   app_RAND_load_files(inrand));
+
+    out = BIO_new(BIO_s_file());
+    if (out == NULL)
+        goto err;
+    if (outfile != NULL)
+        r = BIO_write_filename(out, outfile);
+    else {
+        r = BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
+#ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+#endif
+    }
+    if (r <= 0)
+        goto err;
+
+    if (base64) {
+        BIO *b64 = BIO_new(BIO_f_base64());
+        if (b64 == NULL)
+            goto err;
+        out = BIO_push(b64, out);
+    }
+
+    while (num > 0) {
+        unsigned char buf[4096];
+        int chunk;
+
+        chunk = num;
+        if (chunk > (int)sizeof(buf))
+            chunk = sizeof buf;
+        r = RAND_bytes(buf, chunk);
+        if (r <= 0)
+            goto err;
+        if (!hex)
+            BIO_write(out, buf, chunk);
+        else {
+            for (i = 0; i < chunk; i++)
+                BIO_printf(out, "%02x", buf[i]);
+        }
+        num -= chunk;
+    }
+    if (hex)
+        BIO_puts(out, "\n");
+    (void)BIO_flush(out);
+
+    app_RAND_write_file(NULL, bio_err);
+    ret = 0;
+
+ err:
+    ERR_print_errors(bio_err);
+    release_engine(e);
+    if (out)
+        BIO_free_all(out);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
diff --git a/openssl/apps/req.c b/openssl/apps/req.c
new file mode 100644
index 0000000..cdea1f6
--- /dev/null
+++ b/openssl/apps/req.c
@@ -0,0 +1,1729 @@
+/* apps/req.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/*
+ * Until the key-gen callbacks are modified to use newer prototypes, we allow
+ * deprecated functions for openssl-internal code
+ */
+#ifdef OPENSSL_NO_DEPRECATED
+# undef OPENSSL_NO_DEPRECATED
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#ifdef OPENSSL_NO_STDIO
+# define APPS_WIN16
+#endif
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/asn1.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/objects.h>
+#include <openssl/pem.h>
+#include <openssl/bn.h>
+#ifndef OPENSSL_NO_RSA
+# include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+# include <openssl/dsa.h>
+#endif
+
+#define SECTION         "req"
+
+#define BITS            "default_bits"
+#define KEYFILE         "default_keyfile"
+#define PROMPT          "prompt"
+#define DISTINGUISHED_NAME      "distinguished_name"
+#define ATTRIBUTES      "attributes"
+#define V3_EXTENSIONS   "x509_extensions"
+#define REQ_EXTENSIONS  "req_extensions"
+#define STRING_MASK     "string_mask"
+#define UTF8_IN         "utf8"
+
+#define DEFAULT_KEY_LENGTH      2048
+#define MIN_KEY_LENGTH          512
+
+#undef PROG
+#define PROG    req_main
+
+/*-
+ * -inform arg  - input format - default PEM (DER or PEM)
+ * -outform arg - output format - default PEM
+ * -in arg      - input file - default stdin
+ * -out arg     - output file - default stdout
+ * -verify      - check request signature
+ * -noout       - don't print stuff out.
+ * -text        - print out human readable text.
+ * -nodes       - no des encryption
+ * -config file - Load configuration file.
+ * -key file    - make a request using key in file (or use it for verification).
+ * -keyform arg - key file format.
+ * -rand file(s) - load the file(s) into the PRNG.
+ * -newkey      - make a key and a request.
+ * -modulus     - print RSA modulus.
+ * -pubkey      - output Public Key.
+ * -x509        - output a self signed X509 structure instead.
+ * -asn1-kludge - output new certificate request in a format that some CA's
+ *                require.  This format is wrong
+ */
+
+static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn,
+                    int attribs, unsigned long chtype);
+static int build_subject(X509_REQ *req, char *subj, unsigned long chtype,
+                         int multirdn);
+static int prompt_info(X509_REQ *req,
+                       STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect,
+                       STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect,
+                       int attribs, unsigned long chtype);
+static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
+                     STACK_OF(CONF_VALUE) *attr, int attribs,
+                     unsigned long chtype);
+static int add_attribute_object(X509_REQ *req, char *text, const char *def,
+                                char *value, int nid, int n_min, int n_max,
+                                unsigned long chtype);
+static int add_DN_object(X509_NAME *n, char *text, const char *def,
+                         char *value, int nid, int n_min, int n_max,
+                         unsigned long chtype, int mval);
+static int genpkey_cb(EVP_PKEY_CTX *ctx);
+static int req_check_len(int len, int n_min, int n_max);
+static int check_end(const char *str, const char *end);
+static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr,
+                                    int *pkey_type, long *pkeylen,
+                                    char **palgnam, ENGINE *keygen_engine);
+#ifndef MONOLITH
+static char *default_config_file = NULL;
+#endif
+static CONF *req_conf = NULL;
+static int batch = 0;
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    ENGINE *e = NULL, *gen_eng = NULL;
+    unsigned long nmflag = 0, reqflag = 0;
+    int ex = 1, x509 = 0, days = 30;
+    X509 *x509ss = NULL;
+    X509_REQ *req = NULL;
+    EVP_PKEY_CTX *genctx = NULL;
+    const char *keyalg = NULL;
+    char *keyalgstr = NULL;
+    STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL;
+    EVP_PKEY *pkey = NULL;
+    int i = 0, badops = 0, newreq = 0, verbose = 0, pkey_type = -1;
+    long newkey = -1;
+    BIO *in = NULL, *out = NULL;
+    int informat, outformat, verify = 0, noout = 0, text = 0, keyform =
+        FORMAT_PEM;
+    int nodes = 0, kludge = 0, newhdr = 0, subject = 0, pubkey = 0;
+    char *infile, *outfile, *prog, *keyfile = NULL, *template =
+        NULL, *keyout = NULL;
+    char *engine = NULL;
+    char *extensions = NULL;
+    char *req_exts = NULL;
+    const EVP_CIPHER *cipher = NULL;
+    ASN1_INTEGER *serial = NULL;
+    int modulus = 0;
+    char *inrand = NULL;
+    char *passargin = NULL, *passargout = NULL;
+    char *passin = NULL, *passout = NULL;
+    char *p;
+    char *subj = NULL;
+    int multirdn = 0;
+    const EVP_MD *md_alg = NULL, *digest = NULL;
+    unsigned long chtype = MBSTRING_ASC;
+#ifndef MONOLITH
+    char *to_free;
+    long errline;
+#endif
+
+    req_conf = NULL;
+#ifndef OPENSSL_NO_DES
+    cipher = EVP_des_ede3_cbc();
+#endif
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    infile = NULL;
+    outfile = NULL;
+    informat = FORMAT_PEM;
+    outformat = FORMAT_PEM;
+
+    prog = argv[0];
+    argc--;
+    argv++;
+    while (argc >= 1) {
+        if (strcmp(*argv, "-inform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            informat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-outform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outformat = str2fmt(*(++argv));
+        }
+#ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            engine = *(++argv);
+        } else if (strcmp(*argv, "-keygen_engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            gen_eng = ENGINE_by_id(*(++argv));
+            if (gen_eng == NULL) {
+                BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv);
+                goto end;
+            }
+        }
+#endif
+        else if (strcmp(*argv, "-key") == 0) {
+            if (--argc < 1)
+                goto bad;
+            keyfile = *(++argv);
+        } else if (strcmp(*argv, "-pubkey") == 0) {
+            pubkey = 1;
+        } else if (strcmp(*argv, "-new") == 0) {
+            newreq = 1;
+        } else if (strcmp(*argv, "-config") == 0) {
+            if (--argc < 1)
+                goto bad;
+            template = *(++argv);
+        } else if (strcmp(*argv, "-keyform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            keyform = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-in") == 0) {
+            if (--argc < 1)
+                goto bad;
+            infile = *(++argv);
+        } else if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outfile = *(++argv);
+        } else if (strcmp(*argv, "-keyout") == 0) {
+            if (--argc < 1)
+                goto bad;
+            keyout = *(++argv);
+        } else if (strcmp(*argv, "-passin") == 0) {
+            if (--argc < 1)
+                goto bad;
+            passargin = *(++argv);
+        } else if (strcmp(*argv, "-passout") == 0) {
+            if (--argc < 1)
+                goto bad;
+            passargout = *(++argv);
+        } else if (strcmp(*argv, "-rand") == 0) {
+            if (--argc < 1)
+                goto bad;
+            inrand = *(++argv);
+        } else if (strcmp(*argv, "-newkey") == 0) {
+            if (--argc < 1)
+                goto bad;
+            keyalg = *(++argv);
+            newreq = 1;
+        } else if (strcmp(*argv, "-pkeyopt") == 0) {
+            if (--argc < 1)
+                goto bad;
+            if (!pkeyopts)
+                pkeyopts = sk_OPENSSL_STRING_new_null();
+            if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, *(++argv)))
+                goto bad;
+        } else if (strcmp(*argv, "-sigopt") == 0) {
+            if (--argc < 1)
+                goto bad;
+            if (!sigopts)
+                sigopts = sk_OPENSSL_STRING_new_null();
+            if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
+                goto bad;
+        } else if (strcmp(*argv, "-batch") == 0)
+            batch = 1;
+        else if (strcmp(*argv, "-newhdr") == 0)
+            newhdr = 1;
+        else if (strcmp(*argv, "-modulus") == 0)
+            modulus = 1;
+        else if (strcmp(*argv, "-verify") == 0)
+            verify = 1;
+        else if (strcmp(*argv, "-nodes") == 0)
+            nodes = 1;
+        else if (strcmp(*argv, "-noout") == 0)
+            noout = 1;
+        else if (strcmp(*argv, "-verbose") == 0)
+            verbose = 1;
+        else if (strcmp(*argv, "-utf8") == 0)
+            chtype = MBSTRING_UTF8;
+        else if (strcmp(*argv, "-nameopt") == 0) {
+            if (--argc < 1)
+                goto bad;
+            if (!set_name_ex(&nmflag, *(++argv)))
+                goto bad;
+        } else if (strcmp(*argv, "-reqopt") == 0) {
+            if (--argc < 1)
+                goto bad;
+            if (!set_cert_ex(&reqflag, *(++argv)))
+                goto bad;
+        } else if (strcmp(*argv, "-subject") == 0)
+            subject = 1;
+        else if (strcmp(*argv, "-text") == 0)
+            text = 1;
+        else if (strcmp(*argv, "-x509") == 0) {
+            newreq = 1;
+            x509 = 1;
+        } else if (strcmp(*argv, "-asn1-kludge") == 0)
+            kludge = 1;
+        else if (strcmp(*argv, "-no-asn1-kludge") == 0)
+            kludge = 0;
+        else if (strcmp(*argv, "-subj") == 0) {
+            if (--argc < 1)
+                goto bad;
+            subj = *(++argv);
+        } else if (strcmp(*argv, "-multivalue-rdn") == 0)
+            multirdn = 1;
+        else if (strcmp(*argv, "-days") == 0) {
+            if (--argc < 1)
+                goto bad;
+            days = atoi(*(++argv));
+            if (days == 0)
+                days = 30;
+        } else if (strcmp(*argv, "-set_serial") == 0) {
+            if (--argc < 1)
+                goto bad;
+            serial = s2i_ASN1_INTEGER(NULL, *(++argv));
+            if (!serial)
+                goto bad;
+        } else if (strcmp(*argv, "-extensions") == 0) {
+            if (--argc < 1)
+                goto bad;
+            extensions = *(++argv);
+        } else if (strcmp(*argv, "-reqexts") == 0) {
+            if (--argc < 1)
+                goto bad;
+            req_exts = *(++argv);
+        } else if ((md_alg = EVP_get_digestbyname(&((*argv)[1]))) != NULL) {
+            /* ok */
+            digest = md_alg;
+        } else {
+            BIO_printf(bio_err, "unknown option %s\n", *argv);
+            badops = 1;
+            break;
+        }
+        argc--;
+        argv++;
+    }
+
+    if (badops) {
+ bad:
+        BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
+        BIO_printf(bio_err, "where options  are\n");
+        BIO_printf(bio_err, " -inform arg    input format - DER or PEM\n");
+        BIO_printf(bio_err, " -outform arg   output format - DER or PEM\n");
+        BIO_printf(bio_err, " -in arg        input file\n");
+        BIO_printf(bio_err, " -out arg       output file\n");
+        BIO_printf(bio_err, " -text          text form of request\n");
+        BIO_printf(bio_err, " -pubkey        output public key\n");
+        BIO_printf(bio_err, " -noout         do not output REQ\n");
+        BIO_printf(bio_err, " -verify        verify signature on REQ\n");
+        BIO_printf(bio_err, " -modulus       RSA modulus\n");
+        BIO_printf(bio_err, " -nodes         don't encrypt the output key\n");
+#ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   " -engine e      use engine e, possibly a hardware device\n");
+#endif
+        BIO_printf(bio_err, " -subject       output the request's subject\n");
+        BIO_printf(bio_err, " -passin        private key password source\n");
+        BIO_printf(bio_err,
+                   " -key file      use the private key contained in file\n");
+        BIO_printf(bio_err, " -keyform arg   key file format\n");
+        BIO_printf(bio_err, " -keyout arg    file to send the key to\n");
+        BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
+                   LIST_SEPARATOR_CHAR);
+        BIO_printf(bio_err,
+                   "                load the file (or the files in the directory) into\n");
+        BIO_printf(bio_err, "                the random number generator\n");
+        BIO_printf(bio_err,
+                   " -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
+        BIO_printf(bio_err,
+                   " -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");
+#ifndef OPENSSL_NO_ECDSA
+        BIO_printf(bio_err,
+                   " -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n");
+#endif
+        BIO_printf(bio_err,
+                   " -[digest]      Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
+        BIO_printf(bio_err, " -config file   request template file.\n");
+        BIO_printf(bio_err,
+                   " -subj arg      set or modify request subject\n");
+        BIO_printf(bio_err,
+                   " -multivalue-rdn enable support for multivalued RDNs\n");
+        BIO_printf(bio_err, " -new           new request.\n");
+        BIO_printf(bio_err,
+                   " -batch         do not ask anything during request generation\n");
+        BIO_printf(bio_err,
+                   " -x509          output a x509 structure instead of a cert. req.\n");
+        BIO_printf(bio_err,
+                   " -days          number of days a certificate generated by -x509 is valid for.\n");
+        BIO_printf(bio_err,
+                   " -set_serial    serial number to use for a certificate generated by -x509.\n");
+        BIO_printf(bio_err,
+                   " -newhdr        output \"NEW\" in the header lines\n");
+        BIO_printf(bio_err,
+                   " -asn1-kludge   Output the 'request' in a format that is wrong but some CA's\n");
+        BIO_printf(bio_err,
+                   "                have been reported as requiring\n");
+        BIO_printf(bio_err,
+                   " -extensions .. specify certificate extension section (override value in config file)\n");
+        BIO_printf(bio_err,
+                   " -reqexts ..    specify request extension section (override value in config file)\n");
+        BIO_printf(bio_err,
+                   " -utf8          input characters are UTF8 (default ASCII)\n");
+        BIO_printf(bio_err,
+                   " -nameopt arg    - various certificate name options\n");
+        BIO_printf(bio_err,
+                   " -reqopt arg    - various request text options\n\n");
+        goto end;
+    }
+
+    ERR_load_crypto_strings();
+    if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+        BIO_printf(bio_err, "Error getting passwords\n");
+        goto end;
+    }
+#ifndef MONOLITH                /* else this has happened in openssl.c
+                                 * (global `config') */
+    /* Lets load up our environment a little */
+    p = getenv("OPENSSL_CONF");
+    if (p == NULL)
+        p = getenv("SSLEAY_CONF");
+    if (p == NULL)
+        p = to_free = make_config_name();
+    default_config_file = p;
+    config = NCONF_new(NULL);
+    i = NCONF_load(config, p, &errline);
+#endif
+
+    if (template != NULL) {
+        long errline = -1;
+
+        if (verbose)
+            BIO_printf(bio_err, "Using configuration from %s\n", template);
+        req_conf = NCONF_new(NULL);
+        i = NCONF_load(req_conf, template, &errline);
+        if (i == 0) {
+            BIO_printf(bio_err, "error on line %ld of %s\n", errline,
+                       template);
+            goto end;
+        }
+    } else {
+        req_conf = config;
+
+        if (req_conf == NULL) {
+            BIO_printf(bio_err, "Unable to load config info from %s\n",
+                       default_config_file);
+            if (newreq)
+                goto end;
+        } else if (verbose)
+            BIO_printf(bio_err, "Using configuration from %s\n",
+                       default_config_file);
+    }
+
+    if (req_conf != NULL) {
+        if (!load_config(bio_err, req_conf))
+            goto end;
+        p = NCONF_get_string(req_conf, NULL, "oid_file");
+        if (p == NULL)
+            ERR_clear_error();
+        if (p != NULL) {
+            BIO *oid_bio;
+
+            oid_bio = BIO_new_file(p, "r");
+            if (oid_bio == NULL) {
+                /*-
+                BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
+                ERR_print_errors(bio_err);
+                */
+            } else {
+                OBJ_create_objects(oid_bio);
+                BIO_free(oid_bio);
+            }
+        }
+    }
+    if (!add_oid_section(bio_err, req_conf))
+        goto end;
+
+    if (md_alg == NULL) {
+        p = NCONF_get_string(req_conf, SECTION, "default_md");
+        if (p == NULL)
+            ERR_clear_error();
+        if (p != NULL) {
+            if ((md_alg = EVP_get_digestbyname(p)) != NULL)
+                digest = md_alg;
+        }
+    }
+
+    if (!extensions) {
+        extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
+        if (!extensions)
+            ERR_clear_error();
+    }
+    if (extensions) {
+        /* Check syntax of file */
+        X509V3_CTX ctx;
+        X509V3_set_ctx_test(&ctx);
+        X509V3_set_nconf(&ctx, req_conf);
+        if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) {
+            BIO_printf(bio_err,
+                       "Error Loading extension section %s\n", extensions);
+            goto end;
+        }
+    }
+
+    if (!passin) {
+        passin = NCONF_get_string(req_conf, SECTION, "input_password");
+        if (!passin)
+            ERR_clear_error();
+    }
+
+    if (!passout) {
+        passout = NCONF_get_string(req_conf, SECTION, "output_password");
+        if (!passout)
+            ERR_clear_error();
+    }
+
+    p = NCONF_get_string(req_conf, SECTION, STRING_MASK);
+    if (!p)
+        ERR_clear_error();
+
+    if (p && !ASN1_STRING_set_default_mask_asc(p)) {
+        BIO_printf(bio_err, "Invalid global string mask setting %s\n", p);
+        goto end;
+    }
+
+    if (chtype != MBSTRING_UTF8) {
+        p = NCONF_get_string(req_conf, SECTION, UTF8_IN);
+        if (!p)
+            ERR_clear_error();
+        else if (!strcmp(p, "yes"))
+            chtype = MBSTRING_UTF8;
+    }
+
+    if (!req_exts) {
+        req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS);
+        if (!req_exts)
+            ERR_clear_error();
+    }
+    if (req_exts) {
+        /* Check syntax of file */
+        X509V3_CTX ctx;
+        X509V3_set_ctx_test(&ctx);
+        X509V3_set_nconf(&ctx, req_conf);
+        if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) {
+            BIO_printf(bio_err,
+                       "Error Loading request extension section %s\n",
+                       req_exts);
+            goto end;
+        }
+    }
+
+    in = BIO_new(BIO_s_file());
+    out = BIO_new(BIO_s_file());
+    if ((in == NULL) || (out == NULL))
+        goto end;
+
+    e = setup_engine(bio_err, engine, 0);
+
+    if (keyfile != NULL) {
+        pkey = load_key(bio_err, keyfile, keyform, 0, passin, e,
+                        "Private Key");
+        if (!pkey) {
+            /*
+             * load_key() has already printed an appropriate message
+             */
+            goto end;
+        } else {
+            char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE");
+            if (randfile == NULL)
+                ERR_clear_error();
+            app_RAND_load_file(randfile, bio_err, 0);
+        }
+    }
+
+    if (newreq && (pkey == NULL)) {
+        char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE");
+        if (randfile == NULL)
+            ERR_clear_error();
+        app_RAND_load_file(randfile, bio_err, 0);
+        if (inrand)
+            app_RAND_load_files(inrand);
+
+        if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) {
+            newkey = DEFAULT_KEY_LENGTH;
+        }
+
+        if (keyalg) {
+            genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey,
+                                    &keyalgstr, gen_eng);
+            if (!genctx)
+                goto end;
+        }
+
+        if (newkey < MIN_KEY_LENGTH
+            && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) {
+            BIO_printf(bio_err, "private key length is too short,\n");
+            BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n",
+                       MIN_KEY_LENGTH, newkey);
+            goto end;
+        }
+
+        if (!genctx) {
+            genctx = set_keygen_ctx(bio_err, NULL, &pkey_type, &newkey,
+                                    &keyalgstr, gen_eng);
+            if (!genctx)
+                goto end;
+        }
+
+        if (pkeyopts) {
+            char *genopt;
+            for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) {
+                genopt = sk_OPENSSL_STRING_value(pkeyopts, i);
+                if (pkey_ctrl_string(genctx, genopt) <= 0) {
+                    BIO_printf(bio_err, "parameter error \"%s\"\n", genopt);
+                    ERR_print_errors(bio_err);
+                    goto end;
+                }
+            }
+        }
+
+        BIO_printf(bio_err, "Generating a %ld bit %s private key\n",
+                   newkey, keyalgstr);
+
+        EVP_PKEY_CTX_set_cb(genctx, genpkey_cb);
+        EVP_PKEY_CTX_set_app_data(genctx, bio_err);
+
+        if (EVP_PKEY_keygen(genctx, &pkey) <= 0) {
+            BIO_puts(bio_err, "Error Generating Key\n");
+            goto end;
+        }
+
+        EVP_PKEY_CTX_free(genctx);
+        genctx = NULL;
+
+        app_RAND_write_file(randfile, bio_err);
+
+        if (keyout == NULL) {
+            keyout = NCONF_get_string(req_conf, SECTION, KEYFILE);
+            if (keyout == NULL)
+                ERR_clear_error();
+        }
+
+        if (keyout == NULL) {
+            BIO_printf(bio_err, "writing new private key to stdout\n");
+            BIO_set_fp(out, stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+            {
+                BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+                out = BIO_push(tmpbio, out);
+            }
+#endif
+        } else {
+            BIO_printf(bio_err, "writing new private key to '%s'\n", keyout);
+            if (BIO_write_filename(out, keyout) <= 0) {
+                perror(keyout);
+                goto end;
+            }
+        }
+
+        p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key");
+        if (p == NULL) {
+            ERR_clear_error();
+            p = NCONF_get_string(req_conf, SECTION, "encrypt_key");
+            if (p == NULL)
+                ERR_clear_error();
+        }
+        if ((p != NULL) && (strcmp(p, "no") == 0))
+            cipher = NULL;
+        if (nodes)
+            cipher = NULL;
+
+        i = 0;
+ loop:
+        if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
+                                      NULL, 0, NULL, passout)) {
+            if ((ERR_GET_REASON(ERR_peek_error()) ==
+                 PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) {
+                ERR_clear_error();
+                i++;
+                goto loop;
+            }
+            goto end;
+        }
+        BIO_printf(bio_err, "-----\n");
+    }
+
+    if (!newreq) {
+        /*
+         * Since we are using a pre-existing certificate request, the kludge
+         * 'format' info should not be changed.
+         */
+        kludge = -1;
+        if (infile == NULL)
+            BIO_set_fp(in, stdin, BIO_NOCLOSE);
+        else {
+            if (BIO_read_filename(in, infile) <= 0) {
+                perror(infile);
+                goto end;
+            }
+        }
+
+        if (informat == FORMAT_ASN1)
+            req = d2i_X509_REQ_bio(in, NULL);
+        else if (informat == FORMAT_PEM)
+            req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
+        else {
+            BIO_printf(bio_err,
+                       "bad input format specified for X509 request\n");
+            goto end;
+        }
+        if (req == NULL) {
+            BIO_printf(bio_err, "unable to load X509 request\n");
+            goto end;
+        }
+    }
+
+    if (newreq) {
+        if (pkey == NULL) {
+            BIO_printf(bio_err, "you need to specify a private key\n");
+            goto end;
+        }
+
+        if (req == NULL) {
+            req = X509_REQ_new();
+            if (req == NULL) {
+                goto end;
+            }
+
+            i = make_REQ(req, pkey, subj, multirdn, !x509, chtype);
+            subj = NULL;        /* done processing '-subj' option */
+            if ((kludge > 0)
+                && !sk_X509_ATTRIBUTE_num(req->req_info->attributes)) {
+                sk_X509_ATTRIBUTE_free(req->req_info->attributes);
+                req->req_info->attributes = NULL;
+            }
+            if (!i) {
+                BIO_printf(bio_err, "problems making Certificate Request\n");
+                goto end;
+            }
+        }
+        if (x509) {
+            EVP_PKEY *tmppkey;
+            X509V3_CTX ext_ctx;
+            if ((x509ss = X509_new()) == NULL)
+                goto end;
+
+            /* Set version to V3 */
+            if (extensions && !X509_set_version(x509ss, 2))
+                goto end;
+            if (serial) {
+                if (!X509_set_serialNumber(x509ss, serial))
+                    goto end;
+            } else {
+                if (!rand_serial(NULL, X509_get_serialNumber(x509ss)))
+                    goto end;
+            }
+
+            if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req)))
+                goto end;
+            if (!X509_gmtime_adj(X509_get_notBefore(x509ss), 0))
+                goto end;
+            if (!X509_time_adj_ex(X509_get_notAfter(x509ss), days, 0, NULL))
+                goto end;
+            if (!X509_set_subject_name
+                (x509ss, X509_REQ_get_subject_name(req)))
+                goto end;
+            tmppkey = X509_REQ_get_pubkey(req);
+            if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey))
+                goto end;
+            EVP_PKEY_free(tmppkey);
+
+            /* Set up V3 context struct */
+
+            X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0);
+            X509V3_set_nconf(&ext_ctx, req_conf);
+
+            /* Add extensions */
+            if (extensions && !X509V3_EXT_add_nconf(req_conf,
+                                                    &ext_ctx, extensions,
+                                                    x509ss)) {
+                BIO_printf(bio_err, "Error Loading extension section %s\n",
+                           extensions);
+                goto end;
+            }
+
+            i = do_X509_sign(bio_err, x509ss, pkey, digest, sigopts);
+            if (!i) {
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+        } else {
+            X509V3_CTX ext_ctx;
+
+            /* Set up V3 context struct */
+
+            X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
+            X509V3_set_nconf(&ext_ctx, req_conf);
+
+            /* Add extensions */
+            if (req_exts && !X509V3_EXT_REQ_add_nconf(req_conf,
+                                                      &ext_ctx, req_exts,
+                                                      req)) {
+                BIO_printf(bio_err, "Error Loading extension section %s\n",
+                           req_exts);
+                goto end;
+            }
+            i = do_X509_REQ_sign(bio_err, req, pkey, digest, sigopts);
+            if (!i) {
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+        }
+    }
+
+    if (subj && x509) {
+        BIO_printf(bio_err, "Cannot modifiy certificate subject\n");
+        goto end;
+    }
+
+    if (subj && !x509) {
+        if (verbose) {
+            BIO_printf(bio_err, "Modifying Request's Subject\n");
+            print_name(bio_err, "old subject=",
+                       X509_REQ_get_subject_name(req), nmflag);
+        }
+
+        if (build_subject(req, subj, chtype, multirdn) == 0) {
+            BIO_printf(bio_err, "ERROR: cannot modify subject\n");
+            ex = 1;
+            goto end;
+        }
+
+        req->req_info->enc.modified = 1;
+
+        if (verbose) {
+            print_name(bio_err, "new subject=",
+                       X509_REQ_get_subject_name(req), nmflag);
+        }
+    }
+
+    if (verify && !x509) {
+        int tmp = 0;
+
+        if (pkey == NULL) {
+            pkey = X509_REQ_get_pubkey(req);
+            tmp = 1;
+            if (pkey == NULL)
+                goto end;
+        }
+
+        i = X509_REQ_verify(req, pkey);
+        if (tmp) {
+            EVP_PKEY_free(pkey);
+            pkey = NULL;
+        }
+
+        if (i < 0) {
+            goto end;
+        } else if (i == 0) {
+            BIO_printf(bio_err, "verify failure\n");
+            ERR_print_errors(bio_err);
+        } else                  /* if (i > 0) */
+            BIO_printf(bio_err, "verify OK\n");
+    }
+
+    if (noout && !text && !modulus && !subject && !pubkey) {
+        ex = 0;
+        goto end;
+    }
+
+    if (outfile == NULL) {
+        BIO_set_fp(out, stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+#endif
+    } else {
+        if ((keyout != NULL) && (strcmp(outfile, keyout) == 0))
+            i = (int)BIO_append_filename(out, outfile);
+        else
+            i = (int)BIO_write_filename(out, outfile);
+        if (!i) {
+            perror(outfile);
+            goto end;
+        }
+    }
+
+    if (pubkey) {
+        EVP_PKEY *tpubkey;
+        tpubkey = X509_REQ_get_pubkey(req);
+        if (tpubkey == NULL) {
+            BIO_printf(bio_err, "Error getting public key\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        PEM_write_bio_PUBKEY(out, tpubkey);
+        EVP_PKEY_free(tpubkey);
+    }
+
+    if (text) {
+        if (x509)
+            X509_print_ex(out, x509ss, nmflag, reqflag);
+        else
+            X509_REQ_print_ex(out, req, nmflag, reqflag);
+    }
+
+    if (subject) {
+        if (x509)
+            print_name(out, "subject=", X509_get_subject_name(x509ss),
+                       nmflag);
+        else
+            print_name(out, "subject=", X509_REQ_get_subject_name(req),
+                       nmflag);
+    }
+
+    if (modulus) {
+        EVP_PKEY *tpubkey;
+
+        if (x509)
+            tpubkey = X509_get_pubkey(x509ss);
+        else
+            tpubkey = X509_REQ_get_pubkey(req);
+        if (tpubkey == NULL) {
+            fprintf(stdout, "Modulus=unavailable\n");
+            goto end;
+        }
+        fprintf(stdout, "Modulus=");
+#ifndef OPENSSL_NO_RSA
+        if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA)
+            BN_print(out, tpubkey->pkey.rsa->n);
+        else
+#endif
+            fprintf(stdout, "Wrong Algorithm type");
+        EVP_PKEY_free(tpubkey);
+        fprintf(stdout, "\n");
+    }
+
+    if (!noout && !x509) {
+        if (outformat == FORMAT_ASN1)
+            i = i2d_X509_REQ_bio(out, req);
+        else if (outformat == FORMAT_PEM) {
+            if (newhdr)
+                i = PEM_write_bio_X509_REQ_NEW(out, req);
+            else
+                i = PEM_write_bio_X509_REQ(out, req);
+        } else {
+            BIO_printf(bio_err, "bad output format specified for outfile\n");
+            goto end;
+        }
+        if (!i) {
+            BIO_printf(bio_err, "unable to write X509 request\n");
+            goto end;
+        }
+    }
+    if (!noout && x509 && (x509ss != NULL)) {
+        if (outformat == FORMAT_ASN1)
+            i = i2d_X509_bio(out, x509ss);
+        else if (outformat == FORMAT_PEM)
+            i = PEM_write_bio_X509(out, x509ss);
+        else {
+            BIO_printf(bio_err, "bad output format specified for outfile\n");
+            goto end;
+        }
+        if (!i) {
+            BIO_printf(bio_err, "unable to write X509 certificate\n");
+            goto end;
+        }
+    }
+    ex = 0;
+ end:
+#ifndef MONOLITH
+    if (to_free)
+        OPENSSL_free(to_free);
+#endif
+    if (ex) {
+        ERR_print_errors(bio_err);
+    }
+    if ((req_conf != NULL) && (req_conf != config))
+        NCONF_free(req_conf);
+    BIO_free(in);
+    BIO_free_all(out);
+    EVP_PKEY_free(pkey);
+    if (genctx)
+        EVP_PKEY_CTX_free(genctx);
+    if (pkeyopts)
+        sk_OPENSSL_STRING_free(pkeyopts);
+    if (sigopts)
+        sk_OPENSSL_STRING_free(sigopts);
+#ifndef OPENSSL_NO_ENGINE
+    if (gen_eng)
+        ENGINE_free(gen_eng);
+#endif
+    if (keyalgstr)
+        OPENSSL_free(keyalgstr);
+    X509_REQ_free(req);
+    X509_free(x509ss);
+    ASN1_INTEGER_free(serial);
+    release_engine(e);
+    if (passargin && passin)
+        OPENSSL_free(passin);
+    if (passargout && passout)
+        OPENSSL_free(passout);
+    OBJ_cleanup();
+    apps_shutdown();
+    OPENSSL_EXIT(ex);
+}
+
+static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
+                    int attribs, unsigned long chtype)
+{
+    int ret = 0, i;
+    char no_prompt = 0;
+    STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL;
+    char *tmp, *dn_sect, *attr_sect;
+
+    tmp = NCONF_get_string(req_conf, SECTION, PROMPT);
+    if (tmp == NULL)
+        ERR_clear_error();
+    if ((tmp != NULL) && !strcmp(tmp, "no"))
+        no_prompt = 1;
+
+    dn_sect = NCONF_get_string(req_conf, SECTION, DISTINGUISHED_NAME);
+    if (dn_sect == NULL) {
+        BIO_printf(bio_err, "unable to find '%s' in config\n",
+                   DISTINGUISHED_NAME);
+        goto err;
+    }
+    dn_sk = NCONF_get_section(req_conf, dn_sect);
+    if (dn_sk == NULL) {
+        BIO_printf(bio_err, "unable to get '%s' section\n", dn_sect);
+        goto err;
+    }
+
+    attr_sect = NCONF_get_string(req_conf, SECTION, ATTRIBUTES);
+    if (attr_sect == NULL) {
+        ERR_clear_error();
+        attr_sk = NULL;
+    } else {
+        attr_sk = NCONF_get_section(req_conf, attr_sect);
+        if (attr_sk == NULL) {
+            BIO_printf(bio_err, "unable to get '%s' section\n", attr_sect);
+            goto err;
+        }
+    }
+
+    /* setup version number */
+    if (!X509_REQ_set_version(req, 0L))
+        goto err;               /* version 1 */
+
+    if (no_prompt)
+        i = auto_info(req, dn_sk, attr_sk, attribs, chtype);
+    else {
+        if (subj)
+            i = build_subject(req, subj, chtype, multirdn);
+        else
+            i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs,
+                            chtype);
+    }
+    if (!i)
+        goto err;
+
+    if (!X509_REQ_set_pubkey(req, pkey))
+        goto err;
+
+    ret = 1;
+ err:
+    return (ret);
+}
+
+/*
+ * subject is expected to be in the format /type0=value0/type1=value1/type2=...
+ * where characters may be escaped by \
+ */
+static int build_subject(X509_REQ *req, char *subject, unsigned long chtype,
+                         int multirdn)
+{
+    X509_NAME *n;
+
+    if (!(n = parse_name(subject, chtype, multirdn)))
+        return 0;
+
+    if (!X509_REQ_set_subject_name(req, n)) {
+        X509_NAME_free(n);
+        return 0;
+    }
+    X509_NAME_free(n);
+    return 1;
+}
+
+static int prompt_info(X509_REQ *req,
+                       STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect,
+                       STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect,
+                       int attribs, unsigned long chtype)
+{
+    int i;
+    char *p, *q;
+    char buf[100];
+    int nid, mval;
+    long n_min, n_max;
+    char *type, *value;
+    const char *def;
+    CONF_VALUE *v;
+    X509_NAME *subj;
+    subj = X509_REQ_get_subject_name(req);
+
+    if (!batch) {
+        BIO_printf(bio_err,
+                   "You are about to be asked to enter information that will be incorporated\n");
+        BIO_printf(bio_err, "into your certificate request.\n");
+        BIO_printf(bio_err,
+                   "What you are about to enter is what is called a Distinguished Name or a DN.\n");
+        BIO_printf(bio_err,
+                   "There are quite a few fields but you can leave some blank\n");
+        BIO_printf(bio_err,
+                   "For some fields there will be a default value,\n");
+        BIO_printf(bio_err,
+                   "If you enter '.', the field will be left blank.\n");
+        BIO_printf(bio_err, "-----\n");
+    }
+
+    if (sk_CONF_VALUE_num(dn_sk)) {
+        i = -1;
+ start:for (;;) {
+            i++;
+            if (sk_CONF_VALUE_num(dn_sk) <= i)
+                break;
+
+            v = sk_CONF_VALUE_value(dn_sk, i);
+            p = q = NULL;
+            type = v->name;
+            if (!check_end(type, "_min") || !check_end(type, "_max") ||
+                !check_end(type, "_default") || !check_end(type, "_value"))
+                continue;
+            /*
+             * Skip past any leading X. X: X, etc to allow for multiple
+             * instances
+             */
+            for (p = v->name; *p; p++)
+                if ((*p == ':') || (*p == ',') || (*p == '.')) {
+                    p++;
+                    if (*p)
+                        type = p;
+                    break;
+                }
+            if (*type == '+') {
+                mval = -1;
+                type++;
+            } else
+                mval = 0;
+            /* If OBJ not recognised ignore it */
+            if ((nid = OBJ_txt2nid(type)) == NID_undef)
+                goto start;
+            if (BIO_snprintf(buf, sizeof buf, "%s_default", v->name)
+                >= (int)sizeof(buf)) {
+                BIO_printf(bio_err, "Name '%s' too long\n", v->name);
+                return 0;
+            }
+
+            if ((def = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
+                ERR_clear_error();
+                def = "";
+            }
+
+            BIO_snprintf(buf, sizeof buf, "%s_value", v->name);
+            if ((value = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
+                ERR_clear_error();
+                value = NULL;
+            }
+
+            BIO_snprintf(buf, sizeof buf, "%s_min", v->name);
+            if (!NCONF_get_number(req_conf, dn_sect, buf, &n_min)) {
+                ERR_clear_error();
+                n_min = -1;
+            }
+
+            BIO_snprintf(buf, sizeof buf, "%s_max", v->name);
+            if (!NCONF_get_number(req_conf, dn_sect, buf, &n_max)) {
+                ERR_clear_error();
+                n_max = -1;
+            }
+
+            if (!add_DN_object(subj, v->value, def, value, nid,
+                               n_min, n_max, chtype, mval))
+                return 0;
+        }
+        if (X509_NAME_entry_count(subj) == 0) {
+            BIO_printf(bio_err,
+                       "error, no objects specified in config file\n");
+            return 0;
+        }
+
+        if (attribs) {
+            if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0)
+                && (!batch)) {
+                BIO_printf(bio_err,
+                           "\nPlease enter the following 'extra' attributes\n");
+                BIO_printf(bio_err,
+                           "to be sent with your certificate request\n");
+            }
+
+            i = -1;
+ start2:   for (;;) {
+                i++;
+                if ((attr_sk == NULL) || (sk_CONF_VALUE_num(attr_sk) <= i))
+                    break;
+
+                v = sk_CONF_VALUE_value(attr_sk, i);
+                type = v->name;
+                if ((nid = OBJ_txt2nid(type)) == NID_undef)
+                    goto start2;
+
+                if (BIO_snprintf(buf, sizeof buf, "%s_default", type)
+                    >= (int)sizeof(buf)) {
+                    BIO_printf(bio_err, "Name '%s' too long\n", v->name);
+                    return 0;
+                }
+
+                if ((def = NCONF_get_string(req_conf, attr_sect, buf))
+                    == NULL) {
+                    ERR_clear_error();
+                    def = "";
+                }
+
+                BIO_snprintf(buf, sizeof buf, "%s_value", type);
+                if ((value = NCONF_get_string(req_conf, attr_sect, buf))
+                    == NULL) {
+                    ERR_clear_error();
+                    value = NULL;
+                }
+
+                BIO_snprintf(buf, sizeof buf, "%s_min", type);
+                if (!NCONF_get_number(req_conf, attr_sect, buf, &n_min)) {
+                    ERR_clear_error();
+                    n_min = -1;
+                }
+
+                BIO_snprintf(buf, sizeof buf, "%s_max", type);
+                if (!NCONF_get_number(req_conf, attr_sect, buf, &n_max)) {
+                    ERR_clear_error();
+                    n_max = -1;
+                }
+
+                if (!add_attribute_object(req,
+                                          v->value, def, value, nid, n_min,
+                                          n_max, chtype))
+                    return 0;
+            }
+        }
+    } else {
+        BIO_printf(bio_err, "No template, please set one up.\n");
+        return 0;
+    }
+
+    return 1;
+
+}
+
+static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
+                     STACK_OF(CONF_VALUE) *attr_sk, int attribs,
+                     unsigned long chtype)
+{
+    int i;
+    char *p, *q;
+    char *type;
+    CONF_VALUE *v;
+    X509_NAME *subj;
+
+    subj = X509_REQ_get_subject_name(req);
+
+    for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
+        int mval;
+        v = sk_CONF_VALUE_value(dn_sk, i);
+        p = q = NULL;
+        type = v->name;
+        /*
+         * Skip past any leading X. X: X, etc to allow for multiple instances
+         */
+        for (p = v->name; *p; p++)
+#ifndef CHARSET_EBCDIC
+            if ((*p == ':') || (*p == ',') || (*p == '.')) {
+#else
+            if ((*p == os_toascii[':']) || (*p == os_toascii[','])
+                || (*p == os_toascii['.'])) {
+#endif
+                p++;
+                if (*p)
+                    type = p;
+                break;
+            }
+#ifndef CHARSET_EBCDIC
+        if (*type == '+') {
+#else
+        if (*type == os_toascii['+']) {
+#endif
+            type++;
+            mval = -1;
+        } else
+            mval = 0;
+        if (!X509_NAME_add_entry_by_txt(subj, type, chtype,
+                                        (unsigned char *)v->value, -1, -1,
+                                        mval))
+            return 0;
+
+    }
+
+    if (!X509_NAME_entry_count(subj)) {
+        BIO_printf(bio_err, "error, no objects specified in config file\n");
+        return 0;
+    }
+    if (attribs) {
+        for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {
+            v = sk_CONF_VALUE_value(attr_sk, i);
+            if (!X509_REQ_add1_attr_by_txt(req, v->name, chtype,
+                                           (unsigned char *)v->value, -1))
+                return 0;
+        }
+    }
+    return 1;
+}
+
+static int add_DN_object(X509_NAME *n, char *text, const char *def,
+                         char *value, int nid, int n_min, int n_max,
+                         unsigned long chtype, int mval)
+{
+    int i, ret = 0;
+    MS_STATIC char buf[1024];
+ start:
+    if (!batch)
+        BIO_printf(bio_err, "%s [%s]:", text, def);
+    (void)BIO_flush(bio_err);
+    if (value != NULL) {
+        BUF_strlcpy(buf, value, sizeof buf);
+        BUF_strlcat(buf, "\n", sizeof buf);
+        BIO_printf(bio_err, "%s\n", value);
+    } else {
+        buf[0] = '\0';
+        if (!batch) {
+            if (!fgets(buf, sizeof buf, stdin))
+                return 0;
+        } else {
+            buf[0] = '\n';
+            buf[1] = '\0';
+        }
+    }
+
+    if (buf[0] == '\0')
+        return (0);
+    else if (buf[0] == '\n') {
+        if ((def == NULL) || (def[0] == '\0'))
+            return (1);
+        BUF_strlcpy(buf, def, sizeof buf);
+        BUF_strlcat(buf, "\n", sizeof buf);
+    } else if ((buf[0] == '.') && (buf[1] == '\n'))
+        return (1);
+
+    i = strlen(buf);
+    if (buf[i - 1] != '\n') {
+        BIO_printf(bio_err, "weird input :-(\n");
+        return (0);
+    }
+    buf[--i] = '\0';
+#ifdef CHARSET_EBCDIC
+    ebcdic2ascii(buf, buf, i);
+#endif
+    if (!req_check_len(i, n_min, n_max)) {
+        if (batch || value)
+            return 0;
+        goto start;
+    }
+
+    if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
+                                    (unsigned char *)buf, -1, -1, mval))
+        goto err;
+    ret = 1;
+ err:
+    return (ret);
+}
+
+static int add_attribute_object(X509_REQ *req, char *text, const char *def,
+                                char *value, int nid, int n_min,
+                                int n_max, unsigned long chtype)
+{
+    int i;
+    static char buf[1024];
+
+ start:
+    if (!batch)
+        BIO_printf(bio_err, "%s [%s]:", text, def);
+    (void)BIO_flush(bio_err);
+    if (value != NULL) {
+        BUF_strlcpy(buf, value, sizeof buf);
+        BUF_strlcat(buf, "\n", sizeof buf);
+        BIO_printf(bio_err, "%s\n", value);
+    } else {
+        buf[0] = '\0';
+        if (!batch) {
+            if (!fgets(buf, sizeof buf, stdin))
+                return 0;
+        } else {
+            buf[0] = '\n';
+            buf[1] = '\0';
+        }
+    }
+
+    if (buf[0] == '\0')
+        return (0);
+    else if (buf[0] == '\n') {
+        if ((def == NULL) || (def[0] == '\0'))
+            return (1);
+        BUF_strlcpy(buf, def, sizeof buf);
+        BUF_strlcat(buf, "\n", sizeof buf);
+    } else if ((buf[0] == '.') && (buf[1] == '\n'))
+        return (1);
+
+    i = strlen(buf);
+    if (buf[i - 1] != '\n') {
+        BIO_printf(bio_err, "weird input :-(\n");
+        return (0);
+    }
+    buf[--i] = '\0';
+#ifdef CHARSET_EBCDIC
+    ebcdic2ascii(buf, buf, i);
+#endif
+    if (!req_check_len(i, n_min, n_max)) {
+        if (batch || value)
+            return 0;
+        goto start;
+    }
+
+    if (!X509_REQ_add1_attr_by_NID(req, nid, chtype,
+                                   (unsigned char *)buf, -1)) {
+        BIO_printf(bio_err, "Error adding attribute\n");
+        ERR_print_errors(bio_err);
+        goto err;
+    }
+
+    return (1);
+ err:
+    return (0);
+}
+
+static int req_check_len(int len, int n_min, int n_max)
+{
+    if ((n_min > 0) && (len < n_min)) {
+        BIO_printf(bio_err,
+                   "string is too short, it needs to be at least %d bytes long\n",
+                   n_min);
+        return (0);
+    }
+    if ((n_max >= 0) && (len > n_max)) {
+        BIO_printf(bio_err,
+                   "string is too long, it needs to be less than  %d bytes long\n",
+                   n_max);
+        return (0);
+    }
+    return (1);
+}
+
+/* Check if the end of a string matches 'end' */
+static int check_end(const char *str, const char *end)
+{
+    int elen, slen;
+    const char *tmp;
+    elen = strlen(end);
+    slen = strlen(str);
+    if (elen > slen)
+        return 1;
+    tmp = str + slen - elen;
+    return strcmp(tmp, end);
+}
+
+static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr,
+                                    int *pkey_type, long *pkeylen,
+                                    char **palgnam, ENGINE *keygen_engine)
+{
+    EVP_PKEY_CTX *gctx = NULL;
+    EVP_PKEY *param = NULL;
+    long keylen = -1;
+    BIO *pbio = NULL;
+    const char *paramfile = NULL;
+
+    if (gstr == NULL) {
+        *pkey_type = EVP_PKEY_RSA;
+        keylen = *pkeylen;
+    } else if (gstr[0] >= '0' && gstr[0] <= '9') {
+        *pkey_type = EVP_PKEY_RSA;
+        keylen = atol(gstr);
+        *pkeylen = keylen;
+    } else if (!strncmp(gstr, "param:", 6))
+        paramfile = gstr + 6;
+    else {
+        const char *p = strchr(gstr, ':');
+        int len;
+        ENGINE *tmpeng;
+        const EVP_PKEY_ASN1_METHOD *ameth;
+
+        if (p)
+            len = p - gstr;
+        else
+            len = strlen(gstr);
+        /*
+         * The lookup of a the string will cover all engines so keep a note
+         * of the implementation.
+         */
+
+        ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len);
+
+        if (!ameth) {
+            BIO_printf(err, "Unknown algorithm %.*s\n", len, gstr);
+            return NULL;
+        }
+
+        EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, ameth);
+#ifndef OPENSSL_NO_ENGINE
+        if (tmpeng)
+            ENGINE_finish(tmpeng);
+#endif
+        if (*pkey_type == EVP_PKEY_RSA) {
+            if (p) {
+                keylen = atol(p + 1);
+                *pkeylen = keylen;
+            } else
+                keylen = *pkeylen;
+        } else if (p)
+            paramfile = p + 1;
+    }
+
+    if (paramfile) {
+        pbio = BIO_new_file(paramfile, "r");
+        if (!pbio) {
+            BIO_printf(err, "Can't open parameter file %s\n", paramfile);
+            return NULL;
+        }
+        param = PEM_read_bio_Parameters(pbio, NULL);
+
+        if (!param) {
+            X509 *x;
+            (void)BIO_reset(pbio);
+            x = PEM_read_bio_X509(pbio, NULL, NULL, NULL);
+            if (x) {
+                param = X509_get_pubkey(x);
+                X509_free(x);
+            }
+        }
+
+        BIO_free(pbio);
+
+        if (!param) {
+            BIO_printf(err, "Error reading parameter file %s\n", paramfile);
+            return NULL;
+        }
+        if (*pkey_type == -1)
+            *pkey_type = EVP_PKEY_id(param);
+        else if (*pkey_type != EVP_PKEY_base_id(param)) {
+            BIO_printf(err, "Key Type does not match parameters\n");
+            EVP_PKEY_free(param);
+            return NULL;
+        }
+    }
+
+    if (palgnam) {
+        const EVP_PKEY_ASN1_METHOD *ameth;
+        ENGINE *tmpeng;
+        const char *anam;
+        ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type);
+        if (!ameth) {
+            BIO_puts(err, "Internal error: can't find key algorithm\n");
+            return NULL;
+        }
+        EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
+        *palgnam = BUF_strdup(anam);
+#ifndef OPENSSL_NO_ENGINE
+        if (tmpeng)
+            ENGINE_finish(tmpeng);
+#endif
+    }
+
+    if (param) {
+        gctx = EVP_PKEY_CTX_new(param, keygen_engine);
+        *pkeylen = EVP_PKEY_bits(param);
+        EVP_PKEY_free(param);
+    } else
+        gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine);
+
+    if (!gctx) {
+        BIO_puts(err, "Error allocating keygen context\n");
+        ERR_print_errors(err);
+        return NULL;
+    }
+
+    if (EVP_PKEY_keygen_init(gctx) <= 0) {
+        BIO_puts(err, "Error initializing keygen context\n");
+        ERR_print_errors(err);
+        return NULL;
+    }
+#ifndef OPENSSL_NO_RSA
+    if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) {
+        if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) {
+            BIO_puts(err, "Error setting RSA keysize\n");
+            ERR_print_errors(err);
+            EVP_PKEY_CTX_free(gctx);
+            return NULL;
+        }
+    }
+#endif
+
+    return gctx;
+}
+
+static int genpkey_cb(EVP_PKEY_CTX *ctx)
+{
+    char c = '*';
+    BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
+    int p;
+    p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
+    if (p == 0)
+        c = '.';
+    if (p == 1)
+        c = '+';
+    if (p == 2)
+        c = '*';
+    if (p == 3)
+        c = '\n';
+    BIO_write(b, &c, 1);
+    (void)BIO_flush(b);
+#ifdef LINT
+    p = n;
+#endif
+    return 1;
+}
+
+static int do_sign_init(BIO *err, EVP_MD_CTX *ctx, EVP_PKEY *pkey,
+                        const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts)
+{
+    EVP_PKEY_CTX *pkctx = NULL;
+    int i;
+    EVP_MD_CTX_init(ctx);
+    if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey))
+        return 0;
+    for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
+        char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
+        if (pkey_ctrl_string(pkctx, sigopt) <= 0) {
+            BIO_printf(err, "parameter error \"%s\"\n", sigopt);
+            ERR_print_errors(bio_err);
+            return 0;
+        }
+    }
+    return 1;
+}
+
+int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
+                 STACK_OF(OPENSSL_STRING) *sigopts)
+{
+    int rv;
+    EVP_MD_CTX mctx;
+    EVP_MD_CTX_init(&mctx);
+    rv = do_sign_init(err, &mctx, pkey, md, sigopts);
+    if (rv > 0)
+        rv = X509_sign_ctx(x, &mctx);
+    EVP_MD_CTX_cleanup(&mctx);
+    return rv > 0 ? 1 : 0;
+}
+
+int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
+                     STACK_OF(OPENSSL_STRING) *sigopts)
+{
+    int rv;
+    EVP_MD_CTX mctx;
+    EVP_MD_CTX_init(&mctx);
+    rv = do_sign_init(err, &mctx, pkey, md, sigopts);
+    if (rv > 0)
+        rv = X509_REQ_sign_ctx(x, &mctx);
+    EVP_MD_CTX_cleanup(&mctx);
+    return rv > 0 ? 1 : 0;
+}
+
+int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
+                     STACK_OF(OPENSSL_STRING) *sigopts)
+{
+    int rv;
+    EVP_MD_CTX mctx;
+    EVP_MD_CTX_init(&mctx);
+    rv = do_sign_init(err, &mctx, pkey, md, sigopts);
+    if (rv > 0)
+        rv = X509_CRL_sign_ctx(x, &mctx);
+    EVP_MD_CTX_cleanup(&mctx);
+    return rv > 0 ? 1 : 0;
+}
diff --git a/openssl/apps/req.pem b/openssl/apps/req.pem
new file mode 100644
index 0000000..5537df6
--- /dev/null
+++ b/openssl/apps/req.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBlzCCAVcCAQAwXjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
+ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAxMORXJp
+YyB0aGUgWW91bmcwge8wgaYGBSsOAwIMMIGcAkEA+ZiKEvZmc9MtnaFZh4NiZ3oZ
+S4J1PHvPrm9MXj5ntVheDPkdmBDTncyaGAJcMjwsyB/GvLDGd6yGCw/8eF+09wIV
+AK3VagOxGd/Q4Af5NbxR5FB7CXEjAkA2t/q7HgVLi0KeKvcDG8BRl3wuy7bCvpjg
+tWiJc/tpvcuzeuAayH89UofjAGueKjXDADiRffvSdhrNw5dkqdqlA0QAAkEAtUSo
+84OekjitKGVjxLu0HvXck29pu+foad53vPKXAsuJdACj88BPqZ91Y9PIJf1GUh38
+CuiHWi7z3cEDfZCyCKAAMAkGBSsOAwIbBQADLwAwLAIUTg8amKVBE9oqC5B75dDQ
+Chy3LdQCFHKodGEj3LjuTzdm/RTe2KZL9Uzf
+-----END CERTIFICATE REQUEST-----
diff --git a/openssl/apps/rsa.c b/openssl/apps/rsa.c
new file mode 100644
index 0000000..ad3af39
--- /dev/null
+++ b/openssl/apps/rsa.c
@@ -0,0 +1,436 @@
+/* apps/rsa.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/opensslconf.h>
+#ifndef OPENSSL_NO_RSA
+# include <stdio.h>
+# include <stdlib.h>
+# include <string.h>
+# include <time.h>
+# include "apps.h"
+# include <openssl/bio.h>
+# include <openssl/err.h>
+# include <openssl/rsa.h>
+# include <openssl/evp.h>
+# include <openssl/x509.h>
+# include <openssl/pem.h>
+# include <openssl/bn.h>
+
+# undef PROG
+# define PROG    rsa_main
+
+/*-
+ * -inform arg  - input format - default PEM (one of DER, NET or PEM)
+ * -outform arg - output format - default PEM
+ * -in arg      - input file - default stdin
+ * -out arg     - output file - default stdout
+ * -des         - encrypt output if PEM format with DES in cbc mode
+ * -des3        - encrypt output if PEM format
+ * -idea        - encrypt output if PEM format
+ * -seed        - encrypt output if PEM format
+ * -aes128      - encrypt output if PEM format
+ * -aes192      - encrypt output if PEM format
+ * -aes256      - encrypt output if PEM format
+ * -camellia128 - encrypt output if PEM format
+ * -camellia192 - encrypt output if PEM format
+ * -camellia256 - encrypt output if PEM format
+ * -text        - print a text version
+ * -modulus     - print the RSA key modulus
+ * -check       - verify key consistency
+ * -pubin       - Expect a public key in input file.
+ * -pubout      - Output a public key.
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    ENGINE *e = NULL;
+    int ret = 1;
+    RSA *rsa = NULL;
+    int i, badops = 0, sgckey = 0;
+    const EVP_CIPHER *enc = NULL;
+    BIO *out = NULL;
+    int informat, outformat, text = 0, check = 0, noout = 0;
+    int pubin = 0, pubout = 0;
+    char *infile, *outfile, *prog;
+    char *passargin = NULL, *passargout = NULL;
+    char *passin = NULL, *passout = NULL;
+    char *engine = NULL;
+    int modulus = 0;
+
+    int pvk_encr = 2;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    infile = NULL;
+    outfile = NULL;
+    informat = FORMAT_PEM;
+    outformat = FORMAT_PEM;
+
+    prog = argv[0];
+    argc--;
+    argv++;
+    while (argc >= 1) {
+        if (strcmp(*argv, "-inform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            informat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-outform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outformat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-in") == 0) {
+            if (--argc < 1)
+                goto bad;
+            infile = *(++argv);
+        } else if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outfile = *(++argv);
+        } else if (strcmp(*argv, "-passin") == 0) {
+            if (--argc < 1)
+                goto bad;
+            passargin = *(++argv);
+        } else if (strcmp(*argv, "-passout") == 0) {
+            if (--argc < 1)
+                goto bad;
+            passargout = *(++argv);
+        }
+# ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            engine = *(++argv);
+        }
+# endif
+        else if (strcmp(*argv, "-sgckey") == 0)
+            sgckey = 1;
+        else if (strcmp(*argv, "-pubin") == 0)
+            pubin = 1;
+        else if (strcmp(*argv, "-pubout") == 0)
+            pubout = 1;
+        else if (strcmp(*argv, "-RSAPublicKey_in") == 0)
+            pubin = 2;
+        else if (strcmp(*argv, "-RSAPublicKey_out") == 0)
+            pubout = 2;
+        else if (strcmp(*argv, "-pvk-strong") == 0)
+            pvk_encr = 2;
+        else if (strcmp(*argv, "-pvk-weak") == 0)
+            pvk_encr = 1;
+        else if (strcmp(*argv, "-pvk-none") == 0)
+            pvk_encr = 0;
+        else if (strcmp(*argv, "-noout") == 0)
+            noout = 1;
+        else if (strcmp(*argv, "-text") == 0)
+            text = 1;
+        else if (strcmp(*argv, "-modulus") == 0)
+            modulus = 1;
+        else if (strcmp(*argv, "-check") == 0)
+            check = 1;
+        else if ((enc = EVP_get_cipherbyname(&(argv[0][1]))) == NULL) {
+            BIO_printf(bio_err, "unknown option %s\n", *argv);
+            badops = 1;
+            break;
+        }
+        argc--;
+        argv++;
+    }
+
+    if (badops) {
+ bad:
+        BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err,
+                   " -inform arg     input format - one of DER NET PEM\n");
+        BIO_printf(bio_err,
+                   " -outform arg    output format - one of DER NET PEM\n");
+        BIO_printf(bio_err, " -in arg         input file\n");
+        BIO_printf(bio_err, " -sgckey         Use IIS SGC key format\n");
+        BIO_printf(bio_err,
+                   " -passin arg     input file pass phrase source\n");
+        BIO_printf(bio_err, " -out arg        output file\n");
+        BIO_printf(bio_err,
+                   " -passout arg    output file pass phrase source\n");
+        BIO_printf(bio_err,
+                   " -des            encrypt PEM output with cbc des\n");
+        BIO_printf(bio_err,
+                   " -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
+# ifndef OPENSSL_NO_IDEA
+        BIO_printf(bio_err,
+                   " -idea           encrypt PEM output with cbc idea\n");
+# endif
+# ifndef OPENSSL_NO_SEED
+        BIO_printf(bio_err,
+                   " -seed           encrypt PEM output with cbc seed\n");
+# endif
+# ifndef OPENSSL_NO_AES
+        BIO_printf(bio_err, " -aes128, -aes192, -aes256\n");
+        BIO_printf(bio_err,
+                   "                 encrypt PEM output with cbc aes\n");
+# endif
+# ifndef OPENSSL_NO_CAMELLIA
+        BIO_printf(bio_err, " -camellia128, -camellia192, -camellia256\n");
+        BIO_printf(bio_err,
+                   "                 encrypt PEM output with cbc camellia\n");
+# endif
+        BIO_printf(bio_err, " -text           print the key in text\n");
+        BIO_printf(bio_err, " -noout          don't print key out\n");
+        BIO_printf(bio_err, " -modulus        print the RSA key modulus\n");
+        BIO_printf(bio_err, " -check          verify key consistency\n");
+        BIO_printf(bio_err,
+                   " -pubin          expect a public key in input file\n");
+        BIO_printf(bio_err, " -pubout         output a public key\n");
+# ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   " -engine e       use engine e, possibly a hardware device.\n");
+# endif
+        goto end;
+    }
+
+    ERR_load_crypto_strings();
+
+    e = setup_engine(bio_err, engine, 0);
+
+    if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+        BIO_printf(bio_err, "Error getting passwords\n");
+        goto end;
+    }
+
+    if (check && pubin) {
+        BIO_printf(bio_err, "Only private keys can be checked\n");
+        goto end;
+    }
+
+    out = BIO_new(BIO_s_file());
+
+    {
+        EVP_PKEY *pkey;
+
+        if (pubin) {
+            int tmpformat = -1;
+            if (pubin == 2) {
+                if (informat == FORMAT_PEM)
+                    tmpformat = FORMAT_PEMRSA;
+                else if (informat == FORMAT_ASN1)
+                    tmpformat = FORMAT_ASN1RSA;
+            } else if (informat == FORMAT_NETSCAPE && sgckey)
+                tmpformat = FORMAT_IISSGC;
+            else
+                tmpformat = informat;
+
+            pkey = load_pubkey(bio_err, infile, tmpformat, 1,
+                               passin, e, "Public Key");
+        } else
+            pkey = load_key(bio_err, infile,
+                            (informat == FORMAT_NETSCAPE && sgckey ?
+                             FORMAT_IISSGC : informat), 1,
+                            passin, e, "Private Key");
+
+        if (pkey != NULL)
+            rsa = EVP_PKEY_get1_RSA(pkey);
+        EVP_PKEY_free(pkey);
+    }
+
+    if (rsa == NULL) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (outfile == NULL) {
+        BIO_set_fp(out, stdout, BIO_NOCLOSE);
+# ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+# endif
+    } else {
+        if (BIO_write_filename(out, outfile) <= 0) {
+            perror(outfile);
+            goto end;
+        }
+    }
+
+    if (text)
+        if (!RSA_print(out, rsa, 0)) {
+            perror(outfile);
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+
+    if (modulus) {
+        BIO_printf(out, "Modulus=");
+        BN_print(out, rsa->n);
+        BIO_printf(out, "\n");
+    }
+
+    if (check) {
+        int r = RSA_check_key(rsa);
+
+        if (r == 1)
+            BIO_printf(out, "RSA key ok\n");
+        else if (r == 0) {
+            unsigned long err;
+
+            while ((err = ERR_peek_error()) != 0 &&
+                   ERR_GET_LIB(err) == ERR_LIB_RSA &&
+                   ERR_GET_FUNC(err) == RSA_F_RSA_CHECK_KEY &&
+                   ERR_GET_REASON(err) != ERR_R_MALLOC_FAILURE) {
+                BIO_printf(out, "RSA key error: %s\n",
+                           ERR_reason_error_string(err));
+                ERR_get_error(); /* remove e from error stack */
+            }
+        }
+
+        if (r == -1 || ERR_peek_error() != 0) { /* should happen only if r ==
+                                                 * -1 */
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+
+    if (noout) {
+        ret = 0;
+        goto end;
+    }
+    BIO_printf(bio_err, "writing RSA key\n");
+    if (outformat == FORMAT_ASN1) {
+        if (pubout || pubin) {
+            if (pubout == 2)
+                i = i2d_RSAPublicKey_bio(out, rsa);
+            else
+                i = i2d_RSA_PUBKEY_bio(out, rsa);
+        } else
+            i = i2d_RSAPrivateKey_bio(out, rsa);
+    }
+# ifndef OPENSSL_NO_RC4
+    else if (outformat == FORMAT_NETSCAPE) {
+        unsigned char *p, *pp;
+        int size;
+
+        i = 1;
+        size = i2d_RSA_NET(rsa, NULL, NULL, sgckey);
+        if ((p = (unsigned char *)OPENSSL_malloc(size)) == NULL) {
+            BIO_printf(bio_err, "Memory allocation failure\n");
+            goto end;
+        }
+        pp = p;
+        i2d_RSA_NET(rsa, &p, NULL, sgckey);
+        BIO_write(out, (char *)pp, size);
+        OPENSSL_free(pp);
+    }
+# endif
+    else if (outformat == FORMAT_PEM) {
+        if (pubout || pubin) {
+            if (pubout == 2)
+                i = PEM_write_bio_RSAPublicKey(out, rsa);
+            else
+                i = PEM_write_bio_RSA_PUBKEY(out, rsa);
+        } else
+            i = PEM_write_bio_RSAPrivateKey(out, rsa,
+                                            enc, NULL, 0, NULL, passout);
+# if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
+    } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
+        EVP_PKEY *pk;
+        pk = EVP_PKEY_new();
+        EVP_PKEY_set1_RSA(pk, rsa);
+        if (outformat == FORMAT_PVK)
+            i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
+        else if (pubin || pubout)
+            i = i2b_PublicKey_bio(out, pk);
+        else
+            i = i2b_PrivateKey_bio(out, pk);
+        EVP_PKEY_free(pk);
+# endif
+    } else {
+        BIO_printf(bio_err, "bad output format specified for outfile\n");
+        goto end;
+    }
+    if (i <= 0) {
+        BIO_printf(bio_err, "unable to write key\n");
+        ERR_print_errors(bio_err);
+    } else
+        ret = 0;
+ end:
+    release_engine(e);
+    if (out != NULL)
+        BIO_free_all(out);
+    if (rsa != NULL)
+        RSA_free(rsa);
+    if (passin)
+        OPENSSL_free(passin);
+    if (passout)
+        OPENSSL_free(passout);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+#else                           /* !OPENSSL_NO_RSA */
+
+# if PEDANTIC
+static void *dummy = &dummy;
+# endif
+
+#endif
diff --git a/openssl/apps/rsa8192.pem b/openssl/apps/rsa8192.pem
new file mode 100644
index 0000000..946a6e5
--- /dev/null
+++ b/openssl/apps/rsa8192.pem
@@ -0,0 +1,101 @@
+-----BEGIN RSA PRIVATE KEY-----
+
+MIISKAIBAAKCBAEAiQ2f1X6Bte1DKD0OoCBKEikzPW+5w3oXk3WwnE97Wxzy6wJZ
+ebbZC3CZKKBnJeBMrysPf+lK+9+fP6Vm8bp1wvbcSIA59BDrX6irFSuM/bdnkbuF
+MFlDjt+uVrxwoyqfPi2IPot1HQg3l5mdyBqcTWvbOnU2L9HZxJfPUCjfzdTMPrMY
+55/A20XL7tlV2opEfwhy3uVlveQBM0DnZ3MUQfrk+lRRNWv7yE4ScbOfER9fjvOm
+yJc3ZbOa3e+AMGGU9OqJ/fyOl0SGYyP2k23omy/idBV4uOs8QWdnAvq8UOzDdua3
+tuf5Tn17XBurPJ8juwyPBNispkwwn8BjxAZVPhwUIcxFBg339IxJ9cW0WdVy4nNA
+LWo/8Ahlf+kZNnFNGCPFytU9gGMLMhab9w/rLrwa9qNe4L8Fmu1JxONn1WfhMOKE
+aFmycf2olJsYLgUIGYZrjnYu0p/7P3yhTOv8JIhmK+SzmA/I0xiQoF84rpaQzH2d
+PvxICOA9oQSowou0gLuBSZWm6LiXirg1DZCziU46v33ErQlWM1dSyNaUSzihcV59
+mVD0nmzboXH75lGiyiZlp8cLbozzoCwvk9rYqpUGSBzbAy0ECCpabGpzO2Ug+oDi
+71e5z4WMpeoR4IS8MaOG/GsJnwaXhiB/gNYfK+8pRADVk5StEAZDE2alSuCbDs0z
+d9zYr4/em5T9VZsLetxRE7pm/Es9yELuViz8/Tm0/8MVdmNYc/xZU1t6qYYFdyQ2
+wlGDTiNPsjR8yXCkmBjKwqnuleu1X6LaZu3VPhEkXGcyFAquQUkSiMv0Yu74qAe0
+bQ2v+jjZzP6AM9LUo89cW4Kd8SGD96BdNlAVPNMXoBcIOsZBwsOtETBd4KAyvkXE
+Ob17u+PLl4UPnSxm9ypKZunUNFRPxtKUyjySYnvlGL+kTjAXrIrZwKJqIn0uhnfa
+Ck3o7bU6yVMK22ODxy2/Vi3E0P6k5JLwnrF0VIOBqGhts66qo6mWDP8l6MZHARFd
+pU+nofssVmr8tLKmMmjYGMM5GmKIXRNBs0ksTwFnKRs9AmpE5owC8tTSVdTAkGuS
+os7QwLvyvNzq7BGJiVr0Iy3Dhsl1vzR35acNOrCsDl3DcCQONKJ2sVXV4pD3dBah
+mG3sR/jHgjasffJJ35uiGoAua9dbT7HG/+D0z1SHYaVqH8zO4VZSOnGJh/P9rtxx
+cckFDbiag/JMWig2lbnCjebTtp/BcUsK3TNaDOb7vb0LvbAeRJadd1EFu6PSlH3K
+LykSUPm4UedvUU3cWjqkSY5lITFJkVaIYOv/EljYtK7p7kFZFTaEwMAWxgsXU3pQ
+tTzVmq1gZ4vXPwcUq0zK50Frq0F7SQc21ZsunwIDAQABAoIEADuQAkDEpBausJsS
+PgL1RXuzECPJJJCBxTE+2qx0FoY4hJICCWTORHGmU8nGPE3Ht0wBiNDsULw6KXl9
+psmzYW6D3qRbpdQebky6fu/KZ5H0XTyGpJGomaXELH5hkwo2gdKB805LSXB+m7p0
+9o96kSdMkpBLVGtf5iZ8W4rY2LsZmlI9f7taQHSLVt/M8HTz1mTnBRU92QO3zZW6
+xVa+OrWaFl18u3ZeIaSh2X40tBK68cqstXVD0r2OWuXNKobcQeJW8/XABzBShZ0c
+ihL0lzyqiN4uXrLu+Nbr22b+FU2OODy6dGk3U6/69NvI4piMCPlHsfhHOnFjd1ZW
+RIVywyUlCtLNdcn11CchuRro+0J3c2Ba+i9Cl9r3qzT11xFEGF8/XLyUBBCB+uGf
+1dR/xJQhCA7cXWWLXyI/semxcvTaGpImP6kiIl1MAjHjXZTSdvyw4JmfXyYGhSjI
+P0mw3Xn7FXxJ/os9gOfNKz2nZHjr0q4sgWRYO+4vllkeL0GteZrg4oVaVpmZb7LH
+77afhodLylhijlEtV5skfkPujbBLQk6E5Ez3U/huEt2NLg6guADmwxMxfBRliZO4
+4Ex/td4cuggpEj3FGJV74qRvdvj/MF/uF7IxC/3WapPIsFBFH4zrJsUYt6u3L68I
+/KC/bfioDeUR/8ANw1DNh+UsnPV3GJIwDkIJKdppi2uXPahJyJQQ8Inps53nn8Gg
+GifS+HnOXNgMoKOJnZ9IDGjXpfjIs8dJNrGfDHF0mH30N2WARq2v/a3cNUC+f8Bq
+HSKQ9YrZopktMunsut8u7ZYbTmjIqJpXCaM0CCrSlzSMTDHFSj2tzLk6+qnxeGxB
+ZwIdShbdeK+0ETG91lE1e9RPQs/uXQP9+uCHJV0YpqQcA6pkCLYJfYpoSMu/Bafy
+AgfVZz6l5tyEnV0wCcbopsQShc1k9xtTbYNF1h9AQHknj6zeDW4iZMvmVeh3RovT
+52OA2R8oLyauF+QaG6x2wUjEx13SJlaBarJZ4seZIOJ+a8+oNzKsbgokXc2cyC9p
+5FAZz1OsOb68o93qD1Xvl7bY97fq2q55L7G1XHPPLtZE5lGiLGDtnAuwY8UPrdpr
+7Mv2yIxB7xVGurXyHb5PvusR88XED6HMPfLBG/55ENHTal7G5mRix+IWSBAIkxA5
+KZ0j8r5Ng4+wELZhqFQai39799bIAyiV6CEz4kyDXlo0kSSexp8o4iz5sPq5vp6h
+cCb7rdRw7uRnbXrHmXahxoB+ibXaurgV/6B2yurrU/UFoxEp2sHp8LXZGfF6ztY1
+dMhSQAACK2vGy5yNagbkTHLgVaHicG5zavJBqzCE+lbPlCqhOUQPdOIwvjHNjdS/
+DL3WV/ECggIBAMbW65wPk/i43nSyeZeYwcHtR1SUJqDXavYfBPC0VRhKz+7DVMFw
+Nwnocn6gITABc445W1yl7U3uww+LGuDlSlFnd8WuiXpVYud9/jeNu6Mu4wvNsnWr
+f4f4ua8CcS03GmqmcbROD2Z6by1AblCZ2UL1kv9cUX1FLVjPP1ESAGKoePt3BmZQ
+J1uJfK8HilNT8dcUlj/5CBi2uHxttDhoG0sxXE/SVsG9OD/Pjme0mj7gdzc6Ztd+
+TALuvpNQR4pRzfo5XWDZBcEYntcEE3PxYJB1+vnZ8509ew5/yLHTbLjFxIcx71zY
+fhH0gM36Sz7mz37r0+E/QkRkc5bVIDC4LDnWmjpAde6QUx0d218ShNx6sJo4kt5c
+Dd7tEVx8nuX8AIZYgwsOb382anLyFRkkmEdK3gRvwQ6SWR36Ez5L7/mHWODpLAX5
+mVBKSG4/ccFbc633/g0xHw0Nwajir/klckdakuYPlwF0yAxJSKDLhmNctDhRmxjC
+YP+fISkl5oTvFRzJH6HEyNu8M3ybRvmpPIjM5J5JpnB2IYbohYBR+T6/97C1DKrd
+mzL5PjlrWm0c1/d7LlDoP65fOShDMmj2zCiBAHHOM0Alokx+v5LmMd8NJumZIwGJ
+Rt5OpeMOhowz6j1AjYxYgV7PmJL6Ovpfb775od/aLaUbbwHz2uWIvfF7AoICAQCw
+c7NaO7oJVLJClhYw6OCvjT6oqtgNVWaennnDiJgzY9lv5HEgV0MAG0eYuB3hvj+w
+Y1P9DJxP1D+R+cshYrAFg8yU/3kaYVNI0Bl3ygX0eW1b/0HZTdocs+8kM/9PZQDR
+WrKQoU5lHvqRt99dXlD4NWGI2YQtzdZ8iet9QLqnjwRZabgE96mF01qKisMnFcsh
+KjT7ieheU4J15TZj/mdZRNK126d7e3q/rNj73e5EJ9tkYLcolSr4gpknUMJULSEi
+JH1/Qx7C/mTAMRsN5SkOthnGq0djCNWfPv/3JV0H67Uf5krFlnwLebrgfTYoPPdo
+yO7iBUNJzv6Qh22malLp4P8gzACkD7DGlSTnoB5cLwcjmDGg+i9WrUBbOiVTeQfZ
+kOj1o+Tz35ndpq/DDUVlqliB9krcxva+QHeJPH53EGI+YVg1nD+s/vUDZ3mQMGX9
+DQou2L8uU6RnWNv/BihGcL8QvS4Ty6QyPOUPpD3zc70JQAEcQk9BxQNaELgJX0IN
+22cYn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU
+ojF5U6cwextMja1ZIIZgh9eugIRUeIE7319nQNDzuXWjRCcoBLA25P7wnpHWDRpz
+D9ovXCIvdja74lL5psqobV6L5+fbLPkSgXoImKR0LQKCAgAIC9Jk8kxumCyIVGCP
+PeM5Uby9M3GMuKrfYsn0Y5e97+kSJF1dpojTodBgR2KQar6eVrvXt+8uZCcIjfx8
+dUrYmHNEUJfHl4T1ESgkX1vkcpVFeQFruZDjk7EP3+1sgvpSroGTZkVBRFsTXbQZ
+FuCv0Pgt1TKG+zGmklxhj3TsiRy8MEjWAxBUp++ftZJnZNI4feDGnfEx7tLwVhAg
+6DWSiWDO6hgQpvOLwX5lu+0x9itc1MQsnDO/OqIDnBAJDN5k7cVVkfKlqbVjxgpz
+eqUJs3yAd81f44kDQTCB4ahYocgeIGsrOqd/WoGL1EEPPo/O9wQP7VtlIRt8UwuG
+bS18+a4sBUfAa56xYu/pnPo7YcubsgZfcSIujzFQqMpVTClJRnOnEuJ4J1+PXzRz
+XAO9fs4VJ+CMEmgAyonUz4Xadxulnknlw//sO9VKgM69oFHCDHL/XamAAbqAdwvf
+7R/+uy+Ol7romC0wMhb6SsIZazrvvH2mNtduAKZ638nAP1x/WbQp+6iVG7yJok7w
+82Q7tO7baOePTXh12Rrt4mNPor0HLYxhra4GFgfqkumJ2Mz0esuZAozxJXFOq8ly
+beo9CVtXP5zbT6qNpeNismX6PLICaev8t+1iOZSE56WSLtefuuj/cOVrTMNDz1Rr
+pUkEVV2zjUSjlcScM538A9iL2QKCAgBLbBk0r6T0ihRsK9UucMxhnYEz/Vq+UEu9
+70Vi1AciqEJv9nh4d3Q3HnH7EHANZxG4Jqzm1DYYVUQa9GfkTFeq88xFv/GW2hUM
+YY8RSfRDrIeXNEOETCe37x2AHw25dRXlZtw+wARPau91y9+Y/FCl18NqCHfcUEin
+ERjsf/eI2bPlODAlR2tZvZ7M60VBdqpN8cmV3zvI3e88z43xLfQlDyr1+v7a5Evy
+lEJnXlSTI2o+vKxtl103vjMSwA1gh63K90gBVsJWXQDZueOzi8mB9UqNRfcMmOEe
+4YHttTXPxeu0x+4cCRfam9zKShsVFgI28vRQ/ijl6qmbQ5gV8wqf18GV1j1L4z0P
+lP6iVynDA4MMrug/w9DqPsHsfK0pwekeETfSj4y0xVXyjWZBfHG2ZBrS6mDTf+RG
+LC4sJgR0hjdILLnUqIX7PzuhieBHRrjBcopwvcryVWRHnI7kslAS0+yHjiWc5oW3
+x5mtlum4HzelNYuD9cAE/95P6CeSMfp9CyIE/KSX4VvsRm6gQVkoQRKMxnQIFQ3w
+O5gl1l88vhjoo2HxYScgCp70BsDwiUNTqIR3NM+ZBHYFweVf3Gwz5LzHZT2rEZtD
+6VXRP75Q/2wOLnqCO4bK4BUs6sqxcQZmOldruPkPynrY0oPfHHExjxZDvQu4/r80
+Ls3n0L8yvQKCAgEAnYWS6EikwaQNpJEfiUnOlglgFz4EE1eVkrDbBY4J3oPU+doz
+DrqmsvgpSZIAfd2MUbkN4pOMsMTjbeIYWDnZDa1RoctKs3FhwFPHwAjQpznab4mn
+Bp81FMHM40qyb0NaNuFRwghdXvoQvBBX1p8oEnFzDRvTiuS/vTPTA8KDY8IeRp8R
+oGzKHpfziNwq/URpqj7pwi9odNjGZvR2IwYw9jCLPIqaEbMoSOdI0mg4MoYyqP4q
+nm7d4wqSDwrYxiXZ6f3nYpkhEY1lb0Wbksp1ig8sKSF4nDZRGK1RSfE+6gjBp94H
+X/Wog6Zb6NC9ZpusTiDLvuIUXcyUJvmHiWjSNqiTv8jurlwEsgSwhziEQfqLrtdV
+QI3PRMolBkD1iCk+HFE53r05LMf1bp3r4MS+naaQrLbIrl1kgDNGwVdgS+SCM7Bg
+TwEgE67iOb2iIoUpon/NyP4LesMzvdpsu2JFlfz13PmmQ34mFI7tWvOb3NA5DP3c
+46C6SaWI0TD9B11nJbHGTYN3Si9n0EBgoDJEXUKeh3km9O47dgvkSug4WzhYsvrE
+rMlMLtKfp2w8HlMZpsUlToNCx6CI+tJrohzcs3BAVAbjFAXRKWGijB1rxwyDdHPv
+I+/wJTNaRNPQ1M0SwtEL/zJd21y3KSPn4eL+GP3efhlDSjtlDvZqkdAUsU8=
+-----END RSA PRIVATE KEY-----
+
diff --git a/openssl/apps/rsautl.c b/openssl/apps/rsautl.c
new file mode 100644
index 0000000..87d1806
--- /dev/null
+++ b/openssl/apps/rsautl.c
@@ -0,0 +1,372 @@
+/* rsautl.c */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/opensslconf.h>
+#ifndef OPENSSL_NO_RSA
+
+# include "apps.h"
+# include <string.h>
+# include <openssl/err.h>
+# include <openssl/pem.h>
+# include <openssl/rsa.h>
+
+# define RSA_SIGN        1
+# define RSA_VERIFY      2
+# define RSA_ENCRYPT     3
+# define RSA_DECRYPT     4
+
+# define KEY_PRIVKEY     1
+# define KEY_PUBKEY      2
+# define KEY_CERT        3
+
+static void usage(void);
+
+# undef PROG
+
+# define PROG rsautl_main
+
+int MAIN(int argc, char **);
+
+int MAIN(int argc, char **argv)
+{
+    ENGINE *e = NULL;
+    BIO *in = NULL, *out = NULL;
+    char *infile = NULL, *outfile = NULL;
+    char *engine = NULL;
+    char *keyfile = NULL;
+    char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
+    int keyform = FORMAT_PEM;
+    char need_priv = 0, badarg = 0, rev = 0;
+    char hexdump = 0, asn1parse = 0;
+    X509 *x;
+    EVP_PKEY *pkey = NULL;
+    RSA *rsa = NULL;
+    unsigned char *rsa_in = NULL, *rsa_out = NULL, pad;
+    char *passargin = NULL, *passin = NULL;
+    int rsa_inlen, rsa_outlen = 0;
+    int keysize;
+
+    int ret = 1;
+
+    argc--;
+    argv++;
+
+    if (!bio_err)
+        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+    ERR_load_crypto_strings();
+    OpenSSL_add_all_algorithms();
+    pad = RSA_PKCS1_PADDING;
+
+    while (argc >= 1) {
+        if (!strcmp(*argv, "-in")) {
+            if (--argc < 1)
+                badarg = 1;
+            else
+                infile = *(++argv);
+        } else if (!strcmp(*argv, "-out")) {
+            if (--argc < 1)
+                badarg = 1;
+            else
+                outfile = *(++argv);
+        } else if (!strcmp(*argv, "-inkey")) {
+            if (--argc < 1)
+                badarg = 1;
+            else
+                keyfile = *(++argv);
+        } else if (!strcmp(*argv, "-passin")) {
+            if (--argc < 1)
+                badarg = 1;
+            else
+                passargin = *(++argv);
+        } else if (strcmp(*argv, "-keyform") == 0) {
+            if (--argc < 1)
+                badarg = 1;
+            else
+                keyform = str2fmt(*(++argv));
+# ifndef OPENSSL_NO_ENGINE
+        } else if (!strcmp(*argv, "-engine")) {
+            if (--argc < 1)
+                badarg = 1;
+            else
+                engine = *(++argv);
+# endif
+        } else if (!strcmp(*argv, "-pubin")) {
+            key_type = KEY_PUBKEY;
+        } else if (!strcmp(*argv, "-certin")) {
+            key_type = KEY_CERT;
+        } else if (!strcmp(*argv, "-asn1parse"))
+            asn1parse = 1;
+        else if (!strcmp(*argv, "-hexdump"))
+            hexdump = 1;
+        else if (!strcmp(*argv, "-raw"))
+            pad = RSA_NO_PADDING;
+        else if (!strcmp(*argv, "-oaep"))
+            pad = RSA_PKCS1_OAEP_PADDING;
+        else if (!strcmp(*argv, "-ssl"))
+            pad = RSA_SSLV23_PADDING;
+        else if (!strcmp(*argv, "-pkcs"))
+            pad = RSA_PKCS1_PADDING;
+        else if (!strcmp(*argv, "-x931"))
+            pad = RSA_X931_PADDING;
+        else if (!strcmp(*argv, "-sign")) {
+            rsa_mode = RSA_SIGN;
+            need_priv = 1;
+        } else if (!strcmp(*argv, "-verify"))
+            rsa_mode = RSA_VERIFY;
+        else if (!strcmp(*argv, "-rev"))
+            rev = 1;
+        else if (!strcmp(*argv, "-encrypt"))
+            rsa_mode = RSA_ENCRYPT;
+        else if (!strcmp(*argv, "-decrypt")) {
+            rsa_mode = RSA_DECRYPT;
+            need_priv = 1;
+        } else
+            badarg = 1;
+        if (badarg) {
+            usage();
+            goto end;
+        }
+        argc--;
+        argv++;
+    }
+
+    if (need_priv && (key_type != KEY_PRIVKEY)) {
+        BIO_printf(bio_err, "A private key is needed for this operation\n");
+        goto end;
+    }
+    e = setup_engine(bio_err, engine, 0);
+    if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+        BIO_printf(bio_err, "Error getting password\n");
+        goto end;
+    }
+
+/* FIXME: seed PRNG only if needed */
+    app_RAND_load_file(NULL, bio_err, 0);
+
+    switch (key_type) {
+    case KEY_PRIVKEY:
+        pkey = load_key(bio_err, keyfile, keyform, 0,
+                        passin, e, "Private Key");
+        break;
+
+    case KEY_PUBKEY:
+        pkey = load_pubkey(bio_err, keyfile, keyform, 0,
+                           NULL, e, "Public Key");
+        break;
+
+    case KEY_CERT:
+        x = load_cert(bio_err, keyfile, keyform, NULL, e, "Certificate");
+        if (x) {
+            pkey = X509_get_pubkey(x);
+            X509_free(x);
+        }
+        break;
+    }
+
+    if (!pkey) {
+        return 1;
+    }
+
+    rsa = EVP_PKEY_get1_RSA(pkey);
+    EVP_PKEY_free(pkey);
+
+    if (!rsa) {
+        BIO_printf(bio_err, "Error getting RSA key\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (infile) {
+        if (!(in = BIO_new_file(infile, "rb"))) {
+            BIO_printf(bio_err, "Error Reading Input File\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    } else
+        in = BIO_new_fp(stdin, BIO_NOCLOSE);
+
+    if (outfile) {
+        if (!(out = BIO_new_file(outfile, "wb"))) {
+            BIO_printf(bio_err, "Error Writing Output File\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    } else {
+        out = BIO_new_fp(stdout, BIO_NOCLOSE);
+# ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+# endif
+    }
+
+    keysize = RSA_size(rsa);
+
+    rsa_in = OPENSSL_malloc(keysize * 2);
+    rsa_out = OPENSSL_malloc(keysize);
+    if (!rsa_in || !rsa_out) {
+        BIO_printf(bio_err, "Out of memory\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    /* Read the input data */
+    rsa_inlen = BIO_read(in, rsa_in, keysize * 2);
+    if (rsa_inlen < 0) {
+        BIO_printf(bio_err, "Error reading input Data\n");
+        exit(1);
+    }
+    if (rev) {
+        int i;
+        unsigned char ctmp;
+        for (i = 0; i < rsa_inlen / 2; i++) {
+            ctmp = rsa_in[i];
+            rsa_in[i] = rsa_in[rsa_inlen - 1 - i];
+            rsa_in[rsa_inlen - 1 - i] = ctmp;
+        }
+    }
+    switch (rsa_mode) {
+
+    case RSA_VERIFY:
+        rsa_outlen = RSA_public_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+        break;
+
+    case RSA_SIGN:
+        rsa_outlen =
+            RSA_private_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+        break;
+
+    case RSA_ENCRYPT:
+        rsa_outlen = RSA_public_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+        break;
+
+    case RSA_DECRYPT:
+        rsa_outlen =
+            RSA_private_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+        break;
+
+    }
+
+    if (rsa_outlen < 0) {
+        BIO_printf(bio_err, "RSA operation error\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+    ret = 0;
+    if (asn1parse) {
+        if (!ASN1_parse_dump(out, rsa_out, rsa_outlen, 1, -1)) {
+            ERR_print_errors(bio_err);
+        }
+    } else if (hexdump)
+        BIO_dump(out, (char *)rsa_out, rsa_outlen);
+    else
+        BIO_write(out, rsa_out, rsa_outlen);
+ end:
+    RSA_free(rsa);
+    release_engine(e);
+    BIO_free(in);
+    BIO_free_all(out);
+    if (rsa_in)
+        OPENSSL_free(rsa_in);
+    if (rsa_out)
+        OPENSSL_free(rsa_out);
+    if (passin)
+        OPENSSL_free(passin);
+    return ret;
+}
+
+static void usage()
+{
+    BIO_printf(bio_err, "Usage: rsautl [options]\n");
+    BIO_printf(bio_err, "-in file        input file\n");
+    BIO_printf(bio_err, "-out file       output file\n");
+    BIO_printf(bio_err, "-inkey file     input key\n");
+    BIO_printf(bio_err, "-keyform arg    private key format - default PEM\n");
+    BIO_printf(bio_err, "-pubin          input is an RSA public\n");
+    BIO_printf(bio_err,
+               "-certin         input is a certificate carrying an RSA public key\n");
+    BIO_printf(bio_err, "-ssl            use SSL v2 padding\n");
+    BIO_printf(bio_err, "-raw            use no padding\n");
+    BIO_printf(bio_err,
+               "-pkcs           use PKCS#1 v1.5 padding (default)\n");
+    BIO_printf(bio_err, "-oaep           use PKCS#1 OAEP\n");
+    BIO_printf(bio_err, "-sign           sign with private key\n");
+    BIO_printf(bio_err, "-verify         verify with public key\n");
+    BIO_printf(bio_err, "-encrypt        encrypt with public key\n");
+    BIO_printf(bio_err, "-decrypt        decrypt with private key\n");
+    BIO_printf(bio_err, "-hexdump        hex dump output\n");
+# ifndef OPENSSL_NO_ENGINE
+    BIO_printf(bio_err,
+               "-engine e       use engine e, possibly a hardware device.\n");
+    BIO_printf(bio_err, "-passin arg    pass phrase source\n");
+# endif
+
+}
+
+#else                           /* !OPENSSL_NO_RSA */
+
+# if PEDANTIC
+static void *dummy = &dummy;
+# endif
+
+#endif
diff --git a/openssl/apps/s1024key.pem b/openssl/apps/s1024key.pem
new file mode 100644
index 0000000..19e0403
--- /dev/null
+++ b/openssl/apps/s1024key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQCzEfU8E+ZGTGtHXV5XhvM2Lg32fXUIjydXb34BGVPX6oN7+aNV
+S9eWayvW/+9/vUb0aCqilJrpFesgItV2T8VhhjOE++XUz46uNpcMU7wHMEAXUufP
+pztpFm8ZEk2tFKvadkSSoN8lb11juvZVkSkPlB65pFhSe4QKSp6J4HrkYwIDAQAB
+AoGBAKy8jvb0Lzby8q11yNLf7+78wCVdYi7ugMHcYA1JVFK8+zb1WfSm44FLQo/0
+dSChAjgz36TTexeLODPYxleJndjVcOMVzsLJjSM8dLpXsTS4FCeMbhw2s2u+xqKY
+bbPWfk+HOTyJjfnkcC5Nbg44eOmruq0gSmBeUXVM5UntlTnxAkEA7TGCA3h7kx5E
+Bl4zl2pc3gPAGt+dyfk5Po9mGJUUXhF5p2zueGmYWW74TmOWB1kzt4QRdYMzFePq
+zfDNXEa1CwJBAMFErdY0xp0UJ13WwBbUTk8rujqQdHtjw0klhpbuKkjxu2hN0wwM
+6p0D9qxF7JHaghqVRI0fAW/EE0OzdHMR9QkCQQDNR26dMFXKsoPu+vItljj/UEGf
+QG7gERiQ4yxaFBPHgdpGo0kT31eh9x9hQGDkxTe0GNG/YSgCRvm8+C3TMcKXAkBD
+dhGn36wkUFCddMSAM4NSJ1VN8/Z0y5HzCmI8dM3VwGtGMUQlxKxwOl30LEQzdS5M
+0SWojNYXiT2gOBfBwtbhAkEAhafl5QEOIgUz+XazS/IlZ8goNKdDVfYgK3mHHjvv
+nY5G+AuGebdNkXJr4KSWxDcN+C2i47zuj4QXA16MAOandA==
+-----END RSA PRIVATE KEY-----
diff --git a/openssl/apps/s1024req.pem b/openssl/apps/s1024req.pem
new file mode 100644
index 0000000..bb75e7e
--- /dev/null
+++ b/openssl/apps/s1024req.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBojCCAQsCAQAwZDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQx
+GjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMSQwIgYDVQQDExtTZXJ2ZXIgdGVz
+dCBjZXJ0ICgxMDI0IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALMR
+9TwT5kZMa0ddXleG8zYuDfZ9dQiPJ1dvfgEZU9fqg3v5o1VL15ZrK9b/73+9RvRo
+KqKUmukV6yAi1XZPxWGGM4T75dTPjq42lwxTvAcwQBdS58+nO2kWbxkSTa0Uq9p2
+RJKg3yVvXWO69lWRKQ+UHrmkWFJ7hApKnongeuRjAgMBAAEwDQYJKoZIhvcNAQEE
+BQADgYEAStHlk4pBbwiNeQ2/PKTPPXzITYC8Gn0XMbrU94e/6JIKiO7aArq9Espq
+nrBSvC14dHcNl6NNvnkEKdQ7hAkcACfBbnOXA/oQvMBd4GD78cH3k0jVDoVUEjil
+frLfWlckW6WzpTktt0ZPDdAjJCmKVh0ABHimi7Bo9FC3wIGIe5M=
+-----END CERTIFICATE REQUEST-----
diff --git a/openssl/apps/s512-key.pem b/openssl/apps/s512-key.pem
new file mode 100644
index 0000000..0e3ff2d
--- /dev/null
+++ b/openssl/apps/s512-key.pem
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBAJ+zw4Qnlf8SMVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVD
+TGiXav6ooKXfX3j/7tdkuD8Ey2//Kv7+ue0CAwEAAQJAN6W31vDEP2DjdqhzCDDu
+OA4NACqoiFqyblo7yc2tM4h4xMbC3Yx5UKMN9ZkCtX0gzrz6DyF47bdKcWBzNWCj
+gQIhANEoojVt7hq+SQ6MCN6FTAysGgQf56Q3TYoJMoWvdiXVAiEAw3e3rc+VJpOz
+rHuDo6bgpjUAAXM+v3fcpsfZSNO6V7kCIQCtbVjanpUwvZkMI9by02oUk9taki3b
+PzPfAfNPYAbCJQIhAJXNQDWyqwn/lGmR11cqY2y9nZ1+5w3yHGatLrcDnQHxAiEA
+vnlEGo8K85u+KwIOimM48ZG8oTk7iFdkqLJR1utT3aU=
+-----END RSA PRIVATE KEY-----
diff --git a/openssl/apps/s512-req.pem b/openssl/apps/s512-req.pem
new file mode 100644
index 0000000..ea314be
--- /dev/null
+++ b/openssl/apps/s512-req.pem
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBGzCBxgIBADBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEa
+MBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGlNlcnZlciB0ZXN0
+IGNlcnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ+zw4Qnlf8S
+MVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVDTGiXav6ooKXfX3j/7tdkuD8E
+y2//Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAANBAAB+uQi+qwn6qRSHB8EUTvsm
+5TNTHzYDeN39nyIbZNX2s0se3Srn2Bxft5YCwD3moFZ9QoyDHxE0h6qLX5yjD+8=
+-----END CERTIFICATE REQUEST-----
diff --git a/openssl/apps/s_apps.h b/openssl/apps/s_apps.h
new file mode 100644
index 0000000..5ba1e1d
--- /dev/null
+++ b/openssl/apps/s_apps.h
@@ -0,0 +1,212 @@
+/* apps/s_apps.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* conflicts with winsock2 stuff on netware */
+#if !defined(OPENSSL_SYS_NETWARE)
+# include <sys/types.h>
+#endif
+#include <openssl/opensslconf.h>
+
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+# include <conio.h>
+#endif
+
+#if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32)
+# define _kbhit kbhit
+#endif
+
+#if defined(OPENSSL_SYS_VMS) && !defined(FD_SET)
+/*
+ * VAX C does not defined fd_set and friends, but it's actually quite simple
+ */
+/* These definitions are borrowed from SOCKETSHR.       /Richard Levitte */
+# define MAX_NOFILE      32
+# define NBBY             8     /* number of bits in a byte */
+
+# ifndef FD_SETSIZE
+#  define FD_SETSIZE      MAX_NOFILE
+# endif                         /* FD_SETSIZE */
+
+/* How many things we'll allow select to use. 0 if unlimited */
+# define MAXSELFD        MAX_NOFILE
+typedef int fd_mask;            /* int here! VMS prototypes int, not long */
+# define NFDBITS (sizeof(fd_mask) * NBBY)/* bits per mask (power of 2!) */
+# define NFDSHIFT 5             /* Shift based on above */
+
+typedef fd_mask fd_set;
+# define FD_SET(n, p)    (*(p) |= (1 << ((n) % NFDBITS)))
+# define FD_CLR(n, p)    (*(p) &= ~(1 << ((n) % NFDBITS)))
+# define FD_ISSET(n, p)  (*(p) & (1 << ((n) % NFDBITS)))
+# define FD_ZERO(p)      memset((char *)(p), 0, sizeof(*(p)))
+#endif
+
+#define PORT            4433
+#define PORT_STR        "4433"
+#define PROTOCOL        "tcp"
+
+int do_server(int port, int type, int *ret,
+              int (*cb) (char *hostname, int s, int stype,
+                         unsigned char *context), unsigned char *context,
+              int naccept);
+#ifdef HEADER_X509_H
+int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
+#endif
+#ifdef HEADER_SSL_H
+int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
+int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
+                       STACK_OF(X509) *chain, int build_chain);
+int ssl_print_sigalgs(BIO *out, SSL *s);
+int ssl_print_point_formats(BIO *out, SSL *s);
+int ssl_print_curves(BIO *out, SSL *s, int noshared);
+#endif
+int ssl_print_tmp_key(BIO *out, SSL *s);
+int init_client(int *sock, char *server, int port, int type);
+int should_retry(int i);
+int extract_port(char *str, short *port_ptr);
+int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
+                      short *p);
+
+long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
+                                   int argi, long argl, long ret);
+
+#ifdef HEADER_SSL_H
+void MS_CALLBACK apps_ssl_info_callback(const SSL *s, int where, int ret);
+void MS_CALLBACK msg_cb(int write_p, int version, int content_type,
+                        const void *buf, size_t len, SSL *ssl, void *arg);
+void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
+                           unsigned char *data, int len, void *arg);
+#endif
+
+int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie,
+                                         unsigned int *cookie_len);
+int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie,
+                                       unsigned int cookie_len);
+
+typedef struct ssl_excert_st SSL_EXCERT;
+
+void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc);
+void ssl_excert_free(SSL_EXCERT *exc);
+int args_excert(char ***pargs, int *pargc,
+                int *badarg, BIO *err, SSL_EXCERT **pexc);
+int load_excert(SSL_EXCERT **pexc, BIO *err);
+void print_ssl_summary(BIO *bio, SSL *s);
+#ifdef HEADER_SSL_H
+int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
+             int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr,
+             int *no_prot_opt);
+int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
+                  STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake);
+int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
+                     int crl_download);
+int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
+                    const char *vfyCAfile, const char *chCApath,
+                    const char *chCAfile, STACK_OF(X509_CRL) *crls,
+                    int crl_download);
+#endif
diff --git a/openssl/apps/s_cb.c b/openssl/apps/s_cb.c
new file mode 100644
index 0000000..7d71954
--- /dev/null
+++ b/openssl/apps/s_cb.c
@@ -0,0 +1,1664 @@
+/* apps/s_cb.c - callback functions used by s_client, s_server, and s_time */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h> /* for memcpy() and strcmp() */
+#define USE_SOCKETS
+#define NON_MAIN
+#include "apps.h"
+#undef NON_MAIN
+#undef USE_SOCKETS
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/ssl.h>
+#include "s_apps.h"
+
+#define COOKIE_SECRET_LENGTH    16
+
+int verify_depth = 0;
+int verify_quiet = 0;
+int verify_error = X509_V_OK;
+int verify_return_error = 0;
+unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
+int cookie_initialized = 0;
+
+int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
+{
+    X509 *err_cert;
+    int err, depth;
+
+    err_cert = X509_STORE_CTX_get_current_cert(ctx);
+    err = X509_STORE_CTX_get_error(ctx);
+    depth = X509_STORE_CTX_get_error_depth(ctx);
+
+    if (!verify_quiet || !ok) {
+        BIO_printf(bio_err, "depth=%d ", depth);
+        if (err_cert) {
+            X509_NAME_print_ex(bio_err,
+                               X509_get_subject_name(err_cert),
+                               0, XN_FLAG_ONELINE);
+            BIO_puts(bio_err, "\n");
+        } else
+            BIO_puts(bio_err, "<no cert>\n");
+    }
+    if (!ok) {
+        BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
+                   X509_verify_cert_error_string(err));
+        if (verify_depth >= depth) {
+            if (!verify_return_error)
+                ok = 1;
+            verify_error = X509_V_OK;
+        } else {
+            ok = 0;
+            verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
+        }
+    }
+    switch (err) {
+    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+        BIO_puts(bio_err, "issuer= ");
+        X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
+                           0, XN_FLAG_ONELINE);
+        BIO_puts(bio_err, "\n");
+        break;
+    case X509_V_ERR_CERT_NOT_YET_VALID:
+    case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+        BIO_printf(bio_err, "notBefore=");
+        ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert));
+        BIO_printf(bio_err, "\n");
+        break;
+    case X509_V_ERR_CERT_HAS_EXPIRED:
+    case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+        BIO_printf(bio_err, "notAfter=");
+        ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert));
+        BIO_printf(bio_err, "\n");
+        break;
+    case X509_V_ERR_NO_EXPLICIT_POLICY:
+        if (!verify_quiet)
+            policies_print(bio_err, ctx);
+        break;
+    }
+    if (err == X509_V_OK && ok == 2 && !verify_quiet)
+        policies_print(bio_err, ctx);
+    if (ok && !verify_quiet)
+        BIO_printf(bio_err, "verify return:%d\n", ok);
+    return (ok);
+}
+
+int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
+{
+    if (cert_file != NULL) {
+        /*-
+        SSL *ssl;
+        X509 *x509;
+        */
+
+        if (SSL_CTX_use_certificate_file(ctx, cert_file,
+                                         SSL_FILETYPE_PEM) <= 0) {
+            BIO_printf(bio_err, "unable to get certificate from '%s'\n",
+                       cert_file);
+            ERR_print_errors(bio_err);
+            return (0);
+        }
+        if (key_file == NULL)
+            key_file = cert_file;
+        if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) {
+            BIO_printf(bio_err, "unable to get private key from '%s'\n",
+                       key_file);
+            ERR_print_errors(bio_err);
+            return (0);
+        }
+
+        /*-
+        In theory this is no longer needed
+        ssl=SSL_new(ctx);
+        x509=SSL_get_certificate(ssl);
+
+        if (x509 != NULL) {
+                EVP_PKEY *pktmp;
+                pktmp = X509_get_pubkey(x509);
+                EVP_PKEY_copy_parameters(pktmp,
+                                        SSL_get_privatekey(ssl));
+                EVP_PKEY_free(pktmp);
+        }
+        SSL_free(ssl);
+        */
+
+        /*
+         * If we are using DSA, we can copy the parameters from the private
+         * key
+         */
+
+        /*
+         * Now we know that a key and cert have been set against the SSL
+         * context
+         */
+        if (!SSL_CTX_check_private_key(ctx)) {
+            BIO_printf(bio_err,
+                       "Private key does not match the certificate public key\n");
+            return (0);
+        }
+    }
+    return (1);
+}
+
+int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
+                       STACK_OF(X509) *chain, int build_chain)
+{
+    int chflags = chain ? SSL_BUILD_CHAIN_FLAG_CHECK : 0;
+    if (cert == NULL)
+        return 1;
+    if (SSL_CTX_use_certificate(ctx, cert) <= 0) {
+        BIO_printf(bio_err, "error setting certificate\n");
+        ERR_print_errors(bio_err);
+        return 0;
+    }
+
+    if (SSL_CTX_use_PrivateKey(ctx, key) <= 0) {
+        BIO_printf(bio_err, "error setting private key\n");
+        ERR_print_errors(bio_err);
+        return 0;
+    }
+
+    /*
+     * Now we know that a key and cert have been set against the SSL context
+     */
+    if (!SSL_CTX_check_private_key(ctx)) {
+        BIO_printf(bio_err,
+                   "Private key does not match the certificate public key\n");
+        return 0;
+    }
+    if (chain && !SSL_CTX_set1_chain(ctx, chain)) {
+        BIO_printf(bio_err, "error setting certificate chain\n");
+        ERR_print_errors(bio_err);
+        return 0;
+    }
+    if (build_chain && !SSL_CTX_build_cert_chain(ctx, chflags)) {
+        BIO_printf(bio_err, "error building certificate chain\n");
+        ERR_print_errors(bio_err);
+        return 0;
+    }
+    return 1;
+}
+
+static void ssl_print_client_cert_types(BIO *bio, SSL *s)
+{
+    const unsigned char *p;
+    int i;
+    int cert_type_num = SSL_get0_certificate_types(s, &p);
+    if (!cert_type_num)
+        return;
+    BIO_puts(bio, "Client Certificate Types: ");
+    for (i = 0; i < cert_type_num; i++) {
+        unsigned char cert_type = p[i];
+        char *cname;
+        switch (cert_type) {
+        case TLS_CT_RSA_SIGN:
+            cname = "RSA sign";
+            break;
+
+        case TLS_CT_DSS_SIGN:
+            cname = "DSA sign";
+            break;
+
+        case TLS_CT_RSA_FIXED_DH:
+            cname = "RSA fixed DH";
+            break;
+
+        case TLS_CT_DSS_FIXED_DH:
+            cname = "DSS fixed DH";
+            break;
+
+        case TLS_CT_ECDSA_SIGN:
+            cname = "ECDSA sign";
+            break;
+
+        case TLS_CT_RSA_FIXED_ECDH:
+            cname = "RSA fixed ECDH";
+            break;
+
+        case TLS_CT_ECDSA_FIXED_ECDH:
+            cname = "ECDSA fixed ECDH";
+            break;
+
+        case TLS_CT_GOST94_SIGN:
+            cname = "GOST94 Sign";
+            break;
+
+        case TLS_CT_GOST01_SIGN:
+            cname = "GOST01 Sign";
+            break;
+
+        default:
+            cname = NULL;
+        }
+
+        if (i)
+            BIO_puts(bio, ", ");
+
+        if (cname)
+            BIO_puts(bio, cname);
+        else
+            BIO_printf(bio, "UNKNOWN (%d),", cert_type);
+    }
+    BIO_puts(bio, "\n");
+}
+
+static int do_print_sigalgs(BIO *out, SSL *s, int shared)
+{
+    int i, nsig, client;
+    client = SSL_is_server(s) ? 0 : 1;
+    if (shared)
+        nsig = SSL_get_shared_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL);
+    else
+        nsig = SSL_get_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL);
+    if (nsig == 0)
+        return 1;
+
+    if (shared)
+        BIO_puts(out, "Shared ");
+
+    if (client)
+        BIO_puts(out, "Requested ");
+    BIO_puts(out, "Signature Algorithms: ");
+    for (i = 0; i < nsig; i++) {
+        int hash_nid, sign_nid;
+        unsigned char rhash, rsign;
+        const char *sstr = NULL;
+        if (shared)
+            SSL_get_shared_sigalgs(s, i, &sign_nid, &hash_nid, NULL,
+                                   &rsign, &rhash);
+        else
+            SSL_get_sigalgs(s, i, &sign_nid, &hash_nid, NULL, &rsign, &rhash);
+        if (i)
+            BIO_puts(out, ":");
+        if (sign_nid == EVP_PKEY_RSA)
+            sstr = "RSA";
+        else if (sign_nid == EVP_PKEY_DSA)
+            sstr = "DSA";
+        else if (sign_nid == EVP_PKEY_EC)
+            sstr = "ECDSA";
+        if (sstr)
+            BIO_printf(out, "%s+", sstr);
+        else
+            BIO_printf(out, "0x%02X+", (int)rsign);
+        if (hash_nid != NID_undef)
+            BIO_printf(out, "%s", OBJ_nid2sn(hash_nid));
+        else
+            BIO_printf(out, "0x%02X", (int)rhash);
+    }
+    BIO_puts(out, "\n");
+    return 1;
+}
+
+int ssl_print_sigalgs(BIO *out, SSL *s)
+{
+    int mdnid;
+    if (!SSL_is_server(s))
+        ssl_print_client_cert_types(out, s);
+    do_print_sigalgs(out, s, 0);
+    do_print_sigalgs(out, s, 1);
+    if (SSL_get_peer_signature_nid(s, &mdnid))
+        BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(mdnid));
+    return 1;
+}
+
+#ifndef OPENSSL_NO_EC
+int ssl_print_point_formats(BIO *out, SSL *s)
+{
+    int i, nformats;
+    const char *pformats;
+    nformats = SSL_get0_ec_point_formats(s, &pformats);
+    if (nformats <= 0)
+        return 1;
+    BIO_puts(out, "Supported Elliptic Curve Point Formats: ");
+    for (i = 0; i < nformats; i++, pformats++) {
+        if (i)
+            BIO_puts(out, ":");
+        switch (*pformats) {
+        case TLSEXT_ECPOINTFORMAT_uncompressed:
+            BIO_puts(out, "uncompressed");
+            break;
+
+        case TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime:
+            BIO_puts(out, "ansiX962_compressed_prime");
+            break;
+
+        case TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2:
+            BIO_puts(out, "ansiX962_compressed_char2");
+            break;
+
+        default:
+            BIO_printf(out, "unknown(%d)", (int)*pformats);
+            break;
+
+        }
+    }
+    if (nformats <= 0)
+        BIO_puts(out, "NONE");
+    BIO_puts(out, "\n");
+    return 1;
+}
+
+int ssl_print_curves(BIO *out, SSL *s, int noshared)
+{
+    int i, ncurves, *curves, nid;
+    const char *cname;
+    ncurves = SSL_get1_curves(s, NULL);
+    if (ncurves <= 0)
+        return 1;
+    curves = OPENSSL_malloc(ncurves * sizeof(int));
+    if (!curves) {
+        BIO_puts(out, "Malloc error getting supported curves\n");
+        return 0;
+    }
+    SSL_get1_curves(s, curves);
+
+
+    BIO_puts(out, "Supported Elliptic Curves: ");
+    for (i = 0; i < ncurves; i++) {
+        if (i)
+            BIO_puts(out, ":");
+        nid = curves[i];
+        /* If unrecognised print out hex version */
+        if (nid & TLSEXT_nid_unknown)
+            BIO_printf(out, "0x%04X", nid & 0xFFFF);
+        else {
+            /* Use NIST name for curve if it exists */
+            cname = EC_curve_nid2nist(nid);
+            if (!cname)
+                cname = OBJ_nid2sn(nid);
+            BIO_printf(out, "%s", cname);
+        }
+    }
+    if (ncurves == 0)
+        BIO_puts(out, "NONE");
+    OPENSSL_free(curves);
+    if (noshared) {
+        BIO_puts(out, "\n");
+        return 1;
+    }
+    BIO_puts(out, "\nShared Elliptic curves: ");
+    ncurves = SSL_get_shared_curve(s, -1);
+    for (i = 0; i < ncurves; i++) {
+        if (i)
+            BIO_puts(out, ":");
+        nid = SSL_get_shared_curve(s, i);
+        cname = EC_curve_nid2nist(nid);
+        if (!cname)
+            cname = OBJ_nid2sn(nid);
+        BIO_printf(out, "%s", cname);
+    }
+    if (ncurves == 0)
+        BIO_puts(out, "NONE");
+    BIO_puts(out, "\n");
+    return 1;
+}
+#endif
+int ssl_print_tmp_key(BIO *out, SSL *s)
+{
+    EVP_PKEY *key;
+    if (!SSL_get_server_tmp_key(s, &key))
+        return 1;
+    BIO_puts(out, "Server Temp Key: ");
+    switch (EVP_PKEY_id(key)) {
+    case EVP_PKEY_RSA:
+        BIO_printf(out, "RSA, %d bits\n", EVP_PKEY_bits(key));
+        break;
+
+    case EVP_PKEY_DH:
+        BIO_printf(out, "DH, %d bits\n", EVP_PKEY_bits(key));
+        break;
+#ifndef OPENSSL_NO_ECDH
+    case EVP_PKEY_EC:
+        {
+            EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
+            int nid;
+            const char *cname;
+            nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
+            EC_KEY_free(ec);
+            cname = EC_curve_nid2nist(nid);
+            if (!cname)
+                cname = OBJ_nid2sn(nid);
+            BIO_printf(out, "ECDH, %s, %d bits\n", cname, EVP_PKEY_bits(key));
+        }
+#endif
+    }
+    EVP_PKEY_free(key);
+    return 1;
+}
+
+long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
+                                   int argi, long argl, long ret)
+{
+    BIO *out;
+
+    out = (BIO *)BIO_get_callback_arg(bio);
+    if (out == NULL)
+        return (ret);
+
+    if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
+        BIO_printf(out, "read from %p [%p] (%lu bytes => %ld (0x%lX))\n",
+                   (void *)bio, (void *)argp, (unsigned long)argi, ret, ret);
+        BIO_dump(out, argp, (int)ret);
+        return (ret);
+    } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
+        BIO_printf(out, "write to %p [%p] (%lu bytes => %ld (0x%lX))\n",
+                   (void *)bio, (void *)argp, (unsigned long)argi, ret, ret);
+        BIO_dump(out, argp, (int)ret);
+    }
+    return (ret);
+}
+
+void MS_CALLBACK apps_ssl_info_callback(const SSL *s, int where, int ret)
+{
+    const char *str;
+    int w;
+
+    w = where & ~SSL_ST_MASK;
+
+    if (w & SSL_ST_CONNECT)
+        str = "SSL_connect";
+    else if (w & SSL_ST_ACCEPT)
+        str = "SSL_accept";
+    else
+        str = "undefined";
+
+    if (where & SSL_CB_LOOP) {
+        BIO_printf(bio_err, "%s:%s\n", str, SSL_state_string_long(s));
+    } else if (where & SSL_CB_ALERT) {
+        str = (where & SSL_CB_READ) ? "read" : "write";
+        BIO_printf(bio_err, "SSL3 alert %s:%s:%s\n",
+                   str,
+                   SSL_alert_type_string_long(ret),
+                   SSL_alert_desc_string_long(ret));
+    } else if (where & SSL_CB_EXIT) {
+        if (ret == 0)
+            BIO_printf(bio_err, "%s:failed in %s\n",
+                       str, SSL_state_string_long(s));
+        else if (ret < 0) {
+            BIO_printf(bio_err, "%s:error in %s\n",
+                       str, SSL_state_string_long(s));
+        }
+    }
+}
+
+void MS_CALLBACK msg_cb(int write_p, int version, int content_type,
+                        const void *buf, size_t len, SSL *ssl, void *arg)
+{
+    BIO *bio = arg;
+    const char *str_write_p, *str_version, *str_content_type =
+        "", *str_details1 = "", *str_details2 = "";
+
+    str_write_p = write_p ? ">>>" : "<<<";
+
+    switch (version) {
+    case SSL2_VERSION:
+        str_version = "SSL 2.0";
+        break;
+    case SSL3_VERSION:
+        str_version = "SSL 3.0 ";
+        break;
+    case TLS1_VERSION:
+        str_version = "TLS 1.0 ";
+        break;
+    case TLS1_1_VERSION:
+        str_version = "TLS 1.1 ";
+        break;
+    case TLS1_2_VERSION:
+        str_version = "TLS 1.2 ";
+        break;
+    case DTLS1_VERSION:
+        str_version = "DTLS 1.0 ";
+        break;
+    case DTLS1_BAD_VER:
+        str_version = "DTLS 1.0 (bad) ";
+        break;
+    default:
+        str_version = "???";
+    }
+
+    if (version == SSL2_VERSION) {
+        str_details1 = "???";
+
+        if (len > 0) {
+            switch (((const unsigned char *)buf)[0]) {
+            case 0:
+                str_details1 = ", ERROR:";
+                str_details2 = " ???";
+                if (len >= 3) {
+                    unsigned err =
+                        (((const unsigned char *)buf)[1] << 8) +
+                        ((const unsigned char *)buf)[2];
+
+                    switch (err) {
+                    case 0x0001:
+                        str_details2 = " NO-CIPHER-ERROR";
+                        break;
+                    case 0x0002:
+                        str_details2 = " NO-CERTIFICATE-ERROR";
+                        break;
+                    case 0x0004:
+                        str_details2 = " BAD-CERTIFICATE-ERROR";
+                        break;
+                    case 0x0006:
+                        str_details2 = " UNSUPPORTED-CERTIFICATE-TYPE-ERROR";
+                        break;
+                    }
+                }
+
+                break;
+            case 1:
+                str_details1 = ", CLIENT-HELLO";
+                break;
+            case 2:
+                str_details1 = ", CLIENT-MASTER-KEY";
+                break;
+            case 3:
+                str_details1 = ", CLIENT-FINISHED";
+                break;
+            case 4:
+                str_details1 = ", SERVER-HELLO";
+                break;
+            case 5:
+                str_details1 = ", SERVER-VERIFY";
+                break;
+            case 6:
+                str_details1 = ", SERVER-FINISHED";
+                break;
+            case 7:
+                str_details1 = ", REQUEST-CERTIFICATE";
+                break;
+            case 8:
+                str_details1 = ", CLIENT-CERTIFICATE";
+                break;
+            }
+        }
+    }
+
+    if (version == SSL3_VERSION ||
+        version == TLS1_VERSION ||
+        version == TLS1_1_VERSION ||
+        version == TLS1_2_VERSION ||
+        version == DTLS1_VERSION || version == DTLS1_BAD_VER) {
+        switch (content_type) {
+        case 20:
+            str_content_type = "ChangeCipherSpec";
+            break;
+        case 21:
+            str_content_type = "Alert";
+            break;
+        case 22:
+            str_content_type = "Handshake";
+            break;
+        }
+
+        if (content_type == 21) { /* Alert */
+            str_details1 = ", ???";
+
+            if (len == 2) {
+                switch (((const unsigned char *)buf)[0]) {
+                case 1:
+                    str_details1 = ", warning";
+                    break;
+                case 2:
+                    str_details1 = ", fatal";
+                    break;
+                }
+
+                str_details2 = " ???";
+                switch (((const unsigned char *)buf)[1]) {
+                case 0:
+                    str_details2 = " close_notify";
+                    break;
+                case 10:
+                    str_details2 = " unexpected_message";
+                    break;
+                case 20:
+                    str_details2 = " bad_record_mac";
+                    break;
+                case 21:
+                    str_details2 = " decryption_failed";
+                    break;
+                case 22:
+                    str_details2 = " record_overflow";
+                    break;
+                case 30:
+                    str_details2 = " decompression_failure";
+                    break;
+                case 40:
+                    str_details2 = " handshake_failure";
+                    break;
+                case 42:
+                    str_details2 = " bad_certificate";
+                    break;
+                case 43:
+                    str_details2 = " unsupported_certificate";
+                    break;
+                case 44:
+                    str_details2 = " certificate_revoked";
+                    break;
+                case 45:
+                    str_details2 = " certificate_expired";
+                    break;
+                case 46:
+                    str_details2 = " certificate_unknown";
+                    break;
+                case 47:
+                    str_details2 = " illegal_parameter";
+                    break;
+                case 48:
+                    str_details2 = " unknown_ca";
+                    break;
+                case 49:
+                    str_details2 = " access_denied";
+                    break;
+                case 50:
+                    str_details2 = " decode_error";
+                    break;
+                case 51:
+                    str_details2 = " decrypt_error";
+                    break;
+                case 60:
+                    str_details2 = " export_restriction";
+                    break;
+                case 70:
+                    str_details2 = " protocol_version";
+                    break;
+                case 71:
+                    str_details2 = " insufficient_security";
+                    break;
+                case 80:
+                    str_details2 = " internal_error";
+                    break;
+                case 90:
+                    str_details2 = " user_canceled";
+                    break;
+                case 100:
+                    str_details2 = " no_renegotiation";
+                    break;
+                case 110:
+                    str_details2 = " unsupported_extension";
+                    break;
+                case 111:
+                    str_details2 = " certificate_unobtainable";
+                    break;
+                case 112:
+                    str_details2 = " unrecognized_name";
+                    break;
+                case 113:
+                    str_details2 = " bad_certificate_status_response";
+                    break;
+                case 114:
+                    str_details2 = " bad_certificate_hash_value";
+                    break;
+                case 115:
+                    str_details2 = " unknown_psk_identity";
+                    break;
+                }
+            }
+        }
+
+        if (content_type == 22) { /* Handshake */
+            str_details1 = "???";
+
+            if (len > 0) {
+                switch (((const unsigned char *)buf)[0]) {
+                case 0:
+                    str_details1 = ", HelloRequest";
+                    break;
+                case 1:
+                    str_details1 = ", ClientHello";
+                    break;
+                case 2:
+                    str_details1 = ", ServerHello";
+                    break;
+                case 3:
+                    str_details1 = ", HelloVerifyRequest";
+                    break;
+                case 11:
+                    str_details1 = ", Certificate";
+                    break;
+                case 12:
+                    str_details1 = ", ServerKeyExchange";
+                    break;
+                case 13:
+                    str_details1 = ", CertificateRequest";
+                    break;
+                case 14:
+                    str_details1 = ", ServerHelloDone";
+                    break;
+                case 15:
+                    str_details1 = ", CertificateVerify";
+                    break;
+                case 16:
+                    str_details1 = ", ClientKeyExchange";
+                    break;
+                case 20:
+                    str_details1 = ", Finished";
+                    break;
+                }
+            }
+        }
+#ifndef OPENSSL_NO_HEARTBEATS
+        if (content_type == 24) { /* Heartbeat */
+            str_details1 = ", Heartbeat";
+
+            if (len > 0) {
+                switch (((const unsigned char *)buf)[0]) {
+                case 1:
+                    str_details1 = ", HeartbeatRequest";
+                    break;
+                case 2:
+                    str_details1 = ", HeartbeatResponse";
+                    break;
+                }
+            }
+        }
+#endif
+    }
+
+    BIO_printf(bio, "%s %s%s [length %04lx]%s%s\n", str_write_p, str_version,
+               str_content_type, (unsigned long)len, str_details1,
+               str_details2);
+
+    if (len > 0) {
+        size_t num, i;
+
+        BIO_printf(bio, "   ");
+        num = len;
+#if 0
+        if (num > 16)
+            num = 16;
+#endif
+        for (i = 0; i < num; i++) {
+            if (i % 16 == 0 && i > 0)
+                BIO_printf(bio, "\n   ");
+            BIO_printf(bio, " %02x", ((const unsigned char *)buf)[i]);
+        }
+        if (i < len)
+            BIO_printf(bio, " ...");
+        BIO_printf(bio, "\n");
+    }
+    (void)BIO_flush(bio);
+}
+
+void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
+                           unsigned char *data, int len, void *arg)
+{
+    BIO *bio = arg;
+    char *extname;
+
+    switch (type) {
+    case TLSEXT_TYPE_server_name:
+        extname = "server name";
+        break;
+
+    case TLSEXT_TYPE_max_fragment_length:
+        extname = "max fragment length";
+        break;
+
+    case TLSEXT_TYPE_client_certificate_url:
+        extname = "client certificate URL";
+        break;
+
+    case TLSEXT_TYPE_trusted_ca_keys:
+        extname = "trusted CA keys";
+        break;
+
+    case TLSEXT_TYPE_truncated_hmac:
+        extname = "truncated HMAC";
+        break;
+
+    case TLSEXT_TYPE_status_request:
+        extname = "status request";
+        break;
+
+    case TLSEXT_TYPE_user_mapping:
+        extname = "user mapping";
+        break;
+
+    case TLSEXT_TYPE_client_authz:
+        extname = "client authz";
+        break;
+
+    case TLSEXT_TYPE_server_authz:
+        extname = "server authz";
+        break;
+
+    case TLSEXT_TYPE_cert_type:
+        extname = "cert type";
+        break;
+
+    case TLSEXT_TYPE_elliptic_curves:
+        extname = "elliptic curves";
+        break;
+
+    case TLSEXT_TYPE_ec_point_formats:
+        extname = "EC point formats";
+        break;
+
+    case TLSEXT_TYPE_srp:
+        extname = "SRP";
+        break;
+
+    case TLSEXT_TYPE_signature_algorithms:
+        extname = "signature algorithms";
+        break;
+
+    case TLSEXT_TYPE_use_srtp:
+        extname = "use SRTP";
+        break;
+
+    case TLSEXT_TYPE_heartbeat:
+        extname = "heartbeat";
+        break;
+
+    case TLSEXT_TYPE_session_ticket:
+        extname = "session ticket";
+        break;
+
+    case TLSEXT_TYPE_renegotiate:
+        extname = "renegotiation info";
+        break;
+
+#ifdef TLSEXT_TYPE_opaque_prf_input
+    case TLSEXT_TYPE_opaque_prf_input:
+        extname = "opaque PRF input";
+        break;
+#endif
+#ifdef TLSEXT_TYPE_next_proto_neg
+    case TLSEXT_TYPE_next_proto_neg:
+        extname = "next protocol";
+        break;
+#endif
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+    case TLSEXT_TYPE_application_layer_protocol_negotiation:
+        extname = "application layer protocol negotiation";
+        break;
+#endif
+
+    case TLSEXT_TYPE_padding:
+        extname = "TLS padding";
+        break;
+
+    default:
+        extname = "unknown";
+        break;
+
+    }
+
+    BIO_printf(bio, "TLS %s extension \"%s\" (id=%d), len=%d\n",
+               client_server ? "server" : "client", extname, type, len);
+    BIO_dump(bio, (char *)data, len);
+    (void)BIO_flush(bio);
+}
+
+int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie,
+                                         unsigned int *cookie_len)
+{
+    unsigned char *buffer, result[EVP_MAX_MD_SIZE];
+    unsigned int length, resultlength;
+    union {
+        struct sockaddr sa;
+        struct sockaddr_in s4;
+#if OPENSSL_USE_IPV6
+        struct sockaddr_in6 s6;
+#endif
+    } peer;
+
+    /* Initialize a random secret */
+    if (!cookie_initialized) {
+        if (RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH) <= 0) {
+            BIO_printf(bio_err, "error setting random cookie secret\n");
+            return 0;
+        }
+        cookie_initialized = 1;
+    }
+
+    /* Read peer information */
+    (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);
+
+    /* Create buffer with peer's address and port */
+    length = 0;
+    switch (peer.sa.sa_family) {
+    case AF_INET:
+        length += sizeof(struct in_addr);
+        length += sizeof(peer.s4.sin_port);
+        break;
+#if OPENSSL_USE_IPV6
+    case AF_INET6:
+        length += sizeof(struct in6_addr);
+        length += sizeof(peer.s6.sin6_port);
+        break;
+#endif
+    default:
+        OPENSSL_assert(0);
+        break;
+    }
+    buffer = OPENSSL_malloc(length);
+
+    if (buffer == NULL) {
+        BIO_printf(bio_err, "out of memory\n");
+        return 0;
+    }
+
+    switch (peer.sa.sa_family) {
+    case AF_INET:
+        memcpy(buffer, &peer.s4.sin_port, sizeof(peer.s4.sin_port));
+        memcpy(buffer + sizeof(peer.s4.sin_port),
+               &peer.s4.sin_addr, sizeof(struct in_addr));
+        break;
+#if OPENSSL_USE_IPV6
+    case AF_INET6:
+        memcpy(buffer, &peer.s6.sin6_port, sizeof(peer.s6.sin6_port));
+        memcpy(buffer + sizeof(peer.s6.sin6_port),
+               &peer.s6.sin6_addr, sizeof(struct in6_addr));
+        break;
+#endif
+    default:
+        OPENSSL_assert(0);
+        break;
+    }
+
+    /* Calculate HMAC of buffer using the secret */
+    HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
+         buffer, length, result, &resultlength);
+    OPENSSL_free(buffer);
+
+    memcpy(cookie, result, resultlength);
+    *cookie_len = resultlength;
+
+    return 1;
+}
+
+int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie,
+                                       unsigned int cookie_len)
+{
+    unsigned char *buffer, result[EVP_MAX_MD_SIZE];
+    unsigned int length, resultlength;
+    union {
+        struct sockaddr sa;
+        struct sockaddr_in s4;
+#if OPENSSL_USE_IPV6
+        struct sockaddr_in6 s6;
+#endif
+    } peer;
+
+    /* If secret isn't initialized yet, the cookie can't be valid */
+    if (!cookie_initialized)
+        return 0;
+
+    /* Read peer information */
+    (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);
+
+    /* Create buffer with peer's address and port */
+    length = 0;
+    switch (peer.sa.sa_family) {
+    case AF_INET:
+        length += sizeof(struct in_addr);
+        length += sizeof(peer.s4.sin_port);
+        break;
+#if OPENSSL_USE_IPV6
+    case AF_INET6:
+        length += sizeof(struct in6_addr);
+        length += sizeof(peer.s6.sin6_port);
+        break;
+#endif
+    default:
+        OPENSSL_assert(0);
+        break;
+    }
+    buffer = OPENSSL_malloc(length);
+
+    if (buffer == NULL) {
+        BIO_printf(bio_err, "out of memory\n");
+        return 0;
+    }
+
+    switch (peer.sa.sa_family) {
+    case AF_INET:
+        memcpy(buffer, &peer.s4.sin_port, sizeof(peer.s4.sin_port));
+        memcpy(buffer + sizeof(peer.s4.sin_port),
+               &peer.s4.sin_addr, sizeof(struct in_addr));
+        break;
+#if OPENSSL_USE_IPV6
+    case AF_INET6:
+        memcpy(buffer, &peer.s6.sin6_port, sizeof(peer.s6.sin6_port));
+        memcpy(buffer + sizeof(peer.s6.sin6_port),
+               &peer.s6.sin6_addr, sizeof(struct in6_addr));
+        break;
+#endif
+    default:
+        OPENSSL_assert(0);
+        break;
+    }
+
+    /* Calculate HMAC of buffer using the secret */
+    HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
+         buffer, length, result, &resultlength);
+    OPENSSL_free(buffer);
+
+    if (cookie_len == resultlength
+        && memcmp(result, cookie, resultlength) == 0)
+        return 1;
+
+    return 0;
+}
+
+/*
+ * Example of extended certificate handling. Where the standard support of
+ * one certificate per algorithm is not sufficient an application can decide
+ * which certificate(s) to use at runtime based on whatever criteria it deems
+ * appropriate.
+ */
+
+/* Linked list of certificates, keys and chains */
+struct ssl_excert_st {
+    int certform;
+    const char *certfile;
+    int keyform;
+    const char *keyfile;
+    const char *chainfile;
+    X509 *cert;
+    EVP_PKEY *key;
+    STACK_OF(X509) *chain;
+    int build_chain;
+    struct ssl_excert_st *next, *prev;
+};
+
+struct chain_flags {
+    int flag;
+    const char *name;
+};
+
+struct chain_flags chain_flags_list[] = {
+    {CERT_PKEY_VALID, "Overall Validity"},
+    {CERT_PKEY_SIGN, "Sign with EE key"},
+    {CERT_PKEY_EE_SIGNATURE, "EE signature"},
+    {CERT_PKEY_CA_SIGNATURE, "CA signature"},
+    {CERT_PKEY_EE_PARAM, "EE key parameters"},
+    {CERT_PKEY_CA_PARAM, "CA key parameters"},
+    {CERT_PKEY_EXPLICIT_SIGN, "Explicity sign with EE key"},
+    {CERT_PKEY_ISSUER_NAME, "Issuer Name"},
+    {CERT_PKEY_CERT_TYPE, "Certificate Type"},
+    {0, NULL}
+};
+
+static void print_chain_flags(BIO *out, SSL *s, int flags)
+{
+    struct chain_flags *ctmp = chain_flags_list;
+    while (ctmp->name) {
+        BIO_printf(out, "\t%s: %s\n", ctmp->name,
+                   flags & ctmp->flag ? "OK" : "NOT OK");
+        ctmp++;
+    }
+    BIO_printf(out, "\tSuite B: ");
+    if (SSL_set_cert_flags(s, 0) & SSL_CERT_FLAG_SUITEB_128_LOS)
+        BIO_puts(out, flags & CERT_PKEY_SUITEB ? "OK\n" : "NOT OK\n");
+    else
+        BIO_printf(out, "not tested\n");
+}
+
+/*
+ * Very basic selection callback: just use any certificate chain reported as
+ * valid. More sophisticated could prioritise according to local policy.
+ */
+static int set_cert_cb(SSL *ssl, void *arg)
+{
+    int i, rv;
+    SSL_EXCERT *exc = arg;
+#ifdef CERT_CB_TEST_RETRY
+    static int retry_cnt;
+    if (retry_cnt < 5) {
+        retry_cnt++;
+        fprintf(stderr, "Certificate callback retry test: count %d\n",
+                retry_cnt);
+        return -1;
+    }
+#endif
+    SSL_certs_clear(ssl);
+
+    if (!exc)
+        return 1;
+
+    /*
+     * Go to end of list and traverse backwards since we prepend newer
+     * entries this retains the original order.
+     */
+    while (exc->next)
+        exc = exc->next;
+
+    i = 0;
+
+    while (exc) {
+        i++;
+        rv = SSL_check_chain(ssl, exc->cert, exc->key, exc->chain);
+        BIO_printf(bio_err, "Checking cert chain %d:\nSubject: ", i);
+        X509_NAME_print_ex(bio_err, X509_get_subject_name(exc->cert), 0,
+                           XN_FLAG_ONELINE);
+        BIO_puts(bio_err, "\n");
+
+        print_chain_flags(bio_err, ssl, rv);
+        if (rv & CERT_PKEY_VALID) {
+            SSL_use_certificate(ssl, exc->cert);
+            SSL_use_PrivateKey(ssl, exc->key);
+            /*
+             * NB: we wouldn't normally do this as it is not efficient
+             * building chains on each connection better to cache the chain
+             * in advance.
+             */
+            if (exc->build_chain) {
+                if (!SSL_build_cert_chain(ssl, 0))
+                    return 0;
+            } else if (exc->chain)
+                SSL_set1_chain(ssl, exc->chain);
+        }
+        exc = exc->prev;
+    }
+    return 1;
+}
+
+void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc)
+{
+    SSL_CTX_set_cert_cb(ctx, set_cert_cb, exc);
+}
+
+static int ssl_excert_prepend(SSL_EXCERT **pexc)
+{
+    SSL_EXCERT *exc;
+    exc = OPENSSL_malloc(sizeof(SSL_EXCERT));
+    if (!exc)
+        return 0;
+    exc->certfile = NULL;
+    exc->keyfile = NULL;
+    exc->chainfile = NULL;
+    exc->cert = NULL;
+    exc->key = NULL;
+    exc->chain = NULL;
+    exc->prev = NULL;
+    exc->build_chain = 0;
+
+    exc->next = *pexc;
+    *pexc = exc;
+
+    if (exc->next) {
+        exc->certform = exc->next->certform;
+        exc->keyform = exc->next->keyform;
+        exc->next->prev = exc;
+    } else {
+        exc->certform = FORMAT_PEM;
+        exc->keyform = FORMAT_PEM;
+    }
+    return 1;
+
+}
+
+void ssl_excert_free(SSL_EXCERT *exc)
+{
+    SSL_EXCERT *curr;
+    while (exc) {
+        if (exc->cert)
+            X509_free(exc->cert);
+        if (exc->key)
+            EVP_PKEY_free(exc->key);
+        if (exc->chain)
+            sk_X509_pop_free(exc->chain, X509_free);
+        curr = exc;
+        exc = exc->next;
+        OPENSSL_free(curr);
+    }
+}
+
+int load_excert(SSL_EXCERT **pexc, BIO *err)
+{
+    SSL_EXCERT *exc = *pexc;
+    if (!exc)
+        return 1;
+    /* If nothing in list, free and set to NULL */
+    if (!exc->certfile && !exc->next) {
+        ssl_excert_free(exc);
+        *pexc = NULL;
+        return 1;
+    }
+    for (; exc; exc = exc->next) {
+        if (!exc->certfile) {
+            BIO_printf(err, "Missing filename\n");
+            return 0;
+        }
+        exc->cert = load_cert(err, exc->certfile, exc->certform,
+                              NULL, NULL, "Server Certificate");
+        if (!exc->cert)
+            return 0;
+        if (exc->keyfile) {
+            exc->key = load_key(err, exc->keyfile, exc->keyform,
+                                0, NULL, NULL, "Server Key");
+        } else {
+            exc->key = load_key(err, exc->certfile, exc->certform,
+                                0, NULL, NULL, "Server Key");
+        }
+        if (!exc->key)
+            return 0;
+        if (exc->chainfile) {
+            exc->chain = load_certs(err,
+                                    exc->chainfile, FORMAT_PEM,
+                                    NULL, NULL, "Server Chain");
+            if (!exc->chain)
+                return 0;
+        }
+    }
+    return 1;
+}
+
+int args_excert(char ***pargs, int *pargc,
+                int *badarg, BIO *err, SSL_EXCERT **pexc)
+{
+    char *arg = **pargs, *argn = (*pargs)[1];
+    SSL_EXCERT *exc = *pexc;
+    int narg = 2;
+    if (!exc) {
+        if (ssl_excert_prepend(&exc))
+            *pexc = exc;
+        else {
+            BIO_printf(err, "Error initialising xcert\n");
+            *badarg = 1;
+            goto err;
+        }
+    }
+    if (strcmp(arg, "-xcert") == 0) {
+        if (!argn) {
+            *badarg = 1;
+            return 1;
+        }
+        if (exc->certfile && !ssl_excert_prepend(&exc)) {
+            BIO_printf(err, "Error adding xcert\n");
+            *badarg = 1;
+            goto err;
+        }
+        exc->certfile = argn;
+    } else if (strcmp(arg, "-xkey") == 0) {
+        if (!argn) {
+            *badarg = 1;
+            return 1;
+        }
+        if (exc->keyfile) {
+            BIO_printf(err, "Key already specified\n");
+            *badarg = 1;
+            return 1;
+        }
+        exc->keyfile = argn;
+    } else if (strcmp(arg, "-xchain") == 0) {
+        if (!argn) {
+            *badarg = 1;
+            return 1;
+        }
+        if (exc->chainfile) {
+            BIO_printf(err, "Chain already specified\n");
+            *badarg = 1;
+            return 1;
+        }
+        exc->chainfile = argn;
+    } else if (strcmp(arg, "-xchain_build") == 0) {
+        narg = 1;
+        exc->build_chain = 1;
+    } else if (strcmp(arg, "-xcertform") == 0) {
+        if (!argn) {
+            *badarg = 1;
+            goto err;
+        }
+        exc->certform = str2fmt(argn);
+    } else if (strcmp(arg, "-xkeyform") == 0) {
+        if (!argn) {
+            *badarg = 1;
+            goto err;
+        }
+        exc->keyform = str2fmt(argn);
+    } else
+        return 0;
+
+    (*pargs) += narg;
+
+    if (pargc)
+        *pargc -= narg;
+
+    *pexc = exc;
+
+    return 1;
+
+ err:
+    ERR_print_errors(err);
+    ssl_excert_free(exc);
+    *pexc = NULL;
+    return 1;
+}
+
+static void print_raw_cipherlist(BIO *bio, SSL *s)
+{
+    const unsigned char *rlist;
+    static const unsigned char scsv_id[] = { 0, 0, 0xFF };
+    size_t i, rlistlen, num;
+    if (!SSL_is_server(s))
+        return;
+    num = SSL_get0_raw_cipherlist(s, NULL);
+    rlistlen = SSL_get0_raw_cipherlist(s, &rlist);
+    BIO_puts(bio, "Client cipher list: ");
+    for (i = 0; i < rlistlen; i += num, rlist += num) {
+        const SSL_CIPHER *c = SSL_CIPHER_find(s, rlist);
+        if (i)
+            BIO_puts(bio, ":");
+        if (c)
+            BIO_puts(bio, SSL_CIPHER_get_name(c));
+        else if (!memcmp(rlist, scsv_id - num + 3, num))
+            BIO_puts(bio, "SCSV");
+        else {
+            size_t j;
+            BIO_puts(bio, "0x");
+            for (j = 0; j < num; j++)
+                BIO_printf(bio, "%02X", rlist[j]);
+        }
+    }
+    BIO_puts(bio, "\n");
+}
+
+void print_ssl_summary(BIO *bio, SSL *s)
+{
+    const SSL_CIPHER *c;
+    X509 *peer;
+    /*
+     * const char *pnam = SSL_is_server(s) ? "client" : "server";
+     */
+    BIO_printf(bio, "Protocol version: %s\n", SSL_get_version(s));
+    print_raw_cipherlist(bio, s);
+    c = SSL_get_current_cipher(s);
+    BIO_printf(bio, "Ciphersuite: %s\n", SSL_CIPHER_get_name(c));
+    do_print_sigalgs(bio, s, 0);
+    peer = SSL_get_peer_certificate(s);
+    if (peer) {
+        int nid;
+        BIO_puts(bio, "Peer certificate: ");
+        X509_NAME_print_ex(bio, X509_get_subject_name(peer),
+                           0, XN_FLAG_ONELINE);
+        BIO_puts(bio, "\n");
+        if (SSL_get_peer_signature_nid(s, &nid))
+            BIO_printf(bio, "Hash used: %s\n", OBJ_nid2sn(nid));
+    } else
+        BIO_puts(bio, "No peer certificate\n");
+    if (peer)
+        X509_free(peer);
+#ifndef OPENSSL_NO_EC
+    ssl_print_point_formats(bio, s);
+    if (SSL_is_server(s))
+        ssl_print_curves(bio, s, 1);
+    else
+        ssl_print_tmp_key(bio, s);
+#else
+    if (!SSL_is_server(s))
+        ssl_print_tmp_key(bio, s);
+#endif
+}
+
+int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
+             int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr,
+             int *no_prot_opt)
+{
+    char *arg = **pargs, *argn = (*pargs)[1];
+    int rv;
+
+    if (strcmp(arg, "-no_ssl2") == 0 || strcmp(arg, "-no_ssl3") == 0
+        || strcmp(arg, "-no_tls1") == 0 || strcmp(arg, "-no_tls1_1") == 0
+        || strcmp(arg, "-no_tls1_2") == 0) {
+        *no_prot_opt = 1;
+    }
+
+    /* Attempt to run SSL configuration command */
+    rv = SSL_CONF_cmd_argv(cctx, pargc, pargs);
+    /* If parameter not recognised just return */
+    if (rv == 0)
+        return 0;
+    /* see if missing argument error */
+    if (rv == -3) {
+        BIO_printf(err, "%s needs an argument\n", arg);
+        *badarg = 1;
+        goto end;
+    }
+    /* Check for some other error */
+    if (rv < 0) {
+        BIO_printf(err, "Error with command: \"%s %s\"\n",
+                   arg, argn ? argn : "");
+        *badarg = 1;
+        goto end;
+    }
+    /* Store command and argument */
+    /* If only one argument processed store value as NULL */
+    if (rv == 1)
+        argn = NULL;
+    if (!*pstr)
+        *pstr = sk_OPENSSL_STRING_new_null();
+    if (!*pstr || !sk_OPENSSL_STRING_push(*pstr, arg) ||
+        !sk_OPENSSL_STRING_push(*pstr, argn)) {
+        BIO_puts(err, "Memory allocation failure\n");
+        goto end;
+    }
+
+ end:
+    if (*badarg)
+        ERR_print_errors(err);
+
+    return 1;
+}
+
+int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
+                  STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake)
+{
+    int i;
+    SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
+    for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) {
+        const char *param = sk_OPENSSL_STRING_value(str, i);
+        const char *value = sk_OPENSSL_STRING_value(str, i + 1);
+        /*
+         * If no_ecdhe or named curve already specified don't need a default.
+         */
+        if (!no_ecdhe && !strcmp(param, "-named_curve"))
+            no_ecdhe = 1;
+#ifndef OPENSSL_NO_JPAKE
+        if (!no_jpake && !strcmp(param, "-cipher")) {
+            BIO_puts(err, "JPAKE sets cipher to PSK\n");
+            return 0;
+        }
+#endif
+        if (SSL_CONF_cmd(cctx, param, value) <= 0) {
+            BIO_printf(err, "Error with command: \"%s %s\"\n",
+                       param, value ? value : "");
+            ERR_print_errors(err);
+            return 0;
+        }
+    }
+    /*
+     * This is a special case to keep existing s_server functionality: if we
+     * don't have any curve specified *and* we haven't disabled ECDHE then
+     * use P-256.
+     */
+    if (!no_ecdhe) {
+        if (SSL_CONF_cmd(cctx, "-named_curve", "P-256") <= 0) {
+            BIO_puts(err, "Error setting EC curve\n");
+            ERR_print_errors(err);
+            return 0;
+        }
+    }
+#ifndef OPENSSL_NO_JPAKE
+    if (!no_jpake) {
+        if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0) {
+            BIO_puts(err, "Error setting cipher to PSK\n");
+            ERR_print_errors(err);
+            return 0;
+        }
+    }
+#endif
+    if (!SSL_CONF_CTX_finish(cctx)) {
+        BIO_puts(err, "Error finishing context\n");
+        ERR_print_errors(err);
+        return 0;
+    }
+    return 1;
+}
+
+static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls)
+{
+    X509_CRL *crl;
+    int i;
+    for (i = 0; i < sk_X509_CRL_num(crls); i++) {
+        crl = sk_X509_CRL_value(crls, i);
+        X509_STORE_add_crl(st, crl);
+    }
+    return 1;
+}
+
+int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download)
+{
+    X509_STORE *st;
+    st = SSL_CTX_get_cert_store(ctx);
+    add_crls_store(st, crls);
+    if (crl_download)
+        store_setup_crl_download(st);
+    return 1;
+}
+
+int ssl_load_stores(SSL_CTX *ctx,
+                    const char *vfyCApath, const char *vfyCAfile,
+                    const char *chCApath, const char *chCAfile,
+                    STACK_OF(X509_CRL) *crls, int crl_download)
+{
+    X509_STORE *vfy = NULL, *ch = NULL;
+    int rv = 0;
+    if (vfyCApath || vfyCAfile) {
+        vfy = X509_STORE_new();
+        if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
+            goto err;
+        add_crls_store(vfy, crls);
+        SSL_CTX_set1_verify_cert_store(ctx, vfy);
+        if (crl_download)
+            store_setup_crl_download(vfy);
+    }
+    if (chCApath || chCAfile) {
+        ch = X509_STORE_new();
+        if (!X509_STORE_load_locations(ch, chCAfile, chCApath))
+            goto err;
+        SSL_CTX_set1_chain_cert_store(ctx, ch);
+    }
+    rv = 1;
+ err:
+    if (vfy)
+        X509_STORE_free(vfy);
+    if (ch)
+        X509_STORE_free(ch);
+    return rv;
+}
diff --git a/openssl/apps/s_client.c b/openssl/apps/s_client.c
new file mode 100644
index 0000000..3cabfb5
--- /dev/null
+++ b/openssl/apps/s_client.c
@@ -0,0 +1,2360 @@
+/* apps/s_client.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* ====================================================================
+ * Copyright 2005 Nokia. All rights reserved.
+ *
+ * The portions of the attached software ("Contribution") is developed by
+ * Nokia Corporation and is licensed pursuant to the OpenSSL open source
+ * license.
+ *
+ * The Contribution, originally written by Mika Kousa and Pasi Eronen of
+ * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
+ * support (see RFC 4279) to OpenSSL.
+ *
+ * No patent licenses or other rights except those expressly stated in
+ * the OpenSSL open source license shall be deemed granted or received
+ * expressly, by implication, estoppel, or otherwise.
+ *
+ * No assurances are provided by Nokia that the Contribution does not
+ * infringe the patent or other intellectual property rights of any third
+ * party or that the license provides you with all the necessary rights
+ * to make use of the Contribution.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
+ * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
+ * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
+ * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
+ * OTHERWISE.
+ */
+
+#include <assert.h>
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/e_os2.h>
+#ifdef OPENSSL_NO_STDIO
+# define APPS_WIN16
+#endif
+
+/*
+ * With IPv6, it looks like Digital has mixed up the proper order of
+ * recursive header file inclusion, resulting in the compiler complaining
+ * that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is
+ * needed to have fileno() declared correctly...  So let's define u_int
+ */
+#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
+# define __U_INT
+typedef unsigned int u_int;
+#endif
+
+#define USE_SOCKETS
+#include "apps.h"
+#include <openssl/x509.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/rand.h>
+#include <openssl/ocsp.h>
+#include <openssl/bn.h>
+#ifndef OPENSSL_NO_SRP
+# include <openssl/srp.h>
+#endif
+#include "s_apps.h"
+#include "timeouts.h"
+
+#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
+/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
+# undef FIONBIO
+#endif
+
+#if defined(OPENSSL_SYS_BEOS_R5)
+# include <fcntl.h>
+#endif
+
+#undef PROG
+#define PROG    s_client_main
+
+/*
+ * #define SSL_HOST_NAME "www.netscape.com"
+ */
+/*
+ * #define SSL_HOST_NAME "193.118.187.102"
+ */
+#define SSL_HOST_NAME   "localhost"
+
+/* no default cert. */
+/*
+ * #define TEST_CERT "client.pem"
+ */
+
+#undef BUFSIZZ
+#define BUFSIZZ 1024*8
+
+extern int verify_depth;
+extern int verify_error;
+extern int verify_return_error;
+extern int verify_quiet;
+
+#ifdef FIONBIO
+static int c_nbio = 0;
+#endif
+static int c_Pause = 0;
+static int c_debug = 0;
+#ifndef OPENSSL_NO_TLSEXT
+static int c_tlsextdebug = 0;
+static int c_status_req = 0;
+#endif
+static int c_msg = 0;
+static int c_showcerts = 0;
+
+static char *keymatexportlabel = NULL;
+static int keymatexportlen = 20;
+
+static void sc_usage(void);
+static void print_stuff(BIO *berr, SSL *con, int full);
+#ifndef OPENSSL_NO_TLSEXT
+static int ocsp_resp_cb(SSL *s, void *arg);
+#endif
+static BIO *bio_c_out = NULL;
+static BIO *bio_c_msg = NULL;
+static int c_quiet = 0;
+static int c_ign_eof = 0;
+static int c_brief = 0;
+
+#ifndef OPENSSL_NO_PSK
+/* Default PSK identity and key */
+static char *psk_identity = "Client_identity";
+/*
+ * char *psk_key=NULL; by default PSK is not used
+ */
+
+static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
+                                  unsigned int max_identity_len,
+                                  unsigned char *psk,
+                                  unsigned int max_psk_len)
+{
+    int ret;
+    long key_len;
+    unsigned char *key;
+
+    if (c_debug)
+        BIO_printf(bio_c_out, "psk_client_cb\n");
+    if (!hint) {
+        /* no ServerKeyExchange message */
+        if (c_debug)
+            BIO_printf(bio_c_out,
+                       "NULL received PSK identity hint, continuing anyway\n");
+    } else if (c_debug)
+        BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
+
+    /*
+     * lookup PSK identity and PSK key based on the given identity hint here
+     */
+    ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
+    if (ret < 0 || (unsigned int)ret > max_identity_len)
+        goto out_err;
+    if (c_debug)
+        BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity,
+                   ret);
+
+    /* convert the PSK key to binary */
+    key = string_to_hex(psk_key, &key_len);
+    if (key == NULL) {
+        BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
+                   psk_key);
+        return 0;
+    }
+    if ((unsigned long)key_len > (unsigned long)max_psk_len) {
+        BIO_printf(bio_err,
+                   "psk buffer of callback is too small (%d) for key (%ld)\n",
+                   max_psk_len, key_len);
+        OPENSSL_free(key);
+        return 0;
+    }
+
+    memcpy(psk, key, key_len);
+    OPENSSL_free(key);
+
+    if (c_debug)
+        BIO_printf(bio_c_out, "created PSK len=%ld\n", key_len);
+
+    return key_len;
+ out_err:
+    if (c_debug)
+        BIO_printf(bio_err, "Error in PSK client callback\n");
+    return 0;
+}
+#endif
+
+static void sc_usage(void)
+{
+    BIO_printf(bio_err, "usage: s_client args\n");
+    BIO_printf(bio_err, "\n");
+    BIO_printf(bio_err, " -host host     - use -connect instead\n");
+    BIO_printf(bio_err, " -port port     - use -connect instead\n");
+    BIO_printf(bio_err,
+               " -connect host:port - who to connect to (default is %s:%s)\n",
+               SSL_HOST_NAME, PORT_STR);
+    BIO_printf(bio_err,
+               " -verify_hostname host - check peer certificate matches \"host\"\n");
+    BIO_printf(bio_err,
+               " -verify_email email - check peer certificate matches \"email\"\n");
+    BIO_printf(bio_err,
+               " -verify_ip ipaddr - check peer certificate matches \"ipaddr\"\n");
+
+    BIO_printf(bio_err,
+               " -verify arg   - turn on peer certificate verification\n");
+    BIO_printf(bio_err,
+               " -verify_return_error - return verification errors\n");
+    BIO_printf(bio_err,
+               " -cert arg     - certificate file to use, PEM format assumed\n");
+    BIO_printf(bio_err,
+               " -certform arg - certificate format (PEM or DER) PEM default\n");
+    BIO_printf(bio_err,
+               " -key arg      - Private key file to use, in cert file if\n");
+    BIO_printf(bio_err, "                 not specified but cert file is.\n");
+    BIO_printf(bio_err,
+               " -keyform arg  - key format (PEM or DER) PEM default\n");
+    BIO_printf(bio_err,
+               " -pass arg     - private key file pass phrase source\n");
+    BIO_printf(bio_err, " -CApath arg   - PEM format directory of CA's\n");
+    BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n");
+    BIO_printf(bio_err,
+               " -no_alt_chains - only ever use the first certificate chain found\n");
+    BIO_printf(bio_err,
+               " -reconnect    - Drop and re-make the connection with the same Session-ID\n");
+    BIO_printf(bio_err,
+               " -pause        - sleep(1) after each read(2) and write(2) system call\n");
+    BIO_printf(bio_err,
+               " -prexit       - print session information even on connection failure\n");
+    BIO_printf(bio_err,
+               " -showcerts    - show all certificates in the chain\n");
+    BIO_printf(bio_err, " -debug        - extra output\n");
+#ifdef WATT32
+    BIO_printf(bio_err, " -wdebug       - WATT-32 tcp debugging\n");
+#endif
+    BIO_printf(bio_err, " -msg          - Show protocol messages\n");
+    BIO_printf(bio_err, " -nbio_test    - more ssl protocol testing\n");
+    BIO_printf(bio_err, " -state        - print the 'ssl' states\n");
+#ifdef FIONBIO
+    BIO_printf(bio_err, " -nbio         - Run with non-blocking IO\n");
+#endif
+    BIO_printf(bio_err,
+               " -crlf         - convert LF from terminal into CRLF\n");
+    BIO_printf(bio_err, " -quiet        - no s_client output\n");
+    BIO_printf(bio_err,
+               " -ign_eof      - ignore input eof (default when -quiet)\n");
+    BIO_printf(bio_err, " -no_ign_eof   - don't ignore input eof\n");
+#ifndef OPENSSL_NO_PSK
+    BIO_printf(bio_err, " -psk_identity arg - PSK identity\n");
+    BIO_printf(bio_err, " -psk arg      - PSK in hex (without 0x)\n");
+# ifndef OPENSSL_NO_JPAKE
+    BIO_printf(bio_err, " -jpake arg    - JPAKE secret to use\n");
+# endif
+#endif
+#ifndef OPENSSL_NO_SRP
+    BIO_printf(bio_err,
+               " -srpuser user     - SRP authentification for 'user'\n");
+    BIO_printf(bio_err, " -srppass arg      - password for 'user'\n");
+    BIO_printf(bio_err,
+               " -srp_lateuser     - SRP username into second ClientHello message\n");
+    BIO_printf(bio_err,
+               " -srp_moregroups   - Tolerate other than the known g N values.\n");
+    BIO_printf(bio_err,
+               " -srp_strength int - minimal length in bits for N (default %d).\n",
+               SRP_MINIMAL_N);
+#endif
+    BIO_printf(bio_err, " -ssl2         - just use SSLv2\n");
+#ifndef OPENSSL_NO_SSL3_METHOD
+    BIO_printf(bio_err, " -ssl3         - just use SSLv3\n");
+#endif
+    BIO_printf(bio_err, " -tls1_2       - just use TLSv1.2\n");
+    BIO_printf(bio_err, " -tls1_1       - just use TLSv1.1\n");
+    BIO_printf(bio_err, " -tls1         - just use TLSv1\n");
+    BIO_printf(bio_err, " -dtls1        - just use DTLSv1\n");
+    BIO_printf(bio_err, " -fallback_scsv - send TLS_FALLBACK_SCSV\n");
+    BIO_printf(bio_err, " -mtu          - set the link layer MTU\n");
+    BIO_printf(bio_err,
+               " -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
+    BIO_printf(bio_err,
+               " -bugs         - Switch on all SSL implementation bug workarounds\n");
+    BIO_printf(bio_err,
+               " -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
+    BIO_printf(bio_err,
+               "                 command to see what is available\n");
+    BIO_printf(bio_err,
+               " -starttls prot - use the STARTTLS command before starting TLS\n");
+    BIO_printf(bio_err,
+               "                 for those protocols that support it, where\n");
+    BIO_printf(bio_err,
+               "                 'prot' defines which one to assume.  Currently,\n");
+    BIO_printf(bio_err,
+               "                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
+    BIO_printf(bio_err, "                 are supported.\n");
+#ifndef OPENSSL_NO_ENGINE
+    BIO_printf(bio_err,
+               " -engine id    - Initialise and use the specified engine\n");
+#endif
+    BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
+               LIST_SEPARATOR_CHAR);
+    BIO_printf(bio_err, " -sess_out arg - file to write SSL session to\n");
+    BIO_printf(bio_err, " -sess_in arg  - file to read SSL session from\n");
+#ifndef OPENSSL_NO_TLSEXT
+    BIO_printf(bio_err,
+               " -servername host  - Set TLS extension servername in ClientHello\n");
+    BIO_printf(bio_err,
+               " -tlsextdebug      - hex dump of all TLS extensions received\n");
+    BIO_printf(bio_err,
+               " -status           - request certificate status from server\n");
+    BIO_printf(bio_err,
+               " -no_ticket        - disable use of RFC4507bis session tickets\n");
+    BIO_printf(bio_err,
+               " -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
+    BIO_printf(bio_err,
+               " -curves arg       - Elliptic curves to advertise (colon-separated list)\n");
+    BIO_printf(bio_err,
+               " -sigalgs arg      - Signature algorithms to support (colon-separated list)\n");
+    BIO_printf(bio_err,
+               " -client_sigalgs arg - Signature algorithms to support for client\n");
+    BIO_printf(bio_err,
+               "                       certificate authentication (colon-separated list)\n");
+#endif
+#ifndef OPENSSL_NO_NEXTPROTONEG
+    BIO_printf(bio_err,
+               " -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
+#endif
+    BIO_printf(bio_err,
+               " -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
+    BIO_printf(bio_err,
+               " -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
+#ifndef OPENSSL_NO_SRTP
+    BIO_printf(bio_err,
+               " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
+#endif
+    BIO_printf(bio_err,
+               " -keymatexport label   - Export keying material using label\n");
+    BIO_printf(bio_err,
+               " -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
+}
+
+#ifndef OPENSSL_NO_TLSEXT
+
+/* This is a context that we pass to callbacks */
+typedef struct tlsextctx_st {
+    BIO *biodebug;
+    int ack;
+} tlsextctx;
+
+static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
+{
+    tlsextctx *p = (tlsextctx *) arg;
+    const char *hn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
+    if (SSL_get_servername_type(s) != -1)
+        p->ack = !SSL_session_reused(s) && hn != NULL;
+    else
+        BIO_printf(bio_err, "Can't use SSL_get_servername\n");
+
+    return SSL_TLSEXT_ERR_OK;
+}
+
+# ifndef OPENSSL_NO_SRP
+
+/* This is a context that we pass to all callbacks */
+typedef struct srp_arg_st {
+    char *srppassin;
+    char *srplogin;
+    int msg;                    /* copy from c_msg */
+    int debug;                  /* copy from c_debug */
+    int amp;                    /* allow more groups */
+    int strength /* minimal size for N */ ;
+} SRP_ARG;
+
+#  define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
+
+static int srp_Verify_N_and_g(BIGNUM *N, BIGNUM *g)
+{
+    BN_CTX *bn_ctx = BN_CTX_new();
+    BIGNUM *p = BN_new();
+    BIGNUM *r = BN_new();
+    int ret =
+        g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
+        BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
+        p != NULL && BN_rshift1(p, N) &&
+        /* p = (N-1)/2 */
+        BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
+        r != NULL &&
+        /* verify g^((N-1)/2) == -1 (mod N) */
+        BN_mod_exp(r, g, p, N, bn_ctx) &&
+        BN_add_word(r, 1) && BN_cmp(r, N) == 0;
+
+    if (r)
+        BN_free(r);
+    if (p)
+        BN_free(p);
+    if (bn_ctx)
+        BN_CTX_free(bn_ctx);
+    return ret;
+}
+
+/*-
+ * This callback is used here for two purposes:
+ * - extended debugging
+ * - making some primality tests for unknown groups
+ * The callback is only called for a non default group.
+ *
+ * An application does not need the call back at all if
+ * only the stanard groups are used.  In real life situations,
+ * client and server already share well known groups,
+ * thus there is no need to verify them.
+ * Furthermore, in case that a server actually proposes a group that
+ * is not one of those defined in RFC 5054, it is more appropriate
+ * to add the group to a static list and then compare since
+ * primality tests are rather cpu consuming.
+ */
+
+static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
+{
+    SRP_ARG *srp_arg = (SRP_ARG *)arg;
+    BIGNUM *N = NULL, *g = NULL;
+    if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
+        return 0;
+    if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1) {
+        BIO_printf(bio_err, "SRP parameters:\n");
+        BIO_printf(bio_err, "\tN=");
+        BN_print(bio_err, N);
+        BIO_printf(bio_err, "\n\tg=");
+        BN_print(bio_err, g);
+        BIO_printf(bio_err, "\n");
+    }
+
+    if (SRP_check_known_gN_param(g, N))
+        return 1;
+
+    if (srp_arg->amp == 1) {
+        if (srp_arg->debug)
+            BIO_printf(bio_err,
+                       "SRP param N and g are not known params, going to check deeper.\n");
+
+        /*
+         * The srp_moregroups is a real debugging feature. Implementors
+         * should rather add the value to the known ones. The minimal size
+         * has already been tested.
+         */
+        if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N, g))
+            return 1;
+    }
+    BIO_printf(bio_err, "SRP param N and g rejected.\n");
+    return 0;
+}
+
+#  define PWD_STRLEN 1024
+
+static char *MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
+{
+    SRP_ARG *srp_arg = (SRP_ARG *)arg;
+    char *pass = (char *)OPENSSL_malloc(PWD_STRLEN + 1);
+    PW_CB_DATA cb_tmp;
+    int l;
+
+    if (!pass) {
+        BIO_printf(bio_err, "Malloc failure\n");
+        return NULL;
+    }
+
+    cb_tmp.password = (char *)srp_arg->srppassin;
+    cb_tmp.prompt_info = "SRP user";
+    if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp)) < 0) {
+        BIO_printf(bio_err, "Can't read Password\n");
+        OPENSSL_free(pass);
+        return NULL;
+    }
+    *(pass + l) = '\0';
+
+    return pass;
+}
+
+# endif
+# ifndef OPENSSL_NO_SRTP
+char *srtp_profiles = NULL;
+# endif
+
+# ifndef OPENSSL_NO_NEXTPROTONEG
+/* This the context that we pass to next_proto_cb */
+typedef struct tlsextnextprotoctx_st {
+    unsigned char *data;
+    unsigned short len;
+    int status;
+} tlsextnextprotoctx;
+
+static tlsextnextprotoctx next_proto;
+
+static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen,
+                         const unsigned char *in, unsigned int inlen,
+                         void *arg)
+{
+    tlsextnextprotoctx *ctx = arg;
+
+    if (!c_quiet) {
+        /* We can assume that |in| is syntactically valid. */
+        unsigned i;
+        BIO_printf(bio_c_out, "Protocols advertised by server: ");
+        for (i = 0; i < inlen;) {
+            if (i)
+                BIO_write(bio_c_out, ", ", 2);
+            BIO_write(bio_c_out, &in[i + 1], in[i]);
+            i += in[i] + 1;
+        }
+        BIO_write(bio_c_out, "\n", 1);
+    }
+
+    ctx->status =
+        SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
+    return SSL_TLSEXT_ERR_OK;
+}
+# endif                         /* ndef OPENSSL_NO_NEXTPROTONEG */
+
+static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
+                                   const unsigned char *in, size_t inlen,
+                                   int *al, void *arg)
+{
+    char pem_name[100];
+    unsigned char ext_buf[4 + 65536];
+
+    /* Reconstruct the type/len fields prior to extension data */
+    ext_buf[0] = ext_type >> 8;
+    ext_buf[1] = ext_type & 0xFF;
+    ext_buf[2] = inlen >> 8;
+    ext_buf[3] = inlen & 0xFF;
+    memcpy(ext_buf + 4, in, inlen);
+
+    BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
+                 ext_type);
+    PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
+    return 1;
+}
+
+#endif
+
+enum {
+    PROTO_OFF = 0,
+    PROTO_SMTP,
+    PROTO_POP3,
+    PROTO_IMAP,
+    PROTO_FTP,
+    PROTO_XMPP
+};
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    int build_chain = 0;
+    SSL *con = NULL;
+#ifndef OPENSSL_NO_KRB5
+    KSSL_CTX *kctx;
+#endif
+    int s, k, width, state = 0;
+    char *cbuf = NULL, *sbuf = NULL, *mbuf = NULL;
+    int cbuf_len, cbuf_off;
+    int sbuf_len, sbuf_off;
+    fd_set readfds, writefds;
+    short port = PORT;
+    int full_log = 1;
+    char *host = SSL_HOST_NAME;
+    char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
+    int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
+    char *passarg = NULL, *pass = NULL;
+    X509 *cert = NULL;
+    EVP_PKEY *key = NULL;
+    STACK_OF(X509) *chain = NULL;
+    char *CApath = NULL, *CAfile = NULL;
+    char *chCApath = NULL, *chCAfile = NULL;
+    char *vfyCApath = NULL, *vfyCAfile = NULL;
+    int reconnect = 0, badop = 0, verify = SSL_VERIFY_NONE;
+    int crlf = 0;
+    int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
+    SSL_CTX *ctx = NULL;
+    int ret = 1, in_init = 1, i, nbio_test = 0;
+    int starttls_proto = PROTO_OFF;
+    int prexit = 0;
+    X509_VERIFY_PARAM *vpm = NULL;
+    int badarg = 0;
+    const SSL_METHOD *meth = NULL;
+    int socket_type = SOCK_STREAM;
+    BIO *sbio;
+    char *inrand = NULL;
+    int mbuf_len = 0;
+    struct timeval timeout, *timeoutp;
+    char *engine_id = NULL;
+    ENGINE *e = NULL;
+#ifndef OPENSSL_NO_ENGINE
+    char *ssl_client_engine_id = NULL;
+    ENGINE *ssl_client_engine = NULL;
+#endif
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
+    struct timeval tv;
+# if defined(OPENSSL_SYS_BEOS_R5)
+    int stdin_set = 0;
+# endif
+#endif
+#ifndef OPENSSL_NO_TLSEXT
+    char *servername = NULL;
+    tlsextctx tlsextcbp = { NULL, 0 };
+# ifndef OPENSSL_NO_NEXTPROTONEG
+    const char *next_proto_neg_in = NULL;
+# endif
+    const char *alpn_in = NULL;
+# define MAX_SI_TYPES 100
+    unsigned short serverinfo_types[MAX_SI_TYPES];
+    int serverinfo_types_count = 0;
+#endif
+    char *sess_in = NULL;
+    char *sess_out = NULL;
+    struct sockaddr peer;
+    int peerlen = sizeof(peer);
+    int fallback_scsv = 0;
+    int enable_timeouts = 0;
+    long socket_mtu = 0;
+#ifndef OPENSSL_NO_JPAKE
+    static char *jpake_secret = NULL;
+# define no_jpake !jpake_secret
+#else
+# define no_jpake 1
+#endif
+#ifndef OPENSSL_NO_SRP
+    char *srppass = NULL;
+    int srp_lateuser = 0;
+    SRP_ARG srp_arg = { NULL, NULL, 0, 0, 0, 1024 };
+#endif
+    SSL_EXCERT *exc = NULL;
+
+    SSL_CONF_CTX *cctx = NULL;
+    STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
+
+    char *crl_file = NULL;
+    int crl_format = FORMAT_PEM;
+    int crl_download = 0;
+    STACK_OF(X509_CRL) *crls = NULL;
+    int prot_opt = 0, no_prot_opt = 0;
+
+    meth = SSLv23_client_method();
+
+    apps_startup();
+    c_Pause = 0;
+    c_quiet = 0;
+    c_ign_eof = 0;
+    c_debug = 0;
+    c_msg = 0;
+    c_showcerts = 0;
+
+    if (bio_err == NULL)
+        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    cctx = SSL_CONF_CTX_new();
+    if (!cctx)
+        goto end;
+    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
+    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
+
+    if (((cbuf = OPENSSL_malloc(BUFSIZZ)) == NULL) ||
+        ((sbuf = OPENSSL_malloc(BUFSIZZ)) == NULL) ||
+        ((mbuf = OPENSSL_malloc(BUFSIZZ)) == NULL)) {
+        BIO_printf(bio_err, "out of memory\n");
+        goto end;
+    }
+
+    verify_depth = 0;
+    verify_error = X509_V_OK;
+#ifdef FIONBIO
+    c_nbio = 0;
+#endif
+
+    argc--;
+    argv++;
+    while (argc >= 1) {
+        if (strcmp(*argv, "-host") == 0) {
+            if (--argc < 1)
+                goto bad;
+            host = *(++argv);
+        } else if (strcmp(*argv, "-port") == 0) {
+            if (--argc < 1)
+                goto bad;
+            port = atoi(*(++argv));
+            if (port == 0)
+                goto bad;
+        } else if (strcmp(*argv, "-connect") == 0) {
+            if (--argc < 1)
+                goto bad;
+            if (!extract_host_port(*(++argv), &host, NULL, &port))
+                goto bad;
+        } else if (strcmp(*argv, "-verify") == 0) {
+            verify = SSL_VERIFY_PEER;
+            if (--argc < 1)
+                goto bad;
+            verify_depth = atoi(*(++argv));
+            if (!c_quiet)
+                BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
+        } else if (strcmp(*argv, "-cert") == 0) {
+            if (--argc < 1)
+                goto bad;
+            cert_file = *(++argv);
+        } else if (strcmp(*argv, "-CRL") == 0) {
+            if (--argc < 1)
+                goto bad;
+            crl_file = *(++argv);
+        } else if (strcmp(*argv, "-crl_download") == 0)
+            crl_download = 1;
+        else if (strcmp(*argv, "-sess_out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            sess_out = *(++argv);
+        } else if (strcmp(*argv, "-sess_in") == 0) {
+            if (--argc < 1)
+                goto bad;
+            sess_in = *(++argv);
+        } else if (strcmp(*argv, "-certform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            cert_format = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-CRLform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            crl_format = str2fmt(*(++argv));
+        } else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) {
+            if (badarg)
+                goto bad;
+            continue;
+        } else if (strcmp(*argv, "-verify_return_error") == 0)
+            verify_return_error = 1;
+        else if (strcmp(*argv, "-verify_quiet") == 0)
+            verify_quiet = 1;
+        else if (strcmp(*argv, "-brief") == 0) {
+            c_brief = 1;
+            verify_quiet = 1;
+            c_quiet = 1;
+        } else if (args_excert(&argv, &argc, &badarg, bio_err, &exc)) {
+            if (badarg)
+                goto bad;
+            continue;
+        } else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args,
+                            &no_prot_opt)) {
+            if (badarg)
+                goto bad;
+            continue;
+        } else if (strcmp(*argv, "-prexit") == 0)
+            prexit = 1;
+        else if (strcmp(*argv, "-crlf") == 0)
+            crlf = 1;
+        else if (strcmp(*argv, "-quiet") == 0) {
+            c_quiet = 1;
+            c_ign_eof = 1;
+        } else if (strcmp(*argv, "-ign_eof") == 0)
+            c_ign_eof = 1;
+        else if (strcmp(*argv, "-no_ign_eof") == 0)
+            c_ign_eof = 0;
+        else if (strcmp(*argv, "-pause") == 0)
+            c_Pause = 1;
+        else if (strcmp(*argv, "-debug") == 0)
+            c_debug = 1;
+#ifndef OPENSSL_NO_TLSEXT
+        else if (strcmp(*argv, "-tlsextdebug") == 0)
+            c_tlsextdebug = 1;
+        else if (strcmp(*argv, "-status") == 0)
+            c_status_req = 1;
+#endif
+#ifdef WATT32
+        else if (strcmp(*argv, "-wdebug") == 0)
+            dbug_init();
+#endif
+        else if (strcmp(*argv, "-msg") == 0)
+            c_msg = 1;
+        else if (strcmp(*argv, "-msgfile") == 0) {
+            if (--argc < 1)
+                goto bad;
+            bio_c_msg = BIO_new_file(*(++argv), "w");
+        }
+#ifndef OPENSSL_NO_SSL_TRACE
+        else if (strcmp(*argv, "-trace") == 0)
+            c_msg = 2;
+#endif
+        else if (strcmp(*argv, "-showcerts") == 0)
+            c_showcerts = 1;
+        else if (strcmp(*argv, "-nbio_test") == 0)
+            nbio_test = 1;
+        else if (strcmp(*argv, "-state") == 0)
+            state = 1;
+#ifndef OPENSSL_NO_PSK
+        else if (strcmp(*argv, "-psk_identity") == 0) {
+            if (--argc < 1)
+                goto bad;
+            psk_identity = *(++argv);
+        } else if (strcmp(*argv, "-psk") == 0) {
+            size_t j;
+
+            if (--argc < 1)
+                goto bad;
+            psk_key = *(++argv);
+            for (j = 0; j < strlen(psk_key); j++) {
+                if (isxdigit((unsigned char)psk_key[j]))
+                    continue;
+                BIO_printf(bio_err, "Not a hex number '%s'\n", *argv);
+                goto bad;
+            }
+        }
+#endif
+#ifndef OPENSSL_NO_SRP
+        else if (strcmp(*argv, "-srpuser") == 0) {
+            if (--argc < 1)
+                goto bad;
+            srp_arg.srplogin = *(++argv);
+            meth = TLSv1_client_method();
+        } else if (strcmp(*argv, "-srppass") == 0) {
+            if (--argc < 1)
+                goto bad;
+            srppass = *(++argv);
+            meth = TLSv1_client_method();
+        } else if (strcmp(*argv, "-srp_strength") == 0) {
+            if (--argc < 1)
+                goto bad;
+            srp_arg.strength = atoi(*(++argv));
+            BIO_printf(bio_err, "SRP minimal length for N is %d\n",
+                       srp_arg.strength);
+            meth = TLSv1_client_method();
+        } else if (strcmp(*argv, "-srp_lateuser") == 0) {
+            srp_lateuser = 1;
+            meth = TLSv1_client_method();
+        } else if (strcmp(*argv, "-srp_moregroups") == 0) {
+            srp_arg.amp = 1;
+            meth = TLSv1_client_method();
+        }
+#endif
+#ifndef OPENSSL_NO_SSL2
+        else if (strcmp(*argv, "-ssl2") == 0) {
+            meth = SSLv2_client_method();
+            prot_opt++;
+        }
+#endif
+#ifndef OPENSSL_NO_SSL3_METHOD
+        else if (strcmp(*argv, "-ssl3") == 0) {
+            meth = SSLv3_client_method();
+            prot_opt++;
+        }
+#endif
+#ifndef OPENSSL_NO_TLS1
+        else if (strcmp(*argv, "-tls1_2") == 0) {
+            meth = TLSv1_2_client_method();
+            prot_opt++;
+        } else if (strcmp(*argv, "-tls1_1") == 0) {
+            meth = TLSv1_1_client_method();
+            prot_opt++;
+        } else if (strcmp(*argv, "-tls1") == 0) {
+            meth = TLSv1_client_method();
+            prot_opt++;
+        }
+#endif
+#ifndef OPENSSL_NO_DTLS1
+        else if (strcmp(*argv, "-dtls") == 0) {
+            meth = DTLS_client_method();
+            socket_type = SOCK_DGRAM;
+            prot_opt++;
+        } else if (strcmp(*argv, "-dtls1") == 0) {
+            meth = DTLSv1_client_method();
+            socket_type = SOCK_DGRAM;
+            prot_opt++;
+        } else if (strcmp(*argv, "-dtls1_2") == 0) {
+            meth = DTLSv1_2_client_method();
+            socket_type = SOCK_DGRAM;
+            prot_opt++;
+        } else if (strcmp(*argv, "-timeout") == 0)
+            enable_timeouts = 1;
+        else if (strcmp(*argv, "-mtu") == 0) {
+            if (--argc < 1)
+                goto bad;
+            socket_mtu = atol(*(++argv));
+        }
+#endif
+        else if (strcmp(*argv, "-fallback_scsv") == 0) {
+            fallback_scsv = 1;
+        } else if (strcmp(*argv, "-keyform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            key_format = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-pass") == 0) {
+            if (--argc < 1)
+                goto bad;
+            passarg = *(++argv);
+        } else if (strcmp(*argv, "-cert_chain") == 0) {
+            if (--argc < 1)
+                goto bad;
+            chain_file = *(++argv);
+        } else if (strcmp(*argv, "-key") == 0) {
+            if (--argc < 1)
+                goto bad;
+            key_file = *(++argv);
+        } else if (strcmp(*argv, "-reconnect") == 0) {
+            reconnect = 5;
+        } else if (strcmp(*argv, "-CApath") == 0) {
+            if (--argc < 1)
+                goto bad;
+            CApath = *(++argv);
+        } else if (strcmp(*argv, "-chainCApath") == 0) {
+            if (--argc < 1)
+                goto bad;
+            chCApath = *(++argv);
+        } else if (strcmp(*argv, "-verifyCApath") == 0) {
+            if (--argc < 1)
+                goto bad;
+            vfyCApath = *(++argv);
+        } else if (strcmp(*argv, "-build_chain") == 0)
+            build_chain = 1;
+        else if (strcmp(*argv, "-CAfile") == 0) {
+            if (--argc < 1)
+                goto bad;
+            CAfile = *(++argv);
+        } else if (strcmp(*argv, "-chainCAfile") == 0) {
+            if (--argc < 1)
+                goto bad;
+            chCAfile = *(++argv);
+        } else if (strcmp(*argv, "-verifyCAfile") == 0) {
+            if (--argc < 1)
+                goto bad;
+            vfyCAfile = *(++argv);
+        }
+#ifndef OPENSSL_NO_TLSEXT
+# ifndef OPENSSL_NO_NEXTPROTONEG
+        else if (strcmp(*argv, "-nextprotoneg") == 0) {
+            if (--argc < 1)
+                goto bad;
+            next_proto_neg_in = *(++argv);
+        }
+# endif
+        else if (strcmp(*argv, "-alpn") == 0) {
+            if (--argc < 1)
+                goto bad;
+            alpn_in = *(++argv);
+        } else if (strcmp(*argv, "-serverinfo") == 0) {
+            char *c;
+            int start = 0;
+            int len;
+
+            if (--argc < 1)
+                goto bad;
+            c = *(++argv);
+            serverinfo_types_count = 0;
+            len = strlen(c);
+            for (i = 0; i <= len; ++i) {
+                if (i == len || c[i] == ',') {
+                    serverinfo_types[serverinfo_types_count]
+                        = atoi(c + start);
+                    serverinfo_types_count++;
+                    start = i + 1;
+                }
+                if (serverinfo_types_count == MAX_SI_TYPES)
+                    break;
+            }
+        }
+#endif
+#ifdef FIONBIO
+        else if (strcmp(*argv, "-nbio") == 0) {
+            c_nbio = 1;
+        }
+#endif
+        else if (strcmp(*argv, "-starttls") == 0) {
+            if (--argc < 1)
+                goto bad;
+            ++argv;
+            if (strcmp(*argv, "smtp") == 0)
+                starttls_proto = PROTO_SMTP;
+            else if (strcmp(*argv, "pop3") == 0)
+                starttls_proto = PROTO_POP3;
+            else if (strcmp(*argv, "imap") == 0)
+                starttls_proto = PROTO_IMAP;
+            else if (strcmp(*argv, "ftp") == 0)
+                starttls_proto = PROTO_FTP;
+            else if (strcmp(*argv, "xmpp") == 0)
+                starttls_proto = PROTO_XMPP;
+            else
+                goto bad;
+        }
+#ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            engine_id = *(++argv);
+        } else if (strcmp(*argv, "-ssl_client_engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            ssl_client_engine_id = *(++argv);
+        }
+#endif
+        else if (strcmp(*argv, "-rand") == 0) {
+            if (--argc < 1)
+                goto bad;
+            inrand = *(++argv);
+        }
+#ifndef OPENSSL_NO_TLSEXT
+        else if (strcmp(*argv, "-servername") == 0) {
+            if (--argc < 1)
+                goto bad;
+            servername = *(++argv);
+            /* meth=TLSv1_client_method(); */
+        }
+#endif
+#ifndef OPENSSL_NO_JPAKE
+        else if (strcmp(*argv, "-jpake") == 0) {
+            if (--argc < 1)
+                goto bad;
+            jpake_secret = *++argv;
+        }
+#endif
+#ifndef OPENSSL_NO_SRTP
+        else if (strcmp(*argv, "-use_srtp") == 0) {
+            if (--argc < 1)
+                goto bad;
+            srtp_profiles = *(++argv);
+        }
+#endif
+        else if (strcmp(*argv, "-keymatexport") == 0) {
+            if (--argc < 1)
+                goto bad;
+            keymatexportlabel = *(++argv);
+        } else if (strcmp(*argv, "-keymatexportlen") == 0) {
+            if (--argc < 1)
+                goto bad;
+            keymatexportlen = atoi(*(++argv));
+            if (keymatexportlen == 0)
+                goto bad;
+        } else {
+            BIO_printf(bio_err, "unknown option %s\n", *argv);
+            badop = 1;
+            break;
+        }
+        argc--;
+        argv++;
+    }
+    if (badop) {
+ bad:
+        sc_usage();
+        goto end;
+    }
+#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
+    if (jpake_secret) {
+        if (psk_key) {
+            BIO_printf(bio_err, "Can't use JPAKE and PSK together\n");
+            goto end;
+        }
+        psk_identity = "JPAKE";
+    }
+#endif
+
+    if (prot_opt > 1) {
+        BIO_printf(bio_err, "Cannot supply multiple protocol flags\n");
+        goto end;
+    }
+
+    if (prot_opt == 1 && no_prot_opt) {
+        BIO_printf(bio_err, "Cannot supply both a protocol flag and "
+                            "\"-no_<prot>\"\n");
+        goto end;
+    }
+
+    OpenSSL_add_ssl_algorithms();
+    SSL_load_error_strings();
+
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+    next_proto.status = -1;
+    if (next_proto_neg_in) {
+        next_proto.data =
+            next_protos_parse(&next_proto.len, next_proto_neg_in);
+        if (next_proto.data == NULL) {
+            BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
+            goto end;
+        }
+    } else
+        next_proto.data = NULL;
+#endif
+
+    e = setup_engine(bio_err, engine_id, 1);
+#ifndef OPENSSL_NO_ENGINE
+    if (ssl_client_engine_id) {
+        ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
+        if (!ssl_client_engine) {
+            BIO_printf(bio_err, "Error getting client auth engine\n");
+            goto end;
+        }
+    }
+#endif
+    if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) {
+        BIO_printf(bio_err, "Error getting password\n");
+        goto end;
+    }
+
+    if (key_file == NULL)
+        key_file = cert_file;
+
+    if (key_file) {
+
+        key = load_key(bio_err, key_file, key_format, 0, pass, e,
+                       "client certificate private key file");
+        if (!key) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+
+    }
+
+    if (cert_file) {
+        cert = load_cert(bio_err, cert_file, cert_format,
+                         NULL, e, "client certificate file");
+
+        if (!cert) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+
+    if (chain_file) {
+        chain = load_certs(bio_err, chain_file, FORMAT_PEM,
+                           NULL, e, "client certificate chain");
+        if (!chain)
+            goto end;
+    }
+
+    if (crl_file) {
+        X509_CRL *crl;
+        crl = load_crl(crl_file, crl_format);
+        if (!crl) {
+            BIO_puts(bio_err, "Error loading CRL\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        crls = sk_X509_CRL_new_null();
+        if (!crls || !sk_X509_CRL_push(crls, crl)) {
+            BIO_puts(bio_err, "Error adding CRL\n");
+            ERR_print_errors(bio_err);
+            X509_CRL_free(crl);
+            goto end;
+        }
+    }
+
+    if (!load_excert(&exc, bio_err))
+        goto end;
+
+    if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
+        && !RAND_status()) {
+        BIO_printf(bio_err,
+                   "warning, not much extra random data, consider using the -rand option\n");
+    }
+    if (inrand != NULL)
+        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
+                   app_RAND_load_files(inrand));
+
+    if (bio_c_out == NULL) {
+        if (c_quiet && !c_debug) {
+            bio_c_out = BIO_new(BIO_s_null());
+            if (c_msg && !bio_c_msg)
+                bio_c_msg = BIO_new_fp(stdout, BIO_NOCLOSE);
+        } else {
+            if (bio_c_out == NULL)
+                bio_c_out = BIO_new_fp(stdout, BIO_NOCLOSE);
+        }
+    }
+#ifndef OPENSSL_NO_SRP
+    if (!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL)) {
+        BIO_printf(bio_err, "Error getting password\n");
+        goto end;
+    }
+#endif
+
+    ctx = SSL_CTX_new(meth);
+    if (ctx == NULL) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (vpm)
+        SSL_CTX_set1_param(ctx, vpm);
+
+    if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake)) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
+                         crls, crl_download)) {
+        BIO_printf(bio_err, "Error loading store locations\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+#ifndef OPENSSL_NO_ENGINE
+    if (ssl_client_engine) {
+        if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine)) {
+            BIO_puts(bio_err, "Error setting client auth engine\n");
+            ERR_print_errors(bio_err);
+            ENGINE_free(ssl_client_engine);
+            goto end;
+        }
+        ENGINE_free(ssl_client_engine);
+    }
+#endif
+
+#ifndef OPENSSL_NO_PSK
+# ifdef OPENSSL_NO_JPAKE
+    if (psk_key != NULL)
+# else
+    if (psk_key != NULL || jpake_secret)
+# endif
+    {
+        if (c_debug)
+            BIO_printf(bio_c_out,
+                       "PSK key given or JPAKE in use, setting client callback\n");
+        SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
+    }
+#endif
+#ifndef OPENSSL_NO_SRTP
+    if (srtp_profiles != NULL)
+        SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
+#endif
+    if (exc)
+        ssl_ctx_set_excert(ctx, exc);
+
+#if !defined(OPENSSL_NO_TLSEXT)
+# if !defined(OPENSSL_NO_NEXTPROTONEG)
+    if (next_proto.data)
+        SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
+# endif
+    if (alpn_in) {
+        unsigned short alpn_len;
+        unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
+
+        if (alpn == NULL) {
+            BIO_printf(bio_err, "Error parsing -alpn argument\n");
+            goto end;
+        }
+        SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
+        OPENSSL_free(alpn);
+    }
+#endif
+#ifndef OPENSSL_NO_TLSEXT
+    for (i = 0; i < serverinfo_types_count; i++) {
+        SSL_CTX_add_client_custom_ext(ctx,
+                                      serverinfo_types[i],
+                                      NULL, NULL, NULL,
+                                      serverinfo_cli_parse_cb, NULL);
+    }
+#endif
+
+    if (state)
+        SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
+#if 0
+    else
+        SSL_CTX_set_cipher_list(ctx, getenv("SSL_CIPHER"));
+#endif
+
+    SSL_CTX_set_verify(ctx, verify, verify_callback);
+
+    if ((CAfile || CApath)
+        && !SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
+        ERR_print_errors(bio_err);
+    }
+    if (!SSL_CTX_set_default_verify_paths(ctx)) {
+        ERR_print_errors(bio_err);
+    }
+
+    ssl_ctx_add_crls(ctx, crls, crl_download);
+    if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
+        goto end;
+
+#ifndef OPENSSL_NO_TLSEXT
+    if (servername != NULL) {
+        tlsextcbp.biodebug = bio_err;
+        SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
+        SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
+    }
+# ifndef OPENSSL_NO_SRP
+    if (srp_arg.srplogin) {
+        if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin)) {
+            BIO_printf(bio_err, "Unable to set SRP username\n");
+            goto end;
+        }
+        srp_arg.msg = c_msg;
+        srp_arg.debug = c_debug;
+        SSL_CTX_set_srp_cb_arg(ctx, &srp_arg);
+        SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
+        SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
+        if (c_msg || c_debug || srp_arg.amp == 0)
+            SSL_CTX_set_srp_verify_param_callback(ctx,
+                                                  ssl_srp_verify_param_cb);
+    }
+# endif
+#endif
+
+    con = SSL_new(ctx);
+    if (sess_in) {
+        SSL_SESSION *sess;
+        BIO *stmp = BIO_new_file(sess_in, "r");
+        if (!stmp) {
+            BIO_printf(bio_err, "Can't open session file %s\n", sess_in);
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
+        BIO_free(stmp);
+        if (!sess) {
+            BIO_printf(bio_err, "Can't open session file %s\n", sess_in);
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        SSL_set_session(con, sess);
+        SSL_SESSION_free(sess);
+    }
+
+    if (fallback_scsv)
+        SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
+
+#ifndef OPENSSL_NO_TLSEXT
+    if (servername != NULL) {
+        if (!SSL_set_tlsext_host_name(con, servername)) {
+            BIO_printf(bio_err, "Unable to set TLS servername extension.\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+#endif
+#ifndef OPENSSL_NO_KRB5
+    if (con && (kctx = kssl_ctx_new()) != NULL) {
+        SSL_set0_kssl_ctx(con, kctx);
+        kssl_ctx_setstring(kctx, KSSL_SERVER, host);
+    }
+#endif                          /* OPENSSL_NO_KRB5 */
+/*      SSL_set_cipher_list(con,"RC4-MD5"); */
+#if 0
+# ifdef TLSEXT_TYPE_opaque_prf_input
+    SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
+# endif
+#endif
+
+ re_start:
+
+    if (init_client(&s, host, port, socket_type) == 0) {
+        BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
+        SHUTDOWN(s);
+        goto end;
+    }
+    BIO_printf(bio_c_out, "CONNECTED(%08X)\n", s);
+
+#ifdef FIONBIO
+    if (c_nbio) {
+        unsigned long l = 1;
+        BIO_printf(bio_c_out, "turning on non blocking io\n");
+        if (BIO_socket_ioctl(s, FIONBIO, &l) < 0) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+#endif
+    if (c_Pause & 0x01)
+        SSL_set_debug(con, 1);
+
+    if (socket_type == SOCK_DGRAM) {
+
+        sbio = BIO_new_dgram(s, BIO_NOCLOSE);
+        if (getsockname(s, &peer, (void *)&peerlen) < 0) {
+            BIO_printf(bio_err, "getsockname:errno=%d\n",
+                       get_last_socket_error());
+            SHUTDOWN(s);
+            goto end;
+        }
+
+        (void)BIO_ctrl_set_connected(sbio, 1, &peer);
+
+        if (enable_timeouts) {
+            timeout.tv_sec = 0;
+            timeout.tv_usec = DGRAM_RCV_TIMEOUT;
+            BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
+
+            timeout.tv_sec = 0;
+            timeout.tv_usec = DGRAM_SND_TIMEOUT;
+            BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
+        }
+
+        if (socket_mtu) {
+            if (socket_mtu < DTLS_get_link_min_mtu(con)) {
+                BIO_printf(bio_err, "MTU too small. Must be at least %ld\n",
+                           DTLS_get_link_min_mtu(con));
+                BIO_free(sbio);
+                goto shut;
+            }
+            SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
+            if (!DTLS_set_link_mtu(con, socket_mtu)) {
+                BIO_printf(bio_err, "Failed to set MTU\n");
+                BIO_free(sbio);
+                goto shut;
+            }
+        } else
+            /* want to do MTU discovery */
+            BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
+    } else
+        sbio = BIO_new_socket(s, BIO_NOCLOSE);
+
+    if (nbio_test) {
+        BIO *test;
+
+        test = BIO_new(BIO_f_nbio_test());
+        sbio = BIO_push(test, sbio);
+    }
+
+    if (c_debug) {
+        SSL_set_debug(con, 1);
+        BIO_set_callback(sbio, bio_dump_callback);
+        BIO_set_callback_arg(sbio, (char *)bio_c_out);
+    }
+    if (c_msg) {
+#ifndef OPENSSL_NO_SSL_TRACE
+        if (c_msg == 2)
+            SSL_set_msg_callback(con, SSL_trace);
+        else
+#endif
+            SSL_set_msg_callback(con, msg_cb);
+        SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
+    }
+#ifndef OPENSSL_NO_TLSEXT
+    if (c_tlsextdebug) {
+        SSL_set_tlsext_debug_callback(con, tlsext_cb);
+        SSL_set_tlsext_debug_arg(con, bio_c_out);
+    }
+    if (c_status_req) {
+        SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
+        SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
+        SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
+# if 0
+        {
+            STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
+            OCSP_RESPID *id = OCSP_RESPID_new();
+            id->value.byKey = ASN1_OCTET_STRING_new();
+            id->type = V_OCSP_RESPID_KEY;
+            ASN1_STRING_set(id->value.byKey, "Hello World", -1);
+            sk_OCSP_RESPID_push(ids, id);
+            SSL_set_tlsext_status_ids(con, ids);
+        }
+# endif
+    }
+#endif
+#ifndef OPENSSL_NO_JPAKE
+    if (jpake_secret)
+        jpake_client_auth(bio_c_out, sbio, jpake_secret);
+#endif
+
+    SSL_set_bio(con, sbio, sbio);
+    SSL_set_connect_state(con);
+
+    /* ok, lets connect */
+    if (fileno_stdin() > SSL_get_fd(con))
+        width = fileno_stdin() + 1;
+    else
+        width = SSL_get_fd(con) + 1;
+
+    read_tty = 1;
+    write_tty = 0;
+    tty_on = 0;
+    read_ssl = 1;
+    write_ssl = 1;
+
+    cbuf_len = 0;
+    cbuf_off = 0;
+    sbuf_len = 0;
+    sbuf_off = 0;
+
+    /* This is an ugly hack that does a lot of assumptions */
+    /*
+     * We do have to handle multi-line responses which may come in a single
+     * packet or not. We therefore have to use BIO_gets() which does need a
+     * buffering BIO. So during the initial chitchat we do push a buffering
+     * BIO into the chain that is removed again later on to not disturb the
+     * rest of the s_client operation.
+     */
+    if (starttls_proto == PROTO_SMTP) {
+        int foundit = 0;
+        BIO *fbio = BIO_new(BIO_f_buffer());
+        BIO_push(fbio, sbio);
+        /* wait for multi-line response to end from SMTP */
+        do {
+            mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
+        }
+        while (mbuf_len > 3 && mbuf[3] == '-');
+        /* STARTTLS command requires EHLO... */
+        BIO_printf(fbio, "EHLO openssl.client.net\r\n");
+        (void)BIO_flush(fbio);
+        /* wait for multi-line response to end EHLO SMTP response */
+        do {
+            mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
+            if (strstr(mbuf, "STARTTLS"))
+                foundit = 1;
+        }
+        while (mbuf_len > 3 && mbuf[3] == '-');
+        (void)BIO_flush(fbio);
+        BIO_pop(fbio);
+        BIO_free(fbio);
+        if (!foundit)
+            BIO_printf(bio_err,
+                       "didn't found starttls in server response,"
+                       " try anyway...\n");
+        BIO_printf(sbio, "STARTTLS\r\n");
+        BIO_read(sbio, sbuf, BUFSIZZ);
+    } else if (starttls_proto == PROTO_POP3) {
+        BIO_read(sbio, mbuf, BUFSIZZ);
+        BIO_printf(sbio, "STLS\r\n");
+        BIO_read(sbio, sbuf, BUFSIZZ);
+    } else if (starttls_proto == PROTO_IMAP) {
+        int foundit = 0;
+        BIO *fbio = BIO_new(BIO_f_buffer());
+        BIO_push(fbio, sbio);
+        BIO_gets(fbio, mbuf, BUFSIZZ);
+        /* STARTTLS command requires CAPABILITY... */
+        BIO_printf(fbio, ". CAPABILITY\r\n");
+        (void)BIO_flush(fbio);
+        /* wait for multi-line CAPABILITY response */
+        do {
+            mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
+            if (strstr(mbuf, "STARTTLS"))
+                foundit = 1;
+        }
+        while (mbuf_len > 3 && mbuf[0] != '.');
+        (void)BIO_flush(fbio);
+        BIO_pop(fbio);
+        BIO_free(fbio);
+        if (!foundit)
+            BIO_printf(bio_err,
+                       "didn't found STARTTLS in server response,"
+                       " try anyway...\n");
+        BIO_printf(sbio, ". STARTTLS\r\n");
+        BIO_read(sbio, sbuf, BUFSIZZ);
+    } else if (starttls_proto == PROTO_FTP) {
+        BIO *fbio = BIO_new(BIO_f_buffer());
+        BIO_push(fbio, sbio);
+        /* wait for multi-line response to end from FTP */
+        do {
+            mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
+        }
+        while (mbuf_len > 3 && mbuf[3] == '-');
+        (void)BIO_flush(fbio);
+        BIO_pop(fbio);
+        BIO_free(fbio);
+        BIO_printf(sbio, "AUTH TLS\r\n");
+        BIO_read(sbio, sbuf, BUFSIZZ);
+    }
+    if (starttls_proto == PROTO_XMPP) {
+        int seen = 0;
+        BIO_printf(sbio, "<stream:stream "
+                   "xmlns:stream='http://etherx.jabber.org/streams' "
+                   "xmlns='jabber:client' to='%s' version='1.0'>", host);
+        seen = BIO_read(sbio, mbuf, BUFSIZZ);
+        mbuf[seen] = 0;
+        while (!strstr
+               (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) {
+            if (strstr(mbuf, "/stream:features>"))
+                goto shut;
+            seen = BIO_read(sbio, mbuf, BUFSIZZ);
+            mbuf[seen] = 0;
+        }
+        BIO_printf(sbio,
+                   "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
+        seen = BIO_read(sbio, sbuf, BUFSIZZ);
+        sbuf[seen] = 0;
+        if (!strstr(sbuf, "<proceed"))
+            goto shut;
+        mbuf[0] = 0;
+    }
+
+    for (;;) {
+        FD_ZERO(&readfds);
+        FD_ZERO(&writefds);
+
+        if ((SSL_version(con) == DTLS1_VERSION) &&
+            DTLSv1_get_timeout(con, &timeout))
+            timeoutp = &timeout;
+        else
+            timeoutp = NULL;
+
+        if (SSL_in_init(con) && !SSL_total_renegotiations(con)) {
+            in_init = 1;
+            tty_on = 0;
+        } else {
+            tty_on = 1;
+            if (in_init) {
+                in_init = 0;
+#if 0                           /* This test doesn't really work as intended
+                                 * (needs to be fixed) */
+# ifndef OPENSSL_NO_TLSEXT
+                if (servername != NULL && !SSL_session_reused(con)) {
+                    BIO_printf(bio_c_out,
+                               "Server did %sacknowledge servername extension.\n",
+                               tlsextcbp.ack ? "" : "not ");
+                }
+# endif
+#endif
+                if (sess_out) {
+                    BIO *stmp = BIO_new_file(sess_out, "w");
+                    if (stmp) {
+                        PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
+                        BIO_free(stmp);
+                    } else
+                        BIO_printf(bio_err, "Error writing session file %s\n",
+                                   sess_out);
+                }
+                if (c_brief) {
+                    BIO_puts(bio_err, "CONNECTION ESTABLISHED\n");
+                    print_ssl_summary(bio_err, con);
+                }
+
+                print_stuff(bio_c_out, con, full_log);
+                if (full_log > 0)
+                    full_log--;
+
+                if (starttls_proto) {
+                    BIO_printf(bio_err, "%s", mbuf);
+                    /* We don't need to know any more */
+                    starttls_proto = PROTO_OFF;
+                }
+
+                if (reconnect) {
+                    reconnect--;
+                    BIO_printf(bio_c_out,
+                               "drop connection and then reconnect\n");
+                    SSL_shutdown(con);
+                    SSL_set_connect_state(con);
+                    SHUTDOWN(SSL_get_fd(con));
+                    goto re_start;
+                }
+            }
+        }
+
+        ssl_pending = read_ssl && SSL_pending(con);
+
+        if (!ssl_pending) {
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
+            if (tty_on) {
+                if (read_tty)
+                    openssl_fdset(fileno_stdin(), &readfds);
+#if !defined(OPENSSL_SYS_VMS)
+                if (write_tty)
+                    openssl_fdset(fileno_stdout(), &writefds);
+#endif
+            }
+            if (read_ssl)
+                openssl_fdset(SSL_get_fd(con), &readfds);
+            if (write_ssl)
+                openssl_fdset(SSL_get_fd(con), &writefds);
+#else
+            if (!tty_on || !write_tty) {
+                if (read_ssl)
+                    openssl_fdset(SSL_get_fd(con), &readfds);
+                if (write_ssl)
+                    openssl_fdset(SSL_get_fd(con), &writefds);
+            }
+#endif
+/*-         printf("mode tty(%d %d%d) ssl(%d%d)\n",
+                    tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
+
+            /*
+             * Note: under VMS with SOCKETSHR the second parameter is
+             * currently of type (int *) whereas under other systems it is
+             * (void *) if you don't have a cast it will choke the compiler:
+             * if you do have a cast then you can either go for (int *) or
+             * (void *).
+             */
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+            /*
+             * Under Windows/DOS we make the assumption that we can always
+             * write to the tty: therefore if we need to write to the tty we
+             * just fall through. Otherwise we timeout the select every
+             * second and see if there are any keypresses. Note: this is a
+             * hack, in a proper Windows application we wouldn't do this.
+             */
+            i = 0;
+            if (!write_tty) {
+                if (read_tty) {
+                    tv.tv_sec = 1;
+                    tv.tv_usec = 0;
+                    i = select(width, (void *)&readfds, (void *)&writefds,
+                               NULL, &tv);
+# if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
+                    if (!i && (!_kbhit() || !read_tty))
+                        continue;
+# else
+                    if (!i && (!((_kbhit())
+                                 || (WAIT_OBJECT_0 ==
+                                     WaitForSingleObject(GetStdHandle
+                                                         (STD_INPUT_HANDLE),
+                                                         0)))
+                               || !read_tty))
+                        continue;
+# endif
+                } else
+                    i = select(width, (void *)&readfds, (void *)&writefds,
+                               NULL, timeoutp);
+            }
+#elif defined(OPENSSL_SYS_NETWARE)
+            if (!write_tty) {
+                if (read_tty) {
+                    tv.tv_sec = 1;
+                    tv.tv_usec = 0;
+                    i = select(width, (void *)&readfds, (void *)&writefds,
+                               NULL, &tv);
+                } else
+                    i = select(width, (void *)&readfds, (void *)&writefds,
+                               NULL, timeoutp);
+            }
+#elif defined(OPENSSL_SYS_BEOS_R5)
+            /* Under BeOS-R5 the situation is similar to DOS */
+            i = 0;
+            stdin_set = 0;
+            (void)fcntl(fileno_stdin(), F_SETFL, O_NONBLOCK);
+            if (!write_tty) {
+                if (read_tty) {
+                    tv.tv_sec = 1;
+                    tv.tv_usec = 0;
+                    i = select(width, (void *)&readfds, (void *)&writefds,
+                               NULL, &tv);
+                    if (read(fileno_stdin(), sbuf, 0) >= 0)
+                        stdin_set = 1;
+                    if (!i && (stdin_set != 1 || !read_tty))
+                        continue;
+                } else
+                    i = select(width, (void *)&readfds, (void *)&writefds,
+                               NULL, timeoutp);
+            }
+            (void)fcntl(fileno_stdin(), F_SETFL, 0);
+#else
+            i = select(width, (void *)&readfds, (void *)&writefds,
+                       NULL, timeoutp);
+#endif
+            if (i < 0) {
+                BIO_printf(bio_err, "bad select %d\n",
+                           get_last_socket_error());
+                goto shut;
+                /* goto end; */
+            }
+        }
+
+        if ((SSL_version(con) == DTLS1_VERSION)
+            && DTLSv1_handle_timeout(con) > 0) {
+            BIO_printf(bio_err, "TIMEOUT occured\n");
+        }
+
+        if (!ssl_pending && FD_ISSET(SSL_get_fd(con), &writefds)) {
+            k = SSL_write(con, &(cbuf[cbuf_off]), (unsigned int)cbuf_len);
+            switch (SSL_get_error(con, k)) {
+            case SSL_ERROR_NONE:
+                cbuf_off += k;
+                cbuf_len -= k;
+                if (k <= 0)
+                    goto end;
+                /* we have done a  write(con,NULL,0); */
+                if (cbuf_len <= 0) {
+                    read_tty = 1;
+                    write_ssl = 0;
+                } else {        /* if (cbuf_len > 0) */
+
+                    read_tty = 0;
+                    write_ssl = 1;
+                }
+                break;
+            case SSL_ERROR_WANT_WRITE:
+                BIO_printf(bio_c_out, "write W BLOCK\n");
+                write_ssl = 1;
+                read_tty = 0;
+                break;
+            case SSL_ERROR_WANT_READ:
+                BIO_printf(bio_c_out, "write R BLOCK\n");
+                write_tty = 0;
+                read_ssl = 1;
+                write_ssl = 0;
+                break;
+            case SSL_ERROR_WANT_X509_LOOKUP:
+                BIO_printf(bio_c_out, "write X BLOCK\n");
+                break;
+            case SSL_ERROR_ZERO_RETURN:
+                if (cbuf_len != 0) {
+                    BIO_printf(bio_c_out, "shutdown\n");
+                    ret = 0;
+                    goto shut;
+                } else {
+                    read_tty = 1;
+                    write_ssl = 0;
+                    break;
+                }
+
+            case SSL_ERROR_SYSCALL:
+                if ((k != 0) || (cbuf_len != 0)) {
+                    BIO_printf(bio_err, "write:errno=%d\n",
+                               get_last_socket_error());
+                    goto shut;
+                } else {
+                    read_tty = 1;
+                    write_ssl = 0;
+                }
+                break;
+            case SSL_ERROR_SSL:
+                ERR_print_errors(bio_err);
+                goto shut;
+            }
+        }
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5) || defined(OPENSSL_SYS_VMS)
+        /* Assume Windows/DOS/BeOS can always write */
+        else if (!ssl_pending && write_tty)
+#else
+        else if (!ssl_pending && FD_ISSET(fileno_stdout(), &writefds))
+#endif
+        {
+#ifdef CHARSET_EBCDIC
+            ascii2ebcdic(&(sbuf[sbuf_off]), &(sbuf[sbuf_off]), sbuf_len);
+#endif
+            i = raw_write_stdout(&(sbuf[sbuf_off]), sbuf_len);
+
+            if (i <= 0) {
+                BIO_printf(bio_c_out, "DONE\n");
+                ret = 0;
+                goto shut;
+                /* goto end; */
+            }
+
+            sbuf_len -= i;;
+            sbuf_off += i;
+            if (sbuf_len <= 0) {
+                read_ssl = 1;
+                write_tty = 0;
+            }
+        } else if (ssl_pending || FD_ISSET(SSL_get_fd(con), &readfds)) {
+#ifdef RENEG
+            {
+                static int iiii;
+                if (++iiii == 52) {
+                    SSL_renegotiate(con);
+                    iiii = 0;
+                }
+            }
+#endif
+#if 1
+            k = SSL_read(con, sbuf, 1024 /* BUFSIZZ */ );
+#else
+/* Demo for pending and peek :-) */
+            k = SSL_read(con, sbuf, 16);
+            {
+                char zbuf[10240];
+                printf("read=%d pending=%d peek=%d\n", k, SSL_pending(con),
+                       SSL_peek(con, zbuf, 10240));
+            }
+#endif
+
+            switch (SSL_get_error(con, k)) {
+            case SSL_ERROR_NONE:
+                if (k <= 0)
+                    goto end;
+                sbuf_off = 0;
+                sbuf_len = k;
+
+                read_ssl = 0;
+                write_tty = 1;
+                break;
+            case SSL_ERROR_WANT_WRITE:
+                BIO_printf(bio_c_out, "read W BLOCK\n");
+                write_ssl = 1;
+                read_tty = 0;
+                break;
+            case SSL_ERROR_WANT_READ:
+                BIO_printf(bio_c_out, "read R BLOCK\n");
+                write_tty = 0;
+                read_ssl = 1;
+                if ((read_tty == 0) && (write_ssl == 0))
+                    write_ssl = 1;
+                break;
+            case SSL_ERROR_WANT_X509_LOOKUP:
+                BIO_printf(bio_c_out, "read X BLOCK\n");
+                break;
+            case SSL_ERROR_SYSCALL:
+                ret = get_last_socket_error();
+                if (c_brief)
+                    BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
+                else
+                    BIO_printf(bio_err, "read:errno=%d\n", ret);
+                goto shut;
+            case SSL_ERROR_ZERO_RETURN:
+                BIO_printf(bio_c_out, "closed\n");
+                ret = 0;
+                goto shut;
+            case SSL_ERROR_SSL:
+                ERR_print_errors(bio_err);
+                goto shut;
+                /* break; */
+            }
+        }
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+# if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
+        else if (_kbhit())
+# else
+        else if ((_kbhit())
+                 || (WAIT_OBJECT_0 ==
+                     WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
+# endif
+#elif defined (OPENSSL_SYS_NETWARE)
+        else if (_kbhit())
+#elif defined(OPENSSL_SYS_BEOS_R5)
+        else if (stdin_set)
+#else
+        else if (FD_ISSET(fileno_stdin(), &readfds))
+#endif
+        {
+            if (crlf) {
+                int j, lf_num;
+
+                i = raw_read_stdin(cbuf, BUFSIZZ / 2);
+                lf_num = 0;
+                /* both loops are skipped when i <= 0 */
+                for (j = 0; j < i; j++)
+                    if (cbuf[j] == '\n')
+                        lf_num++;
+                for (j = i - 1; j >= 0; j--) {
+                    cbuf[j + lf_num] = cbuf[j];
+                    if (cbuf[j] == '\n') {
+                        lf_num--;
+                        i++;
+                        cbuf[j + lf_num] = '\r';
+                    }
+                }
+                assert(lf_num == 0);
+            } else
+                i = raw_read_stdin(cbuf, BUFSIZZ);
+
+            if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q'))) {
+                BIO_printf(bio_err, "DONE\n");
+                ret = 0;
+                goto shut;
+            }
+
+            if ((!c_ign_eof) && (cbuf[0] == 'R')) {
+                BIO_printf(bio_err, "RENEGOTIATING\n");
+                SSL_renegotiate(con);
+                cbuf_len = 0;
+            }
+#ifndef OPENSSL_NO_HEARTBEATS
+            else if ((!c_ign_eof) && (cbuf[0] == 'B')) {
+                BIO_printf(bio_err, "HEARTBEATING\n");
+                SSL_heartbeat(con);
+                cbuf_len = 0;
+            }
+#endif
+            else {
+                cbuf_len = i;
+                cbuf_off = 0;
+#ifdef CHARSET_EBCDIC
+                ebcdic2ascii(cbuf, cbuf, i);
+#endif
+            }
+
+            write_ssl = 1;
+            read_tty = 0;
+        }
+    }
+
+    ret = 0;
+ shut:
+    if (in_init)
+        print_stuff(bio_c_out, con, full_log);
+    SSL_shutdown(con);
+    SHUTDOWN(SSL_get_fd(con));
+ end:
+    if (con != NULL) {
+        if (prexit != 0)
+            print_stuff(bio_c_out, con, 1);
+        SSL_free(con);
+    }
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+    if (next_proto.data)
+        OPENSSL_free(next_proto.data);
+#endif
+    if (ctx != NULL)
+        SSL_CTX_free(ctx);
+    if (cert)
+        X509_free(cert);
+    if (crls)
+        sk_X509_CRL_pop_free(crls, X509_CRL_free);
+    if (key)
+        EVP_PKEY_free(key);
+    if (chain)
+        sk_X509_pop_free(chain, X509_free);
+    if (pass)
+        OPENSSL_free(pass);
+#ifndef OPENSSL_NO_SRP
+    OPENSSL_free(srp_arg.srppassin);
+#endif
+    if (vpm)
+        X509_VERIFY_PARAM_free(vpm);
+    ssl_excert_free(exc);
+    if (ssl_args)
+        sk_OPENSSL_STRING_free(ssl_args);
+    if (cctx)
+        SSL_CONF_CTX_free(cctx);
+#ifndef OPENSSL_NO_JPAKE
+    if (jpake_secret && psk_key)
+        OPENSSL_free(psk_key);
+#endif
+    if (cbuf != NULL) {
+        OPENSSL_cleanse(cbuf, BUFSIZZ);
+        OPENSSL_free(cbuf);
+    }
+    if (sbuf != NULL) {
+        OPENSSL_cleanse(sbuf, BUFSIZZ);
+        OPENSSL_free(sbuf);
+    }
+    if (mbuf != NULL) {
+        OPENSSL_cleanse(mbuf, BUFSIZZ);
+        OPENSSL_free(mbuf);
+    }
+    release_engine(e);
+    if (bio_c_out != NULL) {
+        BIO_free(bio_c_out);
+        bio_c_out = NULL;
+    }
+    if (bio_c_msg != NULL) {
+        BIO_free(bio_c_msg);
+        bio_c_msg = NULL;
+    }
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+
+static void print_stuff(BIO *bio, SSL *s, int full)
+{
+    X509 *peer = NULL;
+    char *p;
+    static const char *space = "                ";
+    char buf[BUFSIZ];
+    STACK_OF(X509) *sk;
+    STACK_OF(X509_NAME) *sk2;
+    const SSL_CIPHER *c;
+    X509_NAME *xn;
+    int j, i;
+#ifndef OPENSSL_NO_COMP
+    const COMP_METHOD *comp, *expansion;
+#endif
+    unsigned char *exportedkeymat;
+
+    if (full) {
+        int got_a_chain = 0;
+
+        sk = SSL_get_peer_cert_chain(s);
+        if (sk != NULL) {
+            got_a_chain = 1;    /* we don't have it for SSL2 (yet) */
+
+            BIO_printf(bio, "---\nCertificate chain\n");
+            for (i = 0; i < sk_X509_num(sk); i++) {
+                X509_NAME_oneline(X509_get_subject_name(sk_X509_value(sk, i)),
+                                  buf, sizeof buf);
+                BIO_printf(bio, "%2d s:%s\n", i, buf);
+                X509_NAME_oneline(X509_get_issuer_name(sk_X509_value(sk, i)),
+                                  buf, sizeof buf);
+                BIO_printf(bio, "   i:%s\n", buf);
+                if (c_showcerts)
+                    PEM_write_bio_X509(bio, sk_X509_value(sk, i));
+            }
+        }
+
+        BIO_printf(bio, "---\n");
+        peer = SSL_get_peer_certificate(s);
+        if (peer != NULL) {
+            BIO_printf(bio, "Server certificate\n");
+
+            /* Redundant if we showed the whole chain */
+            if (!(c_showcerts && got_a_chain))
+                PEM_write_bio_X509(bio, peer);
+            X509_NAME_oneline(X509_get_subject_name(peer), buf, sizeof buf);
+            BIO_printf(bio, "subject=%s\n", buf);
+            X509_NAME_oneline(X509_get_issuer_name(peer), buf, sizeof buf);
+            BIO_printf(bio, "issuer=%s\n", buf);
+        } else
+            BIO_printf(bio, "no peer certificate available\n");
+
+        sk2 = SSL_get_client_CA_list(s);
+        if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0)) {
+            BIO_printf(bio, "---\nAcceptable client certificate CA names\n");
+            for (i = 0; i < sk_X509_NAME_num(sk2); i++) {
+                xn = sk_X509_NAME_value(sk2, i);
+                X509_NAME_oneline(xn, buf, sizeof(buf));
+                BIO_write(bio, buf, strlen(buf));
+                BIO_write(bio, "\n", 1);
+            }
+        } else {
+            BIO_printf(bio, "---\nNo client certificate CA names sent\n");
+        }
+        p = SSL_get_shared_ciphers(s, buf, sizeof buf);
+        if (p != NULL) {
+            /*
+             * This works only for SSL 2.  In later protocol versions, the
+             * client does not know what other ciphers (in addition to the
+             * one to be used in the current connection) the server supports.
+             */
+
+            BIO_printf(bio,
+                       "---\nCiphers common between both SSL endpoints:\n");
+            j = i = 0;
+            while (*p) {
+                if (*p == ':') {
+                    BIO_write(bio, space, 15 - j % 25);
+                    i++;
+                    j = 0;
+                    BIO_write(bio, ((i % 3) ? " " : "\n"), 1);
+                } else {
+                    BIO_write(bio, p, 1);
+                    j++;
+                }
+                p++;
+            }
+            BIO_write(bio, "\n", 1);
+        }
+
+        ssl_print_sigalgs(bio, s);
+        ssl_print_tmp_key(bio, s);
+
+        BIO_printf(bio,
+                   "---\nSSL handshake has read %ld bytes and written %ld bytes\n",
+                   BIO_number_read(SSL_get_rbio(s)),
+                   BIO_number_written(SSL_get_wbio(s)));
+    }
+    BIO_printf(bio, (SSL_cache_hit(s) ? "---\nReused, " : "---\nNew, "));
+    c = SSL_get_current_cipher(s);
+    BIO_printf(bio, "%s, Cipher is %s\n",
+               SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
+    if (peer != NULL) {
+        EVP_PKEY *pktmp;
+        pktmp = X509_get_pubkey(peer);
+        BIO_printf(bio, "Server public key is %d bit\n",
+                   EVP_PKEY_bits(pktmp));
+        EVP_PKEY_free(pktmp);
+    }
+    BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
+               SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
+#ifndef OPENSSL_NO_COMP
+    comp = SSL_get_current_compression(s);
+    expansion = SSL_get_current_expansion(s);
+    BIO_printf(bio, "Compression: %s\n",
+               comp ? SSL_COMP_get_name(comp) : "NONE");
+    BIO_printf(bio, "Expansion: %s\n",
+               expansion ? SSL_COMP_get_name(expansion) : "NONE");
+#endif
+
+#ifdef SSL_DEBUG
+    {
+        /* Print out local port of connection: useful for debugging */
+        int sock;
+        struct sockaddr_in ladd;
+        socklen_t ladd_size = sizeof(ladd);
+        sock = SSL_get_fd(s);
+        getsockname(sock, (struct sockaddr *)&ladd, &ladd_size);
+        BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port));
+    }
+#endif
+
+#if !defined(OPENSSL_NO_TLSEXT)
+# if !defined(OPENSSL_NO_NEXTPROTONEG)
+    if (next_proto.status != -1) {
+        const unsigned char *proto;
+        unsigned int proto_len;
+        SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
+        BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
+        BIO_write(bio, proto, proto_len);
+        BIO_write(bio, "\n", 1);
+    }
+# endif
+    {
+        const unsigned char *proto;
+        unsigned int proto_len;
+        SSL_get0_alpn_selected(s, &proto, &proto_len);
+        if (proto_len > 0) {
+            BIO_printf(bio, "ALPN protocol: ");
+            BIO_write(bio, proto, proto_len);
+            BIO_write(bio, "\n", 1);
+        } else
+            BIO_printf(bio, "No ALPN negotiated\n");
+    }
+#endif
+
+#ifndef OPENSSL_NO_SRTP
+    {
+        SRTP_PROTECTION_PROFILE *srtp_profile =
+            SSL_get_selected_srtp_profile(s);
+
+        if (srtp_profile)
+            BIO_printf(bio, "SRTP Extension negotiated, profile=%s\n",
+                       srtp_profile->name);
+    }
+#endif
+
+    SSL_SESSION_print(bio, SSL_get_session(s));
+    if (keymatexportlabel != NULL) {
+        BIO_printf(bio, "Keying material exporter:\n");
+        BIO_printf(bio, "    Label: '%s'\n", keymatexportlabel);
+        BIO_printf(bio, "    Length: %i bytes\n", keymatexportlen);
+        exportedkeymat = OPENSSL_malloc(keymatexportlen);
+        if (exportedkeymat != NULL) {
+            if (!SSL_export_keying_material(s, exportedkeymat,
+                                            keymatexportlen,
+                                            keymatexportlabel,
+                                            strlen(keymatexportlabel),
+                                            NULL, 0, 0)) {
+                BIO_printf(bio, "    Error\n");
+            } else {
+                BIO_printf(bio, "    Keying material: ");
+                for (i = 0; i < keymatexportlen; i++)
+                    BIO_printf(bio, "%02X", exportedkeymat[i]);
+                BIO_printf(bio, "\n");
+            }
+            OPENSSL_free(exportedkeymat);
+        }
+    }
+    BIO_printf(bio, "---\n");
+    if (peer != NULL)
+        X509_free(peer);
+    /* flush, or debugging output gets mixed with http response */
+    (void)BIO_flush(bio);
+}
+
+#ifndef OPENSSL_NO_TLSEXT
+
+static int ocsp_resp_cb(SSL *s, void *arg)
+{
+    const unsigned char *p;
+    int len;
+    OCSP_RESPONSE *rsp;
+    len = SSL_get_tlsext_status_ocsp_resp(s, &p);
+    BIO_puts(arg, "OCSP response: ");
+    if (!p) {
+        BIO_puts(arg, "no response sent\n");
+        return 1;
+    }
+    rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
+    if (!rsp) {
+        BIO_puts(arg, "response parse error\n");
+        BIO_dump_indent(arg, (char *)p, len, 4);
+        return 0;
+    }
+    BIO_puts(arg, "\n======================================\n");
+    OCSP_RESPONSE_print(arg, rsp, 0);
+    BIO_puts(arg, "======================================\n");
+    OCSP_RESPONSE_free(rsp);
+    return 1;
+}
+
+#endif
diff --git a/openssl/apps/s_server.c b/openssl/apps/s_server.c
new file mode 100644
index 0000000..b561cf3
--- /dev/null
+++ b/openssl/apps/s_server.c
@@ -0,0 +1,3518 @@
+/* apps/s_server.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECC cipher suite support in OpenSSL originally developed by
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
+/* ====================================================================
+ * Copyright 2005 Nokia. All rights reserved.
+ *
+ * The portions of the attached software ("Contribution") is developed by
+ * Nokia Corporation and is licensed pursuant to the OpenSSL open source
+ * license.
+ *
+ * The Contribution, originally written by Mika Kousa and Pasi Eronen of
+ * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
+ * support (see RFC 4279) to OpenSSL.
+ *
+ * No patent licenses or other rights except those expressly stated in
+ * the OpenSSL open source license shall be deemed granted or received
+ * expressly, by implication, estoppel, or otherwise.
+ *
+ * No assurances are provided by Nokia that the Contribution does not
+ * infringe the patent or other intellectual property rights of any third
+ * party or that the license provides you with all the necessary rights
+ * to make use of the Contribution.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
+ * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
+ * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
+ * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
+ * OTHERWISE.
+ */
+
+/*
+ * Until the key-gen callbacks are modified to use newer prototypes, we allow
+ * deprecated functions for openssl-internal code
+ */
+#ifdef OPENSSL_NO_DEPRECATED
+# undef OPENSSL_NO_DEPRECATED
+#endif
+
+#include <assert.h>
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/e_os2.h>
+#ifdef OPENSSL_NO_STDIO
+# define APPS_WIN16
+#endif
+
+/* conflicts with winsock2 stuff on netware */
+#if !defined(OPENSSL_SYS_NETWARE)
+# include <sys/types.h>
+#endif
+
+/*
+ * With IPv6, it looks like Digital has mixed up the proper order of
+ * recursive header file inclusion, resulting in the compiler complaining
+ * that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is
+ * needed to have fileno() declared correctly...  So let's define u_int
+ */
+#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
+# define __U_INT
+typedef unsigned int u_int;
+#endif
+
+#include <openssl/lhash.h>
+#include <openssl/bn.h>
+#define USE_SOCKETS
+#include "apps.h"
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+#include <openssl/ssl.h>
+#include <openssl/rand.h>
+#include <openssl/ocsp.h>
+#ifndef OPENSSL_NO_DH
+# include <openssl/dh.h>
+#endif
+#ifndef OPENSSL_NO_RSA
+# include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_SRP
+# include <openssl/srp.h>
+#endif
+#include "s_apps.h"
+#include "timeouts.h"
+
+#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
+/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
+# undef FIONBIO
+#endif
+
+#if defined(OPENSSL_SYS_BEOS_R5)
+# include <fcntl.h>
+#endif
+
+#ifndef OPENSSL_NO_RSA
+static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
+#endif
+static int sv_body(char *hostname, int s, int stype, unsigned char *context);
+static int www_body(char *hostname, int s, int stype, unsigned char *context);
+static int rev_body(char *hostname, int s, int stype, unsigned char *context);
+static void close_accept_socket(void);
+static void sv_usage(void);
+static int init_ssl_connection(SSL *s);
+static void print_stats(BIO *bp, SSL_CTX *ctx);
+static int generate_session_id(const SSL *ssl, unsigned char *id,
+                               unsigned int *id_len);
+static void init_session_cache_ctx(SSL_CTX *sctx);
+static void free_sessions(void);
+#ifndef OPENSSL_NO_DH
+static DH *load_dh_param(const char *dhfile);
+static DH *get_dh2048(void);
+#endif
+
+#ifdef MONOLITH
+static void s_server_init(void);
+#endif
+
+#ifndef OPENSSL_NO_DH
+static unsigned char dh2048_p[] = {
+    0xF6,0x42,0x57,0xB7,0x08,0x7F,0x08,0x17,0x72,0xA2,0xBA,0xD6,
+    0xA9,0x42,0xF3,0x05,0xE8,0xF9,0x53,0x11,0x39,0x4F,0xB6,0xF1,
+    0x6E,0xB9,0x4B,0x38,0x20,0xDA,0x01,0xA7,0x56,0xA3,0x14,0xE9,
+    0x8F,0x40,0x55,0xF3,0xD0,0x07,0xC6,0xCB,0x43,0xA9,0x94,0xAD,
+    0xF7,0x4C,0x64,0x86,0x49,0xF8,0x0C,0x83,0xBD,0x65,0xE9,0x17,
+    0xD4,0xA1,0xD3,0x50,0xF8,0xF5,0x59,0x5F,0xDC,0x76,0x52,0x4F,
+    0x3D,0x3D,0x8D,0xDB,0xCE,0x99,0xE1,0x57,0x92,0x59,0xCD,0xFD,
+    0xB8,0xAE,0x74,0x4F,0xC5,0xFC,0x76,0xBC,0x83,0xC5,0x47,0x30,
+    0x61,0xCE,0x7C,0xC9,0x66,0xFF,0x15,0xF9,0xBB,0xFD,0x91,0x5E,
+    0xC7,0x01,0xAA,0xD3,0x5B,0x9E,0x8D,0xA0,0xA5,0x72,0x3A,0xD4,
+    0x1A,0xF0,0xBF,0x46,0x00,0x58,0x2B,0xE5,0xF4,0x88,0xFD,0x58,
+    0x4E,0x49,0xDB,0xCD,0x20,0xB4,0x9D,0xE4,0x91,0x07,0x36,0x6B,
+    0x33,0x6C,0x38,0x0D,0x45,0x1D,0x0F,0x7C,0x88,0xB3,0x1C,0x7C,
+    0x5B,0x2D,0x8E,0xF6,0xF3,0xC9,0x23,0xC0,0x43,0xF0,0xA5,0x5B,
+    0x18,0x8D,0x8E,0xBB,0x55,0x8C,0xB8,0x5D,0x38,0xD3,0x34,0xFD,
+    0x7C,0x17,0x57,0x43,0xA3,0x1D,0x18,0x6C,0xDE,0x33,0x21,0x2C,
+    0xB5,0x2A,0xFF,0x3C,0xE1,0xB1,0x29,0x40,0x18,0x11,0x8D,0x7C,
+    0x84,0xA7,0x0A,0x72,0xD6,0x86,0xC4,0x03,0x19,0xC8,0x07,0x29,
+    0x7A,0xCA,0x95,0x0C,0xD9,0x96,0x9F,0xAB,0xD0,0x0A,0x50,0x9B,
+    0x02,0x46,0xD3,0x08,0x3D,0x66,0xA4,0x5D,0x41,0x9F,0x9C,0x7C,
+    0xBD,0x89,0x4B,0x22,0x19,0x26,0xBA,0xAB,0xA2,0x5E,0xC3,0x55,
+    0xE9,0x32,0x0B,0x3B,
+};
+
+static unsigned char dh2048_g[] = {
+    0x02,
+};
+
+DH *get_dh2048()
+{
+    DH *dh;
+
+    if ((dh = DH_new()) == NULL)
+        return NULL;
+    dh->p=BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
+    dh->g=BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
+    if (dh->p == NULL || dh->g == NULL) {
+        DH_free(dh);
+        return NULL;
+    }
+    return dh;
+}
+#endif
+
+/* static int load_CA(SSL_CTX *ctx, char *file);*/
+
+#undef BUFSIZZ
+#define BUFSIZZ 16*1024
+static int bufsize = BUFSIZZ;
+static int accept_socket = -1;
+
+#define TEST_CERT       "server.pem"
+#ifndef OPENSSL_NO_TLSEXT
+# define TEST_CERT2      "server2.pem"
+#endif
+#undef PROG
+#define PROG            s_server_main
+
+extern int verify_depth, verify_return_error, verify_quiet;
+
+static int s_server_verify = SSL_VERIFY_NONE;
+static int s_server_session_id_context = 1; /* anything will do */
+static const char *s_cert_file = TEST_CERT, *s_key_file =
+    NULL, *s_chain_file = NULL;
+#ifndef OPENSSL_NO_TLSEXT
+static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL;
+#endif
+static char *s_dcert_file = NULL, *s_dkey_file = NULL, *s_dchain_file = NULL;
+#ifdef FIONBIO
+static int s_nbio = 0;
+#endif
+static int s_nbio_test = 0;
+int s_crlf = 0;
+static SSL_CTX *ctx = NULL;
+#ifndef OPENSSL_NO_TLSEXT
+static SSL_CTX *ctx2 = NULL;
+#endif
+static int www = 0;
+
+static BIO *bio_s_out = NULL;
+static BIO *bio_s_msg = NULL;
+static int s_debug = 0;
+#ifndef OPENSSL_NO_TLSEXT
+static int s_tlsextdebug = 0;
+static int s_tlsextstatus = 0;
+static int cert_status_cb(SSL *s, void *arg);
+#endif
+static int no_resume_ephemeral = 0;
+static int s_msg = 0;
+static int s_quiet = 0;
+static int s_ign_eof = 0;
+static int s_brief = 0;
+
+static char *keymatexportlabel = NULL;
+static int keymatexportlen = 20;
+
+static int hack = 0;
+static char *engine_id = NULL;
+static const char *session_id_prefix = NULL;
+
+static int enable_timeouts = 0;
+static long socket_mtu;
+#ifndef OPENSSL_NO_DTLS1
+static int cert_chain = 0;
+#endif
+
+#ifndef OPENSSL_NO_TLSEXT
+static BIO *serverinfo_in = NULL;
+static const char *s_serverinfo_file = NULL;
+
+#endif
+
+#ifndef OPENSSL_NO_PSK
+static char *psk_identity = "Client_identity";
+char *psk_key = NULL;           /* by default PSK is not used */
+
+static unsigned int psk_server_cb(SSL *ssl, const char *identity,
+                                  unsigned char *psk,
+                                  unsigned int max_psk_len)
+{
+    long key_len = 0;
+    unsigned char *key;
+
+    if (s_debug)
+        BIO_printf(bio_s_out, "psk_server_cb\n");
+    if (!identity) {
+        BIO_printf(bio_err, "Error: client did not send PSK identity\n");
+        goto out_err;
+    }
+    if (s_debug)
+        BIO_printf(bio_s_out, "identity_len=%d identity=%s\n",
+                   (int)strlen(identity), identity);
+
+    /* here we could lookup the given identity e.g. from a database */
+    if (strcmp(identity, psk_identity) != 0) {
+        BIO_printf(bio_s_out, "PSK error: client identity not found"
+                   " (got '%s' expected '%s')\n", identity, psk_identity);
+        goto out_err;
+    }
+    if (s_debug)
+        BIO_printf(bio_s_out, "PSK client identity found\n");
+
+    /* convert the PSK key to binary */
+    key = string_to_hex(psk_key, &key_len);
+    if (key == NULL) {
+        BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
+                   psk_key);
+        return 0;
+    }
+    if (key_len > (int)max_psk_len) {
+        BIO_printf(bio_err,
+                   "psk buffer of callback is too small (%d) for key (%ld)\n",
+                   max_psk_len, key_len);
+        OPENSSL_free(key);
+        return 0;
+    }
+
+    memcpy(psk, key, key_len);
+    OPENSSL_free(key);
+
+    if (s_debug)
+        BIO_printf(bio_s_out, "fetched PSK len=%ld\n", key_len);
+    return key_len;
+ out_err:
+    if (s_debug)
+        BIO_printf(bio_err, "Error in PSK server callback\n");
+    return 0;
+}
+#endif
+
+#ifndef OPENSSL_NO_SRP
+/* This is a context that we pass to callbacks */
+typedef struct srpsrvparm_st {
+    char *login;
+    SRP_VBASE *vb;
+    SRP_user_pwd *user;
+} srpsrvparm;
+
+/*
+ * This callback pretends to require some asynchronous logic in order to
+ * obtain a verifier. When the callback is called for a new connection we
+ * return with a negative value. This will provoke the accept etc to return
+ * with an LOOKUP_X509. The main logic of the reinvokes the suspended call
+ * (which would normally occur after a worker has finished) and we set the
+ * user parameters.
+ */
+static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
+{
+    srpsrvparm *p = (srpsrvparm *) arg;
+    int ret = SSL3_AL_FATAL;
+
+    if (p->login == NULL && p->user == NULL) {
+        p->login = SSL_get_srp_username(s);
+        BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);
+        return (-1);
+    }
+
+    if (p->user == NULL) {
+        BIO_printf(bio_err, "User %s doesn't exist\n", p->login);
+        goto err;
+    }
+
+    if (SSL_set_srp_server_param
+        (s, p->user->N, p->user->g, p->user->s, p->user->v,
+         p->user->info) < 0) {
+        *ad = SSL_AD_INTERNAL_ERROR;
+        goto err;
+    }
+    BIO_printf(bio_err,
+               "SRP parameters set: username = \"%s\" info=\"%s\" \n",
+               p->login, p->user->info);
+    ret = SSL_ERROR_NONE;
+
+err:
+    SRP_user_pwd_free(p->user);
+    p->user = NULL;
+    p->login = NULL;
+    return ret;
+}
+
+#endif
+
+#ifdef MONOLITH
+static void s_server_init(void)
+{
+    accept_socket = -1;
+    s_server_verify = SSL_VERIFY_NONE;
+    s_dcert_file = NULL;
+    s_dkey_file = NULL;
+    s_dchain_file = NULL;
+    s_cert_file = TEST_CERT;
+    s_key_file = NULL;
+    s_chain_file = NULL;
+# ifndef OPENSSL_NO_TLSEXT
+    s_cert_file2 = TEST_CERT2;
+    s_key_file2 = NULL;
+    ctx2 = NULL;
+# endif
+# ifdef FIONBIO
+    s_nbio = 0;
+# endif
+    s_nbio_test = 0;
+    ctx = NULL;
+    www = 0;
+
+    bio_s_out = NULL;
+    s_debug = 0;
+    s_msg = 0;
+    s_quiet = 0;
+    s_brief = 0;
+    hack = 0;
+    engine_id = NULL;
+}
+#endif
+
+static void sv_usage(void)
+{
+    BIO_printf(bio_err, "usage: s_server [args ...]\n");
+    BIO_printf(bio_err, "\n");
+    BIO_printf(bio_err,
+               " -accept arg   - port to accept on (default is %d)\n", PORT);
+    BIO_printf(bio_err,
+               " -verify_hostname host - check peer certificate matches \"host\"\n");
+    BIO_printf(bio_err,
+               " -verify_email email - check peer certificate matches \"email\"\n");
+    BIO_printf(bio_err,
+               " -verify_ip ipaddr - check peer certificate matches \"ipaddr\"\n");
+    BIO_printf(bio_err, " -context arg  - set session ID context\n");
+    BIO_printf(bio_err,
+               " -verify arg   - turn on peer certificate verification\n");
+    BIO_printf(bio_err,
+               " -Verify arg   - turn on peer certificate verification, must have a cert.\n");
+    BIO_printf(bio_err,
+               " -verify_return_error - return verification errors\n");
+    BIO_printf(bio_err, " -cert arg     - certificate file to use\n");
+    BIO_printf(bio_err, "                 (default is %s)\n", TEST_CERT);
+#ifndef OPENSSL_NO_TLSEXT
+    BIO_printf(bio_err,
+               " -serverinfo arg - PEM serverinfo file for certificate\n");
+    BIO_printf(bio_err,
+               " -auth               - send and receive RFC 5878 TLS auth extensions and supplemental data\n");
+    BIO_printf(bio_err,
+               " -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n");
+#endif
+    BIO_printf(bio_err,
+               " -no_resumption_on_reneg - set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag\n");
+    BIO_printf(bio_err,
+               " -crl_check    - check the peer certificate has not been revoked by its CA.\n"
+               "                 The CRL(s) are appended to the certificate file\n");
+    BIO_printf(bio_err,
+               " -crl_check_all - check the peer certificate has not been revoked by its CA\n"
+               "                 or any other CRL in the CA chain. CRL(s) are appened to the\n"
+               "                 the certificate file.\n");
+    BIO_printf(bio_err,
+               " -certform arg - certificate format (PEM or DER) PEM default\n");
+    BIO_printf(bio_err,
+               " -key arg      - Private Key file to use, in cert file if\n");
+    BIO_printf(bio_err, "                 not specified (default is %s)\n",
+               TEST_CERT);
+    BIO_printf(bio_err,
+               " -keyform arg  - key format (PEM, DER or ENGINE) PEM default\n");
+    BIO_printf(bio_err,
+               " -pass arg     - private key file pass phrase source\n");
+    BIO_printf(bio_err,
+               " -dcert arg    - second certificate file to use (usually for DSA)\n");
+    BIO_printf(bio_err,
+               " -dcertform x  - second certificate format (PEM or DER) PEM default\n");
+    BIO_printf(bio_err,
+               " -dkey arg     - second private key file to use (usually for DSA)\n");
+    BIO_printf(bio_err,
+               " -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default\n");
+    BIO_printf(bio_err,
+               " -dpass arg    - second private key file pass phrase source\n");
+    BIO_printf(bio_err,
+               " -dhparam arg  - DH parameter file to use, in cert file if not specified\n");
+    BIO_printf(bio_err,
+               "                 or a default set of parameters is used\n");
+#ifndef OPENSSL_NO_ECDH
+    BIO_printf(bio_err,
+               " -named_curve arg  - Elliptic curve name to use for ephemeral ECDH keys.\n"
+               "                 Use \"openssl ecparam -list_curves\" for all names\n"
+               "                 (default is nistp256).\n");
+#endif
+#ifdef FIONBIO
+    BIO_printf(bio_err, " -nbio         - Run with non-blocking IO\n");
+#endif
+    BIO_printf(bio_err,
+               " -nbio_test    - test with the non-blocking test bio\n");
+    BIO_printf(bio_err,
+               " -crlf         - convert LF from terminal into CRLF\n");
+    BIO_printf(bio_err, " -debug        - Print more output\n");
+    BIO_printf(bio_err, " -msg          - Show protocol messages\n");
+    BIO_printf(bio_err, " -state        - Print the SSL states\n");
+    BIO_printf(bio_err, " -CApath arg   - PEM format directory of CA's\n");
+    BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n");
+    BIO_printf(bio_err,
+               " -no_alt_chains - only ever use the first certificate chain found\n");
+    BIO_printf(bio_err,
+               " -nocert       - Don't use any certificates (Anon-DH)\n");
+    BIO_printf(bio_err,
+               " -cipher arg   - play with 'openssl ciphers' to see what goes here\n");
+    BIO_printf(bio_err, " -serverpref   - Use server's cipher preferences\n");
+    BIO_printf(bio_err, " -quiet        - No server output\n");
+    BIO_printf(bio_err, " -no_tmp_rsa   - Do not generate a tmp RSA key\n");
+#ifndef OPENSSL_NO_PSK
+    BIO_printf(bio_err, " -psk_hint arg - PSK identity hint to use\n");
+    BIO_printf(bio_err, " -psk arg      - PSK in hex (without 0x)\n");
+# ifndef OPENSSL_NO_JPAKE
+    BIO_printf(bio_err, " -jpake arg    - JPAKE secret to use\n");
+# endif
+#endif
+#ifndef OPENSSL_NO_SRP
+    BIO_printf(bio_err, " -srpvfile file      - The verifier file for SRP\n");
+    BIO_printf(bio_err,
+               " -srpuserseed string - A seed string for a default user salt.\n");
+#endif
+    BIO_printf(bio_err, " -ssl2         - Just talk SSLv2\n");
+#ifndef OPENSSL_NO_SSL3_METHOD
+    BIO_printf(bio_err, " -ssl3         - Just talk SSLv3\n");
+#endif
+    BIO_printf(bio_err, " -tls1_2       - Just talk TLSv1.2\n");
+    BIO_printf(bio_err, " -tls1_1       - Just talk TLSv1.1\n");
+    BIO_printf(bio_err, " -tls1         - Just talk TLSv1\n");
+    BIO_printf(bio_err, " -dtls1        - Just talk DTLSv1\n");
+    BIO_printf(bio_err, " -dtls1_2      - Just talk DTLSv1.2\n");
+    BIO_printf(bio_err, " -timeout      - Enable timeouts\n");
+    BIO_printf(bio_err, " -mtu          - Set link layer MTU\n");
+    BIO_printf(bio_err, " -chain        - Read a certificate chain\n");
+    BIO_printf(bio_err, " -no_ssl2      - Just disable SSLv2\n");
+    BIO_printf(bio_err, " -no_ssl3      - Just disable SSLv3\n");
+    BIO_printf(bio_err, " -no_tls1      - Just disable TLSv1\n");
+    BIO_printf(bio_err, " -no_tls1_1    - Just disable TLSv1.1\n");
+    BIO_printf(bio_err, " -no_tls1_2    - Just disable TLSv1.2\n");
+#ifndef OPENSSL_NO_DH
+    BIO_printf(bio_err, " -no_dhe       - Disable ephemeral DH\n");
+#endif
+#ifndef OPENSSL_NO_ECDH
+    BIO_printf(bio_err, " -no_ecdhe     - Disable ephemeral ECDH\n");
+#endif
+    BIO_printf(bio_err, " -bugs         - Turn on SSL bug compatibility\n");
+    BIO_printf(bio_err,
+               " -hack         - workaround for early Netscape code\n");
+    BIO_printf(bio_err,
+               " -www          - Respond to a 'GET /' with a status page\n");
+    BIO_printf(bio_err,
+               " -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
+    BIO_printf(bio_err,
+               " -HTTP         - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
+    BIO_printf(bio_err,
+               "                 with the assumption it contains a complete HTTP response.\n");
+#ifndef OPENSSL_NO_ENGINE
+    BIO_printf(bio_err,
+               " -engine id    - Initialise and use the specified engine\n");
+#endif
+    BIO_printf(bio_err,
+               " -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
+    BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
+               LIST_SEPARATOR_CHAR);
+#ifndef OPENSSL_NO_TLSEXT
+    BIO_printf(bio_err,
+               " -servername host - servername for HostName TLS extension\n");
+    BIO_printf(bio_err,
+               " -servername_fatal - on mismatch send fatal alert (default warning alert)\n");
+    BIO_printf(bio_err,
+               " -cert2 arg    - certificate file to use for servername\n");
+    BIO_printf(bio_err, "                 (default is %s)\n", TEST_CERT2);
+    BIO_printf(bio_err,
+               " -key2 arg     - Private Key file to use for servername, in cert file if\n");
+    BIO_printf(bio_err, "                 not specified (default is %s)\n",
+               TEST_CERT2);
+    BIO_printf(bio_err,
+               " -tlsextdebug  - hex dump of all TLS extensions received\n");
+    BIO_printf(bio_err,
+               " -no_ticket    - disable use of RFC4507bis session tickets\n");
+    BIO_printf(bio_err,
+               " -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
+    BIO_printf(bio_err,
+               " -sigalgs arg      - Signature algorithms to support (colon-separated list)\n");
+    BIO_printf(bio_err,
+               " -client_sigalgs arg  - Signature algorithms to support for client \n");
+    BIO_printf(bio_err,
+               "                        certificate authentication (colon-separated list)\n");
+# ifndef OPENSSL_NO_NEXTPROTONEG
+    BIO_printf(bio_err,
+               " -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");
+# endif
+# ifndef OPENSSL_NO_SRTP
+    BIO_printf(bio_err,
+               " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
+# endif
+    BIO_printf(bio_err,
+               " -alpn arg  - set the advertised protocols for the ALPN extension (comma-separated list)\n");
+#endif
+    BIO_printf(bio_err,
+               " -keymatexport label   - Export keying material using label\n");
+    BIO_printf(bio_err,
+               " -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
+    BIO_printf(bio_err,
+               " -status           - respond to certificate status requests\n");
+    BIO_printf(bio_err,
+               " -status_verbose   - enable status request verbose printout\n");
+    BIO_printf(bio_err,
+               " -status_timeout n - status request responder timeout\n");
+    BIO_printf(bio_err, " -status_url URL   - status request fallback URL\n");
+}
+
+static int local_argc = 0;
+static char **local_argv;
+
+#ifdef CHARSET_EBCDIC
+static int ebcdic_new(BIO *bi);
+static int ebcdic_free(BIO *a);
+static int ebcdic_read(BIO *b, char *out, int outl);
+static int ebcdic_write(BIO *b, const char *in, int inl);
+static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr);
+static int ebcdic_gets(BIO *bp, char *buf, int size);
+static int ebcdic_puts(BIO *bp, const char *str);
+
+# define BIO_TYPE_EBCDIC_FILTER  (18|0x0200)
+static BIO_METHOD methods_ebcdic = {
+    BIO_TYPE_EBCDIC_FILTER,
+    "EBCDIC/ASCII filter",
+    ebcdic_write,
+    ebcdic_read,
+    ebcdic_puts,
+    ebcdic_gets,
+    ebcdic_ctrl,
+    ebcdic_new,
+    ebcdic_free,
+};
+
+typedef struct {
+    size_t alloced;
+    char buff[1];
+} EBCDIC_OUTBUFF;
+
+BIO_METHOD *BIO_f_ebcdic_filter()
+{
+    return (&methods_ebcdic);
+}
+
+static int ebcdic_new(BIO *bi)
+{
+    EBCDIC_OUTBUFF *wbuf;
+
+    wbuf = (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024);
+    if (!wbuf)
+        return 0;
+    wbuf->alloced = 1024;
+    wbuf->buff[0] = '\0';
+
+    bi->ptr = (char *)wbuf;
+    bi->init = 1;
+    bi->flags = 0;
+    return (1);
+}
+
+static int ebcdic_free(BIO *a)
+{
+    if (a == NULL)
+        return (0);
+    if (a->ptr != NULL)
+        OPENSSL_free(a->ptr);
+    a->ptr = NULL;
+    a->init = 0;
+    a->flags = 0;
+    return (1);
+}
+
+static int ebcdic_read(BIO *b, char *out, int outl)
+{
+    int ret = 0;
+
+    if (out == NULL || outl == 0)
+        return (0);
+    if (b->next_bio == NULL)
+        return (0);
+
+    ret = BIO_read(b->next_bio, out, outl);
+    if (ret > 0)
+        ascii2ebcdic(out, out, ret);
+    return (ret);
+}
+
+static int ebcdic_write(BIO *b, const char *in, int inl)
+{
+    EBCDIC_OUTBUFF *wbuf;
+    int ret = 0;
+    int num;
+    unsigned char n;
+
+    if ((in == NULL) || (inl <= 0))
+        return (0);
+    if (b->next_bio == NULL)
+        return (0);
+
+    wbuf = (EBCDIC_OUTBUFF *) b->ptr;
+
+    if (inl > (num = wbuf->alloced)) {
+        num = num + num;        /* double the size */
+        if (num < inl)
+            num = inl;
+        wbuf =
+            (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num);
+        if (!wbuf)
+            return 0;
+        OPENSSL_free(b->ptr);
+
+        wbuf->alloced = num;
+        wbuf->buff[0] = '\0';
+
+        b->ptr = (char *)wbuf;
+    }
+
+    ebcdic2ascii(wbuf->buff, in, inl);
+
+    ret = BIO_write(b->next_bio, wbuf->buff, inl);
+
+    return (ret);
+}
+
+static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr)
+{
+    long ret;
+
+    if (b->next_bio == NULL)
+        return (0);
+    switch (cmd) {
+    case BIO_CTRL_DUP:
+        ret = 0L;
+        break;
+    default:
+        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
+        break;
+    }
+    return (ret);
+}
+
+static int ebcdic_gets(BIO *bp, char *buf, int size)
+{
+    int i, ret = 0;
+    if (bp->next_bio == NULL)
+        return (0);
+/*      return(BIO_gets(bp->next_bio,buf,size));*/
+    for (i = 0; i < size - 1; ++i) {
+        ret = ebcdic_read(bp, &buf[i], 1);
+        if (ret <= 0)
+            break;
+        else if (buf[i] == '\n') {
+            ++i;
+            break;
+        }
+    }
+    if (i < size)
+        buf[i] = '\0';
+    return (ret < 0 && i == 0) ? ret : i;
+}
+
+static int ebcdic_puts(BIO *bp, const char *str)
+{
+    if (bp->next_bio == NULL)
+        return (0);
+    return ebcdic_write(bp, str, strlen(str));
+}
+#endif
+
+#ifndef OPENSSL_NO_TLSEXT
+
+/* This is a context that we pass to callbacks */
+typedef struct tlsextctx_st {
+    char *servername;
+    BIO *biodebug;
+    int extension_error;
+} tlsextctx;
+
+static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
+{
+    tlsextctx *p = (tlsextctx *) arg;
+    const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
+    if (servername && p->biodebug)
+        BIO_printf(p->biodebug, "Hostname in TLS extension: \"%s\"\n",
+                   servername);
+
+    if (!p->servername)
+        return SSL_TLSEXT_ERR_NOACK;
+
+    if (servername) {
+        if (strcasecmp(servername, p->servername))
+            return p->extension_error;
+        if (ctx2) {
+            BIO_printf(p->biodebug, "Switching server context.\n");
+            SSL_set_SSL_CTX(s, ctx2);
+        }
+    }
+    return SSL_TLSEXT_ERR_OK;
+}
+
+/* Structure passed to cert status callback */
+
+typedef struct tlsextstatusctx_st {
+    /* Default responder to use */
+    char *host, *path, *port;
+    int use_ssl;
+    int timeout;
+    BIO *err;
+    int verbose;
+} tlsextstatusctx;
+
+static tlsextstatusctx tlscstatp = { NULL, NULL, NULL, 0, -1, NULL, 0 };
+
+/*
+ * Certificate Status callback. This is called when a client includes a
+ * certificate status request extension. This is a simplified version. It
+ * examines certificates each time and makes one OCSP responder query for
+ * each request. A full version would store details such as the OCSP
+ * certificate IDs and minimise the number of OCSP responses by caching them
+ * until they were considered "expired".
+ */
+
+static int cert_status_cb(SSL *s, void *arg)
+{
+    tlsextstatusctx *srctx = arg;
+    BIO *err = srctx->err;
+    char *host, *port, *path;
+    int use_ssl;
+    unsigned char *rspder = NULL;
+    int rspderlen;
+    STACK_OF(OPENSSL_STRING) *aia = NULL;
+    X509 *x = NULL;
+    X509_STORE_CTX inctx;
+    X509_OBJECT obj;
+    OCSP_REQUEST *req = NULL;
+    OCSP_RESPONSE *resp = NULL;
+    OCSP_CERTID *id = NULL;
+    STACK_OF(X509_EXTENSION) *exts;
+    int ret = SSL_TLSEXT_ERR_NOACK;
+    int i;
+# if 0
+    STACK_OF(OCSP_RESPID) *ids;
+    SSL_get_tlsext_status_ids(s, &ids);
+    BIO_printf(err, "cert_status: received %d ids\n",
+               sk_OCSP_RESPID_num(ids));
+# endif
+    if (srctx->verbose)
+        BIO_puts(err, "cert_status: callback called\n");
+    /* Build up OCSP query from server certificate */
+    x = SSL_get_certificate(s);
+    aia = X509_get1_ocsp(x);
+    if (aia) {
+        if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0),
+                            &host, &port, &path, &use_ssl)) {
+            BIO_puts(err, "cert_status: can't parse AIA URL\n");
+            goto err;
+        }
+        if (srctx->verbose)
+            BIO_printf(err, "cert_status: AIA URL: %s\n",
+                       sk_OPENSSL_STRING_value(aia, 0));
+    } else {
+        if (!srctx->host) {
+            BIO_puts(srctx->err,
+                     "cert_status: no AIA and no default responder URL\n");
+            goto done;
+        }
+        host = srctx->host;
+        path = srctx->path;
+        port = srctx->port;
+        use_ssl = srctx->use_ssl;
+    }
+
+    if (!X509_STORE_CTX_init(&inctx,
+                             SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)),
+                             NULL, NULL))
+        goto err;
+    if (X509_STORE_get_by_subject(&inctx, X509_LU_X509,
+                                  X509_get_issuer_name(x), &obj) <= 0) {
+        BIO_puts(err, "cert_status: Can't retrieve issuer certificate.\n");
+        X509_STORE_CTX_cleanup(&inctx);
+        goto done;
+    }
+    req = OCSP_REQUEST_new();
+    if (!req)
+        goto err;
+    id = OCSP_cert_to_id(NULL, x, obj.data.x509);
+    X509_free(obj.data.x509);
+    X509_STORE_CTX_cleanup(&inctx);
+    if (!id)
+        goto err;
+    if (!OCSP_request_add0_id(req, id))
+        goto err;
+    id = NULL;
+    /* Add any extensions to the request */
+    SSL_get_tlsext_status_exts(s, &exts);
+    for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
+        X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
+        if (!OCSP_REQUEST_add_ext(req, ext, -1))
+            goto err;
+    }
+    resp = process_responder(err, req, host, path, port, use_ssl, NULL,
+                             srctx->timeout);
+    if (!resp) {
+        BIO_puts(err, "cert_status: error querying responder\n");
+        goto done;
+    }
+    rspderlen = i2d_OCSP_RESPONSE(resp, &rspder);
+    if (rspderlen <= 0)
+        goto err;
+    SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen);
+    if (srctx->verbose) {
+        BIO_puts(err, "cert_status: ocsp response sent:\n");
+        OCSP_RESPONSE_print(err, resp, 2);
+    }
+    ret = SSL_TLSEXT_ERR_OK;
+ done:
+    if (ret != SSL_TLSEXT_ERR_OK)
+        ERR_print_errors(err);
+    if (aia) {
+        OPENSSL_free(host);
+        OPENSSL_free(path);
+        OPENSSL_free(port);
+        X509_email_free(aia);
+    }
+    if (id)
+        OCSP_CERTID_free(id);
+    if (req)
+        OCSP_REQUEST_free(req);
+    if (resp)
+        OCSP_RESPONSE_free(resp);
+    return ret;
+ err:
+    ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+    goto done;
+}
+
+# ifndef OPENSSL_NO_NEXTPROTONEG
+/* This is the context that we pass to next_proto_cb */
+typedef struct tlsextnextprotoctx_st {
+    unsigned char *data;
+    unsigned int len;
+} tlsextnextprotoctx;
+
+static int next_proto_cb(SSL *s, const unsigned char **data,
+                         unsigned int *len, void *arg)
+{
+    tlsextnextprotoctx *next_proto = arg;
+
+    *data = next_proto->data;
+    *len = next_proto->len;
+
+    return SSL_TLSEXT_ERR_OK;
+}
+# endif                         /* ndef OPENSSL_NO_NEXTPROTONEG */
+
+/* This the context that we pass to alpn_cb */
+typedef struct tlsextalpnctx_st {
+    unsigned char *data;
+    unsigned short len;
+} tlsextalpnctx;
+
+static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
+                   const unsigned char *in, unsigned int inlen, void *arg)
+{
+    tlsextalpnctx *alpn_ctx = arg;
+
+    if (!s_quiet) {
+        /* We can assume that |in| is syntactically valid. */
+        unsigned i;
+        BIO_printf(bio_s_out, "ALPN protocols advertised by the client: ");
+        for (i = 0; i < inlen;) {
+            if (i)
+                BIO_write(bio_s_out, ", ", 2);
+            BIO_write(bio_s_out, &in[i + 1], in[i]);
+            i += in[i] + 1;
+        }
+        BIO_write(bio_s_out, "\n", 1);
+    }
+
+    if (SSL_select_next_proto
+        ((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in,
+         inlen) != OPENSSL_NPN_NEGOTIATED) {
+        return SSL_TLSEXT_ERR_NOACK;
+    }
+
+    if (!s_quiet) {
+        BIO_printf(bio_s_out, "ALPN protocols selected: ");
+        BIO_write(bio_s_out, *out, *outlen);
+        BIO_write(bio_s_out, "\n", 1);
+    }
+
+    return SSL_TLSEXT_ERR_OK;
+}
+#endif                          /* ndef OPENSSL_NO_TLSEXT */
+
+int MAIN(int, char **);
+
+#ifndef OPENSSL_NO_JPAKE
+static char *jpake_secret = NULL;
+# define no_jpake !jpake_secret
+#else
+# define no_jpake 1
+#endif
+#ifndef OPENSSL_NO_SRP
+static srpsrvparm srp_callback_parm;
+#endif
+#ifndef OPENSSL_NO_SRTP
+static char *srtp_profiles = NULL;
+#endif
+
+int MAIN(int argc, char *argv[])
+{
+    X509_VERIFY_PARAM *vpm = NULL;
+    int badarg = 0;
+    short port = PORT;
+    char *CApath = NULL, *CAfile = NULL;
+    char *chCApath = NULL, *chCAfile = NULL;
+    char *vfyCApath = NULL, *vfyCAfile = NULL;
+    unsigned char *context = NULL;
+    char *dhfile = NULL;
+    int badop = 0;
+    int ret = 1;
+    int build_chain = 0;
+    int no_tmp_rsa = 0, no_dhe = 0, no_ecdhe = 0, nocert = 0;
+    int state = 0;
+    const SSL_METHOD *meth = NULL;
+    int socket_type = SOCK_STREAM;
+    ENGINE *e = NULL;
+    char *inrand = NULL;
+    int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
+    char *passarg = NULL, *pass = NULL;
+    char *dpassarg = NULL, *dpass = NULL;
+    int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
+    X509 *s_cert = NULL, *s_dcert = NULL;
+    STACK_OF(X509) *s_chain = NULL, *s_dchain = NULL;
+    EVP_PKEY *s_key = NULL, *s_dkey = NULL;
+    int no_cache = 0, ext_cache = 0;
+    int rev = 0, naccept = -1;
+#ifndef OPENSSL_NO_TLSEXT
+    EVP_PKEY *s_key2 = NULL;
+    X509 *s_cert2 = NULL;
+    tlsextctx tlsextcbp = { NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING };
+# ifndef OPENSSL_NO_NEXTPROTONEG
+    const char *next_proto_neg_in = NULL;
+    tlsextnextprotoctx next_proto = { NULL, 0 };
+# endif
+    const char *alpn_in = NULL;
+    tlsextalpnctx alpn_ctx = { NULL, 0 };
+#endif
+#ifndef OPENSSL_NO_PSK
+    /* by default do not send a PSK identity hint */
+    static char *psk_identity_hint = NULL;
+#endif
+#ifndef OPENSSL_NO_SRP
+    char *srpuserseed = NULL;
+    char *srp_verifier_file = NULL;
+#endif
+    SSL_EXCERT *exc = NULL;
+    SSL_CONF_CTX *cctx = NULL;
+    STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
+
+    char *crl_file = NULL;
+    int crl_format = FORMAT_PEM;
+    int crl_download = 0;
+    STACK_OF(X509_CRL) *crls = NULL;
+    int prot_opt = 0, no_prot_opt = 0;
+
+    meth = SSLv23_server_method();
+
+    local_argc = argc;
+    local_argv = argv;
+
+    apps_startup();
+#ifdef MONOLITH
+    s_server_init();
+#endif
+
+    if (bio_err == NULL)
+        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    cctx = SSL_CONF_CTX_new();
+    if (!cctx)
+        goto end;
+    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
+    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
+
+    verify_depth = 0;
+#ifdef FIONBIO
+    s_nbio = 0;
+#endif
+    s_nbio_test = 0;
+
+    argc--;
+    argv++;
+
+    while (argc >= 1) {
+        if ((strcmp(*argv, "-port") == 0) || (strcmp(*argv, "-accept") == 0)) {
+            if (--argc < 1)
+                goto bad;
+            if (!extract_port(*(++argv), &port))
+                goto bad;
+        } else if (strcmp(*argv, "-naccept") == 0) {
+            if (--argc < 1)
+                goto bad;
+            naccept = atol(*(++argv));
+            if (naccept <= 0) {
+                BIO_printf(bio_err, "bad accept value %s\n", *argv);
+                goto bad;
+            }
+        } else if (strcmp(*argv, "-verify") == 0) {
+            s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+            if (--argc < 1)
+                goto bad;
+            verify_depth = atoi(*(++argv));
+            if (!s_quiet)
+                BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
+        } else if (strcmp(*argv, "-Verify") == 0) {
+            s_server_verify =
+                SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
+                SSL_VERIFY_CLIENT_ONCE;
+            if (--argc < 1)
+                goto bad;
+            verify_depth = atoi(*(++argv));
+            if (!s_quiet)
+                BIO_printf(bio_err,
+                           "verify depth is %d, must return a certificate\n",
+                           verify_depth);
+        } else if (strcmp(*argv, "-context") == 0) {
+            if (--argc < 1)
+                goto bad;
+            context = (unsigned char *)*(++argv);
+        } else if (strcmp(*argv, "-cert") == 0) {
+            if (--argc < 1)
+                goto bad;
+            s_cert_file = *(++argv);
+        } else if (strcmp(*argv, "-CRL") == 0) {
+            if (--argc < 1)
+                goto bad;
+            crl_file = *(++argv);
+        } else if (strcmp(*argv, "-crl_download") == 0)
+            crl_download = 1;
+#ifndef OPENSSL_NO_TLSEXT
+        else if (strcmp(*argv, "-serverinfo") == 0) {
+            if (--argc < 1)
+                goto bad;
+            s_serverinfo_file = *(++argv);
+        }
+#endif
+        else if (strcmp(*argv, "-certform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            s_cert_format = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-key") == 0) {
+            if (--argc < 1)
+                goto bad;
+            s_key_file = *(++argv);
+        } else if (strcmp(*argv, "-keyform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            s_key_format = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-pass") == 0) {
+            if (--argc < 1)
+                goto bad;
+            passarg = *(++argv);
+        } else if (strcmp(*argv, "-cert_chain") == 0) {
+            if (--argc < 1)
+                goto bad;
+            s_chain_file = *(++argv);
+        } else if (strcmp(*argv, "-dhparam") == 0) {
+            if (--argc < 1)
+                goto bad;
+            dhfile = *(++argv);
+        } else if (strcmp(*argv, "-dcertform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            s_dcert_format = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-dcert") == 0) {
+            if (--argc < 1)
+                goto bad;
+            s_dcert_file = *(++argv);
+        } else if (strcmp(*argv, "-dkeyform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            s_dkey_format = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-dpass") == 0) {
+            if (--argc < 1)
+                goto bad;
+            dpassarg = *(++argv);
+        } else if (strcmp(*argv, "-dkey") == 0) {
+            if (--argc < 1)
+                goto bad;
+            s_dkey_file = *(++argv);
+        } else if (strcmp(*argv, "-dcert_chain") == 0) {
+            if (--argc < 1)
+                goto bad;
+            s_dchain_file = *(++argv);
+        } else if (strcmp(*argv, "-nocert") == 0) {
+            nocert = 1;
+        } else if (strcmp(*argv, "-CApath") == 0) {
+            if (--argc < 1)
+                goto bad;
+            CApath = *(++argv);
+        } else if (strcmp(*argv, "-chainCApath") == 0) {
+            if (--argc < 1)
+                goto bad;
+            chCApath = *(++argv);
+        } else if (strcmp(*argv, "-verifyCApath") == 0) {
+            if (--argc < 1)
+                goto bad;
+            vfyCApath = *(++argv);
+        } else if (strcmp(*argv, "-no_cache") == 0)
+            no_cache = 1;
+        else if (strcmp(*argv, "-ext_cache") == 0)
+            ext_cache = 1;
+        else if (strcmp(*argv, "-CRLform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            crl_format = str2fmt(*(++argv));
+        } else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) {
+            if (badarg)
+                goto bad;
+            continue;
+        } else if (args_excert(&argv, &argc, &badarg, bio_err, &exc)) {
+            if (badarg)
+                goto bad;
+            continue;
+        } else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args,
+                            &no_prot_opt)) {
+            if (badarg)
+                goto bad;
+            continue;
+        } else if (strcmp(*argv, "-verify_return_error") == 0)
+            verify_return_error = 1;
+        else if (strcmp(*argv, "-verify_quiet") == 0)
+            verify_quiet = 1;
+        else if (strcmp(*argv, "-build_chain") == 0)
+            build_chain = 1;
+        else if (strcmp(*argv, "-CAfile") == 0) {
+            if (--argc < 1)
+                goto bad;
+            CAfile = *(++argv);
+        } else if (strcmp(*argv, "-chainCAfile") == 0) {
+            if (--argc < 1)
+                goto bad;
+            chCAfile = *(++argv);
+        } else if (strcmp(*argv, "-verifyCAfile") == 0) {
+            if (--argc < 1)
+                goto bad;
+            vfyCAfile = *(++argv);
+        }
+#ifdef FIONBIO
+        else if (strcmp(*argv, "-nbio") == 0) {
+            s_nbio = 1;
+        }
+#endif
+        else if (strcmp(*argv, "-nbio_test") == 0) {
+#ifdef FIONBIO
+            s_nbio = 1;
+#endif
+            s_nbio_test = 1;
+        } else if (strcmp(*argv, "-ign_eof") == 0)
+            s_ign_eof = 1;
+        else if (strcmp(*argv, "-no_ign_eof") == 0)
+            s_ign_eof = 0;
+        else if (strcmp(*argv, "-debug") == 0) {
+            s_debug = 1;
+        }
+#ifndef OPENSSL_NO_TLSEXT
+        else if (strcmp(*argv, "-tlsextdebug") == 0)
+            s_tlsextdebug = 1;
+        else if (strcmp(*argv, "-status") == 0)
+            s_tlsextstatus = 1;
+        else if (strcmp(*argv, "-status_verbose") == 0) {
+            s_tlsextstatus = 1;
+            tlscstatp.verbose = 1;
+        } else if (!strcmp(*argv, "-status_timeout")) {
+            s_tlsextstatus = 1;
+            if (--argc < 1)
+                goto bad;
+            tlscstatp.timeout = atoi(*(++argv));
+        } else if (!strcmp(*argv, "-status_url")) {
+            s_tlsextstatus = 1;
+            if (--argc < 1)
+                goto bad;
+            if (!OCSP_parse_url(*(++argv),
+                                &tlscstatp.host,
+                                &tlscstatp.port,
+                                &tlscstatp.path, &tlscstatp.use_ssl)) {
+                BIO_printf(bio_err, "Error parsing URL\n");
+                goto bad;
+            }
+        }
+#endif
+        else if (strcmp(*argv, "-msg") == 0) {
+            s_msg = 1;
+        } else if (strcmp(*argv, "-msgfile") == 0) {
+            if (--argc < 1)
+                goto bad;
+            bio_s_msg = BIO_new_file(*(++argv), "w");
+        }
+#ifndef OPENSSL_NO_SSL_TRACE
+        else if (strcmp(*argv, "-trace") == 0) {
+            s_msg = 2;
+        }
+#endif
+        else if (strcmp(*argv, "-hack") == 0) {
+            hack = 1;
+        } else if (strcmp(*argv, "-state") == 0) {
+            state = 1;
+        } else if (strcmp(*argv, "-crlf") == 0) {
+            s_crlf = 1;
+        } else if (strcmp(*argv, "-quiet") == 0) {
+            s_quiet = 1;
+        } else if (strcmp(*argv, "-brief") == 0) {
+            s_quiet = 1;
+            s_brief = 1;
+            verify_quiet = 1;
+        } else if (strcmp(*argv, "-no_tmp_rsa") == 0) {
+            no_tmp_rsa = 1;
+        } else if (strcmp(*argv, "-no_dhe") == 0) {
+            no_dhe = 1;
+        } else if (strcmp(*argv, "-no_ecdhe") == 0) {
+            no_ecdhe = 1;
+        } else if (strcmp(*argv, "-no_resume_ephemeral") == 0) {
+            no_resume_ephemeral = 1;
+        }
+#ifndef OPENSSL_NO_PSK
+        else if (strcmp(*argv, "-psk_hint") == 0) {
+            if (--argc < 1)
+                goto bad;
+            psk_identity_hint = *(++argv);
+        } else if (strcmp(*argv, "-psk") == 0) {
+            size_t i;
+
+            if (--argc < 1)
+                goto bad;
+            psk_key = *(++argv);
+            for (i = 0; i < strlen(psk_key); i++) {
+                if (isxdigit((unsigned char)psk_key[i]))
+                    continue;
+                BIO_printf(bio_err, "Not a hex number '%s'\n", *argv);
+                goto bad;
+            }
+        }
+#endif
+#ifndef OPENSSL_NO_SRP
+        else if (strcmp(*argv, "-srpvfile") == 0) {
+            if (--argc < 1)
+                goto bad;
+            srp_verifier_file = *(++argv);
+            meth = TLSv1_server_method();
+        } else if (strcmp(*argv, "-srpuserseed") == 0) {
+            if (--argc < 1)
+                goto bad;
+            srpuserseed = *(++argv);
+            meth = TLSv1_server_method();
+        }
+#endif
+        else if (strcmp(*argv, "-rev") == 0) {
+            rev = 1;
+        } else if (strcmp(*argv, "-www") == 0) {
+            www = 1;
+        } else if (strcmp(*argv, "-WWW") == 0) {
+            www = 2;
+        } else if (strcmp(*argv, "-HTTP") == 0) {
+            www = 3;
+        }
+#ifndef OPENSSL_NO_SSL2
+        else if (strcmp(*argv, "-ssl2") == 0) {
+            no_ecdhe = 1;
+            meth = SSLv2_server_method();
+            prot_opt++;
+        }
+#endif
+#ifndef OPENSSL_NO_SSL3_METHOD
+        else if (strcmp(*argv, "-ssl3") == 0) {
+            meth = SSLv3_server_method();
+            prot_opt++;
+        }
+#endif
+#ifndef OPENSSL_NO_TLS1
+        else if (strcmp(*argv, "-tls1") == 0) {
+            meth = TLSv1_server_method();
+            prot_opt++;
+        } else if (strcmp(*argv, "-tls1_1") == 0) {
+            meth = TLSv1_1_server_method();
+            prot_opt++;
+        } else if (strcmp(*argv, "-tls1_2") == 0) {
+            meth = TLSv1_2_server_method();
+            prot_opt++;
+        }
+#endif
+#ifndef OPENSSL_NO_DTLS1
+        else if (strcmp(*argv, "-dtls") == 0) {
+            meth = DTLS_server_method();
+            socket_type = SOCK_DGRAM;
+            prot_opt++;
+        } else if (strcmp(*argv, "-dtls1") == 0) {
+            meth = DTLSv1_server_method();
+            socket_type = SOCK_DGRAM;
+            prot_opt++;
+        } else if (strcmp(*argv, "-dtls1_2") == 0) {
+            meth = DTLSv1_2_server_method();
+            socket_type = SOCK_DGRAM;
+            prot_opt++;
+        } else if (strcmp(*argv, "-timeout") == 0)
+            enable_timeouts = 1;
+        else if (strcmp(*argv, "-mtu") == 0) {
+            if (--argc < 1)
+                goto bad;
+            socket_mtu = atol(*(++argv));
+        } else if (strcmp(*argv, "-chain") == 0)
+            cert_chain = 1;
+#endif
+        else if (strcmp(*argv, "-id_prefix") == 0) {
+            if (--argc < 1)
+                goto bad;
+            session_id_prefix = *(++argv);
+        }
+#ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            engine_id = *(++argv);
+        }
+#endif
+        else if (strcmp(*argv, "-rand") == 0) {
+            if (--argc < 1)
+                goto bad;
+            inrand = *(++argv);
+        }
+#ifndef OPENSSL_NO_TLSEXT
+        else if (strcmp(*argv, "-servername") == 0) {
+            if (--argc < 1)
+                goto bad;
+            tlsextcbp.servername = *(++argv);
+        } else if (strcmp(*argv, "-servername_fatal") == 0) {
+            tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL;
+        } else if (strcmp(*argv, "-cert2") == 0) {
+            if (--argc < 1)
+                goto bad;
+            s_cert_file2 = *(++argv);
+        } else if (strcmp(*argv, "-key2") == 0) {
+            if (--argc < 1)
+                goto bad;
+            s_key_file2 = *(++argv);
+        }
+# ifndef OPENSSL_NO_NEXTPROTONEG
+        else if (strcmp(*argv, "-nextprotoneg") == 0) {
+            if (--argc < 1)
+                goto bad;
+            next_proto_neg_in = *(++argv);
+        }
+# endif
+        else if (strcmp(*argv, "-alpn") == 0) {
+            if (--argc < 1)
+                goto bad;
+            alpn_in = *(++argv);
+        }
+#endif
+#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
+        else if (strcmp(*argv, "-jpake") == 0) {
+            if (--argc < 1)
+                goto bad;
+            jpake_secret = *(++argv);
+        }
+#endif
+#ifndef OPENSSL_NO_SRTP
+        else if (strcmp(*argv, "-use_srtp") == 0) {
+            if (--argc < 1)
+                goto bad;
+            srtp_profiles = *(++argv);
+        }
+#endif
+        else if (strcmp(*argv, "-keymatexport") == 0) {
+            if (--argc < 1)
+                goto bad;
+            keymatexportlabel = *(++argv);
+        } else if (strcmp(*argv, "-keymatexportlen") == 0) {
+            if (--argc < 1)
+                goto bad;
+            keymatexportlen = atoi(*(++argv));
+            if (keymatexportlen == 0)
+                goto bad;
+        } else {
+            BIO_printf(bio_err, "unknown option %s\n", *argv);
+            badop = 1;
+            break;
+        }
+        argc--;
+        argv++;
+    }
+    if (badop) {
+ bad:
+        sv_usage();
+        goto end;
+    }
+#ifndef OPENSSL_NO_DTLS1
+    if (www && socket_type == SOCK_DGRAM) {
+        BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n");
+        goto end;
+    }
+#endif
+
+#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
+    if (jpake_secret) {
+        if (psk_key) {
+            BIO_printf(bio_err, "Can't use JPAKE and PSK together\n");
+            goto end;
+        }
+        psk_identity = "JPAKE";
+    }
+#endif
+
+    if (prot_opt > 1) {
+        BIO_printf(bio_err, "Cannot supply multiple protocol flags\n");
+        goto end;
+    }
+
+    if (prot_opt == 1 && no_prot_opt) {
+        BIO_printf(bio_err, "Cannot supply both a protocol flag and "
+                            "\"-no_<prot>\"\n");
+        goto end;
+    }
+
+    SSL_load_error_strings();
+    OpenSSL_add_ssl_algorithms();
+
+    e = setup_engine(bio_err, engine_id, 1);
+
+    if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass)) {
+        BIO_printf(bio_err, "Error getting password\n");
+        goto end;
+    }
+
+    if (s_key_file == NULL)
+        s_key_file = s_cert_file;
+#ifndef OPENSSL_NO_TLSEXT
+    if (s_key_file2 == NULL)
+        s_key_file2 = s_cert_file2;
+#endif
+
+    if (!load_excert(&exc, bio_err))
+        goto end;
+
+    if (nocert == 0) {
+        s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e,
+                         "server certificate private key file");
+        if (!s_key) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+
+        s_cert = load_cert(bio_err, s_cert_file, s_cert_format,
+                           NULL, e, "server certificate file");
+
+        if (!s_cert) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        if (s_chain_file) {
+            s_chain = load_certs(bio_err, s_chain_file, FORMAT_PEM,
+                                 NULL, e, "server certificate chain");
+            if (!s_chain)
+                goto end;
+        }
+#ifndef OPENSSL_NO_TLSEXT
+        if (tlsextcbp.servername) {
+            s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass, e,
+                              "second server certificate private key file");
+            if (!s_key2) {
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+
+            s_cert2 = load_cert(bio_err, s_cert_file2, s_cert_format,
+                                NULL, e, "second server certificate file");
+
+            if (!s_cert2) {
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+        }
+#endif                          /* OPENSSL_NO_TLSEXT */
+    }
+#if !defined(OPENSSL_NO_TLSEXT)
+# if !defined(OPENSSL_NO_NEXTPROTONEG)
+    if (next_proto_neg_in) {
+        unsigned short len;
+        next_proto.data = next_protos_parse(&len, next_proto_neg_in);
+        if (next_proto.data == NULL)
+            goto end;
+        next_proto.len = len;
+    } else {
+        next_proto.data = NULL;
+    }
+# endif
+    alpn_ctx.data = NULL;
+    if (alpn_in) {
+        unsigned short len;
+        alpn_ctx.data = next_protos_parse(&len, alpn_in);
+        if (alpn_ctx.data == NULL)
+            goto end;
+        alpn_ctx.len = len;
+    }
+#endif
+
+    if (crl_file) {
+        X509_CRL *crl;
+        crl = load_crl(crl_file, crl_format);
+        if (!crl) {
+            BIO_puts(bio_err, "Error loading CRL\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        crls = sk_X509_CRL_new_null();
+        if (!crls || !sk_X509_CRL_push(crls, crl)) {
+            BIO_puts(bio_err, "Error adding CRL\n");
+            ERR_print_errors(bio_err);
+            X509_CRL_free(crl);
+            goto end;
+        }
+    }
+
+    if (s_dcert_file) {
+
+        if (s_dkey_file == NULL)
+            s_dkey_file = s_dcert_file;
+
+        s_dkey = load_key(bio_err, s_dkey_file, s_dkey_format,
+                          0, dpass, e, "second certificate private key file");
+        if (!s_dkey) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+
+        s_dcert = load_cert(bio_err, s_dcert_file, s_dcert_format,
+                            NULL, e, "second server certificate file");
+
+        if (!s_dcert) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        if (s_dchain_file) {
+            s_dchain = load_certs(bio_err, s_dchain_file, FORMAT_PEM,
+                                  NULL, e, "second server certificate chain");
+            if (!s_dchain)
+                goto end;
+        }
+
+    }
+
+    if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
+        && !RAND_status()) {
+        BIO_printf(bio_err,
+                   "warning, not much extra random data, consider using the -rand option\n");
+    }
+    if (inrand != NULL)
+        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
+                   app_RAND_load_files(inrand));
+
+    if (bio_s_out == NULL) {
+        if (s_quiet && !s_debug) {
+            bio_s_out = BIO_new(BIO_s_null());
+            if (s_msg && !bio_s_msg)
+                bio_s_msg = BIO_new_fp(stdout, BIO_NOCLOSE);
+        } else {
+            if (bio_s_out == NULL)
+                bio_s_out = BIO_new_fp(stdout, BIO_NOCLOSE);
+        }
+    }
+#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
+    if (nocert)
+#endif
+    {
+        s_cert_file = NULL;
+        s_key_file = NULL;
+        s_dcert_file = NULL;
+        s_dkey_file = NULL;
+#ifndef OPENSSL_NO_TLSEXT
+        s_cert_file2 = NULL;
+        s_key_file2 = NULL;
+#endif
+    }
+
+    ctx = SSL_CTX_new(meth);
+    if (ctx == NULL) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+    if (session_id_prefix) {
+        if (strlen(session_id_prefix) >= 32)
+            BIO_printf(bio_err,
+                       "warning: id_prefix is too long, only one new session will be possible\n");
+        else if (strlen(session_id_prefix) >= 16)
+            BIO_printf(bio_err,
+                       "warning: id_prefix is too long if you use SSLv2\n");
+        if (!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) {
+            BIO_printf(bio_err, "error setting 'id_prefix'\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
+    }
+    SSL_CTX_set_quiet_shutdown(ctx, 1);
+    if (hack)
+        SSL_CTX_set_options(ctx, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
+    if (exc)
+        ssl_ctx_set_excert(ctx, exc);
+
+    if (state)
+        SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
+    if (no_cache)
+        SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+    else if (ext_cache)
+        init_session_cache_ctx(ctx);
+    else
+        SSL_CTX_sess_set_cache_size(ctx, 128);
+
+#ifndef OPENSSL_NO_SRTP
+    if (srtp_profiles != NULL)
+        SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
+#endif
+
+#if 0
+    if (cipher == NULL)
+        cipher = getenv("SSL_CIPHER");
+#endif
+
+#if 0
+    if (s_cert_file == NULL) {
+        BIO_printf(bio_err,
+                   "You must specify a certificate file for the server to use\n");
+        goto end;
+    }
+#endif
+
+    if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
+        (!SSL_CTX_set_default_verify_paths(ctx))) {
+        /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
+        ERR_print_errors(bio_err);
+        /* goto end; */
+    }
+    if (vpm)
+        SSL_CTX_set1_param(ctx, vpm);
+
+    ssl_ctx_add_crls(ctx, crls, 0);
+
+    if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe, no_jpake))
+        goto end;
+
+    if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
+                         crls, crl_download)) {
+        BIO_printf(bio_err, "Error loading store locations\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+#ifndef OPENSSL_NO_TLSEXT
+    if (s_cert2) {
+        ctx2 = SSL_CTX_new(meth);
+        if (ctx2 == NULL) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+
+    if (ctx2) {
+        BIO_printf(bio_s_out, "Setting secondary ctx parameters\n");
+
+        if (session_id_prefix) {
+            if (strlen(session_id_prefix) >= 32)
+                BIO_printf(bio_err,
+                           "warning: id_prefix is too long, only one new session will be possible\n");
+            else if (strlen(session_id_prefix) >= 16)
+                BIO_printf(bio_err,
+                           "warning: id_prefix is too long if you use SSLv2\n");
+            if (!SSL_CTX_set_generate_session_id(ctx2, generate_session_id)) {
+                BIO_printf(bio_err, "error setting 'id_prefix'\n");
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+            BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
+        }
+        SSL_CTX_set_quiet_shutdown(ctx2, 1);
+        if (hack)
+            SSL_CTX_set_options(ctx2, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
+        if (exc)
+            ssl_ctx_set_excert(ctx2, exc);
+
+        if (state)
+            SSL_CTX_set_info_callback(ctx2, apps_ssl_info_callback);
+
+        if (no_cache)
+            SSL_CTX_set_session_cache_mode(ctx2, SSL_SESS_CACHE_OFF);
+        else if (ext_cache)
+            init_session_cache_ctx(ctx2);
+        else
+            SSL_CTX_sess_set_cache_size(ctx2, 128);
+
+        if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
+            (!SSL_CTX_set_default_verify_paths(ctx2))) {
+            ERR_print_errors(bio_err);
+        }
+        if (vpm)
+            SSL_CTX_set1_param(ctx2, vpm);
+
+        ssl_ctx_add_crls(ctx2, crls, 0);
+
+        if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe, no_jpake))
+            goto end;
+
+    }
+# ifndef OPENSSL_NO_NEXTPROTONEG
+    if (next_proto.data)
+        SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb,
+                                              &next_proto);
+# endif
+    if (alpn_ctx.data)
+        SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx);
+#endif
+
+#ifndef OPENSSL_NO_DH
+    if (!no_dhe) {
+        DH *dh = NULL;
+
+        if (dhfile)
+            dh = load_dh_param(dhfile);
+        else if (s_cert_file)
+            dh = load_dh_param(s_cert_file);
+
+        if (dh != NULL) {
+            BIO_printf(bio_s_out, "Setting temp DH parameters\n");
+        } else {
+            BIO_printf(bio_s_out, "Using default temp DH parameters\n");
+            dh = get_dh2048();
+            if (dh == NULL) {
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+        }
+        (void)BIO_flush(bio_s_out);
+
+        SSL_CTX_set_tmp_dh(ctx, dh);
+# ifndef OPENSSL_NO_TLSEXT
+        if (ctx2) {
+            if (!dhfile) {
+                DH *dh2 = load_dh_param(s_cert_file2);
+                if (dh2 != NULL) {
+                    BIO_printf(bio_s_out, "Setting temp DH parameters\n");
+                    (void)BIO_flush(bio_s_out);
+
+                    DH_free(dh);
+                    dh = dh2;
+                }
+            }
+            SSL_CTX_set_tmp_dh(ctx2, dh);
+        }
+# endif
+        DH_free(dh);
+    }
+#endif
+
+    if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain))
+        goto end;
+#ifndef OPENSSL_NO_TLSEXT
+    if (s_serverinfo_file != NULL
+        && !SSL_CTX_use_serverinfo_file(ctx, s_serverinfo_file)) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+#endif
+#ifndef OPENSSL_NO_TLSEXT
+    if (ctx2 && !set_cert_key_stuff(ctx2, s_cert2, s_key2, NULL, build_chain))
+        goto end;
+#endif
+    if (s_dcert != NULL) {
+        if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain, build_chain))
+            goto end;
+    }
+#ifndef OPENSSL_NO_RSA
+# if 1
+    if (!no_tmp_rsa) {
+        SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
+#  ifndef OPENSSL_NO_TLSEXT
+        if (ctx2)
+            SSL_CTX_set_tmp_rsa_callback(ctx2, tmp_rsa_cb);
+#  endif
+    }
+# else
+    if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx)) {
+        RSA *rsa;
+
+        BIO_printf(bio_s_out, "Generating temp (512 bit) RSA key...");
+        BIO_flush(bio_s_out);
+
+        rsa = RSA_generate_key(512, RSA_F4, NULL);
+
+        if (!SSL_CTX_set_tmp_rsa(ctx, rsa)) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+#  ifndef OPENSSL_NO_TLSEXT
+        if (ctx2) {
+            if (!SSL_CTX_set_tmp_rsa(ctx2, rsa)) {
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+        }
+#  endif
+        RSA_free(rsa);
+        BIO_printf(bio_s_out, "\n");
+    }
+# endif
+#endif
+
+#ifndef OPENSSL_NO_PSK
+# ifdef OPENSSL_NO_JPAKE
+    if (psk_key != NULL)
+# else
+    if (psk_key != NULL || jpake_secret)
+# endif
+    {
+        if (s_debug)
+            BIO_printf(bio_s_out,
+                       "PSK key given or JPAKE in use, setting server callback\n");
+        SSL_CTX_set_psk_server_callback(ctx, psk_server_cb);
+    }
+
+    if (!SSL_CTX_use_psk_identity_hint(ctx, psk_identity_hint)) {
+        BIO_printf(bio_err, "error setting PSK identity hint to context\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+#endif
+
+    SSL_CTX_set_verify(ctx, s_server_verify, verify_callback);
+    SSL_CTX_set_session_id_context(ctx, (void *)&s_server_session_id_context,
+                                   sizeof s_server_session_id_context);
+
+    /* Set DTLS cookie generation and verification callbacks */
+    SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
+    SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
+
+#ifndef OPENSSL_NO_TLSEXT
+    if (ctx2) {
+        SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback);
+        SSL_CTX_set_session_id_context(ctx2,
+                                       (void *)&s_server_session_id_context,
+                                       sizeof s_server_session_id_context);
+
+        tlsextcbp.biodebug = bio_s_out;
+        SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
+        SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp);
+        SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
+        SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
+    }
+#endif
+
+#ifndef OPENSSL_NO_SRP
+    if (srp_verifier_file != NULL) {
+        srp_callback_parm.vb = SRP_VBASE_new(srpuserseed);
+        srp_callback_parm.user = NULL;
+        srp_callback_parm.login = NULL;
+        if ((ret =
+             SRP_VBASE_init(srp_callback_parm.vb,
+                            srp_verifier_file)) != SRP_NO_ERROR) {
+            BIO_printf(bio_err,
+                       "Cannot initialize SRP verifier file \"%s\":ret=%d\n",
+                       srp_verifier_file, ret);
+            goto end;
+        }
+        SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_callback);
+        SSL_CTX_set_srp_cb_arg(ctx, &srp_callback_parm);
+        SSL_CTX_set_srp_username_callback(ctx, ssl_srp_server_param_cb);
+    } else
+#endif
+    if (CAfile != NULL) {
+        SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
+#ifndef OPENSSL_NO_TLSEXT
+        if (ctx2)
+            SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
+#endif
+    }
+
+    BIO_printf(bio_s_out, "ACCEPT\n");
+    (void)BIO_flush(bio_s_out);
+    if (rev)
+        do_server(port, socket_type, &accept_socket, rev_body, context,
+                  naccept);
+    else if (www)
+        do_server(port, socket_type, &accept_socket, www_body, context,
+                  naccept);
+    else
+        do_server(port, socket_type, &accept_socket, sv_body, context,
+                  naccept);
+    print_stats(bio_s_out, ctx);
+    ret = 0;
+ end:
+    if (ctx != NULL)
+        SSL_CTX_free(ctx);
+    if (s_cert)
+        X509_free(s_cert);
+    if (crls)
+        sk_X509_CRL_pop_free(crls, X509_CRL_free);
+    if (s_dcert)
+        X509_free(s_dcert);
+    if (s_key)
+        EVP_PKEY_free(s_key);
+    if (s_dkey)
+        EVP_PKEY_free(s_dkey);
+    if (s_chain)
+        sk_X509_pop_free(s_chain, X509_free);
+    if (s_dchain)
+        sk_X509_pop_free(s_dchain, X509_free);
+    if (pass)
+        OPENSSL_free(pass);
+    if (dpass)
+        OPENSSL_free(dpass);
+    if (vpm)
+        X509_VERIFY_PARAM_free(vpm);
+    free_sessions();
+#ifndef OPENSSL_NO_TLSEXT
+    if (tlscstatp.host)
+        OPENSSL_free(tlscstatp.host);
+    if (tlscstatp.port)
+        OPENSSL_free(tlscstatp.port);
+    if (tlscstatp.path)
+        OPENSSL_free(tlscstatp.path);
+    if (ctx2 != NULL)
+        SSL_CTX_free(ctx2);
+    if (s_cert2)
+        X509_free(s_cert2);
+    if (s_key2)
+        EVP_PKEY_free(s_key2);
+    if (serverinfo_in != NULL)
+        BIO_free(serverinfo_in);
+# ifndef OPENSSL_NO_NEXTPROTONEG
+    if (next_proto.data)
+        OPENSSL_free(next_proto.data);
+# endif
+    if (alpn_ctx.data)
+        OPENSSL_free(alpn_ctx.data);
+#endif
+    ssl_excert_free(exc);
+    if (ssl_args)
+        sk_OPENSSL_STRING_free(ssl_args);
+    if (cctx)
+        SSL_CONF_CTX_free(cctx);
+#ifndef OPENSSL_NO_JPAKE
+    if (jpake_secret && psk_key)
+        OPENSSL_free(psk_key);
+#endif
+    release_engine(e);
+    if (bio_s_out != NULL) {
+        BIO_free(bio_s_out);
+        bio_s_out = NULL;
+    }
+    if (bio_s_msg != NULL) {
+        BIO_free(bio_s_msg);
+        bio_s_msg = NULL;
+    }
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+
+static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
+{
+    BIO_printf(bio, "%4ld items in the session cache\n",
+               SSL_CTX_sess_number(ssl_ctx));
+    BIO_printf(bio, "%4ld client connects (SSL_connect())\n",
+               SSL_CTX_sess_connect(ssl_ctx));
+    BIO_printf(bio, "%4ld client renegotiates (SSL_connect())\n",
+               SSL_CTX_sess_connect_renegotiate(ssl_ctx));
+    BIO_printf(bio, "%4ld client connects that finished\n",
+               SSL_CTX_sess_connect_good(ssl_ctx));
+    BIO_printf(bio, "%4ld server accepts (SSL_accept())\n",
+               SSL_CTX_sess_accept(ssl_ctx));
+    BIO_printf(bio, "%4ld server renegotiates (SSL_accept())\n",
+               SSL_CTX_sess_accept_renegotiate(ssl_ctx));
+    BIO_printf(bio, "%4ld server accepts that finished\n",
+               SSL_CTX_sess_accept_good(ssl_ctx));
+    BIO_printf(bio, "%4ld session cache hits\n", SSL_CTX_sess_hits(ssl_ctx));
+    BIO_printf(bio, "%4ld session cache misses\n",
+               SSL_CTX_sess_misses(ssl_ctx));
+    BIO_printf(bio, "%4ld session cache timeouts\n",
+               SSL_CTX_sess_timeouts(ssl_ctx));
+    BIO_printf(bio, "%4ld callback cache hits\n",
+               SSL_CTX_sess_cb_hits(ssl_ctx));
+    BIO_printf(bio, "%4ld cache full overflows (%ld allowed)\n",
+               SSL_CTX_sess_cache_full(ssl_ctx),
+               SSL_CTX_sess_get_cache_size(ssl_ctx));
+}
+
+static int sv_body(char *hostname, int s, int stype, unsigned char *context)
+{
+    char *buf = NULL;
+    fd_set readfds;
+    int ret = 1, width;
+    int k, i;
+    unsigned long l;
+    SSL *con = NULL;
+    BIO *sbio;
+#ifndef OPENSSL_NO_KRB5
+    KSSL_CTX *kctx;
+#endif
+    struct timeval timeout;
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
+    struct timeval tv;
+#else
+    struct timeval *timeoutp;
+#endif
+
+    if ((buf = OPENSSL_malloc(bufsize)) == NULL) {
+        BIO_printf(bio_err, "out of memory\n");
+        goto err;
+    }
+#ifdef FIONBIO
+    if (s_nbio) {
+        unsigned long sl = 1;
+
+        if (!s_quiet)
+            BIO_printf(bio_err, "turning on non blocking io\n");
+        if (BIO_socket_ioctl(s, FIONBIO, &sl) < 0)
+            ERR_print_errors(bio_err);
+    }
+#endif
+
+    if (con == NULL) {
+        con = SSL_new(ctx);
+#ifndef OPENSSL_NO_TLSEXT
+        if (s_tlsextdebug) {
+            SSL_set_tlsext_debug_callback(con, tlsext_cb);
+            SSL_set_tlsext_debug_arg(con, bio_s_out);
+        }
+        if (s_tlsextstatus) {
+            SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
+            tlscstatp.err = bio_err;
+            SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
+        }
+#endif
+#ifndef OPENSSL_NO_KRB5
+        if ((kctx = kssl_ctx_new()) != NULL) {
+            SSL_set0_kssl_ctx(con, kctx);
+            kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
+            kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
+        }
+#endif                          /* OPENSSL_NO_KRB5 */
+        if (context)
+            SSL_set_session_id_context(con, context, strlen((char *)context));
+    }
+    SSL_clear(con);
+#if 0
+# ifdef TLSEXT_TYPE_opaque_prf_input
+    SSL_set_tlsext_opaque_prf_input(con, "Test server", 11);
+# endif
+#endif
+
+    if (stype == SOCK_DGRAM) {
+
+        sbio = BIO_new_dgram(s, BIO_NOCLOSE);
+
+        if (enable_timeouts) {
+            timeout.tv_sec = 0;
+            timeout.tv_usec = DGRAM_RCV_TIMEOUT;
+            BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
+
+            timeout.tv_sec = 0;
+            timeout.tv_usec = DGRAM_SND_TIMEOUT;
+            BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
+        }
+
+        if (socket_mtu) {
+            if (socket_mtu < DTLS_get_link_min_mtu(con)) {
+                BIO_printf(bio_err, "MTU too small. Must be at least %ld\n",
+                           DTLS_get_link_min_mtu(con));
+                ret = -1;
+                BIO_free(sbio);
+                goto err;
+            }
+            SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
+            if (!DTLS_set_link_mtu(con, socket_mtu)) {
+                BIO_printf(bio_err, "Failed to set MTU\n");
+                ret = -1;
+                BIO_free(sbio);
+                goto err;
+            }
+        } else
+            /* want to do MTU discovery */
+            BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
+
+        /* turn on cookie exchange */
+        SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE);
+    } else
+        sbio = BIO_new_socket(s, BIO_NOCLOSE);
+
+    if (s_nbio_test) {
+        BIO *test;
+
+        test = BIO_new(BIO_f_nbio_test());
+        sbio = BIO_push(test, sbio);
+    }
+#ifndef OPENSSL_NO_JPAKE
+    if (jpake_secret)
+        jpake_server_auth(bio_s_out, sbio, jpake_secret);
+#endif
+
+    SSL_set_bio(con, sbio, sbio);
+    SSL_set_accept_state(con);
+    /* SSL_set_fd(con,s); */
+
+    if (s_debug) {
+        SSL_set_debug(con, 1);
+        BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
+        BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
+    }
+    if (s_msg) {
+#ifndef OPENSSL_NO_SSL_TRACE
+        if (s_msg == 2)
+            SSL_set_msg_callback(con, SSL_trace);
+        else
+#endif
+            SSL_set_msg_callback(con, msg_cb);
+        SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out);
+    }
+#ifndef OPENSSL_NO_TLSEXT
+    if (s_tlsextdebug) {
+        SSL_set_tlsext_debug_callback(con, tlsext_cb);
+        SSL_set_tlsext_debug_arg(con, bio_s_out);
+    }
+#endif
+
+    if (fileno_stdin() > s)
+        width = fileno_stdin() + 1;
+    else
+        width = s + 1;
+    for (;;) {
+        int read_from_terminal;
+        int read_from_sslcon;
+
+        read_from_terminal = 0;
+        read_from_sslcon = SSL_pending(con);
+
+        if (!read_from_sslcon) {
+            FD_ZERO(&readfds);
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined(OPENSSL_SYS_BEOS_R5)
+            openssl_fdset(fileno_stdin(), &readfds);
+#endif
+            openssl_fdset(s, &readfds);
+            /*
+             * Note: under VMS with SOCKETSHR the second parameter is
+             * currently of type (int *) whereas under other systems it is
+             * (void *) if you don't have a cast it will choke the compiler:
+             * if you do have a cast then you can either go for (int *) or
+             * (void *).
+             */
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
+            /*
+             * Under DOS (non-djgpp) and Windows we can't select on stdin:
+             * only on sockets. As a workaround we timeout the select every
+             * second and check for any keypress. In a proper Windows
+             * application we wouldn't do this because it is inefficient.
+             */
+            tv.tv_sec = 1;
+            tv.tv_usec = 0;
+            i = select(width, (void *)&readfds, NULL, NULL, &tv);
+            if ((i < 0) || (!i && !_kbhit()))
+                continue;
+            if (_kbhit())
+                read_from_terminal = 1;
+#elif defined(OPENSSL_SYS_BEOS_R5)
+            /* Under BeOS-R5 the situation is similar to DOS */
+            tv.tv_sec = 1;
+            tv.tv_usec = 0;
+            (void)fcntl(fileno_stdin(), F_SETFL, O_NONBLOCK);
+            i = select(width, (void *)&readfds, NULL, NULL, &tv);
+            if ((i < 0) || (!i && read(fileno_stdin(), buf, 0) < 0))
+                continue;
+            if (read(fileno_stdin(), buf, 0) >= 0)
+                read_from_terminal = 1;
+            (void)fcntl(fileno_stdin(), F_SETFL, 0);
+#else
+            if ((SSL_version(con) == DTLS1_VERSION) &&
+                DTLSv1_get_timeout(con, &timeout))
+                timeoutp = &timeout;
+            else
+                timeoutp = NULL;
+
+            i = select(width, (void *)&readfds, NULL, NULL, timeoutp);
+
+            if ((SSL_version(con) == DTLS1_VERSION)
+                && DTLSv1_handle_timeout(con) > 0) {
+                BIO_printf(bio_err, "TIMEOUT occured\n");
+            }
+
+            if (i <= 0)
+                continue;
+            if (FD_ISSET(fileno_stdin(), &readfds))
+                read_from_terminal = 1;
+#endif
+            if (FD_ISSET(s, &readfds))
+                read_from_sslcon = 1;
+        }
+        if (read_from_terminal) {
+            if (s_crlf) {
+                int j, lf_num;
+
+                i = raw_read_stdin(buf, bufsize / 2);
+                lf_num = 0;
+                /* both loops are skipped when i <= 0 */
+                for (j = 0; j < i; j++)
+                    if (buf[j] == '\n')
+                        lf_num++;
+                for (j = i - 1; j >= 0; j--) {
+                    buf[j + lf_num] = buf[j];
+                    if (buf[j] == '\n') {
+                        lf_num--;
+                        i++;
+                        buf[j + lf_num] = '\r';
+                    }
+                }
+                assert(lf_num == 0);
+            } else
+                i = raw_read_stdin(buf, bufsize);
+
+            if (!s_quiet && !s_brief) {
+                if ((i <= 0) || (buf[0] == 'Q')) {
+                    BIO_printf(bio_s_out, "DONE\n");
+                    SHUTDOWN(s);
+                    close_accept_socket();
+                    ret = -11;
+                    goto err;
+                }
+                if ((i <= 0) || (buf[0] == 'q')) {
+                    BIO_printf(bio_s_out, "DONE\n");
+                    if (SSL_version(con) != DTLS1_VERSION)
+                        SHUTDOWN(s);
+                    /*
+                     * close_accept_socket(); ret= -11;
+                     */
+                    goto err;
+                }
+#ifndef OPENSSL_NO_HEARTBEATS
+                if ((buf[0] == 'B') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
+                    BIO_printf(bio_err, "HEARTBEATING\n");
+                    SSL_heartbeat(con);
+                    i = 0;
+                    continue;
+                }
+#endif
+                if ((buf[0] == 'r') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
+                    SSL_renegotiate(con);
+                    i = SSL_do_handshake(con);
+                    printf("SSL_do_handshake -> %d\n", i);
+                    i = 0;      /* 13; */
+                    continue;
+                    /*
+                     * strcpy(buf,"server side RE-NEGOTIATE\n");
+                     */
+                }
+                if ((buf[0] == 'R') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
+                    SSL_set_verify(con,
+                                   SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
+                                   NULL);
+                    SSL_renegotiate(con);
+                    i = SSL_do_handshake(con);
+                    printf("SSL_do_handshake -> %d\n", i);
+                    i = 0;      /* 13; */
+                    continue;
+                    /*
+                     * strcpy(buf,"server side RE-NEGOTIATE asking for client
+                     * cert\n");
+                     */
+                }
+                if (buf[0] == 'P') {
+                    static const char *str = "Lets print some clear text\n";
+                    BIO_write(SSL_get_wbio(con), str, strlen(str));
+                }
+                if (buf[0] == 'S') {
+                    print_stats(bio_s_out, SSL_get_SSL_CTX(con));
+                }
+            }
+#ifdef CHARSET_EBCDIC
+            ebcdic2ascii(buf, buf, i);
+#endif
+            l = k = 0;
+            for (;;) {
+                /* should do a select for the write */
+#ifdef RENEG
+                {
+                    static count = 0;
+                    if (++count == 100) {
+                        count = 0;
+                        SSL_renegotiate(con);
+                    }
+                }
+#endif
+                k = SSL_write(con, &(buf[l]), (unsigned int)i);
+#ifndef OPENSSL_NO_SRP
+                while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP) {
+                    BIO_printf(bio_s_out, "LOOKUP renego during write\n");
+                    SRP_user_pwd_free(srp_callback_parm.user);
+                    srp_callback_parm.user =
+                        SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                                               srp_callback_parm.login);
+                    if (srp_callback_parm.user)
+                        BIO_printf(bio_s_out, "LOOKUP done %s\n",
+                                   srp_callback_parm.user->info);
+                    else
+                        BIO_printf(bio_s_out, "LOOKUP not successful\n");
+                    k = SSL_write(con, &(buf[l]), (unsigned int)i);
+                }
+#endif
+                switch (SSL_get_error(con, k)) {
+                case SSL_ERROR_NONE:
+                    break;
+                case SSL_ERROR_WANT_WRITE:
+                case SSL_ERROR_WANT_READ:
+                case SSL_ERROR_WANT_X509_LOOKUP:
+                    BIO_printf(bio_s_out, "Write BLOCK\n");
+                    break;
+                case SSL_ERROR_SYSCALL:
+                case SSL_ERROR_SSL:
+                    BIO_printf(bio_s_out, "ERROR\n");
+                    ERR_print_errors(bio_err);
+                    ret = 1;
+                    goto err;
+                    /* break; */
+                case SSL_ERROR_ZERO_RETURN:
+                    BIO_printf(bio_s_out, "DONE\n");
+                    ret = 1;
+                    goto err;
+                }
+                if (k > 0) {
+                    l += k;
+                    i -= k;
+                }
+                if (i <= 0)
+                    break;
+            }
+        }
+        if (read_from_sslcon) {
+            if (!SSL_is_init_finished(con)) {
+                i = init_ssl_connection(con);
+
+                if (i < 0) {
+                    ret = 0;
+                    goto err;
+                } else if (i == 0) {
+                    ret = 1;
+                    goto err;
+                }
+            } else {
+ again:
+                i = SSL_read(con, (char *)buf, bufsize);
+#ifndef OPENSSL_NO_SRP
+                while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
+                    BIO_printf(bio_s_out, "LOOKUP renego during read\n");
+                    SRP_user_pwd_free(srp_callback_parm.user);
+                    srp_callback_parm.user =
+                        SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                                               srp_callback_parm.login);
+                    if (srp_callback_parm.user)
+                        BIO_printf(bio_s_out, "LOOKUP done %s\n",
+                                   srp_callback_parm.user->info);
+                    else
+                        BIO_printf(bio_s_out, "LOOKUP not successful\n");
+                    i = SSL_read(con, (char *)buf, bufsize);
+                }
+#endif
+                switch (SSL_get_error(con, i)) {
+                case SSL_ERROR_NONE:
+#ifdef CHARSET_EBCDIC
+                    ascii2ebcdic(buf, buf, i);
+#endif
+                    raw_write_stdout(buf, (unsigned int)i);
+                    if (SSL_pending(con))
+                        goto again;
+                    break;
+                case SSL_ERROR_WANT_WRITE:
+                case SSL_ERROR_WANT_READ:
+                    BIO_printf(bio_s_out, "Read BLOCK\n");
+                    break;
+                case SSL_ERROR_SYSCALL:
+                case SSL_ERROR_SSL:
+                    BIO_printf(bio_s_out, "ERROR\n");
+                    ERR_print_errors(bio_err);
+                    ret = 1;
+                    goto err;
+                case SSL_ERROR_ZERO_RETURN:
+                    BIO_printf(bio_s_out, "DONE\n");
+                    ret = 1;
+                    goto err;
+                }
+            }
+        }
+    }
+ err:
+    if (con != NULL) {
+        BIO_printf(bio_s_out, "shutting down SSL\n");
+#if 1
+        SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
+#else
+        SSL_shutdown(con);
+#endif
+        SSL_free(con);
+    }
+    BIO_printf(bio_s_out, "CONNECTION CLOSED\n");
+    if (buf != NULL) {
+        OPENSSL_cleanse(buf, bufsize);
+        OPENSSL_free(buf);
+    }
+    if (ret >= 0)
+        BIO_printf(bio_s_out, "ACCEPT\n");
+    return (ret);
+}
+
+static void close_accept_socket(void)
+{
+    BIO_printf(bio_err, "shutdown accept socket\n");
+    if (accept_socket >= 0) {
+        SHUTDOWN2(accept_socket);
+    }
+}
+
+static int init_ssl_connection(SSL *con)
+{
+    int i;
+    const char *str;
+    X509 *peer;
+    long verify_error;
+    MS_STATIC char buf[BUFSIZ];
+#ifndef OPENSSL_NO_KRB5
+    char *client_princ;
+#endif
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+    const unsigned char *next_proto_neg;
+    unsigned next_proto_neg_len;
+#endif
+    unsigned char *exportedkeymat;
+
+    i = SSL_accept(con);
+#ifdef CERT_CB_TEST_RETRY
+    {
+        while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP
+               && SSL_state(con) == SSL3_ST_SR_CLNT_HELLO_C) {
+            fprintf(stderr,
+                    "LOOKUP from certificate callback during accept\n");
+            i = SSL_accept(con);
+        }
+    }
+#endif
+#ifndef OPENSSL_NO_SRP
+    while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
+        BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
+                   srp_callback_parm.login);
+        SRP_user_pwd_free(srp_callback_parm.user);
+        srp_callback_parm.user =
+            SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                                   srp_callback_parm.login);
+        if (srp_callback_parm.user)
+            BIO_printf(bio_s_out, "LOOKUP done %s\n",
+                       srp_callback_parm.user->info);
+        else
+            BIO_printf(bio_s_out, "LOOKUP not successful\n");
+        i = SSL_accept(con);
+    }
+#endif
+
+    if (i <= 0) {
+        if (BIO_sock_should_retry(i)) {
+            BIO_printf(bio_s_out, "DELAY\n");
+            return (1);
+        }
+
+        BIO_printf(bio_err, "ERROR\n");
+        verify_error = SSL_get_verify_result(con);
+        if (verify_error != X509_V_OK) {
+            BIO_printf(bio_err, "verify error:%s\n",
+                       X509_verify_cert_error_string(verify_error));
+        }
+        /* Always print any error messages */
+        ERR_print_errors(bio_err);
+        return (0);
+    }
+
+    if (s_brief)
+        print_ssl_summary(bio_err, con);
+
+    PEM_write_bio_SSL_SESSION(bio_s_out, SSL_get_session(con));
+
+    peer = SSL_get_peer_certificate(con);
+    if (peer != NULL) {
+        BIO_printf(bio_s_out, "Client certificate\n");
+        PEM_write_bio_X509(bio_s_out, peer);
+        X509_NAME_oneline(X509_get_subject_name(peer), buf, sizeof buf);
+        BIO_printf(bio_s_out, "subject=%s\n", buf);
+        X509_NAME_oneline(X509_get_issuer_name(peer), buf, sizeof buf);
+        BIO_printf(bio_s_out, "issuer=%s\n", buf);
+        X509_free(peer);
+    }
+
+    if (SSL_get_shared_ciphers(con, buf, sizeof buf) != NULL)
+        BIO_printf(bio_s_out, "Shared ciphers:%s\n", buf);
+    str = SSL_CIPHER_get_name(SSL_get_current_cipher(con));
+    ssl_print_sigalgs(bio_s_out, con);
+#ifndef OPENSSL_NO_EC
+    ssl_print_point_formats(bio_s_out, con);
+    ssl_print_curves(bio_s_out, con, 0);
+#endif
+    BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL) ? str : "(NONE)");
+
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+    SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
+    if (next_proto_neg) {
+        BIO_printf(bio_s_out, "NEXTPROTO is ");
+        BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len);
+        BIO_printf(bio_s_out, "\n");
+    }
+#endif
+#ifndef OPENSSL_NO_SRTP
+    {
+        SRTP_PROTECTION_PROFILE *srtp_profile
+            = SSL_get_selected_srtp_profile(con);
+
+        if (srtp_profile)
+            BIO_printf(bio_s_out, "SRTP Extension negotiated, profile=%s\n",
+                       srtp_profile->name);
+    }
+#endif
+    if (SSL_cache_hit(con))
+        BIO_printf(bio_s_out, "Reused session-id\n");
+    if (SSL_ctrl(con, SSL_CTRL_GET_FLAGS, 0, NULL) &
+        TLS1_FLAGS_TLS_PADDING_BUG)
+        BIO_printf(bio_s_out, "Peer has incorrect TLSv1 block padding\n");
+#ifndef OPENSSL_NO_KRB5
+    client_princ = kssl_ctx_get0_client_princ(SSL_get0_kssl_ctx(con));
+    if (client_princ != NULL) {
+        BIO_printf(bio_s_out, "Kerberos peer principal is %s\n",
+                   client_princ);
+    }
+#endif                          /* OPENSSL_NO_KRB5 */
+    BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
+               SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
+    if (keymatexportlabel != NULL) {
+        BIO_printf(bio_s_out, "Keying material exporter:\n");
+        BIO_printf(bio_s_out, "    Label: '%s'\n", keymatexportlabel);
+        BIO_printf(bio_s_out, "    Length: %i bytes\n", keymatexportlen);
+        exportedkeymat = OPENSSL_malloc(keymatexportlen);
+        if (exportedkeymat != NULL) {
+            if (!SSL_export_keying_material(con, exportedkeymat,
+                                            keymatexportlen,
+                                            keymatexportlabel,
+                                            strlen(keymatexportlabel),
+                                            NULL, 0, 0)) {
+                BIO_printf(bio_s_out, "    Error\n");
+            } else {
+                BIO_printf(bio_s_out, "    Keying material: ");
+                for (i = 0; i < keymatexportlen; i++)
+                    BIO_printf(bio_s_out, "%02X", exportedkeymat[i]);
+                BIO_printf(bio_s_out, "\n");
+            }
+            OPENSSL_free(exportedkeymat);
+        }
+    }
+
+    return (1);
+}
+
+#ifndef OPENSSL_NO_DH
+static DH *load_dh_param(const char *dhfile)
+{
+    DH *ret = NULL;
+    BIO *bio;
+
+    if ((bio = BIO_new_file(dhfile, "r")) == NULL)
+        goto err;
+    ret = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+ err:
+    if (bio != NULL)
+        BIO_free(bio);
+    return (ret);
+}
+#endif
+#ifndef OPENSSL_NO_KRB5
+char *client_princ;
+#endif
+
+#if 0
+static int load_CA(SSL_CTX *ctx, char *file)
+{
+    FILE *in;
+    X509 *x = NULL;
+
+    if ((in = fopen(file, "r")) == NULL)
+        return (0);
+
+    for (;;) {
+        if (PEM_read_X509(in, &x, NULL) == NULL)
+            break;
+        SSL_CTX_add_client_CA(ctx, x);
+    }
+    if (x != NULL)
+        X509_free(x);
+    fclose(in);
+    return (1);
+}
+#endif
+
+static int www_body(char *hostname, int s, int stype, unsigned char *context)
+{
+    char *buf = NULL;
+    int ret = 1;
+    int i, j, k, dot;
+    SSL *con;
+    const SSL_CIPHER *c;
+    BIO *io, *ssl_bio, *sbio;
+#ifndef OPENSSL_NO_KRB5
+    KSSL_CTX *kctx;
+#endif
+
+    buf = OPENSSL_malloc(bufsize);
+    if (buf == NULL)
+        return (0);
+    io = BIO_new(BIO_f_buffer());
+    ssl_bio = BIO_new(BIO_f_ssl());
+    if ((io == NULL) || (ssl_bio == NULL))
+        goto err;
+
+#ifdef FIONBIO
+    if (s_nbio) {
+        unsigned long sl = 1;
+
+        if (!s_quiet)
+            BIO_printf(bio_err, "turning on non blocking io\n");
+        if (BIO_socket_ioctl(s, FIONBIO, &sl) < 0)
+            ERR_print_errors(bio_err);
+    }
+#endif
+
+    /* lets make the output buffer a reasonable size */
+    if (!BIO_set_write_buffer_size(io, bufsize))
+        goto err;
+
+    if ((con = SSL_new(ctx)) == NULL)
+        goto err;
+#ifndef OPENSSL_NO_TLSEXT
+    if (s_tlsextdebug) {
+        SSL_set_tlsext_debug_callback(con, tlsext_cb);
+        SSL_set_tlsext_debug_arg(con, bio_s_out);
+    }
+#endif
+#ifndef OPENSSL_NO_KRB5
+    if ((kctx = kssl_ctx_new()) != NULL) {
+        kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
+        kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
+    }
+#endif                          /* OPENSSL_NO_KRB5 */
+    if (context)
+        SSL_set_session_id_context(con, context, strlen((char *)context));
+
+    sbio = BIO_new_socket(s, BIO_NOCLOSE);
+    if (s_nbio_test) {
+        BIO *test;
+
+        test = BIO_new(BIO_f_nbio_test());
+        sbio = BIO_push(test, sbio);
+    }
+    SSL_set_bio(con, sbio, sbio);
+    SSL_set_accept_state(con);
+
+    /* SSL_set_fd(con,s); */
+    BIO_set_ssl(ssl_bio, con, BIO_CLOSE);
+    BIO_push(io, ssl_bio);
+#ifdef CHARSET_EBCDIC
+    io = BIO_push(BIO_new(BIO_f_ebcdic_filter()), io);
+#endif
+
+    if (s_debug) {
+        SSL_set_debug(con, 1);
+        BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
+        BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
+    }
+    if (s_msg) {
+#ifndef OPENSSL_NO_SSL_TRACE
+        if (s_msg == 2)
+            SSL_set_msg_callback(con, SSL_trace);
+        else
+#endif
+            SSL_set_msg_callback(con, msg_cb);
+        SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out);
+    }
+
+    for (;;) {
+        if (hack) {
+            i = SSL_accept(con);
+#ifndef OPENSSL_NO_SRP
+            while (i <= 0
+                   && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
+                BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
+                           srp_callback_parm.login);
+                SRP_user_pwd_free(srp_callback_parm.user);
+                srp_callback_parm.user =
+                    SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                                           srp_callback_parm.login);
+                if (srp_callback_parm.user)
+                    BIO_printf(bio_s_out, "LOOKUP done %s\n",
+                               srp_callback_parm.user->info);
+                else
+                    BIO_printf(bio_s_out, "LOOKUP not successful\n");
+                i = SSL_accept(con);
+            }
+#endif
+            switch (SSL_get_error(con, i)) {
+            case SSL_ERROR_NONE:
+                break;
+            case SSL_ERROR_WANT_WRITE:
+            case SSL_ERROR_WANT_READ:
+            case SSL_ERROR_WANT_X509_LOOKUP:
+                continue;
+            case SSL_ERROR_SYSCALL:
+            case SSL_ERROR_SSL:
+            case SSL_ERROR_ZERO_RETURN:
+                ret = 1;
+                goto err;
+                /* break; */
+            }
+
+            SSL_renegotiate(con);
+            SSL_write(con, NULL, 0);
+        }
+
+        i = BIO_gets(io, buf, bufsize - 1);
+        if (i < 0) {            /* error */
+            if (!BIO_should_retry(io)) {
+                if (!s_quiet)
+                    ERR_print_errors(bio_err);
+                goto err;
+            } else {
+                BIO_printf(bio_s_out, "read R BLOCK\n");
+#ifndef OPENSSL_NO_SRP
+                if (BIO_should_io_special(io)
+                    && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
+                    BIO_printf(bio_s_out, "LOOKUP renego during read\n");
+                    SRP_user_pwd_free(srp_callback_parm.user);
+                    srp_callback_parm.user =
+                        SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                                               srp_callback_parm.login);
+                    if (srp_callback_parm.user)
+                        BIO_printf(bio_s_out, "LOOKUP done %s\n",
+                                   srp_callback_parm.user->info);
+                    else
+                        BIO_printf(bio_s_out, "LOOKUP not successful\n");
+                    continue;
+                }
+#endif
+#if defined(OPENSSL_SYS_NETWARE)
+                delay(1000);
+#elif !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__)
+                sleep(1);
+#endif
+                continue;
+            }
+        } else if (i == 0) {    /* end of input */
+            ret = 1;
+            goto end;
+        }
+
+        /* else we have data */
+        if (((www == 1) && (strncmp("GET ", buf, 4) == 0)) ||
+            ((www == 2) && (strncmp("GET /stats ", buf, 11) == 0))) {
+            char *p;
+            X509 *peer;
+            STACK_OF(SSL_CIPHER) *sk;
+            static const char *space = "                          ";
+
+            BIO_puts(io,
+                     "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
+            BIO_puts(io, "<HTML><BODY BGCOLOR=\"#ffffff\">\n");
+            BIO_puts(io, "<pre>\n");
+/*                      BIO_puts(io,SSLeay_version(SSLEAY_VERSION));*/
+            BIO_puts(io, "\n");
+            for (i = 0; i < local_argc; i++) {
+                BIO_puts(io, local_argv[i]);
+                BIO_write(io, " ", 1);
+            }
+            BIO_puts(io, "\n");
+
+            BIO_printf(io,
+                       "Secure Renegotiation IS%s supported\n",
+                       SSL_get_secure_renegotiation_support(con) ?
+                       "" : " NOT");
+
+            /*
+             * The following is evil and should not really be done
+             */
+            BIO_printf(io, "Ciphers supported in s_server binary\n");
+            sk = SSL_get_ciphers(con);
+            j = sk_SSL_CIPHER_num(sk);
+            for (i = 0; i < j; i++) {
+                c = sk_SSL_CIPHER_value(sk, i);
+                BIO_printf(io, "%-11s:%-25s",
+                           SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
+                if ((((i + 1) % 2) == 0) && (i + 1 != j))
+                    BIO_puts(io, "\n");
+            }
+            BIO_puts(io, "\n");
+            p = SSL_get_shared_ciphers(con, buf, bufsize);
+            if (p != NULL) {
+                BIO_printf(io,
+                           "---\nCiphers common between both SSL end points:\n");
+                j = i = 0;
+                while (*p) {
+                    if (*p == ':') {
+                        BIO_write(io, space, 26 - j);
+                        i++;
+                        j = 0;
+                        BIO_write(io, ((i % 3) ? " " : "\n"), 1);
+                    } else {
+                        BIO_write(io, p, 1);
+                        j++;
+                    }
+                    p++;
+                }
+                BIO_puts(io, "\n");
+            }
+            ssl_print_sigalgs(io, con);
+#ifndef OPENSSL_NO_EC
+            ssl_print_curves(io, con, 0);
+#endif
+            BIO_printf(io, (SSL_cache_hit(con)
+                            ? "---\nReused, " : "---\nNew, "));
+            c = SSL_get_current_cipher(con);
+            BIO_printf(io, "%s, Cipher is %s\n",
+                       SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
+            SSL_SESSION_print(io, SSL_get_session(con));
+            BIO_printf(io, "---\n");
+            print_stats(io, SSL_get_SSL_CTX(con));
+            BIO_printf(io, "---\n");
+            peer = SSL_get_peer_certificate(con);
+            if (peer != NULL) {
+                BIO_printf(io, "Client certificate\n");
+                X509_print(io, peer);
+                PEM_write_bio_X509(io, peer);
+            } else
+                BIO_puts(io, "no client certificate available\n");
+            BIO_puts(io, "</BODY></HTML>\r\n\r\n");
+            break;
+        } else if ((www == 2 || www == 3)
+                   && (strncmp("GET /", buf, 5) == 0)) {
+            BIO *file;
+            char *p, *e;
+            static const char *text =
+                "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
+
+            /* skip the '/' */
+            p = &(buf[5]);
+
+            dot = 1;
+            for (e = p; *e != '\0'; e++) {
+                if (e[0] == ' ')
+                    break;
+
+                switch (dot) {
+                case 1:
+                    dot = (e[0] == '.') ? 2 : 0;
+                    break;
+                case 2:
+                    dot = (e[0] == '.') ? 3 : 0;
+                    break;
+                case 3:
+                    dot = (e[0] == '/') ? -1 : 0;
+                    break;
+                }
+                if (dot == 0)
+                    dot = (e[0] == '/') ? 1 : 0;
+            }
+            dot = (dot == 3) || (dot == -1); /* filename contains ".."
+                                              * component */
+
+            if (*e == '\0') {
+                BIO_puts(io, text);
+                BIO_printf(io, "'%s' is an invalid file name\r\n", p);
+                break;
+            }
+            *e = '\0';
+
+            if (dot) {
+                BIO_puts(io, text);
+                BIO_printf(io, "'%s' contains '..' reference\r\n", p);
+                break;
+            }
+
+            if (*p == '/') {
+                BIO_puts(io, text);
+                BIO_printf(io, "'%s' is an invalid path\r\n", p);
+                break;
+            }
+#if 0
+            /* append if a directory lookup */
+            if (e[-1] == '/')
+                strcat(p, "index.html");
+#endif
+
+            /* if a directory, do the index thang */
+            if (app_isdir(p) > 0) {
+#if 0                           /* must check buffer size */
+                strcat(p, "/index.html");
+#else
+                BIO_puts(io, text);
+                BIO_printf(io, "'%s' is a directory\r\n", p);
+                break;
+#endif
+            }
+
+            if ((file = BIO_new_file(p, "r")) == NULL) {
+                BIO_puts(io, text);
+                BIO_printf(io, "Error opening '%s'\r\n", p);
+                ERR_print_errors(io);
+                break;
+            }
+
+            if (!s_quiet)
+                BIO_printf(bio_err, "FILE:%s\n", p);
+
+            if (www == 2) {
+                i = strlen(p);
+                if (((i > 5) && (strcmp(&(p[i - 5]), ".html") == 0)) ||
+                    ((i > 4) && (strcmp(&(p[i - 4]), ".php") == 0)) ||
+                    ((i > 4) && (strcmp(&(p[i - 4]), ".htm") == 0)))
+                    BIO_puts(io,
+                             "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
+                else
+                    BIO_puts(io,
+                             "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
+            }
+            /* send the file */
+            for (;;) {
+                i = BIO_read(file, buf, bufsize);
+                if (i <= 0)
+                    break;
+
+#ifdef RENEG
+                total_bytes += i;
+                fprintf(stderr, "%d\n", i);
+                if (total_bytes > 3 * 1024) {
+                    total_bytes = 0;
+                    fprintf(stderr, "RENEGOTIATE\n");
+                    SSL_renegotiate(con);
+                }
+#endif
+
+                for (j = 0; j < i;) {
+#ifdef RENEG
+                    {
+                        static count = 0;
+                        if (++count == 13) {
+                            SSL_renegotiate(con);
+                        }
+                    }
+#endif
+                    k = BIO_write(io, &(buf[j]), i - j);
+                    if (k <= 0) {
+                        if (!BIO_should_retry(io))
+                            goto write_error;
+                        else {
+                            BIO_printf(bio_s_out, "rwrite W BLOCK\n");
+                        }
+                    } else {
+                        j += k;
+                    }
+                }
+            }
+ write_error:
+            BIO_free(file);
+            break;
+        }
+    }
+
+    for (;;) {
+        i = (int)BIO_flush(io);
+        if (i <= 0) {
+            if (!BIO_should_retry(io))
+                break;
+        } else
+            break;
+    }
+ end:
+#if 1
+    /* make sure we re-use sessions */
+    SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
+#else
+    /* This kills performance */
+    /*
+     * SSL_shutdown(con); A shutdown gets sent in the BIO_free_all(io)
+     * procession
+     */
+#endif
+
+ err:
+
+    if (ret >= 0)
+        BIO_printf(bio_s_out, "ACCEPT\n");
+
+    if (buf != NULL)
+        OPENSSL_free(buf);
+    if (io != NULL)
+        BIO_free_all(io);
+/*      if (ssl_bio != NULL) BIO_free(ssl_bio);*/
+    return (ret);
+}
+
+static int rev_body(char *hostname, int s, int stype, unsigned char *context)
+{
+    char *buf = NULL;
+    int i;
+    int ret = 1;
+    SSL *con;
+    BIO *io, *ssl_bio, *sbio;
+#ifndef OPENSSL_NO_KRB5
+    KSSL_CTX *kctx;
+#endif
+
+    buf = OPENSSL_malloc(bufsize);
+    if (buf == NULL)
+        return (0);
+    io = BIO_new(BIO_f_buffer());
+    ssl_bio = BIO_new(BIO_f_ssl());
+    if ((io == NULL) || (ssl_bio == NULL))
+        goto err;
+
+    /* lets make the output buffer a reasonable size */
+    if (!BIO_set_write_buffer_size(io, bufsize))
+        goto err;
+
+    if ((con = SSL_new(ctx)) == NULL)
+        goto err;
+#ifndef OPENSSL_NO_TLSEXT
+    if (s_tlsextdebug) {
+        SSL_set_tlsext_debug_callback(con, tlsext_cb);
+        SSL_set_tlsext_debug_arg(con, bio_s_out);
+    }
+#endif
+#ifndef OPENSSL_NO_KRB5
+    if ((kctx = kssl_ctx_new()) != NULL) {
+        kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
+        kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
+    }
+#endif                          /* OPENSSL_NO_KRB5 */
+    if (context)
+        SSL_set_session_id_context(con, context, strlen((char *)context));
+
+    sbio = BIO_new_socket(s, BIO_NOCLOSE);
+    SSL_set_bio(con, sbio, sbio);
+    SSL_set_accept_state(con);
+
+    BIO_set_ssl(ssl_bio, con, BIO_CLOSE);
+    BIO_push(io, ssl_bio);
+#ifdef CHARSET_EBCDIC
+    io = BIO_push(BIO_new(BIO_f_ebcdic_filter()), io);
+#endif
+
+    if (s_debug) {
+        SSL_set_debug(con, 1);
+        BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
+        BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
+    }
+    if (s_msg) {
+#ifndef OPENSSL_NO_SSL_TRACE
+        if (s_msg == 2)
+            SSL_set_msg_callback(con, SSL_trace);
+        else
+#endif
+            SSL_set_msg_callback(con, msg_cb);
+        SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out);
+    }
+
+    for (;;) {
+        i = BIO_do_handshake(io);
+        if (i > 0)
+            break;
+        if (!BIO_should_retry(io)) {
+            BIO_puts(bio_err, "CONNECTION FAILURE\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+#ifndef OPENSSL_NO_SRP
+        if (BIO_should_io_special(io)
+            && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
+            BIO_printf(bio_s_out, "LOOKUP renego during accept\n");
+            SRP_user_pwd_free(srp_callback_parm.user);
+            srp_callback_parm.user =
+                SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                                       srp_callback_parm.login);
+            if (srp_callback_parm.user)
+                BIO_printf(bio_s_out, "LOOKUP done %s\n",
+                           srp_callback_parm.user->info);
+            else
+                BIO_printf(bio_s_out, "LOOKUP not successful\n");
+            continue;
+        }
+#endif
+    }
+    BIO_printf(bio_err, "CONNECTION ESTABLISHED\n");
+    print_ssl_summary(bio_err, con);
+
+    for (;;) {
+        i = BIO_gets(io, buf, bufsize - 1);
+        if (i < 0) {            /* error */
+            if (!BIO_should_retry(io)) {
+                if (!s_quiet)
+                    ERR_print_errors(bio_err);
+                goto err;
+            } else {
+                BIO_printf(bio_s_out, "read R BLOCK\n");
+#ifndef OPENSSL_NO_SRP
+                if (BIO_should_io_special(io)
+                    && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
+                    BIO_printf(bio_s_out, "LOOKUP renego during read\n");
+                    SRP_user_pwd_free(srp_callback_parm.user);
+                    srp_callback_parm.user =
+                        SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                                               srp_callback_parm.login);
+                    if (srp_callback_parm.user)
+                        BIO_printf(bio_s_out, "LOOKUP done %s\n",
+                                   srp_callback_parm.user->info);
+                    else
+                        BIO_printf(bio_s_out, "LOOKUP not successful\n");
+                    continue;
+                }
+#endif
+#if defined(OPENSSL_SYS_NETWARE)
+                delay(1000);
+#elif !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__)
+                sleep(1);
+#endif
+                continue;
+            }
+        } else if (i == 0) {    /* end of input */
+            ret = 1;
+            BIO_printf(bio_err, "CONNECTION CLOSED\n");
+            goto end;
+        } else {
+            char *p = buf + i - 1;
+            while (i && (*p == '\n' || *p == '\r')) {
+                p--;
+                i--;
+            }
+            if (!s_ign_eof && i == 5 && !strncmp(buf, "CLOSE", 5)) {
+                ret = 1;
+                BIO_printf(bio_err, "CONNECTION CLOSED\n");
+                goto end;
+            }
+            BUF_reverse((unsigned char *)buf, NULL, i);
+            buf[i] = '\n';
+            BIO_write(io, buf, i + 1);
+            for (;;) {
+                i = BIO_flush(io);
+                if (i > 0)
+                    break;
+                if (!BIO_should_retry(io))
+                    goto end;
+            }
+        }
+    }
+ end:
+    /* make sure we re-use sessions */
+    SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
+
+ err:
+
+    if (buf != NULL)
+        OPENSSL_free(buf);
+    if (io != NULL)
+        BIO_free_all(io);
+    return (ret);
+}
+
+#ifndef OPENSSL_NO_RSA
+static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
+{
+    BIGNUM *bn = NULL;
+    static RSA *rsa_tmp = NULL;
+
+    if (!rsa_tmp && ((bn = BN_new()) == NULL))
+        BIO_printf(bio_err, "Allocation error in generating RSA key\n");
+    if (!rsa_tmp && bn) {
+        if (!s_quiet) {
+            BIO_printf(bio_err, "Generating temp (%d bit) RSA key...",
+                       keylength);
+            (void)BIO_flush(bio_err);
+        }
+        if (!BN_set_word(bn, RSA_F4) || ((rsa_tmp = RSA_new()) == NULL) ||
+            !RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) {
+            if (rsa_tmp)
+                RSA_free(rsa_tmp);
+            rsa_tmp = NULL;
+        }
+        if (!s_quiet) {
+            BIO_printf(bio_err, "\n");
+            (void)BIO_flush(bio_err);
+        }
+        BN_free(bn);
+    }
+    return (rsa_tmp);
+}
+#endif
+
+#define MAX_SESSION_ID_ATTEMPTS 10
+static int generate_session_id(const SSL *ssl, unsigned char *id,
+                               unsigned int *id_len)
+{
+    unsigned int count = 0;
+    do {
+        if (RAND_bytes(id, *id_len) <= 0)
+            return 0;
+        /*
+         * Prefix the session_id with the required prefix. NB: If our prefix
+         * is too long, clip it - but there will be worse effects anyway, eg.
+         * the server could only possibly create 1 session ID (ie. the
+         * prefix!) so all future session negotiations will fail due to
+         * conflicts.
+         */
+        memcpy(id, session_id_prefix,
+               (strlen(session_id_prefix) < *id_len) ?
+               strlen(session_id_prefix) : *id_len);
+    }
+    while (SSL_has_matching_session_id(ssl, id, *id_len) &&
+           (++count < MAX_SESSION_ID_ATTEMPTS));
+    if (count >= MAX_SESSION_ID_ATTEMPTS)
+        return 0;
+    return 1;
+}
+
+/*
+ * By default s_server uses an in-memory cache which caches SSL_SESSION
+ * structures without any serialisation. This hides some bugs which only
+ * become apparent in deployed servers. By implementing a basic external
+ * session cache some issues can be debugged using s_server.
+ */
+
+typedef struct simple_ssl_session_st {
+    unsigned char *id;
+    unsigned int idlen;
+    unsigned char *der;
+    int derlen;
+    struct simple_ssl_session_st *next;
+} simple_ssl_session;
+
+static simple_ssl_session *first = NULL;
+
+static int add_session(SSL *ssl, SSL_SESSION *session)
+{
+    simple_ssl_session *sess;
+    unsigned char *p;
+
+    sess = OPENSSL_malloc(sizeof(simple_ssl_session));
+    if (!sess) {
+        BIO_printf(bio_err, "Out of memory adding session to external cache\n");
+        return 0;
+    }
+
+    SSL_SESSION_get_id(session, &sess->idlen);
+    sess->derlen = i2d_SSL_SESSION(session, NULL);
+
+    sess->id = BUF_memdup(SSL_SESSION_get_id(session, NULL), sess->idlen);
+
+    sess->der = OPENSSL_malloc(sess->derlen);
+    if (!sess->id || !sess->der) {
+        BIO_printf(bio_err, "Out of memory adding session to external cache\n");
+
+        if (sess->id)
+            OPENSSL_free(sess->id);
+        if (sess->der)
+            OPENSSL_free(sess->der);
+        OPENSSL_free(sess);
+        return 0;
+    }
+    p = sess->der;
+    i2d_SSL_SESSION(session, &p);
+
+    sess->next = first;
+    first = sess;
+    BIO_printf(bio_err, "New session added to external cache\n");
+    return 0;
+}
+
+static SSL_SESSION *get_session(SSL *ssl, unsigned char *id, int idlen,
+                                int *do_copy)
+{
+    simple_ssl_session *sess;
+    *do_copy = 0;
+    for (sess = first; sess; sess = sess->next) {
+        if (idlen == (int)sess->idlen && !memcmp(sess->id, id, idlen)) {
+            const unsigned char *p = sess->der;
+            BIO_printf(bio_err, "Lookup session: cache hit\n");
+            return d2i_SSL_SESSION(NULL, &p, sess->derlen);
+        }
+    }
+    BIO_printf(bio_err, "Lookup session: cache miss\n");
+    return NULL;
+}
+
+static void del_session(SSL_CTX *sctx, SSL_SESSION *session)
+{
+    simple_ssl_session *sess, *prev = NULL;
+    const unsigned char *id;
+    unsigned int idlen;
+    id = SSL_SESSION_get_id(session, &idlen);
+    for (sess = first; sess; sess = sess->next) {
+        if (idlen == sess->idlen && !memcmp(sess->id, id, idlen)) {
+            if (prev)
+                prev->next = sess->next;
+            else
+                first = sess->next;
+            OPENSSL_free(sess->id);
+            OPENSSL_free(sess->der);
+            OPENSSL_free(sess);
+            return;
+        }
+        prev = sess;
+    }
+}
+
+static void init_session_cache_ctx(SSL_CTX *sctx)
+{
+    SSL_CTX_set_session_cache_mode(sctx,
+                                   SSL_SESS_CACHE_NO_INTERNAL |
+                                   SSL_SESS_CACHE_SERVER);
+    SSL_CTX_sess_set_new_cb(sctx, add_session);
+    SSL_CTX_sess_set_get_cb(sctx, get_session);
+    SSL_CTX_sess_set_remove_cb(sctx, del_session);
+}
+
+static void free_sessions(void)
+{
+    simple_ssl_session *sess, *tsess;
+    for (sess = first; sess;) {
+        OPENSSL_free(sess->id);
+        OPENSSL_free(sess->der);
+        tsess = sess;
+        sess = sess->next;
+        OPENSSL_free(tsess);
+    }
+    first = NULL;
+}
diff --git a/openssl/apps/s_socket.c b/openssl/apps/s_socket.c
new file mode 100644
index 0000000..77a7688
--- /dev/null
+++ b/openssl/apps/s_socket.c
@@ -0,0 +1,613 @@
+/*
+ * apps/s_socket.c - socket-related functions used by s_client and s_server
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <signal.h>
+
+#ifdef FLAT_INC
+# include "e_os2.h"
+#else
+# include "../e_os2.h"
+#endif
+
+/*
+ * With IPv6, it looks like Digital has mixed up the proper order of
+ * recursive header file inclusion, resulting in the compiler complaining
+ * that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is
+ * needed to have fileno() declared correctly...  So let's define u_int
+ */
+#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
+# define __U_INT
+typedef unsigned int u_int;
+#endif
+
+#define USE_SOCKETS
+#define NON_MAIN
+#include "apps.h"
+#undef USE_SOCKETS
+#undef NON_MAIN
+#include "s_apps.h"
+#include <openssl/ssl.h>
+
+#ifdef FLAT_INC
+# include "e_os.h"
+#else
+# include "../e_os.h"
+#endif
+
+#ifndef OPENSSL_NO_SOCK
+
+# if defined(OPENSSL_SYS_NETWARE) && defined(NETWARE_BSDSOCK)
+#  include "netdb.h"
+# endif
+
+static struct hostent *GetHostByName(char *name);
+# if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
+static void ssl_sock_cleanup(void);
+# endif
+static int ssl_sock_init(void);
+static int init_client_ip(int *sock, unsigned char ip[4], int port, int type);
+static int init_server(int *sock, int port, int type);
+static int init_server_long(int *sock, int port, char *ip, int type);
+static int do_accept(int acc_sock, int *sock, char **host);
+static int host_ip(char *str, unsigned char ip[4]);
+
+# ifdef OPENSSL_SYS_WIN16
+#  define SOCKET_PROTOCOL 0     /* more microsoft stupidity */
+# else
+#  define SOCKET_PROTOCOL IPPROTO_TCP
+# endif
+
+# if defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
+static int wsa_init_done = 0;
+# endif
+
+# ifdef OPENSSL_SYS_WINDOWS
+static struct WSAData wsa_state;
+static int wsa_init_done = 0;
+
+#  ifdef OPENSSL_SYS_WIN16
+static HWND topWnd = 0;
+static FARPROC lpTopWndProc = NULL;
+static FARPROC lpTopHookProc = NULL;
+extern HINSTANCE _hInstance;    /* nice global CRT provides */
+
+static LONG FAR PASCAL topHookProc(HWND hwnd, UINT message, WPARAM wParam,
+                                   LPARAM lParam)
+{
+    if (hwnd == topWnd) {
+        switch (message) {
+        case WM_DESTROY:
+        case WM_CLOSE:
+            SetWindowLong(topWnd, GWL_WNDPROC, (LONG) lpTopWndProc);
+            ssl_sock_cleanup();
+            break;
+        }
+    }
+    return CallWindowProc(lpTopWndProc, hwnd, message, wParam, lParam);
+}
+
+static BOOL CALLBACK enumproc(HWND hwnd, LPARAM lParam)
+{
+    topWnd = hwnd;
+    return (FALSE);
+}
+
+#  endif                        /* OPENSSL_SYS_WIN32 */
+# endif                         /* OPENSSL_SYS_WINDOWS */
+
+# ifdef OPENSSL_SYS_WINDOWS
+static void ssl_sock_cleanup(void)
+{
+    if (wsa_init_done) {
+        wsa_init_done = 0;
+#  ifndef OPENSSL_SYS_WINCE
+        WSACancelBlockingCall();
+#  endif
+        WSACleanup();
+    }
+}
+# elif defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
+static void sock_cleanup(void)
+{
+    if (wsa_init_done) {
+        wsa_init_done = 0;
+        WSACleanup();
+    }
+}
+# endif
+
+static int ssl_sock_init(void)
+{
+# ifdef WATT32
+    extern int _watt_do_exit;
+    _watt_do_exit = 0;
+    if (sock_init())
+        return (0);
+# elif defined(OPENSSL_SYS_WINDOWS)
+    if (!wsa_init_done) {
+        int err;
+
+#  ifdef SIGINT
+        signal(SIGINT, (void (*)(int))ssl_sock_cleanup);
+#  endif
+        wsa_init_done = 1;
+        memset(&wsa_state, 0, sizeof(wsa_state));
+        if (WSAStartup(0x0101, &wsa_state) != 0) {
+            err = WSAGetLastError();
+            BIO_printf(bio_err, "unable to start WINSOCK, error code=%d\n",
+                       err);
+            return (0);
+        }
+#  ifdef OPENSSL_SYS_WIN16
+        EnumTaskWindows(GetCurrentTask(), enumproc, 0L);
+        lpTopWndProc = (FARPROC) GetWindowLong(topWnd, GWL_WNDPROC);
+        lpTopHookProc = MakeProcInstance((FARPROC) topHookProc, _hInstance);
+
+        SetWindowLong(topWnd, GWL_WNDPROC, (LONG) lpTopHookProc);
+#  endif                        /* OPENSSL_SYS_WIN16 */
+    }
+# elif defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
+    WORD wVerReq;
+    WSADATA wsaData;
+    int err;
+
+    if (!wsa_init_done) {
+
+#  ifdef SIGINT
+        signal(SIGINT, (void (*)(int))sock_cleanup);
+#  endif
+
+        wsa_init_done = 1;
+        wVerReq = MAKEWORD(2, 0);
+        err = WSAStartup(wVerReq, &wsaData);
+        if (err != 0) {
+            BIO_printf(bio_err, "unable to start WINSOCK2, error code=%d\n",
+                       err);
+            return (0);
+        }
+    }
+# endif                         /* OPENSSL_SYS_WINDOWS */
+    return (1);
+}
+
+int init_client(int *sock, char *host, int port, int type)
+{
+    unsigned char ip[4];
+
+    memset(ip, '\0', sizeof ip);
+    if (!host_ip(host, &(ip[0])))
+        return 0;
+    return init_client_ip(sock, ip, port, type);
+}
+
+static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
+{
+    unsigned long addr;
+    struct sockaddr_in them;
+    int s, i;
+
+    if (!ssl_sock_init())
+        return (0);
+
+    memset((char *)&them, 0, sizeof(them));
+    them.sin_family = AF_INET;
+    them.sin_port = htons((unsigned short)port);
+    addr = (unsigned long)
+        ((unsigned long)ip[0] << 24L) |
+        ((unsigned long)ip[1] << 16L) |
+        ((unsigned long)ip[2] << 8L) | ((unsigned long)ip[3]);
+    them.sin_addr.s_addr = htonl(addr);
+
+    if (type == SOCK_STREAM)
+        s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
+    else                        /* ( type == SOCK_DGRAM) */
+        s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+
+    if (s == INVALID_SOCKET) {
+        perror("socket");
+        return (0);
+    }
+# if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
+    if (type == SOCK_STREAM) {
+        i = 0;
+        i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *)&i, sizeof(i));
+        if (i < 0) {
+            closesocket(s);
+            perror("keepalive");
+            return (0);
+        }
+    }
+# endif
+
+    if (connect(s, (struct sockaddr *)&them, sizeof(them)) == -1) {
+        closesocket(s);
+        perror("connect");
+        return (0);
+    }
+    *sock = s;
+    return (1);
+}
+
+int do_server(int port, int type, int *ret,
+              int (*cb) (char *hostname, int s, int stype,
+                         unsigned char *context), unsigned char *context,
+              int naccept)
+{
+    int sock;
+    char *name = NULL;
+    int accept_socket = 0;
+    int i;
+
+    if (!init_server(&accept_socket, port, type))
+        return (0);
+
+    if (ret != NULL) {
+        *ret = accept_socket;
+        /* return(1); */
+    }
+    for (;;) {
+        if (type == SOCK_STREAM) {
+            if (do_accept(accept_socket, &sock, &name) == 0) {
+                SHUTDOWN(accept_socket);
+                return (0);
+            }
+        } else
+            sock = accept_socket;
+        i = (*cb) (name, sock, type, context);
+        if (name != NULL)
+            OPENSSL_free(name);
+        if (type == SOCK_STREAM)
+            SHUTDOWN2(sock);
+        if (naccept != -1)
+            naccept--;
+        if (i < 0 || naccept == 0) {
+            SHUTDOWN2(accept_socket);
+            return (i);
+        }
+    }
+}
+
+static int init_server_long(int *sock, int port, char *ip, int type)
+{
+    int ret = 0;
+    struct sockaddr_in server;
+    int s = -1;
+
+    if (!ssl_sock_init())
+        return (0);
+
+    memset((char *)&server, 0, sizeof(server));
+    server.sin_family = AF_INET;
+    server.sin_port = htons((unsigned short)port);
+    if (ip == NULL)
+        server.sin_addr.s_addr = INADDR_ANY;
+    else
+/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
+# ifndef BIT_FIELD_LIMITS
+        memcpy(&server.sin_addr.s_addr, ip, 4);
+# else
+        memcpy(&server.sin_addr, ip, 4);
+# endif
+
+    if (type == SOCK_STREAM)
+        s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
+    else                        /* type == SOCK_DGRAM */
+        s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+
+    if (s == INVALID_SOCKET)
+        goto err;
+# if defined SOL_SOCKET && defined SO_REUSEADDR
+    {
+        int j = 1;
+        setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);
+    }
+# endif
+    if (bind(s, (struct sockaddr *)&server, sizeof(server)) == -1) {
+# ifndef OPENSSL_SYS_WINDOWS
+        perror("bind");
+# endif
+        goto err;
+    }
+    /* Make it 128 for linux */
+    if (type == SOCK_STREAM && listen(s, 128) == -1)
+        goto err;
+    *sock = s;
+    ret = 1;
+ err:
+    if ((ret == 0) && (s != -1)) {
+        SHUTDOWN(s);
+    }
+    return (ret);
+}
+
+static int init_server(int *sock, int port, int type)
+{
+    return (init_server_long(sock, port, NULL, type));
+}
+
+static int do_accept(int acc_sock, int *sock, char **host)
+{
+    int ret;
+    struct hostent *h1, *h2;
+    static struct sockaddr_in from;
+    int len;
+/*      struct linger ling; */
+
+    if (!ssl_sock_init())
+        return (0);
+
+# ifndef OPENSSL_SYS_WINDOWS
+ redoit:
+# endif
+
+    memset((char *)&from, 0, sizeof(from));
+    len = sizeof(from);
+    /*
+     * Note: under VMS with SOCKETSHR the fourth parameter is currently of
+     * type (int *) whereas under other systems it is (void *) if you don't
+     * have a cast it will choke the compiler: if you do have a cast then you
+     * can either go for (int *) or (void *).
+     */
+    ret = accept(acc_sock, (struct sockaddr *)&from, (void *)&len);
+    if (ret == INVALID_SOCKET) {
+# if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
+        int i;
+        i = WSAGetLastError();
+        BIO_printf(bio_err, "accept error %d\n", i);
+# else
+        if (errno == EINTR) {
+            /*
+             * check_timeout();
+             */
+            goto redoit;
+        }
+        fprintf(stderr, "errno=%d ", errno);
+        perror("accept");
+# endif
+        return (0);
+    }
+
+/*-
+    ling.l_onoff=1;
+    ling.l_linger=0;
+    i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
+    if (i < 0) { perror("linger"); return(0); }
+    i=0;
+    i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
+    if (i < 0) { perror("keepalive"); return(0); }
+*/
+
+    if (host == NULL)
+        goto end;
+# ifndef BIT_FIELD_LIMITS
+    /* I should use WSAAsyncGetHostByName() under windows */
+    h1 = gethostbyaddr((char *)&from.sin_addr.s_addr,
+                       sizeof(from.sin_addr.s_addr), AF_INET);
+# else
+    h1 = gethostbyaddr((char *)&from.sin_addr,
+                       sizeof(struct in_addr), AF_INET);
+# endif
+    if (h1 == NULL) {
+        BIO_printf(bio_err, "bad gethostbyaddr\n");
+        *host = NULL;
+        /* return(0); */
+    } else {
+        if ((*host = (char *)OPENSSL_malloc(strlen(h1->h_name) + 1)) == NULL) {
+            perror("OPENSSL_malloc");
+            closesocket(ret);
+            return (0);
+        }
+        BUF_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1);
+
+        h2 = GetHostByName(*host);
+        if (h2 == NULL) {
+            BIO_printf(bio_err, "gethostbyname failure\n");
+            closesocket(ret);
+            return (0);
+        }
+        if (h2->h_addrtype != AF_INET) {
+            BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
+            closesocket(ret);
+            return (0);
+        }
+    }
+ end:
+    *sock = ret;
+    return (1);
+}
+
+int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
+                      short *port_ptr)
+{
+    char *h, *p;
+
+    h = str;
+    p = strchr(str, ':');
+    if (p == NULL) {
+        BIO_printf(bio_err, "no port defined\n");
+        return (0);
+    }
+    *(p++) = '\0';
+
+    if ((ip != NULL) && !host_ip(str, ip))
+        goto err;
+    if (host_ptr != NULL)
+        *host_ptr = h;
+
+    if (!extract_port(p, port_ptr))
+        goto err;
+    return (1);
+ err:
+    return (0);
+}
+
+static int host_ip(char *str, unsigned char ip[4])
+{
+    unsigned int in[4];
+    int i;
+
+    if (sscanf(str, "%u.%u.%u.%u", &(in[0]), &(in[1]), &(in[2]), &(in[3])) ==
+        4) {
+        for (i = 0; i < 4; i++)
+            if (in[i] > 255) {
+                BIO_printf(bio_err, "invalid IP address\n");
+                goto err;
+            }
+        ip[0] = in[0];
+        ip[1] = in[1];
+        ip[2] = in[2];
+        ip[3] = in[3];
+    } else {                    /* do a gethostbyname */
+        struct hostent *he;
+
+        if (!ssl_sock_init())
+            return (0);
+
+        he = GetHostByName(str);
+        if (he == NULL) {
+            BIO_printf(bio_err, "gethostbyname failure\n");
+            goto err;
+        }
+        /* cast to short because of win16 winsock definition */
+        if ((short)he->h_addrtype != AF_INET) {
+            BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
+            return (0);
+        }
+        ip[0] = he->h_addr_list[0][0];
+        ip[1] = he->h_addr_list[0][1];
+        ip[2] = he->h_addr_list[0][2];
+        ip[3] = he->h_addr_list[0][3];
+    }
+    return (1);
+ err:
+    return (0);
+}
+
+int extract_port(char *str, short *port_ptr)
+{
+    int i;
+    struct servent *s;
+
+    i = atoi(str);
+    if (i != 0)
+        *port_ptr = (unsigned short)i;
+    else {
+        s = getservbyname(str, "tcp");
+        if (s == NULL) {
+            BIO_printf(bio_err, "getservbyname failure for %s\n", str);
+            return (0);
+        }
+        *port_ptr = ntohs((unsigned short)s->s_port);
+    }
+    return (1);
+}
+
+# define GHBN_NUM        4
+static struct ghbn_cache_st {
+    char name[128];
+    struct hostent ent;
+    unsigned long order;
+} ghbn_cache[GHBN_NUM];
+
+static unsigned long ghbn_hits = 0L;
+static unsigned long ghbn_miss = 0L;
+
+static struct hostent *GetHostByName(char *name)
+{
+    struct hostent *ret;
+    int i, lowi = 0;
+    unsigned long low = (unsigned long)-1;
+
+    for (i = 0; i < GHBN_NUM; i++) {
+        if (low > ghbn_cache[i].order) {
+            low = ghbn_cache[i].order;
+            lowi = i;
+        }
+        if (ghbn_cache[i].order > 0) {
+            if (strncmp(name, ghbn_cache[i].name, 128) == 0)
+                break;
+        }
+    }
+    if (i == GHBN_NUM) {        /* no hit */
+        ghbn_miss++;
+        ret = gethostbyname(name);
+        if (ret == NULL)
+            return (NULL);
+        /* else add to cache */
+        if (strlen(name) < sizeof ghbn_cache[0].name) {
+            strcpy(ghbn_cache[lowi].name, name);
+            memcpy((char *)&(ghbn_cache[lowi].ent), ret,
+                   sizeof(struct hostent));
+            ghbn_cache[lowi].order = ghbn_miss + ghbn_hits;
+        }
+        return (ret);
+    } else {
+        ghbn_hits++;
+        ret = &(ghbn_cache[i].ent);
+        ghbn_cache[i].order = ghbn_miss + ghbn_hits;
+        return (ret);
+    }
+}
+
+#endif
diff --git a/openssl/apps/s_time.c b/openssl/apps/s_time.c
new file mode 100644
index 0000000..38788f7
--- /dev/null
+++ b/openssl/apps/s_time.c
@@ -0,0 +1,641 @@
+/* apps/s_time.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#define NO_SHUTDOWN
+
+/* ----------------------------------------
+   s_time - SSL client connection timer program
+   Written and donated by Larry Streepy <streepy@healthcare.com>
+  -----------------------------------------*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define USE_SOCKETS
+#include "apps.h"
+#ifdef OPENSSL_NO_STDIO
+# define APPS_WIN16
+#endif
+#include <openssl/x509.h>
+#include <openssl/ssl.h>
+#include <openssl/pem.h>
+#include "s_apps.h"
+#include <openssl/err.h>
+#ifdef WIN32_STUFF
+# include "winmain.h"
+# include "wintext.h"
+#endif
+#if !defined(OPENSSL_SYS_MSDOS)
+# include OPENSSL_UNISTD
+#endif
+
+#undef PROG
+#define PROG s_time_main
+
+#undef ioctl
+#define ioctl ioctlsocket
+
+#define SSL_CONNECT_NAME        "localhost:4433"
+
+/* no default cert. */
+/*
+ * #define TEST_CERT "client.pem"
+ */
+
+#undef BUFSIZZ
+#define BUFSIZZ 1024*10
+
+#define MYBUFSIZ 1024*8
+
+#undef min
+#undef max
+#define min(a,b) (((a) < (b)) ? (a) : (b))
+#define max(a,b) (((a) > (b)) ? (a) : (b))
+
+#undef SECONDS
+#define SECONDS 30
+extern int verify_depth;
+extern int verify_error;
+
+static void s_time_usage(void);
+static int parseArgs(int argc, char **argv);
+static SSL *doConnection(SSL *scon);
+static void s_time_init(void);
+
+/***********************************************************************
+ * Static data declarations
+ */
+
+/* static char *port=PORT_STR;*/
+static char *host = SSL_CONNECT_NAME;
+static char *t_cert_file = NULL;
+static char *t_key_file = NULL;
+static char *CApath = NULL;
+static char *CAfile = NULL;
+static char *tm_cipher = NULL;
+static int tm_verify = SSL_VERIFY_NONE;
+static int maxTime = SECONDS;
+static SSL_CTX *tm_ctx = NULL;
+static const SSL_METHOD *s_time_meth = NULL;
+static char *s_www_path = NULL;
+static long bytes_read = 0;
+static int st_bugs = 0;
+static int perform = 0;
+#ifdef FIONBIO
+static int t_nbio = 0;
+#endif
+#ifdef OPENSSL_SYS_WIN32
+static int exitNow = 0;         /* Set when it's time to exit main */
+#endif
+
+static void s_time_init(void)
+{
+    host = SSL_CONNECT_NAME;
+    t_cert_file = NULL;
+    t_key_file = NULL;
+    CApath = NULL;
+    CAfile = NULL;
+    tm_cipher = NULL;
+    tm_verify = SSL_VERIFY_NONE;
+    maxTime = SECONDS;
+    tm_ctx = NULL;
+    s_time_meth = NULL;
+    s_www_path = NULL;
+    bytes_read = 0;
+    st_bugs = 0;
+    perform = 0;
+
+#ifdef FIONBIO
+    t_nbio = 0;
+#endif
+#ifdef OPENSSL_SYS_WIN32
+    exitNow = 0;                /* Set when it's time to exit main */
+#endif
+}
+
+/***********************************************************************
+ * usage - display usage message
+ */
+static void s_time_usage(void)
+{
+    static char umsg[] = "\
+-time arg     - max number of seconds to collect data, default %d\n\
+-verify arg   - turn on peer certificate verification, arg == depth\n\
+-cert arg     - certificate file to use, PEM format assumed\n\
+-key arg      - RSA file to use, PEM format assumed, key is in cert file\n\
+                file if not specified by this option\n\
+-CApath arg   - PEM format directory of CA's\n\
+-CAfile arg   - PEM format file of CA's\n\
+-cipher       - preferred cipher to use, play with 'openssl ciphers'\n\n";
+
+    printf("usage: s_time <args>\n\n");
+
+    printf("-connect host:port - host:port to connect to (default is %s)\n",
+           SSL_CONNECT_NAME);
+#ifdef FIONBIO
+    printf("-nbio         - Run with non-blocking IO\n");
+    printf("-ssl2         - Just use SSLv2\n");
+    printf("-ssl3         - Just use SSLv3\n");
+    printf("-bugs         - Turn on SSL bug compatibility\n");
+    printf("-new          - Just time new connections\n");
+    printf("-reuse        - Just time connection reuse\n");
+    printf("-www page     - Retrieve 'page' from the site\n");
+#endif
+    printf(umsg, SECONDS);
+}
+
+/***********************************************************************
+ * parseArgs - Parse command line arguments and initialize data
+ *
+ * Returns 0 if ok, -1 on bad args
+ */
+static int parseArgs(int argc, char **argv)
+{
+    int badop = 0;
+
+    verify_depth = 0;
+    verify_error = X509_V_OK;
+
+    argc--;
+    argv++;
+
+    while (argc >= 1) {
+        if (strcmp(*argv, "-connect") == 0) {
+            if (--argc < 1)
+                goto bad;
+            host = *(++argv);
+        }
+#if 0
+        else if (strcmp(*argv, "-host") == 0) {
+            if (--argc < 1)
+                goto bad;
+            host = *(++argv);
+        } else if (strcmp(*argv, "-port") == 0) {
+            if (--argc < 1)
+                goto bad;
+            port = *(++argv);
+        }
+#endif
+        else if (strcmp(*argv, "-reuse") == 0)
+            perform = 2;
+        else if (strcmp(*argv, "-new") == 0)
+            perform = 1;
+        else if (strcmp(*argv, "-verify") == 0) {
+
+            tm_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+            if (--argc < 1)
+                goto bad;
+            verify_depth = atoi(*(++argv));
+            BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
+
+        } else if (strcmp(*argv, "-cert") == 0) {
+
+            if (--argc < 1)
+                goto bad;
+            t_cert_file = *(++argv);
+
+        } else if (strcmp(*argv, "-key") == 0) {
+
+            if (--argc < 1)
+                goto bad;
+            t_key_file = *(++argv);
+
+        } else if (strcmp(*argv, "-CApath") == 0) {
+
+            if (--argc < 1)
+                goto bad;
+            CApath = *(++argv);
+
+        } else if (strcmp(*argv, "-CAfile") == 0) {
+
+            if (--argc < 1)
+                goto bad;
+            CAfile = *(++argv);
+
+        } else if (strcmp(*argv, "-cipher") == 0) {
+
+            if (--argc < 1)
+                goto bad;
+            tm_cipher = *(++argv);
+        }
+#ifdef FIONBIO
+        else if (strcmp(*argv, "-nbio") == 0) {
+            t_nbio = 1;
+        }
+#endif
+        else if (strcmp(*argv, "-www") == 0) {
+            if (--argc < 1)
+                goto bad;
+            s_www_path = *(++argv);
+            if (strlen(s_www_path) > MYBUFSIZ - 100) {
+                BIO_printf(bio_err, "-www option too long\n");
+                badop = 1;
+            }
+        } else if (strcmp(*argv, "-bugs") == 0)
+            st_bugs = 1;
+#ifndef OPENSSL_NO_SSL2
+        else if (strcmp(*argv, "-ssl2") == 0)
+            s_time_meth = SSLv2_client_method();
+#endif
+#ifndef OPENSSL_NO_SSL3
+        else if (strcmp(*argv, "-ssl3") == 0)
+            s_time_meth = SSLv3_client_method();
+#endif
+        else if (strcmp(*argv, "-time") == 0) {
+
+            if (--argc < 1)
+                goto bad;
+            maxTime = atoi(*(++argv));
+            if (maxTime <= 0) {
+                BIO_printf(bio_err, "time must be > 0\n");
+                badop = 1;
+            }
+        } else {
+            BIO_printf(bio_err, "unknown option %s\n", *argv);
+            badop = 1;
+            break;
+        }
+
+        argc--;
+        argv++;
+    }
+
+    if (perform == 0)
+        perform = 3;
+
+    if (badop) {
+ bad:
+        s_time_usage();
+        return -1;
+    }
+
+    return 0;                   /* Valid args */
+}
+
+/***********************************************************************
+ * TIME - time functions
+ */
+#define START   0
+#define STOP    1
+
+static double tm_Time_F(int s)
+{
+    return app_tminterval(s, 1);
+}
+
+/***********************************************************************
+ * MAIN - main processing area for client
+ *                      real name depends on MONOLITH
+ */
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    double totalTime = 0.0;
+    int nConn = 0;
+    SSL *scon = NULL;
+    long finishtime = 0;
+    int ret = 1, i;
+    MS_STATIC char buf[1024 * 8];
+    int ver;
+
+    apps_startup();
+    s_time_init();
+
+    if (bio_err == NULL)
+        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+    s_time_meth = SSLv23_client_method();
+
+    /* parse the command line arguments */
+    if (parseArgs(argc, argv) < 0)
+        goto end;
+
+    OpenSSL_add_ssl_algorithms();
+    if ((tm_ctx = SSL_CTX_new(s_time_meth)) == NULL)
+        return (1);
+
+    SSL_CTX_set_quiet_shutdown(tm_ctx, 1);
+
+    if (st_bugs)
+        SSL_CTX_set_options(tm_ctx, SSL_OP_ALL);
+    SSL_CTX_set_cipher_list(tm_ctx, tm_cipher);
+    if (!set_cert_stuff(tm_ctx, t_cert_file, t_key_file))
+        goto end;
+
+    SSL_load_error_strings();
+
+    if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
+        (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
+        /*
+         * BIO_printf(bio_err,"error setting default verify locations\n");
+         */
+        ERR_print_errors(bio_err);
+        /* goto end; */
+    }
+
+    if (tm_cipher == NULL)
+        tm_cipher = getenv("SSL_CIPHER");
+
+    if (tm_cipher == NULL) {
+        fprintf(stderr, "No CIPHER specified\n");
+    }
+
+    if (!(perform & 1))
+        goto next;
+    printf("Collecting connection statistics for %d seconds\n", maxTime);
+
+    /* Loop and time how long it takes to make connections */
+
+    bytes_read = 0;
+    finishtime = (long)time(NULL) + maxTime;
+    tm_Time_F(START);
+    for (;;) {
+        if (finishtime < (long)time(NULL))
+            break;
+#ifdef WIN32_STUFF
+
+        if (flushWinMsgs(0) == -1)
+            goto end;
+
+        if (waitingToDie || exitNow) /* we're dead */
+            goto end;
+#endif
+
+        if ((scon = doConnection(NULL)) == NULL)
+            goto end;
+
+        if (s_www_path != NULL) {
+            BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n",
+                         s_www_path);
+            SSL_write(scon, buf, strlen(buf));
+            while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
+                bytes_read += i;
+        }
+#ifdef NO_SHUTDOWN
+        SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
+#else
+        SSL_shutdown(scon);
+#endif
+        SHUTDOWN2(SSL_get_fd(scon));
+
+        nConn += 1;
+        if (SSL_session_reused(scon))
+            ver = 'r';
+        else {
+            ver = SSL_version(scon);
+            if (ver == TLS1_VERSION)
+                ver = 't';
+            else if (ver == SSL3_VERSION)
+                ver = '3';
+            else if (ver == SSL2_VERSION)
+                ver = '2';
+            else
+                ver = '*';
+        }
+        fputc(ver, stdout);
+        fflush(stdout);
+
+        SSL_free(scon);
+        scon = NULL;
+    }
+    totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
+
+    i = (int)((long)time(NULL) - finishtime + maxTime);
+    printf
+        ("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
+         nConn, totalTime, ((double)nConn / totalTime), bytes_read);
+    printf
+        ("%d connections in %ld real seconds, %ld bytes read per connection\n",
+         nConn, (long)time(NULL) - finishtime + maxTime, bytes_read / nConn);
+
+    /*
+     * Now loop and time connections using the same session id over and over
+     */
+
+ next:
+    if (!(perform & 2))
+        goto end;
+    printf("\n\nNow timing with session id reuse.\n");
+
+    /* Get an SSL object so we can reuse the session id */
+    if ((scon = doConnection(NULL)) == NULL) {
+        fprintf(stderr, "Unable to get connection\n");
+        goto end;
+    }
+
+    if (s_www_path != NULL) {
+        BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n", s_www_path);
+        SSL_write(scon, buf, strlen(buf));
+        while (SSL_read(scon, buf, sizeof(buf)) > 0) ;
+    }
+#ifdef NO_SHUTDOWN
+    SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
+#else
+    SSL_shutdown(scon);
+#endif
+    SHUTDOWN2(SSL_get_fd(scon));
+
+    nConn = 0;
+    totalTime = 0.0;
+
+    finishtime = (long)time(NULL) + maxTime;
+
+    printf("starting\n");
+    bytes_read = 0;
+    tm_Time_F(START);
+
+    for (;;) {
+        if (finishtime < (long)time(NULL))
+            break;
+
+#ifdef WIN32_STUFF
+        if (flushWinMsgs(0) == -1)
+            goto end;
+
+        if (waitingToDie || exitNow) /* we're dead */
+            goto end;
+#endif
+
+        if ((doConnection(scon)) == NULL)
+            goto end;
+
+        if (s_www_path) {
+            BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n",
+                         s_www_path);
+            SSL_write(scon, buf, strlen(buf));
+            while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
+                bytes_read += i;
+        }
+#ifdef NO_SHUTDOWN
+        SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
+#else
+        SSL_shutdown(scon);
+#endif
+        SHUTDOWN2(SSL_get_fd(scon));
+
+        nConn += 1;
+        if (SSL_session_reused(scon))
+            ver = 'r';
+        else {
+            ver = SSL_version(scon);
+            if (ver == TLS1_VERSION)
+                ver = 't';
+            else if (ver == SSL3_VERSION)
+                ver = '3';
+            else if (ver == SSL2_VERSION)
+                ver = '2';
+            else
+                ver = '*';
+        }
+        fputc(ver, stdout);
+        fflush(stdout);
+    }
+    totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
+
+    printf
+        ("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
+         nConn, totalTime, ((double)nConn / totalTime), bytes_read);
+    printf
+        ("%d connections in %ld real seconds, %ld bytes read per connection\n",
+         nConn, (long)time(NULL) - finishtime + maxTime,
+         bytes_read / (nConn?nConn:1));
+
+    ret = 0;
+ end:
+    if (scon != NULL)
+        SSL_free(scon);
+
+    if (tm_ctx != NULL) {
+        SSL_CTX_free(tm_ctx);
+        tm_ctx = NULL;
+    }
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+
+/*-
+ * doConnection - make a connection
+ * Args:
+ *              scon    = earlier ssl connection for session id, or NULL
+ * Returns:
+ *              SSL *   = the connection pointer.
+ */
+static SSL *doConnection(SSL *scon)
+{
+    BIO *conn;
+    SSL *serverCon;
+    int width, i;
+    fd_set readfds;
+
+    if ((conn = BIO_new(BIO_s_connect())) == NULL)
+        return (NULL);
+
+/*      BIO_set_conn_port(conn,port);*/
+    BIO_set_conn_hostname(conn, host);
+
+    if (scon == NULL)
+        serverCon = SSL_new(tm_ctx);
+    else {
+        serverCon = scon;
+        SSL_set_connect_state(serverCon);
+    }
+
+    SSL_set_bio(serverCon, conn, conn);
+
+#if 0
+    if (scon != NULL)
+        SSL_set_session(serverCon, SSL_get_session(scon));
+#endif
+
+    /* ok, lets connect */
+    for (;;) {
+        i = SSL_connect(serverCon);
+        if (BIO_sock_should_retry(i)) {
+            BIO_printf(bio_err, "DELAY\n");
+
+            i = SSL_get_fd(serverCon);
+            width = i + 1;
+            FD_ZERO(&readfds);
+            openssl_fdset(i, &readfds);
+            /*
+             * Note: under VMS with SOCKETSHR the 2nd parameter is currently
+             * of type (int *) whereas under other systems it is (void *) if
+             * you don't have a cast it will choke the compiler: if you do
+             * have a cast then you can either go for (int *) or (void *).
+             */
+            select(width, (void *)&readfds, NULL, NULL, NULL);
+            continue;
+        }
+        break;
+    }
+    if (i <= 0) {
+        BIO_printf(bio_err, "ERROR\n");
+        if (verify_error != X509_V_OK)
+            BIO_printf(bio_err, "verify error:%s\n",
+                       X509_verify_cert_error_string(verify_error));
+        else
+            ERR_print_errors(bio_err);
+        if (scon == NULL)
+            SSL_free(serverCon);
+        return NULL;
+    }
+
+    return serverCon;
+}
diff --git a/openssl/apps/server.pem b/openssl/apps/server.pem
new file mode 100644
index 0000000..d0fc265
--- /dev/null
+++ b/openssl/apps/server.pem
@@ -0,0 +1,52 @@
+subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert
+issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA
+-----BEGIN CERTIFICATE-----
+MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6zMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT
+VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt
+ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZDELMAkG
+A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU
+RVNUSU5HIFBVUlBPU0VTIE9OTFkxGTAXBgNVBAMMEFRlc3QgU2VydmVyIENlcnQw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDzhPOSNtyyRspmeuUpxfNJ
+KCLTuf7g3uQ4zu4iHOmRO5TQci+HhVlLZrHF9XqFXcIP0y4pWDbMSGuiorUmzmfi
+R7bfSdI/+qIQt8KXRH6HNG1t8ou0VSvWId5TS5Dq/er5ODUr9OaaDva7EquHIcMv
+vPQGuI+OEAcnleVCy9HVEIySrO4P3CNIicnGkwwiAud05yUAq/gPXBC1hTtmlPD7
+TVcGVSEiJdvzqqlgv02qedGrkki6GY4S7GjZxrrf7Foc2EP+51LJzwLQx3/JfrCU
+41NEWAsu/Sl0tQabXESN+zJ1pDqoZ3uHMgpQjeGiE0olr+YcsSW/tJmiU9OiAr8R
+AgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJYIZI
+AYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW
+BBSCvM8AABPR9zklmifnr9LvIBturDAfBgNVHSMEGDAWgBQ2w2yI55X+sL3szj49
+hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEAqb1NV0B0/pbpK9Z4/bNjzPQLTRLK
+WnSNm/Jh5v0GEUOE/Beg7GNjNrmeNmqxAlpqWz9qoeoFZax+QBpIZYjROU3TS3fp
+yLsrnlr0CDQ5R7kCCDGa8dkXxemmpZZLbUCpW2Uoy8sAA4JjN9OtsZY7dvUXFgJ7
+vVNTRnI01ghknbtD+2SxSQd3CWF6QhcRMAzZJ1z1cbbwGDDzfvGFPzJ+Sq+zEPds
+xoVLLSetCiBc+40ZcDS5dV98h9XD7JMTQfxzA7mNGv73JoZJA6nFgj+ADSlJsY/t
+JBv+z1iQRueoh9Qeee+ZbRifPouCB8FDx+AltvHTANdAq0t/K3o+pplMVA==
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA84TzkjbcskbKZnrlKcXzSSgi07n+4N7kOM7uIhzpkTuU0HIv
+h4VZS2axxfV6hV3CD9MuKVg2zEhroqK1Js5n4ke230nSP/qiELfCl0R+hzRtbfKL
+tFUr1iHeU0uQ6v3q+Tg1K/Tmmg72uxKrhyHDL7z0BriPjhAHJ5XlQsvR1RCMkqzu
+D9wjSInJxpMMIgLndOclAKv4D1wQtYU7ZpTw+01XBlUhIiXb86qpYL9NqnnRq5JI
+uhmOEuxo2ca63+xaHNhD/udSyc8C0Md/yX6wlONTRFgLLv0pdLUGm1xEjfsydaQ6
+qGd7hzIKUI3hohNKJa/mHLElv7SZolPTogK/EQIDAQABAoIBAADq9FwNtuE5IRQn
+zGtO4q7Y5uCzZ8GDNYr9RKp+P2cbuWDbvVAecYq2NV9QoIiWJOAYZKklOvekIju3
+r0UZLA0PRiIrTg6NrESx3JrjWDK8QNlUO7CPTZ39/K+FrmMkV9lem9yxjJjyC34D
+AQB+YRTx+l14HppjdxNwHjAVQpIx/uO2F5xAMuk32+3K+pq9CZUtrofe1q4Agj9R
+5s8mSy9pbRo9kW9wl5xdEotz1LivFOEiqPUJTUq5J5PeMKao3vdK726XI4Z455Nm
+W2/MA0YV0ug2FYinHcZdvKM6dimH8GLfa3X8xKRfzjGjTiMSwsdjgMa4awY3tEHH
+674jhAECgYEA/zqMrc0zsbNk83sjgaYIug5kzEpN4ic020rSZsmQxSCerJTgNhmg
+utKSCt0Re09Jt3LqG48msahX8ycqDsHNvlEGPQSbMu9IYeO3Wr3fAm75GEtFWePY
+BhM73I7gkRt4s8bUiUepMG/wY45c5tRF23xi8foReHFFe9MDzh8fJFECgYEA9EFX
+4qAik1pOJGNei9BMwmx0I0gfVEIgu0tzeVqT45vcxbxr7RkTEaDoAG6PlbWP6D9a
+WQNLp4gsgRM90ZXOJ4up5DsAWDluvaF4/omabMA+MJJ5kGZ0gCj5rbZbKqUws7x8
+bp+6iBfUPJUbcqNqFmi/08Yt7vrDnMnyMw2A/sECgYEAiiuRMxnuzVm34hQcsbhH
+6ymVqf7j0PW2qK0F4H1ocT9qhzWFd+RB3kHWrCjnqODQoI6GbGr/4JepHUpre1ex
+4UEN5oSS3G0ru0rC3U4C59dZ5KwDHFm7ffZ1pr52ljfQDUsrjjIMRtuiwNK2OoRa
+WSsqiaL+SDzSB+nBmpnAizECgYBdt/y6rerWUx4MhDwwtTnel7JwHyo2MDFS6/5g
+n8qC2Lj6/fMDRE22w+CA2esp7EJNQJGv+b27iFpbJEDh+/Lf5YzIT4MwVskQ5bYB
+JFcmRxUVmf4e09D7o705U/DjCgMH09iCsbLmqQ38ONIRSHZaJtMDtNTHD1yi+jF+
+OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX
+xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK
+UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ==
+-----END RSA PRIVATE KEY-----
diff --git a/openssl/apps/server.srl b/openssl/apps/server.srl
new file mode 100644
index 0000000..8a0f05e
--- /dev/null
+++ b/openssl/apps/server.srl
@@ -0,0 +1 @@
+01
diff --git a/openssl/apps/server2.pem b/openssl/apps/server2.pem
new file mode 100644
index 0000000..a3927cf
--- /dev/null
+++ b/openssl/apps/server2.pem
@@ -0,0 +1,52 @@
+subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert #2
+issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA
+-----BEGIN CERTIFICATE-----
+MIID6jCCAtKgAwIBAgIJALnu1NlVpZ60MA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT
+VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt
+ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZzELMAkG
+A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU
+RVNUSU5HIFBVUlBPU0VTIE9OTFkxHDAaBgNVBAMME1Rlc3QgU2VydmVyIENlcnQg
+IzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrdi7j9yctG+L4EjBy
+gjPmEqZzOJEQba26MoQGzglU7e5Xf59Rb/hgVQuKAoiZe7/R8rK4zJ4W7iXdXw0L
+qBpyG8B5aGKeI32w+A9TcBApoXXL2CrYQEQjZwUIpLlYBIi2NkJj3nVkq5dgl1gO
+ALiQ+W8jg3kzg5Ec9rimp9r93N8wsSL3awsafurmYCvOf7leHaMP1WJ/zDRGUNHG
+/WtDjXc8ZUG1+6EXU9Jc2Fs+2Omf7fcN0l00AK/wPg8OaNS0rKyGq9JdIT9FRGV1
+bXe/rx58FaE5CItdwCSYhJvF/O95LWQoxJXye5bCFLmvDTEyVq9FMSCptfsmbXjE
+ZGsXAgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJ
+YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud
+DgQWBBR52UaWWTKzZGDH/X4mWNcuqeQVazAfBgNVHSMEGDAWgBQ2w2yI55X+sL3s
+zj49hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEANBW+XYLlHBqVY/31ie+3gRlS
+LPfy4SIqn0t3RJjagT29MXprblBO2cbMO8VGjkQdKGpmMXjxbht2arOOUXRHX4n/
+XTyn/QHEf0bcwIITMReO3DZUPAEw8hSjn9xEOM0IRVOCP+mH5fi74QzzQaZVCyYg
+5VtLKdww/+sc0nCbKl2KWgDluriH0nfVx95qgW3mg9dhXRr0zmf1w2zkBHYpARYL
+Dew6Z8EE4tS3HJu8/qM6meWzNtrfonQ3eiiMxjZBxzV46jchBwa2z9XYhP6AmpPb
+oeTSzcQNbWsxaGYzWo46oLDUZmJOwSBawbS31bZNMCoPIY6ukoesCzFSsUKZww==
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA63Yu4/cnLRvi+BIwcoIz5hKmcziREG2tujKEBs4JVO3uV3+f
+UW/4YFULigKImXu/0fKyuMyeFu4l3V8NC6gachvAeWhiniN9sPgPU3AQKaF1y9gq
+2EBEI2cFCKS5WASItjZCY951ZKuXYJdYDgC4kPlvI4N5M4ORHPa4pqfa/dzfMLEi
+92sLGn7q5mArzn+5Xh2jD9Vif8w0RlDRxv1rQ413PGVBtfuhF1PSXNhbPtjpn+33
+DdJdNACv8D4PDmjUtKyshqvSXSE/RURldW13v68efBWhOQiLXcAkmISbxfzveS1k
+KMSV8nuWwhS5rw0xMlavRTEgqbX7Jm14xGRrFwIDAQABAoIBAHLsTPihIfLnYIE5
+x4GsQQ5zXeBw5ITDM37ktwHnQDC+rIzyUl1aLD1AZRBoKinXd4lOTqLZ4/NHKx4A
+DYr58mZtWyUmqLOMmQVuHXTZBlp7XtYuXMMNovQwjQlp9LicBeoBU6gQ5PVMtubD
+F4xGF89Sn0cTHW3iMkqTtQ5KcR1j57OcJO0FEb1vPvk2MXI5ZyAatUYE7YacbEzd
+rg02uIwx3FqNSkuSI79uz4hMdV5TPtuhxx9nTwj9aLUhXFeZ0mn2PVgVzEnnMoJb
++znlsZDgzDlJqdaD744YGWh8Z3OEssB35KfzFcdOeO6yH8lmv2Zfznk7pNPT7LTb
+Lae9VgkCgYEA92p1qnAB3NtJtNcaW53i0S5WJgS1hxWKvUDx3lTB9s8X9fHpqL1a
+E94fDfWzp/hax6FefUKIvBOukPLQ6bYjTMiFoOHzVirghAIuIUoMI5VtLhwD1hKs
+Lr7l/dptMgKb1nZHyXoKHRBthsy3K4+udsPi8TzMvYElgEqyQIe/Rk0CgYEA86GL
+8HC6zLszzKERDPBxrboRmoFvVUCTQDhsfj1M8aR3nQ8V5LkdIJc7Wqm/Ggfk9QRf
+rJ8M2WUMlU5CNnCn/KCrKzCNZIReze3fV+HnKdbcXGLvgbHPrhnz8yYehUFG+RGq
+bVyDWRU94T38izy2s5qMYrMJWZEYyXncSPbfcPMCgYAtaXfxcZ+V5xYPQFARMtiX
+5nZfggvDoJuXgx0h3tK/N2HBfcaSdzbaYLG4gTmZggc/jwnl2dl5E++9oSPhUdIG
+3ONSFUbxsOsGr9PBvnKd8WZZyUCXAVRjPBzAzF+whzQNWCZy/5htnz9LN7YDI9s0
+5113Q96cheDZPFydZY0hHQKBgQDVbEhNukM5xCiNcu+f2SaMnLp9EjQ4h5g3IvaP
+5B16daw/Dw8LzcohWboqIxeAsze0GD/D1ZUJAEd0qBjC3g+a9BjefervCjKOzXng
+38mEUm+6EwVjJSQcjSmycEs+Sr/kwr/8i5WYvU32+jk4tFgMoC+o6tQe/Uesf68k
+z/dPVwKBgGbF7Vv1/3SmhlOy+zYyvJ0CrWtKxH9QP6tLIEgEpd8x7YTSuCH94yok
+kToMXYA3sWNPt22GbRDZ+rcp4c7HkDx6I6vpdP9aQEwJTp0EPy0sgWr2XwYmreIQ
+NFmkk8Itn9EY2R9VBaP7GLv5kvwxDdLAnmwGmzVtbmaVdxCaBwUk
+-----END RSA PRIVATE KEY-----
diff --git a/openssl/apps/sess_id.c b/openssl/apps/sess_id.c
new file mode 100644
index 0000000..7773abe
--- /dev/null
+++ b/openssl/apps/sess_id.c
@@ -0,0 +1,300 @@
+/* apps/sess_id.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+
+#undef PROG
+#define PROG    sess_id_main
+
+static const char *sess_id_usage[] = {
+    "usage: sess_id args\n",
+    "\n",
+    " -inform arg     - input format - default PEM (DER or PEM)\n",
+    " -outform arg    - output format - default PEM\n",
+    " -in arg         - input file - default stdin\n",
+    " -out arg        - output file - default stdout\n",
+    " -text           - print ssl session id details\n",
+    " -cert           - output certificate \n",
+    " -noout          - no CRL output\n",
+    " -context arg    - set the session ID context\n",
+    NULL
+};
+
+static SSL_SESSION *load_sess_id(char *file, int format);
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    SSL_SESSION *x = NULL;
+    X509 *peer = NULL;
+    int ret = 1, i, num, badops = 0;
+    BIO *out = NULL;
+    int informat, outformat;
+    char *infile = NULL, *outfile = NULL, *context = NULL;
+    int cert = 0, noout = 0, text = 0;
+    const char **pp;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    informat = FORMAT_PEM;
+    outformat = FORMAT_PEM;
+
+    argc--;
+    argv++;
+    num = 0;
+    while (argc >= 1) {
+        if (strcmp(*argv, "-inform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            informat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-outform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outformat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-in") == 0) {
+            if (--argc < 1)
+                goto bad;
+            infile = *(++argv);
+        } else if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outfile = *(++argv);
+        } else if (strcmp(*argv, "-text") == 0)
+            text = ++num;
+        else if (strcmp(*argv, "-cert") == 0)
+            cert = ++num;
+        else if (strcmp(*argv, "-noout") == 0)
+            noout = ++num;
+        else if (strcmp(*argv, "-context") == 0) {
+            if (--argc < 1)
+                goto bad;
+            context = *++argv;
+        } else {
+            BIO_printf(bio_err, "unknown option %s\n", *argv);
+            badops = 1;
+            break;
+        }
+        argc--;
+        argv++;
+    }
+
+    if (badops) {
+ bad:
+        for (pp = sess_id_usage; (*pp != NULL); pp++)
+            BIO_printf(bio_err, "%s", *pp);
+        goto end;
+    }
+
+    ERR_load_crypto_strings();
+    x = load_sess_id(infile, informat);
+    if (x == NULL) {
+        goto end;
+    }
+    peer = SSL_SESSION_get0_peer(x);
+
+    if (context) {
+        size_t ctx_len = strlen(context);
+        if (ctx_len > SSL_MAX_SID_CTX_LENGTH) {
+            BIO_printf(bio_err, "Context too long\n");
+            goto end;
+        }
+        SSL_SESSION_set1_id_context(x, (unsigned char *)context, ctx_len);
+    }
+#ifdef undef
+    /* just testing for memory leaks :-) */
+    {
+        SSL_SESSION *s;
+        char buf[1024 * 10], *p;
+        int i;
+
+        s = SSL_SESSION_new();
+
+        p = &buf;
+        i = i2d_SSL_SESSION(x, &p);
+        p = &buf;
+        d2i_SSL_SESSION(&s, &p, (long)i);
+        p = &buf;
+        d2i_SSL_SESSION(&s, &p, (long)i);
+        p = &buf;
+        d2i_SSL_SESSION(&s, &p, (long)i);
+        SSL_SESSION_free(s);
+    }
+#endif
+
+    if (!noout || text) {
+        out = BIO_new(BIO_s_file());
+        if (out == NULL) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+
+        if (outfile == NULL) {
+            BIO_set_fp(out, stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+            {
+                BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+                out = BIO_push(tmpbio, out);
+            }
+#endif
+        } else {
+            if (BIO_write_filename(out, outfile) <= 0) {
+                perror(outfile);
+                goto end;
+            }
+        }
+    }
+
+    if (text) {
+        SSL_SESSION_print(out, x);
+
+        if (cert) {
+            if (peer == NULL)
+                BIO_puts(out, "No certificate present\n");
+            else
+                X509_print(out, peer);
+        }
+    }
+
+    if (!noout && !cert) {
+        if (outformat == FORMAT_ASN1)
+            i = i2d_SSL_SESSION_bio(out, x);
+        else if (outformat == FORMAT_PEM)
+            i = PEM_write_bio_SSL_SESSION(out, x);
+        else {
+            BIO_printf(bio_err, "bad output format specified for outfile\n");
+            goto end;
+        }
+        if (!i) {
+            BIO_printf(bio_err, "unable to write SSL_SESSION\n");
+            goto end;
+        }
+    } else if (!noout && (peer != NULL)) { /* just print the certificate */
+        if (outformat == FORMAT_ASN1)
+            i = (int)i2d_X509_bio(out, peer);
+        else if (outformat == FORMAT_PEM)
+            i = PEM_write_bio_X509(out, peer);
+        else {
+            BIO_printf(bio_err, "bad output format specified for outfile\n");
+            goto end;
+        }
+        if (!i) {
+            BIO_printf(bio_err, "unable to write X509\n");
+            goto end;
+        }
+    }
+    ret = 0;
+ end:
+    if (out != NULL)
+        BIO_free_all(out);
+    if (x != NULL)
+        SSL_SESSION_free(x);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+
+static SSL_SESSION *load_sess_id(char *infile, int format)
+{
+    SSL_SESSION *x = NULL;
+    BIO *in = NULL;
+
+    in = BIO_new(BIO_s_file());
+    if (in == NULL) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (infile == NULL)
+        BIO_set_fp(in, stdin, BIO_NOCLOSE);
+    else {
+        if (BIO_read_filename(in, infile) <= 0) {
+            perror(infile);
+            goto end;
+        }
+    }
+    if (format == FORMAT_ASN1)
+        x = d2i_SSL_SESSION_bio(in, NULL);
+    else if (format == FORMAT_PEM)
+        x = PEM_read_bio_SSL_SESSION(in, NULL, NULL, NULL);
+    else {
+        BIO_printf(bio_err, "bad input format specified for input crl\n");
+        goto end;
+    }
+    if (x == NULL) {
+        BIO_printf(bio_err, "unable to load SSL_SESSION\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+ end:
+    if (in != NULL)
+        BIO_free(in);
+    return (x);
+}
diff --git a/openssl/apps/set/set-g-ca.pem b/openssl/apps/set/set-g-ca.pem
new file mode 100644
index 0000000..78499f0
--- /dev/null
+++ b/openssl/apps/set/set-g-ca.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDeDCCAuGgAwIBAgIgYCYUeg8NJ9kO1q3z6vGCkAmPRfu5+Nur0FyGF79MADMw
+DQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxFDASBgNVBAoTC0JDQTEwMTcx
+MTA0MSAwHgYDVQQDExdCcmFuZCBOYW1lOlByb2R1Y3QgVHlwZTAeFw05NjEwMjIw
+MDAwMDBaFw05NjExMjEyMzU5NTlaMEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKEwtQ
+Q0ExMDIxMTgyODEgMB4GA1UEAxMXQnJhbmQgTmFtZTpQcm9kdWN0IFR5cGUwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJyi5V7l1HohY6hN/2N9x6mvWeMy8rD1
+6lfXjgmiuGmhpaszWYaalesMcS2OGuG8Lq3PkaSzpVzqASKfIOjxLMsdpYyYJRub
+vRPDWi3xd8wlp9xUwWHKqn+ki8mPo0yN4eONwZZ4rcZr6K+tWd+5EJZSjuENJoQ/
+SRRmGRzdcS7XAgMBAAGjggFXMIIBUzBUBgNVHSMETTBLoSekJTAjMQswCQYDVQQG
+EwJVUzEUMBIGA1UEChMLUkNBMTAxMTE4MjmCIGApUs14Ad7t9VTGq2PpV8DylPQ7
+aATM2mor7lc1fWvZMA4GA1UdDwEB/wQEAwIBBjAuBgNVHRABAf8EJDAigA8xOTk2
+MTAyMjAxMjIwMFqBDzE5OTYxMTIxMjM1OTU5WjAbBgNVHSABAf8EETAPMA0GC2CG
+SAGG+EUBBwEBMBIGA1UdEwEB/wQIMAYBAf8CAQAwDwYEho1vAwEB/wQEAwICBDB5
+BgSGjW8HAQH/BG4wbDAkAgEAMAkGBSsOAwIaBQAEFDJmNzRiMWFmNGZjYzA2MGY3
+Njc2Ew90ZXJzZSBzdGF0ZW1lbnSAF2h0dHA6Ly93d3cudmVyaXNpZ24uY29tgRpn
+ZXRzZXQtY2VudGVyQHZlcmlzaWduLmNvbTANBgkqhkiG9w0BAQUFAAOBgQBn19R2
+AgGvpJDmfXrHTDdCoYyMkaP2MPzw0hFRwh+wqnw0/pqUXa7MrLXMqtD3rUyOWaNR
+9fYpJZd0Bh/1OeIc2+U+VNfUovLLuZ8nNemdxyq2KMYnHtnh7UdO7atZ+PFLVu8x
+a+J2Mtj8MGy12CJNTJcjLSrJ/1f3AuVrwELjlQ==
+-----END CERTIFICATE-----
diff --git a/openssl/apps/set/set-m-ca.pem b/openssl/apps/set/set-m-ca.pem
new file mode 100644
index 0000000..0e74caf
--- /dev/null
+++ b/openssl/apps/set/set-m-ca.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDeDCCAuGgAwIBAgIgEGvcf5aUnufALdVMa/dmPdflq1CoORGeK5DUwbqhVYcw
+DQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxFDASBgNVBAoTC0JDQTEwMTcx
+MTA0MSAwHgYDVQQDExdCcmFuZCBOYW1lOlByb2R1Y3QgVHlwZTAeFw05NjEwMjIw
+MDAwMDBaFw05NjExMjEyMzU5NTlaMEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKEwtN
+Q0ExMDIxMTgyNzEgMB4GA1UEAxMXQnJhbmQgTmFtZTpQcm9kdWN0IFR5cGUwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALuWwr63YrT1GIZpYKfIeiVFHESG/FZO
+7RAJKml/p12ZyZ7D5YPP4BBXVsa1H8e8arR1LKC4rdCArrtKKlBeBiMo9+NB+u35
+FnLnTmfzM4iZ2Syw35DXY8+Xn/LM7RJ1RG+vMNcTqpoUg7QPye7flq2Pt7vVROPn
+SZxPyVxmILe3AgMBAAGjggFXMIIBUzBUBgNVHSMETTBLoSekJTAjMQswCQYDVQQG
+EwJVUzEUMBIGA1UEChMLUkNBMTAxMTE4MjmCIGApUs14Ad7t9VTGq2PpV8DylPQ7
+aATM2mor7lc1fWvZMA4GA1UdDwEB/wQEAwIBBjAuBgNVHRABAf8EJDAigA8xOTk2
+MTAyMjAxMjEwMFqBDzE5OTYxMTIxMjM1OTU5WjAbBgNVHSABAf8EETAPMA0GC2CG
+SAGG+EUBBwEBMBIGA1UdEwEB/wQIMAYBAf8CAQAwDwYEho1vAwEB/wQEAwIDCDB5
+BgSGjW8HAQH/BG4wbDAkAgEAMAkGBSsOAwIaBQAEFDJmNzRiMWFmNGZjYzA2MGY3
+Njc2Ew90ZXJzZSBzdGF0ZW1lbnSAF2h0dHA6Ly93d3cudmVyaXNpZ24uY29tgRpn
+ZXRzZXQtY2VudGVyQHZlcmlzaWduLmNvbTANBgkqhkiG9w0BAQUFAAOBgQApaj0W
+GgyR47URZEZ7z83yivvnVErqtodub/nR1fMgJ4bDC0ofjA0SzXBP1/3eDq9VkPuS
+EKUw9BpM2XrSUKhJ6F1CbBjWpM0M7GC1nTSxMxmV+XL+Ab/Gn2SwozUApWtht29/
+x9VLB8qsi6wN2aOsVdQMl5iVCjGQYfEkyuoIgA==
+-----END CERTIFICATE-----
diff --git a/openssl/apps/set/set_b_ca.pem b/openssl/apps/set/set_b_ca.pem
new file mode 100644
index 0000000..eba7d5c
--- /dev/null
+++ b/openssl/apps/set/set_b_ca.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID1zCCAr+gAwIBAgIgYClSzXgB3u31VMarY+lXwPKU9DtoBMzaaivuVzV9a9kw
+DQYJKoZIhvcNAQEFBQAwIzELMAkGA1UEBhMCVVMxFDASBgNVBAoTC1JDQTEwMTEx
+ODI5MB4XDTk2MTAxNzAwMDAwMFoXDTk2MTExNjIzNTk1OVowRTELMAkGA1UEBhMC
+VVMxFDASBgNVBAoTC0JDQTEwMTcxMTA0MSAwHgYDVQQDExdCcmFuZCBOYW1lOlBy
+b2R1Y3QgVHlwZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApPewvR0BwV02
+9E12ic48pMY/aMB6SkMEWPDx2hURr0DKYGJ6qMvzZn2pSfaVH1BqDtK6oK4Ye5Mj
+ItywwQIdXXO9Ut8+TLnvtzq9ByCJ0YThjZJBc7ZcpJxSV7QAoBON/lzxZuAVq3+L
+3uc39MgRwmBpRllZEpWrkojxs6166X0CAwEAAaOCAVcwggFTMFQGA1UdIwRNMEuh
+J6QlMCMxCzAJBgNVBAYTAlVTMRQwEgYDVQQKEwtSQ0ExMDExMTgyOYIgVqenwCYv
+mmxUIvi9gUMCa+uJGJ60mZecw9HrISXnLaYwDgYDVR0PAQH/BAQDAgEGMC4GA1Ud
+EAEB/wQkMCKADzE5OTYxMDE3MTc1NzAwWoEPMTk5NjExMTYyMzU5NTlaMBsGA1Ud
+IAEB/wQRMA8wDQYLYIZIAYb4RQEHAQEwEgYDVR0TAQH/BAgwBgEB/wIBATAPBgSG
+jW8DAQH/BAQDAgABMHkGBIaNbwcBAf8EbjBsMCQCAQAwCQYFKw4DAhoFAAQUMmY3
+NGIxYWY0ZmNjMDYwZjc2NzYTD3RlcnNlIHN0YXRlbWVudIAXaHR0cDovL3d3dy52
+ZXJpc2lnbi5jb22BGmdldHNldC1jZW50ZXJAdmVyaXNpZ24uY29tMA0GCSqGSIb3
+DQEBBQUAA4IBAQAWoMS8Aj2sO0LDxRoMcnWTKY8nd8Jw2vl2Mgsm+0qCvcndICM5
+43N0y9uHlP8WeCZULbFz95gTL8mfP/QTu4EctMUkQgRHJnx80f0XSF3HE/X6zBbI
+9rit/bF6yP1mhkdss/vGanReDpki7q8pLx+VIIcxWst/366HP3dW1Fb7ECW/WmVV
+VMN93f/xqk9I4sXchVZcVKQT3W4tzv+qQvugrEi1dSEkbAy1CITEAEGiaFhGUyCe
+WPox3guRXaEHoINNeajGrISe6d//alsz5EEroBoLnM2ryqWfLAtRsf4rjNzTgklw
+lbiz0fw7bNkXKp5ZVr0wlnOjQnoSM6dTI0AV
+-----END CERTIFICATE-----
diff --git a/openssl/apps/set/set_c_ca.pem b/openssl/apps/set/set_c_ca.pem
new file mode 100644
index 0000000..48b2cbd
--- /dev/null
+++ b/openssl/apps/set/set_c_ca.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDeDCCAuGgAwIBAgIgOnl8J6lAYNDdTWtIojWCGnloNf4ufHjOZ4Fkxwg5xOsw
+DQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxFDASBgNVBAoTC0JDQTEwMTcx
+MTA0MSAwHgYDVQQDExdCcmFuZCBOYW1lOlByb2R1Y3QgVHlwZTAeFw05NjEwMjIw
+MDAwMDBaFw05NjExMjEyMzU5NTlaMEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKEwtD
+Q0ExMDIxMTYxNjEgMB4GA1UEAxMXQnJhbmQgTmFtZTpQcm9kdWN0IFR5cGUwgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANA3a9+U8oXU3Dv1wJf8g0A7HjCRZAXc
+Y8E4OLOdye5aUssxifCE05qTPVqHMXo6cnCYcfroMdURhjQlswyTGtjQybgUnXjp
+pchw+V4D1DkN0ThErrMCh9ZFSykC0lUhQTRLESvbIb4Gal/HMAFAF5sj0GoOFi2H
+RRj7gpzBIU3xAgMBAAGjggFXMIIBUzBUBgNVHSMETTBLoSekJTAjMQswCQYDVQQG
+EwJVUzEUMBIGA1UEChMLUkNBMTAxMTE4MjmCIGApUs14Ad7t9VTGq2PpV8DylPQ7
+aATM2mor7lc1fWvZMA4GA1UdDwEB/wQEAwIBBjAuBgNVHRABAf8EJDAigA8xOTk2
+MTAyMjAxMTAwMFqBDzE5OTYxMTIxMjM1OTU5WjAbBgNVHSABAf8EETAPMA0GC2CG
+SAGG+EUBBwEBMBIGA1UdEwEB/wQIMAYBAf8CAQAwDwYEho1vAwEB/wQEAwIEEDB5
+BgSGjW8HAQH/BG4wbDAkAgEAMAkGBSsOAwIaBQAEFDJmNzRiMWFmNGZjYzA2MGY3
+Njc2Ew90ZXJzZSBzdGF0ZW1lbnSAF2h0dHA6Ly93d3cudmVyaXNpZ24uY29tgRpn
+ZXRzZXQtY2VudGVyQHZlcmlzaWduLmNvbTANBgkqhkiG9w0BAQUFAAOBgQBteLaZ
+u/TASC64UWPfhxYAUdys9DQ1pG/J1qPWNTkjOmpXFvW+7l/3nkxyRPgUoFNwx1e7
+XVVPr6zhy8LaaXppwfIZvVryzAUdbtijiUf/MO0hvV3w7e9NlCVProdU5H9EvCXr
++IV8rH8fdEkirIVyw0JGHkuWhkmtS1HEwai9vg==
+-----END CERTIFICATE-----
diff --git a/openssl/apps/set/set_d_ct.pem b/openssl/apps/set/set_d_ct.pem
new file mode 100644
index 0000000..9f8c7d8
--- /dev/null
+++ b/openssl/apps/set/set_d_ct.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDdjCCAt+gAwIBAgIgRU5t24v72xVDpZ4iHpyoOAQaQmfio1yhTZAOkBfT2uUw
+DQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxFDASBgNVBAoTC0NDQTEwMjEx
+NjE2MSAwHgYDVQQDExdCcmFuZCBOYW1lOlByb2R1Y3QgVHlwZTAeFw05NjEwMjQw
+MDAwMDBaFw05NjExMjMyMzU5NTlaMG4xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdC
+cmFuZElEMSYwJAYDVQQLEx1Jc3N1aW5nIEZpbmFuY2lhbCBJbnN0aXR1dGlvbjEl
+MCMGA1UEAxMcR2lYb0t0VjViN1V0MHZKa2hkSG5RYmNzc2JrPTBcMA0GCSqGSIb3
+DQEBAQUAA0sAMEgCQQDIUxgpNB1aoSW585WErtN8WInCRWCqDj3RGT2mJye0F4SM
+/iT5ywdWMasmw18vpEpDlMypfZnRkUAdfyHcRABVAgMBAAGjggFwMIIBbDB2BgNV
+HSMEbzBtoUmkRzBFMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLQkNBMTAxNzExMDQx
+IDAeBgNVBAMTF0JyYW5kIE5hbWU6UHJvZHVjdCBUeXBlgiA6eXwnqUBg0N1Na0ii
+NYIaeWg1/i58eM5ngWTHCDnE6zAOBgNVHQ8BAf8EBAMCB4AwLgYDVR0QAQH/BCQw
+IoAPMTk5NjEwMjQwMTA0MDBagQ8xOTk2MTEyMzIzNTk1OVowGAYDVR0gBBEwDzAN
+BgtghkgBhvhFAQcBATAMBgNVHRMBAf8EAjAAMA8GBIaNbwMBAf8EBAMCB4AweQYE
+ho1vBwEB/wRuMGwwJAIBADAJBgUrDgMCGgUABBQzOTgyMzk4NzIzNzg5MTM0OTc4
+MhMPdGVyc2Ugc3RhdGVtZW50gBdodHRwOi8vd3d3LnZlcmlzaWduLmNvbYEaZ2V0
+c2V0LWNlbnRlckB2ZXJpc2lnbi5jb20wDQYJKoZIhvcNAQEFBQADgYEAVHCjhxeD
+mIFSkm3DpQAq7pGfcAFPWvSM9I9bK8qeFT1M5YQ+5fbPqaWlNcQlGKIe3cHd4+0P
+ndL5lb6UBhhA0kTzEYA38+HtBxPe/lokCv0bYfyWY9asUmvfbUrTYta0yjN7ixnV
+UqvxxHQHOAwhf6bcc7xNHapOxloWzGUU0RQ=
+-----END CERTIFICATE-----
diff --git a/openssl/apps/set/set_root.pem b/openssl/apps/set/set_root.pem
new file mode 100644
index 0000000..8dd104f
--- /dev/null
+++ b/openssl/apps/set/set_root.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZzCCAk+gAwIBAgIgVqenwCYvmmxUIvi9gUMCa+uJGJ60mZecw9HrISXnLaYw
+DQYJKoZIhvcNAQEFBQAwIzELMAkGA1UEBhMCVVMxFDASBgNVBAoTC1JDQTEwMTEx
+ODI5MB4XDTk2MTAxMjAwMDAwMFoXDTk2MTExMTIzNTk1OVowIzELMAkGA1UEBhMC
+VVMxFDASBgNVBAoTC1JDQTEwMTExODI5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAukca0PVUGFIYX7EyrShi+dVi9GTNzG0V2Wtdw6DqFzKfedba/KpE
+zqnRDV/wRZlBn3oXPS6kNCFiBPRV9mEFXI7y2W+q8/vPurjRDIXMsqQ+dAhKwf4q
+rofJBTiET4NUN0YTtpx6aYuoVubjiOgKdbqnUArxAWWP2Dkco17ipEYyUtd4sTAe
+/xKR02AHpbYGYPSHjMDS/nzUJ7uX4d51phs0rt7If48ExJSnDV/KoHMfm42mdmH2
+g23005qdHKY3UXeh10tZmb3QtGTSvF6OqpRZ+e9/ALklu7ZcIjqbb944ci4QWemb
+ZNWiDFrWWUoO1k942BI/iZ8Fh8pETYSDBQIDAQABo4GGMIGDMA4GA1UdDwEB/wQE
+AwIBBjAuBgNVHRABAf8EJDAigA8xOTk2MTAxMjAxMzQwMFqBDzE5OTYxMTExMjM1
+OTU5WjAbBgNVHSABAf8EETAPMA0GC2CGSAGG+EUBBwEBMBIGA1UdEwEB/wQIMAYB
+Af8CAQIwEAYEho1vAwEB/wQFAwMHAIAwDQYJKoZIhvcNAQEFBQADggEBAK4tntea
+y+ws7PdULwfqAS5osaoNvw73uBn5lROTpx91uhQbJyf0oZ3XG9GUuHZBpqG9qmr9
+vIL40RsvRpNMYgaNHKTxF716yx6rZmruAYZsrE3SpV63tQJCckKLPSge2E5uDhSQ
+O8UjusG+IRT9fKMXUHLv4OmZPOQVOSl1qTCN2XoJFqEPtC3Y9P4YR4xHL0P2jb1l
+DLdIbruuh+6omH+0XUZd5fKnQZTTi6gjl0iunj3wGnkcqGZtwr3j87ONiB/8tDwY
+vz8ceII4YYdX12PrNzn+fu3R5rChvPW4/ah/SaYQ2VQ0AupaIF4xrNJ/gLYYw0YO
+bxCrVJLd8tu9WgA=
+-----END CERTIFICATE-----
diff --git a/openssl/apps/smime.c b/openssl/apps/smime.c
new file mode 100644
index 0000000..1758330
--- /dev/null
+++ b/openssl/apps/smime.c
@@ -0,0 +1,775 @@
+/* smime.c */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* S/MIME utility function */
+
+#include <stdio.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/crypto.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/x509_vfy.h>
+#include <openssl/x509v3.h>
+
+#undef PROG
+#define PROG smime_main
+static int save_certs(char *signerfile, STACK_OF(X509) *signers);
+static int smime_cb(int ok, X509_STORE_CTX *ctx);
+
+#define SMIME_OP        0x10
+#define SMIME_IP        0x20
+#define SMIME_SIGNERS   0x40
+#define SMIME_ENCRYPT   (1 | SMIME_OP)
+#define SMIME_DECRYPT   (2 | SMIME_IP)
+#define SMIME_SIGN      (3 | SMIME_OP | SMIME_SIGNERS)
+#define SMIME_VERIFY    (4 | SMIME_IP)
+#define SMIME_PK7OUT    (5 | SMIME_IP | SMIME_OP)
+#define SMIME_RESIGN    (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    ENGINE *e = NULL;
+    int operation = 0;
+    int ret = 0;
+    char **args;
+    const char *inmode = "r", *outmode = "w";
+    char *infile = NULL, *outfile = NULL;
+    char *signerfile = NULL, *recipfile = NULL;
+    STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
+    char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
+    const EVP_CIPHER *cipher = NULL;
+    PKCS7 *p7 = NULL;
+    X509_STORE *store = NULL;
+    X509 *cert = NULL, *recip = NULL, *signer = NULL;
+    EVP_PKEY *key = NULL;
+    STACK_OF(X509) *encerts = NULL, *other = NULL;
+    BIO *in = NULL, *out = NULL, *indata = NULL;
+    int badarg = 0;
+    int flags = PKCS7_DETACHED;
+    char *to = NULL, *from = NULL, *subject = NULL;
+    char *CAfile = NULL, *CApath = NULL;
+    char *passargin = NULL, *passin = NULL;
+    char *inrand = NULL;
+    int need_rand = 0;
+    int indef = 0;
+    const EVP_MD *sign_md = NULL;
+    int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
+    int keyform = FORMAT_PEM;
+    char *engine = NULL;
+
+    X509_VERIFY_PARAM *vpm = NULL;
+
+    args = argv + 1;
+    ret = 1;
+
+    apps_startup();
+
+    if (bio_err == NULL) {
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+    }
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    while (!badarg && *args && *args[0] == '-') {
+        if (!strcmp(*args, "-encrypt"))
+            operation = SMIME_ENCRYPT;
+        else if (!strcmp(*args, "-decrypt"))
+            operation = SMIME_DECRYPT;
+        else if (!strcmp(*args, "-sign"))
+            operation = SMIME_SIGN;
+        else if (!strcmp(*args, "-resign"))
+            operation = SMIME_RESIGN;
+        else if (!strcmp(*args, "-verify"))
+            operation = SMIME_VERIFY;
+        else if (!strcmp(*args, "-pk7out"))
+            operation = SMIME_PK7OUT;
+#ifndef OPENSSL_NO_DES
+        else if (!strcmp(*args, "-des3"))
+            cipher = EVP_des_ede3_cbc();
+        else if (!strcmp(*args, "-des"))
+            cipher = EVP_des_cbc();
+#endif
+#ifndef OPENSSL_NO_SEED
+        else if (!strcmp(*args, "-seed"))
+            cipher = EVP_seed_cbc();
+#endif
+#ifndef OPENSSL_NO_RC2
+        else if (!strcmp(*args, "-rc2-40"))
+            cipher = EVP_rc2_40_cbc();
+        else if (!strcmp(*args, "-rc2-128"))
+            cipher = EVP_rc2_cbc();
+        else if (!strcmp(*args, "-rc2-64"))
+            cipher = EVP_rc2_64_cbc();
+#endif
+#ifndef OPENSSL_NO_AES
+        else if (!strcmp(*args, "-aes128"))
+            cipher = EVP_aes_128_cbc();
+        else if (!strcmp(*args, "-aes192"))
+            cipher = EVP_aes_192_cbc();
+        else if (!strcmp(*args, "-aes256"))
+            cipher = EVP_aes_256_cbc();
+#endif
+#ifndef OPENSSL_NO_CAMELLIA
+        else if (!strcmp(*args, "-camellia128"))
+            cipher = EVP_camellia_128_cbc();
+        else if (!strcmp(*args, "-camellia192"))
+            cipher = EVP_camellia_192_cbc();
+        else if (!strcmp(*args, "-camellia256"))
+            cipher = EVP_camellia_256_cbc();
+#endif
+        else if (!strcmp(*args, "-text"))
+            flags |= PKCS7_TEXT;
+        else if (!strcmp(*args, "-nointern"))
+            flags |= PKCS7_NOINTERN;
+        else if (!strcmp(*args, "-noverify"))
+            flags |= PKCS7_NOVERIFY;
+        else if (!strcmp(*args, "-nochain"))
+            flags |= PKCS7_NOCHAIN;
+        else if (!strcmp(*args, "-nocerts"))
+            flags |= PKCS7_NOCERTS;
+        else if (!strcmp(*args, "-noattr"))
+            flags |= PKCS7_NOATTR;
+        else if (!strcmp(*args, "-nodetach"))
+            flags &= ~PKCS7_DETACHED;
+        else if (!strcmp(*args, "-nosmimecap"))
+            flags |= PKCS7_NOSMIMECAP;
+        else if (!strcmp(*args, "-binary"))
+            flags |= PKCS7_BINARY;
+        else if (!strcmp(*args, "-nosigs"))
+            flags |= PKCS7_NOSIGS;
+        else if (!strcmp(*args, "-stream"))
+            indef = 1;
+        else if (!strcmp(*args, "-indef"))
+            indef = 1;
+        else if (!strcmp(*args, "-noindef"))
+            indef = 0;
+        else if (!strcmp(*args, "-nooldmime"))
+            flags |= PKCS7_NOOLDMIMETYPE;
+        else if (!strcmp(*args, "-crlfeol"))
+            flags |= PKCS7_CRLFEOL;
+        else if (!strcmp(*args, "-rand")) {
+            if (!args[1])
+                goto argerr;
+            args++;
+            inrand = *args;
+            need_rand = 1;
+        }
+#ifndef OPENSSL_NO_ENGINE
+        else if (!strcmp(*args, "-engine")) {
+            if (!args[1])
+                goto argerr;
+            engine = *++args;
+        }
+#endif
+        else if (!strcmp(*args, "-passin")) {
+            if (!args[1])
+                goto argerr;
+            passargin = *++args;
+        } else if (!strcmp(*args, "-to")) {
+            if (!args[1])
+                goto argerr;
+            to = *++args;
+        } else if (!strcmp(*args, "-from")) {
+            if (!args[1])
+                goto argerr;
+            from = *++args;
+        } else if (!strcmp(*args, "-subject")) {
+            if (!args[1])
+                goto argerr;
+            subject = *++args;
+        } else if (!strcmp(*args, "-signer")) {
+            if (!args[1])
+                goto argerr;
+            /* If previous -signer argument add signer to list */
+
+            if (signerfile) {
+                if (!sksigners)
+                    sksigners = sk_OPENSSL_STRING_new_null();
+                sk_OPENSSL_STRING_push(sksigners, signerfile);
+                if (!keyfile)
+                    keyfile = signerfile;
+                if (!skkeys)
+                    skkeys = sk_OPENSSL_STRING_new_null();
+                sk_OPENSSL_STRING_push(skkeys, keyfile);
+                keyfile = NULL;
+            }
+            signerfile = *++args;
+        } else if (!strcmp(*args, "-recip")) {
+            if (!args[1])
+                goto argerr;
+            recipfile = *++args;
+        } else if (!strcmp(*args, "-md")) {
+            if (!args[1])
+                goto argerr;
+            sign_md = EVP_get_digestbyname(*++args);
+            if (sign_md == NULL) {
+                BIO_printf(bio_err, "Unknown digest %s\n", *args);
+                goto argerr;
+            }
+        } else if (!strcmp(*args, "-inkey")) {
+            if (!args[1])
+                goto argerr;
+            /* If previous -inkey arument add signer to list */
+            if (keyfile) {
+                if (!signerfile) {
+                    BIO_puts(bio_err, "Illegal -inkey without -signer\n");
+                    goto argerr;
+                }
+                if (!sksigners)
+                    sksigners = sk_OPENSSL_STRING_new_null();
+                sk_OPENSSL_STRING_push(sksigners, signerfile);
+                signerfile = NULL;
+                if (!skkeys)
+                    skkeys = sk_OPENSSL_STRING_new_null();
+                sk_OPENSSL_STRING_push(skkeys, keyfile);
+            }
+            keyfile = *++args;
+        } else if (!strcmp(*args, "-keyform")) {
+            if (!args[1])
+                goto argerr;
+            keyform = str2fmt(*++args);
+        } else if (!strcmp(*args, "-certfile")) {
+            if (!args[1])
+                goto argerr;
+            certfile = *++args;
+        } else if (!strcmp(*args, "-CAfile")) {
+            if (!args[1])
+                goto argerr;
+            CAfile = *++args;
+        } else if (!strcmp(*args, "-CApath")) {
+            if (!args[1])
+                goto argerr;
+            CApath = *++args;
+        } else if (!strcmp(*args, "-in")) {
+            if (!args[1])
+                goto argerr;
+            infile = *++args;
+        } else if (!strcmp(*args, "-inform")) {
+            if (!args[1])
+                goto argerr;
+            informat = str2fmt(*++args);
+        } else if (!strcmp(*args, "-outform")) {
+            if (!args[1])
+                goto argerr;
+            outformat = str2fmt(*++args);
+        } else if (!strcmp(*args, "-out")) {
+            if (!args[1])
+                goto argerr;
+            outfile = *++args;
+        } else if (!strcmp(*args, "-content")) {
+            if (!args[1])
+                goto argerr;
+            contfile = *++args;
+        } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm))
+            continue;
+        else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL)
+            badarg = 1;
+        args++;
+    }
+
+    if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) {
+        BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
+        goto argerr;
+    }
+
+    if (operation & SMIME_SIGNERS) {
+        /* Check to see if any final signer needs to be appended */
+        if (keyfile && !signerfile) {
+            BIO_puts(bio_err, "Illegal -inkey without -signer\n");
+            goto argerr;
+        }
+        if (signerfile) {
+            if (!sksigners)
+                sksigners = sk_OPENSSL_STRING_new_null();
+            sk_OPENSSL_STRING_push(sksigners, signerfile);
+            if (!skkeys)
+                skkeys = sk_OPENSSL_STRING_new_null();
+            if (!keyfile)
+                keyfile = signerfile;
+            sk_OPENSSL_STRING_push(skkeys, keyfile);
+        }
+        if (!sksigners) {
+            BIO_printf(bio_err, "No signer certificate specified\n");
+            badarg = 1;
+        }
+        signerfile = NULL;
+        keyfile = NULL;
+        need_rand = 1;
+    } else if (operation == SMIME_DECRYPT) {
+        if (!recipfile && !keyfile) {
+            BIO_printf(bio_err,
+                       "No recipient certificate or key specified\n");
+            badarg = 1;
+        }
+    } else if (operation == SMIME_ENCRYPT) {
+        if (!*args) {
+            BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
+            badarg = 1;
+        }
+        need_rand = 1;
+    } else if (!operation)
+        badarg = 1;
+
+    if (badarg) {
+ argerr:
+        BIO_printf(bio_err, "Usage smime [options] cert.pem ...\n");
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err, "-encrypt       encrypt message\n");
+        BIO_printf(bio_err, "-decrypt       decrypt encrypted message\n");
+        BIO_printf(bio_err, "-sign          sign message\n");
+        BIO_printf(bio_err, "-verify        verify signed message\n");
+        BIO_printf(bio_err, "-pk7out        output PKCS#7 structure\n");
+#ifndef OPENSSL_NO_DES
+        BIO_printf(bio_err, "-des3          encrypt with triple DES\n");
+        BIO_printf(bio_err, "-des           encrypt with DES\n");
+#endif
+#ifndef OPENSSL_NO_SEED
+        BIO_printf(bio_err, "-seed          encrypt with SEED\n");
+#endif
+#ifndef OPENSSL_NO_RC2
+        BIO_printf(bio_err, "-rc2-40        encrypt with RC2-40 (default)\n");
+        BIO_printf(bio_err, "-rc2-64        encrypt with RC2-64\n");
+        BIO_printf(bio_err, "-rc2-128       encrypt with RC2-128\n");
+#endif
+#ifndef OPENSSL_NO_AES
+        BIO_printf(bio_err, "-aes128, -aes192, -aes256\n");
+        BIO_printf(bio_err,
+                   "               encrypt PEM output with cbc aes\n");
+#endif
+#ifndef OPENSSL_NO_CAMELLIA
+        BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n");
+        BIO_printf(bio_err,
+                   "               encrypt PEM output with cbc camellia\n");
+#endif
+        BIO_printf(bio_err,
+                   "-nointern      don't search certificates in message for signer\n");
+        BIO_printf(bio_err,
+                   "-nosigs        don't verify message signature\n");
+        BIO_printf(bio_err,
+                   "-noverify      don't verify signers certificate\n");
+        BIO_printf(bio_err,
+                   "-nocerts       don't include signers certificate when signing\n");
+        BIO_printf(bio_err, "-nodetach      use opaque signing\n");
+        BIO_printf(bio_err,
+                   "-noattr        don't include any signed attributes\n");
+        BIO_printf(bio_err,
+                   "-binary        don't translate message to text\n");
+        BIO_printf(bio_err, "-certfile file other certificates file\n");
+        BIO_printf(bio_err, "-signer file   signer certificate file\n");
+        BIO_printf(bio_err,
+                   "-recip  file   recipient certificate file for decryption\n");
+        BIO_printf(bio_err, "-in file       input file\n");
+        BIO_printf(bio_err,
+                   "-inform arg    input format SMIME (default), PEM or DER\n");
+        BIO_printf(bio_err,
+                   "-inkey file    input private key (if not signer or recipient)\n");
+        BIO_printf(bio_err,
+                   "-keyform arg   input private key format (PEM or ENGINE)\n");
+        BIO_printf(bio_err, "-out file      output file\n");
+        BIO_printf(bio_err,
+                   "-outform arg   output format SMIME (default), PEM or DER\n");
+        BIO_printf(bio_err,
+                   "-content file  supply or override content for detached signature\n");
+        BIO_printf(bio_err, "-to addr       to address\n");
+        BIO_printf(bio_err, "-from ad       from address\n");
+        BIO_printf(bio_err, "-subject s     subject\n");
+        BIO_printf(bio_err,
+                   "-text          include or delete text MIME headers\n");
+        BIO_printf(bio_err,
+                   "-CApath dir    trusted certificates directory\n");
+        BIO_printf(bio_err, "-CAfile file   trusted certificates file\n");
+        BIO_printf(bio_err,
+                   "-no_alt_chains only ever use the first certificate chain found\n");
+        BIO_printf(bio_err,
+                   "-crl_check     check revocation status of signer's certificate using CRLs\n");
+        BIO_printf(bio_err,
+                   "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
+#ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   "-engine e      use engine e, possibly a hardware device.\n");
+#endif
+        BIO_printf(bio_err, "-passin arg    input file pass phrase source\n");
+        BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
+                   LIST_SEPARATOR_CHAR);
+        BIO_printf(bio_err,
+                   "               load the file (or the files in the directory) into\n");
+        BIO_printf(bio_err, "               the random number generator\n");
+        BIO_printf(bio_err,
+                   "cert.pem       recipient certificate(s) for encryption\n");
+        goto end;
+    }
+    e = setup_engine(bio_err, engine, 0);
+
+    if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+        BIO_printf(bio_err, "Error getting password\n");
+        goto end;
+    }
+
+    if (need_rand) {
+        app_RAND_load_file(NULL, bio_err, (inrand != NULL));
+        if (inrand != NULL)
+            BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
+                       app_RAND_load_files(inrand));
+    }
+
+    ret = 2;
+
+    if (!(operation & SMIME_SIGNERS))
+        flags &= ~PKCS7_DETACHED;
+
+    if (operation & SMIME_OP) {
+        if (outformat == FORMAT_ASN1)
+            outmode = "wb";
+    } else {
+        if (flags & PKCS7_BINARY)
+            outmode = "wb";
+    }
+
+    if (operation & SMIME_IP) {
+        if (informat == FORMAT_ASN1)
+            inmode = "rb";
+    } else {
+        if (flags & PKCS7_BINARY)
+            inmode = "rb";
+    }
+
+    if (operation == SMIME_ENCRYPT) {
+        if (!cipher) {
+#ifndef OPENSSL_NO_DES
+            cipher = EVP_des_ede3_cbc();
+#else
+            BIO_printf(bio_err, "No cipher selected\n");
+            goto end;
+#endif
+        }
+        encerts = sk_X509_new_null();
+        while (*args) {
+            if (!(cert = load_cert(bio_err, *args, FORMAT_PEM,
+                                   NULL, e, "recipient certificate file"))) {
+#if 0                           /* An appropriate message is already printed */
+                BIO_printf(bio_err,
+                           "Can't read recipient certificate file %s\n",
+                           *args);
+#endif
+                goto end;
+            }
+            sk_X509_push(encerts, cert);
+            cert = NULL;
+            args++;
+        }
+    }
+
+    if (certfile) {
+        if (!(other = load_certs(bio_err, certfile, FORMAT_PEM, NULL,
+                                 e, "certificate file"))) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+
+    if (recipfile && (operation == SMIME_DECRYPT)) {
+        if (!(recip = load_cert(bio_err, recipfile, FORMAT_PEM, NULL,
+                                e, "recipient certificate file"))) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+
+    if (operation == SMIME_DECRYPT) {
+        if (!keyfile)
+            keyfile = recipfile;
+    } else if (operation == SMIME_SIGN) {
+        if (!keyfile)
+            keyfile = signerfile;
+    } else
+        keyfile = NULL;
+
+    if (keyfile) {
+        key = load_key(bio_err, keyfile, keyform, 0, passin, e,
+                       "signing key file");
+        if (!key)
+            goto end;
+    }
+
+    if (infile) {
+        if (!(in = BIO_new_file(infile, inmode))) {
+            BIO_printf(bio_err, "Can't open input file %s\n", infile);
+            goto end;
+        }
+    } else
+        in = BIO_new_fp(stdin, BIO_NOCLOSE);
+
+    if (operation & SMIME_IP) {
+        if (informat == FORMAT_SMIME)
+            p7 = SMIME_read_PKCS7(in, &indata);
+        else if (informat == FORMAT_PEM)
+            p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
+        else if (informat == FORMAT_ASN1)
+            p7 = d2i_PKCS7_bio(in, NULL);
+        else {
+            BIO_printf(bio_err, "Bad input format for PKCS#7 file\n");
+            goto end;
+        }
+
+        if (!p7) {
+            BIO_printf(bio_err, "Error reading S/MIME message\n");
+            goto end;
+        }
+        if (contfile) {
+            BIO_free(indata);
+            if (!(indata = BIO_new_file(contfile, "rb"))) {
+                BIO_printf(bio_err, "Can't read content file %s\n", contfile);
+                goto end;
+            }
+        }
+    }
+
+    if (outfile) {
+        if (!(out = BIO_new_file(outfile, outmode))) {
+            BIO_printf(bio_err, "Can't open output file %s\n", outfile);
+            goto end;
+        }
+    } else {
+        out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+#endif
+    }
+
+    if (operation == SMIME_VERIFY) {
+        if (!(store = setup_verify(bio_err, CAfile, CApath)))
+            goto end;
+        X509_STORE_set_verify_cb(store, smime_cb);
+        if (vpm)
+            X509_STORE_set1_param(store, vpm);
+    }
+
+    ret = 3;
+
+    if (operation == SMIME_ENCRYPT) {
+        if (indef)
+            flags |= PKCS7_STREAM;
+        p7 = PKCS7_encrypt(encerts, in, cipher, flags);
+    } else if (operation & SMIME_SIGNERS) {
+        int i;
+        /*
+         * If detached data content we only enable streaming if S/MIME output
+         * format.
+         */
+        if (operation == SMIME_SIGN) {
+            if (flags & PKCS7_DETACHED) {
+                if (outformat == FORMAT_SMIME)
+                    flags |= PKCS7_STREAM;
+            } else if (indef)
+                flags |= PKCS7_STREAM;
+            flags |= PKCS7_PARTIAL;
+            p7 = PKCS7_sign(NULL, NULL, other, in, flags);
+            if (!p7)
+                goto end;
+            if (flags & PKCS7_NOCERTS) {
+                for (i = 0; i < sk_X509_num(other); i++) {
+                    X509 *x = sk_X509_value(other, i);
+                    PKCS7_add_certificate(p7, x);
+                }
+            }
+        } else
+            flags |= PKCS7_REUSE_DIGEST;
+        for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
+            signerfile = sk_OPENSSL_STRING_value(sksigners, i);
+            keyfile = sk_OPENSSL_STRING_value(skkeys, i);
+            signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL,
+                               e, "signer certificate");
+            if (!signer)
+                goto end;
+            key = load_key(bio_err, keyfile, keyform, 0, passin, e,
+                           "signing key file");
+            if (!key)
+                goto end;
+            if (!PKCS7_sign_add_signer(p7, signer, key, sign_md, flags))
+                goto end;
+            X509_free(signer);
+            signer = NULL;
+            EVP_PKEY_free(key);
+            key = NULL;
+        }
+        /* If not streaming or resigning finalize structure */
+        if ((operation == SMIME_SIGN) && !(flags & PKCS7_STREAM)) {
+            if (!PKCS7_final(p7, in, flags))
+                goto end;
+        }
+    }
+
+    if (!p7) {
+        BIO_printf(bio_err, "Error creating PKCS#7 structure\n");
+        goto end;
+    }
+
+    ret = 4;
+    if (operation == SMIME_DECRYPT) {
+        if (!PKCS7_decrypt(p7, key, recip, out, flags)) {
+            BIO_printf(bio_err, "Error decrypting PKCS#7 structure\n");
+            goto end;
+        }
+    } else if (operation == SMIME_VERIFY) {
+        STACK_OF(X509) *signers;
+        if (PKCS7_verify(p7, other, store, indata, out, flags))
+            BIO_printf(bio_err, "Verification successful\n");
+        else {
+            BIO_printf(bio_err, "Verification failure\n");
+            goto end;
+        }
+        signers = PKCS7_get0_signers(p7, other, flags);
+        if (!save_certs(signerfile, signers)) {
+            BIO_printf(bio_err, "Error writing signers to %s\n", signerfile);
+            ret = 5;
+            goto end;
+        }
+        sk_X509_free(signers);
+    } else if (operation == SMIME_PK7OUT)
+        PEM_write_bio_PKCS7(out, p7);
+    else {
+        if (to)
+            BIO_printf(out, "To: %s\n", to);
+        if (from)
+            BIO_printf(out, "From: %s\n", from);
+        if (subject)
+            BIO_printf(out, "Subject: %s\n", subject);
+        if (outformat == FORMAT_SMIME) {
+            if (operation == SMIME_RESIGN)
+                SMIME_write_PKCS7(out, p7, indata, flags);
+            else
+                SMIME_write_PKCS7(out, p7, in, flags);
+        } else if (outformat == FORMAT_PEM)
+            PEM_write_bio_PKCS7_stream(out, p7, in, flags);
+        else if (outformat == FORMAT_ASN1)
+            i2d_PKCS7_bio_stream(out, p7, in, flags);
+        else {
+            BIO_printf(bio_err, "Bad output format for PKCS#7 file\n");
+            goto end;
+        }
+    }
+    ret = 0;
+ end:
+    if (need_rand)
+        app_RAND_write_file(NULL, bio_err);
+    if (ret)
+        ERR_print_errors(bio_err);
+    sk_X509_pop_free(encerts, X509_free);
+    sk_X509_pop_free(other, X509_free);
+    if (vpm)
+        X509_VERIFY_PARAM_free(vpm);
+    if (sksigners)
+        sk_OPENSSL_STRING_free(sksigners);
+    if (skkeys)
+        sk_OPENSSL_STRING_free(skkeys);
+    X509_STORE_free(store);
+    X509_free(cert);
+    X509_free(recip);
+    X509_free(signer);
+    EVP_PKEY_free(key);
+    PKCS7_free(p7);
+    release_engine(e);
+    BIO_free(in);
+    BIO_free(indata);
+    BIO_free_all(out);
+    if (passin)
+        OPENSSL_free(passin);
+    return (ret);
+}
+
+static int save_certs(char *signerfile, STACK_OF(X509) *signers)
+{
+    int i;
+    BIO *tmp;
+    if (!signerfile)
+        return 1;
+    tmp = BIO_new_file(signerfile, "w");
+    if (!tmp)
+        return 0;
+    for (i = 0; i < sk_X509_num(signers); i++)
+        PEM_write_bio_X509(tmp, sk_X509_value(signers, i));
+    BIO_free(tmp);
+    return 1;
+}
+
+/* Minimal callback just to output policy info (if any) */
+
+static int smime_cb(int ok, X509_STORE_CTX *ctx)
+{
+    int error;
+
+    error = X509_STORE_CTX_get_error(ctx);
+
+    if ((error != X509_V_ERR_NO_EXPLICIT_POLICY)
+        && ((error != X509_V_OK) || (ok != 2)))
+        return ok;
+
+    policies_print(NULL, ctx);
+
+    return ok;
+
+}
diff --git a/openssl/apps/speed.c b/openssl/apps/speed.c
new file mode 100644
index 0000000..6cd1021
--- /dev/null
+++ b/openssl/apps/speed.c
@@ -0,0 +1,2878 @@
+/* apps/speed.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the OpenSSL open source
+ * license provided above.
+ *
+ * The ECDH and ECDSA speed test software is originally written by
+ * Sumit Gupta of Sun Microsystems Laboratories.
+ *
+ */
+
+/* most of this code has been pilfered from my libdes speed.c program */
+
+#ifndef OPENSSL_NO_SPEED
+
+# undef SECONDS
+# define SECONDS         3
+# define RSA_SECONDS     10
+# define DSA_SECONDS     10
+# define ECDSA_SECONDS   10
+# define ECDH_SECONDS    10
+
+/* 11-Sep-92 Andrew Daviel   Support for Silicon Graphics IRIX added */
+/* 06-Apr-92 Luke Brennan    Support for VMS and add extra signal calls */
+
+# undef PROG
+# define PROG speed_main
+
+# include <stdio.h>
+# include <stdlib.h>
+
+# include <string.h>
+# include <math.h>
+# include "apps.h"
+# ifdef OPENSSL_NO_STDIO
+#  define APPS_WIN16
+# endif
+# include <openssl/crypto.h>
+# include <openssl/rand.h>
+# include <openssl/err.h>
+# include <openssl/evp.h>
+# include <openssl/objects.h>
+# if !defined(OPENSSL_SYS_MSDOS)
+#  include OPENSSL_UNISTD
+# endif
+
+# ifndef OPENSSL_SYS_NETWARE
+#  include <signal.h>
+# endif
+
+# if defined(_WIN32) || defined(__CYGWIN__)
+#  include <windows.h>
+#  if defined(__CYGWIN__) && !defined(_WIN32)
+  /*
+   * <windows.h> should define _WIN32, which normally is mutually exclusive
+   * with __CYGWIN__, but if it didn't...
+   */
+#   define _WIN32
+  /* this is done because Cygwin alarm() fails sometimes. */
+#  endif
+# endif
+
+# include <openssl/bn.h>
+# ifndef OPENSSL_NO_DES
+#  include <openssl/des.h>
+# endif
+# ifndef OPENSSL_NO_AES
+#  include <openssl/aes.h>
+# endif
+# ifndef OPENSSL_NO_CAMELLIA
+#  include <openssl/camellia.h>
+# endif
+# ifndef OPENSSL_NO_MD2
+#  include <openssl/md2.h>
+# endif
+# ifndef OPENSSL_NO_MDC2
+#  include <openssl/mdc2.h>
+# endif
+# ifndef OPENSSL_NO_MD4
+#  include <openssl/md4.h>
+# endif
+# ifndef OPENSSL_NO_MD5
+#  include <openssl/md5.h>
+# endif
+# ifndef OPENSSL_NO_HMAC
+#  include <openssl/hmac.h>
+# endif
+# include <openssl/evp.h>
+# ifndef OPENSSL_NO_SHA
+#  include <openssl/sha.h>
+# endif
+# ifndef OPENSSL_NO_RIPEMD
+#  include <openssl/ripemd.h>
+# endif
+# ifndef OPENSSL_NO_WHIRLPOOL
+#  include <openssl/whrlpool.h>
+# endif
+# ifndef OPENSSL_NO_RC4
+#  include <openssl/rc4.h>
+# endif
+# ifndef OPENSSL_NO_RC5
+#  include <openssl/rc5.h>
+# endif
+# ifndef OPENSSL_NO_RC2
+#  include <openssl/rc2.h>
+# endif
+# ifndef OPENSSL_NO_IDEA
+#  include <openssl/idea.h>
+# endif
+# ifndef OPENSSL_NO_SEED
+#  include <openssl/seed.h>
+# endif
+# ifndef OPENSSL_NO_BF
+#  include <openssl/blowfish.h>
+# endif
+# ifndef OPENSSL_NO_CAST
+#  include <openssl/cast.h>
+# endif
+# ifndef OPENSSL_NO_RSA
+#  include <openssl/rsa.h>
+#  include "./testrsa.h"
+# endif
+# include <openssl/x509.h>
+# ifndef OPENSSL_NO_DSA
+#  include <openssl/dsa.h>
+#  include "./testdsa.h"
+# endif
+# ifndef OPENSSL_NO_ECDSA
+#  include <openssl/ecdsa.h>
+# endif
+# ifndef OPENSSL_NO_ECDH
+#  include <openssl/ecdh.h>
+# endif
+# include <openssl/modes.h>
+
+# ifdef OPENSSL_FIPS
+#  ifdef OPENSSL_DOING_MAKEDEPEND
+#   undef AES_set_encrypt_key
+#   undef AES_set_decrypt_key
+#   undef DES_set_key_unchecked
+#  endif
+#  define BF_set_key      private_BF_set_key
+#  define CAST_set_key    private_CAST_set_key
+#  define idea_set_encrypt_key    private_idea_set_encrypt_key
+#  define SEED_set_key    private_SEED_set_key
+#  define RC2_set_key     private_RC2_set_key
+#  define RC4_set_key     private_RC4_set_key
+#  define DES_set_key_unchecked   private_DES_set_key_unchecked
+#  define AES_set_encrypt_key     private_AES_set_encrypt_key
+#  define AES_set_decrypt_key     private_AES_set_decrypt_key
+#  define Camellia_set_key        private_Camellia_set_key
+# endif
+
+# ifndef HAVE_FORK
+#  if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_NETWARE)
+#   define HAVE_FORK 0
+#  else
+#   define HAVE_FORK 1
+#  endif
+# endif
+
+# if HAVE_FORK
+#  undef NO_FORK
+# else
+#  define NO_FORK
+# endif
+
+# undef BUFSIZE
+# define BUFSIZE ((long)1024*8+1)
+static volatile int run = 0;
+
+static int mr = 0;
+static int usertime = 1;
+
+static double Time_F(int s);
+static void print_message(const char *s, long num, int length);
+static void pkey_print_message(const char *str, const char *str2,
+                               long num, int bits, int sec);
+static void print_result(int alg, int run_no, int count, double time_used);
+# ifndef NO_FORK
+static int do_multi(int multi);
+# endif
+
+# define ALGOR_NUM       30
+# define SIZE_NUM        5
+# define RSA_NUM         4
+# define DSA_NUM         3
+
+# define EC_NUM       16
+# define MAX_ECDH_SIZE 256
+
+static const char *names[ALGOR_NUM] = {
+    "md2", "mdc2", "md4", "md5", "hmac(md5)", "sha1", "rmd160", "rc4",
+    "des cbc", "des ede3", "idea cbc", "seed cbc",
+    "rc2 cbc", "rc5-32/12 cbc", "blowfish cbc", "cast cbc",
+    "aes-128 cbc", "aes-192 cbc", "aes-256 cbc",
+    "camellia-128 cbc", "camellia-192 cbc", "camellia-256 cbc",
+    "evp", "sha256", "sha512", "whirlpool",
+    "aes-128 ige", "aes-192 ige", "aes-256 ige", "ghash"
+};
+
+static double results[ALGOR_NUM][SIZE_NUM];
+static int lengths[SIZE_NUM] = { 16, 64, 256, 1024, 8 * 1024 };
+
+# ifndef OPENSSL_NO_RSA
+static double rsa_results[RSA_NUM][2];
+# endif
+# ifndef OPENSSL_NO_DSA
+static double dsa_results[DSA_NUM][2];
+# endif
+# ifndef OPENSSL_NO_ECDSA
+static double ecdsa_results[EC_NUM][2];
+# endif
+# ifndef OPENSSL_NO_ECDH
+static double ecdh_results[EC_NUM][1];
+# endif
+
+# if defined(OPENSSL_NO_DSA) && !(defined(OPENSSL_NO_ECDSA) && defined(OPENSSL_NO_ECDH))
+static const char rnd_seed[] =
+    "string to make the random number generator think it has entropy";
+static int rnd_fake = 0;
+# endif
+
+# ifdef SIGALRM
+#  if defined(__STDC__) || defined(sgi) || defined(_AIX)
+#   define SIGRETTYPE void
+#  else
+#   define SIGRETTYPE int
+#  endif
+
+static SIGRETTYPE sig_done(int sig);
+static SIGRETTYPE sig_done(int sig)
+{
+    signal(SIGALRM, sig_done);
+    run = 0;
+#  ifdef LINT
+    sig = sig;
+#  endif
+}
+# endif
+
+# define START   0
+# define STOP    1
+
+# if defined(_WIN32)
+
+#  if !defined(SIGALRM)
+#   define SIGALRM
+#  endif
+static unsigned int lapse, schlock;
+static void alarm_win32(unsigned int secs)
+{
+    lapse = secs * 1000;
+}
+
+#  define alarm alarm_win32
+
+static DWORD WINAPI sleepy(VOID * arg)
+{
+    schlock = 1;
+    Sleep(lapse);
+    run = 0;
+    return 0;
+}
+
+static double Time_F(int s)
+{
+    if (s == START) {
+        HANDLE thr;
+        schlock = 0;
+        thr = CreateThread(NULL, 4096, sleepy, NULL, 0, NULL);
+        if (thr == NULL) {
+            DWORD ret = GetLastError();
+            BIO_printf(bio_err, "unable to CreateThread (%d)", ret);
+            ExitProcess(ret);
+        }
+        CloseHandle(thr);       /* detach the thread */
+        while (!schlock)
+            Sleep(0);           /* scheduler spinlock */
+    }
+
+    return app_tminterval(s, usertime);
+}
+# else
+
+static double Time_F(int s)
+{
+    return app_tminterval(s, usertime);
+}
+# endif
+
+# ifndef OPENSSL_NO_ECDH
+static const int KDF1_SHA1_len = 20;
+static void *KDF1_SHA1(const void *in, size_t inlen, void *out,
+                       size_t *outlen)
+{
+#  ifndef OPENSSL_NO_SHA
+    if (*outlen < SHA_DIGEST_LENGTH)
+        return NULL;
+    else
+        *outlen = SHA_DIGEST_LENGTH;
+    return SHA1(in, inlen, out);
+#  else
+    return NULL;
+#  endif                        /* OPENSSL_NO_SHA */
+}
+# endif                         /* OPENSSL_NO_ECDH */
+
+static void multiblock_speed(const EVP_CIPHER *evp_cipher);
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    ENGINE *e = NULL;
+    unsigned char *buf = NULL, *buf2 = NULL;
+    int mret = 1;
+    long count = 0, save_count = 0;
+    int i, j, k;
+# if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA)
+    long rsa_count;
+# endif
+# ifndef OPENSSL_NO_RSA
+    unsigned rsa_num;
+# endif
+    unsigned char md[EVP_MAX_MD_SIZE];
+# ifndef OPENSSL_NO_MD2
+    unsigned char md2[MD2_DIGEST_LENGTH];
+# endif
+# ifndef OPENSSL_NO_MDC2
+    unsigned char mdc2[MDC2_DIGEST_LENGTH];
+# endif
+# ifndef OPENSSL_NO_MD4
+    unsigned char md4[MD4_DIGEST_LENGTH];
+# endif
+# ifndef OPENSSL_NO_MD5
+    unsigned char md5[MD5_DIGEST_LENGTH];
+    unsigned char hmac[MD5_DIGEST_LENGTH];
+# endif
+# ifndef OPENSSL_NO_SHA
+    unsigned char sha[SHA_DIGEST_LENGTH];
+#  ifndef OPENSSL_NO_SHA256
+    unsigned char sha256[SHA256_DIGEST_LENGTH];
+#  endif
+#  ifndef OPENSSL_NO_SHA512
+    unsigned char sha512[SHA512_DIGEST_LENGTH];
+#  endif
+# endif
+# ifndef OPENSSL_NO_WHIRLPOOL
+    unsigned char whirlpool[WHIRLPOOL_DIGEST_LENGTH];
+# endif
+# ifndef OPENSSL_NO_RIPEMD
+    unsigned char rmd160[RIPEMD160_DIGEST_LENGTH];
+# endif
+# ifndef OPENSSL_NO_RC4
+    RC4_KEY rc4_ks;
+# endif
+# ifndef OPENSSL_NO_RC5
+    RC5_32_KEY rc5_ks;
+# endif
+# ifndef OPENSSL_NO_RC2
+    RC2_KEY rc2_ks;
+# endif
+# ifndef OPENSSL_NO_IDEA
+    IDEA_KEY_SCHEDULE idea_ks;
+# endif
+# ifndef OPENSSL_NO_SEED
+    SEED_KEY_SCHEDULE seed_ks;
+# endif
+# ifndef OPENSSL_NO_BF
+    BF_KEY bf_ks;
+# endif
+# ifndef OPENSSL_NO_CAST
+    CAST_KEY cast_ks;
+# endif
+    static const unsigned char key16[16] = {
+        0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
+        0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12
+    };
+# ifndef OPENSSL_NO_AES
+    static const unsigned char key24[24] = {
+        0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
+        0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
+        0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34
+    };
+    static const unsigned char key32[32] = {
+        0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
+        0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
+        0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34,
+        0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x56
+    };
+# endif
+# ifndef OPENSSL_NO_CAMELLIA
+    static const unsigned char ckey24[24] = {
+        0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
+        0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
+        0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34
+    };
+    static const unsigned char ckey32[32] = {
+        0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
+        0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
+        0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34,
+        0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x56
+    };
+# endif
+# ifndef OPENSSL_NO_AES
+#  define MAX_BLOCK_SIZE 128
+# else
+#  define MAX_BLOCK_SIZE 64
+# endif
+    unsigned char DES_iv[8];
+    unsigned char iv[2 * MAX_BLOCK_SIZE / 8];
+# ifndef OPENSSL_NO_DES
+    static DES_cblock key =
+        { 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0 };
+    static DES_cblock key2 =
+        { 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12 };
+    static DES_cblock key3 =
+        { 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34 };
+    DES_key_schedule sch;
+    DES_key_schedule sch2;
+    DES_key_schedule sch3;
+# endif
+# ifndef OPENSSL_NO_AES
+    AES_KEY aes_ks1, aes_ks2, aes_ks3;
+# endif
+# ifndef OPENSSL_NO_CAMELLIA
+    CAMELLIA_KEY camellia_ks1, camellia_ks2, camellia_ks3;
+# endif
+# define D_MD2           0
+# define D_MDC2          1
+# define D_MD4           2
+# define D_MD5           3
+# define D_HMAC          4
+# define D_SHA1          5
+# define D_RMD160        6
+# define D_RC4           7
+# define D_CBC_DES       8
+# define D_EDE3_DES      9
+# define D_CBC_IDEA      10
+# define D_CBC_SEED      11
+# define D_CBC_RC2       12
+# define D_CBC_RC5       13
+# define D_CBC_BF        14
+# define D_CBC_CAST      15
+# define D_CBC_128_AES   16
+# define D_CBC_192_AES   17
+# define D_CBC_256_AES   18
+# define D_CBC_128_CML   19
+# define D_CBC_192_CML   20
+# define D_CBC_256_CML   21
+# define D_EVP           22
+# define D_SHA256        23
+# define D_SHA512        24
+# define D_WHIRLPOOL     25
+# define D_IGE_128_AES   26
+# define D_IGE_192_AES   27
+# define D_IGE_256_AES   28
+# define D_GHASH         29
+    double d = 0.0;
+    long c[ALGOR_NUM][SIZE_NUM];
+# define R_DSA_512       0
+# define R_DSA_1024      1
+# define R_DSA_2048      2
+# define R_RSA_512       0
+# define R_RSA_1024      1
+# define R_RSA_2048      2
+# define R_RSA_4096      3
+
+# define R_EC_P160    0
+# define R_EC_P192    1
+# define R_EC_P224    2
+# define R_EC_P256    3
+# define R_EC_P384    4
+# define R_EC_P521    5
+# define R_EC_K163    6
+# define R_EC_K233    7
+# define R_EC_K283    8
+# define R_EC_K409    9
+# define R_EC_K571    10
+# define R_EC_B163    11
+# define R_EC_B233    12
+# define R_EC_B283    13
+# define R_EC_B409    14
+# define R_EC_B571    15
+
+# ifndef OPENSSL_NO_RSA
+    RSA *rsa_key[RSA_NUM];
+    long rsa_c[RSA_NUM][2];
+    static unsigned int rsa_bits[RSA_NUM] = {
+        512, 1024, 2048, 4096
+    };
+    static unsigned char *rsa_data[RSA_NUM] = {
+        test512, test1024, test2048, test4096
+    };
+    static int rsa_data_length[RSA_NUM] = {
+        sizeof(test512), sizeof(test1024),
+        sizeof(test2048), sizeof(test4096)
+    };
+# endif
+# ifndef OPENSSL_NO_DSA
+    DSA *dsa_key[DSA_NUM];
+    long dsa_c[DSA_NUM][2];
+    static unsigned int dsa_bits[DSA_NUM] = { 512, 1024, 2048 };
+# endif
+# ifndef OPENSSL_NO_EC
+    /*
+     * We only test over the following curves as they are representative, To
+     * add tests over more curves, simply add the curve NID and curve name to
+     * the following arrays and increase the EC_NUM value accordingly.
+     */
+    static unsigned int test_curves[EC_NUM] = {
+        /* Prime Curves */
+        NID_secp160r1,
+        NID_X9_62_prime192v1,
+        NID_secp224r1,
+        NID_X9_62_prime256v1,
+        NID_secp384r1,
+        NID_secp521r1,
+        /* Binary Curves */
+        NID_sect163k1,
+        NID_sect233k1,
+        NID_sect283k1,
+        NID_sect409k1,
+        NID_sect571k1,
+        NID_sect163r2,
+        NID_sect233r1,
+        NID_sect283r1,
+        NID_sect409r1,
+        NID_sect571r1
+    };
+    static const char *test_curves_names[EC_NUM] = {
+        /* Prime Curves */
+        "secp160r1",
+        "nistp192",
+        "nistp224",
+        "nistp256",
+        "nistp384",
+        "nistp521",
+        /* Binary Curves */
+        "nistk163",
+        "nistk233",
+        "nistk283",
+        "nistk409",
+        "nistk571",
+        "nistb163",
+        "nistb233",
+        "nistb283",
+        "nistb409",
+        "nistb571"
+    };
+    static int test_curves_bits[EC_NUM] = {
+        160, 192, 224, 256, 384, 521,
+        163, 233, 283, 409, 571,
+        163, 233, 283, 409, 571
+    };
+
+# endif
+
+# ifndef OPENSSL_NO_ECDSA
+    unsigned char ecdsasig[256];
+    unsigned int ecdsasiglen;
+    EC_KEY *ecdsa[EC_NUM];
+    long ecdsa_c[EC_NUM][2];
+# endif
+
+# ifndef OPENSSL_NO_ECDH
+    EC_KEY *ecdh_a[EC_NUM], *ecdh_b[EC_NUM];
+    unsigned char secret_a[MAX_ECDH_SIZE], secret_b[MAX_ECDH_SIZE];
+    int secret_size_a, secret_size_b;
+    int ecdh_checks = 0;
+    int secret_idx = 0;
+    long ecdh_c[EC_NUM][2];
+# endif
+
+    int rsa_doit[RSA_NUM];
+    int dsa_doit[DSA_NUM];
+# ifndef OPENSSL_NO_ECDSA
+    int ecdsa_doit[EC_NUM];
+# endif
+# ifndef OPENSSL_NO_ECDH
+    int ecdh_doit[EC_NUM];
+# endif
+    int doit[ALGOR_NUM];
+    int pr_header = 0;
+    const EVP_CIPHER *evp_cipher = NULL;
+    const EVP_MD *evp_md = NULL;
+    int decrypt = 0;
+# ifndef NO_FORK
+    int multi = 0;
+# endif
+    int multiblock = 0;
+
+# ifndef TIMES
+    usertime = -1;
+# endif
+
+    apps_startup();
+    memset(results, 0, sizeof(results));
+# ifndef OPENSSL_NO_DSA
+    memset(dsa_key, 0, sizeof(dsa_key));
+# endif
+# ifndef OPENSSL_NO_ECDSA
+    for (i = 0; i < EC_NUM; i++)
+        ecdsa[i] = NULL;
+# endif
+# ifndef OPENSSL_NO_ECDH
+    for (i = 0; i < EC_NUM; i++) {
+        ecdh_a[i] = NULL;
+        ecdh_b[i] = NULL;
+    }
+# endif
+# ifndef OPENSSL_NO_RSA
+    for (i = 0; i < RSA_NUM; i++)
+        rsa_key[i] = NULL;
+# endif
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    if ((buf = (unsigned char *)OPENSSL_malloc((int)BUFSIZE)) == NULL) {
+        BIO_printf(bio_err, "out of memory\n");
+        goto end;
+    }
+    if ((buf2 = (unsigned char *)OPENSSL_malloc((int)BUFSIZE)) == NULL) {
+        BIO_printf(bio_err, "out of memory\n");
+        goto end;
+    }
+
+    memset(c, 0, sizeof(c));
+    memset(DES_iv, 0, sizeof(DES_iv));
+    memset(iv, 0, sizeof(iv));
+
+    for (i = 0; i < ALGOR_NUM; i++)
+        doit[i] = 0;
+    for (i = 0; i < RSA_NUM; i++)
+        rsa_doit[i] = 0;
+    for (i = 0; i < DSA_NUM; i++)
+        dsa_doit[i] = 0;
+# ifndef OPENSSL_NO_ECDSA
+    for (i = 0; i < EC_NUM; i++)
+        ecdsa_doit[i] = 0;
+# endif
+# ifndef OPENSSL_NO_ECDH
+    for (i = 0; i < EC_NUM; i++)
+        ecdh_doit[i] = 0;
+# endif
+
+    j = 0;
+    argc--;
+    argv++;
+    while (argc) {
+        if ((argc > 0) && (strcmp(*argv, "-elapsed") == 0)) {
+            usertime = 0;
+            j--;                /* Otherwise, -elapsed gets confused with an
+                                 * algorithm. */
+        } else if ((argc > 0) && (strcmp(*argv, "-evp") == 0)) {
+            argc--;
+            argv++;
+            if (argc == 0) {
+                BIO_printf(bio_err, "no EVP given\n");
+                goto end;
+            }
+            evp_cipher = EVP_get_cipherbyname(*argv);
+            if (!evp_cipher) {
+                evp_md = EVP_get_digestbyname(*argv);
+            }
+            if (!evp_cipher && !evp_md) {
+                BIO_printf(bio_err, "%s is an unknown cipher or digest\n",
+                           *argv);
+                goto end;
+            }
+            doit[D_EVP] = 1;
+        } else if (argc > 0 && !strcmp(*argv, "-decrypt")) {
+            decrypt = 1;
+            j--;                /* Otherwise, -elapsed gets confused with an
+                                 * algorithm. */
+        }
+# ifndef OPENSSL_NO_ENGINE
+        else if ((argc > 0) && (strcmp(*argv, "-engine") == 0)) {
+            argc--;
+            argv++;
+            if (argc == 0) {
+                BIO_printf(bio_err, "no engine given\n");
+                goto end;
+            }
+            e = setup_engine(bio_err, *argv, 0);
+            /*
+             * j will be increased again further down.  We just don't want
+             * speed to confuse an engine with an algorithm, especially when
+             * none is given (which means all of them should be run)
+             */
+            j--;
+        }
+# endif
+# ifndef NO_FORK
+        else if ((argc > 0) && (strcmp(*argv, "-multi") == 0)) {
+            argc--;
+            argv++;
+            if (argc == 0) {
+                BIO_printf(bio_err, "no multi count given\n");
+                goto end;
+            }
+            multi = atoi(argv[0]);
+            if (multi <= 0) {
+                BIO_printf(bio_err, "bad multi count\n");
+                goto end;
+            }
+            j--;                /* Otherwise, -mr gets confused with an
+                                 * algorithm. */
+        }
+# endif
+        else if (argc > 0 && !strcmp(*argv, "-mr")) {
+            mr = 1;
+            j--;                /* Otherwise, -mr gets confused with an
+                                 * algorithm. */
+        } else if (argc > 0 && !strcmp(*argv, "-mb")) {
+            multiblock = 1;
+            j--;
+        } else
+# ifndef OPENSSL_NO_MD2
+        if (strcmp(*argv, "md2") == 0)
+            doit[D_MD2] = 1;
+        else
+# endif
+# ifndef OPENSSL_NO_MDC2
+        if (strcmp(*argv, "mdc2") == 0)
+            doit[D_MDC2] = 1;
+        else
+# endif
+# ifndef OPENSSL_NO_MD4
+        if (strcmp(*argv, "md4") == 0)
+            doit[D_MD4] = 1;
+        else
+# endif
+# ifndef OPENSSL_NO_MD5
+        if (strcmp(*argv, "md5") == 0)
+            doit[D_MD5] = 1;
+        else
+# endif
+# ifndef OPENSSL_NO_MD5
+        if (strcmp(*argv, "hmac") == 0)
+            doit[D_HMAC] = 1;
+        else
+# endif
+# ifndef OPENSSL_NO_SHA
+        if (strcmp(*argv, "sha1") == 0)
+            doit[D_SHA1] = 1;
+        else if (strcmp(*argv, "sha") == 0)
+            doit[D_SHA1] = 1, doit[D_SHA256] = 1, doit[D_SHA512] = 1;
+        else
+#  ifndef OPENSSL_NO_SHA256
+        if (strcmp(*argv, "sha256") == 0)
+            doit[D_SHA256] = 1;
+        else
+#  endif
+#  ifndef OPENSSL_NO_SHA512
+        if (strcmp(*argv, "sha512") == 0)
+            doit[D_SHA512] = 1;
+        else
+#  endif
+# endif
+# ifndef OPENSSL_NO_WHIRLPOOL
+        if (strcmp(*argv, "whirlpool") == 0)
+            doit[D_WHIRLPOOL] = 1;
+        else
+# endif
+# ifndef OPENSSL_NO_RIPEMD
+        if (strcmp(*argv, "ripemd") == 0)
+            doit[D_RMD160] = 1;
+        else if (strcmp(*argv, "rmd160") == 0)
+            doit[D_RMD160] = 1;
+        else if (strcmp(*argv, "ripemd160") == 0)
+            doit[D_RMD160] = 1;
+        else
+# endif
+# ifndef OPENSSL_NO_RC4
+        if (strcmp(*argv, "rc4") == 0)
+            doit[D_RC4] = 1;
+        else
+# endif
+# ifndef OPENSSL_NO_DES
+        if (strcmp(*argv, "des-cbc") == 0)
+            doit[D_CBC_DES] = 1;
+        else if (strcmp(*argv, "des-ede3") == 0)
+            doit[D_EDE3_DES] = 1;
+        else
+# endif
+# ifndef OPENSSL_NO_AES
+        if (strcmp(*argv, "aes-128-cbc") == 0)
+            doit[D_CBC_128_AES] = 1;
+        else if (strcmp(*argv, "aes-192-cbc") == 0)
+            doit[D_CBC_192_AES] = 1;
+        else if (strcmp(*argv, "aes-256-cbc") == 0)
+            doit[D_CBC_256_AES] = 1;
+        else if (strcmp(*argv, "aes-128-ige") == 0)
+            doit[D_IGE_128_AES] = 1;
+        else if (strcmp(*argv, "aes-192-ige") == 0)
+            doit[D_IGE_192_AES] = 1;
+        else if (strcmp(*argv, "aes-256-ige") == 0)
+            doit[D_IGE_256_AES] = 1;
+        else
+# endif
+# ifndef OPENSSL_NO_CAMELLIA
+        if (strcmp(*argv, "camellia-128-cbc") == 0)
+            doit[D_CBC_128_CML] = 1;
+        else if (strcmp(*argv, "camellia-192-cbc") == 0)
+            doit[D_CBC_192_CML] = 1;
+        else if (strcmp(*argv, "camellia-256-cbc") == 0)
+            doit[D_CBC_256_CML] = 1;
+        else
+# endif
+# ifndef OPENSSL_NO_RSA
+#  if 0                         /* was: #ifdef RSAref */
+        if (strcmp(*argv, "rsaref") == 0) {
+            RSA_set_default_openssl_method(RSA_PKCS1_RSAref());
+            j--;
+        } else
+#  endif
+#  ifndef RSA_NULL
+        if (strcmp(*argv, "openssl") == 0) {
+            RSA_set_default_method(RSA_PKCS1_SSLeay());
+            j--;
+        } else
+#  endif
+# endif                         /* !OPENSSL_NO_RSA */
+        if (strcmp(*argv, "dsa512") == 0)
+            dsa_doit[R_DSA_512] = 2;
+        else if (strcmp(*argv, "dsa1024") == 0)
+            dsa_doit[R_DSA_1024] = 2;
+        else if (strcmp(*argv, "dsa2048") == 0)
+            dsa_doit[R_DSA_2048] = 2;
+        else if (strcmp(*argv, "rsa512") == 0)
+            rsa_doit[R_RSA_512] = 2;
+        else if (strcmp(*argv, "rsa1024") == 0)
+            rsa_doit[R_RSA_1024] = 2;
+        else if (strcmp(*argv, "rsa2048") == 0)
+            rsa_doit[R_RSA_2048] = 2;
+        else if (strcmp(*argv, "rsa4096") == 0)
+            rsa_doit[R_RSA_4096] = 2;
+        else
+# ifndef OPENSSL_NO_RC2
+        if (strcmp(*argv, "rc2-cbc") == 0)
+            doit[D_CBC_RC2] = 1;
+        else if (strcmp(*argv, "rc2") == 0)
+            doit[D_CBC_RC2] = 1;
+        else
+# endif
+# ifndef OPENSSL_NO_RC5
+        if (strcmp(*argv, "rc5-cbc") == 0)
+            doit[D_CBC_RC5] = 1;
+        else if (strcmp(*argv, "rc5") == 0)
+            doit[D_CBC_RC5] = 1;
+        else
+# endif
+# ifndef OPENSSL_NO_IDEA
+        if (strcmp(*argv, "idea-cbc") == 0)
+            doit[D_CBC_IDEA] = 1;
+        else if (strcmp(*argv, "idea") == 0)
+            doit[D_CBC_IDEA] = 1;
+        else
+# endif
+# ifndef OPENSSL_NO_SEED
+        if (strcmp(*argv, "seed-cbc") == 0)
+            doit[D_CBC_SEED] = 1;
+        else if (strcmp(*argv, "seed") == 0)
+            doit[D_CBC_SEED] = 1;
+        else
+# endif
+# ifndef OPENSSL_NO_BF
+        if (strcmp(*argv, "bf-cbc") == 0)
+            doit[D_CBC_BF] = 1;
+        else if (strcmp(*argv, "blowfish") == 0)
+            doit[D_CBC_BF] = 1;
+        else if (strcmp(*argv, "bf") == 0)
+            doit[D_CBC_BF] = 1;
+        else
+# endif
+# ifndef OPENSSL_NO_CAST
+        if (strcmp(*argv, "cast-cbc") == 0)
+            doit[D_CBC_CAST] = 1;
+        else if (strcmp(*argv, "cast") == 0)
+            doit[D_CBC_CAST] = 1;
+        else if (strcmp(*argv, "cast5") == 0)
+            doit[D_CBC_CAST] = 1;
+        else
+# endif
+# ifndef OPENSSL_NO_DES
+        if (strcmp(*argv, "des") == 0) {
+            doit[D_CBC_DES] = 1;
+            doit[D_EDE3_DES] = 1;
+        } else
+# endif
+# ifndef OPENSSL_NO_AES
+        if (strcmp(*argv, "aes") == 0) {
+            doit[D_CBC_128_AES] = 1;
+            doit[D_CBC_192_AES] = 1;
+            doit[D_CBC_256_AES] = 1;
+        } else if (strcmp(*argv, "ghash") == 0) {
+            doit[D_GHASH] = 1;
+        } else
+# endif
+# ifndef OPENSSL_NO_CAMELLIA
+        if (strcmp(*argv, "camellia") == 0) {
+            doit[D_CBC_128_CML] = 1;
+            doit[D_CBC_192_CML] = 1;
+            doit[D_CBC_256_CML] = 1;
+        } else
+# endif
+# ifndef OPENSSL_NO_RSA
+        if (strcmp(*argv, "rsa") == 0) {
+            rsa_doit[R_RSA_512] = 1;
+            rsa_doit[R_RSA_1024] = 1;
+            rsa_doit[R_RSA_2048] = 1;
+            rsa_doit[R_RSA_4096] = 1;
+        } else
+# endif
+# ifndef OPENSSL_NO_DSA
+        if (strcmp(*argv, "dsa") == 0) {
+            dsa_doit[R_DSA_512] = 1;
+            dsa_doit[R_DSA_1024] = 1;
+            dsa_doit[R_DSA_2048] = 1;
+        } else
+# endif
+# ifndef OPENSSL_NO_ECDSA
+        if (strcmp(*argv, "ecdsap160") == 0)
+            ecdsa_doit[R_EC_P160] = 2;
+        else if (strcmp(*argv, "ecdsap192") == 0)
+            ecdsa_doit[R_EC_P192] = 2;
+        else if (strcmp(*argv, "ecdsap224") == 0)
+            ecdsa_doit[R_EC_P224] = 2;
+        else if (strcmp(*argv, "ecdsap256") == 0)
+            ecdsa_doit[R_EC_P256] = 2;
+        else if (strcmp(*argv, "ecdsap384") == 0)
+            ecdsa_doit[R_EC_P384] = 2;
+        else if (strcmp(*argv, "ecdsap521") == 0)
+            ecdsa_doit[R_EC_P521] = 2;
+        else if (strcmp(*argv, "ecdsak163") == 0)
+            ecdsa_doit[R_EC_K163] = 2;
+        else if (strcmp(*argv, "ecdsak233") == 0)
+            ecdsa_doit[R_EC_K233] = 2;
+        else if (strcmp(*argv, "ecdsak283") == 0)
+            ecdsa_doit[R_EC_K283] = 2;
+        else if (strcmp(*argv, "ecdsak409") == 0)
+            ecdsa_doit[R_EC_K409] = 2;
+        else if (strcmp(*argv, "ecdsak571") == 0)
+            ecdsa_doit[R_EC_K571] = 2;
+        else if (strcmp(*argv, "ecdsab163") == 0)
+            ecdsa_doit[R_EC_B163] = 2;
+        else if (strcmp(*argv, "ecdsab233") == 0)
+            ecdsa_doit[R_EC_B233] = 2;
+        else if (strcmp(*argv, "ecdsab283") == 0)
+            ecdsa_doit[R_EC_B283] = 2;
+        else if (strcmp(*argv, "ecdsab409") == 0)
+            ecdsa_doit[R_EC_B409] = 2;
+        else if (strcmp(*argv, "ecdsab571") == 0)
+            ecdsa_doit[R_EC_B571] = 2;
+        else if (strcmp(*argv, "ecdsa") == 0) {
+            for (i = 0; i < EC_NUM; i++)
+                ecdsa_doit[i] = 1;
+        } else
+# endif
+# ifndef OPENSSL_NO_ECDH
+        if (strcmp(*argv, "ecdhp160") == 0)
+            ecdh_doit[R_EC_P160] = 2;
+        else if (strcmp(*argv, "ecdhp192") == 0)
+            ecdh_doit[R_EC_P192] = 2;
+        else if (strcmp(*argv, "ecdhp224") == 0)
+            ecdh_doit[R_EC_P224] = 2;
+        else if (strcmp(*argv, "ecdhp256") == 0)
+            ecdh_doit[R_EC_P256] = 2;
+        else if (strcmp(*argv, "ecdhp384") == 0)
+            ecdh_doit[R_EC_P384] = 2;
+        else if (strcmp(*argv, "ecdhp521") == 0)
+            ecdh_doit[R_EC_P521] = 2;
+        else if (strcmp(*argv, "ecdhk163") == 0)
+            ecdh_doit[R_EC_K163] = 2;
+        else if (strcmp(*argv, "ecdhk233") == 0)
+            ecdh_doit[R_EC_K233] = 2;
+        else if (strcmp(*argv, "ecdhk283") == 0)
+            ecdh_doit[R_EC_K283] = 2;
+        else if (strcmp(*argv, "ecdhk409") == 0)
+            ecdh_doit[R_EC_K409] = 2;
+        else if (strcmp(*argv, "ecdhk571") == 0)
+            ecdh_doit[R_EC_K571] = 2;
+        else if (strcmp(*argv, "ecdhb163") == 0)
+            ecdh_doit[R_EC_B163] = 2;
+        else if (strcmp(*argv, "ecdhb233") == 0)
+            ecdh_doit[R_EC_B233] = 2;
+        else if (strcmp(*argv, "ecdhb283") == 0)
+            ecdh_doit[R_EC_B283] = 2;
+        else if (strcmp(*argv, "ecdhb409") == 0)
+            ecdh_doit[R_EC_B409] = 2;
+        else if (strcmp(*argv, "ecdhb571") == 0)
+            ecdh_doit[R_EC_B571] = 2;
+        else if (strcmp(*argv, "ecdh") == 0) {
+            for (i = 0; i < EC_NUM; i++)
+                ecdh_doit[i] = 1;
+        } else
+# endif
+        {
+            BIO_printf(bio_err, "Error: bad option or value\n");
+            BIO_printf(bio_err, "\n");
+            BIO_printf(bio_err, "Available values:\n");
+# ifndef OPENSSL_NO_MD2
+            BIO_printf(bio_err, "md2      ");
+# endif
+# ifndef OPENSSL_NO_MDC2
+            BIO_printf(bio_err, "mdc2     ");
+# endif
+# ifndef OPENSSL_NO_MD4
+            BIO_printf(bio_err, "md4      ");
+# endif
+# ifndef OPENSSL_NO_MD5
+            BIO_printf(bio_err, "md5      ");
+#  ifndef OPENSSL_NO_HMAC
+            BIO_printf(bio_err, "hmac     ");
+#  endif
+# endif
+# ifndef OPENSSL_NO_SHA1
+            BIO_printf(bio_err, "sha1     ");
+# endif
+# ifndef OPENSSL_NO_SHA256
+            BIO_printf(bio_err, "sha256   ");
+# endif
+# ifndef OPENSSL_NO_SHA512
+            BIO_printf(bio_err, "sha512   ");
+# endif
+# ifndef OPENSSL_NO_WHIRLPOOL
+            BIO_printf(bio_err, "whirlpool");
+# endif
+# ifndef OPENSSL_NO_RIPEMD160
+            BIO_printf(bio_err, "rmd160");
+# endif
+# if !defined(OPENSSL_NO_MD2) || !defined(OPENSSL_NO_MDC2) || \
+    !defined(OPENSSL_NO_MD4) || !defined(OPENSSL_NO_MD5) || \
+    !defined(OPENSSL_NO_SHA1) || !defined(OPENSSL_NO_RIPEMD160) || \
+    !defined(OPENSSL_NO_WHIRLPOOL)
+            BIO_printf(bio_err, "\n");
+# endif
+
+# ifndef OPENSSL_NO_IDEA
+            BIO_printf(bio_err, "idea-cbc ");
+# endif
+# ifndef OPENSSL_NO_SEED
+            BIO_printf(bio_err, "seed-cbc ");
+# endif
+# ifndef OPENSSL_NO_RC2
+            BIO_printf(bio_err, "rc2-cbc  ");
+# endif
+# ifndef OPENSSL_NO_RC5
+            BIO_printf(bio_err, "rc5-cbc  ");
+# endif
+# ifndef OPENSSL_NO_BF
+            BIO_printf(bio_err, "bf-cbc");
+# endif
+# if !defined(OPENSSL_NO_IDEA) || !defined(OPENSSL_NO_SEED) || !defined(OPENSSL_NO_RC2) || \
+    !defined(OPENSSL_NO_BF) || !defined(OPENSSL_NO_RC5)
+            BIO_printf(bio_err, "\n");
+# endif
+# ifndef OPENSSL_NO_DES
+            BIO_printf(bio_err, "des-cbc  des-ede3 ");
+# endif
+# ifndef OPENSSL_NO_AES
+            BIO_printf(bio_err, "aes-128-cbc aes-192-cbc aes-256-cbc ");
+            BIO_printf(bio_err, "aes-128-ige aes-192-ige aes-256-ige ");
+# endif
+# ifndef OPENSSL_NO_CAMELLIA
+            BIO_printf(bio_err, "\n");
+            BIO_printf(bio_err,
+                       "camellia-128-cbc camellia-192-cbc camellia-256-cbc ");
+# endif
+# ifndef OPENSSL_NO_RC4
+            BIO_printf(bio_err, "rc4");
+# endif
+            BIO_printf(bio_err, "\n");
+
+# ifndef OPENSSL_NO_RSA
+            BIO_printf(bio_err, "rsa512   rsa1024  rsa2048  rsa4096\n");
+# endif
+
+# ifndef OPENSSL_NO_DSA
+            BIO_printf(bio_err, "dsa512   dsa1024  dsa2048\n");
+# endif
+# ifndef OPENSSL_NO_ECDSA
+            BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 "
+                       "ecdsap256 ecdsap384 ecdsap521\n");
+            BIO_printf(bio_err,
+                       "ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
+            BIO_printf(bio_err,
+                       "ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
+            BIO_printf(bio_err, "ecdsa\n");
+# endif
+# ifndef OPENSSL_NO_ECDH
+            BIO_printf(bio_err, "ecdhp160  ecdhp192  ecdhp224 "
+                       "ecdhp256  ecdhp384  ecdhp521\n");
+            BIO_printf(bio_err,
+                       "ecdhk163  ecdhk233  ecdhk283  ecdhk409  ecdhk571\n");
+            BIO_printf(bio_err,
+                       "ecdhb163  ecdhb233  ecdhb283  ecdhb409  ecdhb571\n");
+            BIO_printf(bio_err, "ecdh\n");
+# endif
+
+# ifndef OPENSSL_NO_IDEA
+            BIO_printf(bio_err, "idea     ");
+# endif
+# ifndef OPENSSL_NO_SEED
+            BIO_printf(bio_err, "seed     ");
+# endif
+# ifndef OPENSSL_NO_RC2
+            BIO_printf(bio_err, "rc2      ");
+# endif
+# ifndef OPENSSL_NO_DES
+            BIO_printf(bio_err, "des      ");
+# endif
+# ifndef OPENSSL_NO_AES
+            BIO_printf(bio_err, "aes      ");
+# endif
+# ifndef OPENSSL_NO_CAMELLIA
+            BIO_printf(bio_err, "camellia ");
+# endif
+# ifndef OPENSSL_NO_RSA
+            BIO_printf(bio_err, "rsa      ");
+# endif
+# ifndef OPENSSL_NO_BF
+            BIO_printf(bio_err, "blowfish");
+# endif
+# if !defined(OPENSSL_NO_IDEA) || !defined(OPENSSL_NO_SEED) || \
+    !defined(OPENSSL_NO_RC2) || !defined(OPENSSL_NO_DES) || \
+    !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_BF) || \
+    !defined(OPENSSL_NO_AES) || !defined(OPENSSL_NO_CAMELLIA)
+            BIO_printf(bio_err, "\n");
+# endif
+
+            BIO_printf(bio_err, "\n");
+            BIO_printf(bio_err, "Available options:\n");
+# if defined(TIMES) || defined(USE_TOD)
+            BIO_printf(bio_err, "-elapsed        "
+                       "measure time in real time instead of CPU user time.\n");
+# endif
+# ifndef OPENSSL_NO_ENGINE
+            BIO_printf(bio_err,
+                       "-engine e       "
+                       "use engine e, possibly a hardware device.\n");
+# endif
+            BIO_printf(bio_err, "-evp e          " "use EVP e.\n");
+            BIO_printf(bio_err,
+                       "-decrypt        "
+                       "time decryption instead of encryption (only EVP).\n");
+            BIO_printf(bio_err,
+                       "-mr             "
+                       "produce machine readable output.\n");
+# ifndef NO_FORK
+            BIO_printf(bio_err,
+                       "-multi n        " "run n benchmarks in parallel.\n");
+# endif
+            goto end;
+        }
+        argc--;
+        argv++;
+        j++;
+    }
+
+# ifndef NO_FORK
+    if (multi && do_multi(multi))
+        goto show_res;
+# endif
+
+    if (j == 0) {
+        for (i = 0; i < ALGOR_NUM; i++) {
+            if (i != D_EVP)
+                doit[i] = 1;
+        }
+        for (i = 0; i < RSA_NUM; i++)
+            rsa_doit[i] = 1;
+        for (i = 0; i < DSA_NUM; i++)
+            dsa_doit[i] = 1;
+# ifndef OPENSSL_NO_ECDSA
+        for (i = 0; i < EC_NUM; i++)
+            ecdsa_doit[i] = 1;
+# endif
+# ifndef OPENSSL_NO_ECDH
+        for (i = 0; i < EC_NUM; i++)
+            ecdh_doit[i] = 1;
+# endif
+    }
+    for (i = 0; i < ALGOR_NUM; i++)
+        if (doit[i])
+            pr_header++;
+
+    if (usertime == 0 && !mr)
+        BIO_printf(bio_err,
+                   "You have chosen to measure elapsed time "
+                   "instead of user CPU time.\n");
+
+# ifndef OPENSSL_NO_RSA
+    for (i = 0; i < RSA_NUM; i++) {
+        const unsigned char *p;
+
+        p = rsa_data[i];
+        rsa_key[i] = d2i_RSAPrivateKey(NULL, &p, rsa_data_length[i]);
+        if (rsa_key[i] == NULL) {
+            BIO_printf(bio_err, "internal error loading RSA key number %d\n",
+                       i);
+            goto end;
+        }
+#  if 0
+        else {
+            BIO_printf(bio_err,
+                       mr ? "+RK:%d:"
+                       : "Loaded RSA key, %d bit modulus and e= 0x",
+                       BN_num_bits(rsa_key[i]->n));
+            BN_print(bio_err, rsa_key[i]->e);
+            BIO_printf(bio_err, "\n");
+        }
+#  endif
+    }
+# endif
+
+# ifndef OPENSSL_NO_DSA
+    dsa_key[0] = get_dsa512();
+    dsa_key[1] = get_dsa1024();
+    dsa_key[2] = get_dsa2048();
+# endif
+
+# ifndef OPENSSL_NO_DES
+    DES_set_key_unchecked(&key, &sch);
+    DES_set_key_unchecked(&key2, &sch2);
+    DES_set_key_unchecked(&key3, &sch3);
+# endif
+# ifndef OPENSSL_NO_AES
+    AES_set_encrypt_key(key16, 128, &aes_ks1);
+    AES_set_encrypt_key(key24, 192, &aes_ks2);
+    AES_set_encrypt_key(key32, 256, &aes_ks3);
+# endif
+# ifndef OPENSSL_NO_CAMELLIA
+    Camellia_set_key(key16, 128, &camellia_ks1);
+    Camellia_set_key(ckey24, 192, &camellia_ks2);
+    Camellia_set_key(ckey32, 256, &camellia_ks3);
+# endif
+# ifndef OPENSSL_NO_IDEA
+    idea_set_encrypt_key(key16, &idea_ks);
+# endif
+# ifndef OPENSSL_NO_SEED
+    SEED_set_key(key16, &seed_ks);
+# endif
+# ifndef OPENSSL_NO_RC4
+    RC4_set_key(&rc4_ks, 16, key16);
+# endif
+# ifndef OPENSSL_NO_RC2
+    RC2_set_key(&rc2_ks, 16, key16, 128);
+# endif
+# ifndef OPENSSL_NO_RC5
+    RC5_32_set_key(&rc5_ks, 16, key16, 12);
+# endif
+# ifndef OPENSSL_NO_BF
+    BF_set_key(&bf_ks, 16, key16);
+# endif
+# ifndef OPENSSL_NO_CAST
+    CAST_set_key(&cast_ks, 16, key16);
+# endif
+# ifndef OPENSSL_NO_RSA
+    memset(rsa_c, 0, sizeof(rsa_c));
+# endif
+# ifndef SIGALRM
+#  ifndef OPENSSL_NO_DES
+    BIO_printf(bio_err, "First we calculate the approximate speed ...\n");
+    count = 10;
+    do {
+        long it;
+        count *= 2;
+        Time_F(START);
+        for (it = count; it; it--)
+            DES_ecb_encrypt((DES_cblock *)buf,
+                            (DES_cblock *)buf, &sch, DES_ENCRYPT);
+        d = Time_F(STOP);
+    } while (d < 3);
+    save_count = count;
+    c[D_MD2][0] = count / 10;
+    c[D_MDC2][0] = count / 10;
+    c[D_MD4][0] = count;
+    c[D_MD5][0] = count;
+    c[D_HMAC][0] = count;
+    c[D_SHA1][0] = count;
+    c[D_RMD160][0] = count;
+    c[D_RC4][0] = count * 5;
+    c[D_CBC_DES][0] = count;
+    c[D_EDE3_DES][0] = count / 3;
+    c[D_CBC_IDEA][0] = count;
+    c[D_CBC_SEED][0] = count;
+    c[D_CBC_RC2][0] = count;
+    c[D_CBC_RC5][0] = count;
+    c[D_CBC_BF][0] = count;
+    c[D_CBC_CAST][0] = count;
+    c[D_CBC_128_AES][0] = count;
+    c[D_CBC_192_AES][0] = count;
+    c[D_CBC_256_AES][0] = count;
+    c[D_CBC_128_CML][0] = count;
+    c[D_CBC_192_CML][0] = count;
+    c[D_CBC_256_CML][0] = count;
+    c[D_SHA256][0] = count;
+    c[D_SHA512][0] = count;
+    c[D_WHIRLPOOL][0] = count;
+    c[D_IGE_128_AES][0] = count;
+    c[D_IGE_192_AES][0] = count;
+    c[D_IGE_256_AES][0] = count;
+    c[D_GHASH][0] = count;
+
+    for (i = 1; i < SIZE_NUM; i++) {
+        c[D_MD2][i] = c[D_MD2][0] * 4 * lengths[0] / lengths[i];
+        c[D_MDC2][i] = c[D_MDC2][0] * 4 * lengths[0] / lengths[i];
+        c[D_MD4][i] = c[D_MD4][0] * 4 * lengths[0] / lengths[i];
+        c[D_MD5][i] = c[D_MD5][0] * 4 * lengths[0] / lengths[i];
+        c[D_HMAC][i] = c[D_HMAC][0] * 4 * lengths[0] / lengths[i];
+        c[D_SHA1][i] = c[D_SHA1][0] * 4 * lengths[0] / lengths[i];
+        c[D_RMD160][i] = c[D_RMD160][0] * 4 * lengths[0] / lengths[i];
+        c[D_SHA256][i] = c[D_SHA256][0] * 4 * lengths[0] / lengths[i];
+        c[D_SHA512][i] = c[D_SHA512][0] * 4 * lengths[0] / lengths[i];
+        c[D_WHIRLPOOL][i] = c[D_WHIRLPOOL][0] * 4 * lengths[0] / lengths[i];
+    }
+    for (i = 1; i < SIZE_NUM; i++) {
+        long l0, l1;
+
+        l0 = (long)lengths[i - 1];
+        l1 = (long)lengths[i];
+        c[D_RC4][i] = c[D_RC4][i - 1] * l0 / l1;
+        c[D_CBC_DES][i] = c[D_CBC_DES][i - 1] * l0 / l1;
+        c[D_EDE3_DES][i] = c[D_EDE3_DES][i - 1] * l0 / l1;
+        c[D_CBC_IDEA][i] = c[D_CBC_IDEA][i - 1] * l0 / l1;
+        c[D_CBC_SEED][i] = c[D_CBC_SEED][i - 1] * l0 / l1;
+        c[D_CBC_RC2][i] = c[D_CBC_RC2][i - 1] * l0 / l1;
+        c[D_CBC_RC5][i] = c[D_CBC_RC5][i - 1] * l0 / l1;
+        c[D_CBC_BF][i] = c[D_CBC_BF][i - 1] * l0 / l1;
+        c[D_CBC_CAST][i] = c[D_CBC_CAST][i - 1] * l0 / l1;
+        c[D_CBC_128_AES][i] = c[D_CBC_128_AES][i - 1] * l0 / l1;
+        c[D_CBC_192_AES][i] = c[D_CBC_192_AES][i - 1] * l0 / l1;
+        c[D_CBC_256_AES][i] = c[D_CBC_256_AES][i - 1] * l0 / l1;
+        c[D_CBC_128_CML][i] = c[D_CBC_128_CML][i - 1] * l0 / l1;
+        c[D_CBC_192_CML][i] = c[D_CBC_192_CML][i - 1] * l0 / l1;
+        c[D_CBC_256_CML][i] = c[D_CBC_256_CML][i - 1] * l0 / l1;
+        c[D_IGE_128_AES][i] = c[D_IGE_128_AES][i - 1] * l0 / l1;
+        c[D_IGE_192_AES][i] = c[D_IGE_192_AES][i - 1] * l0 / l1;
+        c[D_IGE_256_AES][i] = c[D_IGE_256_AES][i - 1] * l0 / l1;
+    }
+#   ifndef OPENSSL_NO_RSA
+    rsa_c[R_RSA_512][0] = count / 2000;
+    rsa_c[R_RSA_512][1] = count / 400;
+    for (i = 1; i < RSA_NUM; i++) {
+        rsa_c[i][0] = rsa_c[i - 1][0] / 8;
+        rsa_c[i][1] = rsa_c[i - 1][1] / 4;
+        if ((rsa_doit[i] <= 1) && (rsa_c[i][0] == 0))
+            rsa_doit[i] = 0;
+        else {
+            if (rsa_c[i][0] == 0) {
+                rsa_c[i][0] = 1;
+                rsa_c[i][1] = 20;
+            }
+        }
+    }
+#   endif
+
+#   ifndef OPENSSL_NO_DSA
+    dsa_c[R_DSA_512][0] = count / 1000;
+    dsa_c[R_DSA_512][1] = count / 1000 / 2;
+    for (i = 1; i < DSA_NUM; i++) {
+        dsa_c[i][0] = dsa_c[i - 1][0] / 4;
+        dsa_c[i][1] = dsa_c[i - 1][1] / 4;
+        if ((dsa_doit[i] <= 1) && (dsa_c[i][0] == 0))
+            dsa_doit[i] = 0;
+        else {
+            if (dsa_c[i] == 0) {
+                dsa_c[i][0] = 1;
+                dsa_c[i][1] = 1;
+            }
+        }
+    }
+#   endif
+
+#   ifndef OPENSSL_NO_ECDSA
+    ecdsa_c[R_EC_P160][0] = count / 1000;
+    ecdsa_c[R_EC_P160][1] = count / 1000 / 2;
+    for (i = R_EC_P192; i <= R_EC_P521; i++) {
+        ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
+        ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
+        if ((ecdsa_doit[i] <= 1) && (ecdsa_c[i][0] == 0))
+            ecdsa_doit[i] = 0;
+        else {
+            if (ecdsa_c[i] == 0) {
+                ecdsa_c[i][0] = 1;
+                ecdsa_c[i][1] = 1;
+            }
+        }
+    }
+    ecdsa_c[R_EC_K163][0] = count / 1000;
+    ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
+    for (i = R_EC_K233; i <= R_EC_K571; i++) {
+        ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
+        ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
+        if ((ecdsa_doit[i] <= 1) && (ecdsa_c[i][0] == 0))
+            ecdsa_doit[i] = 0;
+        else {
+            if (ecdsa_c[i] == 0) {
+                ecdsa_c[i][0] = 1;
+                ecdsa_c[i][1] = 1;
+            }
+        }
+    }
+    ecdsa_c[R_EC_B163][0] = count / 1000;
+    ecdsa_c[R_EC_B163][1] = count / 1000 / 2;
+    for (i = R_EC_B233; i <= R_EC_B571; i++) {
+        ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
+        ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
+        if ((ecdsa_doit[i] <= 1) && (ecdsa_c[i][0] == 0))
+            ecdsa_doit[i] = 0;
+        else {
+            if (ecdsa_c[i] == 0) {
+                ecdsa_c[i][0] = 1;
+                ecdsa_c[i][1] = 1;
+            }
+        }
+    }
+#   endif
+
+#   ifndef OPENSSL_NO_ECDH
+    ecdh_c[R_EC_P160][0] = count / 1000;
+    ecdh_c[R_EC_P160][1] = count / 1000;
+    for (i = R_EC_P192; i <= R_EC_P521; i++) {
+        ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
+        ecdh_c[i][1] = ecdh_c[i - 1][1] / 2;
+        if ((ecdh_doit[i] <= 1) && (ecdh_c[i][0] == 0))
+            ecdh_doit[i] = 0;
+        else {
+            if (ecdh_c[i] == 0) {
+                ecdh_c[i][0] = 1;
+                ecdh_c[i][1] = 1;
+            }
+        }
+    }
+    ecdh_c[R_EC_K163][0] = count / 1000;
+    ecdh_c[R_EC_K163][1] = count / 1000;
+    for (i = R_EC_K233; i <= R_EC_K571; i++) {
+        ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
+        ecdh_c[i][1] = ecdh_c[i - 1][1] / 2;
+        if ((ecdh_doit[i] <= 1) && (ecdh_c[i][0] == 0))
+            ecdh_doit[i] = 0;
+        else {
+            if (ecdh_c[i] == 0) {
+                ecdh_c[i][0] = 1;
+                ecdh_c[i][1] = 1;
+            }
+        }
+    }
+    ecdh_c[R_EC_B163][0] = count / 1000;
+    ecdh_c[R_EC_B163][1] = count / 1000;
+    for (i = R_EC_B233; i <= R_EC_B571; i++) {
+        ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
+        ecdh_c[i][1] = ecdh_c[i - 1][1] / 2;
+        if ((ecdh_doit[i] <= 1) && (ecdh_c[i][0] == 0))
+            ecdh_doit[i] = 0;
+        else {
+            if (ecdh_c[i] == 0) {
+                ecdh_c[i][0] = 1;
+                ecdh_c[i][1] = 1;
+            }
+        }
+    }
+#   endif
+
+#   define COND(d) (count < (d))
+#   define COUNT(d) (d)
+#  else
+/* not worth fixing */
+#   error "You cannot disable DES on systems without SIGALRM."
+#  endif                        /* OPENSSL_NO_DES */
+# else
+#  define COND(c) (run && count<0x7fffffff)
+#  define COUNT(d) (count)
+#  ifndef _WIN32
+    signal(SIGALRM, sig_done);
+#  endif
+# endif                         /* SIGALRM */
+
+# ifndef OPENSSL_NO_MD2
+    if (doit[D_MD2]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_MD2], c[D_MD2][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_MD2][j]); count++)
+                EVP_Digest(buf, (unsigned long)lengths[j], &(md2[0]), NULL,
+                           EVP_md2(), NULL);
+            d = Time_F(STOP);
+            print_result(D_MD2, j, count, d);
+        }
+    }
+# endif
+# ifndef OPENSSL_NO_MDC2
+    if (doit[D_MDC2]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_MDC2], c[D_MDC2][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_MDC2][j]); count++)
+                EVP_Digest(buf, (unsigned long)lengths[j], &(mdc2[0]), NULL,
+                           EVP_mdc2(), NULL);
+            d = Time_F(STOP);
+            print_result(D_MDC2, j, count, d);
+        }
+    }
+# endif
+
+# ifndef OPENSSL_NO_MD4
+    if (doit[D_MD4]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_MD4], c[D_MD4][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_MD4][j]); count++)
+                EVP_Digest(&(buf[0]), (unsigned long)lengths[j], &(md4[0]),
+                           NULL, EVP_md4(), NULL);
+            d = Time_F(STOP);
+            print_result(D_MD4, j, count, d);
+        }
+    }
+# endif
+
+# ifndef OPENSSL_NO_MD5
+    if (doit[D_MD5]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_MD5], c[D_MD5][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_MD5][j]); count++)
+                EVP_Digest(&(buf[0]), (unsigned long)lengths[j], &(md5[0]),
+                           NULL, EVP_get_digestbyname("md5"), NULL);
+            d = Time_F(STOP);
+            print_result(D_MD5, j, count, d);
+        }
+    }
+# endif
+
+# if !defined(OPENSSL_NO_MD5) && !defined(OPENSSL_NO_HMAC)
+    if (doit[D_HMAC]) {
+        HMAC_CTX hctx;
+
+        HMAC_CTX_init(&hctx);
+        HMAC_Init_ex(&hctx, (unsigned char *)"This is a key...",
+                     16, EVP_md5(), NULL);
+
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_HMAC], c[D_HMAC][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_HMAC][j]); count++) {
+                HMAC_Init_ex(&hctx, NULL, 0, NULL, NULL);
+                HMAC_Update(&hctx, buf, lengths[j]);
+                HMAC_Final(&hctx, &(hmac[0]), NULL);
+            }
+            d = Time_F(STOP);
+            print_result(D_HMAC, j, count, d);
+        }
+        HMAC_CTX_cleanup(&hctx);
+    }
+# endif
+# ifndef OPENSSL_NO_SHA
+    if (doit[D_SHA1]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_SHA1], c[D_SHA1][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_SHA1][j]); count++)
+                EVP_Digest(buf, (unsigned long)lengths[j], &(sha[0]), NULL,
+                           EVP_sha1(), NULL);
+            d = Time_F(STOP);
+            print_result(D_SHA1, j, count, d);
+        }
+    }
+#  ifndef OPENSSL_NO_SHA256
+    if (doit[D_SHA256]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_SHA256], c[D_SHA256][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_SHA256][j]); count++)
+                SHA256(buf, lengths[j], sha256);
+            d = Time_F(STOP);
+            print_result(D_SHA256, j, count, d);
+        }
+    }
+#  endif
+
+#  ifndef OPENSSL_NO_SHA512
+    if (doit[D_SHA512]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_SHA512], c[D_SHA512][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_SHA512][j]); count++)
+                SHA512(buf, lengths[j], sha512);
+            d = Time_F(STOP);
+            print_result(D_SHA512, j, count, d);
+        }
+    }
+#  endif
+# endif
+
+# ifndef OPENSSL_NO_WHIRLPOOL
+    if (doit[D_WHIRLPOOL]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_WHIRLPOOL], c[D_WHIRLPOOL][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_WHIRLPOOL][j]); count++)
+                WHIRLPOOL(buf, lengths[j], whirlpool);
+            d = Time_F(STOP);
+            print_result(D_WHIRLPOOL, j, count, d);
+        }
+    }
+# endif
+
+# ifndef OPENSSL_NO_RIPEMD
+    if (doit[D_RMD160]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_RMD160], c[D_RMD160][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_RMD160][j]); count++)
+                EVP_Digest(buf, (unsigned long)lengths[j], &(rmd160[0]), NULL,
+                           EVP_ripemd160(), NULL);
+            d = Time_F(STOP);
+            print_result(D_RMD160, j, count, d);
+        }
+    }
+# endif
+# ifndef OPENSSL_NO_RC4
+    if (doit[D_RC4]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_RC4], c[D_RC4][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_RC4][j]); count++)
+                RC4(&rc4_ks, (unsigned int)lengths[j], buf, buf);
+            d = Time_F(STOP);
+            print_result(D_RC4, j, count, d);
+        }
+    }
+# endif
+# ifndef OPENSSL_NO_DES
+    if (doit[D_CBC_DES]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_CBC_DES], c[D_CBC_DES][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_CBC_DES][j]); count++)
+                DES_ncbc_encrypt(buf, buf, lengths[j], &sch,
+                                 &DES_iv, DES_ENCRYPT);
+            d = Time_F(STOP);
+            print_result(D_CBC_DES, j, count, d);
+        }
+    }
+
+    if (doit[D_EDE3_DES]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_EDE3_DES], c[D_EDE3_DES][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_EDE3_DES][j]); count++)
+                DES_ede3_cbc_encrypt(buf, buf, lengths[j],
+                                     &sch, &sch2, &sch3,
+                                     &DES_iv, DES_ENCRYPT);
+            d = Time_F(STOP);
+            print_result(D_EDE3_DES, j, count, d);
+        }
+    }
+# endif
+# ifndef OPENSSL_NO_AES
+    if (doit[D_CBC_128_AES]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_CBC_128_AES], c[D_CBC_128_AES][j],
+                          lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_CBC_128_AES][j]); count++)
+                AES_cbc_encrypt(buf, buf,
+                                (unsigned long)lengths[j], &aes_ks1,
+                                iv, AES_ENCRYPT);
+            d = Time_F(STOP);
+            print_result(D_CBC_128_AES, j, count, d);
+        }
+    }
+    if (doit[D_CBC_192_AES]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_CBC_192_AES], c[D_CBC_192_AES][j],
+                          lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_CBC_192_AES][j]); count++)
+                AES_cbc_encrypt(buf, buf,
+                                (unsigned long)lengths[j], &aes_ks2,
+                                iv, AES_ENCRYPT);
+            d = Time_F(STOP);
+            print_result(D_CBC_192_AES, j, count, d);
+        }
+    }
+    if (doit[D_CBC_256_AES]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_CBC_256_AES], c[D_CBC_256_AES][j],
+                          lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_CBC_256_AES][j]); count++)
+                AES_cbc_encrypt(buf, buf,
+                                (unsigned long)lengths[j], &aes_ks3,
+                                iv, AES_ENCRYPT);
+            d = Time_F(STOP);
+            print_result(D_CBC_256_AES, j, count, d);
+        }
+    }
+
+    if (doit[D_IGE_128_AES]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_IGE_128_AES], c[D_IGE_128_AES][j],
+                          lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_IGE_128_AES][j]); count++)
+                AES_ige_encrypt(buf, buf2,
+                                (unsigned long)lengths[j], &aes_ks1,
+                                iv, AES_ENCRYPT);
+            d = Time_F(STOP);
+            print_result(D_IGE_128_AES, j, count, d);
+        }
+    }
+    if (doit[D_IGE_192_AES]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_IGE_192_AES], c[D_IGE_192_AES][j],
+                          lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_IGE_192_AES][j]); count++)
+                AES_ige_encrypt(buf, buf2,
+                                (unsigned long)lengths[j], &aes_ks2,
+                                iv, AES_ENCRYPT);
+            d = Time_F(STOP);
+            print_result(D_IGE_192_AES, j, count, d);
+        }
+    }
+    if (doit[D_IGE_256_AES]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_IGE_256_AES], c[D_IGE_256_AES][j],
+                          lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_IGE_256_AES][j]); count++)
+                AES_ige_encrypt(buf, buf2,
+                                (unsigned long)lengths[j], &aes_ks3,
+                                iv, AES_ENCRYPT);
+            d = Time_F(STOP);
+            print_result(D_IGE_256_AES, j, count, d);
+        }
+    }
+    if (doit[D_GHASH]) {
+        GCM128_CONTEXT *ctx =
+            CRYPTO_gcm128_new(&aes_ks1, (block128_f) AES_encrypt);
+        CRYPTO_gcm128_setiv(ctx, (unsigned char *)"0123456789ab", 12);
+
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_GHASH], c[D_GHASH][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_GHASH][j]); count++)
+                CRYPTO_gcm128_aad(ctx, buf, lengths[j]);
+            d = Time_F(STOP);
+            print_result(D_GHASH, j, count, d);
+        }
+        CRYPTO_gcm128_release(ctx);
+    }
+# endif
+# ifndef OPENSSL_NO_CAMELLIA
+    if (doit[D_CBC_128_CML]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_CBC_128_CML], c[D_CBC_128_CML][j],
+                          lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_CBC_128_CML][j]); count++)
+                Camellia_cbc_encrypt(buf, buf,
+                                     (unsigned long)lengths[j], &camellia_ks1,
+                                     iv, CAMELLIA_ENCRYPT);
+            d = Time_F(STOP);
+            print_result(D_CBC_128_CML, j, count, d);
+        }
+    }
+    if (doit[D_CBC_192_CML]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_CBC_192_CML], c[D_CBC_192_CML][j],
+                          lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_CBC_192_CML][j]); count++)
+                Camellia_cbc_encrypt(buf, buf,
+                                     (unsigned long)lengths[j], &camellia_ks2,
+                                     iv, CAMELLIA_ENCRYPT);
+            d = Time_F(STOP);
+            print_result(D_CBC_192_CML, j, count, d);
+        }
+    }
+    if (doit[D_CBC_256_CML]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_CBC_256_CML], c[D_CBC_256_CML][j],
+                          lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_CBC_256_CML][j]); count++)
+                Camellia_cbc_encrypt(buf, buf,
+                                     (unsigned long)lengths[j], &camellia_ks3,
+                                     iv, CAMELLIA_ENCRYPT);
+            d = Time_F(STOP);
+            print_result(D_CBC_256_CML, j, count, d);
+        }
+    }
+# endif
+# ifndef OPENSSL_NO_IDEA
+    if (doit[D_CBC_IDEA]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_CBC_IDEA], c[D_CBC_IDEA][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_CBC_IDEA][j]); count++)
+                idea_cbc_encrypt(buf, buf,
+                                 (unsigned long)lengths[j], &idea_ks,
+                                 iv, IDEA_ENCRYPT);
+            d = Time_F(STOP);
+            print_result(D_CBC_IDEA, j, count, d);
+        }
+    }
+# endif
+# ifndef OPENSSL_NO_SEED
+    if (doit[D_CBC_SEED]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_CBC_SEED], c[D_CBC_SEED][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_CBC_SEED][j]); count++)
+                SEED_cbc_encrypt(buf, buf,
+                                 (unsigned long)lengths[j], &seed_ks, iv, 1);
+            d = Time_F(STOP);
+            print_result(D_CBC_SEED, j, count, d);
+        }
+    }
+# endif
+# ifndef OPENSSL_NO_RC2
+    if (doit[D_CBC_RC2]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_CBC_RC2], c[D_CBC_RC2][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_CBC_RC2][j]); count++)
+                RC2_cbc_encrypt(buf, buf,
+                                (unsigned long)lengths[j], &rc2_ks,
+                                iv, RC2_ENCRYPT);
+            d = Time_F(STOP);
+            print_result(D_CBC_RC2, j, count, d);
+        }
+    }
+# endif
+# ifndef OPENSSL_NO_RC5
+    if (doit[D_CBC_RC5]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_CBC_RC5], c[D_CBC_RC5][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_CBC_RC5][j]); count++)
+                RC5_32_cbc_encrypt(buf, buf,
+                                   (unsigned long)lengths[j], &rc5_ks,
+                                   iv, RC5_ENCRYPT);
+            d = Time_F(STOP);
+            print_result(D_CBC_RC5, j, count, d);
+        }
+    }
+# endif
+# ifndef OPENSSL_NO_BF
+    if (doit[D_CBC_BF]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_CBC_BF], c[D_CBC_BF][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_CBC_BF][j]); count++)
+                BF_cbc_encrypt(buf, buf,
+                               (unsigned long)lengths[j], &bf_ks,
+                               iv, BF_ENCRYPT);
+            d = Time_F(STOP);
+            print_result(D_CBC_BF, j, count, d);
+        }
+    }
+# endif
+# ifndef OPENSSL_NO_CAST
+    if (doit[D_CBC_CAST]) {
+        for (j = 0; j < SIZE_NUM; j++) {
+            print_message(names[D_CBC_CAST], c[D_CBC_CAST][j], lengths[j]);
+            Time_F(START);
+            for (count = 0, run = 1; COND(c[D_CBC_CAST][j]); count++)
+                CAST_cbc_encrypt(buf, buf,
+                                 (unsigned long)lengths[j], &cast_ks,
+                                 iv, CAST_ENCRYPT);
+            d = Time_F(STOP);
+            print_result(D_CBC_CAST, j, count, d);
+        }
+    }
+# endif
+
+    if (doit[D_EVP]) {
+# ifdef EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
+        if (multiblock && evp_cipher) {
+            if (!
+                (EVP_CIPHER_flags(evp_cipher) &
+                 EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)) {
+                fprintf(stderr, "%s is not multi-block capable\n",
+                        OBJ_nid2ln(evp_cipher->nid));
+                goto end;
+            }
+            multiblock_speed(evp_cipher);
+            mret = 0;
+            goto end;
+        }
+# endif
+        for (j = 0; j < SIZE_NUM; j++) {
+            if (evp_cipher) {
+                EVP_CIPHER_CTX ctx;
+                int outl;
+
+                names[D_EVP] = OBJ_nid2ln(evp_cipher->nid);
+                /*
+                 * -O3 -fschedule-insns messes up an optimization here!
+                 * names[D_EVP] somehow becomes NULL
+                 */
+                print_message(names[D_EVP], save_count, lengths[j]);
+
+                EVP_CIPHER_CTX_init(&ctx);
+                if (decrypt)
+                    EVP_DecryptInit_ex(&ctx, evp_cipher, NULL, key16, iv);
+                else
+                    EVP_EncryptInit_ex(&ctx, evp_cipher, NULL, key16, iv);
+                EVP_CIPHER_CTX_set_padding(&ctx, 0);
+
+                Time_F(START);
+                if (decrypt)
+                    for (count = 0, run = 1;
+                         COND(save_count * 4 * lengths[0] / lengths[j]);
+                         count++)
+                        EVP_DecryptUpdate(&ctx, buf, &outl, buf, lengths[j]);
+                else
+                    for (count = 0, run = 1;
+                         COND(save_count * 4 * lengths[0] / lengths[j]);
+                         count++)
+                        EVP_EncryptUpdate(&ctx, buf, &outl, buf, lengths[j]);
+                if (decrypt)
+                    EVP_DecryptFinal_ex(&ctx, buf, &outl);
+                else
+                    EVP_EncryptFinal_ex(&ctx, buf, &outl);
+                d = Time_F(STOP);
+                EVP_CIPHER_CTX_cleanup(&ctx);
+            }
+            if (evp_md) {
+                names[D_EVP] = OBJ_nid2ln(evp_md->type);
+                print_message(names[D_EVP], save_count, lengths[j]);
+
+                Time_F(START);
+                for (count = 0, run = 1;
+                     COND(save_count * 4 * lengths[0] / lengths[j]); count++)
+                    EVP_Digest(buf, lengths[j], &(md[0]), NULL, evp_md, NULL);
+
+                d = Time_F(STOP);
+            }
+            print_result(D_EVP, j, count, d);
+        }
+    }
+
+    RAND_pseudo_bytes(buf, 36);
+# ifndef OPENSSL_NO_RSA
+    for (j = 0; j < RSA_NUM; j++) {
+        int ret;
+        if (!rsa_doit[j])
+            continue;
+        ret = RSA_sign(NID_md5_sha1, buf, 36, buf2, &rsa_num, rsa_key[j]);
+        if (ret == 0) {
+            BIO_printf(bio_err,
+                       "RSA sign failure.  No RSA sign will be done.\n");
+            ERR_print_errors(bio_err);
+            rsa_count = 1;
+        } else {
+            pkey_print_message("private", "rsa",
+                               rsa_c[j][0], rsa_bits[j], RSA_SECONDS);
+            /* RSA_blinding_on(rsa_key[j],NULL); */
+            Time_F(START);
+            for (count = 0, run = 1; COND(rsa_c[j][0]); count++) {
+                ret = RSA_sign(NID_md5_sha1, buf, 36, buf2,
+                               &rsa_num, rsa_key[j]);
+                if (ret == 0) {
+                    BIO_printf(bio_err, "RSA sign failure\n");
+                    ERR_print_errors(bio_err);
+                    count = 1;
+                    break;
+                }
+            }
+            d = Time_F(STOP);
+            BIO_printf(bio_err,
+                       mr ? "+R1:%ld:%d:%.2f\n"
+                       : "%ld %d bit private RSA's in %.2fs\n",
+                       count, rsa_bits[j], d);
+            rsa_results[j][0] = d / (double)count;
+            rsa_count = count;
+        }
+
+#  if 1
+        ret = RSA_verify(NID_md5_sha1, buf, 36, buf2, rsa_num, rsa_key[j]);
+        if (ret <= 0) {
+            BIO_printf(bio_err,
+                       "RSA verify failure.  No RSA verify will be done.\n");
+            ERR_print_errors(bio_err);
+            rsa_doit[j] = 0;
+        } else {
+            pkey_print_message("public", "rsa",
+                               rsa_c[j][1], rsa_bits[j], RSA_SECONDS);
+            Time_F(START);
+            for (count = 0, run = 1; COND(rsa_c[j][1]); count++) {
+                ret = RSA_verify(NID_md5_sha1, buf, 36, buf2,
+                                 rsa_num, rsa_key[j]);
+                if (ret <= 0) {
+                    BIO_printf(bio_err, "RSA verify failure\n");
+                    ERR_print_errors(bio_err);
+                    count = 1;
+                    break;
+                }
+            }
+            d = Time_F(STOP);
+            BIO_printf(bio_err,
+                       mr ? "+R2:%ld:%d:%.2f\n"
+                       : "%ld %d bit public RSA's in %.2fs\n",
+                       count, rsa_bits[j], d);
+            rsa_results[j][1] = d / (double)count;
+        }
+#  endif
+
+        if (rsa_count <= 1) {
+            /* if longer than 10s, don't do any more */
+            for (j++; j < RSA_NUM; j++)
+                rsa_doit[j] = 0;
+        }
+    }
+# endif
+
+    RAND_pseudo_bytes(buf, 20);
+# ifndef OPENSSL_NO_DSA
+    if (RAND_status() != 1) {
+        RAND_seed(rnd_seed, sizeof rnd_seed);
+        rnd_fake = 1;
+    }
+    for (j = 0; j < DSA_NUM; j++) {
+        unsigned int kk;
+        int ret;
+
+        if (!dsa_doit[j])
+            continue;
+
+        /* DSA_generate_key(dsa_key[j]); */
+        /* DSA_sign_setup(dsa_key[j],NULL); */
+        ret = DSA_sign(EVP_PKEY_DSA, buf, 20, buf2, &kk, dsa_key[j]);
+        if (ret == 0) {
+            BIO_printf(bio_err,
+                       "DSA sign failure.  No DSA sign will be done.\n");
+            ERR_print_errors(bio_err);
+            rsa_count = 1;
+        } else {
+            pkey_print_message("sign", "dsa",
+                               dsa_c[j][0], dsa_bits[j], DSA_SECONDS);
+            Time_F(START);
+            for (count = 0, run = 1; COND(dsa_c[j][0]); count++) {
+                ret = DSA_sign(EVP_PKEY_DSA, buf, 20, buf2, &kk, dsa_key[j]);
+                if (ret == 0) {
+                    BIO_printf(bio_err, "DSA sign failure\n");
+                    ERR_print_errors(bio_err);
+                    count = 1;
+                    break;
+                }
+            }
+            d = Time_F(STOP);
+            BIO_printf(bio_err,
+                       mr ? "+R3:%ld:%d:%.2f\n"
+                       : "%ld %d bit DSA signs in %.2fs\n",
+                       count, dsa_bits[j], d);
+            dsa_results[j][0] = d / (double)count;
+            rsa_count = count;
+        }
+
+        ret = DSA_verify(EVP_PKEY_DSA, buf, 20, buf2, kk, dsa_key[j]);
+        if (ret <= 0) {
+            BIO_printf(bio_err,
+                       "DSA verify failure.  No DSA verify will be done.\n");
+            ERR_print_errors(bio_err);
+            dsa_doit[j] = 0;
+        } else {
+            pkey_print_message("verify", "dsa",
+                               dsa_c[j][1], dsa_bits[j], DSA_SECONDS);
+            Time_F(START);
+            for (count = 0, run = 1; COND(dsa_c[j][1]); count++) {
+                ret = DSA_verify(EVP_PKEY_DSA, buf, 20, buf2, kk, dsa_key[j]);
+                if (ret <= 0) {
+                    BIO_printf(bio_err, "DSA verify failure\n");
+                    ERR_print_errors(bio_err);
+                    count = 1;
+                    break;
+                }
+            }
+            d = Time_F(STOP);
+            BIO_printf(bio_err,
+                       mr ? "+R4:%ld:%d:%.2f\n"
+                       : "%ld %d bit DSA verify in %.2fs\n",
+                       count, dsa_bits[j], d);
+            dsa_results[j][1] = d / (double)count;
+        }
+
+        if (rsa_count <= 1) {
+            /* if longer than 10s, don't do any more */
+            for (j++; j < DSA_NUM; j++)
+                dsa_doit[j] = 0;
+        }
+    }
+    if (rnd_fake)
+        RAND_cleanup();
+# endif
+
+# ifndef OPENSSL_NO_ECDSA
+    if (RAND_status() != 1) {
+        RAND_seed(rnd_seed, sizeof rnd_seed);
+        rnd_fake = 1;
+    }
+    for (j = 0; j < EC_NUM; j++) {
+        int ret;
+
+        if (!ecdsa_doit[j])
+            continue;           /* Ignore Curve */
+        ecdsa[j] = EC_KEY_new_by_curve_name(test_curves[j]);
+        if (ecdsa[j] == NULL) {
+            BIO_printf(bio_err, "ECDSA failure.\n");
+            ERR_print_errors(bio_err);
+            rsa_count = 1;
+        } else {
+#  if 1
+            EC_KEY_precompute_mult(ecdsa[j], NULL);
+#  endif
+            /* Perform ECDSA signature test */
+            EC_KEY_generate_key(ecdsa[j]);
+            ret = ECDSA_sign(0, buf, 20, ecdsasig, &ecdsasiglen, ecdsa[j]);
+            if (ret == 0) {
+                BIO_printf(bio_err,
+                           "ECDSA sign failure.  No ECDSA sign will be done.\n");
+                ERR_print_errors(bio_err);
+                rsa_count = 1;
+            } else {
+                pkey_print_message("sign", "ecdsa",
+                                   ecdsa_c[j][0],
+                                   test_curves_bits[j], ECDSA_SECONDS);
+
+                Time_F(START);
+                for (count = 0, run = 1; COND(ecdsa_c[j][0]); count++) {
+                    ret = ECDSA_sign(0, buf, 20,
+                                     ecdsasig, &ecdsasiglen, ecdsa[j]);
+                    if (ret == 0) {
+                        BIO_printf(bio_err, "ECDSA sign failure\n");
+                        ERR_print_errors(bio_err);
+                        count = 1;
+                        break;
+                    }
+                }
+                d = Time_F(STOP);
+
+                BIO_printf(bio_err,
+                           mr ? "+R5:%ld:%d:%.2f\n" :
+                           "%ld %d bit ECDSA signs in %.2fs \n",
+                           count, test_curves_bits[j], d);
+                ecdsa_results[j][0] = d / (double)count;
+                rsa_count = count;
+            }
+
+            /* Perform ECDSA verification test */
+            ret = ECDSA_verify(0, buf, 20, ecdsasig, ecdsasiglen, ecdsa[j]);
+            if (ret != 1) {
+                BIO_printf(bio_err,
+                           "ECDSA verify failure.  No ECDSA verify will be done.\n");
+                ERR_print_errors(bio_err);
+                ecdsa_doit[j] = 0;
+            } else {
+                pkey_print_message("verify", "ecdsa",
+                                   ecdsa_c[j][1],
+                                   test_curves_bits[j], ECDSA_SECONDS);
+                Time_F(START);
+                for (count = 0, run = 1; COND(ecdsa_c[j][1]); count++) {
+                    ret =
+                        ECDSA_verify(0, buf, 20, ecdsasig, ecdsasiglen,
+                                     ecdsa[j]);
+                    if (ret != 1) {
+                        BIO_printf(bio_err, "ECDSA verify failure\n");
+                        ERR_print_errors(bio_err);
+                        count = 1;
+                        break;
+                    }
+                }
+                d = Time_F(STOP);
+                BIO_printf(bio_err,
+                           mr ? "+R6:%ld:%d:%.2f\n"
+                           : "%ld %d bit ECDSA verify in %.2fs\n",
+                           count, test_curves_bits[j], d);
+                ecdsa_results[j][1] = d / (double)count;
+            }
+
+            if (rsa_count <= 1) {
+                /* if longer than 10s, don't do any more */
+                for (j++; j < EC_NUM; j++)
+                    ecdsa_doit[j] = 0;
+            }
+        }
+    }
+    if (rnd_fake)
+        RAND_cleanup();
+# endif
+
+# ifndef OPENSSL_NO_ECDH
+    if (RAND_status() != 1) {
+        RAND_seed(rnd_seed, sizeof rnd_seed);
+        rnd_fake = 1;
+    }
+    for (j = 0; j < EC_NUM; j++) {
+        if (!ecdh_doit[j])
+            continue;
+        ecdh_a[j] = EC_KEY_new_by_curve_name(test_curves[j]);
+        ecdh_b[j] = EC_KEY_new_by_curve_name(test_curves[j]);
+        if ((ecdh_a[j] == NULL) || (ecdh_b[j] == NULL)) {
+            BIO_printf(bio_err, "ECDH failure.\n");
+            ERR_print_errors(bio_err);
+            rsa_count = 1;
+        } else {
+            /* generate two ECDH key pairs */
+            if (!EC_KEY_generate_key(ecdh_a[j]) ||
+                !EC_KEY_generate_key(ecdh_b[j])) {
+                BIO_printf(bio_err, "ECDH key generation failure.\n");
+                ERR_print_errors(bio_err);
+                rsa_count = 1;
+            } else {
+                /*
+                 * If field size is not more than 24 octets, then use SHA-1
+                 * hash of result; otherwise, use result (see section 4.8 of
+                 * draft-ietf-tls-ecc-03.txt).
+                 */
+                int field_size, outlen;
+                void *(*kdf) (const void *in, size_t inlen, void *out,
+                              size_t *xoutlen);
+                field_size =
+                    EC_GROUP_get_degree(EC_KEY_get0_group(ecdh_a[j]));
+                if (field_size <= 24 * 8) {
+                    outlen = KDF1_SHA1_len;
+                    kdf = KDF1_SHA1;
+                } else {
+                    outlen = (field_size + 7) / 8;
+                    kdf = NULL;
+                }
+                secret_size_a =
+                    ECDH_compute_key(secret_a, outlen,
+                                     EC_KEY_get0_public_key(ecdh_b[j]),
+                                     ecdh_a[j], kdf);
+                secret_size_b =
+                    ECDH_compute_key(secret_b, outlen,
+                                     EC_KEY_get0_public_key(ecdh_a[j]),
+                                     ecdh_b[j], kdf);
+                if (secret_size_a != secret_size_b)
+                    ecdh_checks = 0;
+                else
+                    ecdh_checks = 1;
+
+                for (secret_idx = 0; (secret_idx < secret_size_a)
+                     && (ecdh_checks == 1); secret_idx++) {
+                    if (secret_a[secret_idx] != secret_b[secret_idx])
+                        ecdh_checks = 0;
+                }
+
+                if (ecdh_checks == 0) {
+                    BIO_printf(bio_err, "ECDH computations don't match.\n");
+                    ERR_print_errors(bio_err);
+                    rsa_count = 1;
+                }
+
+                pkey_print_message("", "ecdh",
+                                   ecdh_c[j][0],
+                                   test_curves_bits[j], ECDH_SECONDS);
+                Time_F(START);
+                for (count = 0, run = 1; COND(ecdh_c[j][0]); count++) {
+                    ECDH_compute_key(secret_a, outlen,
+                                     EC_KEY_get0_public_key(ecdh_b[j]),
+                                     ecdh_a[j], kdf);
+                }
+                d = Time_F(STOP);
+                BIO_printf(bio_err,
+                           mr ? "+R7:%ld:%d:%.2f\n" :
+                           "%ld %d-bit ECDH ops in %.2fs\n", count,
+                           test_curves_bits[j], d);
+                ecdh_results[j][0] = d / (double)count;
+                rsa_count = count;
+            }
+        }
+
+        if (rsa_count <= 1) {
+            /* if longer than 10s, don't do any more */
+            for (j++; j < EC_NUM; j++)
+                ecdh_doit[j] = 0;
+        }
+    }
+    if (rnd_fake)
+        RAND_cleanup();
+# endif
+# ifndef NO_FORK
+ show_res:
+# endif
+    if (!mr) {
+        fprintf(stdout, "%s\n", SSLeay_version(SSLEAY_VERSION));
+        fprintf(stdout, "%s\n", SSLeay_version(SSLEAY_BUILT_ON));
+        printf("options:");
+        printf("%s ", BN_options());
+# ifndef OPENSSL_NO_MD2
+        printf("%s ", MD2_options());
+# endif
+# ifndef OPENSSL_NO_RC4
+        printf("%s ", RC4_options());
+# endif
+# ifndef OPENSSL_NO_DES
+        printf("%s ", DES_options());
+# endif
+# ifndef OPENSSL_NO_AES
+        printf("%s ", AES_options());
+# endif
+# ifndef OPENSSL_NO_IDEA
+        printf("%s ", idea_options());
+# endif
+# ifndef OPENSSL_NO_BF
+        printf("%s ", BF_options());
+# endif
+        fprintf(stdout, "\n%s\n", SSLeay_version(SSLEAY_CFLAGS));
+    }
+
+    if (pr_header) {
+        if (mr)
+            fprintf(stdout, "+H");
+        else {
+            fprintf(stdout,
+                    "The 'numbers' are in 1000s of bytes per second processed.\n");
+            fprintf(stdout, "type        ");
+        }
+        for (j = 0; j < SIZE_NUM; j++)
+            fprintf(stdout, mr ? ":%d" : "%7d bytes", lengths[j]);
+        fprintf(stdout, "\n");
+    }
+
+    for (k = 0; k < ALGOR_NUM; k++) {
+        if (!doit[k])
+            continue;
+        if (mr)
+            fprintf(stdout, "+F:%d:%s", k, names[k]);
+        else
+            fprintf(stdout, "%-13s", names[k]);
+        for (j = 0; j < SIZE_NUM; j++) {
+            if (results[k][j] > 10000 && !mr)
+                fprintf(stdout, " %11.2fk", results[k][j] / 1e3);
+            else
+                fprintf(stdout, mr ? ":%.2f" : " %11.2f ", results[k][j]);
+        }
+        fprintf(stdout, "\n");
+    }
+# ifndef OPENSSL_NO_RSA
+    j = 1;
+    for (k = 0; k < RSA_NUM; k++) {
+        if (!rsa_doit[k])
+            continue;
+        if (j && !mr) {
+            printf("%18ssign    verify    sign/s verify/s\n", " ");
+            j = 0;
+        }
+        if (mr)
+            fprintf(stdout, "+F2:%u:%u:%f:%f\n",
+                    k, rsa_bits[k], rsa_results[k][0], rsa_results[k][1]);
+        else
+            fprintf(stdout, "rsa %4u bits %8.6fs %8.6fs %8.1f %8.1f\n",
+                    rsa_bits[k], rsa_results[k][0], rsa_results[k][1],
+                    1.0 / rsa_results[k][0], 1.0 / rsa_results[k][1]);
+    }
+# endif
+# ifndef OPENSSL_NO_DSA
+    j = 1;
+    for (k = 0; k < DSA_NUM; k++) {
+        if (!dsa_doit[k])
+            continue;
+        if (j && !mr) {
+            printf("%18ssign    verify    sign/s verify/s\n", " ");
+            j = 0;
+        }
+        if (mr)
+            fprintf(stdout, "+F3:%u:%u:%f:%f\n",
+                    k, dsa_bits[k], dsa_results[k][0], dsa_results[k][1]);
+        else
+            fprintf(stdout, "dsa %4u bits %8.6fs %8.6fs %8.1f %8.1f\n",
+                    dsa_bits[k], dsa_results[k][0], dsa_results[k][1],
+                    1.0 / dsa_results[k][0], 1.0 / dsa_results[k][1]);
+    }
+# endif
+# ifndef OPENSSL_NO_ECDSA
+    j = 1;
+    for (k = 0; k < EC_NUM; k++) {
+        if (!ecdsa_doit[k])
+            continue;
+        if (j && !mr) {
+            printf("%30ssign    verify    sign/s verify/s\n", " ");
+            j = 0;
+        }
+
+        if (mr)
+            fprintf(stdout, "+F4:%u:%u:%f:%f\n",
+                    k, test_curves_bits[k],
+                    ecdsa_results[k][0], ecdsa_results[k][1]);
+        else
+            fprintf(stdout,
+                    "%4u bit ecdsa (%s) %8.4fs %8.4fs %8.1f %8.1f\n",
+                    test_curves_bits[k],
+                    test_curves_names[k],
+                    ecdsa_results[k][0], ecdsa_results[k][1],
+                    1.0 / ecdsa_results[k][0], 1.0 / ecdsa_results[k][1]);
+    }
+# endif
+
+# ifndef OPENSSL_NO_ECDH
+    j = 1;
+    for (k = 0; k < EC_NUM; k++) {
+        if (!ecdh_doit[k])
+            continue;
+        if (j && !mr) {
+            printf("%30sop      op/s\n", " ");
+            j = 0;
+        }
+        if (mr)
+            fprintf(stdout, "+F5:%u:%u:%f:%f\n",
+                    k, test_curves_bits[k],
+                    ecdh_results[k][0], 1.0 / ecdh_results[k][0]);
+
+        else
+            fprintf(stdout, "%4u bit ecdh (%s) %8.4fs %8.1f\n",
+                    test_curves_bits[k],
+                    test_curves_names[k],
+                    ecdh_results[k][0], 1.0 / ecdh_results[k][0]);
+    }
+# endif
+
+    mret = 0;
+
+ end:
+    ERR_print_errors(bio_err);
+    if (buf != NULL)
+        OPENSSL_free(buf);
+    if (buf2 != NULL)
+        OPENSSL_free(buf2);
+# ifndef OPENSSL_NO_RSA
+    for (i = 0; i < RSA_NUM; i++)
+        if (rsa_key[i] != NULL)
+            RSA_free(rsa_key[i]);
+# endif
+# ifndef OPENSSL_NO_DSA
+    for (i = 0; i < DSA_NUM; i++)
+        if (dsa_key[i] != NULL)
+            DSA_free(dsa_key[i]);
+# endif
+
+# ifndef OPENSSL_NO_ECDSA
+    for (i = 0; i < EC_NUM; i++)
+        if (ecdsa[i] != NULL)
+            EC_KEY_free(ecdsa[i]);
+# endif
+# ifndef OPENSSL_NO_ECDH
+    for (i = 0; i < EC_NUM; i++) {
+        if (ecdh_a[i] != NULL)
+            EC_KEY_free(ecdh_a[i]);
+        if (ecdh_b[i] != NULL)
+            EC_KEY_free(ecdh_b[i]);
+    }
+# endif
+
+    release_engine(e);
+    apps_shutdown();
+    OPENSSL_EXIT(mret);
+}
+
+static void print_message(const char *s, long num, int length)
+{
+# ifdef SIGALRM
+    BIO_printf(bio_err,
+               mr ? "+DT:%s:%d:%d\n"
+               : "Doing %s for %ds on %d size blocks: ", s, SECONDS, length);
+    (void)BIO_flush(bio_err);
+    alarm(SECONDS);
+# else
+    BIO_printf(bio_err,
+               mr ? "+DN:%s:%ld:%d\n"
+               : "Doing %s %ld times on %d size blocks: ", s, num, length);
+    (void)BIO_flush(bio_err);
+# endif
+# ifdef LINT
+    num = num;
+# endif
+}
+
+static void pkey_print_message(const char *str, const char *str2, long num,
+                               int bits, int tm)
+{
+# ifdef SIGALRM
+    BIO_printf(bio_err,
+               mr ? "+DTP:%d:%s:%s:%d\n"
+               : "Doing %d bit %s %s's for %ds: ", bits, str, str2, tm);
+    (void)BIO_flush(bio_err);
+    alarm(tm);
+# else
+    BIO_printf(bio_err,
+               mr ? "+DNP:%ld:%d:%s:%s\n"
+               : "Doing %ld %d bit %s %s's: ", num, bits, str, str2);
+    (void)BIO_flush(bio_err);
+# endif
+# ifdef LINT
+    num = num;
+# endif
+}
+
+static void print_result(int alg, int run_no, int count, double time_used)
+{
+    BIO_printf(bio_err,
+               mr ? "+R:%d:%s:%f\n"
+               : "%d %s's in %.2fs\n", count, names[alg], time_used);
+    results[alg][run_no] = ((double)count) / time_used * lengths[run_no];
+}
+
+# ifndef NO_FORK
+static char *sstrsep(char **string, const char *delim)
+{
+    char isdelim[256];
+    char *token = *string;
+
+    if (**string == 0)
+        return NULL;
+
+    memset(isdelim, 0, sizeof isdelim);
+    isdelim[0] = 1;
+
+    while (*delim) {
+        isdelim[(unsigned char)(*delim)] = 1;
+        delim++;
+    }
+
+    while (!isdelim[(unsigned char)(**string)]) {
+        (*string)++;
+    }
+
+    if (**string) {
+        **string = 0;
+        (*string)++;
+    }
+
+    return token;
+}
+
+static int do_multi(int multi)
+{
+    int n;
+    int fd[2];
+    int *fds;
+    static char sep[] = ":";
+
+    fds = malloc(multi * sizeof *fds);
+    if (fds == NULL) {
+        fprintf(stderr, "Out of memory in speed (do_multi)\n");
+        exit(1);
+    }
+    for (n = 0; n < multi; ++n) {
+        if (pipe(fd) == -1) {
+            fprintf(stderr, "pipe failure\n");
+            exit(1);
+        }
+        fflush(stdout);
+        fflush(stderr);
+        if (fork()) {
+            close(fd[1]);
+            fds[n] = fd[0];
+        } else {
+            close(fd[0]);
+            close(1);
+            if (dup(fd[1]) == -1) {
+                fprintf(stderr, "dup failed\n");
+                exit(1);
+            }
+            close(fd[1]);
+            mr = 1;
+            usertime = 0;
+            free(fds);
+            return 0;
+        }
+        printf("Forked child %d\n", n);
+    }
+
+    /* for now, assume the pipe is long enough to take all the output */
+    for (n = 0; n < multi; ++n) {
+        FILE *f;
+        char buf[1024];
+        char *p;
+
+        f = fdopen(fds[n], "r");
+        while (fgets(buf, sizeof buf, f)) {
+            p = strchr(buf, '\n');
+            if (p)
+                *p = '\0';
+            if (buf[0] != '+') {
+                fprintf(stderr, "Don't understand line '%s' from child %d\n",
+                        buf, n);
+                continue;
+            }
+            printf("Got: %s from %d\n", buf, n);
+            if (!strncmp(buf, "+F:", 3)) {
+                int alg;
+                int j;
+
+                p = buf + 3;
+                alg = atoi(sstrsep(&p, sep));
+                sstrsep(&p, sep);
+                for (j = 0; j < SIZE_NUM; ++j)
+                    results[alg][j] += atof(sstrsep(&p, sep));
+            } else if (!strncmp(buf, "+F2:", 4)) {
+                int k;
+                double d;
+
+                p = buf + 4;
+                k = atoi(sstrsep(&p, sep));
+                sstrsep(&p, sep);
+
+                d = atof(sstrsep(&p, sep));
+                if (n)
+                    rsa_results[k][0] = 1 / (1 / rsa_results[k][0] + 1 / d);
+                else
+                    rsa_results[k][0] = d;
+
+                d = atof(sstrsep(&p, sep));
+                if (n)
+                    rsa_results[k][1] = 1 / (1 / rsa_results[k][1] + 1 / d);
+                else
+                    rsa_results[k][1] = d;
+            }
+#  ifndef OPENSSL_NO_DSA
+            else if (!strncmp(buf, "+F3:", 4)) {
+                int k;
+                double d;
+
+                p = buf + 4;
+                k = atoi(sstrsep(&p, sep));
+                sstrsep(&p, sep);
+
+                d = atof(sstrsep(&p, sep));
+                if (n)
+                    dsa_results[k][0] = 1 / (1 / dsa_results[k][0] + 1 / d);
+                else
+                    dsa_results[k][0] = d;
+
+                d = atof(sstrsep(&p, sep));
+                if (n)
+                    dsa_results[k][1] = 1 / (1 / dsa_results[k][1] + 1 / d);
+                else
+                    dsa_results[k][1] = d;
+            }
+#  endif
+#  ifndef OPENSSL_NO_ECDSA
+            else if (!strncmp(buf, "+F4:", 4)) {
+                int k;
+                double d;
+
+                p = buf + 4;
+                k = atoi(sstrsep(&p, sep));
+                sstrsep(&p, sep);
+
+                d = atof(sstrsep(&p, sep));
+                if (n)
+                    ecdsa_results[k][0] =
+                        1 / (1 / ecdsa_results[k][0] + 1 / d);
+                else
+                    ecdsa_results[k][0] = d;
+
+                d = atof(sstrsep(&p, sep));
+                if (n)
+                    ecdsa_results[k][1] =
+                        1 / (1 / ecdsa_results[k][1] + 1 / d);
+                else
+                    ecdsa_results[k][1] = d;
+            }
+#  endif
+
+#  ifndef OPENSSL_NO_ECDH
+            else if (!strncmp(buf, "+F5:", 4)) {
+                int k;
+                double d;
+
+                p = buf + 4;
+                k = atoi(sstrsep(&p, sep));
+                sstrsep(&p, sep);
+
+                d = atof(sstrsep(&p, sep));
+                if (n)
+                    ecdh_results[k][0] = 1 / (1 / ecdh_results[k][0] + 1 / d);
+                else
+                    ecdh_results[k][0] = d;
+
+            }
+#  endif
+
+            else if (!strncmp(buf, "+H:", 3)) {
+            } else
+                fprintf(stderr, "Unknown type '%s' from child %d\n", buf, n);
+        }
+
+        fclose(f);
+    }
+    free(fds);
+    return 1;
+}
+# endif
+
+static void multiblock_speed(const EVP_CIPHER *evp_cipher)
+{
+    static int mblengths[] =
+        { 8 * 1024, 2 * 8 * 1024, 4 * 8 * 1024, 8 * 8 * 1024, 8 * 16 * 1024 };
+    int j, count, num = sizeof(lengths) / sizeof(lengths[0]);
+    const char *alg_name;
+    unsigned char *inp, *out, no_key[32], no_iv[16];
+    EVP_CIPHER_CTX ctx;
+    double d = 0.0;
+
+    inp = OPENSSL_malloc(mblengths[num - 1]);
+    out = OPENSSL_malloc(mblengths[num - 1] + 1024);
+    if (!inp || !out) {
+        BIO_printf(bio_err,"Out of memory\n");
+        goto end;
+    }
+
+
+    EVP_CIPHER_CTX_init(&ctx);
+    EVP_EncryptInit_ex(&ctx, evp_cipher, NULL, no_key, no_iv);
+    EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_AEAD_SET_MAC_KEY, sizeof(no_key),
+                        no_key);
+    alg_name = OBJ_nid2ln(evp_cipher->nid);
+
+    for (j = 0; j < num; j++) {
+        print_message(alg_name, 0, mblengths[j]);
+        Time_F(START);
+        for (count = 0, run = 1; run && count < 0x7fffffff; count++) {
+            unsigned char aad[EVP_AEAD_TLS1_AAD_LEN];
+            EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param;
+            size_t len = mblengths[j];
+            int packlen;
+
+            memset(aad, 0, 8);  /* avoid uninitialized values */
+            aad[8] = 23;        /* SSL3_RT_APPLICATION_DATA */
+            aad[9] = 3;         /* version */
+            aad[10] = 2;
+            aad[11] = 0;        /* length */
+            aad[12] = 0;
+            mb_param.out = NULL;
+            mb_param.inp = aad;
+            mb_param.len = len;
+            mb_param.interleave = 8;
+
+            packlen = EVP_CIPHER_CTX_ctrl(&ctx,
+                                          EVP_CTRL_TLS1_1_MULTIBLOCK_AAD,
+                                          sizeof(mb_param), &mb_param);
+
+            if (packlen > 0) {
+                mb_param.out = out;
+                mb_param.inp = inp;
+                mb_param.len = len;
+                EVP_CIPHER_CTX_ctrl(&ctx,
+                                    EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT,
+                                    sizeof(mb_param), &mb_param);
+            } else {
+                int pad;
+
+                RAND_bytes(out, 16);
+                len += 16;
+                aad[11] = len >> 8;
+                aad[12] = len;
+                pad = EVP_CIPHER_CTX_ctrl(&ctx,
+                                          EVP_CTRL_AEAD_TLS1_AAD,
+                                          EVP_AEAD_TLS1_AAD_LEN, aad);
+                EVP_Cipher(&ctx, out, inp, len + pad);
+            }
+        }
+        d = Time_F(STOP);
+        BIO_printf(bio_err,
+                   mr ? "+R:%d:%s:%f\n"
+                   : "%d %s's in %.2fs\n", count, "evp", d);
+        results[D_EVP][j] = ((double)count) / d * mblengths[j];
+    }
+
+    if (mr) {
+        fprintf(stdout, "+H");
+        for (j = 0; j < num; j++)
+            fprintf(stdout, ":%d", mblengths[j]);
+        fprintf(stdout, "\n");
+        fprintf(stdout, "+F:%d:%s", D_EVP, alg_name);
+        for (j = 0; j < num; j++)
+            fprintf(stdout, ":%.2f", results[D_EVP][j]);
+        fprintf(stdout, "\n");
+    } else {
+        fprintf(stdout,
+                "The 'numbers' are in 1000s of bytes per second processed.\n");
+        fprintf(stdout, "type                    ");
+        for (j = 0; j < num; j++)
+            fprintf(stdout, "%7d bytes", mblengths[j]);
+        fprintf(stdout, "\n");
+        fprintf(stdout, "%-24s", alg_name);
+
+        for (j = 0; j < num; j++) {
+            if (results[D_EVP][j] > 10000)
+                fprintf(stdout, " %11.2fk", results[D_EVP][j] / 1e3);
+            else
+                fprintf(stdout, " %11.2f ", results[D_EVP][j]);
+        }
+        fprintf(stdout, "\n");
+    }
+
+end:
+    if (inp)
+        OPENSSL_free(inp);
+    if (out)
+        OPENSSL_free(out);
+}
+#endif
diff --git a/openssl/apps/spkac.c b/openssl/apps/spkac.c
new file mode 100644
index 0000000..7f5333f
--- /dev/null
+++ b/openssl/apps/spkac.c
@@ -0,0 +1,309 @@
+/* apps/spkac.c */
+
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999. Based on an original idea by Massimiliano Pala (madwolf@openca.org).
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/lhash.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#undef PROG
+#define PROG    spkac_main
+
+/*-
+ * -in arg      - input file - default stdin
+ * -out arg     - output file - default stdout
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    ENGINE *e = NULL;
+    int i, badops = 0, ret = 1;
+    BIO *in = NULL, *out = NULL;
+    int verify = 0, noout = 0, pubkey = 0;
+    char *infile = NULL, *outfile = NULL, *prog;
+    char *passargin = NULL, *passin = NULL;
+    const char *spkac = "SPKAC", *spksect = "default";
+    char *spkstr = NULL;
+    char *challenge = NULL, *keyfile = NULL;
+    CONF *conf = NULL;
+    NETSCAPE_SPKI *spki = NULL;
+    EVP_PKEY *pkey = NULL;
+    char *engine = NULL;
+
+    apps_startup();
+
+    if (!bio_err)
+        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    prog = argv[0];
+    argc--;
+    argv++;
+    while (argc >= 1) {
+        if (strcmp(*argv, "-in") == 0) {
+            if (--argc < 1)
+                goto bad;
+            infile = *(++argv);
+        } else if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outfile = *(++argv);
+        } else if (strcmp(*argv, "-passin") == 0) {
+            if (--argc < 1)
+                goto bad;
+            passargin = *(++argv);
+        } else if (strcmp(*argv, "-key") == 0) {
+            if (--argc < 1)
+                goto bad;
+            keyfile = *(++argv);
+        } else if (strcmp(*argv, "-challenge") == 0) {
+            if (--argc < 1)
+                goto bad;
+            challenge = *(++argv);
+        } else if (strcmp(*argv, "-spkac") == 0) {
+            if (--argc < 1)
+                goto bad;
+            spkac = *(++argv);
+        } else if (strcmp(*argv, "-spksect") == 0) {
+            if (--argc < 1)
+                goto bad;
+            spksect = *(++argv);
+        }
+#ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            engine = *(++argv);
+        }
+#endif
+        else if (strcmp(*argv, "-noout") == 0)
+            noout = 1;
+        else if (strcmp(*argv, "-pubkey") == 0)
+            pubkey = 1;
+        else if (strcmp(*argv, "-verify") == 0)
+            verify = 1;
+        else
+            badops = 1;
+        argc--;
+        argv++;
+    }
+
+    if (badops) {
+ bad:
+        BIO_printf(bio_err, "%s [options]\n", prog);
+        BIO_printf(bio_err, "where options are\n");
+        BIO_printf(bio_err, " -in arg        input file\n");
+        BIO_printf(bio_err, " -out arg       output file\n");
+        BIO_printf(bio_err,
+                   " -key arg       create SPKAC using private key\n");
+        BIO_printf(bio_err,
+                   " -passin arg    input file pass phrase source\n");
+        BIO_printf(bio_err, " -challenge arg challenge string\n");
+        BIO_printf(bio_err, " -spkac arg     alternative SPKAC name\n");
+        BIO_printf(bio_err, " -noout         don't print SPKAC\n");
+        BIO_printf(bio_err, " -pubkey        output public key\n");
+        BIO_printf(bio_err, " -verify        verify SPKAC signature\n");
+#ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err,
+                   " -engine e      use engine e, possibly a hardware device.\n");
+#endif
+        goto end;
+    }
+
+    ERR_load_crypto_strings();
+    if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+        BIO_printf(bio_err, "Error getting password\n");
+        goto end;
+    }
+    e = setup_engine(bio_err, engine, 0);
+
+    if (keyfile) {
+        pkey = load_key(bio_err,
+                        strcmp(keyfile, "-") ? keyfile : NULL,
+                        FORMAT_PEM, 1, passin, e, "private key");
+        if (!pkey) {
+            goto end;
+        }
+        spki = NETSCAPE_SPKI_new();
+        if (challenge)
+            ASN1_STRING_set(spki->spkac->challenge,
+                            challenge, (int)strlen(challenge));
+        NETSCAPE_SPKI_set_pubkey(spki, pkey);
+        NETSCAPE_SPKI_sign(spki, pkey, EVP_md5());
+        spkstr = NETSCAPE_SPKI_b64_encode(spki);
+
+        if (outfile)
+            out = BIO_new_file(outfile, "w");
+        else {
+            out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+            {
+                BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+                out = BIO_push(tmpbio, out);
+            }
+#endif
+        }
+
+        if (!out) {
+            BIO_printf(bio_err, "Error opening output file\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        BIO_printf(out, "SPKAC=%s\n", spkstr);
+        OPENSSL_free(spkstr);
+        ret = 0;
+        goto end;
+    }
+
+    if (infile)
+        in = BIO_new_file(infile, "r");
+    else
+        in = BIO_new_fp(stdin, BIO_NOCLOSE);
+
+    if (!in) {
+        BIO_printf(bio_err, "Error opening input file\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    conf = NCONF_new(NULL);
+    i = NCONF_load_bio(conf, in, NULL);
+
+    if (!i) {
+        BIO_printf(bio_err, "Error parsing config file\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    spkstr = NCONF_get_string(conf, spksect, spkac);
+
+    if (!spkstr) {
+        BIO_printf(bio_err, "Can't find SPKAC called \"%s\"\n", spkac);
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    spki = NETSCAPE_SPKI_b64_decode(spkstr, -1);
+
+    if (!spki) {
+        BIO_printf(bio_err, "Error loading SPKAC\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (outfile)
+        out = BIO_new_file(outfile, "w");
+    else {
+        out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+        {
+            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            out = BIO_push(tmpbio, out);
+        }
+#endif
+    }
+
+    if (!out) {
+        BIO_printf(bio_err, "Error opening output file\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (!noout)
+        NETSCAPE_SPKI_print(out, spki);
+    pkey = NETSCAPE_SPKI_get_pubkey(spki);
+    if (verify) {
+        i = NETSCAPE_SPKI_verify(spki, pkey);
+        if (i > 0)
+            BIO_printf(bio_err, "Signature OK\n");
+        else {
+            BIO_printf(bio_err, "Signature Failure\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+    if (pubkey)
+        PEM_write_bio_PUBKEY(out, pkey);
+
+    ret = 0;
+
+ end:
+    NCONF_free(conf);
+    NETSCAPE_SPKI_free(spki);
+    BIO_free(in);
+    BIO_free_all(out);
+    EVP_PKEY_free(pkey);
+    release_engine(e);
+    if (passin)
+        OPENSSL_free(passin);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
diff --git a/openssl/apps/srp.c b/openssl/apps/srp.c
new file mode 100644
index 0000000..37341a5
--- /dev/null
+++ b/openssl/apps/srp.c
@@ -0,0 +1,768 @@
+/* apps/srp.c */
+/*
+ * Written by Peter Sylvester (peter.sylvester@edelweb.fr) for the EdelKey
+ * project and contributed to the OpenSSL project 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_SRP
+# include <stdio.h>
+# include <stdlib.h>
+# include <string.h>
+# include <openssl/conf.h>
+# include <openssl/bio.h>
+# include <openssl/err.h>
+# include <openssl/txt_db.h>
+# include <openssl/buffer.h>
+# include <openssl/srp.h>
+
+# include "apps.h"
+
+# undef PROG
+# define PROG srp_main
+
+# define BASE_SECTION    "srp"
+# define CONFIG_FILE "openssl.cnf"
+
+# define ENV_RANDFILE            "RANDFILE"
+
+# define ENV_DATABASE            "srpvfile"
+# define ENV_DEFAULT_SRP         "default_srp"
+
+static char *srp_usage[] = {
+    "usage: srp [args] [user] \n",
+    "\n",
+    " -verbose        Talk alot while doing things\n",
+    " -config file    A config file\n",
+    " -name arg       The particular srp definition to use\n",
+    " -srpvfile arg   The srp verifier file name\n",
+    " -add            add an user and srp verifier\n",
+    " -modify         modify the srp verifier of an existing user\n",
+    " -delete         delete user from verifier file\n",
+    " -list           list user\n",
+    " -gn arg         g and N values to be used for new verifier\n",
+    " -userinfo arg   additional info to be set for user\n",
+    " -passin arg     input file pass phrase source\n",
+    " -passout arg    output file pass phrase source\n",
+# ifndef OPENSSL_NO_ENGINE
+    " -engine e         - use engine e, possibly a hardware device.\n",
+# endif
+    NULL
+};
+
+# ifdef EFENCE
+extern int EF_PROTECT_FREE;
+extern int EF_PROTECT_BELOW;
+extern int EF_ALIGNMENT;
+# endif
+
+static CONF *conf = NULL;
+static char *section = NULL;
+
+# define VERBOSE if (verbose)
+# define VVERBOSE if (verbose>1)
+
+int MAIN(int, char **);
+
+static int get_index(CA_DB *db, char *id, char type)
+{
+    char **pp;
+    int i;
+    if (id == NULL)
+        return -1;
+    if (type == DB_SRP_INDEX)
+        for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
+            pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
+            if (pp[DB_srptype][0] == DB_SRP_INDEX
+                && !strcmp(id, pp[DB_srpid]))
+                return i;
+    } else
+        for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
+            pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
+
+            if (pp[DB_srptype][0] != DB_SRP_INDEX
+                && !strcmp(id, pp[DB_srpid]))
+                return i;
+        }
+
+    return -1;
+}
+
+static void print_entry(CA_DB *db, BIO *bio, int indx, int verbose, char *s)
+{
+    if (indx >= 0 && verbose) {
+        int j;
+        char **pp = sk_OPENSSL_PSTRING_value(db->db->data, indx);
+        BIO_printf(bio, "%s \"%s\"\n", s, pp[DB_srpid]);
+        for (j = 0; j < DB_NUMBER; j++) {
+            BIO_printf(bio_err, "  %d = \"%s\"\n", j, pp[j]);
+        }
+    }
+}
+
+static void print_index(CA_DB *db, BIO *bio, int indexindex, int verbose)
+{
+    print_entry(db, bio, indexindex, verbose, "g N entry");
+}
+
+static void print_user(CA_DB *db, BIO *bio, int userindex, int verbose)
+{
+    if (verbose > 0) {
+        char **pp = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+
+        if (pp[DB_srptype][0] != 'I') {
+            print_entry(db, bio, userindex, verbose, "User entry");
+            print_entry(db, bio, get_index(db, pp[DB_srpgN], 'I'), verbose,
+                        "g N entry");
+        }
+
+    }
+}
+
+static int update_index(CA_DB *db, BIO *bio, char **row)
+{
+    char **irow;
+    int i;
+
+    if ((irow =
+         (char **)OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) {
+        BIO_printf(bio_err, "Memory allocation failure\n");
+        return 0;
+    }
+
+    for (i = 0; i < DB_NUMBER; i++) {
+        irow[i] = row[i];
+        row[i] = NULL;
+    }
+    irow[DB_NUMBER] = NULL;
+
+    if (!TXT_DB_insert(db->db, irow)) {
+        BIO_printf(bio, "failed to update srpvfile\n");
+        BIO_printf(bio, "TXT_DB error number %ld\n", db->db->error);
+        OPENSSL_free(irow);
+        return 0;
+    }
+    return 1;
+}
+
+static void lookup_fail(const char *name, char *tag)
+{
+    BIO_printf(bio_err, "variable lookup failed for %s::%s\n", name, tag);
+}
+
+static char *srp_verify_user(const char *user, const char *srp_verifier,
+                             char *srp_usersalt, const char *g, const char *N,
+                             const char *passin, BIO *bio, int verbose)
+{
+    char password[1024];
+    PW_CB_DATA cb_tmp;
+    char *verifier = NULL;
+    char *gNid = NULL;
+
+    cb_tmp.prompt_info = user;
+    cb_tmp.password = passin;
+
+    if (password_callback(password, 1024, 0, &cb_tmp) > 0) {
+        VERBOSE BIO_printf(bio,
+                           "Validating\n   user=\"%s\"\n srp_verifier=\"%s\"\n srp_usersalt=\"%s\"\n g=\"%s\"\n N=\"%s\"\n",
+                           user, srp_verifier, srp_usersalt, g, N);
+        BIO_printf(bio, "Pass %s\n", password);
+
+        if (!
+            (gNid =
+             SRP_create_verifier(user, password, &srp_usersalt, &verifier, N,
+                                 g))) {
+            BIO_printf(bio, "Internal error validating SRP verifier\n");
+        } else {
+            if (strcmp(verifier, srp_verifier))
+                gNid = NULL;
+            OPENSSL_free(verifier);
+        }
+    }
+    return gNid;
+}
+
+static char *srp_create_user(char *user, char **srp_verifier,
+                             char **srp_usersalt, char *g, char *N,
+                             char *passout, BIO *bio, int verbose)
+{
+    char password[1024];
+    PW_CB_DATA cb_tmp;
+    char *gNid = NULL;
+    char *salt = NULL;
+    cb_tmp.prompt_info = user;
+    cb_tmp.password = passout;
+
+    if (password_callback(password, 1024, 1, &cb_tmp) > 0) {
+        VERBOSE BIO_printf(bio,
+                           "Creating\n user=\"%s\"\n g=\"%s\"\n N=\"%s\"\n",
+                           user, g, N);
+        if (!
+            (gNid =
+             SRP_create_verifier(user, password, &salt, srp_verifier, N,
+                                 g))) {
+            BIO_printf(bio, "Internal error creating SRP verifier\n");
+        } else
+            *srp_usersalt = salt;
+        VVERBOSE BIO_printf(bio, "gNid=%s salt =\"%s\"\n verifier =\"%s\"\n",
+                            gNid, salt, *srp_verifier);
+
+    }
+    return gNid;
+}
+
+int MAIN(int argc, char **argv)
+{
+    int add_user = 0;
+    int list_user = 0;
+    int delete_user = 0;
+    int modify_user = 0;
+    char *user = NULL;
+
+    char *passargin = NULL, *passargout = NULL;
+    char *passin = NULL, *passout = NULL;
+    char *gN = NULL;
+    int gNindex = -1;
+    char **gNrow = NULL;
+    int maxgN = -1;
+
+    char *userinfo = NULL;
+
+    int badops = 0;
+    int ret = 1;
+    int errors = 0;
+    int verbose = 0;
+    int doupdatedb = 0;
+    char *configfile = NULL;
+    char *dbfile = NULL;
+    CA_DB *db = NULL;
+    char **pp;
+    int i;
+    long errorline = -1;
+    char *randfile = NULL;
+    ENGINE *e = NULL;
+    char *engine = NULL;
+    char *tofree = NULL;
+    DB_ATTR db_attr;
+
+# ifdef EFENCE
+    EF_PROTECT_FREE = 1;
+    EF_PROTECT_BELOW = 1;
+    EF_ALIGNMENT = 0;
+# endif
+
+    apps_startup();
+
+    conf = NULL;
+    section = NULL;
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    argc--;
+    argv++;
+    while (argc >= 1 && badops == 0) {
+        if (strcmp(*argv, "-verbose") == 0)
+            verbose++;
+        else if (strcmp(*argv, "-config") == 0) {
+            if (--argc < 1)
+                goto bad;
+            configfile = *(++argv);
+        } else if (strcmp(*argv, "-name") == 0) {
+            if (--argc < 1)
+                goto bad;
+            section = *(++argv);
+        } else if (strcmp(*argv, "-srpvfile") == 0) {
+            if (--argc < 1)
+                goto bad;
+            dbfile = *(++argv);
+        } else if (strcmp(*argv, "-add") == 0)
+            add_user = 1;
+        else if (strcmp(*argv, "-delete") == 0)
+            delete_user = 1;
+        else if (strcmp(*argv, "-modify") == 0)
+            modify_user = 1;
+        else if (strcmp(*argv, "-list") == 0)
+            list_user = 1;
+        else if (strcmp(*argv, "-gn") == 0) {
+            if (--argc < 1)
+                goto bad;
+            gN = *(++argv);
+        } else if (strcmp(*argv, "-userinfo") == 0) {
+            if (--argc < 1)
+                goto bad;
+            userinfo = *(++argv);
+        } else if (strcmp(*argv, "-passin") == 0) {
+            if (--argc < 1)
+                goto bad;
+            passargin = *(++argv);
+        } else if (strcmp(*argv, "-passout") == 0) {
+            if (--argc < 1)
+                goto bad;
+            passargout = *(++argv);
+        }
+# ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            engine = *(++argv);
+        }
+# endif
+
+        else if (**argv == '-') {
+ bad:
+            BIO_printf(bio_err, "unknown option %s\n", *argv);
+            badops = 1;
+            break;
+        } else
+            break;
+
+        argc--;
+        argv++;
+    }
+
+    if (dbfile && configfile) {
+        BIO_printf(bio_err,
+                   "-dbfile and -configfile cannot be specified together.\n");
+        badops = 1;
+    }
+    if (add_user + delete_user + modify_user + list_user != 1) {
+        BIO_printf(bio_err,
+                   "Exactly one of the options -add, -delete, -modify -list must be specified.\n");
+        badops = 1;
+    }
+    if (delete_user + modify_user + delete_user == 1 && argc <= 0) {
+        BIO_printf(bio_err,
+                   "Need at least one user for options -add, -delete, -modify. \n");
+        badops = 1;
+    }
+    if ((passin || passout) && argc != 1) {
+        BIO_printf(bio_err,
+                   "-passin, -passout arguments only valid with one user.\n");
+        badops = 1;
+    }
+
+    if (badops) {
+        for (pp = srp_usage; (*pp != NULL); pp++)
+            BIO_printf(bio_err, "%s", *pp);
+
+        BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
+                   LIST_SEPARATOR_CHAR);
+        BIO_printf(bio_err,
+                   "                 load the file (or the files in the directory) into\n");
+        BIO_printf(bio_err, "                 the random number generator\n");
+        goto err;
+    }
+
+    ERR_load_crypto_strings();
+
+    e = setup_engine(bio_err, engine, 0);
+
+    if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+        BIO_printf(bio_err, "Error getting passwords\n");
+        goto err;
+    }
+
+    if (!dbfile) {
+
+        /*****************************************************************/
+        tofree = NULL;
+        if (configfile == NULL)
+            configfile = getenv("OPENSSL_CONF");
+        if (configfile == NULL)
+            configfile = getenv("SSLEAY_CONF");
+        if (configfile == NULL) {
+            const char *s = X509_get_default_cert_area();
+            size_t len;
+
+# ifdef OPENSSL_SYS_VMS
+            len = strlen(s) + sizeof(CONFIG_FILE);
+            tofree = OPENSSL_malloc(len);
+            if (!tofree) {
+                BIO_printf(bio_err, "Out of memory\n");
+                goto err;
+            }
+            strcpy(tofree, s);
+# else
+            len = strlen(s) + sizeof(CONFIG_FILE) + 1;
+            tofree = OPENSSL_malloc(len);
+            if (!tofree) {
+                BIO_printf(bio_err, "Out of memory\n");
+                goto err;
+            }
+            BUF_strlcpy(tofree, s, len);
+            BUF_strlcat(tofree, "/", len);
+# endif
+            BUF_strlcat(tofree, CONFIG_FILE, len);
+            configfile = tofree;
+        }
+
+        VERBOSE BIO_printf(bio_err, "Using configuration from %s\n",
+                           configfile);
+        conf = NCONF_new(NULL);
+        if (NCONF_load(conf, configfile, &errorline) <= 0) {
+            if (errorline <= 0)
+                BIO_printf(bio_err, "error loading the config file '%s'\n",
+                           configfile);
+            else
+                BIO_printf(bio_err, "error on line %ld of config file '%s'\n",
+                           errorline, configfile);
+            goto err;
+        }
+        if (tofree) {
+            OPENSSL_free(tofree);
+            tofree = NULL;
+        }
+
+        if (!load_config(bio_err, conf))
+            goto err;
+
+        /* Lets get the config section we are using */
+        if (section == NULL) {
+            VERBOSE BIO_printf(bio_err,
+                               "trying to read " ENV_DEFAULT_SRP
+                               " in \" BASE_SECTION \"\n");
+
+            section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_SRP);
+            if (section == NULL) {
+                lookup_fail(BASE_SECTION, ENV_DEFAULT_SRP);
+                goto err;
+            }
+        }
+
+        if (randfile == NULL && conf)
+            randfile = NCONF_get_string(conf, BASE_SECTION, "RANDFILE");
+
+        VERBOSE BIO_printf(bio_err,
+                           "trying to read " ENV_DATABASE
+                           " in section \"%s\"\n", section);
+
+        if ((dbfile = NCONF_get_string(conf, section, ENV_DATABASE)) == NULL) {
+            lookup_fail(section, ENV_DATABASE);
+            goto err;
+        }
+
+    }
+    if (randfile == NULL)
+        ERR_clear_error();
+    else
+        app_RAND_load_file(randfile, bio_err, 0);
+
+    VERBOSE BIO_printf(bio_err, "Trying to read SRP verifier file \"%s\"\n",
+                       dbfile);
+
+    db = load_index(dbfile, &db_attr);
+    if (db == NULL)
+        goto err;
+
+    /* Lets check some fields */
+    for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
+        pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
+
+        if (pp[DB_srptype][0] == DB_SRP_INDEX) {
+            maxgN = i;
+            if (gNindex < 0 && gN != NULL && !strcmp(gN, pp[DB_srpid]))
+                gNindex = i;
+
+            print_index(db, bio_err, i, verbose > 1);
+        }
+    }
+
+    VERBOSE BIO_printf(bio_err, "Database initialised\n");
+
+    if (gNindex >= 0) {
+        gNrow = sk_OPENSSL_PSTRING_value(db->db->data, gNindex);
+        print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N");
+    } else if (maxgN > 0 && !SRP_get_default_gN(gN)) {
+        BIO_printf(bio_err, "No g and N value for index \"%s\"\n", gN);
+        goto err;
+    } else {
+        VERBOSE BIO_printf(bio_err, "Database has no g N information.\n");
+        gNrow = NULL;
+    }
+
+    VVERBOSE BIO_printf(bio_err, "Starting user processing\n");
+
+    if (argc > 0)
+        user = *(argv++);
+
+    while (list_user || user) {
+        int userindex = -1;
+        if (user)
+            VVERBOSE BIO_printf(bio_err, "Processing user \"%s\"\n", user);
+        if ((userindex = get_index(db, user, 'U')) >= 0) {
+            print_user(db, bio_err, userindex, (verbose > 0) || list_user);
+        }
+
+        if (list_user) {
+            if (user == NULL) {
+                BIO_printf(bio_err, "List all users\n");
+
+                for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
+                    print_user(db, bio_err, i, 1);
+                }
+                list_user = 0;
+            } else if (userindex < 0) {
+                BIO_printf(bio_err,
+                           "user \"%s\" does not exist, ignored. t\n", user);
+                errors++;
+            }
+        } else if (add_user) {
+            if (userindex >= 0) {
+                /* reactivation of a new user */
+                char **row =
+                    sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+                BIO_printf(bio_err, "user \"%s\" reactivated.\n", user);
+                row[DB_srptype][0] = 'V';
+
+                doupdatedb = 1;
+            } else {
+                char *row[DB_NUMBER];
+                char *gNid;
+                row[DB_srpverifier] = NULL;
+                row[DB_srpsalt] = NULL;
+                row[DB_srpinfo] = NULL;
+                if (!
+                    (gNid =
+                     srp_create_user(user, &(row[DB_srpverifier]),
+                                     &(row[DB_srpsalt]),
+                                     gNrow ? gNrow[DB_srpsalt] : gN,
+                                     gNrow ? gNrow[DB_srpverifier] : NULL,
+                                     passout, bio_err, verbose))) {
+                    BIO_printf(bio_err,
+                               "Cannot create srp verifier for user \"%s\", operation abandoned .\n",
+                               user);
+                    errors++;
+                    goto err;
+                }
+                row[DB_srpid] = BUF_strdup(user);
+                row[DB_srptype] = BUF_strdup("v");
+                row[DB_srpgN] = BUF_strdup(gNid);
+
+                if (!row[DB_srpid] || !row[DB_srpgN] || !row[DB_srptype]
+                    || !row[DB_srpverifier] || !row[DB_srpsalt] || (userinfo
+                                                                    &&
+                                                                    (!(row
+                                                                       [DB_srpinfo]
+                                                                       =
+                                                                       BUF_strdup
+                                                                       (userinfo))))
+                    || !update_index(db, bio_err, row)) {
+                    if (row[DB_srpid])
+                        OPENSSL_free(row[DB_srpid]);
+                    if (row[DB_srpgN])
+                        OPENSSL_free(row[DB_srpgN]);
+                    if (row[DB_srpinfo])
+                        OPENSSL_free(row[DB_srpinfo]);
+                    if (row[DB_srptype])
+                        OPENSSL_free(row[DB_srptype]);
+                    if (row[DB_srpverifier])
+                        OPENSSL_free(row[DB_srpverifier]);
+                    if (row[DB_srpsalt])
+                        OPENSSL_free(row[DB_srpsalt]);
+                    goto err;
+                }
+                doupdatedb = 1;
+            }
+        } else if (modify_user) {
+            if (userindex < 0) {
+                BIO_printf(bio_err,
+                           "user \"%s\" does not exist, operation ignored.\n",
+                           user);
+                errors++;
+            } else {
+
+                char **row =
+                    sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+                char type = row[DB_srptype][0];
+                if (type == 'v') {
+                    BIO_printf(bio_err,
+                               "user \"%s\" already updated, operation ignored.\n",
+                               user);
+                    errors++;
+                } else {
+                    char *gNid;
+
+                    if (row[DB_srptype][0] == 'V') {
+                        int user_gN;
+                        char **irow = NULL;
+                        VERBOSE BIO_printf(bio_err,
+                                           "Verifying password for user \"%s\"\n",
+                                           user);
+                        if ((user_gN =
+                             get_index(db, row[DB_srpgN], DB_SRP_INDEX)) >= 0)
+                            irow =
+                                (char **)sk_OPENSSL_PSTRING_value(db->
+                                                                  db->data,
+                                                                  userindex);
+
+                        if (!srp_verify_user
+                            (user, row[DB_srpverifier], row[DB_srpsalt],
+                             irow ? irow[DB_srpsalt] : row[DB_srpgN],
+                             irow ? irow[DB_srpverifier] : NULL, passin,
+                             bio_err, verbose)) {
+                            BIO_printf(bio_err,
+                                       "Invalid password for user \"%s\", operation abandoned.\n",
+                                       user);
+                            errors++;
+                            goto err;
+                        }
+                    }
+                    VERBOSE BIO_printf(bio_err,
+                                       "Password for user \"%s\" ok.\n",
+                                       user);
+
+                    if (!
+                        (gNid =
+                         srp_create_user(user, &(row[DB_srpverifier]),
+                                         &(row[DB_srpsalt]),
+                                         gNrow ? gNrow[DB_srpsalt] : NULL,
+                                         gNrow ? gNrow[DB_srpverifier] : NULL,
+                                         passout, bio_err, verbose))) {
+                        BIO_printf(bio_err,
+                                   "Cannot create srp verifier for user \"%s\", operation abandoned.\n",
+                                   user);
+                        errors++;
+                        goto err;
+                    }
+
+                    row[DB_srptype][0] = 'v';
+                    row[DB_srpgN] = BUF_strdup(gNid);
+
+                    if (!row[DB_srpid] || !row[DB_srpgN] || !row[DB_srptype]
+                        || !row[DB_srpverifier] || !row[DB_srpsalt]
+                        || (userinfo
+                            && (!(row[DB_srpinfo] = BUF_strdup(userinfo)))))
+                        goto err;
+
+                    doupdatedb = 1;
+                }
+            }
+        } else if (delete_user) {
+            if (userindex < 0) {
+                BIO_printf(bio_err,
+                           "user \"%s\" does not exist, operation ignored. t\n",
+                           user);
+                errors++;
+            } else {
+                char **xpp =
+                    sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+                BIO_printf(bio_err, "user \"%s\" revoked. t\n", user);
+
+                xpp[DB_srptype][0] = 'R';
+
+                doupdatedb = 1;
+            }
+        }
+        if (--argc > 0)
+            user = *(argv++);
+        else {
+            user = NULL;
+            list_user = 0;
+        }
+    }
+
+    VERBOSE BIO_printf(bio_err, "User procession done.\n");
+
+    if (doupdatedb) {
+        /* Lets check some fields */
+        for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
+            pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
+
+            if (pp[DB_srptype][0] == 'v') {
+                pp[DB_srptype][0] = 'V';
+                print_user(db, bio_err, i, verbose);
+            }
+        }
+
+        VERBOSE BIO_printf(bio_err, "Trying to update srpvfile.\n");
+        if (!save_index(dbfile, "new", db))
+            goto err;
+
+        VERBOSE BIO_printf(bio_err, "Temporary srpvfile created.\n");
+        if (!rotate_index(dbfile, "new", "old"))
+            goto err;
+
+        VERBOSE BIO_printf(bio_err, "srpvfile updated.\n");
+    }
+
+    ret = (errors != 0);
+ err:
+    if (errors != 0)
+        VERBOSE BIO_printf(bio_err, "User errors %d.\n", errors);
+
+    VERBOSE BIO_printf(bio_err, "SRP terminating with code %d.\n", ret);
+    if (tofree)
+        OPENSSL_free(tofree);
+    if (ret)
+        ERR_print_errors(bio_err);
+    if (randfile)
+        app_RAND_write_file(randfile, bio_err);
+    if (conf)
+        NCONF_free(conf);
+    if (db)
+        free_index(db);
+
+    release_engine(e);
+    OBJ_cleanup();
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+
+#else
+static void *dummy = &dummy;
+#endif
diff --git a/openssl/apps/testCA.pem b/openssl/apps/testCA.pem
new file mode 100644
index 0000000..dcb710a
--- /dev/null
+++ b/openssl/apps/testCA.pem
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBBzCBsgIBADBNMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEX
+MBUGA1UEChMOTWluY29tIFB0eSBMdGQxEDAOBgNVBAMTB1RFU1QgQ0EwXDANBgkq
+hkiG9w0BAQEFAANLADBIAkEAzW9brgA8efT2ODB+NrsflJZj3KKqKsm4OrXTRqfL
+VETj1ws/zCXl42XJAxdWQMCP0liKfc9Ut4xi1qCVI7N07wIDAQABoAAwDQYJKoZI
+hvcNAQEEBQADQQBjZZ42Det9Uw0AFwJy4ufUEy5Cv74pxBp5SZnljgHY+Az0Hs2S
+uNkIegr2ITX5azKi9nOkg9ZmsmGG13FIjiC/
+-----END CERTIFICATE REQUEST-----
diff --git a/openssl/apps/testdsa.h b/openssl/apps/testdsa.h
new file mode 100644
index 0000000..550c625
--- /dev/null
+++ b/openssl/apps/testdsa.h
@@ -0,0 +1,233 @@
+/* NOCW */
+/* used by apps/speed.c */
+DSA *get_dsa512(void);
+DSA *get_dsa1024(void);
+DSA *get_dsa2048(void);
+static unsigned char dsa512_priv[] = {
+    0x65, 0xe5, 0xc7, 0x38, 0x60, 0x24, 0xb5, 0x89, 0xd4, 0x9c, 0xeb, 0x4c,
+    0x9c, 0x1d, 0x7a, 0x22, 0xbd, 0xd1, 0xc2, 0xd2,
+};
+
+static unsigned char dsa512_pub[] = {
+    0x00, 0x95, 0xa7, 0x0d, 0xec, 0x93, 0x68, 0xba, 0x5f, 0xf7, 0x5f, 0x07,
+    0xf2, 0x3b, 0xad, 0x6b, 0x01, 0xdc, 0xbe, 0xec, 0xde, 0x04, 0x7a, 0x3a,
+    0x27, 0xb3, 0xec, 0x49, 0xfd, 0x08, 0x43, 0x3d, 0x7e, 0xa8, 0x2c, 0x5e,
+    0x7b, 0xbb, 0xfc, 0xf4, 0x6e, 0xeb, 0x6c, 0xb0, 0x6e, 0xf8, 0x02, 0x12,
+    0x8c, 0x38, 0x5d, 0x83, 0x56, 0x7d, 0xee, 0x53, 0x05, 0x3e, 0x24, 0x84,
+    0xbe, 0xba, 0x0a, 0x6b, 0xc8,
+};
+
+static unsigned char dsa512_p[] = {
+    0x9D, 0x1B, 0x69, 0x8E, 0x26, 0xDB, 0xF2, 0x2B, 0x11, 0x70, 0x19, 0x86,
+    0xF6, 0x19, 0xC8, 0xF8, 0x19, 0xF2, 0x18, 0x53, 0x94, 0x46, 0x06, 0xD0,
+    0x62, 0x50, 0x33, 0x4B, 0x02, 0x3C, 0x52, 0x30, 0x03, 0x8B, 0x3B, 0xF9,
+    0x5F, 0xD1, 0x24, 0x06, 0x4F, 0x7B, 0x4C, 0xBA, 0xAA, 0x40, 0x9B, 0xFD,
+    0x96, 0xE4, 0x37, 0x33, 0xBB, 0x2D, 0x5A, 0xD7, 0x5A, 0x11, 0x40, 0x66,
+    0xA2, 0x76, 0x7D, 0x31,
+};
+
+static unsigned char dsa512_q[] = {
+    0xFB, 0x53, 0xEF, 0x50, 0xB4, 0x40, 0x92, 0x31, 0x56, 0x86, 0x53, 0x7A,
+    0xE8, 0x8B, 0x22, 0x9A, 0x49, 0xFB, 0x71, 0x8F,
+};
+
+static unsigned char dsa512_g[] = {
+    0x83, 0x3E, 0x88, 0xE5, 0xC5, 0x89, 0x73, 0xCE, 0x3B, 0x6C, 0x01, 0x49,
+    0xBF, 0xB3, 0xC7, 0x9F, 0x0A, 0xEA, 0x44, 0x91, 0xE5, 0x30, 0xAA, 0xD9,
+    0xBE, 0x5B, 0x5F, 0xB7, 0x10, 0xD7, 0x89, 0xB7, 0x8E, 0x74, 0xFB, 0xCF,
+    0x29, 0x1E, 0xEB, 0xA8, 0x2C, 0x54, 0x51, 0xB8, 0x10, 0xDE, 0xA0, 0xCE,
+    0x2F, 0xCC, 0x24, 0x6B, 0x90, 0x77, 0xDE, 0xA2, 0x68, 0xA6, 0x52, 0x12,
+    0xA2, 0x03, 0x9D, 0x20,
+};
+
+DSA *get_dsa512()
+{
+    DSA *dsa;
+
+    if ((dsa = DSA_new()) == NULL)
+        return (NULL);
+    dsa->priv_key = BN_bin2bn(dsa512_priv, sizeof(dsa512_priv), NULL);
+    dsa->pub_key = BN_bin2bn(dsa512_pub, sizeof(dsa512_pub), NULL);
+    dsa->p = BN_bin2bn(dsa512_p, sizeof(dsa512_p), NULL);
+    dsa->q = BN_bin2bn(dsa512_q, sizeof(dsa512_q), NULL);
+    dsa->g = BN_bin2bn(dsa512_g, sizeof(dsa512_g), NULL);
+    if ((dsa->priv_key == NULL) || (dsa->pub_key == NULL) || (dsa->p == NULL)
+        || (dsa->q == NULL) || (dsa->g == NULL))
+        return (NULL);
+    return (dsa);
+}
+
+static unsigned char dsa1024_priv[] = {
+    0x7d, 0x21, 0xda, 0xbb, 0x62, 0x15, 0x47, 0x36, 0x07, 0x67, 0x12, 0xe8,
+    0x8c, 0xaa, 0x1c, 0xcd, 0x38, 0x12, 0x61, 0x18,
+};
+
+static unsigned char dsa1024_pub[] = {
+    0x3c, 0x4e, 0x9c, 0x2a, 0x7f, 0x16, 0xc1, 0x25, 0xeb, 0xac, 0x78, 0x63,
+    0x90, 0x14, 0x8c, 0x8b, 0xf4, 0x68, 0x43, 0x3c, 0x2d, 0xee, 0x65, 0x50,
+    0x7d, 0x9c, 0x8f, 0x8c, 0x8a, 0x51, 0xd6, 0x11, 0x2b, 0x99, 0xaf, 0x1e,
+    0x90, 0x97, 0xb5, 0xd3, 0xa6, 0x20, 0x25, 0xd6, 0xfe, 0x43, 0x02, 0xd5,
+    0x91, 0x7d, 0xa7, 0x8c, 0xdb, 0xc9, 0x85, 0xa3, 0x36, 0x48, 0xf7, 0x68,
+    0xaa, 0x60, 0xb1, 0xf7, 0x05, 0x68, 0x3a, 0xa3, 0x3f, 0xd3, 0x19, 0x82,
+    0xd8, 0x82, 0x7a, 0x77, 0xfb, 0xef, 0xf4, 0x15, 0x0a, 0xeb, 0x06, 0x04,
+    0x7f, 0x53, 0x07, 0x0c, 0xbc, 0xcb, 0x2d, 0x83, 0xdb, 0x3e, 0xd1, 0x28,
+    0xa5, 0xa1, 0x31, 0xe0, 0x67, 0xfa, 0x50, 0xde, 0x9b, 0x07, 0x83, 0x7e,
+    0x2c, 0x0b, 0xc3, 0x13, 0x50, 0x61, 0xe5, 0xad, 0xbd, 0x36, 0xb8, 0x97,
+    0x4e, 0x40, 0x7d, 0xe8, 0x83, 0x0d, 0xbc, 0x4b
+};
+
+static unsigned char dsa1024_p[] = {
+    0xA7, 0x3F, 0x6E, 0x85, 0xBF, 0x41, 0x6A, 0x29, 0x7D, 0xF0, 0x9F, 0x47,
+    0x19, 0x30, 0x90, 0x9A, 0x09, 0x1D, 0xDA, 0x6A, 0x33, 0x1E, 0xC5, 0x3D,
+    0x86, 0x96, 0xB3, 0x15, 0xE0, 0x53, 0x2E, 0x8F, 0xE0, 0x59, 0x82, 0x73,
+    0x90, 0x3E, 0x75, 0x31, 0x99, 0x47, 0x7A, 0x52, 0xFB, 0x85, 0xE4, 0xD9,
+    0xA6, 0x7B, 0x38, 0x9B, 0x68, 0x8A, 0x84, 0x9B, 0x87, 0xC6, 0x1E, 0xB5,
+    0x7E, 0x86, 0x4B, 0x53, 0x5B, 0x59, 0xCF, 0x71, 0x65, 0x19, 0x88, 0x6E,
+    0xCE, 0x66, 0xAE, 0x6B, 0x88, 0x36, 0xFB, 0xEC, 0x28, 0xDC, 0xC2, 0xD7,
+    0xA5, 0xBB, 0xE5, 0x2C, 0x39, 0x26, 0x4B, 0xDA, 0x9A, 0x70, 0x18, 0x95,
+    0x37, 0x95, 0x10, 0x56, 0x23, 0xF6, 0x15, 0xED, 0xBA, 0x04, 0x5E, 0xDE,
+    0x39, 0x4F, 0xFD, 0xB7, 0x43, 0x1F, 0xB5, 0xA4, 0x65, 0x6F, 0xCD, 0x80,
+    0x11, 0xE4, 0x70, 0x95, 0x5B, 0x50, 0xCD, 0x49,
+};
+
+static unsigned char dsa1024_q[] = {
+    0xF7, 0x07, 0x31, 0xED, 0xFA, 0x6C, 0x06, 0x03, 0xD5, 0x85, 0x8A, 0x1C,
+    0xAC, 0x9C, 0x65, 0xE7, 0x50, 0x66, 0x65, 0x6F,
+};
+
+static unsigned char dsa1024_g[] = {
+    0x4D, 0xDF, 0x4C, 0x03, 0xA6, 0x91, 0x8A, 0xF5, 0x19, 0x6F, 0x50, 0x46,
+    0x25, 0x99, 0xE5, 0x68, 0x6F, 0x30, 0xE3, 0x69, 0xE1, 0xE5, 0xB3, 0x5D,
+    0x98, 0xBB, 0x28, 0x86, 0x48, 0xFC, 0xDE, 0x99, 0x04, 0x3F, 0x5F, 0x88,
+    0x0C, 0x9C, 0x73, 0x24, 0x0D, 0x20, 0x5D, 0xB9, 0x2A, 0x9A, 0x3F, 0x18,
+    0x96, 0x27, 0xE4, 0x62, 0x87, 0xC1, 0x7B, 0x74, 0x62, 0x53, 0xFC, 0x61,
+    0x27, 0xA8, 0x7A, 0x91, 0x09, 0x9D, 0xB6, 0xF1, 0x4D, 0x9C, 0x54, 0x0F,
+    0x58, 0x06, 0xEE, 0x49, 0x74, 0x07, 0xCE, 0x55, 0x7E, 0x23, 0xCE, 0x16,
+    0xF6, 0xCA, 0xDC, 0x5A, 0x61, 0x01, 0x7E, 0xC9, 0x71, 0xB5, 0x4D, 0xF6,
+    0xDC, 0x34, 0x29, 0x87, 0x68, 0xF6, 0x5E, 0x20, 0x93, 0xB3, 0xDB, 0xF5,
+    0xE4, 0x09, 0x6C, 0x41, 0x17, 0x95, 0x92, 0xEB, 0x01, 0xB5, 0x73, 0xA5,
+    0x6A, 0x7E, 0xD8, 0x32, 0xED, 0x0E, 0x02, 0xB8,
+};
+
+DSA *get_dsa1024()
+{
+    DSA *dsa;
+
+    if ((dsa = DSA_new()) == NULL)
+        return (NULL);
+    dsa->priv_key = BN_bin2bn(dsa1024_priv, sizeof(dsa1024_priv), NULL);
+    dsa->pub_key = BN_bin2bn(dsa1024_pub, sizeof(dsa1024_pub), NULL);
+    dsa->p = BN_bin2bn(dsa1024_p, sizeof(dsa1024_p), NULL);
+    dsa->q = BN_bin2bn(dsa1024_q, sizeof(dsa1024_q), NULL);
+    dsa->g = BN_bin2bn(dsa1024_g, sizeof(dsa1024_g), NULL);
+    if ((dsa->priv_key == NULL) || (dsa->pub_key == NULL) || (dsa->p == NULL)
+        || (dsa->q == NULL) || (dsa->g == NULL))
+        return (NULL);
+    return (dsa);
+}
+
+static unsigned char dsa2048_priv[] = {
+    0x32, 0x67, 0x92, 0xf6, 0xc4, 0xe2, 0xe2, 0xe8, 0xa0, 0x8b, 0x6b, 0x45,
+    0x0c, 0x8a, 0x76, 0xb0, 0xee, 0xcf, 0x91, 0xa7,
+};
+
+static unsigned char dsa2048_pub[] = {
+    0x17, 0x8f, 0xa8, 0x11, 0x84, 0x92, 0xec, 0x83, 0x47, 0xc7, 0x6a, 0xb0,
+    0x92, 0xaf, 0x5a, 0x20, 0x37, 0xa3, 0x64, 0x79, 0xd2, 0xd0, 0x3d, 0xcd,
+    0xe0, 0x61, 0x88, 0x88, 0x21, 0xcc, 0x74, 0x5d, 0xce, 0x4c, 0x51, 0x47,
+    0xf0, 0xc5, 0x5c, 0x4c, 0x82, 0x7a, 0xaf, 0x72, 0xad, 0xb9, 0xe0, 0x53,
+    0xf2, 0x78, 0xb7, 0xf0, 0xb5, 0x48, 0x7f, 0x8a, 0x3a, 0x18, 0xd1, 0x9f,
+    0x8b, 0x7d, 0xa5, 0x47, 0xb7, 0x95, 0xab, 0x98, 0xf8, 0x7b, 0x74, 0x50,
+    0x56, 0x8e, 0x57, 0xf0, 0xee, 0xf5, 0xb7, 0xba, 0xab, 0x85, 0x86, 0xf9,
+    0x2b, 0xef, 0x41, 0x56, 0xa0, 0xa4, 0x9f, 0xb7, 0x38, 0x00, 0x46, 0x0a,
+    0xa6, 0xf1, 0xfc, 0x1f, 0xd8, 0x4e, 0x85, 0x44, 0x92, 0x43, 0x21, 0x5d,
+    0x6e, 0xcc, 0xc2, 0xcb, 0x26, 0x31, 0x0d, 0x21, 0xc4, 0xbd, 0x8d, 0x24,
+    0xbc, 0xd9, 0x18, 0x19, 0xd7, 0xdc, 0xf1, 0xe7, 0x93, 0x50, 0x48, 0x03,
+    0x2c, 0xae, 0x2e, 0xe7, 0x49, 0x88, 0x5f, 0x93, 0x57, 0x27, 0x99, 0x36,
+    0xb4, 0x20, 0xab, 0xfc, 0xa7, 0x2b, 0xf2, 0xd9, 0x98, 0xd7, 0xd4, 0x34,
+    0x9d, 0x96, 0x50, 0x58, 0x9a, 0xea, 0x54, 0xf3, 0xee, 0xf5, 0x63, 0x14,
+    0xee, 0x85, 0x83, 0x74, 0x76, 0xe1, 0x52, 0x95, 0xc3, 0xf7, 0xeb, 0x04,
+    0x04, 0x7b, 0xa7, 0x28, 0x1b, 0xcc, 0xea, 0x4a, 0x4e, 0x84, 0xda, 0xd8,
+    0x9c, 0x79, 0xd8, 0x9b, 0x66, 0x89, 0x2f, 0xcf, 0xac, 0xd7, 0x79, 0xf9,
+    0xa9, 0xd8, 0x45, 0x13, 0x78, 0xb9, 0x00, 0x14, 0xc9, 0x7e, 0x22, 0x51,
+    0x86, 0x67, 0xb0, 0x9f, 0x26, 0x11, 0x23, 0xc8, 0x38, 0xd7, 0x70, 0x1d,
+    0x15, 0x8e, 0x4d, 0x4f, 0x95, 0x97, 0x40, 0xa1, 0xc2, 0x7e, 0x01, 0x18,
+    0x72, 0xf4, 0x10, 0xe6, 0x8d, 0x52, 0x16, 0x7f, 0xf2, 0xc9, 0xf8, 0x33,
+    0x8b, 0x33, 0xb7, 0xce,
+};
+
+static unsigned char dsa2048_p[] = {
+    0xA0, 0x25, 0xFA, 0xAD, 0xF4, 0x8E, 0xB9, 0xE5, 0x99, 0xF3, 0x5D, 0x6F,
+    0x4F, 0x83, 0x34, 0xE2, 0x7E, 0xCF, 0x6F, 0xBF, 0x30, 0xAF, 0x6F, 0x81,
+    0xEB, 0xF8, 0xC4, 0x13, 0xD9, 0xA0, 0x5D, 0x8B, 0x5C, 0x8E, 0xDC, 0xC2,
+    0x1D, 0x0B, 0x41, 0x32, 0xB0, 0x1F, 0xFE, 0xEF, 0x0C, 0xC2, 0xA2, 0x7E,
+    0x68, 0x5C, 0x28, 0x21, 0xE9, 0xF5, 0xB1, 0x58, 0x12, 0x63, 0x4C, 0x19,
+    0x4E, 0xFF, 0x02, 0x4B, 0x92, 0xED, 0xD2, 0x07, 0x11, 0x4D, 0x8C, 0x58,
+    0x16, 0x5C, 0x55, 0x8E, 0xAD, 0xA3, 0x67, 0x7D, 0xB9, 0x86, 0x6E, 0x0B,
+    0xE6, 0x54, 0x6F, 0x40, 0xAE, 0x0E, 0x67, 0x4C, 0xF9, 0x12, 0x5B, 0x3C,
+    0x08, 0x7A, 0xF7, 0xFC, 0x67, 0x86, 0x69, 0xE7, 0x0A, 0x94, 0x40, 0xBF,
+    0x8B, 0x76, 0xFE, 0x26, 0xD1, 0xF2, 0xA1, 0x1A, 0x84, 0xA1, 0x43, 0x56,
+    0x28, 0xBC, 0x9A, 0x5F, 0xD7, 0x3B, 0x69, 0x89, 0x8A, 0x36, 0x2C, 0x51,
+    0xDF, 0x12, 0x77, 0x2F, 0x57, 0x7B, 0xA0, 0xAA, 0xDD, 0x7F, 0xA1, 0x62,
+    0x3B, 0x40, 0x7B, 0x68, 0x1A, 0x8F, 0x0D, 0x38, 0xBB, 0x21, 0x5D, 0x18,
+    0xFC, 0x0F, 0x46, 0xF7, 0xA3, 0xB0, 0x1D, 0x23, 0xC3, 0xD2, 0xC7, 0x72,
+    0x51, 0x18, 0xDF, 0x46, 0x95, 0x79, 0xD9, 0xBD, 0xB5, 0x19, 0x02, 0x2C,
+    0x87, 0xDC, 0xE7, 0x57, 0x82, 0x7E, 0xF1, 0x8B, 0x06, 0x3D, 0x00, 0xA5,
+    0x7B, 0x6B, 0x26, 0x27, 0x91, 0x0F, 0x6A, 0x77, 0xE4, 0xD5, 0x04, 0xE4,
+    0x12, 0x2C, 0x42, 0xFF, 0xD2, 0x88, 0xBB, 0xD3, 0x92, 0xA0, 0xF9, 0xC8,
+    0x51, 0x64, 0x14, 0x5C, 0xD8, 0xF9, 0x6C, 0x47, 0x82, 0xB4, 0x1C, 0x7F,
+    0x09, 0xB8, 0xF0, 0x25, 0x83, 0x1D, 0x3F, 0x3F, 0x05, 0xB3, 0x21, 0x0A,
+    0x5D, 0xA7, 0xD8, 0x54, 0xC3, 0x65, 0x7D, 0xC3, 0xB0, 0x1D, 0xBF, 0xAE,
+    0xF8, 0x68, 0xCF, 0x9B,
+};
+
+static unsigned char dsa2048_q[] = {
+    0x97, 0xE7, 0x33, 0x4D, 0xD3, 0x94, 0x3E, 0x0B, 0xDB, 0x62, 0x74, 0xC6,
+    0xA1, 0x08, 0xDD, 0x19, 0xA3, 0x75, 0x17, 0x1B,
+};
+
+static unsigned char dsa2048_g[] = {
+    0x2C, 0x78, 0x16, 0x59, 0x34, 0x63, 0xF4, 0xF3, 0x92, 0xFC, 0xB5, 0xA5,
+    0x4F, 0x13, 0xDE, 0x2F, 0x1C, 0xA4, 0x3C, 0xAE, 0xAD, 0x38, 0x3F, 0x7E,
+    0x90, 0xBF, 0x96, 0xA6, 0xAE, 0x25, 0x90, 0x72, 0xF5, 0x8E, 0x80, 0x0C,
+    0x39, 0x1C, 0xD9, 0xEC, 0xBA, 0x90, 0x5B, 0x3A, 0xE8, 0x58, 0x6C, 0x9E,
+    0x30, 0x42, 0x37, 0x02, 0x31, 0x82, 0xBC, 0x6A, 0xDF, 0x6A, 0x09, 0x29,
+    0xE3, 0xC0, 0x46, 0xD1, 0xCB, 0x85, 0xEC, 0x0C, 0x30, 0x5E, 0xEA, 0xC8,
+    0x39, 0x8E, 0x22, 0x9F, 0x22, 0x10, 0xD2, 0x34, 0x61, 0x68, 0x37, 0x3D,
+    0x2E, 0x4A, 0x5B, 0x9A, 0xF5, 0xC1, 0x48, 0xC6, 0xF6, 0xDC, 0x63, 0x1A,
+    0xD3, 0x96, 0x64, 0xBA, 0x34, 0xC9, 0xD1, 0xA0, 0xD1, 0xAE, 0x6C, 0x2F,
+    0x48, 0x17, 0x93, 0x14, 0x43, 0xED, 0xF0, 0x21, 0x30, 0x19, 0xC3, 0x1B,
+    0x5F, 0xDE, 0xA3, 0xF0, 0x70, 0x78, 0x18, 0xE1, 0xA8, 0xE4, 0xEE, 0x2E,
+    0x00, 0xA5, 0xE4, 0xB3, 0x17, 0xC8, 0x0C, 0x7D, 0x6E, 0x42, 0xDC, 0xB7,
+    0x46, 0x00, 0x36, 0x4D, 0xD4, 0x46, 0xAA, 0x3D, 0x3C, 0x46, 0x89, 0x40,
+    0xBF, 0x1D, 0x84, 0x77, 0x0A, 0x75, 0xF3, 0x87, 0x1D, 0x08, 0x4C, 0xA6,
+    0xD1, 0xA9, 0x1C, 0x1E, 0x12, 0x1E, 0xE1, 0xC7, 0x30, 0x28, 0x76, 0xA5,
+    0x7F, 0x6C, 0x85, 0x96, 0x2B, 0x6F, 0xDB, 0x80, 0x66, 0x26, 0xAE, 0xF5,
+    0x93, 0xC7, 0x8E, 0xAE, 0x9A, 0xED, 0xE4, 0xCA, 0x04, 0xEA, 0x3B, 0x72,
+    0xEF, 0xDC, 0x87, 0xED, 0x0D, 0xA5, 0x4C, 0x4A, 0xDD, 0x71, 0x22, 0x64,
+    0x59, 0x69, 0x4E, 0x8E, 0xBF, 0x43, 0xDC, 0xAB, 0x8E, 0x66, 0xBB, 0x01,
+    0xB6, 0xF4, 0xE7, 0xFD, 0xD2, 0xAD, 0x9F, 0x36, 0xC1, 0xA0, 0x29, 0x99,
+    0xD1, 0x96, 0x70, 0x59, 0x06, 0x78, 0x35, 0xBD, 0x65, 0x55, 0x52, 0x9E,
+    0xF8, 0xB2, 0xE5, 0x38,
+};
+
+DSA *get_dsa2048()
+{
+    DSA *dsa;
+
+    if ((dsa = DSA_new()) == NULL)
+        return (NULL);
+    dsa->priv_key = BN_bin2bn(dsa2048_priv, sizeof(dsa2048_priv), NULL);
+    dsa->pub_key = BN_bin2bn(dsa2048_pub, sizeof(dsa2048_pub), NULL);
+    dsa->p = BN_bin2bn(dsa2048_p, sizeof(dsa2048_p), NULL);
+    dsa->q = BN_bin2bn(dsa2048_q, sizeof(dsa2048_q), NULL);
+    dsa->g = BN_bin2bn(dsa2048_g, sizeof(dsa2048_g), NULL);
+    if ((dsa->priv_key == NULL) || (dsa->pub_key == NULL) || (dsa->p == NULL)
+        || (dsa->q == NULL) || (dsa->g == NULL))
+        return (NULL);
+    return (dsa);
+}
+
+static const char rnd_seed[] =
+    "string to make the random number generator think it has entropy";
+static int rnd_fake = 0;
diff --git a/openssl/apps/testrsa.h b/openssl/apps/testrsa.h
new file mode 100644
index 0000000..a7913fd
--- /dev/null
+++ b/openssl/apps/testrsa.h
@@ -0,0 +1,518 @@
+/* apps/testrsa.h */
+/* used by apps/speed.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+static unsigned char test512[] = {
+    0x30, 0x82, 0x01, 0x3a, 0x02, 0x01, 0x00, 0x02, 0x41, 0x00,
+    0xd6, 0x33, 0xb9, 0xc8, 0xfb, 0x4f, 0x3c, 0x7d, 0xc0, 0x01,
+    0x86, 0xd0, 0xe7, 0xa0, 0x55, 0xf2, 0x95, 0x93, 0xcc, 0x4f,
+    0xb7, 0x5b, 0x67, 0x5b, 0x94, 0x68, 0xc9, 0x34, 0x15, 0xde,
+    0xa5, 0x2e, 0x1c, 0x33, 0xc2, 0x6e, 0xfc, 0x34, 0x5e, 0x71,
+    0x13, 0xb7, 0xd6, 0xee, 0xd8, 0xa5, 0x65, 0x05, 0x72, 0x87,
+    0xa8, 0xb0, 0x77, 0xfe, 0x57, 0xf5, 0xfc, 0x5f, 0x55, 0x83,
+    0x87, 0xdd, 0x57, 0x49, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02,
+    0x41, 0x00, 0xa7, 0xf7, 0x91, 0xc5, 0x0f, 0x84, 0x57, 0xdc,
+    0x07, 0xf7, 0x6a, 0x7f, 0x60, 0x52, 0xb3, 0x72, 0xf1, 0x66,
+    0x1f, 0x7d, 0x97, 0x3b, 0x9e, 0xb6, 0x0a, 0x8f, 0x8c, 0xcf,
+    0x42, 0x23, 0x00, 0x04, 0xd4, 0x28, 0x0e, 0x1c, 0x90, 0xc4,
+    0x11, 0x25, 0x25, 0xa5, 0x93, 0xa5, 0x2f, 0x70, 0x02, 0xdf,
+    0x81, 0x9c, 0x49, 0x03, 0xa0, 0xf8, 0x6d, 0x54, 0x2e, 0x26,
+    0xde, 0xaa, 0x85, 0x59, 0xa8, 0x31, 0x02, 0x21, 0x00, 0xeb,
+    0x47, 0xd7, 0x3b, 0xf6, 0xc3, 0xdd, 0x5a, 0x46, 0xc5, 0xb9,
+    0x2b, 0x9a, 0xa0, 0x09, 0x8f, 0xa6, 0xfb, 0xf3, 0x78, 0x7a,
+    0x33, 0x70, 0x9d, 0x0f, 0x42, 0x6b, 0x13, 0x68, 0x24, 0xd3,
+    0x15, 0x02, 0x21, 0x00, 0xe9, 0x10, 0xb0, 0xb3, 0x0d, 0xe2,
+    0x82, 0x68, 0x77, 0x8a, 0x6e, 0x7c, 0xda, 0xbc, 0x3e, 0x53,
+    0x83, 0xfb, 0xd6, 0x22, 0xe7, 0xb5, 0xae, 0x6e, 0x80, 0xda,
+    0x00, 0x55, 0x97, 0xc1, 0xd0, 0x65, 0x02, 0x20, 0x4c, 0xf8,
+    0x73, 0xb1, 0x6a, 0x49, 0x29, 0x61, 0x1f, 0x46, 0x10, 0x0d,
+    0xf3, 0xc7, 0xe7, 0x58, 0xd7, 0x88, 0x15, 0x5e, 0x94, 0x9b,
+    0xbf, 0x7b, 0xa2, 0x42, 0x58, 0x45, 0x41, 0x0c, 0xcb, 0x01,
+    0x02, 0x20, 0x12, 0x11, 0xba, 0x31, 0x57, 0x9d, 0x3d, 0x11,
+    0x0e, 0x5b, 0x8c, 0x2f, 0x5f, 0xe2, 0x02, 0x4f, 0x05, 0x47,
+    0x8c, 0x15, 0x8e, 0xb3, 0x56, 0x3f, 0xb8, 0xfb, 0xad, 0xd4,
+    0xf4, 0xfc, 0x10, 0xc5, 0x02, 0x20, 0x18, 0xa1, 0x29, 0x99,
+    0x5b, 0xd9, 0xc8, 0xd4, 0xfc, 0x49, 0x7a, 0x2a, 0x21, 0x2c,
+    0x49, 0xe4, 0x4f, 0xeb, 0xef, 0x51, 0xf1, 0xab, 0x6d, 0xfb,
+    0x4b, 0x14, 0xe9, 0x4b, 0x52, 0xb5, 0x82, 0x2c,
+};
+
+static unsigned char test1024[] = {
+    0x30, 0x82, 0x02, 0x5c, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81,
+    0x00, 0xdc, 0x98, 0x43, 0xe8, 0x3d, 0x43, 0x5b, 0xe4, 0x05,
+    0xcd, 0xd0, 0xa9, 0x3e, 0xcb, 0x83, 0x75, 0xf6, 0xb5, 0xa5,
+    0x9f, 0x6b, 0xe9, 0x34, 0x41, 0x29, 0x18, 0xfa, 0x6a, 0x55,
+    0x4d, 0x70, 0xfc, 0xec, 0xae, 0x87, 0x38, 0x0a, 0x20, 0xa9,
+    0xc0, 0x45, 0x77, 0x6e, 0x57, 0x60, 0x57, 0xf4, 0xed, 0x96,
+    0x22, 0xcb, 0x8f, 0xe1, 0x33, 0x3a, 0x17, 0x1f, 0xed, 0x37,
+    0xa5, 0x6f, 0xeb, 0xa6, 0xbc, 0x12, 0x80, 0x1d, 0x53, 0xbd,
+    0x70, 0xeb, 0x21, 0x76, 0x3e, 0xc9, 0x2f, 0x1a, 0x45, 0x24,
+    0x82, 0xff, 0xcd, 0x59, 0x32, 0x06, 0x2e, 0x12, 0x3b, 0x23,
+    0x78, 0xed, 0x12, 0x3d, 0xe0, 0x8d, 0xf9, 0x67, 0x4f, 0x37,
+    0x4e, 0x47, 0x02, 0x4c, 0x2d, 0xc0, 0x4f, 0x1f, 0xb3, 0x94,
+    0xe1, 0x41, 0x2e, 0x2d, 0x90, 0x10, 0xfc, 0x82, 0x91, 0x8b,
+    0x0f, 0x22, 0xd4, 0xf2, 0xfc, 0x2c, 0xab, 0x53, 0x55, 0x02,
+    0x03, 0x01, 0x00, 0x01, 0x02, 0x81, 0x80, 0x2b, 0xcc, 0x3f,
+    0x8f, 0x58, 0xba, 0x8b, 0x00, 0x16, 0xf6, 0xea, 0x3a, 0xf0,
+    0x30, 0xd0, 0x05, 0x17, 0xda, 0xb0, 0xeb, 0x9a, 0x2d, 0x4f,
+    0x26, 0xb0, 0xd6, 0x38, 0xc1, 0xeb, 0xf5, 0xd8, 0x3d, 0x1f,
+    0x70, 0xf7, 0x7f, 0xf4, 0xe2, 0xcf, 0x51, 0x51, 0x79, 0x88,
+    0xfa, 0xe8, 0x32, 0x0e, 0x7b, 0x2d, 0x97, 0xf2, 0xfa, 0xba,
+    0x27, 0xc5, 0x9c, 0xd9, 0xc5, 0xeb, 0x8a, 0x79, 0x52, 0x3c,
+    0x64, 0x34, 0x7d, 0xc2, 0xcf, 0x28, 0xc7, 0x4e, 0xd5, 0x43,
+    0x0b, 0xd1, 0xa6, 0xca, 0x6d, 0x03, 0x2d, 0x72, 0x23, 0xbc,
+    0x6d, 0x05, 0xfa, 0x16, 0x09, 0x2f, 0x2e, 0x5c, 0xb6, 0xee,
+    0x74, 0xdd, 0xd2, 0x48, 0x8e, 0x36, 0x0c, 0x06, 0x3d, 0x4d,
+    0xe5, 0x10, 0x82, 0xeb, 0x6a, 0xf3, 0x4b, 0x9f, 0xd6, 0xed,
+    0x11, 0xb1, 0x6e, 0xec, 0xf4, 0xfe, 0x8e, 0x75, 0x94, 0x20,
+    0x2f, 0xcb, 0xac, 0x46, 0xf1, 0x02, 0x41, 0x00, 0xf9, 0x8c,
+    0xa3, 0x85, 0xb1, 0xdd, 0x29, 0xaf, 0x65, 0xc1, 0x33, 0xf3,
+    0x95, 0xc5, 0x52, 0x68, 0x0b, 0xd4, 0xf1, 0xe5, 0x0e, 0x02,
+    0x9f, 0x4f, 0xfa, 0x77, 0xdc, 0x46, 0x9e, 0xc7, 0xa6, 0xe4,
+    0x16, 0x29, 0xda, 0xb0, 0x07, 0xcf, 0x5b, 0xa9, 0x12, 0x8a,
+    0xdd, 0x63, 0x0a, 0xde, 0x2e, 0x8c, 0x66, 0x8b, 0x8c, 0xdc,
+    0x19, 0xa3, 0x7e, 0xf4, 0x3b, 0xd0, 0x1a, 0x8c, 0xa4, 0xc2,
+    0xe1, 0xd3, 0x02, 0x41, 0x00, 0xe2, 0x4c, 0x05, 0xf2, 0x04,
+    0x86, 0x4e, 0x61, 0x43, 0xdb, 0xb0, 0xb9, 0x96, 0x86, 0x52,
+    0x2c, 0xca, 0x8d, 0x7b, 0xab, 0x0b, 0x13, 0x0d, 0x7e, 0x38,
+    0x5b, 0xe2, 0x2e, 0x7b, 0x0e, 0xe7, 0x19, 0x99, 0x38, 0xe7,
+    0xf2, 0x21, 0xbd, 0x85, 0x85, 0xe3, 0xfd, 0x28, 0x77, 0x20,
+    0x31, 0x71, 0x2c, 0xd0, 0xff, 0xfb, 0x2e, 0xaf, 0x85, 0xb4,
+    0x86, 0xca, 0xf3, 0xbb, 0xca, 0xaa, 0x0f, 0x95, 0x37, 0x02,
+    0x40, 0x0e, 0x41, 0x9a, 0x95, 0xe8, 0xb3, 0x59, 0xce, 0x4b,
+    0x61, 0xde, 0x35, 0xec, 0x38, 0x79, 0x9c, 0xb8, 0x10, 0x52,
+    0x41, 0x63, 0xab, 0x82, 0xae, 0x6f, 0x00, 0xa9, 0xf4, 0xde,
+    0xdd, 0x49, 0x0b, 0x7e, 0xb8, 0xa5, 0x65, 0xa9, 0x0c, 0x8f,
+    0x8f, 0xf9, 0x1f, 0x35, 0xc6, 0x92, 0xb8, 0x5e, 0xb0, 0x66,
+    0xab, 0x52, 0x40, 0xc0, 0xb6, 0x36, 0x6a, 0x7d, 0x80, 0x46,
+    0x04, 0x02, 0xe5, 0x9f, 0x41, 0x02, 0x41, 0x00, 0xc0, 0xad,
+    0xcc, 0x4e, 0x21, 0xee, 0x1d, 0x24, 0x91, 0xfb, 0xa7, 0x80,
+    0x8d, 0x9a, 0xb6, 0xb3, 0x2e, 0x8f, 0xc2, 0xe1, 0x82, 0xdf,
+    0x69, 0x18, 0xb4, 0x71, 0xff, 0xa6, 0x65, 0xde, 0xed, 0x84,
+    0x8d, 0x42, 0xb7, 0xb3, 0x21, 0x69, 0x56, 0x1c, 0x07, 0x60,
+    0x51, 0x29, 0x04, 0xff, 0x34, 0x06, 0xdd, 0xb9, 0x67, 0x2c,
+    0x7c, 0x04, 0x93, 0x0e, 0x46, 0x15, 0xbb, 0x2a, 0xb7, 0x1b,
+    0xe7, 0x87, 0x02, 0x40, 0x78, 0xda, 0x5d, 0x07, 0x51, 0x0c,
+    0x16, 0x7a, 0x9f, 0x29, 0x20, 0x84, 0x0d, 0x42, 0xfa, 0xd7,
+    0x00, 0xd8, 0x77, 0x7e, 0xb0, 0xb0, 0x6b, 0xd6, 0x5b, 0x53,
+    0xb8, 0x9b, 0x7a, 0xcd, 0xc7, 0x2b, 0xb8, 0x6a, 0x63, 0xa9,
+    0xfb, 0x6f, 0xa4, 0x72, 0xbf, 0x4c, 0x5d, 0x00, 0x14, 0xba,
+    0xfa, 0x59, 0x88, 0xed, 0xe4, 0xe0, 0x8c, 0xa2, 0xec, 0x14,
+    0x7e, 0x2d, 0xe2, 0xf0, 0x46, 0x49, 0x95, 0x45,
+};
+
+static unsigned char test2048[] = {
+    0x30, 0x82, 0x04, 0xa3, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01,
+    0x01, 0x00, 0xc0, 0xc0, 0xce, 0x3e, 0x3c, 0x53, 0x67, 0x3f,
+    0x4f, 0xc5, 0x2f, 0xa4, 0xc2, 0x5a, 0x2f, 0x58, 0xfd, 0x27,
+    0x52, 0x6a, 0xe8, 0xcf, 0x4a, 0x73, 0x47, 0x8d, 0x25, 0x0f,
+    0x5f, 0x03, 0x26, 0x78, 0xef, 0xf0, 0x22, 0x12, 0xd3, 0xde,
+    0x47, 0xb2, 0x1c, 0x0b, 0x38, 0x63, 0x1a, 0x6c, 0x85, 0x7a,
+    0x80, 0xc6, 0x8f, 0xa0, 0x41, 0xaf, 0x62, 0xc4, 0x67, 0x32,
+    0x88, 0xf8, 0xa6, 0x9c, 0xf5, 0x23, 0x1d, 0xe4, 0xac, 0x3f,
+    0x29, 0xf9, 0xec, 0xe1, 0x8b, 0x26, 0x03, 0x2c, 0xb2, 0xab,
+    0xf3, 0x7d, 0xb5, 0xca, 0x49, 0xc0, 0x8f, 0x1c, 0xdf, 0x33,
+    0x3a, 0x60, 0xda, 0x3c, 0xb0, 0x16, 0xf8, 0xa9, 0x12, 0x8f,
+    0x64, 0xac, 0x23, 0x0c, 0x69, 0x64, 0x97, 0x5d, 0x99, 0xd4,
+    0x09, 0x83, 0x9b, 0x61, 0xd3, 0xac, 0xf0, 0xde, 0xdd, 0x5e,
+    0x9f, 0x44, 0x94, 0xdb, 0x3a, 0x4d, 0x97, 0xe8, 0x52, 0x29,
+    0xf7, 0xdb, 0x94, 0x07, 0x45, 0x90, 0x78, 0x1e, 0x31, 0x0b,
+    0x80, 0xf7, 0x57, 0xad, 0x1c, 0x79, 0xc5, 0xcb, 0x32, 0xb0,
+    0xce, 0xcd, 0x74, 0xb3, 0xe2, 0x94, 0xc5, 0x78, 0x2f, 0x34,
+    0x1a, 0x45, 0xf7, 0x8c, 0x52, 0xa5, 0xbc, 0x8d, 0xec, 0xd1,
+    0x2f, 0x31, 0x3b, 0xf0, 0x49, 0x59, 0x5e, 0x88, 0x9d, 0x15,
+    0x92, 0x35, 0x32, 0xc1, 0xe7, 0x61, 0xec, 0x50, 0x48, 0x7c,
+    0xba, 0x05, 0xf9, 0xf8, 0xf8, 0xa7, 0x8c, 0x83, 0xe8, 0x66,
+    0x5b, 0xeb, 0xfe, 0xd8, 0x4f, 0xdd, 0x6d, 0x36, 0xc0, 0xb2,
+    0x90, 0x0f, 0xb8, 0x52, 0xf9, 0x04, 0x9b, 0x40, 0x2c, 0x27,
+    0xd6, 0x36, 0x8e, 0xc2, 0x1b, 0x44, 0xf3, 0x92, 0xd5, 0x15,
+    0x9e, 0x9a, 0xbc, 0xf3, 0x7d, 0x03, 0xd7, 0x02, 0x14, 0x20,
+    0xe9, 0x10, 0x92, 0xfd, 0xf9, 0xfc, 0x8f, 0xe5, 0x18, 0xe1,
+    0x95, 0xcc, 0x9e, 0x60, 0xa6, 0xfa, 0x38, 0x4d, 0x02, 0x03,
+    0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x00, 0x00, 0xc3, 0xc3,
+    0x0d, 0xb4, 0x27, 0x90, 0x8d, 0x4b, 0xbf, 0xb8, 0x84, 0xaa,
+    0xd0, 0xb8, 0xc7, 0x5d, 0x99, 0xbe, 0x55, 0xf6, 0x3e, 0x7c,
+    0x49, 0x20, 0xcb, 0x8a, 0x8e, 0x19, 0x0e, 0x66, 0x24, 0xac,
+    0xaf, 0x03, 0x33, 0x97, 0xeb, 0x95, 0xd5, 0x3b, 0x0f, 0x40,
+    0x56, 0x04, 0x50, 0xd1, 0xe6, 0xbe, 0x84, 0x0b, 0x25, 0xd3,
+    0x9c, 0xe2, 0x83, 0x6c, 0xf5, 0x62, 0x5d, 0xba, 0x2b, 0x7d,
+    0x3d, 0x7a, 0x6c, 0xe1, 0xd2, 0x0e, 0x54, 0x93, 0x80, 0x01,
+    0x91, 0x51, 0x09, 0xe8, 0x5b, 0x8e, 0x47, 0xbd, 0x64, 0xe4,
+    0x0e, 0x03, 0x83, 0x55, 0xcf, 0x5a, 0x37, 0xf0, 0x25, 0xb5,
+    0x7d, 0x21, 0xd7, 0x69, 0xdf, 0x6f, 0xc2, 0xcf, 0x10, 0xc9,
+    0x8a, 0x40, 0x9f, 0x7a, 0x70, 0xc0, 0xe8, 0xe8, 0xc0, 0xe6,
+    0x9a, 0x15, 0x0a, 0x8d, 0x4e, 0x46, 0xcb, 0x7a, 0xdb, 0xb3,
+    0xcb, 0x83, 0x02, 0xc4, 0xf0, 0xab, 0xeb, 0x02, 0x01, 0x0e,
+    0x23, 0xfc, 0x1d, 0xc4, 0xbd, 0xd4, 0xaa, 0x5d, 0x31, 0x46,
+    0x99, 0xce, 0x9e, 0xf8, 0x04, 0x75, 0x10, 0x67, 0xc4, 0x53,
+    0x47, 0x44, 0xfa, 0xc2, 0x25, 0x73, 0x7e, 0xd0, 0x8e, 0x59,
+    0xd1, 0xb2, 0x5a, 0xf4, 0xc7, 0x18, 0x92, 0x2f, 0x39, 0xab,
+    0xcd, 0xa3, 0xb5, 0xc2, 0xb9, 0xc7, 0xb9, 0x1b, 0x9f, 0x48,
+    0xfa, 0x13, 0xc6, 0x98, 0x4d, 0xca, 0x84, 0x9c, 0x06, 0xca,
+    0xe7, 0x89, 0x01, 0x04, 0xc4, 0x6c, 0xfd, 0x29, 0x59, 0x35,
+    0xe7, 0xf3, 0xdd, 0xce, 0x64, 0x59, 0xbf, 0x21, 0x13, 0xa9,
+    0x9f, 0x0e, 0xc5, 0xff, 0xbd, 0x33, 0x00, 0xec, 0xac, 0x6b,
+    0x11, 0xef, 0x51, 0x5e, 0xad, 0x07, 0x15, 0xde, 0xb8, 0x5f,
+    0xc6, 0xb9, 0xa3, 0x22, 0x65, 0x46, 0x83, 0x14, 0xdf, 0xd0,
+    0xf1, 0x44, 0x8a, 0xe1, 0x9c, 0x23, 0x33, 0xb4, 0x97, 0x33,
+    0xe6, 0x6b, 0x81, 0x02, 0x81, 0x81, 0x00, 0xec, 0x12, 0xa7,
+    0x59, 0x74, 0x6a, 0xde, 0x3e, 0xad, 0xd8, 0x36, 0x80, 0x50,
+    0xa2, 0xd5, 0x21, 0x81, 0x07, 0xf1, 0xd0, 0x91, 0xf2, 0x6c,
+    0x12, 0x2f, 0x9d, 0x1a, 0x26, 0xf8, 0x30, 0x65, 0xdf, 0xe8,
+    0xc0, 0x9b, 0x6a, 0x30, 0x98, 0x82, 0x87, 0xec, 0xa2, 0x56,
+    0x87, 0x62, 0x6f, 0xe7, 0x9f, 0xf6, 0x56, 0xe6, 0x71, 0x8f,
+    0x49, 0x86, 0x93, 0x5a, 0x4d, 0x34, 0x58, 0xfe, 0xd9, 0x04,
+    0x13, 0xaf, 0x79, 0xb7, 0xad, 0x11, 0xd1, 0x30, 0x9a, 0x14,
+    0x06, 0xa0, 0xfa, 0xb7, 0x55, 0xdc, 0x6c, 0x5a, 0x4c, 0x2c,
+    0x59, 0x56, 0xf6, 0xe8, 0x9d, 0xaf, 0x0a, 0x78, 0x99, 0x06,
+    0x06, 0x9e, 0xe7, 0x9c, 0x51, 0x55, 0x43, 0xfc, 0x3b, 0x6c,
+    0x0b, 0xbf, 0x2d, 0x41, 0xa7, 0xaf, 0xb7, 0xe0, 0xe8, 0x28,
+    0x18, 0xb4, 0x13, 0xd1, 0xe6, 0x97, 0xd0, 0x9f, 0x6a, 0x80,
+    0xca, 0xdd, 0x1a, 0x7e, 0x15, 0x02, 0x81, 0x81, 0x00, 0xd1,
+    0x06, 0x0c, 0x1f, 0xe3, 0xd0, 0xab, 0xd6, 0xca, 0x7c, 0xbc,
+    0x7d, 0x13, 0x35, 0xce, 0x27, 0xcd, 0xd8, 0x49, 0x51, 0x63,
+    0x64, 0x0f, 0xca, 0x06, 0x12, 0xfc, 0x07, 0x3e, 0xaf, 0x61,
+    0x6d, 0xe2, 0x53, 0x39, 0x27, 0xae, 0xc3, 0x11, 0x9e, 0x94,
+    0x01, 0x4f, 0xe3, 0xf3, 0x67, 0xf9, 0x77, 0xf9, 0xe7, 0x95,
+    0x3a, 0x6f, 0xe2, 0x20, 0x73, 0x3e, 0xa4, 0x7a, 0x28, 0xd4,
+    0x61, 0x97, 0xf6, 0x17, 0xa0, 0x23, 0x10, 0x2b, 0xce, 0x84,
+    0x57, 0x7e, 0x25, 0x1f, 0xf4, 0xa8, 0x54, 0xd2, 0x65, 0x94,
+    0xcc, 0x95, 0x0a, 0xab, 0x30, 0xc1, 0x59, 0x1f, 0x61, 0x8e,
+    0xb9, 0x6b, 0xd7, 0x4e, 0xb9, 0x83, 0x43, 0x79, 0x85, 0x11,
+    0xbc, 0x0f, 0xae, 0x25, 0x20, 0x05, 0xbc, 0xd2, 0x48, 0xa1,
+    0x68, 0x09, 0x84, 0xf6, 0x12, 0x9a, 0x66, 0xb9, 0x2b, 0xbb,
+    0x76, 0x03, 0x17, 0x46, 0x4e, 0x97, 0x59, 0x02, 0x81, 0x80,
+    0x09, 0x4c, 0xfa, 0xd6, 0xe5, 0x65, 0x48, 0x78, 0x43, 0xb5,
+    0x1f, 0x00, 0x93, 0x2c, 0xb7, 0x24, 0xe8, 0xc6, 0x7d, 0x5a,
+    0x70, 0x45, 0x92, 0xc8, 0x6c, 0xa3, 0xcd, 0xe1, 0xf7, 0x29,
+    0x40, 0xfa, 0x3f, 0x5b, 0x47, 0x44, 0x39, 0xc1, 0xe8, 0x72,
+    0x9e, 0x7a, 0x0e, 0xda, 0xaa, 0xa0, 0x2a, 0x09, 0xfd, 0x54,
+    0x93, 0x23, 0xaa, 0x37, 0x85, 0x5b, 0xcc, 0xd4, 0xf9, 0xd8,
+    0xff, 0xc1, 0x61, 0x0d, 0xbd, 0x7e, 0x18, 0x24, 0x73, 0x6d,
+    0x40, 0x72, 0xf1, 0x93, 0x09, 0x48, 0x97, 0x6c, 0x84, 0x90,
+    0xa8, 0x46, 0x14, 0x01, 0x39, 0x11, 0xe5, 0x3c, 0x41, 0x27,
+    0x32, 0x75, 0x24, 0xed, 0xa1, 0xd9, 0x12, 0x29, 0x8a, 0x28,
+    0x71, 0x89, 0x8d, 0xca, 0x30, 0xb0, 0x01, 0xc4, 0x2f, 0x82,
+    0x19, 0x14, 0x4c, 0x70, 0x1c, 0xb8, 0x23, 0x2e, 0xe8, 0x90,
+    0x49, 0x97, 0x92, 0x97, 0x6b, 0x7a, 0x9d, 0xb9, 0x02, 0x81,
+    0x80, 0x0f, 0x0e, 0xa1, 0x76, 0xf6, 0xa1, 0x44, 0x8f, 0xaf,
+    0x7c, 0x76, 0xd3, 0x87, 0xbb, 0xbb, 0x83, 0x10, 0x88, 0x01,
+    0x18, 0x14, 0xd1, 0xd3, 0x75, 0x59, 0x24, 0xaa, 0xf5, 0x16,
+    0xa5, 0xe9, 0x9d, 0xd1, 0xcc, 0xee, 0xf4, 0x15, 0xd9, 0xc5,
+    0x7e, 0x27, 0xe9, 0x44, 0x49, 0x06, 0x72, 0xb9, 0xfc, 0xd3,
+    0x8a, 0xc4, 0x2c, 0x36, 0x7d, 0x12, 0x9b, 0x5a, 0xaa, 0xdc,
+    0x85, 0xee, 0x6e, 0xad, 0x54, 0xb3, 0xf4, 0xfc, 0x31, 0xa1,
+    0x06, 0x3a, 0x70, 0x57, 0x0c, 0xf3, 0x95, 0x5b, 0x3e, 0xe8,
+    0xfd, 0x1a, 0x4f, 0xf6, 0x78, 0x93, 0x46, 0x6a, 0xd7, 0x31,
+    0xb4, 0x84, 0x64, 0x85, 0x09, 0x38, 0x89, 0x92, 0x94, 0x1c,
+    0xbf, 0xe2, 0x3c, 0x2a, 0xe0, 0xff, 0x99, 0xa3, 0xf0, 0x2b,
+    0x31, 0xc2, 0x36, 0xcd, 0x60, 0xbf, 0x9d, 0x2d, 0x74, 0x32,
+    0xe8, 0x9c, 0x93, 0x6e, 0xbb, 0x91, 0x7b, 0xfd, 0xd9, 0x02,
+    0x81, 0x81, 0x00, 0xa2, 0x71, 0x25, 0x38, 0xeb, 0x2a, 0xe9,
+    0x37, 0xcd, 0xfe, 0x44, 0xce, 0x90, 0x3f, 0x52, 0x87, 0x84,
+    0x52, 0x1b, 0xae, 0x8d, 0x22, 0x94, 0xce, 0x38, 0xe6, 0x04,
+    0x88, 0x76, 0x85, 0x9a, 0xd3, 0x14, 0x09, 0xe5, 0x69, 0x9a,
+    0xff, 0x58, 0x92, 0x02, 0x6a, 0x7d, 0x7c, 0x1e, 0x2c, 0xfd,
+    0xa8, 0xca, 0x32, 0x14, 0x4f, 0x0d, 0x84, 0x0d, 0x37, 0x43,
+    0xbf, 0xe4, 0x5d, 0x12, 0xc8, 0x24, 0x91, 0x27, 0x8d, 0x46,
+    0xd9, 0x54, 0x53, 0xe7, 0x62, 0x71, 0xa8, 0x2b, 0x71, 0x41,
+    0x8d, 0x75, 0xf8, 0x3a, 0xa0, 0x61, 0x29, 0x46, 0xa6, 0xe5,
+    0x82, 0xfa, 0x3a, 0xd9, 0x08, 0xfa, 0xfc, 0x63, 0xfd, 0x6b,
+    0x30, 0xbc, 0xf4, 0x4e, 0x9e, 0x8c, 0x25, 0x0c, 0xb6, 0x55,
+    0xe7, 0x3c, 0xd4, 0x4e, 0x0b, 0xfd, 0x8b, 0xc3, 0x0e, 0x1d,
+    0x9c, 0x44, 0x57, 0x8f, 0x1f, 0x86, 0xf7, 0xd5, 0x1b, 0xe4,
+    0x95,
+};
+
+static unsigned char test4096[] = {
+    0x30, 0x82, 0x09, 0x29, 0x02, 0x01, 0x00, 0x02, 0x82, 0x02,
+    0x01, 0x00, 0xc0, 0x71, 0xac, 0x1a, 0x13, 0x88, 0x82, 0x43,
+    0x3b, 0x51, 0x57, 0x71, 0x8d, 0xb6, 0x2b, 0x82, 0x65, 0x21,
+    0x53, 0x5f, 0x28, 0x29, 0x4f, 0x8d, 0x7c, 0x8a, 0xb9, 0x44,
+    0xb3, 0x28, 0x41, 0x4f, 0xd3, 0xfa, 0x6a, 0xf8, 0xb9, 0x28,
+    0x50, 0x39, 0x67, 0x53, 0x2c, 0x3c, 0xd7, 0xcb, 0x96, 0x41,
+    0x40, 0x32, 0xbb, 0xeb, 0x70, 0xae, 0x1f, 0xb0, 0x65, 0xf7,
+    0x3a, 0xd9, 0x22, 0xfd, 0x10, 0xae, 0xbd, 0x02, 0xe2, 0xdd,
+    0xf3, 0xc2, 0x79, 0x3c, 0xc6, 0xfc, 0x75, 0xbb, 0xaf, 0x4e,
+    0x3a, 0x36, 0xc2, 0x4f, 0xea, 0x25, 0xdf, 0x13, 0x16, 0x4b,
+    0x20, 0xfe, 0x4b, 0x69, 0x16, 0xc4, 0x7f, 0x1a, 0x43, 0xa6,
+    0x17, 0x1b, 0xb9, 0x0a, 0xf3, 0x09, 0x86, 0x28, 0x89, 0xcf,
+    0x2c, 0xd0, 0xd4, 0x81, 0xaf, 0xc6, 0x6d, 0xe6, 0x21, 0x8d,
+    0xee, 0xef, 0xea, 0xdc, 0xb7, 0xc6, 0x3b, 0x63, 0x9f, 0x0e,
+    0xad, 0x89, 0x78, 0x23, 0x18, 0xbf, 0x70, 0x7e, 0x84, 0xe0,
+    0x37, 0xec, 0xdb, 0x8e, 0x9c, 0x3e, 0x6a, 0x19, 0xcc, 0x99,
+    0x72, 0xe6, 0xb5, 0x7d, 0x6d, 0xfa, 0xe5, 0xd3, 0xe4, 0x90,
+    0xb5, 0xb2, 0xb2, 0x12, 0x70, 0x4e, 0xca, 0xf8, 0x10, 0xf8,
+    0xa3, 0x14, 0xc2, 0x48, 0x19, 0xeb, 0x60, 0x99, 0xbb, 0x2a,
+    0x1f, 0xb1, 0x7a, 0xb1, 0x3d, 0x24, 0xfb, 0xa0, 0x29, 0xda,
+    0xbd, 0x1b, 0xd7, 0xa4, 0xbf, 0xef, 0x60, 0x2d, 0x22, 0xca,
+    0x65, 0x98, 0xf1, 0xc4, 0xe1, 0xc9, 0x02, 0x6b, 0x16, 0x28,
+    0x2f, 0xa1, 0xaa, 0x79, 0x00, 0xda, 0xdc, 0x7c, 0x43, 0xf7,
+    0x42, 0x3c, 0xa0, 0xef, 0x68, 0xf7, 0xdf, 0xb9, 0x69, 0xfb,
+    0x8e, 0x01, 0xed, 0x01, 0x42, 0xb5, 0x4e, 0x57, 0xa6, 0x26,
+    0xb8, 0xd0, 0x7b, 0x56, 0x6d, 0x03, 0xc6, 0x40, 0x8c, 0x8c,
+    0x2a, 0x55, 0xd7, 0x9c, 0x35, 0x00, 0x94, 0x93, 0xec, 0x03,
+    0xeb, 0x22, 0xef, 0x77, 0xbb, 0x79, 0x13, 0x3f, 0x15, 0xa1,
+    0x8f, 0xca, 0xdf, 0xfd, 0xd3, 0xb8, 0xe1, 0xd4, 0xcc, 0x09,
+    0x3f, 0x3c, 0x2c, 0xdb, 0xd1, 0x49, 0x7f, 0x38, 0x07, 0x83,
+    0x6d, 0xeb, 0x08, 0x66, 0xe9, 0x06, 0x44, 0x12, 0xac, 0x95,
+    0x22, 0x90, 0x23, 0x67, 0xd4, 0x08, 0xcc, 0xf4, 0xb7, 0xdc,
+    0xcc, 0x87, 0xd4, 0xac, 0x69, 0x35, 0x4c, 0xb5, 0x39, 0x36,
+    0xcd, 0xa4, 0xd2, 0x95, 0xca, 0x0d, 0xc5, 0xda, 0xc2, 0xc5,
+    0x22, 0x32, 0x28, 0x08, 0xe3, 0xd2, 0x8b, 0x38, 0x30, 0xdc,
+    0x8c, 0x75, 0x4f, 0x6a, 0xec, 0x7a, 0xac, 0x16, 0x3e, 0xa8,
+    0xd4, 0x6a, 0x45, 0xe1, 0xa8, 0x4f, 0x2e, 0x80, 0x34, 0xaa,
+    0x54, 0x1b, 0x02, 0x95, 0x7d, 0x8a, 0x6d, 0xcc, 0x79, 0xca,
+    0xf2, 0xa4, 0x2e, 0x8d, 0xfb, 0xfe, 0x15, 0x51, 0x10, 0x0e,
+    0x4d, 0x88, 0xb1, 0xc7, 0xf4, 0x79, 0xdb, 0xf0, 0xb4, 0x56,
+    0x44, 0x37, 0xca, 0x5a, 0xc1, 0x8c, 0x48, 0xac, 0xae, 0x48,
+    0x80, 0x83, 0x01, 0x3f, 0xde, 0xd9, 0xd3, 0x2c, 0x51, 0x46,
+    0xb1, 0x41, 0xb6, 0xc6, 0x91, 0x72, 0xf9, 0x83, 0x55, 0x1b,
+    0x8c, 0xba, 0xf3, 0x73, 0xe5, 0x2c, 0x74, 0x50, 0x3a, 0xbe,
+    0xc5, 0x2f, 0xa7, 0xb2, 0x6d, 0x8c, 0x9e, 0x13, 0x77, 0xa3,
+    0x13, 0xcd, 0x6d, 0x8c, 0x45, 0xe1, 0xfc, 0x0b, 0xb7, 0x69,
+    0xe9, 0x27, 0xbc, 0x65, 0xc3, 0xfa, 0x9b, 0xd0, 0xef, 0xfe,
+    0xe8, 0x1f, 0xb3, 0x5e, 0x34, 0xf4, 0x8c, 0xea, 0xfc, 0xd3,
+    0x81, 0xbf, 0x3d, 0x30, 0xb2, 0xb4, 0x01, 0xe8, 0x43, 0x0f,
+    0xba, 0x02, 0x23, 0x42, 0x76, 0x82, 0x31, 0x73, 0x91, 0xed,
+    0x07, 0x46, 0x61, 0x0d, 0x39, 0x83, 0x40, 0xce, 0x7a, 0xd4,
+    0xdb, 0x80, 0x2c, 0x1f, 0x0d, 0xd1, 0x34, 0xd4, 0x92, 0xe3,
+    0xd4, 0xf1, 0xc2, 0x01, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02,
+    0x82, 0x02, 0x01, 0x00, 0x97, 0x6c, 0xda, 0x6e, 0xea, 0x4f,
+    0xcf, 0xaf, 0xf7, 0x4c, 0xd9, 0xf1, 0x90, 0x00, 0x77, 0xdb,
+    0xf2, 0x97, 0x76, 0x72, 0xb9, 0xb7, 0x47, 0xd1, 0x9c, 0xdd,
+    0xcb, 0x4a, 0x33, 0x6e, 0xc9, 0x75, 0x76, 0xe6, 0xe4, 0xa5,
+    0x31, 0x8c, 0x77, 0x13, 0xb4, 0x29, 0xcd, 0xf5, 0x52, 0x17,
+    0xef, 0xf3, 0x08, 0x00, 0xe3, 0xbd, 0x2e, 0xbc, 0xd4, 0x52,
+    0x88, 0xe9, 0x30, 0x75, 0x0b, 0x02, 0xf5, 0xcd, 0x89, 0x0c,
+    0x6c, 0x57, 0x19, 0x27, 0x3d, 0x1e, 0x85, 0xb4, 0xc1, 0x2f,
+    0x1d, 0x92, 0x00, 0x5c, 0x76, 0x29, 0x4b, 0xa4, 0xe1, 0x12,
+    0xb3, 0xc8, 0x09, 0xfe, 0x0e, 0x78, 0x72, 0x61, 0xcb, 0x61,
+    0x6f, 0x39, 0x91, 0x95, 0x4e, 0xd5, 0x3e, 0xc7, 0x8f, 0xb8,
+    0xf6, 0x36, 0xfe, 0x9c, 0x93, 0x9a, 0x38, 0x25, 0x7a, 0xf4,
+    0x4a, 0x12, 0xd4, 0xa0, 0x13, 0xbd, 0xf9, 0x1d, 0x12, 0x3e,
+    0x21, 0x39, 0xfb, 0x72, 0xe0, 0x05, 0x3d, 0xc3, 0xe5, 0x50,
+    0xa8, 0x5d, 0x85, 0xa3, 0xea, 0x5f, 0x1c, 0xb2, 0x3f, 0xea,
+    0x6d, 0x03, 0x91, 0x55, 0xd8, 0x19, 0x0a, 0x21, 0x12, 0x16,
+    0xd9, 0x12, 0xc4, 0xe6, 0x07, 0x18, 0x5b, 0x26, 0xa4, 0xae,
+    0xed, 0x2b, 0xb7, 0xa6, 0xed, 0xf8, 0xad, 0xec, 0x77, 0xe6,
+    0x7f, 0x4f, 0x76, 0x00, 0xc0, 0xfa, 0x15, 0x92, 0xb4, 0x2c,
+    0x22, 0xc2, 0xeb, 0x6a, 0xad, 0x14, 0x05, 0xb2, 0xe5, 0x8a,
+    0x9e, 0x85, 0x83, 0xcc, 0x04, 0xf1, 0x56, 0x78, 0x44, 0x5e,
+    0xde, 0xe0, 0x60, 0x1a, 0x65, 0x79, 0x31, 0x23, 0x05, 0xbb,
+    0x01, 0xff, 0xdd, 0x2e, 0xb7, 0xb3, 0xaa, 0x74, 0xe0, 0xa5,
+    0x94, 0xaf, 0x4b, 0xde, 0x58, 0x0f, 0x55, 0xde, 0x33, 0xf6,
+    0xe3, 0xd6, 0x34, 0x36, 0x57, 0xd6, 0x79, 0x91, 0x2e, 0xbe,
+    0x3b, 0xd9, 0x4e, 0xb6, 0x9d, 0x21, 0x5c, 0xd3, 0x48, 0x14,
+    0x7f, 0x4a, 0xc4, 0x60, 0xa9, 0x29, 0xf8, 0x53, 0x7f, 0x88,
+    0x11, 0x2d, 0xb5, 0xc5, 0x2d, 0x6f, 0xee, 0x85, 0x0b, 0xf7,
+    0x8d, 0x9a, 0xbe, 0xb0, 0x42, 0xf2, 0x2e, 0x71, 0xaf, 0x19,
+    0x31, 0x6d, 0xec, 0xcd, 0x6f, 0x2b, 0x23, 0xdf, 0xb4, 0x40,
+    0xaf, 0x2c, 0x0a, 0xc3, 0x1b, 0x7d, 0x7d, 0x03, 0x1d, 0x4b,
+    0xf3, 0xb5, 0xe0, 0x85, 0xd8, 0xdf, 0x91, 0x6b, 0x0a, 0x69,
+    0xf7, 0xf2, 0x69, 0x66, 0x5b, 0xf1, 0xcf, 0x46, 0x7d, 0xe9,
+    0x70, 0xfa, 0x6d, 0x7e, 0x75, 0x4e, 0xa9, 0x77, 0xe6, 0x8c,
+    0x02, 0xf7, 0x14, 0x4d, 0xa5, 0x41, 0x8f, 0x3f, 0xc1, 0x62,
+    0x1e, 0x71, 0x5e, 0x38, 0xb4, 0xd6, 0xe6, 0xe1, 0x4b, 0xc2,
+    0x2c, 0x30, 0x83, 0x81, 0x6f, 0x49, 0x2e, 0x96, 0xe6, 0xc9,
+    0x9a, 0xf7, 0x5d, 0x09, 0xa0, 0x55, 0x02, 0xa5, 0x3a, 0x25,
+    0x23, 0xd0, 0x92, 0xc3, 0xa3, 0xe3, 0x0e, 0x12, 0x2f, 0x4d,
+    0xef, 0xf3, 0x55, 0x5a, 0xbe, 0xe6, 0x19, 0x86, 0x31, 0xab,
+    0x75, 0x9a, 0xd3, 0xf0, 0x2c, 0xc5, 0x41, 0x92, 0xd9, 0x1f,
+    0x5f, 0x11, 0x8c, 0x75, 0x1c, 0x63, 0xd0, 0x02, 0x80, 0x2c,
+    0x68, 0xcb, 0x93, 0xfb, 0x51, 0x73, 0x49, 0xb4, 0x60, 0xda,
+    0xe2, 0x26, 0xaf, 0xa9, 0x46, 0x12, 0xb8, 0xec, 0x50, 0xdd,
+    0x12, 0x06, 0x5f, 0xce, 0x59, 0xe6, 0xf6, 0x1c, 0xe0, 0x54,
+    0x10, 0xad, 0xf6, 0xcd, 0x98, 0xcc, 0x0f, 0xfb, 0xcb, 0x41,
+    0x14, 0x9d, 0xed, 0xe4, 0xb4, 0x74, 0x5f, 0x09, 0x60, 0xc7,
+    0x12, 0xf6, 0x7b, 0x3c, 0x8f, 0xa7, 0x20, 0xbc, 0xe4, 0xb1,
+    0xef, 0xeb, 0xa4, 0x93, 0xc5, 0x06, 0xca, 0x9a, 0x27, 0x9d,
+    0x87, 0xf3, 0xde, 0xca, 0xe5, 0xe7, 0xf6, 0x1c, 0x01, 0x65,
+    0x5b, 0xfb, 0x19, 0x79, 0x6e, 0x08, 0x26, 0xc5, 0xc8, 0x28,
+    0x0e, 0xb6, 0x3b, 0x07, 0x08, 0xc1, 0x02, 0x82, 0x01, 0x01,
+    0x00, 0xe8, 0x1c, 0x73, 0xa6, 0xb8, 0xe0, 0x0e, 0x6d, 0x8d,
+    0x1b, 0xb9, 0x53, 0xed, 0x58, 0x94, 0xe6, 0x1d, 0x60, 0x14,
+    0x5c, 0x76, 0x43, 0xc4, 0x58, 0x19, 0xc4, 0x24, 0xe8, 0xbc,
+    0x1b, 0x3b, 0x0b, 0x13, 0x24, 0x45, 0x54, 0x0e, 0xcc, 0x37,
+    0xf0, 0xe0, 0x63, 0x7d, 0xc3, 0xf7, 0xfb, 0x81, 0x74, 0x81,
+    0xc4, 0x0f, 0x1a, 0x21, 0x48, 0xaf, 0xce, 0xc1, 0xc4, 0x94,
+    0x18, 0x06, 0x44, 0x8d, 0xd3, 0xd2, 0x22, 0x2d, 0x2d, 0x3e,
+    0x5a, 0x31, 0xdc, 0x95, 0x8e, 0xf4, 0x41, 0xfc, 0x58, 0xc9,
+    0x40, 0x92, 0x17, 0x5f, 0xe3, 0xda, 0xac, 0x9e, 0x3f, 0x1c,
+    0x2a, 0x6b, 0x58, 0x5f, 0x48, 0x78, 0x20, 0xb1, 0xaf, 0x24,
+    0x9b, 0x3c, 0x20, 0x8b, 0x93, 0x25, 0x9e, 0xe6, 0x6b, 0xbc,
+    0x13, 0x42, 0x14, 0x6c, 0x36, 0x31, 0xff, 0x7a, 0xd1, 0xc1,
+    0x1a, 0x26, 0x14, 0x7f, 0xa9, 0x76, 0xa7, 0x0c, 0xf8, 0xcc,
+    0xed, 0x07, 0x6a, 0xd2, 0xdf, 0x62, 0xee, 0x0a, 0x7c, 0x84,
+    0xcb, 0x49, 0x90, 0xb2, 0x03, 0x0d, 0xa2, 0x82, 0x06, 0x77,
+    0xf1, 0xcd, 0x67, 0xf2, 0x47, 0x21, 0x02, 0x3f, 0x43, 0x21,
+    0xf0, 0x46, 0x30, 0x62, 0x51, 0x72, 0xb1, 0xe7, 0x48, 0xc6,
+    0x67, 0x12, 0xcd, 0x9e, 0xd6, 0x15, 0xe5, 0x21, 0xed, 0xfa,
+    0x8f, 0x30, 0xa6, 0x41, 0xfe, 0xb6, 0xfa, 0x8f, 0x34, 0x14,
+    0x19, 0xe8, 0x11, 0xf7, 0xa5, 0x77, 0x3e, 0xb7, 0xf9, 0x39,
+    0x07, 0x8c, 0x67, 0x2a, 0xab, 0x7b, 0x08, 0xf8, 0xb0, 0x06,
+    0xa8, 0xea, 0x2f, 0x8f, 0xfa, 0xcc, 0xcc, 0x40, 0xce, 0xf3,
+    0x70, 0x4f, 0x3f, 0x7f, 0xe2, 0x0c, 0xea, 0x76, 0x4a, 0x35,
+    0x4e, 0x47, 0xad, 0x2b, 0xa7, 0x97, 0x5d, 0x74, 0x43, 0x97,
+    0x90, 0xd2, 0xfb, 0xd9, 0xf9, 0x96, 0x01, 0x33, 0x05, 0xed,
+    0x7b, 0x03, 0x05, 0xad, 0xf8, 0x49, 0x03, 0x02, 0x82, 0x01,
+    0x01, 0x00, 0xd4, 0x40, 0x17, 0x66, 0x10, 0x92, 0x95, 0xc8,
+    0xec, 0x62, 0xa9, 0x7a, 0xcb, 0x93, 0x8e, 0xe6, 0x53, 0xd4,
+    0x80, 0x48, 0x27, 0x4b, 0x41, 0xce, 0x61, 0xdf, 0xbf, 0x94,
+    0xa4, 0x3d, 0x71, 0x03, 0x0b, 0xed, 0x25, 0x71, 0x98, 0xa4,
+    0xd6, 0xd5, 0x4a, 0x57, 0xf5, 0x6c, 0x1b, 0xda, 0x21, 0x7d,
+    0x35, 0x45, 0xb3, 0xf3, 0x6a, 0xd9, 0xd3, 0x43, 0xe8, 0x5c,
+    0x54, 0x1c, 0x83, 0x1b, 0xb4, 0x5f, 0xf2, 0x97, 0x24, 0x2e,
+    0xdc, 0x40, 0xde, 0x92, 0x23, 0x59, 0x8e, 0xbc, 0xd2, 0xa1,
+    0xf2, 0xe0, 0x4c, 0xdd, 0x0b, 0xd1, 0xe7, 0xae, 0x65, 0xbc,
+    0xb5, 0xf5, 0x5b, 0x98, 0xe9, 0xd7, 0xc2, 0xb7, 0x0e, 0x55,
+    0x71, 0x0e, 0x3c, 0x0a, 0x24, 0x6b, 0xa6, 0xe6, 0x14, 0x61,
+    0x11, 0xfd, 0x33, 0x42, 0x99, 0x2b, 0x84, 0x77, 0x74, 0x92,
+    0x91, 0xf5, 0x79, 0x79, 0xcf, 0xad, 0x8e, 0x04, 0xef, 0x80,
+    0x1e, 0x57, 0xf4, 0x14, 0xf5, 0x35, 0x09, 0x74, 0xb2, 0x13,
+    0x71, 0x58, 0x6b, 0xea, 0x32, 0x5d, 0xf3, 0xd3, 0x76, 0x48,
+    0x39, 0x10, 0x23, 0x84, 0x9d, 0xbe, 0x92, 0x77, 0x4a, 0xed,
+    0x70, 0x3e, 0x1a, 0xa2, 0x6c, 0xb3, 0x81, 0x00, 0xc3, 0xc9,
+    0xe4, 0x52, 0xc8, 0x24, 0x88, 0x0c, 0x41, 0xad, 0x87, 0x5a,
+    0xea, 0xa3, 0x7a, 0x85, 0x1c, 0x5e, 0x31, 0x7f, 0xc3, 0x35,
+    0xc6, 0xfa, 0x10, 0xc8, 0x75, 0x10, 0xc4, 0x96, 0x99, 0xe7,
+    0xfe, 0x01, 0xb4, 0x74, 0xdb, 0xb4, 0x11, 0xc3, 0xc8, 0x8c,
+    0xf6, 0xf7, 0x3b, 0x66, 0x50, 0xfc, 0xdb, 0xeb, 0xca, 0x47,
+    0x85, 0x89, 0xe1, 0x65, 0xd9, 0x62, 0x34, 0x3c, 0x70, 0xd8,
+    0x2e, 0xb4, 0x2f, 0x65, 0x3c, 0x4a, 0xa6, 0x2a, 0xe7, 0xc7,
+    0xd8, 0x41, 0x8f, 0x8a, 0x43, 0xbf, 0x42, 0xf2, 0x4d, 0xbc,
+    0xfc, 0x9e, 0x27, 0x95, 0xfb, 0x75, 0xff, 0xab, 0x02, 0x82,
+    0x01, 0x00, 0x41, 0x2f, 0x44, 0x57, 0x6d, 0x12, 0x17, 0x5b,
+    0x32, 0xc6, 0xb7, 0x6c, 0x57, 0x7a, 0x8a, 0x0e, 0x79, 0xef,
+    0x72, 0xa8, 0x68, 0xda, 0x2d, 0x38, 0xe4, 0xbb, 0x8d, 0xf6,
+    0x02, 0x65, 0xcf, 0x56, 0x13, 0xe1, 0x1a, 0xcb, 0x39, 0x80,
+    0xa6, 0xb1, 0x32, 0x03, 0x1e, 0xdd, 0xbb, 0x35, 0xd9, 0xac,
+    0x43, 0x89, 0x31, 0x08, 0x90, 0x92, 0x5e, 0x35, 0x3d, 0x7b,
+    0x9c, 0x6f, 0x86, 0xcb, 0x17, 0xdd, 0x85, 0xe4, 0xed, 0x35,
+    0x08, 0x8e, 0xc1, 0xf4, 0x05, 0xd8, 0x68, 0xc6, 0x63, 0x3c,
+    0xf7, 0xff, 0xf7, 0x47, 0x33, 0x39, 0xc5, 0x3e, 0xb7, 0x0e,
+    0x58, 0x35, 0x9d, 0x81, 0xea, 0xf8, 0x6a, 0x2c, 0x1c, 0x5a,
+    0x68, 0x78, 0x64, 0x11, 0x6b, 0xc1, 0x3e, 0x4e, 0x7a, 0xbd,
+    0x84, 0xcb, 0x0f, 0xc2, 0xb6, 0x85, 0x1d, 0xd3, 0x76, 0xc5,
+    0x93, 0x6a, 0x69, 0x89, 0x56, 0x34, 0xdc, 0x4a, 0x9b, 0xbc,
+    0xff, 0xa8, 0x0d, 0x6e, 0x35, 0x9c, 0x60, 0xa7, 0x23, 0x30,
+    0xc7, 0x06, 0x64, 0x39, 0x8b, 0x94, 0x89, 0xee, 0xba, 0x7f,
+    0x60, 0x8d, 0xfa, 0xb6, 0x97, 0x76, 0xdc, 0x51, 0x4a, 0x3c,
+    0xeb, 0x3a, 0x14, 0x2c, 0x20, 0x60, 0x69, 0x4a, 0x86, 0xfe,
+    0x8c, 0x21, 0x84, 0x49, 0x54, 0xb3, 0x20, 0xe1, 0x01, 0x7f,
+    0x58, 0xdf, 0x7f, 0xb5, 0x21, 0x51, 0x8c, 0x47, 0x9f, 0x91,
+    0xeb, 0x97, 0x3e, 0xf2, 0x54, 0xcf, 0x16, 0x46, 0xf9, 0xd9,
+    0xb6, 0xe7, 0x64, 0xc9, 0xd0, 0x54, 0xea, 0x2f, 0xa1, 0xcf,
+    0xa5, 0x7f, 0x28, 0x8d, 0x84, 0xec, 0xd5, 0x39, 0x03, 0x76,
+    0x5b, 0x2d, 0x8e, 0x43, 0xf2, 0x01, 0x24, 0xc9, 0x6f, 0xc0,
+    0xf5, 0x69, 0x6f, 0x7d, 0xb5, 0x85, 0xd2, 0x5f, 0x7f, 0x78,
+    0x40, 0x07, 0x7f, 0x09, 0x15, 0xb5, 0x1f, 0x28, 0x65, 0x10,
+    0xe4, 0x19, 0xa8, 0xc6, 0x9e, 0x8d, 0xdc, 0xcb, 0x02, 0x82,
+    0x01, 0x00, 0x13, 0x01, 0xee, 0x56, 0x80, 0x93, 0x70, 0x00,
+    0x7f, 0x52, 0xd2, 0x94, 0xa1, 0x98, 0x84, 0x4a, 0x92, 0x25,
+    0x4c, 0x9b, 0xa9, 0x91, 0x2e, 0xc2, 0x79, 0xb7, 0x5c, 0xe3,
+    0xc5, 0xd5, 0x8e, 0xc2, 0x54, 0x16, 0x17, 0xad, 0x55, 0x9b,
+    0x25, 0x76, 0x12, 0x63, 0x50, 0x22, 0x2f, 0x58, 0x58, 0x79,
+    0x6b, 0x04, 0xe3, 0xf9, 0x9f, 0x8f, 0x04, 0x41, 0x67, 0x94,
+    0xa5, 0x1f, 0xac, 0x8a, 0x15, 0x9c, 0x26, 0x10, 0x6c, 0xf8,
+    0x19, 0x57, 0x61, 0xd7, 0x3a, 0x7d, 0x31, 0xb0, 0x2d, 0x38,
+    0xbd, 0x94, 0x62, 0xad, 0xc4, 0xfa, 0x36, 0x42, 0x42, 0xf0,
+    0x24, 0x67, 0x65, 0x9d, 0x8b, 0x0b, 0x7c, 0x6f, 0x82, 0x44,
+    0x1a, 0x8c, 0xc8, 0xc9, 0xab, 0xbb, 0x4c, 0x45, 0xfc, 0x7b,
+    0x38, 0xee, 0x30, 0xe1, 0xfc, 0xef, 0x8d, 0xbc, 0x58, 0xdf,
+    0x2b, 0x5d, 0x0d, 0x54, 0xe0, 0x49, 0x4d, 0x97, 0x99, 0x8f,
+    0x22, 0xa8, 0x83, 0xbe, 0x40, 0xbb, 0x50, 0x2e, 0x78, 0x28,
+    0x0f, 0x95, 0x78, 0x8c, 0x8f, 0x98, 0x24, 0x56, 0xc2, 0x97,
+    0xf3, 0x2c, 0x43, 0xd2, 0x03, 0x82, 0x66, 0x81, 0x72, 0x5f,
+    0x53, 0x16, 0xec, 0xb1, 0xb1, 0x04, 0x5e, 0x40, 0x20, 0x48,
+    0x7b, 0x3f, 0x02, 0x97, 0x6a, 0xeb, 0x96, 0x12, 0x21, 0x35,
+    0xfe, 0x1f, 0x47, 0xc0, 0x95, 0xea, 0xc5, 0x8a, 0x08, 0x84,
+    0x4f, 0x5e, 0x63, 0x94, 0x60, 0x0f, 0x71, 0x5b, 0x7f, 0x4a,
+    0xec, 0x4f, 0x60, 0xc6, 0xba, 0x4a, 0x24, 0xf1, 0x20, 0x8b,
+    0xa7, 0x2e, 0x3a, 0xce, 0x8d, 0xe0, 0x27, 0x1d, 0xb5, 0x8e,
+    0xb4, 0x21, 0xc5, 0xe2, 0xa6, 0x16, 0x0a, 0x51, 0x83, 0x55,
+    0x88, 0xd1, 0x30, 0x11, 0x63, 0xd5, 0xd7, 0x8d, 0xae, 0x16,
+    0x12, 0x82, 0xc4, 0x85, 0x00, 0x4e, 0x27, 0x83, 0xa5, 0x7c,
+    0x90, 0x2e, 0xe5, 0xa2, 0xa3, 0xd3, 0x4c, 0x63, 0x02, 0x82,
+    0x01, 0x01, 0x00, 0x86, 0x08, 0x98, 0x98, 0xa5, 0x00, 0x05,
+    0x39, 0x77, 0xd9, 0x66, 0xb3, 0xcf, 0xca, 0xa0, 0x71, 0xb3,
+    0x50, 0xce, 0x3d, 0xb1, 0x93, 0x95, 0x35, 0xc4, 0xd4, 0x2e,
+    0x90, 0xdf, 0x0f, 0xfc, 0x60, 0xc1, 0x94, 0x68, 0x61, 0x43,
+    0xca, 0x9a, 0x23, 0x4a, 0x1e, 0x45, 0x72, 0x99, 0xb5, 0x1e,
+    0x61, 0x8d, 0x77, 0x0f, 0xa0, 0xbb, 0xd7, 0x77, 0xb4, 0x2a,
+    0x15, 0x11, 0x88, 0x2d, 0xb3, 0x56, 0x61, 0x5e, 0x6a, 0xed,
+    0xa4, 0x46, 0x4a, 0x3f, 0x50, 0x11, 0xd6, 0xba, 0xb6, 0xd7,
+    0x95, 0x65, 0x53, 0xc3, 0xa1, 0x8f, 0xe0, 0xa3, 0xf5, 0x1c,
+    0xfd, 0xaf, 0x6e, 0x43, 0xd7, 0x17, 0xa7, 0xd3, 0x81, 0x1b,
+    0xa4, 0xdf, 0xe0, 0x97, 0x8a, 0x46, 0x03, 0xd3, 0x46, 0x0e,
+    0x83, 0x48, 0x4e, 0xd2, 0x02, 0xcb, 0xc0, 0xad, 0x79, 0x95,
+    0x8c, 0x96, 0xba, 0x40, 0x34, 0x11, 0x71, 0x5e, 0xe9, 0x11,
+    0xf9, 0xc5, 0x4a, 0x5e, 0x91, 0x9d, 0xf5, 0x92, 0x4f, 0xeb,
+    0xc6, 0x70, 0x02, 0x2d, 0x3d, 0x04, 0xaa, 0xe9, 0x3a, 0x8e,
+    0xd5, 0xa8, 0xad, 0xf7, 0xce, 0x0d, 0x16, 0xb2, 0xec, 0x0a,
+    0x9c, 0xf5, 0x94, 0x39, 0xb9, 0x8a, 0xfc, 0x1e, 0xf9, 0xcc,
+    0xf2, 0x5f, 0x21, 0x31, 0x74, 0x72, 0x6b, 0x64, 0xae, 0x35,
+    0x61, 0x8d, 0x0d, 0xcb, 0xe7, 0xda, 0x39, 0xca, 0xf3, 0x21,
+    0x66, 0x0b, 0x95, 0xd7, 0x0a, 0x7c, 0xca, 0xa1, 0xa9, 0x5a,
+    0xe8, 0xac, 0xe0, 0x71, 0x54, 0xaf, 0x28, 0xcf, 0xd5, 0x70,
+    0x89, 0xe0, 0xf3, 0x9e, 0x43, 0x6c, 0x8d, 0x7b, 0x99, 0x01,
+    0x68, 0x4d, 0xa1, 0x45, 0x46, 0x0c, 0x43, 0xbc, 0xcc, 0x2c,
+    0xdd, 0xc5, 0x46, 0xc8, 0x4e, 0x0e, 0xbe, 0xed, 0xb9, 0x26,
+    0xab, 0x2e, 0xdb, 0xeb, 0x8f, 0xff, 0xdb, 0xb0, 0xc6, 0x55,
+    0xaf, 0xf8, 0x2a, 0x91, 0x9d, 0x50, 0x44, 0x21, 0x17,
+};
diff --git a/openssl/apps/timeouts.h b/openssl/apps/timeouts.h
new file mode 100644
index 0000000..f423010
--- /dev/null
+++ b/openssl/apps/timeouts.h
@@ -0,0 +1,67 @@
+/* apps/timeouts.h */
+/*
+ * DTLS implementation written by Nagendra Modadugu
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef INCLUDED_TIMEOUTS_H
+# define INCLUDED_TIMEOUTS_H
+
+/* numbers in us */
+# define DGRAM_RCV_TIMEOUT         250000
+# define DGRAM_SND_TIMEOUT         250000
+
+#endif                          /* ! INCLUDED_TIMEOUTS_H */
diff --git a/openssl/apps/ts.c b/openssl/apps/ts.c
new file mode 100644
index 0000000..341a42b
--- /dev/null
+++ b/openssl/apps/ts.c
@@ -0,0 +1,1119 @@
+/* apps/ts.c */
+/*
+ * Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL project
+ * 2002.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/rand.h>
+#include <openssl/ts.h>
+#include <openssl/bn.h>
+
+#undef PROG
+#define PROG    ts_main
+
+/* Length of the nonce of the request in bits (must be a multiple of 8). */
+#define NONCE_LENGTH            64
+
+/* Macro definitions for the configuration file. */
+#define ENV_OID_FILE            "oid_file"
+
+/* Local function declarations. */
+
+static ASN1_OBJECT *txt2obj(const char *oid);
+static CONF *load_config_file(const char *configfile);
+
+/* Query related functions. */
+static int query_command(const char *data, char *digest,
+                         const EVP_MD *md, const char *policy, int no_nonce,
+                         int cert, const char *in, const char *out, int text);
+static BIO *BIO_open_with_default(const char *file, const char *mode,
+                                  FILE *default_fp);
+static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md,
+                            const char *policy, int no_nonce, int cert);
+static int create_digest(BIO *input, char *digest,
+                         const EVP_MD *md, unsigned char **md_value);
+static ASN1_INTEGER *create_nonce(int bits);
+
+/* Reply related functions. */
+static int reply_command(CONF *conf, char *section, char *engine,
+                         char *queryfile, char *passin, char *inkey,
+                         char *signer, char *chain, const char *policy,
+                         char *in, int token_in, char *out, int token_out,
+                         int text);
+static TS_RESP *read_PKCS7(BIO *in_bio);
+static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
+                                char *queryfile, char *passin, char *inkey,
+                                char *signer, char *chain,
+                                const char *policy);
+static ASN1_INTEGER *MS_CALLBACK serial_cb(TS_RESP_CTX *ctx, void *data);
+static ASN1_INTEGER *next_serial(const char *serialfile);
+static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial);
+
+/* Verify related functions. */
+static int verify_command(char *data, char *digest, char *queryfile,
+                          char *in, int token_in,
+                          char *ca_path, char *ca_file, char *untrusted);
+static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
+                                        char *queryfile,
+                                        char *ca_path, char *ca_file,
+                                        char *untrusted);
+static X509_STORE *create_cert_store(char *ca_path, char *ca_file);
+static int MS_CALLBACK verify_cb(int ok, X509_STORE_CTX *ctx);
+
+/* Main function definition. */
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    int ret = 1;
+    char *configfile = NULL;
+    char *section = NULL;
+    CONF *conf = NULL;
+    enum mode {
+        CMD_NONE, CMD_QUERY, CMD_REPLY, CMD_VERIFY
+    } mode = CMD_NONE;
+    char *data = NULL;
+    char *digest = NULL;
+    const EVP_MD *md = NULL;
+    char *rnd = NULL;
+    char *policy = NULL;
+    int no_nonce = 0;
+    int cert = 0;
+    char *in = NULL;
+    char *out = NULL;
+    int text = 0;
+    char *queryfile = NULL;
+    char *passin = NULL;        /* Password source. */
+    char *password = NULL;      /* Password itself. */
+    char *inkey = NULL;
+    char *signer = NULL;
+    char *chain = NULL;
+    char *ca_path = NULL;
+    char *ca_file = NULL;
+    char *untrusted = NULL;
+    char *engine = NULL;
+    /* Input is ContentInfo instead of TimeStampResp. */
+    int token_in = 0;
+    /* Output is ContentInfo instead of TimeStampResp. */
+    int token_out = 0;
+    int free_bio_err = 0;
+
+    ERR_load_crypto_strings();
+    apps_startup();
+
+    if (bio_err == NULL && (bio_err = BIO_new(BIO_s_file())) != NULL) {
+        free_bio_err = 1;
+        BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+    }
+
+    if (!load_config(bio_err, NULL))
+        goto cleanup;
+
+    for (argc--, argv++; argc > 0; argc--, argv++) {
+        if (strcmp(*argv, "-config") == 0) {
+            if (argc-- < 1)
+                goto usage;
+            configfile = *++argv;
+        } else if (strcmp(*argv, "-section") == 0) {
+            if (argc-- < 1)
+                goto usage;
+            section = *++argv;
+        } else if (strcmp(*argv, "-query") == 0) {
+            if (mode != CMD_NONE)
+                goto usage;
+            mode = CMD_QUERY;
+        } else if (strcmp(*argv, "-data") == 0) {
+            if (argc-- < 1)
+                goto usage;
+            data = *++argv;
+        } else if (strcmp(*argv, "-digest") == 0) {
+            if (argc-- < 1)
+                goto usage;
+            digest = *++argv;
+        } else if (strcmp(*argv, "-rand") == 0) {
+            if (argc-- < 1)
+                goto usage;
+            rnd = *++argv;
+        } else if (strcmp(*argv, "-policy") == 0) {
+            if (argc-- < 1)
+                goto usage;
+            policy = *++argv;
+        } else if (strcmp(*argv, "-no_nonce") == 0) {
+            no_nonce = 1;
+        } else if (strcmp(*argv, "-cert") == 0) {
+            cert = 1;
+        } else if (strcmp(*argv, "-in") == 0) {
+            if (argc-- < 1)
+                goto usage;
+            in = *++argv;
+        } else if (strcmp(*argv, "-token_in") == 0) {
+            token_in = 1;
+        } else if (strcmp(*argv, "-out") == 0) {
+            if (argc-- < 1)
+                goto usage;
+            out = *++argv;
+        } else if (strcmp(*argv, "-token_out") == 0) {
+            token_out = 1;
+        } else if (strcmp(*argv, "-text") == 0) {
+            text = 1;
+        } else if (strcmp(*argv, "-reply") == 0) {
+            if (mode != CMD_NONE)
+                goto usage;
+            mode = CMD_REPLY;
+        } else if (strcmp(*argv, "-queryfile") == 0) {
+            if (argc-- < 1)
+                goto usage;
+            queryfile = *++argv;
+        } else if (strcmp(*argv, "-passin") == 0) {
+            if (argc-- < 1)
+                goto usage;
+            passin = *++argv;
+        } else if (strcmp(*argv, "-inkey") == 0) {
+            if (argc-- < 1)
+                goto usage;
+            inkey = *++argv;
+        } else if (strcmp(*argv, "-signer") == 0) {
+            if (argc-- < 1)
+                goto usage;
+            signer = *++argv;
+        } else if (strcmp(*argv, "-chain") == 0) {
+            if (argc-- < 1)
+                goto usage;
+            chain = *++argv;
+        } else if (strcmp(*argv, "-verify") == 0) {
+            if (mode != CMD_NONE)
+                goto usage;
+            mode = CMD_VERIFY;
+        } else if (strcmp(*argv, "-CApath") == 0) {
+            if (argc-- < 1)
+                goto usage;
+            ca_path = *++argv;
+        } else if (strcmp(*argv, "-CAfile") == 0) {
+            if (argc-- < 1)
+                goto usage;
+            ca_file = *++argv;
+        } else if (strcmp(*argv, "-untrusted") == 0) {
+            if (argc-- < 1)
+                goto usage;
+            untrusted = *++argv;
+        } else if (strcmp(*argv, "-engine") == 0) {
+            if (argc-- < 1)
+                goto usage;
+            engine = *++argv;
+        } else if ((md = EVP_get_digestbyname(*argv + 1)) != NULL) {
+            /* empty. */
+        } else
+            goto usage;
+    }
+
+    /* Seed the random number generator if it is going to be used. */
+    if (mode == CMD_QUERY && !no_nonce) {
+        if (!app_RAND_load_file(NULL, bio_err, 1) && rnd == NULL)
+            BIO_printf(bio_err, "warning, not much extra random "
+                       "data, consider using the -rand option\n");
+        if (rnd != NULL)
+            BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
+                       app_RAND_load_files(rnd));
+    }
+
+    /* Get the password if required. */
+    if (mode == CMD_REPLY && passin &&
+        !app_passwd(bio_err, passin, NULL, &password, NULL)) {
+        BIO_printf(bio_err, "Error getting password.\n");
+        goto cleanup;
+    }
+
+    /*
+     * Check consistency of parameters and execute the appropriate function.
+     */
+    switch (mode) {
+    case CMD_NONE:
+        goto usage;
+    case CMD_QUERY:
+        /*
+         * Data file and message imprint cannot be specified at the same
+         * time.
+         */
+        ret = data != NULL && digest != NULL;
+        if (ret)
+            goto usage;
+        /* Load the config file for possible policy OIDs. */
+        conf = load_config_file(configfile);
+        ret = !query_command(data, digest, md, policy, no_nonce, cert,
+                             in, out, text);
+        break;
+    case CMD_REPLY:
+        conf = load_config_file(configfile);
+        if (in == NULL) {
+            ret = !(queryfile != NULL && conf != NULL && !token_in);
+            if (ret)
+                goto usage;
+        } else {
+            /* 'in' and 'queryfile' are exclusive. */
+            ret = !(queryfile == NULL);
+            if (ret)
+                goto usage;
+        }
+
+        ret = !reply_command(conf, section, engine, queryfile,
+                             password, inkey, signer, chain, policy,
+                             in, token_in, out, token_out, text);
+        break;
+    case CMD_VERIFY:
+        ret = !(((queryfile && !data && !digest)
+                 || (!queryfile && data && !digest)
+                 || (!queryfile && !data && digest))
+                && in != NULL);
+        if (ret)
+            goto usage;
+
+        ret = !verify_command(data, digest, queryfile, in, token_in,
+                              ca_path, ca_file, untrusted);
+    }
+
+    goto cleanup;
+
+ usage:
+    BIO_printf(bio_err, "usage:\n"
+               "ts -query [-rand file%cfile%c...] [-config configfile] "
+               "[-data file_to_hash] [-digest digest_bytes]"
+               "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] "
+               "[-policy object_id] [-no_nonce] [-cert] "
+               "[-in request.tsq] [-out request.tsq] [-text]\n",
+               LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+    BIO_printf(bio_err, "or\n"
+               "ts -reply [-config configfile] [-section tsa_section] "
+               "[-queryfile request.tsq] [-passin password] "
+               "[-signer tsa_cert.pem] [-inkey private_key.pem] "
+               "[-chain certs_file.pem] [-policy object_id] "
+               "[-in response.tsr] [-token_in] "
+               "[-out response.tsr] [-token_out] [-text] [-engine id]\n");
+    BIO_printf(bio_err, "or\n"
+               "ts -verify [-data file_to_hash] [-digest digest_bytes] "
+               "[-queryfile request.tsq] "
+               "-in response.tsr [-token_in] "
+               "-CApath ca_path -CAfile ca_file.pem "
+               "-untrusted cert_file.pem\n");
+ cleanup:
+    /* Clean up. */
+    app_RAND_write_file(NULL, bio_err);
+    NCONF_free(conf);
+    OPENSSL_free(password);
+    OBJ_cleanup();
+    if (free_bio_err) {
+        BIO_free_all(bio_err);
+        bio_err = NULL;
+    }
+
+    OPENSSL_EXIT(ret);
+}
+
+/*
+ * Configuration file-related function definitions.
+ */
+
+static ASN1_OBJECT *txt2obj(const char *oid)
+{
+    ASN1_OBJECT *oid_obj = NULL;
+
+    if (!(oid_obj = OBJ_txt2obj(oid, 0)))
+        BIO_printf(bio_err, "cannot convert %s to OID\n", oid);
+
+    return oid_obj;
+}
+
+static CONF *load_config_file(const char *configfile)
+{
+    CONF *conf = NULL;
+    long errorline = -1;
+
+    if (!configfile)
+        configfile = getenv("OPENSSL_CONF");
+    if (!configfile)
+        configfile = getenv("SSLEAY_CONF");
+
+    if (configfile &&
+        (!(conf = NCONF_new(NULL)) ||
+         NCONF_load(conf, configfile, &errorline) <= 0)) {
+        if (errorline <= 0)
+            BIO_printf(bio_err, "error loading the config file "
+                       "'%s'\n", configfile);
+        else
+            BIO_printf(bio_err, "error on line %ld of config file "
+                       "'%s'\n", errorline, configfile);
+    }
+
+    if (conf != NULL) {
+        const char *p;
+
+        BIO_printf(bio_err, "Using configuration from %s\n", configfile);
+        p = NCONF_get_string(conf, NULL, ENV_OID_FILE);
+        if (p != NULL) {
+            BIO *oid_bio = BIO_new_file(p, "r");
+            if (!oid_bio)
+                ERR_print_errors(bio_err);
+            else {
+                OBJ_create_objects(oid_bio);
+                BIO_free_all(oid_bio);
+            }
+        } else
+            ERR_clear_error();
+        if (!add_oid_section(bio_err, conf))
+            ERR_print_errors(bio_err);
+    }
+    return conf;
+}
+
+/*
+ * Query-related method definitions.
+ */
+
+static int query_command(const char *data, char *digest, const EVP_MD *md,
+                         const char *policy, int no_nonce,
+                         int cert, const char *in, const char *out, int text)
+{
+    int ret = 0;
+    TS_REQ *query = NULL;
+    BIO *in_bio = NULL;
+    BIO *data_bio = NULL;
+    BIO *out_bio = NULL;
+
+    /* Build query object either from file or from scratch. */
+    if (in != NULL) {
+        if ((in_bio = BIO_new_file(in, "rb")) == NULL)
+            goto end;
+        query = d2i_TS_REQ_bio(in_bio, NULL);
+    } else {
+        /*
+         * Open the file if no explicit digest bytes were specified.
+         */
+        if (!digest && !(data_bio = BIO_open_with_default(data, "rb", stdin)))
+            goto end;
+        /* Creating the query object. */
+        query = create_query(data_bio, digest, md, policy, no_nonce, cert);
+        /* Saving the random number generator state. */
+    }
+    if (query == NULL)
+        goto end;
+
+    /* Write query either in ASN.1 or in text format. */
+    if ((out_bio = BIO_open_with_default(out, "wb", stdout)) == NULL)
+        goto end;
+    if (text) {
+        /* Text output. */
+        if (!TS_REQ_print_bio(out_bio, query))
+            goto end;
+    } else {
+        /* ASN.1 output. */
+        if (!i2d_TS_REQ_bio(out_bio, query))
+            goto end;
+    }
+
+    ret = 1;
+
+ end:
+    ERR_print_errors(bio_err);
+
+    /* Clean up. */
+    BIO_free_all(in_bio);
+    BIO_free_all(data_bio);
+    BIO_free_all(out_bio);
+    TS_REQ_free(query);
+
+    return ret;
+}
+
+static BIO *BIO_open_with_default(const char *file, const char *mode,
+                                  FILE *default_fp)
+{
+    return file == NULL ? BIO_new_fp(default_fp, BIO_NOCLOSE)
+        : BIO_new_file(file, mode);
+}
+
+static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md,
+                            const char *policy, int no_nonce, int cert)
+{
+    int ret = 0;
+    TS_REQ *ts_req = NULL;
+    int len;
+    TS_MSG_IMPRINT *msg_imprint = NULL;
+    X509_ALGOR *algo = NULL;
+    unsigned char *data = NULL;
+    ASN1_OBJECT *policy_obj = NULL;
+    ASN1_INTEGER *nonce_asn1 = NULL;
+
+    /* Setting default message digest. */
+    if (!md && !(md = EVP_get_digestbyname("sha1")))
+        goto err;
+
+    /* Creating request object. */
+    if (!(ts_req = TS_REQ_new()))
+        goto err;
+
+    /* Setting version. */
+    if (!TS_REQ_set_version(ts_req, 1))
+        goto err;
+
+    /* Creating and adding MSG_IMPRINT object. */
+    if (!(msg_imprint = TS_MSG_IMPRINT_new()))
+        goto err;
+
+    /* Adding algorithm. */
+    if (!(algo = X509_ALGOR_new()))
+        goto err;
+    if (!(algo->algorithm = OBJ_nid2obj(EVP_MD_type(md))))
+        goto err;
+    if (!(algo->parameter = ASN1_TYPE_new()))
+        goto err;
+    algo->parameter->type = V_ASN1_NULL;
+    if (!TS_MSG_IMPRINT_set_algo(msg_imprint, algo))
+        goto err;
+
+    /* Adding message digest. */
+    if ((len = create_digest(data_bio, digest, md, &data)) == 0)
+        goto err;
+    if (!TS_MSG_IMPRINT_set_msg(msg_imprint, data, len))
+        goto err;
+
+    if (!TS_REQ_set_msg_imprint(ts_req, msg_imprint))
+        goto err;
+
+    /* Setting policy if requested. */
+    if (policy && !(policy_obj = txt2obj(policy)))
+        goto err;
+    if (policy_obj && !TS_REQ_set_policy_id(ts_req, policy_obj))
+        goto err;
+
+    /* Setting nonce if requested. */
+    if (!no_nonce && !(nonce_asn1 = create_nonce(NONCE_LENGTH)))
+        goto err;
+    if (nonce_asn1 && !TS_REQ_set_nonce(ts_req, nonce_asn1))
+        goto err;
+
+    /* Setting certificate request flag if requested. */
+    if (!TS_REQ_set_cert_req(ts_req, cert))
+        goto err;
+
+    ret = 1;
+ err:
+    if (!ret) {
+        TS_REQ_free(ts_req);
+        ts_req = NULL;
+        BIO_printf(bio_err, "could not create query\n");
+    }
+    TS_MSG_IMPRINT_free(msg_imprint);
+    X509_ALGOR_free(algo);
+    OPENSSL_free(data);
+    ASN1_OBJECT_free(policy_obj);
+    ASN1_INTEGER_free(nonce_asn1);
+    return ts_req;
+}
+
+static int create_digest(BIO *input, char *digest, const EVP_MD *md,
+                         unsigned char **md_value)
+{
+    int md_value_len;
+
+    md_value_len = EVP_MD_size(md);
+    if (md_value_len < 0)
+        goto err;
+    if (input) {
+        /* Digest must be computed from an input file. */
+        EVP_MD_CTX md_ctx;
+        unsigned char buffer[4096];
+        int length;
+
+        *md_value = OPENSSL_malloc(md_value_len);
+        if (*md_value == 0)
+            goto err;
+
+        EVP_DigestInit(&md_ctx, md);
+        while ((length = BIO_read(input, buffer, sizeof(buffer))) > 0) {
+            EVP_DigestUpdate(&md_ctx, buffer, length);
+        }
+        EVP_DigestFinal(&md_ctx, *md_value, NULL);
+    } else {
+        /* Digest bytes are specified with digest. */
+        long digest_len;
+        *md_value = string_to_hex(digest, &digest_len);
+        if (!*md_value || md_value_len != digest_len) {
+            OPENSSL_free(*md_value);
+            *md_value = NULL;
+            BIO_printf(bio_err, "bad digest, %d bytes "
+                       "must be specified\n", md_value_len);
+            goto err;
+        }
+    }
+
+    return md_value_len;
+ err:
+    return 0;
+}
+
+static ASN1_INTEGER *create_nonce(int bits)
+{
+    unsigned char buf[20];
+    ASN1_INTEGER *nonce = NULL;
+    int len = (bits - 1) / 8 + 1;
+    int i;
+
+    /* Generating random byte sequence. */
+    if (len > (int)sizeof(buf))
+        goto err;
+    if (RAND_bytes(buf, len) <= 0)
+        goto err;
+
+    /* Find the first non-zero byte and creating ASN1_INTEGER object. */
+    for (i = 0; i < len && !buf[i]; ++i) ;
+    if (!(nonce = ASN1_INTEGER_new()))
+        goto err;
+    OPENSSL_free(nonce->data);
+    /* Allocate at least one byte. */
+    nonce->length = len - i;
+    if (!(nonce->data = OPENSSL_malloc(nonce->length + 1)))
+        goto err;
+    memcpy(nonce->data, buf + i, nonce->length);
+
+    return nonce;
+ err:
+    BIO_printf(bio_err, "could not create nonce\n");
+    ASN1_INTEGER_free(nonce);
+    return NULL;
+}
+
+/*
+ * Reply-related method definitions.
+ */
+
+static int reply_command(CONF *conf, char *section, char *engine,
+                         char *queryfile, char *passin, char *inkey,
+                         char *signer, char *chain, const char *policy,
+                         char *in, int token_in,
+                         char *out, int token_out, int text)
+{
+    int ret = 0;
+    TS_RESP *response = NULL;
+    BIO *in_bio = NULL;
+    BIO *query_bio = NULL;
+    BIO *inkey_bio = NULL;
+    BIO *signer_bio = NULL;
+    BIO *out_bio = NULL;
+
+    /* Build response object either from response or query. */
+    if (in != NULL) {
+        if ((in_bio = BIO_new_file(in, "rb")) == NULL)
+            goto end;
+        if (token_in) {
+            /*
+             * We have a ContentInfo (PKCS7) object, add 'granted' status
+             * info around it.
+             */
+            response = read_PKCS7(in_bio);
+        } else {
+            /* We have a ready-made TS_RESP object. */
+            response = d2i_TS_RESP_bio(in_bio, NULL);
+        }
+    } else {
+        response = create_response(conf, section, engine, queryfile,
+                                   passin, inkey, signer, chain, policy);
+        if (response)
+            BIO_printf(bio_err, "Response has been generated.\n");
+        else
+            BIO_printf(bio_err, "Response is not generated.\n");
+    }
+    if (response == NULL)
+        goto end;
+
+    /* Write response either in ASN.1 or text format. */
+    if ((out_bio = BIO_open_with_default(out, "wb", stdout)) == NULL)
+        goto end;
+    if (text) {
+        /* Text output. */
+        if (token_out) {
+            TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response);
+            if (!TS_TST_INFO_print_bio(out_bio, tst_info))
+                goto end;
+        } else {
+            if (!TS_RESP_print_bio(out_bio, response))
+                goto end;
+        }
+    } else {
+        /* ASN.1 DER output. */
+        if (token_out) {
+            PKCS7 *token = TS_RESP_get_token(response);
+            if (!i2d_PKCS7_bio(out_bio, token))
+                goto end;
+        } else {
+            if (!i2d_TS_RESP_bio(out_bio, response))
+                goto end;
+        }
+    }
+
+    ret = 1;
+
+ end:
+    ERR_print_errors(bio_err);
+
+    /* Clean up. */
+    BIO_free_all(in_bio);
+    BIO_free_all(query_bio);
+    BIO_free_all(inkey_bio);
+    BIO_free_all(signer_bio);
+    BIO_free_all(out_bio);
+    TS_RESP_free(response);
+
+    return ret;
+}
+
+/* Reads a PKCS7 token and adds default 'granted' status info to it. */
+static TS_RESP *read_PKCS7(BIO *in_bio)
+{
+    int ret = 0;
+    PKCS7 *token = NULL;
+    TS_TST_INFO *tst_info = NULL;
+    TS_RESP *resp = NULL;
+    TS_STATUS_INFO *si = NULL;
+
+    /* Read PKCS7 object and extract the signed time stamp info. */
+    if (!(token = d2i_PKCS7_bio(in_bio, NULL)))
+        goto end;
+    if (!(tst_info = PKCS7_to_TS_TST_INFO(token)))
+        goto end;
+
+    /* Creating response object. */
+    if (!(resp = TS_RESP_new()))
+        goto end;
+
+    /* Create granted status info. */
+    if (!(si = TS_STATUS_INFO_new()))
+        goto end;
+    if (!(ASN1_INTEGER_set(si->status, TS_STATUS_GRANTED)))
+        goto end;
+    if (!TS_RESP_set_status_info(resp, si))
+        goto end;
+
+    /* Setting encapsulated token. */
+    TS_RESP_set_tst_info(resp, token, tst_info);
+    token = NULL;               /* Ownership is lost. */
+    tst_info = NULL;            /* Ownership is lost. */
+
+    ret = 1;
+ end:
+    PKCS7_free(token);
+    TS_TST_INFO_free(tst_info);
+    if (!ret) {
+        TS_RESP_free(resp);
+        resp = NULL;
+    }
+    TS_STATUS_INFO_free(si);
+    return resp;
+}
+
+static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
+                                char *queryfile, char *passin, char *inkey,
+                                char *signer, char *chain, const char *policy)
+{
+    int ret = 0;
+    TS_RESP *response = NULL;
+    BIO *query_bio = NULL;
+    TS_RESP_CTX *resp_ctx = NULL;
+
+    if (!(query_bio = BIO_new_file(queryfile, "rb")))
+        goto end;
+
+    /* Getting TSA configuration section. */
+    if (!(section = TS_CONF_get_tsa_section(conf, section)))
+        goto end;
+
+    /* Setting up response generation context. */
+    if (!(resp_ctx = TS_RESP_CTX_new()))
+        goto end;
+
+    /* Setting serial number provider callback. */
+    if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx))
+        goto end;
+#ifndef OPENSSL_NO_ENGINE
+    /* Setting default OpenSSL engine. */
+    if (!TS_CONF_set_crypto_device(conf, section, engine))
+        goto end;
+#endif
+
+    /* Setting TSA signer certificate. */
+    if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx))
+        goto end;
+
+    /* Setting TSA signer certificate chain. */
+    if (!TS_CONF_set_certs(conf, section, chain, resp_ctx))
+        goto end;
+
+    /* Setting TSA signer private key. */
+    if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx))
+        goto end;
+
+    /* Setting default policy OID. */
+    if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx))
+        goto end;
+
+    /* Setting acceptable policy OIDs. */
+    if (!TS_CONF_set_policies(conf, section, resp_ctx))
+        goto end;
+
+    /* Setting the acceptable one-way hash algorithms. */
+    if (!TS_CONF_set_digests(conf, section, resp_ctx))
+        goto end;
+
+    /* Setting guaranteed time stamp accuracy. */
+    if (!TS_CONF_set_accuracy(conf, section, resp_ctx))
+        goto end;
+
+    /* Setting the precision of the time. */
+    if (!TS_CONF_set_clock_precision_digits(conf, section, resp_ctx))
+        goto end;
+
+    /* Setting the ordering flaf if requested. */
+    if (!TS_CONF_set_ordering(conf, section, resp_ctx))
+        goto end;
+
+    /* Setting the TSA name required flag if requested. */
+    if (!TS_CONF_set_tsa_name(conf, section, resp_ctx))
+        goto end;
+
+    /* Setting the ESS cert id chain flag if requested. */
+    if (!TS_CONF_set_ess_cert_id_chain(conf, section, resp_ctx))
+        goto end;
+
+    /* Creating the response. */
+    if (!(response = TS_RESP_create_response(resp_ctx, query_bio)))
+        goto end;
+
+    ret = 1;
+ end:
+    if (!ret) {
+        TS_RESP_free(response);
+        response = NULL;
+    }
+    TS_RESP_CTX_free(resp_ctx);
+    BIO_free_all(query_bio);
+
+    return response;
+}
+
+static ASN1_INTEGER *MS_CALLBACK serial_cb(TS_RESP_CTX *ctx, void *data)
+{
+    const char *serial_file = (const char *)data;
+    ASN1_INTEGER *serial = next_serial(serial_file);
+
+    if (!serial) {
+        TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
+                                    "Error during serial number "
+                                    "generation.");
+        TS_RESP_CTX_add_failure_info(ctx, TS_INFO_ADD_INFO_NOT_AVAILABLE);
+    } else
+        save_ts_serial(serial_file, serial);
+
+    return serial;
+}
+
+static ASN1_INTEGER *next_serial(const char *serialfile)
+{
+    int ret = 0;
+    BIO *in = NULL;
+    ASN1_INTEGER *serial = NULL;
+    BIGNUM *bn = NULL;
+
+    if (!(serial = ASN1_INTEGER_new()))
+        goto err;
+
+    if (!(in = BIO_new_file(serialfile, "r"))) {
+        ERR_clear_error();
+        BIO_printf(bio_err, "Warning: could not open file %s for "
+                   "reading, using serial number: 1\n", serialfile);
+        if (!ASN1_INTEGER_set(serial, 1))
+            goto err;
+    } else {
+        char buf[1024];
+        if (!a2i_ASN1_INTEGER(in, serial, buf, sizeof(buf))) {
+            BIO_printf(bio_err, "unable to load number from %s\n",
+                       serialfile);
+            goto err;
+        }
+        if (!(bn = ASN1_INTEGER_to_BN(serial, NULL)))
+            goto err;
+        ASN1_INTEGER_free(serial);
+        serial = NULL;
+        if (!BN_add_word(bn, 1))
+            goto err;
+        if (!(serial = BN_to_ASN1_INTEGER(bn, NULL)))
+            goto err;
+    }
+    ret = 1;
+ err:
+    if (!ret) {
+        ASN1_INTEGER_free(serial);
+        serial = NULL;
+    }
+    BIO_free_all(in);
+    BN_free(bn);
+    return serial;
+}
+
+static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial)
+{
+    int ret = 0;
+    BIO *out = NULL;
+
+    if (!(out = BIO_new_file(serialfile, "w")))
+        goto err;
+    if (i2a_ASN1_INTEGER(out, serial) <= 0)
+        goto err;
+    if (BIO_puts(out, "\n") <= 0)
+        goto err;
+    ret = 1;
+ err:
+    if (!ret)
+        BIO_printf(bio_err, "could not save serial number to %s\n",
+                   serialfile);
+    BIO_free_all(out);
+    return ret;
+}
+
+/*
+ * Verify-related method definitions.
+ */
+
+static int verify_command(char *data, char *digest, char *queryfile,
+                          char *in, int token_in,
+                          char *ca_path, char *ca_file, char *untrusted)
+{
+    BIO *in_bio = NULL;
+    PKCS7 *token = NULL;
+    TS_RESP *response = NULL;
+    TS_VERIFY_CTX *verify_ctx = NULL;
+    int ret = 0;
+
+    /* Decode the token (PKCS7) or response (TS_RESP) files. */
+    if (!(in_bio = BIO_new_file(in, "rb")))
+        goto end;
+    if (token_in) {
+        if (!(token = d2i_PKCS7_bio(in_bio, NULL)))
+            goto end;
+    } else {
+        if (!(response = d2i_TS_RESP_bio(in_bio, NULL)))
+            goto end;
+    }
+
+    if (!(verify_ctx = create_verify_ctx(data, digest, queryfile,
+                                         ca_path, ca_file, untrusted)))
+        goto end;
+
+    /* Checking the token or response against the request. */
+    ret = token_in ?
+        TS_RESP_verify_token(verify_ctx, token) :
+        TS_RESP_verify_response(verify_ctx, response);
+
+ end:
+    printf("Verification: ");
+    if (ret)
+        printf("OK\n");
+    else {
+        printf("FAILED\n");
+        /* Print errors, if there are any. */
+        ERR_print_errors(bio_err);
+    }
+
+    /* Clean up. */
+    BIO_free_all(in_bio);
+    PKCS7_free(token);
+    TS_RESP_free(response);
+    TS_VERIFY_CTX_free(verify_ctx);
+    return ret;
+}
+
+static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
+                                        char *queryfile,
+                                        char *ca_path, char *ca_file,
+                                        char *untrusted)
+{
+    TS_VERIFY_CTX *ctx = NULL;
+    BIO *input = NULL;
+    TS_REQ *request = NULL;
+    int ret = 0;
+
+    if (data != NULL || digest != NULL) {
+        if (!(ctx = TS_VERIFY_CTX_new()))
+            goto err;
+        ctx->flags = TS_VFY_VERSION | TS_VFY_SIGNER;
+        if (data != NULL) {
+            ctx->flags |= TS_VFY_DATA;
+            if (!(ctx->data = BIO_new_file(data, "rb")))
+                goto err;
+        } else if (digest != NULL) {
+            long imprint_len;
+            ctx->flags |= TS_VFY_IMPRINT;
+            if (!(ctx->imprint = string_to_hex(digest, &imprint_len))) {
+                BIO_printf(bio_err, "invalid digest string\n");
+                goto err;
+            }
+            ctx->imprint_len = imprint_len;
+        }
+
+    } else if (queryfile != NULL) {
+        /*
+         * The request has just to be read, decoded and converted to a verify
+         * context object.
+         */
+        if (!(input = BIO_new_file(queryfile, "rb")))
+            goto err;
+        if (!(request = d2i_TS_REQ_bio(input, NULL)))
+            goto err;
+        if (!(ctx = TS_REQ_to_TS_VERIFY_CTX(request, NULL)))
+            goto err;
+    } else
+        return NULL;
+
+    /* Add the signature verification flag and arguments. */
+    ctx->flags |= TS_VFY_SIGNATURE;
+
+    /* Initialising the X509_STORE object. */
+    if (!(ctx->store = create_cert_store(ca_path, ca_file)))
+        goto err;
+
+    /* Loading untrusted certificates. */
+    if (untrusted && !(ctx->certs = TS_CONF_load_certs(untrusted)))
+        goto err;
+
+    ret = 1;
+ err:
+    if (!ret) {
+        TS_VERIFY_CTX_free(ctx);
+        ctx = NULL;
+    }
+    BIO_free_all(input);
+    TS_REQ_free(request);
+    return ctx;
+}
+
+static X509_STORE *create_cert_store(char *ca_path, char *ca_file)
+{
+    X509_STORE *cert_ctx = NULL;
+    X509_LOOKUP *lookup = NULL;
+    int i;
+
+    /* Creating the X509_STORE object. */
+    cert_ctx = X509_STORE_new();
+
+    /* Setting the callback for certificate chain verification. */
+    X509_STORE_set_verify_cb(cert_ctx, verify_cb);
+
+    /* Adding a trusted certificate directory source. */
+    if (ca_path) {
+        lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
+        if (lookup == NULL) {
+            BIO_printf(bio_err, "memory allocation failure\n");
+            goto err;
+        }
+        i = X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM);
+        if (!i) {
+            BIO_printf(bio_err, "Error loading directory %s\n", ca_path);
+            goto err;
+        }
+    }
+
+    /* Adding a trusted certificate file source. */
+    if (ca_file) {
+        lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
+        if (lookup == NULL) {
+            BIO_printf(bio_err, "memory allocation failure\n");
+            goto err;
+        }
+        i = X509_LOOKUP_load_file(lookup, ca_file, X509_FILETYPE_PEM);
+        if (!i) {
+            BIO_printf(bio_err, "Error loading file %s\n", ca_file);
+            goto err;
+        }
+    }
+
+    return cert_ctx;
+ err:
+    X509_STORE_free(cert_ctx);
+    return NULL;
+}
+
+static int MS_CALLBACK verify_cb(int ok, X509_STORE_CTX *ctx)
+{
+    /*-
+    char buf[256];
+
+    if (!ok)
+            {
+            X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),
+                              buf, sizeof(buf));
+            printf("%s\n", buf);
+            printf("error %d at %d depth lookup: %s\n",
+                   ctx->error, ctx->error_depth,
+                    X509_verify_cert_error_string(ctx->error));
+            }
+    */
+
+    return ok;
+}
diff --git a/openssl/apps/tsget b/openssl/apps/tsget
new file mode 100644
index 0000000..0d54e9f
--- /dev/null
+++ b/openssl/apps/tsget
@@ -0,0 +1,196 @@
+#!/usr/bin/perl -w
+# Written by Zoltan Glozik <zglozik@stones.com>.
+# Copyright (c) 2002 The OpenTSA Project.  All rights reserved.
+$::version = '$Id: tsget,v 1.1.2.2 2009/09/07 17:57:02 steve Exp $';
+
+use strict;
+use IO::Handle;
+use Getopt::Std;
+use File::Basename;
+use WWW::Curl::Easy;
+
+use vars qw(%options);
+
+# Callback for reading the body.
+sub read_body {
+    my ($maxlength, $state) = @_;
+    my $return_data = "";
+    my $data_len = length ${$state->{data}};
+    if ($state->{bytes} < $data_len) {
+	$data_len = $data_len - $state->{bytes};
+	$data_len = $maxlength if $data_len > $maxlength;
+	$return_data = substr ${$state->{data}}, $state->{bytes}, $data_len;
+	$state->{bytes} += $data_len;
+    }
+    return $return_data;
+}
+
+# Callback for writing the body into a variable.
+sub write_body {
+    my ($data, $pointer) = @_;
+    ${$pointer} .= $data;
+    return length($data);
+}
+
+# Initialise a new Curl object.
+sub create_curl {
+    my $url = shift;
+
+    # Create Curl object.
+    my $curl = WWW::Curl::Easy::new();
+
+    # Error-handling related options.
+    $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d};
+    $curl->setopt(CURLOPT_FAILONERROR, 1);
+    $curl->setopt(CURLOPT_USERAGENT, "OpenTSA tsget.pl/" . (split / /, $::version)[2]);
+
+    # Options for POST method.
+    $curl->setopt(CURLOPT_UPLOAD, 1);
+    $curl->setopt(CURLOPT_CUSTOMREQUEST, "POST");
+    $curl->setopt(CURLOPT_HTTPHEADER,
+		["Content-Type: application/timestamp-query",
+		"Accept: application/timestamp-reply,application/timestamp-response"]);
+    $curl->setopt(CURLOPT_READFUNCTION, \&read_body);
+    $curl->setopt(CURLOPT_HEADERFUNCTION, sub { return length($_[0]); });
+
+    # Options for getting the result.
+    $curl->setopt(CURLOPT_WRITEFUNCTION, \&write_body);
+
+    # SSL related options.
+    $curl->setopt(CURLOPT_SSLKEYTYPE, "PEM");
+    $curl->setopt(CURLOPT_SSL_VERIFYPEER, 1);	# Verify server's certificate.
+    $curl->setopt(CURLOPT_SSL_VERIFYHOST, 2);	# Check server's CN.
+    $curl->setopt(CURLOPT_SSLKEY, $options{k}) if defined($options{k});
+    $curl->setopt(CURLOPT_SSLKEYPASSWD, $options{p}) if defined($options{p});
+    $curl->setopt(CURLOPT_SSLCERT, $options{c}) if defined($options{c});
+    $curl->setopt(CURLOPT_CAINFO, $options{C}) if defined($options{C});
+    $curl->setopt(CURLOPT_CAPATH, $options{P}) if defined($options{P});
+    $curl->setopt(CURLOPT_RANDOM_FILE, $options{r}) if defined($options{r});
+    $curl->setopt(CURLOPT_EGDSOCKET, $options{g}) if defined($options{g});
+
+    # Setting destination.
+    $curl->setopt(CURLOPT_URL, $url);
+
+    return $curl;
+}
+
+# Send a request and returns the body back.
+sub get_timestamp {
+    my $curl = shift;
+    my $body = shift;
+    my $ts_body;
+    local $::error_buf;
+
+    # Error-handling related options.
+    $curl->setopt(CURLOPT_ERRORBUFFER, "::error_buf");
+
+    # Options for POST method.
+    $curl->setopt(CURLOPT_INFILE, {data => $body, bytes => 0});
+    $curl->setopt(CURLOPT_INFILESIZE, length(${$body}));
+
+    # Options for getting the result.
+    $curl->setopt(CURLOPT_FILE, \$ts_body);
+
+    # Send the request...
+    my $error_code = $curl->perform();
+    my $error_string;
+    if ($error_code != 0) {
+        my $http_code = $curl->getinfo(CURLINFO_HTTP_CODE);
+	$error_string = "could not get timestamp";
+	$error_string .= ", http code: $http_code" unless $http_code == 0;
+	$error_string .= ", curl code: $error_code";
+	$error_string .= " ($::error_buf)" if defined($::error_buf);
+    } else {
+        my $ct = $curl->getinfo(CURLINFO_CONTENT_TYPE);
+	if (lc($ct) ne "application/timestamp-reply"
+	    && lc($ct) ne "application/timestamp-response") {
+	    $error_string = "unexpected content type returned: $ct";
+        }
+    }
+    return ($ts_body, $error_string);
+
+}
+
+# Print usage information and exists.
+sub usage {
+
+    print STDERR "usage: $0 -h <server_url> [-e <extension>] [-o <output>] ";
+    print STDERR "[-v] [-d] [-k <private_key.pem>] [-p <key_password>] ";
+    print STDERR "[-c <client_cert.pem>] [-C <CA_certs.pem>] [-P <CA_path>] ";
+    print STDERR "[-r <file:file...>] [-g <EGD_socket>] [<request>]...\n";
+    exit 1;
+}
+
+# ----------------------------------------------------------------------
+#   Main program
+# ----------------------------------------------------------------------
+
+# Getting command-line options (default comes from TSGET environment variable).
+my $getopt_arg =  "h:e:o:vdk:p:c:C:P:r:g:";
+if (exists $ENV{TSGET}) {
+    my @old_argv = @ARGV;
+    @ARGV = split /\s+/, $ENV{TSGET};
+    getopts($getopt_arg, \%options) or usage;
+    @ARGV = @old_argv;
+}
+getopts($getopt_arg, \%options) or usage;
+
+# Checking argument consistency.
+if (!exists($options{h}) || (@ARGV == 0 && !exists($options{o}))
+    || (@ARGV > 1 && exists($options{o}))) {
+    print STDERR "Inconsistent command line options.\n";
+    usage;
+}
+# Setting defaults.
+@ARGV = ("-") unless @ARGV != 0;
+$options{e} = ".tsr" unless defined($options{e});
+
+# Processing requests.
+my $curl = create_curl $options{h};
+undef $/;   # For reading whole files.
+REQUEST: foreach (@ARGV) {
+    my $input = $_;
+    my ($base, $path) = fileparse($input, '\.[^.]*');
+    my $output_base = $base . $options{e};
+    my $output = defined($options{o}) ? $options{o} : $path . $output_base;
+
+    STDERR->printflush("$input: ") if $options{v};
+    # Read request.
+    my $body;
+    if ($input eq "-") {
+	# Read the request from STDIN;
+	$body = <STDIN>;
+    } else {
+	# Read the request from file.
+        open INPUT, "<" . $input
+	    or warn("$input: could not open input file: $!\n"), next REQUEST;
+        $body = <INPUT>;
+        close INPUT
+	    or warn("$input: could not close input file: $!\n"), next REQUEST;
+    }
+
+    # Send request.
+    STDERR->printflush("sending request") if $options{v};
+
+    my ($ts_body, $error) = get_timestamp $curl, \$body;
+    if (defined($error)) {
+	die "$input: fatal error: $error\n";
+    }
+    STDERR->printflush(", reply received") if $options{v};
+
+    # Write response.
+    if ($output eq "-") {
+	# Write to STDOUT.
+        print $ts_body;
+    } else {
+	# Write to file.
+        open OUTPUT, ">", $output
+	    or warn("$output: could not open output file: $!\n"), next REQUEST;
+        print OUTPUT $ts_body;
+        close OUTPUT
+	    or warn("$output: could not close output file: $!\n"), next REQUEST;
+    }
+    STDERR->printflush(", $output written.\n") if $options{v};
+}
+$curl->cleanup();
+WWW::Curl::Easy::global_cleanup();
diff --git a/openssl/apps/verify.c b/openssl/apps/verify.c
new file mode 100644
index 0000000..c4bd197
--- /dev/null
+++ b/openssl/apps/verify.c
@@ -0,0 +1,350 @@
+/* apps/verify.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/pem.h>
+
+#undef PROG
+#define PROG    verify_main
+
+static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx);
+static int check(X509_STORE *ctx, char *file,
+                 STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
+                 STACK_OF(X509_CRL) *crls, ENGINE *e);
+static int v_verbose = 0, vflags = 0;
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    ENGINE *e = NULL;
+    int i, ret = 1, badarg = 0;
+    char *CApath = NULL, *CAfile = NULL;
+    char *untfile = NULL, *trustfile = NULL, *crlfile = NULL;
+    STACK_OF(X509) *untrusted = NULL, *trusted = NULL;
+    STACK_OF(X509_CRL) *crls = NULL;
+    X509_STORE *cert_ctx = NULL;
+    X509_LOOKUP *lookup = NULL;
+    X509_VERIFY_PARAM *vpm = NULL;
+    int crl_download = 0;
+    char *engine = NULL;
+
+    cert_ctx = X509_STORE_new();
+    if (cert_ctx == NULL)
+        goto end;
+    X509_STORE_set_verify_cb(cert_ctx, cb);
+
+    ERR_load_crypto_strings();
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+
+    argc--;
+    argv++;
+    for (;;) {
+        if (argc >= 1) {
+            if (strcmp(*argv, "-CApath") == 0) {
+                if (argc-- < 1)
+                    goto usage;
+                CApath = *(++argv);
+            } else if (strcmp(*argv, "-CAfile") == 0) {
+                if (argc-- < 1)
+                    goto usage;
+                CAfile = *(++argv);
+            } else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) {
+                if (badarg)
+                    goto usage;
+                continue;
+            } else if (strcmp(*argv, "-untrusted") == 0) {
+                if (argc-- < 1)
+                    goto usage;
+                untfile = *(++argv);
+            } else if (strcmp(*argv, "-trusted") == 0) {
+                if (argc-- < 1)
+                    goto usage;
+                trustfile = *(++argv);
+            } else if (strcmp(*argv, "-CRLfile") == 0) {
+                if (argc-- < 1)
+                    goto usage;
+                crlfile = *(++argv);
+            } else if (strcmp(*argv, "-crl_download") == 0)
+                crl_download = 1;
+#ifndef OPENSSL_NO_ENGINE
+            else if (strcmp(*argv, "-engine") == 0) {
+                if (--argc < 1)
+                    goto usage;
+                engine = *(++argv);
+            }
+#endif
+            else if (strcmp(*argv, "-help") == 0)
+                goto usage;
+            else if (strcmp(*argv, "-verbose") == 0)
+                v_verbose = 1;
+            else if (argv[0][0] == '-')
+                goto usage;
+            else
+                break;
+            argc--;
+            argv++;
+        } else
+            break;
+    }
+
+    e = setup_engine(bio_err, engine, 0);
+
+    if (vpm)
+        X509_STORE_set1_param(cert_ctx, vpm);
+
+    lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
+    if (lookup == NULL)
+        abort();
+    if (CAfile) {
+        i = X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM);
+        if (!i) {
+            BIO_printf(bio_err, "Error loading file %s\n", CAfile);
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    } else
+        X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
+
+    lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
+    if (lookup == NULL)
+        abort();
+    if (CApath) {
+        i = X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM);
+        if (!i) {
+            BIO_printf(bio_err, "Error loading directory %s\n", CApath);
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    } else
+        X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
+
+    ERR_clear_error();
+
+    if (untfile) {
+        untrusted = load_certs(bio_err, untfile, FORMAT_PEM,
+                               NULL, e, "untrusted certificates");
+        if (!untrusted)
+            goto end;
+    }
+
+    if (trustfile) {
+        trusted = load_certs(bio_err, trustfile, FORMAT_PEM,
+                             NULL, e, "trusted certificates");
+        if (!trusted)
+            goto end;
+    }
+
+    if (crlfile) {
+        crls = load_crls(bio_err, crlfile, FORMAT_PEM, NULL, e, "other CRLs");
+        if (!crls)
+            goto end;
+    }
+
+    ret = 0;
+
+    if (crl_download)
+        store_setup_crl_download(cert_ctx);
+    if (argc < 1) {
+        if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e))
+            ret = -1;
+    } else {
+        for (i = 0; i < argc; i++)
+            if (1 != check(cert_ctx, argv[i], untrusted, trusted, crls, e))
+                ret = -1;
+    }
+
+ usage:
+    if (ret == 1) {
+        BIO_printf(bio_err,
+                   "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
+        BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
+#ifndef OPENSSL_NO_ENGINE
+        BIO_printf(bio_err, " [-engine e]");
+#endif
+        BIO_printf(bio_err, " cert1 cert2 ...\n");
+
+        BIO_printf(bio_err, "recognized usages:\n");
+        for (i = 0; i < X509_PURPOSE_get_count(); i++) {
+            X509_PURPOSE *ptmp;
+            ptmp = X509_PURPOSE_get0(i);
+            BIO_printf(bio_err, "\t%-10s\t%s\n",
+                       X509_PURPOSE_get0_sname(ptmp),
+                       X509_PURPOSE_get0_name(ptmp));
+        }
+    }
+ end:
+    if (vpm)
+        X509_VERIFY_PARAM_free(vpm);
+    if (cert_ctx != NULL)
+        X509_STORE_free(cert_ctx);
+    sk_X509_pop_free(untrusted, X509_free);
+    sk_X509_pop_free(trusted, X509_free);
+    sk_X509_CRL_pop_free(crls, X509_CRL_free);
+    release_engine(e);
+    apps_shutdown();
+    OPENSSL_EXIT(ret < 0 ? 2 : ret);
+}
+
+static int check(X509_STORE *ctx, char *file,
+                 STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
+                 STACK_OF(X509_CRL) *crls, ENGINE *e)
+{
+    X509 *x = NULL;
+    int i = 0, ret = 0;
+    X509_STORE_CTX *csc;
+
+    x = load_cert(bio_err, file, FORMAT_PEM, NULL, e, "certificate file");
+    if (x == NULL)
+        goto end;
+    fprintf(stdout, "%s: ", (file == NULL) ? "stdin" : file);
+
+    csc = X509_STORE_CTX_new();
+    if (csc == NULL) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+    X509_STORE_set_flags(ctx, vflags);
+    if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+    if (tchain)
+        X509_STORE_CTX_trusted_stack(csc, tchain);
+    if (crls)
+        X509_STORE_CTX_set0_crls(csc, crls);
+    i = X509_verify_cert(csc);
+    X509_STORE_CTX_free(csc);
+
+    ret = 0;
+ end:
+    if (i > 0) {
+        fprintf(stdout, "OK\n");
+        ret = 1;
+    } else
+        ERR_print_errors(bio_err);
+    if (x != NULL)
+        X509_free(x);
+
+    return (ret);
+}
+
+static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
+{
+    int cert_error = X509_STORE_CTX_get_error(ctx);
+    X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
+
+    if (!ok) {
+        if (current_cert) {
+            X509_NAME_print_ex_fp(stdout,
+                                  X509_get_subject_name(current_cert),
+                                  0, XN_FLAG_ONELINE);
+            printf("\n");
+        }
+        printf("%serror %d at %d depth lookup:%s\n",
+               X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path]" : "",
+               cert_error,
+               X509_STORE_CTX_get_error_depth(ctx),
+               X509_verify_cert_error_string(cert_error));
+        switch (cert_error) {
+        case X509_V_ERR_NO_EXPLICIT_POLICY:
+            policies_print(NULL, ctx);
+        case X509_V_ERR_CERT_HAS_EXPIRED:
+
+            /*
+             * since we are just checking the certificates, it is ok if they
+             * are self signed. But we should still warn the user.
+             */
+
+        case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+            /* Continue after extension errors too */
+        case X509_V_ERR_INVALID_CA:
+        case X509_V_ERR_INVALID_NON_CA:
+        case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+        case X509_V_ERR_INVALID_PURPOSE:
+        case X509_V_ERR_CRL_HAS_EXPIRED:
+        case X509_V_ERR_CRL_NOT_YET_VALID:
+        case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
+            ok = 1;
+
+        }
+
+        return ok;
+
+    }
+    if (cert_error == X509_V_OK && ok == 2)
+        policies_print(NULL, ctx);
+    if (!v_verbose)
+        ERR_clear_error();
+    return (ok);
+}
diff --git a/openssl/apps/version.c b/openssl/apps/version.c
new file mode 100644
index 0000000..8807d4c
--- /dev/null
+++ b/openssl/apps/version.c
@@ -0,0 +1,214 @@
+/* apps/version.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/evp.h>
+#include <openssl/crypto.h>
+#include <openssl/bn.h>
+#ifndef OPENSSL_NO_MD2
+# include <openssl/md2.h>
+#endif
+#ifndef OPENSSL_NO_RC4
+# include <openssl/rc4.h>
+#endif
+#ifndef OPENSSL_NO_DES
+# include <openssl/des.h>
+#endif
+#ifndef OPENSSL_NO_IDEA
+# include <openssl/idea.h>
+#endif
+#ifndef OPENSSL_NO_BF
+# include <openssl/blowfish.h>
+#endif
+
+#undef PROG
+#define PROG    version_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    int i, ret = 0;
+    int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    if (argc == 1)
+        version = 1;
+    for (i = 1; i < argc; i++) {
+        if (strcmp(argv[i], "-v") == 0)
+            version = 1;
+        else if (strcmp(argv[i], "-b") == 0)
+            date = 1;
+        else if (strcmp(argv[i], "-f") == 0)
+            cflags = 1;
+        else if (strcmp(argv[i], "-o") == 0)
+            options = 1;
+        else if (strcmp(argv[i], "-p") == 0)
+            platform = 1;
+        else if (strcmp(argv[i], "-d") == 0)
+            dir = 1;
+        else if (strcmp(argv[i], "-a") == 0)
+            date = version = cflags = options = platform = dir = 1;
+        else {
+            BIO_printf(bio_err, "usage:version -[avbofpd]\n");
+            ret = 1;
+            goto end;
+        }
+    }
+
+    if (version) {
+        if (SSLeay() == SSLEAY_VERSION_NUMBER) {
+            printf("%s\n", SSLeay_version(SSLEAY_VERSION));
+        } else {
+            printf("%s (Library: %s)\n",
+                   OPENSSL_VERSION_TEXT, SSLeay_version(SSLEAY_VERSION));
+        }
+    }
+    if (date)
+        printf("%s\n", SSLeay_version(SSLEAY_BUILT_ON));
+    if (platform)
+        printf("%s\n", SSLeay_version(SSLEAY_PLATFORM));
+    if (options) {
+        printf("options:  ");
+        printf("%s ", BN_options());
+#ifndef OPENSSL_NO_MD2
+        printf("%s ", MD2_options());
+#endif
+#ifndef OPENSSL_NO_RC4
+        printf("%s ", RC4_options());
+#endif
+#ifndef OPENSSL_NO_DES
+        printf("%s ", DES_options());
+#endif
+#ifndef OPENSSL_NO_IDEA
+        printf("%s ", idea_options());
+#endif
+#ifndef OPENSSL_NO_BF
+        printf("%s ", BF_options());
+#endif
+        printf("\n");
+    }
+    if (cflags)
+        printf("%s\n", SSLeay_version(SSLEAY_CFLAGS));
+    if (dir)
+        printf("%s\n", SSLeay_version(SSLEAY_DIR));
+ end:
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
diff --git a/openssl/apps/vms_decc_init.c b/openssl/apps/vms_decc_init.c
new file mode 100644
index 0000000..3b6de11
--- /dev/null
+++ b/openssl/apps/vms_decc_init.c
@@ -0,0 +1,172 @@
+#if defined( __VMS) && !defined( OPENSSL_NO_DECC_INIT) && \
+ defined( __DECC) && !defined( __VAX) && (__CRTL_VER >= 70301000)
+# define USE_DECC_INIT 1
+#endif
+
+#ifdef USE_DECC_INIT
+
+/*-
+ * 2010-04-26 SMS.
+ *
+ *----------------------------------------------------------------------
+ *
+ *       decc_init()
+ *
+ *    On non-VAX systems, uses LIB$INITIALIZE to set a collection of C
+ *    RTL features without using the DECC$* logical name method.
+ *
+ *----------------------------------------------------------------------
+ */
+
+# include <stdio.h>
+# include <stdlib.h>
+# include <unixlib.h>
+
+/* Global storage. */
+
+/* Flag to sense if decc_init() was called. */
+
+int decc_init_done = -1;
+
+/* Structure to hold a DECC$* feature name and its desired value. */
+
+typedef struct {
+    char *name;
+    int value;
+} decc_feat_t;
+
+/*
+ * Array of DECC$* feature names and their desired values. Note:
+ * DECC$ARGV_PARSE_STYLE is the urgent one.
+ */
+
+decc_feat_t decc_feat_array[] = {
+    /* Preserve command-line case with SET PROCESS/PARSE_STYLE=EXTENDED */
+    {"DECC$ARGV_PARSE_STYLE", 1},
+
+    /* Preserve case for file names on ODS5 disks. */
+    {"DECC$EFS_CASE_PRESERVE", 1},
+
+    /*
+     * Enable multiple dots (and most characters) in ODS5 file names, while
+     * preserving VMS-ness of ";version".
+     */
+    {"DECC$EFS_CHARSET", 1},
+
+    /* List terminator. */
+    {(char *)NULL, 0}
+};
+
+/* LIB$INITIALIZE initialization function. */
+
+static void decc_init(void)
+{
+    char *openssl_debug_decc_init;
+    int verbose = 0;
+    int feat_index;
+    int feat_value;
+    int feat_value_max;
+    int feat_value_min;
+    int i;
+    int sts;
+
+    /* Get debug option. */
+    openssl_debug_decc_init = getenv("OPENSSL_DEBUG_DECC_INIT");
+    if (openssl_debug_decc_init != NULL) {
+        verbose = strtol(openssl_debug_decc_init, NULL, 10);
+        if (verbose <= 0) {
+            verbose = 1;
+        }
+    }
+
+    /* Set the global flag to indicate that LIB$INITIALIZE worked. */
+    decc_init_done = 1;
+
+    /* Loop through all items in the decc_feat_array[]. */
+
+    for (i = 0; decc_feat_array[i].name != NULL; i++) {
+        /* Get the feature index. */
+        feat_index = decc$feature_get_index(decc_feat_array[i].name);
+        if (feat_index >= 0) {
+            /* Valid item.  Collect its properties. */
+            feat_value = decc$feature_get_value(feat_index, 1);
+            feat_value_min = decc$feature_get_value(feat_index, 2);
+            feat_value_max = decc$feature_get_value(feat_index, 3);
+
+            /* Check the validity of our desired value. */
+            if ((decc_feat_array[i].value >= feat_value_min) &&
+                (decc_feat_array[i].value <= feat_value_max)) {
+                /* Valid value.  Set it if necessary. */
+                if (feat_value != decc_feat_array[i].value) {
+                    sts = decc$feature_set_value(feat_index,
+                                                 1, decc_feat_array[i].value);
+
+                    if (verbose > 1) {
+                        fprintf(stderr, " %s = %d, sts = %d.\n",
+                                decc_feat_array[i].name,
+                                decc_feat_array[i].value, sts);
+                    }
+                }
+            } else {
+                /* Invalid DECC feature value. */
+                fprintf(stderr,
+                        " INVALID DECC$FEATURE VALUE, %d: %d <= %s <= %d.\n",
+                        feat_value,
+                        feat_value_min, decc_feat_array[i].name,
+                        feat_value_max);
+            }
+        } else {
+            /* Invalid DECC feature name. */
+            fprintf(stderr,
+                    " UNKNOWN DECC$FEATURE: %s.\n", decc_feat_array[i].name);
+        }
+    }
+
+    if (verbose > 0) {
+        fprintf(stderr, " DECC_INIT complete.\n");
+    }
+}
+
+/* Get "decc_init()" into a valid, loaded LIB$INITIALIZE PSECT. */
+
+# pragma nostandard
+
+/*
+ * Establish the LIB$INITIALIZE PSECTs, with proper alignment and other
+ * attributes.  Note that "nopic" is significant only on VAX.
+ */
+# pragma extern_model save
+
+# if __INITIAL_POINTER_SIZE == 64
+#  define PSECT_ALIGN 3
+# else
+#  define PSECT_ALIGN 2
+# endif
+
+# pragma extern_model strict_refdef "LIB$INITIALIZ" PSECT_ALIGN, nopic, nowrt
+const int spare[8] = { 0 };
+
+# pragma extern_model strict_refdef "LIB$INITIALIZE" PSECT_ALIGN, nopic, nowrt
+void (*const x_decc_init) () = decc_init;
+
+# pragma extern_model restore
+
+/* Fake reference to ensure loading the LIB$INITIALIZE PSECT. */
+
+# pragma extern_model save
+
+int LIB$INITIALIZE(void);
+
+# pragma extern_model strict_refdef
+int dmy_lib$initialize = (int)LIB$INITIALIZE;
+
+# pragma extern_model restore
+
+# pragma standard
+
+#else                           /* def USE_DECC_INIT */
+
+/* Dummy code to avoid a %CC-W-EMPTYFILE complaint. */
+int decc_init_dummy(void);
+
+#endif                          /* def USE_DECC_INIT */
diff --git a/openssl/apps/vms_term_sock.c b/openssl/apps/vms_term_sock.c
new file mode 100755
index 0000000..a7d87ff
--- /dev/null
+++ b/openssl/apps/vms_term_sock.c
@@ -0,0 +1,590 @@
+/*
+ * Copyright 2016 VMS Software, Inc. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifdef __VMS
+# define OPENSSL_SYS_VMS
+# pragma message disable DOLLARID
+
+
+# include <openssl/opensslconf.h>
+
+# if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
+/*
+ * On VMS, you need to define this to get the declaration of fileno().  The
+ * value 2 is to make sure no function defined in POSIX-2 is left undefined.
+ */
+#  define _POSIX_C_SOURCE 2
+# endif
+
+# include <stdio.h>
+
+# undef _POSIX_C_SOURCE
+
+# include <sys/types.h>
+# include <sys/socket.h>
+# include <netinet/in.h>
+# include <inet.h>
+# include <unistd.h>
+# include <string.h>
+# include <errno.h>
+# include <starlet.h>
+# include <iodef.h>
+# ifdef __alpha
+#  include <iosbdef.h>
+# else
+typedef struct _iosb {           /* Copied from IOSBDEF.H for Alpha  */
+#  pragma __nomember_alignment
+    __union  {
+        __struct  {
+            unsigned short int iosb$w_status; /* Final I/O status           */
+            __union  {
+                __struct  {             /* 16-bit byte count variant        */
+                    unsigned short int iosb$w_bcnt; /* 16-bit byte count    */
+                    __union  {
+                        unsigned int iosb$l_dev_depend; /* 32-bit device dependent info */
+                        unsigned int iosb$l_pid; /* 32-bit pid              */
+                    } iosb$r_l;
+                } iosb$r_bcnt_16;
+                __struct  {             /* 32-bit byte count variant        */
+                    unsigned int iosb$l_bcnt; /* 32-bit byte count (unaligned) */
+                    unsigned short int iosb$w_dev_depend_high; /* 16-bit device dependent info */
+                } iosb$r_bcnt_32;
+            } iosb$r_devdepend;
+        } iosb$r_io_64;
+        __struct  {
+            __union  {
+                unsigned int iosb$l_getxxi_status; /* Final GETxxI status   */
+                unsigned int iosb$l_reg_status; /* Final $Registry status   */
+            } iosb$r_l_status;
+            unsigned int iosb$l_reserved; /* Reserved field                 */
+        } iosb$r_get_64;
+    } iosb$r_io_get;
+} IOSB;
+
+#  if !defined(__VAXC)
+#   define iosb$w_status iosb$r_io_get.iosb$r_io_64.iosb$w_status
+#   define iosb$w_bcnt iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_16.iosb$w_bcnt
+#   define iosb$r_l        iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_16.iosb$r_l
+#   define iosb$l_dev_depend iosb$r_l.iosb$l_dev_depend
+#   define iosb$l_pid iosb$r_l.iosb$l_pid
+#   define iosb$l_bcnt iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_32.iosb$l_bcnt
+#   define iosb$w_dev_depend_high iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_32.iosb$w_dev_depend_high
+#   define iosb$l_getxxi_status iosb$r_io_get.iosb$r_get_64.iosb$r_l_status.iosb$l_getxxi_status
+#   define iosb$l_reg_status iosb$r_io_get.iosb$r_get_64.iosb$r_l_status.iosb$l_reg_status
+#  endif          /* #if !defined(__VAXC) */
+
+# endif  /* End of IOSBDEF */
+
+# include <efndef.h>
+# include <stdlib.h>
+# include <ssdef.h>
+# include <time.h>
+# include <stdarg.h>
+# include <descrip.h>
+
+# include "vms_term_sock.h"
+
+# ifdef __alpha
+static struct _iosb TerminalDeviceIosb;
+# else
+IOSB TerminalDeviceIosb;
+# endif
+
+static char TerminalDeviceBuff[255 + 2];
+static int TerminalSocketPair[2] = {0, 0};
+static unsigned short TerminalDeviceChan = 0;
+
+static int CreateSocketPair (int, int, int, int *);
+static void SocketPairTimeoutAst (int);
+static int TerminalDeviceAst (int);
+static void LogMessage (char *, ...);
+
+/*
+** Socket Pair Timeout Value (must be 0-59 seconds)
+*/
+# define SOCKET_PAIR_TIMEOUT_VALUE 20
+
+/*
+** Socket Pair Timeout Block which is passed to timeout AST
+*/
+typedef struct _SocketPairTimeoutBlock {
+    unsigned short SockChan1;
+    unsigned short SockChan2;
+} SPTB;
+
+# ifdef TERM_SOCK_TEST
+
+/*----------------------------------------------------------------------------*/
+/*                                                                            */
+/*----------------------------------------------------------------------------*/
+int main (int argc, char *argv[], char *envp[])
+{
+    char TermBuff[80];
+    int TermSock,
+        status,
+        len;
+
+    LogMessage ("Enter 'q' or 'Q' to quit ...");
+    while (strcasecmp (TermBuff, "Q")) {
+        /*
+        ** Create the terminal socket
+        */
+        status = TerminalSocket (TERM_SOCK_CREATE, &TermSock);
+        if (status != TERM_SOCK_SUCCESS)
+            exit (1);
+
+        /*
+        ** Process the terminal input
+        */
+        LogMessage ("Waiting on terminal I/O ...\n");
+        len = recv (TermSock, TermBuff, sizeof (TermBuff), 0) ;
+        TermBuff[len] = '\0';
+        LogMessage ("Received terminal I/O [%s]", TermBuff);
+
+        /*
+        ** Delete the terminal socket
+        */
+        status = TerminalSocket (TERM_SOCK_DELETE, &TermSock);
+        if (status != TERM_SOCK_SUCCESS)
+            exit (1);
+    }
+
+    return 1;
+
+}
+# endif
+
+/*----------------------------------------------------------------------------*/
+/*                                                                            */
+/*----------------------------------------------------------------------------*/
+int TerminalSocket (int FunctionCode, int *ReturnSocket)
+{
+    int status;
+    $DESCRIPTOR (TerminalDeviceDesc, "SYS$COMMAND");
+
+    /*
+    ** Process the requested function code
+    */
+    switch (FunctionCode) {
+    case TERM_SOCK_CREATE:
+        /*
+        ** Create a socket pair
+        */
+        status = CreateSocketPair (AF_INET, SOCK_STREAM, 0, TerminalSocketPair);
+        if (status == -1) {
+            LogMessage ("TerminalSocket: CreateSocketPair () - %08X", status);
+            if (TerminalSocketPair[0])
+                close (TerminalSocketPair[0]);
+            if (TerminalSocketPair[1])
+                close (TerminalSocketPair[1]);
+            return (TERM_SOCK_FAILURE);
+        }
+
+        /*
+        ** Assign a channel to the terminal device
+        */
+        status = sys$assign (&TerminalDeviceDesc,
+                             &TerminalDeviceChan,
+                             0, 0, 0);
+        if (! (status & 1)) {
+            LogMessage ("TerminalSocket: SYS$ASSIGN () - %08X", status);
+            close (TerminalSocketPair[0]);
+            close (TerminalSocketPair[1]);
+            return (TERM_SOCK_FAILURE);
+        }
+
+        /*
+        ** Queue an async IO to the terminal device
+        */
+        status = sys$qio (EFN$C_ENF,
+                          TerminalDeviceChan,
+                          IO$_READVBLK,
+                          &TerminalDeviceIosb,
+                          TerminalDeviceAst,
+                          0,
+                          TerminalDeviceBuff,
+                          sizeof (TerminalDeviceBuff) - 2,
+                          0, 0, 0, 0);
+        if (! (status & 1)) {
+            LogMessage ("TerminalSocket: SYS$QIO () - %08X", status);
+            close (TerminalSocketPair[0]);
+            close (TerminalSocketPair[1]);
+            return (TERM_SOCK_FAILURE);
+        }
+
+        /*
+        ** Return the input side of the socket pair
+        */
+        *ReturnSocket = TerminalSocketPair[1];
+        break;
+
+    case TERM_SOCK_DELETE:
+        /*
+        ** Cancel any pending IO on the terminal channel
+        */
+        status = sys$cancel (TerminalDeviceChan);
+        if (! (status & 1)) {
+            LogMessage ("TerminalSocket: SYS$CANCEL () - %08X", status);
+            close (TerminalSocketPair[0]);
+            close (TerminalSocketPair[1]);
+            return (TERM_SOCK_FAILURE);
+        }
+
+        /*
+	** Deassign the terminal channel
+	*/
+        status = sys$dassgn (TerminalDeviceChan);
+        if (! (status & 1)) {
+            LogMessage ("TerminalSocket: SYS$DASSGN () - %08X", status);
+            close (TerminalSocketPair[0]);
+            close (TerminalSocketPair[1]);
+            return (TERM_SOCK_FAILURE);
+        }
+
+        /*
+        ** Close the terminal socket pair
+        */
+        close (TerminalSocketPair[0]);
+        close (TerminalSocketPair[1]);
+
+        /*
+	** Return the initialized socket
+	*/
+        *ReturnSocket = 0;
+        break;
+
+    default:
+        /*
+	** Invalid function code
+	*/
+        LogMessage ("TerminalSocket: Invalid Function Code - %d", FunctionCode);
+        return (TERM_SOCK_FAILURE);
+        break;
+    }
+
+    /*
+    ** Return success
+    */
+    return (TERM_SOCK_SUCCESS);
+
+}
+
+/*----------------------------------------------------------------------------*/
+/*                                                                            */
+/*----------------------------------------------------------------------------*/
+static int CreateSocketPair (int SocketFamily,
+                             int SocketType,
+                             int SocketProtocol,
+                             int *SocketPair)
+{
+    struct dsc$descriptor AscTimeDesc = {0, DSC$K_DTYPE_T, DSC$K_CLASS_S, NULL};
+    static const char* LocalHostAddr = {"127.0.0.1"};
+    unsigned short TcpAcceptChan = 0,
+        TcpDeviceChan = 0;
+    unsigned long BinTimeBuff[2];
+    struct sockaddr_in sin;
+    char AscTimeBuff[32];
+    short LocalHostPort;
+    int status;
+    unsigned int slen;
+
+# ifdef __alpha
+    struct _iosb iosb;
+# else
+    IOSB iosb;
+# endif
+
+    int SockDesc1 = 0,
+        SockDesc2 = 0;
+    SPTB sptb;
+    $DESCRIPTOR (TcpDeviceDesc, "TCPIP$DEVICE");
+
+    /*
+    ** Create a socket
+    */
+    SockDesc1 = socket (SocketFamily, SocketType, 0);
+    if (SockDesc1 < 0) {
+        LogMessage ("CreateSocketPair: socket () - %d", errno);
+        return (-1);
+    }
+
+    /*
+    ** Initialize the socket information
+    */
+    slen = sizeof (sin);
+    memset ((char *) &sin, 0, slen);
+    sin.sin_family = SocketFamily;
+    sin.sin_addr.s_addr = inet_addr (LocalHostAddr);
+    sin.sin_port = 0;
+
+    /*
+    ** Bind the socket to the local IP
+    */
+    status = bind (SockDesc1, (struct sockaddr *) &sin, slen);
+    if (status < 0) {
+        LogMessage ("CreateSocketPair: bind () - %d", errno);
+        close (SockDesc1);
+        return (-1);
+    }
+
+    /*
+    ** Get the socket name so we can save the port number
+    */
+    status = getsockname (SockDesc1, (struct sockaddr *) &sin, &slen);
+    if (status < 0) {
+        LogMessage ("CreateSocketPair: getsockname () - %d", errno);
+        close (SockDesc1);
+        return (-1);
+    } else
+        LocalHostPort = sin.sin_port;
+
+    /*
+    ** Setup a listen for the socket
+    */
+    listen (SockDesc1, 5);
+
+    /*
+    ** Get the binary (64-bit) time of the specified timeout value
+    */
+    sprintf (AscTimeBuff, "0 0:0:%02d.00", SOCKET_PAIR_TIMEOUT_VALUE);
+    AscTimeDesc.dsc$w_length = strlen (AscTimeBuff);
+    AscTimeDesc.dsc$a_pointer = AscTimeBuff;
+    status = sys$bintim (&AscTimeDesc, BinTimeBuff);
+    if (! (status & 1)) {
+        LogMessage ("CreateSocketPair: SYS$BINTIM () - %08X", status);
+        close (SockDesc1);
+        return (-1);
+    }
+
+    /*
+    ** Assign another channel to the TCP/IP device for the accept.
+    ** This is the channel that ends up being connected to.
+    */
+    status = sys$assign (&TcpDeviceDesc, &TcpDeviceChan, 0, 0, 0);
+    if (! (status & 1)) {
+        LogMessage ("CreateSocketPair: SYS$ASSIGN () - %08X", status);
+        close (SockDesc1);
+        return (-1);
+    }
+
+    /*
+    ** Get the channel of the first socket for the accept
+    */
+    TcpAcceptChan = decc$get_sdc (SockDesc1);
+
+    /*
+    ** Perform the accept using $QIO so we can do this asynchronously
+    */
+    status = sys$qio (EFN$C_ENF,
+                      TcpAcceptChan,
+                      IO$_ACCESS | IO$M_ACCEPT,
+                      &iosb,
+                      0, 0, 0, 0, 0,
+                      &TcpDeviceChan,
+                      0, 0);
+    if (! (status & 1)) {
+        LogMessage ("CreateSocketPair: SYS$QIO () - %08X", status);
+        close (SockDesc1);
+        sys$dassgn (TcpDeviceChan);
+        return (-1);
+    }
+
+    /*
+    ** Create the second socket to do the connect
+    */
+    SockDesc2 = socket (SocketFamily, SocketType, 0);
+    if (SockDesc2 < 0) {
+        LogMessage ("CreateSocketPair: socket () - %d", errno);
+        sys$cancel (TcpAcceptChan);
+        close (SockDesc1);
+        sys$dassgn (TcpDeviceChan);
+        return (-1) ;
+    }
+
+    /*
+    ** Setup the Socket Pair Timeout Block
+    */
+    sptb.SockChan1 = TcpAcceptChan;
+    sptb.SockChan2 = decc$get_sdc (SockDesc2);
+
+    /*
+    ** Before we block on the connect, set a timer that can cancel I/O on our
+    ** two sockets if it never connects.
+    */
+    status = sys$setimr (EFN$C_ENF,
+                         BinTimeBuff,
+                         SocketPairTimeoutAst,
+                         &sptb,
+                         0);
+    if (! (status & 1)) {
+        LogMessage ("CreateSocketPair: SYS$SETIMR () - %08X", status);
+        sys$cancel (TcpAcceptChan);
+        close (SockDesc1);
+        close (SockDesc2);
+        sys$dassgn (TcpDeviceChan);
+        return (-1);
+    }
+
+    /*
+    ** Now issue the connect
+    */
+    memset ((char *) &sin, 0, sizeof (sin)) ;
+    sin.sin_family = SocketFamily;
+    sin.sin_addr.s_addr = inet_addr (LocalHostAddr) ;
+    sin.sin_port = LocalHostPort ;
+
+    status = connect (SockDesc2, (struct sockaddr *) &sin, sizeof (sin));
+    if (status < 0 ) {
+        LogMessage ("CreateSocketPair: connect () - %d", errno);
+        sys$cantim (&sptb, 0);
+        sys$cancel (TcpAcceptChan);
+        close (SockDesc1);
+        close (SockDesc2);
+        sys$dassgn (TcpDeviceChan);
+        return (-1);
+    }
+
+    /*
+    ** Wait for the asynch $QIO to finish.  Note that if the I/O was aborted
+    ** (SS$_ABORT), then we probably canceled it from the AST routine - so log
+    ** a timeout.
+    */
+    status = sys$synch (EFN$C_ENF, &iosb);
+    if (! (iosb.iosb$w_status & 1)) {
+        if (iosb.iosb$w_status == SS$_ABORT)
+            LogMessage ("CreateSocketPair: SYS$QIO(iosb) timeout");
+        else {
+            LogMessage ("CreateSocketPair: SYS$QIO(iosb) - %d",
+                        iosb.iosb$w_status);
+            sys$cantim (&sptb, 0);
+        }
+        close (SockDesc1);
+        close (SockDesc2);
+        sys$dassgn (TcpDeviceChan);
+        return (-1);
+    }
+
+    /*
+    ** Here we're successfully connected, so cancel the timer, convert the
+    ** I/O channel to a socket fd, close the listener socket and return the
+    ** connected pair.
+    */
+    sys$cantim (&sptb, 0);
+
+    close (SockDesc1) ;
+    SocketPair[0] = SockDesc2 ;
+    SocketPair[1] = socket_fd (TcpDeviceChan);
+
+    return (0) ;
+
+}
+
+/*----------------------------------------------------------------------------*/
+/*                                                                            */
+/*----------------------------------------------------------------------------*/
+static void SocketPairTimeoutAst (int astparm)
+{
+    SPTB *sptb = (SPTB *) astparm;
+
+    sys$cancel (sptb->SockChan2); /* Cancel the connect() */
+    sys$cancel (sptb->SockChan1); /* Cancel the accept() */
+
+    return;
+
+}
+
+/*----------------------------------------------------------------------------*/
+/*                                                                            */
+/*----------------------------------------------------------------------------*/
+static int TerminalDeviceAst (int astparm)
+{
+    int status;
+
+    /*
+    ** Terminate the terminal buffer
+    */
+    TerminalDeviceBuff[TerminalDeviceIosb.iosb$w_bcnt] = '\0';
+    strcat (TerminalDeviceBuff, "\n");
+
+    /*
+    ** Send the data read from the terminal device throught the socket pair
+    */
+    send (TerminalSocketPair[0], TerminalDeviceBuff,
+          TerminalDeviceIosb.iosb$w_bcnt + 1, 0);
+
+    /*
+    ** Queue another async IO to the terminal device
+    */
+    status = sys$qio (EFN$C_ENF,
+                      TerminalDeviceChan,
+                      IO$_READVBLK,
+                      &TerminalDeviceIosb,
+                      TerminalDeviceAst,
+                      0,
+                      TerminalDeviceBuff,
+                      sizeof (TerminalDeviceBuff) - 1,
+                      0, 0, 0, 0);
+
+    /*
+    ** Return status
+    */
+    return status;
+
+}
+
+/*----------------------------------------------------------------------------*/
+/*                                                                            */
+/*----------------------------------------------------------------------------*/
+static void LogMessage (char *msg, ...)
+{
+    char *Month[] = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
+                     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
+    static unsigned int pid = 0;
+    va_list args;
+    time_t CurTime;
+    struct tm *LocTime;
+    char MsgBuff[256];
+
+    /*
+    ** Get the process pid
+    */
+    if (pid == 0)
+        pid = getpid ();
+
+    /*
+    ** Convert the current time into local time
+    */
+    CurTime = time (NULL);
+    LocTime = localtime (&CurTime);
+
+    /*
+    ** Format the message buffer
+    */
+    sprintf (MsgBuff, "%02d-%s-%04d %02d:%02d:%02d [%08X] %s\n",
+             LocTime->tm_mday, Month[LocTime->tm_mon],
+             (LocTime->tm_year + 1900), LocTime->tm_hour, LocTime->tm_min,
+             LocTime->tm_sec, pid, msg);
+
+    /*
+    ** Get any variable arguments and add them to the print of the message
+    ** buffer
+    */
+    va_start (args, msg);
+    vfprintf (stderr, MsgBuff, args);
+    va_end (args);
+
+    /*
+    ** Flush standard error output
+    */
+    fsync (fileno (stderr));
+
+    return;
+
+}
+#endif
diff --git a/openssl/apps/vms_term_sock.h b/openssl/apps/vms_term_sock.h
new file mode 100755
index 0000000..662fa0a
--- /dev/null
+++ b/openssl/apps/vms_term_sock.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright 2016 VMS Software, Inc. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef TERM_SOCK_H
+# define TERM_SOCK_H
+
+/*
+** Terminal Socket Function Codes
+*/
+# define TERM_SOCK_CREATE       1
+# define TERM_SOCK_DELETE       2
+
+/*
+** Terminal Socket Status Codes
+*/
+# define TERM_SOCK_FAILURE      0
+# define TERM_SOCK_SUCCESS      1
+
+/*
+** Terminal Socket Prototype
+*/
+int TerminalSocket (int FunctionCode, int *ReturnSocket);
+
+#endif
diff --git a/openssl/apps/winrand.c b/openssl/apps/winrand.c
new file mode 100644
index 0000000..44f57a3
--- /dev/null
+++ b/openssl/apps/winrand.c
@@ -0,0 +1,146 @@
+/* apps/winrand.c */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*-
+ * Usage: winrand [filename]
+ *
+ * Collects entropy from mouse movements and other events and writes
+ * random data to filename or .rnd
+ */
+
+#include <windows.h>
+#include <openssl/opensslv.h>
+#include <openssl/rand.h>
+
+LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);
+const char *filename;
+
+int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
+                   PSTR cmdline, int iCmdShow)
+{
+    static char appname[] = "OpenSSL";
+    HWND hwnd;
+    MSG msg;
+    WNDCLASSEX wndclass;
+    char buffer[200];
+
+    if (cmdline[0] == '\0')
+        filename = RAND_file_name(buffer, sizeof buffer);
+    else
+        filename = cmdline;
+
+    RAND_load_file(filename, -1);
+
+    wndclass.cbSize = sizeof(wndclass);
+    wndclass.style = CS_HREDRAW | CS_VREDRAW;
+    wndclass.lpfnWndProc = WndProc;
+    wndclass.cbClsExtra = 0;
+    wndclass.cbWndExtra = 0;
+    wndclass.hInstance = hInstance;
+    wndclass.hIcon = LoadIcon(NULL, IDI_APPLICATION);
+    wndclass.hCursor = LoadCursor(NULL, IDC_ARROW);
+    wndclass.hbrBackground = (HBRUSH) GetStockObject(WHITE_BRUSH);
+    wndclass.lpszMenuName = NULL;
+    wndclass.lpszClassName = appname;
+    wndclass.hIconSm = LoadIcon(NULL, IDI_APPLICATION);
+    RegisterClassEx(&wndclass);
+
+    hwnd = CreateWindow(appname, OPENSSL_VERSION_TEXT,
+                        WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT,
+                        CW_USEDEFAULT, CW_USEDEFAULT, NULL, NULL, hInstance,
+                        NULL);
+
+    ShowWindow(hwnd, iCmdShow);
+    UpdateWindow(hwnd);
+
+    while (GetMessage(&msg, NULL, 0, 0)) {
+        TranslateMessage(&msg);
+        DispatchMessage(&msg);
+    }
+
+    return msg.wParam;
+}
+
+LRESULT CALLBACK WndProc(HWND hwnd, UINT iMsg, WPARAM wParam, LPARAM lParam)
+{
+    HDC hdc;
+    PAINTSTRUCT ps;
+    RECT rect;
+    static int seeded = 0;
+
+    switch (iMsg) {
+    case WM_PAINT:
+        hdc = BeginPaint(hwnd, &ps);
+        GetClientRect(hwnd, &rect);
+        DrawText(hdc, "Seeding the PRNG. Please move the mouse!", -1,
+                 &rect, DT_SINGLELINE | DT_CENTER | DT_VCENTER);
+        EndPaint(hwnd, &ps);
+        return 0;
+
+    case WM_DESTROY:
+        PostQuitMessage(0);
+        return 0;
+    }
+
+    if (RAND_event(iMsg, wParam, lParam) == 1 && seeded == 0) {
+        seeded = 1;
+        if (RAND_write_file(filename) <= 0)
+            MessageBox(hwnd, "Couldn't write random file!",
+                       "OpenSSL", MB_OK | MB_ICONERROR);
+        PostQuitMessage(0);
+    }
+
+    return DefWindowProc(hwnd, iMsg, wParam, lParam);
+}
diff --git a/openssl/apps/x509.c b/openssl/apps/x509.c
new file mode 100644
index 0000000..ad9fc98
--- /dev/null
+++ b/openssl/apps/x509.c
@@ -0,0 +1,1278 @@
+/* apps/x509.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef OPENSSL_NO_STDIO
+# define APPS_WIN16
+#endif
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/asn1.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/objects.h>
+#include <openssl/pem.h>
+#ifndef OPENSSL_NO_RSA
+# include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+# include <openssl/dsa.h>
+#endif
+
+#undef PROG
+#define PROG x509_main
+
+#undef POSTFIX
+#define POSTFIX ".srl"
+#define DEF_DAYS        30
+
+static const char *x509_usage[] = {
+    "usage: x509 args\n",
+    " -inform arg     - input format - default PEM (one of DER, NET or PEM)\n",
+    " -outform arg    - output format - default PEM (one of DER, NET or PEM)\n",
+    " -keyform arg    - private key format - default PEM\n",
+    " -CAform arg     - CA format - default PEM\n",
+    " -CAkeyform arg  - CA key format - default PEM\n",
+    " -in arg         - input file - default stdin\n",
+    " -out arg        - output file - default stdout\n",
+    " -passin arg     - private key password source\n",
+    " -serial         - print serial number value\n",
+    " -subject_hash   - print subject hash value\n",
+#ifndef OPENSSL_NO_MD5
+    " -subject_hash_old   - print old-style (MD5) subject hash value\n",
+#endif
+    " -issuer_hash    - print issuer hash value\n",
+#ifndef OPENSSL_NO_MD5
+    " -issuer_hash_old    - print old-style (MD5) issuer hash value\n",
+#endif
+    " -hash           - synonym for -subject_hash\n",
+    " -subject        - print subject DN\n",
+    " -issuer         - print issuer DN\n",
+    " -email          - print email address(es)\n",
+    " -startdate      - notBefore field\n",
+    " -enddate        - notAfter field\n",
+    " -purpose        - print out certificate purposes\n",
+    " -dates          - both Before and After dates\n",
+    " -modulus        - print the RSA key modulus\n",
+    " -pubkey         - output the public key\n",
+    " -fingerprint    - print the certificate fingerprint\n",
+    " -alias          - output certificate alias\n",
+    " -noout          - no certificate output\n",
+    " -ocspid         - print OCSP hash values for the subject name and public key\n",
+    " -ocsp_uri       - print OCSP Responder URL(s)\n",
+    " -trustout       - output a \"trusted\" certificate\n",
+    " -clrtrust       - clear all trusted purposes\n",
+    " -clrreject      - clear all rejected purposes\n",
+    " -addtrust arg   - trust certificate for a given purpose\n",
+    " -addreject arg  - reject certificate for a given purpose\n",
+    " -setalias arg   - set certificate alias\n",
+    " -days arg       - How long till expiry of a signed certificate - def 30 days\n",
+    " -checkend arg   - check whether the cert expires in the next arg seconds\n",
+    "                   exit 1 if so, 0 if not\n",
+    " -signkey arg    - self sign cert with arg\n",
+    " -x509toreq      - output a certification request object\n",
+    " -req            - input is a certificate request, sign and output.\n",
+    " -CA arg         - set the CA certificate, must be PEM format.\n",
+    " -CAkey arg      - set the CA key, must be PEM format\n",
+    "                   missing, it is assumed to be in the CA file.\n",
+    " -CAcreateserial - create serial number file if it does not exist\n",
+    " -CAserial arg   - serial file\n",
+    " -set_serial     - serial number to use\n",
+    " -text           - print the certificate in text form\n",
+    " -C              - print out C code forms\n",
+    " -md2/-md5/-sha1/-mdc2 - digest to use\n",
+    " -extfile        - configuration file with X509V3 extensions to add\n",
+    " -extensions     - section from config file with X509V3 extensions to add\n",
+    " -clrext         - delete extensions before signing and input certificate\n",
+    " -nameopt arg    - various certificate name options\n",
+#ifndef OPENSSL_NO_ENGINE
+    " -engine e       - use engine e, possibly a hardware device.\n",
+#endif
+    " -certopt arg    - various certificate text options\n",
+    " -checkhost host - check certificate matches \"host\"\n",
+    " -checkemail email - check certificate matches \"email\"\n",
+    " -checkip ipaddr - check certificate matches \"ipaddr\"\n",
+    NULL
+};
+
+static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
+static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
+                const EVP_MD *digest, CONF *conf, char *section);
+static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
+                        X509 *x, X509 *xca, EVP_PKEY *pkey,
+                        STACK_OF(OPENSSL_STRING) *sigopts, char *serial,
+                        int create, int days, int clrext, CONF *conf,
+                        char *section, ASN1_INTEGER *sno);
+static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
+static int reqfile = 0;
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+static int force_version = 2;
+#endif
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+    ENGINE *e = NULL;
+    int ret = 1;
+    X509_REQ *req = NULL;
+    X509 *x = NULL, *xca = NULL;
+    ASN1_OBJECT *objtmp;
+    STACK_OF(OPENSSL_STRING) *sigopts = NULL;
+    EVP_PKEY *Upkey = NULL, *CApkey = NULL, *fkey = NULL;
+    ASN1_INTEGER *sno = NULL;
+    int i, num, badops = 0, badsig = 0;
+    BIO *out = NULL;
+    BIO *STDout = NULL;
+    STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
+    int informat, outformat, keyformat, CAformat, CAkeyformat;
+    char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL;
+    char *CAkeyfile = NULL, *CAserial = NULL;
+    char *fkeyfile = NULL;
+    char *alias = NULL;
+    int text = 0, serial = 0, subject = 0, issuer = 0, startdate =
+        0, enddate = 0;
+    int next_serial = 0;
+    int subject_hash = 0, issuer_hash = 0, ocspid = 0;
+#ifndef OPENSSL_NO_MD5
+    int subject_hash_old = 0, issuer_hash_old = 0;
+#endif
+    int noout = 0, sign_flag = 0, CA_flag = 0, CA_createserial = 0, email = 0;
+    int ocsp_uri = 0;
+    int trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0, clrext = 0;
+    int C = 0;
+    int x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0;
+    int pprint = 0;
+    const char **pp;
+    X509_STORE *ctx = NULL;
+    X509_REQ *rq = NULL;
+    int fingerprint = 0;
+    char buf[256];
+    const EVP_MD *md_alg, *digest = NULL;
+    CONF *extconf = NULL;
+    char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
+    int need_rand = 0;
+    int checkend = 0, checkoffset = 0;
+    unsigned long nmflag = 0, certflag = 0;
+    char *checkhost = NULL;
+    char *checkemail = NULL;
+    char *checkip = NULL;
+    char *engine = NULL;
+
+    reqfile = 0;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+    if (!load_config(bio_err, NULL))
+        goto end;
+    STDout = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+    {
+        BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+        STDout = BIO_push(tmpbio, STDout);
+    }
+#endif
+
+    informat = FORMAT_PEM;
+    outformat = FORMAT_PEM;
+    keyformat = FORMAT_PEM;
+    CAformat = FORMAT_PEM;
+    CAkeyformat = FORMAT_PEM;
+
+    ctx = X509_STORE_new();
+    if (ctx == NULL)
+        goto end;
+    X509_STORE_set_verify_cb(ctx, callb);
+
+    argc--;
+    argv++;
+    num = 0;
+    while (argc >= 1) {
+        if (strcmp(*argv, "-inform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            informat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-outform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outformat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-keyform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            keyformat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-req") == 0) {
+            reqfile = 1;
+            need_rand = 1;
+        } else if (strcmp(*argv, "-CAform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            CAformat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-CAkeyform") == 0) {
+            if (--argc < 1)
+                goto bad;
+            CAkeyformat = str2fmt(*(++argv));
+        } else if (strcmp(*argv, "-sigopt") == 0) {
+            if (--argc < 1)
+                goto bad;
+            if (!sigopts)
+                sigopts = sk_OPENSSL_STRING_new_null();
+            if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
+                goto bad;
+        }
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+        else if (strcmp(*argv, "-force_version") == 0) {
+            if (--argc < 1)
+                goto bad;
+            force_version = atoi(*(++argv)) - 1;
+        }
+#endif
+        else if (strcmp(*argv, "-days") == 0) {
+            if (--argc < 1)
+                goto bad;
+            days = atoi(*(++argv));
+            if (days == 0) {
+                BIO_printf(bio_err, "bad number of days\n");
+                goto bad;
+            }
+        } else if (strcmp(*argv, "-passin") == 0) {
+            if (--argc < 1)
+                goto bad;
+            passargin = *(++argv);
+        } else if (strcmp(*argv, "-extfile") == 0) {
+            if (--argc < 1)
+                goto bad;
+            extfile = *(++argv);
+        } else if (strcmp(*argv, "-extensions") == 0) {
+            if (--argc < 1)
+                goto bad;
+            extsect = *(++argv);
+        } else if (strcmp(*argv, "-in") == 0) {
+            if (--argc < 1)
+                goto bad;
+            infile = *(++argv);
+        } else if (strcmp(*argv, "-out") == 0) {
+            if (--argc < 1)
+                goto bad;
+            outfile = *(++argv);
+        } else if (strcmp(*argv, "-signkey") == 0) {
+            if (--argc < 1)
+                goto bad;
+            keyfile = *(++argv);
+            sign_flag = ++num;
+            need_rand = 1;
+        } else if (strcmp(*argv, "-CA") == 0) {
+            if (--argc < 1)
+                goto bad;
+            CAfile = *(++argv);
+            CA_flag = ++num;
+            need_rand = 1;
+        } else if (strcmp(*argv, "-CAkey") == 0) {
+            if (--argc < 1)
+                goto bad;
+            CAkeyfile = *(++argv);
+        } else if (strcmp(*argv, "-CAserial") == 0) {
+            if (--argc < 1)
+                goto bad;
+            CAserial = *(++argv);
+        } else if (strcmp(*argv, "-set_serial") == 0) {
+            if (--argc < 1)
+                goto bad;
+            if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv))))
+                goto bad;
+        } else if (strcmp(*argv, "-force_pubkey") == 0) {
+            if (--argc < 1)
+                goto bad;
+            fkeyfile = *(++argv);
+        } else if (strcmp(*argv, "-addtrust") == 0) {
+            if (--argc < 1)
+                goto bad;
+            if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) {
+                BIO_printf(bio_err, "Invalid trust object value %s\n", *argv);
+                goto bad;
+            }
+            if (!trust)
+                trust = sk_ASN1_OBJECT_new_null();
+            sk_ASN1_OBJECT_push(trust, objtmp);
+            trustout = 1;
+        } else if (strcmp(*argv, "-addreject") == 0) {
+            if (--argc < 1)
+                goto bad;
+            if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) {
+                BIO_printf(bio_err,
+                           "Invalid reject object value %s\n", *argv);
+                goto bad;
+            }
+            if (!reject)
+                reject = sk_ASN1_OBJECT_new_null();
+            sk_ASN1_OBJECT_push(reject, objtmp);
+            trustout = 1;
+        } else if (strcmp(*argv, "-setalias") == 0) {
+            if (--argc < 1)
+                goto bad;
+            alias = *(++argv);
+            trustout = 1;
+        } else if (strcmp(*argv, "-certopt") == 0) {
+            if (--argc < 1)
+                goto bad;
+            if (!set_cert_ex(&certflag, *(++argv)))
+                goto bad;
+        } else if (strcmp(*argv, "-nameopt") == 0) {
+            if (--argc < 1)
+                goto bad;
+            if (!set_name_ex(&nmflag, *(++argv)))
+                goto bad;
+        }
+#ifndef OPENSSL_NO_ENGINE
+        else if (strcmp(*argv, "-engine") == 0) {
+            if (--argc < 1)
+                goto bad;
+            engine = *(++argv);
+        }
+#endif
+        else if (strcmp(*argv, "-C") == 0)
+            C = ++num;
+        else if (strcmp(*argv, "-email") == 0)
+            email = ++num;
+        else if (strcmp(*argv, "-ocsp_uri") == 0)
+            ocsp_uri = ++num;
+        else if (strcmp(*argv, "-serial") == 0)
+            serial = ++num;
+        else if (strcmp(*argv, "-next_serial") == 0)
+            next_serial = ++num;
+        else if (strcmp(*argv, "-modulus") == 0)
+            modulus = ++num;
+        else if (strcmp(*argv, "-pubkey") == 0)
+            pubkey = ++num;
+        else if (strcmp(*argv, "-x509toreq") == 0)
+            x509req = ++num;
+        else if (strcmp(*argv, "-text") == 0)
+            text = ++num;
+        else if (strcmp(*argv, "-hash") == 0
+                 || strcmp(*argv, "-subject_hash") == 0)
+            subject_hash = ++num;
+#ifndef OPENSSL_NO_MD5
+        else if (strcmp(*argv, "-subject_hash_old") == 0)
+            subject_hash_old = ++num;
+#endif
+        else if (strcmp(*argv, "-issuer_hash") == 0)
+            issuer_hash = ++num;
+#ifndef OPENSSL_NO_MD5
+        else if (strcmp(*argv, "-issuer_hash_old") == 0)
+            issuer_hash_old = ++num;
+#endif
+        else if (strcmp(*argv, "-subject") == 0)
+            subject = ++num;
+        else if (strcmp(*argv, "-issuer") == 0)
+            issuer = ++num;
+        else if (strcmp(*argv, "-fingerprint") == 0)
+            fingerprint = ++num;
+        else if (strcmp(*argv, "-dates") == 0) {
+            startdate = ++num;
+            enddate = ++num;
+        } else if (strcmp(*argv, "-purpose") == 0)
+            pprint = ++num;
+        else if (strcmp(*argv, "-startdate") == 0)
+            startdate = ++num;
+        else if (strcmp(*argv, "-enddate") == 0)
+            enddate = ++num;
+        else if (strcmp(*argv, "-checkend") == 0) {
+            if (--argc < 1)
+                goto bad;
+            checkoffset = atoi(*(++argv));
+            checkend = 1;
+        } else if (strcmp(*argv, "-checkhost") == 0) {
+            if (--argc < 1)
+                goto bad;
+            checkhost = *(++argv);
+        } else if (strcmp(*argv, "-checkemail") == 0) {
+            if (--argc < 1)
+                goto bad;
+            checkemail = *(++argv);
+        } else if (strcmp(*argv, "-checkip") == 0) {
+            if (--argc < 1)
+                goto bad;
+            checkip = *(++argv);
+        } else if (strcmp(*argv, "-noout") == 0)
+            noout = ++num;
+        else if (strcmp(*argv, "-trustout") == 0)
+            trustout = 1;
+        else if (strcmp(*argv, "-clrtrust") == 0)
+            clrtrust = ++num;
+        else if (strcmp(*argv, "-clrreject") == 0)
+            clrreject = ++num;
+        else if (strcmp(*argv, "-alias") == 0)
+            aliasout = ++num;
+        else if (strcmp(*argv, "-CAcreateserial") == 0)
+            CA_createserial = ++num;
+        else if (strcmp(*argv, "-clrext") == 0)
+            clrext = 1;
+#if 1                           /* stay backwards-compatible with 0.9.5; this
+                                 * should go away soon */
+        else if (strcmp(*argv, "-crlext") == 0) {
+            BIO_printf(bio_err, "use -clrext instead of -crlext\n");
+            clrext = 1;
+        }
+#endif
+        else if (strcmp(*argv, "-ocspid") == 0)
+            ocspid = ++num;
+        else if (strcmp(*argv, "-badsig") == 0)
+            badsig = 1;
+        else if ((md_alg = EVP_get_digestbyname(*argv + 1))) {
+            /* ok */
+            digest = md_alg;
+        } else {
+            BIO_printf(bio_err, "unknown option %s\n", *argv);
+            badops = 1;
+            break;
+        }
+        argc--;
+        argv++;
+    }
+
+    if (badops) {
+ bad:
+        for (pp = x509_usage; (*pp != NULL); pp++)
+            BIO_printf(bio_err, "%s", *pp);
+        goto end;
+    }
+    e = setup_engine(bio_err, engine, 0);
+
+    if (need_rand)
+        app_RAND_load_file(NULL, bio_err, 0);
+
+    ERR_load_crypto_strings();
+
+    if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+        BIO_printf(bio_err, "Error getting password\n");
+        goto end;
+    }
+
+    if (!X509_STORE_set_default_paths(ctx)) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (fkeyfile) {
+        fkey = load_pubkey(bio_err, fkeyfile, keyformat, 0,
+                           NULL, e, "Forced key");
+        if (fkey == NULL)
+            goto end;
+    }
+
+    if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) {
+        CAkeyfile = CAfile;
+    } else if ((CA_flag) && (CAkeyfile == NULL)) {
+        BIO_printf(bio_err,
+                   "need to specify a CAkey if using the CA command\n");
+        goto end;
+    }
+
+    if (extfile) {
+        long errorline = -1;
+        X509V3_CTX ctx2;
+        extconf = NCONF_new(NULL);
+        if (!NCONF_load(extconf, extfile, &errorline)) {
+            if (errorline <= 0)
+                BIO_printf(bio_err,
+                           "error loading the config file '%s'\n", extfile);
+            else
+                BIO_printf(bio_err,
+                           "error on line %ld of config file '%s'\n",
+                           errorline, extfile);
+            goto end;
+        }
+        if (!extsect) {
+            extsect = NCONF_get_string(extconf, "default", "extensions");
+            if (!extsect) {
+                ERR_clear_error();
+                extsect = "default";
+            }
+        }
+        X509V3_set_ctx_test(&ctx2);
+        X509V3_set_nconf(&ctx2, extconf);
+        if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) {
+            BIO_printf(bio_err,
+                       "Error Loading extension section %s\n", extsect);
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+
+    if (reqfile) {
+        EVP_PKEY *pkey;
+        BIO *in;
+
+        if (!sign_flag && !CA_flag) {
+            BIO_printf(bio_err, "We need a private key to sign with\n");
+            goto end;
+        }
+        in = BIO_new(BIO_s_file());
+        if (in == NULL) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+
+        if (infile == NULL)
+            BIO_set_fp(in, stdin, BIO_NOCLOSE | BIO_FP_TEXT);
+        else {
+            if (BIO_read_filename(in, infile) <= 0) {
+                perror(infile);
+                BIO_free(in);
+                goto end;
+            }
+        }
+        req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
+        BIO_free(in);
+
+        if (req == NULL) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+
+        if ((req->req_info == NULL) ||
+            (req->req_info->pubkey == NULL) ||
+            (req->req_info->pubkey->public_key == NULL) ||
+            (req->req_info->pubkey->public_key->data == NULL)) {
+            BIO_printf(bio_err,
+                       "The certificate request appears to corrupted\n");
+            BIO_printf(bio_err, "It does not contain a public key\n");
+            goto end;
+        }
+        if ((pkey = X509_REQ_get_pubkey(req)) == NULL) {
+            BIO_printf(bio_err, "error unpacking public key\n");
+            goto end;
+        }
+        i = X509_REQ_verify(req, pkey);
+        EVP_PKEY_free(pkey);
+        if (i < 0) {
+            BIO_printf(bio_err, "Signature verification error\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        if (i == 0) {
+            BIO_printf(bio_err,
+                       "Signature did not match the certificate request\n");
+            goto end;
+        } else
+            BIO_printf(bio_err, "Signature ok\n");
+
+        print_name(bio_err, "subject=", X509_REQ_get_subject_name(req),
+                   nmflag);
+
+        if ((x = X509_new()) == NULL)
+            goto end;
+
+        if (sno == NULL) {
+            sno = ASN1_INTEGER_new();
+            if (!sno || !rand_serial(NULL, sno))
+                goto end;
+            if (!X509_set_serialNumber(x, sno))
+                goto end;
+            ASN1_INTEGER_free(sno);
+            sno = NULL;
+        } else if (!X509_set_serialNumber(x, sno))
+            goto end;
+
+        if (!X509_set_issuer_name(x, req->req_info->subject))
+            goto end;
+        if (!X509_set_subject_name(x, req->req_info->subject))
+            goto end;
+
+        X509_gmtime_adj(X509_get_notBefore(x), 0);
+        X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL);
+        if (fkey)
+            X509_set_pubkey(x, fkey);
+        else {
+            pkey = X509_REQ_get_pubkey(req);
+            X509_set_pubkey(x, pkey);
+            EVP_PKEY_free(pkey);
+        }
+    } else
+        x = load_cert(bio_err, infile, informat, NULL, e, "Certificate");
+
+    if (x == NULL)
+        goto end;
+    if (CA_flag) {
+        xca = load_cert(bio_err, CAfile, CAformat, NULL, e, "CA Certificate");
+        if (xca == NULL)
+            goto end;
+    }
+
+    if (!noout || text || next_serial) {
+        OBJ_create("2.99999.3", "SET.ex3", "SET x509v3 extension 3");
+
+        out = BIO_new(BIO_s_file());
+        if (out == NULL) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        if (outfile == NULL) {
+            BIO_set_fp(out, stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+            {
+                BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+                out = BIO_push(tmpbio, out);
+            }
+#endif
+        } else {
+            if (BIO_write_filename(out, outfile) <= 0) {
+                perror(outfile);
+                goto end;
+            }
+        }
+    }
+
+    if (alias)
+        X509_alias_set1(x, (unsigned char *)alias, -1);
+
+    if (clrtrust)
+        X509_trust_clear(x);
+    if (clrreject)
+        X509_reject_clear(x);
+
+    if (trust) {
+        for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) {
+            objtmp = sk_ASN1_OBJECT_value(trust, i);
+            X509_add1_trust_object(x, objtmp);
+        }
+    }
+
+    if (reject) {
+        for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) {
+            objtmp = sk_ASN1_OBJECT_value(reject, i);
+            X509_add1_reject_object(x, objtmp);
+        }
+    }
+
+    if (num) {
+        for (i = 1; i <= num; i++) {
+            if (issuer == i) {
+                print_name(STDout, "issuer= ",
+                           X509_get_issuer_name(x), nmflag);
+            } else if (subject == i) {
+                print_name(STDout, "subject= ",
+                           X509_get_subject_name(x), nmflag);
+            } else if (serial == i) {
+                BIO_printf(STDout, "serial=");
+                i2a_ASN1_INTEGER(STDout, X509_get_serialNumber(x));
+                BIO_printf(STDout, "\n");
+            } else if (next_serial == i) {
+                BIGNUM *bnser;
+                ASN1_INTEGER *ser;
+                ser = X509_get_serialNumber(x);
+                bnser = ASN1_INTEGER_to_BN(ser, NULL);
+                if (!bnser)
+                    goto end;
+                if (!BN_add_word(bnser, 1))
+                    goto end;
+                ser = BN_to_ASN1_INTEGER(bnser, NULL);
+                if (!ser)
+                    goto end;
+                BN_free(bnser);
+                i2a_ASN1_INTEGER(out, ser);
+                ASN1_INTEGER_free(ser);
+                BIO_puts(out, "\n");
+            } else if ((email == i) || (ocsp_uri == i)) {
+                int j;
+                STACK_OF(OPENSSL_STRING) *emlst;
+                if (email == i)
+                    emlst = X509_get1_email(x);
+                else
+                    emlst = X509_get1_ocsp(x);
+                for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++)
+                    BIO_printf(STDout, "%s\n",
+                               sk_OPENSSL_STRING_value(emlst, j));
+                X509_email_free(emlst);
+            } else if (aliasout == i) {
+                unsigned char *alstr;
+                alstr = X509_alias_get0(x, NULL);
+                if (alstr)
+                    BIO_printf(STDout, "%s\n", alstr);
+                else
+                    BIO_puts(STDout, "<No Alias>\n");
+            } else if (subject_hash == i) {
+                BIO_printf(STDout, "%08lx\n", X509_subject_name_hash(x));
+            }
+#ifndef OPENSSL_NO_MD5
+            else if (subject_hash_old == i) {
+                BIO_printf(STDout, "%08lx\n", X509_subject_name_hash_old(x));
+            }
+#endif
+            else if (issuer_hash == i) {
+                BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash(x));
+            }
+#ifndef OPENSSL_NO_MD5
+            else if (issuer_hash_old == i) {
+                BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash_old(x));
+            }
+#endif
+            else if (pprint == i) {
+                X509_PURPOSE *ptmp;
+                int j;
+                BIO_printf(STDout, "Certificate purposes:\n");
+                for (j = 0; j < X509_PURPOSE_get_count(); j++) {
+                    ptmp = X509_PURPOSE_get0(j);
+                    purpose_print(STDout, x, ptmp);
+                }
+            } else if (modulus == i) {
+                EVP_PKEY *pkey;
+
+                pkey = X509_get_pubkey(x);
+                if (pkey == NULL) {
+                    BIO_printf(bio_err, "Modulus=unavailable\n");
+                    ERR_print_errors(bio_err);
+                    goto end;
+                }
+                BIO_printf(STDout, "Modulus=");
+#ifndef OPENSSL_NO_RSA
+                if (pkey->type == EVP_PKEY_RSA)
+                    BN_print(STDout, pkey->pkey.rsa->n);
+                else
+#endif
+#ifndef OPENSSL_NO_DSA
+                if (pkey->type == EVP_PKEY_DSA)
+                    BN_print(STDout, pkey->pkey.dsa->pub_key);
+                else
+#endif
+                    BIO_printf(STDout, "Wrong Algorithm type");
+                BIO_printf(STDout, "\n");
+                EVP_PKEY_free(pkey);
+            } else if (pubkey == i) {
+                EVP_PKEY *pkey;
+
+                pkey = X509_get_pubkey(x);
+                if (pkey == NULL) {
+                    BIO_printf(bio_err, "Error getting public key\n");
+                    ERR_print_errors(bio_err);
+                    goto end;
+                }
+                PEM_write_bio_PUBKEY(STDout, pkey);
+                EVP_PKEY_free(pkey);
+            } else if (C == i) {
+                unsigned char *d;
+                char *m;
+                int y, z;
+
+                X509_NAME_oneline(X509_get_subject_name(x), buf, sizeof buf);
+                BIO_printf(STDout, "/* subject:%s */\n", buf);
+                m = X509_NAME_oneline(X509_get_issuer_name(x), buf,
+                                      sizeof buf);
+                BIO_printf(STDout, "/* issuer :%s */\n", buf);
+
+                z = i2d_X509(x, NULL);
+                m = OPENSSL_malloc(z);
+                if (!m) {
+                    BIO_printf(bio_err, "Out of memory\n");
+                    ERR_print_errors(bio_err);
+                    goto end;
+                }
+
+                d = (unsigned char *)m;
+                z = i2d_X509_NAME(X509_get_subject_name(x), &d);
+                BIO_printf(STDout, "unsigned char XXX_subject_name[%d]={\n",
+                           z);
+                d = (unsigned char *)m;
+                for (y = 0; y < z; y++) {
+                    BIO_printf(STDout, "0x%02X,", d[y]);
+                    if ((y & 0x0f) == 0x0f)
+                        BIO_printf(STDout, "\n");
+                }
+                if (y % 16 != 0)
+                    BIO_printf(STDout, "\n");
+                BIO_printf(STDout, "};\n");
+
+                z = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &d);
+                BIO_printf(STDout, "unsigned char XXX_public_key[%d]={\n", z);
+                d = (unsigned char *)m;
+                for (y = 0; y < z; y++) {
+                    BIO_printf(STDout, "0x%02X,", d[y]);
+                    if ((y & 0x0f) == 0x0f)
+                        BIO_printf(STDout, "\n");
+                }
+                if (y % 16 != 0)
+                    BIO_printf(STDout, "\n");
+                BIO_printf(STDout, "};\n");
+
+                z = i2d_X509(x, &d);
+                BIO_printf(STDout, "unsigned char XXX_certificate[%d]={\n",
+                           z);
+                d = (unsigned char *)m;
+                for (y = 0; y < z; y++) {
+                    BIO_printf(STDout, "0x%02X,", d[y]);
+                    if ((y & 0x0f) == 0x0f)
+                        BIO_printf(STDout, "\n");
+                }
+                if (y % 16 != 0)
+                    BIO_printf(STDout, "\n");
+                BIO_printf(STDout, "};\n");
+
+                OPENSSL_free(m);
+            } else if (text == i) {
+                X509_print_ex(STDout, x, nmflag, certflag);
+            } else if (startdate == i) {
+                BIO_puts(STDout, "notBefore=");
+                ASN1_TIME_print(STDout, X509_get_notBefore(x));
+                BIO_puts(STDout, "\n");
+            } else if (enddate == i) {
+                BIO_puts(STDout, "notAfter=");
+                ASN1_TIME_print(STDout, X509_get_notAfter(x));
+                BIO_puts(STDout, "\n");
+            } else if (fingerprint == i) {
+                int j;
+                unsigned int n;
+                unsigned char md[EVP_MAX_MD_SIZE];
+                const EVP_MD *fdig = digest;
+
+                if (!fdig)
+                    fdig = EVP_sha1();
+
+                if (!X509_digest(x, fdig, md, &n)) {
+                    BIO_printf(bio_err, "out of memory\n");
+                    goto end;
+                }
+                BIO_printf(STDout, "%s Fingerprint=",
+                           OBJ_nid2sn(EVP_MD_type(fdig)));
+                for (j = 0; j < (int)n; j++) {
+                    BIO_printf(STDout, "%02X%c", md[j], (j + 1 == (int)n)
+                               ? '\n' : ':');
+                }
+            }
+
+            /* should be in the library */
+            else if ((sign_flag == i) && (x509req == 0)) {
+                BIO_printf(bio_err, "Getting Private key\n");
+                if (Upkey == NULL) {
+                    Upkey = load_key(bio_err,
+                                     keyfile, keyformat, 0,
+                                     passin, e, "Private key");
+                    if (Upkey == NULL)
+                        goto end;
+                }
+
+                assert(need_rand);
+                if (!sign(x, Upkey, days, clrext, digest, extconf, extsect))
+                    goto end;
+            } else if (CA_flag == i) {
+                BIO_printf(bio_err, "Getting CA Private Key\n");
+                if (CAkeyfile != NULL) {
+                    CApkey = load_key(bio_err,
+                                      CAkeyfile, CAkeyformat,
+                                      0, passin, e, "CA Private Key");
+                    if (CApkey == NULL)
+                        goto end;
+                }
+
+                assert(need_rand);
+                if (!x509_certify(ctx, CAfile, digest, x, xca,
+                                  CApkey, sigopts,
+                                  CAserial, CA_createserial, days, clrext,
+                                  extconf, extsect, sno))
+                    goto end;
+            } else if (x509req == i) {
+                EVP_PKEY *pk;
+
+                BIO_printf(bio_err, "Getting request Private Key\n");
+                if (keyfile == NULL) {
+                    BIO_printf(bio_err, "no request key file specified\n");
+                    goto end;
+                } else {
+                    pk = load_key(bio_err,
+                                  keyfile, keyformat, 0,
+                                  passin, e, "request key");
+                    if (pk == NULL)
+                        goto end;
+                }
+
+                BIO_printf(bio_err, "Generating certificate request\n");
+
+                rq = X509_to_X509_REQ(x, pk, digest);
+                EVP_PKEY_free(pk);
+                if (rq == NULL) {
+                    ERR_print_errors(bio_err);
+                    goto end;
+                }
+                if (!noout) {
+                    X509_REQ_print(out, rq);
+                    PEM_write_bio_X509_REQ(out, rq);
+                }
+                noout = 1;
+            } else if (ocspid == i) {
+                X509_ocspid_print(out, x);
+            }
+        }
+    }
+
+    if (checkend) {
+        time_t tcheck = time(NULL) + checkoffset;
+
+        if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0) {
+            BIO_printf(out, "Certificate will expire\n");
+            ret = 1;
+        } else {
+            BIO_printf(out, "Certificate will not expire\n");
+            ret = 0;
+        }
+        goto end;
+    }
+
+    print_cert_checks(STDout, x, checkhost, checkemail, checkip);
+
+    if (noout) {
+        ret = 0;
+        goto end;
+    }
+
+    if (badsig)
+        x->signature->data[x->signature->length - 1] ^= 0x1;
+
+    if (outformat == FORMAT_ASN1)
+        i = i2d_X509_bio(out, x);
+    else if (outformat == FORMAT_PEM) {
+        if (trustout)
+            i = PEM_write_bio_X509_AUX(out, x);
+        else
+            i = PEM_write_bio_X509(out, x);
+    } else if (outformat == FORMAT_NETSCAPE) {
+        NETSCAPE_X509 nx;
+        ASN1_OCTET_STRING hdr;
+
+        hdr.data = (unsigned char *)NETSCAPE_CERT_HDR;
+        hdr.length = strlen(NETSCAPE_CERT_HDR);
+        nx.header = &hdr;
+        nx.cert = x;
+
+        i = ASN1_item_i2d_bio(ASN1_ITEM_rptr(NETSCAPE_X509), out, &nx);
+    } else {
+        BIO_printf(bio_err, "bad output format specified for outfile\n");
+        goto end;
+    }
+    if (!i) {
+        BIO_printf(bio_err, "unable to write certificate\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+    ret = 0;
+ end:
+    if (need_rand)
+        app_RAND_write_file(NULL, bio_err);
+    OBJ_cleanup();
+    NCONF_free(extconf);
+    BIO_free_all(out);
+    BIO_free_all(STDout);
+    X509_STORE_free(ctx);
+    X509_REQ_free(req);
+    X509_free(x);
+    X509_free(xca);
+    EVP_PKEY_free(Upkey);
+    EVP_PKEY_free(CApkey);
+    EVP_PKEY_free(fkey);
+    if (sigopts)
+        sk_OPENSSL_STRING_free(sigopts);
+    X509_REQ_free(rq);
+    ASN1_INTEGER_free(sno);
+    sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
+    sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
+    release_engine(e);
+    if (passin)
+        OPENSSL_free(passin);
+    apps_shutdown();
+    OPENSSL_EXIT(ret);
+}
+
+static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile,
+                                      int create)
+{
+    char *buf = NULL, *p;
+    ASN1_INTEGER *bs = NULL;
+    BIGNUM *serial = NULL;
+    size_t len;
+
+    len = ((serialfile == NULL)
+           ? (strlen(CAfile) + strlen(POSTFIX) + 1)
+           : (strlen(serialfile))) + 1;
+    buf = OPENSSL_malloc(len);
+    if (buf == NULL) {
+        BIO_printf(bio_err, "out of mem\n");
+        goto end;
+    }
+    if (serialfile == NULL) {
+        BUF_strlcpy(buf, CAfile, len);
+        for (p = buf; *p; p++)
+            if (*p == '.') {
+                *p = '\0';
+                break;
+            }
+        BUF_strlcat(buf, POSTFIX, len);
+    } else
+        BUF_strlcpy(buf, serialfile, len);
+
+    serial = load_serial(buf, create, NULL);
+    if (serial == NULL)
+        goto end;
+
+    if (!BN_add_word(serial, 1)) {
+        BIO_printf(bio_err, "add_word failure\n");
+        goto end;
+    }
+
+    if (!save_serial(buf, NULL, serial, &bs))
+        goto end;
+
+ end:
+    if (buf)
+        OPENSSL_free(buf);
+    BN_free(serial);
+    return bs;
+}
+
+static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
+                        X509 *x, X509 *xca, EVP_PKEY *pkey,
+                        STACK_OF(OPENSSL_STRING) *sigopts,
+                        char *serialfile, int create,
+                        int days, int clrext, CONF *conf, char *section,
+                        ASN1_INTEGER *sno)
+{
+    int ret = 0;
+    ASN1_INTEGER *bs = NULL;
+    X509_STORE_CTX xsc;
+    EVP_PKEY *upkey;
+
+    upkey = X509_get_pubkey(xca);
+    if (upkey == NULL)  {
+        BIO_printf(bio_err, "Error obtaining CA X509 public key\n");
+        goto end;
+    }
+    EVP_PKEY_copy_parameters(upkey, pkey);
+    EVP_PKEY_free(upkey);
+
+    if (!X509_STORE_CTX_init(&xsc, ctx, x, NULL)) {
+        BIO_printf(bio_err, "Error initialising X509 store\n");
+        goto end;
+    }
+    if (sno)
+        bs = sno;
+    else if (!(bs = x509_load_serial(CAfile, serialfile, create)))
+        goto end;
+
+/*      if (!X509_STORE_add_cert(ctx,x)) goto end;*/
+
+    /*
+     * NOTE: this certificate can/should be self signed, unless it was a
+     * certificate request in which case it is not.
+     */
+    X509_STORE_CTX_set_cert(&xsc, x);
+    X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
+    if (!reqfile && X509_verify_cert(&xsc) <= 0)
+        goto end;
+
+    if (!X509_check_private_key(xca, pkey)) {
+        BIO_printf(bio_err,
+                   "CA certificate and CA private key do not match\n");
+        goto end;
+    }
+
+    if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
+        goto end;
+    if (!X509_set_serialNumber(x, bs))
+        goto end;
+
+    if (X509_gmtime_adj(X509_get_notBefore(x), 0L) == NULL)
+        goto end;
+
+    /* hardwired expired */
+    if (X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) == NULL)
+        goto end;
+
+    if (clrext) {
+        while (X509_get_ext_count(x) > 0)
+            X509_delete_ext(x, 0);
+    }
+
+    if (conf) {
+        X509V3_CTX ctx2;
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+        X509_set_version(x, force_version);
+#else
+        X509_set_version(x, 2); /* version 3 certificate */
+#endif
+        X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
+        X509V3_set_nconf(&ctx2, conf);
+        if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x))
+            goto end;
+    }
+
+    if (!do_X509_sign(bio_err, x, pkey, digest, sigopts))
+        goto end;
+    ret = 1;
+ end:
+    X509_STORE_CTX_cleanup(&xsc);
+    if (!ret)
+        ERR_print_errors(bio_err);
+    if (!sno)
+        ASN1_INTEGER_free(bs);
+    return ret;
+}
+
+static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx)
+{
+    int err;
+    X509 *err_cert;
+
+    /*
+     * it is ok to use a self signed certificate This case will catch both
+     * the initial ok == 0 and the final ok == 1 calls to this function
+     */
+    err = X509_STORE_CTX_get_error(ctx);
+    if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
+        return 1;
+
+    /*
+     * BAD we should have gotten an error.  Normally if everything worked
+     * X509_STORE_CTX_get_error(ctx) will still be set to
+     * DEPTH_ZERO_SELF_....
+     */
+    if (ok) {
+        BIO_printf(bio_err,
+                   "error with certificate to be certified - should be self signed\n");
+        return 0;
+    } else {
+        err_cert = X509_STORE_CTX_get_current_cert(ctx);
+        print_name(bio_err, NULL, X509_get_subject_name(err_cert), 0);
+        BIO_printf(bio_err,
+                   "error with certificate - error %d at depth %d\n%s\n", err,
+                   X509_STORE_CTX_get_error_depth(ctx),
+                   X509_verify_cert_error_string(err));
+        return 1;
+    }
+}
+
+/* self sign */
+static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
+                const EVP_MD *digest, CONF *conf, char *section)
+{
+
+    EVP_PKEY *pktmp;
+
+    pktmp = X509_get_pubkey(x);
+    if (pktmp == NULL)
+        goto err;
+    EVP_PKEY_copy_parameters(pktmp, pkey);
+    EVP_PKEY_save_parameters(pktmp, 1);
+    EVP_PKEY_free(pktmp);
+
+    if (!X509_set_issuer_name(x, X509_get_subject_name(x)))
+        goto err;
+    if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL)
+        goto err;
+
+    if (X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) == NULL)
+        goto err;
+
+    if (!X509_set_pubkey(x, pkey))
+        goto err;
+    if (clrext) {
+        while (X509_get_ext_count(x) > 0)
+            X509_delete_ext(x, 0);
+    }
+    if (conf) {
+        X509V3_CTX ctx;
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+        X509_set_version(x, force_version);
+#else
+        X509_set_version(x, 2); /* version 3 certificate */
+#endif
+        X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
+        X509V3_set_nconf(&ctx, conf);
+        if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))
+            goto err;
+    }
+    if (!X509_sign(x, pkey, digest))
+        goto err;
+    return 1;
+ err:
+    ERR_print_errors(bio_err);
+    return 0;
+}
+
+static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt)
+{
+    int id, i, idret;
+    char *pname;
+    id = X509_PURPOSE_get_id(pt);
+    pname = X509_PURPOSE_get0_name(pt);
+    for (i = 0; i < 2; i++) {
+        idret = X509_check_purpose(cert, id, i);
+        BIO_printf(bio, "%s%s : ", pname, i ? " CA" : "");
+        if (idret == 1)
+            BIO_printf(bio, "Yes\n");
+        else if (idret == 0)
+            BIO_printf(bio, "No\n");
+        else
+            BIO_printf(bio, "Yes (WARNING code=%d)\n", idret);
+    }
+    return 1;
+}
author	William Joye <wjoye@cfa.harvard.edu>	2017-05-02 16:41:35 (GMT)
committer	William Joye <wjoye@cfa.harvard.edu>	2017-05-02 16:41:35 (GMT)
commit	3d328008deedc58cd7a11c79063cefa7d662d4fc (patch)
tree	cb41a048885ce7b493f406360cf5f6edf689c468 /openssl/apps
parent	0a2b8b8e0bc2e91a9f10659b30e2e4f5b79ce692 (diff)
download	blt-3d328008deedc58cd7a11c79063cefa7d662d4fc.zip blt-3d328008deedc58cd7a11c79063cefa7d662d4fc.tar.gz blt-3d328008deedc58cd7a11c79063cefa7d662d4fc.tar.bz2