From 1e6c9fc26f33a58bab5b2cba90841109534de982 Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Tue, 13 Mar 2001 06:58:57 +0000
Subject: [PATCH] Merge of the 0.9.6-stable branch (continued after network
 interrupt).

---
 CHANGES                    | 203 +++++++++++++++++++++++++++++++++++++
 Configure                  |  25 +++--
 LICENSE                    |   2 +-
 Makefile.org               |   3 +-
 TABLE                      | 152 +++++++++++++++++++++++++--
 apps/app_rand.c            |   6 +-
 apps/ca-cert.srl           |   2 +-
 apps/dsaparam.c            |   2 +-
 apps/passwd.c              |   2 +-
 apps/pca-cert.srl          |   2 +-
 apps/req.c                 |   9 +-
 apps/rsautl.c              |   4 +
 apps/s_client.c            |  11 +-
 apps/s_server.c            |  13 ++-
 apps/server.pem            |  16 +--
 certs/rsa-ssca.pem         |  19 ----
 config                     |  23 +++--
 crypto/Makefile.ssl        |   7 +-
 crypto/asn1/Makefile.ssl   |   3 +-
 crypto/asn1/a_strnid.c     |   2 +-
 crypto/asn1/asn1_mac.h     |  23 +++++
 crypto/asn1/x_crl.c        |  10 +-
 crypto/asn1/x_name.c       |   5 +-
 crypto/bf/Makefile.ssl     |   3 +-
 crypto/bio/Makefile.ssl    |   3 +-
 crypto/bio/b_sock.c        |  14 +--
 crypto/bn/Makefile.ssl     |   3 +-
 crypto/bn/asm/pa-risc2.s   |   2 +-
 crypto/bn/asm/pa-risc2W.s  |   2 +-
 crypto/bn/bn.h             |   8 +-
 crypto/bn/bn_div.c         |   6 +-
 crypto/bn/bn_err.c         |   3 +
 crypto/bn/bn_lib.c         |   7 ++
 crypto/bn/bn_rand.c        | 107 ++++++++++++++++---
 crypto/bn/bn_shift.c       |   5 +
 crypto/bn/bntest.c         |  64 ++++++------
 crypto/buffer/Makefile.ssl |   3 +-
 crypto/cast/Makefile.ssl   |   3 +-
 crypto/comp/Makefile.ssl   |   3 +-
 crypto/conf/Makefile.ssl   |   3 +-
 crypto/conf/conf.h         |   2 +
 crypto/conf/conf_err.c     |   2 +
 crypto/conf/conf_lib.c     |  84 +++++++++++----
 crypto/crypto.h            |   2 +
 crypto/des/Makefile.ssl    |   3 +-
 crypto/dh/Makefile.ssl     |   3 +-
 crypto/dh/dh_key.c         |  11 +-
 crypto/dh/dh_lib.c         |   8 +-
 crypto/dsa/Makefile.ssl    |   3 +-
 crypto/dsa/dsa_key.c       |  13 +--
 crypto/dsa/dsa_lib.c       |   8 +-
 crypto/dsa/dsa_ossl.c      |  10 +-
 crypto/dso/Makefile.ssl    |   3 +-
 crypto/dso/dso_dl.c        |   4 +-
 crypto/err/Makefile.ssl    |   3 +-
 crypto/err/err.c           |  10 +-
 crypto/ex_data.c           |   2 +-
 crypto/mem_dbg.c           |  98 +++++++++++-------
 crypto/opensslv.h          |   4 +-
 e_os.h                     |   2 +
 openssl.spec               |   4 +-
 61 files changed, 812 insertions(+), 250 deletions(-)
 delete mode 100644 certs/rsa-ssca.pem

diff --git a/CHANGES b/CHANGES
index 87853c3b29..b2075c769e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,209 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 0.9.6 and 0.9.6a  [xx XXX 2001]
+
+  *) Fix a memory leak in err.c: free err_data string if necessary.
+     [Bodo Moeller]
+
+  *) Implement ssl23_peek (analogous to ssl23_read), which previously
+     did not exist.
+     [Bodo Moeller]
+
+  *) Replace rdtsc with _emit statements for VC++ version 5.
+     [Jeremy Cooper <jeremy@baymoo.org>]
+
+  *) Make it possible to reuse SSLv2 sessions.
+     [Richard Levitte]
+
+  *) In copy_email() check for >= 0 as a return value for
+     X509_NAME_get_index_by_NID() since 0 is a valid index.
+     [Steve Henson reported by Massimiliano Pala <madwolf@opensca.org>]
+
+  *) Use better test patterns in bntest.
+     [Ulf Möller]
+
+  *) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling
+     the method-specific "init()" handler. Also clean up ex_data after
+     calling the method-specific "finish()" handler. Previously, this was
+     happening the other way round.
+     [Geoff Thorpe]
+
+  *) Avoid coredump with unsupported or invalid public keys by checking if
+     X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when
+     PKCS7_verify() fails with non detached data.
+     [Steve Henson]
+
+  *) Don't use getenv in library functions when run as setuid/setgid.
+     New function OPENSSL_issetugid().
+     [Ulf Moeller]
+
+  *) Avoid false positives in memory leak detection code (crypto/mem_dbg.c)
+     due to incorrect handling of multi-threading:
+
+     1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl().
+
+     2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on().
+
+     3. Count how many times MemCheck_off() has been called so that
+        nested use can be treated correctly.  This also avoids 
+        inband-signalling in the previous code (which relied on the
+        assumption that thread ID 0 is impossible).
+     [Bodo Moeller]
+
+  *) Add "-rand" option also to s_client and s_server.
+     [Lutz Jaenicke]
+
+  *) Fix CPU detection on Irix 6.x.
+     [Kurt Hockenbury <khockenb@stevens-tech.edu> and
+      "Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]
+
+  *) Fix X509_NAME bug which produced incorrect encoding if X509_NAME
+     was empty.
+     [Steve Henson]
+
+  *) Use the cached encoding of an X509_NAME structure rather than
+     copying it. This is apparently the reason for the libsafe "errors"
+     but the code is actually correct.
+     [Steve Henson]
+
+  *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
+     Bleichenbacher's DSA attack.
+     Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
+     to be set and top=0 forces the highest bit to be set; top=-1 is new
+     and leaves the highest bit random.
+     [Ulf Moeller]
+
+  *) In the NCONF_...-based implementations for CONF_... queries
+     (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
+     a temporary CONF structure with the data component set to NULL
+     (which gives segmentation faults in lh_retrieve).
+     Instead, use NULL for the CONF pointer in CONF_get_string and
+     CONF_get_number (which may use environment variables) and directly
+     return NULL from CONF_get_section.
+     [Bodo Moeller]
+
+  *) Fix potential buffer overrun for EBCDIC.
+     [Ulf Moeller]
+
+  *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign
+     keyUsage if basicConstraints absent for a CA.
+     [Steve Henson]
+
+  *) Make SMIME_write_PKCS7() write mail header values with a format that
+     is more generally accepted (no spaces before the semicolon), since
+     some programs can't parse those values properly otherwise.  Also make
+     sure BIO's that break lines after each write do not create invalid
+     headers.
+     [Richard Levitte]
+
+  *) Make the CRL encoding routines work with empty SEQUENCE OF. The
+     macros previously used would not encode an empty SEQUENCE OF
+     and break the signature.
+     [Steve Henson]
+
+  *) Zero the premaster secret after deriving the master secret in
+     DH ciphersuites.
+     [Steve Henson]
+
+  *) Add some EVP_add_digest_alias registrations (as found in
+     OpenSSL_add_all_digests()) to SSL_library_init()
+     aka OpenSSL_add_ssl_algorithms().  This provides improved
+     compatibility with peers using X.509 certificates
+     with unconventional AlgorithmIdentifier OIDs.
+     [Bodo Moeller]
+
+  *) Fix for Irix with NO_ASM.
+     ["Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]
+
+  *) ./config script fixes.
+     [Ulf Moeller, Richard Levitte]
+
+  *) Fix 'openssl passwd -1'.
+     [Bodo Moeller]
+
+  *) Change PKCS12_key_gen_asc() so it can cope with non null
+     terminated strings whose length is passed in the passlen
+     parameter, for example from PEM callbacks. This was done
+     by adding an extra length parameter to asc2uni().
+     [Steve Henson, reported by <oddissey@samsung.co.kr>]
+
+  *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
+     call failed, free the DSA structure.
+     [Bodo Moeller]
+
+  *) Fix to uni2asc() to cope with zero length Unicode strings.
+     These are present in some PKCS#12 files.
+     [Steve Henson]
+
+  *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
+     Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
+     when writing a 32767 byte record.
+     [Bodo Moeller; problem reported by Eric Day <eday@concentric.net>]
+
+  *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c),
+     obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}.
+
+     (RSA objects have a reference count access to which is protected
+     by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
+     so they are meant to be shared between threads.)
+     [Bodo Moeller, Geoff Thorpe; original patch submitted by
+     "Reddie, Steven" <Steven.Reddie@ca.com>]
+
+  *) Fix a deadlock in CRYPTO_mem_leaks().
+     [Bodo Moeller]
+
+  *) rand_win.c fix for Borland C.
+     [Ulf Möller]
+ 
+  *) BN_rshift bugfix for n == 0.
+     [Bodo Moeller]
+
+  *) Store verify_result within SSL_SESSION also for client side to
+     avoid potential security hole. (Re-used sessions on the client side
+     always resulted in verify_result==X509_V_OK, not using the original
+     result of the server certificate verification.)
+     [Lutz Jaenicke]
+
+  *) Fix ssl3_pending: If the record in s->s3->rrec is not of type
+     SSL3_RT_APPLICATION_DATA, return 0.
+     Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true.
+     [Bodo Moeller]
+
+  *) Fix SSL_peek:
+     Both ssl2_peek and ssl3_peek, which were totally broken in earlier
+     releases, have been re-implemented by renaming the previous
+     implementations of ssl2_read and ssl3_read to ssl2_read_internal
+     and ssl3_read_internal, respectively, and adding 'peek' parameters
+     to them.  The new ssl[23]_{read,peek} functions are calls to
+     ssl[23]_read_internal with the 'peek' flag set appropriately.
+     A 'peek' parameter has also been added to ssl3_read_bytes, which
+     does the actual work for ssl3_read_internal.
+     [Bodo Moeller]
+
+  *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16.
+     The previous value, 12, was not always sufficient for BN_mod_exp().
+     [Bodo Moeller]
+
+  *) Fix typo in get_cert_by_subject() in by_dir.c
+     [Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>]
+
+  *) Fix SSL_CTX_set_read_ahead macro to actually use its argument.
+
+     Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new
+     and not in SSL_clear because the latter is also used by the
+     accept/connect functions; previously, the settings made by
+     SSL_set_read_ahead would be lost during the handshake.
+     [Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>]     
+
+  *) Correct util/mkdef.pl to be selective about disabled algorithms.
+     Previously, it would create entries for disableed algorithms no
+     matter what.
+     [Richard Levitte]
+
+  *) Added several new manual pages for SSL_* function.
+     [Lutz Jaenicke]
+
  Changes between 0.9.5a and 0.9.6  [24 Sep 2000]
 
   *) In ssl23_get_client_hello, generate an error message when faced
diff --git a/Configure b/Configure
index f6aefa204a..f300b4a342 100755
--- a/Configure
+++ b/Configure
@@ -158,7 +158,7 @@ my %table=(
 "solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC",
 "solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC",
 "solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC",
-"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC",
+"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC:/usr/ccs/bin/ar rs",
 ####
 "debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC",
 "debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC",
@@ -289,8 +289,8 @@ my %table=(
 #
 #					<appro@fy.chalmers.se>
 #
-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o::",
-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o::",
+"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o:::::::::dlfcn:linux-shared:-fPIC",
+"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o:::::::::dlfcn:linux-shared:-fPIC",
 "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::",
 "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::",
 
@@ -306,6 +306,7 @@ my %table=(
 "linux-mips",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::",
 "linux-ppc",    "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
 "linux-m68k",   "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
+"linux-s390",	"gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
 "linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::SIXTY_FOUR_BIT_LONG::",
 "NetBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::",
 "NetBSD-m68",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::",
@@ -451,10 +452,10 @@ my $md5_obj="";
 my $sha1_obj="";
 my $rmd160_obj="";
 my $processor="";
-my $ranlib;
+my $default_ranlib;
 my $perl;
 
-$ranlib=&which("ranlib") or $ranlib="true";
+$default_ranlib= &which("ranlib") or $default_ranlib="true";
 $perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl")
   or $perl="perl";
 
@@ -653,7 +654,7 @@ $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /^\//;
 print "IsWindows=$IsWindows\n";
 
 (my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops,my $bn_obj,my $des_obj,my $bf_obj,
- $md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag)=
+ $md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag, my $ranlib)=
 	split(/\s*:\s*/,$table{$target} . ":" x 22 , -1);
 $cflags="$flags$cflags" if ($flags ne "");
 
@@ -740,6 +741,15 @@ if ($shared_cflag ne "")
 		$shared_mark2 = ".shlib.";
 		}
 	}
+else
+	{
+	$no_shared = 1;
+	}
+
+if ($ranlib eq "")
+	{
+	$ranlib = $default_ranlib;
+	}
 
 #my ($bn1)=split(/\s+/,$bn_obj);
 #$bn1 = "" unless defined $bn1;
@@ -1133,7 +1143,7 @@ sub print_table_entry
 	(my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops,
 	my $bn_obj,my $des_obj,my $bf_obj,
 	my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $rmd160_obj,
-	my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag)=
+	my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag,my $ranlib)=
 	split(/\s*:\s*/,$table{$target} . ":" x 22 , -1);
 			
 	print <<EOF
@@ -1157,5 +1167,6 @@ sub print_table_entry
 \$dso_scheme   = $dso_scheme
 \$shared_target= $shared_target
 \$shared_cflag = $shared_cflag
+\$ranlib       = $ranlib
 EOF
 	}
diff --git a/LICENSE b/LICENSE
index bdd5f7bdd0..3fd259ac32 100644
--- a/LICENSE
+++ b/LICENSE
@@ -12,7 +12,7 @@
   ---------------
 
 /* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/Makefile.org b/Makefile.org
index d1fd33e56c..c617706a89 100644
--- a/Makefile.org
+++ b/Makefile.org
@@ -462,7 +462,8 @@ install: all install_docs
 		if [ -f "$$i" ]; then \
 		(       echo installing $$i; \
 			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
-			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+			(echo $$i | grep '\\.a$$' > /dev/null 2>&1) \
+			&& $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
 		fi \
 	done
diff --git a/TABLE b/TABLE
index f18080cfe7..051730760f 100644
--- a/TABLE
+++ b/TABLE
@@ -19,6 +19,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** BC-32
 $cc           = bcc32
@@ -39,6 +40,7 @@ $rc5_obj      =
 $dso_scheme   = win32
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** BS2000-OSD
 $cc           = c89
@@ -59,6 +61,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** CygWin32
 $cc           = gcc
@@ -79,6 +82,7 @@ $rc5_obj      =
 $dso_scheme   = win32
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** FreeBSD
 $cc           = gcc
@@ -99,6 +103,7 @@ $rc5_obj      = asm/r586-out.o
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** FreeBSD-alpha
 $cc           = gcc
@@ -119,6 +124,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** FreeBSD-elf
 $cc           = gcc
@@ -139,6 +145,7 @@ $rc5_obj      = asm/r586-elf.o
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** MPE/iX-gcc
 $cc           = gcc
@@ -159,6 +166,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** Mingw32
 $cc           = gcc
@@ -179,6 +187,7 @@ $rc5_obj      =
 $dso_scheme   = win32
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** NetBSD-m68
 $cc           = gcc
@@ -199,6 +208,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** NetBSD-sparc
 $cc           = gcc
@@ -219,6 +229,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** NetBSD-x86
 $cc           = gcc
@@ -239,6 +250,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** OpenBSD
 $cc           = gcc
@@ -259,6 +271,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** OpenBSD-alpha
 $cc           = gcc
@@ -279,6 +292,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** OpenBSD-mips
 $cc           = gcc
@@ -299,6 +313,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** OpenBSD-x86
 $cc           = gcc
@@ -319,6 +334,7 @@ $rc5_obj      = asm/r586-out.o
 $dso_scheme   = dlfcn
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** ReliantUNIX
 $cc           = cc
@@ -339,6 +355,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** SINIX
 $cc           = cc
@@ -359,6 +376,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** SINIX-N
 $cc           = /usr/ucb/cc
@@ -379,6 +397,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** VC-MSDOS
 $cc           = cl
@@ -399,6 +418,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** VC-NT
 $cc           = cl
@@ -419,6 +439,7 @@ $rc5_obj      =
 $dso_scheme   = win32
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** VC-W31-16
 $cc           = cl
@@ -439,6 +460,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** VC-W31-32
 $cc           = cl
@@ -459,6 +481,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** VC-WIN16
 $cc           = cl
@@ -479,6 +502,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** VC-WIN32
 $cc           = cl
@@ -499,6 +523,7 @@ $rc5_obj      =
 $dso_scheme   = win32
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** aix-cc
 $cc           = cc
@@ -519,6 +544,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** aix-gcc
 $cc           = gcc
@@ -539,6 +565,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** alpha-cc
 $cc           = cc
@@ -559,6 +586,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= true64-shared
 $shared_cflag = 
+$ranlib       = 
 
 *** alpha-gcc
 $cc           = gcc
@@ -579,6 +607,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= true64-shared
 $shared_cflag = 
+$ranlib       = 
 
 *** alpha164-cc
 $cc           = cc
@@ -599,6 +628,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= true64-shared
 $shared_cflag = 
+$ranlib       = 
 
 *** bsdi-elf-gcc
 $cc           = gcc
@@ -619,6 +649,7 @@ $rc5_obj      = asm/r586-elf.o
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** bsdi-gcc
 $cc           = gcc
@@ -639,6 +670,7 @@ $rc5_obj      = asm/r586bsdi.o
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** cc
 $cc           = cc
@@ -659,6 +691,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** cray-t3e
 $cc           = cc
@@ -679,6 +712,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** cray-t90-cc
 $cc           = cc
@@ -699,6 +733,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** debug
 $cc           = gcc
@@ -719,6 +754,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** debug-ben
 $cc           = gcc
@@ -739,6 +775,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** debug-ben-debug
 $cc           = gcc
@@ -759,6 +796,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** debug-ben-strict
 $cc           = gcc
@@ -779,6 +817,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** debug-bodo
 $cc           = gcc
@@ -799,6 +838,7 @@ $rc5_obj      = asm/r586-elf.o
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** debug-levitte-linux-elf
 $cc           = gcc
@@ -819,6 +859,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** debug-linux-elf
 $cc           = gcc
@@ -839,6 +880,7 @@ $rc5_obj      = asm/r586-elf.o
 $dso_scheme   = dlfcn
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** debug-linux-elf-noefence
 $cc           = gcc
@@ -859,6 +901,7 @@ $rc5_obj      = asm/r586-elf.o
 $dso_scheme   = dlfcn
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** debug-rse
 $cc           = cc
@@ -879,6 +922,7 @@ $rc5_obj      = asm/r586-elf.o
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** debug-solaris-sparcv8-cc
 $cc           = cc
@@ -899,6 +943,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -KPIC
+$ranlib       = 
 
 *** debug-solaris-sparcv8-gcc
 $cc           = gcc
@@ -919,6 +964,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -fPIC
+$ranlib       = 
 
 *** debug-solaris-sparcv9-cc
 $cc           = cc
@@ -939,6 +985,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -KPIC
+$ranlib       = 
 
 *** debug-solaris-sparcv9-gcc
 $cc           = gcc
@@ -959,6 +1006,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -fPIC
+$ranlib       = 
 
 *** debug-steve
 $cc           = gcc
@@ -979,6 +1027,7 @@ $rc5_obj      = asm/r586-elf.o
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** debug-ulf
 $cc           = gcc
@@ -999,6 +1048,7 @@ $rc5_obj      = asm/r586-elf.o
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** dgux-R3-gcc
 $cc           = gcc
@@ -1019,6 +1069,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** dgux-R4-gcc
 $cc           = gcc
@@ -1039,6 +1090,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** dgux-R4-x86-gcc
 $cc           = gcc
@@ -1059,6 +1111,7 @@ $rc5_obj      = asm/r586-elf.o
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** dist
 $cc           = cc
@@ -1079,6 +1132,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** gcc
 $cc           = gcc
@@ -1099,6 +1153,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** hpux-brokencc
 $cc           = cc
@@ -1119,6 +1174,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** hpux-brokengcc
 $cc           = gcc
@@ -1139,6 +1195,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** hpux-cc
 $cc           = cc
@@ -1159,6 +1216,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** hpux-gcc
 $cc           = gcc
@@ -1179,6 +1237,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** hpux-parisc-cc
 $cc           = cc
@@ -1199,6 +1258,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** hpux-parisc-cc-o4
 $cc           = cc
@@ -1219,6 +1279,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** hpux-parisc-gcc
 $cc           = gcc
@@ -1239,6 +1300,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** hpux-parisc1_1-cc
 $cc           = cc
@@ -1259,6 +1321,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** hpux-parisc2-cc
 $cc           = cc
@@ -1279,6 +1342,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** hpux10-brokencc
 $cc           = cc
@@ -1299,6 +1363,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** hpux10-brokengcc
 $cc           = gcc
@@ -1319,6 +1384,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** hpux10-cc
 $cc           = cc
@@ -1339,6 +1405,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** hpux10-gcc
 $cc           = gcc
@@ -1359,6 +1426,7 @@ $rc5_obj      =
 $dso_scheme   = dl
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** hpux64-parisc-cc
 $cc           = cc
@@ -1379,6 +1447,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** hpux64-parisc2-cc
 $cc           = cc
@@ -1399,6 +1468,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** irix-cc
 $cc           = cc
@@ -1419,6 +1489,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** irix-gcc
 $cc           = gcc
@@ -1439,6 +1510,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** irix-mips3-cc
 $cc           = cc
@@ -1459,6 +1531,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** irix-mips3-gcc
 $cc           = gcc
@@ -1479,6 +1552,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** irix64-mips4-cc
 $cc           = cc
@@ -1499,6 +1573,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** irix64-mips4-gcc
 $cc           = gcc
@@ -1519,6 +1594,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** linux-alpha+bwx-ccc
 $cc           = ccc
@@ -1539,13 +1615,14 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** linux-alpha+bwx-gcc
 $cc           = gcc
 $cflags       = -O3 -DL_ENDIAN -DTERMIO
 $unistd       = 
 $thread_cflag = -D_REENTRANT
-$lflags       = 
+$lflags       = -ldl
 $bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL
 $bn_obj       = asm/alpha.o
 $des_obj      = 
@@ -1556,9 +1633,10 @@ $cast_obj     =
 $rc4_obj      = 
 $rmd160_obj   = 
 $rc5_obj      = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
+$dso_scheme   = dlfcn
+$shared_target= linux-shared
+$shared_cflag = -fPIC
+$ranlib       = 
 
 *** linux-alpha-ccc
 $cc           = ccc
@@ -1579,13 +1657,14 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** linux-alpha-gcc
 $cc           = gcc
 $cflags       = -O3 -DL_ENDIAN -DTERMIO
 $unistd       = 
 $thread_cflag = -D_REENTRANT
-$lflags       = 
+$lflags       = -ldl
 $bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL
 $bn_obj       = asm/alpha.o
 $des_obj      = 
@@ -1596,9 +1675,10 @@ $cast_obj     =
 $rc4_obj      = 
 $rmd160_obj   = 
 $rc5_obj      = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
+$dso_scheme   = dlfcn
+$shared_target= linux-shared
+$shared_cflag = -fPIC
+$ranlib       = 
 
 *** linux-aout
 $cc           = gcc
@@ -1619,6 +1699,7 @@ $rc5_obj      = asm/r586-out.o
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** linux-elf
 $cc           = gcc
@@ -1639,6 +1720,7 @@ $rc5_obj      = asm/r586-elf.o
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
 $shared_cflag = -fPIC
+$ranlib       = 
 
 *** linux-elf-arm
 $cc           = gcc
@@ -1659,6 +1741,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
 $shared_cflag = -fPIC
+$ranlib       = 
 
 *** linux-ia64
 $cc           = gcc
@@ -1679,6 +1762,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** linux-m68k
 $cc           = gcc
@@ -1699,6 +1783,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** linux-mips
 $cc           = gcc
@@ -1719,6 +1804,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** linux-ppc
 $cc           = gcc
@@ -1739,6 +1825,28 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
+
+*** linux-s390
+$cc           = gcc
+$cflags       = -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
+$unistd       = 
+$thread_cflag = -D_REENTRANT
+$lflags       = 
+$bn_ops       = BN_LLONG
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$ranlib       = 
 
 *** linux-sparcv7
 $cc           = gcc
@@ -1759,6 +1867,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** linux-sparcv8
 $cc           = gcc
@@ -1779,6 +1888,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** linux-sparcv9
 $cc           = gcc
@@ -1799,6 +1909,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** ncr-scde
 $cc           = cc
@@ -1819,6 +1930,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** newsos4-gcc
 $cc           = gcc
@@ -1839,6 +1951,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** nextstep
 $cc           = cc
@@ -1859,6 +1972,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** nextstep3.3
 $cc           = cc
@@ -1879,6 +1993,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** purify
 $cc           = purify gcc
@@ -1899,6 +2014,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** qnx4
 $cc           = cc
@@ -1919,6 +2035,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** rhapsody-ppc-cc
 $cc           = cc
@@ -1939,6 +2056,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** sco5-cc
 $cc           = cc
@@ -1959,6 +2077,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** sco5-gcc
 $cc           = gcc
@@ -1979,6 +2098,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** solaris-sparc-sc3
 $cc           = cc
@@ -1999,6 +2119,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -KPIC
+$ranlib       = 
 
 *** solaris-sparcv7-cc
 $cc           = cc
@@ -2019,6 +2140,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -KPIC
+$ranlib       = 
 
 *** solaris-sparcv7-gcc
 $cc           = gcc
@@ -2039,6 +2161,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -fPIC
+$ranlib       = 
 
 *** solaris-sparcv8-cc
 $cc           = cc
@@ -2059,6 +2182,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -KPIC
+$ranlib       = 
 
 *** solaris-sparcv8-gcc
 $cc           = gcc
@@ -2079,6 +2203,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -fPIC
+$ranlib       = 
 
 *** solaris-sparcv9-cc
 $cc           = cc
@@ -2099,6 +2224,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -KPIC
+$ranlib       = 
 
 *** solaris-sparcv9-gcc
 $cc           = gcc
@@ -2119,6 +2245,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -fPIC
+$ranlib       = 
 
 *** solaris-sparcv9-gcc27
 $cc           = gcc
@@ -2139,6 +2266,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -fPIC
+$ranlib       = 
 
 *** solaris-x86-gcc
 $cc           = gcc
@@ -2159,6 +2287,7 @@ $rc5_obj      = asm/r586-sol.o
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -fPIC
+$ranlib       = 
 
 *** solaris64-sparcv9-cc
 $cc           = cc
@@ -2179,6 +2308,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -KPIC
+$ranlib       = /usr/ccs/bin/ar rs
 
 *** sunos-gcc
 $cc           = gcc
@@ -2199,6 +2329,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** ultrix-cc
 $cc           = cc
@@ -2219,6 +2350,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** ultrix-gcc
 $cc           = gcc
@@ -2239,6 +2371,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** unixware-2.0
 $cc           = cc
@@ -2259,6 +2392,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** unixware-2.0-pentium
 $cc           = cc
@@ -2279,6 +2413,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
 
 *** unixware-7
 $cc           = cc
@@ -2299,3 +2434,4 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
+$ranlib       = 
diff --git a/apps/app_rand.c b/apps/app_rand.c
index 1146f9f7f3..8a78e12eb7 100644
--- a/apps/app_rand.c
+++ b/apps/app_rand.c
@@ -177,8 +177,10 @@ long app_RAND_load_files(char *name)
 		if (*n == '\0') break;
 
 		egd=RAND_egd(n);
-		if (egd > 0) tot+=egd;
-		tot+=RAND_load_file(n,-1);
+		if (egd > 0)
+			tot+=egd;
+		else
+			tot+=RAND_load_file(n,-1);
 		if (last) break;
 		}
 	if (tot > 512)
diff --git a/apps/ca-cert.srl b/apps/ca-cert.srl
index eeee65ec41..2c7456e3eb 100644
--- a/apps/ca-cert.srl
+++ b/apps/ca-cert.srl
@@ -1 +1 @@
-05
+07
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index 67f054c645..34230b2cfb 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -313,7 +313,7 @@ bad:
 		printf("\tdsa->g=BN_bin2bn(dsa%d_g,sizeof(dsa%d_g),NULL);\n",
 			bits_p,bits_p);
 		printf("\tif ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))\n");
-		printf("\t\treturn(NULL);\n");
+		printf("\t\t{ DSA_free(dsa); return(NULL); }\n");
 		printf("\treturn(dsa);\n\t}\n");
 		}
 
diff --git a/apps/passwd.c b/apps/passwd.c
index 6851a9927d..533b4692d0 100644
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -315,7 +315,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
 	strncat(out_buf, "$", 1);
 	strncat(out_buf, salt, 8);
 	assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */
-	salt_out = out_buf + 6;
+	salt_out = out_buf + 2 + strlen(magic);
 	salt_len = strlen(salt_out);
 	assert(salt_len <= 8);
 	
diff --git a/apps/pca-cert.srl b/apps/pca-cert.srl
index 8a0f05e166..2c7456e3eb 100644
--- a/apps/pca-cert.srl
+++ b/apps/pca-cert.srl
@@ -1 +1 @@
-01
+07
diff --git a/apps/req.c b/apps/req.c
index 0751d92201..ca8dc87957 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -725,16 +725,15 @@ loop:
 
 	if (newreq || x509)
 		{
-#ifndef NO_DSA
-		if (pkey->type == EVP_PKEY_DSA)
-			digest=EVP_dss1();
-#endif
-
 		if (pkey == NULL)
 			{
 			BIO_printf(bio_err,"you need to specify a private key\n");
 			goto end;
 			}
+#ifndef NO_DSA
+		if (pkey->type == EVP_PKEY_DSA)
+			digest=EVP_dss1();
+#endif
 		if (req == NULL)
 			{
 			req=X509_REQ_new();
diff --git a/apps/rsautl.c b/apps/rsautl.c
index 2ef75649dd..95fce436bb 100644
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -55,6 +55,9 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+
+#ifndef NO_RSA
+
 #include "apps.h"
 #include <string.h>
 #include <openssl/err.h>
@@ -313,3 +316,4 @@ static void usage()
 	BIO_printf(bio_err, "-hexdump        hex dump output\n");
 }
 
+#endif
diff --git a/apps/s_client.c b/apps/s_client.c
index e0898795ee..e1f48444d5 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -153,8 +153,8 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
 	BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
 	BIO_printf(bio_err,"                 command to see what is available\n");
+	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
-
 	}
 
 int MAIN(int, char **);
@@ -347,7 +347,14 @@ bad:
 		goto end;
 		}
 
-	app_RAND_load_file(NULL, bio_err, 0);
+	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
+		&& !RAND_status())
+		{
+		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
+		}
+	if (inrand != NULL)
+		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
+			app_RAND_load_files(inrand));
 
 	if (bio_c_out == NULL)
 		{
diff --git a/apps/s_server.c b/apps/s_server.c
index 3a7c62350a..314ff4c79e 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -245,6 +245,7 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -bugs         - Turn on SSL bug compatibility\n");
 	BIO_printf(bio_err," -www          - Respond to a 'GET /' with a status page\n");
 	BIO_printf(bio_err," -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
+	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
 	}
 
@@ -598,7 +599,14 @@ bad:
 		goto end;
 		}
 
-	app_RAND_load_file(NULL, bio_err, 0);
+	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
+		&& !RAND_status())
+		{
+		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
+		}
+	if (inrand != NULL)
+		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
+			app_RAND_load_files(inrand));
 
 	if (bio_s_out == NULL)
 		{
@@ -716,7 +724,8 @@ bad:
 
 #ifndef NO_RSA
 #if 1
-	SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb);
+	if (!no_tmp_rsa)
+		SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb);
 #else
 	if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx))
 		{
diff --git a/apps/server.pem b/apps/server.pem
index c57b32507d..56248e57a3 100644
--- a/apps/server.pem
+++ b/apps/server.pem
@@ -1,17 +1,17 @@
 issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
-subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
+subject= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
 -----BEGIN CERTIFICATE-----
-MIIB6TCCAVICAQQwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
+MIIB6TCCAVICAQYwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
 BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD
-VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTgwNjI5MjM1MjQwWhcNMDAwNjI4
-MjM1MjQwWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
+VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNMDAxMDE2MjIzMTAzWhcNMDMwMTE0
+MjIzMTAzWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
 A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGlNlcnZlciB0ZXN0IGNl
 cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ+zw4Qnlf8SMVIP
 Fe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVDTGiXav6ooKXfX3j/7tdkuD8Ey2//
-Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCVvvfkGSe2GHgDFfmOua4Isjb9
-JVhImWMASiOClkZlMESDJjsszg/6+d/W+8TrbObhazpl95FivXBVucbj9dudh7AO
-IZu1h1MAPlyknc9Ud816vz3FejB4qqUoaXjnlkrIgEbr/un7jSS86WOe0hRhwHkJ
-FUGcPZf9ND22Etc+AQ==
+Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCT0grFQeZaqYb5EYfk20XixZV4
+GmyAbXMftG1Eo7qGiMhYzRwGNWxEYojf5PZkYZXvSqZ/ZXHXa4g59jK/rJNnaVGM
+k+xIX8mxQvlV0n5O9PIha5BX5teZnkHKgL8aKKLKW1BK7YTngsfSzzaeame5iKfz
+itAE+OjGF+PFKbwX8Q==
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
 MIIBPAIBAAJBAJ+zw4Qnlf8SMVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVD
diff --git a/certs/rsa-ssca.pem b/certs/rsa-ssca.pem
deleted file mode 100644
index c9403212d1..0000000000
--- a/certs/rsa-ssca.pem
+++ /dev/null
@@ -1,19 +0,0 @@
-subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
-issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
-notBefore=941109235417Z
-notAfter =991231235417Z
------BEGIN X509 CERTIFICATE-----
-
-MIICKTCCAZYCBQJBAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAw
-HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJl
-IFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDkyMzU0MTda
-Fw05OTEyMzEyMzU0MTdaMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0
-YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJlIFNlcnZlciBDZXJ0aWZp
-Y2F0aW9uIEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCSznrB
-roM+WqqJg1esJQF2DK2ujiw3zus1eGRUA+WEQFHJv48I4oqCCNIWhjdV6bEhAq12
-aIGaBaJLyUslZiJWbIgHj/eBWW2EB2VwE3F2Ppt3TONQiVaYSLkdpykaEy5KEVmc
-HhXVSVQsczppgrGXOZxtcGdI5d0t1sgeewIDAQABMA0GCSqGSIb3DQEBAgUAA34A
-iNHReSHO4ovo+MF9NFM/YYPZtgs4F7boviGNjwC4i1N+RGceIr2XJ+CchcxK9oU7
-suK+ktPlDemvXA4MRpX/oRxePug2WHpzpgr4IhFrwwk4fia7c+8AvQKk8xQNMD9h
-cHsg/jKjn7P0Z1LctO6EjJY2IN6BCINxIYoPnqk=
------END X509 CERTIFICATE-----
diff --git a/config b/config
index 5920084e82..346ad35048 100755
--- a/config
+++ b/config
@@ -168,7 +168,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
         ;;
 
     NetBSD:*:*:*386*)
-        echo "`/usr/sbin/sysctl -n hw.model | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0
+        echo "`(/usr/sbin/sysctl -n hw.model || /sbin/sysctl -n hw.model) | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0
 	;;
 
     NetBSD:*)
@@ -393,10 +393,16 @@ case "$GUESSOS" in
 	;;
   mips4-sgi-irix64)
 	echo "WARNING! If you wish to build 64-bit library, then you have to"
-	echo "         invoke './Configre irix64-mips4-$CC' *manually*."
-	echo "         Type Ctrl-C if you don't want to continue."
+	echo "         invoke './Configure irix64-mips4-$CC' *manually*."
+	echo "         Type return if you want to continue, Ctrl-C to abort."
 	read waste < /dev/tty
-	options="$options -mips4"
+        CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+        CPU=${CPU:-0}
+        if [ $CPU -ge 5000 ]; then
+                options="$options -mips4"
+        else
+                options="$options -mips3"
+        fi
 	OUT="irix-mips3-$CC"
 	;;
   alpha-*-linux2)
@@ -423,11 +429,11 @@ case "$GUESSOS" in
 	#till 64-bit glibc for SPARC is operational:-(
 	#echo "WARNING! If you wish to build 64-bit library, then you have to"
 	#echo "         invoke './Configure linux64-sparcv9' *manually*."
-	#echo "         Type Ctrl-C if you don't want to continue."
+	#echo "         Type return if you want to continue, Ctrl-C to abort."
 	#read waste < /dev/tty
 	OUT="linux-sparcv9" ;;
   sparc-*-linux2)
-	KARCH=`awk '/type/{print$3}' /proc/cpuinfo`
+	KARCH=`awk '/^type/{print$3}' /proc/cpuinfo`
 	case ${KARCH:-sun4} in
 	sun4u*)	OUT="linux-sparcv9" ;;
 	sun4m)	OUT="linux-sparcv8" ;;
@@ -435,6 +441,7 @@ case "$GUESSOS" in
 	*)	OUT="linux-sparcv7" ;;
 	esac ;;
   arm*-*-linux2) OUT="linux-elf-arm" ;;
+  s390-*-linux2) OUT="linux-s390" ;;
   *-*-linux2) OUT="linux-elf" ;;
   *-*-linux1) OUT="linux-aout" ;;
   sun4u*-*-solaris2)
@@ -442,7 +449,7 @@ case "$GUESSOS" in
 	if [ "$ISA64" != "" -a "$CC" = "cc" -a $CCVER -ge 50 ]; then
 		echo "WARNING! If you wish to build 64-bit library, then you have to"
 		echo "         invoke './Configure solaris64-sparcv9-cc' *manually*."
-		echo "         Type Ctrl-C if you don't want to continue."
+		echo "         Type return if you want to continue, Ctrl-C to abort."
 		read waste < /dev/tty
 	fi
 	OUT="solaris-sparcv9-$CC" ;;
@@ -573,7 +580,7 @@ OUT="$PREFIX$OUT"
 
 $PERL ./Configure LIST | grep "$OUT" > /dev/null
 if [ $? = "0" ]; then
-  #echo Configuring for $OUT
+  echo Configuring for $OUT
 
   if [ "$TEST" = "true" ]; then
     echo $PERL ./Configure $OUT $options
diff --git a/crypto/Makefile.ssl b/crypto/Makefile.ssl
index 37c5d9f916..7108e2c1e0 100644
--- a/crypto/Makefile.ssl
+++ b/crypto/Makefile.ssl
@@ -34,8 +34,8 @@ SDIRS=	md2 md5 sha mdc2 hmac ripemd \
 GENERAL=Makefile README crypto-lib.com install.com
 
 LIB= $(TOP)/libcrypto.a
-LIBSRC=	cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c
-LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o
+LIBSRC=	cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c
+LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o
 
 SRC= $(LIBSRC)
 
@@ -90,7 +90,8 @@ links:
 
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB)
+	@echo You may get an error following this line.  Please ignore.
+	- $(RANLIB) $(LIB)
 	@touch lib
 
 libs:
diff --git a/crypto/asn1/Makefile.ssl b/crypto/asn1/Makefile.ssl
index eae97f321d..269af44593 100644
--- a/crypto/asn1/Makefile.ssl
+++ b/crypto/asn1/Makefile.ssl
@@ -75,7 +75,8 @@ all:	lib
 
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB)
+	@echo You may get an error following this line.  Please ignore.
+	- $(RANLIB) $(LIB)
 	@touch lib
 
 files:
diff --git a/crypto/asn1/a_strnid.c b/crypto/asn1/a_strnid.c
index 6b10cff994..732e68fe46 100644
--- a/crypto/asn1/a_strnid.c
+++ b/crypto/asn1/a_strnid.c
@@ -133,7 +133,7 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,
 	if(tbl) {
 		mask = tbl->mask;
 		if(!(tbl->flags & STABLE_NO_MASK)) mask &= global_mask;
-		ret = ASN1_mbstring_ncopy(out, in, inlen, inform, tbl->mask,
+		ret = ASN1_mbstring_ncopy(out, in, inlen, inform, mask,
 					tbl->minsize, tbl->maxsize);
 	} else ret = ASN1_mbstring_copy(out, in, inlen, inform, DIRSTRING_TYPE & global_mask);
 	if(ret <= 0) return NULL;
diff --git a/crypto/asn1/asn1_mac.h b/crypto/asn1/asn1_mac.h
index 4512ba6cc6..af0e664b2d 100644
--- a/crypto/asn1/asn1_mac.h
+++ b/crypto/asn1/asn1_mac.h
@@ -196,6 +196,9 @@ err:\
 	if ((a != NULL) && (sk_##type##_num(a) != 0)) \
 		M_ASN1_I2D_put_SEQUENCE_type(type,a,f);
 
+#define M_ASN1_I2D_put_SEQUENCE_opt_ex_type(type,a,f) \
+	if (a) M_ASN1_I2D_put_SEQUENCE_type(type,a,f);
+
 #define M_ASN1_D2I_get_IMP_set_opt(b,func,free_func,tag) \
 	if ((c.slen != 0) && \
 		(M_ASN1_next == \
@@ -389,6 +392,9 @@ err:\
 		if ((a != NULL) && (sk_##type##_num(a) != 0)) \
 			M_ASN1_I2D_len_SEQUENCE_type(type,a,f);
 
+#define M_ASN1_I2D_len_SEQUENCE_opt_ex_type(type,a,f) \
+		if (a) M_ASN1_I2D_len_SEQUENCE_type(type,a,f);
+
 #define M_ASN1_I2D_len_IMP_SET(a,f,x) \
 		ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC,IS_SET);
 
@@ -452,6 +458,15 @@ err:\
 			ret+=ASN1_object_size(1,v,mtag); \
 			}
 
+#define M_ASN1_I2D_len_EXP_SEQUENCE_opt_ex_type(type,a,f,mtag,tag,v) \
+		if (a)\
+			{ \
+			v=i2d_ASN1_SET_OF_##type(a,NULL,f,tag, \
+						 V_ASN1_UNIVERSAL, \
+						 IS_SEQUENCE); \
+			ret+=ASN1_object_size(1,v,mtag); \
+			}
+
 /* Put Macros */
 #define M_ASN1_I2D_put(a,f)	f(a,&p)
 
@@ -536,6 +551,14 @@ err:\
 					       IS_SEQUENCE); \
 			}
 
+#define M_ASN1_I2D_put_EXP_SEQUENCE_opt_ex_type(type,a,f,mtag,tag,v) \
+		if (a) \
+			{ \
+			ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \
+			i2d_ASN1_SET_OF_##type(a,&p,f,tag,V_ASN1_UNIVERSAL, \
+					       IS_SEQUENCE); \
+			}
+
 #define M_ASN1_I2D_seq_total() \
 		r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE); \
 		if (pp == NULL) return(r); \
diff --git a/crypto/asn1/x_crl.c b/crypto/asn1/x_crl.c
index 1f302d0e01..51518cdf35 100644
--- a/crypto/asn1/x_crl.c
+++ b/crypto/asn1/x_crl.c
@@ -71,14 +71,14 @@ int i2d_X509_REVOKED(X509_REVOKED *a, unsigned char **pp)
 
 	M_ASN1_I2D_len(a->serialNumber,i2d_ASN1_INTEGER);
 	M_ASN1_I2D_len(a->revocationDate,i2d_ASN1_TIME);
-	M_ASN1_I2D_len_SEQUENCE_opt_type(X509_EXTENSION,a->extensions,
+	M_ASN1_I2D_len_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions,
 					 i2d_X509_EXTENSION);
 
 	M_ASN1_I2D_seq_total();
 
 	M_ASN1_I2D_put(a->serialNumber,i2d_ASN1_INTEGER);
 	M_ASN1_I2D_put(a->revocationDate,i2d_ASN1_TIME);
-	M_ASN1_I2D_put_SEQUENCE_opt_type(X509_EXTENSION,a->extensions,
+	M_ASN1_I2D_put_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions,
 					 i2d_X509_EXTENSION);
 
 	M_ASN1_I2D_finish();
@@ -121,7 +121,7 @@ int i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **pp)
 		{ M_ASN1_I2D_len(a->nextUpdate,i2d_ASN1_TIME); }
 	M_ASN1_I2D_len_SEQUENCE_opt_type(X509_REVOKED,a->revoked,
 					 i2d_X509_REVOKED);
-	M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions,
+	M_ASN1_I2D_len_EXP_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions,
 					     i2d_X509_EXTENSION,0,
 					     V_ASN1_SEQUENCE,v1);
 
@@ -138,7 +138,7 @@ int i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **pp)
 		{ M_ASN1_I2D_put(a->nextUpdate,i2d_ASN1_TIME); }
 	M_ASN1_I2D_put_SEQUENCE_opt_type(X509_REVOKED,a->revoked,
 					 i2d_X509_REVOKED);
-	M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions,
+	M_ASN1_I2D_put_EXP_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions,
 					     i2d_X509_EXTENSION,0,
 					     V_ASN1_SEQUENCE,v1);
 
@@ -260,7 +260,7 @@ X509_CRL_INFO *X509_CRL_INFO_new(void)
 	M_ASN1_New(ret->lastUpdate,M_ASN1_UTCTIME_new);
 	ret->nextUpdate=NULL;
 	M_ASN1_New(ret->revoked,sk_X509_REVOKED_new_null);
-	M_ASN1_New(ret->extensions,sk_X509_EXTENSION_new_null);
+	ret->extensions = NULL;
 	sk_X509_REVOKED_set_cmp_func(ret->revoked,X509_REVOKED_cmp);
 	return(ret);
 	M_ASN1_New_Error(ASN1_F_X509_CRL_INFO_NEW);
diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c
index b832deb928..585a375c48 100644
--- a/crypto/asn1/x_name.c
+++ b/crypto/asn1/x_name.c
@@ -141,8 +141,9 @@ static int i2d_X509_NAME_entries(X509_NAME *a)
 			}
 		size+=i2d_X509_NAME_ENTRY(ne,NULL);
 		}
-
-	ret+=ASN1_object_size(1,size,V_ASN1_SET);
+	/* If empty no extra SET OF needed */
+	if (ret)
+		ret+=ASN1_object_size(1,size,V_ASN1_SET);
 	if (fe != NULL)
 		fe->size=size;
 
diff --git a/crypto/bf/Makefile.ssl b/crypto/bf/Makefile.ssl
index adc9eec3c6..2d61ec50f4 100644
--- a/crypto/bf/Makefile.ssl
+++ b/crypto/bf/Makefile.ssl
@@ -44,7 +44,8 @@ all:	lib
 
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB)
+	@echo You may get an error following this line.  Please ignore.
+	- $(RANLIB) $(LIB)
 	@touch lib
 
 # elf
diff --git a/crypto/bio/Makefile.ssl b/crypto/bio/Makefile.ssl
index af5998b102..00caa9f7eb 100644
--- a/crypto/bio/Makefile.ssl
+++ b/crypto/bio/Makefile.ssl
@@ -49,7 +49,8 @@ all:	lib
 
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB)
+	@echo You may get an error following this line.  Please ignore.
+	- $(RANLIB) $(LIB)
 	@touch lib
 
 files:
diff --git a/crypto/bio/b_sock.c b/crypto/bio/b_sock.c
index 64310058b4..62cc3f1a0c 100644
--- a/crypto/bio/b_sock.c
+++ b/crypto/bio/b_sock.c
@@ -113,8 +113,8 @@ int BIO_get_host_ip(const char *str, unsigned char *ip)
 
 	/* At this point, we have something that is most probably correct
 	   in some way, so let's init the socket. */
-	if (!BIO_sock_init())
-		return(0); /* don't generate another error code here */
+	if (BIO_sock_init() != 1)
+		return 0; /* don't generate another error code here */
 
 	/* If the string actually contained an IP address, we need not do
 	   anything more */
@@ -519,15 +519,15 @@ int BIO_get_accept_socket(char *host, int bind_mode)
 	{
 	int ret=0;
 	struct sockaddr_in server,client;
-	int s= -1,cs;
+	int s=INVALID_SOCKET,cs;
 	unsigned char ip[4];
 	unsigned short port;
-	char *str,*e;
+	char *str=NULL,*e;
 	const char *h,*p;
 	unsigned long l;
 	int err_num;
 
-	if (!BIO_sock_init()) return(INVALID_SOCKET);
+	if (BIO_sock_init() != 1) return(INVALID_SOCKET);
 
 	if ((str=BUF_strdup(host)) == NULL) return(INVALID_SOCKET);
 
@@ -553,7 +553,7 @@ int BIO_get_accept_socket(char *host, int bind_mode)
 		h="*";
 		}
 
-	if (!BIO_get_port(p,&port)) return(INVALID_SOCKET);
+	if (!BIO_get_port(p,&port)) goto err;
 
 	memset((char *)&server,0,sizeof(server));
 	server.sin_family=AF_INET;
@@ -563,7 +563,7 @@ int BIO_get_accept_socket(char *host, int bind_mode)
 		server.sin_addr.s_addr=INADDR_ANY;
 	else
 		{
-		if (!BIO_get_host_ip(h,&(ip[0]))) return(INVALID_SOCKET);
+                if (!BIO_get_host_ip(h,&(ip[0]))) goto err;
 		l=(unsigned long)
 			((unsigned long)ip[0]<<24L)|
 			((unsigned long)ip[1]<<16L)|
diff --git a/crypto/bn/Makefile.ssl b/crypto/bn/Makefile.ssl
index 85be16a5b6..ad36267e26 100644
--- a/crypto/bn/Makefile.ssl
+++ b/crypto/bn/Makefile.ssl
@@ -68,7 +68,8 @@ bnbug: bnbug.c ../../libcrypto.a top
 
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB)
+	@echo You may get an error following this line.  Please ignore.
+	- $(RANLIB) $(LIB)
 	@touch lib
 
 # elf
diff --git a/crypto/bn/asm/pa-risc2.s b/crypto/bn/asm/pa-risc2.s
index 7239aa2c76..af9730d062 100644
--- a/crypto/bn/asm/pa-risc2.s
+++ b/crypto/bn/asm/pa-risc2.s
@@ -1611,7 +1611,7 @@ bn_mul_comba4
 	.IMPORT	$global$,DATA
 	.SPACE	$TEXT$
 	.SUBSPA	$CODE$
-	.SUBSPA	$LIT$,QUAD=0,ALIGN=8,ACCESS=0x2c,SORT=16
+	.SUBSPA	$LIT$,ACCESS=0x2c
 C$7
 	.ALIGN	8
 	.STRINGZ	"Division would overflow (%d)\n"
diff --git a/crypto/bn/asm/pa-risc2W.s b/crypto/bn/asm/pa-risc2W.s
index 54b6606252..a99545754d 100644
--- a/crypto/bn/asm/pa-risc2W.s
+++ b/crypto/bn/asm/pa-risc2W.s
@@ -1598,7 +1598,7 @@ bn_mul_comba4
 	.IMPORT	$global$,DATA
 	.SPACE	$TEXT$
 	.SUBSPA	$CODE$
-	.SUBSPA	$LIT$,QUAD=0,ALIGN=8,ACCESS=0x2c,SORT=16
+	.SUBSPA	$LIT$,ACCESS=0x2c
 C$4
 	.ALIGN	8
 	.STRINGZ	"Division would overflow (%d)\n"
diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h
index 1eb8395b25..b232c2ceae 100644
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@@ -239,7 +239,7 @@ typedef struct bignum_st
 	} BIGNUM;
 
 /* Used for temp variables */
-#define BN_CTX_NUM	12
+#define BN_CTX_NUM	16
 #define BN_CTX_NUM_POS	12
 typedef struct bignum_ctx
 	{
@@ -328,6 +328,7 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx);
 void	BN_CTX_end(BN_CTX *ctx);
 int     BN_rand(BIGNUM *rnd, int bits, int top,int bottom);
 int     BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom);
+int	BN_rand_range(BIGNUM *rnd, BIGNUM *range);
 int	BN_num_bits(const BIGNUM *a);
 int	BN_num_bits_word(BN_ULONG);
 BIGNUM *BN_new(void);
@@ -467,6 +468,8 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num);
 # define bn_dump(a,b)
 #endif
 
+int BN_bntest_rand(BIGNUM *rnd, int bits, int top,int bottom);
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
@@ -493,16 +496,19 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num);
 #define BN_F_BN_MPI2BN					 112
 #define BN_F_BN_NEW					 113
 #define BN_F_BN_RAND					 114
+#define BN_F_BN_RAND_RANGE				 122
 #define BN_F_BN_USUB					 115
 
 /* Reason codes. */
 #define BN_R_ARG2_LT_ARG3				 100
 #define BN_R_BAD_RECIPROCAL				 101
+#define BN_R_BIGNUM_TOO_LONG				 114
 #define BN_R_CALLED_WITH_EVEN_MODULUS			 102
 #define BN_R_DIV_BY_ZERO				 103
 #define BN_R_ENCODING_ERROR				 104
 #define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA		 105
 #define BN_R_INVALID_LENGTH				 106
+#define BN_R_INVALID_RANGE				 115
 #define BN_R_NOT_INITIALIZED				 107
 #define BN_R_NO_INVERSE					 108
 #define BN_R_TOO_MANY_TEMPORARY_VARIABLES		 109
diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c
index c3772c243b..891b602631 100644
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -180,13 +180,13 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 
 	BN_CTX_start(ctx);
 	tmp=BN_CTX_get(ctx);
-	tmp->neg=0;
 	snum=BN_CTX_get(ctx);
 	sdiv=BN_CTX_get(ctx);
 	if (dv == NULL)
 		res=BN_CTX_get(ctx);
 	else	res=dv;
-	if (res == NULL) goto err;
+	if (sdiv==NULL || res == NULL) goto err;
+	tmp->neg=0;
 
 	/* First we normalise the numbers */
 	norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2);
@@ -237,7 +237,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 	for (i=0; i<loop-1; i++)
 		{
 		BN_ULONG q,l0;
-#ifdef BN_DIV3W
+#if defined(BN_DIV3W) && !defined(NO_ASM)
 		q=bn_div_3_words(wnump,d1,d0);
 #else
 		BN_ULONG n0,n1,rem=0;
diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c
index 86550c4c21..adc6a214fc 100644
--- a/crypto/bn/bn_err.c
+++ b/crypto/bn/bn_err.c
@@ -84,6 +84,7 @@ static ERR_STRING_DATA BN_str_functs[]=
 {ERR_PACK(0,BN_F_BN_MPI2BN,0),	"BN_mpi2bn"},
 {ERR_PACK(0,BN_F_BN_NEW,0),	"BN_new"},
 {ERR_PACK(0,BN_F_BN_RAND,0),	"BN_rand"},
+{ERR_PACK(0,BN_F_BN_RAND_RANGE,0),	"BN_rand_range"},
 {ERR_PACK(0,BN_F_BN_USUB,0),	"BN_usub"},
 {0,NULL}
 	};
@@ -92,11 +93,13 @@ static ERR_STRING_DATA BN_str_reasons[]=
 	{
 {BN_R_ARG2_LT_ARG3                       ,"arg2 lt arg3"},
 {BN_R_BAD_RECIPROCAL                     ,"bad reciprocal"},
+{BN_R_BIGNUM_TOO_LONG                    ,"bignum too long"},
 {BN_R_CALLED_WITH_EVEN_MODULUS           ,"called with even modulus"},
 {BN_R_DIV_BY_ZERO                        ,"div by zero"},
 {BN_R_ENCODING_ERROR                     ,"encoding error"},
 {BN_R_EXPAND_ON_STATIC_BIGNUM_DATA       ,"expand on static bignum data"},
 {BN_R_INVALID_LENGTH                     ,"invalid length"},
+{BN_R_INVALID_RANGE                      ,"invalid range"},
 {BN_R_NOT_INITIALIZED                    ,"not initialized"},
 {BN_R_NO_INVERSE                         ,"no inverse"},
 {BN_R_TOO_MANY_TEMPORARY_VARIABLES       ,"too many temporary variables"},
diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index b6b0ce4b3c..7767d65170 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -62,6 +62,7 @@
 #endif
 
 #include <assert.h>
+#include <limits.h>
 #include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
@@ -319,6 +320,12 @@ BIGNUM *bn_expand2(BIGNUM *b, int words)
 
 	if (words > b->dmax)
 		{
+		if (words > (INT_MAX/(4*BN_BITS2)))
+			{
+			BNerr(BN_F_BN_EXPAND2,BN_R_BIGNUM_TOO_LONG);
+			return NULL;
+			}
+			
 		bn_check_top(b);	
 		if (BN_get_flags(b,BN_FLG_STATIC_DATA))
 			{
diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index 21ecbc04ed..acd0619921 100644
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -76,7 +76,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
 
 	bytes=(bits+7)/8;
 	bit=(bits-1)%8;
-	mask=0xff<<bit;
+	mask=0xff<<(bit+1);
 
 	buf=(unsigned char *)OPENSSL_malloc(bytes);
 	if (buf == NULL)
@@ -100,25 +100,48 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
 			goto err;
 		}
 
-	if (top)
+#if 1
+	if (pseudorand == 2)
 		{
-		if (bit == 0)
+		/* generate patterns that are more likely to trigger BN
+		   library bugs */
+		int i;
+		unsigned char c;
+
+		for (i = 0; i < bytes; i++)
+			{
+			RAND_pseudo_bytes(&c, 1);
+			if (c >= 128 && i > 0)
+				buf[i] = buf[i-1];
+			else if (c < 42)
+				buf[i] = 0;
+			else if (c < 84)
+				buf[i] = 255;
+			}
+		}
+#endif
+
+	if (top != -1)
+		{
+		if (top)
 			{
-			buf[0]=1;
-			buf[1]|=0x80;
+			if (bit == 0)
+				{
+				buf[0]=1;
+				buf[1]|=0x80;
+				}
+			else
+				{
+				buf[0]|=(3<<(bit-1));
+				}
 			}
 		else
 			{
-			buf[0]|=(3<<(bit-1));
-			buf[0]&= ~(mask<<1);
+			buf[0]|=(1<<bit);
 			}
 		}
-	else
-		{
-		buf[0]|=(1<<bit);
-		buf[0]&= ~(mask<<1);
-		}
-	if (bottom) /* set bottom bits to whatever odd is */
+	buf[0] &= ~mask;
+	if (bottom) /* set bottom bit if requested */
 		buf[bytes-1]|=1;
 	if (!BN_bin2bn(buf,bytes,rnd)) goto err;
 	ret=1;
@@ -140,3 +163,61 @@ int     BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom)
 	{
 	return bnrand(1, rnd, bits, top, bottom);
 	}
+
+#if 1
+int     BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom)
+	{
+	return bnrand(2, rnd, bits, top, bottom);
+	}
+#endif
+
+/* random number r:  0 <= r < range */
+int	BN_rand_range(BIGNUM *r, BIGNUM *range)
+	{
+	int n;
+
+	if (range->neg || BN_is_zero(range))
+		{
+		BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE);
+		return 0;
+		}
+
+	n = BN_num_bits(range); /* n > 0 */
+
+	if (n == 1)
+		{
+		if (!BN_zero(r)) return 0;
+		}
+	else if (BN_is_bit_set(range, n - 2))
+		{
+		do
+			{
+			/* range = 11..._2, so each iteration succeeds with probability >= .75 */
+			if (!BN_rand(r, n, -1, 0)) return 0;
+			}
+		while (BN_cmp(r, range) >= 0);
+		}
+	else
+		{
+		/* range = 10..._2,
+		 * so  3*range (= 11..._2)  is exactly one bit longer than  range */
+		do
+			{
+			if (!BN_rand(r, n + 1, -1, 0)) return 0;
+			/* If  r < 3*range,  use  r := r MOD range
+			 * (which is either  r, r - range,  or  r - 2*range).
+			 * Otherwise, iterate once more.
+			 * Since  3*range = 11..._2, each iteration succeeds with
+			 * probability >= .75. */
+			if (BN_cmp(r ,range) >= 0)
+				{
+				if (!BN_sub(r, r, range)) return 0;
+				if (BN_cmp(r, range) >= 0)
+					if (!BN_sub(r, r, range)) return 0;
+				}
+			}
+		while (BN_cmp(r, range) >= 0);
+		}
+
+	return 1;
+	}
diff --git a/crypto/bn/bn_shift.c b/crypto/bn/bn_shift.c
index 0883247384..c2608f9f4a 100644
--- a/crypto/bn/bn_shift.c
+++ b/crypto/bn/bn_shift.c
@@ -172,6 +172,11 @@ int BN_rshift(BIGNUM *r, BIGNUM *a, int n)
 		r->neg=a->neg;
 		if (bn_wexpand(r,a->top-nw+1) == NULL) return(0);
 		}
+	else
+		{
+		if (n == 0)
+			return 1; /* or the copying loop will go berserk */
+		}
 
 	f= &(a->d[nw]);
 	t=r->d;
diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c
index 0a97af69c5..af0c2629e8 100644
--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -107,11 +107,9 @@ static const char rnd_seed[] = "string to make the random number generator think
 static void message(BIO *out, char *m)
 	{
 	fprintf(stderr, "test %s\n", m);
-#if defined(linux) || defined(__FreeBSD__) /* can we use GNU bc features? */
 	BIO_puts(out, "print \"test ");
 	BIO_puts(out, m);
 	BIO_puts(out, "\\n\"\n");
-#endif
 	}
 
 int main(int argc, char *argv[])
@@ -122,9 +120,7 @@ int main(int argc, char *argv[])
 
 	results = 0;
 
-	RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_rand may fail, and we don't
-	                                       * even check its return value
-	                                       * (which we should) */
+	RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */
 
 	argc--;
 	argv++;
@@ -253,10 +249,10 @@ int test_add(BIO *bp)
 	BN_init(&b);
 	BN_init(&c);
 
-	BN_rand(&a,512,0,0);
+	BN_bntest_rand(&a,512,0,0);
 	for (i=0; i<num0; i++)
 		{
-		BN_rand(&b,450+i,0,0);
+		BN_bntest_rand(&b,450+i,0,0);
 		a.neg=rand_neg();
 		b.neg=rand_neg();
 		if (bp == NULL)
@@ -305,14 +301,14 @@ int test_sub(BIO *bp)
 		{
 		if (i < num1)
 			{
-			BN_rand(&a,512,0,0);
+			BN_bntest_rand(&a,512,0,0);
 			BN_copy(&b,&a);
 			if (BN_set_bit(&a,i)==0) return(0);
 			BN_add_word(&b,i);
 			}
 		else
 			{
-			BN_rand(&b,400+i-num1,0,0);
+			BN_bntest_rand(&b,400+i-num1,0,0);
 			a.neg=rand_neg();
 			b.neg=rand_neg();
 			}
@@ -362,13 +358,13 @@ int test_div(BIO *bp, BN_CTX *ctx)
 		{
 		if (i < num1)
 			{
-			BN_rand(&a,400,0,0);
+			BN_bntest_rand(&a,400,0,0);
 			BN_copy(&b,&a);
 			BN_lshift(&a,&a,i);
 			BN_add_word(&a,i);
 			}
 		else
-			BN_rand(&b,50+3*(i-num1),0,0);
+			BN_bntest_rand(&b,50+3*(i-num1),0,0);
 		a.neg=rand_neg();
 		b.neg=rand_neg();
 		if (bp == NULL)
@@ -432,13 +428,13 @@ int test_div_recp(BIO *bp, BN_CTX *ctx)
 		{
 		if (i < num1)
 			{
-			BN_rand(&a,400,0,0);
+			BN_bntest_rand(&a,400,0,0);
 			BN_copy(&b,&a);
 			BN_lshift(&a,&a,i);
 			BN_add_word(&a,i);
 			}
 		else
-			BN_rand(&b,50+3*(i-num1),0,0);
+			BN_bntest_rand(&b,50+3*(i-num1),0,0);
 		a.neg=rand_neg();
 		b.neg=rand_neg();
 		BN_RECP_CTX_set(&recp,&b,ctx);
@@ -509,11 +505,11 @@ int test_mul(BIO *bp)
 		{
 		if (i <= num1)
 			{
-			BN_rand(&a,100,0,0);
-			BN_rand(&b,100,0,0);
+			BN_bntest_rand(&a,100,0,0);
+			BN_bntest_rand(&b,100,0,0);
 			}
 		else
-			BN_rand(&b,i-num1,0,0);
+			BN_bntest_rand(&b,i-num1,0,0);
 		a.neg=rand_neg();
 		b.neg=rand_neg();
 		if (bp == NULL)
@@ -562,7 +558,7 @@ int test_sqr(BIO *bp, BN_CTX *ctx)
 
 	for (i=0; i<num0; i++)
 		{
-		BN_rand(&a,40+i*10,0,0);
+		BN_bntest_rand(&a,40+i*10,0,0);
 		a.neg=rand_neg();
 		if (bp == NULL)
 			for (j=0; j<100; j++)
@@ -613,15 +609,15 @@ int test_mont(BIO *bp, BN_CTX *ctx)
 
 	mont=BN_MONT_CTX_new();
 
-	BN_rand(&a,100,0,0); /**/
-	BN_rand(&b,100,0,0); /**/
+	BN_bntest_rand(&a,100,0,0); /**/
+	BN_bntest_rand(&b,100,0,0); /**/
 	for (i=0; i<num2; i++)
 		{
 		int bits = (200*(i+1))/num2;
 
 		if (bits == 0)
 			continue;
-		BN_rand(&n,bits,0,1);
+		BN_bntest_rand(&n,bits,0,1);
 		BN_MONT_CTX_set(mont,&n,ctx);
 
 		BN_to_montgomery(&A,&a,mont,ctx);
@@ -683,10 +679,10 @@ int test_mod(BIO *bp, BN_CTX *ctx)
 	d=BN_new();
 	e=BN_new();
 
-	BN_rand(a,1024,0,0); /**/
+	BN_bntest_rand(a,1024,0,0); /**/
 	for (i=0; i<num0; i++)
 		{
-		BN_rand(b,450+i*10,0,0); /**/
+		BN_bntest_rand(b,450+i*10,0,0); /**/
 		a->neg=rand_neg();
 		b->neg=rand_neg();
 		if (bp == NULL)
@@ -732,11 +728,11 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx)
 	d=BN_new();
 	e=BN_new();
 
-	BN_rand(c,1024,0,0); /**/
+	BN_bntest_rand(c,1024,0,0); /**/
 	for (i=0; i<num0; i++)
 		{
-		BN_rand(a,475+i*10,0,0); /**/
-		BN_rand(b,425+i*11,0,0); /**/
+		BN_bntest_rand(a,475+i*10,0,0); /**/
+		BN_bntest_rand(b,425+i*11,0,0); /**/
 		a->neg=rand_neg();
 		b->neg=rand_neg();
 	/*	if (bp == NULL)
@@ -794,11 +790,11 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx)
 	d=BN_new();
 	e=BN_new();
 
-	BN_rand(c,30,0,1); /* must be odd for montgomery */
+	BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */
 	for (i=0; i<num2; i++)
 		{
-		BN_rand(a,20+i*5,0,0); /**/
-		BN_rand(b,2+i,0,0); /**/
+		BN_bntest_rand(a,20+i*5,0,0); /**/
+		BN_bntest_rand(b,2+i,0,0); /**/
 
 		if (!BN_mod_exp(d,a,b,c,ctx))
 			return(00);
@@ -848,8 +844,8 @@ int test_exp(BIO *bp, BN_CTX *ctx)
 
 	for (i=0; i<num2; i++)
 		{
-		BN_rand(a,20+i*5,0,0); /**/
-		BN_rand(b,2+i,0,0); /**/
+		BN_bntest_rand(a,20+i*5,0,0); /**/
+		BN_bntest_rand(b,2+i,0,0); /**/
 
 		if (!BN_exp(d,a,b,ctx))
 			return(00);
@@ -899,7 +895,7 @@ int test_lshift(BIO *bp,BN_CTX *ctx,BIGNUM *a_)
 	else
 	    {
 	    a=BN_new();
-	    BN_rand(a,200,0,0); /**/
+	    BN_bntest_rand(a,200,0,0); /**/
 	    a->neg=rand_neg();
 	    }
 	for (i=0; i<num0; i++)
@@ -951,7 +947,7 @@ int test_lshift1(BIO *bp)
 	b=BN_new();
 	c=BN_new();
 
-	BN_rand(a,200,0,0); /**/
+	BN_bntest_rand(a,200,0,0); /**/
 	a->neg=rand_neg();
 	for (i=0; i<num0; i++)
 		{
@@ -995,7 +991,7 @@ int test_rshift(BIO *bp,BN_CTX *ctx)
 	e=BN_new();
 	BN_one(c);
 
-	BN_rand(a,200,0,0); /**/
+	BN_bntest_rand(a,200,0,0); /**/
 	a->neg=rand_neg();
 	for (i=0; i<num0; i++)
 		{
@@ -1038,7 +1034,7 @@ int test_rshift1(BIO *bp)
 	b=BN_new();
 	c=BN_new();
 
-	BN_rand(a,200,0,0); /**/
+	BN_bntest_rand(a,200,0,0); /**/
 	a->neg=rand_neg();
 	for (i=0; i<num0; i++)
 		{
diff --git a/crypto/buffer/Makefile.ssl b/crypto/buffer/Makefile.ssl
index 4e11038c8b..c088ec6b3c 100644
--- a/crypto/buffer/Makefile.ssl
+++ b/crypto/buffer/Makefile.ssl
@@ -39,7 +39,8 @@ all:	lib
 
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB)
+	@echo You may get an error following this line.  Please ignore.
+	- $(RANLIB) $(LIB)
 	@touch lib
 
 files:
diff --git a/crypto/cast/Makefile.ssl b/crypto/cast/Makefile.ssl
index afba084e8b..0aa1cbc55a 100644
--- a/crypto/cast/Makefile.ssl
+++ b/crypto/cast/Makefile.ssl
@@ -47,7 +47,8 @@ all:	lib
 
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB)
+	@echo You may get an error following this line.  Please ignore.
+	- $(RANLIB) $(LIB)
 	@touch lib
 
 # elf
diff --git a/crypto/comp/Makefile.ssl b/crypto/comp/Makefile.ssl
index 3064df2447..ba705c2a1c 100644
--- a/crypto/comp/Makefile.ssl
+++ b/crypto/comp/Makefile.ssl
@@ -42,7 +42,8 @@ all:	lib
 
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB)
+	@echo You may get an error following this line.  Please ignore.
+	- $(RANLIB) $(LIB)
 	@touch lib
 
 files:
diff --git a/crypto/conf/Makefile.ssl b/crypto/conf/Makefile.ssl
index ea82d46727..a96212252a 100644
--- a/crypto/conf/Makefile.ssl
+++ b/crypto/conf/Makefile.ssl
@@ -40,7 +40,8 @@ all:	lib
 
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB)
+	@echo You may get an error following this line.  Please ignore.
+	- $(RANLIB) $(LIB)
 	@touch lib
 
 files:
diff --git a/crypto/conf/conf.h b/crypto/conf/conf.h
index 2f70634455..cd40a0db21 100644
--- a/crypto/conf/conf.h
+++ b/crypto/conf/conf.h
@@ -167,6 +167,8 @@ int NCONF_dump_bio(CONF *conf, BIO *out);
 #define CONF_R_MISSING_EQUAL_SIGN			 101
 #define CONF_R_NO_CLOSE_BRACE				 102
 #define CONF_R_NO_CONF					 105
+#define CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE		 106
+#define CONF_R_NO_SECTION				 107
 #define CONF_R_UNABLE_TO_CREATE_NEW_SECTION		 103
 #define CONF_R_VARIABLE_HAS_NO_VALUE			 104
 
diff --git a/crypto/conf/conf_err.c b/crypto/conf/conf_err.c
index 06d3163573..8c2bc6f1c4 100644
--- a/crypto/conf/conf_err.c
+++ b/crypto/conf/conf_err.c
@@ -87,6 +87,8 @@ static ERR_STRING_DATA CONF_str_reasons[]=
 {CONF_R_MISSING_EQUAL_SIGN               ,"missing equal sign"},
 {CONF_R_NO_CLOSE_BRACE                   ,"no close brace"},
 {CONF_R_NO_CONF                          ,"no conf"},
+{CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE  ,"no conf or environment variable"},
+{CONF_R_NO_SECTION                       ,"no section"},
 {CONF_R_UNABLE_TO_CREATE_NEW_SECTION     ,"unable to create new section"},
 {CONF_R_VARIABLE_HAS_NO_VALUE            ,"variable has no value"},
 {0,NULL}
diff --git a/crypto/conf/conf_lib.c b/crypto/conf/conf_lib.c
index 4c8ca9e9ae..11ec639732 100644
--- a/crypto/conf/conf_lib.c
+++ b/crypto/conf/conf_lib.c
@@ -131,38 +131,59 @@ LHASH *CONF_load_bio(LHASH *conf, BIO *bp,long *eline)
 
 STACK_OF(CONF_VALUE) *CONF_get_section(LHASH *conf,char *section)
 	{
-	CONF ctmp;
+	if (conf == NULL)
+		{
+		return NULL;
+		}
+	else
+		{
+		CONF ctmp;
 
-	if (default_CONF_method == NULL)
-		default_CONF_method = NCONF_default();
+		if (default_CONF_method == NULL)
+			default_CONF_method = NCONF_default();
 
-	default_CONF_method->init(&ctmp);
-	ctmp.data = conf;
-	return NCONF_get_section(&ctmp, section);
+		default_CONF_method->init(&ctmp);
+		ctmp.data = conf;
+		return NCONF_get_section(&ctmp, section);
+		}
 	}
 
 char *CONF_get_string(LHASH *conf,char *group,char *name)
 	{
-	CONF ctmp;
+	if (conf == NULL)
+		{
+		return NCONF_get_string(NULL, group, name);
+		}
+	else
+		{
+		CONF ctmp;
 
-	if (default_CONF_method == NULL)
-		default_CONF_method = NCONF_default();
+		if (default_CONF_method == NULL)
+			default_CONF_method = NCONF_default();
 
-	default_CONF_method->init(&ctmp);
-	ctmp.data = conf;
-	return NCONF_get_string(&ctmp, group, name);
+		default_CONF_method->init(&ctmp);
+		ctmp.data = conf;
+		return NCONF_get_string(&ctmp, group, name);
+		}
 	}
 
 long CONF_get_number(LHASH *conf,char *group,char *name)
 	{
-	CONF ctmp;
+	if (conf == NULL)
+		{
+		return NCONF_get_number(NULL, group, name);
+		}
+	else
+		{
+		CONF ctmp;
 
-	if (default_CONF_method == NULL)
-		default_CONF_method = NCONF_default();
+		if (default_CONF_method == NULL)
+			default_CONF_method = NCONF_default();
 
-	default_CONF_method->init(&ctmp);
-	ctmp.data = conf;
-	return NCONF_get_number(&ctmp, group, name);
+		default_CONF_method->init(&ctmp);
+		ctmp.data = conf;
+		return NCONF_get_number(&ctmp, group, name);
+		}
 	}
 
 void CONF_free(LHASH *conf)
@@ -299,27 +320,46 @@ STACK_OF(CONF_VALUE) *NCONF_get_section(CONF *conf,char *section)
 		return NULL;
 		}
 
+	if (section == NULL)
+		{
+		CONFerr(CONF_F_NCONF_GET_SECTION,CONF_R_NO_SECTION);
+		return NULL;
+		}
+
 	return _CONF_get_section_values(conf, section);
 	}
 
 char *NCONF_get_string(CONF *conf,char *group,char *name)
 	{
+	char *s = _CONF_get_string(conf, group, name);
+
+        /* Since we may get a value from an environment variable even
+           if conf is NULL, let's check the value first */
+        if (s) return s;
+
 	if (conf == NULL)
 		{
-		CONFerr(CONF_F_NCONF_GET_STRING,CONF_R_NO_CONF);
+		CONFerr(CONF_F_NCONF_GET_STRING,
+                        CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE);
 		return NULL;
 		}
-
-	return _CONF_get_string(conf, group, name);
+	return NULL;
 	}
 
 long NCONF_get_number(CONF *conf,char *group,char *name)
 	{
+#if 0 /* As with _CONF_get_string(), we rely on the possibility of finding
+         an environment variable with a suitable name.  Unfortunately, there's
+         no way with the current API to see if we found one or not...
+         The meaning of this is that if a number is not found anywhere, it
+         will always default to 0. */
 	if (conf == NULL)
 		{
-		CONFerr(CONF_F_NCONF_GET_NUMBER,CONF_R_NO_CONF);
+		CONFerr(CONF_F_NCONF_GET_NUMBER,
+                        CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE);
 		return 0;
 		}
+#endif
 	
 	return _CONF_get_number(conf, group, name);
 	}
diff --git a/crypto/crypto.h b/crypto/crypto.h
index 52ee97b71a..9257673279 100644
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
@@ -278,6 +278,8 @@ int CRYPTO_is_mem_check_on(void);
 const char *SSLeay_version(int type);
 unsigned long SSLeay(void);
 
+int OPENSSL_issetugid(void);
+
 int CRYPTO_get_ex_new_index(int idx, STACK_OF(CRYPTO_EX_DATA_FUNCS) **skp, long argl, void *argp,
 	     CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val);
diff --git a/crypto/des/Makefile.ssl b/crypto/des/Makefile.ssl
index b3cfe3dab6..28e58f4207 100644
--- a/crypto/des/Makefile.ssl
+++ b/crypto/des/Makefile.ssl
@@ -57,7 +57,8 @@ all:	lib
 
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB)
+	@echo You may get an error following this line.  Please ignore.
+	- $(RANLIB) $(LIB)
 	@touch lib
 
 des: des.o cbc3_enc.o lib
diff --git a/crypto/dh/Makefile.ssl b/crypto/dh/Makefile.ssl
index 4616ca2b20..ec0e1ec5a3 100644
--- a/crypto/dh/Makefile.ssl
+++ b/crypto/dh/Makefile.ssl
@@ -39,7 +39,8 @@ all:	lib
 
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB)
+	@echo You may get an error following this line.  Please ignore.
+	- $(RANLIB) $(LIB)
 	@touch lib
 
 files:
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 6915d79dcc..22b087b778 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -100,7 +100,6 @@ DH_METHOD *DH_OpenSSL(void)
 static int generate_key(DH *dh)
 	{
 	int ok=0;
-	unsigned int i;
 	BN_CTX ctx;
 	BN_MONT_CTX *mont;
 	BIGNUM *pub_key=NULL,*priv_key=NULL;
@@ -109,15 +108,11 @@ static int generate_key(DH *dh)
 
 	if (dh->priv_key == NULL)
 		{
-		i=dh->length;
-		if (i == 0)
-			{
-			/* Make the number p-1 bits long */
-			i=BN_num_bits(dh->p)-1;
-			}
 		priv_key=BN_new();
 		if (priv_key == NULL) goto err;
-		if (!BN_rand(priv_key,i,0,0)) goto err;
+		do
+			if (!BN_rand_range(priv_key, dh->p)) goto err;
+		while (BN_is_zero(priv_key));
 		}
 	else
 		priv_key=dh->priv_key;
diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c
index 66803b5565..96f118c153 100644
--- a/crypto/dh/dh_lib.c
+++ b/crypto/dh/dh_lib.c
@@ -168,13 +168,13 @@ DH *DH_new_method(ENGINE *engine)
 	ret->method_mont_p=NULL;
 	ret->references = 1;
 	ret->flags=meth->flags;
+	CRYPTO_new_ex_data(dh_meth,ret,&ret->ex_data);
 	if ((meth->init != NULL) && !meth->init(ret))
 		{
+		CRYPTO_free_ex_data(dh_meth,ret,&ret->ex_data);
 		OPENSSL_free(ret);
 		ret=NULL;
 		}
-	else
-		CRYPTO_new_ex_data(dh_meth,ret,&ret->ex_data);
 	return(ret);
 	}
 
@@ -196,12 +196,12 @@ void DH_free(DH *r)
 	}
 #endif
 
-	CRYPTO_free_ex_data(dh_meth, r, &r->ex_data);
-
 	meth = ENGINE_get_DH(r->engine);
 	if(meth->finish) meth->finish(r);
 	ENGINE_finish(r->engine);
 
+	CRYPTO_free_ex_data(dh_meth, r, &r->ex_data);
+
 	if (r->p != NULL) BN_clear_free(r->p);
 	if (r->g != NULL) BN_clear_free(r->g);
 	if (r->q != NULL) BN_clear_free(r->q);
diff --git a/crypto/dsa/Makefile.ssl b/crypto/dsa/Makefile.ssl
index 24758c64cd..70899e8278 100644
--- a/crypto/dsa/Makefile.ssl
+++ b/crypto/dsa/Makefile.ssl
@@ -41,7 +41,8 @@ all:	lib
 
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB)
+	@echo You may get an error following this line.  Please ignore.
+	- $(RANLIB) $(LIB)
 	@touch lib
 
 files:
diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c
index af3c56d770..86cacfb3b9 100644
--- a/crypto/dsa/dsa_key.c
+++ b/crypto/dsa/dsa_key.c
@@ -68,7 +68,6 @@
 int DSA_generate_key(DSA *dsa)
 	{
 	int ok=0;
-	unsigned int i;
 	BN_CTX *ctx=NULL;
 	BIGNUM *pub_key=NULL,*priv_key=NULL;
 
@@ -81,15 +80,9 @@ int DSA_generate_key(DSA *dsa)
 	else
 		priv_key=dsa->priv_key;
 
-	i=BN_num_bits(dsa->q);
-	for (;;)
-		{
-		if (!BN_rand(priv_key,i,0,0))
-			goto err;
-		if (BN_cmp(priv_key,dsa->q) >= 0)
-			BN_sub(priv_key,priv_key,dsa->q);
-		if (!BN_is_zero(priv_key)) break;
-		}
+	do
+		if (!BN_rand_range(priv_key,dsa->q)) goto err;
+	while (BN_is_zero(priv_key));
 
 	if (dsa->pub_key == NULL)
 		{
diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c
index b31b946ad3..15f667a203 100644
--- a/crypto/dsa/dsa_lib.c
+++ b/crypto/dsa/dsa_lib.c
@@ -173,13 +173,13 @@ DSA *DSA_new_method(ENGINE *engine)
 
 	ret->references=1;
 	ret->flags=meth->flags;
+	CRYPTO_new_ex_data(dsa_meth,ret,&ret->ex_data);
 	if ((meth->init != NULL) && !meth->init(ret))
 		{
+		CRYPTO_free_ex_data(dsa_meth,ret,&ret->ex_data);
 		OPENSSL_free(ret);
 		ret=NULL;
 		}
-	else
-		CRYPTO_new_ex_data(dsa_meth,ret,&ret->ex_data);
 	
 	return(ret);
 	}
@@ -204,12 +204,12 @@ void DSA_free(DSA *r)
 		}
 #endif
 
-	CRYPTO_free_ex_data(dsa_meth, r, &r->ex_data);
-
 	meth = ENGINE_get_DSA(r->engine);
 	if(meth->finish) meth->finish(r);
 	ENGINE_finish(r->engine);
 
+	CRYPTO_free_ex_data(dsa_meth, r, &r->ex_data);
+
 	if (r->p != NULL) BN_clear_free(r->p);
 	if (r->q != NULL) BN_clear_free(r->q);
 	if (r->g != NULL) BN_clear_free(r->g);
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 96295dc24f..72878e193f 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -180,13 +180,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 	kinv=NULL;
 
 	/* Get random k */
-	for (;;)
-		{
-		if (!BN_rand(&k, BN_num_bits(dsa->q), 0, 0)) goto err;
-		if (BN_cmp(&k,dsa->q) >= 0)
-			BN_sub(&k,&k,dsa->q);
-		if (!BN_is_zero(&k)) break;
-		}
+	do
+		if (!BN_rand_range(&k, dsa->q)) goto err;
+	while (BN_is_zero(&k));
 
 	if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
 		{
diff --git a/crypto/dso/Makefile.ssl b/crypto/dso/Makefile.ssl
index effc46d2dc..33630e0bbb 100644
--- a/crypto/dso/Makefile.ssl
+++ b/crypto/dso/Makefile.ssl
@@ -41,7 +41,8 @@ all:	lib
 
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB)
+	@echo You may get an error following this line.  Please ignore.
+	- $(RANLIB) $(LIB)
 	@touch lib
 
 files:
diff --git a/crypto/dso/dso_dl.c b/crypto/dso/dso_dl.c
index 69810fc3bb..f661ec5bfb 100644
--- a/crypto/dso/dso_dl.c
+++ b/crypto/dso/dso_dl.c
@@ -187,7 +187,7 @@ static void *dl_bind_var(DSO *dso, const char *symname)
 		DSOerr(DSO_F_DL_BIND_VAR,DSO_R_NULL_HANDLE);
 		return(NULL);
 		}
-	if (shl_findsym(ptr, symname, TYPE_UNDEFINED, &sym) < 0)
+	if (shl_findsym(&ptr, symname, TYPE_UNDEFINED, &sym) < 0)
 		{
 		DSOerr(DSO_F_DL_BIND_VAR,DSO_R_SYM_FAILURE);
 		return(NULL);
@@ -216,7 +216,7 @@ static DSO_FUNC_TYPE dl_bind_func(DSO *dso, const char *symname)
 		DSOerr(DSO_F_DL_BIND_FUNC,DSO_R_NULL_HANDLE);
 		return(NULL);
 		}
-	if (shl_findsym(ptr, symname, TYPE_UNDEFINED, &sym) < 0)
+	if (shl_findsym(&ptr, symname, TYPE_UNDEFINED, &sym) < 0)
 		{
 		DSOerr(DSO_F_DL_BIND_FUNC,DSO_R_SYM_FAILURE);
 		return(NULL);
diff --git a/crypto/err/Makefile.ssl b/crypto/err/Makefile.ssl
index c4cfaef3f0..0e6d307e3b 100644
--- a/crypto/err/Makefile.ssl
+++ b/crypto/err/Makefile.ssl
@@ -39,7 +39,8 @@ all:	lib
 
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB)
+	@echo You may get an error following this line.  Please ignore.
+	- $(RANLIB) $(LIB)
 	@touch lib
 
 files:
diff --git a/crypto/err/err.c b/crypto/err/err.c
index 99272e437c..92b7891c26 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -464,7 +464,15 @@ static unsigned long get_error_values(int inc, const char **file, int *line,
 			}
 		}
 
-	if (data != NULL)
+	if (data == NULL)
+		{
+		if (inc && (es->err_data[i] != NULL) && (es->err_data_flags[i] & ERR_TXT_MALLOCED))
+			{
+			OPENSSL_free(es->err_data[i]);
+			es->err_data[i] = NULL;
+			}
+		}
+	else
 		{
 		if (es->err_data[i] == NULL)
 			{
diff --git a/crypto/ex_data.c b/crypto/ex_data.c
index 1ee88da2a8..739e543d78 100644
--- a/crypto/ex_data.c
+++ b/crypto/ex_data.c
@@ -101,7 +101,7 @@ int CRYPTO_get_ex_new_index(int idx, STACK_OF(CRYPTO_EX_DATA_FUNCS) **skp, long
 	ret=idx;
 err:
 	MemCheck_on();
-	return(idx);
+	return(ret);
 	}
 
 int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val)
diff --git a/crypto/mem_dbg.c b/crypto/mem_dbg.c
index 866c53e73a..ef19d8f844 100644
--- a/crypto/mem_dbg.c
+++ b/crypto/mem_dbg.c
@@ -81,7 +81,8 @@ static int mh_mode=CRYPTO_MEM_CHECK_OFF;
  */
 
 static unsigned long order = 0; /* number of memory requests */
-static LHASH *mh=NULL; /* hash-table of memory requests (address as key) */
+static LHASH *mh=NULL; /* hash-table of memory requests (address as key);
+                        * access requires MALLOC2 lock */
 
 
 typedef struct app_mem_info_st
@@ -103,7 +104,8 @@ typedef struct app_mem_info_st
 
 static LHASH *amih=NULL; /* hash-table with those app_mem_info_st's
                           * that are at the top of their thread's stack
-                          * (with `thread' as key) */
+                          * (with `thread' as key);
+                          * access requires MALLOC2 lock */
 
 typedef struct mem_st
 /* memory-block description */
@@ -128,7 +130,15 @@ static long options =             /* extra information to be recorded */
 	0;
 
 
-static unsigned long disabling_thread = 0;
+static unsigned int num_disable = 0; /* num_disable > 0
+                                      *     iff
+                                      * mh_mode == CRYPTO_MEM_CHECK_ON (w/o ..._ENABLE)
+                                      */
+static unsigned long disabling_thread = 0; /* Valid iff num_disable > 0.
+                                            * CRYPTO_LOCK_MALLOC2 is locked
+                                            * exactly in this case (by the
+                                            * thread named in disabling_thread).
+                                            */
 
 int CRYPTO_mem_ctrl(int mode)
 	{
@@ -137,22 +147,23 @@ int CRYPTO_mem_ctrl(int mode)
 	CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
 	switch (mode)
 		{
-	/* for applications: */
+	/* for applications (not to be called while multiple threads
+	 * use the library): */
 	case CRYPTO_MEM_CHECK_ON: /* aka MemCheck_start() */
 		mh_mode = CRYPTO_MEM_CHECK_ON|CRYPTO_MEM_CHECK_ENABLE;
-		disabling_thread = 0;
+		num_disable = 0;
 		break;
 	case CRYPTO_MEM_CHECK_OFF: /* aka MemCheck_stop() */
 		mh_mode = 0;
-		disabling_thread = 0;
+		num_disable = 0; /* should be true *before* MemCheck_stop is used,
+		                    or there'll be a lot of confusion */
 		break;
 
 	/* switch off temporarily (for library-internal use): */
 	case CRYPTO_MEM_CHECK_DISABLE: /* aka MemCheck_off() */
 		if (mh_mode & CRYPTO_MEM_CHECK_ON)
 			{
-			mh_mode&= ~CRYPTO_MEM_CHECK_ENABLE;
-			if (disabling_thread != CRYPTO_thread_id()) /* otherwise we already have the MALLOC2 lock */
+			if (!num_disable || (disabling_thread != CRYPTO_thread_id())) /* otherwise we already have the MALLOC2 lock */
 				{
 				/* Long-time lock CRYPTO_LOCK_MALLOC2 must not be claimed while
 				 * we're holding CRYPTO_LOCK_MALLOC, or we'll deadlock if
@@ -169,18 +180,23 @@ int CRYPTO_mem_ctrl(int mode)
 				 * OpenSSL threads. */
 				CRYPTO_w_lock(CRYPTO_LOCK_MALLOC2);
 				CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
+				mh_mode &= ~CRYPTO_MEM_CHECK_ENABLE;
 				disabling_thread=CRYPTO_thread_id();
 				}
+			num_disable++;
 			}
 		break;
 	case CRYPTO_MEM_CHECK_ENABLE: /* aka MemCheck_on() */
 		if (mh_mode & CRYPTO_MEM_CHECK_ON)
 			{
-			mh_mode|=CRYPTO_MEM_CHECK_ENABLE;
-			if (disabling_thread != 0)
+			if (num_disable) /* always true, or something is going wrong */
 				{
-				disabling_thread=0;
-				CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2);
+				num_disable--;
+				if (num_disable == 0)
+					{
+					mh_mode|=CRYPTO_MEM_CHECK_ENABLE;
+					CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2);
+					}
 				}
 			}
 		break;
@@ -198,12 +214,12 @@ int CRYPTO_is_mem_check_on(void)
 
 	if (mh_mode & CRYPTO_MEM_CHECK_ON)
 		{
-		CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
+		CRYPTO_r_lock(CRYPTO_LOCK_MALLOC);
 
 		ret = (mh_mode & CRYPTO_MEM_CHECK_ENABLE)
-			&& disabling_thread != CRYPTO_thread_id();
+			|| (disabling_thread != CRYPTO_thread_id());
 
-		CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
+		CRYPTO_r_unlock(CRYPTO_LOCK_MALLOC);
 		}
 	return(ret);
 	}	
@@ -293,7 +309,7 @@ int CRYPTO_push_info_(const char *info, const char *file, int line)
 
 	if (is_MemCheck_on())
 		{
-		MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+		MemCheck_off(); /* obtain MALLOC2 lock */
 
 		if ((ami = (APP_INFO *)OPENSSL_malloc(sizeof(APP_INFO))) == NULL)
 			{
@@ -330,7 +346,7 @@ int CRYPTO_push_info_(const char *info, const char *file, int line)
 			ami->next=amim;
 			}
  err:
-		MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+		MemCheck_on(); /* release MALLOC2 lock */
 		}
 
 	return(ret);
@@ -342,11 +358,11 @@ int CRYPTO_pop_info(void)
 
 	if (is_MemCheck_on()) /* _must_ be true, or something went severely wrong */
 		{
-		MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+		MemCheck_off(); /* obtain MALLOC2 lock */
 
 		ret=(pop_info() != NULL);
 
-		MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+		MemCheck_on(); /* release MALLOC2 lock */
 		}
 	return(ret);
 	}
@@ -357,12 +373,12 @@ int CRYPTO_remove_all_info(void)
 
 	if (is_MemCheck_on()) /* _must_ be true */
 		{
-		MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+		MemCheck_off(); /* obtain MALLOC2 lock */
 
 		while(pop_info() != NULL)
 			ret++;
 
-		MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+		MemCheck_on(); /* release MALLOC2 lock */
 		}
 	return(ret);
 	}
@@ -385,11 +401,12 @@ void CRYPTO_dbg_malloc(void *addr, int num, const char *file, int line,
 
 		if (is_MemCheck_on())
 			{
-			MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+			MemCheck_off(); /* make sure we hold MALLOC2 lock */
 			if ((m=(MEM *)OPENSSL_malloc(sizeof(MEM))) == NULL)
 				{
 				OPENSSL_free(addr);
-				MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+				MemCheck_on(); /* release MALLOC2 lock
+				                * if num_disabled drops to 0 */
 				return;
 				}
 			if (mh == NULL)
@@ -448,7 +465,8 @@ void CRYPTO_dbg_malloc(void *addr, int num, const char *file, int line,
 				OPENSSL_free(mm);
 				}
 		err:
-			MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+			MemCheck_on(); /* release MALLOC2 lock
+			                * if num_disabled drops to 0 */
 			}
 		break;
 		}
@@ -467,7 +485,7 @@ void CRYPTO_dbg_free(void *addr, int before_p)
 
 		if (is_MemCheck_on() && (mh != NULL))
 			{
-			MemCheck_off();
+			MemCheck_off(); /* make sure we hold MALLOC2 lock */
 
 			m.addr=addr;
 			mp=(MEM *)lh_delete(mh,(char *)&m);
@@ -484,7 +502,8 @@ void CRYPTO_dbg_free(void *addr, int before_p)
 				OPENSSL_free(mp);
 				}
 
-			MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+			MemCheck_on(); /* release MALLOC2 lock
+			                * if num_disabled drops to 0 */
 			}
 		break;
 	case 1:
@@ -518,7 +537,7 @@ void CRYPTO_dbg_realloc(void *addr1, void *addr2, int num,
 
 		if (is_MemCheck_on())
 			{
-			MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+			MemCheck_off(); /* make sure we hold MALLOC2 lock */
 
 			m.addr=addr1;
 			mp=(MEM *)lh_delete(mh,(char *)&m);
@@ -535,7 +554,8 @@ void CRYPTO_dbg_realloc(void *addr1, void *addr2, int num,
 				lh_insert(mh,(char *)mp);
 				}
 
-			MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+			MemCheck_on(); /* release MALLOC2 lock
+			                * if num_disabled drops to 0 */
 			}
 		break;
 		}
@@ -642,10 +662,12 @@ void CRYPTO_mem_leaks(BIO *b)
 
 	if (mh == NULL && amih == NULL)
 		return;
+
+	MemCheck_off(); /* obtain MALLOC2 lock */
+
 	ml.bio=b;
 	ml.bytes=0;
 	ml.chunks=0;
-	MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
 	if (mh != NULL)
 		lh_doall_arg(mh,(void (*)())print_leak,(char *)&ml);
 	if (ml.chunks != 0)
@@ -671,7 +693,15 @@ void CRYPTO_mem_leaks(BIO *b)
 		 * void_fn_to_char kludge in CRYPTO_mem_leaks_cb.
 		 * Otherwise the code police will come and get us.)
 		 */
+		int old_mh_mode;
+
 		CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
+
+		/* avoid deadlock when lh_free() uses CRYPTO_dbg_free(),
+		 * which uses CRYPTO_is_mem_check_on */
+		old_mh_mode = mh_mode;
+		mh_mode = CRYPTO_MEM_CHECK_OFF;
+
 		if (mh != NULL)
 			{
 			lh_free(mh);
@@ -685,15 +715,11 @@ void CRYPTO_mem_leaks(BIO *b)
 				amih = NULL;
 				}
 			}
+
+		mh_mode = old_mh_mode;
 		CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
 		}
-	MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
-
-#if 0
-	lh_stats_bio(mh,b);
-	lh_node_stats_bio(mh,b);
-	lh_node_usage_stats_bio(mh,b);
-#endif
+	MemCheck_on(); /* release MALLOC2 lock */
 	}
 
 #ifndef NO_FP_API
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index 6b5aedeea6..92a5e4e678 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -25,8 +25,8 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x0090600fL
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.6 [engine] 24 Sep 2000"
+#define OPENSSL_VERSION_NUMBER	0x00906010L
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.6a-dev [engine] XX xxx XXXX"
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 
 
diff --git a/e_os.h b/e_os.h
index 0c0784f9a9..4f9c983ef1 100644
--- a/e_os.h
+++ b/e_os.h
@@ -355,12 +355,14 @@ extern HINSTANCE _hInstance;
 #    if defined(VMS) && !defined(__DECC)
 #      include <socket.h>
 #      include <in.h>
+#      include <inet.h>
 #    else
 #      include <sys/socket.h>
 #      ifdef FILIO_H
 #        include <sys/filio.h> /* Added for FIONBIO under unixware */
 #      endif
 #      include <netinet/in.h>
+#      include <arpa/inet.h>
 #    endif
 
 #    if defined(NeXT) || defined(_NEXT_SOURCE)
diff --git a/openssl.spec b/openssl.spec
index 1c8f4e9d81..33a47116d6 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -96,8 +96,8 @@ perl util/perlpath.pl /usr/bin/perl
 #!#./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-ppc shared
 %endif
 %ifarch alpha
-./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-alpha
-#!#./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-alpha shared
+./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-alpha-gcc
+#!#./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-alpha-gcc shared
 %endif
 LD_LIBRARY_PATH=`pwd` make
 LD_LIBRARY_PATH=`pwd` make rehash
-- 
2.25.1