OpenSSL 0.9.4 merge

13 files changed, 1032 insertions, 516 deletions

diff --git a/lib/libcrypto/pkcs7/Makefile.ssl b/lib/libcrypto/pkcs7/Makefile.ssl
index a88359b3202..436442a7a1f 100644
--- a/lib/libcrypto/pkcs7/Makefile.ssl
+++ b/lib/libcrypto/pkcs7/Makefile.ssl
@@ -7,16 +7,16 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I../../include
 CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=		make -f Makefile.ssl
-MAKEDEPEND=	makedepend -f Makefile.ssl
+MAKEDEPEND=	$(TOP)/util/domd $(TOP)
 MAKEFILE=	Makefile.ssl
 AR=		ar r
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 
-ERR=pkcs7
-ERRC=pkcs7err
 GENERAL=Makefile README
 TEST=
 APPS=
@@ -39,26 +39,39 @@ test:
 
 all:	lib
 
+testapps: enc dec sign verify
+
+enc: enc.o lib
+	$(CC) $(CFLAGS) -o enc enc.o $(LIB)
+
+dec: dec.o lib
+	$(CC) $(CFLAGS) -o dec dec.o $(LIB)
+
+sign: sign.o lib
+	$(CC) $(CFLAGS) -o sign sign.o $(LIB)
+
+verify: verify.o example.o lib
+	$(CC) $(CFLAGS) -o verify verify.o example.o $(LIB)
+
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	sh $(TOP)/util/ranlib.sh $(LIB)
+	$(RANLIB) $(LIB)
 	@touch lib
 
 files:
-	perl $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
 
 links:
-	/bin/rm -f Makefile
-	$(TOP)/util/point.sh Makefile.ssl Makefile ;
-	$(TOP)/util/mklink.sh ../../include $(EXHEADER)
-	$(TOP)/util/mklink.sh ../../test $(TEST)
-	$(TOP)/util/mklink.sh ../../apps $(APPS)
+	@$(TOP)/util/point.sh Makefile.ssl Makefile
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
 	@for i in $(EXHEADER) ; \
 	do  \
-	(cp $$i $(INSTALLTOP)/include/$$i; \
-	chmod 644 $(INSTALLTOP)/include/$$i ); \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
 	done;
 
 tags:
@@ -70,17 +83,63 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
 
 dclean:
-	perl -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
 	mv -f Makefile.new $(MAKEFILE)
 
 clean:
-	/bin/rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
-
-errors:
-	perl $(TOP)/util/err-ins.pl $(ERR).err $(ERR).h
-	perl ../err/err_genc.pl -s $(ERR).h $(ERRC).c
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
+
+pk7_doit.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pk7_doit.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pk7_doit.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pk7_doit.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pk7_doit.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pk7_doit.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+pk7_doit.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk7_doit.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pk7_doit.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk7_doit.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pk7_doit.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+pk7_doit.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
+pk7_doit.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+pk7_doit.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+pk7_doit.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pk7_doit.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+pk7_doit.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+pk7_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pk7_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pk7_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+pk7_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pk7_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pk7_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+pk7_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk7_lib.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pk7_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk7_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pk7_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+pk7_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pk7_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pk7_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pk7_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pk7_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pk7_lib.o: ../cryptlib.h
+pkcs7err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pkcs7err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+pkcs7err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+pkcs7err.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+pkcs7err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+pkcs7err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pkcs7err.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+pkcs7err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pkcs7err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pkcs7err.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+pkcs7err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+pkcs7err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+pkcs7err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pkcs7err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pkcs7err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
diff --git a/lib/libcrypto/pkcs7/enc.c b/lib/libcrypto/pkcs7/enc.c
index 625a7c22852..43bfd10a238 100644
--- a/lib/libcrypto/pkcs7/enc.c
+++ b/lib/libcrypto/pkcs7/enc.c
@@ -56,61 +56,82 @@
  * [including the GNU Public Licence.]
  */
 #include <stdio.h>
-#include "bio.h"
-#include "x509.h"
-#include "pem.h"
+#include <openssl/bio.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
 
-main(argc,argv)
+int main(argc,argv)
 int argc;
 char *argv[];
 	{
 	X509 *x509;
-	EVP_PKEY *pkey;
 	PKCS7 *p7;
-	PKCS7 *p7_data;
-	PKCS7_SIGNER_INFO *si;
 	BIO *in;
 	BIO *data,*p7bio;
 	char buf[1024*4];
-	int i,j;
-	int nodetach=0;
+	int i;
+	int nodetach=1;
+	char *keyfile = NULL;
+	const EVP_CIPHER *cipher=NULL;
+	STACK_OF(X509) *recips=NULL;
 
-	EVP_add_digest(EVP_sha1());
-	EVP_add_cipher(EVP_des_cbc());
+	SSLeay_add_all_algorithms();
 
 	data=BIO_new(BIO_s_file());
-again:
-	if (argc > 1)
+	while(argc > 1)
 		{
 		if (strcmp(argv[1],"-nd") == 0)
 			{
 			nodetach=1;
 			argv++; argc--;
-			goto again;
 			}
-		if (!BIO_read_filename(data,argv[1]))
-			goto err;
-		}
-	else
-		BIO_set_fp(data,stdin,BIO_NOCLOSE);
+		else if ((strcmp(argv[1],"-c") == 0) && (argc >= 2)) {
+			if(!(cipher = EVP_get_cipherbyname(argv[2]))) {
+				fprintf(stderr, "Unknown cipher %s\n", argv[2]);
+				goto err;
+			}
+			argc-=2;
+			argv+=2;
+		} else if ((strcmp(argv[1],"-k") == 0) && (argc >= 2)) {
+			keyfile = argv[2];
+			argc-=2;
+			argv+=2;
+			if (!(in=BIO_new_file(keyfile,"r"))) goto err;
+			if (!(x509=PEM_read_bio_X509(in,NULL,NULL))) goto err;
+			if(!recips) recips = sk_X509_new_null();
+			sk_X509_push(recips, x509);
+			BIO_free(in);
+		} else break;
+	}
 
-	if ((in=BIO_new_file("server.pem","r")) == NULL) goto err;
-	if ((x509=PEM_read_bio_X509(in,NULL,NULL)) == NULL) goto err;
+	if(!recips) {
+		fprintf(stderr, "No recipients\n");
+		goto err;
+	}
+
+	if (!BIO_read_filename(data,argv[1])) goto err;
+
+	p7=PKCS7_new();
+#if 0
 	BIO_reset(in);
 	if ((pkey=PEM_read_bio_PrivateKey(in,NULL,NULL)) == NULL) goto err;
 	BIO_free(in);
-
-	p7=PKCS7_new();
 	PKCS7_set_type(p7,NID_pkcs7_signedAndEnveloped);
 	 
 	if (PKCS7_add_signature(p7,x509,pkey,EVP_sha1()) == NULL) goto err;
-
-	if (!PKCS7_set_cipher(p7,EVP_des_cbc())) goto err;
-	if (PKCS7_add_recipient(p7,x509) == NULL) goto err;
-
 	/* we may want to add more */
 	PKCS7_add_certificate(p7,x509);
-
+#else
+	PKCS7_set_type(p7,NID_pkcs7_enveloped);
+#endif
+	if(!cipher) cipher = EVP_des_ede3_cbc();
+
+	if (!PKCS7_set_cipher(p7,cipher)) goto err;
+	for(i = 0; i < sk_X509_num(recips); i++) {
+		if (!PKCS7_add_recipient(p7,sk_X509_value(recips, i))) goto err;
+	}
+	sk_X509_pop_free(recips, X509_free);
 
 	/* Set the content of the signed to 'data' */
 	/* PKCS7_content_new(p7,NID_pkcs7_data); not used in envelope */
@@ -129,7 +150,7 @@ again:
 		}
 	BIO_flush(p7bio);
 
-	if (!PKCS7_dataSign(p7,p7bio)) goto err;
+	if (!PKCS7_dataFinal(p7,p7bio)) goto err;
 	BIO_free(p7bio);
 
 	PEM_write_PKCS7(stdout,p7);
diff --git a/lib/libcrypto/pkcs7/mf.p7 b/lib/libcrypto/pkcs7/mf.p7
deleted file mode 100644
index 524335b4b30..00000000000
--- a/lib/libcrypto/pkcs7/mf.p7
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN PKCS7-----
-MIAGCSqGSIb3DQEHAqCAMIIC2QIBATEMMAoGCCqGSIb3DQIFMIAGCSqGSIb3DQEH
-AQAAoIIB7TCCAekwggFSAgEAMA0GCSqGSIb3DQEBBAUAMFsxCzAJBgNVBAYTAkFV
-MRMwEQYDVQQIEwpRdWVlbnNsYW5kMRowGAYDVQQKExFDcnlwdFNvZnQgUHR5IEx0
-ZDEbMBkGA1UEAxMSVGVzdCBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTc0NloX
-DTk4MDYwOTEzNTc0NlowYzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xh
-bmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMSMwIQYDVQQDExpTZXJ2ZXIg
-dGVzdCBjZXJ0ICg1MTIgYml0KTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCfs8OE
-J5X/EjFSDxXvRhHErYDmNlsP3YDXYY3g/HJFCTT+VWZFQ0xol2r+qKCl3194/+7X
-ZLg/BMtv/yr+/rntAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAeEzEdgr2nChPcALL
-vY8gl/GIlpoAjPmKD+pLeGZI9s+SEX5u1q8nCrJ6ZzkfrRnqgI5Anmev9+qPZfdU
-bz5zdVSf4sUL9nX9ChXjK9NCJA3UzQHSFqhZErGUwGNkAHYHp2+zAdY6Ho6rmMzt
-g0CDu/sKR4qzm6REsQGS8kgpjz4xgcUwgcICAQEwYDBbMQswCQYDVQQGEwJBVTET
-MBEGA1UECBMKUXVlZW5zbGFuZDEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQx
-GzAZBgNVBAMTElRlc3QgQ0EgKDEwMjQgYml0KQIBADAKBggqhkiG9w0CBTANBgkq
-hkiG9w0BAQQFAARALnrxJiOX9XZf2D+3vL8SKMQmMq55LltomwOLGUru/q1uVXzi
-ARg7FSCegOpA1nunsTURMUGgrPXKK4XmL4IseQAAAAA=
------END PKCS7-----
diff --git a/lib/libcrypto/pkcs7/p7.tst b/lib/libcrypto/pkcs7/p7.tst
deleted file mode 100644
index 6d14dce1634..00000000000
--- a/lib/libcrypto/pkcs7/p7.tst
+++ /dev/null
@@ -1,33 +0,0 @@
------BEGIN PKCS7-----
-MIAGCSqGSIb3DQEHAqCAMIIFsQIBATELMAkGBSsOAwIaBQAwgAYJKoZIhvcNAQcB
-AACgggQdMIICJTCCAc+gAwIBAgIBIjANBgkqhkiG9w0BAQQFADCBgjELMAkGA1UE
-BhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5lMRow
-GAYDVQQKExFDcnlwdFNvZnQgUHR5IEx0ZDEUMBIGA1UECxMLZGV2ZWxvcG1lbnQx
-GTAXBgNVBAMTEENyeXB0U29mdCBEZXYgQ0EwHhcNOTcwNjEzMTgxMDE3WhcNOTgw
-NjEzMTgxMDE3WjCBiDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQx
-ETAPBgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdFNvZnQgUHR5IEx0ZDEU
-MBIGA1UECxMLSUlTIHRlc3RpbmcxDjAMBgNVBAMTBXRlc3QxMQ8wDQYJKoZIhvcN
-AQkBFgAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxtWiv59VH42+rotrmFAyDxTc
-J2osFt5uy/zEllx3vvjtwewqQxGUOwf6cjqFOTrnpEdVvwywpEhIQ5364bJqIwID
-AQABoygwJjAkBglghkgBhvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0G
-CSqGSIb3DQEBBAUAA0EAMnYkNV2AdpeHPy/qlcdZx6MDGIJgrLhklhcn6Or6KiAP
-t9+nv9XdOGHyMyQr9ufsweuQfAgJ9yjKPZR2/adTjTCCAfAwggGaAgEAMA0GCSqG
-SIb3DQEBBAUAMIGCMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDER
-MA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRQw
-EgYDVQQLEwtkZXZlbG9wbWVudDEZMBcGA1UEAxMQQ3J5cHRTb2Z0IERldiBDQTAe
-Fw05NzAzMjIxMzM0MDRaFw05ODAzMjIxMzM0MDRaMIGCMQswCQYDVQQGEwJBVTET
-MBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoT
-EUNyeXB0U29mdCBQdHkgTHRkMRQwEgYDVQQLEwtkZXZlbG9wbWVudDEZMBcGA1UE
-AxMQQ3J5cHRTb2Z0IERldiBDQTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDgDgKq
-IBuUMAJi4c8juAqEZ8f8FcuDWT+HcScvNztRJy9K8DnbGpiSrzzix4El6N4A7vbl
-crwn/0CZmQJguZpfAgMBAAEwDQYJKoZIhvcNAQEEBQADQQA0UUvxlXXe6wKkVukn
-ZoCyXbjlNsqt2rwbvfZEam6fQP3S7uq+o1Pnj+KDgE33WxWbQAA9h8fY1LWN7X3a
-yTm/MYIBbTCCAWkCAQEwgYgwgYIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVl
-bnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0
-eSBMdGQxFDASBgNVBAsTC2RldmVsb3BtZW50MRkwFwYDVQQDExBDcnlwdFNvZnQg
-RGV2IENBAgEiMAkGBSsOAwIaBQCgfTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcB
-MCMGCSqGSIb3DQEJBDEWBBSUVhbGkNE+KGqpOK13+FkfOkaoizAcBgkqhkiG9w0B
-CQUxDxcNOTcwNzAxMDE0MzM0WjAeBgkqhkiG9w0BCQ8xETAPMA0GCCqGSIb3DQMC
-AgEoMA0GCSqGSIb3DQEBAQUABECa9Jpo4w/fZOc3Vy78wZFAVF8kvpn7il99Ldsr
-AQ4JiBmcfiSwEBBY6WuKT+/SYtFwZl1oXkTwB5AVCFIC/IFNAAAAAA==
------END PKCS7-----
diff --git a/lib/libcrypto/pkcs7/pk7_dgst.c b/lib/libcrypto/pkcs7/pk7_dgst.c
index 7769abeb1e7..90edfa5001f 100644
--- a/lib/libcrypto/pkcs7/pk7_dgst.c
+++ b/lib/libcrypto/pkcs7/pk7_dgst.c
@@ -58,9 +58,9 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include "evp.h"
-#include "rand.h"
-#include "objects.h"
-#include "x509.h"
-#include "pkcs7.h"
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
 
diff --git a/lib/libcrypto/pkcs7/pk7_doit.c b/lib/libcrypto/pkcs7/pk7_doit.c
index b5689b3fe4c..dee81b547ad 100644
--- a/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/lib/libcrypto/pkcs7/pk7_doit.c
@@ -58,20 +58,23 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include "rand.h"
-#include "objects.h"
-#include "x509.h"
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
 
-BIO *PKCS7_dataInit(p7,bio)
-PKCS7 *p7;
-BIO *bio;
+static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
+			 void *value);
+static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid);
+
+BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
 	{
 	int i,j;
-	BIO *out=NULL,*btmp;
+	BIO *out=NULL,*btmp=NULL;
 	X509_ALGOR *xa;
-	EVP_MD *evp_md;
-	EVP_CIPHER *evp_cipher=NULL;
-	STACK *md_sk=NULL,*rsk=NULL;
+	const EVP_MD *evp_md;
+	const EVP_CIPHER *evp_cipher=NULL;
+	STACK_OF(X509_ALGOR) *md_sk=NULL;
+	STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
 	X509_ALGOR *xalg=NULL;
 	PKCS7_RECIP_INFO *ri=NULL;
 	EVP_PKEY *pkey;
@@ -87,13 +90,25 @@ BIO *bio;
 	case NID_pkcs7_signedAndEnveloped:
 		rsk=p7->d.signed_and_enveloped->recipientinfo;
 		md_sk=p7->d.signed_and_enveloped->md_algs;
-		evp_cipher=EVP_get_cipherbyname(OBJ_nid2sn(OBJ_obj2nid(p7->d.signed_and_enveloped->enc_data->algorithm->algorithm)));
+		xalg=p7->d.signed_and_enveloped->enc_data->algorithm;
+		evp_cipher=p7->d.signed_and_enveloped->enc_data->cipher;
 		if (evp_cipher == NULL)
 			{
-			PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
+			PKCS7err(PKCS7_F_PKCS7_DATAINIT,
+						PKCS7_R_CIPHER_NOT_INITIALIZED);
+			goto err;
+			}
+		break;
+	case NID_pkcs7_enveloped:
+		rsk=p7->d.enveloped->recipientinfo;
+		xalg=p7->d.enveloped->enc_data->algorithm;
+		evp_cipher=p7->d.enveloped->enc_data->cipher;
+		if (evp_cipher == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATAINIT,
+						PKCS7_R_CIPHER_NOT_INITIALIZED);
 			goto err;
 			}
-		xalg=p7->d.signed_and_enveloped->enc_data->algorithm;
 		break;
 	default:
 		PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
@@ -102,10 +117,14 @@ BIO *bio;
 
 	if (md_sk != NULL)
 		{
-		for (i=0; i<sk_num(md_sk); i++)
+		for (i=0; i<sk_X509_ALGOR_num(md_sk); i++)
 			{
-			xa=(X509_ALGOR *)sk_value(md_sk,i);
-			if ((btmp=BIO_new(BIO_f_md())) == NULL) goto err;
+			xa=sk_X509_ALGOR_value(md_sk,i);
+			if ((btmp=BIO_new(BIO_f_md())) == NULL)
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_BIO_LIB);
+				goto err;
+				}
 
 			j=OBJ_obj2nid(xa->algorithm);
 			evp_md=EVP_get_digestbyname(OBJ_nid2sn(j));
@@ -120,6 +139,7 @@ BIO *bio;
 				out=btmp;
 			else
 				BIO_push(out,btmp);
+			btmp=NULL;
 			}
 		}
 
@@ -130,49 +150,70 @@ BIO *bio;
 		int keylen,ivlen;
 		int jj,max;
 		unsigned char *tmp;
+		EVP_CIPHER_CTX *ctx;
 
-		if ((btmp=BIO_new(BIO_f_cipher())) == NULL) goto err;
+		if ((btmp=BIO_new(BIO_f_cipher())) == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_BIO_LIB);
+			goto err;
+			}
+		BIO_get_cipher_ctx(btmp, &ctx);
 		keylen=EVP_CIPHER_key_length(evp_cipher);
 		ivlen=EVP_CIPHER_iv_length(evp_cipher);
-
-		if (ivlen > 0)
-			{
-			ASN1_OCTET_STRING *os;
-
-			RAND_bytes(iv,ivlen);
-			os=ASN1_OCTET_STRING_new();
-			ASN1_OCTET_STRING_set(os,iv,ivlen);
-		/*	ASN1_TYPE_set(xalg->parameter,V_ASN1_OCTET_STRING,
-				(char *)os);
-		*/	}
 		RAND_bytes(key,keylen);
+		xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher));
+		if (ivlen > 0) RAND_bytes(iv,ivlen);
+		EVP_CipherInit(ctx, evp_cipher, key, iv, 1);
+
+		if (ivlen > 0) {
+			if (xalg->parameter == NULL) 
+						xalg->parameter=ASN1_TYPE_new();
+			if(EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) < 0)
+								       goto err;
+		}
 
 		/* Lets do the pub key stuff :-) */
 		max=0;
-		for (i=0; i<sk_num(rsk); i++)
+		for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++)
 			{
-			ri=(PKCS7_RECIP_INFO *)sk_value(rsk,i);
-			if (ri->cert == NULL) abort();
+			ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
+			if (ri->cert == NULL)
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_MISSING_CERIPEND_INFO);
+				goto err;
+				}
 			pkey=X509_get_pubkey(ri->cert);
 			jj=EVP_PKEY_size(pkey);
+			EVP_PKEY_free(pkey);
 			if (max < jj) max=jj;
 			}
-		if ((tmp=(unsigned char *)Malloc(max)) == NULL) abort();
-		for (i=0; i<sk_num(rsk); i++)
+		if ((tmp=(unsigned char *)Malloc(max)) == NULL)
 			{
-			ri=(PKCS7_RECIP_INFO *)sk_value(rsk,i);
+			PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++)
+			{
+			ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
 			pkey=X509_get_pubkey(ri->cert);
 			jj=EVP_PKEY_encrypt(tmp,key,keylen,pkey);
-			if (jj <= 0) abort();
+			EVP_PKEY_free(pkey);
+			if (jj <= 0)
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_EVP_LIB);
+				Free(tmp);
+				goto err;
+				}
 			ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj);
 			}
-
-		BIO_set_cipher(btmp,evp_cipher,key,iv,1);
+		Free(tmp);
+		memset(key, 0, keylen);
 
 		if (out == NULL)
 			out=btmp;
 		else
 			BIO_push(out,btmp);
+		btmp=NULL;
 		}
 
 	if (bio == NULL) /* ??????????? */
@@ -182,6 +223,11 @@ BIO *bio;
 		else
 			{
 			bio=BIO_new(BIO_s_mem());
+			/* We need to set this so that when we have read all
+			 * the data, the encrypt BIO, if present, will read
+			 * EOF and encode the last few bytes */
+			BIO_set_mem_eof_return(bio,0);
+
 			if (PKCS7_type_is_signed(p7) &&
 				PKCS7_type_is_data(p7->d.sign->contents))
 				{
@@ -195,14 +241,222 @@ BIO *bio;
 			}
 		}
 	BIO_push(out,bio);
+	bio=NULL;
+	if (0)
+		{
+err:
+		if (out != NULL)
+			BIO_free_all(out);
+		if (btmp != NULL)
+			BIO_free_all(btmp);
+		out=NULL;
+		}
 	return(out);
+	}
+
+/* int */
+BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
+	{
+	int i,j;
+	BIO *out=NULL,*btmp=NULL,*etmp=NULL,*bio=NULL;
+	char *tmp=NULL;
+	X509_ALGOR *xa;
+	ASN1_OCTET_STRING *data_body=NULL;
+	const EVP_MD *evp_md;
+	const EVP_CIPHER *evp_cipher=NULL;
+	EVP_CIPHER_CTX *evp_ctx=NULL;
+	X509_ALGOR *enc_alg=NULL;
+	STACK_OF(X509_ALGOR) *md_sk=NULL;
+	STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
+	X509_ALGOR *xalg=NULL;
+	PKCS7_RECIP_INFO *ri=NULL;
+/*	EVP_PKEY *pkey; */
+#if 0
+	X509_STORE_CTX s_ctx;
+#endif
+
+	i=OBJ_obj2nid(p7->type);
+	p7->state=PKCS7_S_HEADER;
+
+	switch (i)
+		{
+	case NID_pkcs7_signed:
+		data_body=p7->d.sign->contents->d.data;
+		md_sk=p7->d.sign->md_algs;
+		break;
+	case NID_pkcs7_signedAndEnveloped:
+		rsk=p7->d.signed_and_enveloped->recipientinfo;
+		md_sk=p7->d.signed_and_enveloped->md_algs;
+		data_body=p7->d.signed_and_enveloped->enc_data->enc_data;
+		enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm;
+		evp_cipher=EVP_get_cipherbyname(OBJ_nid2sn(OBJ_obj2nid(enc_alg->algorithm)));
+		if (evp_cipher == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
+			goto err;
+			}
+		xalg=p7->d.signed_and_enveloped->enc_data->algorithm;
+		break;
+	case NID_pkcs7_enveloped:
+		rsk=p7->d.enveloped->recipientinfo;
+		enc_alg=p7->d.enveloped->enc_data->algorithm;
+		data_body=p7->d.enveloped->enc_data->enc_data;
+		evp_cipher=EVP_get_cipherbyname(OBJ_nid2sn(OBJ_obj2nid(enc_alg->algorithm)));
+		if (evp_cipher == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
+			goto err;
+			}
+		xalg=p7->d.enveloped->enc_data->algorithm;
+		break;
+	default:
+		PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
+	        goto err;
+		}
+
+	/* We will be checking the signature */
+	if (md_sk != NULL)
+		{
+		for (i=0; i<sk_X509_ALGOR_num(md_sk); i++)
+			{
+			xa=sk_X509_ALGOR_value(md_sk,i);
+			if ((btmp=BIO_new(BIO_f_md())) == NULL)
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_BIO_LIB);
+				goto err;
+				}
+
+			j=OBJ_obj2nid(xa->algorithm);
+			evp_md=EVP_get_digestbyname(OBJ_nid2sn(j));
+			if (evp_md == NULL)
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNKNOWN_DIGEST_TYPE);
+				goto err;
+				}
+
+			BIO_set_md(btmp,evp_md);
+			if (out == NULL)
+				out=btmp;
+			else
+				BIO_push(out,btmp);
+			btmp=NULL;
+			}
+		}
+
+	if (evp_cipher != NULL)
+		{
+#if 0
+		unsigned char key[EVP_MAX_KEY_LENGTH];
+		unsigned char iv[EVP_MAX_IV_LENGTH];
+		unsigned char *p;
+		int keylen,ivlen;
+		int max;
+		X509_OBJECT ret;
+#endif
+		int jj;
+
+		if ((etmp=BIO_new(BIO_f_cipher())) == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_BIO_LIB);
+			goto err;
+			}
+
+		/* It was encrypted, we need to decrypt the secret key
+		 * with the private key */
+
+		/* Find the recipientInfo which matches the passed certificate
+		 * (if any)
+		 */
+
+		for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++) {
+			ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
+			if(!X509_NAME_cmp(ri->issuer_and_serial->issuer,
+					pcert->cert_info->issuer) &&
+			     !ASN1_INTEGER_cmp(pcert->cert_info->serialNumber,
+					ri->issuer_and_serial->serial)) break;
+			ri=NULL;
+		}
+		if (ri == NULL) {
+			PKCS7err(PKCS7_F_PKCS7_DATADECODE,
+				 PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE);
+			return(NULL);
+		}
+
+		jj=EVP_PKEY_size(pkey);
+		tmp=Malloc(jj+10);
+		if (tmp == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+
+		jj=EVP_PKEY_decrypt((unsigned char *)tmp,
+			ASN1_STRING_data(ri->enc_key),
+			ASN1_STRING_length(ri->enc_key),
+			pkey);
+		if (jj <= 0)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_EVP_LIB);
+			goto err;
+			}
+
+		evp_ctx=NULL;
+		BIO_get_cipher_ctx(etmp,&evp_ctx);
+		EVP_CipherInit(evp_ctx,evp_cipher,NULL,NULL,0);
+		if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0)
+			return(NULL);
+
+		if (jj != EVP_CIPHER_CTX_key_length(evp_ctx))
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATADECODE,
+					PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH);
+			goto err;
+			}
+		EVP_CipherInit(evp_ctx,NULL,(unsigned char *)tmp,NULL,0);
+
+		memset(tmp,0,jj);
+
+		if (out == NULL)
+			out=etmp;
+		else
+			BIO_push(out,etmp);
+		etmp=NULL;
+		}
+
+#if 1
+	if (p7->detached || (in_bio != NULL))
+		{
+		bio=in_bio;
+		}
+	else 
+		{
+		bio=BIO_new(BIO_s_mem());
+		/* We need to set this so that when we have read all
+		 * the data, the encrypt BIO, if present, will read
+		 * EOF and encode the last few bytes */
+		BIO_set_mem_eof_return(bio,0);
+
+		if (data_body->length > 0)
+			BIO_write(bio,(char *)data_body->data,data_body->length);
+		}
+	BIO_push(out,bio);
+	bio=NULL;
+#endif
+	if (0)
+		{
 err:
-	return(NULL);
+		if (out != NULL) BIO_free_all(out);
+		if (btmp != NULL) BIO_free_all(btmp);
+		if (etmp != NULL) BIO_free_all(etmp);
+		if (bio != NULL) BIO_free_all(bio);
+		out=NULL;
+		}
+	if (tmp != NULL)
+		Free(tmp);
+	return(out);
 	}
 
-int PKCS7_dataSign(p7,bio)
-PKCS7 *p7;
-BIO *bio;
+int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 	{
 	int ret=0;
 	int i,j;
@@ -211,7 +465,8 @@ BIO *bio;
 	BUF_MEM *buf=NULL;
 	PKCS7_SIGNER_INFO *si;
 	EVP_MD_CTX *mdc,ctx_tmp;
-	STACK *sk,*si_sk=NULL;
+	STACK_OF(X509_ATTRIBUTE) *sk;
+	STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
 	unsigned char *p,*pp=NULL;
 	int x;
 	ASN1_OCTET_STRING *os=NULL;
@@ -227,22 +482,35 @@ BIO *bio;
 		os=ASN1_OCTET_STRING_new();
 		p7->d.signed_and_enveloped->enc_data->enc_data=os;
 		break;
+	case NID_pkcs7_enveloped:
+		/* XXXXXXXXXXXXXXXX */
+		os=ASN1_OCTET_STRING_new();
+		p7->d.enveloped->enc_data->enc_data=os;
+		break;
 	case NID_pkcs7_signed:
 		si_sk=p7->d.sign->signer_info;
 		os=p7->d.sign->contents->d.data;
+		/* If detached data then the content is excluded */
+		if(p7->detached) {
+			ASN1_OCTET_STRING_free(os);
+			p7->d.sign->contents->d.data = NULL;
+		}
 		break;
 		}
 
 	if (si_sk != NULL)
 		{
-		if ((buf=BUF_MEM_new()) == NULL) goto err;
-		for (i=0; i<sk_num(si_sk); i++)
+		if ((buf=BUF_MEM_new()) == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_BIO_LIB);
+			goto err;
+			}
+		for (i=0; i<sk_PKCS7_SIGNER_INFO_num(si_sk); i++)
 			{
-			si=(PKCS7_SIGNER_INFO *)
-				sk_value(si_sk,i);
-			if (si->pkey == NULL)
-				continue;
-			j=OBJ_obj2nid(si->digest_enc_alg->algorithm);
+			si=sk_PKCS7_SIGNER_INFO_value(si_sk,i);
+			if (si->pkey == NULL) continue;
+
+			j=OBJ_obj2nid(si->digest_alg->algorithm);
 
 			btmp=bio;
 			for (;;)
@@ -259,7 +527,7 @@ BIO *bio;
 					PKCS7err(PKCS7_F_PKCS7_DATASIGN,PKCS7_R_INTERNAL_ERROR);
 					goto err;
 					}
-				if (EVP_MD_pkey_type(EVP_MD_CTX_type(mdc)) == j)
+				if (EVP_MD_type(EVP_MD_CTX_type(mdc)) == j)
 					break;
 				else
 					btmp=btmp->next_bio;
@@ -269,75 +537,117 @@ BIO *bio;
 			 * signing. */
 			memcpy(&ctx_tmp,mdc,sizeof(ctx_tmp));
 			if (!BUF_MEM_grow(buf,EVP_PKEY_size(si->pkey)))
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_BIO_LIB);
 				goto err;
+				}
 
 			sk=si->auth_attr;
-			if ((sk != NULL) && (sk_num(sk) != 0))
+
+			/* If there are attributes, we add the digest
+			 * attribute and only sign the attributes */
+			if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0))
 				{
-				x=i2d_ASN1_SET(sk,NULL,i2d_X509_ATTRIBUTE,
-					V_ASN1_SET,V_ASN1_UNIVERSAL);
-				pp=(unsigned char *)Malloc(i);
+				unsigned char md_data[EVP_MAX_MD_SIZE];
+				unsigned int md_len;
+				ASN1_OCTET_STRING *digest;
+				ASN1_UTCTIME *sign_time;
+				const EVP_MD *md_tmp;
+
+				/* Add signing time */
+				sign_time=X509_gmtime_adj(NULL,0);
+				PKCS7_add_signed_attribute(si,
+					NID_pkcs9_signingTime,
+					V_ASN1_UTCTIME,sign_time);
+
+				/* Add digest */
+				md_tmp=EVP_MD_CTX_type(&ctx_tmp);
+				EVP_DigestFinal(&ctx_tmp,md_data,&md_len);
+				digest=ASN1_OCTET_STRING_new();
+				ASN1_OCTET_STRING_set(digest,md_data,md_len);
+				PKCS7_add_signed_attribute(si,
+					NID_pkcs9_messageDigest,
+					V_ASN1_OCTET_STRING,digest);
+
+				/* Now sign the mess */
+				EVP_SignInit(&ctx_tmp,md_tmp);
+				x=i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,NULL,
+					   i2d_X509_ATTRIBUTE,
+					   V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET);
+				pp=(unsigned char *)Malloc(x);
 				p=pp;
-				i2d_ASN1_SET(sk,&p,i2d_X509_ATTRIBUTE,
-					V_ASN1_SET,V_ASN1_UNIVERSAL);
+				i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,&p,
+				           i2d_X509_ATTRIBUTE,
+					   V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET);
 				EVP_SignUpdate(&ctx_tmp,pp,x);
 				Free(pp);
+				pp=NULL;
 				}
 
+			if (si->pkey->type == EVP_PKEY_DSA)
+				ctx_tmp.digest=EVP_dss1();
+
 			if (!EVP_SignFinal(&ctx_tmp,(unsigned char *)buf->data,
 				(unsigned int *)&buf->length,si->pkey))
+				{
+				PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_EVP_LIB);
 				goto err;
+				}
 			if (!ASN1_STRING_set(si->enc_digest,
 				(unsigned char *)buf->data,buf->length))
-				goto err;
-			}
-		if (p7->detached)
-			ASN1_OCTET_STRING_set(os,(unsigned char *)"",0);
-		else
-			{
-			btmp=BIO_find_type(bio,BIO_TYPE_MEM);
-			if (btmp == NULL)
 				{
-				PKCS7err(PKCS7_F_PKCS7_DATASIGN,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
+				PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_ASN1_LIB);
 				goto err;
 				}
-			BIO_get_mem_ptr(btmp,&buf_mem);
-			ASN1_OCTET_STRING_set(os,
-				(unsigned char *)buf_mem->data,buf_mem->length);
 			}
-		if (pp != NULL) Free(pp);
-		pp=NULL;
 		}
 
+	if (!p7->detached)
+		{
+		btmp=BIO_find_type(bio,BIO_TYPE_MEM);
+		if (btmp == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATASIGN,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
+			goto err;
+			}
+		BIO_get_mem_ptr(btmp,&buf_mem);
+		ASN1_OCTET_STRING_set(os,
+			(unsigned char *)buf_mem->data,buf_mem->length);
+		}
+	if (pp != NULL) Free(pp);
+	pp=NULL;
+
 	ret=1;
 err:
 	if (buf != NULL) BUF_MEM_free(buf);
 	return(ret);
 	}
 
-int PKCS7_dataVerify(cert_store,ctx,bio,p7,si)
-X509_STORE *cert_store;
-X509_STORE_CTX *ctx;
-BIO *bio;
-PKCS7 *p7;
-PKCS7_SIGNER_INFO *si;
+int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
+	     PKCS7 *p7, PKCS7_SIGNER_INFO *si)
 	{
-	PKCS7_SIGNED *s;
-	ASN1_OCTET_STRING *os;
-	EVP_MD_CTX mdc_tmp,*mdc;
-	unsigned char *pp,*p;
 	PKCS7_ISSUER_AND_SERIAL *ias;
-	int ret=0,md_type,i;
-	STACK *sk;
-	BIO *btmp;
+	int ret=0,i;
+	STACK_OF(X509) *cert;
 	X509 *x509;
 
-	if (!PKCS7_type_is_signed(p7)) abort();
+	if (PKCS7_type_is_signed(p7))
+		{
+		cert=p7->d.sign->cert;
+		}
+	else if (PKCS7_type_is_signedAndEnveloped(p7))
+		{
+		cert=p7->d.signed_and_enveloped->cert;
+		}
+	else
+		{
+		PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,PKCS7_R_WRONG_PKCS7_TYPE);
+		goto err;
+		}
 	/* XXXXXXXXXXXXXXXXXXXXXXX */
 	ias=si->issuer_and_serial;
-	s=p7->d.sign;
 
-	x509=X509_find_by_issuer_and_serial(s->cert,ias->issuer,ias->serial);
+	x509=X509_find_by_issuer_and_serial(cert,ias->issuer,ias->serial);
 
 	/* were we able to find the cert in passed to us */
 	if (x509 == NULL)
@@ -347,12 +657,39 @@ PKCS7_SIGNER_INFO *si;
 		}
 
 	/* Lets verify */
-	X509_STORE_CTX_init(ctx,cert_store,x509,s->cert);
+	X509_STORE_CTX_init(ctx,cert_store,x509,cert);
 	i=X509_verify_cert(ctx);
-	if (i <= 0) goto err;
+	if (i <= 0) 
+		{
+		PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,ERR_R_X509_LIB);
+		goto err;
+		}
 	X509_STORE_CTX_cleanup(ctx);
 
-	/* So we like 'x509', lets check the signature. */
+	return PKCS7_signatureVerify(bio, p7, si, x509);
+	err:
+	return ret;
+	}
+
+int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
+								X509 *x509)
+	{
+	ASN1_OCTET_STRING *os;
+	EVP_MD_CTX mdc_tmp,*mdc;
+	unsigned char *pp,*p;
+	int ret=0,i;
+	int md_type;
+	STACK_OF(X509_ATTRIBUTE) *sk;
+	BIO *btmp;
+	EVP_PKEY *pkey;
+
+	if (!PKCS7_type_is_signed(p7) && 
+				!PKCS7_type_is_signedAndEnveloped(p7)) {
+		PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
+						PKCS7_R_WRONG_PKCS7_TYPE);
+		goto err;
+	}
+
 	md_type=OBJ_obj2nid(si->digest_alg->algorithm);
 
 	btmp=bio;
@@ -361,13 +698,15 @@ PKCS7_SIGNER_INFO *si;
 		if ((btmp == NULL) ||
 			((btmp=BIO_find_type(btmp,BIO_TYPE_MD)) == NULL))
 			{
-			PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
+			PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
+					PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
 			goto err;
 			}
 		BIO_get_md_ctx(btmp,&mdc);
 		if (mdc == NULL)
 			{
-			PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,PKCS7_R_INTERNAL_ERROR);
+			PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
+							PKCS7_R_INTERNAL_ERROR);
 			goto err;
 			}
 		if (EVP_MD_type(EVP_MD_CTX_type(mdc)) == md_type)
@@ -375,28 +714,68 @@ PKCS7_SIGNER_INFO *si;
 		btmp=btmp->next_bio;	
 		}
 
-	/* mdc is the digest ctx that we want */
+	/* mdc is the digest ctx that we want, unless there are attributes,
+	 * in which case the digest is the signed attributes */
 	memcpy(&mdc_tmp,mdc,sizeof(mdc_tmp));
 
 	sk=si->auth_attr;
-	if ((sk != NULL) && (sk_num(sk) != 0))
+	if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0))
 		{
-		i=i2d_ASN1_SET(sk,NULL,i2d_X509_ATTRIBUTE,
-			V_ASN1_SET,V_ASN1_UNIVERSAL);
-		pp=(unsigned char *)malloc(i);
+		unsigned char md_dat[EVP_MAX_MD_SIZE];
+                unsigned int md_len;
+		ASN1_OCTET_STRING *message_digest;
+
+		EVP_DigestFinal(&mdc_tmp,md_dat,&md_len);
+		message_digest=PKCS7_digest_from_attributes(sk);
+		if (!message_digest)
+			{
+			PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
+					PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
+			goto err;
+			}
+		if ((message_digest->length != (int)md_len) ||
+			(memcmp(message_digest->data,md_dat,md_len)))
+			{
+#if 0
+{
+int ii;
+for (ii=0; ii<message_digest->length; ii++)
+	printf("%02X",message_digest->data[ii]); printf(" sent\n");
+for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n");
+}
+#endif
+			PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
+							PKCS7_R_DIGEST_FAILURE);
+			ret= -1;
+			goto err;
+			}
+
+		EVP_VerifyInit(&mdc_tmp,EVP_get_digestbynid(md_type));
+		/* Note: when forming the encoding of the attributes we
+		 * shouldn't reorder them or this will break the signature.
+		 * This is done by using the IS_SEQUENCE flag.
+		 */
+		i=i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,NULL,i2d_X509_ATTRIBUTE,
+			V_ASN1_SET,V_ASN1_UNIVERSAL, IS_SEQUENCE);
+		pp=Malloc(i);
 		p=pp;
-		i2d_ASN1_SET(sk,&p,i2d_X509_ATTRIBUTE,
-			V_ASN1_SET,V_ASN1_UNIVERSAL);
+		i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,&p,i2d_X509_ATTRIBUTE,
+			V_ASN1_SET,V_ASN1_UNIVERSAL, IS_SEQUENCE);
 		EVP_VerifyUpdate(&mdc_tmp,pp,i);
-		free(pp);
+
+		Free(pp);
 		}
 
 	os=si->enc_digest;
-	i=EVP_VerifyFinal(&mdc_tmp,os->data,os->length,
-		X509_get_pubkey(x509));
+	pkey = X509_get_pubkey(x509);
+	if(pkey->type == EVP_PKEY_DSA) mdc_tmp.digest=EVP_dss1();
+
+	i=EVP_VerifyFinal(&mdc_tmp,os->data,os->length, pkey);
+	EVP_PKEY_free(pkey);
 	if (i <= 0)
 		{
-		PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,PKCS7_R_SIGNATURE_FAILURE);
+		PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
+						PKCS7_R_SIGNATURE_FAILURE);
 		ret= -1;
 		goto err;
 		}
@@ -406,3 +785,138 @@ err:
 	return(ret);
 	}
 
+PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx)
+	{
+	STACK_OF(PKCS7_RECIP_INFO) *rsk;
+	PKCS7_RECIP_INFO *ri;
+	int i;
+
+	i=OBJ_obj2nid(p7->type);
+	if (i != NID_pkcs7_signedAndEnveloped) return(NULL);
+	rsk=p7->d.signed_and_enveloped->recipientinfo;
+	ri=sk_PKCS7_RECIP_INFO_value(rsk,0);
+	if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx) return(NULL);
+	ri=sk_PKCS7_RECIP_INFO_value(rsk,idx);
+	return(ri->issuer_and_serial);
+	}
+
+ASN1_TYPE *PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid)
+	{
+	return(get_attribute(si->auth_attr,nid));
+	}
+
+ASN1_TYPE *PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid)
+	{
+	return(get_attribute(si->unauth_attr,nid));
+	}
+
+static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid)
+	{
+	int i;
+	X509_ATTRIBUTE *xa;
+	ASN1_OBJECT *o;
+
+	o=OBJ_nid2obj(nid);
+	if (!o || !sk) return(NULL);
+	for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++)
+		{
+		xa=sk_X509_ATTRIBUTE_value(sk,i);
+		if (OBJ_cmp(xa->object,o) == 0)
+			{
+			if (xa->set && sk_ASN1_TYPE_num(xa->value.set))
+				return(sk_ASN1_TYPE_value(xa->value.set,0));
+			else
+				return(NULL);
+			}
+		}
+	return(NULL);
+	}
+
+ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
+{
+	ASN1_TYPE *astype;
+	if(!(astype = get_attribute(sk, NID_pkcs9_messageDigest))) return NULL;
+	return astype->value.octet_string;
+}
+
+int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si,
+				STACK_OF(X509_ATTRIBUTE) *sk)
+	{
+	int i;
+
+	if (p7si->auth_attr != NULL)
+		sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr,X509_ATTRIBUTE_free);
+	p7si->auth_attr=sk_X509_ATTRIBUTE_dup(sk);
+	for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++)
+		{
+		if ((sk_X509_ATTRIBUTE_set(p7si->auth_attr,i,
+			X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk,i))))
+		    == NULL)
+			return(0);
+		}
+	return(1);
+	}
+
+int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk)
+	{
+	int i;
+
+	if (p7si->unauth_attr != NULL)
+		sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr,
+					   X509_ATTRIBUTE_free);
+	p7si->unauth_attr=sk_X509_ATTRIBUTE_dup(sk);
+	for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++)
+		{
+		if ((sk_X509_ATTRIBUTE_set(p7si->unauth_attr,i,
+                        X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk,i))))
+		    == NULL)
+			return(0);
+		}
+	return(1);
+	}
+
+int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype,
+	     void *value)
+	{
+	return(add_attribute(&(p7si->auth_attr),nid,atrtype,value));
+	}
+
+int PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype,
+	     void *value)
+	{
+	return(add_attribute(&(p7si->unauth_attr),nid,atrtype,value));
+	}
+
+static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
+			 void *value)
+	{
+	X509_ATTRIBUTE *attr=NULL;
+
+	if (*sk == NULL)
+		{
+		*sk = sk_X509_ATTRIBUTE_new(NULL);
+new_attrib:
+		attr=X509_ATTRIBUTE_create(nid,atrtype,value);
+		sk_X509_ATTRIBUTE_push(*sk,attr);
+		}
+	else
+		{
+		int i;
+
+		for (i=0; i<sk_X509_ATTRIBUTE_num(*sk); i++)
+			{
+			attr=sk_X509_ATTRIBUTE_value(*sk,i);
+			if (OBJ_obj2nid(attr->object) == nid)
+				{
+				X509_ATTRIBUTE_free(attr);
+				attr=X509_ATTRIBUTE_create(nid,atrtype,value);
+				sk_X509_ATTRIBUTE_set(*sk,i,attr);
+				goto end;
+				}
+			}
+		goto new_attrib;
+		}
+end:
+	return(1);
+	}
+
diff --git a/lib/libcrypto/pkcs7/pk7_enc.c b/lib/libcrypto/pkcs7/pk7_enc.c
index a5b6dc463f0..acbb189c59a 100644
--- a/lib/libcrypto/pkcs7/pk7_enc.c
+++ b/lib/libcrypto/pkcs7/pk7_enc.c
@@ -58,11 +58,11 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include "evp.h"
-#include "rand.h"
-#include "objects.h"
-#include "x509.h"
-#include "pkcs7.h"
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
 
 PKCS7_in_bio(PKCS7 *p7,BIO *in);
 PKCS7_out_bio(PKCS7 *p7,BIO *out);
diff --git a/lib/libcrypto/pkcs7/pk7_lib.c b/lib/libcrypto/pkcs7/pk7_lib.c
index 7d14ad11734..8b863d05583 100644
--- a/lib/libcrypto/pkcs7/pk7_lib.c
+++ b/lib/libcrypto/pkcs7/pk7_lib.c
@@ -58,14 +58,10 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include "objects.h"
-#include "x509.h"
-
-long PKCS7_ctrl(p7,cmd,larg,parg)
-PKCS7 *p7;
-int cmd;
-long larg;
-char *parg;
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg)
 	{
 	int nid;
 	long ret;
@@ -98,14 +94,13 @@ char *parg;
 			
 		break;
 	default:
-		abort();
+		PKCS7err(PKCS7_F_PKCS7_CTRL,PKCS7_R_UNKNOWN_OPERATION);
+		ret=0;
 		}
 	return(ret);
 	}
 
-int PKCS7_content_new(p7,type)
-PKCS7 *p7;
-int type;
+int PKCS7_content_new(PKCS7 *p7, int type)
 	{
 	PKCS7 *ret=NULL;
 
@@ -119,9 +114,7 @@ err:
 	return(0);
 	}
 
-int PKCS7_set_content(p7,p7_data)
-PKCS7 *p7;
-PKCS7 *p7_data;
+int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data)
 	{
 	int i;
 
@@ -147,9 +140,7 @@ err:
 	return(0);
 	}
 
-int PKCS7_set_type(p7,type)
-PKCS7 *p7;
-int type;
+int PKCS7_set_type(PKCS7 *p7, int type)
 	{
 	ASN1_OBJECT *obj;
 
@@ -172,12 +163,19 @@ int type;
 	case NID_pkcs7_signedAndEnveloped:
 		p7->type=obj;
 		if ((p7->d.signed_and_enveloped=PKCS7_SIGN_ENVELOPE_new())
-			== NULL)
-			goto err;
-		ASN1_INTEGER_set(p7->d.sign->version,1);
+			== NULL) goto err;
+		ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1);
+/*		p7->d.signed_and_enveloped->enc_data->content_type=
+			OBJ_nid2obj(NID_pkcs7_encrypted);*/
+			
 		break;
-	case NID_pkcs7_digest:
 	case NID_pkcs7_enveloped:
+		p7->type=obj;
+		if ((p7->d.enveloped=PKCS7_ENVELOPE_new())
+			== NULL) goto err;
+		ASN1_INTEGER_set(p7->d.enveloped->version,0);
+		break;
+	case NID_pkcs7_digest:
 	case NID_pkcs7_encrypted:
 	default:
 		PKCS7err(PKCS7_F_PKCS7_SET_TYPE,PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
@@ -188,14 +186,12 @@ err:
 	return(0);
 	}
 
-int PKCS7_add_signer(p7,psi)
-PKCS7 *p7;
-PKCS7_SIGNER_INFO *psi;
+int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *psi)
 	{
 	int i,j,nid;
 	X509_ALGOR *alg;
-	STACK *signer_sk;
-	STACK *md_sk;
+	STACK_OF(PKCS7_SIGNER_INFO) *signer_sk;
+	STACK_OF(X509_ALGOR) *md_sk;
 
 	i=OBJ_obj2nid(p7->type);
 	switch (i)
@@ -217,9 +213,9 @@ PKCS7_SIGNER_INFO *psi;
 
 	/* If the digest is not currently listed, add it */
 	j=0;
-	for (i=0; i<sk_num(md_sk); i++)
+	for (i=0; i<sk_X509_ALGOR_num(md_sk); i++)
 		{
-		alg=(X509_ALGOR *)sk_value(md_sk,i);
+		alg=sk_X509_ALGOR_value(md_sk,i);
 		if (OBJ_obj2nid(alg->algorithm) == nid)
 			{
 			j=1;
@@ -230,19 +226,17 @@ PKCS7_SIGNER_INFO *psi;
 		{
 		alg=X509_ALGOR_new();
 		alg->algorithm=OBJ_nid2obj(nid);
-		sk_push(md_sk,(char *)alg);
+		sk_X509_ALGOR_push(md_sk,alg);
 		}
 
-	sk_push(signer_sk,(char *)psi);
+	sk_PKCS7_SIGNER_INFO_push(signer_sk,psi);
 	return(1);
 	}
 
-int PKCS7_add_certificate(p7,x509)
-PKCS7 *p7;
-X509 *x509;
+int PKCS7_add_certificate(PKCS7 *p7, X509 *x509)
 	{
 	int i;
-	STACK **sk;
+	STACK_OF(X509) **sk;
 
 	i=OBJ_obj2nid(p7->type);
 	switch (i)
@@ -259,18 +253,16 @@ X509 *x509;
 		}
 
 	if (*sk == NULL)
-		*sk=sk_new_null();
+		*sk=sk_X509_new_null();
 	CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
-	sk_push(*sk,(char *)x509);
+	sk_X509_push(*sk,x509);
 	return(1);
 	}
 
-int PKCS7_add_crl(p7,crl)
-PKCS7 *p7;
-X509_CRL *crl;
+int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl)
 	{
 	int i;
-	STACK **sk;
+	STACK_OF(X509_CRL) **sk;
 
 	i=OBJ_obj2nid(p7->type);
 	switch (i)
@@ -287,18 +279,15 @@ X509_CRL *crl;
 		}
 
 	if (*sk == NULL)
-		*sk=sk_new_null();
+		*sk=sk_X509_CRL_new_null();
 
 	CRYPTO_add(&crl->references,1,CRYPTO_LOCK_X509_CRL);
-	sk_push(*sk,(char *)crl);
+	sk_X509_CRL_push(*sk,crl);
 	return(1);
 	}
 
-int PKCS7_SIGNER_INFO_set(p7i,x509,pkey,dgst)
-PKCS7_SIGNER_INFO *p7i;
-X509 *x509;
-EVP_PKEY *pkey;
-EVP_MD *dgst;
+int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
+	     EVP_MD *dgst)
 	{
 	/* We now need to add another PKCS7_SIGNER_INFO entry */
 	ASN1_INTEGER_set(p7i->version,1);
@@ -316,27 +305,32 @@ EVP_MD *dgst;
 	p7i->pkey=pkey;
 
 	/* Set the algorithms */
-	p7i->digest_alg->algorithm=OBJ_nid2obj(EVP_MD_type(dgst));
-	p7i->digest_enc_alg->algorithm=OBJ_nid2obj(EVP_MD_pkey_type(dgst));
+	if (pkey->type == EVP_PKEY_DSA)
+		p7i->digest_alg->algorithm=OBJ_nid2obj(NID_sha1);
+	else	
+		p7i->digest_alg->algorithm=OBJ_nid2obj(EVP_MD_type(dgst));
+
+	if (p7i->digest_alg->parameter != NULL)
+		ASN1_TYPE_free(p7i->digest_alg->parameter);
+	if ((p7i->digest_alg->parameter=ASN1_TYPE_new()) == NULL)
+		goto err;
+	p7i->digest_alg->parameter->type=V_ASN1_NULL;
+
+	p7i->digest_enc_alg->algorithm=OBJ_nid2obj(EVP_PKEY_type(pkey->type));
 
-#if 1
 	if (p7i->digest_enc_alg->parameter != NULL)
 		ASN1_TYPE_free(p7i->digest_enc_alg->parameter);
 	if ((p7i->digest_enc_alg->parameter=ASN1_TYPE_new()) == NULL)
 		goto err;
 	p7i->digest_enc_alg->parameter->type=V_ASN1_NULL;
-#endif
 
 	return(1);
 err:
 	return(0);
 	}
 
-PKCS7_SIGNER_INFO *PKCS7_add_signature(p7,x509,pkey,dgst)
-PKCS7 *p7;
-X509 *x509;
-EVP_PKEY *pkey;
-EVP_MD *dgst;
+PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
+	     EVP_MD *dgst)
 	{
 	PKCS7_SIGNER_INFO *si;
 
@@ -348,20 +342,21 @@ err:
 	return(NULL);
 	}
 
-STACK *PKCS7_get_signer_info(p7)
-PKCS7 *p7;
+STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
 	{
 	if (PKCS7_type_is_signed(p7))
 		{
 		return(p7->d.sign->signer_info);
 		}
+	else if (PKCS7_type_is_signedAndEnveloped(p7))
+		{
+		return(p7->d.signed_and_enveloped->signer_info);
+		}
 	else
 		return(NULL);
 	}
 
-PKCS7_RECIP_INFO *PKCS7_add_recipient(p7,x509)
-PKCS7 *p7;
-X509 *x509;
+PKCS7_RECIP_INFO *PKCS7_add_recipient(PKCS7 *p7, X509 *x509)
 	{
 	PKCS7_RECIP_INFO *ri;
 
@@ -373,12 +368,10 @@ err:
 	return(NULL);
 	}
 
-int PKCS7_add_recipient_info(p7,ri)
-PKCS7 *p7;
-PKCS7_RECIP_INFO *ri;
+int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri)
 	{
 	int i;
-	STACK *sk;
+	STACK_OF(PKCS7_RECIP_INFO) *sk;
 
 	i=OBJ_obj2nid(p7->type);
 	switch (i)
@@ -386,18 +379,19 @@ PKCS7_RECIP_INFO *ri;
 	case NID_pkcs7_signedAndEnveloped:
 		sk=	p7->d.signed_and_enveloped->recipientinfo;
 		break;
+	case NID_pkcs7_enveloped:
+		sk=	p7->d.enveloped->recipientinfo;
+		break;
 	default:
 		PKCS7err(PKCS7_F_PKCS7_ADD_RECIPIENT_INFO,PKCS7_R_WRONG_CONTENT_TYPE);
 		return(0);
 		}
 
-	sk_push(sk,(char *)ri);
+	sk_PKCS7_RECIP_INFO_push(sk,ri);
 	return(1);
 	}
 
-int PKCS7_RECIP_INFO_set(p7i,x509)
-PKCS7_RECIP_INFO *p7i;
-X509 *x509;
+int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
 	{
 	ASN1_INTEGER_set(p7i->version,0);
 	X509_NAME_set(&p7i->issuer_and_serial->issuer,
@@ -407,15 +401,18 @@ X509 *x509;
 	p7i->issuer_and_serial->serial=
 		ASN1_INTEGER_dup(X509_get_serialNumber(x509));
 
+	X509_ALGOR_free(p7i->key_enc_algor);
+	p7i->key_enc_algor=(X509_ALGOR *)ASN1_dup(i2d_X509_ALGOR,
+		(char *(*)())d2i_X509_ALGOR,
+		(char *)x509->cert_info->key->algor);
+
 	CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
 	p7i->cert=x509;
 
 	return(1);
 	}
 
-X509 *PKCS7_cert_from_signer_info(p7,si)
-PKCS7 *p7;
-PKCS7_SIGNER_INFO *si;
+X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
 	{
 	if (PKCS7_type_is_signed(p7))
 		return(X509_find_by_issuer_and_serial(p7->d.sign->cert,
@@ -425,9 +422,7 @@ PKCS7_SIGNER_INFO *si;
 		return(NULL);
 	}
 
-int PKCS7_set_cipher(p7,cipher)
-PKCS7 *p7;
-EVP_CIPHER *cipher;
+int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher)
 	{
 	int i;
 	PKCS7_ENC_CONTENT *ec;
@@ -438,12 +433,17 @@ EVP_CIPHER *cipher;
 	case NID_pkcs7_signedAndEnveloped:
 		ec=p7->d.signed_and_enveloped->enc_data;
 		break;
+	case NID_pkcs7_enveloped:
+		ec=p7->d.enveloped->enc_data;
+		break;
 	default:
 		PKCS7err(PKCS7_F_PKCS7_SET_CIPHER,PKCS7_R_WRONG_CONTENT_TYPE);
 		return(0);
 		}
 
-	ec->algorithm->algorithm=OBJ_nid2obj(EVP_CIPHER_nid(cipher));
-	return(ec->algorithm->algorithm != NULL);
+	/* Setup cipher OID */
+
+	ec->cipher = cipher;
+	return 1;
 	}
 
diff --git a/lib/libcrypto/pkcs7/pkcs7.err b/lib/libcrypto/pkcs7/pkcs7.err
deleted file mode 100644
index 91413aae432..00000000000
--- a/lib/libcrypto/pkcs7/pkcs7.err
+++ /dev/null
@@ -1,26 +0,0 @@
-/* Error codes for the PKCS7 functions. */
-
-/* Function codes. */
-#define PKCS7_F_PKCS7_ADD_CERTIFICATE			 100
-#define PKCS7_F_PKCS7_ADD_CRL				 101
-#define PKCS7_F_PKCS7_ADD_RECIPIENT_INFO		 102
-#define PKCS7_F_PKCS7_ADD_SIGNER			 103
-#define PKCS7_F_PKCS7_CTRL				 104
-#define PKCS7_F_PKCS7_DATAINIT				 105
-#define PKCS7_F_PKCS7_DATASIGN				 106
-#define PKCS7_F_PKCS7_DATAVERIFY			 107
-#define PKCS7_F_PKCS7_SET_CIPHER			 108
-#define PKCS7_F_PKCS7_SET_CONTENT			 109
-#define PKCS7_F_PKCS7_SET_TYPE				 110
-
-/* Reason codes. */
-#define PKCS7_R_INTERNAL_ERROR				 100
-#define PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE	 101
-#define PKCS7_R_SIGNATURE_FAILURE			 102
-#define PKCS7_R_UNABLE_TO_FIND_CERTIFICATE		 103
-#define PKCS7_R_UNABLE_TO_FIND_MEM_BIO			 104
-#define PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST		 105
-#define PKCS7_R_UNKNOWN_DIGEST_TYPE			 106
-#define PKCS7_R_UNSUPPORTED_CIPHER_TYPE			 107
-#define PKCS7_R_UNSUPPORTED_CONTENT_TYPE		 108
-#define PKCS7_R_WRONG_CONTENT_TYPE			 109
diff --git a/lib/libcrypto/pkcs7/pkcs7.h b/lib/libcrypto/pkcs7/pkcs7.h
index ee12f670a85..c42bd6d391f 100644
--- a/lib/libcrypto/pkcs7/pkcs7.h
+++ b/lib/libcrypto/pkcs7/pkcs7.h
@@ -63,8 +63,17 @@
 extern "C" {
 #endif
 
-#include "bio.h"
-#include "x509.h"
+#include <openssl/bio.h>
+#include <openssl/x509.h>
+
+#ifdef VMS
+#include <openssl/vms_idhacks.h>
+#endif
+
+#ifdef WIN32
+/* Under Win32 this is defined in wincrypt.h */
+#undef PKCS7_ISSUER_AND_SERIAL
+#endif
 
 /*
 Encryption_ID		DES-CBC
@@ -84,15 +93,18 @@ typedef struct pkcs7_signer_info_st
 	ASN1_INTEGER 			*version;	/* version 1 */
 	PKCS7_ISSUER_AND_SERIAL		*issuer_and_serial;
 	X509_ALGOR			*digest_alg;
-	STACK /* X509_ATTRIBUTE */	*auth_attr;	/* [ 0 ] */
+	STACK_OF(X509_ATTRIBUTE)	*auth_attr;	/* [ 0 ] */
 	X509_ALGOR			*digest_enc_alg;
 	ASN1_OCTET_STRING		*enc_digest;
-	STACK /* X509_ATTRIBUTE */	*unauth_attr;	/* [ 1 ] */
+	STACK_OF(X509_ATTRIBUTE)	*unauth_attr;	/* [ 1 ] */
 
 	/* The private key to sign with */
 	EVP_PKEY			*pkey;
 	} PKCS7_SIGNER_INFO;
 
+DECLARE_STACK_OF(PKCS7_SIGNER_INFO)
+DECLARE_ASN1_SET_OF(PKCS7_SIGNER_INFO)
+
 typedef struct pkcs7_recip_info_st
 	{
 	ASN1_INTEGER			*version;	/* version 0 */
@@ -102,13 +114,16 @@ typedef struct pkcs7_recip_info_st
 	X509				*cert; /* get the pub-key from this */
 	} PKCS7_RECIP_INFO;
 
+DECLARE_STACK_OF(PKCS7_RECIP_INFO)
+DECLARE_ASN1_SET_OF(PKCS7_RECIP_INFO)
+
 typedef struct pkcs7_signed_st
 	{
 	ASN1_INTEGER			*version;	/* version 1 */
-	STACK /* X509_ALGOR's */	*md_algs;	/* md used */
-	STACK /* X509 */		*cert;		/* [ 0 ] */
-	STACK /* X509_CRL */		*crl;		/* [ 1 ] */
-	STACK /* PKCS7_SIGNER_INFO */	*signer_info;
+	STACK_OF(X509_ALGOR)		*md_algs;	/* md used */
+	STACK_OF(X509)			*cert;		/* [ 0 ] */
+	STACK_OF(X509_CRL)		*crl;		/* [ 1 ] */
+	STACK_OF(PKCS7_SIGNER_INFO)	*signer_info;
 
 	struct pkcs7_st			*contents;
 	} PKCS7_SIGNED;
@@ -120,25 +135,26 @@ typedef struct pkcs7_enc_content_st
 	ASN1_OBJECT			*content_type;
 	X509_ALGOR			*algorithm;
 	ASN1_OCTET_STRING		*enc_data;	/* [ 0 ] */
+	const EVP_CIPHER		*cipher;
 	} PKCS7_ENC_CONTENT;
 
 typedef struct pkcs7_enveloped_st
 	{
 	ASN1_INTEGER			*version;	/* version 0 */
-	STACK /* PKCS7_RECIP_INFO */	*recipientinfo;
+	STACK_OF(PKCS7_RECIP_INFO)	*recipientinfo;
 	PKCS7_ENC_CONTENT		*enc_data;
 	} PKCS7_ENVELOPE;
-	
+
 typedef struct pkcs7_signedandenveloped_st
 	{
 	ASN1_INTEGER			*version;	/* version 1 */
-	STACK /* X509_ALGOR's */	*md_algs;	/* md used */
-	STACK /* X509 */		*cert;		/* [ 0 ] */
-	STACK /* X509_CRL */		*crl;		/* [ 1 ] */
-	STACK /* PKCS7_SIGNER_INFO */	*signer_info;
+	STACK_OF(X509_ALGOR)		*md_algs;	/* md used */
+	STACK_OF(X509)			*cert;		/* [ 0 ] */
+	STACK_OF(X509_CRL)		*crl;		/* [ 1 ] */
+	STACK_OF(PKCS7_SIGNER_INFO)	*signer_info;
 
 	PKCS7_ENC_CONTENT		*enc_data;
-	STACK /* PKCS7_RECIP_INFO */	*recipientinfo;
+	STACK_OF(PKCS7_RECIP_INFO)	*recipientinfo;
 	} PKCS7_SIGN_ENVELOPE;
 
 typedef struct pkcs7_digest_st
@@ -199,7 +215,12 @@ typedef struct pkcs7_st
 #define PKCS7_OP_SET_DETACHED_SIGNATURE	1
 #define PKCS7_OP_GET_DETACHED_SIGNATURE	2
 
+#define PKCS7_get_signed_attributes(si)	((si)->auth_attr)
+#define PKCS7_get_attributes(si)	((si)->unauth_attr)
+
 #define PKCS7_type_is_signed(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_signed)
+#define PKCS7_type_is_signedAndEnveloped(a) \
+		(OBJ_obj2nid((a)->type) == NID_pkcs7_signedAndEnveloped)
 #define PKCS7_type_is_data(a)   (OBJ_obj2nid((a)->type) == NID_pkcs7_data)
 
 #define PKCS7_set_detached(p,v) \
@@ -208,14 +229,14 @@ typedef struct pkcs7_st
 		PKCS7_ctrl(p,PKCS7_OP_GET_DETACHED_SIGNATURE,0,NULL)
 
 #ifdef SSLEAY_MACROS
-
+#ifndef PKCS7_ISSUER_AND_SERIAL_digest
 #define PKCS7_ISSUER_AND_SERIAL_digest(data,type,md,len) \
         ASN1_digest((int (*)())i2d_PKCS7_ISSUER_AND_SERIAL,type,\
 	                (char *)data,md,len)
 #endif
+#endif
 
 
-#ifndef NOPROTO
 PKCS7_ISSUER_AND_SERIAL *PKCS7_ISSUER_AND_SERIAL_new(void );
 void			PKCS7_ISSUER_AND_SERIAL_free(
 				PKCS7_ISSUER_AND_SERIAL *a);
@@ -229,11 +250,11 @@ PKCS7_ISSUER_AND_SERIAL *d2i_PKCS7_ISSUER_AND_SERIAL(
 int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,EVP_MD *type,
 	unsigned char *md,unsigned int *len);
 #ifndef NO_FP_API
-PKCS7 *d2i_PKCS7_fp(FILE *fp,PKCS7 *p7);
+PKCS7 *d2i_PKCS7_fp(FILE *fp,PKCS7 **p7);
 int i2d_PKCS7_fp(FILE *fp,PKCS7 *p7);
 #endif
 PKCS7 *PKCS7_dup(PKCS7 *p7);
-PKCS7 *d2i_PKCS7_bio(BIO *bp,PKCS7 *p7);
+PKCS7 *d2i_PKCS7_bio(BIO *bp,PKCS7 **p7);
 int i2d_PKCS7_bio(BIO *bp,PKCS7 *p7);
 #endif
 
@@ -314,107 +335,45 @@ int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *p7i);
 int PKCS7_add_certificate(PKCS7 *p7, X509 *x509);
 int PKCS7_add_crl(PKCS7 *p7, X509_CRL *x509);
 int PKCS7_content_new(PKCS7 *p7, int nid);
-int PKCS7_dataSign(PKCS7 *p7, BIO *bio);
 int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx,
 	BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si); 
+int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
+								X509 *x509);
 
 BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio);
-/*int PKCS7_DataFinal(PKCS7 *p7, BIO *bio); */
+int PKCS7_dataFinal(PKCS7 *p7, BIO *bio);
+BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert);
+
 
 PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509,
 	EVP_PKEY *pkey, EVP_MD *dgst);
 X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
-STACK *PKCS7_get_signer_info(PKCS7 *p7);
+STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7);
 
 PKCS7_RECIP_INFO *PKCS7_add_recipient(PKCS7 *p7, X509 *x509);
 int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri);
 int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509);
-int PKCS7_set_cipher(PKCS7 *p7, EVP_CIPHER *cipher);
-
+int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher);
 
+PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx);
+ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk);
+int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si,int nid,int type,
+	void *data);
+int PKCS7_add_attribute (PKCS7_SIGNER_INFO *p7si, int nid, int atrtype,
+	void *value);
+ASN1_TYPE *PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid);
+ASN1_TYPE *PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid);
+int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si,
+				STACK_OF(X509_ATTRIBUTE) *sk);
+int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si,STACK_OF(X509_ATTRIBUTE) *sk);
 
-#else
 
-PKCS7_ISSUER_AND_SERIAL *PKCS7_ISSUER_AND_SERIAL_new();
-void			PKCS7_ISSUER_AND_SERIAL_free();
-int 			i2d_PKCS7_ISSUER_AND_SERIAL();
-PKCS7_ISSUER_AND_SERIAL *d2i_PKCS7_ISSUER_AND_SERIAL();
-
-#ifndef SSLEAY_MACROS
-int			PKCS7_ISSUER_AND_SERIAL_digest();
-#ifndef NO_FP_API
-PKCS7 *d2i_PKCS7_fp();
-int i2d_PKCS7_fp();
-#endif
-PKCS7 *PKCS7_dup();
-PKCS7 *d2i_PKCS7_bio();
-int i2d_PKCS7_bio();
-
-#endif
-
-PKCS7_SIGNER_INFO	*PKCS7_SIGNER_INFO_new();
-void			PKCS7_SIGNER_INFO_free();
-int 			i2d_PKCS7_SIGNER_INFO();
-PKCS7_SIGNER_INFO	*d2i_PKCS7_SIGNER_INFO();
-PKCS7_RECIP_INFO	*PKCS7_RECIP_INFO_new();
-void			PKCS7_RECIP_INFO_free();
-int 			i2d_PKCS7_RECIP_INFO();
-PKCS7_RECIP_INFO	*d2i_PKCS7_RECIP_INFO();
-PKCS7_SIGNED		*PKCS7_SIGNED_new();
-void			PKCS7_SIGNED_free();
-int 			i2d_PKCS7_SIGNED();
-PKCS7_SIGNED		*d2i_PKCS7_SIGNED();
-PKCS7_ENC_CONTENT	*PKCS7_ENC_CONTENT_new();
-void			PKCS7_ENC_CONTENT_free();
-int 			i2d_PKCS7_ENC_CONTENT();
-PKCS7_ENC_CONTENT	*d2i_PKCS7_ENC_CONTENT();
-PKCS7_ENVELOPE		*PKCS7_ENVELOPE_new();
-void			PKCS7_ENVELOPE_free();
-int 			i2d_PKCS7_ENVELOPE();
-PKCS7_ENVELOPE		*d2i_PKCS7_ENVELOPE();
-PKCS7_SIGN_ENVELOPE	*PKCS7_SIGN_ENVELOPE_new();
-void			PKCS7_SIGN_ENVELOPE_free();
-int 			i2d_PKCS7_SIGN_ENVELOPE();
-PKCS7_SIGN_ENVELOPE	*d2i_PKCS7_SIGN_ENVELOPE();
-PKCS7_DIGEST		*PKCS7_DIGEST_new();
-void			PKCS7_DIGEST_free();
-int 			i2d_PKCS7_DIGEST();
-PKCS7_DIGEST		*d2i_PKCS7_DIGEST();
-PKCS7_ENCRYPT		*PKCS7_ENCRYPT_new();
-void			PKCS7_ENCRYPT_free();
-int 			i2d_PKCS7_ENCRYPT();
-PKCS7_ENCRYPT		*d2i_PKCS7_ENCRYPT();
-PKCS7			*PKCS7_new();
-void			PKCS7_free();
-void			PKCS7_content_free();
-int 			i2d_PKCS7();
-PKCS7			*d2i_PKCS7();
-
-void ERR_load_PKCS7_strings();
-
-long PKCS7_ctrl();
-int PKCS7_set_type();
-int PKCS7_set_content();
-int PKCS7_SIGNER_INFO_set();
-int PKCS7_add_signer();
-int PKCS7_add_certificate();
-int PKCS7_add_crl();
-int PKCS7_content_new();
-int PKCS7_dataSign();
-int PKCS7_dataVerify();
-BIO *PKCS7_dataInit();
-PKCS7_SIGNER_INFO *PKCS7_add_signature();
-X509 *PKCS7_cert_from_signer_info();
-STACK *PKCS7_get_signer_info();
-
-PKCS7_RECIP_INFO *PKCS7_add_recipient();
-int PKCS7_add_recipient_info();
-int PKCS7_RECIP_INFO_set();
-int PKCS7_set_cipher();
-
-#endif
 
 /* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
 /* Error codes for the PKCS7 functions. */
 
 /* Function codes. */
@@ -423,25 +382,34 @@ int PKCS7_set_cipher();
 #define PKCS7_F_PKCS7_ADD_RECIPIENT_INFO		 102
 #define PKCS7_F_PKCS7_ADD_SIGNER			 103
 #define PKCS7_F_PKCS7_CTRL				 104
+#define PKCS7_F_PKCS7_DATADECODE			 112
 #define PKCS7_F_PKCS7_DATAINIT				 105
 #define PKCS7_F_PKCS7_DATASIGN				 106
 #define PKCS7_F_PKCS7_DATAVERIFY			 107
 #define PKCS7_F_PKCS7_SET_CIPHER			 108
 #define PKCS7_F_PKCS7_SET_CONTENT			 109
 #define PKCS7_F_PKCS7_SET_TYPE				 110
+#define PKCS7_F_PKCS7_SIGNATUREVERIFY			 113
 
 /* Reason codes. */
-#define PKCS7_R_INTERNAL_ERROR				 100
-#define PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE	 101
-#define PKCS7_R_SIGNATURE_FAILURE			 102
-#define PKCS7_R_UNABLE_TO_FIND_CERTIFICATE		 103
-#define PKCS7_R_UNABLE_TO_FIND_MEM_BIO			 104
-#define PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST		 105
-#define PKCS7_R_UNKNOWN_DIGEST_TYPE			 106
-#define PKCS7_R_UNSUPPORTED_CIPHER_TYPE			 107
-#define PKCS7_R_UNSUPPORTED_CONTENT_TYPE		 108
-#define PKCS7_R_WRONG_CONTENT_TYPE			 109
- 
+#define PKCS7_R_CIPHER_NOT_INITIALIZED			 116
+#define PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH		 100
+#define PKCS7_R_DIGEST_FAILURE				 101
+#define PKCS7_R_INTERNAL_ERROR				 102
+#define PKCS7_R_MISSING_CERIPEND_INFO			 103
+#define PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE	 115
+#define PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE	 104
+#define PKCS7_R_SIGNATURE_FAILURE			 105
+#define PKCS7_R_UNABLE_TO_FIND_CERTIFICATE		 106
+#define PKCS7_R_UNABLE_TO_FIND_MEM_BIO			 107
+#define PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST		 108
+#define PKCS7_R_UNKNOWN_DIGEST_TYPE			 109
+#define PKCS7_R_UNKNOWN_OPERATION			 110
+#define PKCS7_R_UNSUPPORTED_CIPHER_TYPE			 111
+#define PKCS7_R_UNSUPPORTED_CONTENT_TYPE		 112
+#define PKCS7_R_WRONG_CONTENT_TYPE			 113
+#define PKCS7_R_WRONG_PKCS7_TYPE			 114
+
 #ifdef  __cplusplus
 }
 #endif
diff --git a/lib/libcrypto/pkcs7/pkcs7err.c b/lib/libcrypto/pkcs7/pkcs7err.c
index f8510574229..82be3c2ca1e 100644
--- a/lib/libcrypto/pkcs7/pkcs7err.c
+++ b/lib/libcrypto/pkcs7/pkcs7err.c
@@ -1,63 +1,65 @@
-/* lib/pkcs7/pkcs7_err.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
+/* crypto/pkcs7/pkcs7err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
  *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
  * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
  */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file.
+ */
+
 #include <stdio.h>
-#include "err.h"
-#include "pkcs7.h"
+#include <openssl/err.h>
+#include <openssl/pkcs7.h>
 
 /* BEGIN ERROR CODES */
 #ifndef NO_ERR
@@ -68,38 +70,47 @@ static ERR_STRING_DATA PKCS7_str_functs[]=
 {ERR_PACK(0,PKCS7_F_PKCS7_ADD_RECIPIENT_INFO,0),	"PKCS7_add_recipient_info"},
 {ERR_PACK(0,PKCS7_F_PKCS7_ADD_SIGNER,0),	"PKCS7_add_signer"},
 {ERR_PACK(0,PKCS7_F_PKCS7_CTRL,0),	"PKCS7_ctrl"},
+{ERR_PACK(0,PKCS7_F_PKCS7_DATADECODE,0),	"PKCS7_dataDecode"},
 {ERR_PACK(0,PKCS7_F_PKCS7_DATAINIT,0),	"PKCS7_dataInit"},
-{ERR_PACK(0,PKCS7_F_PKCS7_DATASIGN,0),	"PKCS7_dataSign"},
+{ERR_PACK(0,PKCS7_F_PKCS7_DATASIGN,0),	"PKCS7_DATASIGN"},
 {ERR_PACK(0,PKCS7_F_PKCS7_DATAVERIFY,0),	"PKCS7_dataVerify"},
 {ERR_PACK(0,PKCS7_F_PKCS7_SET_CIPHER,0),	"PKCS7_set_cipher"},
 {ERR_PACK(0,PKCS7_F_PKCS7_SET_CONTENT,0),	"PKCS7_set_content"},
 {ERR_PACK(0,PKCS7_F_PKCS7_SET_TYPE,0),	"PKCS7_set_type"},
-{0,NULL},
+{ERR_PACK(0,PKCS7_F_PKCS7_SIGNATUREVERIFY,0),	"PKCS7_signatureVerify"},
+{0,NULL}
 	};
 
 static ERR_STRING_DATA PKCS7_str_reasons[]=
 	{
+{PKCS7_R_CIPHER_NOT_INITIALIZED          ,"cipher not initialized"},
+{PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH   ,"decrypted key is wrong length"},
+{PKCS7_R_DIGEST_FAILURE                  ,"digest failure"},
 {PKCS7_R_INTERNAL_ERROR                  ,"internal error"},
+{PKCS7_R_MISSING_CERIPEND_INFO           ,"missing ceripend info"},
+{PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE,"no recipient matches certificate"},
 {PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE,"operation not supported on this type"},
 {PKCS7_R_SIGNATURE_FAILURE               ,"signature failure"},
 {PKCS7_R_UNABLE_TO_FIND_CERTIFICATE      ,"unable to find certificate"},
 {PKCS7_R_UNABLE_TO_FIND_MEM_BIO          ,"unable to find mem bio"},
 {PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST   ,"unable to find message digest"},
 {PKCS7_R_UNKNOWN_DIGEST_TYPE             ,"unknown digest type"},
+{PKCS7_R_UNKNOWN_OPERATION               ,"unknown operation"},
 {PKCS7_R_UNSUPPORTED_CIPHER_TYPE         ,"unsupported cipher type"},
 {PKCS7_R_UNSUPPORTED_CONTENT_TYPE        ,"unsupported content type"},
 {PKCS7_R_WRONG_CONTENT_TYPE              ,"wrong content type"},
-{0,NULL},
+{PKCS7_R_WRONG_PKCS7_TYPE                ,"wrong pkcs7 type"},
+{0,NULL}
 	};
 
 #endif
 
-void ERR_load_PKCS7_strings()
+void ERR_load_PKCS7_strings(void)
 	{
 	static int init=1;
 
-	if (init);
-		{;
+	if (init)
+		{
 		init=0;
 #ifndef NO_ERR
 		ERR_load_strings(ERR_LIB_PKCS7,PKCS7_str_functs);
diff --git a/lib/libcrypto/pkcs7/sign.c b/lib/libcrypto/pkcs7/sign.c
index ead1cb65cae..d5f11540064 100644
--- a/lib/libcrypto/pkcs7/sign.c
+++ b/lib/libcrypto/pkcs7/sign.c
@@ -56,23 +56,23 @@
  * [including the GNU Public Licence.]
  */
 #include <stdio.h>
-#include "bio.h"
-#include "x509.h"
-#include "pem.h"
+#include <openssl/bio.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
 
-main(argc,argv)
+int main(argc,argv)
 int argc;
 char *argv[];
 	{
 	X509 *x509;
 	EVP_PKEY *pkey;
 	PKCS7 *p7;
-	PKCS7 *p7_data;
 	PKCS7_SIGNER_INFO *si;
 	BIO *in;
 	BIO *data,*p7bio;
 	char buf[1024*4];
-	int i,j;
+	int i;
 	int nodetach=0;
 
 	EVP_add_digest(EVP_md2());
@@ -105,7 +105,12 @@ again:
 	p7=PKCS7_new();
 	PKCS7_set_type(p7,NID_pkcs7_signed);
 	 
-	if (PKCS7_add_signature(p7,x509,pkey,EVP_sha1()) == NULL) goto err;
+	si=PKCS7_add_signature(p7,x509,pkey,EVP_sha1());
+	if (si == NULL) goto err;
+
+	/* If you do this then you get signing time automatically added */
+	PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT,
+						OBJ_nid2obj(NID_pkcs7_data));
 
 	/* we may want to add more */
 	PKCS7_add_certificate(p7,x509);
@@ -125,7 +130,7 @@ again:
 		BIO_write(p7bio,buf,i);
 		}
 
-	if (!PKCS7_dataSign(p7,p7bio)) goto err;
+	if (!PKCS7_dataFinal(p7,p7bio)) goto err;
 	BIO_free(p7bio);
 
 	PEM_write_PKCS7(stdout,p7);
diff --git a/lib/libcrypto/pkcs7/verify.c b/lib/libcrypto/pkcs7/verify.c
index 0e1c1b26dcb..32d9783e451 100644
--- a/lib/libcrypto/pkcs7/verify.c
+++ b/lib/libcrypto/pkcs7/verify.c
@@ -56,41 +56,41 @@
  * [including the GNU Public Licence.]
  */
 #include <stdio.h>
-#include "asn1.h"
-#include "bio.h"
-#include "x509.h"
-#include "pem.h"
+#include <openssl/bio.h>
+#include <openssl/asn1.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include "example.h"
 
 int verify_callback(int ok, X509_STORE_CTX *ctx);
 
 BIO *bio_err=NULL;
+BIO *bio_out=NULL;
 
-main(argc,argv)
+int main(argc,argv)
 int argc;
 char *argv[];
 	{
-	X509 *x509,*x;
 	PKCS7 *p7;
-	PKCS7_SIGNED *s;
 	PKCS7_SIGNER_INFO *si;
-	PKCS7_ISSUER_AND_SERIAL *ias;
 	X509_STORE_CTX cert_ctx;
 	X509_STORE *cert_store=NULL;
-	X509_LOOKUP *lookup=NULL;
 	BIO *data,*detached=NULL,*p7bio=NULL;
 	char buf[1024*4];
-	unsigned char *p,*pp;
-	int i,j,printit=0;
-	STACK *sk;
+	char *pp;
+	int i,printit=0;
+	STACK_OF(PKCS7_SIGNER_INFO) *sk;
 
 	bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+	bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
 	EVP_add_digest(EVP_md2());
 	EVP_add_digest(EVP_md5());
 	EVP_add_digest(EVP_sha1());
 	EVP_add_digest(EVP_mdc2());
 
 	data=BIO_new(BIO_s_file());
-again:
+
 	pp=NULL;
 	while (argc > 1)
 		{
@@ -131,10 +131,10 @@ again:
 	X509_STORE_load_locations(cert_store,NULL,"../../certs");
 	X509_STORE_set_verify_cb_func(cert_store,verify_callback);
 
-	ERR_clear_errors();
+	ERR_clear_error();
 
 	/* We need to process the data */
-	if (PKCS7_get_detached(p7))
+	if ((PKCS7_get_detached(p7) || detached))
 		{
 		if (detached == NULL)
 			{
@@ -166,12 +166,29 @@ again:
 		}
 
 	/* Ok, first we need to, for each subject entry, see if we can verify */
-	for (i=0; i<sk_num(sk); i++)
+	for (i=0; i<sk_PKCS7_SIGNER_INFO_num(sk); i++)
 		{
-		si=(PKCS7_SIGNER_INFO *)sk_value(sk,i);
+		ASN1_UTCTIME *tm;
+		char *str1,*str2;
+
+		si=sk_PKCS7_SIGNER_INFO_value(sk,i);
 		i=PKCS7_dataVerify(cert_store,&cert_ctx,p7bio,p7,si);
 		if (i <= 0)
 			goto err;
+		printf("signer info\n");
+		if ((tm=get_signed_time(si)) != NULL)
+			{
+			BIO_printf(bio_out,"Signed time:");
+			ASN1_UTCTIME_print(bio_out,tm);
+			ASN1_UTCTIME_free(tm);
+			BIO_printf(bio_out,"\n");
+			}
+		if (get_signed_seq2string(si,&str1,&str2))
+			{
+			BIO_printf(bio_out,"String 1 is %s\n",str1);
+			BIO_printf(bio_out,"String 2 is %s\n",str2);
+			}
+
 		}
 
 	X509_STORE_free(cert_store);
@@ -185,9 +202,7 @@ err:
 	}
 
 /* should be X509 * but we can just have them as char *. */
-int verify_callback(ok, ctx)
-int ok;
-X509_STORE_CTX *ctx;
+int verify_callback(int ok, X509_STORE_CTX *ctx)
 	{
 	char buf[256];
 	X509 *err_cert;