Import OpenSSL 1.0.1g

15 files changed, 507 insertions, 153 deletions

diff --git a/src/lib/libcrypto/Attic/Makefile b/src/lib/libcrypto/Attic/Makefile
index 947dd5d44e..a90809b2b8 100644
--- a/src/lib/libcrypto/Attic/Makefile
+++ b/src/lib/libcrypto/Attic/Makefile
@@ -77,7 +77,9 @@ ia64cpuid.s: ia64cpuid.S;	$(CC) $(CFLAGS) -E ia64cpuid.S > $@
 ppccpuid.s:     ppccpuid.pl;    $(PERL) ppccpuid.pl $(PERLASM_SCHEME) $@
 pariscid.s:     pariscid.pl;    $(PERL) pariscid.pl $(PERLASM_SCHEME) $@
 alphacpuid.s:   alphacpuid.pl
-        $(PERL) $< | $(CC) -E - | tee $@ > /dev/null
+        (preproc=/tmp/$$$$.$@; trap "rm $$preproc" INT; \
+        $(PERL) alphacpuid.pl > $$preproc && \
+        $(CC) -E $$preproc > $@ && rm $$preproc)
 
 testapps:
         [ -z "$(THIS)" ] || (   if echo $(SDIRS) | fgrep ' des '; \
diff --git a/src/lib/libcrypto/bn/Makefile b/src/lib/libcrypto/bn/Makefile
index 672773454c..6dd136be5d 100644
--- a/src/lib/libcrypto/bn/Makefile
+++ b/src/lib/libcrypto/bn/Makefile
@@ -125,7 +125,9 @@ ppc-mont.s:	asm/ppc-mont.pl;$(PERL) asm/ppc-mont.pl $(PERLASM_SCHEME) $@
 ppc64-mont.s:   asm/ppc64-mont.pl;$(PERL) asm/ppc64-mont.pl $(PERLASM_SCHEME) $@
 
 alpha-mont.s:   asm/alpha-mont.pl
-        $(PERL) $< | $(CC) -E - | tee $@ > /dev/null
+        (preproc=/tmp/$$$$.$@; trap "rm $$preproc" INT; \
+        $(PERL) asm/alpha-mont.pl > $$preproc && \
+        $(CC) -E $$preproc > $@ && rm $$preproc)
 
 # GNU make "catch all"
 %-mont.s:       asm/%-mont.pl;  $(PERL) $< $(PERLASM_SCHEME) $@
diff --git a/src/lib/libcrypto/ec/ectest.c b/src/lib/libcrypto/ec/ectest.c
index f107782de0..102eaa9b23 100644
--- a/src/lib/libcrypto/ec/ectest.c
+++ b/src/lib/libcrypto/ec/ectest.c
@@ -236,7 +236,7 @@ static void group_order_tests(EC_GROUP *group)
         }
 
 static void prime_field_tests(void)
-        {       
+        {
         BN_CTX *ctx = NULL;
         BIGNUM *p, *a, *b;
         EC_GROUP *group;
diff --git a/src/lib/libcrypto/engine/hw_cryptodev.c b/src/lib/libcrypto/engine/hw_cryptodev.c
index 3e7fff1c1e..5a715aca4f 100644
--- a/src/lib/libcrypto/engine/hw_cryptodev.c
+++ b/src/lib/libcrypto/engine/hw_cryptodev.c
@@ -29,14 +29,16 @@
 #include <openssl/objects.h>
 #include <openssl/engine.h>
 #include <openssl/evp.h>
+#include <openssl/bn.h>
 
-#if (defined(__unix__) || defined(unix)) && !defined(USG)
+#if (defined(__unix__) || defined(unix)) && !defined(USG) && \
+        (defined(OpenBSD) || defined(__FreeBSD__))
 #include <sys/param.h>
 # if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041)
-# define HAVE_CRYPTODEV
+#  define HAVE_CRYPTODEV
 # endif
 # if (OpenBSD >= 200110)
-# define HAVE_SYSLOG_R
+#  define HAVE_SYSLOG_R
 # endif
 #endif
 
@@ -50,9 +52,13 @@ ENGINE_load_cryptodev(void)
 }
 
 #else 
-
+ 
 #include <sys/types.h>
 #include <crypto/cryptodev.h>
+#include <crypto/dh/dh.h>
+#include <crypto/dsa/dsa.h>
+#include <crypto/err/err.h>
+#include <crypto/rsa/rsa.h>
 #include <sys/ioctl.h>
 #include <errno.h>
 #include <stdio.h>
@@ -66,6 +72,14 @@ ENGINE_load_cryptodev(void)
 struct dev_crypto_state {
         struct session_op d_sess;
         int d_fd;
+
+#ifdef USE_CRYPTODEV_DIGESTS
+        char dummy_mac_key[HASH_MAX_LEN];
+
+        unsigned char digest_res[HASH_MAX_LEN];
+        char *mac_data;
+        int mac_len;
+#endif
 };
 
 static u_int32_t cryptodev_asymfeat = 0;
@@ -73,15 +87,14 @@ static u_int32_t cryptodev_asymfeat = 0;
 static int get_asym_dev_crypto(void);
 static int open_dev_crypto(void);
 static int get_dev_crypto(void);
-static int cryptodev_max_iv(int cipher);
-static int cryptodev_key_length_valid(int cipher, int len);
-static int cipher_nid_to_cryptodev(int nid);
 static int get_cryptodev_ciphers(const int **cnids);
-/*static int get_cryptodev_digests(const int **cnids);*/
+#ifdef USE_CRYPTODEV_DIGESTS
+static int get_cryptodev_digests(const int **cnids);
+#endif
 static int cryptodev_usable_ciphers(const int **nids);
 static int cryptodev_usable_digests(const int **nids);
 static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-    const unsigned char *in, unsigned int inl);
+    const unsigned char *in, size_t inl);
 static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
     const unsigned char *iv, int enc);
 static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx);
@@ -98,8 +111,8 @@ static int cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r,
 static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a,
     const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I,
-    RSA *rsa);
-static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa);
+    RSA *rsa, BN_CTX *ctx);
+static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
 static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a,
     const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 static int cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g,
@@ -115,7 +128,7 @@ static int cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
 static int cryptodev_dh_compute_key(unsigned char *key,
     const BIGNUM *pub_key, DH *dh);
 static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p,
-    void (*f)());
+    void (*f)(void));
 void ENGINE_load_cryptodev(void);
 
 static const ENGINE_CMD_DEFN cryptodev_defns[] = {
@@ -128,27 +141,32 @@ static struct {
         int     ivmax;
         int     keylen;
 } ciphers[] = {
+        { CRYPTO_ARC4,                  NID_rc4,                0,      16, },
         { CRYPTO_DES_CBC,               NID_des_cbc,            8,       8, },
         { CRYPTO_3DES_CBC,              NID_des_ede3_cbc,       8,      24, },
         { CRYPTO_AES_CBC,               NID_aes_128_cbc,        16,     16, },
+        { CRYPTO_AES_CBC,               NID_aes_192_cbc,        16,     24, },
+        { CRYPTO_AES_CBC,               NID_aes_256_cbc,        16,     32, },
         { CRYPTO_BLF_CBC,               NID_bf_cbc,             8,      16, },
         { CRYPTO_CAST_CBC,              NID_cast5_cbc,          8,      16, },
         { CRYPTO_SKIPJACK_CBC,          NID_undef,              0,       0, },
         { 0,                            NID_undef,              0,       0, },
 };
 
-#if 0 /* UNUSED */
+#ifdef USE_CRYPTODEV_DIGESTS
 static struct {
         int     id;
         int     nid;
+        int     keylen;
 } digests[] = {
-        { CRYPTO_SHA1_HMAC,             NID_hmacWithSHA1,       },
-        { CRYPTO_RIPEMD160_HMAC,        NID_ripemd160,          },
-        { CRYPTO_MD5_KPDK,              NID_undef,              },
-        { CRYPTO_SHA1_KPDK,             NID_undef,              },
-        { CRYPTO_MD5,                   NID_md5,                },
-        { CRYPTO_SHA1,                  NID_undef,              },
-        { 0,                            NID_undef,              },
+        { CRYPTO_MD5_HMAC,              NID_hmacWithMD5,        16},
+        { CRYPTO_SHA1_HMAC,             NID_hmacWithSHA1,       20},
+        { CRYPTO_RIPEMD160_HMAC,        NID_ripemd160,          16/*?*/},
+        { CRYPTO_MD5_KPDK,              NID_undef,              0},
+        { CRYPTO_SHA1_KPDK,             NID_undef,              0},
+        { CRYPTO_MD5,                   NID_md5,                16},
+        { CRYPTO_SHA1,                  NID_sha1,               20},
+        { 0,                            NID_undef,              0},
 };
 #endif
 
@@ -180,6 +198,7 @@ get_dev_crypto(void)
 
         if ((fd = open_dev_crypto()) == -1)
                 return (-1);
+#ifndef CRIOGET_NOT_NEEDED
         if (ioctl(fd, CRIOGET, &retfd) == -1)
                 return (-1);
 
@@ -188,9 +207,19 @@ get_dev_crypto(void)
                 close(retfd);
                 return (-1);
         }
+#else
+        retfd = fd;
+#endif
         return (retfd);
 }
 
+static void put_dev_crypto(int fd)
+{
+#ifndef CRIOGET_NOT_NEEDED
+        close(fd);
+#endif
+}
+
 /* Caching version for asym operations */
 static int
 get_asym_dev_crypto(void)
@@ -203,50 +232,6 @@ get_asym_dev_crypto(void)
 }
 
 /*
- * XXXX this needs to be set for each alg - and determined from
- * a running card.
- */
-static int
-cryptodev_max_iv(int cipher)
-{
-        int i;
-
-        for (i = 0; ciphers[i].id; i++)
-                if (ciphers[i].id == cipher)
-                        return (ciphers[i].ivmax);
-        return (0);
-}
-
-/*
- * XXXX this needs to be set for each alg - and determined from
- * a running card. For now, fake it out - but most of these
- * for real devices should return 1 for the supported key
- * sizes the device can handle.
- */
-static int
-cryptodev_key_length_valid(int cipher, int len)
-{
-        int i;
-
-        for (i = 0; ciphers[i].id; i++)
-                if (ciphers[i].id == cipher)
-                        return (ciphers[i].keylen == len);
-        return (0);
-}
-
-/* convert libcrypto nids to cryptodev */
-static int
-cipher_nid_to_cryptodev(int nid)
-{
-        int i;
-
-        for (i = 0; ciphers[i].id; i++)
-                if (ciphers[i].nid == nid)
-                        return (ciphers[i].id);
-        return (0);
-}
-
-/*
  * Find out what ciphers /dev/crypto will let us have a session for.
  * XXX note, that some of these openssl doesn't deal with yet!
  * returning them here is harmless, as long as we return NULL
@@ -264,7 +249,7 @@ get_cryptodev_ciphers(const int **cnids)
                 return (0);
         }
         memset(&sess, 0, sizeof(sess));
-        sess.key = (caddr_t)"123456781234567812345678";
+        sess.key = (caddr_t)"123456789abcdefghijklmno";
 
         for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
                 if (ciphers[i].nid == NID_undef)
@@ -276,7 +261,7 @@ get_cryptodev_ciphers(const int **cnids)
                     ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
                         nids[count++] = ciphers[i].nid;
         }
-        close(fd);
+        put_dev_crypto(fd);
 
         if (count > 0)
                 *cnids = nids;
@@ -285,13 +270,13 @@ get_cryptodev_ciphers(const int **cnids)
         return (count);
 }
 
+#ifdef USE_CRYPTODEV_DIGESTS
 /*
  * Find out what digests /dev/crypto will let us have a session for.
  * XXX note, that some of these openssl doesn't deal with yet!
  * returning them here is harmless, as long as we return NULL
  * when asked for a handler in the cryptodev_engine_digests routine
  */
-#if 0 /* UNUSED */
 static int
 get_cryptodev_digests(const int **cnids)
 {
@@ -304,16 +289,18 @@ get_cryptodev_digests(const int **cnids)
                 return (0);
         }
         memset(&sess, 0, sizeof(sess));
+        sess.mackey = (caddr_t)"123456789abcdefghijklmno";
         for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
                 if (digests[i].nid == NID_undef)
                         continue;
                 sess.mac = digests[i].id;
+                sess.mackeylen = digests[i].keylen;
                 sess.cipher = 0;
                 if (ioctl(fd, CIOCGSESSION, &sess) != -1 &&
                     ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
                         nids[count++] = digests[i].nid;
         }
-        close(fd);
+        put_dev_crypto(fd);
 
         if (count > 0)
                 *cnids = nids;
@@ -321,7 +308,7 @@ get_cryptodev_digests(const int **cnids)
                 *cnids = NULL;
         return (count);
 }
-#endif
+#endif  /* 0 */
 
 /*
  * Find the useable ciphers|digests from dev/crypto - this is the first
@@ -353,6 +340,9 @@ cryptodev_usable_ciphers(const int **nids)
 static int
 cryptodev_usable_digests(const int **nids)
 {
+#ifdef USE_CRYPTODEV_DIGESTS
+        return (get_cryptodev_digests(nids));
+#else
         /*
          * XXXX just disable all digests for now, because it sucks.
          * we need a better way to decide this - i.e. I may not
@@ -367,16 +357,17 @@ cryptodev_usable_digests(const int **nids)
          */
         *nids = NULL;
         return (0);
+#endif
 }
 
 static int
 cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-    const unsigned char *in, unsigned int inl)
+    const unsigned char *in, size_t inl)
 {
         struct crypt_op cryp;
         struct dev_crypto_state *state = ctx->cipher_data;
         struct session_op *sess = &state->d_sess;
-        void *iiv;
+        const void *iiv;
         unsigned char save_iv[EVP_MAX_IV_LENGTH];
 
         if (state->d_fd < 0)
@@ -400,7 +391,7 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         if (ctx->cipher->iv_len) {
                 cryp.iv = (caddr_t) ctx->iv;
                 if (!ctx->encrypt) {
-                        iiv = (void *) in + inl - ctx->cipher->iv_len;
+                        iiv = in + inl - ctx->cipher->iv_len;
                         memcpy(save_iv, iiv, ctx->cipher->iv_len);
                 }
         } else
@@ -415,7 +406,7 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 
         if (ctx->cipher->iv_len) {
                 if (ctx->encrypt)
-                        iiv = (void *) out + inl - ctx->cipher->iv_len;
+                        iiv = out + inl - ctx->cipher->iv_len;
                 else
                         iiv = save_iv;
                 memcpy(ctx->iv, iiv, ctx->cipher->iv_len);
@@ -429,28 +420,32 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 {
         struct dev_crypto_state *state = ctx->cipher_data;
         struct session_op *sess = &state->d_sess;
-        int cipher;
+        int cipher = -1, i;
 
-        if ((cipher = cipher_nid_to_cryptodev(ctx->cipher->nid)) == NID_undef)
-                return (0);
-
-        if (ctx->cipher->iv_len > cryptodev_max_iv(cipher))
-                return (0);
+        for (i = 0; ciphers[i].id; i++)
+                if (ctx->cipher->nid == ciphers[i].nid &&
+                    ctx->cipher->iv_len <= ciphers[i].ivmax &&
+                    ctx->key_len == ciphers[i].keylen) {
+                        cipher = ciphers[i].id;
+                        break;
+                }
 
-        if (!cryptodev_key_length_valid(cipher, ctx->key_len))
+        if (!ciphers[i].id) {
+                state->d_fd = -1;
                 return (0);
+        }
 
         memset(sess, 0, sizeof(struct session_op));
 
         if ((state->d_fd = get_dev_crypto()) < 0)
                 return (0);
 
-        sess->key = (unsigned char *)key;
+        sess->key = (caddr_t)key;
         sess->keylen = ctx->key_len;
         sess->cipher = cipher;
 
         if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) {
-                close(state->d_fd);
+                put_dev_crypto(state->d_fd);
                 state->d_fd = -1;
                 return (0);
         }
@@ -487,7 +482,7 @@ cryptodev_cleanup(EVP_CIPHER_CTX *ctx)
         } else {
                 ret = 1;
         }
-        close(state->d_fd);
+        put_dev_crypto(state->d_fd);
         state->d_fd = -1;
 
         return (ret);
@@ -498,6 +493,20 @@ cryptodev_cleanup(EVP_CIPHER_CTX *ctx)
  * gets called when libcrypto requests a cipher NID.
  */
 
+/* RC4 */
+const EVP_CIPHER cryptodev_rc4 = {
+        NID_rc4,
+        1, 16, 0,
+        EVP_CIPH_VARIABLE_LENGTH,
+        cryptodev_init_key,
+        cryptodev_cipher,
+        cryptodev_cleanup,
+        sizeof(struct dev_crypto_state),
+        NULL,
+        NULL,
+        NULL
+};
+
 /* DES CBC EVP */
 const EVP_CIPHER cryptodev_des_cbc = {
         NID_des_cbc,
@@ -565,6 +574,32 @@ const EVP_CIPHER cryptodev_aes_cbc = {
         NULL
 };
 
+const EVP_CIPHER cryptodev_aes_192_cbc = {
+        NID_aes_192_cbc,
+        16, 24, 16,
+        EVP_CIPH_CBC_MODE,
+        cryptodev_init_key,
+        cryptodev_cipher,
+        cryptodev_cleanup,
+        sizeof(struct dev_crypto_state),
+        EVP_CIPHER_set_asn1_iv,
+        EVP_CIPHER_get_asn1_iv,
+        NULL
+};
+
+const EVP_CIPHER cryptodev_aes_256_cbc = {
+        NID_aes_256_cbc,
+        16, 32, 16,
+        EVP_CIPH_CBC_MODE,
+        cryptodev_init_key,
+        cryptodev_cipher,
+        cryptodev_cleanup,
+        sizeof(struct dev_crypto_state),
+        EVP_CIPHER_set_asn1_iv,
+        EVP_CIPHER_get_asn1_iv,
+        NULL
+};
+
 /*
  * Registered by the ENGINE when used to find out how to deal with
  * a particular NID in the ENGINE. this says what we'll do at the
@@ -578,6 +613,9 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
                 return (cryptodev_usable_ciphers(nids));
 
         switch (nid) {
+        case NID_rc4:
+                *cipher = &cryptodev_rc4;
+                break;
         case NID_des_ede3_cbc:
                 *cipher = &cryptodev_3des_cbc;
                 break;
@@ -593,6 +631,12 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
         case NID_aes_128_cbc:
                 *cipher = &cryptodev_aes_cbc;
                 break;
+        case NID_aes_192_cbc:
+                *cipher = &cryptodev_aes_192_cbc;
+                break;
+        case NID_aes_256_cbc:
+                *cipher = &cryptodev_aes_256_cbc;
+                break;
         default:
                 *cipher = NULL;
                 break;
@@ -600,6 +644,256 @@ cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
         return (*cipher != NULL);
 }
 
+
+#ifdef USE_CRYPTODEV_DIGESTS
+
+/* convert digest type to cryptodev */
+static int
+digest_nid_to_cryptodev(int nid)
+{
+        int i;
+
+        for (i = 0; digests[i].id; i++)
+                if (digests[i].nid == nid)
+                        return (digests[i].id);
+        return (0);
+}
+
+
+static int
+digest_key_length(int nid)
+{
+        int i;
+
+        for (i = 0; digests[i].id; i++)
+                if (digests[i].nid == nid)
+                        return digests[i].keylen;
+        return (0);
+}
+
+
+static int cryptodev_digest_init(EVP_MD_CTX *ctx)
+{
+        struct dev_crypto_state *state = ctx->md_data;
+        struct session_op *sess = &state->d_sess;
+        int digest;
+
+        if ((digest = digest_nid_to_cryptodev(ctx->digest->type)) == NID_undef){
+                printf("cryptodev_digest_init: Can't get digest \n");
+                return (0);
+        }
+
+        memset(state, 0, sizeof(struct dev_crypto_state));
+
+        if ((state->d_fd = get_dev_crypto()) < 0) {
+                printf("cryptodev_digest_init: Can't get Dev \n");
+                return (0);
+        }
+
+        sess->mackey = state->dummy_mac_key;
+        sess->mackeylen = digest_key_length(ctx->digest->type);
+        sess->mac = digest;
+
+        if (ioctl(state->d_fd, CIOCGSESSION, sess) < 0) {
+                put_dev_crypto(state->d_fd);
+                state->d_fd = -1;
+                printf("cryptodev_digest_init: Open session failed\n");
+                return (0);
+        }
+
+        return (1);
+}
+
+static int cryptodev_digest_update(EVP_MD_CTX *ctx, const void *data,
+                size_t count)
+{
+        struct crypt_op cryp;
+        struct dev_crypto_state *state = ctx->md_data;
+        struct session_op *sess = &state->d_sess;
+
+        if (!data || state->d_fd < 0) {
+                printf("cryptodev_digest_update: illegal inputs \n");
+                return (0);
+        }
+
+        if (!count) {
+                return (0);
+        }
+
+        if (!(ctx->flags & EVP_MD_CTX_FLAG_ONESHOT)) {
+                /* if application doesn't support one buffer */
+                state->mac_data = OPENSSL_realloc(state->mac_data, state->mac_len + count);
+
+                if (!state->mac_data) {
+                        printf("cryptodev_digest_update: realloc failed\n");
+                        return (0);
+                }
+
+                memcpy(state->mac_data + state->mac_len, data, count);
+                state->mac_len += count;
+        
+                return (1);
+        }
+
+        memset(&cryp, 0, sizeof(cryp));
+
+        cryp.ses = sess->ses;
+        cryp.flags = 0;
+        cryp.len = count;
+        cryp.src = (caddr_t) data;
+        cryp.dst = NULL;
+        cryp.mac = (caddr_t) state->digest_res;
+        if (ioctl(state->d_fd, CIOCCRYPT, &cryp) < 0) {
+                printf("cryptodev_digest_update: digest failed\n");
+                return (0);
+        }
+        return (1);
+}
+
+
+static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned char *md)
+{
+        struct crypt_op cryp;
+        struct dev_crypto_state *state = ctx->md_data;
+        struct session_op *sess = &state->d_sess;
+
+        int ret = 1;
+
+        if (!md || state->d_fd < 0) {
+                printf("cryptodev_digest_final: illegal input\n");
+                return(0);
+        }
+
+        if (! (ctx->flags & EVP_MD_CTX_FLAG_ONESHOT) ) {
+                /* if application doesn't support one buffer */
+                memset(&cryp, 0, sizeof(cryp));
+                cryp.ses = sess->ses;
+                cryp.flags = 0;
+                cryp.len = state->mac_len;
+                cryp.src = state->mac_data;
+                cryp.dst = NULL;
+                cryp.mac = (caddr_t)md;
+                if (ioctl(state->d_fd, CIOCCRYPT, &cryp) < 0) {
+                        printf("cryptodev_digest_final: digest failed\n");
+                        return (0);
+                }
+
+                return 1;
+        }
+
+        memcpy(md, state->digest_res, ctx->digest->md_size);
+
+        return (ret);
+}
+
+
+static int cryptodev_digest_cleanup(EVP_MD_CTX *ctx)
+{
+        int ret = 1;
+        struct dev_crypto_state *state = ctx->md_data;
+        struct session_op *sess = &state->d_sess;
+
+        if (state == NULL)
+          return 0;
+
+        if (state->d_fd < 0) {
+                printf("cryptodev_digest_cleanup: illegal input\n");
+                return (0);
+        }
+
+        if (state->mac_data) {
+                OPENSSL_free(state->mac_data);
+                state->mac_data = NULL;
+                state->mac_len = 0;
+        }
+
+        if (ioctl(state->d_fd, CIOCFSESSION, &sess->ses) < 0) {
+                printf("cryptodev_digest_cleanup: failed to close session\n");
+                ret = 0;
+        } else {
+                ret = 1;
+        }
+        put_dev_crypto(state->d_fd);    
+        state->d_fd = -1;
+
+        return (ret);
+}
+
+static int cryptodev_digest_copy(EVP_MD_CTX *to,const EVP_MD_CTX *from)
+{
+        struct dev_crypto_state *fstate = from->md_data;
+        struct dev_crypto_state *dstate = to->md_data;
+        struct session_op *sess;
+        int digest;
+
+        if (dstate == NULL || fstate == NULL)
+          return 1;
+
+        memcpy(dstate, fstate, sizeof(struct dev_crypto_state));
+
+        sess = &dstate->d_sess;
+
+        digest = digest_nid_to_cryptodev(to->digest->type);
+
+        sess->mackey = dstate->dummy_mac_key;
+        sess->mackeylen = digest_key_length(to->digest->type);
+        sess->mac = digest;
+
+        dstate->d_fd = get_dev_crypto();
+
+        if (ioctl(dstate->d_fd, CIOCGSESSION, sess) < 0) {
+                put_dev_crypto(dstate->d_fd);
+                dstate->d_fd = -1;
+                printf("cryptodev_digest_init: Open session failed\n");
+                return (0);
+        }
+
+        if (fstate->mac_len != 0) {
+                if (fstate->mac_data != NULL)
+                        {
+                        dstate->mac_data = OPENSSL_malloc(fstate->mac_len);
+                        memcpy(dstate->mac_data, fstate->mac_data, fstate->mac_len);
+                        dstate->mac_len = fstate->mac_len;
+                        }
+        }
+
+        return 1;
+}
+
+
+const EVP_MD cryptodev_sha1 = {
+        NID_sha1,
+        NID_undef, 
+        SHA_DIGEST_LENGTH, 
+        EVP_MD_FLAG_ONESHOT,
+        cryptodev_digest_init,
+        cryptodev_digest_update,
+        cryptodev_digest_final,
+        cryptodev_digest_copy,
+        cryptodev_digest_cleanup,
+        EVP_PKEY_NULL_method,
+        SHA_CBLOCK,
+        sizeof(struct dev_crypto_state),
+};
+
+const EVP_MD cryptodev_md5 = {
+        NID_md5,
+        NID_undef, 
+        16 /* MD5_DIGEST_LENGTH */, 
+        EVP_MD_FLAG_ONESHOT,
+        cryptodev_digest_init,
+        cryptodev_digest_update,
+        cryptodev_digest_final,
+        cryptodev_digest_copy,
+        cryptodev_digest_cleanup,
+        EVP_PKEY_NULL_method,
+        64 /* MD5_CBLOCK */,
+        sizeof(struct dev_crypto_state),
+};
+
+#endif /* USE_CRYPTODEV_DIGESTS */
+
+
 static int
 cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest,
     const int **nids, int nid)
@@ -608,10 +902,15 @@ cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest,
                 return (cryptodev_usable_digests(nids));
 
         switch (nid) {
+#ifdef USE_CRYPTODEV_DIGESTS
         case NID_md5:
-                *digest = NULL; /* need to make a clean md5 critter */
+                *digest = &cryptodev_md5; 
                 break;
+        case NID_sha1:
+                *digest = &cryptodev_sha1;
+                break;
         default:
+#endif /* USE_CRYPTODEV_DIGESTS */
                 *digest = NULL;
                 break;
         }
@@ -639,8 +938,9 @@ bn2crparam(const BIGNUM *a, struct crparam *crp)
         b = malloc(bytes);
         if (b == NULL)
                 return (1);
+        memset(b, 0, bytes);
 
-        crp->crp_p = b;
+        crp->crp_p = (caddr_t) b;
         crp->crp_nbits = bits;
 
         for (i = 0, j = 0; i < a->top; i++) {
@@ -683,7 +983,7 @@ zapparams(struct crypt_kop *kop)
 {
         int i;
 
-        for (i = 0; i <= kop->crk_iparams + kop->crk_oparams; i++) {
+        for (i = 0; i < kop->crk_iparams + kop->crk_oparams; i++) {
                 if (kop->crk_param[i].crp_p)
                         free(kop->crk_param[i].crp_p);
                 kop->crk_param[i].crp_p = NULL;
@@ -748,21 +1048,27 @@ cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                 goto err;
         kop.crk_iparams = 3;
 
-        if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) == -1) {
+        if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL)) {
+                const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+                printf("OCF asym process failed, Running in software\n");
+                ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
+
+        } else if (ECANCELED == kop.crk_status) {
                 const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+                printf("OCF hardware operation cancelled. Running in Software\n");
                 ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
         }
+        /* else cryptodev operation worked ok ==> ret = 1*/
+
 err:
         zapparams(&kop);
         return (ret);
 }
 
 static int
-cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
+cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 {
         int r;
-        BN_CTX *ctx;
-
         ctx = BN_CTX_new();
         r = cryptodev_bn_mod_exp(r0, I, rsa->d, rsa->n, ctx, NULL);
         BN_CTX_free(ctx);
@@ -770,7 +1076,7 @@ cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
 }
 
 static int
-cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
+cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 {
         struct crypt_kop kop;
         int ret = 1;
@@ -797,10 +1103,18 @@ cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
                 goto err;
         kop.crk_iparams = 6;
 
-        if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL) == -1) {
+        if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL)) {
+                const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+                printf("OCF asym process failed, running in Software\n");
+                ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
+
+        } else if (ECANCELED == kop.crk_status) {
                 const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
-                ret = (*meth->rsa_mod_exp)(r0, I, rsa);
+                printf("OCF hardware operation cancelled. Running in Software\n");
+                ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
         }
+        /* else cryptodev operation worked ok ==> ret = 1*/
+
 err:
         zapparams(&kop);
         return (ret);
@@ -936,7 +1250,8 @@ cryptodev_dsa_verify(const unsigned char *dgst, int dlen,
         kop.crk_iparams = 7;
 
         if (cryptodev_asym(&kop, 0, NULL, 0, NULL) == 0) {
-                dsaret = kop.crk_status;
+/*OCF success value is 0, if not zero, change dsaret to fail*/
+                if(0 != kop.crk_status) dsaret  = 0;
         } else {
                 const DSA_METHOD *meth = DSA_OpenSSL();
 
@@ -996,7 +1311,7 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
                 goto err;
         kop.crk_iparams = 3;
 
-        kop.crk_param[3].crp_p = key;
+        kop.crk_param[3].crp_p = (caddr_t) key;
         kop.crk_param[3].crp_nbits = keylen * 8;
         kop.crk_oparams = 1;
 
@@ -1027,7 +1342,7 @@ static DH_METHOD cryptodev_dh = {
  * but I expect we'll want some options soon.
  */
 static int
-cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
 {
 #ifdef HAVE_SYSLOG_R
         struct syslog_data sd = SYSLOG_DATA_INIT;
@@ -1063,11 +1378,11 @@ ENGINE_load_cryptodev(void)
          * find out what asymmetric crypto algorithms we support
          */
         if (ioctl(fd, CIOCASYMFEAT, &cryptodev_asymfeat) == -1) {
-                close(fd);
+                put_dev_crypto(fd);
                 ENGINE_free(engine);
                 return;
         }
-        close(fd);
+        put_dev_crypto(fd);
 
         if (!ENGINE_set_id(engine, "cryptodev") ||
             !ENGINE_set_name(engine, "BSD cryptodev engine") ||
diff --git a/src/lib/libcrypto/evp/Makefile b/src/lib/libcrypto/evp/Makefile
index 0fe1b96bff..5d0c6b7db4 100644
--- a/src/lib/libcrypto/evp/Makefile
+++ b/src/lib/libcrypto/evp/Makefile
@@ -18,7 +18,7 @@ TESTDATA=evptests.txt
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c \
+LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c evp_cnf.c \
         e_des.c e_bf.c e_idea.c e_des3.c e_camellia.c\
         e_rc4.c e_aes.c names.c e_seed.c \
         e_xcbc_d.c e_rc2.c e_cast.c e_rc5.c \
@@ -31,7 +31,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c \
         e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c \
         e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c
 
-LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \
+LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o \
         e_des.o e_bf.o e_idea.o e_des3.o e_camellia.o\
         e_rc4.o e_aes.o names.o e_seed.o \
         e_xcbc_d.o e_rc2.o e_cast.o e_rc5.o \
@@ -67,7 +67,7 @@ files:
 links:
         @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
         @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
-        cp $(TESTDATA) ../../test
+        @[ -f $(TESTDATA) ] && cp $(TESTDATA) ../../test && echo "$(TESTDATA) -> ../../test/$(TESTDATA)"
         @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
@@ -356,6 +356,20 @@ evp_acnf.o: ../../include/openssl/opensslconf.h
 evp_acnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 evp_acnf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 evp_acnf.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_acnf.c
+evp_cnf.o: ../../e_os.h ../../include/openssl/asn1.h
+evp_cnf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+evp_cnf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+evp_cnf.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+evp_cnf.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+evp_cnf.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+evp_cnf.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+evp_cnf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+evp_cnf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+evp_cnf.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+evp_cnf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+evp_cnf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+evp_cnf.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+evp_cnf.o: ../../include/openssl/x509v3.h ../cryptlib.h evp_cnf.c
 evp_enc.o: ../../e_os.h ../../include/openssl/asn1.h
 evp_enc.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 evp_enc.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
@@ -437,28 +451,22 @@ evp_pkey.o: ../asn1/asn1_locl.h ../cryptlib.h evp_pkey.c
 m_dss.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 m_dss.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 m_dss.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-m_dss.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-m_dss.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-m_dss.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-m_dss.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-m_dss.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-m_dss.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+m_dss.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_dss.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+m_dss.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_dss.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 m_dss.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 m_dss.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_dss.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 m_dss.o: ../cryptlib.h m_dss.c
 m_dss1.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 m_dss1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 m_dss1.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-m_dss1.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-m_dss1.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-m_dss1.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-m_dss1.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-m_dss1.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-m_dss1.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+m_dss1.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+m_dss1.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+m_dss1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_dss1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 m_dss1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 m_dss1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_dss1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 m_dss1.o: ../cryptlib.h m_dss1.c
 m_ecdsa.o: ../../e_os.h ../../include/openssl/asn1.h
 m_ecdsa.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
@@ -563,16 +571,13 @@ m_sha.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 m_sha.o: ../cryptlib.h evp_locl.h m_sha.c
 m_sha1.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 m_sha1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-m_sha1.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-m_sha1.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-m_sha1.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-m_sha1.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-m_sha1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-m_sha1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-m_sha1.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+m_sha1.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+m_sha1.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+m_sha1.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+m_sha1.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+m_sha1.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h
 m_sha1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 m_sha1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_sha1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 m_sha1.o: ../cryptlib.h m_sha1.c
 m_sigver.o: ../../e_os.h ../../include/openssl/asn1.h
 m_sigver.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
diff --git a/src/lib/libcrypto/mem.c b/src/lib/libcrypto/mem.c
index 21c0011380..1cc62eafd1 100644
--- a/src/lib/libcrypto/mem.c
+++ b/src/lib/libcrypto/mem.c
@@ -121,10 +121,10 @@ static void (*set_debug_options_func)(long) = NULL;
 static long (*get_debug_options_func)(void) = NULL;
 #endif
 
-
 int CRYPTO_set_mem_functions(void *(*m)(size_t), void *(*r)(void *, size_t),
         void (*f)(void *))
         {
+        /* Dummy call just to ensure OPENSSL_init() gets linked in */
         OPENSSL_init();
         if (!allow_customize)
                 return 0;
diff --git a/src/lib/libcrypto/rand/md_rand.c b/src/lib/libcrypto/rand/md_rand.c
index fcdd3f2a84..aee1c30b0a 100644
--- a/src/lib/libcrypto/rand/md_rand.c
+++ b/src/lib/libcrypto/rand/md_rand.c
@@ -123,10 +123,10 @@
 
 #include "e_os.h"
 
+#include <openssl/crypto.h>
 #include <openssl/rand.h>
 #include "rand_lcl.h"
 
-#include <openssl/crypto.h>
 #include <openssl/err.h>
 
 #ifdef BN_DEBUG
@@ -198,6 +198,9 @@ static void ssleay_rand_add(const void *buf, int num, double add)
         EVP_MD_CTX m;
         int do_not_lock;
 
+        if (!num)
+                return;
+
         /*
          * (Based on the rand(3) manpage)
          *
@@ -380,8 +383,11 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
          * are fed into the hash function and the results are kept in the
          * global 'md'.
          */
-
-        CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+#ifdef OPENSSL_FIPS
+        /* NB: in FIPS mode we are already under a lock */
+        if (!FIPS_mode())
+#endif
+                CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 
         /* prevent ssleay_rand_bytes() from trying to obtain the lock again */
         CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
@@ -460,7 +466,10 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
 
         /* before unlocking, we must clear 'crypto_lock_rand' */
         crypto_lock_rand = 0;
-        CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+#ifdef OPENSSL_FIPS
+        if (!FIPS_mode())
+#endif
+                CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
         while (num > 0)
                 {
@@ -512,10 +521,16 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
         MD_Init(&m);
         MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
         MD_Update(&m,local_md,MD_DIGEST_LENGTH);
-        CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+#ifdef OPENSSL_FIPS
+        if (!FIPS_mode())
+#endif
+                CRYPTO_w_lock(CRYPTO_LOCK_RAND);
         MD_Update(&m,md,MD_DIGEST_LENGTH);
         MD_Final(&m,md);
-        CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+#ifdef OPENSSL_FIPS
+        if (!FIPS_mode())
+#endif
+                CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
         EVP_MD_CTX_cleanup(&m);
         if (ok)
diff --git a/src/lib/libcrypto/rand/rand_win.c b/src/lib/libcrypto/rand/rand_win.c
index 5d134e186b..34ffcd23f9 100644
--- a/src/lib/libcrypto/rand/rand_win.c
+++ b/src/lib/libcrypto/rand/rand_win.c
@@ -750,7 +750,7 @@ static void readscreen(void)
   int           y;              /* y-coordinate of screen lines to grab */
   int           n = 16;         /* number of screen lines to grab at a time */
 
-  if (GetVersion() < 0x80000000 && OPENSSL_isservice()>0)
+  if (check_winnt() && OPENSSL_isservice()>0)
     return;
 
   /* Create a screen DC and a memory DC compatible to screen DC */
diff --git a/src/lib/libcrypto/sha/Makefile b/src/lib/libcrypto/sha/Makefile
index 6d191d3936..2eb2b7af99 100644
--- a/src/lib/libcrypto/sha/Makefile
+++ b/src/lib/libcrypto/sha/Makefile
@@ -60,7 +60,9 @@ sha256-armv4.S: asm/sha256-armv4.pl
         $(PERL) $< $(PERLASM_SCHEME) $@
 
 sha1-alpha.s:   asm/sha1-alpha.pl
-        $(PERL) $< | $(CC) -E - | tee $@ > /dev/null
+        (preproc=/tmp/$$$$.$@; trap "rm $$preproc" INT; \
+        $(PERL) asm/sha1-alpha.pl > $$preproc && \
+        $(CC) -E $$preproc > $@ && rm $$preproc)
 
 # Solaris make has to be explicitly told
 sha1-x86_64.s:  asm/sha1-x86_64.pl;     $(PERL) asm/sha1-x86_64.pl $(PERLASM_SCHEME) > $@
diff --git a/src/lib/libcrypto/sha/sha_dgst.c b/src/lib/libcrypto/sha/sha_dgst.c
index c946ad827d..fb63b17ff2 100644
--- a/src/lib/libcrypto/sha/sha_dgst.c
+++ b/src/lib/libcrypto/sha/sha_dgst.c
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#include <openssl/opensslconf.h>
 #include <openssl/crypto.h>
+#include <openssl/opensslconf.h>
 #if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA)
 
 #undef  SHA_1
diff --git a/src/lib/libcrypto/symhacks.h b/src/lib/libcrypto/symhacks.h
index 403f592dcd..bd2f000d59 100644
--- a/src/lib/libcrypto/symhacks.h
+++ b/src/lib/libcrypto/symhacks.h
@@ -193,17 +193,23 @@
 #undef SSL_CTX_set_srp_username_callback
 #define SSL_CTX_set_srp_username_callback       SSL_CTX_set_srp_un_cb
 #undef ssl_add_clienthello_use_srtp_ext
-#define ssl_add_clienthello_use_srtp_ext ssl_add_clihello_use_srtp_ext
+#define ssl_add_clienthello_use_srtp_ext        ssl_add_clihello_use_srtp_ext
 #undef ssl_add_serverhello_use_srtp_ext
-#define ssl_add_serverhello_use_srtp_ext ssl_add_serhello_use_srtp_ext
+#define ssl_add_serverhello_use_srtp_ext        ssl_add_serhello_use_srtp_ext
 #undef ssl_parse_clienthello_use_srtp_ext
-#define ssl_parse_clienthello_use_srtp_ext ssl_parse_clihello_use_srtp_ext
+#define ssl_parse_clienthello_use_srtp_ext      ssl_parse_clihello_use_srtp_ext
 #undef ssl_parse_serverhello_use_srtp_ext
-#define ssl_parse_serverhello_use_srtp_ext ssl_parse_serhello_use_srtp_ext
+#define ssl_parse_serverhello_use_srtp_ext      ssl_parse_serhello_use_srtp_ext
 #undef SSL_CTX_set_next_protos_advertised_cb
-#define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb
+#define SSL_CTX_set_next_protos_advertised_cb   SSL_CTX_set_next_protos_adv_cb
 #undef SSL_CTX_set_next_proto_select_cb
-#define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb
+#define SSL_CTX_set_next_proto_select_cb        SSL_CTX_set_next_proto_sel_cb
+#undef ssl3_cbc_record_digest_supported
+#define ssl3_cbc_record_digest_supported        ssl3_cbc_record_digest_support
+#undef ssl_check_clienthello_tlsext_late
+#define ssl_check_clienthello_tlsext_late       ssl_check_clihello_tlsext_late
+#undef ssl_check_clienthello_tlsext_early
+#define ssl_check_clienthello_tlsext_early      ssl_check_clihello_tlsext_early
 
 /* Hack some long ENGINE names */
 #undef ENGINE_get_default_BN_mod_exp_crt
@@ -316,8 +322,6 @@
 #define ec_GFp_simple_point_set_to_infinity     ec_GFp_simple_pt_set_to_inf
 #undef ec_GFp_simple_points_make_affine
 #define ec_GFp_simple_points_make_affine        ec_GFp_simple_pts_make_affine
-#undef ec_GFp_simple_group_get_curve_GFp
-#define ec_GFp_simple_group_get_curve_GFp       ec_GFp_simple_grp_get_curve_GFp
 #undef ec_GFp_simple_set_Jprojective_coordinates_GFp
 #define ec_GFp_simple_set_Jprojective_coordinates_GFp \
                                                 ec_GFp_smp_set_Jproj_coords_GFp
diff --git a/src/lib/libcrypto/util/libeay.num b/src/lib/libcrypto/util/libeay.num
index 93f80ba0c6..aa86b2b8b1 100644
--- a/src/lib/libcrypto/util/libeay.num
+++ b/src/lib/libcrypto/util/libeay.num
@@ -3510,6 +3510,8 @@ BIO_get_callback_arg                    3902	EXIST::FUNCTION:
 BIO_set_callback                        3903    EXIST::FUNCTION:
 d2i_ASIdOrRange                         3904    EXIST::FUNCTION:RFC3779
 i2d_ASIdentifiers                       3905    EXIST::FUNCTION:RFC3779
+CRYPTO_memcmp                           3906    EXIST::FUNCTION:
+BN_consttime_swap                       3907    EXIST::FUNCTION:
 SEED_decrypt                            3908    EXIST::FUNCTION:SEED
 SEED_encrypt                            3909    EXIST::FUNCTION:SEED
 SEED_cbc_encrypt                        3910    EXIST::FUNCTION:SEED
@@ -3687,7 +3689,7 @@ FIPS_dh_new                             4073	NOEXIST::FUNCTION:
 FIPS_corrupt_dsa_keygen                 4074    NOEXIST::FUNCTION:
 FIPS_dh_free                            4075    NOEXIST::FUNCTION:
 fips_pkey_signature_test                4076    NOEXIST::FUNCTION:
-EVP_add_alg_module                      4077    NOEXIST::FUNCTION:
+EVP_add_alg_module                      4077    EXIST::FUNCTION:
 int_RAND_init_engine_callbacks          4078    NOEXIST::FUNCTION:
 int_EVP_CIPHER_set_engine_callbacks     4079    NOEXIST::FUNCTION:
 int_EVP_MD_init_engine_callbacks        4080    NOEXIST::FUNCTION:
diff --git a/src/lib/libcrypto/util/pl/BC-32.pl b/src/lib/libcrypto/util/pl/BC-32.pl
index 1f1e13fb40..b41bb45e82 100644
--- a/src/lib/libcrypto/util/pl/BC-32.pl
+++ b/src/lib/libcrypto/util/pl/BC-32.pl
@@ -18,7 +18,7 @@ $out_def="out32";
 $tmp_def="tmp32";
 $inc_def="inc32";
 #enable max error messages, disable most common warnings
-$cflags="-DWIN32_LEAN_AND_MEAN -q -w-ccc -w-rch -w-pia -w-aus -w-par -w-inl  -c -tWC -tWM -DOPENSSL_SYSNAME_WIN32 -DL_ENDIAN -DDSO_WIN32 -D_stricmp=stricmp -D_strnicmp=strnicmp ";
+$cflags="-DWIN32_LEAN_AND_MEAN -q -w-ccc -w-rch -w-pia -w-aus -w-par -w-inl  -c -tWC -tWM -DOPENSSL_SYSNAME_WIN32 -DL_ENDIAN -DDSO_WIN32 -D_stricmp=stricmp -D_strnicmp=strnicmp -D_timeb=timeb -D_ftime=ftime ";
 if ($debug)
 {
     $cflags.="-Od -y -v -vi- -D_DEBUG";
@@ -38,7 +38,7 @@ $efile="";
 $exep='.exe';
 if ($no_sock)
         { $ex_libs=""; }
-else    { $ex_libs="cw32mt.lib import32.lib"; }
+else    { $ex_libs="cw32mt.lib import32.lib crypt32.lib ws2_32.lib"; }
 
 # static library stuff
 $mklib='tlib /P64';
@@ -51,8 +51,8 @@ $lfile='';
 $shlib_ex_obj="";
 $app_ex_obj="c0x32.obj"; 
 
-$asm='nasmw -f obj -d__omf__';
-$asm.=" /Zi" if $debug;
+$asm=(`nasm -v 2>NUL` ge `nasmw -v 2>NUL`?"nasm":"nasmw")." -f obj -d__omf__";
+$asm.=" -g" if $debug;
 $afile='-o';
 
 $bn_mulw_obj='';
diff --git a/src/lib/libcrypto/util/pl/VC-32.pl b/src/lib/libcrypto/util/pl/VC-32.pl
index c503bd52b9..3705fc73b7 100644
--- a/src/lib/libcrypto/util/pl/VC-32.pl
+++ b/src/lib/libcrypto/util/pl/VC-32.pl
@@ -27,6 +27,8 @@ $zlib_lib="zlib1.lib";
 $l_flags =~ s/-L("\[^"]+")/\/libpath:$1/g;
 $l_flags =~ s/-L(\S+)/\/libpath:$1/g;
 
+my $ff = "";
+
 # C compiler stuff
 $cc='cl';
 if ($FLAVOR =~ /WIN64/)
@@ -118,7 +120,7 @@ elsif ($FLAVOR =~ /CE/)
     $base_cflags.=' -I$(WCECOMPAT)/include'             if (defined($ENV{'WCECOMPAT'}));
     $base_cflags.=' -I$(PORTSDK_LIBPATH)/../../include' if (defined($ENV{'PORTSDK_LIBPATH'}));
     $opt_cflags=' /MC /O1i';    # optimize for space, but with intrinsics...
-    $dbg_clfags=' /MC /Od -DDEBUG -D_DEBUG';
+    $dbg_cflags=' /MC /Od -DDEBUG -D_DEBUG';
     $lflags="/nologo /opt:ref $wcelflag";
     }
 else    # Win32
@@ -126,6 +128,7 @@ else	# Win32
     $base_cflags= " $mf_cflag";
     my $f = $shlib || $fips ?' /MD':' /MT';
     $lib_cflag='/Zl' if (!$shlib);      # remove /DEFAULTLIBs from static lib
+    $ff = "/fixed";
     $opt_cflags=$f.' /Ox /O2 /Ob2';
     $dbg_cflags=$f.'d /Od -DDEBUG -D_DEBUG';
     $lflags="/nologo /subsystem:console /opt:ref";
@@ -318,7 +321,7 @@ sub do_lib_rule
                         $ret.="\tSET FIPS_SHA1_EXE=\$(FIPS_SHA1_EXE)\n";
                         $ret.="\tSET FIPS_TARGET=$target\n";
                         $ret.="\tSET FIPSLIB_D=\$(FIPSLIB_D)\n";
-                        $ret.="\t\$(FIPSLINK) \$(MLFLAGS) /map $base_arg $efile$target ";
+                        $ret.="\t\$(FIPSLINK) \$(MLFLAGS) $ff /map $base_arg $efile$target ";
                         $ret.="$name @<<\n  \$(SHLIB_EX_OBJ) $objs \$(EX_LIBS) ";
                         $ret.="\$(OBJ_D)${o}fips_premain.obj $ex\n<<\n";
                         }
@@ -355,7 +358,7 @@ sub do_link_rule
                 $ret.="\tSET FIPS_TARGET=$target\n";
                 $ret.="\tSET FIPS_SHA1_EXE=\$(FIPS_SHA1_EXE)\n";
                 $ret.="\tSET FIPSLIB_D=\$(FIPSLIB_D)\n";
-                $ret.="\t\$(FIPSLINK) \$(LFLAGS) /map $efile$target @<<\n";
+                $ret.="\t\$(FIPSLINK) \$(LFLAGS) $ff /map $efile$target @<<\n";
                 $ret.="\t\$(APP_EX_OBJ) $files \$(OBJ_D)${o}fips_premain.obj $libs\n<<\n";
                 }
         else
diff --git a/src/lib/libcrypto/util/shlib_wrap.sh b/src/lib/libcrypto/util/shlib_wrap.sh
index 9416d593d2..8775cb5411 100755
--- a/src/lib/libcrypto/util/shlib_wrap.sh
+++ b/src/lib/libcrypto/util/shlib_wrap.sh
@@ -90,4 +90,8 @@ fi
 
 cmd="$1${EXE_EXT}"
 shift
-exec "$cmd" "$@"
+if [ $# -eq 0 ]; then
+        exec "$cmd"     # old sh, such as Tru64 4.x, fails to expand empty "$@"
+else
+        exec "$cmd" "$@"
+fi