Things merged from the main trunk, among others some well needed Win32

fixes.
2000-06-23 22:24:53 +00:00 · 2000-06-23 22:24:53 +00:00 · 1b2f8b6e2a
commit 1b2f8b6e2a
parent ccd98b43ed
48 changed files with 1256 additions and 1103 deletions
--- a/25
+++ b/25
@ -4,6 +4,27 @@

 Changes between 0.9.5a and 0.9.6  [xx XXX 2000]

+  *) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
+     [Bodo Moeller]
+
+  *) Addition of the command line parameter '-rand file' to 'openssl req'.
+     The given file adds to whatever has already been seeded into the
+     random pool through the RANDFILE configuration file option or
+     environment variable, or the default random state file.
+     [Richard Levitte]
+
+  *) mkstack.pl now sorts each macro group into lexical order.
+     Previously the output order depended on the order the files
+     appeared in the directory, resulting in needless rewriting
+     of safestack.h .
+     [Steve Henson]
+
+  *) Patches to make OpenSSL compile under Win32 again. Mostly
+     work arounds for the VC++ problem that it treats func() as
+     func(void). Also stripped out the parts of mkdef.pl that
+     added extra typesafe functions: these no longer exist.
+     [Steve Henson]
+
  *) Reorganisation of the stack code. The macros are now all 
     collected in safestack.h . Each macro is defined in terms of
     a "stack macro" of the form SKM_<name>(type, a, b). The 
@ -13,8 +34,8 @@
     then the non typesafe macros are used instead. Also modified the
     mkstack.pl script to handle the new form. Needs testing to see
     if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK
-     the default if no major problems. Also need analagous stuff for
-     ASN1_SET_OF etc.
+     the default if no major problems. Similar behaviour for ASN1_SET_OF
+     and PKCS12_STACK_OF.
     [Steve Henson]

  *) When some versions of IIS use the 'NET' form of private key the
--- a/2
+++ b/2
@ -383,7 +383,7 @@ my %table=(

 # Some OpenBSD from Bob Beck <beck@obtuse.com>
 "OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:::",
-"OpenBSD-x86",  "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
+"OpenBSD-x86",  "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn",
 "OpenBSD",      "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL:::",
 "OpenBSD-mips","gcc:-O2 -DL_ENDIAN::(unknown):BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR::::",

--- a/2
+++ b/2
@ -268,7 +268,7 @@ $cast_obj     = asm/cx86-out.o
 $rc4_obj      = asm/rx86-out.o
 $rmd160_obj   = asm/rm86-out.o
 $rc5_obj      = asm/r586-out.o
-$dso_scheme   = 
+$dso_scheme   = dlfcn

 *** ReliantUNIX
 $cc           = cc
--- a/apps/Makefile.ssl
+++ b/apps/Makefile.ssl
@ -166,11 +166,13 @@ apps.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 apps.o: ../include/openssl/crypto.h ../include/openssl/des.h
 apps.o: ../include/openssl/dh.h ../include/openssl/dsa.h
 apps.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
-apps.o: ../include/openssl/evp.h ../include/openssl/idea.h
-apps.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-apps.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-apps.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-apps.o: ../include/openssl/opensslv.h ../include/openssl/pkcs7.h
+apps.o: ../include/openssl/err.h ../include/openssl/evp.h
+apps.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+apps.o: ../include/openssl/md2.h ../include/openssl/md5.h
+apps.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+apps.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+apps.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+apps.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h
 apps.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 apps.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 apps.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
--- a/apps/apps.c
+++ b/apps/apps.c
@ -64,6 +64,11 @@
 #define NON_MAIN
 #include "apps.h"
 #undef NON_MAIN
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/pkcs12.h>
+#include <openssl/safestack.h>

 #ifdef WINDOWS
 #  include "bss_file.c"
@ -159,6 +164,10 @@ int str2fmt(char *s)
 		return(FORMAT_PEM);
 	else if ((*s == 'N') || (*s == 'n'))
 		return(FORMAT_NETSCAPE);
+	else if ((*s == '1')
+		|| (strcmp(s,"PKCS12") == 0) || (strcmp(s,"pkcs12") == 0)
+		|| (strcmp(s,"P12") == 0) || (strcmp(s,"p12") == 0))
+		return(FORMAT_PKCS12);
 	else
 		return(FORMAT_UNDEF);
 	}
@ -414,3 +423,231 @@ static char *app_get_pass(BIO *err, char *arg, int keepbio)
 	if(tmp) *tmp = 0;
 	return BUF_strdup(tpass);
 }
+
+int add_oid_section(BIO *err, LHASH *conf)
+{	
+	char *p;
+	STACK_OF(CONF_VALUE) *sktmp;
+	CONF_VALUE *cnf;
+	int i;
+	if(!(p=CONF_get_string(conf,NULL,"oid_section"))) return 1;
+	if(!(sktmp = CONF_get_section(conf, p))) {
+		BIO_printf(err, "problem loading oid section %s\n", p);
+		return 0;
+	}
+	for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
+		cnf = sk_CONF_VALUE_value(sktmp, i);
+		if(OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
+			BIO_printf(err, "problem creating object %s=%s\n",
+							 cnf->name, cnf->value);
+			return 0;
+		}
+	}
+	return 1;
+}
+
+X509 *load_cert(BIO *err, char *file, int format)
+	{
+	ASN1_HEADER *ah=NULL;
+	BUF_MEM *buf=NULL;
+	X509 *x=NULL;
+	BIO *cert;
+
+	if ((cert=BIO_new(BIO_s_file())) == NULL)
+		{
+		ERR_print_errors(err);
+		goto end;
+		}
+
+	if (file == NULL)
+		BIO_set_fp(cert,stdin,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_read_filename(cert,file) <= 0)
+			{
+			perror(file);
+			goto end;
+			}
+		}
+
+	if 	(format == FORMAT_ASN1)
+		x=d2i_X509_bio(cert,NULL);
+	else if (format == FORMAT_NETSCAPE)
+		{
+		unsigned char *p,*op;
+		int size=0,i;
+
+		/* We sort of have to do it this way because it is sort of nice
+		 * to read the header first and check it, then
+		 * try to read the certificate */
+		buf=BUF_MEM_new();
+		for (;;)
+			{
+			if ((buf == NULL) || (!BUF_MEM_grow(buf,size+1024*10)))
+				goto end;
+			i=BIO_read(cert,&(buf->data[size]),1024*10);
+			size+=i;
+			if (i == 0) break;
+			if (i < 0)
+				{
+				perror("reading certificate");
+				goto end;
+				}
+			}
+		p=(unsigned char *)buf->data;
+		op=p;
+
+		/* First load the header */
+		if ((ah=d2i_ASN1_HEADER(NULL,&p,(long)size)) == NULL)
+			goto end;
+		if ((ah->header == NULL) || (ah->header->data == NULL) ||
+			(strncmp(NETSCAPE_CERT_HDR,(char *)ah->header->data,
+			ah->header->length) != 0))
+			{
+			BIO_printf(err,"Error reading header on certificate\n");
+			goto end;
+			}
+		/* header is ok, so now read the object */
+		p=op;
+		ah->meth=X509_asn1_meth();
+		if ((ah=d2i_ASN1_HEADER(&ah,&p,(long)size)) == NULL)
+			goto end;
+		x=(X509 *)ah->data;
+		ah->data=NULL;
+		}
+	else if (format == FORMAT_PEM)
+		x=PEM_read_bio_X509_AUX(cert,NULL,NULL,NULL);
+	else if (format == FORMAT_PKCS12)
+		{
+		PKCS12 *p12 = d2i_PKCS12_bio(cert, NULL);
+
+		PKCS12_parse(p12, NULL, NULL, &x, NULL);
+		PKCS12_free(p12);
+		p12 = NULL;
+		}
+	else	{
+		BIO_printf(err,"bad input format specified for input cert\n");
+		goto end;
+		}
+end:
+	if (x == NULL)
+		{
+		BIO_printf(err,"unable to load certificate\n");
+		ERR_print_errors(err);
+		}
+	if (ah != NULL) ASN1_HEADER_free(ah);
+	if (cert != NULL) BIO_free(cert);
+	if (buf != NULL) BUF_MEM_free(buf);
+	return(x);
+	}
+
+EVP_PKEY *load_key(BIO *err, char *file, int format, char *pass)
+	{
+	BIO *key=NULL;
+	EVP_PKEY *pkey=NULL;
+
+	if (file == NULL)
+		{
+		BIO_printf(err,"no keyfile specified\n");
+		goto end;
+		}
+	key=BIO_new(BIO_s_file());
+	if (key == NULL)
+		{
+		ERR_print_errors(err);
+		goto end;
+		}
+	if (BIO_read_filename(key,file) <= 0)
+		{
+		perror(file);
+		goto end;
+		}
+	if (format == FORMAT_ASN1)
+		{
+		pkey=d2i_PrivateKey_bio(key, NULL);
+		}
+	else if (format == FORMAT_PEM)
+		{
+		pkey=PEM_read_bio_PrivateKey(key,NULL,NULL,pass);
+		}
+	else if (format == FORMAT_PKCS12)
+		{
+		PKCS12 *p12 = d2i_PKCS12_bio(key, NULL);
+
+		PKCS12_parse(p12, pass, &pkey, NULL, NULL);
+		PKCS12_free(p12);
+		p12 = NULL;
+		}
+	else
+		{
+		BIO_printf(err,"bad input format specified for key\n");
+		goto end;
+		}
+ end:
+	if (key != NULL) BIO_free(key);
+	if (pkey == NULL)
+		BIO_printf(err,"unable to load Private Key\n");
+	return(pkey);
+	}
+
+STACK_OF(X509) *load_certs(BIO *err, char *file, int format)
+	{
+	BIO *certs;
+	int i;
+	STACK_OF(X509) *othercerts = NULL;
+	STACK_OF(X509_INFO) *allcerts = NULL;
+	X509_INFO *xi;
+
+	if((certs = BIO_new(BIO_s_file())) == NULL)
+		{
+		ERR_print_errors(err);
+		goto end;
+		}
+
+	if (file == NULL)
+		BIO_set_fp(certs,stdin,BIO_NOCLOSE);
+	else
+		{
+		if (BIO_read_filename(certs,file) <= 0)
+			{
+			perror(file);
+			goto end;
+			}
+		}
+
+	if      (format == FORMAT_PEM)
+		{
+		othercerts = sk_X509_new(NULL);
+		if(!othercerts)
+			{
+			sk_X509_free(othercerts);
+			othercerts = NULL;
+			goto end;
+			}
+		allcerts = PEM_X509_INFO_read_bio(certs, NULL, NULL, NULL);
+		for(i = 0; i < sk_X509_INFO_num(allcerts); i++)
+			{
+			xi = sk_X509_INFO_value (allcerts, i);
+			if (xi->x509)
+				{
+				sk_X509_push(othercerts, xi->x509);
+				xi->x509 = NULL;
+				}
+			}
+		goto end;
+		}
+	else	{
+		BIO_printf(err,"bad input format specified for input cert\n");
+		goto end;
+		}
+end:
+	if (othercerts == NULL)
+		{
+		BIO_printf(err,"unable to load certificates\n");
+		ERR_print_errors(err);
+		}
+	if (allcerts) sk_X509_INFO_pop_free(allcerts, X509_INFO_free);
+	if (certs != NULL) BIO_free(certs);
+	return(othercerts);
+	}
+
--- a/apps/apps.h
+++ b/apps/apps.h
@ -65,6 +65,7 @@
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
+#include <openssl/lhash.h>

 int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn);
 int app_RAND_write_file(const char *file, BIO *bio_e);
@ -146,11 +147,19 @@ int chopup_args(ARGS *arg,char *buf, int *argc, char **argv[]);
 int dump_cert_text(BIO *out, X509 *x);
 #endif
 int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
+int add_oid_section(BIO *err, LHASH *conf);
+X509 *load_cert(BIO *err, char *file, int format);
+EVP_PKEY *load_key(BIO *err, char *file, int format, char *pass);
+STACK_OF(X509) *load_certs(BIO *err, char *file, int format);
+
 #define FORMAT_UNDEF    0
 #define FORMAT_ASN1     1
 #define FORMAT_TEXT     2
 #define FORMAT_PEM      3
 #define FORMAT_NETSCAPE 4
+#define FORMAT_PKCS12   5
+
+#define NETSCAPE_CERT_HDR	"certificate"

 #define APP_PASS_LEN	1024

--- a/apps/ca.c
+++ b/apps/ca.c
@ -176,7 +176,6 @@ extern int EF_PROTECT_BELOW;
 extern int EF_ALIGNMENT;
 #endif

-static int add_oid_section(LHASH *conf);
 static void lookup_fail(char *name,char *tag);
 static unsigned long index_serial_hash(char **a);
 static int index_serial_cmp(char **a, char **b);
@ -498,7 +497,7 @@ bad:
 				BIO_free(oid_bio);
 				}
 			}
-		if(!add_oid_section(conf)) 
+		if(!add_oid_section(bio_err,conf)) 
 			{
 			ERR_print_errors(bio_err);
 			goto err;
@ -2100,28 +2099,6 @@ static int check_time_format(char *str)
 	return(ASN1_UTCTIME_check(&tm));
 	}

-static int add_oid_section(LHASH *hconf)
-{	
-	char *p;
-	STACK_OF(CONF_VALUE) *sktmp;
-	CONF_VALUE *cnf;
-	int i;
-	if(!(p=CONF_get_string(hconf,NULL,"oid_section"))) return 1;
-	if(!(sktmp = CONF_get_section(hconf, p))) {
-		BIO_printf(bio_err, "problem loading oid section %s\n", p);
-		return 0;
-	}
-	for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
-		cnf = sk_CONF_VALUE_value(sktmp, i);
-		if(OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
-			BIO_printf(bio_err, "problem creating object %s=%s\n",
-							 cnf->name, cnf->value);
-			return 0;
-		}
-	}
-	return 1;
-}
-
 static int do_revoke(X509 *x509, TXT_DB *db)
 {
 	ASN1_UTCTIME *tm=NULL, *revtm=NULL;
--- a/apps/passwd.c
+++ b/apps/passwd.c
@ -1,10 +1,10 @@
 /* apps/passwd.c */

 #if defined NO_MD5 || defined CHARSET_EBCDIC
-# define NO_APR1
+# define NO_MD5CRYPT_1
 #endif

-#if !defined(NO_DES) || !defined(NO_APR1)
+#if !defined(NO_DES) || !defined(NO_MD5CRYPT_1)

 #include <assert.h>
 #include <string.h>
@ -19,7 +19,7 @@
 #ifndef NO_DES
 # include <openssl/des.h>
 #endif
-#ifndef NO_APR1
+#ifndef NO_MD5CRYPT_1
 # include <openssl/md5.h>
 #endif

@ -42,10 +42,11 @@ static unsigned const char cov_2char[64]={

 static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 	char *passwd, BIO *out, int quiet, int table, int reverse,
-	size_t pw_maxlen, int usecrypt, int useapr1);
+	size_t pw_maxlen, int usecrypt, int use1, int useapr1);

 /* -crypt        - standard Unix password algorithm (default, only choice)
- * -apr1         - MD5-based password algorithm
+ * -1            - MD5-based password algorithm
+ * -apr1         - MD5-based password algorithm, Apache variant
 * -salt string  - salt
 * -in file      - read passwords from file
 * -stdin        - read passwords from stdin
@ -68,7 +69,7 @@ int MAIN(int argc, char **argv)
 	BIO *in = NULL, *out = NULL;
 	int i, badopt, opt_done;
 	int passed_salt = 0, quiet = 0, table = 0, reverse = 0;
-	int usecrypt = 0, useapr1 = 0;
+	int usecrypt = 0, use1 = 0, useapr1 = 0;
 	size_t pw_maxlen = 0;

 	apps_startup();
@ -87,6 +88,8 @@ int MAIN(int argc, char **argv)
 		{
 		if (strcmp(argv[i], "-crypt") == 0)
 			usecrypt = 1;
+		else if (strcmp(argv[i], "-1") == 0)
+			use1 = 1;
 		else if (strcmp(argv[i], "-apr1") == 0)
 			useapr1 = 1;
 		else if (strcmp(argv[i], "-salt") == 0)
@ -138,17 +141,17 @@ int MAIN(int argc, char **argv)
 			badopt = 1;
 		}

-	if (!usecrypt && !useapr1) /* use default */
+	if (!usecrypt && !use1 && !useapr1) /* use default */
 		usecrypt = 1;
-	if (usecrypt + useapr1 > 1) /* conflict */
+	if (usecrypt + use1 + useapr1 > 1) /* conflict */
 		badopt = 1;

 	/* reject unsupported algorithms */
 #ifdef NO_DES
 	if (usecrypt) badopt = 1;
 #endif
-#ifdef NO_APR1
-	if (useapr1) badopt = 1;
+#ifdef NO_MD5CRYPT_1
+	if (use1 || useapr1) badopt = 1;
 #endif

 	if (badopt) 
@ -158,8 +161,9 @@ int MAIN(int argc, char **argv)
 #ifndef NO_DES
 		BIO_printf(bio_err, "-crypt             standard Unix password algorithm (default)\n");
 #endif
-#ifndef NO_APR1
-		BIO_printf(bio_err, "-apr1              MD5-based password algorithm\n");
+#ifndef NO_MD5CRYPT_1
+		BIO_printf(bio_err, "-1                 MD5-based password algorithm\n");
+		BIO_printf(bio_err, "-apr1              MD5-based password algorithm, Apache variant\n");
 #endif
 		BIO_printf(bio_err, "-salt string       use provided salt\n");
 		BIO_printf(bio_err, "-in file           read passwords from file\n");
@ -191,7 +195,7 @@ int MAIN(int argc, char **argv)
 	
 	if (usecrypt)
 		pw_maxlen = 8;
-	else if (useapr1)
+	else if (use1 || useapr1)
 		pw_maxlen = 256; /* arbitrary limit, should be enough for most passwords */

 	if (passwds == NULL)
@ -226,7 +230,7 @@ int MAIN(int argc, char **argv)
 			{
 			passwd = *passwds++;
 			if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
-				quiet, table, reverse, pw_maxlen, usecrypt, useapr1))
+				quiet, table, reverse, pw_maxlen, usecrypt, use1, useapr1))
 				goto err;
 			}
 		while (*passwds != NULL);
@ -255,7 +259,7 @@ int MAIN(int argc, char **argv)
 					}
 				
 				if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
-					quiet, table, reverse, pw_maxlen, usecrypt, useapr1))
+					quiet, table, reverse, pw_maxlen, usecrypt, use1, useapr1))
 					goto err;
 				}
 			done = (r <= 0);
@ -277,11 +281,18 @@ err:
 	}


-#ifndef NO_APR1
-/* MD5-based password algorithm compatible to the one found in Apache
- * (should probably be available as a library function;
- * then the static buffer would not be acceptable) */
-static char *apr1_crypt(const char *passwd, const char *salt)
+#ifndef NO_MD5CRYPT_1
+/* MD5-based password algorithm (should probably be available as a library
+ * function; then the static buffer would not be acceptable).
+ * For magic string "1", this should be compatible to the MD5-based BSD
+ * password algorithm.
+ * For 'magic' string "apr1", this is compatible to the MD5-based Apache
+ * password algorithm.
+ * (Apparently, the Apache password algorithm is identical except that the
+ * 'magic' string was changed -- the laziest application of the NIH principle
+ * I've ever encountered.)
+ */
+static char *md5crypt(const char *passwd, const char *magic, const char *salt)
 	{
 	static char out_buf[6 + 9 + 24 + 2]; /* "$apr1$..salt..$.......md5hash..........\0" */
 	unsigned char buf[MD5_DIGEST_LENGTH];
@ -291,7 +302,11 @@ static char *apr1_crypt(const char *passwd, const char *salt)
 	size_t passwd_len, salt_len;

 	passwd_len = strlen(passwd);
-	strcpy(out_buf, "$apr1$");
+	out_buf[0] = '$';
+	out_buf[1] = 0;
+	assert(strlen(magic) <= 4); /* "1" or "apr1" */
+	strncat(out_buf, magic, 4);
+	strncat(out_buf, "$", 1);
 	strncat(out_buf, salt, 8);
 	assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */
 	salt_out = out_buf + 6;
@ -300,7 +315,9 @@ static char *apr1_crypt(const char *passwd, const char *salt)
 	
 	MD5_Init(&md);
 	MD5_Update(&md, passwd, passwd_len);
-	MD5_Update(&md, "$apr1$", 6);
+	MD5_Update(&md, "$", 1);
+	MD5_Update(&md, magic, strlen(magic));
+	MD5_Update(&md, "$", 1);
 	MD5_Update(&md, salt_out, salt_len);
 	
 	 {
@ -384,7 +401,7 @@ static char *apr1_crypt(const char *passwd, const char *salt)

 static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 	char *passwd, BIO *out,	int quiet, int table, int reverse,
-	size_t pw_maxlen, int usecrypt, int useapr1)
+	size_t pw_maxlen, int usecrypt, int use1, int useapr1)
 	{
 	char *hash = NULL;

@ -415,8 +432,8 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 			}
 #endif /* !NO_DES */

-#ifndef NO_APR1
-		if (useapr1)
+#ifndef NO_MD5CRYPT_1
+		if (use1 || useapr1)
 			{
 			int i;
 			
@ -433,7 +450,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 				(*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */
 			(*salt_p)[8] = 0;
 			}
-#endif /* !NO_APR1 */
+#endif /* !NO_MD5CRYPT_1 */
 		}
 	
 	assert(*salt_p != NULL);
@ -452,9 +469,9 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 	if (usecrypt)
 		hash = des_crypt(passwd, *salt_p);
 #endif
-#ifndef NO_APR1
-	if (useapr1)
-		hash = apr1_crypt(passwd, *salt_p);
+#ifndef NO_MD5CRYPT_1
+	if (use1 || useapr1)
+		hash = md5crypt(passwd, (use1 ? "1" : "apr1"), *salt_p);
 #endif
 	assert(hash != NULL);

--- a/apps/pem_mail.c
+++ b/apps/pem_mail.c
@ -1,170 +0,0 @@
-/* apps/pem_mail.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifndef NO_RSA
-#include <stdio.h>
-#include <openssl/rsa.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-#include <openssl/err.h>
-#include <openssl/pem.h>
-#include "apps.h"
-
-#undef PROG
-#define PROG	pem_mail_main
-
-static char *usage[]={
-"usage: pem_mail args\n",
-"\n",
-" -in arg         - input file - default stdin\n",
-" -out arg        - output file - default stdout\n",
-" -cert arg       - the certificate to use\n",
-" -key arg        - the private key to use\n",
-" -MIC           - sign the message\n",
-" -enc arg        - encrypt with one of cbc-des\n",
-NULL
-};
-
-
-typedef struct lines_St
-	{
-	char *line;
-	struct lines_st *next;
-	} LINES;
-
-int main(int argc, char **argv)
-	{
-	FILE *in;
-	RSA *rsa=NULL;
-	EVP_MD_CTX ctx;
-	unsigned int mic=0,i,n;
-	unsigned char buf[1024*15];
-	char *prog,*infile=NULL,*outfile=NULL,*key=NULL;
-	int badops=0;
-
-	apps_startup();
-
-	prog=argv[0];
-	argc--;
-	argv++;
-	while (argc >= 1)
-		{
-		if (strcmp(*argv,"-key") == 0)
-			{
-			if (--argc < 1) goto bad;
-			key= *(++argv);
-			}
-		else if (strcmp(*argv,"-in") == 0)
-			{
-			if (--argc < 1) goto bad;
-			infile= *(++argv);
-			}
-		else if (strcmp(*argv,"-out") == 0)
-			{
-			if (--argc < 1) goto bad;
-			outfile= *(++argv);
-			}
-		else if (strcmp(*argv,"-mic") == 0)
-			mic=1;
-		else
-			{
-			BIO_printf(bio_err,"unknown option %s\n",*argv);
-			badops=1;
-			break;
-			}
-		argc--;
-		argv++;
-		}
-
-	if (badops)
-		{
-bad:
-		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
-		BIO_printf(bio_err,"where options  are\n");
-		EXIT(1);
-		}
-
-	if (key == NULL)
-		{ BIO_printf(bio_err,"you need to specify a key\n"); EXIT(1); }
-	in=fopen(key,"r");
-	if (in == NULL) { perror(key); EXIT(1); }
-	rsa=PEM_read_RSAPrivateKey(in,NULL,NULL);
-	if (rsa == NULL)
-		{
-		BIO_printf(bio_err,"unable to load Private Key\n");
-		ERR_print_errors(bio_err);
-		EXIT(1);
-		}
-	fclose(in);
-
-	PEM_SignInit(&ctx,EVP_md5());
-	for (;;)
-		{
-		i=fread(buf,1,1024*10,stdin);
-		if (i <= 0) break;
-		PEM_SignUpdate(&ctx,buf,i);
-		}
-	if (!PEM_SignFinal(&ctx,buf,&n,rsa)) goto err;
-	BIO_printf(bio_err,"%s\n",buf);
-	EXIT(0);
-err:
-	ERR_print_errors(bio_err);
-	EXIT(1);
-	}
-#endif
--- a/apps/req.c
+++ b/apps/req.c
@ -102,6 +102,7 @@
 * -config file	- Load configuration file.
 * -key file	- make a request using key in file (or use it for verification).
 * -keyform	- key file format.
+ * -rand file(s) - load the file(s) into the PRNG.
 * -newkey	- make a key and a request.
 * -modulus	- print RSA modulus.
 * -x509	- output a self signed X509 structure instead.
@ -125,7 +126,6 @@ static void MS_CALLBACK req_cb(int p,int n,void *arg);
 #endif
 static int req_check_len(int len,int min,int max);
 static int check_end(char *str, char *end);
-static int add_oid_section(LHASH *conf);
 #ifndef MONOLITH
 static char *default_config_file=NULL;
 static LHASH *config=NULL;
@ -156,6 +156,7 @@ int MAIN(int argc, char **argv)
 	char *req_exts = NULL;
 	EVP_CIPHER *cipher=NULL;
 	int modulus=0;
+	char *inrand=NULL;
 	char *passargin = NULL, *passargout = NULL;
 	char *passin = NULL, *passout = NULL;
 	char *p;
@ -239,6 +240,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
+		else if (strcmp(*argv,"-rand") == 0)
+			{
+			if (--argc < 1) goto bad;
+			inrand= *(++argv);
+			}
 		else if (strcmp(*argv,"-newkey") == 0)
 			{
 			int is_numeric;
@ -372,6 +378,9 @@ bad:
 		BIO_printf(bio_err," -key file	use the private key contained in file\n");
 		BIO_printf(bio_err," -keyform arg   key file format\n");
 		BIO_printf(bio_err," -keyout arg    file to send the key to\n");
+		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+		BIO_printf(bio_err,"                load the file (or the files in the directory) into\n");
+		BIO_printf(bio_err,"                the random number generator\n");
 		BIO_printf(bio_err," -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
 		BIO_printf(bio_err," -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");

@ -457,7 +466,7 @@ bad:
 				}
 			}
 		}
-		if(!add_oid_section(req_conf)) goto end;
+		if(!add_oid_section(bio_err, req_conf)) goto end;

 	if ((md_alg == NULL) &&
 		((p=CONF_get_string(req_conf,SECTION,"default_md")) != NULL))
@ -544,6 +553,8 @@ bad:
 		{
 		char *randfile = CONF_get_string(req_conf,SECTION,"RANDFILE");
 		app_RAND_load_file(randfile, bio_err, 0);
+		if (inrand)
+			app_RAND_load_files(inrand);
 	
 		if (newkey <= 0)
 			{
@ -1256,25 +1267,3 @@ static int check_end(char *str, char *end)
 	tmp = str + slen - elen;
 	return strcmp(tmp, end);
 }
-
-static int add_oid_section(LHASH *conf)
-{	
-	char *p;
-	STACK_OF(CONF_VALUE) *sktmp;
-	CONF_VALUE *cnf;
-	int i;
-	if(!(p=CONF_get_string(conf,NULL,"oid_section"))) return 1;
-	if(!(sktmp = CONF_get_section(conf, p))) {
-		BIO_printf(bio_err, "problem loading oid section %s\n", p);
-		return 0;
-	}
-	for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
-		cnf = sk_CONF_VALUE_value(sktmp, i);
-		if(OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
-			BIO_printf(bio_err, "problem creating object %s=%s\n",
-							 cnf->name, cnf->value);
-			return 0;
-		}
-	}
-	return 1;
-}
--- a/apps/smime.c
+++ b/apps/smime.c
@ -67,9 +67,6 @@

 #undef PROG
 #define PROG smime_main
-static X509 *load_cert(char *file);
-static EVP_PKEY *load_key(char *file, char *pass);
-static STACK_OF(X509) *load_certs(char *file);
 static X509_STORE *setup_verify(char *CAfile, char *CApath);
 static int save_certs(char *signerfile, STACK_OF(X509) *signers);

@ -311,7 +308,7 @@ int MAIN(int argc, char **argv)
 		}
 		encerts = sk_X509_new_null();
 		while (*args) {
-			if(!(cert = load_cert(*args))) {
+			if(!(cert = load_cert(bio_err,*args,FORMAT_PEM))) {
 				BIO_printf(bio_err, "Can't read recipient certificate file %s\n", *args);
 				goto end;
 			}
@ -322,14 +319,14 @@ int MAIN(int argc, char **argv)
 	}

 	if(signerfile && (operation == SMIME_SIGN)) {
-		if(!(signer = load_cert(signerfile))) {
+		if(!(signer = load_cert(bio_err,signerfile,FORMAT_PEM))) {
 			BIO_printf(bio_err, "Can't read signer certificate file %s\n", signerfile);
 			goto end;
 		}
 	}

 	if(certfile) {
-		if(!(other = load_certs(certfile))) {
+		if(!(other = load_certs(bio_err,certfile,FORMAT_PEM))) {
 			BIO_printf(bio_err, "Can't read certificate file %s\n", certfile);
 			ERR_print_errors(bio_err);
 			goto end;
@ -337,7 +334,7 @@ int MAIN(int argc, char **argv)
 	}

 	if(recipfile && (operation == SMIME_DECRYPT)) {
-		if(!(recip = load_cert(recipfile))) {
+		if(!(recip = load_cert(bio_err,recipfile,FORMAT_PEM))) {
 			BIO_printf(bio_err, "Can't read recipient certificate file %s\n", recipfile);
 			ERR_print_errors(bio_err);
 			goto end;
@ -351,7 +348,7 @@ int MAIN(int argc, char **argv)
 	} else keyfile = NULL;

 	if(keyfile) {
-		if(!(key = load_key(keyfile, passin))) {
+		if(!(key = load_key(bio_err,keyfile, FORMAT_PEM, passin))) {
 			BIO_printf(bio_err, "Can't read recipient certificate file %s\n", keyfile);
 			ERR_print_errors(bio_err);
 			goto end;
@ -447,49 +444,6 @@ end:
 	return (ret);
 }

-static X509 *load_cert(char *file)
-{
-	BIO *in;
-	X509 *cert;
-	if(!(in = BIO_new_file(file, "r"))) return NULL;
-	cert = PEM_read_bio_X509(in, NULL, NULL,NULL);
-	BIO_free(in);
-	return cert;
-}
-
-static EVP_PKEY *load_key(char *file, char *pass)
-{
-	BIO *in;
-	EVP_PKEY *key;
-	if(!(in = BIO_new_file(file, "r"))) return NULL;
-	key = PEM_read_bio_PrivateKey(in, NULL,NULL,pass);
-	BIO_free(in);
-	return key;
-}
-
-static STACK_OF(X509) *load_certs(char *file)
-{
-	BIO *in;
-	int i;
-	STACK_OF(X509) *othercerts;
-	STACK_OF(X509_INFO) *allcerts;
-	X509_INFO *xi;
-	if(!(in = BIO_new_file(file, "r"))) return NULL;
-	othercerts = sk_X509_new(NULL);
-	if(!othercerts) return NULL;
-	allcerts = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
-	for(i = 0; i < sk_X509_INFO_num(allcerts); i++) {
-		xi = sk_X509_INFO_value (allcerts, i);
-		if (xi->x509) {
-			sk_X509_push(othercerts, xi->x509);
-			xi->x509 = NULL;
-		}
-	}
-	sk_X509_INFO_pop_free(allcerts, X509_INFO_free);
-	BIO_free(in);
-	return othercerts;
-}
-
 static X509_STORE *setup_verify(char *CAfile, char *CApath)
 {
 	X509_STORE *store;
--- a/apps/x509.c
+++ b/apps/x509.c
@ -81,8 +81,6 @@
 #define	POSTFIX	".srl"
 #define DEF_DAYS	30

-#define CERT_HDR	"certificate"
-
 static char *x509_usage[]={
 "usage: x509 args\n",
 " -inform arg     - input format - default PEM (one of DER, NET or PEM)\n",
@ -134,8 +132,6 @@ NULL
 };

 static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
-static EVP_PKEY *load_key(char *file, int format, char *passin);
-static X509 *load_cert(char *file, int format);
 static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD *digest,
 						LHASH *conf, char *section);
 static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
@ -547,12 +543,12 @@ bad:
 		EVP_PKEY_free(pkey);
 		}
 	else
-		x=load_cert(infile,informat);
+		x=load_cert(bio_err,infile,informat);

 	if (x == NULL) goto end;
 	if (CA_flag)
 		{
-		xca=load_cert(CAfile,CAformat);
+		xca=load_cert(bio_err,CAfile,CAformat);
 		if (xca == NULL) goto end;
 		}

@ -791,7 +787,8 @@ bad:
 				BIO_printf(bio_err,"Getting Private key\n");
 				if (Upkey == NULL)
 					{
-					Upkey=load_key(keyfile,keyformat, passin);
+					Upkey=load_key(bio_err,
+						keyfile,keyformat, passin);
 					if (Upkey == NULL) goto end;
 					}
 #ifndef NO_DSA
@ -808,7 +805,8 @@ bad:
 				BIO_printf(bio_err,"Getting CA Private Key\n");
 				if (CAkeyfile != NULL)
 					{
-					CApkey=load_key(CAkeyfile,CAkeyformat, passin);
+					CApkey=load_key(bio_err,
+						CAkeyfile,CAkeyformat, passin);
 					if (CApkey == NULL) goto end;
 					}
 #ifndef NO_DSA
@ -834,7 +832,8 @@ bad:
 					}
 				else
 					{
-					pk=load_key(keyfile,FORMAT_PEM, passin);
+					pk=load_key(bio_err,
+						keyfile,FORMAT_PEM, passin);
 					if (pk == NULL) goto end;
 					}

@ -894,8 +893,8 @@ bad:
 		ASN1_HEADER ah;
 		ASN1_OCTET_STRING os;

-		os.data=(unsigned char *)CERT_HDR;
-		os.length=strlen(CERT_HDR);
+		os.data=(unsigned char *)NETSCAPE_CERT_HDR;
+		os.length=strlen(NETSCAPE_CERT_HDR);
 		ah.header= &os;
 		ah.data=(char *)x;
 		ah.meth=X509_asn1_meth();
@ -1114,133 +1113,6 @@ static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx)
 		}
 	}

-static EVP_PKEY *load_key(char *file, int format, char *passin)
-	{
-	BIO *key=NULL;
-	EVP_PKEY *pkey=NULL;
-
-	if (file == NULL)
-		{
-		BIO_printf(bio_err,"no keyfile specified\n");
-		goto end;
-		}
-	key=BIO_new(BIO_s_file());
-	if (key == NULL)
-		{
-		ERR_print_errors(bio_err);
-		goto end;
-		}
-	if (BIO_read_filename(key,file) <= 0)
-		{
-		perror(file);
-		goto end;
-		}
-	if (format == FORMAT_ASN1)
-		{
-		pkey=d2i_PrivateKey_bio(key, NULL);
-		}
-	else if (format == FORMAT_PEM)
-		{
-		pkey=PEM_read_bio_PrivateKey(key,NULL,NULL,passin);
-		}
-	else
-		{
-		BIO_printf(bio_err,"bad input format specified for key\n");
-		goto end;
-		}
-end:
-	if (key != NULL) BIO_free(key);
-	if (pkey == NULL)
-		BIO_printf(bio_err,"unable to load Private Key\n");
-	return(pkey);
-	}
-
-static X509 *load_cert(char *file, int format)
-	{
-	ASN1_HEADER *ah=NULL;
-	BUF_MEM *buf=NULL;
-	X509 *x=NULL;
-	BIO *cert;
-
-	if ((cert=BIO_new(BIO_s_file())) == NULL)
-		{
-		ERR_print_errors(bio_err);
-		goto end;
-		}
-
-	if (file == NULL)
-		BIO_set_fp(cert,stdin,BIO_NOCLOSE);
-	else
-		{
-		if (BIO_read_filename(cert,file) <= 0)
-			{
-			perror(file);
-			goto end;
-			}
-		}
-	if 	(format == FORMAT_ASN1)
-		x=d2i_X509_bio(cert,NULL);
-	else if (format == FORMAT_NETSCAPE)
-		{
-		unsigned char *p,*op;
-		int size=0,i;
-
-		/* We sort of have to do it this way because it is sort of nice
-		 * to read the header first and check it, then
-		 * try to read the certificate */
-		buf=BUF_MEM_new();
-		for (;;)
-			{
-			if ((buf == NULL) || (!BUF_MEM_grow(buf,size+1024*10)))
-				goto end;
-			i=BIO_read(cert,&(buf->data[size]),1024*10);
-			size+=i;
-			if (i == 0) break;
-			if (i < 0)
-				{
-				perror("reading certificate");
-				goto end;
-				}
-			}
-		p=(unsigned char *)buf->data;
-		op=p;
-
-		/* First load the header */
-		if ((ah=d2i_ASN1_HEADER(NULL,&p,(long)size)) == NULL)
-			goto end;
-		if ((ah->header == NULL) || (ah->header->data == NULL) ||
-			(strncmp(CERT_HDR,(char *)ah->header->data,
-			ah->header->length) != 0))
-			{
-			BIO_printf(bio_err,"Error reading header on certificate\n");
-			goto end;
-			}
-		/* header is ok, so now read the object */
-		p=op;
-		ah->meth=X509_asn1_meth();
-		if ((ah=d2i_ASN1_HEADER(&ah,&p,(long)size)) == NULL)
-			goto end;
-		x=(X509 *)ah->data;
-		ah->data=NULL;
-		}
-	else if (format == FORMAT_PEM)
-		x=PEM_read_bio_X509_AUX(cert,NULL,NULL,NULL);
-	else	{
-		BIO_printf(bio_err,"bad input format specified for input cert\n");
-		goto end;
-		}
-end:
-	if (x == NULL)
-		{
-		BIO_printf(bio_err,"unable to load certificate\n");
-		ERR_print_errors(bio_err);
-		}
-	if (ah != NULL) ASN1_HEADER_free(ah);
-	if (cert != NULL) BIO_free(cert);
-	if (buf != NULL) BUF_MEM_free(buf);
-	return(x);
-	}
-
 /* self sign */
 static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, 
 						LHASH *conf, char *section)
--- a/crypto/asn1/a_set.c
+++ b/crypto/asn1/a_set.c
@ -152,7 +152,7 @@ SetBlob
        }

 STACK *d2i_ASN1_SET(STACK **a, unsigned char **pp, long length,
-	     char *(*func)(), void (*free_func)(), int ex_tag, int ex_class)
+	     char *(*func)(), void (*free_func)(void *), int ex_tag, int ex_class)
 	{
 	ASN1_CTX c;
 	STACK *ret=NULL;
--- a/crypto/asn1/a_strnid.c
+++ b/crypto/asn1/a_strnid.c
@ -67,7 +67,7 @@ static STACK_OF(ASN1_STRING_TABLE) *stable = NULL;
 static void st_free(ASN1_STRING_TABLE *tbl);
 static int sk_table_cmp(const ASN1_STRING_TABLE * const *a,
 			const ASN1_STRING_TABLE * const *b);
-static int table_cmp(ASN1_STRING_TABLE *a, ASN1_STRING_TABLE *b);
+static int table_cmp(const void *a, const void *b);


 /* This is the global mask for the mbstring functions: this is use to
@ -180,9 +180,10 @@ static int sk_table_cmp(const ASN1_STRING_TABLE * const *a,
 	return (*a)->nid - (*b)->nid;
 }

-static int table_cmp(ASN1_STRING_TABLE *a, ASN1_STRING_TABLE *b)
+static int table_cmp(const void *a, const void *b)
 {
-	return a->nid - b->nid;
+	const ASN1_STRING_TABLE *sa = a, *sb = b;
+	return sa->nid - sb->nid;
 }

 ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid)
@ -194,7 +195,7 @@ ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid)
 	ttmp = (ASN1_STRING_TABLE *) OBJ_bsearch((char *)&fnd,
 					(char *)tbl_standard, 
 			sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE),
-			sizeof(ASN1_STRING_TABLE), (int(*)())table_cmp);
+			sizeof(ASN1_STRING_TABLE), table_cmp);
 	if(ttmp) return ttmp;
 	if(!stable) return NULL;
 	idx = sk_ASN1_STRING_TABLE_find(stable, &fnd);
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@ -145,49 +145,8 @@ extern "C" {

 struct X509_algor_st;

-#define DECLARE_ASN1_SET_OF(type) \
-int i2d_ASN1_SET_OF_##type(STACK_OF(type) *a,unsigned char **pp, \
-			   int (*func)(type *,unsigned char **), int ex_tag, \
-			   int ex_class, int is_set); \
-STACK_OF(type) *d2i_ASN1_SET_OF_##type(STACK_OF(type) **a,unsigned char **pp, \
-				       long length, \
-				       type *(*func)(type **, \
-						     unsigned char **,long), \
-				       void (*free_func)(type *), \
-				       int ex_tag,int ex_class); \
-unsigned char *ASN1_seq_pack_##type(STACK_OF(type) *st, \
-				    int (*i2d)(type *,unsigned char **), \
-				    unsigned char **buf,int *len); \
-STACK_OF(type) *ASN1_seq_unpack_##type(unsigned char *buf,int len, \
-				       type *(*d2i)(type **,unsigned char **, \
-						    long), \
-				       void (*free_func)(type *));
-
-#define IMPLEMENT_ASN1_SET_OF(type) \
-int i2d_ASN1_SET_OF_##type(STACK_OF(type) *a,unsigned char **pp, \
-			   int (*func)(type *,unsigned char **), int ex_tag, \
-			   int ex_class, int is_set) \
-    { return i2d_ASN1_SET((STACK *)a,pp,func,ex_tag,ex_class,is_set); } \
-STACK_OF(type) *d2i_ASN1_SET_OF_##type(STACK_OF(type) **a,unsigned char **pp, \
-				       long length, \
-				       type *(*func)(type **, \
-						     unsigned char **,long), \
-				       void (*free_func)(type *), \
-				       int ex_tag,int ex_class) \
-    { return (STACK_OF(type) *)d2i_ASN1_SET((STACK **)a,pp,length, \
-					    (char *(*)())func, \
-					    (void (*)())free_func, \
-					    ex_tag,ex_class); } \
-unsigned char *ASN1_seq_pack_##type(STACK_OF(type) *st, \
-				    int (*i2d)(type *,unsigned char **), \
-				    unsigned char **buf,int *len) \
-    { return ASN1_seq_pack((STACK *)st,i2d,buf,len); } \
-STACK_OF(type) *ASN1_seq_unpack_##type(unsigned char *buf,int len, \
-				       type *(*d2i)(type **,unsigned char **, \
-						    long), \
-				       void (*free_func)(type *)) \
-    { return (STACK_OF(type) *)ASN1_seq_unpack(buf,len,(char *(*)())d2i, \
-					       (void(*)(void *))free_func); }
+#define DECLARE_ASN1_SET_OF(type) /* filled in by mkstack.pl */
+#define IMPLEMENT_ASN1_SET_OF(type) /* nothing, no longer needed */

 typedef struct asn1_ctx_st
 	{
@ -699,7 +658,7 @@ ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s,time_t t);
 int		i2d_ASN1_SET(STACK *a, unsigned char **pp,
 			int (*func)(), int ex_tag, int ex_class, int is_set);
 STACK *		d2i_ASN1_SET(STACK **a, unsigned char **pp, long length,
-			char *(*func)(), void (*free_func)(),
+			char *(*func)(), void (*free_func)(void *),
 			int ex_tag, int ex_class);

 #ifndef NO_BIO
@ -794,7 +753,7 @@ int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a,long *num,
 	unsigned char *data, int max_len);

 STACK *ASN1_seq_unpack(unsigned char *buf, int len, char *(*d2i)(),
-						 void (*free_func)() ); 
+						 void (*free_func)(void *) ); 
 unsigned char *ASN1_seq_pack(STACK *safes, int (*i2d)(), unsigned char **buf,
 			     int *len );
 void *ASN1_unpack_string(ASN1_STRING *oct, char *(*d2i)());
--- a/crypto/asn1/asn_pack.c
+++ b/crypto/asn1/asn_pack.c
@ -65,7 +65,7 @@
 /* Turn an ASN1 encoded SEQUENCE OF into a STACK of structures */

 STACK *ASN1_seq_unpack(unsigned char *buf, int len, char *(*d2i)(),
-	     void (*free_func)())
+	     void (*free_func)(void *))
 {
    STACK *sk;
    unsigned char *pbuf;
--- a/crypto/bf/Makefile.ssl
+++ b/crypto/bf/Makefile.ssl
@ -77,7 +77,9 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)

-install:
+install: installs
+
+installs:
 	@for i in $(EXHEADER) ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
--- a/crypto/bio/bf_buff.c
+++ b/crypto/bio/bf_buff.c
@ -69,7 +69,7 @@ static int buffer_gets(BIO *h, char *str, int size);
 static long buffer_ctrl(BIO *h, int cmd, long arg1, void *arg2);
 static int buffer_new(BIO *h);
 static int buffer_free(BIO *data);
-static long buffer_callback_ctrl(BIO *h, int cmd, void (*fp)());
+static long buffer_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp);
 #define DEFAULT_BUFFER_SIZE	1024

 static BIO_METHOD methods_buffer=
@ -439,7 +439,7 @@ malloc_error:
 	return(0);
 	}

-static long buffer_callback_ctrl(BIO *b, int cmd, void (*fp)())
+static long buffer_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 	{
 	long ret=1;

--- a/crypto/bio/bf_nbio.c
+++ b/crypto/bio/bf_nbio.c
@ -73,7 +73,7 @@ static int nbiof_gets(BIO *h,char *str,int size);
 static long nbiof_ctrl(BIO *h,int cmd,long arg1,void *arg2);
 static int nbiof_new(BIO *h);
 static int nbiof_free(BIO *data);
-static long nbiof_callback_ctrl(BIO *h,int cmd,void (*fp)());
+static long nbiof_callback_ctrl(BIO *h,int cmd,bio_info_cb *fp);
 typedef struct nbio_test_st
 	{
 	/* only set if we sent a 'should retry' error */
@ -226,7 +226,7 @@ static long nbiof_ctrl(BIO *b, int cmd, long num, void *ptr)
 	return(ret);
 	}

-static long nbiof_callback_ctrl(BIO *b, int cmd, void (*fp)())
+static long nbiof_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 	{
 	long ret=1;

--- a/crypto/bio/bf_null.c
+++ b/crypto/bio/bf_null.c
@ -72,7 +72,7 @@ static int nullf_gets(BIO *h, char *str, int size);
 static long nullf_ctrl(BIO *h, int cmd, long arg1, void *arg2);
 static int nullf_new(BIO *h);
 static int nullf_free(BIO *data);
-static long nullf_callback_ctrl(BIO *h, int cmd, void (*fp)());
+static long nullf_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp);
 static BIO_METHOD methods_nullf=
 	{
 	BIO_TYPE_NULL_FILTER,
@ -154,7 +154,7 @@ static long nullf_ctrl(BIO *b, int cmd, long num, void *ptr)
 	return(ret);
 	}

-static long nullf_callback_ctrl(BIO *b, int cmd, void (*fp)())
+static long nullf_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 	{
 	long ret=1;

--- a/crypto/bio/bio.h
+++ b/crypto/bio/bio.h
@ -211,6 +211,8 @@ extern "C" {

 typedef struct bio_st BIO;

+typedef void bio_info_cb(struct bio_st *, int, const char *, int, long, long);
+
 #ifndef WIN16
 typedef struct bio_method_st
 	{
@ -223,7 +225,7 @@ typedef struct bio_method_st
 	long (*ctrl)(BIO *, int, long, void *);
 	int (*create)(BIO *);
 	int (*destroy)(BIO *);
-	long (*callback_ctrl)(BIO *, int, void (*)(struct bio_st *, int, const char *, int, long, long));
+        long (*callback_ctrl)(BIO *, int, bio_info_cb *);
 	} BIO_METHOD;
 #else
 typedef struct bio_method_st
@ -460,8 +462,8 @@ int BIO_read_filename(BIO *b,const char *name);
 size_t BIO_ctrl_pending(BIO *b);
 size_t BIO_ctrl_wpending(BIO *b);
 #define BIO_flush(b)		(int)BIO_ctrl(b,BIO_CTRL_FLUSH,0,NULL)
-#define BIO_get_info_callback(b,cbp) (int)BIO_ctrl(b,BIO_CTRL_GET_CALLBACK,0,(void (**)())(cbp))
-#define BIO_set_info_callback(b,cb) (int)BIO_callback_ctrl(b,BIO_CTRL_SET_CALLBACK,(void (*)())(cb))
+#define BIO_get_info_callback(b,cbp) (int)BIO_ctrl(b,BIO_CTRL_GET_CALLBACK,0,(bio_info_cb **)(cbp))
+#define BIO_set_info_callback(b,cb) (int)BIO_callback_ctrl(b,BIO_CTRL_SET_CALLBACK,(bio_info_cb *)(cb))

 /* For the BIO_f_buffer() type */
 #define BIO_buffer_get_num_lines(b) BIO_ctrl(b,BIO_CTRL_GET,0,NULL)
--- a/crypto/bio/bss_conn.c
+++ b/crypto/bio/bss_conn.c
@ -104,7 +104,7 @@ static int conn_puts(BIO *h, const char *str);
 static long conn_ctrl(BIO *h, int cmd, long arg1, void *arg2);
 static int conn_new(BIO *h);
 static int conn_free(BIO *data);
-static long conn_callback_ctrl(BIO *h, int cmd, void (*fp)());
+static long conn_callback_ctrl(BIO *h, int cmd, bio_info_cb *);

 static int conn_state(BIO *b, BIO_CONNECT *c);
 static void conn_close_socket(BIO *data);
@ -574,7 +574,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
 		if (data->param_hostname)
 			BIO_set_conn_hostname(dbio,data->param_hostname);
 		BIO_set_nbio(dbio,data->nbio);
-		(void)BIO_set_info_callback(dbio,(void *(*)())(data->info_callback));
+                (void)BIO_set_info_callback(dbio,data->info_callback);
 		}
 		break;
 	case BIO_CTRL_SET_CALLBACK:
@ -602,7 +602,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
 	return(ret);
 	}

-static long conn_callback_ctrl(BIO *b, int cmd, void (*fp)())
+static long conn_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 	{
 	long ret=1;
 	BIO_CONNECT *data;
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@ -451,7 +451,7 @@ int BN_mod_exp_mont(BIGNUM *rr, BIGNUM *a, const BIGNUM *p,
 		start=0;
 		if (wstart < 0) break;
 		}
-	BN_from_montgomery(rr,r,mont,ctx);
+	if (!BN_from_montgomery(rr,r,mont,ctx)) goto err;
 	ret=1;
 err:
 	if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
@ -466,14 +466,20 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
 	{
 	BN_MONT_CTX *mont = NULL;
 	int b, bits, ret=0;
+	int r_is_one;
 	BN_ULONG w, next_w;
 	BIGNUM *d, *r, *t;
 	BIGNUM *swap_tmp;
 #define BN_MOD_MUL_WORD(r, w, m) \
 		(BN_mul_word(r, (w)) && \
-		(BN_ucmp(r, (m)) >= 0 ? \
-			(BN_mod(t, r, m, ctx) && (swap_tmp = r, r = t, t = swap_tmp, 1)) : \
-			1))
+		(/* BN_ucmp(r, (m)) < 0 ? 1 :*/  \
+			(BN_mod(t, r, m, ctx) && (swap_tmp = r, r = t, t = swap_tmp, 1))))
+		/* BN_MOD_MUL_WORD is only used with 'w' large,
+		  * so the BN_ucmp test is probably more overhead
+		  * than always using BN_mod (which uses BN_copy if
+		  * a similar test returns true). */
+#define BN_TO_MONTGOMERY_WORD(r, w, mont) \
+		(BN_set_word(r, (w)) && BN_to_montgomery(r, r, (mont), ctx))

 	bn_check_top(p);
 	bn_check_top(m);
@ -503,7 +509,7 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
 		if (!BN_MONT_CTX_set(mont, m, ctx)) goto err;
 		}

-	if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) goto err;
+	r_is_one = 1; /* except for Montgomery factor */

 	/* bits-1 >= 0 */

@ -515,13 +521,22 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
 		next_w = w*w;
 		if ((next_w/w) != w) /* overflow */
 			{
-			if (!BN_MOD_MUL_WORD(r, w, m))
-				goto err;
+			if (r_is_one)
+				{
+				if (!BN_TO_MONTGOMERY_WORD(r, w, mont)) goto err;
+				r_is_one = 0;
+				}
+			else
+				{
+				if (!BN_MOD_MUL_WORD(r, w, m)) goto err;
+				}
 			next_w = 1;
 			}
 		w = next_w;
-		if (!BN_mod_mul_montgomery(r, r, r, mont, ctx))
-			goto err;
+		if (!r_is_one)
+			{
+			if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) goto err;
+			}

 		/* Second, multiply r*w by 'a' if exponent bit is set. */
 		if (BN_is_bit_set(p, b))
@ -529,21 +544,43 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
 			next_w = w*a;
 			if ((next_w/a) != w) /* overflow */
 				{
-				if (!BN_MOD_MUL_WORD(r, w, m))
-					goto err;
+				if (r_is_one)
+					{
+					if (!BN_TO_MONTGOMERY_WORD(r, w, mont)) goto err;
+					r_is_one = 0;
+					}
+				else
+					{
+					if (!BN_MOD_MUL_WORD(r, w, m)) goto err;
+					}
 				next_w = a;
 				}
 			w = next_w;
 			}
 		}
+
 	/* Finally, set r:=r*w. */
 	if (w != 1)
 		{
-		if (!BN_MOD_MUL_WORD(r, w, m))
-			goto err;
+		if (r_is_one)
+			{
+			if (!BN_TO_MONTGOMERY_WORD(r, w, mont)) goto err;
+			r_is_one = 0;
+			}
+		else
+			{
+			if (!BN_MOD_MUL_WORD(r, w, m)) goto err;
+			}
 		}

-	BN_from_montgomery(rr, r, mont, ctx);
+	if (r_is_one) /* can happen only if a == 1*/
+		{
+		if (!BN_one(rr)) goto err;
+		}
+	else
+		{
+		if (!BN_from_montgomery(rr, r, mont, ctx)) goto err;
+		}
 	ret = 1;
 err:
 	if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@ -85,7 +85,7 @@ int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b,

 	if (a == b)
 		{
-#if 0
+#if 1 
 		bn_wexpand(tmp,a->top*2);
 		bn_wexpand(tmp2,a->top*4);
 		bn_sqr_recursive(tmp->d,a->d,a->top,tmp2->d);
--- a/crypto/cryptlib.c
+++ b/crypto/cryptlib.c
@ -66,8 +66,8 @@
 static double SSLeay_MSVC5_hack=0.0; /* and for VC1.5 */
 #endif

-DECLARE_STACK_OF(CRYPTO_dynlock);
-IMPLEMENT_STACK_OF(CRYPTO_dynlock);
+DECLARE_STACK_OF(CRYPTO_dynlock)
+IMPLEMENT_STACK_OF(CRYPTO_dynlock)

 /* real #defines in crypto.h, keep these upto date */
 static const char* lock_names[CRYPTO_NUM_LOCKS] =
@ -176,7 +176,7 @@ int CRYPTO_get_new_dynlockid(void)
 		}
 	CRYPTO_w_lock(CRYPTO_LOCK_DYNLOCK);
 	if ((dyn_locks == NULL)
-		&& ((dyn_locks=sk_new_null()) == NULL))
+		&& ((dyn_locks=sk_CRYPTO_dynlock_new_null()) == NULL))
 		{
 		CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
 		CRYPTOerr(CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID,ERR_R_MALLOC_FAILURE);
--- a/crypto/dso/dso_dlfcn.c
+++ b/crypto/dso/dso_dlfcn.c
@ -106,6 +106,26 @@ DSO_METHOD *DSO_METHOD_dlfcn(void)
 	return(&dso_meth_dlfcn);
 	}

+/* Prior to using the dlopen() function, we should decide on the flag
+ * we send. There's a few different ways of doing this and it's a
+ * messy venn-diagram to match up which platforms support what. So
+ * as we don't have autoconf yet, I'm implementing a hack that could
+ * be hacked further relatively easily to deal with cases as we find
+ * them. Initially this is to cope with OpenBSD. */
+#ifdef __OpenBSD__
+#	ifdef DL_LAZY
+#		define DLOPEN_FLAG DL_LAZY
+#	else
+#		ifdef RTLD_NOW
+#			define DLOPEN_FLAG RTLD_NOW
+#		else
+#			define DLOPEN_FLAG 0
+#		endif
+#	endif
+#else
+#	define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */
+#endif
+
 /* For this DSO_METHOD, our meth_data STACK will contain;
 * (i) the handle (void*) returned from dlopen().
 */
@ -126,11 +146,11 @@ static int dlfcn_load(DSO *dso, const char *filename)
 			(strstr(filename, "/") == NULL))
 		{
 		sprintf(translated, "lib%s.so", filename);
-		ptr = dlopen(translated, RTLD_NOW);
+		ptr = dlopen(translated, DLOPEN_FLAG);
 		}
 	else
 		{
-		ptr = dlopen(filename, RTLD_NOW);
+		ptr = dlopen(filename, DLOPEN_FLAG);
 		}
 	if(ptr == NULL)
 		{
--- a/crypto/dso/dso_win32.c
+++ b/crypto/dso/dso_win32.c
@ -141,14 +141,14 @@ static int win32_load(DSO *dso, const char *filename)
 	if(p == NULL)
 		{
 		DSOerr(DSO_F_WIN32_LOAD,ERR_R_MALLOC_FAILURE);
-		OPENSSL_freeLibrary(h);
+		FreeLibrary(h);
 		return(0);
 		}
 	*p = h;
 	if(!sk_push(dso->meth_data, (char *)p))
 		{
 		DSOerr(DSO_F_WIN32_LOAD,DSO_R_STACK_ERROR);
-		OPENSSL_freeLibrary(h);
+		FreeLibrary(h);
 		OPENSSL_free(p);
 		return(0);
 		}
@ -171,7 +171,7 @@ static int win32_unload(DSO *dso)
 		DSOerr(DSO_F_WIN32_UNLOAD,DSO_R_NULL_HANDLE);
 		return(0);
 		}
-	if(!OPENSSL_freeLibrary(p))
+	if(!FreeLibrary(*p))
 		{
 		DSOerr(DSO_F_WIN32_UNLOAD,DSO_R_UNLOAD_FAILED);
 		/* We should push the value back onto the stack in
--- a/crypto/evp/bio_b64.c
+++ b/crypto/evp/bio_b64.c
@ -69,7 +69,7 @@ static int b64_read(BIO *h, char *buf, int size);
 static long b64_ctrl(BIO *h, int cmd, long arg1, void *arg2);
 static int b64_new(BIO *h);
 static int b64_free(BIO *data);
-static long b64_callback_ctrl(BIO *h,int cmd,void (*fp)());
+static long b64_callback_ctrl(BIO *h,int cmd,bio_info_cb *fp);
 #define B64_BLOCK_SIZE	1024
 #define B64_BLOCK_SIZE2	768
 #define B64_NONE	0
@ -524,7 +524,7 @@ again:
 	return(ret);
 	}

-static long b64_callback_ctrl(BIO *b, int cmd, void (*fp)())
+static long b64_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 	{
 	long ret=1;

--- a/crypto/evp/bio_enc.c
+++ b/crypto/evp/bio_enc.c
@ -69,7 +69,7 @@ static int enc_read(BIO *h, char *buf, int size);
 static long enc_ctrl(BIO *h, int cmd, long arg1, void *arg2);
 static int enc_new(BIO *h);
 static int enc_free(BIO *data);
-static long enc_callback_ctrl(BIO *h, int cmd, void (*fp)());
+static long enc_callback_ctrl(BIO *h, int cmd, bio_info_cb *fps);
 #define ENC_BLOCK_SIZE	(1024*4)

 typedef struct enc_struct
@ -370,7 +370,7 @@ again:
 	return(ret);
 	}

-static long enc_callback_ctrl(BIO *b, int cmd, void (*fp)())
+static long enc_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 	{
 	long ret=1;

--- a/crypto/evp/bio_md.c
+++ b/crypto/evp/bio_md.c
@ -72,7 +72,7 @@ static int md_gets(BIO *h, char *str, int size);
 static long md_ctrl(BIO *h, int cmd, long arg1, void *arg2);
 static int md_new(BIO *h);
 static int md_free(BIO *data);
-static long md_callback_ctrl(BIO *h,int cmd,void (*fp)());
+static long md_callback_ctrl(BIO *h,int cmd,bio_info_cb *fp);

 static BIO_METHOD methods_md=
 	{
@ -223,7 +223,7 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
 	return(ret);
 	}

-static long md_callback_ctrl(BIO *b, int cmd, void (*fp)())
+static long md_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 	{
 	long ret=1;

--- a/crypto/evp/bio_ok.c
+++ b/crypto/evp/bio_ok.c
@ -130,7 +130,7 @@ static int ok_read(BIO *h, char *buf, int size);
 static long ok_ctrl(BIO *h, int cmd, long arg1, void *arg2);
 static int ok_new(BIO *h);
 static int ok_free(BIO *data);
-static long ok_callback_ctrl(BIO *h, int cmd, void (*fp)());
+static long ok_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp);

 static void sig_out(BIO* b);
 static void sig_in(BIO* b);
@ -431,7 +431,7 @@ static long ok_ctrl(BIO *b, int cmd, long num, void *ptr)
 	return(ret);
 	}

-static long ok_callback_ctrl(BIO *b, int cmd, void (*fp)())
+static long ok_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 	{
 	long ret=1;

--- a/crypto/evp/evp_pbe.c
+++ b/crypto/evp/evp_pbe.c
@ -104,8 +104,9 @@ int EVP_PBE_CipherInit (ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
 	return 1;	
 }

-static int pbe_cmp (EVP_PBE_CTL **pbe1, EVP_PBE_CTL **pbe2)
+static int pbe_cmp(const char * const *a, const char * const *b)
 {
+	EVP_PBE_CTL **pbe1 = (EVP_PBE_CTL **) a,  **pbe2 = (EVP_PBE_CTL **)b;
 	return ((*pbe1)->pbe_nid - (*pbe2)->pbe_nid);
 }

@ -115,7 +116,7 @@ int EVP_PBE_alg_add (int nid, EVP_CIPHER *cipher, EVP_MD *md,
 	     EVP_PBE_KEYGEN *keygen)
 {
 	EVP_PBE_CTL *pbe_tmp;
-	if (!pbe_algs) pbe_algs = sk_new ((int (*)())pbe_cmp);
+	if (!pbe_algs) pbe_algs = sk_new(pbe_cmp);
 	if (!(pbe_tmp = (EVP_PBE_CTL*) OPENSSL_malloc (sizeof(EVP_PBE_CTL)))) {
 		EVPerr(EVP_F_EVP_PBE_ALG_ADD,ERR_R_MALLOC_FAILURE);
 		return 0;
--- a/crypto/md5/Makefile.ssl
+++ b/crypto/md5/Makefile.ssl
@ -30,7 +30,7 @@ ASFLAGS=$(CFLAGS)

 GENERAL=Makefile
 TEST=md5test.c
-APPS=md5.c
+APPS=

 LIB=$(TOP)/libcrypto.a
 LIBSRC=md5_dgst.c md5_one.c
--- a/crypto/objects/o_names.c
+++ b/crypto/objects/o_names.c
@ -36,8 +36,9 @@ int OBJ_NAME_init(void)
 	return(names_lh != NULL);
 	}

-int OBJ_NAME_new_index(unsigned long (*hash_func)(), int (*cmp_func)(),
-	     void (*free_func)())
+int OBJ_NAME_new_index(unsigned long (*hash_func)(const char *),
+	int (*cmp_func)(const void *, const void *),
+	void (*free_func)(const char *, int, const char *))
 	{
 	int ret;
 	int i;
--- a/crypto/objects/obj_dat.c
+++ b/crypto/objects/obj_dat.c
@ -79,9 +79,9 @@ static ASN1_OBJECT *ln_objs[1];
 static ASN1_OBJECT *obj_objs[1];
 #endif

-static int sn_cmp(ASN1_OBJECT **a, ASN1_OBJECT **b);
-static int ln_cmp(ASN1_OBJECT **a, ASN1_OBJECT **b);
-static int obj_cmp(ASN1_OBJECT **a, ASN1_OBJECT **b);
+static int sn_cmp(const void *a, const void *b);
+static int ln_cmp(const void *a, const void *b);
+static int obj_cmp(const void *a, const void *b);
 #define ADDED_DATA	0
 #define ADDED_SNAME	1
 #define ADDED_LNAME	2
@ -96,11 +96,17 @@ typedef struct added_obj_st
 static int new_nid=NUM_NID;
 static LHASH *added=NULL;

-static int sn_cmp(ASN1_OBJECT **ap, ASN1_OBJECT **bp)
-	{ return(strcmp((*ap)->sn,(*bp)->sn)); }
+static int sn_cmp(const void *a, const void *b)
+	{
+	const ASN1_OBJECT * const *ap = a, * const *bp = b;
+	return(strcmp((*ap)->sn,(*bp)->sn));
+	}

-static int ln_cmp(ASN1_OBJECT **ap, ASN1_OBJECT **bp)
-	{ return(strcmp((*ap)->ln,(*bp)->ln)); }
+static int ln_cmp(const void *a, const void *b)
+	{ 
+	const ASN1_OBJECT * const *ap = a, * const *bp = b;
+	return(strcmp((*ap)->ln,(*bp)->ln));
+	}

 static unsigned long add_hash(ADDED_OBJ *ca)
 	{
@ -365,7 +371,7 @@ int OBJ_obj2nid(ASN1_OBJECT *a)
 		if (adp != NULL) return (adp->obj->nid);
 		}
 	op=(ASN1_OBJECT **)OBJ_bsearch((char *)&a,(char *)obj_objs,NUM_OBJ,
-		sizeof(ASN1_OBJECT *),(int (*)())obj_cmp);
+		sizeof(ASN1_OBJECT *),obj_cmp);
 	if (op == NULL)
 		return(NID_undef);
 	return((*op)->nid);
@ -504,7 +510,7 @@ int OBJ_ln2nid(const char *s)
 		if (adp != NULL) return (adp->obj->nid);
 		}
 	op=(ASN1_OBJECT **)OBJ_bsearch((char *)&oo,(char *)ln_objs,NUM_LN,
-		sizeof(ASN1_OBJECT *),(int (*)())ln_cmp);
+		sizeof(ASN1_OBJECT *),ln_cmp);
 	if (op == NULL) return(NID_undef);
 	return((*op)->nid);
 	}
@ -523,23 +529,23 @@ int OBJ_sn2nid(const char *s)
 		if (adp != NULL) return (adp->obj->nid);
 		}
 	op=(ASN1_OBJECT **)OBJ_bsearch((char *)&oo,(char *)sn_objs,NUM_SN,
-		sizeof(ASN1_OBJECT *),(int (*)())sn_cmp);
+		sizeof(ASN1_OBJECT *),sn_cmp);
 	if (op == NULL) return(NID_undef);
 	return((*op)->nid);
 	}

-static int obj_cmp(ASN1_OBJECT **ap, ASN1_OBJECT **bp)
+static int obj_cmp(const void *ap, const void *bp)
 	{
 	int j;
-	ASN1_OBJECT *a= *ap;
-	ASN1_OBJECT *b= *bp;
+	ASN1_OBJECT *a= *(ASN1_OBJECT **)ap;
+	ASN1_OBJECT *b= *(ASN1_OBJECT **)bp;

 	j=(a->length - b->length);
        if (j) return(j);
 	return(memcmp(a->data,b->data,a->length));
        }

-char *OBJ_bsearch(char *key, char *base, int num, int size, int (*cmp)())
+char *OBJ_bsearch(char *key, char *base, int num, int size, int (*cmp)(const void *, const void *))
 	{
 	int l,h,i,c;
 	char *p;
--- a/crypto/pkcs12/p12_decr.c
+++ b/crypto/pkcs12/p12_decr.c
@ -109,7 +109,7 @@ unsigned char * PKCS12_pbe_crypt (X509_ALGOR *algor, const char *pass,
 */

 char * PKCS12_decrypt_d2i (X509_ALGOR *algor, char * (*d2i)(),
-	     void (*free_func)(), const char *pass, int passlen,
+	     void (*free_func)(void *), const char *pass, int passlen,
 	     ASN1_OCTET_STRING *oct, int seq)
 {
 	unsigned char *out, *p;
--- a/crypto/pkcs12/p12_kiss.c
+++ b/crypto/pkcs12/p12_kiss.c
@ -135,9 +135,9 @@ int PKCS12_parse (PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,

 err:

-	if (pkey && *pkey) EVP_PKEY_free (*pkey);
-	if (cert && *cert) X509_free (*cert);
-	if (ca) sk_X509_pop_free (*ca, X509_free);
+	if (pkey && *pkey) EVP_PKEY_free(*pkey);
+	if (cert && *cert) X509_free(*cert);
+	if (ca) sk_X509_pop_free(*ca, X509_free);
 	return 0;

 }
@ -159,12 +159,12 @@ static int parse_pk12 (PKCS12 *p12, const char *pass, int passlen,
 		p7 = sk_PKCS7_value (asafes, i);
 		bagnid = OBJ_obj2nid (p7->type);
 		if (bagnid == NID_pkcs7_data) {
-			bags = M_PKCS12_unpack_p7data (p7);
+			bags = M_PKCS12_unpack_p7data(p7);
 		} else if (bagnid == NID_pkcs7_encrypted) {
-			bags = M_PKCS12_unpack_p7encdata (p7, pass, passlen);
+			bags = M_PKCS12_unpack_p7encdata(p7, pass, passlen);
 		} else continue;
 		if (!bags) {
-			sk_PKCS7_pop_free (asafes, PKCS7_free);
+			sk_PKCS7_pop_free(asafes, PKCS7_free);
 			return 0;
 		}
 	    	if (!parse_bags(bags, pass, passlen, pkey, cert, ca,
--- a/crypto/pkcs12/pkcs12.h
+++ b/crypto/pkcs12/pkcs12.h
@ -146,24 +146,24 @@ union {
 #define M_PKCS12_crl_bag_type M_PKCS12_cert_bag_type

 #define M_PKCS12_x5092certbag(x509) \
-PKCS12_pack_safebag ((char *)(x509), i2d_X509, NID_x509Certificate, NID_certBag)
+PKCS12_pack_safebag((char *)(x509), i2d_X509, NID_x509Certificate, NID_certBag)

 #define M_PKCS12_x509crl2certbag(crl) \
-PKCS12_pack_safebag ((char *)(crl), i2d_X509CRL, NID_x509Crl, NID_crlBag)
+PKCS12_pack_safebag((char *)(crl), i2d_X509CRL, NID_x509Crl, NID_crlBag)

 #define M_PKCS12_certbag2x509(bg) \
-(X509 *) ASN1_unpack_string ((bg)->value.bag->value.octet, \
+(X509 *) ASN1_unpack_string((bg)->value.bag->value.octet, \
 (char *(*)())d2i_X509)

 #define M_PKCS12_certbag2x509crl(bg) \
-(X509CRL *) ASN1_unpack_string ((bg)->value.bag->value.octet, \
+(X509CRL *) ASN1_unpack_string((bg)->value.bag->value.octet, \
 (char *(*)())d2i_X509CRL)

 /*#define M_PKCS12_pkcs82rsa(p8) \
-(RSA *) ASN1_unpack_string ((p8)->pkey, (char *(*)())d2i_RSAPrivateKey)*/
+(RSA *) ASN1_unpack_string((p8)->pkey, (char *(*)())d2i_RSAPrivateKey)*/

 #define M_PKCS12_unpack_p7data(p7) \
-ASN1_seq_unpack_PKCS12_SAFEBAG ((p7)->d.data->data, p7->d.data->length, \
+ASN1_seq_unpack_PKCS12_SAFEBAG((p7)->d.data->data, p7->d.data->length, \
 			        d2i_PKCS12_SAFEBAG, PKCS12_SAFEBAG_free)

 #define M_PKCS12_pack_authsafes(p12, safes) \
@ -175,20 +175,20 @@ ASN1_seq_unpack_PKCS7((p12)->authsafes->d.data->data, \
 		(p12)->authsafes->d.data->length, d2i_PKCS7, PKCS7_free)

 #define M_PKCS12_unpack_p7encdata(p7, pass, passlen) \
-PKCS12_decrypt_d2i_PKCS12_SAFEBAG ((p7)->d.encrypted->enc_data->algorithm,\
+PKCS12_decrypt_d2i_PKCS12_SAFEBAG((p7)->d.encrypted->enc_data->algorithm,\
 			           d2i_PKCS12_SAFEBAG, PKCS12_SAFEBAG_free, \
 				   (pass), (passlen), \
 			           (p7)->d.encrypted->enc_data->enc_data, 3)

 #define M_PKCS12_decrypt_skey(bag, pass, passlen) \
-(PKCS8_PRIV_KEY_INFO *) PKCS12_decrypt_d2i ((bag)->value.shkeybag->algor, \
-(char *(*)())d2i_PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free, \
+(PKCS8_PRIV_KEY_INFO *) PKCS12_decrypt_d2i((bag)->value.shkeybag->algor, \
+(char *(*)())d2i_PKCS8_PRIV_KEY_INFO, (void (*)(void *))PKCS8_PRIV_KEY_INFO_free, \
 						(pass), (passlen), \
 			 (bag)->value.shkeybag->digest, 2)

 #define M_PKCS8_decrypt(p8, pass, passlen) \
-(PKCS8_PRIV_KEY_INFO *) PKCS12_decrypt_d2i ((p8)->algor, \
-(char *(*)())d2i_PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free,\
+(PKCS8_PRIV_KEY_INFO *) PKCS12_decrypt_d2i((p8)->algor, \
+(char *(*)())d2i_PKCS8_PRIV_KEY_INFO, (void (*)(void *))PKCS8_PRIV_KEY_INFO_free,\
 			 (pass), (passlen), (p8)->digest, 2)

 #define PKCS12_get_attr(bag, attr_nid) \
@ -226,7 +226,7 @@ unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass,
 				int passlen, unsigned char *in, int inlen,
 				unsigned char **data, int *datalen, int en_de);
 char *PKCS12_decrypt_d2i(X509_ALGOR *algor, char *(*d2i)(),
-			 void (*free_func)(), const char *pass, int passlen,
+			 void (*free_func)(void *), const char *pass, int passlen,
 			 ASN1_STRING *oct, int seq);
 ASN1_STRING *PKCS12_i2d_encrypt(X509_ALGOR *algor, int (*i2d)(),
 				const char *pass, int passlen, char *obj,
--- a/crypto/rand/rand_win.c
+++ b/crypto/rand/rand_win.c
@ -110,7 +110,8 @@
 */


-#ifdef WINDOWS
+#if defined(WINDOWS) || defined(WIN32)
+#include "cryptlib.h"
 #include <windows.h>
 #include <openssl/rand.h>
 /* XXX There are probably other includes missing here ... */
--- a/crypto/ripemd/Makefile.ssl
+++ b/crypto/ripemd/Makefile.ssl
@ -22,7 +22,7 @@ CFLAGS= $(INCLUDES) $(CFLAG)

 GENERAL=Makefile
 TEST=rmdtest.c
-APPS=rmd160.c
+APPS=

 LIB=$(TOP)/libcrypto.a
 LIBSRC=rmd_dgst.c rmd_one.c
--- a/crypto/stack/safestack.h
+++ b/crypto/stack/safestack.h
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@ -102,26 +102,8 @@ extern "C" {
 #endif

  /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */
-#define DECLARE_PKCS12_STACK_OF(type) \
-STACK_OF(type) *PKCS12_decrypt_d2i_##type(struct X509_algor_st *algor, \
-				          type *(*d2i)(type **, \
-						       unsigned char **, \
-						       long), \
-					  void (*free_func)(type *), \
-					  const char *pass, int passlen, \
-					  ASN1_STRING *oct, int seq);
-
-#define IMPLEMENT_PKCS12_STACK_OF(type) \
-STACK_OF(type) *PKCS12_decrypt_d2i_##type(struct X509_algor_st *algor, \
-				          type *(*d2i)(type **, \
-						       unsigned char **, \
-						       long), \
-					  void (*free_func)(type *), \
-					  const char *pass, int passlen, \
-					  ASN1_STRING *oct, int seq) \
-    { return (STACK_OF(type) *)PKCS12_decrypt_d2i(algor,(char *(*)())d2i, \
-						  (void(*)(void *))free_func, \
-						  pass,passlen,oct,seq); }
+#define DECLARE_PKCS12_STACK_OF(type) /* Nothing */
+#define IMPLEMENT_PKCS12_STACK_OF(type) /* Nothing */

 #define X509_FILETYPE_PEM	1
 #define X509_FILETYPE_ASN1	2
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@ -19,6 +19,7 @@ B<openssl> B<req>
 [B<-verify>]
 [B<-modulus>]
 [B<-new>]
+[B<-rand file(s)>]
 [B<-newkey rsa:bits>]
 [B<-newkey dsa:file>]
 [B<-nodes>]
@ -104,6 +105,14 @@ in the configuration file and any requested extensions.
 If the B<-key> option is not used it will generate a new RSA private
 key using information specified in the configuration file.

+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
+all others.
+
 =item B<-newkey arg>

 this option creates a new certificate request and a new private
--- a/ssl/bio_ssl.c
+++ b/ssl/bio_ssl.c
@ -71,7 +71,7 @@ static int ssl_puts(BIO *h, const char *str);
 static long ssl_ctrl(BIO *h, int cmd, long arg1, void *arg2);
 static int ssl_new(BIO *h);
 static int ssl_free(BIO *data);
-static long ssl_callback_ctrl(BIO *h, int cmd, void (*fp)());
+static long ssl_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp);
 typedef struct bio_ssl_st
 	{
 	SSL *ssl; /* The ssl handle :-) */
@ -470,7 +470,7 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
 	return(ret);
 	}

-static long ssl_callback_ctrl(BIO *b, int cmd, void (*fp)())
+static long ssl_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 	{
 	SSL *ssl;
 	BIO_SSL *bs;
--- a/ssl/s2_lib.c
+++ b/ssl/s2_lib.c
@ -384,7 +384,7 @@ SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p)
 	cpp=(SSL_CIPHER **)OBJ_bsearch((char *)&cp,
 		(char *)sorted,
 		SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *),
-		(int (*)())ssl_cipher_ptr_id_cmp);
+		FP_ICC ssl_cipher_ptr_id_cmp);
 	if ((cpp == NULL) || !(*cpp)->valid)
 		return(NULL);
 	else
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@ -1041,7 +1041,7 @@ SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
 	cpp=(SSL_CIPHER **)OBJ_bsearch((char *)&cp,
 		(char *)sorted,
 		SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
-		(int (*)())ssl_cipher_ptr_id_cmp);
+		FP_ICC ssl_cipher_ptr_id_cmp);
 	if ((cpp == NULL) || !(*cpp)->valid)
 		return(NULL);
 	else
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@ -271,37 +271,10 @@ sub do_defs
 			} elsif (/^\#/) {
 				next;
 			}
-			if (!$safe_stack_def &&
-				/^\s*DECLARE_STACK_OF\s*\(\s*(\w*)\s*\)/) {
+			if (/^\s*DECLARE_STACK_OF\s*\(\s*(\w*)\s*\)/) {
 				next;
-			} elsif ($safe_stack_def &&
-				/^\s*DECLARE_STACK_OF\s*\(\s*(\w*)\s*\)/) {
-				$funcs{"sk_${1}_new"} = 1;
-				$funcs{"sk_${1}_new_null"} = 1;
-				$funcs{"sk_${1}_free"} = 1;
-				$funcs{"sk_${1}_num"} = 1;
-				$funcs{"sk_${1}_value"} = 1;
-				$funcs{"sk_${1}_set"} = 1;
-				$funcs{"sk_${1}_zero"} = 1;
-				$funcs{"sk_${1}_push"} = 1;
-				$funcs{"sk_${1}_unshift"} = 1;
-				$funcs{"sk_${1}_find"} = 1;
-				$funcs{"sk_${1}_delete"} = 1;
-				$funcs{"sk_${1}_delete_ptr"} = 1;
-				$funcs{"sk_${1}_insert"} = 1;
-				$funcs{"sk_${1}_set_cmp_func"} = 1;
-				$funcs{"sk_${1}_dup"} = 1;
-				$funcs{"sk_${1}_pop_free"} = 1;
-				$funcs{"sk_${1}_shift"} = 1;
-				$funcs{"sk_${1}_pop"} = 1;
-				$funcs{"sk_${1}_sort"} = 1;
-			} if (!$safe_stack_def &&
-				/^\s*DECLARE_ASN1_SET_OF\s*\(\s*(\w*)\s*\)/) {
+			} elsif (/^\s*DECLARE_ASN1_SET_OF\s*\(\s*(\w*)\s*\)/) {
 				next;
-			} elsif ($safe_stack_def &&
-				/^\s*DECLARE_ASN1_SET_OF\s*\(\s*(\w*)\s*\)/) {
-				$funcs{"d2i_ASN1_SET_OF_${1}"} = 1;
-				$funcs{"i2d_ASN1_SET_OF_${1}"} = 1;
 			} elsif (/^DECLARE_PEM_rw\s*\(\s*(\w*)\s*,/ ||
 				     /^DECLARE_PEM_rw_cb\s*\(\s*(\w*)\s*,/ ) {
 				if (!($no_rsa && ($1 eq "RSAPrivateKey" ||
--- a/util/mkstack.pl
+++ b/util/mkstack.pl
@ -31,12 +31,17 @@ foreach $file (@source) {
 	while(<IN>) {
 		if (/^DECLARE_STACK_OF\(([^)]+)\)/) {
 			push @stacklst, $1;
+		} if (/^DECLARE_ASN1_SET_OF\(([^)]+)\)/) {
+			push @asn1setlst, $1;
+		} if (/^DECLARE_PKCS12_STACK_OF\(([^)]+)\)/) {
+			push @p12stklst, $1;
 		}
 	}
 	close(IN);
 }


+
 my $old_stackfile = "";
 my $new_stackfile = "";
 my $inside_block = 0;
@ -57,7 +62,7 @@ while(<IN>) {
 	next if($inside_block != 1);
 	$new_stackfile .= "/* This block of defines is updated by util/mkstack.pl, please do not touch! */";
 		
-	foreach $type_thing (@stacklst) {
+	foreach $type_thing (sort @stacklst) {
 		$new_stackfile .= <<EOF;

 #define sk_${type_thing}_new(st) SKM_sk_new($type_thing, (st))
@ -79,6 +84,26 @@ while(<IN>) {
 #define sk_${type_thing}_shift(st) SKM_sk_shift($type_thing, (st))
 #define sk_${type_thing}_pop(st) SKM_sk_pop($type_thing, (st))
 #define sk_${type_thing}_sort(st) SKM_sk_sort($type_thing, (st))
+EOF
+	}
+	foreach $type_thing (sort @asn1setlst) {
+		$new_stackfile .= <<EOF;
+
+#define d2i_ASN1_SET_OF_${type_thing}(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \\
+	SKM_ASN1_SET_OF_d2i($type_thing, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) 
+#define i2d_ASN1_SET_OF_${type_thing}(st, pp, i2d_func, ex_tag, ex_class, is_set) \\
+	SKM_ASN1_SET_OF_i2d($type_thing, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
+#define ASN1_seq_pack_${type_thing}(st, i2d_func, buf, len) \\
+	SKM_ASN1_seq_pack($type_thing, (st), (i2d_func), (buf), (len))
+#define ASN1_seq_unpack_${type_thing}(buf, len, d2i_func, free_func) \\
+	SKM_ASN1_seq_unpack($type_thing, (buf), (len), (d2i_func), (free_func))
+EOF
+	}
+	foreach $type_thing (sort @p12stklst) {
+		$new_stackfile .= <<EOF;
+
+#define PKCS12_decrypt_d2i_${type_thing}(algor, d2i_func, free_func, pass, passlen, oct, seq) \\
+	SKM_PKCS12_decrypt_d2i($type_thing, (algor), (d2i_func), (free_func), (pass), (passlen), (oct), (seq))
 EOF
 	}
 	$new_stackfile .= "/* End of util/mkstack.pl block, you may now edit :-) */\n";