diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f123a44
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/xmlsec1-1.2.20.tar.gz
diff --git a/.xmlsec1.metadata b/.xmlsec1.metadata
new file mode 100644
index 0000000..1111e32
--- /dev/null
+++ b/.xmlsec1.metadata
@@ -0,0 +1 @@
+40117ab0f788e43deef6eaf028c88f6abc3a30d0 SOURCES/xmlsec1-1.2.20.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 98f42b4..0000000
--- a/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/xmlsec1-1.2.20-covscan-fixes.patch b/SOURCES/xmlsec1-1.2.20-covscan-fixes.patch
new file mode 100644
index 0000000..54de012
--- /dev/null
+++ b/SOURCES/xmlsec1-1.2.20-covscan-fixes.patch
@@ -0,0 +1,965 @@
+diff --git a/apps/cmdline.c b/apps/cmdline.c
+index b9ecafb..eb95d9a 100644
+--- a/apps/cmdline.c
++++ b/apps/cmdline.c
+@@ -152,7 +152,7 @@ xmlSecAppCmdLineValueCreate(xmlSecAppCmdLineParamPtr param, int pos) {
+ assert(param != NULL);
+ value = (xmlSecAppCmdLineValuePtr) malloc(sizeof(xmlSecAppCmdLineValue));
+ if(value == NULL) {
+- fprintf(stderr, "Error: malloc failed (%d bytes).\n", sizeof(xmlSecAppCmdLineValue));
++ fprintf(stderr, "Error: malloc failed (%d bytes).\n", (int)sizeof(xmlSecAppCmdLineValue));
+ return(NULL);
+ }
+ memset(value, 0, sizeof(xmlSecAppCmdLineValue));
+@@ -284,7 +284,7 @@ xmlSecAppCmdLineParamRead(xmlSecAppCmdLineParamPtr param, const char** argv, int
+ value->strValue = argv[++pos];
+ buf = (char*)malloc(strlen(value->strValue) + 2);
+ if(buf == NULL) {
+- fprintf(stderr, "Error: failed to allocate memory (%d bytes).\n", strlen(value->strValue) + 2);
++ fprintf(stderr, "Error: failed to allocate memory (%d bytes).\n", (int)strlen(value->strValue) + 2);
+ return(-1);
+ }
+ memset(buf, 0, strlen(value->strValue) + 2);
+diff --git a/apps/xmlsec.c b/apps/xmlsec.c
+index c2f3196..c9e5534 100644
+--- a/apps/xmlsec.c
++++ b/apps/xmlsec.c
+@@ -2986,7 +2986,7 @@ xmlSecAppWriteResult(xmlDocPtr doc, xmlSecBufferPtr buffer) {
+ if(doc != NULL) {
+ xmlDocDump(f, doc);
+ } else if((buffer != NULL) && (xmlSecBufferGetData(buffer) != NULL)) {
+- fwrite(xmlSecBufferGetData(buffer), xmlSecBufferGetSize(buffer), 1, f);
++ (void)fwrite(xmlSecBufferGetData(buffer), xmlSecBufferGetSize(buffer), 1, f);
+ } else {
+ fprintf(stderr, "Error: both result doc and result buffer are null\n");
+ xmlSecAppCloseFile(f);
+diff --git a/docs/index.html b/docs/index.html
+index c46aefe..96fea05 100644
+--- a/docs/index.html
++++ b/docs/index.html
+@@ -70,7 +70,7 @@ see the Copyright file in the distribution for details.<br><br></p>
+ The <a href="download.html">XML Security Library 1.2.20</a> release fixes a number of miscellaneous bugs and
+ updates expired or soon-to-be-expired certificates in the test suite.
+ </li>
+-<li>March 24 2013<br>
++<br><li>March 24 2013<br>
+ The <a href="download.html">XML Security Library 1.2.19</a> release adds support for DSA-SHA256, ECDSA-SHA1,
+ ECDSA-SHA224, ECDSA-SHA256, ECDSA-SHA384, ECDSA-SHA512 and fixes a number of miscellaneous bugs.
+ </li>
+diff --git a/docs/news.html b/docs/news.html
+index c0ff702..8aaa252 100644
+--- a/docs/news.html
++++ b/docs/news.html
+@@ -51,7 +51,7 @@
+ The <a href="download.html">XML Security Library 1.2.20</a> release fixes a number of miscellaneous bugs and
+ updates expired or soon-to-be-expired certificates in the test suite.
+ </li>
+-<li>March 24 2013<br>
++<br><li>March 24 2013<br>
+ The <a href="download.html">XML Security Library 1.2.19</a> release adds support for DSA-SHA256, ECDSA-SHA1,
+ ECDSA-SHA224, ECDSA-SHA256, ECDSA-SHA384, ECDSA-SHA512 and fixes a number of miscellaneous bugs.
+ </li>
+diff --git a/include/xmlsec/openssl/crypto.h b/include/xmlsec/openssl/crypto.h
+index aec5fb3..b2fbea9 100644
+--- a/include/xmlsec/openssl/crypto.h
++++ b/include/xmlsec/openssl/crypto.h
+@@ -308,7 +308,7 @@ XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecOpenSSLTransformGost2001GostR3411_9
+ * The GOSTR3411_94 signature transform klass.
+ */
+ #define xmlSecOpenSSLTransformGostR3411_94Id \
+- xmlSecOpenSSLTransformGostR3411_94GetKlass()
++ xmlSecOpenSSLTransformGostR3411_94GetKlass()
+ XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecOpenSSLTransformGostR3411_94GetKlass(void);
+
+ #endif /* XMLSEC_NO_GOST */
+diff --git a/src/base64.c b/src/base64.c
+index 53e6694..0546582 100644
+--- a/src/base64.c
++++ b/src/base64.c
+@@ -161,7 +161,7 @@ xmlSecBase64CtxCreate(int encode, int columns) {
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+ "sizeof(xmlSecBase64Ctx)=%d",
+- sizeof(xmlSecBase64Ctx));
++ (int)sizeof(xmlSecBase64Ctx));
+ return(NULL);
+ }
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 0efbfed..52c5fc9 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -67,7 +67,7 @@ xmlSecBufferCreate(xmlSecSize size) {
+ NULL,
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+- "sizeof(xmlSecBuffer)=%d", sizeof(xmlSecBuffer));
++ "sizeof(xmlSecBuffer)=%d", (int)sizeof(xmlSecBuffer));
+ return(NULL);
+ }
+
+diff --git a/src/dl.c b/src/dl.c
+index 5ffc2ff..255818f 100644
+--- a/src/dl.c
++++ b/src/dl.c
+@@ -102,7 +102,7 @@ xmlSecCryptoDLLibraryCreate(const xmlChar* name) {
+ NULL,
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+- "size=%d", sizeof(lib));
++ "size=%d", (int)sizeof(lib));
+ return(NULL);
+ }
+ memset(lib, 0, sizeof(xmlSecCryptoDLLibrary));
+diff --git a/src/gcrypt/asn1.c b/src/gcrypt/asn1.c
+index 9a2b5cf..f718139 100644
+--- a/src/gcrypt/asn1.c
++++ b/src/gcrypt/asn1.c
+@@ -304,11 +304,11 @@ xmlSecGCryptParseDer(const xmlSecByte * der, xmlSecSize derlen,
+ case 3:
+ /* Public RSA */
+ type = xmlSecGCryptDerKeyTypePublicRsa;
+- break;
++ break;
+ case 5:
+ /* Public DSA */
+ type = xmlSecGCryptDerKeyTypePublicDsa;
+- break;
++ break;
+ case 6:
+ /* Private DSA */
+ type = xmlSecGCryptDerKeyTypePrivateDsa;
+diff --git a/src/io.c b/src/io.c
+index 42e9133..3f3b9ef 100644
+--- a/src/io.c
++++ b/src/io.c
+@@ -66,7 +66,7 @@ xmlSecIOCallbackCreate(xmlInputMatchCallback matchFunc, xmlInputOpenCallback ope
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+ "sizeof(xmlSecIOCallback)=%d",
+- sizeof(xmlSecIOCallback));
++ (int)sizeof(xmlSecIOCallback));
+ return(NULL);
+ }
+ memset(callbacks, 0, sizeof(xmlSecIOCallback));
+diff --git a/src/keyinfo.c b/src/keyinfo.c
+index 00390fa..7fc6a4b 100644
+--- a/src/keyinfo.c
++++ b/src/keyinfo.c
+@@ -227,7 +227,7 @@ xmlSecKeyInfoCtxCreate(xmlSecKeysMngrPtr keysMngr) {
+ NULL,
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+- "size=%d", sizeof(xmlSecKeyInfoCtx));
++ "size=%d", (int)sizeof(xmlSecKeyInfoCtx));
+ return(NULL);
+ }
+
+@@ -761,7 +761,16 @@ xmlSecKeyDataNameXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlNodePtr node,
+
+ /* finally set key name if it is not there */
+ if(xmlSecKeyGetName(key) == NULL) {
+- xmlSecKeySetName(key, newName);
++ ret = xmlSecKeySetName(key, newName);
++ if(ret < 0) {
++ xmlSecError(XMLSEC_ERRORS_HERE,
++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
++ "xmlSecKeySetName",
++ XMLSEC_ERRORS_R_XMLSEC_FAILED,
++ XMLSEC_ERRORS_NO_MESSAGE);
++ xmlFree(newName);
++ return(-1);
++ }
+ }
+ xmlFree(newName);
+ return(0);
+diff --git a/src/keys.c b/src/keys.c
+index 1d2f733..27f3690 100644
+--- a/src/keys.c
++++ b/src/keys.c
+@@ -112,7 +112,7 @@ xmlSecKeyUseWithCreate(const xmlChar* application, const xmlChar* identifier) {
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+ "sizeof(xmlSecKeyUseWith)=%d",
+- sizeof(xmlSecKeyUseWith));
++ (int)sizeof(xmlSecKeyUseWith));
+ return(NULL);
+ }
+ memset(keyUseWith, 0, sizeof(xmlSecKeyUseWith));
+@@ -548,7 +548,7 @@ xmlSecKeyCreate(void) {
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+ "sizeof(xmlSecKey)=%d",
+- sizeof(xmlSecKey));
++ (int)sizeof(xmlSecKey));
+ return(NULL);
+ }
+ memset(key, 0, sizeof(xmlSecKey));
+diff --git a/src/keysdata.c b/src/keysdata.c
+index de854ba..0367b16 100644
+--- a/src/keysdata.c
++++ b/src/keysdata.c
+@@ -255,7 +255,7 @@ xmlSecKeyDataDuplicate(xmlSecKeyDataPtr data) {
+ }
+
+ ret = (data->id->duplicate)(newData, data);
+- if(newData == NULL) {
++ if(ret < 0) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+ "id->duplicate",
+diff --git a/src/keysmngr.c b/src/keysmngr.c
+index 31a03e9..ad253c9 100644
+--- a/src/keysmngr.c
++++ b/src/keysmngr.c
+@@ -53,7 +53,7 @@ xmlSecKeysMngrCreate(void) {
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+ "sizeof(xmlSecKeysMngr)=%d",
+- sizeof(xmlSecKeysMngr));
++ (int)sizeof(xmlSecKeysMngr));
+ return(NULL);
+ }
+ memset(mngr, 0, sizeof(xmlSecKeysMngr));
+diff --git a/src/list.c b/src/list.c
+index d1a0053..1d48cc6 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -65,7 +65,7 @@ xmlSecPtrListCreate(xmlSecPtrListId id) {
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+ "sizeof(xmlSecPtrList)=%d",
+- sizeof(xmlSecPtrList));
++ (int)sizeof(xmlSecPtrList));
+ return(NULL);
+ }
+
+@@ -479,7 +479,7 @@ xmlSecPtrListEnsureSize(xmlSecPtrListPtr list, xmlSecSize size) {
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+ "sizeof(xmlSecPtr)*%d=%d",
+- newSize, sizeof(xmlSecPtr) * newSize);
++ newSize, (int)(sizeof(xmlSecPtr) * newSize));
+ return(-1);
+ }
+
+diff --git a/src/mscrypto/x509vfy.c b/src/mscrypto/x509vfy.c
+index 16b63db..6541a6c 100644
+--- a/src/mscrypto/x509vfy.c
++++ b/src/mscrypto/x509vfy.c
+@@ -1183,7 +1183,7 @@ xmlSecMSCryptoX509GetCertName(const xmlChar * name) {
+ "xmlSecMSCryptoConvertUtf8ToTstr",
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ XMLSEC_ERRORS_NO_MESSAGE);
+- xmlFree(name2);
++ xmlFree(name2);
+ return(NULL);
+ }
+
+diff --git a/src/nodeset.c b/src/nodeset.c
+index 04ae810..fbb3ecd 100644
+--- a/src/nodeset.c
++++ b/src/nodeset.c
+@@ -57,7 +57,7 @@ xmlSecNodeSetCreate(xmlDocPtr doc, xmlNodeSetPtr nodes, xmlSecNodeSetType type)
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+ "sizeof(xmlSecNodeSet)=%d",
+- sizeof(xmlSecNodeSet));
++ (int)sizeof(xmlSecNodeSet));
+ return(NULL);
+ }
+ memset(nset, 0, sizeof(xmlSecNodeSet));
+diff --git a/src/nss/keysstore.c b/src/nss/keysstore.c
+index f07e44b..057fc45 100644
+--- a/src/nss/keysstore.c
++++ b/src/nss/keysstore.c
+@@ -271,7 +271,7 @@ xmlSecNssKeysStoreInitialize(xmlSecKeyStorePtr store) {
+ xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), -1);
+
+ ss = xmlSecNssKeysStoreGetSS(store);
+- xmlSecAssert2((*ss == NULL), -1);
++ xmlSecAssert2(((ss == NULL) || (*ss == NULL)), -1);
+
+ *ss = xmlSecKeyStoreCreate(xmlSecSimpleKeysStoreId);
+ if(*ss == NULL) {
+diff --git a/src/nss/pkikeys.c b/src/nss/pkikeys.c
+index ae9e29b..5ede4cc 100644
+--- a/src/nss/pkikeys.c
++++ b/src/nss/pkikeys.c
+@@ -752,6 +752,15 @@ xmlSecNssKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
+ }
+
+ handle = PK11_ImportPublicKey(slot, pubkey, PR_FALSE);
++ if(handle == CK_INVALID_HANDLE) {
++ xmlSecError(XMLSEC_ERRORS_HERE,
++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
++ "PK11_ImportPublicKey",
++ XMLSEC_ERRORS_R_CRYPTO_FAILED,
++ XMLSEC_ERRORS_NO_MESSAGE);
++ ret = -1;
++ goto done;
++ }
+
+ data = xmlSecKeyDataCreate(id);
+ if(data == NULL ) {
+diff --git a/src/nss/x509vfy.c b/src/nss/x509vfy.c
+index fdb866f..9e957fe 100644
+--- a/src/nss/x509vfy.c
++++ b/src/nss/x509vfy.c
+@@ -233,7 +233,8 @@ xmlSecNssX509StoreVerify(xmlSecKeyDataStorePtr store, CERTCertList* certs,
+ NULL,
+ XMLSEC_ERRORS_R_CERT_ISSUER_FAILED,
+ "cert with subject name %s could not be verified because the issuer's cert is expired/invalid or not found",
+- cert->subjectName);
++ (cert != NULL) ? cert->subjectName : "(NULL)"
++ );
+ break;
+ case SEC_ERROR_EXPIRED_CERTIFICATE:
+ xmlSecError(XMLSEC_ERRORS_HERE,
+@@ -241,7 +242,8 @@ xmlSecNssX509StoreVerify(xmlSecKeyDataStorePtr store, CERTCertList* certs,
+ NULL,
+ XMLSEC_ERRORS_R_CERT_HAS_EXPIRED,
+ "cert with subject name %s has expired",
+- cert->subjectName);
++ (cert != NULL) ? cert->subjectName : "(NULL)"
++ );
+ break;
+ case SEC_ERROR_REVOKED_CERTIFICATE:
+ xmlSecError(XMLSEC_ERRORS_HERE,
+@@ -249,15 +251,16 @@ xmlSecNssX509StoreVerify(xmlSecKeyDataStorePtr store, CERTCertList* certs,
+ NULL,
+ XMLSEC_ERRORS_R_CERT_REVOKED,
+ "cert with subject name %s has been revoked",
+- cert->subjectName);
++ (cert != NULL) ? cert->subjectName : "(NULL)"
++ );
+ break;
+ default:
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+ NULL,
+ XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
+- "cert with subject name %s could not be verified, errcode %d",
+- cert->subjectName,
++ "cert with subject name %s could not be verified, errcode %d",
++ (cert != NULL) ? cert->subjectName : "(NULL)",
+ PORT_GetError());
+ break;
+ }
+@@ -690,11 +693,10 @@ xmlSecNssX509NameRead(xmlSecByte *str, int len) {
+ }
+ memcpy(p, value, valueLen);
+ p+=valueLen;
+- if (len > 0)
++ if (len > 0) {
+ *p++=',';
++ }
+ }
+- } else {
+- valueLen = 0;
+ }
+ if(len > 0) {
+ ++str; --len;
+diff --git a/src/openssl/app.c b/src/openssl/app.c
+index 4f8f79e..4154d2e 100644
+--- a/src/openssl/app.c
++++ b/src/openssl/app.c
+@@ -255,7 +255,7 @@ xmlSecOpenSSLAppKeyLoadBIO(BIO* bio, xmlSecKeyDataFormat format,
+ }
+ if(pKey == NULL) {
+ /* go to start of the file and try to read public key */
+- BIO_reset(bio);
++ (void)BIO_reset(bio);
+ pKey = PEM_read_bio_PUBKEY(bio, NULL,
+ XMLSEC_PTR_TO_FUNC(pem_password_cb, pwdCallback),
+ pwdCallbackCtx);
+@@ -274,7 +274,7 @@ xmlSecOpenSSLAppKeyLoadBIO(BIO* bio, xmlSecKeyDataFormat format,
+ pKey = d2i_PrivateKey_bio(bio, NULL);
+ if(pKey == NULL) {
+ /* go to start of the file and try to read public key */
+- BIO_reset(bio);
++ (void)BIO_reset(bio);
+ pKey = d2i_PUBKEY_bio(bio, NULL);
+ if(pKey == NULL) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+diff --git a/src/openssl/digests.c b/src/openssl/digests.c
+index fa26fa6..b103035 100644
+--- a/src/openssl/digests.c
++++ b/src/openssl/digests.c
+@@ -174,15 +174,14 @@ xmlSecOpenSSLEvpDigestInitialize(xmlSecTransformPtr transform) {
+ #ifndef XMLSEC_NO_GOST
+ if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformGostR3411_94Id)) {
+ ctx->digest = EVP_get_digestbyname("md_gost94");
+- if (!ctx->digest)
+- {
+- xmlSecError(XMLSEC_ERRORS_HERE,
+- xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
+- NULL,
+- XMLSEC_ERRORS_R_INVALID_TRANSFORM,
+- XMLSEC_ERRORS_NO_MESSAGE);
+- return(-1);
+- }
++ if (!ctx->digest) {
++ xmlSecError(XMLSEC_ERRORS_HERE,
++ xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
++ NULL,
++ XMLSEC_ERRORS_R_INVALID_TRANSFORM,
++ XMLSEC_ERRORS_NO_MESSAGE);
++ return(-1);
++ }
+ } else
+ #endif /* XMLSEC_NO_GOST*/
+
+diff --git a/src/openssl/evp.c b/src/openssl/evp.c
+index e042f26..464a5a3 100644
+--- a/src/openssl/evp.c
++++ b/src/openssl/evp.c
+@@ -1060,8 +1060,8 @@ static xmlSecKeyDataKlass xmlSecOpenSSLKeyDataEcdsaKlass = {
+ NULL, /* xmlSecKeyDataGetIdentifier getIdentifier; */
+
+ /* read/write */
+- NULL, /* xmlSecKeyDataXmlReadMethod xmlRead; */
+- NULL, /* xmlSecKeyDataXmlWriteMethod xmlWrite; */
++ NULL, /* xmlSecKeyDataXmlReadMethod xmlRead; */
++ NULL, /* xmlSecKeyDataXmlWriteMethod xmlWrite; */
+ NULL, /* xmlSecKeyDataBinReadMethod binRead; */
+ NULL, /* xmlSecKeyDataBinWriteMethod binWrite; */
+
+@@ -1887,17 +1887,17 @@ static xmlSecKeyDataKlass xmlSecOpenSSLKeyDataGost2001Klass = {
+ /* get info */
+ xmlSecOpenSSLKeyDataGost2001GetType, /* xmlSecKeyDataGetTypeMethod getType; */
+ xmlSecOpenSSLKeyDataGost2001GetSize, /* xmlSecKeyDataGetSizeMethod getSize; */
+- NULL, /* xmlSecKeyDataGetIdentifier getIdentifier; */
++ NULL, /* xmlSecKeyDataGetIdentifier getIdentifier; */
+
+ /* read/write */
+- NULL, /* xmlSecKeyDataXmlReadMethod xmlRead; */
+- NULL, /* xmlSecKeyDataXmlWriteMethod xmlWrite; */
+- NULL, /* xmlSecKeyDataBinReadMethod binRead; */
+- NULL, /* xmlSecKeyDataBinWriteMethod binWrite; */
++ NULL, /* xmlSecKeyDataXmlReadMethod xmlRead; */
++ NULL, /* xmlSecKeyDataXmlWriteMethod xmlWrite; */
++ NULL, /* xmlSecKeyDataBinReadMethod binRead; */
++ NULL, /* xmlSecKeyDataBinWriteMethod binWrite; */
+
+ /* debug */
+ xmlSecOpenSSLKeyDataGost2001DebugDump, /* xmlSecKeyDataDebugDumpMethod debugDump; */
+- xmlSecOpenSSLKeyDataGost2001DebugXmlDump,/* xmlSecKeyDataDebugDumpMethod debugXmlDump; */
++ xmlSecOpenSSLKeyDataGost2001DebugXmlDump, /* xmlSecKeyDataDebugDumpMethod debugXmlDump; */
+
+ /* reserved for the future */
+ NULL, /* void* reserved0; */
+@@ -1941,9 +1941,9 @@ xmlSecOpenSSLKeyDataGost2001Finalize(xmlSecKeyDataPtr data) {
+
+ static xmlSecKeyDataType
+ xmlSecOpenSSLKeyDataGost2001GetType(xmlSecKeyDataPtr data) {
+- /* Now I don't know how to find whether we have both private and public key
+- or the public only*/
+- return(xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate);
++ /* Now I don't know how to find whether we have both private and public key
++ or the public only*/
++ return(xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate);
+ }
+
+ static xmlSecSize
+diff --git a/src/openssl/kt_rsa.c b/src/openssl/kt_rsa.c
+index 1cf1aba..8c022d5 100644
+--- a/src/openssl/kt_rsa.c
++++ b/src/openssl/kt_rsa.c
+@@ -845,7 +845,12 @@ xmlSecOpenSSLRsaOaepProcess(xmlSecTransformPtr transform, xmlSecTransformCtxPtr
+ }
+ outSize = ret;
+ } else {
+- xmlSecAssert2("we could not be here" == NULL, -1);
++ xmlSecError(XMLSEC_ERRORS_HERE,
++ xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
++ "",
++ XMLSEC_ERRORS_R_XMLSEC_FAILED,
++ "Unexpected trasnform operation: %d; paramsSize: %d",
++ (int)transform->operation, (int)paramsSize);
+ return(-1);
+ }
+
+diff --git a/src/openssl/signatures.c b/src/openssl/signatures.c
+index 7e3dbc7..6751ba0 100644
+--- a/src/openssl/signatures.c
++++ b/src/openssl/signatures.c
+@@ -345,15 +345,14 @@ xmlSecOpenSSLEvpSignatureInitialize(xmlSecTransformPtr transform) {
+ if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformGost2001GostR3411_94Id)) {
+ ctx->keyId = xmlSecOpenSSLKeyDataGost2001Id;
+ ctx->digest = EVP_get_digestbyname("md_gost94");
+- if (!ctx->digest)
+- {
+- xmlSecError(XMLSEC_ERRORS_HERE,
++ if (!ctx->digest) {
++ xmlSecError(XMLSEC_ERRORS_HERE,
+ xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
+ NULL,
+ XMLSEC_ERRORS_R_INVALID_TRANSFORM,
+ XMLSEC_ERRORS_NO_MESSAGE);
+- return(-1);
+- }
++ return(-1);
++ }
+ } else
+ #endif /* XMLSEC_NO_GOST*/
+
+diff --git a/src/openssl/x509.c b/src/openssl/x509.c
+index 459a312..11f4571 100644
+--- a/src/openssl/x509.c
++++ b/src/openssl/x509.c
+@@ -1941,7 +1941,7 @@ xmlSecOpenSSLX509CertBase64DerWrite(X509* cert, int base64LineWrap) {
+
+ /* todo: add error checks */
+ i2d_X509_bio(mem, cert);
+- BIO_flush(mem);
++ (void)BIO_flush(mem);
+
+ size = BIO_get_mem_data(mem, &p);
+ if((size <= 0) || (p == NULL)){
+@@ -2055,7 +2055,7 @@ xmlSecOpenSSLX509CrlBase64DerWrite(X509_CRL* crl, int base64LineWrap) {
+
+ /* todo: add error checks */
+ i2d_X509_CRL_bio(mem, crl);
+- BIO_flush(mem);
++ (void)BIO_flush(mem);
+
+ size = BIO_get_mem_data(mem, &p);
+ if((size <= 0) || (p == NULL)){
+@@ -2111,7 +2111,7 @@ xmlSecOpenSSLX509NameWrite(X509_NAME* nm) {
+ return(NULL);
+ }
+
+- BIO_flush(mem); /* should call flush ? */
++ (void)BIO_flush(mem); /* should call flush ? */
+
+ size = BIO_pending(mem);
+ res = xmlMalloc(size + 1);
+diff --git a/src/openssl/x509vfy.c b/src/openssl/x509vfy.c
+index ca5a462..370694d 100644
+--- a/src/openssl/x509vfy.c
++++ b/src/openssl/x509vfy.c
+@@ -178,7 +178,7 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
+ X509 * cert;
+ X509 * err_cert = NULL;
+ char buf[256];
+- int err = 0, depth;
++ int err = 0;
+ int i;
+ int ret;
+
+@@ -287,49 +287,43 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
+ if(xmlSecOpenSSLX509FindNextChainCert(certs2, cert) == NULL) {
+ X509_STORE_CTX xsc;
+
+-#if !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097)
+- X509_VERIFY_PARAM * vpm = NULL;
+- unsigned long vpm_flags = 0;
+-
+- vpm = X509_VERIFY_PARAM_new();
+- if(vpm == NULL) {
+- xmlSecError(XMLSEC_ERRORS_HERE,
+- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+- "X509_VERIFY_PARAM_new",
+- XMLSEC_ERRORS_R_CRYPTO_FAILED,
+- XMLSEC_ERRORS_NO_MESSAGE);
+- goto done;
+- }
+- vpm_flags = vpm->flags;
+-/*
+- vpm_flags &= (~X509_V_FLAG_X509_STRICT);
+-*/
+- vpm_flags &= (~X509_V_FLAG_CRL_CHECK);
+-
+- X509_VERIFY_PARAM_set_depth(vpm, 9);
+- X509_VERIFY_PARAM_set_flags(vpm, vpm_flags);
+-#endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */
+-
+-
+ X509_STORE_CTX_init (&xsc, ctx->xst, cert, certs2);
+-
+ if(keyInfoCtx->certsVerificationTime > 0) {
+-#if !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097)
+- vpm_flags |= X509_V_FLAG_USE_CHECK_TIME;
+- X509_VERIFY_PARAM_set_time(vpm, keyInfoCtx->certsVerificationTime);
+-#endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */
+ X509_STORE_CTX_set_time(&xsc, 0, keyInfoCtx->certsVerificationTime);
+ }
+
+ #if !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097)
+- X509_STORE_CTX_set0_param(&xsc, vpm);
++ {
++ X509_VERIFY_PARAM * vpm = NULL;
++ unsigned long vpm_flags = 0;
++
++ vpm = X509_VERIFY_PARAM_new();
++ if(vpm == NULL) {
++ xmlSecError(XMLSEC_ERRORS_HERE,
++ xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
++ "X509_VERIFY_PARAM_new",
++ XMLSEC_ERRORS_R_CRYPTO_FAILED,
++ XMLSEC_ERRORS_NO_MESSAGE);
++ goto done;
++ }
++ vpm_flags = vpm->flags;
++ vpm_flags &= (~X509_V_FLAG_CRL_CHECK);
++
++ if(keyInfoCtx->certsVerificationTime > 0) {
++ vpm_flags |= X509_V_FLAG_USE_CHECK_TIME;
++ X509_VERIFY_PARAM_set_time(vpm, keyInfoCtx->certsVerificationTime);
++ }
++
++ X509_VERIFY_PARAM_set_depth(vpm, 9);
++ X509_VERIFY_PARAM_set_flags(vpm, vpm_flags);
++ X509_STORE_CTX_set0_param(&xsc, vpm);
++ }
+ #endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */
+
+
+ ret = X509_verify_cert(&xsc);
+ err_cert = X509_STORE_CTX_get_current_cert(&xsc);
+ err = X509_STORE_CTX_get_error(&xsc);
+- depth = X509_STORE_CTX_get_error_depth(&xsc);
+
+ X509_STORE_CTX_cleanup (&xsc);
+
+diff --git a/src/parser.c b/src/parser.c
+index 990ff98..dd902d4 100644
+--- a/src/parser.c
++++ b/src/parser.c
+@@ -159,7 +159,7 @@ xmlSecParserPushBin(xmlSecTransformPtr transform, const xmlSecByte* data,
+ /* required for c14n! */
+ ctx->parserCtx->loadsubset = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
+ ctx->parserCtx->replaceEntities = 1;
+- ctx->parserCtx->options = XML_PARSE_NONET;
++ ctx->parserCtx->options = XML_PARSE_NONET;
+
+ transform->status = xmlSecTransformStatusWorking;
+ } else if(transform->status == xmlSecTransformStatusFinished) {
+@@ -317,7 +317,7 @@ xmlSecParserPopXml(xmlSecTransformPtr transform, xmlSecNodeSetPtr* nodes,
+ }
+
+ ret = inputPush(ctxt, input);
+- if(input == NULL) {
++ if(ret < 0) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
+ "inputPush",
+diff --git a/src/transforms.c b/src/transforms.c
+index 8a2ded2..d384a0e 100644
+--- a/src/transforms.c
++++ b/src/transforms.c
+@@ -355,7 +355,7 @@ xmlSecTransformCtxCreate(void) {
+ NULL,
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+- "size=%d", sizeof(xmlSecTransformCtx));
++ "size=%d", (int)sizeof(xmlSecTransformCtx));
+ return(NULL);
+ }
+
+@@ -876,7 +876,7 @@ xmlSecTransformCtxSetUri(xmlSecTransformCtxPtr ctx, const xmlChar* uri, xmlNodeP
+ NULL,
+ NULL,
+ XMLSEC_ERRORS_R_STRDUP_FAILED,
+- "size=%d", xptr - uri);
++ "size=%d", (int)(xptr - uri));
+ return(-1);
+ }
+
+@@ -932,6 +932,9 @@ xmlSecTransformCtxSetUri(xmlSecTransformCtxPtr ctx, const xmlChar* uri, xmlNodeP
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ "transform=%s",
+ xmlSecErrorsSafeString(xmlSecTransformKlassGetName(xmlSecTransformXPointerId)));
++ if(buf != NULL) {
++ xmlFree(buf);
++ }
+ return(-1);
+ }
+
+@@ -965,6 +968,9 @@ xmlSecTransformCtxSetUri(xmlSecTransformCtxPtr ctx, const xmlChar* uri, xmlNodeP
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ "transform=%s",
+ xmlSecErrorsSafeString(xmlSecTransformKlassGetName(xmlSecTransformVisa3DHackId)));
++ if(buf != NULL) {
++ xmlFree(buf);
++ }
+ return(-1);
+ }
+
+@@ -2810,7 +2816,7 @@ xmlSecTransformIOBufferCreate(xmlSecTransformIOBufferMode mode, xmlSecTransformP
+ NULL,
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+- "size=%d", sizeof(xmlSecTransformIOBuffer));
++ "size=%d", (int)sizeof(xmlSecTransformIOBuffer));
+ return(NULL);
+ }
+ memset(buffer, 0, sizeof(xmlSecTransformIOBuffer));
+diff --git a/src/xmldsig.c b/src/xmldsig.c
+index b08b8b1..10ba03f 100644
+--- a/src/xmldsig.c
++++ b/src/xmldsig.c
+@@ -73,7 +73,7 @@ xmlSecDSigCtxCreate(xmlSecKeysMngrPtr keysMngr) {
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+ "sizeof(xmlSecDSigCtx)=%d",
+- sizeof(xmlSecDSigCtx));
++ (int)sizeof(xmlSecDSigCtx));
+ return(NULL);
+ }
+
+@@ -160,10 +160,26 @@ xmlSecDSigCtxInitialize(xmlSecDSigCtxPtr dsigCtx, xmlSecKeysMngrPtr keysMngr) {
+ }
+
+ /* references lists from SignedInfo and Manifest elements */
+- xmlSecPtrListInitialize(&(dsigCtx->signedInfoReferences),
+- xmlSecDSigReferenceCtxListId);
+- xmlSecPtrListInitialize(&(dsigCtx->manifestReferences),
+- xmlSecDSigReferenceCtxListId);
++ ret = xmlSecPtrListInitialize(&(dsigCtx->signedInfoReferences),
++ xmlSecDSigReferenceCtxListId);
++ if(ret != 0) {
++ xmlSecError(XMLSEC_ERRORS_HERE,
++ NULL,
++ "xmlSecPtrListInitialize",
++ XMLSEC_ERRORS_R_XMLSEC_FAILED,
++ XMLSEC_ERRORS_NO_MESSAGE);
++ return(ret);
++ }
++ ret = xmlSecPtrListInitialize(&(dsigCtx->manifestReferences),
++ xmlSecDSigReferenceCtxListId);
++ if(ret != 0) {
++ xmlSecError(XMLSEC_ERRORS_HERE,
++ NULL,
++ "xmlSecPtrListInitialize",
++ XMLSEC_ERRORS_R_XMLSEC_FAILED,
++ XMLSEC_ERRORS_NO_MESSAGE);
++ return(ret);
++ }
+
+ dsigCtx->enabledReferenceUris = xmlSecTransformUriTypeAny;
+ return(0);
+@@ -773,7 +789,9 @@ xmlSecDSigCtxProcessSignedInfoNode(xmlSecDSigCtxPtr dsigCtx, xmlNodePtr node) {
+ dsigCtx->signMethod->operation = dsigCtx->operation;
+
+ /* calculate references */
+- cur = xmlSecGetNextElementNode(cur->next);
++ if(cur != NULL) {
++ cur = xmlSecGetNextElementNode(cur->next);
++ }
+ while((cur != NULL) && (xmlSecCheckNodeName(cur, xmlSecNodeReference, xmlSecDSigNs))) {
+ /* create reference */
+ dsigRefCtx = xmlSecDSigReferenceCtxCreate(dsigCtx, xmlSecDSigReferenceOriginSignedInfo);
+@@ -1118,9 +1136,9 @@ xmlSecDSigCtxDebugDump(xmlSecDSigCtxPtr dsigCtx, FILE* output) {
+ (xmlSecBufferGetData(dsigCtx->result) != NULL)) {
+
+ fprintf(output, "== Result - start buffer:\n");
+- fwrite(xmlSecBufferGetData(dsigCtx->result),
+- xmlSecBufferGetSize(dsigCtx->result),
+- 1, output);
++ (void)fwrite(xmlSecBufferGetData(dsigCtx->result),
++ xmlSecBufferGetSize(dsigCtx->result),
++ 1, output);
+ fprintf(output, "\n== Result - end buffer\n");
+ }
+ if(((dsigCtx->flags & XMLSEC_DSIG_FLAGS_STORE_SIGNATURE) != 0) &&
+@@ -1128,9 +1146,9 @@ xmlSecDSigCtxDebugDump(xmlSecDSigCtxPtr dsigCtx, FILE* output) {
+ (xmlSecBufferGetData(xmlSecDSigCtxGetPreSignBuffer(dsigCtx)) != NULL)) {
+
+ fprintf(output, "== PreSigned data - start buffer:\n");
+- fwrite(xmlSecBufferGetData(xmlSecDSigCtxGetPreSignBuffer(dsigCtx)),
+- xmlSecBufferGetSize(xmlSecDSigCtxGetPreSignBuffer(dsigCtx)),
+- 1, output);
++ (void)fwrite(xmlSecBufferGetData(xmlSecDSigCtxGetPreSignBuffer(dsigCtx)),
++ xmlSecBufferGetSize(xmlSecDSigCtxGetPreSignBuffer(dsigCtx)),
++ 1, output);
+ fprintf(output, "\n== PreSigned data - end buffer\n");
+ }
+ }
+@@ -1207,9 +1225,9 @@ xmlSecDSigCtxDebugXmlDump(xmlSecDSigCtxPtr dsigCtx, FILE* output) {
+ (xmlSecBufferGetData(dsigCtx->result) != NULL)) {
+
+ fprintf(output, "<Result>");
+- fwrite(xmlSecBufferGetData(dsigCtx->result),
+- xmlSecBufferGetSize(dsigCtx->result),
+- 1, output);
++ (void)fwrite(xmlSecBufferGetData(dsigCtx->result),
++ xmlSecBufferGetSize(dsigCtx->result),
++ 1, output);
+ fprintf(output, "</Result>\n");
+ }
+ if(((dsigCtx->flags & XMLSEC_DSIG_FLAGS_STORE_SIGNATURE) != 0) &&
+@@ -1217,9 +1235,9 @@ xmlSecDSigCtxDebugXmlDump(xmlSecDSigCtxPtr dsigCtx, FILE* output) {
+ (xmlSecBufferGetData(xmlSecDSigCtxGetPreSignBuffer(dsigCtx)) != NULL)) {
+
+ fprintf(output, "<PreSignedData>");
+- fwrite(xmlSecBufferGetData(xmlSecDSigCtxGetPreSignBuffer(dsigCtx)),
+- xmlSecBufferGetSize(xmlSecDSigCtxGetPreSignBuffer(dsigCtx)),
+- 1, output);
++ (void)fwrite(xmlSecBufferGetData(xmlSecDSigCtxGetPreSignBuffer(dsigCtx)),
++ xmlSecBufferGetSize(xmlSecDSigCtxGetPreSignBuffer(dsigCtx)),
++ 1, output);
+ fprintf(output, "</PreSignedData>\n");
+ }
+
+@@ -1260,7 +1278,7 @@ xmlSecDSigReferenceCtxCreate(xmlSecDSigCtxPtr dsigCtx, xmlSecDSigReferenceOrigin
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+ "sizeof(xmlSecDSigReferenceCtx)=%d",
+- sizeof(xmlSecDSigReferenceCtx));
++ (int)sizeof(xmlSecDSigReferenceCtx));
+ return(NULL);
+ }
+
+@@ -1669,9 +1687,9 @@ xmlSecDSigReferenceCtxDebugDump(xmlSecDSigReferenceCtxPtr dsigRefCtx, FILE* outp
+ (xmlSecBufferGetData(xmlSecDSigReferenceCtxGetPreDigestBuffer(dsigRefCtx)) != NULL)) {
+
+ fprintf(output, "== PreDigest data - start buffer:\n");
+- fwrite(xmlSecBufferGetData(xmlSecDSigReferenceCtxGetPreDigestBuffer(dsigRefCtx)),
+- xmlSecBufferGetSize(xmlSecDSigReferenceCtxGetPreDigestBuffer(dsigRefCtx)),
+- 1, output);
++ (void)fwrite(xmlSecBufferGetData(xmlSecDSigReferenceCtxGetPreDigestBuffer(dsigRefCtx)),
++ xmlSecBufferGetSize(xmlSecDSigReferenceCtxGetPreDigestBuffer(dsigRefCtx)),
++ 1, output);
+ fprintf(output, "\n== PreDigest data - end buffer\n");
+ }
+
+@@ -1679,9 +1697,9 @@ xmlSecDSigReferenceCtxDebugDump(xmlSecDSigReferenceCtxPtr dsigRefCtx, FILE* outp
+ (xmlSecBufferGetData(dsigRefCtx->result) != NULL)) {
+
+ fprintf(output, "== Result - start buffer:\n");
+- fwrite(xmlSecBufferGetData(dsigRefCtx->result),
+- xmlSecBufferGetSize(dsigRefCtx->result), 1,
+- output);
++ (void)fwrite(xmlSecBufferGetData(dsigRefCtx->result),
++ xmlSecBufferGetSize(dsigRefCtx->result), 1,
++ output);
+ fprintf(output, "\n== Result - end buffer\n");
+ }
+ }
+@@ -1742,9 +1760,9 @@ xmlSecDSigReferenceCtxDebugXmlDump(xmlSecDSigReferenceCtxPtr dsigRefCtx, FILE* o
+ (xmlSecBufferGetData(dsigRefCtx->result) != NULL)) {
+
+ fprintf(output, "<Result>");
+- fwrite(xmlSecBufferGetData(dsigRefCtx->result),
+- xmlSecBufferGetSize(dsigRefCtx->result), 1,
+- output);
++ (void)fwrite(xmlSecBufferGetData(dsigRefCtx->result),
++ xmlSecBufferGetSize(dsigRefCtx->result), 1,
++ output);
+ fprintf(output, "</Result>\n");
+ }
+
+@@ -1752,9 +1770,9 @@ xmlSecDSigReferenceCtxDebugXmlDump(xmlSecDSigReferenceCtxPtr dsigRefCtx, FILE* o
+ (xmlSecBufferGetData(xmlSecDSigReferenceCtxGetPreDigestBuffer(dsigRefCtx)) != NULL)) {
+
+ fprintf(output, "<PreDigestData>");
+- fwrite(xmlSecBufferGetData(xmlSecDSigReferenceCtxGetPreDigestBuffer(dsigRefCtx)),
+- xmlSecBufferGetSize(xmlSecDSigReferenceCtxGetPreDigestBuffer(dsigRefCtx)),
+- 1, output);
++ (void)fwrite(xmlSecBufferGetData(xmlSecDSigReferenceCtxGetPreDigestBuffer(dsigRefCtx)),
++ xmlSecBufferGetSize(xmlSecDSigReferenceCtxGetPreDigestBuffer(dsigRefCtx)),
++ 1, output);
+ fprintf(output, "</PreDigestData>\n");
+ }
+ if(dsigRefCtx->dsigCtx->operation == xmlSecTransformOperationSign) {
+diff --git a/src/xmlenc.c b/src/xmlenc.c
+index 44c9877..3d4e0d2 100644
+--- a/src/xmlenc.c
++++ b/src/xmlenc.c
+@@ -65,7 +65,7 @@ xmlSecEncCtxCreate(xmlSecKeysMngrPtr keysMngr) {
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+ "sizeof(xmlSecEncCtx)=%d",
+- sizeof(xmlSecEncCtx));
++ (int)sizeof(xmlSecEncCtx));
+ return(NULL);
+ }
+
+@@ -1218,9 +1218,9 @@ xmlSecEncCtxDebugDump(xmlSecEncCtxPtr encCtx, FILE* output) {
+ (encCtx->resultBase64Encoded != 0)) {
+
+ fprintf(output, "== Result - start buffer:\n");
+- fwrite(xmlSecBufferGetData(encCtx->result),
+- xmlSecBufferGetSize(encCtx->result), 1,
+- output);
++ (void)fwrite(xmlSecBufferGetData(encCtx->result),
++ xmlSecBufferGetSize(encCtx->result), 1,
++ output);
+ fprintf(output, "\n== Result - end buffer\n");
+ }
+ }
+@@ -1311,9 +1311,9 @@ xmlSecEncCtxDebugXmlDump(xmlSecEncCtxPtr encCtx, FILE* output) {
+ (encCtx->resultBase64Encoded != 0)) {
+
+ fprintf(output, "<Result>");
+- fwrite(xmlSecBufferGetData(encCtx->result),
+- xmlSecBufferGetSize(encCtx->result), 1,
+- output);
++ (void)fwrite(xmlSecBufferGetData(encCtx->result),
++ xmlSecBufferGetSize(encCtx->result), 1,
++ output);
+ fprintf(output, "</Result>\n");
+ }
+
+diff --git a/src/xpath.c b/src/xpath.c
+index e67631e..2c96192 100644
+--- a/src/xpath.c
++++ b/src/xpath.c
+@@ -91,7 +91,7 @@ xmlSecXPathDataCreate(xmlSecXPathDataType type) {
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+ "sizeof(xmlSecXPathData)=%d",
+- sizeof(xmlSecXPathData));
++ (int)sizeof(xmlSecXPathData));
+ return(NULL);
+ }
+ memset(data, 0, sizeof(xmlSecXPathData));
+@@ -285,17 +285,17 @@ xmlSecXPathDataExecute(xmlSecXPathDataPtr data, xmlDocPtr doc, xmlNodePtr hereNo
+ to reserve NULL for our own purposes so we simply create an empty
+ node set here */
+ if(xpathObj->nodesetval == NULL) {
+- xpathObj->nodesetval = xmlXPathNodeSetCreate(NULL);
+- if(xpathObj->nodesetval == NULL) {
+- xmlXPathFreeObject(xpathObj);
+- xmlSecError(XMLSEC_ERRORS_HERE,
+- NULL,
++ xpathObj->nodesetval = xmlXPathNodeSetCreate(NULL);
++ if(xpathObj->nodesetval == NULL) {
++ xmlXPathFreeObject(xpathObj);
++ xmlSecError(XMLSEC_ERRORS_HERE,
++ NULL,
+ "xmlXPathNodeSetCreate",
+ XMLSEC_ERRORS_R_XML_FAILED,
+ "expr=%s",
+ xmlSecErrorsSafeString(data->expr));
+- return(NULL);
+- }
++ return(NULL);
++ }
+ }
+
+ nodes = xmlSecNodeSetCreate(doc, xpathObj->nodesetval, data->nodeSetType);
+@@ -613,7 +613,7 @@ xmlSecTransformXPathNodeRead(xmlSecTransformPtr transform, xmlNodePtr node, xmlS
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+ "size=%d",
+- xmlStrlen(data->expr) + strlen(xpathPattern) + 1);
++ (int)(xmlStrlen(data->expr) + strlen(xpathPattern) + 1));
+ return(-1);
+ }
+ sprintf((char*)tmp, xpathPattern, (char*)data->expr);
+diff --git a/src/xslt.c b/src/xslt.c
+index 0353a25..0a010bd 100644
+--- a/src/xslt.c
++++ b/src/xslt.c
+@@ -584,7 +584,7 @@ xmlSecXsApplyStylesheet(xmlSecXsltCtxPtr ctx, xmlDocPtr doc) {
+ XMLSEC_ERRORS_R_XSLT_FAILED,
+ XMLSEC_ERRORS_NO_MESSAGE);
+ goto done;
+- }
++ }
+
+ /* set security prefs */
+ ret = xsltSetCtxtSecurityPrefs(g_xslt_default_security_prefs, xsltCtx);
diff --git a/SPECS/xmlsec1.spec b/SPECS/xmlsec1.spec
new file mode 100644
index 0000000..1696256
--- /dev/null
+++ b/SPECS/xmlsec1.spec
@@ -0,0 +1,389 @@
+Summary: Library providing support for "XML Signature" and "XML Encryption" standards
+Name: xmlsec1
+Version: 1.2.20
+Release: 5%{?dist}%{?extra_release}
+License: MIT
+Group: System Environment/Libraries
+Source0: http://www.aleksey.com/xmlsec/download/xmlsec1-%{version}.tar.gz
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
+URL: http://www.aleksey.com/xmlsec/
+BuildRequires: libxml2-devel >= 2.6.0
+BuildRequires: libxslt-devel >= 1.1.0
+BuildRequires: openssl-devel >= 0.9.6
+BuildRequires: libgcrypt-devel >= 1.2.0
+BuildRequires: gnutls-devel >= 1.0.20
+BuildRequires: nss-devel >= 3.2
+BuildRequires: nspr-devel
+BuildRequires: libtool-ltdl-devel
+
+# extra build deps needed for autoreconf after Patch1
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: gettext-devel
+BuildRequires: libtool
+
+Patch3: xmlsec1-1.2.20-covscan-fixes.patch
+
+%description
+XML Security Library is a C library based on LibXML2 and OpenSSL.
+The library was created with a goal to support major XML security
+standards "XML Digital Signature" and "XML Encryption".
+
+%package devel
+Summary: Libraries, includes, etc. to develop applications with XML Digital Signatures and XML Encryption support.
+Group: Development/Libraries
+Requires: xmlsec1%{?_isa} = %{version}-%{release}
+Requires: libxml2-devel%{?_isa} >= 2.6.0
+Requires: libxslt-devel%{?_isa} >= 1.1.0
+Requires: openssl-devel%{?_isa} >= 0.9.6
+Requires: zlib-devel%{?_isa}
+# pkgconfig deps are automatic in Fedora and EL>=6
+%if 0%{?rhel} == 5
+Requires: pkgconfig
+%endif
+
+%description devel
+Libraries, includes, etc. you can use to develop applications with XML Digital
+Signatures and XML Encryption support.
+
+%package openssl
+Summary: OpenSSL crypto plugin for XML Security Library
+Group: Development/Libraries
+Requires: xmlsec1%{?_isa} = %{version}-%{release}
+
+%description openssl
+OpenSSL plugin for XML Security Library provides OpenSSL based crypto services
+for the xmlsec library.
+
+%package openssl-devel
+Summary: OpenSSL crypto plugin for XML Security Library
+Group: Development/Libraries
+Requires: xmlsec1-devel%{?_isa} = %{version}-%{release}
+Requires: xmlsec1-openssl%{?_isa} = %{version}-%{release}
+
+%description openssl-devel
+Libraries, includes, etc. for developing XML Security applications with OpenSSL
+
+%package gcrypt
+Summary: GCrypt crypto plugin for XML Security Library
+Group: Development/Libraries
+Requires: xmlsec1%{?_isa} = %{version}-%{release}
+
+%description gcrypt
+GCrypt plugin for XML Security Library provides GCrypt based crypto services
+for the xmlsec library.
+
+%package gcrypt-devel
+Summary: GCrypt crypto plugin for XML Security Library
+Group: Development/Libraries
+Requires: xmlsec1-devel%{?_isa} = %{version}-%{release}
+Requires: xmlsec1-gnutls-devel%{?_isa} = %{version}-%{release}
+
+%description gcrypt-devel
+Libraries, includes, etc. for developing XML Security applications with GCrypt.
+
+%package gnutls
+Summary: GNUTls crypto plugin for XML Security Library
+Group: Development/Libraries
+Requires: xmlsec1%{?_isa} = %{version}-%{release}
+Requires: xmlsec1-gcrypt%{?_isa} = %{version}-%{release}
+
+%description gnutls
+GNUTls plugin for XML Security Library provides GNUTls based crypto services
+for the xmlsec library.
+
+%package gnutls-devel
+Summary: GNUTls crypto plugin for XML Security Library
+Group: Development/Libraries
+Requires: xmlsec1-devel%{?_isa} = %{version}-%{release}
+Requires: xmlsec1-openssl-devel%{?_isa} = %{version}-%{release}
+Requires: libgcrypt-devel%{?_isa} >= 1.2.0
+Requires: gnutls-devel%{?_isa} >= 1.0.20
+
+%description gnutls-devel
+Libraries, includes, etc. for developing XML Security applications with GNUTls.
+
+%package nss
+Summary: NSS crypto plugin for XML Security Library
+Group: Development/Libraries
+Requires: xmlsec1%{?_isa} = %{version}-%{release}
+
+%description nss
+NSS plugin for XML Security Library provides NSS based crypto services
+for the xmlsec library
+
+%package nss-devel
+Summary: NSS crypto plugin for XML Security Library
+Group: Development/Libraries
+Requires: xmlsec1-devel%{?_isa} = %{version}-%{release}
+Requires: xmlsec1-nss%{?_isa} = %{version}-%{release}
+Requires: nss-devel%{?_isa} >= 3.2
+Requires: nspr-devel%{?_isa}
+
+%description nss-devel
+Libraries, includes, etc. for developing XML Security applications with NSS.
+
+%prep
+%setup -q
+%patch3 -p1 -b .covscan
+
+%build
+autoreconf -if
+%configure --disable-static
+sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
+sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
+V=1 make
+
+# positively ugly but only sane way to get around #192756
+sed 's+/lib64+/$archlib+g' < xmlsec1-config | sed 's+/lib+/$archlib+g' | sed 's+ -DXMLSEC_NO_SIZE_T++' > xmlsec1-config.$$ && mv xmlsec1-config.$$ xmlsec1-config
+
+%check
+make check
+
+%install
+rm -rf $RPM_BUILD_ROOT
+mkdir -p $RPM_BUILD_ROOT/usr/bin
+mkdir -p $RPM_BUILD_ROOT/usr/include/xmlsec1
+mkdir -p $RPM_BUILD_ROOT%{_libdir}
+mkdir -p $RPM_BUILD_ROOT/usr/man/man1
+
+make DESTDIR=$RPM_BUILD_ROOT install
+rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
+
+# move installed docs to include them in -devel package via %%doc magic
+rm -rf __tmp_doc ; mkdir __tmp_doc
+mv ${RPM_BUILD_ROOT}%{_docdir}/xmlsec1/* __tmp_doc
+
+%clean
+rm -fr ${RPM_BUILD_ROOT}
+
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
+
+%post gnutls -p /sbin/ldconfig
+%postun gnutls -p /sbin/ldconfig
+
+%post openssl -p /sbin/ldconfig
+%postun openssl -p /sbin/ldconfig
+
+%files
+%doc AUTHORS ChangeLog NEWS README Copyright
+%{_mandir}/man1/xmlsec1.1*
+%{_libdir}/libxmlsec1.so.*
+%{_bindir}/xmlsec1
+
+%files devel
+%{_bindir}/xmlsec1-config
+%dir %{_includedir}/xmlsec1
+%dir %{_includedir}/xmlsec1/xmlsec
+%dir %{_includedir}/xmlsec1/xmlsec/private
+%{_includedir}/xmlsec1/xmlsec/*.h
+%{_includedir}/xmlsec1/xmlsec/private/*.h
+%{_libdir}/libxmlsec1.so
+%{_libdir}/pkgconfig/xmlsec1.pc
+%{_libdir}/xmlsec1Conf.sh
+%{_datadir}/aclocal/xmlsec1.m4
+%{_mandir}/man1/xmlsec1-config.1*
+%doc HACKING __tmp_doc/*
+
+%files openssl
+%{_libdir}/libxmlsec1-openssl.so.*
+%{_libdir}/libxmlsec1-openssl.so
+
+%files openssl-devel
+%{_includedir}/xmlsec1/xmlsec/openssl/
+%{_libdir}/pkgconfig/xmlsec1-openssl.pc
+
+%files gcrypt
+%{_libdir}/libxmlsec1-gcrypt.so.*
+%{_libdir}/libxmlsec1-gcrypt.so
+
+%files gcrypt-devel
+%{_includedir}/xmlsec1/xmlsec/gcrypt/
+%{_libdir}/pkgconfig/xmlsec1-gcrypt.pc
+
+%files gnutls
+%{_libdir}/libxmlsec1-gnutls.so.*
+%{_libdir}/libxmlsec1-gnutls.so
+
+%files gnutls-devel
+%{_includedir}/xmlsec1/xmlsec/gnutls/
+%{_libdir}/pkgconfig/xmlsec1-gnutls.pc
+
+%files nss
+%{_libdir}/libxmlsec1-nss.so.*
+%{_libdir}/libxmlsec1-nss.so
+
+%files nss-devel
+%{_includedir}/xmlsec1/xmlsec/nss/
+%{_libdir}/pkgconfig/xmlsec1-nss.pc
+
+%changelog
+* Fri Sep 5 2014 Simo Sorce <simo@redhat.com> - 1.2.20-5
+- Add package to RHEL7
+- Resolves: #1118038
+
+* Thu Jun 5 2014 Simo Sorce <simo@redhat.com> - 1.2.20-4
+- Add fixes from upstream
+- These were sent by us after covscan checks revelead errors
+
+* Tue Jun 3 2014 Simo Sorce <simo@redhat.com> - 1.2.20-3
+- Make RPMDiff happy by adding a strict require on subpackage
+
+* Wed May 28 2014 Simo Sorce <simo@redhat.com> - 1.2.20-2
+- Update pkg-config fix patch to apply w/o fuzz
+
+* Wed May 28 2014 Simo Sorce <simo@redhat.com> - 1.2.20-1
+- New upstrema version with memleaks, crl checks and other fixes
+- enable make check during build
+- drop ecdsa patch as it has been included upstream
+
+* Fri May 23 2014 Simo Sorce <simo@redhat.com> - 1.2.19-6
+- Fix incomplete patch
+
+* Fri May 23 2014 Simo Sorce <simo@redhat.com> - 1.2.19-5
+- Add patch to deal with different behavior of pkg-config in RHEL6
+
+* Thu Apr 24 2014 Tomáš Mráz <tmraz@redhat.com> - 1.2.19-4
+- Rebuild for new libgcrypt
+
+* Fri Dec 13 2013 Michael Schwendt <mschwendt@fedoraproject.org> - 1.2.19-3
+- Fix duplicate documentation (#1001250)
+- Turn on verbose build output via V=1 make
+- Use %%?_isa in explicit package deps
+- Fix base package Group tag to "System Environment/Libraries"
+- Remove %%defattr
+
+* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.19-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Mon Mar 25 2013 Daniel Veillard <veillard@redhat.com> - 1.2.19-1
+- Update to upstream release 1.2.19
+
+* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.18-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Sun Jul 22 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.18-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.18-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Thu May 12 2011 Daniel Veillard <veillard@redhat.com> - 1.2.18-1
+- Update to upstream release 1.2.18
+
+* Mon Apr 11 2011 Daniel Veillard <veillard@redhat.com> - 1.2.17-1
+- Update to upstream release 1.2.17
+- fixes CVE-2011-1425 on xslt file creation
+
+* Tue Mar 22 2011 Daniel Veillard <veillard@redhat.com> - 1.2.16-4
+- Fix missing links to unversioned shared library files 541599
+
+* Mon Feb 07 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.16-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Jun 2 2010 Tom "spot" Callaway <tcallawa@redhat.com> - 1.2.16-2
+- add missing BuildRequires: libtool-ltdl-devel
+
+* Wed Jun 2 2010 Tom "spot" Callaway <tcallawa@redhat.com> - 1.2.16-1
+- update to 1.2.16
+- cleanup spec file
+- disable static libs
+- disable rpath
+- enable gcrypt subpackage
+
+* Wed Aug 26 2009 Tomas Mraz <tmraz@redhat.com> - 1.2.12-2
+- rebuilt with new openssl
+
+* Tue Aug 11 2009 Daniel Veillard <veillard@redhat.com> - 1.2.12-1
+- update to new upstream release 1.2.12
+- includes fix for CVE-2009-0217
+- cleanup spec file
+
+* Mon Jul 27 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.11-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Thu Feb 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.11-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Sun Jan 18 2009 Tomas Mraz <tmraz@redhat.com> - 1.2.11-2
+- rebuild with new openssl
+
+* Fri Jul 11 2008 Daniel Veillard <veillard@redhat.com> - 1.2.11-1
+- update to new upstream release 1.2.11
+- rebuild for gnutls update
+
+* Wed Feb 20 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 1.2.9-10.1
+- Autorebuild for GCC 4.3
+
+* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 1.2.9-9
+ - Rebuild for deps
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.2.9-8.1
+- rebuild
+
+* Wed Jun 14 2006 Tomas Mraz <tmraz@redhat.com> - 1.2.9-8
+- rebuilt with new gnutls
+
+* Thu Jun 8 2006 Daniel Veillard <veillard@redhat.com> - 1.2.9-7
+- oops libxmlsec1.la was still there, should fix #171410 and #154142
+
+* Thu Jun 8 2006 Daniel Veillard <veillard@redhat.com> - 1.2.9-6
+- Ugly patch and sed based changes to work around #192756 xmlsec1-config
+ multilib problem
+
+* Wed Jun 7 2006 Jeremy Katz <katzj@redhat.com> - 1.2.9-5
+- move .so symlinks to -devel subpackage
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.2.9-4.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.2.9-4.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Thu Dec 15 2005 Christopher Aillon <caillon@redhat.com> 1.2.9-4
+- NSS has been split out of the mozilla package, so require that now
+ and update separate_nspr.patch to account for the new NSS as well
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Wed Nov 23 2005 Tomas Mraz <tmraz@redhat.com> 1.2.9-3
+- rebuilt due to gnutls library revision
+* Wed Nov 9 2005 <veillard@redhat.com> 1.2.9-2
+- rebuilt due to openssl library revision
+* Tue Sep 20 2005 <veillard@redhat.com> 1.2.9-1
+- update from upstream, release done in July
+- apparently nss is now available on ppc64
+* Mon Aug 8 2005 <veillard@redhat.com> 1.2.8-3
+- rebuilt with new gnutls
+- nspr has been split to a separate package
+* Fri Jul 8 2005 Daniel Veillard <veillard@redhat.com> 1.2.8-2
+- Enabling the mozilla-nss crypto backend
+* Fri Jul 8 2005 Daniel Veillard <veillard@redhat.com> 1.2.8-1
+- update from upstream, needed for openoffice
+* Tue Mar 8 2005 Daniel Veillard <veillard@redhat.com> 1.2.7-4
+- rebuilt with gcc4
+* Wed Feb 23 2005 Daniel Veillard <veillard@redhat.com> 1.2.7-1
+- Upstream release of 1.2.7, mostly bug fixes plus new functions
+ to GetKeys from simple store and X509 handling.
+* Wed Feb 9 2005 Daniel Veillard <veillard@redhat.com> 1.2.6-4
+- Adding support for GNUTls crypto backend
+* Wed Sep 1 2004 Daniel Veillard <veillard@redhat.com> 1.2.6-3
+- adding missing ldconfig calls
+* Thu Aug 26 2004 Daniel Veillard <veillard@redhat.com> 1.2.6-2
+- updated with upstream release from Aleksey
+* Mon Jun 21 2004 Daniel Veillard <veillard@redhat.com> 1.2.5-2
+- rebuilt
+* Mon Apr 19 2004 Daniel Veillard <veillard@redhat.com> 1.2.5-1
+- updated with upstream release from Aleksey
+* Wed Feb 11 2004 Daniel Veillard <veillard@redhat.com> 1.2.4-1
+- updated with upstream release from Aleksey
+* Tue Jan 6 2004 Daniel Veillard <veillard@redhat.com> 1.2.3-1
+- updated with upstream release from Aleksey
+* Wed Nov 12 2003 Daniel Veillard <veillard@redhat.com> 1.2.2-1
+- updated with upstream release from Aleksey, specific patches should
+ have been integrated now.
+* Thu Nov 6 2003 Daniel Veillard <veillard@redhat.com> 1.2.1-1
+- initial packaging based on the upstream one and libxml2 one.
+- desactivated mozilla-nss due to detection/architecture problems