diff -ur openssl-1.0.1f/apps/enc.c openssl-1.0.1f-work/apps/enc.c
--- openssl-1.0.1f/apps/enc.c	2014-01-06 05:47:42.000000000 -0800
+++ openssl-1.0.1f-work/apps/enc.c	2014-01-21 00:32:28.579824071 -0800
@@ -56,6 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
+#include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -113,6 +114,9 @@
 	char *str=NULL, *passarg = NULL, *pass = NULL;
 	char *hkey=NULL,*hiv=NULL,*hsalt = NULL;
 	char *md=NULL;
+	unsigned char key_iv[EVP_MAX_KEY_LENGTH+EVP_MAX_IV_LENGTH];
+	int use_pbkdf2=0;
+	unsigned long iter_count=1;
 	int enc=1,printkey=0,i,base64=0;
 #ifdef ZLIB
 	int do_zlib=0;
@@ -291,6 +295,18 @@
 			}
 		else if (strcmp(*argv,"-none") == 0)
 			cipher=NULL;
+		else if (strcmp(*argv,"-c") == 0)
+			{
+			if (--argc < 1) goto bad;
+			const char *iter_count_str = *(++argv);
+			iter_count = strtoul(iter_count_str, NULL, 10);
+			if ((LONG_MIN == iter_count || LONG_MAX == iter_count) && ERANGE == errno)
+				goto bad;
+			if (iter_count < 0 || iter_count > INT_MAX)
+				goto bad;
+			}
+		else if (strcmp(*argv,"-pbkdf2") == 0)
+			use_pbkdf2= 1;
 		else
 			{
 			BIO_printf(bio_err,"unknown option '%s'\n",*argv);
@@ -308,6 +324,8 @@
 			BIO_printf(bio_err,"%-14s   from a passphrase.  One of md2, md5, sha or sha1\n","");
 			BIO_printf(bio_err,"%-14s salt in hex is the next argument\n","-S");
 			BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv");
+			BIO_printf(bio_err,"%-14s use PBKDF2\n","-pbkdf2");
+			BIO_printf(bio_err,"%-14s iteration count\n","-c");
 			BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]");
 			BIO_printf(bio_err,"%-14s buffer size\n","-bufsize <n>");
 			BIO_printf(bio_err,"%-14s disable standard block padding\n","-nopad");
@@ -552,9 +570,21 @@
 				sptr = salt;
 			}
 
+			if (use_pbkdf2)
+			{
+			PKCS5_PBKDF2_HMAC((unsigned char *)str, strlen(str),
+				(unsigned char*)salt, strlen(salt),
+				iter_count, dgst,
+				cipher->key_len + cipher->iv_len, key_iv);
+			strncpy(key, key_iv, cipher->key_len);
+			strncpy(iv, key_iv+cipher->key_len, cipher->iv_len);
+			}
+			else
+			{
 			EVP_BytesToKey(cipher,dgst,sptr,
 				(unsigned char *)str,
-				strlen(str),1,key,iv);
+				strlen(str),(int)iter_count,key,iv);
+			}
 			/* zero the complete buffer or the string
 			 * passed from the command line
 			 * bug picked up by