change prototype of the ecdh KDF: make input parameter const and the outlen argument  more flexible
diff --git a/apps/speed.c b/apps/speed.c
index 451a92e..19b08ce 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -449,11 +449,13 @@
 
 
 static const int KDF1_SHA1_len = 20;
-static void *KDF1_SHA1(void *in, size_t inlen, void *out, size_t outlen)
+static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen)
 	{
 #ifndef OPENSSL_NO_SHA
-	if (outlen != SHA_DIGEST_LENGTH)
+	if (*outlen < SHA_DIGEST_LENGTH)
 		return NULL;
+	else
+		*outlen = SHA_DIGEST_LENGTH;
 	return SHA1(in, inlen, out);
 #else
 	return NULL;
@@ -2189,7 +2191,7 @@
 					 * otherwise, use result (see section 4.8 of draft-ietf-tls-ecc-03.txt).
 					 */
 					int field_size, outlen;
-					void *(*kdf)(void *in, size_t inlen, void *out, size_t xoutlen);
+					void *(*kdf)(const void *in, size_t inlen, void *out, size_t *xoutlen);
 					field_size = EC_GROUP_get_degree(ecdh_a[j]->group);
 					if (field_size <= 24 * 8)
 						{
diff --git a/crypto/ecdh/ecdh.h b/crypto/ecdh/ecdh.h
index f9189e0..28aa853 100644
--- a/crypto/ecdh/ecdh.h
+++ b/crypto/ecdh/ecdh.h
@@ -92,7 +92,7 @@
 	{
 	const char *name;
 	int (*compute_key)(void *key, size_t outlen, const EC_POINT *pub_key, EC_KEY *ecdh,
-	                   void *(*KDF)(void *in, size_t inlen, void *out, size_t outlen));
+	                   void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen));
 #if 0
 	int (*init)(EC_KEY *eckey);
 	int (*finish)(EC_KEY *eckey);
@@ -127,7 +127,7 @@
 int 	  ECDH_set_method(EC_KEY *, const ECDH_METHOD *);
 
 int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, EC_KEY *ecdh,
-                     void *(*KDF)(void *in, size_t inlen, void *out, size_t outlen));
+                     void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen));
 
 int 	  ECDH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new 
 		*new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
diff --git a/crypto/ecdh/ecdhtest.c b/crypto/ecdh/ecdhtest.c
index f9162b7..2a6baf4 100644
--- a/crypto/ecdh/ecdhtest.c
+++ b/crypto/ecdh/ecdhtest.c
@@ -105,11 +105,13 @@
 
 
 static const int KDF1_SHA1_len = 20;
-static void *KDF1_SHA1(void *in, size_t inlen, void *out, size_t outlen)
+static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen)
 	{
 #ifndef OPENSSL_NO_SHA
-	if (outlen != SHA_DIGEST_LENGTH)
+	if (*outlen < SHA_DIGEST_LENGTH)
 		return NULL;
+	else
+		*outlen = SHA_DIGEST_LENGTH;
 	return SHA1(in, inlen, out);
 #else
 	return NULL;
diff --git a/crypto/ecdh/ech_key.c b/crypto/ecdh/ech_key.c
index 7d1bb32..ea23a0d 100644
--- a/crypto/ecdh/ech_key.c
+++ b/crypto/ecdh/ech_key.c
@@ -72,8 +72,9 @@
 #include <openssl/engine.h>
 #endif
 
-int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, EC_KEY *eckey,
-                     void *(*KDF)(void *in, size_t inlen, void *out, size_t outlen))
+int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
+	EC_KEY *eckey,
+	void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen))
 {
 	ECDH_DATA *ecdh = ecdh_check(eckey);
 	if (ecdh == NULL)
diff --git a/crypto/ecdh/ech_ossl.c b/crypto/ecdh/ech_ossl.c
index d61e54f..b1c634b 100644
--- a/crypto/ecdh/ech_ossl.c
+++ b/crypto/ecdh/ech_ossl.c
@@ -79,8 +79,9 @@
 #include <openssl/obj_mac.h>
 #include <openssl/bn.h>
 
-static int ecdh_compute_key(void *out, size_t len, const EC_POINT *pub_key, EC_KEY *ecdh,
-                            void *(*KDF)(void *in, size_t inlen, void *out, size_t outlen));
+static int ecdh_compute_key(void *out, size_t len, const EC_POINT *pub_key,
+	EC_KEY *ecdh, 
+	void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen));
 
 static ECDH_METHOD openssl_ecdh_meth = {
 	"OpenSSL ECDH method",
@@ -104,8 +105,9 @@
  *  - ECSVDP-DH
  * Finally an optional KDF is applied.
  */
-static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, EC_KEY *ecdh,
-                            void *(*KDF)(void *in, size_t inlen, void *out, size_t outlen))
+static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
+	EC_KEY *ecdh,
+	void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen))
 	{
 	BN_CTX *ctx;
 	EC_POINT *tmp=NULL;
@@ -182,7 +184,7 @@
 
 	if (KDF != 0)
 		{
-		if (KDF(buf, buflen, out, outlen) == NULL)
+		if (KDF(buf, buflen, out, &outlen) == NULL)
 			{
 			ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ECDH_R_KDF_FAILED);
 			goto err;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 54598f0..e6a83fb 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1579,11 +1579,13 @@
 
 
 static const int KDF1_SHA1_len = 20;
-static void *KDF1_SHA1(void *in, size_t inlen, void *out, size_t outlen)
+static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen)
 	{
 #ifndef OPENSSL_NO_SHA
-	if (outlen != SHA_DIGEST_LENGTH)
+	if (*outlen < SHA_DIGEST_LENGTH)
 		return NULL;
+	else
+		*outlen = SHA_DIGEST_LENGTH;
 	return SHA1(in, inlen, out);
 #else
 	return NULL;
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 4d19637..62a6cf7 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1588,11 +1588,13 @@
 
 
 static const int KDF1_SHA1_len = 20;
-static void *KDF1_SHA1(void *in, size_t inlen, void *out, size_t outlen)
+static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen)
 	{
 #ifndef OPENSSL_NO_SHA
-	if (outlen != SHA_DIGEST_LENGTH)
+	if (*outlen < SHA_DIGEST_LENGTH)
 		return NULL;
+	else
+		*outlen = SHA_DIGEST_LENGTH;
 	return SHA1(in, inlen, out);
 #else
 	return NULL;