update to openssl-0.9.8i; tested by several, especially krw@

190 files changed, 5824 insertions, 3245 deletions

diff --git a/src/lib/libcrypto/asn1/asn_mime.c b/src/lib/libcrypto/asn1/asn_mime.c
index fe7c4ec7ab..bc80b20d63 100644
--- a/src/lib/libcrypto/asn1/asn_mime.c
+++ b/src/lib/libcrypto/asn1/asn_mime.c
@@ -526,6 +526,8 @@ int SMIME_text(BIO *in, BIO *out)
         sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
         while ((len = BIO_read(in, iobuf, sizeof(iobuf))) > 0)
                                                 BIO_write(out, iobuf, len);
+        if (len < 0)
+                return 0;
         return 1;
 }
 
diff --git a/src/lib/libcrypto/asn1/t_x509.c b/src/lib/libcrypto/asn1/t_x509.c
index 26d3361722..cb76c32c8d 100644
--- a/src/lib/libcrypto/asn1/t_x509.c
+++ b/src/lib/libcrypto/asn1/t_x509.c
@@ -393,8 +393,9 @@ int ASN1_GENERALIZEDTIME_print(BIO *bp, ASN1_GENERALIZEDTIME *tm)
         d= (v[6]-'0')*10+(v[7]-'0');
         h= (v[8]-'0')*10+(v[9]-'0');
         m=  (v[10]-'0')*10+(v[11]-'0');
-        if (    (v[12] >= '0') && (v[12] <= '9') &&
-                (v[13] >= '0') && (v[13] <= '9'))
+        if (i >= 14 &&
+            (v[12] >= '0') && (v[12] <= '9') &&
+            (v[13] >= '0') && (v[13] <= '9'))
                 s=  (v[12]-'0')*10+(v[13]-'0');
 
         if (BIO_printf(bp,"%s %2d %02d:%02d:%02d %d%s",
@@ -428,8 +429,9 @@ int ASN1_UTCTIME_print(BIO *bp, ASN1_UTCTIME *tm)
         d= (v[4]-'0')*10+(v[5]-'0');
         h= (v[6]-'0')*10+(v[7]-'0');
         m=  (v[8]-'0')*10+(v[9]-'0');
-        if (    (v[10] >= '0') && (v[10] <= '9') &&
-                (v[11] >= '0') && (v[11] <= '9'))
+        if (i >=12 &&
+            (v[10] >= '0') && (v[10] <= '9') &&
+            (v[11] >= '0') && (v[11] <= '9'))
                 s=  (v[10]-'0')*10+(v[11]-'0');
 
         if (BIO_printf(bp,"%s %2d %02d:%02d:%02d %d%s",
@@ -501,4 +503,3 @@ err:
         OPENSSL_free(b);
         return(ret);
         }
-
diff --git a/src/lib/libcrypto/bio/bss_dgram.c b/src/lib/libcrypto/bio/bss_dgram.c
index ea2c3fff63..c3da6dc82f 100644
--- a/src/lib/libcrypto/bio/bss_dgram.c
+++ b/src/lib/libcrypto/bio/bss_dgram.c
@@ -82,7 +82,7 @@ static int dgram_new(BIO *h);
 static int dgram_free(BIO *data);
 static int dgram_clear(BIO *bio);
 
-int BIO_dgram_should_retry(int s);
+static int BIO_dgram_should_retry(int s);
 
 static BIO_METHOD methods_dgramp=
         {
@@ -345,30 +345,90 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 
         memcpy(&(data->peer), to, sizeof(struct sockaddr));
         break;
+#if defined(SO_RCVTIMEO)
         case BIO_CTRL_DGRAM_SET_RECV_TIMEOUT:
+#ifdef OPENSSL_SYS_WINDOWS
+                {
+                struct timeval *tv = (struct timeval *)ptr;
+                int timeout = tv->tv_sec * 1000 + tv->tv_usec/1000;
+                if (setsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
+                        (void*)&timeout, sizeof(timeout)) < 0)
+                        { perror("setsockopt"); ret = -1; }
+                }
+#else
                 if ( setsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, ptr,
                         sizeof(struct timeval)) < 0)
                         { perror("setsockopt"); ret = -1; }
+#endif
                 break;
         case BIO_CTRL_DGRAM_GET_RECV_TIMEOUT:
+#ifdef OPENSSL_SYS_WINDOWS
+                {
+                int timeout, sz = sizeof(timeout);
+                struct timeval *tv = (struct timeval *)ptr;
+                if (getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
+                        (void*)&timeout, &sz) < 0)
+                        { perror("getsockopt"); ret = -1; }
+                else
+                        {
+                        tv->tv_sec = timeout / 1000;
+                        tv->tv_usec = (timeout % 1000) * 1000;
+                        ret = sizeof(*tv);
+                        }
+                }
+#else
                 if ( getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, 
                         ptr, (void *)&ret) < 0)
                         { perror("getsockopt"); ret = -1; }
+#endif
                 break;
+#endif
+#if defined(SO_SNDTIMEO)
         case BIO_CTRL_DGRAM_SET_SEND_TIMEOUT:
+#ifdef OPENSSL_SYS_WINDOWS
+                {
+                struct timeval *tv = (struct timeval *)ptr;
+                int timeout = tv->tv_sec * 1000 + tv->tv_usec/1000;
+                if (setsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO,
+                        (void*)&timeout, sizeof(timeout)) < 0)
+                        { perror("setsockopt"); ret = -1; }
+                }
+#else
                 if ( setsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO, ptr,
                         sizeof(struct timeval)) < 0)
                         { perror("setsockopt"); ret = -1; }
+#endif
                 break;
         case BIO_CTRL_DGRAM_GET_SEND_TIMEOUT:
+#ifdef OPENSSL_SYS_WINDOWS
+                {
+                int timeout, sz = sizeof(timeout);
+                struct timeval *tv = (struct timeval *)ptr;
+                if (getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO,
+                        (void*)&timeout, &sz) < 0)
+                        { perror("getsockopt"); ret = -1; }
+                else
+                        {
+                        tv->tv_sec = timeout / 1000;
+                        tv->tv_usec = (timeout % 1000) * 1000;
+                        ret = sizeof(*tv);
+                        }
+                }
+#else
                 if ( getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO, 
                         ptr, (void *)&ret) < 0)
                         { perror("getsockopt"); ret = -1; }
+#endif
                 break;
+#endif
         case BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP:
                 /* fall-through */
         case BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP:
+#ifdef OPENSSL_SYS_WINDOWS
+                if ( data->_errno == WSAETIMEDOUT)
+#else
                 if ( data->_errno == EAGAIN)
+#endif
                         {
                         ret = 1;
                         data->_errno = 0;
@@ -403,7 +463,7 @@ static int dgram_puts(BIO *bp, const char *str)
         return(ret);
         }
 
-int BIO_dgram_should_retry(int i)
+static int BIO_dgram_should_retry(int i)
         {
         int err;
 
diff --git a/src/lib/libcrypto/bn/Makefile b/src/lib/libcrypto/bn/Makefile
index e97c751390..0491e3db4c 100644
--- a/src/lib/libcrypto/bn/Makefile
+++ b/src/lib/libcrypto/bn/Makefile
@@ -116,6 +116,7 @@ linux_ppc64.s: asm/ppc.pl;	$(PERL) $< $@
 aix_ppc32.s: asm/ppc.pl;        $(PERL) asm/ppc.pl $@
 aix_ppc64.s: asm/ppc.pl;        $(PERL) asm/ppc.pl $@
 osx_ppc32.s: asm/ppc.pl;        $(PERL) $< $@
+osx_ppc64.s: asm/ppc.pl;        $(PERL) $< $@
 
 files:
         $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
diff --git a/src/lib/libcrypto/bn/bn_div.c b/src/lib/libcrypto/bn/bn_div.c
index 8655eb118e..1e8e57626b 100644
--- a/src/lib/libcrypto/bn/bn_div.c
+++ b/src/lib/libcrypto/bn/bn_div.c
@@ -187,6 +187,17 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
         BN_ULONG d0,d1;
         int num_n,div_n;
 
+        /* Invalid zero-padding would have particularly bad consequences
+         * in the case of 'num', so don't just rely on bn_check_top() for this one
+         * (bn_check_top() works only for BN_DEBUG builds) */
+        if (num->top > 0 && num->d[num->top - 1] == 0)
+                {
+                BNerr(BN_F_BN_DIV,BN_R_NOT_INITIALIZED);
+                return 0;
+                }
+
+        bn_check_top(num);
+
         if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0))
                 {
                 return BN_div_no_branch(dv, rm, num, divisor, ctx);
@@ -194,7 +205,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 
         bn_check_top(dv);
         bn_check_top(rm);
-        bn_check_top(num);
+        /* bn_check_top(num); */ /* 'num' has been checked already */
         bn_check_top(divisor);
 
         if (BN_is_zero(divisor))
@@ -419,7 +430,7 @@ static int BN_div_no_branch(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
 
         bn_check_top(dv);
         bn_check_top(rm);
-        bn_check_top(num);
+        /* bn_check_top(num); */ /* 'num' has been checked in BN_div() */
         bn_check_top(divisor);
 
         if (BN_is_zero(divisor))
diff --git a/src/lib/libcrypto/bn/bn_gf2m.c b/src/lib/libcrypto/bn/bn_gf2m.c
index 6a793857e1..306f029f27 100644
--- a/src/lib/libcrypto/bn/bn_gf2m.c
+++ b/src/lib/libcrypto/bn/bn_gf2m.c
@@ -384,7 +384,11 @@ int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[])
                 if (zz == 0) break;
                 d1 = BN_BITS2 - d0;
                 
-                if (d0) z[dN] = (z[dN] << d1) >> d1; /* clear up the top d1 bits */
+                /* clear up the top d1 bits */
+                if (d0)
+                        z[dN] = (z[dN] << d1) >> d1;
+                else
+                        z[dN] = 0;
                 z[0] ^= zz; /* reduction t^0 component */
 
                 for (k = 1; p[k] != 0; k++)
diff --git a/src/lib/libcrypto/bn/bn_nist.c b/src/lib/libcrypto/bn/bn_nist.c
index e14232fdbb..1fc94f55c3 100644
--- a/src/lib/libcrypto/bn/bn_nist.c
+++ b/src/lib/libcrypto/bn/bn_nist.c
@@ -59,6 +59,7 @@
 #include "bn_lcl.h"
 #include "cryptlib.h"
 
+
 #define BN_NIST_192_TOP (192+BN_BITS2-1)/BN_BITS2
 #define BN_NIST_224_TOP (224+BN_BITS2-1)/BN_BITS2
 #define BN_NIST_256_TOP (256+BN_BITS2-1)/BN_BITS2
@@ -101,60 +102,98 @@ static const BN_ULONG _nist_p_521[] = {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
         0xFFFFFFFF,0x000001FF};
 #endif
 
+
+static const BIGNUM _bignum_nist_p_192 =
+        {
+        (BN_ULONG *)_nist_p_192,
+        BN_NIST_192_TOP,
+        BN_NIST_192_TOP,
+        0,
+        BN_FLG_STATIC_DATA
+        };
+
+static const BIGNUM _bignum_nist_p_224 =
+        {
+        (BN_ULONG *)_nist_p_224,
+        BN_NIST_224_TOP,
+        BN_NIST_224_TOP,
+        0,
+        BN_FLG_STATIC_DATA
+        };
+
+static const BIGNUM _bignum_nist_p_256 =
+        {
+        (BN_ULONG *)_nist_p_256,
+        BN_NIST_256_TOP,
+        BN_NIST_256_TOP,
+        0,
+        BN_FLG_STATIC_DATA
+        };
+
+static const BIGNUM _bignum_nist_p_384 =
+        {
+        (BN_ULONG *)_nist_p_384,
+        BN_NIST_384_TOP,
+        BN_NIST_384_TOP,
+        0,
+        BN_FLG_STATIC_DATA
+        };
+
+static const BIGNUM _bignum_nist_p_521 =
+        {
+        (BN_ULONG *)_nist_p_521,
+        BN_NIST_521_TOP,
+        BN_NIST_521_TOP,
+        0,
+        BN_FLG_STATIC_DATA
+        };
+
+
 const BIGNUM *BN_get0_nist_prime_192(void)
         {
-        static BIGNUM const_nist_192 = { (BN_ULONG *)_nist_p_192,
-                BN_NIST_192_TOP, BN_NIST_192_TOP, 0, BN_FLG_STATIC_DATA };
-        return &const_nist_192;
+        return &_bignum_nist_p_192;
         }
 
 const BIGNUM *BN_get0_nist_prime_224(void)
         {
-        static BIGNUM const_nist_224 = { (BN_ULONG *)_nist_p_224,
-                BN_NIST_224_TOP, BN_NIST_224_TOP, 0, BN_FLG_STATIC_DATA };
-        return &const_nist_224;
+        return &_bignum_nist_p_224;
         }
 
 const BIGNUM *BN_get0_nist_prime_256(void)
         {
-        static BIGNUM const_nist_256 = { (BN_ULONG *)_nist_p_256,
-                BN_NIST_256_TOP, BN_NIST_256_TOP, 0, BN_FLG_STATIC_DATA };
-        return &const_nist_256;
+        return &_bignum_nist_p_256;
         }
 
 const BIGNUM *BN_get0_nist_prime_384(void)
         {
-        static BIGNUM const_nist_384 = { (BN_ULONG *)_nist_p_384,
-                BN_NIST_384_TOP, BN_NIST_384_TOP, 0, BN_FLG_STATIC_DATA };
-        return &const_nist_384;
+        return &_bignum_nist_p_384;
         }
 
 const BIGNUM *BN_get0_nist_prime_521(void)
         {
-        static BIGNUM const_nist_521 = { (BN_ULONG *)_nist_p_521,
-                BN_NIST_521_TOP, BN_NIST_521_TOP, 0, BN_FLG_STATIC_DATA };
-        return &const_nist_521;
+        return &_bignum_nist_p_521;
         }
 
-#define BN_NIST_ADD_ONE(a)      while (!(*(a)=(*(a)+1)&BN_MASK2)) ++(a);
 
 static void nist_cp_bn_0(BN_ULONG *buf, BN_ULONG *a, int top, int max)
-        {
+        {
         int i;
-        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
-        for (i = (top); i != 0; i--)
-                *_tmp1++ = *_tmp2++;
-        for (i = (max) - (top); i != 0; i--)
-                *_tmp1++ = (BN_ULONG) 0;
-        }
+        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
+
+        OPENSSL_assert(top <= max);
+        for (i = (top); i != 0; i--)
+                *_tmp1++ = *_tmp2++;
+        for (i = (max) - (top); i != 0; i--)
+                *_tmp1++ = (BN_ULONG) 0;
+        }
 
 static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
-        { 
+        { 
         int i;
-        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
-        for (i = (top); i != 0; i--)
-                *_tmp1++ = *_tmp2++;
-        }
+        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
+        for (i = (top); i != 0; i--)
+                *_tmp1++ = *_tmp2++;
+        }
 
 #if BN_BITS2 == 64
 #define bn_cp_64(to, n, from, m)        (to)[n] = (m>=0)?((from)[m]):0;
@@ -199,6 +238,11 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                 *res;
         size_t   mask;
 
+        field = &_bignum_nist_p_192; /* just to make sure */
+
+        if (BN_is_negative(a) || a->top > 2*BN_NIST_192_TOP)
+                return BN_nnmod(r, field, a, ctx);
+
         i = BN_ucmp(field, a);
         if (i == 0)
                 {
@@ -208,9 +252,6 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         else if (i > 0)
                 return (r == a) ? 1 : (BN_copy(r ,a) != NULL);
 
-        if (top == BN_NIST_192_TOP)
-                return BN_usub(r, a, field);
-
         if (r != a)
                 {
                 if (!bn_wexpand(r, BN_NIST_192_TOP))
@@ -245,6 +286,11 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         r->top = BN_NIST_192_TOP;
         bn_correct_top(r);
 
+        if (BN_ucmp(field, r) <= 0)
+                {
+                if (!BN_usub(r, r, field)) return 0;
+                }
+
         return 1;
         }
 
@@ -272,6 +318,11 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                 *res;
         size_t   mask;
 
+        field = &_bignum_nist_p_224; /* just to make sure */
+
+        if (BN_is_negative(a) || a->top > 2*BN_NIST_224_TOP)
+                return BN_nnmod(r, field, a, ctx);
+
         i = BN_ucmp(field, a);
         if (i == 0)
                 {
@@ -281,9 +332,6 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         else if (i > 0)
                 return (r == a)? 1 : (BN_copy(r ,a) != NULL);
 
-        if (top == BN_NIST_224_TOP)
-                return BN_usub(r, a, field);
-
         if (r != a)
                 {
                 if (!bn_wexpand(r, BN_NIST_224_TOP))
@@ -333,6 +381,11 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         r->top = BN_NIST_224_TOP;
         bn_correct_top(r);
 
+        if (BN_ucmp(field, r) <= 0)
+                {
+                if (!BN_usub(r, r, field)) return 0;
+                }
+
         return 1;
 #else   /* BN_BITS!=32 */
         return 0;
@@ -364,6 +417,11 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                 *res;
         size_t   mask;
 
+        field = &_bignum_nist_p_256; /* just to make sure */
+
+        if (BN_is_negative(a) || a->top > 2*BN_NIST_256_TOP)
+                return BN_nnmod(r, field, a, ctx);
+
         i = BN_ucmp(field, a);
         if (i == 0)
                 {
@@ -373,9 +431,6 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         else if (i > 0)
                 return (r == a)? 1 : (BN_copy(r ,a) != NULL);
 
-        if (top == BN_NIST_256_TOP)
-                return BN_usub(r, a, field);
-
         if (r != a)
                 {
                 if (!bn_wexpand(r, BN_NIST_256_TOP))
@@ -470,6 +525,11 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         r->top = BN_NIST_256_TOP;
         bn_correct_top(r);
 
+        if (BN_ucmp(field, r) <= 0)
+                {
+                if (!BN_usub(r, r, field)) return 0;
+                }
+
         return 1;
 #else   /* BN_BITS!=32 */
         return 0;
@@ -505,6 +565,11 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                 *res;
         size_t   mask;
 
+        field = &_bignum_nist_p_384; /* just to make sure */
+
+        if (BN_is_negative(a) || a->top > 2*BN_NIST_384_TOP)
+                return BN_nnmod(r, field, a, ctx);
+
         i = BN_ucmp(field, a);
         if (i == 0)
                 {
@@ -514,9 +579,6 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         else if (i > 0)
                 return (r == a)? 1 : (BN_copy(r ,a) != NULL);
 
-        if (top == BN_NIST_384_TOP)
-                return BN_usub(r, a, field);
-
         if (r != a)
                 {
                 if (!bn_wexpand(r, BN_NIST_384_TOP))
@@ -631,6 +693,11 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         r->top = BN_NIST_384_TOP;
         bn_correct_top(r);
 
+        if (BN_ucmp(field, r) <= 0)
+                {
+                if (!BN_usub(r, r, field)) return 0;
+                }
+
         return 1;
 #else   /* BN_BITS!=32 */
         return 0;
@@ -646,14 +713,35 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 #define BN_NIST_521_TOP_MASK    (BN_ULONG)0x1FF
 #endif
         int     top, ret = 0;
-        BN_ULONG *r_d;
         BIGNUM  *tmp;
 
+        field = &_bignum_nist_p_521; /* just to make sure */
+
+        if (BN_is_negative(a))
+                return BN_nnmod(r, field, a, ctx);
+
         /* check whether a reduction is necessary */
         top = a->top;
         if (top < BN_NIST_521_TOP  || ( top == BN_NIST_521_TOP &&
-           (!(a->d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))))
-                return (r == a)? 1 : (BN_copy(r ,a) != NULL);
+            (!(a->d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))))
+                {
+                int i = BN_ucmp(field, a);
+                if (i == 0)
+                        {
+                        BN_zero(r);
+                        return 1;
+                        }
+                else
+                        {
+#ifdef BN_DEBUG
+                        OPENSSL_assert(i > 0); /* because 'field' is 1111...1111 */
+#endif
+                        return (r == a)? 1 : (BN_copy(r ,a) != NULL);
+                        }
+                }
+
+        if (BN_num_bits(a) > 2*521)
+                return BN_nnmod(r, field, a, ctx);
 
         BN_CTX_start(ctx);
         tmp = BN_CTX_get(ctx);
@@ -673,15 +761,11 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 
         if (!BN_uadd(r, tmp, r))
                 goto err;
-        top = r->top;
-        r_d = r->d;
-        if (top == BN_NIST_521_TOP  && 
-           (r_d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))
+
+        if (BN_ucmp(field, r) <= 0)
                 {
-                BN_NIST_ADD_ONE(r_d)
-                r->d[BN_NIST_521_TOP-1] &= BN_NIST_521_TOP_MASK; 
+                if (!BN_usub(r, r, field)) goto err;
                 }
-        bn_correct_top(r);
 
         ret = 1;
 err:
diff --git a/src/lib/libcrypto/cms/cms_smime.c b/src/lib/libcrypto/cms/cms_smime.c
index f79c504e91..b35d28d411 100644
--- a/src/lib/libcrypto/cms/cms_smime.c
+++ b/src/lib/libcrypto/cms/cms_smime.c
@@ -89,11 +89,13 @@ static int cms_copy_content(BIO *out, BIO *in, unsigned int flags)
                                 if (!BIO_get_cipher_status(in))
                                         goto err;
                                 }
+                        if (i < 0)
+                                goto err;
                         break;
                         }
                                 
-                if (tmpout)
-                        BIO_write(tmpout, buf, i);
+                if (tmpout && (BIO_write(tmpout, buf, i) != i))
+                        goto err;
         }
 
         if(flags & CMS_TEXT)
diff --git a/src/lib/libcrypto/cryptlib.h b/src/lib/libcrypto/cryptlib.h
index 5ceaa964b5..fc249c57f3 100644
--- a/src/lib/libcrypto/cryptlib.h
+++ b/src/lib/libcrypto/cryptlib.h
@@ -103,7 +103,6 @@ extern unsigned long OPENSSL_ia32cap_P;
 void OPENSSL_showfatal(const char *,...);
 void *OPENSSL_stderr(void);
 extern int OPENSSL_NONPIC_relocated;
-int OPENSSL_isservice(void);
 
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/crypto.h b/src/lib/libcrypto/crypto.h
index d2b5ffe332..fe2c1d6403 100644
--- a/src/lib/libcrypto/crypto.h
+++ b/src/lib/libcrypto/crypto.h
@@ -521,6 +521,7 @@ void OpenSSLDie(const char *file,int line,const char *assertion);
 
 unsigned long *OPENSSL_ia32cap_loc(void);
 #define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))
+int OPENSSL_isservice(void);
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
diff --git a/src/lib/libcrypto/dh/Makefile b/src/lib/libcrypto/dh/Makefile
index d368e33b4c..950cad9c5b 100644
--- a/src/lib/libcrypto/dh/Makefile
+++ b/src/lib/libcrypto/dh/Makefile
@@ -123,11 +123,17 @@ dh_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 dh_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
 dh_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 dh_key.o: ../../include/openssl/symhacks.h ../cryptlib.h dh_key.c
-dh_lib.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
-dh_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-dh_lib.o: ../../include/openssl/dh.h ../../include/openssl/e_os2.h
+dh_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+dh_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+dh_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+dh_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+dh_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 dh_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-dh_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-dh_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dh_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dh_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h dh_lib.c
+dh_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+dh_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+dh_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dh_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+dh_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+dh_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+dh_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+dh_lib.o: ../cryptlib.h dh_lib.c
diff --git a/src/lib/libcrypto/dsa/Makefile b/src/lib/libcrypto/dsa/Makefile
index 676baf7d49..5493f19e85 100644
--- a/src/lib/libcrypto/dsa/Makefile
+++ b/src/lib/libcrypto/dsa/Makefile
@@ -126,11 +126,16 @@ dsa_lib.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-dsa_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+dsa_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+dsa_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+dsa_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+dsa_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 dsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-dsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+dsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+dsa_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 dsa_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+dsa_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 dsa_lib.o: ../cryptlib.h dsa_lib.c
 dsa_ossl.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_ossl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
diff --git a/src/lib/libcrypto/ecdh/Makefile b/src/lib/libcrypto/ecdh/Makefile
index 95aa69fea5..65d8904ee8 100644
--- a/src/lib/libcrypto/ecdh/Makefile
+++ b/src/lib/libcrypto/ecdh/Makefile
@@ -84,20 +84,30 @@ ech_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 ech_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 ech_err.o: ech_err.c
 ech_key.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-ech_key.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-ech_key.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-ech_key.o: ../../include/openssl/engine.h ../../include/openssl/opensslconf.h
+ech_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ech_key.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ech_key.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+ech_key.o: ../../include/openssl/engine.h ../../include/openssl/evp.h
+ech_key.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ech_key.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 ech_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-ech_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-ech_key.o: ../../include/openssl/symhacks.h ech_key.c ech_locl.h
+ech_key.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+ech_key.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ech_key.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ech_key.o: ../../include/openssl/x509_vfy.h ech_key.c ech_locl.h
 ech_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-ech_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-ech_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+ech_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ech_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ech_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 ech_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-ech_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-ech_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-ech_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-ech_lib.o: ../../include/openssl/symhacks.h ech_lib.c ech_locl.h
+ech_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+ech_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+ech_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+ech_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+ech_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+ech_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ech_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+ech_lib.o: ech_lib.c ech_locl.h
 ech_ossl.o: ../../e_os.h ../../include/openssl/asn1.h
 ech_ossl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 ech_ossl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
diff --git a/src/lib/libcrypto/ecdsa/Makefile b/src/lib/libcrypto/ecdsa/Makefile
index 16a93cd3ae..9b48d5641f 100644
--- a/src/lib/libcrypto/ecdsa/Makefile
+++ b/src/lib/libcrypto/ecdsa/Makefile
@@ -92,14 +92,18 @@ ecs_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 ecs_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 ecs_err.o: ecs_err.c
 ecs_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-ecs_lib.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-ecs_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ecs_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+ecs_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ecs_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 ecs_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
-ecs_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-ecs_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-ecs_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-ecs_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ecs_lib.o: ecs_lib.c ecs_locl.h
+ecs_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+ecs_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ecs_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+ecs_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ecs_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+ecs_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ecs_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ecs_lib.o: ../../include/openssl/x509_vfy.h ecs_lib.c ecs_locl.h
 ecs_ossl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 ecs_ossl.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
 ecs_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
@@ -110,16 +114,26 @@ ecs_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 ecs_ossl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 ecs_ossl.o: ../../include/openssl/symhacks.h ecs_locl.h ecs_ossl.c
 ecs_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-ecs_sign.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-ecs_sign.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
-ecs_sign.o: ../../include/openssl/engine.h ../../include/openssl/opensslconf.h
+ecs_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ecs_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ecs_sign.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+ecs_sign.o: ../../include/openssl/engine.h ../../include/openssl/evp.h
+ecs_sign.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ecs_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 ecs_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-ecs_sign.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-ecs_sign.o: ../../include/openssl/symhacks.h ecs_locl.h ecs_sign.c
+ecs_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+ecs_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ecs_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ecs_sign.o: ../../include/openssl/x509_vfy.h ecs_locl.h ecs_sign.c
 ecs_vrf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-ecs_vrf.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-ecs_vrf.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
-ecs_vrf.o: ../../include/openssl/engine.h ../../include/openssl/opensslconf.h
+ecs_vrf.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ecs_vrf.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ecs_vrf.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+ecs_vrf.o: ../../include/openssl/engine.h ../../include/openssl/evp.h
+ecs_vrf.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ecs_vrf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 ecs_vrf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-ecs_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-ecs_vrf.o: ../../include/openssl/symhacks.h ecs_locl.h ecs_vrf.c
+ecs_vrf.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+ecs_vrf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ecs_vrf.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ecs_vrf.o: ../../include/openssl/x509_vfy.h ecs_locl.h ecs_vrf.c
diff --git a/src/lib/libcrypto/engine/Makefile b/src/lib/libcrypto/engine/Makefile
index 13f211a0ae..47cc619b8a 100644
--- a/src/lib/libcrypto/engine/Makefile
+++ b/src/lib/libcrypto/engine/Makefile
@@ -82,88 +82,142 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-eng_all.o: ../../e_os.h ../../include/openssl/bio.h
-eng_all.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_all.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_all.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-eng_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-eng_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-eng_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-eng_all.o: ../cryptlib.h eng_all.c eng_int.h
-eng_cnf.o: ../../e_os.h ../../include/openssl/bio.h
-eng_cnf.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-eng_cnf.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_all.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_all.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_all.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_all.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_all.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_all.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+eng_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_all.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_all.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_all.c eng_int.h
+eng_cnf.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_cnf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_cnf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+eng_cnf.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+eng_cnf.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 eng_cnf.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-eng_cnf.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-eng_cnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_cnf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_cnf.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_cnf.c eng_int.h
+eng_cnf.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+eng_cnf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_cnf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+eng_cnf.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_cnf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+eng_cnf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_cnf.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+eng_cnf.o: ../cryptlib.h eng_cnf.c eng_int.h
 eng_cryptodev.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-eng_cryptodev.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-eng_cryptodev.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_cryptodev.o: ../../include/openssl/evp.h ../../include/openssl/obj_mac.h
+eng_cryptodev.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+eng_cryptodev.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_cryptodev.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_cryptodev.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_cryptodev.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+eng_cryptodev.o: ../../include/openssl/obj_mac.h
 eng_cryptodev.o: ../../include/openssl/objects.h
 eng_cryptodev.o: ../../include/openssl/opensslconf.h
 eng_cryptodev.o: ../../include/openssl/opensslv.h
-eng_cryptodev.o: ../../include/openssl/ossl_typ.h
-eng_cryptodev.o: ../../include/openssl/safestack.h
+eng_cryptodev.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_cryptodev.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 eng_cryptodev.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_cryptodev.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 eng_cryptodev.o: eng_cryptodev.c
-eng_ctrl.o: ../../e_os.h ../../include/openssl/bio.h
-eng_ctrl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_ctrl.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_ctrl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-eng_ctrl.o: ../../include/openssl/opensslconf.h
+eng_ctrl.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_ctrl.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_ctrl.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_ctrl.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_ctrl.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_ctrl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_ctrl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_ctrl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 eng_ctrl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_ctrl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_ctrl.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_ctrl.c eng_int.h
-eng_dyn.o: ../../e_os.h ../../include/openssl/bio.h
-eng_dyn.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_dyn.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+eng_ctrl.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_ctrl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_ctrl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_ctrl.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_ctrl.c eng_int.h
+eng_dyn.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_dyn.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_dyn.o: ../../include/openssl/crypto.h ../../include/openssl/dso.h
+eng_dyn.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+eng_dyn.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 eng_dyn.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-eng_dyn.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-eng_dyn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_dyn.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_dyn.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_dyn.c eng_int.h
-eng_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-eng_err.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+eng_dyn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+eng_dyn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_dyn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+eng_dyn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_dyn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+eng_dyn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_dyn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+eng_dyn.o: ../cryptlib.h eng_dyn.c eng_int.h
+eng_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+eng_err.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+eng_err.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+eng_err.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+eng_err.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+eng_err.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+eng_err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 eng_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-eng_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+eng_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 eng_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 eng_err.o: eng_err.c
-eng_fat.o: ../../e_os.h ../../include/openssl/bio.h
-eng_fat.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-eng_fat.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_fat.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_fat.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_fat.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+eng_fat.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+eng_fat.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 eng_fat.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-eng_fat.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-eng_fat.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_fat.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_fat.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_fat.c eng_int.h
-eng_init.o: ../../e_os.h ../../include/openssl/bio.h
-eng_init.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_init.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_init.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-eng_init.o: ../../include/openssl/opensslconf.h
+eng_fat.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+eng_fat.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_fat.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+eng_fat.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_fat.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+eng_fat.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_fat.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+eng_fat.o: ../cryptlib.h eng_fat.c eng_int.h
+eng_init.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_init.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_init.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_init.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_init.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_init.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_init.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_init.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 eng_init.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_init.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_init.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_init.c eng_int.h
-eng_lib.o: ../../e_os.h ../../include/openssl/bio.h
-eng_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-eng_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-eng_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-eng_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h eng_lib.c
-eng_list.o: ../../e_os.h ../../include/openssl/bio.h
-eng_list.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_list.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_list.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-eng_list.o: ../../include/openssl/opensslconf.h
+eng_init.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_init.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_init.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_init.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_init.c eng_int.h
+eng_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+eng_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+eng_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+eng_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+eng_lib.o: ../cryptlib.h eng_int.h eng_lib.c
+eng_list.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_list.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_list.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_list.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_list.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_list.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_list.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_list.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 eng_list.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_list.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_list.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h eng_list.c
+eng_list.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_list.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_list.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_list.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h eng_list.c
 eng_openssl.o: ../../e_os.h ../../include/openssl/asn1.h
 eng_openssl.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 eng_openssl.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
@@ -183,106 +237,166 @@ eng_openssl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 eng_openssl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 eng_openssl.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_openssl.c
 eng_padlock.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-eng_padlock.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-eng_padlock.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+eng_padlock.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_padlock.o: ../../include/openssl/crypto.h ../../include/openssl/dso.h
+eng_padlock.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+eng_padlock.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 eng_padlock.o: ../../include/openssl/engine.h ../../include/openssl/err.h
 eng_padlock.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 eng_padlock.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 eng_padlock.o: ../../include/openssl/opensslconf.h
 eng_padlock.o: ../../include/openssl/opensslv.h
-eng_padlock.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-eng_padlock.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_padlock.o: ../../include/openssl/symhacks.h eng_padlock.c
-eng_pkey.o: ../../e_os.h ../../include/openssl/bio.h
-eng_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_pkey.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-eng_pkey.o: ../../include/openssl/opensslconf.h
+eng_padlock.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_padlock.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+eng_padlock.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_padlock.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_padlock.o: ../../include/openssl/x509_vfy.h eng_padlock.c
+eng_pkey.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_pkey.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_pkey.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_pkey.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_pkey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_pkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 eng_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_pkey.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h eng_pkey.c
+eng_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_pkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h eng_pkey.c
 eng_table.o: ../../e_os.h ../../include/openssl/asn1.h
 eng_table.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 eng_table.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-eng_table.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-eng_table.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-eng_table.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_table.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_table.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_table.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_table.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_table.o: ../../include/openssl/objects.h
 eng_table.o: ../../include/openssl/opensslconf.h
 eng_table.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_table.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_table.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h
+eng_table.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_table.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_table.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_table.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h
 eng_table.o: eng_table.c
-tb_cipher.o: ../../e_os.h ../../include/openssl/bio.h
-tb_cipher.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_cipher.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_cipher.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_cipher.o: ../../e_os.h ../../include/openssl/asn1.h
+tb_cipher.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tb_cipher.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+tb_cipher.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+tb_cipher.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_cipher.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_cipher.o: ../../include/openssl/objects.h
 tb_cipher.o: ../../include/openssl/opensslconf.h
 tb_cipher.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_cipher.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-tb_cipher.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h
+tb_cipher.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_cipher.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_cipher.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_cipher.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h
 tb_cipher.o: tb_cipher.c
-tb_dh.o: ../../e_os.h ../../include/openssl/bio.h
+tb_dh.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 tb_dh.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_dh.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_dh.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_dh.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+tb_dh.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+tb_dh.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+tb_dh.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+tb_dh.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 tb_dh.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-tb_dh.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+tb_dh.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+tb_dh.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 tb_dh.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+tb_dh.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 tb_dh.o: ../cryptlib.h eng_int.h tb_dh.c
-tb_digest.o: ../../e_os.h ../../include/openssl/bio.h
-tb_digest.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_digest.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_digest.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_digest.o: ../../e_os.h ../../include/openssl/asn1.h
+tb_digest.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+tb_digest.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tb_digest.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+tb_digest.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+tb_digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_digest.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_digest.o: ../../include/openssl/objects.h
 tb_digest.o: ../../include/openssl/opensslconf.h
 tb_digest.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_digest.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-tb_digest.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h
+tb_digest.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_digest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_digest.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_digest.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h
 tb_digest.o: tb_digest.c
-tb_dsa.o: ../../e_os.h ../../include/openssl/bio.h
+tb_dsa.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 tb_dsa.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_dsa.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_dsa.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_dsa.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+tb_dsa.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+tb_dsa.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+tb_dsa.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+tb_dsa.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 tb_dsa.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-tb_dsa.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+tb_dsa.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+tb_dsa.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 tb_dsa.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+tb_dsa.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 tb_dsa.o: ../cryptlib.h eng_int.h tb_dsa.c
-tb_ecdh.o: ../../e_os.h ../../include/openssl/bio.h
-tb_ecdh.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_ecdh.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_ecdh.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-tb_ecdh.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-tb_ecdh.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-tb_ecdh.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-tb_ecdh.o: ../cryptlib.h eng_int.h tb_ecdh.c
-tb_ecdsa.o: ../../e_os.h ../../include/openssl/bio.h
-tb_ecdsa.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_ecdsa.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_ecdsa.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-tb_ecdsa.o: ../../include/openssl/opensslconf.h
+tb_ecdh.o: ../../e_os.h ../../include/openssl/asn1.h
+tb_ecdh.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+tb_ecdh.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tb_ecdh.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+tb_ecdh.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+tb_ecdh.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_ecdh.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_ecdh.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+tb_ecdh.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tb_ecdh.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_ecdh.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_ecdh.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_ecdh.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h tb_ecdh.c
+tb_ecdsa.o: ../../e_os.h ../../include/openssl/asn1.h
+tb_ecdsa.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+tb_ecdsa.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tb_ecdsa.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+tb_ecdsa.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+tb_ecdsa.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_ecdsa.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_ecdsa.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 tb_ecdsa.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_ecdsa.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-tb_ecdsa.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h tb_ecdsa.c
-tb_rand.o: ../../e_os.h ../../include/openssl/bio.h
-tb_rand.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_rand.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-tb_rand.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-tb_rand.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-tb_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-tb_rand.o: ../cryptlib.h eng_int.h tb_rand.c
-tb_rsa.o: ../../e_os.h ../../include/openssl/bio.h
+tb_ecdsa.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_ecdsa.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_ecdsa.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_ecdsa.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h tb_ecdsa.c
+tb_rand.o: ../../e_os.h ../../include/openssl/asn1.h
+tb_rand.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+tb_rand.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tb_rand.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+tb_rand.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+tb_rand.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_rand.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_rand.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+tb_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tb_rand.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_rand.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_rand.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_rand.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h tb_rand.c
+tb_rsa.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 tb_rsa.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_rsa.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_rsa.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_rsa.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+tb_rsa.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+tb_rsa.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+tb_rsa.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+tb_rsa.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 tb_rsa.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-tb_rsa.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+tb_rsa.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+tb_rsa.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 tb_rsa.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+tb_rsa.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 tb_rsa.o: ../cryptlib.h eng_int.h tb_rsa.c
-tb_store.o: ../../e_os.h ../../include/openssl/bio.h
-tb_store.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_store.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_store.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-tb_store.o: ../../include/openssl/opensslconf.h
+tb_store.o: ../../e_os.h ../../include/openssl/asn1.h
+tb_store.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+tb_store.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tb_store.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+tb_store.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+tb_store.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_store.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_store.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 tb_store.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_store.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-tb_store.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h tb_store.c
+tb_store.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_store.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_store.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_store.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h tb_store.c
diff --git a/src/lib/libcrypto/engine/eng_all.c b/src/lib/libcrypto/engine/eng_all.c
index 8599046717..d29cd57dc2 100644
--- a/src/lib/libcrypto/engine/eng_all.c
+++ b/src/lib/libcrypto/engine/eng_all.c
@@ -107,6 +107,9 @@ void ENGINE_load_builtin_engines(void)
 #if defined(__OpenBSD__) || defined(__FreeBSD__)
         ENGINE_load_cryptodev();
 #endif
+#if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)
+        ENGINE_load_capi();
+#endif
 #endif
         }
 
diff --git a/src/lib/libcrypto/engine/eng_cnf.c b/src/lib/libcrypto/engine/eng_cnf.c
index a97e01e619..8417ddaaef 100644
--- a/src/lib/libcrypto/engine/eng_cnf.c
+++ b/src/lib/libcrypto/engine/eng_cnf.c
@@ -98,6 +98,8 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
         CONF_VALUE *ecmd;
         char *ctrlname, *ctrlvalue;
         ENGINE *e = NULL;
+        int soft = 0;
+
         name = skip_dot(name);
 #ifdef ENGINE_CONF_DEBUG
         fprintf(stderr, "Configuring engine %s\n", name);
@@ -125,6 +127,8 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
                 /* Override engine name to use */
                 if (!strcmp(ctrlname, "engine_id"))
                         name = ctrlvalue;
+                else if (!strcmp(ctrlname, "soft_load"))
+                        soft = 1;
                 /* Load a dynamic ENGINE */
                 else if (!strcmp(ctrlname, "dynamic_path"))
                         {
@@ -147,6 +151,11 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
                         if (!e)
                                 {
                                 e = ENGINE_by_id(name);
+                                if (!e && soft)
+                                        {
+                                        ERR_clear_error();
+                                        return 1;
+                                        }
                                 if (!e)
                                         return 0;
                                 }
diff --git a/src/lib/libcrypto/engine/eng_err.c b/src/lib/libcrypto/engine/eng_err.c
index 369f2e22d3..574ffbb5c0 100644
--- a/src/lib/libcrypto/engine/eng_err.c
+++ b/src/lib/libcrypto/engine/eng_err.c
@@ -1,6 +1,6 @@
 /* crypto/engine/eng_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -92,6 +92,7 @@ static ERR_STRING_DATA ENGINE_str_functs[]=
 {ERR_FUNC(ENGINE_F_ENGINE_LIST_REMOVE), "ENGINE_LIST_REMOVE"},
 {ERR_FUNC(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY),    "ENGINE_load_private_key"},
 {ERR_FUNC(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY),     "ENGINE_load_public_key"},
+{ERR_FUNC(ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT),        "ENGINE_load_ssl_client_cert"},
 {ERR_FUNC(ENGINE_F_ENGINE_NEW), "ENGINE_new"},
 {ERR_FUNC(ENGINE_F_ENGINE_REMOVE),      "ENGINE_remove"},
 {ERR_FUNC(ENGINE_F_ENGINE_SET_DEFAULT_STRING),  "ENGINE_set_default_string"},
diff --git a/src/lib/libcrypto/engine/eng_int.h b/src/lib/libcrypto/engine/eng_int.h
index a5b1edebf4..a66f107a44 100644
--- a/src/lib/libcrypto/engine/eng_int.h
+++ b/src/lib/libcrypto/engine/eng_int.h
@@ -170,6 +170,8 @@ struct engine_st
         ENGINE_LOAD_KEY_PTR load_privkey;
         ENGINE_LOAD_KEY_PTR load_pubkey;
 
+        ENGINE_SSL_CLIENT_CERT_PTR load_ssl_client_cert;
+
         const ENGINE_CMD_DEFN *cmd_defns;
         int flags;
         /* reference count on the structure itself */
diff --git a/src/lib/libcrypto/engine/eng_pkey.c b/src/lib/libcrypto/engine/eng_pkey.c
index bc8b21abec..1dfa2e3664 100644
--- a/src/lib/libcrypto/engine/eng_pkey.c
+++ b/src/lib/libcrypto/engine/eng_pkey.c
@@ -69,6 +69,13 @@ int ENGINE_set_load_pubkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpub_f)
         return 1;
         }
 
+int ENGINE_set_load_ssl_client_cert_function(ENGINE *e,
+                                ENGINE_SSL_CLIENT_CERT_PTR loadssl_f)
+        {
+        e->load_ssl_client_cert = loadssl_f;
+        return 1;
+        }
+
 ENGINE_LOAD_KEY_PTR ENGINE_get_load_privkey_function(const ENGINE *e)
         {
         return e->load_privkey;
@@ -79,6 +86,11 @@ ENGINE_LOAD_KEY_PTR ENGINE_get_load_pubkey_function(const ENGINE *e)
         return e->load_pubkey;
         }
 
+ENGINE_SSL_CLIENT_CERT_PTR ENGINE_get_ssl_client_cert_function(const ENGINE *e)
+        {
+        return e->load_ssl_client_cert;
+        }
+
 /* API functions to load public/private keys */
 
 EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
@@ -152,3 +164,33 @@ EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
                 }
         return pkey;
         }
+
+int ENGINE_load_ssl_client_cert(ENGINE *e, SSL *s,
+        STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **ppkey,
+        STACK_OF(X509) **pother, UI_METHOD *ui_method, void *callback_data)
+        {
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(e->funct_ref == 0)
+                {
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT,
+                        ENGINE_R_NOT_INITIALISED);
+                return 0;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        if (!e->load_ssl_client_cert)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT,
+                        ENGINE_R_NO_LOAD_FUNCTION);
+                return 0;
+                }
+        return e->load_ssl_client_cert(e, s, ca_dn, pcert, ppkey, pother,
+                                        ui_method, callback_data);
+        }
diff --git a/src/lib/libcrypto/engine/engine.h b/src/lib/libcrypto/engine/engine.h
index 3ec59338ff..f503595ece 100644
--- a/src/lib/libcrypto/engine/engine.h
+++ b/src/lib/libcrypto/engine/engine.h
@@ -93,6 +93,8 @@
 #include <openssl/err.h>
 #endif
 
+#include <openssl/x509.h>
+
 #include <openssl/ossl_typ.h>
 #include <openssl/symhacks.h>
 
@@ -278,6 +280,9 @@ typedef int (*ENGINE_CTRL_FUNC_PTR)(ENGINE *, int, long, void *, void (*f)(void)
 /* Generic load_key function pointer */
 typedef EVP_PKEY * (*ENGINE_LOAD_KEY_PTR)(ENGINE *, const char *,
         UI_METHOD *ui_method, void *callback_data);
+typedef int (*ENGINE_SSL_CLIENT_CERT_PTR)(ENGINE *, SSL *ssl,
+        STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **pkey,
+        STACK_OF(X509) **pother, UI_METHOD *ui_method, void *callback_data);
 /* These callback types are for an ENGINE's handler for cipher and digest logic.
  * These handlers have these prototypes;
  *   int foo(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid);
@@ -334,6 +339,9 @@ void ENGINE_load_ubsec(void);
 void ENGINE_load_cryptodev(void);
 void ENGINE_load_padlock(void);
 void ENGINE_load_builtin_engines(void);
+#ifndef OPENSSL_NO_CAPIENG
+void ENGINE_load_capi(void);
+#endif
 
 /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
  * "registry" handling. */
@@ -459,6 +467,8 @@ int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f);
 int ENGINE_set_ctrl_function(ENGINE *e, ENGINE_CTRL_FUNC_PTR ctrl_f);
 int ENGINE_set_load_privkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpriv_f);
 int ENGINE_set_load_pubkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpub_f);
+int ENGINE_set_load_ssl_client_cert_function(ENGINE *e,
+                                ENGINE_SSL_CLIENT_CERT_PTR loadssl_f);
 int ENGINE_set_ciphers(ENGINE *e, ENGINE_CIPHERS_PTR f);
 int ENGINE_set_digests(ENGINE *e, ENGINE_DIGESTS_PTR f);
 int ENGINE_set_flags(ENGINE *e, int flags);
@@ -494,6 +504,7 @@ ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(const ENGINE *e);
 ENGINE_CTRL_FUNC_PTR ENGINE_get_ctrl_function(const ENGINE *e);
 ENGINE_LOAD_KEY_PTR ENGINE_get_load_privkey_function(const ENGINE *e);
 ENGINE_LOAD_KEY_PTR ENGINE_get_load_pubkey_function(const ENGINE *e);
+ENGINE_SSL_CLIENT_CERT_PTR ENGINE_get_ssl_client_cert_function(const ENGINE *e);
 ENGINE_CIPHERS_PTR ENGINE_get_ciphers(const ENGINE *e);
 ENGINE_DIGESTS_PTR ENGINE_get_digests(const ENGINE *e);
 const EVP_CIPHER *ENGINE_get_cipher(ENGINE *e, int nid);
@@ -529,6 +540,10 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
         UI_METHOD *ui_method, void *callback_data);
 EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
         UI_METHOD *ui_method, void *callback_data);
+int ENGINE_load_ssl_client_cert(ENGINE *e, SSL *s,
+        STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **ppkey,
+        STACK_OF(X509) **pother,
+        UI_METHOD *ui_method, void *callback_data);
 
 /* This returns a pointer for the current ENGINE structure that
  * is (by default) performing any RSA operations. The value returned
@@ -723,6 +738,7 @@ void ERR_load_ENGINE_strings(void);
 #define ENGINE_F_ENGINE_LIST_REMOVE                      121
 #define ENGINE_F_ENGINE_LOAD_PRIVATE_KEY                 150
 #define ENGINE_F_ENGINE_LOAD_PUBLIC_KEY                  151
+#define ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT             192
 #define ENGINE_F_ENGINE_NEW                              122
 #define ENGINE_F_ENGINE_REMOVE                           123
 #define ENGINE_F_ENGINE_SET_DEFAULT_STRING               189
diff --git a/src/lib/libcrypto/err/err.c b/src/lib/libcrypto/err/err.c
index b6ff070e8f..7952e70ab0 100644
--- a/src/lib/libcrypto/err/err.c
+++ b/src/lib/libcrypto/err/err.c
@@ -149,6 +149,7 @@ static ERR_STRING_DATA ERR_str_libraries[]=
 {ERR_PACK(ERR_LIB_DSO,0,0)              ,"DSO support routines"},
 {ERR_PACK(ERR_LIB_ENGINE,0,0)           ,"engine routines"},
 {ERR_PACK(ERR_LIB_OCSP,0,0)             ,"OCSP routines"},
+{ERR_PACK(ERR_LIB_FIPS,0,0)             ,"FIPS routines"},
 {ERR_PACK(ERR_LIB_CMS,0,0)              ,"CMS routines"},
 {0,NULL},
         };
diff --git a/src/lib/libcrypto/err/err.h b/src/lib/libcrypto/err/err.h
index bf28fce492..8d9f0da172 100644
--- a/src/lib/libcrypto/err/err.h
+++ b/src/lib/libcrypto/err/err.h
@@ -140,7 +140,8 @@ typedef struct err_state_st
 #define ERR_LIB_ECDSA           42
 #define ERR_LIB_ECDH            43
 #define ERR_LIB_STORE           44
-#define ERR_LIB_CMS             45
+#define ERR_LIB_FIPS            45
+#define ERR_LIB_CMS             46
 
 #define ERR_LIB_USER            128
 
@@ -172,6 +173,7 @@ typedef struct err_state_st
 #define ECDSAerr(f,r)  ERR_PUT_error(ERR_LIB_ECDSA,(f),(r),__FILE__,__LINE__)
 #define ECDHerr(f,r)  ERR_PUT_error(ERR_LIB_ECDH,(f),(r),__FILE__,__LINE__)
 #define STOREerr(f,r) ERR_PUT_error(ERR_LIB_STORE,(f),(r),__FILE__,__LINE__)
+#define FIPSerr(f,r) ERR_PUT_error(ERR_LIB_FIPS,(f),(r),__FILE__,__LINE__)
 #define CMSerr(f,r) ERR_PUT_error(ERR_LIB_CMS,(f),(r),__FILE__,__LINE__)
 
 /* Borland C seems too stupid to be able to shift and do longs in
diff --git a/src/lib/libcrypto/evp/Makefile b/src/lib/libcrypto/evp/Makefile
index 8f2555c7e5..9de56dc03d 100644
--- a/src/lib/libcrypto/evp/Makefile
+++ b/src/lib/libcrypto/evp/Makefile
@@ -135,13 +135,17 @@ bio_ok.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 bio_ok.o: ../../include/openssl/symhacks.h ../cryptlib.h bio_ok.c
 c_all.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 c_all.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-c_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-c_all.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-c_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-c_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-c_all.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-c_all.o: ../../include/openssl/symhacks.h ../cryptlib.h c_all.c
+c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+c_all.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+c_all.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+c_all.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+c_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+c_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+c_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+c_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+c_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+c_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+c_all.o: ../cryptlib.h c_all.c
 c_allc.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 c_allc.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 c_allc.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
@@ -170,13 +174,17 @@ c_alld.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 c_alld.o: ../cryptlib.h c_alld.c
 digest.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 digest.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-digest.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-digest.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-digest.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-digest.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-digest.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-digest.o: ../../include/openssl/symhacks.h ../cryptlib.h digest.c
+digest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+digest.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+digest.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+digest.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+digest.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+digest.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+digest.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+digest.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+digest.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+digest.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+digest.o: ../cryptlib.h digest.c
 e_aes.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
 e_aes.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
 e_aes.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@@ -312,13 +320,17 @@ evp_acnf.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_acnf.c
 evp_enc.o: ../../e_os.h ../../include/openssl/asn1.h
 evp_enc.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 evp_enc.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-evp_enc.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-evp_enc.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-evp_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-evp_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-evp_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-evp_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-evp_enc.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_enc.c evp_locl.h
+evp_enc.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+evp_enc.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+evp_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+evp_enc.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+evp_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+evp_enc.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+evp_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+evp_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+evp_enc.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+evp_enc.o: ../cryptlib.h evp_enc.c evp_locl.h
 evp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 evp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h
index c19d764c15..1aa2d6fb35 100644
--- a/src/lib/libcrypto/evp/evp.h
+++ b/src/lib/libcrypto/evp/evp.h
@@ -303,6 +303,8 @@ struct env_md_ctx_st
                                                 * cleaned */
 #define EVP_MD_CTX_FLAG_REUSE           0x0004 /* Don't free up ctx->md_data
                                                 * in EVP_MD_CTX_cleanup */
+#define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW  0x0008  /* Allow use of non FIPS digest
+                                                 * in FIPS mode */
 
 struct evp_cipher_st
         {
diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c
index a1904993bf..6e582c458d 100644
--- a/src/lib/libcrypto/evp/evp_enc.c
+++ b/src/lib/libcrypto/evp/evp_enc.c
@@ -279,7 +279,12 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
         {
         int i,j,bl;
 
-        OPENSSL_assert(inl > 0);
+        if (inl <= 0)
+                {
+                *outl = 0;
+                return inl == 0;
+                }
+
         if(ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0)
                 {
                 if(ctx->cipher->do_cipher(ctx,out,in,inl))
@@ -381,10 +386,10 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
         int fix_len;
         unsigned int b;
 
-        if (inl == 0)
+        if (inl <= 0)
                 {
-                *outl=0;
-                return 1;
+                *outl = 0;
+                return inl == 0;
                 }
 
         if (ctx->flags & EVP_CIPH_NO_PADDING)
diff --git a/src/lib/libcrypto/hmac/hmac.c b/src/lib/libcrypto/hmac/hmac.c
index c45e001492..1d140f7adb 100644
--- a/src/lib/libcrypto/hmac/hmac.c
+++ b/src/lib/libcrypto/hmac/hmac.c
@@ -171,3 +171,10 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
         return(md);
         }
 
+void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
+        {
+        EVP_MD_CTX_set_flags(&ctx->i_ctx, flags);
+        EVP_MD_CTX_set_flags(&ctx->o_ctx, flags);
+        EVP_MD_CTX_set_flags(&ctx->md_ctx, flags);
+        }
+
diff --git a/src/lib/libcrypto/hmac/hmac.h b/src/lib/libcrypto/hmac/hmac.h
index 719fc408ac..fc38ffb52b 100644
--- a/src/lib/libcrypto/hmac/hmac.h
+++ b/src/lib/libcrypto/hmac/hmac.h
@@ -100,6 +100,7 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
                     const unsigned char *d, size_t n, unsigned char *md,
                     unsigned int *md_len);
 
+void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags);
 
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/md32_common.h b/src/lib/libcrypto/md32_common.h
index 089c450290..61bcd9786f 100644
--- a/src/lib/libcrypto/md32_common.h
+++ b/src/lib/libcrypto/md32_common.h
@@ -301,7 +301,7 @@ int HASH_UPDATE (HASH_CTX *c, const void *data_, size_t len)
                 {
                 p=(unsigned char *)c->data;
 
-                if ((n+len) >= HASH_CBLOCK)
+                if (len >= HASH_CBLOCK || len+n >= HASH_CBLOCK)
                         {
                         memcpy (p+n,data,HASH_CBLOCK-n);
                         HASH_BLOCK_DATA_ORDER (c,p,1);
diff --git a/src/lib/libcrypto/objects/obj_mac.num b/src/lib/libcrypto/objects/obj_mac.num
index 47815b1e4e..53c9cb0d6a 100644
--- a/src/lib/libcrypto/objects/obj_mac.num
+++ b/src/lib/libcrypto/objects/obj_mac.num
@@ -788,3 +788,69 @@ id_ct_asciiTextWithCRLF		787
 id_aes128_wrap          788
 id_aes192_wrap          789
 id_aes256_wrap          790
+ecdsa_with_Recommended          791
+ecdsa_with_Specified            792
+ecdsa_with_SHA224               793
+ecdsa_with_SHA256               794
+ecdsa_with_SHA384               795
+ecdsa_with_SHA512               796
+hmacWithMD5             797
+hmacWithSHA224          798
+hmacWithSHA256          799
+hmacWithSHA384          800
+hmacWithSHA512          801
+dsa_with_SHA224         802
+dsa_with_SHA256         803
+whirlpool               804
+cryptopro               805
+cryptocom               806
+id_GostR3411_94_with_GostR3410_2001             807
+id_GostR3411_94_with_GostR3410_94               808
+id_GostR3411_94         809
+id_HMACGostR3411_94             810
+id_GostR3410_2001               811
+id_GostR3410_94         812
+id_Gost28147_89         813
+gost89_cnt              814
+id_Gost28147_89_MAC             815
+id_GostR3411_94_prf             816
+id_GostR3410_2001DH             817
+id_GostR3410_94DH               818
+id_Gost28147_89_CryptoPro_KeyMeshing            819
+id_Gost28147_89_None_KeyMeshing         820
+id_GostR3411_94_TestParamSet            821
+id_GostR3411_94_CryptoProParamSet               822
+id_Gost28147_89_TestParamSet            823
+id_Gost28147_89_CryptoPro_A_ParamSet            824
+id_Gost28147_89_CryptoPro_B_ParamSet            825
+id_Gost28147_89_CryptoPro_C_ParamSet            826
+id_Gost28147_89_CryptoPro_D_ParamSet            827
+id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet            828
+id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet            829
+id_Gost28147_89_CryptoPro_RIC_1_ParamSet                830
+id_GostR3410_94_TestParamSet            831
+id_GostR3410_94_CryptoPro_A_ParamSet            832
+id_GostR3410_94_CryptoPro_B_ParamSet            833
+id_GostR3410_94_CryptoPro_C_ParamSet            834
+id_GostR3410_94_CryptoPro_D_ParamSet            835
+id_GostR3410_94_CryptoPro_XchA_ParamSet         836
+id_GostR3410_94_CryptoPro_XchB_ParamSet         837
+id_GostR3410_94_CryptoPro_XchC_ParamSet         838
+id_GostR3410_2001_TestParamSet          839
+id_GostR3410_2001_CryptoPro_A_ParamSet          840
+id_GostR3410_2001_CryptoPro_B_ParamSet          841
+id_GostR3410_2001_CryptoPro_C_ParamSet          842
+id_GostR3410_2001_CryptoPro_XchA_ParamSet               843
+id_GostR3410_2001_CryptoPro_XchB_ParamSet               844
+id_GostR3410_94_a               845
+id_GostR3410_94_aBis            846
+id_GostR3410_94_b               847
+id_GostR3410_94_bBis            848
+id_Gost28147_89_cc              849
+id_GostR3410_94_cc              850
+id_GostR3410_2001_cc            851
+id_GostR3411_94_with_GostR3410_94_cc            852
+id_GostR3411_94_with_GostR3410_2001_cc          853
+id_GostR3410_2001_ParamSet_cc           854
+hmac            855
+LocalKeySet             856
diff --git a/src/lib/libcrypto/objects/objects.txt b/src/lib/libcrypto/objects/objects.txt
index 34c8d1d647..e009702e55 100644
--- a/src/lib/libcrypto/objects/objects.txt
+++ b/src/lib/libcrypto/objects/objects.txt
@@ -79,6 +79,12 @@ X9-62_primeCurve 7	 	: prime256v1
 !Alias id-ecSigType ansi-X9-62 4
 !global
 X9-62_id-ecSigType 1            : ecdsa-with-SHA1
+X9-62_id-ecSigType 2            : ecdsa-with-Recommended
+X9-62_id-ecSigType 3            : ecdsa-with-Specified
+ecdsa-with-Specified 1          : ecdsa-with-SHA224
+ecdsa-with-Specified 2          : ecdsa-with-SHA256
+ecdsa-with-Specified 3          : ecdsa-with-SHA384
+ecdsa-with-Specified 4          : ecdsa-with-SHA512
 
 # SECG curve OIDs from "SEC 2: Recommended Elliptic Curve Domain Parameters"
 # (http://www.secg.org/)
@@ -313,6 +319,7 @@ pkcs9 20		:			: friendlyName
 pkcs9 21                :                       : localKeyID
 !Cname ms-csp-name
 1 3 6 1 4 1 311 17 1    : CSPName               : Microsoft CSP Name
+1 3 6 1 4 1 311 17 2    : LocalKeySet           : Microsoft Local Key set
 !Alias certTypes pkcs9 22
 certTypes 1             :                       : x509Certificate
 certTypes 2             :                       : sdsiCertificate
@@ -348,7 +355,15 @@ rsadsi 2 2		: MD2			: md2
 rsadsi 2 4              : MD4                   : md4
 rsadsi 2 5              : MD5                   : md5
                         : MD5-SHA1              : md5-sha1
+rsadsi 2 6              :                       : hmacWithMD5
 rsadsi 2 7              :                       : hmacWithSHA1
+
+# From RFC4231
+rsadsi 2 8              :                       : hmacWithSHA224
+rsadsi 2 9              :                       : hmacWithSHA256
+rsadsi 2 10             :                       : hmacWithSHA384
+rsadsi 2 11             :                       : hmacWithSHA512
+
 rsadsi 3 2              : RC2-CBC               : rc2-cbc
                         : RC2-ECB               : rc2-ecb
 !Cname rc2-cfb64
@@ -833,6 +848,11 @@ nist_hashalgs 2		: SHA384		: sha384
 nist_hashalgs 3         : SHA512                : sha512
 nist_hashalgs 4         : SHA224                : sha224
 
+# OIDs for dsa-with-sha224 and dsa-with-sha256
+!Alias dsa_with_sha2 nistAlgorithms 3
+dsa_with_sha2 1         : dsa_with_SHA224
+dsa_with_sha2 2         : dsa_with_SHA256
+
 # Hold instruction CRL entry extension
 !Cname hold-instruction-code
 id-ce 23                : holdInstructionCode   : Hold Instruction Code
@@ -1070,13 +1090,93 @@ rsadsi 1 1 6		: rsaOAEPEncryptionSET
                         : Oakley-EC2N-3         : ipsec3
                         : Oakley-EC2N-4         : ipsec4
 
+iso 0 10118 3 0 55      : whirlpool
+
+# GOST OIDs
+
+member-body 643 2 2     : cryptopro
+member-body 643 2 9     : cryptocom
+
+cryptopro 3             : id-GostR3411-94-with-GostR3410-2001 : GOST R 34.11-94 with GOST R 34.10-2001
+cryptopro 4             : id-GostR3411-94-with-GostR3410-94 : GOST R 34.11-94 with GOST R 34.10-94
+!Cname id-GostR3411-94
+cryptopro 9             : md_gost94             : GOST R 34.11-94
+cryptopro 10            : id-HMACGostR3411-94   : HMAC GOST 34.11-94
+!Cname id-GostR3410-2001
+cryptopro 19            : gost2001      : GOST R 34.10-2001
+!Cname id-GostR3410-94
+cryptopro 20            : gost94        : GOST R 34.10-94
+!Cname id-Gost28147-89
+cryptopro 21            : gost89                : GOST 28147-89
+                        : gost89-cnt
+!Cname id-Gost28147-89-MAC
+cryptopro 22            : gost-mac      : GOST 28147-89 MAC
+!Cname id-GostR3411-94-prf
+cryptopro 23            : prf-gostr3411-94      : GOST R 34.11-94 PRF
+cryptopro 98            : id-GostR3410-2001DH   : GOST R 34.10-2001 DH
+cryptopro 99            : id-GostR3410-94DH     : GOST R 34.10-94 DH
+
+cryptopro 14 1          : id-Gost28147-89-CryptoPro-KeyMeshing
+cryptopro 14 0          : id-Gost28147-89-None-KeyMeshing
+
+# GOST parameter set OIDs
+
+cryptopro 30 0          : id-GostR3411-94-TestParamSet
+cryptopro 30 1          : id-GostR3411-94-CryptoProParamSet
+
+cryptopro 31 0          : id-Gost28147-89-TestParamSet
+cryptopro 31 1          : id-Gost28147-89-CryptoPro-A-ParamSet
+cryptopro 31 2          : id-Gost28147-89-CryptoPro-B-ParamSet
+cryptopro 31 3          : id-Gost28147-89-CryptoPro-C-ParamSet
+cryptopro 31 4          : id-Gost28147-89-CryptoPro-D-ParamSet
+cryptopro 31 5          : id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet
+cryptopro 31 6          : id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet
+cryptopro 31 7          : id-Gost28147-89-CryptoPro-RIC-1-ParamSet
+
+cryptopro 32 0          : id-GostR3410-94-TestParamSet
+cryptopro 32 2          : id-GostR3410-94-CryptoPro-A-ParamSet
+cryptopro 32 3          : id-GostR3410-94-CryptoPro-B-ParamSet
+cryptopro 32 4          : id-GostR3410-94-CryptoPro-C-ParamSet
+cryptopro 32 5          : id-GostR3410-94-CryptoPro-D-ParamSet
+
+cryptopro 33 1          : id-GostR3410-94-CryptoPro-XchA-ParamSet
+cryptopro 33 2          : id-GostR3410-94-CryptoPro-XchB-ParamSet
+cryptopro 33 3          : id-GostR3410-94-CryptoPro-XchC-ParamSet
+
+cryptopro 35 0          : id-GostR3410-2001-TestParamSet
+cryptopro 35 1          : id-GostR3410-2001-CryptoPro-A-ParamSet
+cryptopro 35 2          : id-GostR3410-2001-CryptoPro-B-ParamSet
+cryptopro 35 3          : id-GostR3410-2001-CryptoPro-C-ParamSet
+
+cryptopro 36 0          : id-GostR3410-2001-CryptoPro-XchA-ParamSet
+cryptopro 36 1          : id-GostR3410-2001-CryptoPro-XchB-ParamSet
+
+id-GostR3410-94 1       : id-GostR3410-94-a
+id-GostR3410-94 2       : id-GostR3410-94-aBis
+id-GostR3410-94 3       : id-GostR3410-94-b
+id-GostR3410-94 4       : id-GostR3410-94-bBis
+
+# Cryptocom LTD GOST OIDs
+
+cryptocom 1 6 1         : id-Gost28147-89-cc    : GOST 28147-89 Cryptocom ParamSet
+!Cname id-GostR3410-94-cc
+cryptocom 1 5 3         : gost94cc      : GOST 34.10-94 Cryptocom
+!Cname id-GostR3410-2001-cc
+cryptocom 1 5 4         : gost2001cc    : GOST 34.10-2001 Cryptocom
+
+cryptocom 1 3 3         : id-GostR3411-94-with-GostR3410-94-cc : GOST R 34.11-94 with GOST R 34.10-94 Cryptocom
+cryptocom 1 3 4         : id-GostR3411-94-with-GostR3410-2001-cc : GOST R 34.11-94 with GOST R 34.10-2001 Cryptocom
+
+cryptocom 1 8 1         : id-GostR3410-2001-ParamSet-cc : GOST R 3410-2001 Parameter Set Cryptocom
 
 # Definitions for Camellia cipher - CBC MODE
+
 1 2 392 200011 61 1 1 1 2 : CAMELLIA-128-CBC            : camellia-128-cbc
 1 2 392 200011 61 1 1 1 3 : CAMELLIA-192-CBC            : camellia-192-cbc
 1 2 392 200011 61 1 1 1 4 : CAMELLIA-256-CBC            : camellia-256-cbc
 
 # Definitions for Camellia cipher - ECB, CFB, OFB MODE
+
 !Alias ntt-ds 0 3 4401 5
 !Alias camellia ntt-ds 3 1 9 
 
@@ -1107,7 +1207,6 @@ camellia 44		: CAMELLIA-256-CFB		: camellia-256-cfb
                         : CAMELLIA-192-CFB8             : camellia-192-cfb8
                         : CAMELLIA-256-CFB8             : camellia-256-cfb8
 
-
 # Definitions for SEED cipher - ECB, CBC, OFB mode
 
 member-body 410 200004  : KISA          : kisa
@@ -1117,3 +1216,7 @@ kisa 1 4                : SEED-CBC      : seed-cbc
 kisa 1 5                : SEED-CFB      : seed-cfb
 !Cname seed-ofb128
 kisa 1 6                : SEED-OFB      : seed-ofb
+
+# There is no OID that just denotes "HMAC" oddly enough...
+
+                        : HMAC                          : hmac
diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h
index b308894f18..5bdd370ac9 100644
--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER  0x0090808fL
+#define OPENSSL_VERSION_NUMBER  0x0090809fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8h-fips 28 May 2008"
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8i-fips 15 Sep 2008"
 #else
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8h 28 May 2008"
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8i 15 Sep 2008"
 #endif
 #define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
diff --git a/src/lib/libcrypto/ossl_typ.h b/src/lib/libcrypto/ossl_typ.h
index 345fb1dc4d..734200428f 100644
--- a/src/lib/libcrypto/ossl_typ.h
+++ b/src/lib/libcrypto/ossl_typ.h
@@ -140,6 +140,8 @@ typedef struct X509_crl_st X509_CRL;
 typedef struct X509_name_st X509_NAME;
 typedef struct x509_store_st X509_STORE;
 typedef struct x509_store_ctx_st X509_STORE_CTX;
+typedef struct ssl_st SSL;
+typedef struct ssl_ctx_st SSL_CTX;
 
 typedef struct v3_ext_ctx X509V3_CTX;
 typedef struct conf_st CONF;
diff --git a/src/lib/libcrypto/pkcs12/p12_crt.c b/src/lib/libcrypto/pkcs12/p12_crt.c
index dbafda17b6..9748256b6f 100644
--- a/src/lib/libcrypto/pkcs12/p12_crt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crt.c
@@ -63,6 +63,19 @@
 
 static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag);
 
+static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid)
+        {
+        int idx;
+        X509_ATTRIBUTE *attr;
+        idx = EVP_PKEY_get_attr_by_NID(pkey, nid, -1);
+        if (idx < 0)
+                return 1;
+        attr = EVP_PKEY_get_attr(pkey, idx);
+        if (!X509at_add1_attr(&bag->attrib, attr))
+                return 0;
+        return 1;
+        }
+
 PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
              STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter,
              int keytype)
@@ -122,20 +135,15 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 
         if (pkey)
                 {
-                int cspidx;
                 bag = PKCS12_add_key(&bags, pkey, keytype, iter, nid_key, pass);
 
                 if (!bag)
                         goto err;
 
-                cspidx = EVP_PKEY_get_attr_by_NID(pkey, NID_ms_csp_name, -1);
-                if (cspidx >= 0)
-                        {
-                        X509_ATTRIBUTE *cspattr;
-                        cspattr = EVP_PKEY_get_attr(pkey, cspidx);
-                        if (!X509at_add1_attr(&bag->attrib, cspattr))
-                                goto err;
-                        }
+                if (!copy_bag_attr(bag, pkey, NID_ms_csp_name))
+                        goto err;
+                if (!copy_bag_attr(bag, pkey, NID_LocalKeySet))
+                        goto err;
 
                 if(name && !PKCS12_add_friendlyname(bag, name, -1))
                         goto err;
diff --git a/src/lib/libcrypto/rand/Makefile b/src/lib/libcrypto/rand/Makefile
index 3c1ab5bbae..27694aa664 100644
--- a/src/lib/libcrypto/rand/Makefile
+++ b/src/lib/libcrypto/rand/Makefile
@@ -97,14 +97,19 @@ rand_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rand_err.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 rand_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 rand_err.o: rand_err.c
-rand_lib.o: ../../e_os.h ../../include/openssl/bio.h
-rand_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-rand_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-rand_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-rand_lib.o: ../../include/openssl/opensslconf.h
+rand_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+rand_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+rand_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+rand_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+rand_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+rand_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+rand_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+rand_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 rand_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-rand_lib.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+rand_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+rand_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 rand_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rand_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 rand_lib.o: ../cryptlib.h rand_lib.c
 rand_nw.o: ../../e_os.h ../../include/openssl/asn1.h
 rand_nw.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
diff --git a/src/lib/libcrypto/rsa/Makefile b/src/lib/libcrypto/rsa/Makefile
index 13900812ac..8f1c611800 100644
--- a/src/lib/libcrypto/rsa/Makefile
+++ b/src/lib/libcrypto/rsa/Makefile
@@ -133,12 +133,17 @@ rsa_gen.o: ../cryptlib.h rsa_gen.c
 rsa_lib.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-rsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-rsa_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+rsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+rsa_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+rsa_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+rsa_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+rsa_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 rsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-rsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-rsa_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+rsa_lib.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+rsa_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 rsa_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rsa_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 rsa_lib.o: ../cryptlib.h rsa_lib.c
 rsa_none.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_none.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index 6b5e4f8a9a..3699afaaaf 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -281,6 +281,7 @@ int	RSA_print_fp(FILE *fp, const RSA *r,int offset);
 int     RSA_print(BIO *bp, const RSA *r,int offset);
 #endif
 
+#ifndef OPENSSL_NO_RC4
 int i2d_RSA_NET(const RSA *a, unsigned char **pp,
                 int (*cb)(char *buf, int len, const char *prompt, int verify),
                 int sgckey);
@@ -294,6 +295,7 @@ int i2d_Netscape_RSA(const RSA *a, unsigned char **pp,
 RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length,
                       int (*cb)(char *buf, int len, const char *prompt,
                                 int verify));
+#endif
 
 /* The following 2 functions sign and verify a X509_SIG ASN1 object
  * inside PKCS#1 padded RSA encryption */
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index 272c5eed18..5a6eda7961 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -150,16 +150,6 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void)
         return(&rsa_pkcs1_eay_meth);
         }
 
-/* Usage example;
- *    MONT_HELPER(rsa->_method_mod_p, bn_ctx, rsa->p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
- */
-#define MONT_HELPER(method_mod, ctx, m, pre_cond, err_instr) \
-        if ((pre_cond) && ((method_mod) == NULL) && \
-                        !BN_MONT_CTX_set_locked(&(method_mod), \
-                                CRYPTO_LOCK_RSA, \
-                                (m), (ctx))) \
-                err_instr
-
 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
              unsigned char *to, RSA *rsa, int padding)
         {
@@ -233,7 +223,9 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
                 goto err;
                 }
 
-        MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+        if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+                if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                        goto err;
 
         if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
                 rsa->_method_mod_n)) goto err;
@@ -460,7 +452,9 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                 else
                         d= rsa->d;
 
-                MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+                if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+                        if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                                goto err;
 
                 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
                                 rsa->_method_mod_n)) goto err;
@@ -581,7 +575,9 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                 else
                         d = rsa->d;
 
-                MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+                if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+                        if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                                goto err;
                 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
                                 rsa->_method_mod_n))
                   goto err;
@@ -691,7 +687,9 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
                 goto err;
                 }
 
-        MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+        if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+                if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                        goto err;
 
         if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
                 rsa->_method_mod_n)) goto err;
@@ -769,11 +767,18 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
                         q = rsa->q;
                         }
 
-                MONT_HELPER(rsa->_method_mod_p, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
-                MONT_HELPER(rsa->_method_mod_q, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
+                if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
+                        {
+                        if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
+                                goto err;
+                        if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
+                                goto err;
+                        }
         }
 
-        MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+        if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+                if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                        goto err;
 
         /* compute I mod q */
         if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
diff --git a/src/lib/libcrypto/rsa/rsa_ssl.c b/src/lib/libcrypto/rsa/rsa_ssl.c
index ea72629494..cfeff15bc9 100644
--- a/src/lib/libcrypto/rsa/rsa_ssl.c
+++ b/src/lib/libcrypto/rsa/rsa_ssl.c
@@ -130,7 +130,7 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
                 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_NULL_BEFORE_BLOCK_MISSING);
                 return(-1);
                 }
-        for (k= -8; k<0; k++)
+        for (k = -9; k<-1; k++)
                 {
                 if (p[k] !=  0x03) break;
                 }
diff --git a/src/lib/libcrypto/sha/asm/sha1-586.pl b/src/lib/libcrypto/sha/asm/sha1-586.pl
index 0b4dab2bd5..a787dd37da 100644
--- a/src/lib/libcrypto/sha/asm/sha1-586.pl
+++ b/src/lib/libcrypto/sha/asm/sha1-586.pl
@@ -149,7 +149,7 @@ sub BODY_40_59
         &add($f,$e);                    # f+=ROTATE(a,5)
         }
 
-&function_begin("sha1_block_data_order",16);
+&function_begin("sha1_block_data_order");
         &mov($tmp1,&wparam(0)); # SHA_CTX *c
         &mov($T,&wparam(1));    # const void *input
         &mov($A,&wparam(2));    # size_t num
diff --git a/src/lib/libcrypto/stack/safestack.h b/src/lib/libcrypto/stack/safestack.h
index 78cc485e6d..40b17902e0 100644
--- a/src/lib/libcrypto/stack/safestack.h
+++ b/src/lib/libcrypto/stack/safestack.h
@@ -986,6 +986,50 @@ STACK_OF(type) \
 #define sk_MIME_HEADER_sort(st) SKM_sk_sort(MIME_HEADER, (st))
 #define sk_MIME_HEADER_is_sorted(st) SKM_sk_is_sorted(MIME_HEADER, (st))
 
+#define sk_MIME_HEADER_new(st) SKM_sk_new(MIME_HEADER, (st))
+#define sk_MIME_HEADER_new_null() SKM_sk_new_null(MIME_HEADER)
+#define sk_MIME_HEADER_free(st) SKM_sk_free(MIME_HEADER, (st))
+#define sk_MIME_HEADER_num(st) SKM_sk_num(MIME_HEADER, (st))
+#define sk_MIME_HEADER_value(st, i) SKM_sk_value(MIME_HEADER, (st), (i))
+#define sk_MIME_HEADER_set(st, i, val) SKM_sk_set(MIME_HEADER, (st), (i), (val))
+#define sk_MIME_HEADER_zero(st) SKM_sk_zero(MIME_HEADER, (st))
+#define sk_MIME_HEADER_push(st, val) SKM_sk_push(MIME_HEADER, (st), (val))
+#define sk_MIME_HEADER_unshift(st, val) SKM_sk_unshift(MIME_HEADER, (st), (val))
+#define sk_MIME_HEADER_find(st, val) SKM_sk_find(MIME_HEADER, (st), (val))
+#define sk_MIME_HEADER_find_ex(st, val) SKM_sk_find_ex(MIME_HEADER, (st), (val))
+#define sk_MIME_HEADER_delete(st, i) SKM_sk_delete(MIME_HEADER, (st), (i))
+#define sk_MIME_HEADER_delete_ptr(st, ptr) SKM_sk_delete_ptr(MIME_HEADER, (st), (ptr))
+#define sk_MIME_HEADER_insert(st, val, i) SKM_sk_insert(MIME_HEADER, (st), (val), (i))
+#define sk_MIME_HEADER_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(MIME_HEADER, (st), (cmp))
+#define sk_MIME_HEADER_dup(st) SKM_sk_dup(MIME_HEADER, st)
+#define sk_MIME_HEADER_pop_free(st, free_func) SKM_sk_pop_free(MIME_HEADER, (st), (free_func))
+#define sk_MIME_HEADER_shift(st) SKM_sk_shift(MIME_HEADER, (st))
+#define sk_MIME_HEADER_pop(st) SKM_sk_pop(MIME_HEADER, (st))
+#define sk_MIME_HEADER_sort(st) SKM_sk_sort(MIME_HEADER, (st))
+#define sk_MIME_HEADER_is_sorted(st) SKM_sk_is_sorted(MIME_HEADER, (st))
+
+#define sk_MIME_PARAM_new(st) SKM_sk_new(MIME_PARAM, (st))
+#define sk_MIME_PARAM_new_null() SKM_sk_new_null(MIME_PARAM)
+#define sk_MIME_PARAM_free(st) SKM_sk_free(MIME_PARAM, (st))
+#define sk_MIME_PARAM_num(st) SKM_sk_num(MIME_PARAM, (st))
+#define sk_MIME_PARAM_value(st, i) SKM_sk_value(MIME_PARAM, (st), (i))
+#define sk_MIME_PARAM_set(st, i, val) SKM_sk_set(MIME_PARAM, (st), (i), (val))
+#define sk_MIME_PARAM_zero(st) SKM_sk_zero(MIME_PARAM, (st))
+#define sk_MIME_PARAM_push(st, val) SKM_sk_push(MIME_PARAM, (st), (val))
+#define sk_MIME_PARAM_unshift(st, val) SKM_sk_unshift(MIME_PARAM, (st), (val))
+#define sk_MIME_PARAM_find(st, val) SKM_sk_find(MIME_PARAM, (st), (val))
+#define sk_MIME_PARAM_find_ex(st, val) SKM_sk_find_ex(MIME_PARAM, (st), (val))
+#define sk_MIME_PARAM_delete(st, i) SKM_sk_delete(MIME_PARAM, (st), (i))
+#define sk_MIME_PARAM_delete_ptr(st, ptr) SKM_sk_delete_ptr(MIME_PARAM, (st), (ptr))
+#define sk_MIME_PARAM_insert(st, val, i) SKM_sk_insert(MIME_PARAM, (st), (val), (i))
+#define sk_MIME_PARAM_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(MIME_PARAM, (st), (cmp))
+#define sk_MIME_PARAM_dup(st) SKM_sk_dup(MIME_PARAM, st)
+#define sk_MIME_PARAM_pop_free(st, free_func) SKM_sk_pop_free(MIME_PARAM, (st), (free_func))
+#define sk_MIME_PARAM_shift(st) SKM_sk_shift(MIME_PARAM, (st))
+#define sk_MIME_PARAM_pop(st) SKM_sk_pop(MIME_PARAM, (st))
+#define sk_MIME_PARAM_sort(st) SKM_sk_sort(MIME_PARAM, (st))
+#define sk_MIME_PARAM_is_sorted(st) SKM_sk_is_sorted(MIME_PARAM, (st))
+
 #define sk_MIME_PARAM_new(st) SKM_sk_new(MIME_PARAM, (st))
 #define sk_MIME_PARAM_new_null() SKM_sk_new_null(MIME_PARAM)
 #define sk_MIME_PARAM_free(st) SKM_sk_free(MIME_PARAM, (st))
diff --git a/src/lib/libcrypto/util/libeay.num b/src/lib/libcrypto/util/libeay.num
index 2989500c4b..62664f3c37 100644
--- a/src/lib/libcrypto/util/libeay.num
+++ b/src/lib/libcrypto/util/libeay.num
@@ -725,7 +725,7 @@ d2i_DSAPublicKey                        731	EXIST::FUNCTION:DSA
 d2i_DSAparams                           732     EXIST::FUNCTION:DSA
 d2i_NETSCAPE_SPKAC                      733     EXIST::FUNCTION:
 d2i_NETSCAPE_SPKI                       734     EXIST::FUNCTION:
-d2i_Netscape_RSA                        735     EXIST::FUNCTION:RSA
+d2i_Netscape_RSA                        735     EXIST::FUNCTION:RC4,RSA
 d2i_PKCS7                               736     EXIST::FUNCTION:
 d2i_PKCS7_DIGEST                        737     EXIST::FUNCTION:
 d2i_PKCS7_ENCRYPT                       738     EXIST::FUNCTION:
@@ -827,7 +827,7 @@ i2d_DSAPublicKey                        834	EXIST::FUNCTION:DSA
 i2d_DSAparams                           835     EXIST::FUNCTION:DSA
 i2d_NETSCAPE_SPKAC                      836     EXIST::FUNCTION:
 i2d_NETSCAPE_SPKI                       837     EXIST::FUNCTION:
-i2d_Netscape_RSA                        838     EXIST::FUNCTION:RSA
+i2d_Netscape_RSA                        838     EXIST::FUNCTION:RC4,RSA
 i2d_PKCS7                               839     EXIST::FUNCTION:
 i2d_PKCS7_DIGEST                        840     EXIST::FUNCTION:
 i2d_PKCS7_ENCRYPT                       841     EXIST::FUNCTION:
@@ -1814,9 +1814,9 @@ RAND_egd_bytes                          2402	EXIST::FUNCTION:
 X509_REQ_get1_email                     2403    EXIST::FUNCTION:
 X509_get1_email                         2404    EXIST::FUNCTION:
 X509_email_free                         2405    EXIST::FUNCTION:
-i2d_RSA_NET                             2406    EXIST::FUNCTION:RSA
+i2d_RSA_NET                             2406    EXIST::FUNCTION:RC4,RSA
 d2i_RSA_NET_2                           2407    NOEXIST::FUNCTION:
-d2i_RSA_NET                             2408    EXIST::FUNCTION:RSA
+d2i_RSA_NET                             2408    EXIST::FUNCTION:RC4,RSA
 DSO_bind_func                           2409    EXIST::FUNCTION:
 CRYPTO_get_new_dynlockid                2410    EXIST::FUNCTION:
 sk_new_null                             2411    EXIST::FUNCTION:
@@ -2843,7 +2843,7 @@ FIPS_selftest_failed                    3284	NOEXIST::FUNCTION:
 sk_is_sorted                            3285    EXIST::FUNCTION:
 X509_check_ca                           3286    EXIST::FUNCTION:
 private_idea_set_encrypt_key            3287    NOEXIST::FUNCTION:
-HMAC_CTX_set_flags                      3288    NOEXIST::FUNCTION:
+HMAC_CTX_set_flags                      3288    EXIST::FUNCTION:HMAC
 private_SHA_Init                        3289    NOEXIST::FUNCTION:
 private_CAST_set_key                    3290    NOEXIST::FUNCTION:
 private_RIPEMD160_Init                  3291    NOEXIST::FUNCTION:
@@ -3652,3 +3652,51 @@ CMS_set1_eContentType                   4040	EXIST::FUNCTION:CMS
 CMS_ReceiptRequest_create0              4041    EXIST::FUNCTION:CMS
 CMS_add1_signer                         4042    EXIST::FUNCTION:CMS
 CMS_RecipientInfo_set0_pkey             4043    EXIST::FUNCTION:CMS
+ENGINE_set_load_ssl_client_cert_function 4044   EXIST::FUNCTION:ENGINE
+ENGINE_get_ssl_client_cert_function     4045    EXIST::FUNCTION:ENGINE
+ENGINE_load_ssl_client_cert             4046    EXIST::FUNCTION:ENGINE
+ENGINE_load_capi                        4047    EXIST::FUNCTION:CAPIENG,ENGINE
+OPENSSL_isservice                       4048    EXIST::FUNCTION:
+FIPS_dsa_sig_decode                     4049    NOEXIST::FUNCTION:
+EVP_CIPHER_CTX_clear_flags              4050    NOEXIST::FUNCTION:
+FIPS_rand_status                        4051    NOEXIST::FUNCTION:
+FIPS_rand_set_key                       4052    NOEXIST::FUNCTION:
+CRYPTO_set_mem_info_functions           4053    NOEXIST::FUNCTION:
+RSA_X931_generate_key_ex                4054    NOEXIST::FUNCTION:
+int_ERR_set_state_func                  4055    NOEXIST::FUNCTION:
+int_EVP_MD_set_engine_callbacks         4056    NOEXIST::FUNCTION:
+int_CRYPTO_set_do_dynlock_callback      4057    NOEXIST::FUNCTION:
+FIPS_rng_stick                          4058    NOEXIST::FUNCTION:
+EVP_CIPHER_CTX_set_flags                4059    NOEXIST::FUNCTION:
+BN_X931_generate_prime_ex               4060    NOEXIST::FUNCTION:
+FIPS_selftest_check                     4061    NOEXIST::FUNCTION:
+FIPS_rand_set_dt                        4062    NOEXIST::FUNCTION:
+CRYPTO_dbg_pop_info                     4063    NOEXIST::FUNCTION:
+FIPS_dsa_free                           4064    NOEXIST::FUNCTION:
+RSA_X931_derive_ex                      4065    NOEXIST::FUNCTION:
+FIPS_rsa_new                            4066    NOEXIST::FUNCTION:
+FIPS_rand_bytes                         4067    NOEXIST::FUNCTION:
+fips_cipher_test                        4068    NOEXIST::FUNCTION:
+EVP_CIPHER_CTX_test_flags               4069    NOEXIST::FUNCTION:
+CRYPTO_malloc_debug_init                4070    NOEXIST::FUNCTION:
+CRYPTO_dbg_push_info                    4071    NOEXIST::FUNCTION:
+FIPS_corrupt_rsa_keygen                 4072    NOEXIST::FUNCTION:
+FIPS_dh_new                             4073    NOEXIST::FUNCTION:
+FIPS_corrupt_dsa_keygen                 4074    NOEXIST::FUNCTION:
+FIPS_dh_free                            4075    NOEXIST::FUNCTION:
+fips_pkey_signature_test                4076    NOEXIST::FUNCTION:
+EVP_add_alg_module                      4077    NOEXIST::FUNCTION:
+int_RAND_init_engine_callbacks          4078    NOEXIST::FUNCTION:
+int_EVP_CIPHER_set_engine_callbacks     4079    NOEXIST::FUNCTION:
+int_EVP_MD_init_engine_callbacks        4080    NOEXIST::FUNCTION:
+FIPS_rand_test_mode                     4081    NOEXIST::FUNCTION:
+FIPS_rand_reset                         4082    NOEXIST::FUNCTION:
+FIPS_dsa_new                            4083    NOEXIST::FUNCTION:
+int_RAND_set_callbacks                  4084    NOEXIST::FUNCTION:
+BN_X931_derive_prime_ex                 4085    NOEXIST::FUNCTION:
+int_ERR_lib_init                        4086    NOEXIST::FUNCTION:
+int_EVP_CIPHER_init_engine_callbacks    4087    NOEXIST::FUNCTION:
+FIPS_rsa_free                           4088    NOEXIST::FUNCTION:
+FIPS_dsa_sig_encode                     4089    NOEXIST::FUNCTION:
+CRYPTO_dbg_remove_all_info              4090    NOEXIST::FUNCTION:
+OPENSSL_init                            4091    NOEXIST::FUNCTION:
diff --git a/src/lib/libcrypto/util/mk1mf.pl b/src/lib/libcrypto/util/mk1mf.pl
index 1ac5fd3a50..7ba804ce33 100644
--- a/src/lib/libcrypto/util/mk1mf.pl
+++ b/src/lib/libcrypto/util/mk1mf.pl
@@ -221,6 +221,7 @@ $cflags.=" -DOPENSSL_NO_SSL2" if $no_ssl2;
 $cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3;
 $cflags.=" -DOPENSSL_NO_TLSEXT" if $no_tlsext;
 $cflags.=" -DOPENSSL_NO_CMS" if $no_cms;
+$cflags.=" -DOPENSSL_NO_CAPIENG" if $no_capieng;
 $cflags.=" -DOPENSSL_NO_ERR"  if $no_err;
 $cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5;
 $cflags.=" -DOPENSSL_NO_EC"   if $no_ec;
@@ -1017,6 +1018,7 @@ sub read_options
                 "no-ssl3" => \$no_ssl3,
                 "no-tlsext" => \$no_tlsext,
                 "no-cms" => \$no_cms,
+                "no-capieng" => \$no_capieng,
                 "no-err" => \$no_err,
                 "no-sock" => \$no_sock,
                 "no-krb5" => \$no_krb5,
@@ -1100,7 +1102,7 @@ sub read_options
                                 }
                         }
                 }
-        elsif (/^([^=]*)=(.*)$/){ $VARS{$1}=$2; }
+        elsif (/^([^=]*)=(.*)$/ && !/^-D/){ $VARS{$1}=$2; }
         elsif (/^-[lL].*$/)     { $l_flags.="$_ "; }
         elsif ((!/^-help/) && (!/^-h/) && (!/^-\?/) && /^-.*$/)
                 { $c_flags.="$_ "; }
diff --git a/src/lib/libcrypto/util/mkdef.pl b/src/lib/libcrypto/util/mkdef.pl
index ef1cc6e513..8ecfde1848 100644
--- a/src/lib/libcrypto/util/mkdef.pl
+++ b/src/lib/libcrypto/util/mkdef.pl
@@ -100,6 +100,8 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
                          "TLSEXT",
                          # CMS
                          "CMS",
+                         # CryptoAPI Engine
+                         "CAPIENG",
                          # Deprecated functions
                          "DEPRECATED" );
 
@@ -120,7 +122,7 @@ my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5;
 my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw; my $no_camellia;
 my $no_seed;
 my $no_fp_api; my $no_static_engine; my $no_gmp; my $no_deprecated;
-my $no_rfc3779; my $no_tlsext; my $no_cms;
+my $no_rfc3779; my $no_tlsext; my $no_cms; my $no_capieng;
 
 
 foreach (@ARGV, split(/ /, $options))
@@ -206,6 +208,7 @@ foreach (@ARGV, split(/ /, $options))
         elsif (/^no-rfc3779$/)  { $no_rfc3779=1; }
         elsif (/^no-tlsext$/)   { $no_tlsext=1; }
         elsif (/^no-cms$/)      { $no_cms=1; }
+        elsif (/^no-capieng$/)  { $no_capieng=1; }
         }
 
 
@@ -1131,6 +1134,7 @@ sub is_valid
                         if ($keyword eq "RFC3779" && $no_rfc3779) { return 0; }
                         if ($keyword eq "TLSEXT" && $no_tlsext) { return 0; }
                         if ($keyword eq "CMS" && $no_cms) { return 0; }
+                        if ($keyword eq "CAPIENG" && $no_capieng) { return 0; }
                         if ($keyword eq "DEPRECATED" && $no_deprecated) { return 0; }
 
                         # Nothing recognise as true
diff --git a/src/lib/libcrypto/util/pl/VC-32.pl b/src/lib/libcrypto/util/pl/VC-32.pl
index 9cb2ab7e99..1e254119e6 100644
--- a/src/lib/libcrypto/util/pl/VC-32.pl
+++ b/src/lib/libcrypto/util/pl/VC-32.pl
@@ -138,7 +138,7 @@ if ($FLAVOR =~ /CE/)
         }
 else
         {
-        $ex_libs.=' gdi32.lib advapi32.lib user32.lib';
+        $ex_libs.=' gdi32.lib crypt32.lib advapi32.lib user32.lib';
         $ex_libs.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/);
         }
 
@@ -259,7 +259,6 @@ sub do_lib_rule
                 $name =~ tr/a-z/A-Z/;
                 $name = "/def:ms/${name}.def";
                 }
-
 #       $target="\$(LIB_D)$o$target";
         $ret.="$target: $objs\n";
         if (!$shlib)
@@ -274,6 +273,10 @@ sub do_lib_rule
                 if ($name eq "")
                         {
                         $ex.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/);
+                        if ($target =~ /capi/)
+                                {
+                                $ex.=' crypt32.lib advapi32.lib';
+                                }
                         }
                 elsif ($FLAVOR =~ /CE/)
                         {
@@ -283,6 +286,7 @@ sub do_lib_rule
                         {
                         $ex.=' unicows.lib' if ($FLAVOR =~ /NT/);
                         $ex.=' wsock32.lib gdi32.lib advapi32.lib user32.lib';
+                        $ex.=' crypt32.lib';
                         $ex.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/);
                         }
                 $ex.=" $zlib_lib" if $zlib_opt == 1 && $target =~ /O_CRYPTO/;
diff --git a/src/lib/libcrypto/util/ssleay.num b/src/lib/libcrypto/util/ssleay.num
index b3ac136a56..2055cc1597 100644
--- a/src/lib/libcrypto/util/ssleay.num
+++ b/src/lib/libcrypto/util/ssleay.num
@@ -241,3 +241,4 @@ SSL_CTX_sess_get_remove_cb              289	EXIST::FUNCTION:
 SSL_set_SSL_CTX                         290     EXIST::FUNCTION:
 SSL_get_servername                      291     EXIST::FUNCTION:TLSEXT
 SSL_get_servername_type                 292     EXIST::FUNCTION:TLSEXT
+SSL_CTX_set_client_cert_engine          293     EXIST::FUNCTION:ENGINE
diff --git a/src/lib/libcrypto/x509/x509_att.c b/src/lib/libcrypto/x509/x509_att.c
index 511b49d589..98460e8921 100644
--- a/src/lib/libcrypto/x509/x509_att.c
+++ b/src/lib/libcrypto/x509/x509_att.c
@@ -245,7 +245,7 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
                 goto err;
         if (!X509_ATTRIBUTE_set1_data(ret,atrtype,data,len))
                 goto err;
-        
+
         if ((attr != NULL) && (*attr == NULL)) *attr=ret;
         return(ret);
 err:
@@ -302,8 +302,15 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *dat
                 atype = attrtype;
         }
         if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
+        attr->single = 0;
+        /* This is a bit naughty because the attribute should really have
+         * at least one value but some types use and zero length SET and
+         * require this.
+         */
+        if (attrtype == 0)
+                return 1;
         if(!(ttmp = ASN1_TYPE_new())) goto err;
-        if (len == -1)
+        if ((len == -1) && !(attrtype & MBSTRING_FLAG))
                 {
                 if (!ASN1_TYPE_set1(ttmp, attrtype, data))
                         goto err;
@@ -311,7 +318,6 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *dat
         else
                 ASN1_TYPE_set(ttmp, atype, stmp);
         if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
-        attr->single = 0;
         return 1;
         err:
         X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_MALLOC_FAILURE);
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 9a62ebcf67..336c40ddd7 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -394,7 +394,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 #ifdef OPENSSL_NO_CHAIN_VERIFY
         return 1;
 #else
-        int i, ok=0, must_be_ca;
+        int i, ok=0, must_be_ca, plen = 0;
         X509 *x;
         int (*cb)(int xok,X509_STORE_CTX *xctx);
         int proxy_path_length = 0;
@@ -495,9 +495,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                                 if (!ok) goto end;
                                 }
                         }
-                /* Check pathlen */
-                if ((i > 1) && (x->ex_pathlen != -1)
-                           && (i > (x->ex_pathlen + proxy_path_length + 1)))
+                /* Check pathlen if not self issued */
+                if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
+                           && (x->ex_pathlen != -1)
+                           && (plen > (x->ex_pathlen + proxy_path_length + 1)))
                         {
                         ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
                         ctx->error_depth = i;
@@ -505,6 +506,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                         ok=cb(0,ctx);
                         if (!ok) goto end;
                         }
+                /* Increment path length if not self issued */
+                if (!(x->ex_flags & EXFLAG_SI))
+                        plen++;
                 /* If this certificate is a proxy certificate, the next
                    certificate must be another proxy certificate or a EE
                    certificate.  If not, the next certificate must be a
diff --git a/src/lib/libcrypto/x509v3/pcy_data.c b/src/lib/libcrypto/x509v3/pcy_data.c
index 614d2b4935..4711b1ee92 100644
--- a/src/lib/libcrypto/x509v3/pcy_data.c
+++ b/src/lib/libcrypto/x509v3/pcy_data.c
@@ -87,6 +87,12 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
         X509_POLICY_DATA *ret;
         if (!policy && !id)
                 return NULL;
+        if (id)
+                {
+                id = OBJ_dup(id);
+                if (!id)
+                        return NULL;
+                }
         ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
         if (!ret)
                 return NULL;
@@ -94,6 +100,8 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
         if (!ret->expected_policy_set)
                 {
                 OPENSSL_free(ret);
+                if (id)
+                        ASN1_OBJECT_free(id);
                 return NULL;
                 }
 
diff --git a/src/lib/libcrypto/x509v3/pcy_tree.c b/src/lib/libcrypto/x509v3/pcy_tree.c
index 4fda1d419a..b1ce77b9af 100644
--- a/src/lib/libcrypto/x509v3/pcy_tree.c
+++ b/src/lib/libcrypto/x509v3/pcy_tree.c
@@ -130,9 +130,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                         ret = 2;
                 if (explicit_policy > 0)
                         {
-                        explicit_policy--;
-                        if (!(x->ex_flags & EXFLAG_SS)
-                                && (cache->explicit_skip != -1)
+                        if (!(x->ex_flags & EXFLAG_SI))
+                                explicit_policy--;
+                        if ((cache->explicit_skip != -1)
                                 && (cache->explicit_skip < explicit_policy))
                                 explicit_policy = cache->explicit_skip;
                         }
@@ -197,13 +197,14 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                         /* Any matching allowed if certificate is self
                          * issued and not the last in the chain.
                          */
-                        if (!(x->ex_flags & EXFLAG_SS) || (i == 0))
+                        if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
                                 level->flags |= X509_V_FLAG_INHIBIT_ANY;
                         }
                 else
                         {
-                        any_skip--;
-                        if ((cache->any_skip > 0)
+                        if (!(x->ex_flags & EXFLAG_SI))
+                                any_skip--;
+                        if ((cache->any_skip >= 0)
                                 && (cache->any_skip < any_skip))
                                 any_skip = cache->any_skip;
                         }
@@ -213,7 +214,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                 else
                         {
                         map_skip--;
-                        if ((cache->map_skip > 0)
+                        if ((cache->map_skip >= 0)
                                 && (cache->map_skip < map_skip))
                                 map_skip = cache->map_skip;
                         }
@@ -310,7 +311,8 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
 
                 if (data == NULL)
                         return 0;
-                data->qualifier_set = curr->anyPolicy->data->qualifier_set;
+                /* Curr may not have anyPolicy */
+                data->qualifier_set = cache->anyPolicy->qualifier_set;
                 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
                 if (!level_add_node(curr, data, node, tree))
                         {
diff --git a/src/lib/libcrypto/x509v3/v3_addr.c b/src/lib/libcrypto/x509v3/v3_addr.c
index ed9847b307..c6730ab3fd 100644
--- a/src/lib/libcrypto/x509v3/v3_addr.c
+++ b/src/lib/libcrypto/x509v3/v3_addr.c
@@ -594,10 +594,10 @@ static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
     return NULL;
   switch (afi) {
   case IANA_AFI_IPV4:
-    sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
+    (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
     break;
   case IANA_AFI_IPV6:
-    sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
+    (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
     break;
   }
   f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
@@ -854,7 +854,7 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
       if (!make_addressRange(&merged, a_min, b_max, length))
         return 0;
       sk_IPAddressOrRange_set(aors, i, merged);
-      sk_IPAddressOrRange_delete(aors, i + 1);
+      (void)sk_IPAddressOrRange_delete(aors, i + 1);
       IPAddressOrRange_free(a);
       IPAddressOrRange_free(b);
       --i;
@@ -1122,7 +1122,7 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
     return 1;
   if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
     return 0;
-  sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
+  (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
   for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
     IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
     int j = sk_IPAddressFamily_find(b, fa);
@@ -1183,7 +1183,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
   }
   if (!v3_addr_is_canonical(ext))
     validation_err(X509_V_ERR_INVALID_EXTENSION);
-  sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
+  (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
   if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
     X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
     ret = 0;
@@ -1209,7 +1209,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
       }
       continue;
     }
-    sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
+    (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
     for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
       IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
       int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
diff --git a/src/lib/libcrypto/x509v3/v3_asid.c b/src/lib/libcrypto/x509v3/v3_asid.c
index 271930f967..abd497ed1f 100644
--- a/src/lib/libcrypto/x509v3/v3_asid.c
+++ b/src/lib/libcrypto/x509v3/v3_asid.c
@@ -466,7 +466,7 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
         break;
       }
       ASIdOrRange_free(b);
-      sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
+      (void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
       i--;
       continue;
     }
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
index b2f5cdfa05..c54e7887c7 100644
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -291,7 +291,9 @@ int X509_supported_extension(X509_EXTENSION *ex)
                 NID_sbgp_ipAddrBlock,   /* 290 */
                 NID_sbgp_autonomousSysNum, /* 291 */
 #endif
-                NID_proxyCertInfo       /* 661 */
+                NID_policy_constraints, /* 401 */
+                NID_proxyCertInfo,      /* 661 */
+                NID_inhibit_any_policy  /* 748 */
         };
 
         int ex_nid;
@@ -325,7 +327,7 @@ static void x509v3_cache_extensions(X509 *x)
 #endif
         /* Does subject name match issuer ? */
         if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
-                         x->ex_flags |= EXFLAG_SS;
+                         x->ex_flags |= EXFLAG_SI;
         /* V1 should mean no extensions ... */
         if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
         /* Handle basic constraints */
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
index db2b0482c1..5ba59f71c9 100644
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -363,6 +363,8 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
 #define EXFLAG_NSCERT           0x8
 
 #define EXFLAG_CA               0x10
+/* Really self issued not necessarily self signed */
+#define EXFLAG_SI               0x20
 #define EXFLAG_SS               0x20
 #define EXFLAG_V1               0x40
 #define EXFLAG_INVALID          0x80
@@ -370,7 +372,7 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
 #define EXFLAG_CRITICAL         0x200
 #define EXFLAG_PROXY            0x400
 
-#define EXFLAG_INVALID_POLICY   0x400
+#define EXFLAG_INVALID_POLICY   0x800
 
 #define KU_DIGITAL_SIGNATURE    0x0080
 #define KU_NON_REPUDIATION      0x0040
diff --git a/src/lib/libssl/crypto/Makefile b/src/lib/libssl/crypto/Makefile
index 114e1fc1d4..b1677cd664 100644
--- a/src/lib/libssl/crypto/Makefile
+++ b/src/lib/libssl/crypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.49 2008/09/08 07:23:38 djm Exp $
+# $OpenBSD: Makefile,v 1.50 2009/01/05 21:36:37 djm Exp $
 
 LIB=    crypto
 WANTLINT=
@@ -36,6 +36,7 @@ CFLAGS+= -DOPENSSL_NO_MDC2
 CFLAGS+= -DOPENSSL_NO_HW_4758_CCA
 CFLAGS+= -DOPENSSL_NO_HW_AEP
 CFLAGS+= -DOPENSSL_NO_HW_ATALLA
+CFLAGS+= -DOPENSSL_NO_CAPIENG
 CFLAGS+= -DOPENSSL_NO_HW_CSWIFT
 CFLAGS+= -DOPENSSL_NO_HW_NCIPHER
 CFLAGS+= -DOPENSSL_NO_HW_NURON
@@ -307,7 +308,7 @@ obj_dat.h: obj_mac.h
         /usr/bin/perl ${SSL_OBJECTS}/obj_dat.pl obj_mac.h obj_dat.h
 
 .if (${MACHINE_ARCH} == "vax")
-# egcs bombs optimising this file on vax
+# egcs bombs optimising these files
 a_strnid.o:
         ${CC} ${CFLAGS} -O0 ${CPPFLAGS} -c ${.IMPSRC}
 a_strnid.po:           
diff --git a/src/lib/libssl/crypto/arch/alpha/opensslconf.h b/src/lib/libssl/crypto/arch/alpha/opensslconf.h
index 0d759a5784..58b46616b5 100644
--- a/src/lib/libssl/crypto/arch/alpha/opensslconf.h
+++ b/src/lib/libssl/crypto/arch/alpha/opensslconf.h
@@ -7,6 +7,9 @@
 #ifndef OPENSSL_NO_CAMELLIA
 # define OPENSSL_NO_CAMELLIA
 #endif
+#ifndef OPENSSL_NO_CAPIENG
+# define OPENSSL_NO_CAPIENG
+#endif
 #ifndef OPENSSL_NO_CMS
 # define OPENSSL_NO_CMS
 #endif
diff --git a/src/lib/libssl/crypto/arch/amd64/opensslconf.h b/src/lib/libssl/crypto/arch/amd64/opensslconf.h
index fd992553a7..b7c7908adf 100644
--- a/src/lib/libssl/crypto/arch/amd64/opensslconf.h
+++ b/src/lib/libssl/crypto/arch/amd64/opensslconf.h
@@ -7,6 +7,9 @@
 #ifndef OPENSSL_NO_CAMELLIA
 # define OPENSSL_NO_CAMELLIA
 #endif
+#ifndef OPENSSL_NO_CAPIENG
+# define OPENSSL_NO_CAPIENG
+#endif
 #ifndef OPENSSL_NO_CMS
 # define OPENSSL_NO_CMS
 #endif
diff --git a/src/lib/libssl/crypto/arch/arm/opensslconf.h b/src/lib/libssl/crypto/arch/arm/opensslconf.h
index 94d322270b..ef50032293 100644
--- a/src/lib/libssl/crypto/arch/arm/opensslconf.h
+++ b/src/lib/libssl/crypto/arch/arm/opensslconf.h
@@ -7,6 +7,9 @@
 #ifndef OPENSSL_NO_CAMELLIA
 # define OPENSSL_NO_CAMELLIA
 #endif
+#ifndef OPENSSL_NO_CAPIENG
+# define OPENSSL_NO_CAPIENG
+#endif
 #ifndef OPENSSL_NO_CMS
 # define OPENSSL_NO_CMS
 #endif
diff --git a/src/lib/libssl/crypto/arch/hppa/opensslconf.h b/src/lib/libssl/crypto/arch/hppa/opensslconf.h
index 94d322270b..ef50032293 100644
--- a/src/lib/libssl/crypto/arch/hppa/opensslconf.h
+++ b/src/lib/libssl/crypto/arch/hppa/opensslconf.h
@@ -7,6 +7,9 @@
 #ifndef OPENSSL_NO_CAMELLIA
 # define OPENSSL_NO_CAMELLIA
 #endif
+#ifndef OPENSSL_NO_CAPIENG
+# define OPENSSL_NO_CAPIENG
+#endif
 #ifndef OPENSSL_NO_CMS
 # define OPENSSL_NO_CMS
 #endif
diff --git a/src/lib/libssl/crypto/arch/i386/opensslconf.h b/src/lib/libssl/crypto/arch/i386/opensslconf.h
index 98b7b58408..b93cff97fc 100644
--- a/src/lib/libssl/crypto/arch/i386/opensslconf.h
+++ b/src/lib/libssl/crypto/arch/i386/opensslconf.h
@@ -7,6 +7,9 @@
 #ifndef OPENSSL_NO_CAMELLIA
 # define OPENSSL_NO_CAMELLIA
 #endif
+#ifndef OPENSSL_NO_CAPIENG
+# define OPENSSL_NO_CAPIENG
+#endif
 #ifndef OPENSSL_NO_CMS
 # define OPENSSL_NO_CMS
 #endif
diff --git a/src/lib/libssl/crypto/arch/m68k/opensslconf.h b/src/lib/libssl/crypto/arch/m68k/opensslconf.h
index 94d322270b..ef50032293 100644
--- a/src/lib/libssl/crypto/arch/m68k/opensslconf.h
+++ b/src/lib/libssl/crypto/arch/m68k/opensslconf.h
@@ -7,6 +7,9 @@
 #ifndef OPENSSL_NO_CAMELLIA
 # define OPENSSL_NO_CAMELLIA
 #endif
+#ifndef OPENSSL_NO_CAPIENG
+# define OPENSSL_NO_CAPIENG
+#endif
 #ifndef OPENSSL_NO_CMS
 # define OPENSSL_NO_CMS
 #endif
diff --git a/src/lib/libssl/crypto/arch/m88k/opensslconf.h b/src/lib/libssl/crypto/arch/m88k/opensslconf.h
index 94d322270b..ef50032293 100644
--- a/src/lib/libssl/crypto/arch/m88k/opensslconf.h
+++ b/src/lib/libssl/crypto/arch/m88k/opensslconf.h
@@ -7,6 +7,9 @@
 #ifndef OPENSSL_NO_CAMELLIA
 # define OPENSSL_NO_CAMELLIA
 #endif
+#ifndef OPENSSL_NO_CAPIENG
+# define OPENSSL_NO_CAPIENG
+#endif
 #ifndef OPENSSL_NO_CMS
 # define OPENSSL_NO_CMS
 #endif
diff --git a/src/lib/libssl/crypto/arch/mips64/opensslconf.h b/src/lib/libssl/crypto/arch/mips64/opensslconf.h
index 0d759a5784..58b46616b5 100644
--- a/src/lib/libssl/crypto/arch/mips64/opensslconf.h
+++ b/src/lib/libssl/crypto/arch/mips64/opensslconf.h
@@ -7,6 +7,9 @@
 #ifndef OPENSSL_NO_CAMELLIA
 # define OPENSSL_NO_CAMELLIA
 #endif
+#ifndef OPENSSL_NO_CAPIENG
+# define OPENSSL_NO_CAPIENG
+#endif
 #ifndef OPENSSL_NO_CMS
 # define OPENSSL_NO_CMS
 #endif
diff --git a/src/lib/libssl/crypto/arch/powerpc/opensslconf.h b/src/lib/libssl/crypto/arch/powerpc/opensslconf.h
index 94d322270b..ef50032293 100644
--- a/src/lib/libssl/crypto/arch/powerpc/opensslconf.h
+++ b/src/lib/libssl/crypto/arch/powerpc/opensslconf.h
@@ -7,6 +7,9 @@
 #ifndef OPENSSL_NO_CAMELLIA
 # define OPENSSL_NO_CAMELLIA
 #endif
+#ifndef OPENSSL_NO_CAPIENG
+# define OPENSSL_NO_CAPIENG
+#endif
 #ifndef OPENSSL_NO_CMS
 # define OPENSSL_NO_CMS
 #endif
diff --git a/src/lib/libssl/crypto/arch/sh/opensslconf.h b/src/lib/libssl/crypto/arch/sh/opensslconf.h
index 94d322270b..ef50032293 100644
--- a/src/lib/libssl/crypto/arch/sh/opensslconf.h
+++ b/src/lib/libssl/crypto/arch/sh/opensslconf.h
@@ -7,6 +7,9 @@
 #ifndef OPENSSL_NO_CAMELLIA
 # define OPENSSL_NO_CAMELLIA
 #endif
+#ifndef OPENSSL_NO_CAPIENG
+# define OPENSSL_NO_CAPIENG
+#endif
 #ifndef OPENSSL_NO_CMS
 # define OPENSSL_NO_CMS
 #endif
diff --git a/src/lib/libssl/crypto/arch/sparc/opensslconf.h b/src/lib/libssl/crypto/arch/sparc/opensslconf.h
index 94d322270b..ef50032293 100644
--- a/src/lib/libssl/crypto/arch/sparc/opensslconf.h
+++ b/src/lib/libssl/crypto/arch/sparc/opensslconf.h
@@ -7,6 +7,9 @@
 #ifndef OPENSSL_NO_CAMELLIA
 # define OPENSSL_NO_CAMELLIA
 #endif
+#ifndef OPENSSL_NO_CAPIENG
+# define OPENSSL_NO_CAPIENG
+#endif
 #ifndef OPENSSL_NO_CMS
 # define OPENSSL_NO_CMS
 #endif
diff --git a/src/lib/libssl/crypto/arch/sparc64/opensslconf.h b/src/lib/libssl/crypto/arch/sparc64/opensslconf.h
index 0d759a5784..58b46616b5 100644
--- a/src/lib/libssl/crypto/arch/sparc64/opensslconf.h
+++ b/src/lib/libssl/crypto/arch/sparc64/opensslconf.h
@@ -7,6 +7,9 @@
 #ifndef OPENSSL_NO_CAMELLIA
 # define OPENSSL_NO_CAMELLIA
 #endif
+#ifndef OPENSSL_NO_CAPIENG
+# define OPENSSL_NO_CAPIENG
+#endif
 #ifndef OPENSSL_NO_CMS
 # define OPENSSL_NO_CMS
 #endif
diff --git a/src/lib/libssl/crypto/arch/vax/opensslconf.h b/src/lib/libssl/crypto/arch/vax/opensslconf.h
index 94d322270b..ef50032293 100644
--- a/src/lib/libssl/crypto/arch/vax/opensslconf.h
+++ b/src/lib/libssl/crypto/arch/vax/opensslconf.h
@@ -7,6 +7,9 @@
 #ifndef OPENSSL_NO_CAMELLIA
 # define OPENSSL_NO_CAMELLIA
 #endif
+#ifndef OPENSSL_NO_CAPIENG
+# define OPENSSL_NO_CAPIENG
+#endif
 #ifndef OPENSSL_NO_CMS
 # define OPENSSL_NO_CMS
 #endif
diff --git a/src/lib/libssl/crypto/shlib_version b/src/lib/libssl/crypto/shlib_version
index 7791322042..84e2c2920d 100644
--- a/src/lib/libssl/crypto/shlib_version
+++ b/src/lib/libssl/crypto/shlib_version
@@ -1,2 +1,2 @@
-major=15
+major=16
 minor=0
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index 5e59dc845a..49c6760d19 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -1095,8 +1095,7 @@ int dtls1_send_client_certificate(SSL *s)
                  * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
                  * We then get retied later */
                 i=0;
-                if (s->ctx->client_cert_cb != NULL)
-                        i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
+                i = ssl_do_client_cert_cb(s, &x509, &pkey);
                 if (i < 0)
                         {
                         s->rwstate=SSL_X509_LOOKUP;
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 377696deac..b2765ba801 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -811,6 +811,14 @@ start:
              *  may be fragmented--don't always expect dest_maxlen bytes */
                         if ( rr->length < dest_maxlen)
                                 {
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+                                /*
+                                 * for normal alerts rr->length is 2, while
+                                 * dest_maxlen is 7 if we were to handle this
+                                 * non-existing alert...
+                                 */
+                                FIX ME
+#endif
                                 s->rstate=SSL_ST_READ_HEADER;
                                 rr->length = 0;
                                 goto start;
@@ -1251,7 +1259,7 @@ int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len)
         else 
                 s->s3->wnum += i;
 
-        return tot + i;
+        return i;
         }
 
 int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment)
@@ -1576,7 +1584,7 @@ int dtls1_dispatch_alert(SSL *s)
         {
         int i,j;
         void (*cb)(const SSL *ssl,int type,int val)=NULL;
-        unsigned char buf[2 + 2 + 3]; /* alert level + alert desc + message seq +frag_off */
+        unsigned char buf[DTLS1_AL_HEADER_LENGTH];
         unsigned char *ptr = &buf[0];
 
         s->s3->alert_dispatch=0;
@@ -1585,6 +1593,7 @@ int dtls1_dispatch_alert(SSL *s)
         *ptr++ = s->s3->send_alert[0];
         *ptr++ = s->s3->send_alert[1];
 
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
         if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
                 {       
                 s2n(s->d1->handshake_read_seq, ptr);
@@ -1600,6 +1609,7 @@ int dtls1_dispatch_alert(SSL *s)
 #endif
                 l2n3(s->d1->r_msg_hdr.frag_off, ptr);
                 }
+#endif
 
         i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0);
         if (i <= 0)
@@ -1609,8 +1619,11 @@ int dtls1_dispatch_alert(SSL *s)
                 }
         else
                 {
-                if ( s->s3->send_alert[0] == SSL3_AL_FATAL ||
-                        s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
+                if (s->s3->send_alert[0] == SSL3_AL_FATAL
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+                    || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+#endif
+                   )
                         (void)BIO_flush(s->wbio);
 
                 if (s->msg_callback)
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 927b01f3c4..0bbf8ae7f3 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -732,7 +732,7 @@ int dtls1_send_server_hello(SSL *s)
 
                 d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l);
 
-                s->state=SSL3_ST_CW_CLNT_HELLO_B;
+                s->state=SSL3_ST_SW_SRVR_HELLO_B;
                 /* number of bytes to write */
                 s->init_num=p-buf;
                 s->init_off=0;
@@ -741,7 +741,7 @@ int dtls1_send_server_hello(SSL *s)
                 dtls1_buffer_message(s, 0);
                 }
 
-        /* SSL3_ST_CW_CLNT_HELLO_B */
+        /* SSL3_ST_SW_SRVR_HELLO_B */
         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
         }
 
@@ -765,7 +765,7 @@ int dtls1_send_server_done(SSL *s)
                 dtls1_buffer_message(s, 0);
                 }
 
-        /* SSL3_ST_CW_CLNT_HELLO_B */
+        /* SSL3_ST_SW_SRVR_DONE_B */
         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
         }
 
diff --git a/src/lib/libssl/dtls1.h b/src/lib/libssl/dtls1.h
index a663cf85f2..f159d37110 100644
--- a/src/lib/libssl/dtls1.h
+++ b/src/lib/libssl/dtls1.h
@@ -70,7 +70,10 @@ extern "C" {
 #define DTLS1_VERSION                   0xFEFF
 #define DTLS1_BAD_VER                   0x0100
 
+#if 0
+/* this alert description is not specified anywhere... */
 #define DTLS1_AD_MISSING_HANDSHAKE_MESSAGE    110
+#endif
 
 /* lengths of messages */
 #define DTLS1_COOKIE_LENGTH                     32
@@ -84,7 +87,11 @@ extern "C" {
 
 #define DTLS1_CCS_HEADER_LENGTH                  1
 
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
 #define DTLS1_AL_HEADER_LENGTH                   7
+#else
+#define DTLS1_AL_HEADER_LENGTH                   2
+#endif
 
 
 typedef struct dtls1_bitmap_st
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index c45a8e0a04..bc918170e1 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -257,6 +257,14 @@ static int ssl23_client_hello(SSL *s)
                         version_major = TLS1_VERSION_MAJOR;
                         version_minor = TLS1_VERSION_MINOR;
                         }
+#ifdef OPENSSL_FIPS
+                else if(FIPS_mode())
+                        {
+                        SSLerr(SSL_F_SSL23_CLIENT_HELLO,
+                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                        return -1;
+                        }
+#endif
                 else if (version == SSL3_VERSION)
                         {
                         version_major = SSL3_VERSION_MAJOR;
@@ -536,6 +544,14 @@ static int ssl23_get_server_hello(SSL *s)
                 if ((p[2] == SSL3_VERSION_MINOR) &&
                         !(s->options & SSL_OP_NO_SSLv3))
                         {
+#ifdef OPENSSL_FIPS
+                        if(FIPS_mode())
+                                {
+                                SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
+                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                                goto err;
+                                }
+#endif
                         s->version=SSL3_VERSION;
                         s->method=SSLv3_client_method();
                         }
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index 6637bb9549..ba06e7ae2e 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -386,6 +386,15 @@ int ssl23_get_client_hello(SSL *s)
                         }
                 }
 
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && (s->version < TLS1_VERSION))
+                {
+                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
+                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                goto err;
+                }
+#endif
+
         if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
                 {
                 /* we have SSLv3/TLSv1 in an SSLv2 header
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 9a87c1cfb3..9b823fddbd 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -130,10 +130,17 @@
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/md5.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
 #include <openssl/bn.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
 
 static SSL_METHOD *ssl3_get_client_method(int ver);
 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
@@ -1415,6 +1422,8 @@ int ssl3_get_key_exchange(SSL *s)
                         q=md_buf;
                         for (num=2; num > 0; num--)
                                 {
+                                EVP_MD_CTX_set_flags(&md_ctx,
+                                        EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
                                 EVP_DigestInit_ex(&md_ctx,(num == 2)
                                         ?s->ctx->md5:s->ctx->sha1, NULL);
                                 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
@@ -2061,12 +2070,12 @@ int ssl3_send_client_key_exchange(SSL *s)
                         {
                         DH *dh_srvr,*dh_clnt;
 
-                        if (s->session->sess_cert == NULL) 
-                                {
-                                ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
-                                goto err;
-                                }
+                        if (s->session->sess_cert == NULL) 
+                                {
+                                ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
+                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
+                                goto err;
+                                }
 
                         if (s->session->sess_cert->peer_dh_tmp != NULL)
                                 dh_srvr=s->session->sess_cert->peer_dh_tmp;
@@ -2448,8 +2457,7 @@ int ssl3_send_client_certificate(SSL *s)
                  * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
                  * We then get retied later */
                 i=0;
-                if (s->ctx->client_cert_cb != NULL)
-                        i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
+                i = ssl_do_client_cert_cb(s, &x509, &pkey);
                 if (i < 0)
                         {
                         s->rwstate=SSL_X509_LOOKUP;
@@ -2716,3 +2724,21 @@ static int ssl3_check_finished(SSL *s)
         return 1;
         }
 #endif
+
+int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
+        {
+        int i = 0;
+#ifndef OPENSSL_NO_ENGINE
+        if (s->ctx->client_cert_engine)
+                {
+                i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
+                                                SSL_get_client_CA_list(s),
+                                                px509, ppkey, NULL, NULL, NULL);
+                if (i != 0)
+                        return i;
+                }
+#endif
+        if (s->ctx->client_cert_cb)
+                i = s->ctx->client_cert_cb(s,px509,ppkey);
+        return i;
+        }
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index bdbcd44f27..8916a0b1b3 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -158,7 +158,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL3_TXT_RSA_NULL_SHA,
         SSL3_CK_RSA_NULL_SHA,
         SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_STRONG_NONE,
+        SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
         0,
         0,
         0,
@@ -264,7 +264,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL3_TXT_RSA_DES_192_CBC3_SHA,
         SSL3_CK_RSA_DES_192_CBC3_SHA,
         SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         168,
         168,
@@ -304,7 +304,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
         SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
         SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         168,
         168,
@@ -343,7 +343,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
         SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
         SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         168,
         168,
@@ -384,7 +384,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
         SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
         SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         168,
         168,
@@ -423,7 +423,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
         SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
         SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         168,
         168,
@@ -488,7 +488,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL3_TXT_ADH_DES_192_CBC_SHA,
         SSL3_CK_ADH_DES_192_CBC_SHA,
         SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         168,
         168,
@@ -563,7 +563,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL3_TXT_KRB5_DES_192_CBC3_SHA,
         SSL3_CK_KRB5_DES_192_CBC3_SHA,
         SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_SHA1  |SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         168,
         168,
@@ -747,7 +747,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_RSA_WITH_AES_128_SHA,
         TLS1_CK_RSA_WITH_AES_128_SHA,
         SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         128,
         128,
@@ -760,7 +760,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
         TLS1_CK_DH_DSS_WITH_AES_128_SHA,
         SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         128,
         128,
@@ -773,7 +773,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
         TLS1_CK_DH_RSA_WITH_AES_128_SHA,
         SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         128,
         128,
@@ -786,7 +786,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
         TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
         SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         128,
         128,
@@ -799,7 +799,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
         TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
         SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         128,
         128,
@@ -812,7 +812,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_ADH_WITH_AES_128_SHA,
         TLS1_CK_ADH_WITH_AES_128_SHA,
         SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         128,
         128,
@@ -826,7 +826,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_RSA_WITH_AES_256_SHA,
         TLS1_CK_RSA_WITH_AES_256_SHA,
         SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         256,
         256,
@@ -839,7 +839,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
         TLS1_CK_DH_DSS_WITH_AES_256_SHA,
         SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         256,
         256,
@@ -852,7 +852,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
         TLS1_CK_DH_RSA_WITH_AES_256_SHA,
         SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         256,
         256,
@@ -865,7 +865,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
         TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
         SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         256,
         256,
@@ -878,7 +878,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
         TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
         SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         256,
         256,
@@ -891,7 +891,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_ADH_WITH_AES_256_SHA,
         TLS1_CK_ADH_WITH_AES_256_SHA,
         SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         256,
         256,
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index 44c7c143fe..72853a2e72 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -1225,6 +1225,13 @@ int ssl3_do_change_cipher_spec(SSL *s)
 
         if (s->s3->tmp.key_block == NULL)
                 {
+                if (s->session == NULL) 
+                        {
+                        /* might happen if dtls1_read_bytes() calls this */
+                        SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
+                        return (0);
+                        }
+
                 s->session->cipher=s->s3->tmp.new_cipher;
                 if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
                 }
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 903522ab59..398ce469d6 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1172,13 +1172,13 @@ int ssl3_send_server_hello(SSL *s)
                 *(d++)=SSL3_MT_SERVER_HELLO;
                 l2n3(l,d);
 
-                s->state=SSL3_ST_CW_CLNT_HELLO_B;
+                s->state=SSL3_ST_SW_SRVR_HELLO_B;
                 /* number of bytes to write */
                 s->init_num=p-buf;
                 s->init_off=0;
                 }
 
-        /* SSL3_ST_CW_CLNT_HELLO_B */
+        /* SSL3_ST_SW_SRVR_HELLO_B */
         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
         }
 
@@ -1202,7 +1202,7 @@ int ssl3_send_server_done(SSL *s)
                 s->init_off=0;
                 }
 
-        /* SSL3_ST_CW_CLNT_HELLO_B */
+        /* SSL3_ST_SW_SRVR_DONE_B */
         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
         }
 
@@ -1540,6 +1540,8 @@ int ssl3_send_server_key_exchange(SSL *s)
                                 j=0;
                                 for (num=2; num > 0; num--)
                                         {
+                                        EVP_MD_CTX_set_flags(&md_ctx,
+                                                EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
                                         EVP_DigestInit_ex(&md_ctx,(num == 2)
                                                 ?s->ctx->md5:s->ctx->sha1, NULL);
                                         EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
diff --git a/src/lib/libssl/shlib_version b/src/lib/libssl/shlib_version
index 56246d02b2..262f3bc13b 100644
--- a/src/lib/libssl/shlib_version
+++ b/src/lib/libssl/shlib_version
@@ -1,2 +1,2 @@
-major=12
+major=13
 minor=0
diff --git a/src/lib/libssl/src/CHANGES b/src/lib/libssl/src/CHANGES
index 217aa70dcb..72cc168f6a 100644
--- a/src/lib/libssl/src/CHANGES
+++ b/src/lib/libssl/src/CHANGES
@@ -2,6 +2,60 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 0.9.8h and 0.9.8i  [15 Sep 2008]
+
+  *) Fix a state transitition in s3_srvr.c and d1_srvr.c
+     (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
+     [Nagendra Modadugu]
+
+  *) The fix in 0.9.8c that supposedly got rid of unsafe
+     double-checked locking was incomplete for RSA blinding,
+     addressing just one layer of what turns out to have been
+     doubly unsafe triple-checked locking.
+
+     So now fix this for real by retiring the MONT_HELPER macro
+     in crypto/rsa/rsa_eay.c.
+
+     [Bodo Moeller; problem pointed out by Marius Schilder]
+
+  *) Various precautionary measures:
+
+     - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
+
+     - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
+       (NB: This would require knowledge of the secret session ticket key
+       to exploit, in which case you'd be SOL either way.)
+
+     - Change bn_nist.c so that it will properly handle input BIGNUMs
+       outside the expected range.
+
+     - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
+       builds.
+
+     [Neel Mehta, Bodo Moeller]
+
+  *) Add support for Local Machine Keyset attribute in PKCS#12 files.
+     [Steve Henson]
+
+  *) Fix BN_GF2m_mod_arr() top-bit cleanup code.
+     [Huang Ying]
+
+  *) Expand ENGINE to support engine supplied SSL client certificate functions.
+
+     This work was sponsored by Logica.
+     [Steve Henson]
+
+  *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
+     keystores. Support for SSL/TLS client authentication too.
+     Not compiled unless enable-capieng specified to Configure.
+
+     This work was sponsored by Logica.
+     [Steve Henson]
+
+  *) Allow engines to be "soft loaded" - i.e. optionally don't die if
+     the load fails. Useful for distros.
+     [Ben Laurie and the FreeBSD team]
+
  Changes between 0.9.8g and 0.9.8h  [28 May 2008]
 
   *) Fix flaw if 'Server Key exchange message' is omitted from a TLS
diff --git a/src/lib/libssl/src/ChangeLog.0_9_7-stable_not-in-head b/src/lib/libssl/src/ChangeLog.0_9_7-stable_not-in-head
index 1203a22158..e69de29bb2 100644
--- a/src/lib/libssl/src/ChangeLog.0_9_7-stable_not-in-head
+++ b/src/lib/libssl/src/ChangeLog.0_9_7-stable_not-in-head
@@ -1,163 +0,0 @@
-This file, together with ChangeLog.0_9_7-stable_not-in-head_FIPS,
-provides a collection of those CVS change log entries for the
-0.9.7 branch (OpenSSL_0_9_7-stable) that do not appear similarly in
-0.9.8-dev (CVS head).
-    
-ChangeLog.0_9_7-stable_not-in-head_FIPS  -  "FIPS" related changes
-ChangeLog.0_9_7-stable_not-in-head       -  everything else
-
-Some obvious false positives have been eliminated: e.g., we do not
-care about a simple "make update"; and we don't care about changes
-identified to the 0.9.7 branch that were explicitly identified as
-backports from head.
-    
-Eliminating all other entries (and finally this file and its
-compantion), either as false positives or as things that should go
-into 0.9.8, remains to be done.  Any additional changes to 0.9.7 that
-are not immediately put into 0.9.8, but belong there as well, should
-be added to the end of this file.
-
-
-2002-11-04 17:33  levitte
-
-        Changed:
-                Configure (1.314.2.38), "Exp", lines: +4 -2
-
-        Return my normal debug targets to something not so extreme, and
-        make the extreme ones special (or 'extreme', if you will :-)).
-
-2002-12-16 19:17  appro
-
-        Changed:
-                crypto/bn/bn_lcl.h (1.23.2.3), "Exp", lines: +3 -0
-                crypto/bn/bn_mul.c (1.28.2.4), "Exp", lines: +84 -445
-
-        This is rollback to 0.9.6h bn_mul.c to address problem reported in
-        RT#272.
-
-2003-07-27 15:46  ben
-
-        Changed:
-                crypto/aes/aes.h (1.1.2.5), "Exp", lines: +3 -0
-                crypto/aes/aes_cfb.c (1.1.2.4), "Exp", lines: +57 -0
-
-        Add untested CFB-r mode. Will be tested soon.
-
-2003-07-28 17:07  ben
-
-        Changed:
-                Makefile.org (1.154.2.69), "Exp", lines: +5 -1
-                crypto/aes/aes.h (1.1.2.6), "Exp", lines: +3 -0
-                crypto/aes/aes_cfb.c (1.1.2.5), "Exp", lines: +19 -0
-                crypto/dsa/Makefile.ssl (1.49.2.6), "Exp", lines: +3 -2
-                crypto/err/Makefile.ssl (1.48.2.4), "Exp", lines: +17 -16
-                crypto/evp/e_aes.c (1.6.2.5), "Exp", lines: +8 -0
-                crypto/evp/e_des.c (1.5.2.2), "Exp", lines: +1 -1
-                crypto/evp/e_des3.c (1.8.2.3), "Exp", lines: +2 -2
-                crypto/evp/evp.h (1.86.2.11), "Exp", lines: +28 -11
-                crypto/evp/evp_locl.h (1.7.2.3), "Exp", lines: +2 -2
-                crypto/objects/obj_dat.h (1.49.2.13), "Exp", lines: +10 -5
-                crypto/objects/obj_mac.h (1.19.2.13), "Exp", lines: +5 -0
-                crypto/objects/obj_mac.num (1.15.2.9), "Exp", lines: +1 -0
-                crypto/objects/objects.txt (1.20.2.14), "Exp", lines: +4 -0
-                fips/Makefile.ssl (1.1.2.3), "Exp", lines: +7 -0
-                fips/aes/Makefile.ssl (1.1.2.2), "Exp", lines: +23 -1
-                fips/aes/fips_aesavs.c (1.1.2.3), "Exp", lines: +9 -1
-                test/Makefile.ssl (1.84.2.30), "Exp", lines: +101 -43
-
-        Add support for partial CFB modes, make tests work, update
-        dependencies.
-
-2003-07-29 12:56  ben
-
-        Changed:
-                crypto/aes/aes_cfb.c (1.1.2.6), "Exp", lines: +9 -6
-                crypto/evp/c_allc.c (1.8.2.3), "Exp", lines: +1 -0
-                crypto/evp/evp_test.c (1.14.2.11), "Exp", lines: +17 -8
-                crypto/evp/evptests.txt (1.9.2.2), "Exp", lines: +48 -1
-
-        Working CFB1 and test vectors.
-
-2003-07-29 15:24  ben
-
-        Changed:
-                crypto/evp/e_aes.c (1.6.2.6), "Exp", lines: +14 -0
-                crypto/objects/obj_dat.h (1.49.2.14), "Exp", lines: +15 -5
-                crypto/objects/obj_mac.h (1.19.2.14), "Exp", lines: +10 -0
-                crypto/objects/obj_mac.num (1.15.2.10), "Exp", lines: +2 -0
-                crypto/objects/objects.txt (1.20.2.15), "Exp", lines: +2 -0
-                fips/aes/Makefile.ssl (1.1.2.3), "Exp", lines: +1 -1
-                fips/aes/fips_aesavs.c (1.1.2.4), "Exp", lines: +34 -19
-
-        The rest of the keysizes for CFB1, working AES AVS test for CFB1.
-
-2003-07-29 19:05  ben
-
-        Changed:
-                crypto/aes/aes.h (1.1.2.7), "Exp", lines: +3 -0
-                crypto/aes/aes_cfb.c (1.1.2.7), "Exp", lines: +14 -0
-                crypto/evp/c_allc.c (1.8.2.4), "Exp", lines: +1 -0
-                crypto/evp/e_aes.c (1.6.2.7), "Exp", lines: +4 -9
-                crypto/evp/evptests.txt (1.9.2.3), "Exp", lines: +48 -0
-                crypto/objects/obj_dat.h (1.49.2.15), "Exp", lines: +20 -5
-                crypto/objects/obj_mac.h (1.19.2.15), "Exp", lines: +15 -0
-                crypto/objects/obj_mac.num (1.15.2.11), "Exp", lines: +3 -0
-                crypto/objects/objects.txt (1.20.2.16), "Exp", lines: +3 -0
-                fips/aes/fips_aesavs.c (1.1.2.7), "Exp", lines: +11 -0
-
-        AES CFB8.
-
-2003-07-30 20:30  ben
-
-        Changed:
-                Makefile.org (1.154.2.70), "Exp", lines: +16 -5
-                crypto/des/cfb_enc.c (1.7.2.1), "Exp", lines: +2 -1
-                crypto/des/des_enc.c (1.11.2.2), "Exp", lines: +4 -0
-                crypto/evp/e_aes.c (1.6.2.8), "Exp", lines: +7 -14
-                crypto/evp/e_des.c (1.5.2.3), "Exp", lines: +37 -1
-                crypto/evp/evp.h (1.86.2.12), "Exp", lines: +6 -0
-                crypto/evp/evp_locl.h (1.7.2.4), "Exp", lines: +9 -0
-                crypto/objects/obj_dat.h (1.49.2.16), "Exp", lines: +48 -23
-                crypto/objects/obj_mac.h (1.19.2.16), "Exp", lines: +31 -6
-                crypto/objects/obj_mac.num (1.15.2.12), "Exp", lines: +5 -0
-                crypto/objects/objects.txt (1.20.2.17), "Exp", lines: +12 -6
-                fips/Makefile.ssl (1.1.2.4), "Exp", lines: +8 -1
-                fips/fips_make_sha1 (1.1.2.3), "Exp", lines: +3 -0
-                fips/aes/Makefile.ssl (1.1.2.4), "Exp", lines: +1 -1
-                fips/des/.cvsignore (1.1.2.1), "Exp", lines: +3 -0
-                fips/des/Makefile.ssl (1.1.2.1), "Exp", lines: +96 -0
-                fips/des/fingerprint.sha1 (1.1.2.1), "Exp", lines: +2 -0
-                fips/des/fips_des_enc.c (1.1.2.1), "Exp", lines: +288 -0
-                fips/des/fips_des_locl.h (1.1.2.1), "Exp", lines: +428 -0
-                fips/des/fips_desmovs.c (1.1.2.1), "Exp", lines: +659 -0
-
-        Whoops, forgot FIPS DES, also add EVPs for DES CFB1 and 8.
-
-2003-08-01 12:25  ben
-
-        Changed:
-                crypto/des/cfb_enc.c (1.7.2.2), "Exp", lines: +45 -36
-                crypto/evp/c_allc.c (1.8.2.5), "Exp", lines: +2 -0
-                crypto/evp/e_des.c (1.5.2.4), "Exp", lines: +8 -3
-                crypto/evp/evptests.txt (1.9.2.4), "Exp", lines: +6 -0
-
-        Fix DES CFB-r.
-
-2003-08-01 12:31  ben
-
-        Changed:
-                crypto/evp/evptests.txt (1.9.2.5), "Exp", lines: +4 -0
-
-        DES CFB8 test.
-
-2005-04-19 16:21  appro
-
-        Changed:
-                Configure (1.314.2.117), "Exp", lines: +24 -21
-                Makefile.org (1.154.2.100), "Exp", lines: +1 -11
-                TABLE (1.99.2.52), "Exp", lines: +20 -20
-                apps/Makefile (1.1.4.15), "Exp", lines: +1 -1
-                test/Makefile (1.1.4.12), "Exp", lines: +1 -1
-
-        Enable shared link on HP-UX.
-
diff --git a/src/lib/libssl/src/ChangeLog.0_9_7-stable_not-in-head_FIPS b/src/lib/libssl/src/ChangeLog.0_9_7-stable_not-in-head_FIPS
index 1e6c88f77a..e69de29bb2 100644
--- a/src/lib/libssl/src/ChangeLog.0_9_7-stable_not-in-head_FIPS
+++ b/src/lib/libssl/src/ChangeLog.0_9_7-stable_not-in-head_FIPS
@@ -1,1494 +0,0 @@
-See file ChangeLog.0_9_7-stable_not-in-head for explanations.
-This is the "FIPS"-related part.
-
-
-
-2003-07-27 19:00  ben
-
-        Changed:
-                Configure (1.314.2.85), "Exp", lines: +2 -0
-                Makefile.org (1.154.2.67), "Exp", lines: +12 -3
-                crypto/cryptlib.c (1.32.2.9), "Exp", lines: +5 -0
-                crypto/md32_common.h (1.22.2.4), "Exp", lines: +11 -0
-                crypto/aes/Makefile.ssl (1.4.2.6), "Exp", lines: +2 -1
-                crypto/aes/aes_core.c (1.1.2.4), "Exp", lines: +4 -0
-                crypto/des/des.h (1.40.2.4), "Exp", lines: +1 -1
-                crypto/des/des_old.c (1.11.2.4), "Exp", lines: +1 -1
-                crypto/des/destest.c (1.30.2.6), "Exp", lines: +2 -2
-                crypto/des/ecb3_enc.c (1.8.2.1), "Exp", lines: +1 -3
-                crypto/dsa/Makefile.ssl (1.49.2.5), "Exp", lines: +7 -4
-                crypto/dsa/dsa_ossl.c (1.12.2.4), "Exp", lines: +2 -0
-                crypto/dsa/dsa_sign.c (1.10.2.3), "Exp", lines: +12 -0
-                crypto/dsa/dsa_vrf.c (1.10.2.3), "Exp", lines: +8 -0
-                crypto/engine/engine.h (1.36.2.6), "Exp", lines: +4 -0
-                crypto/err/err.h (1.35.2.3), "Exp", lines: +2 -0
-                crypto/err/err_all.c (1.17.2.2), "Exp", lines: +4 -0
-                crypto/err/openssl.ec (1.11.2.1), "Exp", lines: +1 -0
-                crypto/evp/Makefile.ssl (1.64.2.8), "Exp", lines: +8 -7
-                crypto/evp/c_all.c (1.7.8.7), "Exp", lines: +1 -0
-                crypto/evp/e_aes.c (1.6.2.4), "Exp", lines: +12 -4
-                crypto/evp/e_des3.c (1.8.2.2), "Exp", lines: +1 -1
-                crypto/evp/evp.h (1.86.2.10), "Exp", lines: +2 -0
-                crypto/evp/evp_err.c (1.23.2.1), "Exp", lines: +3 -1
-                crypto/md4/Makefile.ssl (1.6.2.4), "Exp", lines: +7 -4
-                crypto/md5/Makefile.ssl (1.33.2.7), "Exp", lines: +7 -4
-                crypto/rand/Makefile.ssl (1.56.2.4), "Exp", lines: +17 -15
-                crypto/rand/md_rand.c (1.69.2.2), "Exp", lines: +9 -0
-                crypto/rand/rand.h (1.26.2.5), "Exp", lines: +2 -0
-                crypto/rand/rand_err.c (1.6.2.1), "Exp", lines: +3 -1
-                crypto/rand/rand_lib.c (1.15.2.2), "Exp", lines: +11 -0
-                crypto/ripemd/Makefile.ssl (1.25.2.5), "Exp", lines: +7 -2
-                crypto/sha/Makefile.ssl (1.26.2.5), "Exp", lines: +16 -6
-                fips/.cvsignore (1.1.2.1), "Exp", lines: +1 -0
-                fips/Makefile.ssl (1.1.2.1), "Exp", lines: +155 -0
-                fips/fingerprint.sha1 (1.1.2.1), "Exp", lines: +3 -0
-                fips/fips.c (1.1.2.1), "Exp", lines: +74 -0
-                fips/fips.h (1.1.2.1), "Exp", lines: +85 -0
-                fips/fips_check_sha1 (1.1.2.1), "Exp", lines: +7 -0
-                fips/fips_err.c (1.1.2.1), "Exp", lines: +96 -0
-                fips/fips_make_sha1 (1.1.2.1), "Exp", lines: +21 -0
-                fips/lib (1.1.2.1), "Exp", lines: +0 -0
-                fips/aes/.cvsignore (1.1.2.1), "Exp", lines: +4 -0
-                fips/aes/Makefile.ssl (1.1.2.1), "Exp", lines: +95 -0
-                fips/aes/fingerprint.sha1 (1.1.2.1), "Exp", lines: +2 -0
-                fips/aes/fips_aes_core.c (1.1.2.1), "Exp", lines: +1260 -0
-                fips/aes/fips_aes_locl.h (1.1.2.1), "Exp", lines: +85 -0
-                fips/aes/fips_aesavs.c (1.1.2.1), "Exp", lines: +896 -0
-                fips/dsa/.cvsignore (1.1.2.1), "Exp", lines: +2 -0
-                fips/dsa/Makefile.ssl (1.1.2.1), "Exp", lines: +95 -0
-                fips/dsa/fingerprint.sha1 (1.1.2.1), "Exp", lines: +1 -0
-                fips/dsa/fips_dsa_ossl.c (1.1.2.1), "Exp", lines: +366 -0
-                fips/dsa/fips_dsatest.c (1.1.2.1), "Exp", lines: +252 -0
-                fips/rand/.cvsignore (1.1.2.1), "Exp", lines: +2 -0
-                fips/rand/Makefile.ssl (1.1.2.1), "Exp", lines: +94 -0
-                fips/rand/fingerprint.sha1 (1.1.2.1), "Exp", lines: +2 -0
-                fips/rand/fips_rand.c (1.1.2.1), "Exp", lines: +236 -0
-                fips/rand/fips_rand.h (1.1.2.1), "Exp", lines: +55 -0
-                fips/rand/fips_randtest.c (1.1.2.1), "Exp", lines: +348 -0
-                fips/sha1/.cvsignore (1.1.2.1), "Exp", lines: +3 -0
-                fips/sha1/Makefile.ssl (1.1.2.1), "Exp", lines: +94 -0
-                fips/sha1/fingerprint.sha1 (1.1.2.1), "Exp", lines: +3 -0
-                fips/sha1/fips_md32_common.h (1.1.2.1), "Exp", lines: +637 -0
-                fips/sha1/fips_sha1dgst.c (1.1.2.1), "Exp", lines: +76 -0
-                fips/sha1/fips_sha1test.c (1.1.2.1), "Exp", lines: +128 -0
-                fips/sha1/fips_sha_locl.h (1.1.2.1), "Exp", lines: +472 -0
-                fips/sha1/fips_standalone_sha1.c (1.1.2.1), "Exp", lines: +101 -0
-                fips/sha1/standalone.sha1 (1.1.2.1), "Exp", lines: +4 -0
-                test/Makefile.ssl (1.84.2.29), "Exp", lines: +81 -13
-                util/mkerr.pl (1.18.2.4), "Exp", lines: +2 -1
-
-        Unfinished FIPS stuff for review/improvement.
-
-2003-07-27 19:19  ben
-
-        Changed:
-                fips/fips_check_sha1 (1.1.2.2), "Exp", lines: +1 -1
-
-        Use unified diff.
-
-2003-07-27 19:23  ben
-
-        Changed:
-                fips/Makefile.ssl (1.1.2.2), "Exp", lines: +3 -3
-                fips/fingerprint.sha1 (1.1.2.2), "Exp", lines: +2 -1
-                fips/fips_make_sha1 (1.1.2.2), "Exp", lines: +1 -1
-
-        Build in non-FIPS mode.
-
-2003-07-27 23:13  ben
-
-        Changed:
-                Makefile.org (1.154.2.68), "Exp", lines: +1 -1
-                fips/fips_check_sha1 (1.1.2.3), "Exp", lines: +2 -1
-                fips/aes/fips_aesavs.c (1.1.2.2), "Exp", lines: +2 -0
-                fips/dsa/fips_dsa_ossl.c (1.1.2.2), "Exp", lines: +8 -0
-                fips/dsa/fips_dsatest.c (1.1.2.2), "Exp", lines: +2 -1
-                fips/sha1/fingerprint.sha1 (1.1.2.2), "Exp", lines: +1 -1
-                fips/sha1/fips_sha1dgst.c (1.1.2.2), "Exp", lines: +5 -1
-                fips/sha1/fips_standalone_sha1.c (1.1.2.2), "Exp", lines: +2 -0
-                fips/sha1/standalone.sha1 (1.1.2.2), "Exp", lines: +1 -1
-
-        Build when not FIPS.
-
-2003-07-28 11:56  ben
-
-        Changed:
-                fips/dsa/fingerprint.sha1 (1.1.2.2), "Exp", lines: +1 -1
-                fips/sha1/standalone.sha1 (1.1.2.3), "Exp", lines: +1 -1
-
-        New fingerprints.
-
-2003-07-29 16:06  ben
-
-        Changed:
-                fips/aes/fips_aesavs.c (1.1.2.5), "Exp", lines: +295 -303
-
-        Reformat.
-
-2003-07-29 16:34  ben
-
-        Changed:
-                fips/aes/fips_aesavs.c (1.1.2.6), "Exp", lines: +43 -17
-
-        MMT for CFB1
-
-2003-07-29 17:17  ben
-
-        Changed:
-                fips/fips_err_wrapper.c (1.1.2.1), "Exp", lines: +5 -0
-                fips/sha1/sha1hashes.txt (1.1.2.1), "Exp", lines: +342 -0
-                fips/sha1/sha1vectors.txt (1.1.2.1), "Exp", lines: +2293 -0
-
-        Missing files.
-
-2003-07-31 23:30  levitte
-
-        Changed:
-                Makefile.org (1.154.2.71), "Exp", lines: +2 -0
-
-        If FDIRS is to be treated like SDIRS, let's not forget to
-        initialize it in Makefile.org.
-
-2003-07-31 23:41  levitte
-
-        Changed:
-                fips/sha1/fips_sha1test.c (1.1.2.2), "Exp", lines: +3 -3
-
-        No C++ comments in C programs!
-
-2003-08-01 15:07  steve
-
-        Changed:
-                fips/aes/fips_aesavs.c (1.1.2.8), "Exp", lines: +3 -3
-
-        Replace C++ style comments.
-
-2003-08-03 14:22  ben
-
-        Changed:
-                fips/des/fips_desmovs.c (1.1.2.2), "Exp", lines: +55 -37
-
-        Make tests work (CFB1 still doesn't produce the right answers,
-        strangely).
-
-2003-08-08 12:08  levitte
-
-        Changed:
-                fips/des/fips_des_enc.c (1.1.2.2), "Exp", lines: +9 -0
-
-        Avoid clashing with the regular DES functions when not compiling
-        with -DFIPS.  This is basically only visible when building with
-        shared library supoort...
-
-2003-08-11 11:36  levitte
-
-        Deleted:
-                fips/sha1/.cvsignore (1.1.2.2)
-                fips/sha1/Makefile.ssl (1.1.2.3)
-                fips/sha1/fingerprint.sha1 (1.1.2.3)
-                fips/sha1/fips_md32_common.h (1.1.2.2)
-                fips/sha1/fips_sha1dgst.c (1.1.2.3)
-                fips/sha1/fips_sha1test.c (1.1.2.3)
-                fips/sha1/fips_sha_locl.h (1.1.2.2)
-                fips/sha1/fips_standalone_sha1.c (1.1.2.3)
-                fips/sha1/sha1hashes.txt (1.1.2.2)
-                fips/sha1/sha1vectors.txt (1.1.2.2)
-                fips/sha1/standalone.sha1 (1.1.2.4)
-                fips/dsa/.cvsignore (1.1.2.2)
-                fips/dsa/Makefile.ssl (1.1.2.2)
-                fips/dsa/fingerprint.sha1 (1.1.2.3)
-                fips/dsa/fips_dsa_ossl.c (1.1.2.3)
-                fips/dsa/fips_dsatest.c (1.1.2.3)
-                fips/rand/.cvsignore (1.1.2.2)
-                fips/rand/Makefile.ssl (1.1.2.2)
-                fips/rand/fingerprint.sha1 (1.1.2.2)
-                fips/rand/fips_rand.c (1.1.2.2)
-                fips/rand/fips_rand.h (1.1.2.2)
-                fips/rand/fips_randtest.c (1.1.2.2)
-                fips/des/.cvsignore (1.1.2.2)
-                fips/des/Makefile.ssl (1.1.2.3)
-                fips/des/fingerprint.sha1 (1.1.2.2)
-                fips/des/fips_des_enc.c (1.1.2.3)
-                fips/des/fips_des_locl.h (1.1.2.2)
-                fips/des/fips_desmovs.c (1.1.2.3)
-                fips/aes/.cvsignore (1.1.2.2)
-                fips/aes/Makefile.ssl (1.1.2.5)
-                fips/aes/fingerprint.sha1 (1.1.2.2)
-                fips/aes/fips_aes_core.c (1.1.2.2)
-                fips/aes/fips_aes_locl.h (1.1.2.2)
-                fips/aes/fips_aesavs.c (1.1.2.9)
-                fips/.cvsignore (1.1.2.2)
-                fips/Makefile.ssl (1.1.2.6)
-                fips/fingerprint.sha1 (1.1.2.3)
-                fips/fips.c (1.1.2.2)
-                fips/fips.h (1.1.2.2)
-                fips/fips_check_sha1 (1.1.2.4)
-                fips/fips_err.c (1.1.2.2)
-                fips/fips_err_wrapper.c (1.1.2.2)
-                fips/fips_make_sha1 (1.1.2.4)
-                fips/lib (1.1.2.2)
-        Changed:
-                util/libeay.num (1.173.2.16), "Exp", lines: +11 -38
-                util/mkerr.pl (1.18.2.5), "Exp", lines: +1 -2
-                test/Makefile.ssl (1.84.2.31), "Exp", lines: +54 -180
-                crypto/ripemd/Makefile.ssl (1.25.2.6), "Exp", lines: +2 -7
-                crypto/sha/Makefile.ssl (1.26.2.6), "Exp", lines: +6 -16
-                crypto/rand/Makefile.ssl (1.56.2.5), "Exp", lines: +15 -17
-                crypto/rand/md_rand.c (1.69.2.3), "Exp", lines: +0 -9
-                crypto/rand/rand.h (1.26.2.6), "Exp", lines: +0 -2
-                crypto/rand/rand_err.c (1.6.2.2), "Exp", lines: +1 -3
-                crypto/rand/rand_lib.c (1.15.2.3), "Exp", lines: +0 -11
-                crypto/objects/obj_dat.h (1.49.2.18), "Exp", lines: +3 -27
-                crypto/objects/obj_mac.h (1.19.2.18), "Exp", lines: +0 -32
-                crypto/objects/obj_mac.num (1.15.2.14), "Exp", lines: +0 -8
-                crypto/objects/objects.txt (1.20.2.19), "Exp", lines: +0 -11
-                crypto/md4/Makefile.ssl (1.6.2.5), "Exp", lines: +4 -7
-                crypto/md5/Makefile.ssl (1.33.2.8), "Exp", lines: +4 -7
-                crypto/evp/Makefile.ssl (1.64.2.9), "Exp", lines: +7 -8
-                crypto/evp/c_allc.c (1.8.2.6), "Exp", lines: +0 -4
-                crypto/evp/e_aes.c (1.6.2.9), "Exp", lines: +4 -22
-                crypto/evp/e_des.c (1.5.2.5), "Exp", lines: +2 -43
-                crypto/evp/e_des3.c (1.8.2.4), "Exp", lines: +3 -3
-                crypto/evp/evp.h (1.86.2.13), "Exp", lines: +11 -36
-                crypto/evp/evp_err.c (1.23.2.2), "Exp", lines: +1 -3
-                crypto/evp/evp_lib.c (1.6.8.3), "Exp", lines: +0 -24
-                crypto/evp/evp_locl.h (1.7.2.5), "Exp", lines: +2 -11
-                crypto/evp/evp_test.c (1.14.2.12), "Exp", lines: +8 -17
-                crypto/evp/evptests.txt (1.9.2.6), "Exp", lines: +1 -106
-                crypto/dsa/Makefile.ssl (1.49.2.7), "Exp", lines: +6 -10
-                crypto/dsa/dsa_ossl.c (1.12.2.5), "Exp", lines: +0 -2
-                crypto/dsa/dsa_sign.c (1.10.2.4), "Exp", lines: +0 -12
-                crypto/dsa/dsa_vrf.c (1.10.2.4), "Exp", lines: +0 -8
-                crypto/err/Makefile.ssl (1.48.2.5), "Exp", lines: +16 -17
-                crypto/err/err.h (1.35.2.4), "Exp", lines: +0 -2
-                crypto/err/err_all.c (1.17.2.3), "Exp", lines: +0 -4
-                crypto/err/openssl.ec (1.11.2.2), "Exp", lines: +0 -1
-                crypto/des/des.h (1.40.2.5), "Exp", lines: +1 -1
-                crypto/des/des_enc.c (1.11.2.3), "Exp", lines: +0 -4
-                crypto/des/des_old.c (1.11.2.5), "Exp", lines: +1 -1
-                crypto/des/destest.c (1.30.2.7), "Exp", lines: +2 -2
-                crypto/des/ecb3_enc.c (1.8.2.2), "Exp", lines: +3 -1
-                crypto/aes/Makefile.ssl (1.4.2.7), "Exp", lines: +1 -2
-                crypto/aes/aes.h (1.1.2.8), "Exp", lines: +0 -9
-                crypto/aes/aes_cfb.c (1.1.2.8), "Exp", lines: +0 -93
-                crypto/aes/aes_core.c (1.1.2.5), "Exp", lines: +0 -4
-                crypto/cryptlib.c (1.32.2.10), "Exp", lines: +0 -5
-                crypto/md32_common.h (1.22.2.5), "Exp", lines: +0 -11
-                Configure (1.314.2.86), "Exp", lines: +0 -2
-                Makefile.org (1.154.2.72), "Exp", lines: +8 -34
-                TABLE (1.99.2.30), "Exp", lines: +0 -50
-
-        A new branch for FIPS-related changes has been created with the
-        name OpenSSL-fips-0_9_7-stable.
-
-                Since the 0.9.7-stable branch is supposed to be in freeze
-        and should only contain bug corrections, this change removes the
-        FIPS changes from that branch.
-
-2004-05-11 14:44  ben
-
-        Deleted:
-                apps/Makefile.ssl (1.100.2.27)
-                crypto/Makefile.ssl (1.84.2.12)
-                crypto/aes/Makefile.ssl (1.4.2.9)
-                crypto/asn1/Makefile.ssl (1.77.2.7)
-                crypto/bf/Makefile.ssl (1.25.2.6)
-                crypto/bio/Makefile.ssl (1.52.2.4)
-                crypto/bn/Makefile.ssl (1.65.2.9)
-                crypto/buffer/Makefile.ssl (1.32.2.4)
-                crypto/cast/Makefile.ssl (1.31.2.6)
-                crypto/comp/Makefile.ssl (1.32.2.4)
-                crypto/conf/Makefile.ssl (1.38.2.8)
-                crypto/des/Makefile.ssl (1.61.2.13)
-                crypto/dh/Makefile.ssl (1.43.2.5)
-                crypto/dsa/Makefile.ssl (1.49.2.9)
-                crypto/dso/Makefile.ssl (1.11.2.4)
-                crypto/ec/Makefile.ssl (1.7.2.4)
-                crypto/engine/Makefile.ssl (1.30.2.13)
-                crypto/err/Makefile.ssl (1.48.2.7)
-                crypto/evp/Makefile.ssl (1.64.2.12)
-                crypto/hmac/Makefile.ssl (1.33.2.6)
-                crypto/idea/Makefile.ssl (1.20.2.4)
-                crypto/krb5/Makefile.ssl (1.5.2.6)
-                crypto/lhash/Makefile.ssl (1.28.2.4)
-                crypto/md2/Makefile.ssl (1.29.2.5)
-                crypto/md4/Makefile.ssl (1.6.2.7)
-                crypto/md5/Makefile.ssl (1.33.2.10)
-                crypto/mdc2/Makefile.ssl (1.30.2.4)
-                crypto/objects/Makefile.ssl (1.46.2.6)
-                crypto/ocsp/Makefile.ssl (1.19.2.7)
-                crypto/pem/Makefile.ssl (1.51.2.5)
-                crypto/pkcs12/Makefile.ssl (1.37.2.5)
-                crypto/pkcs7/Makefile.ssl (1.47.2.5)
-                crypto/rand/Makefile.ssl (1.56.2.8)
-                crypto/rc2/Makefile.ssl (1.20.2.4)
-                crypto/rc4/Makefile.ssl (1.25.2.6)
-                crypto/rc5/Makefile.ssl (1.22.2.6)
-                crypto/ripemd/Makefile.ssl (1.25.2.9)
-                crypto/rsa/Makefile.ssl (1.53.2.6)
-                crypto/sha/Makefile.ssl (1.26.2.9)
-                crypto/stack/Makefile.ssl (1.28.2.4)
-                crypto/txt_db/Makefile.ssl (1.26.2.4)
-                crypto/ui/Makefile.ssl (1.10.2.6)
-                crypto/x509/Makefile.ssl (1.56.2.5)
-                crypto/x509v3/Makefile.ssl (1.62.2.5)
-                ssl/Makefile.ssl (1.53.2.11)
-                test/Makefile.ssl (1.84.2.36)
-                tools/Makefile.ssl (1.9.2.4)
-        Changed:
-                .cvsignore (1.7.6.2), "Exp", lines: +2 -1
-                Configure (1.314.2.92), "Exp", lines: +38 -8
-                FAQ (1.61.2.31), "Exp", lines: +1 -1
-                INSTALL (1.45.2.9), "Exp", lines: +2 -2
-                INSTALL.W32 (1.30.2.14), "Exp", lines: +9 -4
-                Makefile.org (1.154.2.78), "Exp", lines: +51 -19
-                PROBLEMS (1.4.2.10), "Exp", lines: +2 -2
-                e_os.h (1.56.2.17), "Exp", lines: +20 -1
-                apps/.cvsignore (1.5.8.1), "Exp", lines: +1 -0
-                apps/Makefile (1.1.4.1), "Exp", lines: +1147 -0
-                apps/apps.c (1.49.2.27), "Exp", lines: +0 -10
-                apps/ca.c (1.102.2.31), "Exp", lines: +0 -10
-                apps/dgst.c (1.23.2.10), "Exp", lines: +39 -11
-                apps/openssl.c (1.48.2.9), "Exp", lines: +19 -0
-                crypto/Makefile (1.1.4.1), "Exp", lines: +217 -0
-                crypto/cryptlib.c (1.32.2.11), "Exp", lines: +5 -0
-                crypto/crypto-lib.com (1.53.2.12), "Exp", lines: +1 -1
-                crypto/md32_common.h (1.22.2.6), "Exp", lines: +12 -0
-                crypto/aes/Makefile (1.1.4.1), "Exp", lines: +102 -0
-                crypto/aes/aes.h (1.1.2.9), "Exp", lines: +9 -0
-                crypto/aes/aes_cfb.c (1.1.2.9), "Exp", lines: +93 -0
-                crypto/aes/aes_core.c (1.1.2.6), "Exp", lines: +4 -0
-                crypto/asn1/Makefile (1.1.4.1), "Exp", lines: +1150 -0
-                crypto/bf/Makefile (1.1.4.1), "Exp", lines: +113 -0
-                crypto/bio/Makefile (1.1.4.1), "Exp", lines: +214 -0
-                crypto/bio/bio.h (1.56.2.6), "Exp", lines: +1 -0
-                crypto/bn/Makefile (1.1.4.1), "Exp", lines: +324 -0
-                crypto/bn/bntest.c (1.55.2.4), "Exp", lines: +1 -1
-                crypto/buffer/Makefile (1.1.4.1), "Exp", lines: +92 -0
-                crypto/cast/Makefile (1.1.4.1), "Exp", lines: +118 -0
-                crypto/cast/asm/.cvsignore (1.2.8.1), "Exp", lines: +1 -0
-                crypto/comp/Makefile (1.1.4.1), "Exp", lines: +112 -0
-                crypto/conf/Makefile (1.1.4.1), "Exp", lines: +181 -0
-                crypto/des/Makefile (1.1.4.1), "Exp", lines: +314 -0
-                crypto/des/cfb64ede.c (1.6.2.4), "Exp", lines: +111 -0
-                crypto/des/des.h (1.40.2.6), "Exp", lines: +5 -1
-                crypto/des/des_enc.c (1.11.2.4), "Exp", lines: +8 -0
-                crypto/des/des_old.c (1.11.2.6), "Exp", lines: +1 -1
-                crypto/des/destest.c (1.30.2.8), "Exp", lines: +2 -2
-                crypto/des/ecb3_enc.c (1.8.2.3), "Exp", lines: +1 -3
-                crypto/des/set_key.c (1.18.2.2), "Exp", lines: +4 -0
-                crypto/dh/Makefile (1.1.4.1), "Exp", lines: +131 -0
-                crypto/dsa/Makefile (1.1.4.1), "Exp", lines: +173 -0
-                crypto/dsa/dsa_gen.c (1.19.2.1), "Exp", lines: +4 -1
-                crypto/dsa/dsa_key.c (1.9.2.1), "Exp", lines: +2 -0
-                crypto/dsa/dsa_ossl.c (1.12.2.6), "Exp", lines: +2 -0
-                crypto/dsa/dsa_sign.c (1.10.2.5), "Exp", lines: +12 -0
-                crypto/dsa/dsa_vrf.c (1.10.2.5), "Exp", lines: +8 -0
-                crypto/dso/Makefile (1.1.4.1), "Exp", lines: +140 -0
-                crypto/ec/Makefile (1.1.4.1), "Exp", lines: +126 -0
-                crypto/engine/Makefile (1.1.4.1), "Exp", lines: +536 -0
-                crypto/engine/hw_cryptodev.c (1.1.2.6), "Exp", lines: +6 -2
-                crypto/err/Makefile (1.1.4.1), "Exp", lines: +118 -0
-                crypto/err/err.h (1.35.2.6), "Exp", lines: +2 -0
-                crypto/err/err_all.c (1.17.2.4), "Exp", lines: +4 -0
-                crypto/err/openssl.ec (1.11.2.3), "Exp", lines: +1 -0
-                crypto/evp/Makefile (1.1.4.1), "Exp", lines: +1057 -0
-                crypto/evp/bio_md.c (1.11.2.1), "Exp", lines: +6 -0
-                crypto/evp/c_allc.c (1.8.2.7), "Exp", lines: +8 -0
-                crypto/evp/e_aes.c (1.6.2.10), "Exp", lines: +22 -4
-                crypto/evp/e_des.c (1.5.2.8), "Exp", lines: +36 -3
-                crypto/evp/e_des3.c (1.8.2.7), "Exp", lines: +43 -4
-                crypto/evp/evp.h (1.86.2.15), "Exp", lines: +39 -11
-                crypto/evp/evp_err.c (1.23.2.3), "Exp", lines: +3 -1
-                crypto/evp/evp_lib.c (1.6.8.4), "Exp", lines: +24 -0
-                crypto/evp/evp_locl.h (1.7.2.6), "Exp", lines: +11 -2
-                crypto/evp/evp_test.c (1.14.2.13), "Exp", lines: +17 -8
-                crypto/evp/evptests.txt (1.9.2.7), "Exp", lines: +106 -1
-                crypto/hmac/Makefile (1.1.4.1), "Exp", lines: +99 -0
-                crypto/idea/Makefile (1.1.4.1), "Exp", lines: +89 -0
-                crypto/krb5/Makefile (1.1.4.1), "Exp", lines: +88 -0
-                crypto/lhash/Makefile (1.1.4.1), "Exp", lines: +91 -0
-                crypto/md2/Makefile (1.1.4.1), "Exp", lines: +91 -0
-                crypto/md4/Makefile (1.1.4.1), "Exp", lines: +93 -0
-                crypto/md5/Makefile (1.1.4.1), "Exp", lines: +129 -0
-                crypto/mdc2/Makefile (1.1.4.1), "Exp", lines: +96 -0
-                crypto/objects/Makefile (1.1.4.1), "Exp", lines: +121 -0
-                crypto/objects/obj_dat.h (1.49.2.19), "Exp", lines: +33 -3
-                crypto/objects/obj_mac.h (1.19.2.19), "Exp", lines: +40 -0
-                crypto/objects/obj_mac.num (1.15.2.15), "Exp", lines: +10 -0
-                crypto/objects/objects.txt (1.20.2.20), "Exp", lines: +13 -0
-                crypto/ocsp/Makefile (1.1.4.1), "Exp", lines: +291 -0
-                crypto/pem/Makefile (1.1.4.1), "Exp", lines: +334 -0
-                crypto/pkcs12/Makefile (1.1.4.1), "Exp", lines: +415 -0
-                crypto/pkcs7/Makefile (1.1.4.1), "Exp", lines: +241 -0
-                crypto/rand/Makefile (1.1.4.1), "Exp", lines: +196 -0
-                crypto/rand/md_rand.c (1.69.2.4), "Exp", lines: +9 -0
-                crypto/rand/rand.h (1.26.2.7), "Exp", lines: +3 -0
-                crypto/rand/rand_err.c (1.6.2.3), "Exp", lines: +4 -1
-                crypto/rand/rand_lib.c (1.15.2.4), "Exp", lines: +11 -0
-                crypto/rc2/Makefile (1.1.4.1), "Exp", lines: +89 -0
-                crypto/rc4/Makefile (1.1.4.1), "Exp", lines: +108 -0
-                crypto/rc5/Makefile (1.1.4.1), "Exp", lines: +106 -0
-                crypto/ripemd/Makefile (1.1.4.1), "Exp", lines: +111 -0
-                crypto/rsa/Makefile (1.1.4.1), "Exp", lines: +239 -0
-                crypto/rsa/rsa_eay.c (1.28.2.9), "Exp", lines: +1 -1
-                crypto/rsa/rsa_gen.c (1.8.6.1), "Exp", lines: +3 -0
-                crypto/sha/Makefile (1.1.4.1), "Exp", lines: +118 -0
-                crypto/sha/sha1dgst.c (1.21.2.1), "Exp", lines: +8 -0
-                crypto/stack/Makefile (1.1.4.1), "Exp", lines: +86 -0
-                crypto/txt_db/Makefile (1.1.4.1), "Exp", lines: +86 -0
-                crypto/ui/Makefile (1.1.4.1), "Exp", lines: +115 -0
-                crypto/x509/Makefile (1.1.4.1), "Exp", lines: +592 -0
-                crypto/x509v3/Makefile (1.1.4.1), "Exp", lines: +601 -0
-                fips/Makefile (1.1.4.1), "Exp", lines: +202 -0
-                fips/fingerprint.sha1 (1.1.2.4), "Exp", lines: +4 -4
-                fips/fips.c (1.1.2.3), "Exp", lines: +120 -5
-                fips/fips.h (1.1.2.3), "Exp", lines: +42 -2
-                fips/fips_check_sha1 (1.1.2.5), "Exp", lines: +2 -2
-                fips/fips_err.h (1.1.4.1), "Exp", lines: +117 -0
-                fips/fips_err_wrapper.c (1.1.2.3), "Exp", lines: +4 -2
-                fips/fips_locl.h (1.1.4.1), "Exp", lines: +62 -0
-                fips/fips_make_sha1 (1.1.2.5), "Exp", lines: +9 -6
-                fips/fips_test_suite.c (1.1.4.1), "Exp", lines: +302 -0
-                fips/openssl_fips_fingerprint (1.1.4.1), "Exp", lines: +25 -0
-                fips/aes/Makefile (1.1.4.1), "Exp", lines: +131 -0
-                fips/aes/fingerprint.sha1 (1.1.2.3), "Exp", lines: +3 -2
-                fips/aes/fips_aes_core.c (1.1.2.3), "Exp", lines: +5 -2
-                fips/aes/fips_aes_locl.h (1.1.2.3), "Exp", lines: +0 -0
-                fips/aes/fips_aes_selftest.c (1.1.4.1), "Exp", lines: +112 -0
-                fips/aes/fips_aesavs.c (1.1.2.10), "Exp", lines: +12 -6
-                fips/des/Makefile (1.1.4.1), "Exp", lines: +155 -0
-                fips/des/fingerprint.sha1 (1.1.2.3), "Exp", lines: +5 -2
-                fips/des/fips_des_enc.c (1.1.2.4), "Exp", lines: +16 -3
-                fips/des/fips_des_locl.h (1.1.2.3), "Exp", lines: +1 -1
-                fips/des/fips_des_selftest.c (1.1.4.1), "Exp", lines: +200 -0
-                fips/des/fips_desmovs.c (1.1.2.4), "Exp", lines: +186 -79
-                fips/des/fips_set_key.c (1.1.4.1), "Exp", lines: +415 -0
-                fips/des/asm/fips-dx86-elf.s (1.1.4.1), "Exp", lines: +2697 -0
-                fips/dsa/Makefile (1.1.4.1), "Exp", lines: +159 -0
-                fips/dsa/fingerprint.sha1 (1.1.2.4), "Exp", lines: +3 -1
-                fips/dsa/fips_dsa_gen.c (1.1.4.1), "Exp", lines: +373 -0
-                fips/dsa/fips_dsa_ossl.c (1.1.2.4), "Exp", lines: +16 -3
-                fips/dsa/fips_dsa_selftest.c (1.1.4.1), "Exp", lines: +168 -0
-                fips/dsa/fips_dsatest.c (1.1.2.4), "Exp", lines: +10 -6
-                fips/dsa/fips_dssvs.c (1.1.4.1), "Exp", lines: +306 -0
-                fips/rand/Makefile (1.1.4.1), "Exp", lines: +104 -0
-                fips/rand/fingerprint.sha1 (1.1.2.3), "Exp", lines: +2 -2
-                fips/rand/fips_rand.c (1.1.2.3), "Exp", lines: +60 -10
-                fips/rand/fips_rand.h (1.1.2.3), "Exp", lines: +19 -1
-                fips/rand/fips_randtest.c (1.1.2.3), "Exp", lines: +31 -10
-                fips/rsa/Makefile (1.1.4.1), "Exp", lines: +112 -0
-                fips/rsa/fingerprint.sha1 (1.1.4.1), "Exp", lines: +3 -0
-                fips/rsa/fips_rsa_eay.c (1.1.4.1), "Exp", lines: +735 -0
-                fips/rsa/fips_rsa_gen.c (1.1.4.1), "Exp", lines: +249 -0
-                fips/rsa/fips_rsa_selftest.c (1.1.4.1), "Exp", lines: +207 -0
-                fips/sha1/.cvsignore (1.1.2.3), "Exp", lines: +1 -2
-                fips/sha1/Makefile (1.1.4.1), "Exp", lines: +158 -0
-                fips/sha1/fingerprint.sha1 (1.1.2.4), "Exp", lines: +5 -3
-                fips/sha1/fips_md32_common.h (1.1.2.3), "Exp", lines: +0 -0
-                fips/sha1/fips_sha1_selftest.c (1.1.4.1), "Exp", lines: +97 -0
-                fips/sha1/fips_sha1dgst.c (1.1.2.4), "Exp", lines: +4 -4
-                fips/sha1/fips_sha1test.c (1.1.2.4), "Exp", lines: +17 -0
-                fips/sha1/fips_sha_locl.h (1.1.2.3), "Exp", lines: +7 -0
-                fips/sha1/fips_standalone_sha1.c (1.1.2.4), "Exp", lines: +60 -7
-                fips/sha1/sha1hashes.txt (1.1.2.3), "Exp", lines: +0 -0
-                fips/sha1/sha1vectors.txt (1.1.2.3), "Exp", lines: +0 -0
-                fips/sha1/standalone.sha1 (1.1.2.5), "Exp", lines: +6 -4
-                fips/sha1/asm/sx86-elf.s (1.1.4.1), "Exp", lines: +1568 -0
-                ms/do_masm.bat (1.1.8.2), "Exp", lines: +12 -10
-                ms/do_ms.bat (1.4.8.2), "Exp", lines: +11 -11
-                ms/do_nasm.bat (1.1.8.2), "Exp", lines: +12 -11
-                ms/do_nt.bat (1.2.8.1), "Exp", lines: +4 -4
-                shlib/hpux10-cc.sh (1.3.2.2), "Exp", lines: +3 -3
-                ssl/Makefile (1.1.4.1), "Exp", lines: +1019 -0
-                ssl/s3_clnt.c (1.53.2.16), "Exp", lines: +10 -0
-                ssl/s3_srvr.c (1.85.2.21), "Exp", lines: +9 -0
-                ssl/ssl_cert.c (1.48.2.7), "Exp", lines: +9 -0
-                ssl/ssl_lib.c (1.110.2.12), "Exp", lines: +13 -1
-                ssl/ssltest.c (1.53.2.23), "Exp", lines: +33 -1
-                ssl/t1_enc.c (1.27.2.8), "Exp", lines: +19 -1
-                test/.cvsignore (1.4.8.1), "Exp", lines: +4 -0
-                test/Makefile (1.1.4.1), "Exp", lines: +941 -0
-                test/bctest (1.14.2.1), "Exp", lines: +1 -1
-                test/testenc (1.3.8.1), "Exp", lines: +1 -1
-                test/testfipsssl (1.1.4.1), "Exp", lines: +113 -0
-                tools/Makefile (1.1.4.1), "Exp", lines: +61 -0
-                util/cygwin.sh (1.1.2.5), "Exp", lines: +3 -3
-                util/domd (1.6.2.3), "Exp", lines: +5 -5
-                util/fixNT.sh (1.1.1.2.8.1), "Exp", lines: +3 -3
-                util/libeay.num (1.173.2.19), "Exp", lines: +55 -11
-                util/mk1mf.pl (1.41.2.10), "Exp", lines: +6 -4
-                util/mkdef.pl (1.67.2.7), "Exp", lines: +11 -4
-                util/mkerr.pl (1.18.2.6), "Exp", lines: +2 -1
-                util/mkfiles.pl (1.12.2.1), "Exp", lines: +8 -1
-                util/pod2mantest (1.1.2.7), "Exp", lines: +1 -1
-                util/selftest.pl (1.18.2.1), "Exp", lines: +2 -2
-                util/pl/BC-16.pl (1.2.2.1), "Exp", lines: +1 -1
-                util/pl/BC-32.pl (1.11.2.4), "Exp", lines: +1 -1
-                util/pl/Mingw32.pl (1.12.6.5), "Exp", lines: +1 -1
-                util/pl/OS2-EMX.pl (1.1.2.3), "Exp", lines: +1 -1
-                util/pl/VC-16.pl (1.3.2.1), "Exp", lines: +2 -2
-                util/pl/VC-32.pl (1.11.2.3), "Exp", lines: +2 -2
-                util/pl/VC-CE.pl (1.1.2.5), "Exp", lines: +1 -1
-                util/pl/ultrix.pl (1.2.8.1), "Exp", lines: +1 -1
-
-        Pull FIPS back into stable.
-
-2004-05-12 10:27  levitte
-
-        Changed:
-                apps/Makefile (1.1.4.2), "Exp", lines: +3 -1
-
-        Only check for FIPS signatures when FIPS is enabled.
-
-2004-05-12 10:28  levitte
-
-        Changed:
-                crypto/des/FILES0 (1.1.4.2), "Exp", lines: +1 -1
-
-        Makefile.ssl changed name to Makefile.
-
-2004-05-12 10:28  levitte
-
-        Changed:
-                fips/rand/fips_rand.c (1.1.2.4), "Exp", lines: +5 -1
-
-        Only really build this file when OPENSSL_FIPS is defined.  And oh,
-        let's keep internal variables static.
-
-2004-05-12 10:42  levitte
-
-        Changed:
-                fips/rand/fingerprint.sha1 (1.1.2.4), "Exp", lines: +1 -1
-
-        I forgot to modify the signature for fips_rand.c...
-
-2004-05-12 10:46  levitte
-
-        Changed:
-                fips/rsa/.cvsignore (1.1.4.1), "Exp", lines: +1 -0
-                fips/.cvsignore (1.1.2.3), "Exp", lines: +1 -1
-                fips/aes/.cvsignore (1.1.2.3), "Exp", lines: +0 -3
-                fips/des/.cvsignore (1.1.2.3), "Exp", lines: +0 -2
-                fips/dsa/.cvsignore (1.1.2.3), "Exp", lines: +0 -1
-                fips/rand/.cvsignore (1.1.2.3), "Exp", lines: +0 -1
-
-        Ignore the 'lib' timestamp file.
-
-2004-05-12 12:07  levitte
-
-        Changed:
-                fips/.cvsignore (1.1.2.4), "Exp", lines: +1 -0
-                fips/aes/.cvsignore (1.1.2.4), "Exp", lines: +1 -0
-                fips/des/.cvsignore (1.1.2.4), "Exp", lines: +1 -0
-                fips/dsa/.cvsignore (1.1.2.4), "Exp", lines: +1 -0
-                fips/rand/.cvsignore (1.1.2.4), "Exp", lines: +1 -0
-                fips/rsa/.cvsignore (1.1.4.2), "Exp", lines: +1 -0
-                fips/sha1/.cvsignore (1.1.2.4), "Exp", lines: +1 -0
-
-        Ignore 'Makefile.save'
-
-2004-05-12 16:11  ben
-
-        Changed:
-                crypto/rand/rand.h (1.26.2.8), "Exp", lines: +2 -0
-                crypto/rand/rand_err.c (1.6.2.4), "Exp", lines: +2 -0
-                fips/fingerprint.sha1 (1.1.2.5), "Exp", lines: +1 -1
-                fips/fips.c (1.1.2.4), "Exp", lines: +5 -1
-                fips/rand/fingerprint.sha1 (1.1.2.5), "Exp", lines: +1 -1
-                fips/rand/fips_rand.c (1.1.2.5), "Exp", lines: +29 -0
-
-        Blow up in people's faces if they don't reseed.
-
-2004-05-15 19:51  ben
-
-        Changed:
-                crypto/dh/dh.h (1.23.2.6), "Exp", lines: +1 -0
-                crypto/dh/dh_err.c (1.6.2.3), "Exp", lines: +2 -1
-                crypto/dh/dh_gen.c (1.8.8.2), "Exp", lines: +9 -0
-                fips/fips_test_suite.c (1.1.4.2), "Exp", lines: +4 -3
-                fips/aes/fips_aesavs.c (1.1.2.11), "Exp", lines: +49 -1
-                fips/des/fingerprint.sha1 (1.1.2.4), "Exp", lines: +1 -1
-                fips/des/fips_desmovs.c (1.1.2.5), "Exp", lines: +49 -1
-                fips/des/fips_set_key.c (1.1.4.2), "Exp", lines: +2 -0
-                fips/sha1/fingerprint.sha1 (1.1.2.5), "Exp", lines: +1 -1
-                fips/sha1/fips_md32_common.h (1.1.2.4), "Exp", lines: +3 -0
-                fips/sha1/standalone.sha1 (1.1.2.6), "Exp", lines: +1 -1
-
-        Fix self-tests, ban some things in FIPS mode, fix copyrights.
-
-2004-05-17 06:28  levitte
-
-        Changed:
-                util/mk1mf.pl (1.41.2.11), "Exp", lines: +8 -2
-                util/pl/BC-16.pl (1.2.2.2), "Exp", lines: +9 -4
-                util/pl/BC-32.pl (1.11.2.5), "Exp", lines: +8 -3
-                util/pl/Mingw32.pl (1.12.6.6), "Exp", lines: +7 -2
-                util/pl/OS2-EMX.pl (1.1.2.4), "Exp", lines: +7 -2
-                util/pl/VC-16.pl (1.3.2.2), "Exp", lines: +7 -2
-                util/pl/VC-32.pl (1.11.2.4), "Exp", lines: +7 -2
-                util/pl/VC-CE.pl (1.1.2.6), "Exp", lines: +7 -2
-                util/pl/linux.pl (1.3.6.1), "Exp", lines: +7 -2
-                util/pl/ultrix.pl (1.2.8.2), "Exp", lines: +7 -2
-                util/pl/unix.pl (1.2.8.1), "Exp", lines: +7 -2
-
-        Generate SHA1 files on Windows and other platforms supported by
-        mk1mf.pl, when building in FIPS mode.
-
-                Note: UNTESTED!
-
-2004-05-17 06:30  levitte
-
-        Changed:
-                apps/apps.h (1.44.2.14), "Exp", lines: +3 -0
-                apps/openssl.c (1.48.2.10), "Exp", lines: +9 -5
-
-        Make sure the applications know when we are running in FIPS mode.
-        We can't use the variable in libcrypto, since it's supposedly
-        unknown.
-
-                Note: currently only supported in MONOLITH mode.
-
-2004-05-17 06:31  levitte
-
-        Changed:
-                apps/enc.c (1.35.2.9), "Exp", lines: +10 -1
-
-        When in FIPS mode, use SHA1 to digest the key, rather than MD5, as
-        MD5 isn't a FIPS-approved algorithm.
-
-                Note: this means the user needs to keep track of this, and
-        we need to add support for that...
-
-2004-05-19 16:16  levitte
-
-        Changed:
-                fips/rsa/fingerprint.sha1 (1.1.4.2), "Exp", lines: +2 -2
-                fips/rsa/fips_rsa_eay.c (1.1.4.2), "Exp", lines: +8 -8
-                fips/rsa/fips_rsa_gen.c (1.1.4.2), "Exp", lines: +1 -1
-                fips/dsa/fingerprint.sha1 (1.1.2.5), "Exp", lines: +2 -2
-                fips/dsa/fips_dsa_gen.c (1.1.4.2), "Exp", lines: +2 -2
-                fips/dsa/fips_dsa_ossl.c (1.1.2.5), "Exp", lines: +4 -4
-                fips/aes/fingerprint.sha1 (1.1.2.4), "Exp", lines: +1 -1
-                fips/aes/fips_aes_core.c (1.1.2.4), "Exp", lines: +5 -5
-                crypto/rsa/rsa.h (1.36.2.11), "Exp", lines: +4 -0
-                crypto/aes/aes.h (1.1.2.10), "Exp", lines: +6 -0
-                crypto/dsa/dsa.h (1.26.2.5), "Exp", lines: +4 -0
-
-        Define FIPS_*_SIZE_T for AES, DSA and RSA as well, in preparation
-        for size_t-ification of those algorithms in future version of
-        OpenSSL...
-
-2004-05-27 11:33  levitte
-
-        Changed:
-                makevms.com (1.35.2.3), "Exp", lines: +27 -0
-
-        Copy the FIPS files to the temporary openssl include directory.
-
-2004-05-27 12:04  levitte
-
-        Changed:
-                fips/fips-lib.com (1.1.2.1), "Exp", lines: +1179 -0
-                makevms.com (1.35.2.4), "Exp", lines: +8 -0
-
-        Compile the FIPS directory on VMS as well.  fips-lib.com is
-        essentially a copy of crypto-lib.com, with just a few edits.
-
-2004-05-27 12:07  levitte
-
-        Changed:
-                fips/install.com (1.1.2.1), "Exp", lines: +55 -0
-                install.com (1.4.2.2), "Exp", lines: +6 -6
-
-        Run an installation of FIPS stuff as well.
-
-2004-05-27 12:19  levitte
-
-        Changed:
-                test/maketests.com (1.13.2.5), "Exp", lines: +3 -3
-                apps/makeapps.com (1.18.2.5), "Exp", lines: +3 -3
-
-        Make sure o_str.h is reachable.
-
-2004-06-19 15:15  ben
-
-        Changed:
-                Makefile.org (1.154.2.80), "Exp", lines: +1 -1
-                crypto/dh/dh.h (1.23.2.7), "Exp", lines: +0 -1
-                crypto/dh/dh_check.c (1.6.2.1), "Exp", lines: +4 -0
-                crypto/dh/dh_err.c (1.6.2.4), "Exp", lines: +0 -1
-                crypto/dh/dh_gen.c (1.8.8.3), "Exp", lines: +5 -9
-                crypto/dh/dh_key.c (1.16.2.3), "Exp", lines: +4 -0
-                fips/Makefile (1.1.4.2), "Exp", lines: +13 -14
-                fips/fingerprint.sha1 (1.1.2.6), "Exp", lines: +2 -2
-                fips/fips.h (1.1.2.4), "Exp", lines: +1 -0
-                fips/fips_err.h (1.1.4.2), "Exp", lines: +1 -0
-                fips/fips_make_sha1 (1.1.2.6), "Exp", lines: +3 -0
-                fips/fips_test_suite.c (1.1.4.3), "Exp", lines: +13 -9
-                fips/openssl_fips_fingerprint (1.1.4.2), "Exp", lines: +1 -2
-
-        The version that was actually submitted for FIPS testing.
-
-2004-06-19 15:16  ben
-
-        Changed:
-                fips/dh/Makefile (1.1.2.1), "Exp", lines: +92 -0
-                fips/dh/fingerprint.sha1 (1.1.2.1), "Exp", lines: +3 -0
-                fips/dh/fips_dh_check.c (1.1.2.1), "Exp", lines: +119 -0
-                fips/dh/fips_dh_gen.c (1.1.2.1), "Exp", lines: +182 -0
-                fips/dh/fips_dh_key.c (1.1.2.1), "Exp", lines: +222 -0
-
-        Add Diffie-Hellman to FIPS.
-
-2004-06-19 15:18  ben
-
-        Changed:
-                fips/.cvsignore (1.1.2.5), "Exp", lines: +2 -0
-                fips/dh/.cvsignore (1.1.2.1), "Exp", lines: +1 -0
-
-        Update ignores.
-
-2004-06-21 11:07  levitte
-
-        Changed:
-                fips/aes/Makefile (1.1.4.2), "Exp", lines: +7 -5
-                fips/des/Makefile (1.1.4.2), "Exp", lines: +7 -5
-                fips/dh/Makefile (1.1.2.2), "Exp", lines: +7 -6
-                fips/dsa/Makefile (1.1.4.2), "Exp", lines: +7 -6
-                fips/rsa/Makefile (1.1.4.2), "Exp", lines: +7 -6
-                fips/sha1/Makefile (1.1.4.2), "Exp", lines: +7 -5
-
-        Make sure we don't try to loop over an empty EXHEADER.  In the
-        Makefiles where this was fixed by commenting away code, change it
-        to check for an empty EXHEADER instead, so we have less hassle in a
-        future where EXHEADER changes.
-
-                PR: 900
-
-2004-06-21 20:05  levitte
-
-        Changed:
-                Makefile.org (1.154.2.82), "Exp", lines: +3 -1
-
-        Standard sh doesn't tolerate ! as part of the conditional command.
-
-                PR: 900
-
-2004-06-28 22:33  levitte
-
-        Changed:
-                fips/dh/fips_dh_check.c (1.1.2.2), "Exp", lines: +6 -0
-                fips/dh/fips_dh_gen.c (1.1.2.2), "Exp", lines: +6 -2
-                fips/dh/fips_dh_key.c (1.1.2.2), "Exp", lines: +8 -0
-
-        Make sure the FIPS stuff is only really compiled when in FIPS mode.
-
-2004-07-12 19:59  ben
-
-        Changed:
-                fips/fips_test_suite.c (1.1.4.4), "Exp", lines: +39 -6
-                fips/dh/fingerprint.sha1 (1.1.2.2), "Exp", lines: +3 -3
-
-        Corrected test program.
-
-2004-07-17 14:48  appro
-
-        Changed:
-                fips/des/Makefile (1.1.4.3), "Exp", lines: +1 -1
-
-        Eliminate enforced -g from CFLAGS. It switches off optimization
-        with some compilers, e.g. DEC C.
-
-2004-07-21 19:41  steve
-
-        Changed:
-                crypto/pem/pem_all.c (1.20.2.1), "Exp", lines: +119 -0
-
-        When in FIPS mode write private keys in PKCS#8 and PBES2 format to
-        avoid use of prohibited MD5 algorithm.
-
-2004-07-23 15:20  ben
-
-        Changed:
-                fips/rand/fingerprint.sha1 (1.1.2.7), "Exp", lines: +1 -1
-                fips/rand/fips_rand.c (1.1.2.7), "Exp", lines: +22 -7
-                fips/rand/fips_randtest.c (1.1.2.5), "Exp", lines: +2 -2
-
-        Convert to X9.31.
-
-2004-07-21 19:35  steve
-
-        Changed:
-                fips/fingerprint.sha1 (1.1.2.7), "Exp", lines: +1 -1
-                fips/fips.c (1.1.2.5), "Exp", lines: +3 -3
-                fips/rsa/fingerprint.sha1 (1.1.4.3), "Exp", lines: +1 -1
-                fips/rsa/fips_rsa_selftest.c (1.1.4.2), "Exp", lines: +8 -8
-
-        Avoid compiler warnings.
-
-2004-07-27 02:17  steve
-
-        Changed:
-                fips/fips_test_suite.c (1.1.4.5), "Exp", lines: +9 -8
-
-        Stop compiler warnings.
-
-2004-07-27 02:20  steve
-
-        Changed:
-                crypto/err/err.c (1.51.2.6), "Exp", lines: +1 -0
-
-        Add FIPS name to error library.
-
-2004-07-27 14:22  steve
-
-        Changed:
-                Makefile.org (1.154.2.84), "Exp", lines: +3 -3
-                fips/fips_check_sha1 (1.1.2.6), "Exp", lines: +1 -1
-                fips/openssl_fips_fingerprint (1.1.4.3), "Exp", lines: +1 -1
-
-        Rename libcrypto.sha1 to libcrypto.a.sha1
-
-2004-07-27 20:28  steve
-
-        Changed:
-                ssl/s3_lib.c (1.57.2.11), "Exp", lines: +33 -33
-                ssl/ssl.h (1.126.2.20), "Exp", lines: +1 -0
-                ssl/ssl_ciph.c (1.33.2.9), "Exp", lines: +11 -0
-                ssl/ssl_locl.h (1.47.2.3), "Exp", lines: +2 -1
-
-        New cipher "strength" FIPS which specifies that a cipher suite is
-        FIPS compatible.
-
-                New cipherstring "FIPS" is all FIPS compatible ciphersuites
-        except eNULL.
-
-                Only allow FIPS ciphersuites in FIPS mode.
-
-2004-07-28 04:24  levitte
-
-        Changed:
-                makevms.com (1.35.2.6), "Exp", lines: +2 -2
-
-        From the FIPS directory, darnit!
-
-2004-07-28 15:47  levitte
-
-        Changed:
-                makevms.com (1.35.2.7), "Exp", lines: +5 -1
-
-        Define OPENSSL_FIPS in opensslconf.h if a logical name with the
-        same name is defined.
-
-                Go up one directory level before dealing with FIPS stuff.
-
-2004-07-30 00:26  levitte
-
-        Changed:
-                fips/fips-lib.com (1.1.2.2), "Exp", lines: +3 -3
-
-        We're building crypto stuff, not ssl stuff.  Additionally, we're in
-        the fips subdirectory, not the crypto one...
-
-2004-07-30 16:37  levitte
-
-        Changed:
-                fips/sha1/fingerprint.sha1 (1.1.2.7), "Exp", lines: +2 -2
-                fips/sha1/fips_md32_common.h (1.1.2.6), "Exp", lines: +1 -1
-                fips/sha1/fips_sha_locl.h (1.1.2.5), "Exp", lines: +2 -2
-                fips/sha1/fips_standalone_sha1.c (1.1.2.5), "Exp", lines: +1 -1
-                fips/sha1/standalone.sha1 (1.1.2.8), "Exp", lines: +3 -3
-                ssl/ssl_ciph.c (1.33.2.10), "Exp", lines: +2 -2
-                fips/rsa/fingerprint.sha1 (1.1.4.4), "Exp", lines: +2 -2
-                fips/rsa/fips_rsa_eay.c (1.1.4.3), "Exp", lines: +1 -1
-                fips/rsa/fips_rsa_gen.c (1.1.4.3), "Exp", lines: +1 -1
-                fips/dh/fingerprint.sha1 (1.1.2.3), "Exp", lines: +1 -1
-                fips/dh/fips_dh_gen.c (1.1.2.3), "Exp", lines: +1 -1
-                fips/dsa/fingerprint.sha1 (1.1.2.6), "Exp", lines: +2 -2
-                fips/dsa/fips_dsa_gen.c (1.1.4.3), "Exp", lines: +4 -3
-                fips/dsa/fips_dsa_ossl.c (1.1.2.6), "Exp", lines: +2 -2
-                fips/des/fingerprint.sha1 (1.1.2.5), "Exp", lines: +2 -2
-                fips/des/fips_des_enc.c (1.1.2.5), "Exp", lines: +2 -2
-                fips/des/fips_set_key.c (1.1.4.3), "Exp", lines: +3 -3
-                fips/fingerprint.sha1 (1.1.2.8), "Exp", lines: +2 -2
-                fips/fips.c (1.1.2.6), "Exp", lines: +76 -23
-                fips/fips.h (1.1.2.5), "Exp", lines: +2 -3
-                fips/fips_locl.h (1.1.4.2), "Exp", lines: +7 -2
-                fips/aes/fingerprint.sha1 (1.1.2.5), "Exp", lines: +1 -1
-                fips/aes/fips_aes_core.c (1.1.2.5), "Exp", lines: +1 -1
-                crypto/rand/md_rand.c (1.69.2.5), "Exp", lines: +1 -1
-                crypto/rand/rand_lib.c (1.15.2.5), "Exp", lines: +2 -1
-                crypto/dsa/dsa_sign.c (1.10.2.6), "Exp", lines: +2 -2
-                crypto/dsa/dsa_vrf.c (1.10.2.6), "Exp", lines: +1 -1
-                crypto/pem/pem_all.c (1.20.2.2), "Exp", lines: +2 -2
-                crypto/cryptlib.c (1.32.2.12), "Exp", lines: +122 -6
-                crypto/crypto.h (1.62.2.8), "Exp", lines: +8 -1
-                crypto/md32_common.h (1.22.2.7), "Exp", lines: +2 -2
-
-        To protect FIPS-related global variables, add locking mechanisms
-        around them.
-
-                NOTE: because two new locks are added, this adds potential
-        binary incompatibility with earlier versions in the 0.9.7 series.
-        However, those locks will only ever be touched when FIPS_mode_set()
-        is called and after, thanks to a variable that's only changed from
-        0 to 1 once (when FIPS_mode_set() is called).  So basically, as
-        long as FIPS mode hasn't been engaged explicitely by the calling
-        application, the new locks are treated as if they didn't exist at
-        all, thus not becoming a problem.  Applications that are built or
-        rebuilt to use FIPS functionality will need to be recompiled in any
-        case, thus not being a problem either.
-
-2004-08-02 16:15  levitte
-
-        Changed:
-                crypto/cryptlib.c (1.32.2.13), "Exp", lines: +4 -4
-
-        Let's lock a write lock when changing values, shall we?
-
-                Thanks to Dr Stephen Henson <shenson@drh-consultancy.co.uk>
-        for making me aware of this error.
-
-2004-08-05 20:11  steve
-
-        Changed:
-                fips/fingerprint.sha1 (1.1.2.9), "Exp", lines: +1 -1
-                fips/fips.c (1.1.2.7), "Exp", lines: +1 -1
-
-        Stop compiler giving bogus shadow warning.
-
-2004-08-09 14:13  levitte
-
-        Changed:
-                makevms.com (1.35.2.8), "Exp", lines: +1 -1
-
-        In the fips directory, we use FIPS-LIB.COM, not CRYPTO-LIB.COM...
-
-2004-08-09 14:14  levitte
-
-        Changed:
-                fips/fips-lib.com (1.1.2.3), "Exp", lines: +4 -4
-
-        Correct typos and include directory specifications.
-
-2004-08-10 11:11  levitte
-
-        Changed:
-                fips/fips-lib.com (1.1.2.4), "Exp", lines: +2 -1
-
-        Update the VMS fips library builder with the DH library.
-
-2004-08-10 12:04  levitte
-
-        Changed:
-                fips/rand/fingerprint.sha1 (1.1.2.8), "Exp", lines: +1 -1
-                fips/rand/fips_rand.c (1.1.2.8), "Exp", lines: +7 -1
-
-        With DEC C in ANSI C mode, we need to define _XOPEN_SOURCE_EXTENDED
-        to get struct timeval and gettimeofday().
-
-2004-09-06 16:19  levitte
-
-        Changed:
-                fips/fips.c (1.1.2.8), "Exp", lines: +5 -4
-
-        Replace the bogus checks of n with proper uses of feof(), ferror()
-        and clearerr().
-
-2004-09-06 16:21  levitte
-
-        Changed:
-                fips/sha1/fips_sha_locl.h (1.1.2.6), "Exp", lines: +2 -2
-
-        num is an unsigned long, but since it was transfered from
-        crypto/sha/sha_locl.h, where it is in fact an int, we need to check
-        for less-than-zero as if it was an int...
-
-2004-10-08 12:03  ben
-
-        Changed:
-                fips/fingerprint.sha1 (1.1.2.10), "Exp", lines: +1 -1
-                fips/sha1/fingerprint.sha1 (1.1.2.8), "Exp", lines: +1 -1
-                fips/sha1/standalone.sha1 (1.1.2.9), "Exp", lines: +1 -1
-
-        Update fingerprints.
-
-2004-10-14 07:51  levitte
-
-        Changed:
-                VMS/mkshared.com (1.3.2.1), "Exp", lines: +8 -0
-
-        We need to check for OPENSSL_FIPS when building shared libraries,
-        so we get correct transfer vectors for those functions when
-        required.
-
-2004-10-26 13:47  steve
-
-        Changed:
-                util/mkfiles.pl (1.12.2.2), "Exp", lines: +1 -0
-
-        Add fips/dh directory to mkfiles.pl
-
-2004-10-26 14:17  levitte
-
-        Changed:
-                fips/sha1/Makefile (1.1.4.4), "Exp", lines: +3 -1
-                util/mkfiles.pl (1.12.2.3), "Exp", lines: +1 -0
-                fips/Makefile (1.1.4.5), "Exp", lines: +7 -1
-                crypto/sha/Makefile (1.1.4.4), "Exp", lines: +1 -7
-
-        fips/dh was missing in mkfiles.pl.  make update
-
-2004-10-26 15:01  steve
-
-        Changed:
-                util/mkfiles.pl (1.12.2.4), "Exp", lines: +0 -1
-
-        Only add fips/dh once...
-
-2004-11-01 09:20  levitte
-
-        Changed:
-                fips/rand/fingerprint.sha1 (1.1.2.9), "Exp", lines: +1 -1
-                fips/rand/fips_rand.c (1.1.2.9), "Exp", lines: +3 -1
-
-        Make sure _XOPEN_SOURCE_EXTENDED is correctly defined, and only if
-        not already defined.
-
-2004-12-09 19:03  appro
-
-        vChanged:
-                crypto/Makefile (1.1.4.4), "Exp", lines: +2 -0
-
-        Postpone linking of shared libcrypto in FIPS build.
-
-2004-12-09 19:13  appro
-
-        Changed:
-                fips/fingerprint.sha1 (1.1.2.11), "Exp", lines: +1 -1
-                fips/fips.c (1.1.2.9), "Exp", lines: +13 -1
-                fips/openssl_fips_fingerprint (1.1.4.4), "Exp", lines: +4 -2
-
-        Cygwin specific FIPS fix-ups.
-
-2004-12-09 23:43  appro
-
-        Changed:
-                Configure (1.314.2.100), "Exp", lines: +2 -3
-                crypto/des/des_enc.c (1.11.2.5), "Exp", lines: +2 -2
-
-        Eliminate false dependency on 386 config option is FIPS context.
-        At the same time limit assembler support to ELF platforms [that's
-        what is there, ELF modules].
-
-2004-12-10 12:37  appro
-
-        Changed:
-                Configure (1.314.2.101), "Exp", lines: +10 -3
-                crypto/des/des_enc.c (1.11.2.6), "Exp", lines: +2 -2
-
-        Respect no-asm with fips option and disable FIPS DES assembler in
-        shared context [because it's not PIC].
-
-2004-12-10 14:15  appro
-
-        Changed:
-                fips/sha1/fingerprint.sha1 (1.1.2.10), "Exp", lines: +1 -1
-                fips/sha1/standalone.sha1 (1.1.2.11), "Exp", lines: +1 -1
-                fips/sha1/asm/sx86-elf.s (1.1.4.3), "Exp", lines: +32 -32
-
-        Solaris x86 assembler update.
-
-2004-12-10 17:30  appro
-
-        Changed:
-                fips/fips_check_sha1 (1.1.2.7), "Exp", lines: +1 -1
-                fips/openssl_fips_fingerprint (1.1.4.5), "Exp", lines: +1 -1
-                fips/sha1/Makefile (1.1.4.6), "Exp", lines: +1 -1
-
-        Adapt FIPS sub-tree for mingw.
-
-2005-01-03 18:46  steve
-
-        Changed:
-                fips/rsa/fingerprint.sha1 (1.1.4.5), "Exp", lines: +1 -1
-                fips/rsa/fips_rsa_selftest.c (1.1.4.3), "Exp", lines: +55 -11
-
-        RSA KAT.
-
-2005-01-11 17:54  levitte
-
-        Changed:
-                fips/rsa/fingerprint.sha1 (1.1.4.6), "Exp", lines: +1 -1
-                fips/rsa/fips_rsa_selftest.c (1.1.4.4), "Exp", lines: +2 -2
-
-        Clear signed vs. unsigned conflicts.  Change the fingerprint
-        accordingly.
-
-2005-01-11 19:25  levitte
-
-        Changed:
-                ssl/ssltest.c (1.53.2.24), "Exp", lines: +2 -2
-                fips/rand/fips_randtest.c (1.1.2.6), "Exp", lines: +3 -3
-                fips/sha1/fips_sha1test.c (1.1.2.5), "Exp", lines: +10 -4
-                fips/des/fips_desmovs.c (1.1.2.6), "Exp", lines: +8 -7
-                fips/dsa/fips_dsatest.c (1.1.2.5), "Exp", lines: +2 -2
-                apps/openssl.c (1.48.2.12), "Exp", lines: +1 -1
-                fips/aes/fips_aesavs.c (1.1.2.12), "Exp", lines: +8 -7
-
-        Use EXIT() instead of exit().
-
-2005-01-26 21:00  steve
-
-        Changed:
-                apps/dgst.c (1.23.2.13), "Exp", lines: +10 -0
-                apps/pkcs12.c (1.60.2.13), "Exp", lines: +8 -1
-                crypto/crypto.h (1.62.2.9), "Exp", lines: +49 -0
-                crypto/md32_common.h (1.22.2.9), "Exp", lines: +1 -1
-                crypto/bf/bf_skey.c (1.6.2.1), "Exp", lines: +2 -1
-                crypto/bf/blowfish.h (1.9.2.1), "Exp", lines: +4 -1
-                crypto/cast/c_skey.c (1.5.6.1), "Exp", lines: +3 -1
-                crypto/cast/cast.h (1.7.2.1), "Exp", lines: +4 -1
-                crypto/evp/bio_md.c (1.11.2.3), "Exp", lines: +2 -7
-                crypto/evp/digest.c (1.21.2.7), "Exp", lines: +11 -0
-                crypto/evp/e_aes.c (1.6.2.11), "Exp", lines: +11 -11
-                crypto/evp/e_des.c (1.5.2.9), "Exp", lines: +5 -3
-                crypto/evp/e_des3.c (1.8.2.8), "Exp", lines: +6 -6
-                crypto/evp/evp.h (1.86.2.16), "Exp", lines: +17 -0
-                crypto/evp/evp_enc.c (1.28.2.11), "Exp", lines: +15 -1
-                crypto/evp/evp_err.c (1.23.2.4), "Exp", lines: +6 -1
-                crypto/evp/evp_locl.h (1.7.2.7), "Exp", lines: +17 -2
-                crypto/evp/m_dss.c (1.8.2.1), "Exp", lines: +1 -1
-                crypto/evp/m_md2.c (1.9.2.1), "Exp", lines: +1 -0
-                crypto/evp/m_md4.c (1.8.2.1), "Exp", lines: +1 -0
-                crypto/evp/m_md5.c (1.9.2.1), "Exp", lines: +1 -0
-                crypto/evp/m_mdc2.c (1.9.2.1), "Exp", lines: +1 -0
-                crypto/evp/m_sha.c (1.8.2.2), "Exp", lines: +1 -0
-                crypto/evp/m_sha1.c (1.8.2.1), "Exp", lines: +1 -1
-                crypto/evp/names.c (1.7.2.1), "Exp", lines: +3 -0
-                crypto/hmac/hmac.c (1.12.2.3), "Exp", lines: +7 -0
-                crypto/hmac/hmac.h (1.14.2.2), "Exp", lines: +1 -0
-                crypto/idea/i_skey.c (1.5.6.1), "Exp", lines: +13 -0
-                crypto/idea/idea.h (1.10.2.1), "Exp", lines: +4 -0
-                crypto/md2/md2.h (1.11.2.1), "Exp", lines: +3 -0
-                crypto/md2/md2_dgst.c (1.13.2.4), "Exp", lines: +3 -1
-                crypto/md4/md4.h (1.3.2.1), "Exp", lines: +3 -0
-                crypto/md4/md4_dgst.c (1.2.2.2), "Exp", lines: +1 -1
-                crypto/md5/md5.h (1.10.2.3), "Exp", lines: +3 -0
-                crypto/md5/md5_dgst.c (1.16.2.2), "Exp", lines: +1 -1
-                crypto/mdc2/mdc2.h (1.9.2.1), "Exp", lines: +3 -1
-                crypto/mdc2/mdc2dgst.c (1.13.2.1), "Exp", lines: +3 -1
-                crypto/rc2/rc2.h (1.10.2.1), "Exp", lines: +4 -1
-                crypto/rc2/rc2_skey.c (1.4.6.1), "Exp", lines: +13 -0
-                crypto/rc4/rc4.h (1.10.2.2), "Exp", lines: +3 -0
-                crypto/rc4/rc4_skey.c (1.10.8.2), "Exp", lines: +2 -1
-                crypto/rc5/rc5.h (1.5.2.1), "Exp", lines: +4 -1
-                crypto/rc5/rc5_skey.c (1.4.6.1), "Exp", lines: +14 -0
-                crypto/ripemd/ripemd.h (1.8.2.1), "Exp", lines: +3 -0
-                crypto/ripemd/rmd_dgst.c (1.13.2.2), "Exp", lines: +2 -1
-                crypto/sha/sha.h (1.11.2.2), "Exp", lines: +3 -0
-                crypto/sha/sha_locl.h (1.16.2.3), "Exp", lines: +4 -0
-                crypto/x509/x509_cmp.c (1.22.2.4), "Exp", lines: +7 -1
-                crypto/x509/x509_vfy.c (1.56.2.13), "Exp", lines: +1 -1
-                ssl/s3_clnt.c (1.53.2.18), "Exp", lines: +2 -0
-                ssl/s3_enc.c (1.31.2.9), "Exp", lines: +3 -0
-                ssl/s3_srvr.c (1.85.2.23), "Exp", lines: +2 -0
-                ssl/t1_enc.c (1.27.2.9), "Exp", lines: +2 -0
-
-        FIPS algorithm blocking.
-
-                Non FIPS algorithms are not normally allowed in FIPS mode.
-
-                Any attempt to use them via high level functions will
-        return an error.
-
-                The low level non-FIPS algorithm functions cannot return
-        errors so they produce assertion failures. HMAC also has to give an
-        assertion error because it (erroneously) can't return an error
-        either.
-
-                There are exceptions (such as MD5 in TLS and non
-        cryptographic use of algorithms) and applications can override the
-        blocking and use non FIPS algorithms anyway.
-
-                For low level functions the override is perfomed by
-        prefixing the algorithm initalization function with "private_" for
-        example private_MD5_Init().
-
-                For high level functions an override is performed by
-        setting a flag in the context.
-
-2005-01-27 02:49  steve
-
-        Changed:
-                apps/dgst.c (1.23.2.14), "Exp", lines: +9 -5
-                crypto/crypto.h (1.62.2.10), "Exp", lines: +3 -0
-                crypto/evp/digest.c (1.21.2.8), "Exp", lines: +34 -0
-                crypto/hmac/hmac.c (1.12.2.4), "Exp", lines: +9 -0
-
-        More FIPS algorithm blocking.
-
-                Catch attempted use of non FIPS algorithms with HMAC.
-
-                Give an assertion error for applications that ignore FIPS
-        digest errors.
-
-                Make -non-fips-allow work with dgst and HMAC.
-
-2005-01-28 15:03  steve
-
-        Changed:
-                apps/dgst.c (1.23.2.15), "Exp", lines: +2 -1
-                apps/enc.c (1.35.2.13), "Exp", lines: +38 -4
-                crypto/evp/e_rc4.c (1.11.2.2), "Exp", lines: +1 -0
-                crypto/evp/evp.h (1.86.2.17), "Exp", lines: +3 -0
-                crypto/evp/evp_enc.c (1.28.2.12), "Exp", lines: +60 -15
-                crypto/evp/evp_locl.h (1.7.2.8), "Exp", lines: +1 -0
-                test/testenc (1.3.8.2), "Exp", lines: +8 -8
-
-        Further FIPS algorithm blocking.
-
-                Fixes to cipher blocking and enabling code.
-
-                Add option -non-fips-allow to 'enc' and update testenc.
-
-2005-01-31 02:33  steve
-
-        Changed:
-                ssl/s23_clnt.c (1.20.2.7), "Exp", lines: +16 -0
-                ssl/s23_srvr.c (1.41.2.6), "Exp", lines: +9 -0
-                ssl/s3_clnt.c (1.53.2.19), "Exp", lines: +0 -8
-                ssl/s3_enc.c (1.31.2.10), "Exp", lines: +1 -0
-                ssl/s3_srvr.c (1.85.2.24), "Exp", lines: +0 -8
-                ssl/ssl.h (1.126.2.21), "Exp", lines: +1 -0
-                ssl/ssl_cert.c (1.48.2.10), "Exp", lines: +0 -8
-                ssl/ssl_err.c (1.41.2.4), "Exp", lines: +2 -1
-                ssl/ssl_lib.c (1.110.2.13), "Exp", lines: +8 -9
-                ssl/t1_enc.c (1.27.2.10), "Exp", lines: +0 -18
-
-        Only allow TLS is FIPS mode.
-
-                Remove old FIPS_allow_md5() calls.
-
-2005-02-05 19:24  steve
-
-        Changed:
-                apps/req.c (1.88.2.18), "Exp", lines: +8 -1
-                apps/x509.c (1.67.2.20), "Exp", lines: +8 -1
-
-        In FIPS mode use SHA1 as default digest in x509 and req utilities.
-
-2005-03-15 10:46  appro
-
-        Changed:
-                Makefile.org (1.154.2.96), "Exp", lines: +1 -1
-                crypto/Makefile (1.1.4.6), "Exp", lines: +2 -3
-                fips/Makefile (1.1.4.8), "Exp", lines: +4 -1
-
-        Real Bourne shell doesn't accept ! as in "if ! grep ..." Fix this
-        in crypto/Makefile and make Makefile.org and fips/Makefile more
-        discreet.
-
-2005-03-22 18:29  steve
-
-        Changed:
-                fips/fingerprint.sha1 (1.1.2.12), "Exp", lines: +1 -1
-                fips/fips.c (1.1.2.10), "Exp", lines: +1 -0
-
-        Fix memory leak.
-
-2005-03-27 05:36  steve
-
-        Changed:
-                crypto/evp/e_null.c (1.9.2.1), "Exp", lines: +1 -1
-                ssl/s3_lib.c (1.57.2.13), "Exp", lines: +3 -3
-
-        Allow 'null' cipher and appropriate Kerberos ciphersuites in FIPS
-        mode.
-
-2005-04-14 14:44  steve
-
-        Changed:
-                fips/fipshashes.sha1 (1.1.2.1), "Exp", lines: +29 -0
-                util/checkhash.pl (1.1.2.1), "Exp", lines: +181 -0
-
-        Perl script that checks or rebuilds FIPS hash files. This works on
-        both Unix and Windows.
-
-                Merge all FIPS hash files into a single hash file
-        fips/fips.sha1
-
-2005-04-15 05:27  steve
-
-        Changed:
-                fips/Makefile (1.1.4.9), "Exp", lines: +1 -1
-                fips/aes/Makefile (1.1.4.4), "Exp", lines: +1 -4
-                fips/des/Makefile (1.1.4.6), "Exp", lines: +1 -4
-                fips/dh/Makefile (1.1.2.5), "Exp", lines: +1 -4
-                fips/dsa/Makefile (1.1.4.4), "Exp", lines: +1 -4
-                fips/rand/Makefile (1.1.4.3), "Exp", lines: +1 -4
-                fips/rsa/Makefile (1.1.4.5), "Exp", lines: +1 -4
-                fips/sha1/Makefile (1.1.4.9), "Exp", lines: +1 -7
-
-        Update hash checking in makefiles to use new perl script.
-
-2005-04-17 06:37  steve
-
-        Changed:
-                util/checkhash.pl (1.1.2.2), "Exp", lines: +163 -127
-
-        Modify checkhash.pl so it can be run standalone or included as a
-        funtion in another perl script.
-
-2005-04-17 16:00  appro
-
-        Changed:
-                fips/sha1/Makefile (1.1.4.10), "Exp", lines: +9 -5
-
-        Bring back fips_standalone_sha1.
-
-2005-04-17 16:17  appro
-
-        Deleted:
-                fips/sha1/asm/sx86-elf.s (1.1.4.4)
-        Changed:
-                Configure (1.314.2.114), "Exp", lines: +1 -1
-                fips/fipshashes.sha1 (1.1.2.2), "Exp", lines: +1 -1
-                fips/sha1/Makefile (1.1.4.11), "Exp", lines: +1 -1
-                fips/sha1/standalone.sha1 (1.1.2.13), "Exp", lines: +1 -1
-                fips/sha1/asm/fips-sx86-elf.s (1.1.2.1), "Exp", lines: +1568 -0
-
-        Rename fips/sha1/sx86-elf.s to fips/sha1/fips-sx86-elf.s.
-
-2005-04-17 16:21  steve
-
-        Changed:
-                util/checkhash.pl (1.1.2.3), "Exp", lines: +2 -0
-
-        Return 0 for successful hash check.
-
-2005-04-17 16:54  appro
-
-        Changed:
-                Configure (1.314.2.116), "Exp", lines: +8 -1
-                Makefile.org (1.154.2.99), "Exp", lines: +3 -2
-                crypto/aes/aes_cbc.c (1.1.2.11), "Exp", lines: +2 -0
-                fips/fipshashes.sha1 (1.1.2.4), "Exp", lines: +1 -0
-                fips/aes/Makefile (1.1.4.5), "Exp", lines: +4 -2
-                fips/aes/asm/fips-ax86-elf.s (1.1.2.1), "Exp", lines: +1822 -0
-
-        Throw in fips/aes/asm/fips-ax86-elf.s.
-
-2005-04-17 16:35  appro
-
-        Changed:
-                Configure (1.314.2.115), "Exp", lines: +1 -1
-                fips/fipshashes.sha1 (1.1.2.3), "Exp", lines: +1 -1
-                fips/des/asm/fips-dx86-elf.s (1.1.4.2), "Exp", lines: +108 -98
-
-        Regenerate fips/des/asm/fips-dx86-elf.s with -fPIC flag.
-
-2005-04-17 17:26  appro
-
-        Changed:
-                crypto/cryptlib.c (1.32.2.18), "Exp", lines: +6 -55
-                crypto/crypto.h (1.62.2.11), "Exp", lines: +0 -3
-                fips/fips.c (1.1.2.11), "Exp", lines: +62 -8
-                fips/fips.h (1.1.2.7), "Exp", lines: +2 -3
-                fips/fips_locl.h (1.1.4.3), "Exp", lines: +6 -3
-                fips/fipshashes.sha1 (1.1.2.5), "Exp", lines: +4 -4
-                fips/rand/fips_rand.c (1.1.2.10), "Exp", lines: +3 -1
-                fips/rsa/fips_rsa_gen.c (1.1.4.4), "Exp", lines: +4 -2
-
-        Resolve minor binary compatibility issues in fips.
-
-2005-04-17 18:22  appro
-
-        Changed:
-                fips/fipshashes.sha1 (1.1.2.6), "Exp", lines: +12 -12
-                fips/des/fips_des_locl.h (1.1.2.4), "Exp", lines: +1 -1
-                fips/des/fips_set_key.c (1.1.4.4), "Exp", lines: +2 -2
-                fips/dh/fips_dh_key.c (1.1.2.3), "Exp", lines: +1 -1
-                fips/dsa/fips_dsa_ossl.c (1.1.2.7), "Exp", lines: +1 -1
-                fips/dsa/fips_dsa_selftest.c (1.1.4.2), "Exp", lines: +3 -3
-                fips/rand/fips_rand.c (1.1.2.11), "Exp", lines: +2 -2
-                fips/rand/fips_rand.h (1.1.2.5), "Exp", lines: +1 -1
-                fips/rsa/fips_rsa_eay.c (1.1.4.4), "Exp", lines: +1 -1
-                fips/rsa/fips_rsa_gen.c (1.1.4.5), "Exp", lines: +1 -1
-                fips/rsa/fips_rsa_selftest.c (1.1.4.5), "Exp", lines: +11 -11
-                fips/sha1/fips_sha1_selftest.c (1.1.4.2), "Exp", lines: +1 -1
-                fips/sha1/fips_sha1dgst.c (1.1.2.5), "Exp", lines: +1 -1
-                fips/sha1/standalone.sha1 (1.1.2.14), "Exp", lines: +2 -2
-
-        Minor fips const-ification.
-
-2005-04-18 07:02  steve
-
-        Changed:
-                crypto/bf/bf_skey.c (1.6.2.2), "Exp", lines: +1 -0
-                crypto/cast/c_skey.c (1.5.6.2), "Exp", lines: +1 -0
-                crypto/idea/i_skey.c (1.5.6.2), "Exp", lines: +1 -0
-                crypto/rc2/rc2_skey.c (1.4.6.2), "Exp", lines: +1 -0
-                crypto/rc4/rc4_skey.c (1.10.8.3), "Exp", lines: +1 -0
-                crypto/rc5/rc5_skey.c (1.4.6.2), "Exp", lines: +1 -0
-
-        Pick up definition of FIPS_mode() in fips.h to avoid warnings.
-
-2005-04-18 10:34  steve
-
-        Deleted:
-                fips/fingerprint.sha1 (1.1.2.14)
-                fips/fips_check_sha1 (1.1.2.8)
-                fips/fips_make_sha1 (1.1.2.7)
-                fips/aes/fingerprint.sha1 (1.1.2.7)
-                fips/des/fingerprint.sha1 (1.1.2.6)
-                fips/dh/fingerprint.sha1 (1.1.2.4)
-                fips/dsa/fingerprint.sha1 (1.1.2.7)
-                fips/rand/fingerprint.sha1 (1.1.2.10)
-                fips/rsa/fingerprint.sha1 (1.1.4.7)
-                fips/sha1/fingerprint.sha1 (1.1.2.12)
-        Changed:
-                fips/sha1/Makefile (1.1.4.12), "Exp", lines: +1 -4
-
-        Remove obsolete fingerprint.sha1 files and associated scripts.
-        Delete test in fips/sha1/Makefile: the top level test checks the
-        same files.
-
-2005-04-19 09:11  appro
-
-        Deleted:
-                fips/fipshashes.sha1 (1.1.2.7)
-                fips/sha1/standalone.sha1 (1.1.2.15)
-        Changed:
-                fips/fipshashes.c (1.1.2.1), "Exp", lines: +32 -0
-                util/checkhash.pl (1.1.2.4), "Exp", lines: +7 -4
-
-        Maintain fingerprint hashes as C source.
-
-2005-04-19 09:17  appro
-
-        Changed:
-                util/checkhash.pl (1.1.2.5), "Exp", lines: +1 -1
-
-        Complete the transition C-code hashes.
-
-2005-04-21 19:06  steve
-
-        Changed:
-                apps/openssl.c (1.48.2.13), "Exp", lines: +0 -2
-                fips/fips.c (1.1.2.12), "Exp", lines: +0 -27
-                fips/fips.h (1.1.2.8), "Exp", lines: +0 -2
-                fips/fipshashes.c (1.1.2.2), "Exp", lines: +2 -2
-
-        Remove defunct FIPS_allow_md5() and related functions.
-
-2005-04-22 06:15  appro
-
-        Changed:
-                fips/fips.c (1.1.2.13), "Exp", lines: +3 -3
-                fips/fips_err.h (1.1.4.4), "Exp", lines: +3 -3
-                fips/fipshashes.c (1.1.2.4), "Exp", lines: +2 -2
-
-        Move some variables to .bss.
-
diff --git a/src/lib/libssl/src/Configure b/src/lib/libssl/src/Configure
index 1a9a59f969..f24d738feb 100644
--- a/src/lib/libssl/src/Configure
+++ b/src/lib/libssl/src/Configure
@@ -407,12 +407,12 @@ my %table=(
 
 #### IBM's AIX.
 "aix3-cc",  "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
-"aix-gcc",  "gcc:-O -DB_ENDIAN::-D_THREAD_SAFE:AIX::BN_LLONG RC4_CHAR::aix_ppc32.o::::::::::dlfcn:aix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
-"aix64-gcc","gcc:-maix64 -O -DB_ENDIAN::-D_THREAD_SAFE:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR::aix_ppc64.o::::::::::dlfcn:aix-shared::-maix64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X64",
+"aix-gcc",  "gcc:-O -DB_ENDIAN::-pthread:AIX::BN_LLONG RC4_CHAR::aix_ppc32.o::::::::::dlfcn:aix-shared::-shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
+"aix64-gcc","gcc:-maix64 -O -DB_ENDIAN::-pthread:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR::aix_ppc64.o::::::::::dlfcn:aix-shared::-maix64 -shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X64",
 # Below targets assume AIX 5. Idea is to effectively disregard $OBJECT_MODE
 # at build time. $OBJECT_MODE is respected at ./config stage!
-"aix-cc",   "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded:AIX::BN_LLONG RC4_CHAR::aix_ppc32.o::::::::::dlfcn:aix-shared::-q32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
-"aix64-cc", "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR::aix_ppc64.o::::::::::dlfcn:aix-shared::-q64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
+"aix-cc",   "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded:AIX::BN_LLONG RC4_CHAR::aix_ppc32.o::::::::::dlfcn:aix-shared::-q32 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
+"aix64-cc", "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR::aix_ppc64.o::::::::::dlfcn:aix-shared::-q64 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
 
 #
 # Cray T90 and similar (SDSC)
@@ -510,8 +510,9 @@ my %table=(
 ##### MacOS X (a.k.a. Rhapsody or Darwin) setup
 "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}::",
 "darwin-ppc-cc","cc:-arch ppc -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc32.o::::::::::dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin64-ppc-cc","cc:-arch ppc64 -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:ppccpuid_osx64.o:osx_ppc64.o osx_ppc64-mont.o:::::sha1-ppc_osx64.o sha256-ppc_osx64.o sha512-ppc_osx64.o:::::dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin-i386-cc","cc:-arch i386 -O3 -fomit-frame-pointer -fno-common::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin64-ppc-cc","cc:-arch ppc64 -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc64.o::::::::::dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-i386-cc","cc:-arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"debug-darwin-i386-cc","cc:-arch i386 -g3 -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "darwin64-x86_64-cc","cc:-arch x86_64 -O3 -fomit-frame-pointer -DL_ENDIAN -DMD32_REG_T=int -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc32.o::::::::::dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 
@@ -616,6 +617,7 @@ my $perl;
 
 my %disabled = ( # "what"         => "comment"
                  "camellia"       => "default",
+                 "capieng"        => "default",
                  "cms"            => "default",
                  "gmp"            => "default",
                  "mdc2"           => "default",
@@ -634,7 +636,7 @@ my %disabled = ( # "what"         => "comment"
 # For symmetry, "disable-..." is a synonym for "no-...".
 
 # This is what $depflags will look like with the above default:
-my $default_depflags = "-DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_CMS -DOPENSSL_NO_GMP -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SEED -DOPENSSL_NO_TLSEXT ";
+my $default_depflags = "-DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_CMS -DOPENSSL_NO_GMP -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SEED -DOPENSSL_NO_TLSEXT ";
 
 
 my $no_sse2=0;
diff --git a/src/lib/libssl/src/FAQ b/src/lib/libssl/src/FAQ
index 09f700cc3a..1b14ffe9a4 100644
--- a/src/lib/libssl/src/FAQ
+++ b/src/lib/libssl/src/FAQ
@@ -32,6 +32,7 @@ OpenSSL  -  Frequently Asked Questions
 * How do I install a CA certificate into a browser?
 * Why is OpenSSL x509 DN output not conformant to RFC2253?
 * What is a "128 bit certificate"? Can I create one with OpenSSL?
+* Why does OpenSSL set the authority key identifier extension incorrectly?
 * How can I set up a bundle of commercial root CA certificates?
 
 [BUILD] Questions about building and testing OpenSSL
@@ -68,6 +69,7 @@ OpenSSL  -  Frequently Asked Questions
 * Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
 * I think I've detected a memory leak, is this a bug?
 * Why does Valgrind complain about the use of uninitialized data?
+* Why doesn't a memory BIO work when a file does?
 
 ===============================================================================
 
@@ -76,7 +78,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.8h was released on May 28th, 2008.
+OpenSSL 0.9.8i was released on Sep 15th, 2008.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -403,10 +405,10 @@ You can't generally create such a certificate using OpenSSL but there is no
 need to any more. Nowadays web browsers using unrestricted strong encryption
 are generally available.
 
-When there were tight export restrictions on the export of strong encryption
+When there were tight restrictions on the export of strong encryption
 software from the US only weak encryption algorithms could be freely exported
 (initially 40 bit and then 56 bit). It was widely recognised that this was
-inadequate. A relaxation the rules allowed the use of strong encryption but
+inadequate. A relaxation of the rules allowed the use of strong encryption but
 only to an authorised server.
 
 Two slighly different techniques were developed to support this, one used by
@@ -427,6 +429,25 @@ The export laws were later changed to allow almost unrestricted use of strong
 encryption so these certificates are now obsolete.
 
 
+* Why does OpenSSL set the authority key identifier (AKID) extension incorrectly?
+
+It doesn't: this extension is often the cause of confusion.
+
+Consider a certificate chain A->B->C so that A signs B and B signs C. Suppose
+certificate C contains AKID.
+
+The purpose of this extension is to identify the authority certificate B. This
+can be done either by including the subject key identifier of B or its issuer
+name and serial number.
+
+In this latter case because it is identifying certifcate B it must contain the
+issuer name and serial number of B.
+
+It is often wrongly assumed that it should contain the subject name of B. If it
+did this would be redundant information because it would duplicate the issuer
+name of C.
+
+
 * How can I set up a bundle of commercial root CA certificates?
 
 The OpenSSL software is shipped without any root CA certificate as the
@@ -920,5 +941,25 @@ OpenSSL library has been compiled with the PURIFY macro defined (-DPURIFY)
 to get rid of these warnings.
 
 
-===============================================================================
+* Why doesn't a memory BIO work when a file does?
 
+This can occur in several cases for example reading an S/MIME email message.
+The reason is that a memory BIO can do one of two things when all the data
+has been read from it.
+
+The default behaviour is to indicate that no more data is available and that
+the call should be retried, this is to allow the application to fill up the BIO
+again if necessary.
+
+Alternatively it can indicate that no more data is available and that EOF has
+been reached.
+
+If a memory BIO is to behave in the same way as a file this second behaviour
+is needed. This must be done by calling:
+
+   BIO_set_mem_eof_return(bio, 0);
+
+See the manual pages for more details.
+
+
+===============================================================================
diff --git a/src/lib/libssl/src/Makefile b/src/lib/libssl/src/Makefile
index 5aec3a2099..43b1d9796a 100644
--- a/src/lib/libssl/src/Makefile
+++ b/src/lib/libssl/src/Makefile
@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=0.9.8h
+VERSION=0.9.8i
 MAJOR=0
 MINOR=9.8
 SHLIB_VERSION_NUMBER=0.9.8
@@ -13,7 +13,7 @@ SHLIB_MAJOR=0
 SHLIB_MINOR=9.8
 SHLIB_EXT=
 PLATFORM=dist
-OPTIONS= no-camellia no-cms no-gmp no-krb5 no-mdc2 no-montasm no-rc5 no-rfc3779 no-seed no-shared no-tlsext no-zlib no-zlib-dynamic
+OPTIONS= no-camellia no-capieng no-cms no-gmp no-krb5 no-mdc2 no-montasm no-rc5 no-rfc3779 no-seed no-shared no-tlsext no-zlib no-zlib-dynamic
 CONFIGURE_ARGS=dist
 SHLIB_TARGET=
 
@@ -61,7 +61,7 @@ OPENSSLDIR=/usr/local/ssl
 
 CC= cc
 CFLAG= -O
-DEPFLAG= -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_CMS -DOPENSSL_NO_GMP -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SEED -DOPENSSL_NO_TLSEXT 
+DEPFLAG= -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_CMS -DOPENSSL_NO_GMP -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SEED -DOPENSSL_NO_TLSEXT 
 PEX_LIBS= 
 EX_LIBS= 
 EXE_EXT= 
diff --git a/src/lib/libssl/src/Makefile.shared b/src/lib/libssl/src/Makefile.shared
index 97035a3c01..c6006f70bf 100644
--- a/src/lib/libssl/src/Makefile.shared
+++ b/src/lib/libssl/src/Makefile.shared
@@ -491,23 +491,23 @@ link_app.hpux:
 
 link_o.aix:
         @ $(CALC_VERSIONS); \
-        OBJECT_MODE=`expr x$(SHARED_LDFLAGS) : 'x\-[a-z]*\(64\)'` || :; \
+        OBJECT_MODE=`expr "x$(SHARED_LDFLAGS)" : 'x\-[a-z]*\(64\)'` || :; \
         OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
         SHLIB=lib$(LIBNAME).so; \
         SHLIB_SUFFIX=; \
         ALLSYMSFLAGS=''; \
         NOALLSYMSFLAGS=''; \
-        SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-G,-bexpall,-bnolibpath,-bM:SRE'; \
+        SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-bexpall,-bnolibpath,-bM:SRE'; \
         $(LINK_SO_O);
 link_a.aix:
         @ $(CALC_VERSIONS); \
-        OBJECT_MODE=`expr x$(SHARED_LDFLAGS) : 'x\-[a-z]*\(64\)'` || : ; \
+        OBJECT_MODE=`expr "x$(SHARED_LDFLAGS)" : 'x\-[a-z]*\(64\)'` || : ; \
         OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
         SHLIB=lib$(LIBNAME).so; \
         SHLIB_SUFFIX=; \
         ALLSYMSFLAGS='-bnogc'; \
         NOALLSYMSFLAGS=''; \
-        SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-G,-bexpall,-bnolibpath,-bM:SRE'; \
+        SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-bexpall,-bnolibpath,-bM:SRE'; \
         $(LINK_SO_A_VIA_O)
 link_app.aix:
         LDFLAGS="$(CFLAGS) -Wl,-brtl,-blibpath:$(LIBRPATH):$${LIBPATH:-/usr/lib:/lib}"; \
diff --git a/src/lib/libssl/src/NEWS b/src/lib/libssl/src/NEWS
index 40ded1aebf..6488ffa122 100644
--- a/src/lib/libssl/src/NEWS
+++ b/src/lib/libssl/src/NEWS
@@ -5,8 +5,16 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h:
+
+      o CryptoAPI ENGINE support.
+      o Various precautionary measures.
+      o Fix for bugs affecting certificate request creation.
+      o Support for local machine keyset attribute in PKCS#12 files.
+
   Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g:
 
+      o Backport of CMS functionality to 0.9.8.
       o Fixes for bugs introduced with 0.9.8f.
 
   Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f:
diff --git a/src/lib/libssl/src/README b/src/lib/libssl/src/README
index df02ae076d..a2d87d4a49 100644
--- a/src/lib/libssl/src/README
+++ b/src/lib/libssl/src/README
@@ -1,5 +1,5 @@
 
- OpenSSL 0.9.8h
+ OpenSSL 0.9.8i
 
  Copyright (c) 1998-2008 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/src/lib/libssl/src/apps/Makefile b/src/lib/libssl/src/apps/Makefile
index 92ae515b44..7eade4e274 100644
--- a/src/lib/libssl/src/apps/Makefile
+++ b/src/lib/libssl/src/apps/Makefile
@@ -239,20 +239,21 @@ ciphers.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
 ciphers.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 ciphers.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 ciphers.o: ../include/openssl/engine.h ../include/openssl/err.h
-ciphers.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-ciphers.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ciphers.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-ciphers.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ciphers.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-ciphers.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ciphers.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-ciphers.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ciphers.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ciphers.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ciphers.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ciphers.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-ciphers.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ciphers.o: ../include/openssl/x509v3.h apps.h ciphers.c
+ciphers.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+ciphers.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+ciphers.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ciphers.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+ciphers.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ciphers.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ciphers.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+ciphers.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+ciphers.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ciphers.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ciphers.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ciphers.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ciphers.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+ciphers.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+ciphers.o: ciphers.c
 cms.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 cms.o: ../include/openssl/buffer.h ../include/openssl/conf.h
 cms.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
@@ -419,20 +420,21 @@ engine.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
 engine.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 engine.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 engine.o: ../include/openssl/engine.h ../include/openssl/err.h
-engine.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-engine.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-engine.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-engine.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-engine.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-engine.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-engine.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-engine.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-engine.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-engine.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-engine.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-engine.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-engine.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-engine.o: ../include/openssl/x509v3.h apps.h engine.c
+engine.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+engine.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+engine.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+engine.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+engine.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+engine.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+engine.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+engine.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+engine.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+engine.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+engine.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+engine.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+engine.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+engine.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+engine.o: engine.c
 errstr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 errstr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 errstr.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -440,20 +442,21 @@ errstr.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
 errstr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 errstr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 errstr.o: ../include/openssl/engine.h ../include/openssl/err.h
-errstr.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-errstr.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-errstr.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-errstr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-errstr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-errstr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-errstr.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-errstr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-errstr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-errstr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-errstr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-errstr.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-errstr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-errstr.o: ../include/openssl/x509v3.h apps.h errstr.c
+errstr.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+errstr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+errstr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+errstr.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+errstr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+errstr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+errstr.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+errstr.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+errstr.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+errstr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+errstr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+errstr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+errstr.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+errstr.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+errstr.o: errstr.c
 gendh.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 gendh.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 gendh.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -531,20 +534,20 @@ ocsp.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
 ocsp.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 ocsp.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 ocsp.o: ../include/openssl/engine.h ../include/openssl/err.h
-ocsp.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-ocsp.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ocsp.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-ocsp.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ocsp.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-ocsp.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ocsp.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-ocsp.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ocsp.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ocsp.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ocsp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ocsp.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-ocsp.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ocsp.o: ../include/openssl/x509v3.h apps.h ocsp.c
+ocsp.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+ocsp.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+ocsp.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ocsp.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+ocsp.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ocsp.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ocsp.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+ocsp.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+ocsp.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ocsp.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ocsp.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ocsp.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ocsp.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+ocsp.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ocsp.c
 openssl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 openssl.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 openssl.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -552,20 +555,21 @@ openssl.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
 openssl.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 openssl.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 openssl.o: ../include/openssl/engine.h ../include/openssl/err.h
-openssl.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-openssl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-openssl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-openssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-openssl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-openssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-openssl.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-openssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-openssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-openssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-openssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-openssl.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-openssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-openssl.o: ../include/openssl/x509v3.h apps.h openssl.c progs.h s_apps.h
+openssl.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+openssl.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+openssl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+openssl.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+openssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+openssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+openssl.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+openssl.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+openssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+openssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+openssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+openssl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+openssl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+openssl.o: openssl.c progs.h s_apps.h
 passwd.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 passwd.o: ../include/openssl/buffer.h ../include/openssl/conf.h
 passwd.o: ../include/openssl/crypto.h ../include/openssl/des.h
@@ -720,20 +724,21 @@ s_cb.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
 s_cb.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s_cb.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s_cb.o: ../include/openssl/engine.h ../include/openssl/err.h
-s_cb.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-s_cb.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-s_cb.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-s_cb.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s_cb.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s_cb.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s_cb.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-s_cb.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s_cb.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s_cb.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s_cb.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s_cb.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-s_cb.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-s_cb.o: ../include/openssl/x509v3.h apps.h s_apps.h s_cb.c
+s_cb.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+s_cb.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s_cb.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s_cb.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+s_cb.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s_cb.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_cb.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s_cb.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+s_cb.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s_cb.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s_cb.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s_cb.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s_cb.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+s_cb.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+s_cb.o: s_apps.h s_cb.c
 s_client.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s_client.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s_client.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -741,21 +746,21 @@ s_client.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
 s_client.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s_client.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s_client.o: ../include/openssl/engine.h ../include/openssl/err.h
-s_client.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-s_client.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-s_client.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-s_client.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s_client.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s_client.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s_client.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-s_client.o: ../include/openssl/rand.h ../include/openssl/safestack.h
-s_client.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s_client.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s_client.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_client.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_client.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-s_client.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-s_client.o: s_apps.h s_client.c timeouts.h
+s_client.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+s_client.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s_client.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s_client.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+s_client.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s_client.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_client.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s_client.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+s_client.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_client.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_client.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_client.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s_client.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_client.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+s_client.o: ../include/openssl/x509v3.h apps.h s_apps.h s_client.c timeouts.h
 s_server.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s_server.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s_server.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -764,22 +769,23 @@ s_server.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 s_server.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s_server.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s_server.o: ../include/openssl/engine.h ../include/openssl/err.h
-s_server.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-s_server.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-s_server.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-s_server.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s_server.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s_server.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s_server.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-s_server.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-s_server.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s_server.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s_server.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s_server.o: ../include/openssl/stack.h ../include/openssl/store.h
-s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_server.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-s_server.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-s_server.o: ../include/openssl/x509v3.h apps.h s_apps.h s_server.c timeouts.h
+s_server.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+s_server.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s_server.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s_server.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+s_server.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s_server.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_server.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s_server.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+s_server.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s_server.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s_server.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s_server.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s_server.o: ../include/openssl/store.h ../include/openssl/symhacks.h
+s_server.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_server.o: ../include/openssl/ui.h ../include/openssl/x509.h
+s_server.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+s_server.o: s_apps.h s_server.c timeouts.h
 s_socket.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s_socket.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s_socket.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -787,20 +793,20 @@ s_socket.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
 s_socket.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s_socket.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s_socket.o: ../include/openssl/engine.h ../include/openssl/evp.h
-s_socket.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s_socket.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s_socket.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-s_socket.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s_socket.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_socket.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-s_socket.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-s_socket.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s_socket.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s_socket.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_socket.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_socket.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-s_socket.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-s_socket.o: s_apps.h s_socket.c
+s_socket.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s_socket.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s_socket.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+s_socket.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_socket.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s_socket.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_socket.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s_socket.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_socket.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_socket.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_socket.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s_socket.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_socket.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+s_socket.o: ../include/openssl/x509v3.h apps.h s_apps.h s_socket.c
 s_time.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s_time.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s_time.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -808,20 +814,21 @@ s_time.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
 s_time.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s_time.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s_time.o: ../include/openssl/engine.h ../include/openssl/err.h
-s_time.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-s_time.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-s_time.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-s_time.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s_time.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s_time.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s_time.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-s_time.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s_time.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s_time.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s_time.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s_time.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-s_time.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-s_time.o: ../include/openssl/x509v3.h apps.h s_apps.h s_time.c
+s_time.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+s_time.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s_time.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s_time.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+s_time.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s_time.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_time.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s_time.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+s_time.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s_time.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s_time.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s_time.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s_time.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+s_time.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+s_time.o: s_apps.h s_time.c
 sess_id.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 sess_id.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 sess_id.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -829,20 +836,21 @@ sess_id.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
 sess_id.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 sess_id.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 sess_id.o: ../include/openssl/engine.h ../include/openssl/err.h
-sess_id.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-sess_id.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-sess_id.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-sess_id.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-sess_id.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-sess_id.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-sess_id.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-sess_id.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-sess_id.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-sess_id.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-sess_id.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-sess_id.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-sess_id.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-sess_id.o: ../include/openssl/x509v3.h apps.h sess_id.c
+sess_id.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+sess_id.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+sess_id.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+sess_id.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+sess_id.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+sess_id.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+sess_id.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+sess_id.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+sess_id.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+sess_id.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+sess_id.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+sess_id.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+sess_id.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+sess_id.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+sess_id.o: sess_id.c
 smime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 smime.o: ../include/openssl/buffer.h ../include/openssl/conf.h
 smime.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
diff --git a/src/lib/libssl/src/apps/dsa.c b/src/lib/libssl/src/apps/dsa.c
index 9e103037dd..7518a2fe96 100644
--- a/src/lib/libssl/src/apps/dsa.c
+++ b/src/lib/libssl/src/apps/dsa.c
@@ -240,37 +240,27 @@ bad:
                 goto end;
         }
 
-        in=BIO_new(BIO_s_file());
         out=BIO_new(BIO_s_file());
-        if ((in == NULL) || (out == NULL))
+        if (out == NULL)
                 {
                 ERR_print_errors(bio_err);
                 goto end;
                 }
 
-        if (infile == NULL)
-                BIO_set_fp(in,stdin,BIO_NOCLOSE);
-        else
-                {
-                if (BIO_read_filename(in,infile) <= 0)
-                        {
-                        perror(infile);
-                        goto end;
-                        }
-                }
-
         BIO_printf(bio_err,"read DSA key\n");
-        if      (informat == FORMAT_ASN1) {
-                if(pubin) dsa=d2i_DSA_PUBKEY_bio(in,NULL);
-                else dsa=d2i_DSAPrivateKey_bio(in,NULL);
-        } else if (informat == FORMAT_PEM) {
-                if(pubin) dsa=PEM_read_bio_DSA_PUBKEY(in,NULL, NULL, NULL);
-                else dsa=PEM_read_bio_DSAPrivateKey(in,NULL,NULL,passin);
-        } else
-                {
-                BIO_printf(bio_err,"bad input format specified for key\n");
-                goto end;
-                }
+        {
+                EVP_PKEY        *pkey;
+                if (pubin)
+                        pkey = load_pubkey(bio_err, infile, informat, 1,
+                                passin, e, "Public Key");
+                else
+                        pkey = load_key(bio_err, infile, informat, 1,
+                                passin, e, "Private Key");
+
+                if (pkey != NULL)
+                dsa = pkey == NULL ? NULL : EVP_PKEY_get1_DSA(pkey);
+                EVP_PKEY_free(pkey);
+        }
         if (dsa == NULL)
                 {
                 BIO_printf(bio_err,"unable to load Key\n");
diff --git a/src/lib/libssl/src/apps/openssl.c b/src/lib/libssl/src/apps/openssl.c
index 47aee5b712..ec25f990fe 100644
--- a/src/lib/libssl/src/apps/openssl.c
+++ b/src/lib/libssl/src/apps/openssl.c
@@ -273,9 +273,21 @@ int main(int Argc, char *Argv[])
         i=NCONF_load(config,p,&errline);
         if (i == 0)
                 {
-                NCONF_free(config);
-                config = NULL;
-                ERR_clear_error();
+                if (ERR_GET_REASON(ERR_peek_last_error())
+                    == CONF_R_NO_SUCH_FILE)
+                        {
+                        BIO_printf(bio_err,
+                                   "WARNING: can't open config file: %s\n",p);
+                        ERR_clear_error();
+                        NCONF_free(config);
+                        config = NULL;
+                        }
+                else
+                        {
+                        ERR_print_errors(bio_err);
+                        NCONF_free(config);
+                        exit(1);
+                        }
                 }
 
         prog=prog_init();
diff --git a/src/lib/libssl/src/apps/pkcs12.c b/src/lib/libssl/src/apps/pkcs12.c
index 7c71b1a88f..268390ebe8 100644
--- a/src/lib/libssl/src/apps/pkcs12.c
+++ b/src/lib/libssl/src/apps/pkcs12.c
@@ -100,6 +100,7 @@ int MAIN(int argc, char **argv)
     char **args;
     char *name = NULL;
     char *csp_name = NULL;
+    int add_lmk = 0;
     PKCS12 *p12 = NULL;
     char pass[50], macpass[50];
     int export_cert = 0;
@@ -224,7 +225,9 @@ int MAIN(int argc, char **argv)
                         args++; 
                         name = *args;
                     } else badarg = 1;
-                } else if (!strcmp (*args, "-CSP")) {
+                } else if (!strcmp (*args, "-LMK"))
+                        add_lmk = 1;
+                else if (!strcmp (*args, "-CSP")) {
                     if (args[1]) {
                         args++; 
                         csp_name = *args;
@@ -338,6 +341,8 @@ int MAIN(int argc, char **argv)
         BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
         BIO_printf(bio_err,  "              load the file (or the files in the directory) into\n");
         BIO_printf(bio_err,  "              the random number generator\n");
+        BIO_printf(bio_err,  "-CSP name     Microsoft CSP name\n");
+        BIO_printf(bio_err,  "-LMK          Add local machine keyset attribute to private key\n");
         goto end;
     }
 
@@ -562,7 +567,9 @@ int MAIN(int argc, char **argv)
         if (csp_name && key)
                 EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name,
                                 MBSTRING_ASC, (unsigned char *)csp_name, -1);
-                
+
+        if (add_lmk && key)
+                EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1);
 
 #ifdef CRYPTO_MDEBUG
         CRYPTO_pop_info();
diff --git a/src/lib/libssl/src/apps/s_client.c b/src/lib/libssl/src/apps/s_client.c
index 3a52853c82..78ac95c512 100644
--- a/src/lib/libssl/src/apps/s_client.c
+++ b/src/lib/libssl/src/apps/s_client.c
@@ -321,7 +321,8 @@ int MAIN(int argc, char **argv)
         char *inrand=NULL;
 #ifndef OPENSSL_NO_ENGINE
         char *engine_id=NULL;
-        ENGINE *e=NULL;
+        char *ssl_client_engine_id=NULL;
+        ENGINE *e=NULL, *ssl_client_engine=NULL;
 #endif
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
         struct timeval tv;
@@ -559,6 +560,11 @@ int MAIN(int argc, char **argv)
                         if (--argc < 1) goto bad;
                         engine_id = *(++argv);
                         }
+                else if (strcmp(*argv,"-ssl_client_engine") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        ssl_client_engine_id = *(++argv);
+                        }
 #endif
                 else if (strcmp(*argv,"-rand") == 0)
                         {
@@ -596,6 +602,16 @@ bad:
 
 #ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine_id, 1);
+        if (ssl_client_engine_id)
+                {
+                ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
+                if (!ssl_client_engine)
+                        {
+                        BIO_printf(bio_err,
+                                        "Error getting client auth engine\n");
+                        goto end;
+                        }
+                }
 #endif
         if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
                 {
@@ -663,6 +679,20 @@ bad:
                 goto end;
                 }
 
+#ifndef OPENSSL_NO_ENGINE
+        if (ssl_client_engine)
+                {
+                if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
+                        {
+                        BIO_puts(bio_err, "Error setting client auth engine\n");
+                        ERR_print_errors(bio_err);
+                        ENGINE_free(ssl_client_engine);
+                        goto end;
+                        }
+                ENGINE_free(ssl_client_engine);
+                }
+#endif
+
         if (bugs)
                 SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
         else
diff --git a/src/lib/libssl/src/crypto/asn1/asn_mime.c b/src/lib/libssl/src/crypto/asn1/asn_mime.c
index fe7c4ec7ab..bc80b20d63 100644
--- a/src/lib/libssl/src/crypto/asn1/asn_mime.c
+++ b/src/lib/libssl/src/crypto/asn1/asn_mime.c
@@ -526,6 +526,8 @@ int SMIME_text(BIO *in, BIO *out)
         sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
         while ((len = BIO_read(in, iobuf, sizeof(iobuf))) > 0)
                                                 BIO_write(out, iobuf, len);
+        if (len < 0)
+                return 0;
         return 1;
 }
 
diff --git a/src/lib/libssl/src/crypto/asn1/t_x509.c b/src/lib/libssl/src/crypto/asn1/t_x509.c
index 26d3361722..cb76c32c8d 100644
--- a/src/lib/libssl/src/crypto/asn1/t_x509.c
+++ b/src/lib/libssl/src/crypto/asn1/t_x509.c
@@ -393,8 +393,9 @@ int ASN1_GENERALIZEDTIME_print(BIO *bp, ASN1_GENERALIZEDTIME *tm)
         d= (v[6]-'0')*10+(v[7]-'0');
         h= (v[8]-'0')*10+(v[9]-'0');
         m=  (v[10]-'0')*10+(v[11]-'0');
-        if (    (v[12] >= '0') && (v[12] <= '9') &&
-                (v[13] >= '0') && (v[13] <= '9'))
+        if (i >= 14 &&
+            (v[12] >= '0') && (v[12] <= '9') &&
+            (v[13] >= '0') && (v[13] <= '9'))
                 s=  (v[12]-'0')*10+(v[13]-'0');
 
         if (BIO_printf(bp,"%s %2d %02d:%02d:%02d %d%s",
@@ -428,8 +429,9 @@ int ASN1_UTCTIME_print(BIO *bp, ASN1_UTCTIME *tm)
         d= (v[4]-'0')*10+(v[5]-'0');
         h= (v[6]-'0')*10+(v[7]-'0');
         m=  (v[8]-'0')*10+(v[9]-'0');
-        if (    (v[10] >= '0') && (v[10] <= '9') &&
-                (v[11] >= '0') && (v[11] <= '9'))
+        if (i >=12 &&
+            (v[10] >= '0') && (v[10] <= '9') &&
+            (v[11] >= '0') && (v[11] <= '9'))
                 s=  (v[10]-'0')*10+(v[11]-'0');
 
         if (BIO_printf(bp,"%s %2d %02d:%02d:%02d %d%s",
@@ -501,4 +503,3 @@ err:
         OPENSSL_free(b);
         return(ret);
         }
-
diff --git a/src/lib/libssl/src/crypto/bio/bss_dgram.c b/src/lib/libssl/src/crypto/bio/bss_dgram.c
index ea2c3fff63..c3da6dc82f 100644
--- a/src/lib/libssl/src/crypto/bio/bss_dgram.c
+++ b/src/lib/libssl/src/crypto/bio/bss_dgram.c
@@ -82,7 +82,7 @@ static int dgram_new(BIO *h);
 static int dgram_free(BIO *data);
 static int dgram_clear(BIO *bio);
 
-int BIO_dgram_should_retry(int s);
+static int BIO_dgram_should_retry(int s);
 
 static BIO_METHOD methods_dgramp=
         {
@@ -345,30 +345,90 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 
         memcpy(&(data->peer), to, sizeof(struct sockaddr));
         break;
+#if defined(SO_RCVTIMEO)
         case BIO_CTRL_DGRAM_SET_RECV_TIMEOUT:
+#ifdef OPENSSL_SYS_WINDOWS
+                {
+                struct timeval *tv = (struct timeval *)ptr;
+                int timeout = tv->tv_sec * 1000 + tv->tv_usec/1000;
+                if (setsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
+                        (void*)&timeout, sizeof(timeout)) < 0)
+                        { perror("setsockopt"); ret = -1; }
+                }
+#else
                 if ( setsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, ptr,
                         sizeof(struct timeval)) < 0)
                         { perror("setsockopt"); ret = -1; }
+#endif
                 break;
         case BIO_CTRL_DGRAM_GET_RECV_TIMEOUT:
+#ifdef OPENSSL_SYS_WINDOWS
+                {
+                int timeout, sz = sizeof(timeout);
+                struct timeval *tv = (struct timeval *)ptr;
+                if (getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
+                        (void*)&timeout, &sz) < 0)
+                        { perror("getsockopt"); ret = -1; }
+                else
+                        {
+                        tv->tv_sec = timeout / 1000;
+                        tv->tv_usec = (timeout % 1000) * 1000;
+                        ret = sizeof(*tv);
+                        }
+                }
+#else
                 if ( getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, 
                         ptr, (void *)&ret) < 0)
                         { perror("getsockopt"); ret = -1; }
+#endif
                 break;
+#endif
+#if defined(SO_SNDTIMEO)
         case BIO_CTRL_DGRAM_SET_SEND_TIMEOUT:
+#ifdef OPENSSL_SYS_WINDOWS
+                {
+                struct timeval *tv = (struct timeval *)ptr;
+                int timeout = tv->tv_sec * 1000 + tv->tv_usec/1000;
+                if (setsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO,
+                        (void*)&timeout, sizeof(timeout)) < 0)
+                        { perror("setsockopt"); ret = -1; }
+                }
+#else
                 if ( setsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO, ptr,
                         sizeof(struct timeval)) < 0)
                         { perror("setsockopt"); ret = -1; }
+#endif
                 break;
         case BIO_CTRL_DGRAM_GET_SEND_TIMEOUT:
+#ifdef OPENSSL_SYS_WINDOWS
+                {
+                int timeout, sz = sizeof(timeout);
+                struct timeval *tv = (struct timeval *)ptr;
+                if (getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO,
+                        (void*)&timeout, &sz) < 0)
+                        { perror("getsockopt"); ret = -1; }
+                else
+                        {
+                        tv->tv_sec = timeout / 1000;
+                        tv->tv_usec = (timeout % 1000) * 1000;
+                        ret = sizeof(*tv);
+                        }
+                }
+#else
                 if ( getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO, 
                         ptr, (void *)&ret) < 0)
                         { perror("getsockopt"); ret = -1; }
+#endif
                 break;
+#endif
         case BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP:
                 /* fall-through */
         case BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP:
+#ifdef OPENSSL_SYS_WINDOWS
+                if ( data->_errno == WSAETIMEDOUT)
+#else
                 if ( data->_errno == EAGAIN)
+#endif
                         {
                         ret = 1;
                         data->_errno = 0;
@@ -403,7 +463,7 @@ static int dgram_puts(BIO *bp, const char *str)
         return(ret);
         }
 
-int BIO_dgram_should_retry(int i)
+static int BIO_dgram_should_retry(int i)
         {
         int err;
 
diff --git a/src/lib/libssl/src/crypto/bn/Makefile b/src/lib/libssl/src/crypto/bn/Makefile
index e97c751390..0491e3db4c 100644
--- a/src/lib/libssl/src/crypto/bn/Makefile
+++ b/src/lib/libssl/src/crypto/bn/Makefile
@@ -116,6 +116,7 @@ linux_ppc64.s: asm/ppc.pl;	$(PERL) $< $@
 aix_ppc32.s: asm/ppc.pl;        $(PERL) asm/ppc.pl $@
 aix_ppc64.s: asm/ppc.pl;        $(PERL) asm/ppc.pl $@
 osx_ppc32.s: asm/ppc.pl;        $(PERL) $< $@
+osx_ppc64.s: asm/ppc.pl;        $(PERL) $< $@
 
 files:
         $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
diff --git a/src/lib/libssl/src/crypto/bn/bn_div.c b/src/lib/libssl/src/crypto/bn/bn_div.c
index 8655eb118e..1e8e57626b 100644
--- a/src/lib/libssl/src/crypto/bn/bn_div.c
+++ b/src/lib/libssl/src/crypto/bn/bn_div.c
@@ -187,6 +187,17 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
         BN_ULONG d0,d1;
         int num_n,div_n;
 
+        /* Invalid zero-padding would have particularly bad consequences
+         * in the case of 'num', so don't just rely on bn_check_top() for this one
+         * (bn_check_top() works only for BN_DEBUG builds) */
+        if (num->top > 0 && num->d[num->top - 1] == 0)
+                {
+                BNerr(BN_F_BN_DIV,BN_R_NOT_INITIALIZED);
+                return 0;
+                }
+
+        bn_check_top(num);
+
         if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0))
                 {
                 return BN_div_no_branch(dv, rm, num, divisor, ctx);
@@ -194,7 +205,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 
         bn_check_top(dv);
         bn_check_top(rm);
-        bn_check_top(num);
+        /* bn_check_top(num); */ /* 'num' has been checked already */
         bn_check_top(divisor);
 
         if (BN_is_zero(divisor))
@@ -419,7 +430,7 @@ static int BN_div_no_branch(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
 
         bn_check_top(dv);
         bn_check_top(rm);
-        bn_check_top(num);
+        /* bn_check_top(num); */ /* 'num' has been checked in BN_div() */
         bn_check_top(divisor);
 
         if (BN_is_zero(divisor))
diff --git a/src/lib/libssl/src/crypto/bn/bn_gf2m.c b/src/lib/libssl/src/crypto/bn/bn_gf2m.c
index 6a793857e1..306f029f27 100644
--- a/src/lib/libssl/src/crypto/bn/bn_gf2m.c
+++ b/src/lib/libssl/src/crypto/bn/bn_gf2m.c
@@ -384,7 +384,11 @@ int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[])
                 if (zz == 0) break;
                 d1 = BN_BITS2 - d0;
                 
-                if (d0) z[dN] = (z[dN] << d1) >> d1; /* clear up the top d1 bits */
+                /* clear up the top d1 bits */
+                if (d0)
+                        z[dN] = (z[dN] << d1) >> d1;
+                else
+                        z[dN] = 0;
                 z[0] ^= zz; /* reduction t^0 component */
 
                 for (k = 1; p[k] != 0; k++)
diff --git a/src/lib/libssl/src/crypto/bn/bn_nist.c b/src/lib/libssl/src/crypto/bn/bn_nist.c
index e14232fdbb..1fc94f55c3 100644
--- a/src/lib/libssl/src/crypto/bn/bn_nist.c
+++ b/src/lib/libssl/src/crypto/bn/bn_nist.c
@@ -59,6 +59,7 @@
 #include "bn_lcl.h"
 #include "cryptlib.h"
 
+
 #define BN_NIST_192_TOP (192+BN_BITS2-1)/BN_BITS2
 #define BN_NIST_224_TOP (224+BN_BITS2-1)/BN_BITS2
 #define BN_NIST_256_TOP (256+BN_BITS2-1)/BN_BITS2
@@ -101,60 +102,98 @@ static const BN_ULONG _nist_p_521[] = {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
         0xFFFFFFFF,0x000001FF};
 #endif
 
+
+static const BIGNUM _bignum_nist_p_192 =
+        {
+        (BN_ULONG *)_nist_p_192,
+        BN_NIST_192_TOP,
+        BN_NIST_192_TOP,
+        0,
+        BN_FLG_STATIC_DATA
+        };
+
+static const BIGNUM _bignum_nist_p_224 =
+        {
+        (BN_ULONG *)_nist_p_224,
+        BN_NIST_224_TOP,
+        BN_NIST_224_TOP,
+        0,
+        BN_FLG_STATIC_DATA
+        };
+
+static const BIGNUM _bignum_nist_p_256 =
+        {
+        (BN_ULONG *)_nist_p_256,
+        BN_NIST_256_TOP,
+        BN_NIST_256_TOP,
+        0,
+        BN_FLG_STATIC_DATA
+        };
+
+static const BIGNUM _bignum_nist_p_384 =
+        {
+        (BN_ULONG *)_nist_p_384,
+        BN_NIST_384_TOP,
+        BN_NIST_384_TOP,
+        0,
+        BN_FLG_STATIC_DATA
+        };
+
+static const BIGNUM _bignum_nist_p_521 =
+        {
+        (BN_ULONG *)_nist_p_521,
+        BN_NIST_521_TOP,
+        BN_NIST_521_TOP,
+        0,
+        BN_FLG_STATIC_DATA
+        };
+
+
 const BIGNUM *BN_get0_nist_prime_192(void)
         {
-        static BIGNUM const_nist_192 = { (BN_ULONG *)_nist_p_192,
-                BN_NIST_192_TOP, BN_NIST_192_TOP, 0, BN_FLG_STATIC_DATA };
-        return &const_nist_192;
+        return &_bignum_nist_p_192;
         }
 
 const BIGNUM *BN_get0_nist_prime_224(void)
         {
-        static BIGNUM const_nist_224 = { (BN_ULONG *)_nist_p_224,
-                BN_NIST_224_TOP, BN_NIST_224_TOP, 0, BN_FLG_STATIC_DATA };
-        return &const_nist_224;
+        return &_bignum_nist_p_224;
         }
 
 const BIGNUM *BN_get0_nist_prime_256(void)
         {
-        static BIGNUM const_nist_256 = { (BN_ULONG *)_nist_p_256,
-                BN_NIST_256_TOP, BN_NIST_256_TOP, 0, BN_FLG_STATIC_DATA };
-        return &const_nist_256;
+        return &_bignum_nist_p_256;
         }
 
 const BIGNUM *BN_get0_nist_prime_384(void)
         {
-        static BIGNUM const_nist_384 = { (BN_ULONG *)_nist_p_384,
-                BN_NIST_384_TOP, BN_NIST_384_TOP, 0, BN_FLG_STATIC_DATA };
-        return &const_nist_384;
+        return &_bignum_nist_p_384;
         }
 
 const BIGNUM *BN_get0_nist_prime_521(void)
         {
-        static BIGNUM const_nist_521 = { (BN_ULONG *)_nist_p_521,
-                BN_NIST_521_TOP, BN_NIST_521_TOP, 0, BN_FLG_STATIC_DATA };
-        return &const_nist_521;
+        return &_bignum_nist_p_521;
         }
 
-#define BN_NIST_ADD_ONE(a)      while (!(*(a)=(*(a)+1)&BN_MASK2)) ++(a);
 
 static void nist_cp_bn_0(BN_ULONG *buf, BN_ULONG *a, int top, int max)
-        {
+        {
         int i;
-        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
-        for (i = (top); i != 0; i--)
-                *_tmp1++ = *_tmp2++;
-        for (i = (max) - (top); i != 0; i--)
-                *_tmp1++ = (BN_ULONG) 0;
-        }
+        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
+
+        OPENSSL_assert(top <= max);
+        for (i = (top); i != 0; i--)
+                *_tmp1++ = *_tmp2++;
+        for (i = (max) - (top); i != 0; i--)
+                *_tmp1++ = (BN_ULONG) 0;
+        }
 
 static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
-        { 
+        { 
         int i;
-        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
-        for (i = (top); i != 0; i--)
-                *_tmp1++ = *_tmp2++;
-        }
+        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
+        for (i = (top); i != 0; i--)
+                *_tmp1++ = *_tmp2++;
+        }
 
 #if BN_BITS2 == 64
 #define bn_cp_64(to, n, from, m)        (to)[n] = (m>=0)?((from)[m]):0;
@@ -199,6 +238,11 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                 *res;
         size_t   mask;
 
+        field = &_bignum_nist_p_192; /* just to make sure */
+
+        if (BN_is_negative(a) || a->top > 2*BN_NIST_192_TOP)
+                return BN_nnmod(r, field, a, ctx);
+
         i = BN_ucmp(field, a);
         if (i == 0)
                 {
@@ -208,9 +252,6 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         else if (i > 0)
                 return (r == a) ? 1 : (BN_copy(r ,a) != NULL);
 
-        if (top == BN_NIST_192_TOP)
-                return BN_usub(r, a, field);
-
         if (r != a)
                 {
                 if (!bn_wexpand(r, BN_NIST_192_TOP))
@@ -245,6 +286,11 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         r->top = BN_NIST_192_TOP;
         bn_correct_top(r);
 
+        if (BN_ucmp(field, r) <= 0)
+                {
+                if (!BN_usub(r, r, field)) return 0;
+                }
+
         return 1;
         }
 
@@ -272,6 +318,11 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                 *res;
         size_t   mask;
 
+        field = &_bignum_nist_p_224; /* just to make sure */
+
+        if (BN_is_negative(a) || a->top > 2*BN_NIST_224_TOP)
+                return BN_nnmod(r, field, a, ctx);
+
         i = BN_ucmp(field, a);
         if (i == 0)
                 {
@@ -281,9 +332,6 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         else if (i > 0)
                 return (r == a)? 1 : (BN_copy(r ,a) != NULL);
 
-        if (top == BN_NIST_224_TOP)
-                return BN_usub(r, a, field);
-
         if (r != a)
                 {
                 if (!bn_wexpand(r, BN_NIST_224_TOP))
@@ -333,6 +381,11 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         r->top = BN_NIST_224_TOP;
         bn_correct_top(r);
 
+        if (BN_ucmp(field, r) <= 0)
+                {
+                if (!BN_usub(r, r, field)) return 0;
+                }
+
         return 1;
 #else   /* BN_BITS!=32 */
         return 0;
@@ -364,6 +417,11 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                 *res;
         size_t   mask;
 
+        field = &_bignum_nist_p_256; /* just to make sure */
+
+        if (BN_is_negative(a) || a->top > 2*BN_NIST_256_TOP)
+                return BN_nnmod(r, field, a, ctx);
+
         i = BN_ucmp(field, a);
         if (i == 0)
                 {
@@ -373,9 +431,6 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         else if (i > 0)
                 return (r == a)? 1 : (BN_copy(r ,a) != NULL);
 
-        if (top == BN_NIST_256_TOP)
-                return BN_usub(r, a, field);
-
         if (r != a)
                 {
                 if (!bn_wexpand(r, BN_NIST_256_TOP))
@@ -470,6 +525,11 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         r->top = BN_NIST_256_TOP;
         bn_correct_top(r);
 
+        if (BN_ucmp(field, r) <= 0)
+                {
+                if (!BN_usub(r, r, field)) return 0;
+                }
+
         return 1;
 #else   /* BN_BITS!=32 */
         return 0;
@@ -505,6 +565,11 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                 *res;
         size_t   mask;
 
+        field = &_bignum_nist_p_384; /* just to make sure */
+
+        if (BN_is_negative(a) || a->top > 2*BN_NIST_384_TOP)
+                return BN_nnmod(r, field, a, ctx);
+
         i = BN_ucmp(field, a);
         if (i == 0)
                 {
@@ -514,9 +579,6 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         else if (i > 0)
                 return (r == a)? 1 : (BN_copy(r ,a) != NULL);
 
-        if (top == BN_NIST_384_TOP)
-                return BN_usub(r, a, field);
-
         if (r != a)
                 {
                 if (!bn_wexpand(r, BN_NIST_384_TOP))
@@ -631,6 +693,11 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         r->top = BN_NIST_384_TOP;
         bn_correct_top(r);
 
+        if (BN_ucmp(field, r) <= 0)
+                {
+                if (!BN_usub(r, r, field)) return 0;
+                }
+
         return 1;
 #else   /* BN_BITS!=32 */
         return 0;
@@ -646,14 +713,35 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 #define BN_NIST_521_TOP_MASK    (BN_ULONG)0x1FF
 #endif
         int     top, ret = 0;
-        BN_ULONG *r_d;
         BIGNUM  *tmp;
 
+        field = &_bignum_nist_p_521; /* just to make sure */
+
+        if (BN_is_negative(a))
+                return BN_nnmod(r, field, a, ctx);
+
         /* check whether a reduction is necessary */
         top = a->top;
         if (top < BN_NIST_521_TOP  || ( top == BN_NIST_521_TOP &&
-           (!(a->d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))))
-                return (r == a)? 1 : (BN_copy(r ,a) != NULL);
+            (!(a->d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))))
+                {
+                int i = BN_ucmp(field, a);
+                if (i == 0)
+                        {
+                        BN_zero(r);
+                        return 1;
+                        }
+                else
+                        {
+#ifdef BN_DEBUG
+                        OPENSSL_assert(i > 0); /* because 'field' is 1111...1111 */
+#endif
+                        return (r == a)? 1 : (BN_copy(r ,a) != NULL);
+                        }
+                }
+
+        if (BN_num_bits(a) > 2*521)
+                return BN_nnmod(r, field, a, ctx);
 
         BN_CTX_start(ctx);
         tmp = BN_CTX_get(ctx);
@@ -673,15 +761,11 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 
         if (!BN_uadd(r, tmp, r))
                 goto err;
-        top = r->top;
-        r_d = r->d;
-        if (top == BN_NIST_521_TOP  && 
-           (r_d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))
+
+        if (BN_ucmp(field, r) <= 0)
                 {
-                BN_NIST_ADD_ONE(r_d)
-                r->d[BN_NIST_521_TOP-1] &= BN_NIST_521_TOP_MASK; 
+                if (!BN_usub(r, r, field)) goto err;
                 }
-        bn_correct_top(r);
 
         ret = 1;
 err:
diff --git a/src/lib/libssl/src/crypto/cms/cms_smime.c b/src/lib/libssl/src/crypto/cms/cms_smime.c
index f79c504e91..b35d28d411 100644
--- a/src/lib/libssl/src/crypto/cms/cms_smime.c
+++ b/src/lib/libssl/src/crypto/cms/cms_smime.c
@@ -89,11 +89,13 @@ static int cms_copy_content(BIO *out, BIO *in, unsigned int flags)
                                 if (!BIO_get_cipher_status(in))
                                         goto err;
                                 }
+                        if (i < 0)
+                                goto err;
                         break;
                         }
                                 
-                if (tmpout)
-                        BIO_write(tmpout, buf, i);
+                if (tmpout && (BIO_write(tmpout, buf, i) != i))
+                        goto err;
         }
 
         if(flags & CMS_TEXT)
diff --git a/src/lib/libssl/src/crypto/cryptlib.h b/src/lib/libssl/src/crypto/cryptlib.h
index 5ceaa964b5..fc249c57f3 100644
--- a/src/lib/libssl/src/crypto/cryptlib.h
+++ b/src/lib/libssl/src/crypto/cryptlib.h
@@ -103,7 +103,6 @@ extern unsigned long OPENSSL_ia32cap_P;
 void OPENSSL_showfatal(const char *,...);
 void *OPENSSL_stderr(void);
 extern int OPENSSL_NONPIC_relocated;
-int OPENSSL_isservice(void);
 
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libssl/src/crypto/crypto.h b/src/lib/libssl/src/crypto/crypto.h
index d2b5ffe332..fe2c1d6403 100644
--- a/src/lib/libssl/src/crypto/crypto.h
+++ b/src/lib/libssl/src/crypto/crypto.h
@@ -521,6 +521,7 @@ void OpenSSLDie(const char *file,int line,const char *assertion);
 
 unsigned long *OPENSSL_ia32cap_loc(void);
 #define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))
+int OPENSSL_isservice(void);
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
diff --git a/src/lib/libssl/src/crypto/dh/Makefile b/src/lib/libssl/src/crypto/dh/Makefile
index d368e33b4c..950cad9c5b 100644
--- a/src/lib/libssl/src/crypto/dh/Makefile
+++ b/src/lib/libssl/src/crypto/dh/Makefile
@@ -123,11 +123,17 @@ dh_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 dh_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
 dh_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 dh_key.o: ../../include/openssl/symhacks.h ../cryptlib.h dh_key.c
-dh_lib.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
-dh_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-dh_lib.o: ../../include/openssl/dh.h ../../include/openssl/e_os2.h
+dh_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+dh_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+dh_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+dh_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+dh_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 dh_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-dh_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-dh_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dh_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dh_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h dh_lib.c
+dh_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+dh_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+dh_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dh_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+dh_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+dh_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+dh_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+dh_lib.o: ../cryptlib.h dh_lib.c
diff --git a/src/lib/libssl/src/crypto/dsa/Makefile b/src/lib/libssl/src/crypto/dsa/Makefile
index 676baf7d49..5493f19e85 100644
--- a/src/lib/libssl/src/crypto/dsa/Makefile
+++ b/src/lib/libssl/src/crypto/dsa/Makefile
@@ -126,11 +126,16 @@ dsa_lib.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-dsa_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+dsa_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+dsa_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+dsa_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+dsa_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 dsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-dsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+dsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+dsa_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 dsa_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+dsa_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 dsa_lib.o: ../cryptlib.h dsa_lib.c
 dsa_ossl.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_ossl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
diff --git a/src/lib/libssl/src/crypto/ecdh/Makefile b/src/lib/libssl/src/crypto/ecdh/Makefile
index 95aa69fea5..65d8904ee8 100644
--- a/src/lib/libssl/src/crypto/ecdh/Makefile
+++ b/src/lib/libssl/src/crypto/ecdh/Makefile
@@ -84,20 +84,30 @@ ech_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 ech_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 ech_err.o: ech_err.c
 ech_key.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-ech_key.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-ech_key.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-ech_key.o: ../../include/openssl/engine.h ../../include/openssl/opensslconf.h
+ech_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ech_key.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ech_key.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+ech_key.o: ../../include/openssl/engine.h ../../include/openssl/evp.h
+ech_key.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ech_key.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 ech_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-ech_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-ech_key.o: ../../include/openssl/symhacks.h ech_key.c ech_locl.h
+ech_key.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+ech_key.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ech_key.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ech_key.o: ../../include/openssl/x509_vfy.h ech_key.c ech_locl.h
 ech_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-ech_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-ech_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+ech_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ech_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ech_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 ech_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-ech_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-ech_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-ech_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-ech_lib.o: ../../include/openssl/symhacks.h ech_lib.c ech_locl.h
+ech_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+ech_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+ech_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+ech_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+ech_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+ech_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ech_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+ech_lib.o: ech_lib.c ech_locl.h
 ech_ossl.o: ../../e_os.h ../../include/openssl/asn1.h
 ech_ossl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 ech_ossl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
diff --git a/src/lib/libssl/src/crypto/ecdsa/Makefile b/src/lib/libssl/src/crypto/ecdsa/Makefile
index 16a93cd3ae..9b48d5641f 100644
--- a/src/lib/libssl/src/crypto/ecdsa/Makefile
+++ b/src/lib/libssl/src/crypto/ecdsa/Makefile
@@ -92,14 +92,18 @@ ecs_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 ecs_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 ecs_err.o: ecs_err.c
 ecs_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-ecs_lib.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-ecs_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ecs_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+ecs_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ecs_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 ecs_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
-ecs_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-ecs_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-ecs_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-ecs_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ecs_lib.o: ecs_lib.c ecs_locl.h
+ecs_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+ecs_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ecs_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+ecs_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ecs_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+ecs_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ecs_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ecs_lib.o: ../../include/openssl/x509_vfy.h ecs_lib.c ecs_locl.h
 ecs_ossl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 ecs_ossl.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
 ecs_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
@@ -110,16 +114,26 @@ ecs_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 ecs_ossl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 ecs_ossl.o: ../../include/openssl/symhacks.h ecs_locl.h ecs_ossl.c
 ecs_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-ecs_sign.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-ecs_sign.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
-ecs_sign.o: ../../include/openssl/engine.h ../../include/openssl/opensslconf.h
+ecs_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ecs_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ecs_sign.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+ecs_sign.o: ../../include/openssl/engine.h ../../include/openssl/evp.h
+ecs_sign.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ecs_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 ecs_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-ecs_sign.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-ecs_sign.o: ../../include/openssl/symhacks.h ecs_locl.h ecs_sign.c
+ecs_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+ecs_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ecs_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ecs_sign.o: ../../include/openssl/x509_vfy.h ecs_locl.h ecs_sign.c
 ecs_vrf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-ecs_vrf.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-ecs_vrf.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
-ecs_vrf.o: ../../include/openssl/engine.h ../../include/openssl/opensslconf.h
+ecs_vrf.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ecs_vrf.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ecs_vrf.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+ecs_vrf.o: ../../include/openssl/engine.h ../../include/openssl/evp.h
+ecs_vrf.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ecs_vrf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 ecs_vrf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-ecs_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-ecs_vrf.o: ../../include/openssl/symhacks.h ecs_locl.h ecs_vrf.c
+ecs_vrf.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+ecs_vrf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ecs_vrf.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ecs_vrf.o: ../../include/openssl/x509_vfy.h ecs_locl.h ecs_vrf.c
diff --git a/src/lib/libssl/src/crypto/engine/Makefile b/src/lib/libssl/src/crypto/engine/Makefile
index 13f211a0ae..47cc619b8a 100644
--- a/src/lib/libssl/src/crypto/engine/Makefile
+++ b/src/lib/libssl/src/crypto/engine/Makefile
@@ -82,88 +82,142 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-eng_all.o: ../../e_os.h ../../include/openssl/bio.h
-eng_all.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_all.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_all.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-eng_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-eng_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-eng_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-eng_all.o: ../cryptlib.h eng_all.c eng_int.h
-eng_cnf.o: ../../e_os.h ../../include/openssl/bio.h
-eng_cnf.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-eng_cnf.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_all.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_all.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_all.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_all.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_all.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_all.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+eng_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_all.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_all.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_all.c eng_int.h
+eng_cnf.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_cnf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_cnf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+eng_cnf.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+eng_cnf.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 eng_cnf.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-eng_cnf.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-eng_cnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_cnf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_cnf.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_cnf.c eng_int.h
+eng_cnf.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+eng_cnf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_cnf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+eng_cnf.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_cnf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+eng_cnf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_cnf.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+eng_cnf.o: ../cryptlib.h eng_cnf.c eng_int.h
 eng_cryptodev.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-eng_cryptodev.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-eng_cryptodev.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_cryptodev.o: ../../include/openssl/evp.h ../../include/openssl/obj_mac.h
+eng_cryptodev.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+eng_cryptodev.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_cryptodev.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_cryptodev.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_cryptodev.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+eng_cryptodev.o: ../../include/openssl/obj_mac.h
 eng_cryptodev.o: ../../include/openssl/objects.h
 eng_cryptodev.o: ../../include/openssl/opensslconf.h
 eng_cryptodev.o: ../../include/openssl/opensslv.h
-eng_cryptodev.o: ../../include/openssl/ossl_typ.h
-eng_cryptodev.o: ../../include/openssl/safestack.h
+eng_cryptodev.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_cryptodev.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 eng_cryptodev.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_cryptodev.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 eng_cryptodev.o: eng_cryptodev.c
-eng_ctrl.o: ../../e_os.h ../../include/openssl/bio.h
-eng_ctrl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_ctrl.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_ctrl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-eng_ctrl.o: ../../include/openssl/opensslconf.h
+eng_ctrl.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_ctrl.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_ctrl.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_ctrl.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_ctrl.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_ctrl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_ctrl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_ctrl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 eng_ctrl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_ctrl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_ctrl.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_ctrl.c eng_int.h
-eng_dyn.o: ../../e_os.h ../../include/openssl/bio.h
-eng_dyn.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_dyn.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+eng_ctrl.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_ctrl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_ctrl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_ctrl.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_ctrl.c eng_int.h
+eng_dyn.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_dyn.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_dyn.o: ../../include/openssl/crypto.h ../../include/openssl/dso.h
+eng_dyn.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+eng_dyn.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 eng_dyn.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-eng_dyn.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-eng_dyn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_dyn.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_dyn.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_dyn.c eng_int.h
-eng_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-eng_err.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+eng_dyn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+eng_dyn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_dyn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+eng_dyn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_dyn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+eng_dyn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_dyn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+eng_dyn.o: ../cryptlib.h eng_dyn.c eng_int.h
+eng_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+eng_err.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+eng_err.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+eng_err.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+eng_err.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+eng_err.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+eng_err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 eng_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-eng_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+eng_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 eng_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 eng_err.o: eng_err.c
-eng_fat.o: ../../e_os.h ../../include/openssl/bio.h
-eng_fat.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-eng_fat.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_fat.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_fat.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_fat.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+eng_fat.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+eng_fat.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 eng_fat.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-eng_fat.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-eng_fat.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_fat.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_fat.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_fat.c eng_int.h
-eng_init.o: ../../e_os.h ../../include/openssl/bio.h
-eng_init.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_init.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_init.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-eng_init.o: ../../include/openssl/opensslconf.h
+eng_fat.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+eng_fat.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_fat.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+eng_fat.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_fat.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+eng_fat.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_fat.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+eng_fat.o: ../cryptlib.h eng_fat.c eng_int.h
+eng_init.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_init.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_init.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_init.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_init.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_init.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_init.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_init.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 eng_init.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_init.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_init.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_init.c eng_int.h
-eng_lib.o: ../../e_os.h ../../include/openssl/bio.h
-eng_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-eng_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-eng_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-eng_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h eng_lib.c
-eng_list.o: ../../e_os.h ../../include/openssl/bio.h
-eng_list.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_list.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_list.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-eng_list.o: ../../include/openssl/opensslconf.h
+eng_init.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_init.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_init.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_init.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_init.c eng_int.h
+eng_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+eng_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+eng_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+eng_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+eng_lib.o: ../cryptlib.h eng_int.h eng_lib.c
+eng_list.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_list.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_list.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_list.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_list.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_list.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_list.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_list.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 eng_list.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_list.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_list.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h eng_list.c
+eng_list.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_list.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_list.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_list.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h eng_list.c
 eng_openssl.o: ../../e_os.h ../../include/openssl/asn1.h
 eng_openssl.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 eng_openssl.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
@@ -183,106 +237,166 @@ eng_openssl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 eng_openssl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 eng_openssl.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_openssl.c
 eng_padlock.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-eng_padlock.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-eng_padlock.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+eng_padlock.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_padlock.o: ../../include/openssl/crypto.h ../../include/openssl/dso.h
+eng_padlock.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+eng_padlock.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 eng_padlock.o: ../../include/openssl/engine.h ../../include/openssl/err.h
 eng_padlock.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 eng_padlock.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 eng_padlock.o: ../../include/openssl/opensslconf.h
 eng_padlock.o: ../../include/openssl/opensslv.h
-eng_padlock.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-eng_padlock.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_padlock.o: ../../include/openssl/symhacks.h eng_padlock.c
-eng_pkey.o: ../../e_os.h ../../include/openssl/bio.h
-eng_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_pkey.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-eng_pkey.o: ../../include/openssl/opensslconf.h
+eng_padlock.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_padlock.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+eng_padlock.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_padlock.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_padlock.o: ../../include/openssl/x509_vfy.h eng_padlock.c
+eng_pkey.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_pkey.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_pkey.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_pkey.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_pkey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_pkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 eng_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_pkey.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h eng_pkey.c
+eng_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_pkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h eng_pkey.c
 eng_table.o: ../../e_os.h ../../include/openssl/asn1.h
 eng_table.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 eng_table.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-eng_table.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-eng_table.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-eng_table.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_table.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_table.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_table.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_table.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_table.o: ../../include/openssl/objects.h
 eng_table.o: ../../include/openssl/opensslconf.h
 eng_table.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_table.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_table.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h
+eng_table.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_table.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_table.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_table.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h
 eng_table.o: eng_table.c
-tb_cipher.o: ../../e_os.h ../../include/openssl/bio.h
-tb_cipher.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_cipher.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_cipher.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_cipher.o: ../../e_os.h ../../include/openssl/asn1.h
+tb_cipher.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tb_cipher.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+tb_cipher.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+tb_cipher.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_cipher.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_cipher.o: ../../include/openssl/objects.h
 tb_cipher.o: ../../include/openssl/opensslconf.h
 tb_cipher.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_cipher.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-tb_cipher.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h
+tb_cipher.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_cipher.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_cipher.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_cipher.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h
 tb_cipher.o: tb_cipher.c
-tb_dh.o: ../../e_os.h ../../include/openssl/bio.h
+tb_dh.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 tb_dh.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_dh.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_dh.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_dh.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+tb_dh.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+tb_dh.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+tb_dh.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+tb_dh.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 tb_dh.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-tb_dh.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+tb_dh.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+tb_dh.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 tb_dh.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+tb_dh.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 tb_dh.o: ../cryptlib.h eng_int.h tb_dh.c
-tb_digest.o: ../../e_os.h ../../include/openssl/bio.h
-tb_digest.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_digest.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_digest.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_digest.o: ../../e_os.h ../../include/openssl/asn1.h
+tb_digest.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+tb_digest.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tb_digest.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+tb_digest.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+tb_digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_digest.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_digest.o: ../../include/openssl/objects.h
 tb_digest.o: ../../include/openssl/opensslconf.h
 tb_digest.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_digest.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-tb_digest.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h
+tb_digest.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_digest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_digest.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_digest.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h
 tb_digest.o: tb_digest.c
-tb_dsa.o: ../../e_os.h ../../include/openssl/bio.h
+tb_dsa.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 tb_dsa.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_dsa.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_dsa.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_dsa.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+tb_dsa.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+tb_dsa.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+tb_dsa.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+tb_dsa.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 tb_dsa.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-tb_dsa.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+tb_dsa.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+tb_dsa.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 tb_dsa.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+tb_dsa.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 tb_dsa.o: ../cryptlib.h eng_int.h tb_dsa.c
-tb_ecdh.o: ../../e_os.h ../../include/openssl/bio.h
-tb_ecdh.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_ecdh.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_ecdh.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-tb_ecdh.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-tb_ecdh.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-tb_ecdh.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-tb_ecdh.o: ../cryptlib.h eng_int.h tb_ecdh.c
-tb_ecdsa.o: ../../e_os.h ../../include/openssl/bio.h
-tb_ecdsa.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_ecdsa.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_ecdsa.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-tb_ecdsa.o: ../../include/openssl/opensslconf.h
+tb_ecdh.o: ../../e_os.h ../../include/openssl/asn1.h
+tb_ecdh.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+tb_ecdh.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tb_ecdh.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+tb_ecdh.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+tb_ecdh.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_ecdh.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_ecdh.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+tb_ecdh.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tb_ecdh.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_ecdh.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_ecdh.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_ecdh.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h tb_ecdh.c
+tb_ecdsa.o: ../../e_os.h ../../include/openssl/asn1.h
+tb_ecdsa.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+tb_ecdsa.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tb_ecdsa.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+tb_ecdsa.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+tb_ecdsa.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_ecdsa.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_ecdsa.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 tb_ecdsa.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_ecdsa.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-tb_ecdsa.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h tb_ecdsa.c
-tb_rand.o: ../../e_os.h ../../include/openssl/bio.h
-tb_rand.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_rand.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-tb_rand.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-tb_rand.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-tb_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-tb_rand.o: ../cryptlib.h eng_int.h tb_rand.c
-tb_rsa.o: ../../e_os.h ../../include/openssl/bio.h
+tb_ecdsa.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_ecdsa.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_ecdsa.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_ecdsa.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h tb_ecdsa.c
+tb_rand.o: ../../e_os.h ../../include/openssl/asn1.h
+tb_rand.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+tb_rand.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tb_rand.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+tb_rand.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+tb_rand.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_rand.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_rand.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+tb_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tb_rand.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_rand.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_rand.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_rand.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h tb_rand.c
+tb_rsa.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 tb_rsa.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_rsa.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_rsa.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_rsa.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+tb_rsa.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+tb_rsa.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+tb_rsa.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+tb_rsa.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 tb_rsa.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-tb_rsa.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+tb_rsa.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+tb_rsa.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 tb_rsa.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+tb_rsa.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 tb_rsa.o: ../cryptlib.h eng_int.h tb_rsa.c
-tb_store.o: ../../e_os.h ../../include/openssl/bio.h
-tb_store.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_store.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_store.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-tb_store.o: ../../include/openssl/opensslconf.h
+tb_store.o: ../../e_os.h ../../include/openssl/asn1.h
+tb_store.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+tb_store.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tb_store.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+tb_store.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+tb_store.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_store.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_store.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 tb_store.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_store.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-tb_store.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h tb_store.c
+tb_store.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_store.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_store.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_store.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h tb_store.c
diff --git a/src/lib/libssl/src/crypto/engine/eng_all.c b/src/lib/libssl/src/crypto/engine/eng_all.c
index 8599046717..d29cd57dc2 100644
--- a/src/lib/libssl/src/crypto/engine/eng_all.c
+++ b/src/lib/libssl/src/crypto/engine/eng_all.c
@@ -107,6 +107,9 @@ void ENGINE_load_builtin_engines(void)
 #if defined(__OpenBSD__) || defined(__FreeBSD__)
         ENGINE_load_cryptodev();
 #endif
+#if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)
+        ENGINE_load_capi();
+#endif
 #endif
         }
 
diff --git a/src/lib/libssl/src/crypto/engine/eng_cnf.c b/src/lib/libssl/src/crypto/engine/eng_cnf.c
index a97e01e619..8417ddaaef 100644
--- a/src/lib/libssl/src/crypto/engine/eng_cnf.c
+++ b/src/lib/libssl/src/crypto/engine/eng_cnf.c
@@ -98,6 +98,8 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
         CONF_VALUE *ecmd;
         char *ctrlname, *ctrlvalue;
         ENGINE *e = NULL;
+        int soft = 0;
+
         name = skip_dot(name);
 #ifdef ENGINE_CONF_DEBUG
         fprintf(stderr, "Configuring engine %s\n", name);
@@ -125,6 +127,8 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
                 /* Override engine name to use */
                 if (!strcmp(ctrlname, "engine_id"))
                         name = ctrlvalue;
+                else if (!strcmp(ctrlname, "soft_load"))
+                        soft = 1;
                 /* Load a dynamic ENGINE */
                 else if (!strcmp(ctrlname, "dynamic_path"))
                         {
@@ -147,6 +151,11 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
                         if (!e)
                                 {
                                 e = ENGINE_by_id(name);
+                                if (!e && soft)
+                                        {
+                                        ERR_clear_error();
+                                        return 1;
+                                        }
                                 if (!e)
                                         return 0;
                                 }
diff --git a/src/lib/libssl/src/crypto/engine/eng_err.c b/src/lib/libssl/src/crypto/engine/eng_err.c
index 369f2e22d3..574ffbb5c0 100644
--- a/src/lib/libssl/src/crypto/engine/eng_err.c
+++ b/src/lib/libssl/src/crypto/engine/eng_err.c
@@ -1,6 +1,6 @@
 /* crypto/engine/eng_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -92,6 +92,7 @@ static ERR_STRING_DATA ENGINE_str_functs[]=
 {ERR_FUNC(ENGINE_F_ENGINE_LIST_REMOVE), "ENGINE_LIST_REMOVE"},
 {ERR_FUNC(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY),    "ENGINE_load_private_key"},
 {ERR_FUNC(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY),     "ENGINE_load_public_key"},
+{ERR_FUNC(ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT),        "ENGINE_load_ssl_client_cert"},
 {ERR_FUNC(ENGINE_F_ENGINE_NEW), "ENGINE_new"},
 {ERR_FUNC(ENGINE_F_ENGINE_REMOVE),      "ENGINE_remove"},
 {ERR_FUNC(ENGINE_F_ENGINE_SET_DEFAULT_STRING),  "ENGINE_set_default_string"},
diff --git a/src/lib/libssl/src/crypto/engine/eng_int.h b/src/lib/libssl/src/crypto/engine/eng_int.h
index a5b1edebf4..a66f107a44 100644
--- a/src/lib/libssl/src/crypto/engine/eng_int.h
+++ b/src/lib/libssl/src/crypto/engine/eng_int.h
@@ -170,6 +170,8 @@ struct engine_st
         ENGINE_LOAD_KEY_PTR load_privkey;
         ENGINE_LOAD_KEY_PTR load_pubkey;
 
+        ENGINE_SSL_CLIENT_CERT_PTR load_ssl_client_cert;
+
         const ENGINE_CMD_DEFN *cmd_defns;
         int flags;
         /* reference count on the structure itself */
diff --git a/src/lib/libssl/src/crypto/engine/eng_pkey.c b/src/lib/libssl/src/crypto/engine/eng_pkey.c
index bc8b21abec..1dfa2e3664 100644
--- a/src/lib/libssl/src/crypto/engine/eng_pkey.c
+++ b/src/lib/libssl/src/crypto/engine/eng_pkey.c
@@ -69,6 +69,13 @@ int ENGINE_set_load_pubkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpub_f)
         return 1;
         }
 
+int ENGINE_set_load_ssl_client_cert_function(ENGINE *e,
+                                ENGINE_SSL_CLIENT_CERT_PTR loadssl_f)
+        {
+        e->load_ssl_client_cert = loadssl_f;
+        return 1;
+        }
+
 ENGINE_LOAD_KEY_PTR ENGINE_get_load_privkey_function(const ENGINE *e)
         {
         return e->load_privkey;
@@ -79,6 +86,11 @@ ENGINE_LOAD_KEY_PTR ENGINE_get_load_pubkey_function(const ENGINE *e)
         return e->load_pubkey;
         }
 
+ENGINE_SSL_CLIENT_CERT_PTR ENGINE_get_ssl_client_cert_function(const ENGINE *e)
+        {
+        return e->load_ssl_client_cert;
+        }
+
 /* API functions to load public/private keys */
 
 EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
@@ -152,3 +164,33 @@ EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
                 }
         return pkey;
         }
+
+int ENGINE_load_ssl_client_cert(ENGINE *e, SSL *s,
+        STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **ppkey,
+        STACK_OF(X509) **pother, UI_METHOD *ui_method, void *callback_data)
+        {
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(e->funct_ref == 0)
+                {
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT,
+                        ENGINE_R_NOT_INITIALISED);
+                return 0;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        if (!e->load_ssl_client_cert)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT,
+                        ENGINE_R_NO_LOAD_FUNCTION);
+                return 0;
+                }
+        return e->load_ssl_client_cert(e, s, ca_dn, pcert, ppkey, pother,
+                                        ui_method, callback_data);
+        }
diff --git a/src/lib/libssl/src/crypto/engine/engine.h b/src/lib/libssl/src/crypto/engine/engine.h
index 3ec59338ff..f503595ece 100644
--- a/src/lib/libssl/src/crypto/engine/engine.h
+++ b/src/lib/libssl/src/crypto/engine/engine.h
@@ -93,6 +93,8 @@
 #include <openssl/err.h>
 #endif
 
+#include <openssl/x509.h>
+
 #include <openssl/ossl_typ.h>
 #include <openssl/symhacks.h>
 
@@ -278,6 +280,9 @@ typedef int (*ENGINE_CTRL_FUNC_PTR)(ENGINE *, int, long, void *, void (*f)(void)
 /* Generic load_key function pointer */
 typedef EVP_PKEY * (*ENGINE_LOAD_KEY_PTR)(ENGINE *, const char *,
         UI_METHOD *ui_method, void *callback_data);
+typedef int (*ENGINE_SSL_CLIENT_CERT_PTR)(ENGINE *, SSL *ssl,
+        STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **pkey,
+        STACK_OF(X509) **pother, UI_METHOD *ui_method, void *callback_data);
 /* These callback types are for an ENGINE's handler for cipher and digest logic.
  * These handlers have these prototypes;
  *   int foo(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid);
@@ -334,6 +339,9 @@ void ENGINE_load_ubsec(void);
 void ENGINE_load_cryptodev(void);
 void ENGINE_load_padlock(void);
 void ENGINE_load_builtin_engines(void);
+#ifndef OPENSSL_NO_CAPIENG
+void ENGINE_load_capi(void);
+#endif
 
 /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
  * "registry" handling. */
@@ -459,6 +467,8 @@ int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f);
 int ENGINE_set_ctrl_function(ENGINE *e, ENGINE_CTRL_FUNC_PTR ctrl_f);
 int ENGINE_set_load_privkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpriv_f);
 int ENGINE_set_load_pubkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpub_f);
+int ENGINE_set_load_ssl_client_cert_function(ENGINE *e,
+                                ENGINE_SSL_CLIENT_CERT_PTR loadssl_f);
 int ENGINE_set_ciphers(ENGINE *e, ENGINE_CIPHERS_PTR f);
 int ENGINE_set_digests(ENGINE *e, ENGINE_DIGESTS_PTR f);
 int ENGINE_set_flags(ENGINE *e, int flags);
@@ -494,6 +504,7 @@ ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(const ENGINE *e);
 ENGINE_CTRL_FUNC_PTR ENGINE_get_ctrl_function(const ENGINE *e);
 ENGINE_LOAD_KEY_PTR ENGINE_get_load_privkey_function(const ENGINE *e);
 ENGINE_LOAD_KEY_PTR ENGINE_get_load_pubkey_function(const ENGINE *e);
+ENGINE_SSL_CLIENT_CERT_PTR ENGINE_get_ssl_client_cert_function(const ENGINE *e);
 ENGINE_CIPHERS_PTR ENGINE_get_ciphers(const ENGINE *e);
 ENGINE_DIGESTS_PTR ENGINE_get_digests(const ENGINE *e);
 const EVP_CIPHER *ENGINE_get_cipher(ENGINE *e, int nid);
@@ -529,6 +540,10 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
         UI_METHOD *ui_method, void *callback_data);
 EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
         UI_METHOD *ui_method, void *callback_data);
+int ENGINE_load_ssl_client_cert(ENGINE *e, SSL *s,
+        STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **ppkey,
+        STACK_OF(X509) **pother,
+        UI_METHOD *ui_method, void *callback_data);
 
 /* This returns a pointer for the current ENGINE structure that
  * is (by default) performing any RSA operations. The value returned
@@ -723,6 +738,7 @@ void ERR_load_ENGINE_strings(void);
 #define ENGINE_F_ENGINE_LIST_REMOVE                      121
 #define ENGINE_F_ENGINE_LOAD_PRIVATE_KEY                 150
 #define ENGINE_F_ENGINE_LOAD_PUBLIC_KEY                  151
+#define ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT             192
 #define ENGINE_F_ENGINE_NEW                              122
 #define ENGINE_F_ENGINE_REMOVE                           123
 #define ENGINE_F_ENGINE_SET_DEFAULT_STRING               189
diff --git a/src/lib/libssl/src/crypto/err/err.c b/src/lib/libssl/src/crypto/err/err.c
index b6ff070e8f..7952e70ab0 100644
--- a/src/lib/libssl/src/crypto/err/err.c
+++ b/src/lib/libssl/src/crypto/err/err.c
@@ -149,6 +149,7 @@ static ERR_STRING_DATA ERR_str_libraries[]=
 {ERR_PACK(ERR_LIB_DSO,0,0)              ,"DSO support routines"},
 {ERR_PACK(ERR_LIB_ENGINE,0,0)           ,"engine routines"},
 {ERR_PACK(ERR_LIB_OCSP,0,0)             ,"OCSP routines"},
+{ERR_PACK(ERR_LIB_FIPS,0,0)             ,"FIPS routines"},
 {ERR_PACK(ERR_LIB_CMS,0,0)              ,"CMS routines"},
 {0,NULL},
         };
diff --git a/src/lib/libssl/src/crypto/err/err.h b/src/lib/libssl/src/crypto/err/err.h
index bf28fce492..8d9f0da172 100644
--- a/src/lib/libssl/src/crypto/err/err.h
+++ b/src/lib/libssl/src/crypto/err/err.h
@@ -140,7 +140,8 @@ typedef struct err_state_st
 #define ERR_LIB_ECDSA           42
 #define ERR_LIB_ECDH            43
 #define ERR_LIB_STORE           44
-#define ERR_LIB_CMS             45
+#define ERR_LIB_FIPS            45
+#define ERR_LIB_CMS             46
 
 #define ERR_LIB_USER            128
 
@@ -172,6 +173,7 @@ typedef struct err_state_st
 #define ECDSAerr(f,r)  ERR_PUT_error(ERR_LIB_ECDSA,(f),(r),__FILE__,__LINE__)
 #define ECDHerr(f,r)  ERR_PUT_error(ERR_LIB_ECDH,(f),(r),__FILE__,__LINE__)
 #define STOREerr(f,r) ERR_PUT_error(ERR_LIB_STORE,(f),(r),__FILE__,__LINE__)
+#define FIPSerr(f,r) ERR_PUT_error(ERR_LIB_FIPS,(f),(r),__FILE__,__LINE__)
 #define CMSerr(f,r) ERR_PUT_error(ERR_LIB_CMS,(f),(r),__FILE__,__LINE__)
 
 /* Borland C seems too stupid to be able to shift and do longs in
diff --git a/src/lib/libssl/src/crypto/evp/Makefile b/src/lib/libssl/src/crypto/evp/Makefile
index 8f2555c7e5..9de56dc03d 100644
--- a/src/lib/libssl/src/crypto/evp/Makefile
+++ b/src/lib/libssl/src/crypto/evp/Makefile
@@ -135,13 +135,17 @@ bio_ok.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 bio_ok.o: ../../include/openssl/symhacks.h ../cryptlib.h bio_ok.c
 c_all.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 c_all.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-c_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-c_all.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-c_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-c_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-c_all.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-c_all.o: ../../include/openssl/symhacks.h ../cryptlib.h c_all.c
+c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+c_all.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+c_all.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+c_all.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+c_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+c_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+c_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+c_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+c_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+c_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+c_all.o: ../cryptlib.h c_all.c
 c_allc.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 c_allc.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 c_allc.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
@@ -170,13 +174,17 @@ c_alld.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 c_alld.o: ../cryptlib.h c_alld.c
 digest.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 digest.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-digest.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-digest.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-digest.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-digest.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-digest.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-digest.o: ../../include/openssl/symhacks.h ../cryptlib.h digest.c
+digest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+digest.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+digest.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+digest.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+digest.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+digest.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+digest.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+digest.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+digest.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+digest.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+digest.o: ../cryptlib.h digest.c
 e_aes.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
 e_aes.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
 e_aes.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@@ -312,13 +320,17 @@ evp_acnf.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_acnf.c
 evp_enc.o: ../../e_os.h ../../include/openssl/asn1.h
 evp_enc.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 evp_enc.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-evp_enc.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-evp_enc.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-evp_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-evp_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-evp_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-evp_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-evp_enc.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_enc.c evp_locl.h
+evp_enc.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+evp_enc.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+evp_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+evp_enc.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+evp_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+evp_enc.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+evp_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+evp_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+evp_enc.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+evp_enc.o: ../cryptlib.h evp_enc.c evp_locl.h
 evp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 evp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
diff --git a/src/lib/libssl/src/crypto/evp/evp.h b/src/lib/libssl/src/crypto/evp/evp.h
index c19d764c15..1aa2d6fb35 100644
--- a/src/lib/libssl/src/crypto/evp/evp.h
+++ b/src/lib/libssl/src/crypto/evp/evp.h
@@ -303,6 +303,8 @@ struct env_md_ctx_st
                                                 * cleaned */
 #define EVP_MD_CTX_FLAG_REUSE           0x0004 /* Don't free up ctx->md_data
                                                 * in EVP_MD_CTX_cleanup */
+#define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW  0x0008  /* Allow use of non FIPS digest
+                                                 * in FIPS mode */
 
 struct evp_cipher_st
         {
diff --git a/src/lib/libssl/src/crypto/evp/evp_enc.c b/src/lib/libssl/src/crypto/evp/evp_enc.c
index a1904993bf..6e582c458d 100644
--- a/src/lib/libssl/src/crypto/evp/evp_enc.c
+++ b/src/lib/libssl/src/crypto/evp/evp_enc.c
@@ -279,7 +279,12 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
         {
         int i,j,bl;
 
-        OPENSSL_assert(inl > 0);
+        if (inl <= 0)
+                {
+                *outl = 0;
+                return inl == 0;
+                }
+
         if(ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0)
                 {
                 if(ctx->cipher->do_cipher(ctx,out,in,inl))
@@ -381,10 +386,10 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
         int fix_len;
         unsigned int b;
 
-        if (inl == 0)
+        if (inl <= 0)
                 {
-                *outl=0;
-                return 1;
+                *outl = 0;
+                return inl == 0;
                 }
 
         if (ctx->flags & EVP_CIPH_NO_PADDING)
diff --git a/src/lib/libssl/src/crypto/hmac/hmac.c b/src/lib/libssl/src/crypto/hmac/hmac.c
index c45e001492..1d140f7adb 100644
--- a/src/lib/libssl/src/crypto/hmac/hmac.c
+++ b/src/lib/libssl/src/crypto/hmac/hmac.c
@@ -171,3 +171,10 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
         return(md);
         }
 
+void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
+        {
+        EVP_MD_CTX_set_flags(&ctx->i_ctx, flags);
+        EVP_MD_CTX_set_flags(&ctx->o_ctx, flags);
+        EVP_MD_CTX_set_flags(&ctx->md_ctx, flags);
+        }
+
diff --git a/src/lib/libssl/src/crypto/hmac/hmac.h b/src/lib/libssl/src/crypto/hmac/hmac.h
index 719fc408ac..fc38ffb52b 100644
--- a/src/lib/libssl/src/crypto/hmac/hmac.h
+++ b/src/lib/libssl/src/crypto/hmac/hmac.h
@@ -100,6 +100,7 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
                     const unsigned char *d, size_t n, unsigned char *md,
                     unsigned int *md_len);
 
+void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags);
 
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libssl/src/crypto/md32_common.h b/src/lib/libssl/src/crypto/md32_common.h
index 089c450290..61bcd9786f 100644
--- a/src/lib/libssl/src/crypto/md32_common.h
+++ b/src/lib/libssl/src/crypto/md32_common.h
@@ -301,7 +301,7 @@ int HASH_UPDATE (HASH_CTX *c, const void *data_, size_t len)
                 {
                 p=(unsigned char *)c->data;
 
-                if ((n+len) >= HASH_CBLOCK)
+                if (len >= HASH_CBLOCK || len+n >= HASH_CBLOCK)
                         {
                         memcpy (p+n,data,HASH_CBLOCK-n);
                         HASH_BLOCK_DATA_ORDER (c,p,1);
diff --git a/src/lib/libssl/src/crypto/objects/obj_mac.num b/src/lib/libssl/src/crypto/objects/obj_mac.num
index 47815b1e4e..53c9cb0d6a 100644
--- a/src/lib/libssl/src/crypto/objects/obj_mac.num
+++ b/src/lib/libssl/src/crypto/objects/obj_mac.num
@@ -788,3 +788,69 @@ id_ct_asciiTextWithCRLF		787
 id_aes128_wrap          788
 id_aes192_wrap          789
 id_aes256_wrap          790
+ecdsa_with_Recommended          791
+ecdsa_with_Specified            792
+ecdsa_with_SHA224               793
+ecdsa_with_SHA256               794
+ecdsa_with_SHA384               795
+ecdsa_with_SHA512               796
+hmacWithMD5             797
+hmacWithSHA224          798
+hmacWithSHA256          799
+hmacWithSHA384          800
+hmacWithSHA512          801
+dsa_with_SHA224         802
+dsa_with_SHA256         803
+whirlpool               804
+cryptopro               805
+cryptocom               806
+id_GostR3411_94_with_GostR3410_2001             807
+id_GostR3411_94_with_GostR3410_94               808
+id_GostR3411_94         809
+id_HMACGostR3411_94             810
+id_GostR3410_2001               811
+id_GostR3410_94         812
+id_Gost28147_89         813
+gost89_cnt              814
+id_Gost28147_89_MAC             815
+id_GostR3411_94_prf             816
+id_GostR3410_2001DH             817
+id_GostR3410_94DH               818
+id_Gost28147_89_CryptoPro_KeyMeshing            819
+id_Gost28147_89_None_KeyMeshing         820
+id_GostR3411_94_TestParamSet            821
+id_GostR3411_94_CryptoProParamSet               822
+id_Gost28147_89_TestParamSet            823
+id_Gost28147_89_CryptoPro_A_ParamSet            824
+id_Gost28147_89_CryptoPro_B_ParamSet            825
+id_Gost28147_89_CryptoPro_C_ParamSet            826
+id_Gost28147_89_CryptoPro_D_ParamSet            827
+id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet            828
+id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet            829
+id_Gost28147_89_CryptoPro_RIC_1_ParamSet                830
+id_GostR3410_94_TestParamSet            831
+id_GostR3410_94_CryptoPro_A_ParamSet            832
+id_GostR3410_94_CryptoPro_B_ParamSet            833
+id_GostR3410_94_CryptoPro_C_ParamSet            834
+id_GostR3410_94_CryptoPro_D_ParamSet            835
+id_GostR3410_94_CryptoPro_XchA_ParamSet         836
+id_GostR3410_94_CryptoPro_XchB_ParamSet         837
+id_GostR3410_94_CryptoPro_XchC_ParamSet         838
+id_GostR3410_2001_TestParamSet          839
+id_GostR3410_2001_CryptoPro_A_ParamSet          840
+id_GostR3410_2001_CryptoPro_B_ParamSet          841
+id_GostR3410_2001_CryptoPro_C_ParamSet          842
+id_GostR3410_2001_CryptoPro_XchA_ParamSet               843
+id_GostR3410_2001_CryptoPro_XchB_ParamSet               844
+id_GostR3410_94_a               845
+id_GostR3410_94_aBis            846
+id_GostR3410_94_b               847
+id_GostR3410_94_bBis            848
+id_Gost28147_89_cc              849
+id_GostR3410_94_cc              850
+id_GostR3410_2001_cc            851
+id_GostR3411_94_with_GostR3410_94_cc            852
+id_GostR3411_94_with_GostR3410_2001_cc          853
+id_GostR3410_2001_ParamSet_cc           854
+hmac            855
+LocalKeySet             856
diff --git a/src/lib/libssl/src/crypto/objects/objects.txt b/src/lib/libssl/src/crypto/objects/objects.txt
index 34c8d1d647..e009702e55 100644
--- a/src/lib/libssl/src/crypto/objects/objects.txt
+++ b/src/lib/libssl/src/crypto/objects/objects.txt
@@ -79,6 +79,12 @@ X9-62_primeCurve 7	 	: prime256v1
 !Alias id-ecSigType ansi-X9-62 4
 !global
 X9-62_id-ecSigType 1            : ecdsa-with-SHA1
+X9-62_id-ecSigType 2            : ecdsa-with-Recommended
+X9-62_id-ecSigType 3            : ecdsa-with-Specified
+ecdsa-with-Specified 1          : ecdsa-with-SHA224
+ecdsa-with-Specified 2          : ecdsa-with-SHA256
+ecdsa-with-Specified 3          : ecdsa-with-SHA384
+ecdsa-with-Specified 4          : ecdsa-with-SHA512
 
 # SECG curve OIDs from "SEC 2: Recommended Elliptic Curve Domain Parameters"
 # (http://www.secg.org/)
@@ -313,6 +319,7 @@ pkcs9 20		:			: friendlyName
 pkcs9 21                :                       : localKeyID
 !Cname ms-csp-name
 1 3 6 1 4 1 311 17 1    : CSPName               : Microsoft CSP Name
+1 3 6 1 4 1 311 17 2    : LocalKeySet           : Microsoft Local Key set
 !Alias certTypes pkcs9 22
 certTypes 1             :                       : x509Certificate
 certTypes 2             :                       : sdsiCertificate
@@ -348,7 +355,15 @@ rsadsi 2 2		: MD2			: md2
 rsadsi 2 4              : MD4                   : md4
 rsadsi 2 5              : MD5                   : md5
                         : MD5-SHA1              : md5-sha1
+rsadsi 2 6              :                       : hmacWithMD5
 rsadsi 2 7              :                       : hmacWithSHA1
+
+# From RFC4231
+rsadsi 2 8              :                       : hmacWithSHA224
+rsadsi 2 9              :                       : hmacWithSHA256
+rsadsi 2 10             :                       : hmacWithSHA384
+rsadsi 2 11             :                       : hmacWithSHA512
+
 rsadsi 3 2              : RC2-CBC               : rc2-cbc
                         : RC2-ECB               : rc2-ecb
 !Cname rc2-cfb64
@@ -833,6 +848,11 @@ nist_hashalgs 2		: SHA384		: sha384
 nist_hashalgs 3         : SHA512                : sha512
 nist_hashalgs 4         : SHA224                : sha224
 
+# OIDs for dsa-with-sha224 and dsa-with-sha256
+!Alias dsa_with_sha2 nistAlgorithms 3
+dsa_with_sha2 1         : dsa_with_SHA224
+dsa_with_sha2 2         : dsa_with_SHA256
+
 # Hold instruction CRL entry extension
 !Cname hold-instruction-code
 id-ce 23                : holdInstructionCode   : Hold Instruction Code
@@ -1070,13 +1090,93 @@ rsadsi 1 1 6		: rsaOAEPEncryptionSET
                         : Oakley-EC2N-3         : ipsec3
                         : Oakley-EC2N-4         : ipsec4
 
+iso 0 10118 3 0 55      : whirlpool
+
+# GOST OIDs
+
+member-body 643 2 2     : cryptopro
+member-body 643 2 9     : cryptocom
+
+cryptopro 3             : id-GostR3411-94-with-GostR3410-2001 : GOST R 34.11-94 with GOST R 34.10-2001
+cryptopro 4             : id-GostR3411-94-with-GostR3410-94 : GOST R 34.11-94 with GOST R 34.10-94
+!Cname id-GostR3411-94
+cryptopro 9             : md_gost94             : GOST R 34.11-94
+cryptopro 10            : id-HMACGostR3411-94   : HMAC GOST 34.11-94
+!Cname id-GostR3410-2001
+cryptopro 19            : gost2001      : GOST R 34.10-2001
+!Cname id-GostR3410-94
+cryptopro 20            : gost94        : GOST R 34.10-94
+!Cname id-Gost28147-89
+cryptopro 21            : gost89                : GOST 28147-89
+                        : gost89-cnt
+!Cname id-Gost28147-89-MAC
+cryptopro 22            : gost-mac      : GOST 28147-89 MAC
+!Cname id-GostR3411-94-prf
+cryptopro 23            : prf-gostr3411-94      : GOST R 34.11-94 PRF
+cryptopro 98            : id-GostR3410-2001DH   : GOST R 34.10-2001 DH
+cryptopro 99            : id-GostR3410-94DH     : GOST R 34.10-94 DH
+
+cryptopro 14 1          : id-Gost28147-89-CryptoPro-KeyMeshing
+cryptopro 14 0          : id-Gost28147-89-None-KeyMeshing
+
+# GOST parameter set OIDs
+
+cryptopro 30 0          : id-GostR3411-94-TestParamSet
+cryptopro 30 1          : id-GostR3411-94-CryptoProParamSet
+
+cryptopro 31 0          : id-Gost28147-89-TestParamSet
+cryptopro 31 1          : id-Gost28147-89-CryptoPro-A-ParamSet
+cryptopro 31 2          : id-Gost28147-89-CryptoPro-B-ParamSet
+cryptopro 31 3          : id-Gost28147-89-CryptoPro-C-ParamSet
+cryptopro 31 4          : id-Gost28147-89-CryptoPro-D-ParamSet
+cryptopro 31 5          : id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet
+cryptopro 31 6          : id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet
+cryptopro 31 7          : id-Gost28147-89-CryptoPro-RIC-1-ParamSet
+
+cryptopro 32 0          : id-GostR3410-94-TestParamSet
+cryptopro 32 2          : id-GostR3410-94-CryptoPro-A-ParamSet
+cryptopro 32 3          : id-GostR3410-94-CryptoPro-B-ParamSet
+cryptopro 32 4          : id-GostR3410-94-CryptoPro-C-ParamSet
+cryptopro 32 5          : id-GostR3410-94-CryptoPro-D-ParamSet
+
+cryptopro 33 1          : id-GostR3410-94-CryptoPro-XchA-ParamSet
+cryptopro 33 2          : id-GostR3410-94-CryptoPro-XchB-ParamSet
+cryptopro 33 3          : id-GostR3410-94-CryptoPro-XchC-ParamSet
+
+cryptopro 35 0          : id-GostR3410-2001-TestParamSet
+cryptopro 35 1          : id-GostR3410-2001-CryptoPro-A-ParamSet
+cryptopro 35 2          : id-GostR3410-2001-CryptoPro-B-ParamSet
+cryptopro 35 3          : id-GostR3410-2001-CryptoPro-C-ParamSet
+
+cryptopro 36 0          : id-GostR3410-2001-CryptoPro-XchA-ParamSet
+cryptopro 36 1          : id-GostR3410-2001-CryptoPro-XchB-ParamSet
+
+id-GostR3410-94 1       : id-GostR3410-94-a
+id-GostR3410-94 2       : id-GostR3410-94-aBis
+id-GostR3410-94 3       : id-GostR3410-94-b
+id-GostR3410-94 4       : id-GostR3410-94-bBis
+
+# Cryptocom LTD GOST OIDs
+
+cryptocom 1 6 1         : id-Gost28147-89-cc    : GOST 28147-89 Cryptocom ParamSet
+!Cname id-GostR3410-94-cc
+cryptocom 1 5 3         : gost94cc      : GOST 34.10-94 Cryptocom
+!Cname id-GostR3410-2001-cc
+cryptocom 1 5 4         : gost2001cc    : GOST 34.10-2001 Cryptocom
+
+cryptocom 1 3 3         : id-GostR3411-94-with-GostR3410-94-cc : GOST R 34.11-94 with GOST R 34.10-94 Cryptocom
+cryptocom 1 3 4         : id-GostR3411-94-with-GostR3410-2001-cc : GOST R 34.11-94 with GOST R 34.10-2001 Cryptocom
+
+cryptocom 1 8 1         : id-GostR3410-2001-ParamSet-cc : GOST R 3410-2001 Parameter Set Cryptocom
 
 # Definitions for Camellia cipher - CBC MODE
+
 1 2 392 200011 61 1 1 1 2 : CAMELLIA-128-CBC            : camellia-128-cbc
 1 2 392 200011 61 1 1 1 3 : CAMELLIA-192-CBC            : camellia-192-cbc
 1 2 392 200011 61 1 1 1 4 : CAMELLIA-256-CBC            : camellia-256-cbc
 
 # Definitions for Camellia cipher - ECB, CFB, OFB MODE
+
 !Alias ntt-ds 0 3 4401 5
 !Alias camellia ntt-ds 3 1 9 
 
@@ -1107,7 +1207,6 @@ camellia 44		: CAMELLIA-256-CFB		: camellia-256-cfb
                         : CAMELLIA-192-CFB8             : camellia-192-cfb8
                         : CAMELLIA-256-CFB8             : camellia-256-cfb8
 
-
 # Definitions for SEED cipher - ECB, CBC, OFB mode
 
 member-body 410 200004  : KISA          : kisa
@@ -1117,3 +1216,7 @@ kisa 1 4                : SEED-CBC      : seed-cbc
 kisa 1 5                : SEED-CFB      : seed-cfb
 !Cname seed-ofb128
 kisa 1 6                : SEED-OFB      : seed-ofb
+
+# There is no OID that just denotes "HMAC" oddly enough...
+
+                        : HMAC                          : hmac
diff --git a/src/lib/libssl/src/crypto/opensslv.h b/src/lib/libssl/src/crypto/opensslv.h
index b308894f18..5bdd370ac9 100644
--- a/src/lib/libssl/src/crypto/opensslv.h
+++ b/src/lib/libssl/src/crypto/opensslv.h
@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER  0x0090808fL
+#define OPENSSL_VERSION_NUMBER  0x0090809fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8h-fips 28 May 2008"
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8i-fips 15 Sep 2008"
 #else
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8h 28 May 2008"
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8i 15 Sep 2008"
 #endif
 #define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
diff --git a/src/lib/libssl/src/crypto/ossl_typ.h b/src/lib/libssl/src/crypto/ossl_typ.h
index 345fb1dc4d..734200428f 100644
--- a/src/lib/libssl/src/crypto/ossl_typ.h
+++ b/src/lib/libssl/src/crypto/ossl_typ.h
@@ -140,6 +140,8 @@ typedef struct X509_crl_st X509_CRL;
 typedef struct X509_name_st X509_NAME;
 typedef struct x509_store_st X509_STORE;
 typedef struct x509_store_ctx_st X509_STORE_CTX;
+typedef struct ssl_st SSL;
+typedef struct ssl_ctx_st SSL_CTX;
 
 typedef struct v3_ext_ctx X509V3_CTX;
 typedef struct conf_st CONF;
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_crt.c b/src/lib/libssl/src/crypto/pkcs12/p12_crt.c
index dbafda17b6..9748256b6f 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_crt.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_crt.c
@@ -63,6 +63,19 @@
 
 static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag);
 
+static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid)
+        {
+        int idx;
+        X509_ATTRIBUTE *attr;
+        idx = EVP_PKEY_get_attr_by_NID(pkey, nid, -1);
+        if (idx < 0)
+                return 1;
+        attr = EVP_PKEY_get_attr(pkey, idx);
+        if (!X509at_add1_attr(&bag->attrib, attr))
+                return 0;
+        return 1;
+        }
+
 PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
              STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter,
              int keytype)
@@ -122,20 +135,15 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 
         if (pkey)
                 {
-                int cspidx;
                 bag = PKCS12_add_key(&bags, pkey, keytype, iter, nid_key, pass);
 
                 if (!bag)
                         goto err;
 
-                cspidx = EVP_PKEY_get_attr_by_NID(pkey, NID_ms_csp_name, -1);
-                if (cspidx >= 0)
-                        {
-                        X509_ATTRIBUTE *cspattr;
-                        cspattr = EVP_PKEY_get_attr(pkey, cspidx);
-                        if (!X509at_add1_attr(&bag->attrib, cspattr))
-                                goto err;
-                        }
+                if (!copy_bag_attr(bag, pkey, NID_ms_csp_name))
+                        goto err;
+                if (!copy_bag_attr(bag, pkey, NID_LocalKeySet))
+                        goto err;
 
                 if(name && !PKCS12_add_friendlyname(bag, name, -1))
                         goto err;
diff --git a/src/lib/libssl/src/crypto/rand/Makefile b/src/lib/libssl/src/crypto/rand/Makefile
index 3c1ab5bbae..27694aa664 100644
--- a/src/lib/libssl/src/crypto/rand/Makefile
+++ b/src/lib/libssl/src/crypto/rand/Makefile
@@ -97,14 +97,19 @@ rand_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rand_err.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 rand_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 rand_err.o: rand_err.c
-rand_lib.o: ../../e_os.h ../../include/openssl/bio.h
-rand_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-rand_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-rand_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-rand_lib.o: ../../include/openssl/opensslconf.h
+rand_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+rand_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+rand_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+rand_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+rand_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+rand_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+rand_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+rand_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 rand_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-rand_lib.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+rand_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+rand_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 rand_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rand_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 rand_lib.o: ../cryptlib.h rand_lib.c
 rand_nw.o: ../../e_os.h ../../include/openssl/asn1.h
 rand_nw.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
diff --git a/src/lib/libssl/src/crypto/rsa/Makefile b/src/lib/libssl/src/crypto/rsa/Makefile
index 13900812ac..8f1c611800 100644
--- a/src/lib/libssl/src/crypto/rsa/Makefile
+++ b/src/lib/libssl/src/crypto/rsa/Makefile
@@ -133,12 +133,17 @@ rsa_gen.o: ../cryptlib.h rsa_gen.c
 rsa_lib.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-rsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-rsa_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+rsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+rsa_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+rsa_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+rsa_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+rsa_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 rsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-rsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-rsa_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+rsa_lib.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+rsa_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 rsa_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rsa_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 rsa_lib.o: ../cryptlib.h rsa_lib.c
 rsa_none.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_none.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
diff --git a/src/lib/libssl/src/crypto/rsa/rsa.h b/src/lib/libssl/src/crypto/rsa/rsa.h
index 6b5e4f8a9a..3699afaaaf 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa.h
+++ b/src/lib/libssl/src/crypto/rsa/rsa.h
@@ -281,6 +281,7 @@ int	RSA_print_fp(FILE *fp, const RSA *r,int offset);
 int     RSA_print(BIO *bp, const RSA *r,int offset);
 #endif
 
+#ifndef OPENSSL_NO_RC4
 int i2d_RSA_NET(const RSA *a, unsigned char **pp,
                 int (*cb)(char *buf, int len, const char *prompt, int verify),
                 int sgckey);
@@ -294,6 +295,7 @@ int i2d_Netscape_RSA(const RSA *a, unsigned char **pp,
 RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length,
                       int (*cb)(char *buf, int len, const char *prompt,
                                 int verify));
+#endif
 
 /* The following 2 functions sign and verify a X509_SIG ASN1 object
  * inside PKCS#1 padded RSA encryption */
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_eay.c b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
index 272c5eed18..5a6eda7961 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_eay.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
@@ -150,16 +150,6 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void)
         return(&rsa_pkcs1_eay_meth);
         }
 
-/* Usage example;
- *    MONT_HELPER(rsa->_method_mod_p, bn_ctx, rsa->p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
- */
-#define MONT_HELPER(method_mod, ctx, m, pre_cond, err_instr) \
-        if ((pre_cond) && ((method_mod) == NULL) && \
-                        !BN_MONT_CTX_set_locked(&(method_mod), \
-                                CRYPTO_LOCK_RSA, \
-                                (m), (ctx))) \
-                err_instr
-
 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
              unsigned char *to, RSA *rsa, int padding)
         {
@@ -233,7 +223,9 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
                 goto err;
                 }
 
-        MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+        if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+                if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                        goto err;
 
         if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
                 rsa->_method_mod_n)) goto err;
@@ -460,7 +452,9 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                 else
                         d= rsa->d;
 
-                MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+                if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+                        if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                                goto err;
 
                 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
                                 rsa->_method_mod_n)) goto err;
@@ -581,7 +575,9 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                 else
                         d = rsa->d;
 
-                MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+                if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+                        if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                                goto err;
                 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
                                 rsa->_method_mod_n))
                   goto err;
@@ -691,7 +687,9 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
                 goto err;
                 }
 
-        MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+        if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+                if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                        goto err;
 
         if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
                 rsa->_method_mod_n)) goto err;
@@ -769,11 +767,18 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
                         q = rsa->q;
                         }
 
-                MONT_HELPER(rsa->_method_mod_p, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
-                MONT_HELPER(rsa->_method_mod_q, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
+                if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
+                        {
+                        if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
+                                goto err;
+                        if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
+                                goto err;
+                        }
         }
 
-        MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+        if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+                if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                        goto err;
 
         /* compute I mod q */
         if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_ssl.c b/src/lib/libssl/src/crypto/rsa/rsa_ssl.c
index ea72629494..cfeff15bc9 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_ssl.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_ssl.c
@@ -130,7 +130,7 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
                 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_NULL_BEFORE_BLOCK_MISSING);
                 return(-1);
                 }
-        for (k= -8; k<0; k++)
+        for (k = -9; k<-1; k++)
                 {
                 if (p[k] !=  0x03) break;
                 }
diff --git a/src/lib/libssl/src/crypto/sha/asm/sha1-586.pl b/src/lib/libssl/src/crypto/sha/asm/sha1-586.pl
index 0b4dab2bd5..a787dd37da 100644
--- a/src/lib/libssl/src/crypto/sha/asm/sha1-586.pl
+++ b/src/lib/libssl/src/crypto/sha/asm/sha1-586.pl
@@ -149,7 +149,7 @@ sub BODY_40_59
         &add($f,$e);                    # f+=ROTATE(a,5)
         }
 
-&function_begin("sha1_block_data_order",16);
+&function_begin("sha1_block_data_order");
         &mov($tmp1,&wparam(0)); # SHA_CTX *c
         &mov($T,&wparam(1));    # const void *input
         &mov($A,&wparam(2));    # size_t num
diff --git a/src/lib/libssl/src/crypto/stack/safestack.h b/src/lib/libssl/src/crypto/stack/safestack.h
index 78cc485e6d..40b17902e0 100644
--- a/src/lib/libssl/src/crypto/stack/safestack.h
+++ b/src/lib/libssl/src/crypto/stack/safestack.h
@@ -986,6 +986,50 @@ STACK_OF(type) \
 #define sk_MIME_HEADER_sort(st) SKM_sk_sort(MIME_HEADER, (st))
 #define sk_MIME_HEADER_is_sorted(st) SKM_sk_is_sorted(MIME_HEADER, (st))
 
+#define sk_MIME_HEADER_new(st) SKM_sk_new(MIME_HEADER, (st))
+#define sk_MIME_HEADER_new_null() SKM_sk_new_null(MIME_HEADER)
+#define sk_MIME_HEADER_free(st) SKM_sk_free(MIME_HEADER, (st))
+#define sk_MIME_HEADER_num(st) SKM_sk_num(MIME_HEADER, (st))
+#define sk_MIME_HEADER_value(st, i) SKM_sk_value(MIME_HEADER, (st), (i))
+#define sk_MIME_HEADER_set(st, i, val) SKM_sk_set(MIME_HEADER, (st), (i), (val))
+#define sk_MIME_HEADER_zero(st) SKM_sk_zero(MIME_HEADER, (st))
+#define sk_MIME_HEADER_push(st, val) SKM_sk_push(MIME_HEADER, (st), (val))
+#define sk_MIME_HEADER_unshift(st, val) SKM_sk_unshift(MIME_HEADER, (st), (val))
+#define sk_MIME_HEADER_find(st, val) SKM_sk_find(MIME_HEADER, (st), (val))
+#define sk_MIME_HEADER_find_ex(st, val) SKM_sk_find_ex(MIME_HEADER, (st), (val))
+#define sk_MIME_HEADER_delete(st, i) SKM_sk_delete(MIME_HEADER, (st), (i))
+#define sk_MIME_HEADER_delete_ptr(st, ptr) SKM_sk_delete_ptr(MIME_HEADER, (st), (ptr))
+#define sk_MIME_HEADER_insert(st, val, i) SKM_sk_insert(MIME_HEADER, (st), (val), (i))
+#define sk_MIME_HEADER_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(MIME_HEADER, (st), (cmp))
+#define sk_MIME_HEADER_dup(st) SKM_sk_dup(MIME_HEADER, st)
+#define sk_MIME_HEADER_pop_free(st, free_func) SKM_sk_pop_free(MIME_HEADER, (st), (free_func))
+#define sk_MIME_HEADER_shift(st) SKM_sk_shift(MIME_HEADER, (st))
+#define sk_MIME_HEADER_pop(st) SKM_sk_pop(MIME_HEADER, (st))
+#define sk_MIME_HEADER_sort(st) SKM_sk_sort(MIME_HEADER, (st))
+#define sk_MIME_HEADER_is_sorted(st) SKM_sk_is_sorted(MIME_HEADER, (st))
+
+#define sk_MIME_PARAM_new(st) SKM_sk_new(MIME_PARAM, (st))
+#define sk_MIME_PARAM_new_null() SKM_sk_new_null(MIME_PARAM)
+#define sk_MIME_PARAM_free(st) SKM_sk_free(MIME_PARAM, (st))
+#define sk_MIME_PARAM_num(st) SKM_sk_num(MIME_PARAM, (st))
+#define sk_MIME_PARAM_value(st, i) SKM_sk_value(MIME_PARAM, (st), (i))
+#define sk_MIME_PARAM_set(st, i, val) SKM_sk_set(MIME_PARAM, (st), (i), (val))
+#define sk_MIME_PARAM_zero(st) SKM_sk_zero(MIME_PARAM, (st))
+#define sk_MIME_PARAM_push(st, val) SKM_sk_push(MIME_PARAM, (st), (val))
+#define sk_MIME_PARAM_unshift(st, val) SKM_sk_unshift(MIME_PARAM, (st), (val))
+#define sk_MIME_PARAM_find(st, val) SKM_sk_find(MIME_PARAM, (st), (val))
+#define sk_MIME_PARAM_find_ex(st, val) SKM_sk_find_ex(MIME_PARAM, (st), (val))
+#define sk_MIME_PARAM_delete(st, i) SKM_sk_delete(MIME_PARAM, (st), (i))
+#define sk_MIME_PARAM_delete_ptr(st, ptr) SKM_sk_delete_ptr(MIME_PARAM, (st), (ptr))
+#define sk_MIME_PARAM_insert(st, val, i) SKM_sk_insert(MIME_PARAM, (st), (val), (i))
+#define sk_MIME_PARAM_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(MIME_PARAM, (st), (cmp))
+#define sk_MIME_PARAM_dup(st) SKM_sk_dup(MIME_PARAM, st)
+#define sk_MIME_PARAM_pop_free(st, free_func) SKM_sk_pop_free(MIME_PARAM, (st), (free_func))
+#define sk_MIME_PARAM_shift(st) SKM_sk_shift(MIME_PARAM, (st))
+#define sk_MIME_PARAM_pop(st) SKM_sk_pop(MIME_PARAM, (st))
+#define sk_MIME_PARAM_sort(st) SKM_sk_sort(MIME_PARAM, (st))
+#define sk_MIME_PARAM_is_sorted(st) SKM_sk_is_sorted(MIME_PARAM, (st))
+
 #define sk_MIME_PARAM_new(st) SKM_sk_new(MIME_PARAM, (st))
 #define sk_MIME_PARAM_new_null() SKM_sk_new_null(MIME_PARAM)
 #define sk_MIME_PARAM_free(st) SKM_sk_free(MIME_PARAM, (st))
diff --git a/src/lib/libssl/src/crypto/x509/x509_att.c b/src/lib/libssl/src/crypto/x509/x509_att.c
index 511b49d589..98460e8921 100644
--- a/src/lib/libssl/src/crypto/x509/x509_att.c
+++ b/src/lib/libssl/src/crypto/x509/x509_att.c
@@ -245,7 +245,7 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
                 goto err;
         if (!X509_ATTRIBUTE_set1_data(ret,atrtype,data,len))
                 goto err;
-        
+
         if ((attr != NULL) && (*attr == NULL)) *attr=ret;
         return(ret);
 err:
@@ -302,8 +302,15 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *dat
                 atype = attrtype;
         }
         if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
+        attr->single = 0;
+        /* This is a bit naughty because the attribute should really have
+         * at least one value but some types use and zero length SET and
+         * require this.
+         */
+        if (attrtype == 0)
+                return 1;
         if(!(ttmp = ASN1_TYPE_new())) goto err;
-        if (len == -1)
+        if ((len == -1) && !(attrtype & MBSTRING_FLAG))
                 {
                 if (!ASN1_TYPE_set1(ttmp, attrtype, data))
                         goto err;
@@ -311,7 +318,6 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *dat
         else
                 ASN1_TYPE_set(ttmp, atype, stmp);
         if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
-        attr->single = 0;
         return 1;
         err:
         X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_MALLOC_FAILURE);
diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c
index 9a62ebcf67..336c40ddd7 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -394,7 +394,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 #ifdef OPENSSL_NO_CHAIN_VERIFY
         return 1;
 #else
-        int i, ok=0, must_be_ca;
+        int i, ok=0, must_be_ca, plen = 0;
         X509 *x;
         int (*cb)(int xok,X509_STORE_CTX *xctx);
         int proxy_path_length = 0;
@@ -495,9 +495,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                                 if (!ok) goto end;
                                 }
                         }
-                /* Check pathlen */
-                if ((i > 1) && (x->ex_pathlen != -1)
-                           && (i > (x->ex_pathlen + proxy_path_length + 1)))
+                /* Check pathlen if not self issued */
+                if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
+                           && (x->ex_pathlen != -1)
+                           && (plen > (x->ex_pathlen + proxy_path_length + 1)))
                         {
                         ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
                         ctx->error_depth = i;
@@ -505,6 +506,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                         ok=cb(0,ctx);
                         if (!ok) goto end;
                         }
+                /* Increment path length if not self issued */
+                if (!(x->ex_flags & EXFLAG_SI))
+                        plen++;
                 /* If this certificate is a proxy certificate, the next
                    certificate must be another proxy certificate or a EE
                    certificate.  If not, the next certificate must be a
diff --git a/src/lib/libssl/src/crypto/x509v3/pcy_data.c b/src/lib/libssl/src/crypto/x509v3/pcy_data.c
index 614d2b4935..4711b1ee92 100644
--- a/src/lib/libssl/src/crypto/x509v3/pcy_data.c
+++ b/src/lib/libssl/src/crypto/x509v3/pcy_data.c
@@ -87,6 +87,12 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
         X509_POLICY_DATA *ret;
         if (!policy && !id)
                 return NULL;
+        if (id)
+                {
+                id = OBJ_dup(id);
+                if (!id)
+                        return NULL;
+                }
         ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
         if (!ret)
                 return NULL;
@@ -94,6 +100,8 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
         if (!ret->expected_policy_set)
                 {
                 OPENSSL_free(ret);
+                if (id)
+                        ASN1_OBJECT_free(id);
                 return NULL;
                 }
 
diff --git a/src/lib/libssl/src/crypto/x509v3/pcy_tree.c b/src/lib/libssl/src/crypto/x509v3/pcy_tree.c
index 4fda1d419a..b1ce77b9af 100644
--- a/src/lib/libssl/src/crypto/x509v3/pcy_tree.c
+++ b/src/lib/libssl/src/crypto/x509v3/pcy_tree.c
@@ -130,9 +130,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                         ret = 2;
                 if (explicit_policy > 0)
                         {
-                        explicit_policy--;
-                        if (!(x->ex_flags & EXFLAG_SS)
-                                && (cache->explicit_skip != -1)
+                        if (!(x->ex_flags & EXFLAG_SI))
+                                explicit_policy--;
+                        if ((cache->explicit_skip != -1)
                                 && (cache->explicit_skip < explicit_policy))
                                 explicit_policy = cache->explicit_skip;
                         }
@@ -197,13 +197,14 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                         /* Any matching allowed if certificate is self
                          * issued and not the last in the chain.
                          */
-                        if (!(x->ex_flags & EXFLAG_SS) || (i == 0))
+                        if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
                                 level->flags |= X509_V_FLAG_INHIBIT_ANY;
                         }
                 else
                         {
-                        any_skip--;
-                        if ((cache->any_skip > 0)
+                        if (!(x->ex_flags & EXFLAG_SI))
+                                any_skip--;
+                        if ((cache->any_skip >= 0)
                                 && (cache->any_skip < any_skip))
                                 any_skip = cache->any_skip;
                         }
@@ -213,7 +214,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                 else
                         {
                         map_skip--;
-                        if ((cache->map_skip > 0)
+                        if ((cache->map_skip >= 0)
                                 && (cache->map_skip < map_skip))
                                 map_skip = cache->map_skip;
                         }
@@ -310,7 +311,8 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
 
                 if (data == NULL)
                         return 0;
-                data->qualifier_set = curr->anyPolicy->data->qualifier_set;
+                /* Curr may not have anyPolicy */
+                data->qualifier_set = cache->anyPolicy->qualifier_set;
                 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
                 if (!level_add_node(curr, data, node, tree))
                         {
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_addr.c b/src/lib/libssl/src/crypto/x509v3/v3_addr.c
index ed9847b307..c6730ab3fd 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_addr.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_addr.c
@@ -594,10 +594,10 @@ static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
     return NULL;
   switch (afi) {
   case IANA_AFI_IPV4:
-    sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
+    (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
     break;
   case IANA_AFI_IPV6:
-    sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
+    (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
     break;
   }
   f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
@@ -854,7 +854,7 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
       if (!make_addressRange(&merged, a_min, b_max, length))
         return 0;
       sk_IPAddressOrRange_set(aors, i, merged);
-      sk_IPAddressOrRange_delete(aors, i + 1);
+      (void)sk_IPAddressOrRange_delete(aors, i + 1);
       IPAddressOrRange_free(a);
       IPAddressOrRange_free(b);
       --i;
@@ -1122,7 +1122,7 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
     return 1;
   if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
     return 0;
-  sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
+  (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
   for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
     IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
     int j = sk_IPAddressFamily_find(b, fa);
@@ -1183,7 +1183,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
   }
   if (!v3_addr_is_canonical(ext))
     validation_err(X509_V_ERR_INVALID_EXTENSION);
-  sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
+  (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
   if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
     X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
     ret = 0;
@@ -1209,7 +1209,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
       }
       continue;
     }
-    sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
+    (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
     for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
       IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
       int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_asid.c b/src/lib/libssl/src/crypto/x509v3/v3_asid.c
index 271930f967..abd497ed1f 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_asid.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_asid.c
@@ -466,7 +466,7 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
         break;
       }
       ASIdOrRange_free(b);
-      sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
+      (void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
       i--;
       continue;
     }
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_purp.c b/src/lib/libssl/src/crypto/x509v3/v3_purp.c
index b2f5cdfa05..c54e7887c7 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_purp.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_purp.c
@@ -291,7 +291,9 @@ int X509_supported_extension(X509_EXTENSION *ex)
                 NID_sbgp_ipAddrBlock,   /* 290 */
                 NID_sbgp_autonomousSysNum, /* 291 */
 #endif
-                NID_proxyCertInfo       /* 661 */
+                NID_policy_constraints, /* 401 */
+                NID_proxyCertInfo,      /* 661 */
+                NID_inhibit_any_policy  /* 748 */
         };
 
         int ex_nid;
@@ -325,7 +327,7 @@ static void x509v3_cache_extensions(X509 *x)
 #endif
         /* Does subject name match issuer ? */
         if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
-                         x->ex_flags |= EXFLAG_SS;
+                         x->ex_flags |= EXFLAG_SI;
         /* V1 should mean no extensions ... */
         if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
         /* Handle basic constraints */
diff --git a/src/lib/libssl/src/crypto/x509v3/x509v3.h b/src/lib/libssl/src/crypto/x509v3/x509v3.h
index db2b0482c1..5ba59f71c9 100644
--- a/src/lib/libssl/src/crypto/x509v3/x509v3.h
+++ b/src/lib/libssl/src/crypto/x509v3/x509v3.h
@@ -363,6 +363,8 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
 #define EXFLAG_NSCERT           0x8
 
 #define EXFLAG_CA               0x10
+/* Really self issued not necessarily self signed */
+#define EXFLAG_SI               0x20
 #define EXFLAG_SS               0x20
 #define EXFLAG_V1               0x40
 #define EXFLAG_INVALID          0x80
@@ -370,7 +372,7 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
 #define EXFLAG_CRITICAL         0x200
 #define EXFLAG_PROXY            0x400
 
-#define EXFLAG_INVALID_POLICY   0x400
+#define EXFLAG_INVALID_POLICY   0x800
 
 #define KU_DIGITAL_SIGNATURE    0x0080
 #define KU_NON_REPUDIATION      0x0040
diff --git a/src/lib/libssl/src/doc/ssl/SSL_read.pod b/src/lib/libssl/src/doc/ssl/SSL_read.pod
index f6c37f77e4..7038cd2d75 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_read.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_read.pod
@@ -64,6 +64,11 @@ non-blocking socket, nothing is to be done, but select() can be used to check
 for the required condition. When using a buffering BIO, like a BIO pair, data
 must be written into or retrieved out of the BIO before being able to continue.
 
+L<SSL_pending(3)|SSL_pending(3)> can be used to find out whether there
+are buffered bytes available for immediate retrieval. In this case
+SSL_read() can be called without blocking or actually receiving new
+data from the underlying socket.
+
 =head1 WARNING
 
 When an SSL_read() operation has to be repeated because of
@@ -112,6 +117,7 @@ L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_write(3)|SSL_write(3)>,
 L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
 L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)>
 L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
+L<SSL_pending(3)|SSL_pending(3)>,
 L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
 L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
 
diff --git a/src/lib/libssl/src/engines/Makefile b/src/lib/libssl/src/engines/Makefile
index 88f8390d0e..dbf1bd7251 100644
--- a/src/lib/libssl/src/engines/Makefile
+++ b/src/lib/libssl/src/engines/Makefile
@@ -20,7 +20,7 @@ TEST=
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBNAMES= 4758cca aep atalla cswift gmp chil nuron sureware ubsec
+LIBNAMES= 4758cca aep atalla cswift gmp chil nuron sureware ubsec capi
 
 LIBSRC= e_4758cca.c \
         e_aep.c \
@@ -30,7 +30,8 @@ LIBSRC=	e_4758cca.c \
         e_chil.c \
         e_nuron.c \
         e_sureware.c \
-        e_ubsec.c
+        e_ubsec.c \
+        e_capi.c
 LIBOBJ= e_4758cca.o \
         e_aep.o \
         e_atalla.o \
@@ -39,7 +40,8 @@ LIBOBJ= e_4758cca.o \
         e_chil.o \
         e_nuron.o \
         e_sureware.o \
-        e_ubsec.o
+        e_ubsec.o \
+        e_capi.o
 
 SRC= $(LIBSRC)
 
@@ -52,7 +54,8 @@ HEADER=	e_4758cca_err.c e_4758cca_err.h \
         e_chil_err.c e_chil_err.h \
         e_nuron_err.c e_nuron_err.h \
         e_sureware_err.c e_sureware_err.h \
-        e_ubsec_err.c e_ubsec_err.h
+        e_ubsec_err.c e_ubsec_err.h \
+        e_capi_err.c e_capi_err.h
 
 ALL=    $(GENERAL) $(SRC) $(HEADER)
 
@@ -157,24 +160,47 @@ e_aep.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 e_aep.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 e_aep.o: ../include/openssl/crypto.h ../include/openssl/dh.h
 e_aep.o: ../include/openssl/dsa.h ../include/openssl/dso.h
-e_aep.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-e_aep.o: ../include/openssl/err.h ../include/openssl/lhash.h
+e_aep.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+e_aep.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+e_aep.o: ../include/openssl/engine.h ../include/openssl/err.h
+e_aep.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+e_aep.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
 e_aep.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-e_aep.o: ../include/openssl/ossl_typ.h ../include/openssl/rsa.h
-e_aep.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-e_aep.o: ../include/openssl/symhacks.h e_aep.c e_aep_err.c e_aep_err.h
+e_aep.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+e_aep.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+e_aep.o: ../include/openssl/sha.h ../include/openssl/stack.h
+e_aep.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
+e_aep.o: ../include/openssl/x509_vfy.h e_aep.c e_aep_err.c e_aep_err.h
 e_aep.o: vendor_defns/aep.h
 e_atalla.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 e_atalla.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 e_atalla.o: ../include/openssl/crypto.h ../include/openssl/dh.h
 e_atalla.o: ../include/openssl/dsa.h ../include/openssl/dso.h
-e_atalla.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-e_atalla.o: ../include/openssl/err.h ../include/openssl/lhash.h
+e_atalla.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+e_atalla.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+e_atalla.o: ../include/openssl/engine.h ../include/openssl/err.h
+e_atalla.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+e_atalla.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
 e_atalla.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-e_atalla.o: ../include/openssl/ossl_typ.h ../include/openssl/rsa.h
-e_atalla.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-e_atalla.o: ../include/openssl/symhacks.h e_atalla.c e_atalla_err.c
+e_atalla.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+e_atalla.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+e_atalla.o: ../include/openssl/sha.h ../include/openssl/stack.h
+e_atalla.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
+e_atalla.o: ../include/openssl/x509_vfy.h e_atalla.c e_atalla_err.c
 e_atalla.o: e_atalla_err.h vendor_defns/atalla.h
+e_capi.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+e_capi.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+e_capi.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+e_capi.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+e_capi.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+e_capi.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+e_capi.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+e_capi.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+e_capi.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+e_capi.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+e_capi.o: ../include/openssl/sha.h ../include/openssl/stack.h
+e_capi.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
+e_capi.o: ../include/openssl/x509_vfy.h e_capi.c
 e_chil.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 e_chil.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 e_chil.o: ../include/openssl/crypto.h ../include/openssl/dh.h
@@ -196,28 +222,46 @@ e_cswift.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 e_cswift.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 e_cswift.o: ../include/openssl/crypto.h ../include/openssl/dh.h
 e_cswift.o: ../include/openssl/dsa.h ../include/openssl/dso.h
-e_cswift.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-e_cswift.o: ../include/openssl/err.h ../include/openssl/lhash.h
+e_cswift.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+e_cswift.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+e_cswift.o: ../include/openssl/engine.h ../include/openssl/err.h
+e_cswift.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+e_cswift.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
 e_cswift.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-e_cswift.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
-e_cswift.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-e_cswift.o: ../include/openssl/stack.h ../include/openssl/symhacks.h e_cswift.c
+e_cswift.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+e_cswift.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+e_cswift.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+e_cswift.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+e_cswift.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h e_cswift.c
 e_cswift.o: e_cswift_err.c e_cswift_err.h vendor_defns/cswift.h
-e_gmp.o: ../include/openssl/buffer.h ../include/openssl/crypto.h
-e_gmp.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+e_gmp.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+e_gmp.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+e_gmp.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+e_gmp.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+e_gmp.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+e_gmp.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+e_gmp.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
 e_gmp.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-e_gmp.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
-e_gmp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h e_gmp.c
+e_gmp.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+e_gmp.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+e_gmp.o: ../include/openssl/sha.h ../include/openssl/stack.h
+e_gmp.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
+e_gmp.o: ../include/openssl/x509_vfy.h e_gmp.c
 e_nuron.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 e_nuron.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 e_nuron.o: ../include/openssl/crypto.h ../include/openssl/dh.h
 e_nuron.o: ../include/openssl/dsa.h ../include/openssl/dso.h
-e_nuron.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-e_nuron.o: ../include/openssl/err.h ../include/openssl/lhash.h
+e_nuron.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+e_nuron.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+e_nuron.o: ../include/openssl/engine.h ../include/openssl/err.h
+e_nuron.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+e_nuron.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
 e_nuron.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-e_nuron.o: ../include/openssl/ossl_typ.h ../include/openssl/rsa.h
-e_nuron.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-e_nuron.o: ../include/openssl/symhacks.h e_nuron.c e_nuron_err.c e_nuron_err.h
+e_nuron.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+e_nuron.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+e_nuron.o: ../include/openssl/sha.h ../include/openssl/stack.h
+e_nuron.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
+e_nuron.o: ../include/openssl/x509_vfy.h e_nuron.c e_nuron_err.c e_nuron_err.h
 e_sureware.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 e_sureware.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 e_sureware.o: ../include/openssl/crypto.h ../include/openssl/dh.h
@@ -240,10 +284,15 @@ e_ubsec.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 e_ubsec.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 e_ubsec.o: ../include/openssl/crypto.h ../include/openssl/dh.h
 e_ubsec.o: ../include/openssl/dsa.h ../include/openssl/dso.h
-e_ubsec.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-e_ubsec.o: ../include/openssl/err.h ../include/openssl/lhash.h
+e_ubsec.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+e_ubsec.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+e_ubsec.o: ../include/openssl/engine.h ../include/openssl/err.h
+e_ubsec.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+e_ubsec.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
 e_ubsec.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-e_ubsec.o: ../include/openssl/ossl_typ.h ../include/openssl/rsa.h
-e_ubsec.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-e_ubsec.o: ../include/openssl/symhacks.h e_ubsec.c e_ubsec_err.c e_ubsec_err.h
+e_ubsec.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+e_ubsec.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+e_ubsec.o: ../include/openssl/sha.h ../include/openssl/stack.h
+e_ubsec.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
+e_ubsec.o: ../include/openssl/x509_vfy.h e_ubsec.c e_ubsec_err.c e_ubsec_err.h
 e_ubsec.o: vendor_defns/hw_ubsec.h
diff --git a/src/lib/libssl/src/engines/e_capi.c b/src/lib/libssl/src/engines/e_capi.c
new file mode 100644
index 0000000000..e98946c85a
--- /dev/null
+++ b/src/lib/libssl/src/engines/e_capi.c
@@ -0,0 +1,1781 @@
+/* engines/e_capi.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/buffer.h>
+#include <openssl/rsa.h>
+#include <openssl/bn.h>
+
+#ifdef OPENSSL_SYS_WIN32
+#ifndef OPENSSL_NO_CAPIENG
+
+
+#include <windows.h>
+
+#ifndef _WIN32_WINNT
+#define _WIN32_WINNT 0x0400
+#endif
+
+#include <wincrypt.h>
+
+#undef X509_EXTENSIONS
+#undef X509_CERT_PAIR
+
+/* Definitions which may be missing from earlier version of headers */
+#ifndef CERT_STORE_OPEN_EXISTING_FLAG
+#define CERT_STORE_OPEN_EXISTING_FLAG                   0x00004000
+#endif
+
+#ifndef CERT_STORE_CREATE_NEW_FLAG
+#define CERT_STORE_CREATE_NEW_FLAG                      0x00002000
+#endif
+
+#include <openssl/engine.h>
+#include <openssl/pem.h>
+#include <openssl/x509v3.h>
+
+#include "e_capi_err.h"
+#include "e_capi_err.c"
+
+
+static const char *engine_capi_id = "capi";
+static const char *engine_capi_name = "CryptoAPI ENGINE";
+
+typedef struct CAPI_CTX_st CAPI_CTX;
+typedef struct CAPI_KEY_st CAPI_KEY;
+
+static void capi_addlasterror(void);
+static void capi_adderror(DWORD err);
+
+static void CAPI_trace(CAPI_CTX *ctx, char *format, ...);
+
+static int capi_list_providers(CAPI_CTX *ctx, BIO *out);
+static int capi_list_containers(CAPI_CTX *ctx, BIO *out);
+int capi_list_certs(CAPI_CTX *ctx, BIO *out, char *storename);
+void capi_free_key(CAPI_KEY *key);
+
+static PCCERT_CONTEXT capi_find_cert(CAPI_CTX *ctx, const char *id, HCERTSTORE hstore);
+
+CAPI_KEY *capi_find_key(CAPI_CTX *ctx, const char *id);
+
+static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data);
+static int capi_rsa_sign(int dtype, const unsigned char *m, unsigned int m_len,
+             unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
+static int capi_rsa_priv_enc(int flen, const unsigned char *from,
+                unsigned char *to, RSA *rsa, int padding);
+static int capi_rsa_priv_dec(int flen, const unsigned char *from,
+                unsigned char *to, RSA *rsa, int padding);
+static int capi_rsa_free(RSA *rsa);
+
+static DSA_SIG *capi_dsa_do_sign(const unsigned char *digest, int dlen,
+                                                        DSA *dsa);
+static int capi_dsa_free(DSA *dsa);
+
+static int capi_load_ssl_client_cert(ENGINE *e, SSL *ssl,
+        STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **pkey,
+        STACK_OF(X509) **pother, UI_METHOD *ui_method, void *callback_data);
+
+static int cert_select_simple(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs);
+#ifdef OPENSSL_CAPIENG_DIALOG
+static int cert_select_dialog(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs);
+#endif
+
+typedef PCCERT_CONTEXT (WINAPI *CERTDLG)(HCERTSTORE, HWND, LPCWSTR,
+                                                LPCWSTR, DWORD, DWORD,
+                                                void *);
+typedef HWND (WINAPI *GETCONSWIN)(void);
+
+/* This structure contains CAPI ENGINE specific data:
+ * it contains various global options and affects how
+ * other functions behave.
+ */
+
+#define CAPI_DBG_TRACE  2
+#define CAPI_DBG_ERROR  1
+
+struct CAPI_CTX_st {
+        int debug_level;
+        char *debug_file;
+        /* Parameters to use for container lookup */
+        DWORD keytype;
+        LPTSTR cspname;
+        DWORD csptype;
+        /* Certificate store name to use */
+        LPTSTR storename;
+        LPTSTR ssl_client_store;
+        /* System store flags */
+        DWORD store_flags;
+
+/* Lookup string meanings in load_private_key */
+/* Substring of subject: uses "storename" */
+#define CAPI_LU_SUBSTR          0
+/* Friendly name: uses storename */
+#define CAPI_LU_FNAME           1
+/* Container name: uses cspname, keytype */
+#define CAPI_LU_CONTNAME        2
+        int lookup_method;
+/* Info to dump with dumpcerts option */
+/* Issuer and serial name strings */
+#define CAPI_DMP_SUMMARY        0x1
+/* Friendly name */
+#define CAPI_DMP_FNAME          0x2
+/* Full X509_print dump */
+#define CAPI_DMP_FULL           0x4
+/* Dump PEM format certificate */
+#define CAPI_DMP_PEM            0x8
+/* Dump pseudo key (if possible) */
+#define CAPI_DMP_PSKEY          0x10
+/* Dump key info (if possible) */
+#define CAPI_DMP_PKEYINFO       0x20
+
+        DWORD dump_flags;
+        int (*client_cert_select)(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs);
+
+        CERTDLG certselectdlg;
+        GETCONSWIN getconswindow;
+};
+
+
+static CAPI_CTX *capi_ctx_new();
+static void capi_ctx_free(CAPI_CTX *ctx);
+static int capi_ctx_set_provname(CAPI_CTX *ctx, LPSTR pname, DWORD type, int check);
+static int capi_ctx_set_provname_idx(CAPI_CTX *ctx, int idx);
+
+#define CAPI_CMD_LIST_CERTS             ENGINE_CMD_BASE
+#define CAPI_CMD_LOOKUP_CERT            (ENGINE_CMD_BASE + 1)
+#define CAPI_CMD_DEBUG_LEVEL            (ENGINE_CMD_BASE + 2)
+#define CAPI_CMD_DEBUG_FILE             (ENGINE_CMD_BASE + 3)
+#define CAPI_CMD_KEYTYPE                (ENGINE_CMD_BASE + 4)
+#define CAPI_CMD_LIST_CSPS              (ENGINE_CMD_BASE + 5)
+#define CAPI_CMD_SET_CSP_IDX            (ENGINE_CMD_BASE + 6)
+#define CAPI_CMD_SET_CSP_NAME           (ENGINE_CMD_BASE + 7)
+#define CAPI_CMD_SET_CSP_TYPE           (ENGINE_CMD_BASE + 8)
+#define CAPI_CMD_LIST_CONTAINERS        (ENGINE_CMD_BASE + 9)
+#define CAPI_CMD_LIST_OPTIONS           (ENGINE_CMD_BASE + 10)
+#define CAPI_CMD_LOOKUP_METHOD          (ENGINE_CMD_BASE + 11)
+#define CAPI_CMD_STORE_NAME             (ENGINE_CMD_BASE + 12)
+#define CAPI_CMD_STORE_FLAGS            (ENGINE_CMD_BASE + 13)
+
+static const ENGINE_CMD_DEFN capi_cmd_defns[] = {
+        {CAPI_CMD_LIST_CERTS,
+                "list_certs",
+                "List all certificates in store",
+                ENGINE_CMD_FLAG_NO_INPUT},
+        {CAPI_CMD_LOOKUP_CERT,
+                "lookup_cert",
+                "Lookup and output certificates",
+                ENGINE_CMD_FLAG_STRING},
+        {CAPI_CMD_DEBUG_LEVEL,
+                "debug_level",
+                "debug level (1=errors, 2=trace)",
+                ENGINE_CMD_FLAG_NUMERIC},
+        {CAPI_CMD_DEBUG_FILE,
+                "debug_file",
+                "debugging filename)",
+                ENGINE_CMD_FLAG_STRING},
+        {CAPI_CMD_KEYTYPE,
+                "key_type",
+                "Key type: 1=AT_KEYEXCHANGE (default), 2=AT_SIGNATURE",
+                ENGINE_CMD_FLAG_NUMERIC},
+        {CAPI_CMD_LIST_CSPS,
+                "list_csps",
+                "List all CSPs",
+                ENGINE_CMD_FLAG_NO_INPUT},
+        {CAPI_CMD_SET_CSP_IDX,
+                "csp_idx",
+                "Set CSP by index",
+                ENGINE_CMD_FLAG_NUMERIC},
+        {CAPI_CMD_SET_CSP_NAME,
+                "csp_name",
+                "Set CSP name, (default CSP used if not specified)",
+                ENGINE_CMD_FLAG_STRING},
+        {CAPI_CMD_SET_CSP_TYPE,
+                "csp_type",
+                "Set CSP type, (default RSA_PROV_FULL)",
+                ENGINE_CMD_FLAG_NUMERIC},
+        {CAPI_CMD_LIST_CONTAINERS,
+                "list_containers",
+                "list container names",
+                ENGINE_CMD_FLAG_NO_INPUT},
+        {CAPI_CMD_LIST_OPTIONS,
+                "list_options",
+                "Set list options (1=summary,2=friendly name, 4=full printout, 8=PEM output, 16=XXX, "
+                "32=private key info)",
+                ENGINE_CMD_FLAG_NUMERIC},
+        {CAPI_CMD_LOOKUP_METHOD,
+                "lookup_method",
+                "Set key lookup method (1=substring, 2=friendlyname, 3=container name)",
+                ENGINE_CMD_FLAG_NUMERIC},
+        {CAPI_CMD_STORE_NAME,
+                "store_name",
+                "certificate store name, default \"MY\"",
+                ENGINE_CMD_FLAG_STRING},
+        {CAPI_CMD_STORE_FLAGS,
+                "store_flags",
+                "Certificate store flags: 1 = system store",
+                ENGINE_CMD_FLAG_NUMERIC},
+
+        {0, NULL, NULL, 0}
+        };
+
+static int capi_idx = -1;
+static int rsa_capi_idx = -1;
+static int dsa_capi_idx = -1;
+static int cert_capi_idx = -1;
+
+static int capi_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
+        {
+        int ret = 1;
+        CAPI_CTX *ctx;
+        BIO *out;
+        if (capi_idx == -1)
+                {
+                CAPIerr(CAPI_F_CAPI_CTRL, CAPI_R_ENGINE_NOT_INITIALIZED);
+                return 0;
+                }
+        ctx = ENGINE_get_ex_data(e, capi_idx);
+        out = BIO_new_fp(stdout, BIO_NOCLOSE);
+        switch (cmd)
+                {
+                case CAPI_CMD_LIST_CSPS:
+                ret = capi_list_providers(ctx, out);
+                break;
+
+                case CAPI_CMD_LIST_CERTS:
+                ret = capi_list_certs(ctx, out, NULL);
+                break;
+
+                case CAPI_CMD_LOOKUP_CERT:
+                ret = capi_list_certs(ctx, out, p);
+                break;
+
+                case CAPI_CMD_LIST_CONTAINERS:
+                ret = capi_list_containers(ctx, out);
+                break;
+
+                case CAPI_CMD_STORE_NAME:
+                if (ctx->storename)
+                        OPENSSL_free(ctx->storename);
+                ctx->storename = BUF_strdup(p);
+                CAPI_trace(ctx, "Setting store name to %s\n", p);
+                break;
+
+                case CAPI_CMD_STORE_FLAGS:
+                if (i & 1)
+                        {
+                        ctx->store_flags |= CERT_SYSTEM_STORE_LOCAL_MACHINE;
+                        ctx->store_flags &= ~CERT_SYSTEM_STORE_CURRENT_USER;
+                        }
+                else
+                        {
+                        ctx->store_flags |= CERT_SYSTEM_STORE_CURRENT_USER;
+                        ctx->store_flags &= ~CERT_SYSTEM_STORE_LOCAL_MACHINE;
+                        }
+                CAPI_trace(ctx, "Setting flags to %d\n", i);
+                break;
+
+                case CAPI_CMD_DEBUG_LEVEL:
+                ctx->debug_level = (int)i;
+                CAPI_trace(ctx, "Setting debug level to %d\n", ctx->debug_level);
+                break;
+
+                case CAPI_CMD_DEBUG_FILE:
+                ctx->debug_file = BUF_strdup(p);
+                CAPI_trace(ctx, "Setting debug file to %s\n", ctx->debug_file);
+                break;
+
+                case CAPI_CMD_KEYTYPE:
+                ctx->keytype = i;
+                CAPI_trace(ctx, "Setting key type to %d\n", ctx->keytype);
+                break;
+
+                case CAPI_CMD_SET_CSP_IDX:
+                ret = capi_ctx_set_provname_idx(ctx, i);
+                break;
+
+                case CAPI_CMD_LIST_OPTIONS:
+                ctx->dump_flags = i;
+                break;
+
+                case CAPI_CMD_LOOKUP_METHOD:
+                if (i < 1 || i > 3)
+                        {
+                        CAPIerr(CAPI_F_CAPI_CTRL, CAPI_R_INVALID_LOOKUP_METHOD);
+                        return 0;
+                        }
+                ctx->lookup_method = i;
+                break;
+
+                case CAPI_CMD_SET_CSP_NAME:
+                ret = capi_ctx_set_provname(ctx, p, ctx->csptype, 1);
+                break;
+
+                case CAPI_CMD_SET_CSP_TYPE:
+                ctx->csptype = i;
+                break;
+
+                default:
+                CAPIerr(CAPI_F_CAPI_CTRL, CAPI_R_UNKNOWN_COMMAND);
+                ret = 0;
+        }
+
+        BIO_free(out);
+        return ret;
+
+        }
+
+static RSA_METHOD capi_rsa_method =
+        {
+        "CryptoAPI RSA method",
+        0,                              /* pub_enc */
+        0,                              /* pub_dec */
+        capi_rsa_priv_enc,              /* priv_enc */
+        capi_rsa_priv_dec,              /* priv_dec */
+        0,                              /* rsa_mod_exp */
+        0,                              /* bn_mod_exp */
+        0,                              /* init */
+        capi_rsa_free,                  /* finish */
+        RSA_FLAG_SIGN_VER,              /* flags */
+        NULL,                           /* app_data */
+        capi_rsa_sign,                  /* rsa_sign */
+        0                               /* rsa_verify */
+        };
+
+static DSA_METHOD capi_dsa_method =
+        {
+        "CryptoAPI DSA method",
+        capi_dsa_do_sign,               /* dsa_do_sign */
+        0,                              /* dsa_sign_setup */
+        0,                              /* dsa_do_verify */
+        0,                              /* dsa_mod_exp */
+        0,                              /* bn_mod_exp */
+        0,                              /* init */
+        capi_dsa_free,                  /* finish */
+        0,                              /* flags */
+        NULL,                           /* app_data */
+        0,                              /* dsa_paramgen */
+        0                               /* dsa_keygen */
+        };
+
+static int capi_init(ENGINE *e)
+        {
+        CAPI_CTX *ctx;
+        const RSA_METHOD *ossl_rsa_meth;
+        const DSA_METHOD *ossl_dsa_meth;
+        capi_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL, 0);
+        cert_capi_idx = X509_get_ex_new_index(0, NULL, NULL, NULL, 0);
+
+        ctx = capi_ctx_new();
+        if (!ctx || (capi_idx < 0))
+                goto memerr;
+
+        ENGINE_set_ex_data(e, capi_idx, ctx);
+        /* Setup RSA_METHOD */
+        rsa_capi_idx = RSA_get_ex_new_index(0, NULL, NULL, NULL, 0);
+        ossl_rsa_meth = RSA_PKCS1_SSLeay();
+        capi_rsa_method.rsa_pub_enc = ossl_rsa_meth->rsa_pub_enc;
+        capi_rsa_method.rsa_pub_dec = ossl_rsa_meth->rsa_pub_dec;
+        capi_rsa_method.rsa_mod_exp = ossl_rsa_meth->rsa_mod_exp;
+        capi_rsa_method.bn_mod_exp = ossl_rsa_meth->bn_mod_exp;
+
+        /* Setup DSA Method */
+        dsa_capi_idx = DSA_get_ex_new_index(0, NULL, NULL, NULL, 0);
+        ossl_dsa_meth = DSA_OpenSSL();
+        capi_dsa_method.dsa_do_verify = ossl_dsa_meth->dsa_do_verify;
+        capi_dsa_method.dsa_mod_exp = ossl_dsa_meth->dsa_mod_exp;
+        capi_dsa_method.bn_mod_exp = ossl_dsa_meth->bn_mod_exp;
+
+#ifdef OPENSSL_CAPIENG_DIALOG
+        {
+        HMODULE cryptui = LoadLibrary(TEXT("CRYPTUI.DLL"));
+        HMODULE kernel = LoadLibrary(TEXT("KERNEL32.DLL"));
+        if (cryptui)
+                ctx->certselectdlg = (CERTDLG)GetProcAddress(cryptui, "CryptUIDlgSelectCertificateFromStore");
+        if (kernel)
+                ctx->getconswindow = (GETCONSWIN)GetProcAddress(kernel, "GetConsoleWindow");
+        if (cryptui && !OPENSSL_isservice())
+                ctx->client_cert_select = cert_select_dialog;
+        }
+#endif
+                
+
+        return 1;
+
+        memerr:
+        CAPIerr(CAPI_F_CAPI_INIT, ERR_R_MALLOC_FAILURE);
+        return 0;
+
+        return 1;
+        }
+
+static int capi_destroy(ENGINE *e)
+        {
+        ERR_unload_CAPI_strings();
+        return 1;
+        }
+
+static int capi_finish(ENGINE *e)
+        {
+        CAPI_CTX *ctx;
+        ctx = ENGINE_get_ex_data(e, capi_idx);
+        capi_ctx_free(ctx);
+        ENGINE_set_ex_data(e, capi_idx, NULL);
+        return 1;
+        }
+
+
+/* CryptoAPI key application data. This contains
+ * a handle to the private key container (for sign operations)
+ * and a handle to the key (for decrypt operations).
+ */
+
+struct CAPI_KEY_st
+        {
+        /* Associated certificate context (if any) */
+        PCCERT_CONTEXT pcert;
+        HCRYPTPROV hprov;
+        HCRYPTKEY key;
+        DWORD keyspec;
+        };
+
+static int bind_capi(ENGINE *e)
+        {
+        if (!ENGINE_set_id(e, engine_capi_id)
+                || !ENGINE_set_name(e, engine_capi_name)
+                || !ENGINE_set_init_function(e, capi_init)
+                || !ENGINE_set_finish_function(e, capi_finish)
+                || !ENGINE_set_destroy_function(e, capi_destroy)
+                || !ENGINE_set_RSA(e, &capi_rsa_method)
+                || !ENGINE_set_DSA(e, &capi_dsa_method)
+                || !ENGINE_set_load_privkey_function(e, capi_load_privkey)
+                || !ENGINE_set_load_ssl_client_cert_function(e,
+                                                capi_load_ssl_client_cert)
+                || !ENGINE_set_cmd_defns(e, capi_cmd_defns)
+                || !ENGINE_set_ctrl_function(e, capi_ctrl))
+                        return 0;
+        ERR_load_CAPI_strings();
+
+        return 1;
+
+        }
+
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+static int bind_helper(ENGINE *e, const char *id)
+        {
+        if(id && (strcmp(id, engine_capi_id) != 0))
+                return 0;
+        if(!bind_capi(e))
+                return 0;
+        return 1;
+        }       
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
+#else
+static ENGINE *engine_capi(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!bind_capi(ret))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+
+void ENGINE_load_capi(void)
+        {
+        /* Copied from eng_[openssl|dyn].c */
+        ENGINE *toadd = engine_capi();
+        if(!toadd) return;
+        ENGINE_add(toadd);
+        ENGINE_free(toadd);
+        ERR_clear_error();
+        }
+#endif
+
+
+static int lend_tobn(BIGNUM *bn, unsigned char *bin, int binlen)
+        {
+        int i;
+        /* Reverse buffer in place: since this is a keyblob structure
+         * that will be freed up after conversion anyway it doesn't 
+         * matter if we change it.
+         */
+        for(i = 0; i < binlen / 2; i++)
+                {
+                unsigned char c;
+                c = bin[i];
+                bin[i] = bin[binlen - i - 1];
+                bin[binlen - i - 1] = c;
+                }
+
+        if (!BN_bin2bn(bin, binlen, bn))
+                return 0;
+        return 1;
+        }
+
+/* Given a CAPI_KEY get an EVP_PKEY structure */
+
+static EVP_PKEY *capi_get_pkey(ENGINE *eng, CAPI_KEY *key)
+        {
+        unsigned char *pubkey = NULL;
+        DWORD len;
+        BLOBHEADER *bh;
+        RSA *rkey = NULL;
+        DSA *dkey = NULL;
+        EVP_PKEY *ret = NULL;
+        if (!CryptExportKey(key->key, 0, PUBLICKEYBLOB, 0, NULL, &len))
+                {
+                CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_PUBKEY_EXPORT_LENGTH_ERROR);
+                capi_addlasterror();
+                return NULL;
+                }
+
+        pubkey = OPENSSL_malloc(len);
+
+        if (!pubkey)
+                goto memerr;
+
+        if (!CryptExportKey(key->key, 0, PUBLICKEYBLOB, 0, pubkey, &len))
+                {
+                CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_PUBKEY_EXPORT_ERROR);
+                capi_addlasterror();
+                goto err;
+                }
+
+        bh = (BLOBHEADER *)pubkey;
+        if (bh->bType != PUBLICKEYBLOB)
+                {
+                CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_INVALID_PUBLIC_KEY_BLOB);
+                goto err;
+                }
+        if (bh->aiKeyAlg == CALG_RSA_SIGN || bh->aiKeyAlg == CALG_RSA_KEYX)
+                {
+                RSAPUBKEY *rp;
+                DWORD rsa_modlen;
+                unsigned char *rsa_modulus;
+                rp = (RSAPUBKEY *)(bh + 1);
+                if (rp->magic != 0x31415352)
+                        {
+                        char magstr[10];
+                        BIO_snprintf(magstr, 10, "%lx", rp->magic);
+                        CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_INVALID_RSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER);
+                        ERR_add_error_data(2, "magic=0x", magstr);
+                        goto err;
+                        }
+                rsa_modulus = (unsigned char *)(rp + 1);
+                rkey = RSA_new_method(eng);
+                if (!rkey)
+                        goto memerr;
+
+                rkey->e = BN_new();
+                rkey->n = BN_new();
+
+                if (!rkey->e || !rkey->n)
+                        goto memerr;
+
+                if (!BN_set_word(rkey->e, rp->pubexp))
+                        goto memerr;
+
+                rsa_modlen = rp->bitlen / 8;
+                if (!lend_tobn(rkey->n, rsa_modulus, rsa_modlen))
+                        goto memerr;
+
+                RSA_set_ex_data(rkey, rsa_capi_idx, key);
+
+                if (!(ret = EVP_PKEY_new()))
+                        goto memerr;
+
+                EVP_PKEY_assign_RSA(ret, rkey);
+                rkey = NULL;
+
+                }
+        else if (bh->aiKeyAlg == CALG_DSS_SIGN)
+                {
+                DSSPUBKEY *dp;
+                DWORD dsa_plen;
+                unsigned char *btmp;
+                dp = (DSSPUBKEY *)(bh + 1);
+                if (dp->magic != 0x31535344)
+                        {
+                        char magstr[10];
+                        BIO_snprintf(magstr, 10, "%lx", dp->magic);
+                        CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_INVALID_DSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER);
+                        ERR_add_error_data(2, "magic=0x", magstr);
+                        goto err;
+                        }
+                dsa_plen = dp->bitlen / 8;
+                btmp = (unsigned char *)(dp + 1);
+                dkey = DSA_new_method(eng);
+                if (!dkey)
+                        goto memerr;
+                dkey->p = BN_new();
+                dkey->q = BN_new();
+                dkey->g = BN_new();
+                dkey->pub_key = BN_new();
+                if (!dkey->p || !dkey->q || !dkey->g || !dkey->pub_key)
+                        goto memerr;
+                if (!lend_tobn(dkey->p, btmp, dsa_plen))
+                        goto memerr;
+                btmp += dsa_plen;
+                if (!lend_tobn(dkey->q, btmp, 20))
+                        goto memerr;
+                btmp += 20;
+                if (!lend_tobn(dkey->g, btmp, dsa_plen))
+                        goto memerr;
+                btmp += dsa_plen;
+                if (!lend_tobn(dkey->pub_key, btmp, dsa_plen))
+                        goto memerr;
+                btmp += dsa_plen;
+
+                DSA_set_ex_data(dkey, dsa_capi_idx, key);
+
+                if (!(ret = EVP_PKEY_new()))
+                        goto memerr;
+
+                EVP_PKEY_assign_DSA(ret, dkey);
+                dkey = NULL;
+                }
+        else
+                {
+                char algstr[10];
+                BIO_snprintf(algstr, 10, "%lx", bh->aiKeyAlg);
+                CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_UNSUPPORTED_PUBLIC_KEY_ALGORITHM);
+                ERR_add_error_data(2, "aiKeyAlg=0x", algstr);
+                goto err;
+                }
+
+
+        err:
+        if (pubkey)
+                OPENSSL_free(pubkey);
+        if (!ret)
+                {
+                if (rkey)
+                        RSA_free(rkey);
+                if (dkey)
+                        DSA_free(dkey);
+                }
+
+        return ret;
+
+memerr:
+        CAPIerr(CAPI_F_CAPI_GET_PKEY, ERR_R_MALLOC_FAILURE);
+        goto err;
+
+        }
+
+static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data)
+        {
+        CAPI_CTX *ctx;
+        CAPI_KEY *key;
+        EVP_PKEY *ret;
+        ctx = ENGINE_get_ex_data(eng, capi_idx);
+
+        if (!ctx)
+                {
+                CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_CANT_FIND_CAPI_CONTEXT);
+                return NULL;
+                }
+
+        key = capi_find_key(ctx, key_id);
+
+        if (!key)
+                return NULL;
+
+        ret = capi_get_pkey(eng, key);
+
+        if (!ret)
+                capi_free_key(key);
+        return ret;
+
+        }
+
+/* CryptoAPI RSA operations */
+
+int capi_rsa_priv_enc(int flen, const unsigned char *from,
+                unsigned char *to, RSA *rsa, int padding)
+        {
+        CAPIerr(CAPI_F_CAPI_RSA_PRIV_ENC, CAPI_R_FUNCTION_NOT_SUPPORTED);
+        return -1;
+        }
+
+int capi_rsa_sign(int dtype, const unsigned char *m, unsigned int m_len,
+             unsigned char *sigret, unsigned int *siglen, const RSA *rsa)
+        {
+        ALG_ID alg;
+        HCRYPTHASH hash;
+        DWORD slen;
+        unsigned int i;
+        int ret = -1;
+        CAPI_KEY *capi_key;
+        CAPI_CTX *ctx;
+
+        ctx = ENGINE_get_ex_data(rsa->engine, capi_idx);
+
+        CAPI_trace(ctx, "Called CAPI_rsa_sign()\n");
+
+        capi_key = RSA_get_ex_data(rsa, rsa_capi_idx);
+        if (!capi_key)
+                {
+                CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_CANT_GET_KEY);
+                return -1;
+                }
+/* Convert the signature type to a CryptoAPI algorithm ID */
+        switch(dtype)
+                {
+        case NID_sha1:
+                alg = CALG_SHA1;
+                break;
+
+        case NID_md5:
+                alg = CALG_MD5;
+                break;
+
+        case NID_md5_sha1:
+                alg = CALG_SSL3_SHAMD5;
+                break;
+        default:
+                {
+                char algstr[10];
+                BIO_snprintf(algstr, 10, "%lx", dtype);
+                CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_UNSUPPORTED_ALGORITHM_NID);
+                ERR_add_error_data(2, "NID=0x", algstr);
+                return -1;
+                }
+        }
+
+
+
+/* Create the hash object */
+        if(!CryptCreateHash(capi_key->hprov, alg, 0, 0, &hash))
+                {
+                CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_CANT_CREATE_HASH_OBJECT);
+                capi_addlasterror();
+                return -1;
+                }
+/* Set the hash value to the value passed */
+
+        if(!CryptSetHashParam(hash, HP_HASHVAL, (unsigned char *)m, 0))
+                {
+                CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_CANT_SET_HASH_VALUE);
+                capi_addlasterror();
+                goto err;
+                }
+
+
+/* Finally sign it */
+        slen = RSA_size(rsa);
+        if(!CryptSignHash(hash, capi_key->keyspec, NULL, 0, sigret, &slen))
+                {
+                CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_ERROR_SIGNING_HASH);
+                capi_addlasterror();
+                goto err;
+                }
+        else
+                {
+                ret = 1;
+                /* Inplace byte reversal of signature */
+                for(i = 0; i < slen / 2; i++)
+                        {
+                        unsigned char c;
+                        c = sigret[i];
+                        sigret[i] = sigret[slen - i - 1];
+                        sigret[slen - i - 1] = c;
+                        }
+                *siglen = slen;
+                }
+
+        /* Now cleanup */
+
+err:
+        CryptDestroyHash(hash);
+
+        return ret;
+        }
+
+int capi_rsa_priv_dec(int flen, const unsigned char *from,
+                unsigned char *to, RSA *rsa, int padding)
+        {
+        int i;
+        unsigned char *tmpbuf;
+        CAPI_KEY *capi_key;
+        CAPI_CTX *ctx;
+        ctx = ENGINE_get_ex_data(rsa->engine, capi_idx);
+
+        CAPI_trace(ctx, "Called capi_rsa_priv_dec()\n");
+
+
+        capi_key = RSA_get_ex_data(rsa, rsa_capi_idx);
+        if (!capi_key)
+                {
+                CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_CANT_GET_KEY);
+                return -1;
+                }
+
+        if(padding != RSA_PKCS1_PADDING)
+                {
+                char errstr[10];
+                BIO_snprintf(errstr, 10, "%d", padding);
+                CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_UNSUPPORTED_PADDING);
+                ERR_add_error_data(2, "padding=", errstr);
+                return -1;
+                }
+
+        /* Create temp reverse order version of input */
+        if(!(tmpbuf = OPENSSL_malloc(flen)) ) 
+                {
+                CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, ERR_R_MALLOC_FAILURE);
+                return -1;
+                }
+        for(i = 0; i < flen; i++)
+                tmpbuf[flen - i - 1] = from[i];
+        
+        /* Finally decrypt it */
+        if(!CryptDecrypt(capi_key->key, 0, TRUE, 0, tmpbuf, &flen))
+                {
+                CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_DECRYPT_ERROR);
+                capi_addlasterror();
+                OPENSSL_free(tmpbuf);
+                return -1;
+                } 
+        else memcpy(to, tmpbuf, flen);
+
+        OPENSSL_free(tmpbuf);
+
+        return flen;
+        }
+
+static int capi_rsa_free(RSA *rsa)
+        {
+        CAPI_KEY *capi_key;
+        capi_key = RSA_get_ex_data(rsa, rsa_capi_idx);
+        capi_free_key(capi_key);
+        RSA_set_ex_data(rsa, rsa_capi_idx, 0);
+        return 1;
+        }
+
+/* CryptoAPI DSA operations */
+
+static DSA_SIG *capi_dsa_do_sign(const unsigned char *digest, int dlen,
+                                                                DSA *dsa)
+        {
+        HCRYPTHASH hash;
+        DWORD slen;
+        DSA_SIG *ret = NULL;
+        CAPI_KEY *capi_key;
+        CAPI_CTX *ctx;
+        unsigned char csigbuf[40];
+
+        ctx = ENGINE_get_ex_data(dsa->engine, capi_idx);
+
+        CAPI_trace(ctx, "Called CAPI_dsa_do_sign()\n");
+
+        capi_key = DSA_get_ex_data(dsa, dsa_capi_idx);
+
+        if (!capi_key)
+                {
+                CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_CANT_GET_KEY);
+                return NULL;
+                }
+
+        if (dlen != 20)
+                {
+                CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_INVALID_DIGEST_LENGTH);
+                return NULL;
+                }
+
+        /* Create the hash object */
+        if(!CryptCreateHash(capi_key->hprov, CALG_SHA1, 0, 0, &hash))
+                {
+                CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_CANT_CREATE_HASH_OBJECT);
+                capi_addlasterror();
+                return NULL;
+                }
+
+        /* Set the hash value to the value passed */
+        if(!CryptSetHashParam(hash, HP_HASHVAL, (unsigned char *)digest, 0))
+                {
+                CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_CANT_SET_HASH_VALUE);
+                capi_addlasterror();
+                goto err;
+                }
+
+
+        /* Finally sign it */
+        slen = sizeof(csigbuf);
+        if(!CryptSignHash(hash, capi_key->keyspec, NULL, 0, csigbuf, &slen))
+                {
+                CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_ERROR_SIGNING_HASH);
+                capi_addlasterror();
+                goto err;
+                }
+        else
+                {
+                ret = DSA_SIG_new();
+                if (!ret)
+                        goto err;
+                ret->r = BN_new();
+                ret->s = BN_new();
+                if (!ret->r || !ret->s)
+                        goto err;
+                if (!lend_tobn(ret->r, csigbuf, 20)
+                        || !lend_tobn(ret->s, csigbuf + 20, 20))
+                        {
+                        DSA_SIG_free(ret);
+                        ret = NULL;
+                        goto err;
+                        }
+                }
+
+        /* Now cleanup */
+
+err:
+        OPENSSL_cleanse(csigbuf, 40);
+        CryptDestroyHash(hash);
+        return ret;
+        }
+
+static int capi_dsa_free(DSA *dsa)
+        {
+        CAPI_KEY *capi_key;
+        capi_key = DSA_get_ex_data(dsa, dsa_capi_idx);
+        capi_free_key(capi_key);
+        DSA_set_ex_data(dsa, dsa_capi_idx, 0);
+        return 1;
+        }
+
+static void capi_vtrace(CAPI_CTX *ctx, int level, char *format, va_list argptr)
+        {
+        BIO *out;
+
+        if (!ctx || (ctx->debug_level < level) || (!ctx->debug_file))
+                return;
+        out = BIO_new_file(ctx->debug_file, "a+");
+        BIO_vprintf(out, format, argptr);
+        BIO_free(out);
+        }
+
+static void CAPI_trace(CAPI_CTX *ctx, char *format, ...)
+        {
+        va_list args;
+        va_start(args, format);
+        capi_vtrace(ctx, CAPI_DBG_TRACE, format, args);
+        va_end(args);
+        }
+
+static void capi_addlasterror(void)
+        {
+        capi_adderror(GetLastError());
+        }
+
+static void capi_adderror(DWORD err)
+        {
+        char errstr[10];
+        BIO_snprintf(errstr, 10, "%lX", err);
+        ERR_add_error_data(2, "Error code= 0x", errstr);
+        }
+
+static char *wide_to_asc(LPWSTR wstr)
+        {
+        char *str;
+        if (!wstr)
+                return NULL;
+        str = OPENSSL_malloc(wcslen(wstr) + 1);
+        if (!str)
+                {
+                CAPIerr(CAPI_F_WIDE_TO_ASC, ERR_R_MALLOC_FAILURE);
+                return NULL;
+                }
+        sprintf(str, "%S", wstr);
+        return str;
+        }
+
+static int capi_get_provname(CAPI_CTX *ctx, LPSTR *pname, DWORD *ptype, DWORD idx)
+        {
+        LPSTR name;
+        DWORD len, err;
+        CAPI_trace(ctx, "capi_get_provname, index=%d\n", idx);
+        if (!CryptEnumProviders(idx, NULL, 0, ptype, NULL, &len))
+                {
+                err = GetLastError();
+                if (err == ERROR_NO_MORE_ITEMS)
+                        return 2;
+                CAPIerr(CAPI_F_CAPI_GET_PROVNAME, CAPI_R_CRYPTENUMPROVIDERS_ERROR);
+                capi_adderror(err);
+                return 0;
+                }
+        name = OPENSSL_malloc(len);
+                if (!CryptEnumProviders(idx, NULL, 0, ptype, name, &len))
+                {
+                err = GetLastError();
+                if (err == ERROR_NO_MORE_ITEMS)
+                        return 2;
+                CAPIerr(CAPI_F_CAPI_GET_PROVNAME, CAPI_R_CRYPTENUMPROVIDERS_ERROR);
+                capi_adderror(err);
+                return 0;
+                }
+        *pname = name;
+        CAPI_trace(ctx, "capi_get_provname, returned name=%s, type=%d\n", name, *ptype);
+
+        return 1;
+        }
+
+static int capi_list_providers(CAPI_CTX *ctx, BIO *out)
+        {
+        DWORD idx, ptype;
+        int ret;
+        LPTSTR provname = NULL;
+        CAPI_trace(ctx, "capi_list_providers\n");
+        BIO_printf(out, "Available CSPs:\n");
+        for(idx = 0; ; idx++)
+                {
+                ret = capi_get_provname(ctx, &provname, &ptype, idx);
+                if (ret == 2)
+                        break;
+                if (ret == 0)
+                        break;
+                BIO_printf(out, "%d. %s, type %d\n", idx, provname, ptype);
+                OPENSSL_free(provname);
+                }
+        return 1;
+        }
+
+static int capi_list_containers(CAPI_CTX *ctx, BIO *out)
+        {
+        int ret = 1;
+        HCRYPTPROV hprov;
+        DWORD err, idx, flags, buflen = 0, clen;
+        LPSTR cname;
+        CAPI_trace(ctx, "Listing containers CSP=%s, type = %d\n", ctx->cspname, ctx->csptype);
+        if (!CryptAcquireContext(&hprov, NULL, ctx->cspname, ctx->csptype, CRYPT_VERIFYCONTEXT))
+                {
+                CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, CAPI_R_CRYPTACQUIRECONTEXT_ERROR);
+                capi_addlasterror();
+                return 0;
+                }
+        if (!CryptGetProvParam(hprov, PP_ENUMCONTAINERS, NULL, &buflen, CRYPT_FIRST))
+                {
+                CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, CAPI_R_ENUMCONTAINERS_ERROR);
+                capi_addlasterror();
+                return 0;
+                }
+        CAPI_trace(ctx, "Got max container len %d\n", buflen);
+        if (buflen == 0)
+                buflen = 1024;
+        cname = OPENSSL_malloc(buflen);
+        if (!cname)
+                {
+                CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+
+        for (idx = 0;;idx++)
+                {
+                clen = buflen;
+                cname[0] = 0;
+
+                if (idx == 0)
+                        flags = CRYPT_FIRST;
+                else
+                        flags = 0;
+                if(!CryptGetProvParam(hprov, PP_ENUMCONTAINERS, cname, &clen, flags))
+                        {
+                        err = GetLastError();
+                        if (err == ERROR_NO_MORE_ITEMS)
+                                goto done;
+                        CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, CAPI_R_ENUMCONTAINERS_ERROR);
+                        capi_adderror(err);
+                        goto err;
+                        }
+                CAPI_trace(ctx, "Container name %s, len=%d, index=%d, flags=%d\n", cname, clen, idx, flags);
+                if (!cname[0] && (clen == buflen))
+                        {
+                        CAPI_trace(ctx, "Enumerate bug: using workaround\n");
+                        goto done;
+                        }
+                BIO_printf(out, "%d. %s\n", idx, cname);
+                }
+        err:
+
+        ret = 0;
+
+        done:
+        if (cname)
+                OPENSSL_free(cname);
+        CryptReleaseContext(hprov, 0);
+
+        return ret;
+        }
+
+CRYPT_KEY_PROV_INFO *capi_get_prov_info(CAPI_CTX *ctx, PCCERT_CONTEXT cert)
+        {
+        DWORD len;
+        CRYPT_KEY_PROV_INFO *pinfo;
+        
+        if(!CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, NULL, &len))
+                return NULL;
+        pinfo = OPENSSL_malloc(len);
+        if (!pinfo)
+                {
+                CAPIerr(CAPI_F_CAPI_GET_PROV_INFO, ERR_R_MALLOC_FAILURE);
+                return NULL;
+                }
+        if(!CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, pinfo, &len))
+                {
+                CAPIerr(CAPI_F_CAPI_GET_PROV_INFO, CAPI_R_ERROR_GETTING_KEY_PROVIDER_INFO);
+                capi_addlasterror();
+                OPENSSL_free(pinfo);
+                return NULL;
+                }
+        return pinfo;
+        }
+
+static void capi_dump_prov_info(CAPI_CTX *ctx, BIO *out, CRYPT_KEY_PROV_INFO *pinfo)
+        {
+        char *provname = NULL, *contname = NULL;
+        if (!pinfo)
+                {
+                BIO_printf(out, "  No Private Key\n");
+                return;
+                }
+        provname = wide_to_asc(pinfo->pwszProvName);
+        contname = wide_to_asc(pinfo->pwszContainerName);
+        if (!provname || !contname)
+                goto err;
+
+        BIO_printf(out, "  Private Key Info:\n");
+        BIO_printf(out, "    Provider Name:  %s, Provider Type %d\n", provname, pinfo->dwProvType);
+        BIO_printf(out, "    Container Name: %s, Key Type %d\n", contname, pinfo->dwKeySpec);
+        err:
+        if (provname)
+                OPENSSL_free(provname);
+        if (contname)
+                OPENSSL_free(contname);
+        }
+
+char * capi_cert_get_fname(CAPI_CTX *ctx, PCCERT_CONTEXT cert)
+        {
+        LPWSTR wfname;
+        DWORD dlen;
+
+        CAPI_trace(ctx, "capi_cert_get_fname\n");
+        if (!CertGetCertificateContextProperty(cert, CERT_FRIENDLY_NAME_PROP_ID, NULL, &dlen))
+                return NULL;
+        wfname = OPENSSL_malloc(dlen);
+        if (CertGetCertificateContextProperty(cert, CERT_FRIENDLY_NAME_PROP_ID, wfname, &dlen))
+                {
+                char *fname = wide_to_asc(wfname);
+                OPENSSL_free(wfname);
+                return fname;
+                }
+        CAPIerr(CAPI_F_CAPI_CERT_GET_FNAME, CAPI_R_ERROR_GETTING_FRIENDLY_NAME);
+        capi_addlasterror();
+
+        OPENSSL_free(wfname);
+        return NULL;
+        }
+
+
+void capi_dump_cert(CAPI_CTX *ctx, BIO *out, PCCERT_CONTEXT cert)
+        {
+        X509 *x;
+        unsigned char *p;
+        unsigned long flags = ctx->dump_flags;
+        if (flags & CAPI_DMP_FNAME)
+                {
+                char *fname;
+                fname = capi_cert_get_fname(ctx, cert);
+                if (fname)
+                        {
+                        BIO_printf(out, "  Friendly Name \"%s\"\n", fname);
+                        OPENSSL_free(fname);
+                        }
+                else
+                        BIO_printf(out, "  <No Friendly Name>\n");
+                }
+
+        p = cert->pbCertEncoded;
+        x = d2i_X509(NULL, &p, cert->cbCertEncoded);
+        if (!x)
+                BIO_printf(out, "  <Can't parse certificate>\n");
+        if (flags & CAPI_DMP_SUMMARY)
+                {
+                BIO_printf(out, "  Subject: ");
+                X509_NAME_print_ex(out, X509_get_subject_name(x), 0, XN_FLAG_ONELINE);
+                BIO_printf(out, "\n  Issuer: ");
+                X509_NAME_print_ex(out, X509_get_issuer_name(x), 0, XN_FLAG_ONELINE);
+                BIO_printf(out, "\n");
+                }
+        if (flags & CAPI_DMP_FULL)
+                X509_print_ex(out, x, XN_FLAG_ONELINE,0);
+
+        if (flags & CAPI_DMP_PKEYINFO)
+                {
+                CRYPT_KEY_PROV_INFO *pinfo;
+                pinfo = capi_get_prov_info(ctx, cert);
+                capi_dump_prov_info(ctx, out, pinfo);
+                if (pinfo)
+                        OPENSSL_free(pinfo);
+                }
+
+        if (flags & CAPI_DMP_PEM)
+                PEM_write_bio_X509(out, x);
+        X509_free(x);
+        }
+
+HCERTSTORE capi_open_store(CAPI_CTX *ctx, char *storename)
+        {
+        HCERTSTORE hstore;
+
+        if (!storename)
+                storename = ctx->storename;
+        if (!storename)
+                storename = "MY";
+        CAPI_trace(ctx, "Opening certificate store %s\n", storename);
+
+        hstore = CertOpenStore(CERT_STORE_PROV_SYSTEM_A, 0, 0, 
+                                ctx->store_flags, storename);
+        if (!hstore)
+                {
+                CAPIerr(CAPI_F_CAPI_OPEN_STORE, CAPI_R_ERROR_OPENING_STORE);
+                capi_addlasterror();
+                }
+        return hstore;
+        }
+
+int capi_list_certs(CAPI_CTX *ctx, BIO *out, char *id)
+        {
+        char *storename;
+        int idx;
+        int ret = 1;
+        HCERTSTORE hstore;
+        PCCERT_CONTEXT cert = NULL;
+
+        storename = ctx->storename;
+        if (!storename)
+                storename = "MY";
+        CAPI_trace(ctx, "Listing certs for store %s\n", storename);
+
+        hstore = capi_open_store(ctx, storename);
+        if (!hstore)
+                return 0;
+        if (id)
+                {
+                cert = capi_find_cert(ctx, id, hstore);
+                if (!cert)
+                        {
+                        ret = 0;
+                        goto err;
+                        }
+                capi_dump_cert(ctx, out, cert);
+                CertFreeCertificateContext(cert);
+                }
+        else
+                {
+                for(idx = 0;;idx++)
+                        {
+                        LPWSTR fname = NULL;
+                        cert = CertEnumCertificatesInStore(hstore, cert);
+                        if (!cert)
+                                break;
+                        BIO_printf(out, "Certificate %d\n", idx);
+                        capi_dump_cert(ctx, out, cert);
+                        }
+                }
+        err:
+        CertCloseStore(hstore, 0);
+        return ret;
+        }
+
+static PCCERT_CONTEXT capi_find_cert(CAPI_CTX *ctx, const char *id, HCERTSTORE hstore)
+        {
+        PCCERT_CONTEXT cert = NULL;
+        char *fname = NULL;
+        int match;
+        switch(ctx->lookup_method)
+                {
+                case CAPI_LU_SUBSTR:
+                        return CertFindCertificateInStore(hstore,
+                                        X509_ASN_ENCODING, 0,
+                                        CERT_FIND_SUBJECT_STR_A, id, NULL);
+                case CAPI_LU_FNAME:
+                        for(;;)
+                                {
+                                cert = CertEnumCertificatesInStore(hstore, cert);
+                                if (!cert)
+                                        return NULL;
+                                fname = capi_cert_get_fname(ctx, cert);
+                                if (fname)
+                                        {
+                                        if (strcmp(fname, id))
+                                                match = 0;
+                                        else
+                                                match = 1;
+                                        OPENSSL_free(fname);
+                                        if (match)
+                                                return cert;
+                                        }
+                                }
+                default:
+                        return NULL;
+                }
+        }
+
+static CAPI_KEY *capi_get_key(CAPI_CTX *ctx, const char *contname, char *provname, DWORD ptype, DWORD keyspec)
+        {
+        CAPI_KEY *key;
+        key = OPENSSL_malloc(sizeof(CAPI_KEY));
+        CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n", 
+                                                contname, provname, ptype);
+        if (!CryptAcquireContext(&key->hprov, contname, provname, ptype, 0))
+                {
+                CAPIerr(CAPI_F_CAPI_GET_KEY, CAPI_R_CRYPTACQUIRECONTEXT_ERROR);
+                capi_addlasterror();
+                goto err;
+                }
+        if (!CryptGetUserKey(key->hprov, keyspec, &key->key))
+                {
+                CAPIerr(CAPI_F_CAPI_GET_KEY, CAPI_R_GETUSERKEY_ERROR);
+                capi_addlasterror();
+                CryptReleaseContext(key->hprov, 0);
+                goto err;
+                }
+        key->keyspec = keyspec;
+        key->pcert = NULL;
+        return key;
+
+        err:
+        OPENSSL_free(key);
+        return NULL;
+        }
+
+static CAPI_KEY *capi_get_cert_key(CAPI_CTX *ctx, PCCERT_CONTEXT cert)
+        {
+        CAPI_KEY *key = NULL;
+        CRYPT_KEY_PROV_INFO *pinfo = NULL;
+        char *provname = NULL, *contname = NULL;
+        pinfo = capi_get_prov_info(ctx, cert);
+        if (!pinfo)
+                goto err;
+        provname = wide_to_asc(pinfo->pwszProvName);
+        contname = wide_to_asc(pinfo->pwszContainerName);
+        if (!provname || !contname)
+                goto err;
+        key = capi_get_key(ctx, contname, provname,
+                                pinfo->dwProvType, pinfo->dwKeySpec);
+
+        err:
+        if (pinfo)
+                OPENSSL_free(pinfo);
+        if (provname)
+                OPENSSL_free(provname);
+        if (contname)
+                OPENSSL_free(contname);
+        return key;
+        }
+
+CAPI_KEY *capi_find_key(CAPI_CTX *ctx, const char *id)
+        {
+        PCCERT_CONTEXT cert;
+        HCERTSTORE hstore;
+        CAPI_KEY *key = NULL;
+        switch (ctx->lookup_method)
+                {
+                case CAPI_LU_SUBSTR:
+                case CAPI_LU_FNAME:
+                hstore = capi_open_store(ctx, NULL);
+                if (!hstore)
+                        return NULL;
+                cert = capi_find_cert(ctx, id, hstore);
+                if (cert)
+                        {
+                        key = capi_get_cert_key(ctx, cert);
+                        CertFreeCertificateContext(cert);
+                        }
+                CertCloseStore(hstore, 0);
+                break;
+
+                case CAPI_LU_CONTNAME:
+                key = capi_get_key(ctx, id, ctx->cspname, ctx->csptype,
+                                                        ctx->keytype);
+                break;
+                }
+
+        return key;
+        }
+
+void capi_free_key(CAPI_KEY *key)
+        {
+        if (!key)
+                return;
+        CryptDestroyKey(key->key);
+        CryptReleaseContext(key->hprov, 0);
+        if (key->pcert)
+                CertFreeCertificateContext(key->pcert);
+        OPENSSL_free(key);
+        }
+
+
+/* Initialize a CAPI_CTX structure */
+
+static CAPI_CTX *capi_ctx_new()
+        {
+        CAPI_CTX *ctx;
+        ctx = OPENSSL_malloc(sizeof(CAPI_CTX));
+        if (!ctx)
+                {
+                CAPIerr(CAPI_F_CAPI_CTX_NEW, ERR_R_MALLOC_FAILURE);
+                return NULL;
+                }
+        ctx->cspname = NULL;
+        ctx->csptype = PROV_RSA_FULL;
+        ctx->dump_flags = CAPI_DMP_SUMMARY|CAPI_DMP_FNAME;
+        ctx->keytype = AT_KEYEXCHANGE;
+        ctx->storename = NULL;
+        ctx->ssl_client_store = NULL;
+        ctx->store_flags = CERT_STORE_OPEN_EXISTING_FLAG |
+                                CERT_STORE_READONLY_FLAG |
+                                CERT_SYSTEM_STORE_CURRENT_USER;
+        ctx->lookup_method = CAPI_LU_SUBSTR;
+        ctx->debug_level = 0;
+        ctx->debug_file = NULL;
+        ctx->client_cert_select = cert_select_simple;
+        return ctx;
+        }
+
+static void capi_ctx_free(CAPI_CTX *ctx)
+        {
+        CAPI_trace(ctx, "Calling capi_ctx_free with %lx\n", ctx);
+        if (!ctx)
+                return;
+        if (ctx->cspname)
+                OPENSSL_free(ctx->cspname);
+        if (ctx->debug_file)
+                OPENSSL_free(ctx->debug_file);
+        if (ctx->storename)
+                OPENSSL_free(ctx->storename);
+        if (ctx->ssl_client_store)
+                OPENSSL_free(ctx->ssl_client_store);
+        OPENSSL_free(ctx);
+        }
+
+static int capi_ctx_set_provname(CAPI_CTX *ctx, LPSTR pname, DWORD type, int check)
+        {
+        CAPI_trace(ctx, "capi_ctx_set_provname, name=%s, type=%d\n", pname, type);
+        if (check)
+                {
+                HCRYPTPROV hprov;
+                if (!CryptAcquireContext(&hprov, NULL, pname, type,
+                                                CRYPT_VERIFYCONTEXT))
+                        {
+                        CAPIerr(CAPI_F_CAPI_CTX_SET_PROVNAME, CAPI_R_CRYPTACQUIRECONTEXT_ERROR);
+                        capi_addlasterror();
+                        return 0;
+                        }
+                CryptReleaseContext(hprov, 0);
+                }
+        ctx->cspname = BUF_strdup(pname);
+        ctx->csptype = type;
+        return 1;
+        }
+
+static int capi_ctx_set_provname_idx(CAPI_CTX *ctx, int idx)
+        {
+        LPSTR pname;
+        DWORD type;
+        if (capi_get_provname(ctx, &pname, &type, idx) != 1)
+                return 0;
+        return capi_ctx_set_provname(ctx, pname, type, 0);
+        }
+
+static int cert_issuer_match(STACK_OF(X509_NAME) *ca_dn, X509 *x)
+        {
+        int i;
+        X509_NAME *nm;
+        /* Special case: empty list: match anything */
+        if (sk_X509_NAME_num(ca_dn) <= 0)
+                return 1;
+        for (i = 0; i < sk_X509_NAME_num(ca_dn); i++)
+                {
+                nm = sk_X509_NAME_value(ca_dn, i);
+                if (!X509_NAME_cmp(nm, X509_get_issuer_name(x)))
+                                return 1;
+                }
+        return 0;
+        }
+
+
+
+static int capi_load_ssl_client_cert(ENGINE *e, SSL *ssl,
+        STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **pkey,
+        STACK_OF(X509) **pother, UI_METHOD *ui_method, void *callback_data)
+        {
+        STACK_OF(X509) *certs = NULL;
+        X509 *x;
+        char *storename;
+        const char *p;
+        int i, client_cert_idx;
+        HCERTSTORE hstore;
+        PCCERT_CONTEXT cert = NULL, excert = NULL;
+        CAPI_CTX *ctx;
+        CAPI_KEY *key;
+        ctx = ENGINE_get_ex_data(e, capi_idx);
+
+        *pcert = NULL;
+        *pkey = NULL;
+
+        storename = ctx->ssl_client_store;
+        if (!storename)
+                storename = "MY";
+
+        hstore = capi_open_store(ctx, storename);
+        if (!hstore)
+                return 0;
+        /* Enumerate all certificates collect any matches */
+        for(i = 0;;i++)
+                {
+                cert = CertEnumCertificatesInStore(hstore, cert);
+                if (!cert)
+                        break;
+                p = cert->pbCertEncoded;
+                x = d2i_X509(NULL, &p, cert->cbCertEncoded);
+                if (!x)
+                        {
+                        CAPI_trace(ctx, "Can't Parse Certificate %d\n", i);
+                        continue;
+                        }
+                if (cert_issuer_match(ca_dn, x)
+                        && X509_check_purpose(x, X509_PURPOSE_SSL_CLIENT, 0))
+                        {
+                        key = capi_get_cert_key(ctx, cert);
+                        if (!key)
+                                {
+                                X509_free(x);
+                                continue;
+                                }
+                        /* Match found: attach extra data to it so
+                         * we can retrieve the key later.
+                         */
+                        excert = CertDuplicateCertificateContext(cert);
+                        key->pcert = excert;
+                        X509_set_ex_data(x, cert_capi_idx, key);
+
+                        if (!certs)
+                                certs = sk_X509_new_null();
+
+                        sk_X509_push(certs, x);
+                        }
+                else
+                        X509_free(x);
+
+                }
+
+        if (cert)
+                CertFreeCertificateContext(cert);
+        if (hstore)
+                CertCloseStore(hstore, 0);
+
+        if (!certs)
+                return 0;
+
+
+        /* Select the appropriate certificate */
+
+        client_cert_idx = ctx->client_cert_select(e, ssl, certs);
+
+        /* Set the selected certificate and free the rest */
+
+        for(i = 0; i < sk_X509_num(certs); i++)
+                {
+                x = sk_X509_value(certs, i);
+                if (i == client_cert_idx)
+                        *pcert = x;
+                else
+                        {
+                        key = X509_get_ex_data(x, cert_capi_idx);
+                        capi_free_key(key);
+                        X509_free(x);
+                        }
+                }
+
+        sk_X509_free(certs);
+
+        if (!*pcert)
+                return 0;
+
+        /* Setup key for selected certificate */
+
+        key = X509_get_ex_data(*pcert, cert_capi_idx);
+        *pkey = capi_get_pkey(e, key);
+        X509_set_ex_data(*pcert, cert_capi_idx, NULL);
+
+        return 1;
+
+        }
+
+
+/* Simple client cert selection function: always select first */
+
+static int cert_select_simple(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs)
+        {
+        return 0;
+        }
+
+#ifdef OPENSSL_CAPIENG_DIALOG
+
+/* More complex cert selection function, using standard function
+ * CryptUIDlgSelectCertificateFromStore() to produce a dialog box.
+ */
+
+/* Definitions which are in cryptuiapi.h but this is not present in older
+ * versions of headers.
+ */
+
+#ifndef CRYPTUI_SELECT_LOCATION_COLUMN
+#define CRYPTUI_SELECT_LOCATION_COLUMN                   0x000000010
+#define CRYPTUI_SELECT_INTENDEDUSE_COLUMN                0x000000004
+#endif
+
+#define dlg_title L"OpenSSL Application SSL Client Certificate Selection"
+#define dlg_prompt L"Select a certificate to use for authentication"
+#define dlg_columns      CRYPTUI_SELECT_LOCATION_COLUMN \
+                        |CRYPTUI_SELECT_INTENDEDUSE_COLUMN
+
+static int cert_select_dialog(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs)
+        {
+        X509 *x;
+        HCERTSTORE dstore;
+        PCCERT_CONTEXT cert;
+        CAPI_CTX *ctx;
+        CAPI_KEY *key;
+        HWND hwnd;
+        int i, idx = -1;
+        if (sk_X509_num(certs) == 1)
+                return 0;
+        ctx = ENGINE_get_ex_data(e, capi_idx);
+        /* Create an in memory store of certificates */
+        dstore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0,
+                                        CERT_STORE_CREATE_NEW_FLAG, NULL);
+        if (!dstore)
+                {
+                CAPIerr(CAPI_F_CERT_SELECT_DIALOG, CAPI_R_ERROR_CREATING_STORE);
+                capi_addlasterror();
+                goto err;
+                }
+        /* Add all certificates to store */
+        for(i = 0; i < sk_X509_num(certs); i++)
+                {
+                x = sk_X509_value(certs, i);
+                key = X509_get_ex_data(x, cert_capi_idx);
+
+                if (!CertAddCertificateContextToStore(dstore, key->pcert,
+                                                CERT_STORE_ADD_NEW, NULL))
+                        {
+                        CAPIerr(CAPI_F_CERT_SELECT_DIALOG, CAPI_R_ERROR_ADDING_CERT);
+                        capi_addlasterror();
+                        goto err;
+                        }
+
+                }
+        hwnd = GetForegroundWindow();
+        if (!hwnd)
+                hwnd = GetActiveWindow();
+        if (!hwnd && ctx->getconswindow)
+                hwnd = ctx->getconswindow();
+        /* Call dialog to select one */
+        cert = ctx->certselectdlg(dstore, hwnd, dlg_title, dlg_prompt,
+                                                dlg_columns, 0, NULL);
+
+        /* Find matching cert from list */
+        if (cert)
+                {
+                for(i = 0; i < sk_X509_num(certs); i++)
+                        {
+                        x = sk_X509_value(certs, i);
+                        key = X509_get_ex_data(x, cert_capi_idx);
+                        if (CertCompareCertificate(
+                                X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+                                        cert->pCertInfo,
+                                        key->pcert->pCertInfo))
+                                {
+                                idx = i;
+                                break;
+                                }
+                        }
+                }
+
+        err:
+        if (dstore)
+                CertCloseStore(dstore, 0);
+        return idx;
+
+        }
+#endif
+
+#endif
+#else /* !WIN32 */
+#include <openssl/engine.h>
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+OPENSSL_EXPORT
+int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { return 0; }
+IMPLEMENT_DYNAMIC_CHECK_FN()
+#endif
+#endif
diff --git a/src/lib/libssl/src/engines/e_capi.ec b/src/lib/libssl/src/engines/e_capi.ec
new file mode 100644
index 0000000000..d2ad668a98
--- /dev/null
+++ b/src/lib/libssl/src/engines/e_capi.ec
@@ -0,0 +1 @@
+L       CAPI    e_capi_err.h e_capi_err.c
diff --git a/src/lib/libssl/src/engines/e_capi_err.c b/src/lib/libssl/src/engines/e_capi_err.c
new file mode 100644
index 0000000000..73bbaaa718
--- /dev/null
+++ b/src/lib/libssl/src/engines/e_capi_err.c
@@ -0,0 +1,183 @@
+/* e_capi_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "e_capi_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(0,func,0)
+#define ERR_REASON(reason) ERR_PACK(0,0,reason)
+
+static ERR_STRING_DATA CAPI_str_functs[]=
+        {
+{ERR_FUNC(CAPI_F_CAPI_CERT_GET_FNAME),  "CAPI_CERT_GET_FNAME"},
+{ERR_FUNC(CAPI_F_CAPI_CTRL),    "CAPI_CTRL"},
+{ERR_FUNC(CAPI_F_CAPI_CTX_NEW), "CAPI_CTX_NEW"},
+{ERR_FUNC(CAPI_F_CAPI_CTX_SET_PROVNAME),        "CAPI_CTX_SET_PROVNAME"},
+{ERR_FUNC(CAPI_F_CAPI_DSA_DO_SIGN),     "CAPI_DSA_DO_SIGN"},
+{ERR_FUNC(CAPI_F_CAPI_GET_KEY), "CAPI_GET_KEY"},
+{ERR_FUNC(CAPI_F_CAPI_GET_PKEY),        "CAPI_GET_PKEY"},
+{ERR_FUNC(CAPI_F_CAPI_GET_PROVNAME),    "CAPI_GET_PROVNAME"},
+{ERR_FUNC(CAPI_F_CAPI_GET_PROV_INFO),   "CAPI_GET_PROV_INFO"},
+{ERR_FUNC(CAPI_F_CAPI_INIT),    "CAPI_INIT"},
+{ERR_FUNC(CAPI_F_CAPI_LIST_CONTAINERS), "CAPI_LIST_CONTAINERS"},
+{ERR_FUNC(CAPI_F_CAPI_LOAD_PRIVKEY),    "CAPI_LOAD_PRIVKEY"},
+{ERR_FUNC(CAPI_F_CAPI_OPEN_STORE),      "CAPI_OPEN_STORE"},
+{ERR_FUNC(CAPI_F_CAPI_RSA_PRIV_DEC),    "CAPI_RSA_PRIV_DEC"},
+{ERR_FUNC(CAPI_F_CAPI_RSA_PRIV_ENC),    "CAPI_RSA_PRIV_ENC"},
+{ERR_FUNC(CAPI_F_CAPI_RSA_SIGN),        "CAPI_RSA_SIGN"},
+{ERR_FUNC(CAPI_F_CERT_SELECT_DIALOG),   "CERT_SELECT_DIALOG"},
+{ERR_FUNC(CAPI_F_CLIENT_CERT_SELECT),   "CLIENT_CERT_SELECT"},
+{ERR_FUNC(CAPI_F_WIDE_TO_ASC),  "WIDE_TO_ASC"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA CAPI_str_reasons[]=
+        {
+{ERR_REASON(CAPI_R_CANT_CREATE_HASH_OBJECT),"cant create hash object"},
+{ERR_REASON(CAPI_R_CANT_FIND_CAPI_CONTEXT),"cant find capi context"},
+{ERR_REASON(CAPI_R_CANT_GET_KEY)         ,"cant get key"},
+{ERR_REASON(CAPI_R_CANT_SET_HASH_VALUE)  ,"cant set hash value"},
+{ERR_REASON(CAPI_R_CRYPTACQUIRECONTEXT_ERROR),"cryptacquirecontext error"},
+{ERR_REASON(CAPI_R_CRYPTENUMPROVIDERS_ERROR),"cryptenumproviders error"},
+{ERR_REASON(CAPI_R_DECRYPT_ERROR)        ,"decrypt error"},
+{ERR_REASON(CAPI_R_ENGINE_NOT_INITIALIZED),"engine not initialized"},
+{ERR_REASON(CAPI_R_ENUMCONTAINERS_ERROR) ,"enumcontainers error"},
+{ERR_REASON(CAPI_R_ERROR_ADDING_CERT)    ,"error adding cert"},
+{ERR_REASON(CAPI_R_ERROR_CREATING_STORE) ,"error creating store"},
+{ERR_REASON(CAPI_R_ERROR_GETTING_FRIENDLY_NAME),"error getting friendly name"},
+{ERR_REASON(CAPI_R_ERROR_GETTING_KEY_PROVIDER_INFO),"error getting key provider info"},
+{ERR_REASON(CAPI_R_ERROR_OPENING_STORE)  ,"error opening store"},
+{ERR_REASON(CAPI_R_ERROR_SIGNING_HASH)   ,"error signing hash"},
+{ERR_REASON(CAPI_R_FUNCTION_NOT_SUPPORTED),"function not supported"},
+{ERR_REASON(CAPI_R_GETUSERKEY_ERROR)     ,"getuserkey error"},
+{ERR_REASON(CAPI_R_INVALID_DIGEST_LENGTH),"invalid digest length"},
+{ERR_REASON(CAPI_R_INVALID_DSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER),"invalid dsa public key blob magic number"},
+{ERR_REASON(CAPI_R_INVALID_LOOKUP_METHOD),"invalid lookup method"},
+{ERR_REASON(CAPI_R_INVALID_PUBLIC_KEY_BLOB),"invalid public key blob"},
+{ERR_REASON(CAPI_R_INVALID_RSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER),"invalid rsa public key blob magic number"},
+{ERR_REASON(CAPI_R_PUBKEY_EXPORT_ERROR)  ,"pubkey export error"},
+{ERR_REASON(CAPI_R_PUBKEY_EXPORT_LENGTH_ERROR),"pubkey export length error"},
+{ERR_REASON(CAPI_R_UNKNOWN_COMMAND)      ,"unknown command"},
+{ERR_REASON(CAPI_R_UNSUPPORTED_ALGORITHM_NID),"unsupported algorithm nid"},
+{ERR_REASON(CAPI_R_UNSUPPORTED_PADDING)  ,"unsupported padding"},
+{ERR_REASON(CAPI_R_UNSUPPORTED_PUBLIC_KEY_ALGORITHM),"unsupported public key algorithm"},
+{0,NULL}
+        };
+
+#endif
+
+#ifdef CAPI_LIB_NAME
+static ERR_STRING_DATA CAPI_lib_name[]=
+        {
+{0      ,CAPI_LIB_NAME},
+{0,NULL}
+        };
+#endif
+
+
+static int CAPI_lib_error_code=0;
+static int CAPI_error_init=1;
+
+static void ERR_load_CAPI_strings(void)
+        {
+        if (CAPI_lib_error_code == 0)
+                CAPI_lib_error_code=ERR_get_next_error_library();
+
+        if (CAPI_error_init)
+                {
+                CAPI_error_init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(CAPI_lib_error_code,CAPI_str_functs);
+                ERR_load_strings(CAPI_lib_error_code,CAPI_str_reasons);
+#endif
+
+#ifdef CAPI_LIB_NAME
+                CAPI_lib_name->error = ERR_PACK(CAPI_lib_error_code,0,0);
+                ERR_load_strings(0,CAPI_lib_name);
+#endif
+                }
+        }
+
+static void ERR_unload_CAPI_strings(void)
+        {
+        if (CAPI_error_init == 0)
+                {
+#ifndef OPENSSL_NO_ERR
+                ERR_unload_strings(CAPI_lib_error_code,CAPI_str_functs);
+                ERR_unload_strings(CAPI_lib_error_code,CAPI_str_reasons);
+#endif
+
+#ifdef CAPI_LIB_NAME
+                ERR_unload_strings(0,CAPI_lib_name);
+#endif
+                CAPI_error_init=1;
+                }
+        }
+
+static void ERR_CAPI_error(int function, int reason, char *file, int line)
+        {
+        if (CAPI_lib_error_code == 0)
+                CAPI_lib_error_code=ERR_get_next_error_library();
+        ERR_PUT_error(CAPI_lib_error_code,function,reason,file,line);
+        }
diff --git a/src/lib/libssl/src/engines/e_capi_err.h b/src/lib/libssl/src/engines/e_capi_err.h
new file mode 100644
index 0000000000..efdb751251
--- /dev/null
+++ b/src/lib/libssl/src/engines/e_capi_err.h
@@ -0,0 +1,123 @@
+/* ====================================================================
+ * Copyright (c) 2001-2008 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_CAPI_ERR_H
+#define HEADER_CAPI_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_CAPI_strings(void);
+static void ERR_unload_CAPI_strings(void);
+static void ERR_CAPI_error(int function, int reason, char *file, int line);
+#define CAPIerr(f,r) ERR_CAPI_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the CAPI functions. */
+
+/* Function codes. */
+#define CAPI_F_CAPI_CERT_GET_FNAME                       99
+#define CAPI_F_CAPI_CTRL                                 100
+#define CAPI_F_CAPI_CTX_NEW                              101
+#define CAPI_F_CAPI_CTX_SET_PROVNAME                     102
+#define CAPI_F_CAPI_DSA_DO_SIGN                          114
+#define CAPI_F_CAPI_GET_KEY                              103
+#define CAPI_F_CAPI_GET_PKEY                             115
+#define CAPI_F_CAPI_GET_PROVNAME                         104
+#define CAPI_F_CAPI_GET_PROV_INFO                        105
+#define CAPI_F_CAPI_INIT                                 106
+#define CAPI_F_CAPI_LIST_CONTAINERS                      107
+#define CAPI_F_CAPI_LOAD_PRIVKEY                         108
+#define CAPI_F_CAPI_OPEN_STORE                           109
+#define CAPI_F_CAPI_RSA_PRIV_DEC                         110
+#define CAPI_F_CAPI_RSA_PRIV_ENC                         111
+#define CAPI_F_CAPI_RSA_SIGN                             112
+#define CAPI_F_CERT_SELECT_DIALOG                        117
+#define CAPI_F_CLIENT_CERT_SELECT                        116
+#define CAPI_F_WIDE_TO_ASC                               113
+
+/* Reason codes. */
+#define CAPI_R_CANT_CREATE_HASH_OBJECT                   99
+#define CAPI_R_CANT_FIND_CAPI_CONTEXT                    100
+#define CAPI_R_CANT_GET_KEY                              101
+#define CAPI_R_CANT_SET_HASH_VALUE                       102
+#define CAPI_R_CRYPTACQUIRECONTEXT_ERROR                 103
+#define CAPI_R_CRYPTENUMPROVIDERS_ERROR                  104
+#define CAPI_R_DECRYPT_ERROR                             105
+#define CAPI_R_ENGINE_NOT_INITIALIZED                    106
+#define CAPI_R_ENUMCONTAINERS_ERROR                      107
+#define CAPI_R_ERROR_ADDING_CERT                         125
+#define CAPI_R_ERROR_CREATING_STORE                      126
+#define CAPI_R_ERROR_GETTING_FRIENDLY_NAME               108
+#define CAPI_R_ERROR_GETTING_KEY_PROVIDER_INFO           109
+#define CAPI_R_ERROR_OPENING_STORE                       110
+#define CAPI_R_ERROR_SIGNING_HASH                        111
+#define CAPI_R_FUNCTION_NOT_SUPPORTED                    112
+#define CAPI_R_GETUSERKEY_ERROR                          113
+#define CAPI_R_INVALID_DIGEST_LENGTH                     124
+#define CAPI_R_INVALID_DSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER  122
+#define CAPI_R_INVALID_LOOKUP_METHOD                     114
+#define CAPI_R_INVALID_PUBLIC_KEY_BLOB                   115
+#define CAPI_R_INVALID_RSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER  123
+#define CAPI_R_PUBKEY_EXPORT_ERROR                       116
+#define CAPI_R_PUBKEY_EXPORT_LENGTH_ERROR                117
+#define CAPI_R_UNKNOWN_COMMAND                           118
+#define CAPI_R_UNSUPPORTED_ALGORITHM_NID                 119
+#define CAPI_R_UNSUPPORTED_PADDING                       120
+#define CAPI_R_UNSUPPORTED_PUBLIC_KEY_ALGORITHM          121
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libssl/src/engines/e_gmp.c b/src/lib/libssl/src/engines/e_gmp.c
index e62e6fcd07..a1a2d2bda6 100644
--- a/src/lib/libssl/src/engines/e_gmp.c
+++ b/src/lib/libssl/src/engines/e_gmp.c
@@ -451,9 +451,13 @@ static int e_gmp_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
         }
 #endif
 
+#endif /* !OPENSSL_NO_GMP */
+
 /* This stuff is needed if this ENGINE is being compiled into a self-contained
  * shared-library. */      
-#ifndef ENGINE_NO_DYNAMIC_SUPPORT
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+IMPLEMENT_DYNAMIC_CHECK_FN()
+#ifndef OPENSSL_NO_GMP
 static int bind_fn(ENGINE *e, const char *id)
         {
         if(id && (strcmp(id, engine_e_gmp_id) != 0))
@@ -462,10 +466,11 @@ static int bind_fn(ENGINE *e, const char *id)
                 return 0;
         return 1;
         }       
-IMPLEMENT_DYNAMIC_CHECK_FN()
 IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
-#endif /* ENGINE_DYNAMIC_SUPPORT */
+#else
+OPENSSL_EXPORT
+int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { return 0; }
+#endif
+#endif /* OPENSSL_NO_DYNAMIC_ENGINE */
 
-#endif /* !OPENSSL_NO_GMP */
 #endif /* !OPENSSL_NO_HW */
-
diff --git a/src/lib/libssl/src/openssl.spec b/src/lib/libssl/src/openssl.spec
index 4acba76aa2..a1fa198423 100644
--- a/src/lib/libssl/src/openssl.spec
+++ b/src/lib/libssl/src/openssl.spec
@@ -1,7 +1,7 @@
 %define libmaj 0
 %define libmin 9
 %define librel 8
-%define librev h
+%define librev i
 Release: 1
 
 %define openssldir /var/ssl
diff --git a/src/lib/libssl/src/ssl/Makefile b/src/lib/libssl/src/ssl/Makefile
index 2754632849..cb4267f5de 100644
--- a/src/lib/libssl/src/ssl/Makefile
+++ b/src/lib/libssl/src/ssl/Makefile
@@ -111,18 +111,19 @@ bio_ssl.o: ../include/openssl/comp.h ../include/openssl/crypto.h
 bio_ssl.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
 bio_ssl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
 bio_ssl.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-bio_ssl.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-bio_ssl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-bio_ssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-bio_ssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-bio_ssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-bio_ssl.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-bio_ssl.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-bio_ssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-bio_ssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-bio_ssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-bio_ssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-bio_ssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h bio_ssl.c
+bio_ssl.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+bio_ssl.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+bio_ssl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+bio_ssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+bio_ssl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+bio_ssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+bio_ssl.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+bio_ssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+bio_ssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+bio_ssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+bio_ssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+bio_ssl.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+bio_ssl.o: ../include/openssl/x509_vfy.h bio_ssl.c
 d1_both.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 d1_both.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 d1_both.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -130,19 +131,20 @@ d1_both.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 d1_both.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 d1_both.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 d1_both.o: ../include/openssl/err.h ../include/openssl/evp.h
-d1_both.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-d1_both.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-d1_both.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-d1_both.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-d1_both.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-d1_both.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-d1_both.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-d1_both.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-d1_both.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-d1_both.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-d1_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-d1_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-d1_both.o: ../include/openssl/x509_vfy.h d1_both.c ssl_locl.h
+d1_both.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+d1_both.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+d1_both.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+d1_both.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+d1_both.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+d1_both.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+d1_both.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+d1_both.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+d1_both.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+d1_both.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+d1_both.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+d1_both.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+d1_both.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_both.c
+d1_both.o: ssl_locl.h
 d1_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 d1_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 d1_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -150,20 +152,21 @@ d1_clnt.o: ../include/openssl/dh.h ../include/openssl/dsa.h
 d1_clnt.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
 d1_clnt.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
 d1_clnt.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-d1_clnt.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-d1_clnt.o: ../include/openssl/lhash.h ../include/openssl/md5.h
-d1_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-d1_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-d1_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-d1_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-d1_clnt.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-d1_clnt.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-d1_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-d1_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-d1_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-d1_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-d1_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-d1_clnt.o: ../include/openssl/x509_vfy.h d1_clnt.c kssl_lcl.h ssl_locl.h
+d1_clnt.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+d1_clnt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+d1_clnt.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
+d1_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+d1_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+d1_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+d1_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+d1_clnt.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+d1_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+d1_clnt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+d1_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+d1_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+d1_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+d1_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_clnt.c
+d1_clnt.o: kssl_lcl.h ssl_locl.h
 d1_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 d1_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 d1_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -192,19 +195,19 @@ d1_lib.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 d1_lib.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 d1_lib.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 d1_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
-d1_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-d1_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-d1_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-d1_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-d1_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-d1_lib.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-d1_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-d1_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-d1_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-d1_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-d1_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-d1_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_lib.c
-d1_lib.o: ssl_locl.h
+d1_lib.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+d1_lib.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+d1_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+d1_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+d1_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+d1_lib.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+d1_lib.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+d1_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+d1_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+d1_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+d1_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+d1_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+d1_lib.o: ../include/openssl/x509_vfy.h d1_lib.c ssl_locl.h
 d1_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 d1_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 d1_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -212,19 +215,19 @@ d1_meth.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 d1_meth.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 d1_meth.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 d1_meth.o: ../include/openssl/err.h ../include/openssl/evp.h
-d1_meth.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-d1_meth.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-d1_meth.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-d1_meth.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-d1_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-d1_meth.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-d1_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-d1_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-d1_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-d1_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-d1_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-d1_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_meth.c
-d1_meth.o: ssl_locl.h
+d1_meth.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+d1_meth.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+d1_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+d1_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+d1_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+d1_meth.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+d1_meth.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+d1_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+d1_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+d1_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+d1_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+d1_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+d1_meth.o: ../include/openssl/x509_vfy.h d1_meth.c ssl_locl.h
 d1_pkt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 d1_pkt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 d1_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -232,19 +235,20 @@ d1_pkt.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 d1_pkt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 d1_pkt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 d1_pkt.o: ../include/openssl/err.h ../include/openssl/evp.h
-d1_pkt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-d1_pkt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-d1_pkt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-d1_pkt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-d1_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-d1_pkt.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-d1_pkt.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-d1_pkt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-d1_pkt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-d1_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-d1_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-d1_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-d1_pkt.o: ../include/openssl/x509_vfy.h d1_pkt.c ssl_locl.h
+d1_pkt.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+d1_pkt.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+d1_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+d1_pkt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+d1_pkt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+d1_pkt.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+d1_pkt.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+d1_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+d1_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+d1_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+d1_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+d1_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+d1_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_pkt.c
+d1_pkt.o: ssl_locl.h
 d1_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 d1_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 d1_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -252,38 +256,40 @@ d1_srvr.o: ../include/openssl/dh.h ../include/openssl/dsa.h
 d1_srvr.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
 d1_srvr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
 d1_srvr.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-d1_srvr.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-d1_srvr.o: ../include/openssl/lhash.h ../include/openssl/md5.h
-d1_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-d1_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-d1_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-d1_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-d1_srvr.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-d1_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-d1_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-d1_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-d1_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-d1_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-d1_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-d1_srvr.o: ../include/openssl/x509_vfy.h d1_srvr.c ssl_locl.h
+d1_srvr.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+d1_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+d1_srvr.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
+d1_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+d1_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+d1_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+d1_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+d1_srvr.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+d1_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+d1_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+d1_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+d1_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+d1_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+d1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_srvr.c
+d1_srvr.o: ssl_locl.h
 kssl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 kssl.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 kssl.o: ../include/openssl/comp.h ../include/openssl/crypto.h
 kssl.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
 kssl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
 kssl.o: ../include/openssl/ecdsa.h ../include/openssl/evp.h
-kssl.o: ../include/openssl/krb5_asn.h ../include/openssl/kssl.h
-kssl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-kssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-kssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-kssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-kssl.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-kssl.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-kssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-kssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-kssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-kssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-kssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h kssl.c
+kssl.o: ../include/openssl/hmac.h ../include/openssl/krb5_asn.h
+kssl.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+kssl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+kssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+kssl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+kssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+kssl.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+kssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+kssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+kssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+kssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+kssl.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+kssl.o: ../include/openssl/x509_vfy.h kssl.c
 s23_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s23_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s23_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -291,19 +297,20 @@ s23_clnt.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 s23_clnt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s23_clnt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s23_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h
-s23_clnt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s23_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s23_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s23_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s23_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s23_clnt.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-s23_clnt.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-s23_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s23_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s23_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s23_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s23_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s23_clnt.o: ../include/openssl/x509_vfy.h s23_clnt.c ssl_locl.h
+s23_clnt.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s23_clnt.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s23_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s23_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s23_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s23_clnt.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+s23_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s23_clnt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s23_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s23_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s23_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s23_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_clnt.c
+s23_clnt.o: ssl_locl.h
 s23_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s23_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s23_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -311,19 +318,19 @@ s23_lib.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 s23_lib.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s23_lib.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s23_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
-s23_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s23_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s23_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s23_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s23_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s23_lib.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-s23_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s23_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s23_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s23_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s23_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s23_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_lib.c
-s23_lib.o: ssl_locl.h
+s23_lib.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s23_lib.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s23_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s23_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s23_lib.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s23_lib.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+s23_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s23_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s23_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s23_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s23_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s23_lib.o: ../include/openssl/x509_vfy.h s23_lib.c ssl_locl.h
 s23_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s23_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s23_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -331,19 +338,19 @@ s23_meth.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 s23_meth.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s23_meth.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s23_meth.o: ../include/openssl/err.h ../include/openssl/evp.h
-s23_meth.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s23_meth.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s23_meth.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s23_meth.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s23_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s23_meth.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-s23_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s23_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s23_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s23_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s23_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s23_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_meth.c
-s23_meth.o: ssl_locl.h
+s23_meth.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s23_meth.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s23_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s23_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s23_meth.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s23_meth.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+s23_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s23_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s23_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s23_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s23_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s23_meth.o: ../include/openssl/x509_vfy.h s23_meth.c ssl_locl.h
 s23_pkt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s23_pkt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s23_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -351,19 +358,19 @@ s23_pkt.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 s23_pkt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s23_pkt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s23_pkt.o: ../include/openssl/err.h ../include/openssl/evp.h
-s23_pkt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s23_pkt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s23_pkt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s23_pkt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s23_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s23_pkt.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-s23_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s23_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s23_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s23_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s23_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s23_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_pkt.c
-s23_pkt.o: ssl_locl.h
+s23_pkt.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s23_pkt.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s23_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_pkt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s23_pkt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s23_pkt.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s23_pkt.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+s23_pkt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s23_pkt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s23_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s23_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s23_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s23_pkt.o: ../include/openssl/x509_vfy.h s23_pkt.c ssl_locl.h
 s23_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s23_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s23_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -371,19 +378,20 @@ s23_srvr.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 s23_srvr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s23_srvr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s23_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h
-s23_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s23_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s23_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s23_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s23_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s23_srvr.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-s23_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-s23_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s23_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s23_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s23_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s23_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s23_srvr.o: ../include/openssl/x509_vfy.h s23_srvr.c ssl_locl.h
+s23_srvr.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s23_srvr.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s23_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s23_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s23_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s23_srvr.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+s23_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s23_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s23_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s23_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s23_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s23_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_srvr.c
+s23_srvr.o: ssl_locl.h
 s2_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s2_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s2_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -391,19 +399,20 @@ s2_clnt.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 s2_clnt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s2_clnt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s2_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h
-s2_clnt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s2_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s2_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s2_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s2_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s2_clnt.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-s2_clnt.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-s2_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s2_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s2_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s2_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s2_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s2_clnt.o: ../include/openssl/x509_vfy.h s2_clnt.c ssl_locl.h
+s2_clnt.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s2_clnt.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s2_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s2_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s2_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s2_clnt.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+s2_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_clnt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s2_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_clnt.c
+s2_clnt.o: ssl_locl.h
 s2_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s2_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s2_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -411,19 +420,19 @@ s2_enc.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 s2_enc.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s2_enc.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s2_enc.o: ../include/openssl/err.h ../include/openssl/evp.h
-s2_enc.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s2_enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s2_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s2_enc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s2_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s2_enc.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-s2_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s2_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s2_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s2_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s2_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s2_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_enc.c
-s2_enc.o: ssl_locl.h
+s2_enc.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s2_enc.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s2_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s2_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s2_enc.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s2_enc.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+s2_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s2_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s2_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s2_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s2_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_enc.o: ../include/openssl/x509_vfy.h s2_enc.c ssl_locl.h
 s2_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s2_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s2_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -431,19 +440,20 @@ s2_lib.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 s2_lib.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s2_lib.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s2_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
-s2_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s2_lib.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
-s2_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s2_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s2_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s2_lib.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-s2_lib.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
-s2_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s2_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s2_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s2_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s2_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s2_lib.o: ../include/openssl/x509_vfy.h s2_lib.c ssl_locl.h
+s2_lib.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s2_lib.o: ../include/openssl/lhash.h ../include/openssl/md5.h
+s2_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s2_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s2_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s2_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_lib.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s2_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s2_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_lib.c
+s2_lib.o: ssl_locl.h
 s2_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s2_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s2_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -451,19 +461,19 @@ s2_meth.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 s2_meth.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s2_meth.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s2_meth.o: ../include/openssl/err.h ../include/openssl/evp.h
-s2_meth.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s2_meth.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s2_meth.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s2_meth.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s2_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s2_meth.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-s2_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s2_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s2_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s2_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s2_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s2_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_meth.c
-s2_meth.o: ssl_locl.h
+s2_meth.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s2_meth.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s2_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s2_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s2_meth.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s2_meth.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+s2_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s2_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s2_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s2_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s2_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_meth.o: ../include/openssl/x509_vfy.h s2_meth.c ssl_locl.h
 s2_pkt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s2_pkt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s2_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -471,19 +481,19 @@ s2_pkt.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 s2_pkt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s2_pkt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s2_pkt.o: ../include/openssl/err.h ../include/openssl/evp.h
-s2_pkt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s2_pkt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s2_pkt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s2_pkt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s2_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s2_pkt.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-s2_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s2_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s2_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s2_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s2_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_pkt.c
-s2_pkt.o: ssl_locl.h
+s2_pkt.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s2_pkt.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s2_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_pkt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s2_pkt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s2_pkt.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s2_pkt.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+s2_pkt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s2_pkt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s2_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s2_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s2_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_pkt.o: ../include/openssl/x509_vfy.h s2_pkt.c ssl_locl.h
 s2_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s2_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s2_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -491,19 +501,20 @@ s2_srvr.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 s2_srvr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s2_srvr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s2_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h
-s2_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s2_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s2_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s2_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s2_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s2_srvr.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-s2_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-s2_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s2_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s2_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s2_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s2_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s2_srvr.o: ../include/openssl/x509_vfy.h s2_srvr.c ssl_locl.h
+s2_srvr.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s2_srvr.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s2_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s2_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s2_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s2_srvr.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+s2_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s2_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_srvr.c
+s2_srvr.o: ssl_locl.h
 s3_both.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_both.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s3_both.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -511,27 +522,29 @@ s3_both.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 s3_both.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s3_both.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s3_both.o: ../include/openssl/err.h ../include/openssl/evp.h
-s3_both.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s3_both.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s3_both.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s3_both.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s3_both.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s3_both.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-s3_both.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-s3_both.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s3_both.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s3_both.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s3_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s3_both.o: ../include/openssl/x509_vfy.h s3_both.c ssl_locl.h
+s3_both.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s3_both.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s3_both.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_both.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s3_both.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s3_both.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s3_both.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+s3_both.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_both.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_both.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_both.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_both.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s3_both.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s3_both.c
+s3_both.o: ssl_locl.h
 s3_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
 s3_clnt.o: ../include/openssl/dh.h ../include/openssl/dsa.h
 s3_clnt.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
 s3_clnt.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s3_clnt.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-s3_clnt.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+s3_clnt.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+s3_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h
+s3_clnt.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
 s3_clnt.o: ../include/openssl/lhash.h ../include/openssl/md5.h
 s3_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
 s3_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
@@ -552,19 +565,20 @@ s3_enc.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 s3_enc.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s3_enc.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s3_enc.o: ../include/openssl/err.h ../include/openssl/evp.h
-s3_enc.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s3_enc.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
-s3_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s3_enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s3_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s3_enc.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-s3_enc.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
-s3_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s3_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s3_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s3_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s3_enc.o: ../include/openssl/x509_vfy.h s3_enc.c ssl_locl.h
+s3_enc.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s3_enc.o: ../include/openssl/lhash.h ../include/openssl/md5.h
+s3_enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s3_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s3_enc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s3_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_enc.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s3_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s3_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s3_enc.c
+s3_enc.o: ssl_locl.h
 s3_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s3_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -572,20 +586,20 @@ s3_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h
 s3_lib.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
 s3_lib.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
 s3_lib.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-s3_lib.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-s3_lib.o: ../include/openssl/lhash.h ../include/openssl/md5.h
-s3_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s3_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s3_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s3_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s3_lib.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-s3_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s3_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s3_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s3_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s3_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s3_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h kssl_lcl.h
-s3_lib.o: s3_lib.c ssl_locl.h
+s3_lib.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+s3_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s3_lib.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
+s3_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s3_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s3_lib.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s3_lib.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+s3_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s3_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_lib.o: ../include/openssl/x509_vfy.h kssl_lcl.h s3_lib.c ssl_locl.h
 s3_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s3_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -593,19 +607,19 @@ s3_meth.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 s3_meth.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s3_meth.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s3_meth.o: ../include/openssl/err.h ../include/openssl/evp.h
-s3_meth.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s3_meth.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s3_meth.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s3_meth.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s3_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s3_meth.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-s3_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s3_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s3_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s3_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s3_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s3_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s3_meth.c
-s3_meth.o: ssl_locl.h
+s3_meth.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s3_meth.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s3_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s3_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s3_meth.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s3_meth.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+s3_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s3_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_meth.o: ../include/openssl/x509_vfy.h s3_meth.c ssl_locl.h
 s3_pkt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_pkt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s3_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -613,19 +627,19 @@ s3_pkt.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 s3_pkt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 s3_pkt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 s3_pkt.o: ../include/openssl/err.h ../include/openssl/evp.h
-s3_pkt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s3_pkt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s3_pkt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s3_pkt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s3_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s3_pkt.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-s3_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s3_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s3_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s3_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s3_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s3_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s3_pkt.c
-s3_pkt.o: ssl_locl.h
+s3_pkt.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s3_pkt.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s3_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_pkt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s3_pkt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s3_pkt.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s3_pkt.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+s3_pkt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_pkt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s3_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_pkt.o: ../include/openssl/x509_vfy.h s3_pkt.c ssl_locl.h
 s3_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s3_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -655,19 +669,19 @@ ssl_algs.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 ssl_algs.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 ssl_algs.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 ssl_algs.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_algs.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-ssl_algs.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ssl_algs.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ssl_algs.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-ssl_algs.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ssl_algs.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-ssl_algs.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_algs.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ssl_algs.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_algs.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_algs.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_algs.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_algs.c
-ssl_algs.o: ssl_locl.h
+ssl_algs.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+ssl_algs.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+ssl_algs.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_algs.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ssl_algs.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_algs.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+ssl_algs.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+ssl_algs.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_algs.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_algs.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_algs.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_algs.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_algs.o: ../include/openssl/x509_vfy.h ssl_algs.c ssl_locl.h
 ssl_asn1.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/asn1_mac.h
 ssl_asn1.o: ../include/openssl/bio.h ../include/openssl/bn.h
 ssl_asn1.o: ../include/openssl/buffer.h ../include/openssl/comp.h
@@ -675,19 +689,20 @@ ssl_asn1.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
 ssl_asn1.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
 ssl_asn1.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
 ssl_asn1.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-ssl_asn1.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-ssl_asn1.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ssl_asn1.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_asn1.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssl_asn1.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_asn1.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-ssl_asn1.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
-ssl_asn1.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ssl_asn1.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_asn1.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssl_asn1.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_asn1.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_asn1.o: ../include/openssl/x509_vfy.h ssl_asn1.c ssl_locl.h
+ssl_asn1.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+ssl_asn1.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+ssl_asn1.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_asn1.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_asn1.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_asn1.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_asn1.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+ssl_asn1.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_asn1.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_asn1.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_asn1.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_asn1.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_asn1.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_asn1.c
+ssl_asn1.o: ssl_locl.h
 ssl_cert.o: ../crypto/o_dir.h ../e_os.h ../include/openssl/asn1.h
 ssl_cert.o: ../include/openssl/bio.h ../include/openssl/bn.h
 ssl_cert.o: ../include/openssl/buffer.h ../include/openssl/comp.h
@@ -696,20 +711,20 @@ ssl_cert.o: ../include/openssl/dh.h ../include/openssl/dsa.h
 ssl_cert.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
 ssl_cert.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
 ssl_cert.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-ssl_cert.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-ssl_cert.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ssl_cert.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_cert.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssl_cert.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_cert.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-ssl_cert.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
-ssl_cert.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ssl_cert.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_cert.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssl_cert.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_cert.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_cert.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h
-ssl_cert.o: ssl_cert.c ssl_locl.h
+ssl_cert.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+ssl_cert.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+ssl_cert.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_cert.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_cert.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_cert.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_cert.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+ssl_cert.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_cert.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_cert.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_cert.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_cert.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_cert.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl_cert.o: ../include/openssl/x509v3.h ssl_cert.c ssl_locl.h
 ssl_ciph.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_ciph.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 ssl_ciph.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -717,55 +732,57 @@ ssl_ciph.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 ssl_ciph.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 ssl_ciph.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 ssl_ciph.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_ciph.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-ssl_ciph.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ssl_ciph.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ssl_ciph.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-ssl_ciph.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ssl_ciph.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-ssl_ciph.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_ciph.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ssl_ciph.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_ciph.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_ciph.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_ciph.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_ciph.c
-ssl_ciph.o: ssl_locl.h
+ssl_ciph.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+ssl_ciph.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+ssl_ciph.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_ciph.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ssl_ciph.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_ciph.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+ssl_ciph.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+ssl_ciph.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_ciph.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_ciph.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_ciph.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_ciph.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_ciph.o: ../include/openssl/x509_vfy.h ssl_ciph.c ssl_locl.h
 ssl_err.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_err.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 ssl_err.o: ../include/openssl/comp.h ../include/openssl/crypto.h
 ssl_err.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
 ssl_err.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
 ssl_err.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-ssl_err.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-ssl_err.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ssl_err.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_err.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssl_err.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_err.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-ssl_err.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-ssl_err.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ssl_err.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_err.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_err.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_err.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_err.c
+ssl_err.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+ssl_err.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+ssl_err.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_err.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_err.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_err.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_err.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+ssl_err.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_err.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_err.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_err.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_err.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_err.o: ../include/openssl/x509_vfy.h ssl_err.c
 ssl_err2.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_err2.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 ssl_err2.o: ../include/openssl/comp.h ../include/openssl/crypto.h
 ssl_err2.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
 ssl_err2.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
 ssl_err2.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-ssl_err2.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-ssl_err2.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ssl_err2.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_err2.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssl_err2.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_err2.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-ssl_err2.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-ssl_err2.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ssl_err2.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_err2.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_err2.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_err2.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_err2.c
+ssl_err2.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+ssl_err2.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+ssl_err2.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_err2.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_err2.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_err2.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_err2.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+ssl_err2.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_err2.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_err2.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_err2.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_err2.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_err2.o: ../include/openssl/x509_vfy.h ssl_err2.c
 ssl_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 ssl_lib.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -773,7 +790,8 @@ ssl_lib.o: ../include/openssl/crypto.h ../include/openssl/dh.h
 ssl_lib.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 ssl_lib.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 ssl_lib.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
-ssl_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_lib.o: ../include/openssl/engine.h ../include/openssl/err.h
+ssl_lib.o: ../include/openssl/evp.h ../include/openssl/hmac.h
 ssl_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
 ssl_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
 ssl_lib.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
@@ -795,26 +813,27 @@ ssl_rsa.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 ssl_rsa.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 ssl_rsa.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 ssl_rsa.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_rsa.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-ssl_rsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ssl_rsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ssl_rsa.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-ssl_rsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ssl_rsa.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-ssl_rsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_rsa.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ssl_rsa.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_rsa.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_rsa.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-ssl_rsa.o: ssl_rsa.c
+ssl_rsa.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+ssl_rsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+ssl_rsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_rsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ssl_rsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_rsa.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+ssl_rsa.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+ssl_rsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_rsa.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_rsa.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_rsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_rsa.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_rsa.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_rsa.c
 ssl_sess.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_sess.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 ssl_sess.o: ../include/openssl/comp.h ../include/openssl/crypto.h
 ssl_sess.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 ssl_sess.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 ssl_sess.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
-ssl_sess.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_sess.o: ../include/openssl/engine.h ../include/openssl/err.h
+ssl_sess.o: ../include/openssl/evp.h ../include/openssl/hmac.h
 ssl_sess.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
 ssl_sess.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
 ssl_sess.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
@@ -835,19 +854,19 @@ ssl_stat.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 ssl_stat.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 ssl_stat.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 ssl_stat.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_stat.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-ssl_stat.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ssl_stat.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ssl_stat.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-ssl_stat.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ssl_stat.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-ssl_stat.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_stat.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ssl_stat.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_stat.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_stat.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_stat.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-ssl_stat.o: ssl_stat.c
+ssl_stat.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+ssl_stat.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+ssl_stat.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_stat.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ssl_stat.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_stat.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+ssl_stat.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+ssl_stat.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_stat.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_stat.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_stat.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_stat.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_stat.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_stat.c
 ssl_txt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_txt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 ssl_txt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -855,19 +874,19 @@ ssl_txt.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 ssl_txt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 ssl_txt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 ssl_txt.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_txt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-ssl_txt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ssl_txt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ssl_txt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-ssl_txt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ssl_txt.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-ssl_txt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_txt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ssl_txt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_txt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_txt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_txt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-ssl_txt.o: ssl_txt.c
+ssl_txt.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+ssl_txt.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+ssl_txt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_txt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ssl_txt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_txt.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+ssl_txt.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+ssl_txt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_txt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_txt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_txt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_txt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_txt.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_txt.c
 t1_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 t1_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 t1_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -875,19 +894,20 @@ t1_clnt.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 t1_clnt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 t1_clnt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 t1_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h
-t1_clnt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-t1_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-t1_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-t1_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-t1_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-t1_clnt.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-t1_clnt.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-t1_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-t1_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-t1_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-t1_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-t1_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-t1_clnt.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_clnt.c
+t1_clnt.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+t1_clnt.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+t1_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+t1_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+t1_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+t1_clnt.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+t1_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+t1_clnt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+t1_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+t1_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+t1_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+t1_clnt.o: t1_clnt.c
 t1_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 t1_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 t1_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -938,19 +958,19 @@ t1_meth.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 t1_meth.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 t1_meth.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 t1_meth.o: ../include/openssl/err.h ../include/openssl/evp.h
-t1_meth.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-t1_meth.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-t1_meth.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-t1_meth.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-t1_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-t1_meth.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-t1_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-t1_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-t1_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-t1_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-t1_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-t1_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-t1_meth.o: t1_meth.c
+t1_meth.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+t1_meth.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+t1_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+t1_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+t1_meth.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+t1_meth.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+t1_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+t1_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+t1_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+t1_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+t1_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_meth.c
 t1_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 t1_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 t1_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -958,16 +978,17 @@ t1_srvr.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 t1_srvr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 t1_srvr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 t1_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h
-t1_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-t1_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-t1_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-t1_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-t1_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-t1_srvr.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-t1_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-t1_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-t1_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-t1_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-t1_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-t1_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-t1_srvr.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_srvr.c
+t1_srvr.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+t1_srvr.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+t1_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+t1_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+t1_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+t1_srvr.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+t1_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+t1_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+t1_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+t1_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+t1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+t1_srvr.o: t1_srvr.c
diff --git a/src/lib/libssl/src/ssl/d1_clnt.c b/src/lib/libssl/src/ssl/d1_clnt.c
index 5e59dc845a..49c6760d19 100644
--- a/src/lib/libssl/src/ssl/d1_clnt.c
+++ b/src/lib/libssl/src/ssl/d1_clnt.c
@@ -1095,8 +1095,7 @@ int dtls1_send_client_certificate(SSL *s)
                  * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
                  * We then get retied later */
                 i=0;
-                if (s->ctx->client_cert_cb != NULL)
-                        i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
+                i = ssl_do_client_cert_cb(s, &x509, &pkey);
                 if (i < 0)
                         {
                         s->rwstate=SSL_X509_LOOKUP;
diff --git a/src/lib/libssl/src/ssl/d1_pkt.c b/src/lib/libssl/src/ssl/d1_pkt.c
index 377696deac..b2765ba801 100644
--- a/src/lib/libssl/src/ssl/d1_pkt.c
+++ b/src/lib/libssl/src/ssl/d1_pkt.c
@@ -811,6 +811,14 @@ start:
              *  may be fragmented--don't always expect dest_maxlen bytes */
                         if ( rr->length < dest_maxlen)
                                 {
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+                                /*
+                                 * for normal alerts rr->length is 2, while
+                                 * dest_maxlen is 7 if we were to handle this
+                                 * non-existing alert...
+                                 */
+                                FIX ME
+#endif
                                 s->rstate=SSL_ST_READ_HEADER;
                                 rr->length = 0;
                                 goto start;
@@ -1251,7 +1259,7 @@ int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len)
         else 
                 s->s3->wnum += i;
 
-        return tot + i;
+        return i;
         }
 
 int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment)
@@ -1576,7 +1584,7 @@ int dtls1_dispatch_alert(SSL *s)
         {
         int i,j;
         void (*cb)(const SSL *ssl,int type,int val)=NULL;
-        unsigned char buf[2 + 2 + 3]; /* alert level + alert desc + message seq +frag_off */
+        unsigned char buf[DTLS1_AL_HEADER_LENGTH];
         unsigned char *ptr = &buf[0];
 
         s->s3->alert_dispatch=0;
@@ -1585,6 +1593,7 @@ int dtls1_dispatch_alert(SSL *s)
         *ptr++ = s->s3->send_alert[0];
         *ptr++ = s->s3->send_alert[1];
 
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
         if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
                 {       
                 s2n(s->d1->handshake_read_seq, ptr);
@@ -1600,6 +1609,7 @@ int dtls1_dispatch_alert(SSL *s)
 #endif
                 l2n3(s->d1->r_msg_hdr.frag_off, ptr);
                 }
+#endif
 
         i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0);
         if (i <= 0)
@@ -1609,8 +1619,11 @@ int dtls1_dispatch_alert(SSL *s)
                 }
         else
                 {
-                if ( s->s3->send_alert[0] == SSL3_AL_FATAL ||
-                        s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
+                if (s->s3->send_alert[0] == SSL3_AL_FATAL
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+                    || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+#endif
+                   )
                         (void)BIO_flush(s->wbio);
 
                 if (s->msg_callback)
diff --git a/src/lib/libssl/src/ssl/d1_srvr.c b/src/lib/libssl/src/ssl/d1_srvr.c
index 927b01f3c4..0bbf8ae7f3 100644
--- a/src/lib/libssl/src/ssl/d1_srvr.c
+++ b/src/lib/libssl/src/ssl/d1_srvr.c
@@ -732,7 +732,7 @@ int dtls1_send_server_hello(SSL *s)
 
                 d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l);
 
-                s->state=SSL3_ST_CW_CLNT_HELLO_B;
+                s->state=SSL3_ST_SW_SRVR_HELLO_B;
                 /* number of bytes to write */
                 s->init_num=p-buf;
                 s->init_off=0;
@@ -741,7 +741,7 @@ int dtls1_send_server_hello(SSL *s)
                 dtls1_buffer_message(s, 0);
                 }
 
-        /* SSL3_ST_CW_CLNT_HELLO_B */
+        /* SSL3_ST_SW_SRVR_HELLO_B */
         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
         }
 
@@ -765,7 +765,7 @@ int dtls1_send_server_done(SSL *s)
                 dtls1_buffer_message(s, 0);
                 }
 
-        /* SSL3_ST_CW_CLNT_HELLO_B */
+        /* SSL3_ST_SW_SRVR_DONE_B */
         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
         }
 
diff --git a/src/lib/libssl/src/ssl/dtls1.h b/src/lib/libssl/src/ssl/dtls1.h
index a663cf85f2..f159d37110 100644
--- a/src/lib/libssl/src/ssl/dtls1.h
+++ b/src/lib/libssl/src/ssl/dtls1.h
@@ -70,7 +70,10 @@ extern "C" {
 #define DTLS1_VERSION                   0xFEFF
 #define DTLS1_BAD_VER                   0x0100
 
+#if 0
+/* this alert description is not specified anywhere... */
 #define DTLS1_AD_MISSING_HANDSHAKE_MESSAGE    110
+#endif
 
 /* lengths of messages */
 #define DTLS1_COOKIE_LENGTH                     32
@@ -84,7 +87,11 @@ extern "C" {
 
 #define DTLS1_CCS_HEADER_LENGTH                  1
 
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
 #define DTLS1_AL_HEADER_LENGTH                   7
+#else
+#define DTLS1_AL_HEADER_LENGTH                   2
+#endif
 
 
 typedef struct dtls1_bitmap_st
diff --git a/src/lib/libssl/src/ssl/s23_clnt.c b/src/lib/libssl/src/ssl/s23_clnt.c
index c45a8e0a04..bc918170e1 100644
--- a/src/lib/libssl/src/ssl/s23_clnt.c
+++ b/src/lib/libssl/src/ssl/s23_clnt.c
@@ -257,6 +257,14 @@ static int ssl23_client_hello(SSL *s)
                         version_major = TLS1_VERSION_MAJOR;
                         version_minor = TLS1_VERSION_MINOR;
                         }
+#ifdef OPENSSL_FIPS
+                else if(FIPS_mode())
+                        {
+                        SSLerr(SSL_F_SSL23_CLIENT_HELLO,
+                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                        return -1;
+                        }
+#endif
                 else if (version == SSL3_VERSION)
                         {
                         version_major = SSL3_VERSION_MAJOR;
@@ -536,6 +544,14 @@ static int ssl23_get_server_hello(SSL *s)
                 if ((p[2] == SSL3_VERSION_MINOR) &&
                         !(s->options & SSL_OP_NO_SSLv3))
                         {
+#ifdef OPENSSL_FIPS
+                        if(FIPS_mode())
+                                {
+                                SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
+                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                                goto err;
+                                }
+#endif
                         s->version=SSL3_VERSION;
                         s->method=SSLv3_client_method();
                         }
diff --git a/src/lib/libssl/src/ssl/s23_srvr.c b/src/lib/libssl/src/ssl/s23_srvr.c
index 6637bb9549..ba06e7ae2e 100644
--- a/src/lib/libssl/src/ssl/s23_srvr.c
+++ b/src/lib/libssl/src/ssl/s23_srvr.c
@@ -386,6 +386,15 @@ int ssl23_get_client_hello(SSL *s)
                         }
                 }
 
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && (s->version < TLS1_VERSION))
+                {
+                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
+                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                goto err;
+                }
+#endif
+
         if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
                 {
                 /* we have SSLv3/TLSv1 in an SSLv2 header
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 9a87c1cfb3..9b823fddbd 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -130,10 +130,17 @@
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/md5.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
 #include <openssl/bn.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
 
 static SSL_METHOD *ssl3_get_client_method(int ver);
 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
@@ -1415,6 +1422,8 @@ int ssl3_get_key_exchange(SSL *s)
                         q=md_buf;
                         for (num=2; num > 0; num--)
                                 {
+                                EVP_MD_CTX_set_flags(&md_ctx,
+                                        EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
                                 EVP_DigestInit_ex(&md_ctx,(num == 2)
                                         ?s->ctx->md5:s->ctx->sha1, NULL);
                                 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
@@ -2061,12 +2070,12 @@ int ssl3_send_client_key_exchange(SSL *s)
                         {
                         DH *dh_srvr,*dh_clnt;
 
-                        if (s->session->sess_cert == NULL) 
-                                {
-                                ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
-                                goto err;
-                                }
+                        if (s->session->sess_cert == NULL) 
+                                {
+                                ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
+                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
+                                goto err;
+                                }
 
                         if (s->session->sess_cert->peer_dh_tmp != NULL)
                                 dh_srvr=s->session->sess_cert->peer_dh_tmp;
@@ -2448,8 +2457,7 @@ int ssl3_send_client_certificate(SSL *s)
                  * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
                  * We then get retied later */
                 i=0;
-                if (s->ctx->client_cert_cb != NULL)
-                        i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
+                i = ssl_do_client_cert_cb(s, &x509, &pkey);
                 if (i < 0)
                         {
                         s->rwstate=SSL_X509_LOOKUP;
@@ -2716,3 +2724,21 @@ static int ssl3_check_finished(SSL *s)
         return 1;
         }
 #endif
+
+int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
+        {
+        int i = 0;
+#ifndef OPENSSL_NO_ENGINE
+        if (s->ctx->client_cert_engine)
+                {
+                i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
+                                                SSL_get_client_CA_list(s),
+                                                px509, ppkey, NULL, NULL, NULL);
+                if (i != 0)
+                        return i;
+                }
+#endif
+        if (s->ctx->client_cert_cb)
+                i = s->ctx->client_cert_cb(s,px509,ppkey);
+        return i;
+        }
diff --git a/src/lib/libssl/src/ssl/s3_enc.c b/src/lib/libssl/src/ssl/s3_enc.c
index 2859351b00..06e54666b2 100644
--- a/src/lib/libssl/src/ssl/s3_enc.c
+++ b/src/lib/libssl/src/ssl/s3_enc.c
@@ -146,6 +146,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
 #endif
         k=0;
         EVP_MD_CTX_init(&m5);
+        EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
         EVP_MD_CTX_init(&s1);
         for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
                 {
@@ -518,6 +519,8 @@ int ssl3_enc(SSL *s, int send)
 
 void ssl3_init_finished_mac(SSL *s)
         {
+        EVP_MD_CTX_set_flags(&(s->s3->finish_dgst1),
+                EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
         EVP_DigestInit_ex(&(s->s3->finish_dgst1),s->ctx->md5, NULL);
         EVP_DigestInit_ex(&(s->s3->finish_dgst2),s->ctx->sha1, NULL);
         }
@@ -554,6 +557,7 @@ static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
         EVP_MD_CTX ctx;
 
         EVP_MD_CTX_init(&ctx);
+        EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
         EVP_MD_CTX_copy_ex(&ctx,in_ctx);
 
         n=EVP_MD_CTX_size(&ctx);
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index bdbcd44f27..8916a0b1b3 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -158,7 +158,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL3_TXT_RSA_NULL_SHA,
         SSL3_CK_RSA_NULL_SHA,
         SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_STRONG_NONE,
+        SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
         0,
         0,
         0,
@@ -264,7 +264,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL3_TXT_RSA_DES_192_CBC3_SHA,
         SSL3_CK_RSA_DES_192_CBC3_SHA,
         SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         168,
         168,
@@ -304,7 +304,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
         SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
         SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         168,
         168,
@@ -343,7 +343,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
         SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
         SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         168,
         168,
@@ -384,7 +384,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
         SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
         SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         168,
         168,
@@ -423,7 +423,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
         SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
         SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         168,
         168,
@@ -488,7 +488,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL3_TXT_ADH_DES_192_CBC_SHA,
         SSL3_CK_ADH_DES_192_CBC_SHA,
         SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         168,
         168,
@@ -563,7 +563,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL3_TXT_KRB5_DES_192_CBC3_SHA,
         SSL3_CK_KRB5_DES_192_CBC3_SHA,
         SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_SHA1  |SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         168,
         168,
@@ -747,7 +747,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_RSA_WITH_AES_128_SHA,
         TLS1_CK_RSA_WITH_AES_128_SHA,
         SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         128,
         128,
@@ -760,7 +760,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
         TLS1_CK_DH_DSS_WITH_AES_128_SHA,
         SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         128,
         128,
@@ -773,7 +773,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
         TLS1_CK_DH_RSA_WITH_AES_128_SHA,
         SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         128,
         128,
@@ -786,7 +786,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
         TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
         SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         128,
         128,
@@ -799,7 +799,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
         TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
         SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         128,
         128,
@@ -812,7 +812,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_ADH_WITH_AES_128_SHA,
         TLS1_CK_ADH_WITH_AES_128_SHA,
         SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         128,
         128,
@@ -826,7 +826,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_RSA_WITH_AES_256_SHA,
         TLS1_CK_RSA_WITH_AES_256_SHA,
         SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         256,
         256,
@@ -839,7 +839,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
         TLS1_CK_DH_DSS_WITH_AES_256_SHA,
         SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         256,
         256,
@@ -852,7 +852,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
         TLS1_CK_DH_RSA_WITH_AES_256_SHA,
         SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         256,
         256,
@@ -865,7 +865,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
         TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
         SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         256,
         256,
@@ -878,7 +878,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
         TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
         SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         256,
         256,
@@ -891,7 +891,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         TLS1_TXT_ADH_WITH_AES_256_SHA,
         TLS1_CK_ADH_WITH_AES_256_SHA,
         SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
         0,
         256,
         256,
diff --git a/src/lib/libssl/src/ssl/s3_pkt.c b/src/lib/libssl/src/ssl/s3_pkt.c
index 44c7c143fe..72853a2e72 100644
--- a/src/lib/libssl/src/ssl/s3_pkt.c
+++ b/src/lib/libssl/src/ssl/s3_pkt.c
@@ -1225,6 +1225,13 @@ int ssl3_do_change_cipher_spec(SSL *s)
 
         if (s->s3->tmp.key_block == NULL)
                 {
+                if (s->session == NULL) 
+                        {
+                        /* might happen if dtls1_read_bytes() calls this */
+                        SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
+                        return (0);
+                        }
+
                 s->session->cipher=s->s3->tmp.new_cipher;
                 if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
                 }
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 903522ab59..398ce469d6 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1172,13 +1172,13 @@ int ssl3_send_server_hello(SSL *s)
                 *(d++)=SSL3_MT_SERVER_HELLO;
                 l2n3(l,d);
 
-                s->state=SSL3_ST_CW_CLNT_HELLO_B;
+                s->state=SSL3_ST_SW_SRVR_HELLO_B;
                 /* number of bytes to write */
                 s->init_num=p-buf;
                 s->init_off=0;
                 }
 
-        /* SSL3_ST_CW_CLNT_HELLO_B */
+        /* SSL3_ST_SW_SRVR_HELLO_B */
         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
         }
 
@@ -1202,7 +1202,7 @@ int ssl3_send_server_done(SSL *s)
                 s->init_off=0;
                 }
 
-        /* SSL3_ST_CW_CLNT_HELLO_B */
+        /* SSL3_ST_SW_SRVR_DONE_B */
         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
         }
 
@@ -1540,6 +1540,8 @@ int ssl3_send_server_key_exchange(SSL *s)
                                 j=0;
                                 for (num=2; num > 0; num--)
                                         {
+                                        EVP_MD_CTX_set_flags(&md_ctx,
+                                                EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
                                         EVP_DigestInit_ex(&md_ctx,(num == 2)
                                                 ?s->ctx->md5:s->ctx->sha1, NULL);
                                         EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h
index 6df921f3c1..ff8a128d3c 100644
--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -252,6 +252,7 @@ extern "C" {
 #define SSL_TXT_LOW             "LOW"
 #define SSL_TXT_MEDIUM          "MEDIUM"
 #define SSL_TXT_HIGH            "HIGH"
+#define SSL_TXT_FIPS            "FIPS"
 #define SSL_TXT_kFZA            "kFZA"
 #define SSL_TXT_aFZA            "aFZA"
 #define SSL_TXT_eFZA            "eFZA"
@@ -361,9 +362,6 @@ typedef struct ssl_cipher_st
 
 DECLARE_STACK_OF(SSL_CIPHER)
 
-typedef struct ssl_st SSL;
-typedef struct ssl_ctx_st SSL_CTX;
-
 /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
 typedef struct ssl_method_st
         {
@@ -760,6 +758,12 @@ struct ssl_ctx_st
 
         int quiet_shutdown;
 
+#ifndef OPENSSL_ENGINE
+        /* Engine to pass requests for client certs to
+         */
+        ENGINE *client_cert_engine;
+#endif
+
 #ifndef OPENSSL_NO_TLSEXT
         /* TLS extensions servername callback */
         int (*tlsext_servername_callback)(SSL*, int *, void *);
@@ -829,6 +833,9 @@ void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,int type,
 void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val);
 void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
 int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
+#ifndef OPENSSL_NO_ENGINE
+int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
+#endif
 void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len));
 void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len));
 
@@ -1702,6 +1709,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL3_CONNECT                               132
 #define SSL_F_SSL3_CTRL                                  213
 #define SSL_F_SSL3_CTX_CTRL                              133
+#define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC                 279
 #define SSL_F_SSL3_ENC                                   134
 #define SSL_F_SSL3_GENERATE_KEY_BLOCK                    238
 #define SSL_F_SSL3_GET_CERTIFICATE_REQUEST               135
@@ -1755,6 +1763,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY                  168
 #define SSL_F_SSL_CTX_NEW                                169
 #define SSL_F_SSL_CTX_SET_CIPHER_LIST                    269
+#define SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE             278
 #define SSL_F_SSL_CTX_SET_PURPOSE                        226
 #define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT             219
 #define SSL_F_SSL_CTX_SET_SSL_VERSION                    170
@@ -1935,6 +1944,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_NO_CIPHERS_SPECIFIED                       183
 #define SSL_R_NO_CIPHER_LIST                             184
 #define SSL_R_NO_CIPHER_MATCH                            185
+#define SSL_R_NO_CLIENT_CERT_METHOD                      317
 #define SSL_R_NO_CLIENT_CERT_RECEIVED                    186
 #define SSL_R_NO_COMPRESSION_SPECIFIED                   187
 #define SSL_R_NO_METHOD_SPECIFIED                        188
diff --git a/src/lib/libssl/src/ssl/ssl_asn1.c b/src/lib/libssl/src/ssl/ssl_asn1.c
index 6e14f4d834..0f9a3489dd 100644
--- a/src/lib/libssl/src/ssl/ssl_asn1.c
+++ b/src/lib/libssl/src/ssl/ssl_asn1.c
@@ -353,7 +353,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
         memcpy(ret->session_id,os.data,os.length);
 
         M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
-        if (ret->master_key_length > SSL_MAX_MASTER_KEY_LENGTH)
+        if (os.length > SSL_MAX_MASTER_KEY_LENGTH)
                 ret->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
         else
                 ret->master_key_length=os.length;
diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c
index 71b645da14..514292a03e 100644
--- a/src/lib/libssl/src/ssl/ssl_ciph.c
+++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -222,6 +222,7 @@ static const SSL_CIPHER cipher_aliases[]={
         {0,SSL_TXT_LOW,   0, 0,   SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
         {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
         {0,SSL_TXT_HIGH,  0, 0,  SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
+        {0,SSL_TXT_FIPS,  0, 0,  SSL_FIPS, 0,0,0,0,SSL_FIPS|SSL_STRONG_NONE},
         };
 
 void ssl_load_ciphers(void)
@@ -515,7 +516,12 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
                 c = ssl_method->get_cipher(i);
 #define IS_MASKED(c) ((c)->algorithms & (((c)->alg_bits == 256) ? m256 : mask))
                 /* drop those that use any of that is not available */
+#ifdef OPENSSL_FIPS
+                if ((c != NULL) && c->valid && !IS_MASKED(c)
+                        && (!FIPS_mode() || (c->algo_strength & SSL_FIPS)))
+#else
                 if ((c != NULL) && c->valid && !IS_MASKED(c))
+#endif
                         {
                         co_list[co_list_num].cipher = c;
                         co_list[co_list_num].next = NULL;
@@ -1054,7 +1060,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
          */
         for (curr = head; curr != NULL; curr = curr->next)
                 {
+#ifdef OPENSSL_FIPS
+                if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
+#else
                 if (curr->active)
+#endif
                         {
                         sk_SSL_CIPHER_push(cipherstack, curr->cipher);
 #ifdef CIPHER_DEBUG
diff --git a/src/lib/libssl/src/ssl/ssl_err.c b/src/lib/libssl/src/ssl/ssl_err.c
index 50779c1632..24a994fe01 100644
--- a/src/lib/libssl/src/ssl/ssl_err.c
+++ b/src/lib/libssl/src/ssl/ssl_err.c
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -138,6 +138,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL3_CONNECT),  "SSL3_CONNECT"},
 {ERR_FUNC(SSL_F_SSL3_CTRL),     "SSL3_CTRL"},
 {ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "SSL3_CTX_CTRL"},
+{ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC),    "SSL3_DO_CHANGE_CIPHER_SPEC"},
 {ERR_FUNC(SSL_F_SSL3_ENC),      "SSL3_ENC"},
 {ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK),       "SSL3_GENERATE_KEY_BLOCK"},
 {ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST),  "SSL3_GET_CERTIFICATE_REQUEST"},
@@ -191,6 +192,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY),     "SSL_CTX_check_private_key"},
 {ERR_FUNC(SSL_F_SSL_CTX_NEW),   "SSL_CTX_new"},
 {ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST),       "SSL_CTX_set_cipher_list"},
+{ERR_FUNC(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE),        "SSL_CTX_set_client_cert_engine"},
 {ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE),   "SSL_CTX_set_purpose"},
 {ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT),        "SSL_CTX_set_session_id_context"},
 {ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION),       "SSL_CTX_set_ssl_version"},
@@ -374,6 +376,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED)  ,"no ciphers specified"},
 {ERR_REASON(SSL_R_NO_CIPHER_LIST)        ,"no cipher list"},
 {ERR_REASON(SSL_R_NO_CIPHER_MATCH)       ,"no cipher match"},
+{ERR_REASON(SSL_R_NO_CLIENT_CERT_METHOD) ,"no client cert method"},
 {ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED),"no client cert received"},
 {ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"},
 {ERR_REASON(SSL_R_NO_METHOD_SPECIFIED)   ,"no method specified"},
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 31f6318357..1ac7d6f951 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -130,6 +130,9 @@
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
 
 const char *SSL_version_str=OPENSSL_VERSION_TEXT;
 
@@ -1390,6 +1393,14 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
                 return(NULL);
                 }
 
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && (meth->version < TLS1_VERSION))      
+                {
+                SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                return NULL;
+                }
+#endif
+
         if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
                 {
                 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
@@ -1510,6 +1521,27 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
 
 #endif
 
+#ifndef OPENSSL_NO_ENGINE
+        ret->client_cert_engine = NULL;
+#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
+#define eng_strx(x)     #x
+#define eng_str(x)      eng_strx(x)
+        /* Use specific client engine automatically... ignore errors */
+        {
+        ENGINE *eng;
+        eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
+        if (!eng)
+                {
+                ERR_clear_error();
+                ENGINE_load_builtin_engines();
+                eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
+                }
+        if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
+                ERR_clear_error();
+        }
+#endif
+#endif
+
         return(ret);
 err:
         SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
@@ -1580,6 +1612,10 @@ void SSL_CTX_free(SSL_CTX *a)
 #else
         a->comp_methods = NULL;
 #endif
+#ifndef OPENSSL_NO_ENGINE
+        if (a->client_cert_engine)
+                ENGINE_finish(a->client_cert_engine);
+#endif
         OPENSSL_free(a);
         }
 
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index de94c0d0c7..735db39713 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -330,8 +330,9 @@
 #define SSL_LOW                 0x00000020L
 #define SSL_MEDIUM              0x00000040L
 #define SSL_HIGH                0x00000080L
+#define SSL_FIPS                0x00000100L
 
-/* we have used 000000ff - 24 bits left to go */
+/* we have used 000001ff - 23 bits left to go */
 
 /*
  * Macros to check the export status and cipher strength for export ciphers.
@@ -874,6 +875,7 @@ int ssl3_get_new_session_ticket(SSL *s);
 int ssl3_get_cert_status(SSL *s);
 int ssl3_get_server_done(SSL *s);
 int ssl3_send_client_verify(SSL *s);
+int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
 int ssl3_send_client_certificate(SSL *s);
 int ssl3_send_client_key_exchange(SSL *s);
 int ssl3_get_key_exchange(SSL *s);
diff --git a/src/lib/libssl/src/ssl/ssl_sess.c b/src/lib/libssl/src/ssl/ssl_sess.c
index ee88be2b88..8391d62212 100644
--- a/src/lib/libssl/src/ssl/ssl_sess.c
+++ b/src/lib/libssl/src/ssl/ssl_sess.c
@@ -59,6 +59,9 @@
 #include <stdio.h>
 #include <openssl/lhash.h>
 #include <openssl/rand.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
 #include "ssl_locl.h"
 
 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
@@ -870,6 +873,25 @@ int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PK
         return ctx->client_cert_cb;
         }
 
+#ifndef OPENSSL_NO_ENGINE
+int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
+        {
+        if (!ENGINE_init(e))
+                {
+                SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB);
+                return 0;
+                }
+        if(!ENGINE_get_ssl_client_cert_function(e))
+                {
+                SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, SSL_R_NO_CLIENT_CERT_METHOD);
+                ENGINE_finish(e);
+                return 0;
+                }
+        ctx->client_cert_engine = e;
+        return 1;
+        }
+#endif
+
 void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
         int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len))
         {
diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c
index e786b428cd..f409f3dc76 100644
--- a/src/lib/libssl/src/ssl/ssltest.c
+++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -231,6 +231,9 @@ static void sv_usage(void)
         {
         fprintf(stderr,"usage: ssltest [args ...]\n");
         fprintf(stderr,"\n");
+#ifdef OPENSSL_FIPS
+        fprintf(stderr,"-F             - run test in FIPS mode\n");
+#endif
         fprintf(stderr," -server_auth  - check server certificate\n");
         fprintf(stderr," -client_auth  - do client authentication\n");
         fprintf(stderr," -proxy        - allow proxy certificates\n");
@@ -412,7 +415,7 @@ int main(int argc, char *argv[])
         long bytes=256L;
 #ifndef OPENSSL_NO_DH
         DH *dh;
-        int dhe1024 = 0, dhe1024dsa = 0;
+        int dhe1024 = 1, dhe1024dsa = 0;
 #endif
 #ifndef OPENSSL_NO_ECDH
         EC_KEY *ecdh = NULL;
@@ -427,6 +430,9 @@ int main(int argc, char *argv[])
 #endif
         STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
         int test_cipherlist = 0;
+#ifdef OPENSSL_FIPS
+        int fips_mode=0;
+#endif
 
         verbose = 0;
         debug = 0;
@@ -458,7 +464,16 @@ int main(int argc, char *argv[])
 
         while (argc >= 1)
                 {
-                if      (strcmp(*argv,"-server_auth") == 0)
+                if(!strcmp(*argv,"-F"))
+                        {
+#ifdef OPENSSL_FIPS
+                        fips_mode=1;
+#else
+                        fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
+                        EXIT(0);
+#endif
+                        }
+                else if (strcmp(*argv,"-server_auth") == 0)
                         server_auth=1;
                 else if (strcmp(*argv,"-client_auth") == 0)
                         client_auth=1;
@@ -640,6 +655,20 @@ bad:
                 EXIT(1);
                 }
 
+#ifdef OPENSSL_FIPS
+        if(fips_mode)
+                {
+                if(!FIPS_mode_set(1))
+                        {
+                        ERR_load_crypto_strings();
+                        ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+                        EXIT(1);
+                        }
+                else
+                        fprintf(stderr,"*** IN FIPS MODE ***\n");
+                }
+#endif
+
         if (print_time)
                 {
                 if (!bio_pair)
@@ -2061,15 +2090,7 @@ static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
                 }
 
 #ifndef OPENSSL_NO_X509_VERIFY
-# ifdef OPENSSL_FIPS
-        if(s->version == TLS1_VERSION)
-                FIPS_allow_md5(1);
-# endif
         ok = X509_verify_cert(ctx);
-# ifdef OPENSSL_FIPS
-        if(s->version == TLS1_VERSION)
-                FIPS_allow_md5(0);
-# endif
 #endif
 
         if (cb_arg->proxy_auth)
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c
index ed5a4a7255..3c4dec76d7 100644
--- a/src/lib/libssl/src/ssl/t1_enc.c
+++ b/src/lib/libssl/src/ssl/t1_enc.c
@@ -131,6 +131,8 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 
         HMAC_CTX_init(&ctx);
         HMAC_CTX_init(&ctx_tmp);
+        HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+        HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
         HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
         HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
         HMAC_Update(&ctx,seed,seed_len);
@@ -852,8 +854,10 @@ int tls1_alert_code(int code)
         case SSL_AD_INTERNAL_ERROR:     return(TLS1_AD_INTERNAL_ERROR);
         case SSL_AD_USER_CANCELLED:     return(TLS1_AD_USER_CANCELLED);
         case SSL_AD_NO_RENEGOTIATION:   return(TLS1_AD_NO_RENEGOTIATION);
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
         case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return 
                                           (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
+#endif
         default:                        return(-1);
                 }
         }
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index 35f04afa4a..9ce726996d 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -734,6 +734,13 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
         /* Point after session ID in client hello */
         const unsigned char *p = session_id + len;
         unsigned short i;
+
+        /* If tickets disabled behave as if no ticket present
+         * to permit stateful resumption.
+         */
+        if (SSL_get_options(s) & SSL_OP_NO_TICKET)
+                return 1;
+
         if ((s->version <= SSL3_VERSION) || !limit)
                 return 1;
         if (p >= limit)
@@ -761,12 +768,7 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
                         return 1;
                 if (type == TLSEXT_TYPE_session_ticket)
                         {
-                        /* If tickets disabled indicate cache miss which will
-                         * trigger a full handshake
-                         */
-                        if (SSL_get_options(s) & SSL_OP_NO_TICKET)
-                                return 0;
-                        /* If zero length not client will accept a ticket
+                        /* If zero length note client will accept a ticket
                          * and indicate cache miss to trigger full handshake
                          */
                         if (size == 0)
diff --git a/src/lib/libssl/src/test/Makefile b/src/lib/libssl/src/test/Makefile
index 62f9b86052..3e58351cb9 100644
--- a/src/lib/libssl/src/test/Makefile
+++ b/src/lib/libssl/src/test/Makefile
@@ -185,7 +185,7 @@ test_rand:
         ../util/shlib_wrap.sh ./$(RANDTEST)
 
 test_enc:
-        @sh ./testenc
+        sh ./testenc
 
 test_x509:
         echo test normal x509v1 certificate
@@ -476,41 +476,58 @@ ecdhtest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
 ecdhtest.o: ../include/openssl/sha.h ../include/openssl/stack.h
 ecdhtest.o: ../include/openssl/symhacks.h ecdhtest.c
 ecdsatest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-ecdsatest.o: ../include/openssl/bn.h ../include/openssl/crypto.h
-ecdsatest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ecdsatest.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ecdsatest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+ecdsatest.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
 ecdsatest.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
 ecdsatest.o: ../include/openssl/err.h ../include/openssl/evp.h
 ecdsatest.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 ecdsatest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 ecdsatest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ecdsatest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+ecdsatest.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+ecdsatest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 ecdsatest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ecdsatest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
 ecdsatest.o: ecdsatest.c
 ectest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-ectest.o: ../include/openssl/bn.h ../include/openssl/crypto.h
-ectest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-ectest.o: ../include/openssl/engine.h ../include/openssl/err.h
+ectest.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ectest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+ectest.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+ectest.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+ectest.o: ../include/openssl/err.h ../include/openssl/evp.h
 ectest.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 ectest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 ectest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ectest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
-ectest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ectest.c
-enginetest.o: ../include/openssl/bio.h ../include/openssl/buffer.h
-enginetest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+ectest.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+ectest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ectest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ectest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ectest.c
+enginetest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+enginetest.o: ../include/openssl/buffer.h ../include/openssl/crypto.h
+enginetest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+enginetest.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 enginetest.o: ../include/openssl/engine.h ../include/openssl/err.h
-enginetest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
-enginetest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-enginetest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-enginetest.o: ../include/openssl/symhacks.h enginetest.c
+enginetest.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+enginetest.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+enginetest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+enginetest.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+enginetest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+enginetest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+enginetest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+enginetest.o: enginetest.c
 evp_test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-evp_test.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-evp_test.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+evp_test.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+evp_test.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+evp_test.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+evp_test.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
 evp_test.o: ../include/openssl/err.h ../include/openssl/evp.h
 evp_test.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 evp_test.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 evp_test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-evp_test.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-evp_test.o: ../include/openssl/symhacks.h evp_test.c
+evp_test.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
+evp_test.o: ../include/openssl/sha.h ../include/openssl/stack.h
+evp_test.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
+evp_test.o: ../include/openssl/x509_vfy.h evp_test.c
 exptest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h
 exptest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 exptest.o: ../include/openssl/err.h ../include/openssl/lhash.h
@@ -607,17 +624,17 @@ ssltest.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 ssltest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 ssltest.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 ssltest.o: ../include/openssl/engine.h ../include/openssl/err.h
-ssltest.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-ssltest.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ssltest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssltest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssltest.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssltest.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-ssltest.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
-ssltest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssltest.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ssltest.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssltest.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssltest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssltest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ssltest.o: ../include/openssl/x509v3.h ssltest.c
+ssltest.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+ssltest.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+ssltest.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssltest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssltest.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssltest.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssltest.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+ssltest.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+ssltest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssltest.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssltest.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssltest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssltest.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssltest.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h ssltest.c
diff --git a/src/lib/libssl/src/util/libeay.num b/src/lib/libssl/src/util/libeay.num
index 2989500c4b..62664f3c37 100644
--- a/src/lib/libssl/src/util/libeay.num
+++ b/src/lib/libssl/src/util/libeay.num
@@ -725,7 +725,7 @@ d2i_DSAPublicKey                        731	EXIST::FUNCTION:DSA
 d2i_DSAparams                           732     EXIST::FUNCTION:DSA
 d2i_NETSCAPE_SPKAC                      733     EXIST::FUNCTION:
 d2i_NETSCAPE_SPKI                       734     EXIST::FUNCTION:
-d2i_Netscape_RSA                        735     EXIST::FUNCTION:RSA
+d2i_Netscape_RSA                        735     EXIST::FUNCTION:RC4,RSA
 d2i_PKCS7                               736     EXIST::FUNCTION:
 d2i_PKCS7_DIGEST                        737     EXIST::FUNCTION:
 d2i_PKCS7_ENCRYPT                       738     EXIST::FUNCTION:
@@ -827,7 +827,7 @@ i2d_DSAPublicKey                        834	EXIST::FUNCTION:DSA
 i2d_DSAparams                           835     EXIST::FUNCTION:DSA
 i2d_NETSCAPE_SPKAC                      836     EXIST::FUNCTION:
 i2d_NETSCAPE_SPKI                       837     EXIST::FUNCTION:
-i2d_Netscape_RSA                        838     EXIST::FUNCTION:RSA
+i2d_Netscape_RSA                        838     EXIST::FUNCTION:RC4,RSA
 i2d_PKCS7                               839     EXIST::FUNCTION:
 i2d_PKCS7_DIGEST                        840     EXIST::FUNCTION:
 i2d_PKCS7_ENCRYPT                       841     EXIST::FUNCTION:
@@ -1814,9 +1814,9 @@ RAND_egd_bytes                          2402	EXIST::FUNCTION:
 X509_REQ_get1_email                     2403    EXIST::FUNCTION:
 X509_get1_email                         2404    EXIST::FUNCTION:
 X509_email_free                         2405    EXIST::FUNCTION:
-i2d_RSA_NET                             2406    EXIST::FUNCTION:RSA
+i2d_RSA_NET                             2406    EXIST::FUNCTION:RC4,RSA
 d2i_RSA_NET_2                           2407    NOEXIST::FUNCTION:
-d2i_RSA_NET                             2408    EXIST::FUNCTION:RSA
+d2i_RSA_NET                             2408    EXIST::FUNCTION:RC4,RSA
 DSO_bind_func                           2409    EXIST::FUNCTION:
 CRYPTO_get_new_dynlockid                2410    EXIST::FUNCTION:
 sk_new_null                             2411    EXIST::FUNCTION:
@@ -2843,7 +2843,7 @@ FIPS_selftest_failed                    3284	NOEXIST::FUNCTION:
 sk_is_sorted                            3285    EXIST::FUNCTION:
 X509_check_ca                           3286    EXIST::FUNCTION:
 private_idea_set_encrypt_key            3287    NOEXIST::FUNCTION:
-HMAC_CTX_set_flags                      3288    NOEXIST::FUNCTION:
+HMAC_CTX_set_flags                      3288    EXIST::FUNCTION:HMAC
 private_SHA_Init                        3289    NOEXIST::FUNCTION:
 private_CAST_set_key                    3290    NOEXIST::FUNCTION:
 private_RIPEMD160_Init                  3291    NOEXIST::FUNCTION:
@@ -3652,3 +3652,51 @@ CMS_set1_eContentType                   4040	EXIST::FUNCTION:CMS
 CMS_ReceiptRequest_create0              4041    EXIST::FUNCTION:CMS
 CMS_add1_signer                         4042    EXIST::FUNCTION:CMS
 CMS_RecipientInfo_set0_pkey             4043    EXIST::FUNCTION:CMS
+ENGINE_set_load_ssl_client_cert_function 4044   EXIST::FUNCTION:ENGINE
+ENGINE_get_ssl_client_cert_function     4045    EXIST::FUNCTION:ENGINE
+ENGINE_load_ssl_client_cert             4046    EXIST::FUNCTION:ENGINE
+ENGINE_load_capi                        4047    EXIST::FUNCTION:CAPIENG,ENGINE
+OPENSSL_isservice                       4048    EXIST::FUNCTION:
+FIPS_dsa_sig_decode                     4049    NOEXIST::FUNCTION:
+EVP_CIPHER_CTX_clear_flags              4050    NOEXIST::FUNCTION:
+FIPS_rand_status                        4051    NOEXIST::FUNCTION:
+FIPS_rand_set_key                       4052    NOEXIST::FUNCTION:
+CRYPTO_set_mem_info_functions           4053    NOEXIST::FUNCTION:
+RSA_X931_generate_key_ex                4054    NOEXIST::FUNCTION:
+int_ERR_set_state_func                  4055    NOEXIST::FUNCTION:
+int_EVP_MD_set_engine_callbacks         4056    NOEXIST::FUNCTION:
+int_CRYPTO_set_do_dynlock_callback      4057    NOEXIST::FUNCTION:
+FIPS_rng_stick                          4058    NOEXIST::FUNCTION:
+EVP_CIPHER_CTX_set_flags                4059    NOEXIST::FUNCTION:
+BN_X931_generate_prime_ex               4060    NOEXIST::FUNCTION:
+FIPS_selftest_check                     4061    NOEXIST::FUNCTION:
+FIPS_rand_set_dt                        4062    NOEXIST::FUNCTION:
+CRYPTO_dbg_pop_info                     4063    NOEXIST::FUNCTION:
+FIPS_dsa_free                           4064    NOEXIST::FUNCTION:
+RSA_X931_derive_ex                      4065    NOEXIST::FUNCTION:
+FIPS_rsa_new                            4066    NOEXIST::FUNCTION:
+FIPS_rand_bytes                         4067    NOEXIST::FUNCTION:
+fips_cipher_test                        4068    NOEXIST::FUNCTION:
+EVP_CIPHER_CTX_test_flags               4069    NOEXIST::FUNCTION:
+CRYPTO_malloc_debug_init                4070    NOEXIST::FUNCTION:
+CRYPTO_dbg_push_info                    4071    NOEXIST::FUNCTION:
+FIPS_corrupt_rsa_keygen                 4072    NOEXIST::FUNCTION:
+FIPS_dh_new                             4073    NOEXIST::FUNCTION:
+FIPS_corrupt_dsa_keygen                 4074    NOEXIST::FUNCTION:
+FIPS_dh_free                            4075    NOEXIST::FUNCTION:
+fips_pkey_signature_test                4076    NOEXIST::FUNCTION:
+EVP_add_alg_module                      4077    NOEXIST::FUNCTION:
+int_RAND_init_engine_callbacks          4078    NOEXIST::FUNCTION:
+int_EVP_CIPHER_set_engine_callbacks     4079    NOEXIST::FUNCTION:
+int_EVP_MD_init_engine_callbacks        4080    NOEXIST::FUNCTION:
+FIPS_rand_test_mode                     4081    NOEXIST::FUNCTION:
+FIPS_rand_reset                         4082    NOEXIST::FUNCTION:
+FIPS_dsa_new                            4083    NOEXIST::FUNCTION:
+int_RAND_set_callbacks                  4084    NOEXIST::FUNCTION:
+BN_X931_derive_prime_ex                 4085    NOEXIST::FUNCTION:
+int_ERR_lib_init                        4086    NOEXIST::FUNCTION:
+int_EVP_CIPHER_init_engine_callbacks    4087    NOEXIST::FUNCTION:
+FIPS_rsa_free                           4088    NOEXIST::FUNCTION:
+FIPS_dsa_sig_encode                     4089    NOEXIST::FUNCTION:
+CRYPTO_dbg_remove_all_info              4090    NOEXIST::FUNCTION:
+OPENSSL_init                            4091    NOEXIST::FUNCTION:
diff --git a/src/lib/libssl/src/util/mk1mf.pl b/src/lib/libssl/src/util/mk1mf.pl
index 1ac5fd3a50..7ba804ce33 100644
--- a/src/lib/libssl/src/util/mk1mf.pl
+++ b/src/lib/libssl/src/util/mk1mf.pl
@@ -221,6 +221,7 @@ $cflags.=" -DOPENSSL_NO_SSL2" if $no_ssl2;
 $cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3;
 $cflags.=" -DOPENSSL_NO_TLSEXT" if $no_tlsext;
 $cflags.=" -DOPENSSL_NO_CMS" if $no_cms;
+$cflags.=" -DOPENSSL_NO_CAPIENG" if $no_capieng;
 $cflags.=" -DOPENSSL_NO_ERR"  if $no_err;
 $cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5;
 $cflags.=" -DOPENSSL_NO_EC"   if $no_ec;
@@ -1017,6 +1018,7 @@ sub read_options
                 "no-ssl3" => \$no_ssl3,
                 "no-tlsext" => \$no_tlsext,
                 "no-cms" => \$no_cms,
+                "no-capieng" => \$no_capieng,
                 "no-err" => \$no_err,
                 "no-sock" => \$no_sock,
                 "no-krb5" => \$no_krb5,
@@ -1100,7 +1102,7 @@ sub read_options
                                 }
                         }
                 }
-        elsif (/^([^=]*)=(.*)$/){ $VARS{$1}=$2; }
+        elsif (/^([^=]*)=(.*)$/ && !/^-D/){ $VARS{$1}=$2; }
         elsif (/^-[lL].*$/)     { $l_flags.="$_ "; }
         elsif ((!/^-help/) && (!/^-h/) && (!/^-\?/) && /^-.*$/)
                 { $c_flags.="$_ "; }
diff --git a/src/lib/libssl/src/util/mkdef.pl b/src/lib/libssl/src/util/mkdef.pl
index ef1cc6e513..8ecfde1848 100644
--- a/src/lib/libssl/src/util/mkdef.pl
+++ b/src/lib/libssl/src/util/mkdef.pl
@@ -100,6 +100,8 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
                          "TLSEXT",
                          # CMS
                          "CMS",
+                         # CryptoAPI Engine
+                         "CAPIENG",
                          # Deprecated functions
                          "DEPRECATED" );
 
@@ -120,7 +122,7 @@ my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5;
 my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw; my $no_camellia;
 my $no_seed;
 my $no_fp_api; my $no_static_engine; my $no_gmp; my $no_deprecated;
-my $no_rfc3779; my $no_tlsext; my $no_cms;
+my $no_rfc3779; my $no_tlsext; my $no_cms; my $no_capieng;
 
 
 foreach (@ARGV, split(/ /, $options))
@@ -206,6 +208,7 @@ foreach (@ARGV, split(/ /, $options))
         elsif (/^no-rfc3779$/)  { $no_rfc3779=1; }
         elsif (/^no-tlsext$/)   { $no_tlsext=1; }
         elsif (/^no-cms$/)      { $no_cms=1; }
+        elsif (/^no-capieng$/)  { $no_capieng=1; }
         }
 
 
@@ -1131,6 +1134,7 @@ sub is_valid
                         if ($keyword eq "RFC3779" && $no_rfc3779) { return 0; }
                         if ($keyword eq "TLSEXT" && $no_tlsext) { return 0; }
                         if ($keyword eq "CMS" && $no_cms) { return 0; }
+                        if ($keyword eq "CAPIENG" && $no_capieng) { return 0; }
                         if ($keyword eq "DEPRECATED" && $no_deprecated) { return 0; }
 
                         # Nothing recognise as true
diff --git a/src/lib/libssl/src/util/pl/VC-32.pl b/src/lib/libssl/src/util/pl/VC-32.pl
index 9cb2ab7e99..1e254119e6 100644
--- a/src/lib/libssl/src/util/pl/VC-32.pl
+++ b/src/lib/libssl/src/util/pl/VC-32.pl
@@ -138,7 +138,7 @@ if ($FLAVOR =~ /CE/)
         }
 else
         {
-        $ex_libs.=' gdi32.lib advapi32.lib user32.lib';
+        $ex_libs.=' gdi32.lib crypt32.lib advapi32.lib user32.lib';
         $ex_libs.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/);
         }
 
@@ -259,7 +259,6 @@ sub do_lib_rule
                 $name =~ tr/a-z/A-Z/;
                 $name = "/def:ms/${name}.def";
                 }
-
 #       $target="\$(LIB_D)$o$target";
         $ret.="$target: $objs\n";
         if (!$shlib)
@@ -274,6 +273,10 @@ sub do_lib_rule
                 if ($name eq "")
                         {
                         $ex.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/);
+                        if ($target =~ /capi/)
+                                {
+                                $ex.=' crypt32.lib advapi32.lib';
+                                }
                         }
                 elsif ($FLAVOR =~ /CE/)
                         {
@@ -283,6 +286,7 @@ sub do_lib_rule
                         {
                         $ex.=' unicows.lib' if ($FLAVOR =~ /NT/);
                         $ex.=' wsock32.lib gdi32.lib advapi32.lib user32.lib';
+                        $ex.=' crypt32.lib';
                         $ex.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/);
                         }
                 $ex.=" $zlib_lib" if $zlib_opt == 1 && $target =~ /O_CRYPTO/;
diff --git a/src/lib/libssl/src/util/ssleay.num b/src/lib/libssl/src/util/ssleay.num
index b3ac136a56..2055cc1597 100644
--- a/src/lib/libssl/src/util/ssleay.num
+++ b/src/lib/libssl/src/util/ssleay.num
@@ -241,3 +241,4 @@ SSL_CTX_sess_get_remove_cb              289	EXIST::FUNCTION:
 SSL_set_SSL_CTX                         290     EXIST::FUNCTION:
 SSL_get_servername                      291     EXIST::FUNCTION:TLSEXT
 SSL_get_servername_type                 292     EXIST::FUNCTION:TLSEXT
+SSL_CTX_set_client_cert_engine          293     EXIST::FUNCTION:ENGINE
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 6df921f3c1..ff8a128d3c 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -252,6 +252,7 @@ extern "C" {
 #define SSL_TXT_LOW             "LOW"
 #define SSL_TXT_MEDIUM          "MEDIUM"
 #define SSL_TXT_HIGH            "HIGH"
+#define SSL_TXT_FIPS            "FIPS"
 #define SSL_TXT_kFZA            "kFZA"
 #define SSL_TXT_aFZA            "aFZA"
 #define SSL_TXT_eFZA            "eFZA"
@@ -361,9 +362,6 @@ typedef struct ssl_cipher_st
 
 DECLARE_STACK_OF(SSL_CIPHER)
 
-typedef struct ssl_st SSL;
-typedef struct ssl_ctx_st SSL_CTX;
-
 /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
 typedef struct ssl_method_st
         {
@@ -760,6 +758,12 @@ struct ssl_ctx_st
 
         int quiet_shutdown;
 
+#ifndef OPENSSL_ENGINE
+        /* Engine to pass requests for client certs to
+         */
+        ENGINE *client_cert_engine;
+#endif
+
 #ifndef OPENSSL_NO_TLSEXT
         /* TLS extensions servername callback */
         int (*tlsext_servername_callback)(SSL*, int *, void *);
@@ -829,6 +833,9 @@ void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,int type,
 void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val);
 void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
 int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
+#ifndef OPENSSL_NO_ENGINE
+int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
+#endif
 void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len));
 void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len));
 
@@ -1702,6 +1709,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL3_CONNECT                               132
 #define SSL_F_SSL3_CTRL                                  213
 #define SSL_F_SSL3_CTX_CTRL                              133
+#define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC                 279
 #define SSL_F_SSL3_ENC                                   134
 #define SSL_F_SSL3_GENERATE_KEY_BLOCK                    238
 #define SSL_F_SSL3_GET_CERTIFICATE_REQUEST               135
@@ -1755,6 +1763,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY                  168
 #define SSL_F_SSL_CTX_NEW                                169
 #define SSL_F_SSL_CTX_SET_CIPHER_LIST                    269
+#define SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE             278
 #define SSL_F_SSL_CTX_SET_PURPOSE                        226
 #define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT             219
 #define SSL_F_SSL_CTX_SET_SSL_VERSION                    170
@@ -1935,6 +1944,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_NO_CIPHERS_SPECIFIED                       183
 #define SSL_R_NO_CIPHER_LIST                             184
 #define SSL_R_NO_CIPHER_MATCH                            185
+#define SSL_R_NO_CLIENT_CERT_METHOD                      317
 #define SSL_R_NO_CLIENT_CERT_RECEIVED                    186
 #define SSL_R_NO_COMPRESSION_SPECIFIED                   187
 #define SSL_R_NO_METHOD_SPECIFIED                        188
diff --git a/src/lib/libssl/ssl/shlib_version b/src/lib/libssl/ssl/shlib_version
index 56246d02b2..262f3bc13b 100644
--- a/src/lib/libssl/ssl/shlib_version
+++ b/src/lib/libssl/ssl/shlib_version
@@ -1,2 +1,2 @@
-major=12
+major=13
 minor=0
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
index 6e14f4d834..0f9a3489dd 100644
--- a/src/lib/libssl/ssl_asn1.c
+++ b/src/lib/libssl/ssl_asn1.c
@@ -353,7 +353,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
         memcpy(ret->session_id,os.data,os.length);
 
         M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
-        if (ret->master_key_length > SSL_MAX_MASTER_KEY_LENGTH)
+        if (os.length > SSL_MAX_MASTER_KEY_LENGTH)
                 ret->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
         else
                 ret->master_key_length=os.length;
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 71b645da14..514292a03e 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -222,6 +222,7 @@ static const SSL_CIPHER cipher_aliases[]={
         {0,SSL_TXT_LOW,   0, 0,   SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
         {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
         {0,SSL_TXT_HIGH,  0, 0,  SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
+        {0,SSL_TXT_FIPS,  0, 0,  SSL_FIPS, 0,0,0,0,SSL_FIPS|SSL_STRONG_NONE},
         };
 
 void ssl_load_ciphers(void)
@@ -515,7 +516,12 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
                 c = ssl_method->get_cipher(i);
 #define IS_MASKED(c) ((c)->algorithms & (((c)->alg_bits == 256) ? m256 : mask))
                 /* drop those that use any of that is not available */
+#ifdef OPENSSL_FIPS
+                if ((c != NULL) && c->valid && !IS_MASKED(c)
+                        && (!FIPS_mode() || (c->algo_strength & SSL_FIPS)))
+#else
                 if ((c != NULL) && c->valid && !IS_MASKED(c))
+#endif
                         {
                         co_list[co_list_num].cipher = c;
                         co_list[co_list_num].next = NULL;
@@ -1054,7 +1060,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
          */
         for (curr = head; curr != NULL; curr = curr->next)
                 {
+#ifdef OPENSSL_FIPS
+                if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
+#else
                 if (curr->active)
+#endif
                         {
                         sk_SSL_CIPHER_push(cipherstack, curr->cipher);
 #ifdef CIPHER_DEBUG
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index 50779c1632..24a994fe01 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -138,6 +138,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL3_CONNECT),  "SSL3_CONNECT"},
 {ERR_FUNC(SSL_F_SSL3_CTRL),     "SSL3_CTRL"},
 {ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "SSL3_CTX_CTRL"},
+{ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC),    "SSL3_DO_CHANGE_CIPHER_SPEC"},
 {ERR_FUNC(SSL_F_SSL3_ENC),      "SSL3_ENC"},
 {ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK),       "SSL3_GENERATE_KEY_BLOCK"},
 {ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST),  "SSL3_GET_CERTIFICATE_REQUEST"},
@@ -191,6 +192,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY),     "SSL_CTX_check_private_key"},
 {ERR_FUNC(SSL_F_SSL_CTX_NEW),   "SSL_CTX_new"},
 {ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST),       "SSL_CTX_set_cipher_list"},
+{ERR_FUNC(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE),        "SSL_CTX_set_client_cert_engine"},
 {ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE),   "SSL_CTX_set_purpose"},
 {ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT),        "SSL_CTX_set_session_id_context"},
 {ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION),       "SSL_CTX_set_ssl_version"},
@@ -374,6 +376,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED)  ,"no ciphers specified"},
 {ERR_REASON(SSL_R_NO_CIPHER_LIST)        ,"no cipher list"},
 {ERR_REASON(SSL_R_NO_CIPHER_MATCH)       ,"no cipher match"},
+{ERR_REASON(SSL_R_NO_CLIENT_CERT_METHOD) ,"no client cert method"},
 {ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED),"no client cert received"},
 {ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"},
 {ERR_REASON(SSL_R_NO_METHOD_SPECIFIED)   ,"no method specified"},
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 31f6318357..1ac7d6f951 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -130,6 +130,9 @@
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
 
 const char *SSL_version_str=OPENSSL_VERSION_TEXT;
 
@@ -1390,6 +1393,14 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
                 return(NULL);
                 }
 
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && (meth->version < TLS1_VERSION))      
+                {
+                SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                return NULL;
+                }
+#endif
+
         if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
                 {
                 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
@@ -1510,6 +1521,27 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
 
 #endif
 
+#ifndef OPENSSL_NO_ENGINE
+        ret->client_cert_engine = NULL;
+#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
+#define eng_strx(x)     #x
+#define eng_str(x)      eng_strx(x)
+        /* Use specific client engine automatically... ignore errors */
+        {
+        ENGINE *eng;
+        eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
+        if (!eng)
+                {
+                ERR_clear_error();
+                ENGINE_load_builtin_engines();
+                eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
+                }
+        if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
+                ERR_clear_error();
+        }
+#endif
+#endif
+
         return(ret);
 err:
         SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
@@ -1580,6 +1612,10 @@ void SSL_CTX_free(SSL_CTX *a)
 #else
         a->comp_methods = NULL;
 #endif
+#ifndef OPENSSL_NO_ENGINE
+        if (a->client_cert_engine)
+                ENGINE_finish(a->client_cert_engine);
+#endif
         OPENSSL_free(a);
         }
 
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index de94c0d0c7..735db39713 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -330,8 +330,9 @@
 #define SSL_LOW                 0x00000020L
 #define SSL_MEDIUM              0x00000040L
 #define SSL_HIGH                0x00000080L
+#define SSL_FIPS                0x00000100L
 
-/* we have used 000000ff - 24 bits left to go */
+/* we have used 000001ff - 23 bits left to go */
 
 /*
  * Macros to check the export status and cipher strength for export ciphers.
@@ -874,6 +875,7 @@ int ssl3_get_new_session_ticket(SSL *s);
 int ssl3_get_cert_status(SSL *s);
 int ssl3_get_server_done(SSL *s);
 int ssl3_send_client_verify(SSL *s);
+int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
 int ssl3_send_client_certificate(SSL *s);
 int ssl3_send_client_key_exchange(SSL *s);
 int ssl3_get_key_exchange(SSL *s);
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index ee88be2b88..8391d62212 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -59,6 +59,9 @@
 #include <stdio.h>
 #include <openssl/lhash.h>
 #include <openssl/rand.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
 #include "ssl_locl.h"
 
 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
@@ -870,6 +873,25 @@ int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PK
         return ctx->client_cert_cb;
         }
 
+#ifndef OPENSSL_NO_ENGINE
+int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
+        {
+        if (!ENGINE_init(e))
+                {
+                SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB);
+                return 0;
+                }
+        if(!ENGINE_get_ssl_client_cert_function(e))
+                {
+                SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, SSL_R_NO_CLIENT_CERT_METHOD);
+                ENGINE_finish(e);
+                return 0;
+                }
+        ctx->client_cert_engine = e;
+        return 1;
+        }
+#endif
+
 void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
         int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len))
         {
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index ed5a4a7255..3c4dec76d7 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -131,6 +131,8 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 
         HMAC_CTX_init(&ctx);
         HMAC_CTX_init(&ctx_tmp);
+        HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+        HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
         HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
         HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
         HMAC_Update(&ctx,seed,seed_len);
@@ -852,8 +854,10 @@ int tls1_alert_code(int code)
         case SSL_AD_INTERNAL_ERROR:     return(TLS1_AD_INTERNAL_ERROR);
         case SSL_AD_USER_CANCELLED:     return(TLS1_AD_USER_CANCELLED);
         case SSL_AD_NO_RENEGOTIATION:   return(TLS1_AD_NO_RENEGOTIATION);
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
         case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return 
                                           (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
+#endif
         default:                        return(-1);
                 }
         }
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 35f04afa4a..9ce726996d 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -734,6 +734,13 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
         /* Point after session ID in client hello */
         const unsigned char *p = session_id + len;
         unsigned short i;
+
+        /* If tickets disabled behave as if no ticket present
+         * to permit stateful resumption.
+         */
+        if (SSL_get_options(s) & SSL_OP_NO_TICKET)
+                return 1;
+
         if ((s->version <= SSL3_VERSION) || !limit)
                 return 1;
         if (p >= limit)
@@ -761,12 +768,7 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
                         return 1;
                 if (type == TLSEXT_TYPE_session_ticket)
                         {
-                        /* If tickets disabled indicate cache miss which will
-                         * trigger a full handshake
-                         */
-                        if (SSL_get_options(s) & SSL_OP_NO_TICKET)
-                                return 0;
-                        /* If zero length not client will accept a ticket
+                        /* If zero length note client will accept a ticket
                          * and indicate cache miss to trigger full handshake
                          */
                         if (size == 0)
diff --git a/src/lib/libssl/test/Makefile b/src/lib/libssl/test/Makefile
index 62f9b86052..3e58351cb9 100644
--- a/src/lib/libssl/test/Makefile
+++ b/src/lib/libssl/test/Makefile
@@ -185,7 +185,7 @@ test_rand:
         ../util/shlib_wrap.sh ./$(RANDTEST)
 
 test_enc:
-        @sh ./testenc
+        sh ./testenc
 
 test_x509:
         echo test normal x509v1 certificate
@@ -476,41 +476,58 @@ ecdhtest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
 ecdhtest.o: ../include/openssl/sha.h ../include/openssl/stack.h
 ecdhtest.o: ../include/openssl/symhacks.h ecdhtest.c
 ecdsatest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-ecdsatest.o: ../include/openssl/bn.h ../include/openssl/crypto.h
-ecdsatest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ecdsatest.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ecdsatest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+ecdsatest.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
 ecdsatest.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
 ecdsatest.o: ../include/openssl/err.h ../include/openssl/evp.h
 ecdsatest.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 ecdsatest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 ecdsatest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ecdsatest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+ecdsatest.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+ecdsatest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 ecdsatest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ecdsatest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
 ecdsatest.o: ecdsatest.c
 ectest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-ectest.o: ../include/openssl/bn.h ../include/openssl/crypto.h
-ectest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-ectest.o: ../include/openssl/engine.h ../include/openssl/err.h
+ectest.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ectest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+ectest.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+ectest.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+ectest.o: ../include/openssl/err.h ../include/openssl/evp.h
 ectest.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 ectest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 ectest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ectest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
-ectest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ectest.c
-enginetest.o: ../include/openssl/bio.h ../include/openssl/buffer.h
-enginetest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+ectest.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+ectest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ectest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ectest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ectest.c
+enginetest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+enginetest.o: ../include/openssl/buffer.h ../include/openssl/crypto.h
+enginetest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+enginetest.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 enginetest.o: ../include/openssl/engine.h ../include/openssl/err.h
-enginetest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
-enginetest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-enginetest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-enginetest.o: ../include/openssl/symhacks.h enginetest.c
+enginetest.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+enginetest.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+enginetest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+enginetest.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+enginetest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+enginetest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+enginetest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+enginetest.o: enginetest.c
 evp_test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-evp_test.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-evp_test.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+evp_test.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+evp_test.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+evp_test.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+evp_test.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
 evp_test.o: ../include/openssl/err.h ../include/openssl/evp.h
 evp_test.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 evp_test.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 evp_test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-evp_test.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-evp_test.o: ../include/openssl/symhacks.h evp_test.c
+evp_test.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
+evp_test.o: ../include/openssl/sha.h ../include/openssl/stack.h
+evp_test.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
+evp_test.o: ../include/openssl/x509_vfy.h evp_test.c
 exptest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h
 exptest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 exptest.o: ../include/openssl/err.h ../include/openssl/lhash.h
@@ -607,17 +624,17 @@ ssltest.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
 ssltest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 ssltest.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 ssltest.o: ../include/openssl/engine.h ../include/openssl/err.h
-ssltest.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-ssltest.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ssltest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssltest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssltest.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssltest.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-ssltest.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
-ssltest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssltest.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ssltest.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssltest.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssltest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssltest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ssltest.o: ../include/openssl/x509v3.h ssltest.c
+ssltest.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+ssltest.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+ssltest.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssltest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssltest.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssltest.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssltest.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+ssltest.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+ssltest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssltest.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssltest.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssltest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssltest.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssltest.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h ssltest.c