diff --git a/CHANGES b/CHANGES index 33130ff46243760f2456219d76b4729bad29752e..6d77412f7aad507a9411894436ea090a4c36d240 100644 --- a/CHANGES +++ b/CHANGES @@ -4,10 +4,14 @@ Changes between 0.9.4 and 0.9.5 [xx XXX 1999] + *) Changed obj_dat.pl script so it takes its input and output files on + the command line. This should avoid shell escape redirection problems + under Win32. + [Steve Henson] + *) Initial support for certificate extension requests, these are included - in things like Xenroll certificate requests. They will later be used to - allow PKCS#10 requests to include a list of "requested extensions" which - can be added. + in things like Xenroll certificate requests. Included functions to allow + extensions to be obtained and added. [Steve Henson] *) -crlf option to s_client and s_server for sending newlines as diff --git a/Configure b/Configure index fdad0c238c1afcb790811748797b2d7f493e7d02..d0917d85b7e913d8f258e911fb730adda1cdf307 100755 --- a/Configure +++ b/Configure @@ -724,7 +724,7 @@ if($IsWindows) { EOF close(OUT); - system "perl crypto/objects/obj_dat.pl crypto\\objects\\obj_dat.h"; + system "perl crypto/objects/obj_dat.pl crypto/objects/objects.h crypto/objects/obj_dat.h"; } else { (system "make -f Makefile.ssl PERL=\'$perl\' links") == 0 or exit $?; ### (system 'make depend') == 0 or exit $? if $depflags ne ""; diff --git a/crypto/objects/Makefile.ssl b/crypto/objects/Makefile.ssl index a3a15c13c1f73f57aa79abaf1adb123f8f93989f..8b15ab0d6c270313b9ccdba9639a1891e52e8bc8 100644 --- a/crypto/objects/Makefile.ssl +++ b/crypto/objects/Makefile.ssl @@ -38,7 +38,7 @@ top: all: obj_dat.h lib obj_dat.h: objects.h obj_dat.pl - $(PERL) ./obj_dat.pl < objects.h > obj_dat.h + $(PERL) ./obj_dat.pl objects.h obj_dat.h lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) diff --git a/crypto/objects/obj_dat.pl b/crypto/objects/obj_dat.pl index 5043daef2a20bfb1f1beb69cb62c58d2cae48be7..e6e3c3b9c02087e76b64b4143893c44bec5437e6 100644 --- a/crypto/objects/obj_dat.pl 
+++ b/crypto/objects/obj_dat.pl @@ -38,7 +38,10 @@ sub expand_obj return(%objn); } -while (<>) +open (IN,"$ARGV[0]") || die "Can't open input file $ARGV[0]"; +open (OUT,">$ARGV[1]") || die "Can't open output file $ARGV[1]"; + +while () { next unless /^\#define\s+(\S+)\s+(.*)$/; $v=$1; @@ -55,6 +58,7 @@ while (<>) $objd{$v}=$d; } } +close IN; %ob=&expand_obj(*objd); @@ -132,7 +136,7 @@ foreach (sort obj_cmp @a) push(@ob,sprintf("&(nid_objs[%2d]),/* %-32s %s */\n",$_,$m,$v)); } -print <<'EOF'; +print OUT <<'EOF'; /* lib/obj/obj_dat.h */ /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) * All rights reserved. @@ -193,21 +197,21 @@ print <<'EOF'; /* THIS FILE IS GENERATED FROM Objects.h by obj_dat.pl via the * following command: - * perl obj_dat.pl < objects.h > obj_dat.h + * perl obj_dat.pl objects.h obj_dat.h */ EOF -printf "#define NUM_NID %d\n",$n; -printf "#define NUM_SN %d\n",$#sn+1; -printf "#define NUM_LN %d\n",$#ln+1; -printf "#define NUM_OBJ %d\n\n",$#ob+1; +printf OUT "#define NUM_NID %d\n",$n; +printf OUT "#define NUM_SN %d\n",$#sn+1; +printf OUT "#define NUM_LN %d\n",$#ln+1; +printf OUT "#define NUM_OBJ %d\n\n",$#ob+1; -printf "static unsigned char lvalues[%d]={\n",$lvalues+1; -print @lvalues; -print "};\n\n"; +printf OUT "static unsigned char lvalues[%d]={\n",$lvalues+1; +print OUT @lvalues; +print OUT "};\n\n"; -printf "static ASN1_OBJECT nid_objs[NUM_NID]={\n"; +printf OUT "static ASN1_OBJECT nid_objs[NUM_NID]={\n"; foreach (@out) { if (length($_) > 75) 
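Review bot: The two-argument `open (IN,"$ARGV[0]")` and `open (OUT,">$ARGV[1]")` let Perl infer the mode from the argument, so a path that starts with `>` or `|` (or ends in `|`) is treated as a redirection or a pipe rather than a file, which matters now that the script takes its paths from the command line. A usage check such as `die "usage: obj_dat.pl objects.h obj_dat.h" unless @ARGV == 2;` and, where the Perl in use supports it, three-argument `open(IN, '<', $ARGV[0])` keep the arguments as plain paths. The `while ()` on the new side appears to have lost its readline operand in this rendering; confirm the source reads `while (<IN>)`, since an empty condition loops forever in Perl. The `die` messages would also be more useful with `: $!` appended.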
@@ -218,30 +222,32 @@ foreach (@out) $t=$out.$_.","; if (length($t) > 70) { - print "$out\n"; + print OUT "$out\n"; $t="\t$_,"; } $out=$t; } chop $out; - print "$out"; + print OUT "$out"; } else - { print $_; } + { print OUT $_; } } -print "};\n\n"; +print OUT "};\n\n"; + +printf OUT "static ASN1_OBJECT *sn_objs[NUM_SN]={\n"; +print OUT @sn; +print OUT "};\n\n"; -printf "static ASN1_OBJECT *sn_objs[NUM_SN]={\n"; -print @sn; -print "};\n\n"; +printf OUT "static ASN1_OBJECT *ln_objs[NUM_LN]={\n"; +print OUT @ln; +print OUT "};\n\n"; -printf "static ASN1_OBJECT *ln_objs[NUM_LN]={\n"; -print @ln; -print "};\n\n"; +printf OUT "static ASN1_OBJECT *obj_objs[NUM_OBJ]={\n"; +print OUT @ob; +print OUT "};\n\n"; -printf "static ASN1_OBJECT *obj_objs[NUM_OBJ]={\n"; -print @ob; -print "};\n\n"; +close OUT; sub der_it { diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index 80ca680594f5060255d01c610ecbd3eaeef62356..7bb4dbf1255143021b2618353c16daed444450b0 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -791,6 +791,9 @@ int X509_REQ_extension_nid(int nid); int * X509_REQ_get_extesion_nids(void); void X509_REQ_set_extension_nids(int *nids); STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req); +int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts, + int nid); +int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts); int X509_check_private_key(X509 *x509,EVP_PKEY *pkey); diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c index 6544f03f2ceb5f6272b29a5ca269f0dbf716279d..b52a59c263173a6067d3d0d14349060b26718915 100644 --- a/crypto/x509/x509_req.c +++ b/crypto/x509/x509_req.c 
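Review bot: `close OUT;` at the end of the hunk discards the return value, so a write error or a full disk while emitting obj_dat.h leaves a truncated header while the script still exits 0, and make would then consider the target up to date; `close(OUT) || die "Can't write $ARGV[1]: $!";` makes the failure visible. The same applies to `close IN;` in the earlier hunk, though a read-side failure there is less consequential.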
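Review bot: The two new prototypes are undocumented, and the ownership rule is not obvious from the signatures: on the x509_req.c side `exts` is only DER-encoded into the attribute, so the caller keeps ownership of the stack and must free it. A comment above them such as `/* exts is encoded, not consumed: the caller retains ownership of the stack. Return 1 on success, 0 on error. */` would save readers a trip to the implementation.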
@@ -169,3 +169,48 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
 d2i_X509_EXTENSION, X509_EXTENSION_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
 }
+
+/* Add a STACK_OF extensions to a certificate request: allow alternative OIDs
+ * in case we want to create a non standard one.
+ */
+
+int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
+ int nid)
+{
+ unsigned char *p = NULL, *q;
+ long len;
+ ASN1_TYPE *at = NULL;
+ X509_ATTRIBUTE *attr = NULL;
+ if(!(at = ASN1_TYPE_new()) ||
+ !(at->value.sequence = ASN1_STRING_new())) goto err;
+
+ at->type = V_ASN1_SEQUENCE;
+ /* Generate encoding of extensions */
+ len = i2d_ASN1_SET_OF_X509_EXTENSION(exts, NULL, i2d_X509_EXTENSION,
+ V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE);
+ if(!(p = Malloc(len))) goto err;
+ q = p;
+ i2d_ASN1_SET_OF_X509_EXTENSION(exts, &q, i2d_X509_EXTENSION,
+ V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE);
+ at->value.sequence->data = p;
+ p = NULL;
+ at->value.sequence->length = len;
+ if(!(attr = X509_ATTRIBUTE_new())) goto err;
+ if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
+ if(!sk_ASN1_TYPE_push(attr->value.set, at)) goto err;
+ at = NULL;
+ attr->set = 1;
+ attr->object = OBJ_nid2obj(nid);
+ if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err;
+ return 1;
+ err:
+ if(p) Free(p);
+ X509_ATTRIBUTE_free(attr);
+ ASN1_TYPE_free(at);
+ return 0;
+}
+/* This is the normal usage: use the "official" OID */
+int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts)
+{
+ return X509_REQ_add_extensions_nid(req, exts, NID_ext_req);
+}
diff --git a/doc/openssl.txt b/doc/openssl.txt
index 2f50038d1770636d9416cc54af609152b263cb6b..2a84be420ac1fbea1dfec946853823da6427d95a 100644
--- a/doc/openssl.txt
+++ b/doc/openssl.txt
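Review bot: The length returned by the first `i2d_ASN1_SET_OF_X509_EXTENSION` call goes straight into `Malloc(len)` without a check, so a failed encoding (a non-positive `len`) yields a zero-sized or oversized allocation and the second, unchecked i2d then writes through `q`; add `if(len <= 0) goto err;` before the `Malloc`. `attr->object = OBJ_nid2obj(nid)` is also unchecked, and since this function exists precisely to accept alternative NIDs, an unknown one leaves `attr->object` NULL inside the request; `if(!(attr->object = OBJ_nid2obj(nid))) goto err;` keeps that out of the attribute stack. Finally, `attr->value.set` is populated while `attr->set` is still 0, so if `sk_ASN1_TYPE_push` fails the cleanup path hands the stack to `X509_ATTRIBUTE_free` with `set` unset — if that free dispatches on `set` (its body is outside this hunk), it would treat the stack as a single ASN1_TYPE; moving `attr->set = 1;` to directly after the successful `sk_ASN1_TYPE_new_null()` avoids that.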
@@ -561,7 +561,7 @@ takes the NID of the extension rather than its name. For example to produce basicConstraints with the CA flag and a path length of 10: -x = X509V3_EXT_conf_nid(NULL, NULL, NID_basicConstraints, "CA:TRUE,pathlen:10"); +x = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,"CA:TRUE,pathlen:10"); X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);