merge with openssl-0.9.7-stable-SNAP-20020911,

new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@

40 files changed, 543 insertions, 332 deletions

diff --git a/src/lib/libcrypto/Makefile.ssl b/src/lib/libcrypto/Makefile.ssl
index 2489b614c6..db8baf385e 100644
--- a/src/lib/libcrypto/Makefile.ssl
+++ b/src/lib/libcrypto/Makefile.ssl
@@ -98,7 +98,7 @@ lib:	$(LIBOBJ)
 
 shared:
         if [ -n "$(SHARED_LIBS)" ]; then \
-                (cd ..; make $(SHARED_LIB)); \
+                (cd ..; $(MAKE) $(SHARED_LIB)); \
         fi
 
 libs:
diff --git a/src/lib/libcrypto/asn1/a_bitstr.c b/src/lib/libcrypto/asn1/a_bitstr.c
index ed0bdfbde1..e0265f69d2 100644
--- a/src/lib/libcrypto/asn1/a_bitstr.c
+++ b/src/lib/libcrypto/asn1/a_bitstr.c
@@ -120,6 +120,12 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
         unsigned char *p,*s;
         int i;
 
+        if (len < 1)
+                {
+                i=ASN1_R_STRING_TOO_SHORT;
+                goto err;
+                }
+
         if ((a == NULL) || ((*a) == NULL))
                 {
                 if ((ret=M_ASN1_BIT_STRING_new()) == NULL) return(NULL);
diff --git a/src/lib/libcrypto/asn1/a_strex.c b/src/lib/libcrypto/asn1/a_strex.c
index 8dab29dca1..7ddb7662f1 100644
--- a/src/lib/libcrypto/asn1/a_strex.c
+++ b/src/lib/libcrypto/asn1/a_strex.c
@@ -544,7 +544,7 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
 {
         ASN1_STRING stmp, *str = &stmp;
         int mbflag, type, ret;
-        if(!*out || !in) return -1;
+        if(!in) return -1;
         type = in->type;
         if((type < 0) || (type > 30)) return -1;
         mbflag = tag2nbyte[type];
@@ -553,6 +553,6 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
         stmp.data = NULL;
         ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
         if(ret < 0) return ret;
-        if(out) *out = stmp.data;
+        *out = stmp.data;
         return stmp.length;
 }
diff --git a/src/lib/libcrypto/asn1/t_req.c b/src/lib/libcrypto/asn1/t_req.c
index 848c29a2dd..739f272ecf 100644
--- a/src/lib/libcrypto/asn1/t_req.c
+++ b/src/lib/libcrypto/asn1/t_req.c
@@ -82,7 +82,7 @@ int X509_REQ_print_fp(FILE *fp, X509_REQ *x)
         }
 #endif
 
-int X509_REQ_print(BIO *bp, X509_REQ *x)
+int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long cflag)
         {
         unsigned long l;
         int i;
@@ -92,143 +92,185 @@ int X509_REQ_print(BIO *bp, X509_REQ *x)
         STACK_OF(X509_ATTRIBUTE) *sk;
         STACK_OF(X509_EXTENSION) *exts;
         char str[128];
+        char mlch = ' ';
+        int nmindent = 0;
+
+        if((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
+                mlch = '\n';
+                nmindent = 12;
+        }
+
+        if(nmflags == X509_FLAG_COMPAT)
+                nmindent = 16;
+
 
         ri=x->req_info;
-        sprintf(str,"Certificate Request:\n");
-        if (BIO_puts(bp,str) <= 0) goto err;
-        sprintf(str,"%4sData:\n","");
-        if (BIO_puts(bp,str) <= 0) goto err;
-
-        neg=(ri->version->type == V_ASN1_NEG_INTEGER)?"-":"";
-        l=0;
-        for (i=0; i<ri->version->length; i++)
-                { l<<=8; l+=ri->version->data[i]; }
-        sprintf(str,"%8sVersion: %s%lu (%s0x%lx)\n","",neg,l,neg,l);
-        if (BIO_puts(bp,str) <= 0) goto err;
-        sprintf(str,"%8sSubject: ","");
-        if (BIO_puts(bp,str) <= 0) goto err;
-
-        X509_NAME_print(bp,ri->subject,16);
-        sprintf(str,"\n%8sSubject Public Key Info:\n","");
-        if (BIO_puts(bp,str) <= 0) goto err;
-        i=OBJ_obj2nid(ri->pubkey->algor->algorithm);
-        sprintf(str,"%12sPublic Key Algorithm: %s\n","",
-                (i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i));
-        if (BIO_puts(bp,str) <= 0) goto err;
-
-        pkey=X509_REQ_get_pubkey(x);
-#ifndef OPENSSL_NO_RSA
-        if (pkey != NULL && pkey->type == EVP_PKEY_RSA)
+        if(!(cflag & X509_FLAG_NO_HEADER))
                 {
-                BIO_printf(bp,"%12sRSA Public Key: (%d bit)\n","",
-                        BN_num_bits(pkey->pkey.rsa->n));
-                RSA_print(bp,pkey->pkey.rsa,16);
+                if (BIO_write(bp,"Certificate Request:\n",21) <= 0) goto err;
+                if (BIO_write(bp,"    Data:\n",10) <= 0) goto err;
                 }
-        else 
-#endif
-#ifndef OPENSSL_NO_DSA
-                if (pkey != NULL && pkey->type == EVP_PKEY_DSA)
+        if(!(cflag & X509_FLAG_NO_VERSION))
                 {
-                BIO_printf(bp,"%12sDSA Public Key:\n","");
-                DSA_print(bp,pkey->pkey.dsa,16);
+                neg=(ri->version->type == V_ASN1_NEG_INTEGER)?"-":"";
+                l=0;
+                for (i=0; i<ri->version->length; i++)
+                        { l<<=8; l+=ri->version->data[i]; }
+                sprintf(str,"%8sVersion: %s%lu (%s0x%lx)\n","",neg,l,neg,l);
+                if (BIO_puts(bp,str) <= 0) goto err;
                 }
-        else
-#endif
-                BIO_printf(bp,"%12sUnknown Public Key:\n","");
+        if(!(cflag & X509_FLAG_NO_SUBJECT))
+                {
+                if (BIO_printf(bp,"        Subject:%c",mlch) <= 0) goto err;
+                if (X509_NAME_print_ex(bp,ri->subject,nmindent, nmflags) < 0) goto err;
+                if (BIO_write(bp,"\n",1) <= 0) goto err;
+                }
+        if(!(cflag & X509_FLAG_NO_PUBKEY))
+                {
+                if (BIO_write(bp,"        Subject Public Key Info:\n",33) <= 0)
+                        goto err;
+                if (BIO_printf(bp,"%12sPublic Key Algorithm: ","") <= 0)
+                        goto err;
+                if (i2a_ASN1_OBJECT(bp, ri->pubkey->algor->algorithm) <= 0)
+                        goto err;
+                if (BIO_puts(bp, "\n") <= 0)
+                        goto err;
 
-        if (pkey != NULL)
-            EVP_PKEY_free(pkey);
+                pkey=X509_REQ_get_pubkey(x);
+                if (pkey == NULL)
+                        {
+                        BIO_printf(bp,"%12sUnable to load Public Key\n","");
+                        ERR_print_errors(bp);
+                        }
+                else
+#ifndef OPENSSL_NO_RSA
+                if (pkey->type == EVP_PKEY_RSA)
+                        {
+                        BIO_printf(bp,"%12sRSA Public Key: (%d bit)\n","",
+                        BN_num_bits(pkey->pkey.rsa->n));
+                        RSA_print(bp,pkey->pkey.rsa,16);
+                        }
+                else
+#endif
+#ifndef OPENSSL_NO_DSA
+                if (pkey->type == EVP_PKEY_DSA)
+                        {
+                        BIO_printf(bp,"%12sDSA Public Key:\n","");
+                        DSA_print(bp,pkey->pkey.dsa,16);
+                        }
+                else
+#endif
+                        BIO_printf(bp,"%12sUnknown Public Key:\n","");
 
-        /* may not be */
-        sprintf(str,"%8sAttributes:\n","");
-        if (BIO_puts(bp,str) <= 0) goto err;
+                EVP_PKEY_free(pkey);
+                }
 
-        sk=x->req_info->attributes;
-        if (sk_X509_ATTRIBUTE_num(sk) == 0)
+        if(!(cflag & X509_FLAG_NO_ATTRIBUTES))
                 {
-                sprintf(str,"%12sa0:00\n","");
+                /* may not be */
+                sprintf(str,"%8sAttributes:\n","");
                 if (BIO_puts(bp,str) <= 0) goto err;
-                }
-        else
-                {
-                for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++)
+
+                sk=x->req_info->attributes;
+                if (sk_X509_ATTRIBUTE_num(sk) == 0)
                         {
-                        ASN1_TYPE *at;
-                        X509_ATTRIBUTE *a;
-                        ASN1_BIT_STRING *bs=NULL;
-                        ASN1_TYPE *t;
-                        int j,type=0,count=1,ii=0;
-
-                        a=sk_X509_ATTRIBUTE_value(sk,i);
-                        if(X509_REQ_extension_nid(OBJ_obj2nid(a->object)))
-                                                                continue;
-                        sprintf(str,"%12s","");
+                        sprintf(str,"%12sa0:00\n","");
                         if (BIO_puts(bp,str) <= 0) goto err;
-                        if ((j=i2a_ASN1_OBJECT(bp,a->object)) > 0)
+                        }
+                else
                         {
-                        if (a->single)
+                        for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++)
                                 {
-                                t=a->value.single;
-                                type=t->type;
-                                bs=t->value.bit_string;
-                                }
-                        else
+                                ASN1_TYPE *at;
+                                X509_ATTRIBUTE *a;
+                                ASN1_BIT_STRING *bs=NULL;
+                                ASN1_TYPE *t;
+                                int j,type=0,count=1,ii=0;
+
+                                a=sk_X509_ATTRIBUTE_value(sk,i);
+                                if(X509_REQ_extension_nid(OBJ_obj2nid(a->object)))
+                                                                        continue;
+                                sprintf(str,"%12s","");
+                                if (BIO_puts(bp,str) <= 0) goto err;
+                                if ((j=i2a_ASN1_OBJECT(bp,a->object)) > 0)
                                 {
-                                ii=0;
-                                count=sk_ASN1_TYPE_num(a->value.set);
+                                if (a->single)
+                                        {
+                                        t=a->value.single;
+                                        type=t->type;
+                                        bs=t->value.bit_string;
+                                        }
+                                else
+                                        {
+                                        ii=0;
+                                        count=sk_ASN1_TYPE_num(a->value.set);
 get_next:
-                                at=sk_ASN1_TYPE_value(a->value.set,ii);
-                                type=at->type;
-                                bs=at->value.asn1_string;
+                                        at=sk_ASN1_TYPE_value(a->value.set,ii);
+                                        type=at->type;
+                                        bs=at->value.asn1_string;
+                                        }
+                                }
+                                for (j=25-j; j>0; j--)
+                                        if (BIO_write(bp," ",1) != 1) goto err;
+                                if (BIO_puts(bp,":") <= 0) goto err;
+                                if (    (type == V_ASN1_PRINTABLESTRING) ||
+                                        (type == V_ASN1_T61STRING) ||
+                                        (type == V_ASN1_IA5STRING))
+                                        {
+                                        if (BIO_write(bp,(char *)bs->data,bs->length)
+                                                != bs->length)
+                                                goto err;
+                                        BIO_puts(bp,"\n");
+                                        }
+                                else
+                                        {
+                                        BIO_puts(bp,"unable to print attribute\n");
+                                        }
+                                if (++ii < count) goto get_next;
                                 }
                         }
-                        for (j=25-j; j>0; j--)
-                                if (BIO_write(bp," ",1) != 1) goto err;
-                        if (BIO_puts(bp,":") <= 0) goto err;
-                        if (    (type == V_ASN1_PRINTABLESTRING) ||
-                                (type == V_ASN1_T61STRING) ||
-                                (type == V_ASN1_IA5STRING))
+                }
+        if(!(cflag & X509_FLAG_NO_ATTRIBUTES))
+                {
+                exts = X509_REQ_get_extensions(x);
+                if(exts)
+                        {
+                        BIO_printf(bp,"%8sRequested Extensions:\n","");
+                        for (i=0; i<sk_X509_EXTENSION_num(exts); i++)
                                 {
-                                if (BIO_write(bp,(char *)bs->data,bs->length)
-                                        != bs->length)
+                                ASN1_OBJECT *obj;
+                                X509_EXTENSION *ex;
+                                int j;
+                                ex=sk_X509_EXTENSION_value(exts, i);
+                                if (BIO_printf(bp,"%12s","") <= 0) goto err;
+                                obj=X509_EXTENSION_get_object(ex);
+                                i2a_ASN1_OBJECT(bp,obj);
+                                j=X509_EXTENSION_get_critical(ex);
+                                if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0)
                                         goto err;
-                                BIO_puts(bp,"\n");
-                                }
-                        else
-                                {
-                                BIO_puts(bp,"unable to print attribute\n");
+                                if(!X509V3_EXT_print(bp, ex, 0, 16))
+                                        {
+                                        BIO_printf(bp, "%16s", "");
+                                        M_ASN1_OCTET_STRING_print(bp,ex->value);
+                                        }
+                                if (BIO_write(bp,"\n",1) <= 0) goto err;
                                 }
-                        if (++ii < count) goto get_next;
+                        sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
                         }
                 }
 
-        exts = X509_REQ_get_extensions(x);
-        if(exts) {
-                BIO_printf(bp,"%8sRequested Extensions:\n","");
-                for (i=0; i<sk_X509_EXTENSION_num(exts); i++) {
-                        ASN1_OBJECT *obj;
-                        X509_EXTENSION *ex;
-                        int j;
-                        ex=sk_X509_EXTENSION_value(exts, i);
-                        if (BIO_printf(bp,"%12s","") <= 0) goto err;
-                        obj=X509_EXTENSION_get_object(ex);
-                        i2a_ASN1_OBJECT(bp,obj);
-                        j=X509_EXTENSION_get_critical(ex);
-                        if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0)
-                                goto err;
-                        if(!X509V3_EXT_print(bp, ex, 0, 16)) {
-                                BIO_printf(bp, "%16s", "");
-                                M_ASN1_OCTET_STRING_print(bp,ex->value);
-                        }
-                        if (BIO_write(bp,"\n",1) <= 0) goto err;
+        if(!(cflag & X509_FLAG_NO_SIGDUMP))
+                {
+                if(!X509_signature_print(bp, x->sig_alg, x->signature)) goto err;
                 }
-                sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
-        }
-
-        if(!X509_signature_print(bp, x->sig_alg, x->signature)) goto err;
 
         return(1);
 err:
         X509err(X509_F_X509_REQ_PRINT,ERR_R_BUF_LIB);
         return(0);
         }
+
+int X509_REQ_print(BIO *bp, X509_REQ *x)
+        {
+        return X509_REQ_print_ex(bp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
+        }
diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c
index 0fc1f421e2..f87c08793a 100644
--- a/src/lib/libcrypto/asn1/tasn_dec.c
+++ b/src/lib/libcrypto/asn1/tasn_dec.c
@@ -913,10 +913,10 @@ static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *i
                         ctx->ptag = ptag;
                         ctx->hdrlen = p - q;
                         ctx->valid = 1;
-                        /* If definite length, length + header can't exceed total
-                         * amount of data available.
+                        /* If definite length, and no error, length +
+                         * header can't exceed total amount of data available. 
                          */
-                        if(!(i & 1) && ((plen + ctx->hdrlen) > len)) {
+                        if(!(i & 0x81) && ((plen + ctx->hdrlen) > len)) {
                                 ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_TOO_LONG);
                                 asn1_tlc_clear(ctx);
                                 return 0;
diff --git a/src/lib/libcrypto/bio/b_print.c b/src/lib/libcrypto/bio/b_print.c
index 3ce1290772..80c9cb69db 100644
--- a/src/lib/libcrypto/bio/b_print.c
+++ b/src/lib/libcrypto/bio/b_print.c
@@ -109,7 +109,7 @@
  * o ...                                       (for OpenSSL)
  */
 
-#if HAVE_LONG_DOUBLE
+#ifdef HAVE_LONG_DOUBLE
 #define LDOUBLE long double
 #else
 #define LDOUBLE double
diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index 1eaf879553..b40682f831 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -430,7 +430,7 @@ int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b,
 int BN_from_montgomery(BIGNUM *r,const BIGNUM *a,
         BN_MONT_CTX *mont, BN_CTX *ctx);
 void BN_MONT_CTX_free(BN_MONT_CTX *mont);
-int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *modulus,BN_CTX *ctx);
+int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *mod,BN_CTX *ctx);
 BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to,BN_MONT_CTX *from);
 
 BN_BLINDING *BN_BLINDING_new(BIGNUM *A,BIGNUM *Ai,BIGNUM *mod);
diff --git a/src/lib/libcrypto/crypto-lib.com b/src/lib/libcrypto/crypto-lib.com
index 4847a69a71..dfcff11860 100644
--- a/src/lib/libcrypto/crypto-lib.com
+++ b/src/lib/libcrypto/crypto-lib.com
@@ -231,7 +231,7 @@ $ LIB_RAND = "md_rand,randfile,rand_lib,rand_err,rand_egd,"+ -
         "rand_vms"
 $ LIB_ERR = "err,err_all,err_prn"
 $ LIB_OBJECTS = "o_names,obj_dat,obj_lib,obj_err"
-$ LIB_EVP = "encode,digest,evp_enc,evp_key,"+ -
+$ LIB_EVP = "encode,digest,evp_enc,evp_key,evp_acnf,"+ -
         "e_des,e_bf,e_idea,e_des3,"+ -
         "e_rc4,e_aes,names,"+ -
         "e_xcbc_d,e_rc2,e_cast,e_rc5"
@@ -265,14 +265,14 @@ $ LIB_X509V3 = "v3_bcons,v3_bitst,v3_conf,v3_extku,v3_ia5,v3_lib,"+ -
         "v3_prn,v3_utl,v3err,v3_genn,v3_alt,v3_skey,v3_akey,v3_pku,"+ -
         "v3_int,v3_enum,v3_sxnet,v3_cpols,v3_crld,v3_purp,v3_info,"+ -
         "v3_ocsp,v3_akeya"
-$ LIB_CONF = "conf_err,conf_lib,conf_api,conf_def,conf_mod,conf_mall"
+$ LIB_CONF = "conf_err,conf_lib,conf_api,conf_def,conf_mod,conf_mall,conf_sap"
 $ LIB_TXT_DB = "txt_db"
 $ LIB_PKCS7 = "pk7_asn1,pk7_lib,pkcs7err,pk7_doit,pk7_smime,pk7_attr,"+ -
         "pk7_mime"
 $ LIB_PKCS12 = "p12_add,p12_asn,p12_attr,p12_crpt,p12_crt,p12_decr,"+ -
         "p12_init,p12_key,p12_kiss,p12_mutl,"+ -
         "p12_utl,p12_npas,pk12err,p12_p8d,p12_p8e"
-$ LIB_COMP = "comp_lib,"+ -
+$ LIB_COMP = "comp_lib,comp_err,"+ -
         "c_rle,c_zlib"
 $ LIB_OCSP = "ocsp_asn,ocsp_ext,ocsp_ht,ocsp_lib,ocsp_cl,"+ -
         "ocsp_srv,ocsp_prn,ocsp_vfy,ocsp_err"
@@ -1325,7 +1325,7 @@ $   CC4 = CC - CCDISABLEWARNINGS + CC4DISABLEWARNINGS
 $!
 $!  Show user the result
 $!
-$   WRITE SYS$OUTPUT "Main C Compiling Command: ",CC
+$   WRITE/SYMBOL SYS$OUTPUT "Main C Compiling Command: ",CC
 $!
 $!  Else The User Entered An Invalid Arguement.
 $!
@@ -1356,7 +1356,7 @@ $ IF ARCH .EQS. "AXP" THEN MACRO = "MACRO/MIGRATION/''DEBUGGER'/''MACRO_OPTIMIZE
 $!
 $!  Show user the result
 $!
-$   WRITE SYS$OUTPUT "Main MACRO Compiling Command: ",MACRO
+$   WRITE/SYMBOL SYS$OUTPUT "Main MACRO Compiling Command: ",MACRO
 $!
 $! Time to check the contents, and to make sure we get the correct library.
 $!
diff --git a/src/lib/libcrypto/des/Makefile.ssl b/src/lib/libcrypto/des/Makefile.ssl
index ee5849d8fa..826ffcc58c 100644
--- a/src/lib/libcrypto/des/Makefile.ssl
+++ b/src/lib/libcrypto/des/Makefile.ssl
@@ -207,7 +207,8 @@ ecb_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
 ecb_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 ecb_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 ecb_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-ecb_enc.o: ../../include/openssl/ui_compat.h des_locl.h ecb_enc.c spr.h
+ecb_enc.o: ../../include/openssl/ui_compat.h des_locl.h des_ver.h ecb_enc.c
+ecb_enc.o: spr.h
 ede_cbcm_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 ede_cbcm_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
 ede_cbcm_enc.o: ../../include/openssl/opensslconf.h
diff --git a/src/lib/libcrypto/des/des_ver.h b/src/lib/libcrypto/des/des_ver.h
index 0fa94d5368..ec9cc736e3 100644
--- a/src/lib/libcrypto/des/des_ver.h
+++ b/src/lib/libcrypto/des/des_ver.h
@@ -63,5 +63,5 @@
 # define OPENSSL_EXTERN OPENSSL_EXPORT
 #endif
 
-OPENSSL_EXTERN char *DES_version;       /* SSLeay version string */
-OPENSSL_EXTERN char *libdes_version;    /* old libdes version string */
+OPENSSL_EXTERN const char *DES_version; /* SSLeay version string */
+OPENSSL_EXTERN const char *libdes_version;      /* old libdes version string */
diff --git a/src/lib/libcrypto/des/ecb_enc.c b/src/lib/libcrypto/des/ecb_enc.c
index 4650f2fa0f..1b70f68806 100644
--- a/src/lib/libcrypto/des/ecb_enc.c
+++ b/src/lib/libcrypto/des/ecb_enc.c
@@ -57,6 +57,7 @@
  */
 
 #include "des_locl.h"
+#include "des_ver.h"
 #include "spr.h"
 #include <openssl/opensslv.h>
 
diff --git a/src/lib/libcrypto/des/set_key.c b/src/lib/libcrypto/des/set_key.c
index 683916e71b..143008ed9c 100644
--- a/src/lib/libcrypto/des/set_key.c
+++ b/src/lib/libcrypto/des/set_key.c
@@ -342,7 +342,7 @@ void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
         register DES_LONG *k;
         register int i;
 
-#if OPENBSD_DEV_CRYPTO
+#ifdef OPENBSD_DEV_CRYPTO
         memcpy(schedule->key,key,sizeof schedule->key);
         schedule->session=NULL;
 #endif
diff --git a/src/lib/libcrypto/doc/DH_set_method.pod b/src/lib/libcrypto/doc/DH_set_method.pod
index d990bf8786..73261fc467 100644
--- a/src/lib/libcrypto/doc/DH_set_method.pod
+++ b/src/lib/libcrypto/doc/DH_set_method.pod
@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-DH_set_default_openssl_method, DH_get_default_openssl_method,
+DH_set_default_method, DH_get_default_method,
 DH_set_method, DH_new_method, DH_OpenSSL - select DH method
 
 =head1 SYNOPSIS
@@ -10,45 +10,47 @@ DH_set_method, DH_new_method, DH_OpenSSL - select DH method
  #include <openssl/dh.h>
  #include <openssl/engine.h>
 
- void DH_set_default_openssl_method(DH_METHOD *meth);
+ void DH_set_default_method(const DH_METHOD *meth);
 
- DH_METHOD *DH_get_default_openssl_method(void);
+ const DH_METHOD *DH_get_default_method(void);
 
- int DH_set_method(DH *dh, ENGINE *engine);
+ int DH_set_method(DH *dh, const DH_METHOD *meth);
 
  DH *DH_new_method(ENGINE *engine);
 
- DH_METHOD *DH_OpenSSL(void);
+ const DH_METHOD *DH_OpenSSL(void);
 
 =head1 DESCRIPTION
 
 A B<DH_METHOD> specifies the functions that OpenSSL uses for Diffie-Hellman
 operations. By modifying the method, alternative implementations
-such as hardware accelerators may be used.
-
-Initially, the default is to use the OpenSSL internal implementation.
-DH_OpenSSL() returns a pointer to that method.
-
-DH_set_default_openssl_method() makes B<meth> the default method for all DH
-structures created later. B<NB:> This is true only whilst the default engine
-for Diffie-Hellman operations remains as "openssl". ENGINEs provide an
-encapsulation for implementations of one or more algorithms, and all the DH
-functions mentioned here operate within the scope of the default
-"openssl" engine.
-
-DH_get_default_openssl_method() returns a pointer to the current default
-method for the "openssl" engine.
-
-DH_set_method() selects B<engine> as the engine that will be responsible for
-all operations using the structure B<dh>. If this function completes successfully,
-then the B<dh> structure will have its own functional reference of B<engine>, so
-the caller should remember to free their own reference to B<engine> when they are
-finished with it. NB: An ENGINE's DH_METHOD can be retrieved (or set) by
-ENGINE_get_DH() or ENGINE_set_DH().
-
-DH_new_method() allocates and initializes a DH structure so that
-B<engine> will be used for the DH operations. If B<engine> is NULL,
-the default engine for Diffie-Hellman opertaions is used.
+such as hardware accelerators may be used. IMPORTANT: See the NOTES section for
+important information about how these DH API functions are affected by the use
+of B<ENGINE> API calls.
+
+Initially, the default DH_METHOD is the OpenSSL internal implementation, as
+returned by DH_OpenSSL().
+
+DH_set_default_method() makes B<meth> the default method for all DH
+structures created later. B<NB>: This is true only whilst no ENGINE has been set
+as a default for DH, so this function is no longer recommended.
+
+DH_get_default_method() returns a pointer to the current default DH_METHOD.
+However, the meaningfulness of this result is dependant on whether the ENGINE
+API is being used, so this function is no longer recommended.
+
+DH_set_method() selects B<meth> to perform all operations using the key B<dh>.
+This will replace the DH_METHOD used by the DH key and if the previous method
+was supplied by an ENGINE, the handle to that ENGINE will be released during the
+change. It is possible to have DH keys that only work with certain DH_METHOD
+implementations (eg. from an ENGINE module that supports embedded
+hardware-protected keys), and in such cases attempting to change the DH_METHOD
+for the key can have unexpected results.
+
+DH_new_method() allocates and initializes a DH structure so that B<engine> will
+be used for the DH operations. If B<engine> is NULL, the default ENGINE for DH
+operations is used, and if no default ENGINE is set, the DH_METHOD controlled by
+DH_set_default_method() is used.
 
 =head1 THE DH_METHOD STRUCTURE
 
@@ -82,17 +84,28 @@ the default engine for Diffie-Hellman opertaions is used.
 
 =head1 RETURN VALUES
 
-DH_OpenSSL() and DH_get_default_openssl_method() return pointers to the
-respective B<DH_METHOD>s.
+DH_OpenSSL() and DH_get_default_method() return pointers to the respective
+B<DH_METHOD>s.
+
+DH_set_default_method() returns no value.
+
+DH_set_method() returns non-zero if the provided B<meth> was successfully set as
+the method for B<dh> (including unloading the ENGINE handle if the previous
+method was supplied by an ENGINE).
 
-DH_set_default_openssl_method() returns no value.
+DH_new_method() returns NULL and sets an error code that can be obtained by
+L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise it
+returns a pointer to the newly allocated structure.
 
-DH_set_method() returns non-zero if the ENGINE associated with B<dh>
-was successfully changed to B<engine>.
+=head1 NOTES
 
-DH_new_method() returns NULL and sets an error code that can be
-obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails.
-Otherwise it returns a pointer to the newly allocated structure.
+As of version 0.9.7, DH_METHOD implementations are grouped together with other
+algorithmic APIs (eg. RSA_METHOD, EVP_CIPHER, etc) in B<ENGINE> modules. If a
+default ENGINE is specified for DH functionality using an ENGINE API function,
+that will override any DH defaults set using the DH API (ie.
+DH_set_default_method()). For this reason, the ENGINE API is the recommended way
+to control default implementations for use in DH and other cryptographic
+algorithms.
 
 =head1 SEE ALSO
 
@@ -103,9 +116,14 @@ L<dh(3)|dh(3)>, L<DH_new(3)|DH_new(3)>
 DH_set_default_method(), DH_get_default_method(), DH_set_method(),
 DH_new_method() and DH_OpenSSL() were added in OpenSSL 0.9.4.
 
-DH_set_default_openssl_method() and DH_get_default_openssl_method()
-replaced DH_set_default_method() and DH_get_default_method() respectively,
-and DH_set_method() and DH_new_method() were altered to use B<ENGINE>s
-rather than B<DH_METHOD>s during development of OpenSSL 0.9.6.
+DH_set_default_openssl_method() and DH_get_default_openssl_method() replaced
+DH_set_default_method() and DH_get_default_method() respectively, and
+DH_set_method() and DH_new_method() were altered to use B<ENGINE>s rather than
+B<DH_METHOD>s during development of the engine version of OpenSSL 0.9.6. For
+0.9.7, the handling of defaults in the ENGINE API was restructured so that this
+change was reversed, and behaviour of the other functions resembled more closely
+the previous behaviour. The behaviour of defaults in the ENGINE API now
+transparently overrides the behaviour of defaults in the DH API without
+requiring changing these function prototypes.
 
 =cut
diff --git a/src/lib/libcrypto/doc/DSA_dup_DH.pod b/src/lib/libcrypto/doc/DSA_dup_DH.pod
index 695f99a13b..7f6f0d1115 100644
--- a/src/lib/libcrypto/doc/DSA_dup_DH.pod
+++ b/src/lib/libcrypto/doc/DSA_dup_DH.pod
@@ -8,7 +8,7 @@ DSA_dup_DH - create a DH structure out of DSA structure
 
  #include <openssl/dsa.h>
 
- DH * DSA_dup_DH(DSA *r);
+ DH * DSA_dup_DH(const DSA *r);
 
 =head1 DESCRIPTION
 
diff --git a/src/lib/libcrypto/doc/DSA_new.pod b/src/lib/libcrypto/doc/DSA_new.pod
index 301af912dd..48e9b82a09 100644
--- a/src/lib/libcrypto/doc/DSA_new.pod
+++ b/src/lib/libcrypto/doc/DSA_new.pod
@@ -14,7 +14,8 @@ DSA_new, DSA_free - allocate and free DSA objects
 
 =head1 DESCRIPTION
 
-DSA_new() allocates and initializes a B<DSA> structure.
+DSA_new() allocates and initializes a B<DSA> structure. It is equivalent to
+calling DSA_new_method(NULL).
 
 DSA_free() frees the B<DSA> structure and its components. The values are
 erased before the memory is returned to the system.
diff --git a/src/lib/libcrypto/doc/DSA_set_method.pod b/src/lib/libcrypto/doc/DSA_set_method.pod
index 36a1052d27..bc3cfb1f0a 100644
--- a/src/lib/libcrypto/doc/DSA_set_method.pod
+++ b/src/lib/libcrypto/doc/DSA_set_method.pod
@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-DSA_set_default_openssl_method, DSA_get_default_openssl_method,
+DSA_set_default_method, DSA_get_default_method,
 DSA_set_method, DSA_new_method, DSA_OpenSSL - select DSA method
 
 =head1 SYNOPSIS
@@ -10,11 +10,11 @@ DSA_set_method, DSA_new_method, DSA_OpenSSL - select DSA method
  #include <openssl/dsa.h>
  #include <openssl/engine.h>
 
- void DSA_set_default_openssl_method(DSA_METHOD *meth);
+ void DSA_set_default_method(const DSA_METHOD *meth);
 
- DSA_METHOD *DSA_get_default_openssl_method(void);
+ const DSA_METHOD *DSA_get_default_method(void);
 
- int DSA_set_method(DSA *dsa, ENGINE *engine);
+ int DSA_set_method(DSA *dsa, const DSA_METHOD *meth);
 
  DSA *DSA_new_method(ENGINE *engine);
 
@@ -24,26 +24,35 @@ DSA_set_method, DSA_new_method, DSA_OpenSSL - select DSA method
 
 A B<DSA_METHOD> specifies the functions that OpenSSL uses for DSA
 operations. By modifying the method, alternative implementations
-such as hardware accelerators may be used.
-
-Initially, the default is to use the OpenSSL internal implementation.
-DSA_OpenSSL() returns a pointer to that method.
-
-DSA_set_default_openssl_method() makes B<meth> the default method for
-all DSA structures created later. B<NB:> This is true only whilst the
-default engine for DSA operations remains as "openssl". ENGINEs
-provide an encapsulation for implementations of one or more algorithms at a
-time, and all the DSA functions mentioned here operate within the scope
-of the default "openssl" engine.
-
-DSA_get_default_openssl_method() returns a pointer to the current default
-method for the "openssl" engine.
-
-DSA_set_method() selects B<engine> for all operations using the structure B<dsa>.
-
-DSA_new_method() allocates and initializes a DSA structure so that
-B<engine> will be used for the DSA operations. If B<engine> is NULL,
-the default engine for DSA operations is used.
+such as hardware accelerators may be used. IMPORTANT: See the NOTES section for
+important information about how these DSA API functions are affected by the use
+of B<ENGINE> API calls.
+
+Initially, the default DSA_METHOD is the OpenSSL internal implementation,
+as returned by DSA_OpenSSL().
+
+DSA_set_default_method() makes B<meth> the default method for all DSA
+structures created later. B<NB>: This is true only whilst no ENGINE has
+been set as a default for DSA, so this function is no longer recommended.
+
+DSA_get_default_method() returns a pointer to the current default
+DSA_METHOD. However, the meaningfulness of this result is dependant on
+whether the ENGINE API is being used, so this function is no longer 
+recommended.
+
+DSA_set_method() selects B<meth> to perform all operations using the key
+B<rsa>. This will replace the DSA_METHOD used by the DSA key and if the
+previous method was supplied by an ENGINE, the handle to that ENGINE will
+be released during the change. It is possible to have DSA keys that only
+work with certain DSA_METHOD implementations (eg. from an ENGINE module
+that supports embedded hardware-protected keys), and in such cases
+attempting to change the DSA_METHOD for the key can have unexpected
+results.
+
+DSA_new_method() allocates and initializes a DSA structure so that B<engine>
+will be used for the DSA operations. If B<engine> is NULL, the default engine
+for DSA operations is used, and if no default ENGINE is set, the DSA_METHOD
+controlled by DSA_set_default_method() is used.
 
 =head1 THE DSA_METHOD STRUCTURE
 
@@ -89,18 +98,29 @@ struct
 
 =head1 RETURN VALUES
 
-DSA_OpenSSL() and DSA_get_default_openssl_method() return pointers to the
-respective B<DSA_METHOD>s.
+DSA_OpenSSL() and DSA_get_default_method() return pointers to the respective
+B<DSA_METHOD>s.
 
-DSA_set_default_openssl_method() returns no value.
+DSA_set_default_method() returns no value.
 
-DSA_set_method() returns non-zero if the ENGINE associated with B<dsa>
-was successfully changed to B<engine>.
+DSA_set_method() returns non-zero if the provided B<meth> was successfully set as
+the method for B<dsa> (including unloading the ENGINE handle if the previous
+method was supplied by an ENGINE).
 
 DSA_new_method() returns NULL and sets an error code that can be
 obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation
 fails. Otherwise it returns a pointer to the newly allocated structure.
 
+=head1 NOTES
+
+As of version 0.9.7, DSA_METHOD implementations are grouped together with other
+algorithmic APIs (eg. RSA_METHOD, EVP_CIPHER, etc) in B<ENGINE> modules. If a
+default ENGINE is specified for DSA functionality using an ENGINE API function,
+that will override any DSA defaults set using the DSA API (ie.
+DSA_set_default_method()). For this reason, the ENGINE API is the recommended way
+to control default implementations for use in DSA and other cryptographic
+algorithms.
+
 =head1 SEE ALSO
 
 L<dsa(3)|dsa(3)>, L<DSA_new(3)|DSA_new(3)>
@@ -110,9 +130,14 @@ L<dsa(3)|dsa(3)>, L<DSA_new(3)|DSA_new(3)>
 DSA_set_default_method(), DSA_get_default_method(), DSA_set_method(),
 DSA_new_method() and DSA_OpenSSL() were added in OpenSSL 0.9.4.
 
-DSA_set_default_openssl_method() and DSA_get_default_openssl_method()
-replaced DSA_set_default_method() and DSA_get_default_method() respectively,
-and DSA_set_method() and DSA_new_method() were altered to use B<ENGINE>s
-rather than B<DSA_METHOD>s during development of OpenSSL 0.9.6.
+DSA_set_default_openssl_method() and DSA_get_default_openssl_method() replaced
+DSA_set_default_method() and DSA_get_default_method() respectively, and
+DSA_set_method() and DSA_new_method() were altered to use B<ENGINE>s rather than
+B<DSA_METHOD>s during development of the engine version of OpenSSL 0.9.6. For
+0.9.7, the handling of defaults in the ENGINE API was restructured so that this
+change was reversed, and behaviour of the other functions resembled more closely
+the previous behaviour. The behaviour of defaults in the ENGINE API now
+transparently overrides the behaviour of defaults in the DSA API without
+requiring changing these function prototypes.
 
 =cut
diff --git a/src/lib/libcrypto/doc/DSA_size.pod b/src/lib/libcrypto/doc/DSA_size.pod
index 23b6320a4d..ba4f650361 100644
--- a/src/lib/libcrypto/doc/DSA_size.pod
+++ b/src/lib/libcrypto/doc/DSA_size.pod
@@ -8,7 +8,7 @@ DSA_size - get DSA signature size
 
  #include <openssl/dsa.h>
 
- int DSA_size(DSA *dsa);
+ int DSA_size(const DSA *dsa);
 
 =head1 DESCRIPTION
 
diff --git a/src/lib/libcrypto/doc/EVP_SealInit.pod b/src/lib/libcrypto/doc/EVP_SealInit.pod
index 0451eb648a..25ef07f7c7 100644
--- a/src/lib/libcrypto/doc/EVP_SealInit.pod
+++ b/src/lib/libcrypto/doc/EVP_SealInit.pod
@@ -73,4 +73,6 @@ L<EVP_OpenInit(3)|EVP_OpenInit(3)>
 
 =head1 HISTORY
 
+EVP_SealFinal() did not return a value before OpenSSL 0.9.7.
+
 =cut
diff --git a/src/lib/libcrypto/doc/RAND_set_rand_method.pod b/src/lib/libcrypto/doc/RAND_set_rand_method.pod
index 464eba416d..c9bb6d9f27 100644
--- a/src/lib/libcrypto/doc/RAND_set_rand_method.pod
+++ b/src/lib/libcrypto/doc/RAND_set_rand_method.pod
@@ -8,22 +8,30 @@ RAND_set_rand_method, RAND_get_rand_method, RAND_SSLeay - select RAND method
 
  #include <openssl/rand.h>
 
- void RAND_set_rand_method(RAND_METHOD *meth);
+ void RAND_set_rand_method(const RAND_METHOD *meth);
 
- RAND_METHOD *RAND_get_rand_method(void);
+ const RAND_METHOD *RAND_get_rand_method(void);
 
  RAND_METHOD *RAND_SSLeay(void);
 
 =head1 DESCRIPTION
 
-A B<RAND_METHOD> specifies the functions that OpenSSL uses for random
-number generation. By modifying the method, alternative
-implementations such as hardware RNGs may be used.  Initially, the
-default is to use the OpenSSL internal implementation. RAND_SSLeay()
-returns a pointer to that method.
+A B<RAND_METHOD> specifies the functions that OpenSSL uses for random number
+generation. By modifying the method, alternative implementations such as
+hardware RNGs may be used. IMPORTANT: See the NOTES section for important
+information about how these RAND API functions are affected by the use of
+B<ENGINE> API calls.
 
-RAND_set_rand_method() sets the RAND method to B<meth>.
-RAND_get_rand_method() returns a pointer to the current method.
+Initially, the default RAND_METHOD is the OpenSSL internal implementation, as
+returned by RAND_SSLeay().
+
+RAND_set_default_method() makes B<meth> the method for PRNG use. B<NB>: This is
+true only whilst no ENGINE has been set as a default for RAND, so this function
+is no longer recommended.
+
+RAND_get_default_method() returns a pointer to the current RAND_METHOD.
+However, the meaningfulness of this result is dependant on whether the ENGINE
+API is being used, so this function is no longer recommended.
 
 =head1 THE RAND_METHOD STRUCTURE
 
@@ -47,13 +55,29 @@ Each component may be NULL if the function is not implemented.
 RAND_set_rand_method() returns no value. RAND_get_rand_method() and
 RAND_SSLeay() return pointers to the respective methods.
 
+=head1 NOTES
+
+As of version 0.9.7, RAND_METHOD implementations are grouped together with other
+algorithmic APIs (eg. RSA_METHOD, EVP_CIPHER, etc) in B<ENGINE> modules. If a
+default ENGINE is specified for RAND functionality using an ENGINE API function,
+that will override any RAND defaults set using the RAND API (ie.
+RAND_set_rand_method()). For this reason, the ENGINE API is the recommended way
+to control default implementations for use in RAND and other cryptographic
+algorithms.
+
 =head1 SEE ALSO
 
-L<rand(3)|rand(3)>
+L<rand(3)|rand(3)>, L<engine(3)|engine(3)>
 
 =head1 HISTORY
 
 RAND_set_rand_method(), RAND_get_rand_method() and RAND_SSLeay() are
 available in all versions of OpenSSL.
 
+In the engine version of version 0.9.6, RAND_set_rand_method() was altered to
+take an ENGINE pointer as its argument. As of version 0.9.7, that has been
+reverted as the ENGINE API transparently overrides RAND defaults if used,
+otherwise RAND API functions work as before. RAND_set_rand_engine() was also
+introduced in version 0.9.7.
+
 =cut
diff --git a/src/lib/libcrypto/doc/RSA_new.pod b/src/lib/libcrypto/doc/RSA_new.pod
index 299047f31f..3d15b92824 100644
--- a/src/lib/libcrypto/doc/RSA_new.pod
+++ b/src/lib/libcrypto/doc/RSA_new.pod
@@ -14,7 +14,8 @@ RSA_new, RSA_free - allocate and free RSA objects
 
 =head1 DESCRIPTION
 
-RSA_new() allocates and initializes an B<RSA> structure.
+RSA_new() allocates and initializes an B<RSA> structure. It is equivalent to
+calling RSA_new_method(NULL).
 
 RSA_free() frees the B<RSA> structure and its components. The key is
 erased before the memory is returned to the system.
@@ -30,7 +31,8 @@ RSA_free() returns no value.
 =head1 SEE ALSO
 
 L<ERR_get_error(3)|ERR_get_error(3)>, L<rsa(3)|rsa(3)>,
-L<RSA_generate_key(3)|RSA_generate_key(3)>
+L<RSA_generate_key(3)|RSA_generate_key(3)>,
+L<RSA_new_method(3)|RSA_new_method(3)>
 
 =head1 HISTORY
 
diff --git a/src/lib/libcrypto/doc/RSA_set_method.pod b/src/lib/libcrypto/doc/RSA_set_method.pod
index 14917dd35f..0687c2242a 100644
--- a/src/lib/libcrypto/doc/RSA_set_method.pod
+++ b/src/lib/libcrypto/doc/RSA_set_method.pod
@@ -11,52 +11,64 @@ RSA_null_method, RSA_flags, RSA_new_method - select RSA method
  #include <openssl/rsa.h>
  #include <openssl/engine.h>
 
- void RSA_set_default_openssl_method(RSA_METHOD *meth);
+ void RSA_set_default_method(const RSA_METHOD *meth);
 
- RSA_METHOD *RSA_get_default_openssl_method(void);
+ RSA_METHOD *RSA_get_default_method(void);
 
- int RSA_set_method(RSA *rsa, ENGINE *engine);
+ int RSA_set_method(RSA *rsa, const RSA_METHOD *meth);
 
- RSA_METHOD *RSA_get_method(RSA *rsa);
+ RSA_METHOD *RSA_get_method(const RSA *rsa);
 
  RSA_METHOD *RSA_PKCS1_SSLeay(void);
 
  RSA_METHOD *RSA_null_method(void);
 
- int RSA_flags(RSA *rsa);
+ int RSA_flags(const RSA *rsa);
 
  RSA *RSA_new_method(ENGINE *engine);
 
 =head1 DESCRIPTION
 
 An B<RSA_METHOD> specifies the functions that OpenSSL uses for RSA
-operations. By modifying the method, alternative implementations
-such as hardware accelerators may be used.
-
-Initially, the default is to use the OpenSSL internal implementation.
-RSA_PKCS1_SSLeay() returns a pointer to that method.
-
-RSA_set_default_openssl_method() makes B<meth> the default method for all B<RSA>
-structures created later. B<NB:> This is true only whilst the default engine
-for RSA operations remains as "openssl". ENGINEs provide an
-encapsulation for implementations of one or more algorithms at a time, and all
-the RSA functions mentioned here operate within the scope of the default
-"openssl" engine.
-
-RSA_get_default_openssl_method() returns a pointer to the current default
-method for the "openssl" engine.
-
-RSA_set_method() selects B<engine> for all operations using the key
-B<rsa>.
-
-RSA_get_method() returns a pointer to the RSA_METHOD from the currently
-selected ENGINE for B<rsa>.
-
-RSA_flags() returns the B<flags> that are set for B<rsa>'s current method.
+operations. By modifying the method, alternative implementations such as
+hardware accelerators may be used. IMPORTANT: See the NOTES section for
+important information about how these RSA API functions are affected by the
+use of B<ENGINE> API calls.
+
+Initially, the default RSA_METHOD is the OpenSSL internal implementation,
+as returned by RSA_PKCS1_SSLeay().
+
+RSA_set_default_method() makes B<meth> the default method for all RSA
+structures created later. B<NB>: This is true only whilst no ENGINE has
+been set as a default for RSA, so this function is no longer recommended.
+
+RSA_get_default_method() returns a pointer to the current default
+RSA_METHOD. However, the meaningfulness of this result is dependant on
+whether the ENGINE API is being used, so this function is no longer 
+recommended.
+
+RSA_set_method() selects B<meth> to perform all operations using the key
+B<rsa>. This will replace the RSA_METHOD used by the RSA key and if the
+previous method was supplied by an ENGINE, the handle to that ENGINE will
+be released during the change. It is possible to have RSA keys that only
+work with certain RSA_METHOD implementations (eg. from an ENGINE module
+that supports embedded hardware-protected keys), and in such cases
+attempting to change the RSA_METHOD for the key can have unexpected
+results.
+
+RSA_get_method() returns a pointer to the RSA_METHOD being used by B<rsa>.
+This method may or may not be supplied by an ENGINE implementation, but if
+it is, the return value can only be guaranteed to be valid as long as the
+RSA key itself is valid and does not have its implementation changed by
+RSA_set_method().
+
+RSA_flags() returns the B<flags> that are set for B<rsa>'s current
+RSA_METHOD. See the BUGS section.
 
 RSA_new_method() allocates and initializes an RSA structure so that
-B<engine> will be used for the RSA operations. If B<engine> is NULL,
-the default engine for RSA operations is used.
+B<engine> will be used for the RSA operations. If B<engine> is NULL, the
+default ENGINE for RSA operations is used, and if no default ENGINE is set,
+the RSA_METHOD controlled by RSA_set_default_method() is used.
 
 =head1 THE RSA_METHOD STRUCTURE
 
@@ -121,22 +133,45 @@ the default engine for RSA operations is used.
 
 =head1 RETURN VALUES
 
-RSA_PKCS1_SSLeay(), RSA_PKCS1_null_method(), RSA_get_default_openssl_method()
+RSA_PKCS1_SSLeay(), RSA_PKCS1_null_method(), RSA_get_default_method()
 and RSA_get_method() return pointers to the respective RSA_METHODs.
 
-RSA_set_default_openssl_method() returns no value.
+RSA_set_default_method() returns no value.
 
-RSA_set_method() selects B<engine> as the engine that will be responsible for
-all operations using the structure B<rsa>. If this function completes successfully,
-then the B<rsa> structure will have its own functional reference of B<engine>, so
-the caller should remember to free their own reference to B<engine> when they are
-finished with it. NB: An ENGINE's RSA_METHOD can be retrieved (or set) by
-ENGINE_get_RSA() or ENGINE_set_RSA().
+RSA_set_method() returns a pointer to the old RSA_METHOD implementation
+that was replaced. However, this return value should probably be ignored
+because if it was supplied by an ENGINE, the pointer could be invalidated
+at any time if the ENGINE is unloaded (in fact it could be unloaded as a
+result of the RSA_set_method() function releasing its handle to the
+ENGINE). For this reason, the return type may be replaced with a B<void>
+declaration in a future release.
 
-RSA_new_method() returns NULL and sets an error code that can be
-obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise
+RSA_new_method() returns NULL and sets an error code that can be obtained
+by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise
 it returns a pointer to the newly allocated structure.
 
+=head1 NOTES
+
+As of version 0.9.7, RSA_METHOD implementations are grouped together with
+other algorithmic APIs (eg. DSA_METHOD, EVP_CIPHER, etc) into B<ENGINE>
+modules. If a default ENGINE is specified for RSA functionality using an
+ENGINE API function, that will override any RSA defaults set using the RSA
+API (ie.  RSA_set_default_method()). For this reason, the ENGINE API is the
+recommended way to control default implementations for use in RSA and other
+cryptographic algorithms.
+
+=head1 BUGS
+
+The behaviour of RSA_flags() is a mis-feature that is left as-is for now
+to avoid creating compatibility problems. RSA functionality, such as the
+encryption functions, are controlled by the B<flags> value in the RSA key
+itself, not by the B<flags> value in the RSA_METHOD attached to the RSA key
+(which is what this function returns). If the flags element of an RSA key
+is changed, the changes will be honoured by RSA functionality but will not
+be reflected in the return value of the RSA_flags() function - in effect
+RSA_flags() behaves more like an RSA_default_flags() function (which does
+not currently exist).
+
 =head1 SEE ALSO
 
 L<rsa(3)|rsa(3)>, L<RSA_new(3)|RSA_new(3)>
@@ -149,8 +184,14 @@ well as the rsa_sign and rsa_verify components of RSA_METHOD were
 added in OpenSSL 0.9.4.
 
 RSA_set_default_openssl_method() and RSA_get_default_openssl_method()
-replaced RSA_set_default_method() and RSA_get_default_method() respectively,
-and RSA_set_method() and RSA_new_method() were altered to use B<ENGINE>s
-rather than B<RSA_METHOD>s during development of OpenSSL 0.9.6.
+replaced RSA_set_default_method() and RSA_get_default_method()
+respectively, and RSA_set_method() and RSA_new_method() were altered to use
+B<ENGINE>s rather than B<RSA_METHOD>s during development of the engine
+version of OpenSSL 0.9.6. For 0.9.7, the handling of defaults in the ENGINE
+API was restructured so that this change was reversed, and behaviour of the
+other functions resembled more closely the previous behaviour. The
+behaviour of defaults in the ENGINE API now transparently overrides the
+behaviour of defaults in the RSA API without requiring changing these
+function prototypes.
 
 =cut
diff --git a/src/lib/libcrypto/doc/RSA_size.pod b/src/lib/libcrypto/doc/RSA_size.pod
index b36b4d58d5..5b7f835f95 100644
--- a/src/lib/libcrypto/doc/RSA_size.pod
+++ b/src/lib/libcrypto/doc/RSA_size.pod
@@ -8,7 +8,7 @@ RSA_size - get RSA modulus size
 
  #include <openssl/rsa.h>
 
- int RSA_size(RSA *rsa);
+ int RSA_size(const RSA *rsa);
 
 =head1 DESCRIPTION
 
diff --git a/src/lib/libcrypto/doc/dh.pod b/src/lib/libcrypto/doc/dh.pod
index b4be4be405..c3ccd06207 100644
--- a/src/lib/libcrypto/doc/dh.pod
+++ b/src/lib/libcrypto/doc/dh.pod
@@ -12,20 +12,20 @@ dh - Diffie-Hellman key agreement
  DH *   DH_new(void);
  void   DH_free(DH *dh);
 
- int    DH_size(DH *dh);
+ int    DH_size(const DH *dh);
 
  DH *   DH_generate_parameters(int prime_len, int generator,
                 void (*callback)(int, int, void *), void *cb_arg);
- int    DH_check(DH *dh, int *codes);
+ int    DH_check(const DH *dh, int *codes);
 
  int    DH_generate_key(DH *dh);
  int    DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh);
 
- void DH_set_default_openssl_method(DH_METHOD *meth);
- DH_METHOD *DH_get_default_openssl_method(void);
- int DH_set_method(DH *dh, ENGINE *engine);
+ void DH_set_default_method(const DH_METHOD *meth);
+ const DH_METHOD *DH_get_default_method(void);
+ int DH_set_method(DH *dh, const DH_METHOD *meth);
  DH *DH_new_method(ENGINE *engine);
- DH_METHOD *DH_OpenSSL(void);
+ const DH_METHOD *DH_OpenSSL(void);
 
  int DH_get_ex_new_index(long argl, char *argp, int (*new_func)(),
              int (*dup_func)(), void (*free_func)());
@@ -33,10 +33,10 @@ dh - Diffie-Hellman key agreement
  char *DH_get_ex_data(DH *d, int idx);
 
  DH *   d2i_DHparams(DH **a, unsigned char **pp, long length);
- int    i2d_DHparams(DH *a, unsigned char **pp);
+ int    i2d_DHparams(const DH *a, unsigned char **pp);
 
- int    DHparams_print_fp(FILE *fp, DH *x);
- int    DHparams_print(BIO *bp, DH *x);
+ int    DHparams_print_fp(FILE *fp, const DH *x);
+ int    DHparams_print(BIO *bp, const DH *x);
 
 =head1 DESCRIPTION
 
@@ -57,11 +57,20 @@ The B<DH> structure consists of several BIGNUM components.
         };
  DH
 
+Note that DH keys may use non-standard B<DH_METHOD> implementations,
+either directly or by the use of B<ENGINE> modules. In some cases (eg. an
+ENGINE providing support for hardware-embedded keys), these BIGNUM values
+will not be used by the implementation or may be used for alternative data
+storage. For this reason, applications should generally avoid using DH
+structure elements directly and instead use API functions to query or
+modify keys.
+
 =head1 SEE ALSO
 
 L<dhparam(1)|dhparam(1)>, L<bn(3)|bn(3)>, L<dsa(3)|dsa(3)>, L<err(3)|err(3)>,
-L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<DH_set_method(3)|DH_set_method(3)>,
-L<DH_new(3)|DH_new(3)>, L<DH_get_ex_new_index(3)|DH_get_ex_new_index(3)>,
+L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<engine(3)|engine(3)>,
+L<DH_set_method(3)|DH_set_method(3)>, L<DH_new(3)|DH_new(3)>,
+L<DH_get_ex_new_index(3)|DH_get_ex_new_index(3)>,
 L<DH_generate_parameters(3)|DH_generate_parameters(3)>,
 L<DH_compute_key(3)|DH_compute_key(3)>, L<d2i_DHparams(3)|d2i_DHparams(3)>,
 L<RSA_print(3)|RSA_print(3)> 
diff --git a/src/lib/libcrypto/doc/dsa.pod b/src/lib/libcrypto/doc/dsa.pod
index 573500204b..ae2e5d81f9 100644
--- a/src/lib/libcrypto/doc/dsa.pod
+++ b/src/lib/libcrypto/doc/dsa.pod
@@ -12,13 +12,13 @@ dsa - Digital Signature Algorithm
  DSA *  DSA_new(void);
  void   DSA_free(DSA *dsa);
 
- int    DSA_size(DSA *dsa);
+ int    DSA_size(const DSA *dsa);
 
  DSA *  DSA_generate_parameters(int bits, unsigned char *seed,
                 int seed_len, int *counter_ret, unsigned long *h_ret,
                 void (*callback)(int, int, void *), void *cb_arg);
 
- DH *   DSA_dup_DH(DSA *r);
+ DH *   DSA_dup_DH(const DSA *r);
 
  int    DSA_generate_key(DSA *dsa);
 
@@ -27,13 +27,13 @@ dsa - Digital Signature Algorithm
  int    DSA_sign_setup(DSA *dsa, BN_CTX *ctx, BIGNUM **kinvp,
                 BIGNUM **rp);
  int    DSA_verify(int dummy, const unsigned char *dgst, int len,
-                unsigned char *sigbuf, int siglen, DSA *dsa);
+                const unsigned char *sigbuf, int siglen, DSA *dsa);
 
- void DSA_set_default_openssl_method(DSA_METHOD *meth);
- DSA_METHOD *DSA_get_default_openssl_method(void);
- int DSA_set_method(DSA *dsa, ENGINE *engine);
+ void DSA_set_default_method(const DSA_METHOD *meth);
+ const DSA_METHOD *DSA_get_default_method(void);
+ int DSA_set_method(DSA *dsa, const DSA_METHOD *meth);
  DSA *DSA_new_method(ENGINE *engine);
- DSA_METHOD *DSA_OpenSSL(void);
+ const DSA_METHOD *DSA_OpenSSL(void);
 
  int DSA_get_ex_new_index(long argl, char *argp, int (*new_func)(),
              int (*dup_func)(), void (*free_func)());
@@ -42,7 +42,7 @@ dsa - Digital Signature Algorithm
 
  DSA_SIG *DSA_SIG_new(void);
  void   DSA_SIG_free(DSA_SIG *a);
- int    i2d_DSA_SIG(DSA_SIG *a, unsigned char **pp);
+ int    i2d_DSA_SIG(const DSA_SIG *a, unsigned char **pp);
  DSA_SIG *d2i_DSA_SIG(DSA_SIG **v, unsigned char **pp, long length);
 
  DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
@@ -52,14 +52,14 @@ dsa - Digital Signature Algorithm
  DSA *  d2i_DSAPublicKey(DSA **a, unsigned char **pp, long length);
  DSA *  d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length);
  DSA *  d2i_DSAparams(DSA **a, unsigned char **pp, long length);
- int    i2d_DSAPublicKey(DSA *a, unsigned char **pp);
- int    i2d_DSAPrivateKey(DSA *a, unsigned char **pp);
- int    i2d_DSAparams(DSA *a,unsigned char **pp);
+ int    i2d_DSAPublicKey(const DSA *a, unsigned char **pp);
+ int    i2d_DSAPrivateKey(const DSA *a, unsigned char **pp);
+ int    i2d_DSAparams(const DSA *a,unsigned char **pp);
 
- int    DSAparams_print(BIO *bp, DSA *x);
- int    DSAparams_print_fp(FILE *fp, DSA *x);
- int    DSA_print(BIO *bp, DSA *x, int off);
- int    DSA_print_fp(FILE *bp, DSA *x, int off);
+ int    DSAparams_print(BIO *bp, const DSA *x);
+ int    DSAparams_print_fp(FILE *fp, const DSA *x);
+ int    DSA_print(BIO *bp, const DSA *x, int off);
+ int    DSA_print_fp(FILE *bp, const DSA *x, int off);
 
 =head1 DESCRIPTION
 
@@ -85,6 +85,14 @@ The B<DSA> structure consists of several BIGNUM components.
 
 In public keys, B<priv_key> is NULL.
 
+Note that DSA keys may use non-standard B<DSA_METHOD> implementations,
+either directly or by the use of B<ENGINE> modules. In some cases (eg. an
+ENGINE providing support for hardware-embedded keys), these BIGNUM values
+will not be used by the implementation or may be used for alternative data
+storage. For this reason, applications should generally avoid using DSA
+structure elements directly and instead use API functions to query or
+modify keys.
+
 =head1 CONFORMING TO
 
 US Federal Information Processing Standard FIPS 186 (Digital Signature
diff --git a/src/lib/libcrypto/doc/evp.pod b/src/lib/libcrypto/doc/evp.pod
index edf47dbde6..b3ca14314f 100644
--- a/src/lib/libcrypto/doc/evp.pod
+++ b/src/lib/libcrypto/doc/evp.pod
@@ -24,6 +24,13 @@ functions.  The B<EVP_Digest>I<...> functions provide message digests.
 
 Algorithms are loaded with OpenSSL_add_all_algorithms(3).
 
+All the symmetric algorithms (ciphers) and digests can be replaced by ENGINE
+modules providing alternative implementations. If ENGINE implementations of
+ciphers or digests are registered as defaults, then the various EVP functions
+will automatically use those implementations automatically in preference to
+built in software implementations. For more information, consult the engine(3)
+man page.
+
 =head1 SEE ALSO
 
 L<EVP_DigestInit(3)|EVP_DigestInit(3)>,
@@ -32,6 +39,7 @@ L<EVP_OpenInit(3)|EVP_OpenInit(3)>,
 L<EVP_SealInit(3)|EVP_SealInit(3)>,
 L<EVP_SignInit(3)|EVP_SignInit(3)>,
 L<EVP_VerifyInit(3)|EVP_VerifyInit(3)>,
-L<OpenSSL_add_all_algorithms(3)|OpenSSL_add_all_algorithms(3)>
+L<OpenSSL_add_all_algorithms(3)|OpenSSL_add_all_algorithms(3)>,
+L<engine(3)|engine(3)>
 
 =cut
diff --git a/src/lib/libcrypto/doc/rsa.pod b/src/lib/libcrypto/doc/rsa.pod
index 2b93a12b65..45ac53ffc1 100644
--- a/src/lib/libcrypto/doc/rsa.pod
+++ b/src/lib/libcrypto/doc/rsa.pod
@@ -16,13 +16,17 @@ rsa - RSA public key cryptosystem
     unsigned char *to, RSA *rsa, int padding);
  int RSA_private_decrypt(int flen, unsigned char *from,
     unsigned char *to, RSA *rsa, int padding);
+ int RSA_private_encrypt(int flen, unsigned char *from,
+    unsigned char *to, RSA *rsa,int padding);
+ int RSA_public_decrypt(int flen, unsigned char *from, 
+    unsigned char *to, RSA *rsa,int padding);
 
  int RSA_sign(int type, unsigned char *m, unsigned int m_len,
     unsigned char *sigret, unsigned int *siglen, RSA *rsa);
  int RSA_verify(int type, unsigned char *m, unsigned int m_len,
     unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
 
- int RSA_size(RSA *rsa);
+ int RSA_size(const RSA *rsa);
 
  RSA *RSA_generate_key(int num, unsigned long e,
     void (*callback)(int,int,void *), void *cb_arg);
@@ -32,13 +36,13 @@ rsa - RSA public key cryptosystem
  int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
  void RSA_blinding_off(RSA *rsa);
 
- void RSA_set_default_openssl_method(RSA_METHOD *meth);
- RSA_METHOD *RSA_get_default_openssl_method(void);
- int RSA_set_method(RSA *rsa, ENGINE *engine);
- RSA_METHOD *RSA_get_method(RSA *rsa);
+ void RSA_set_default_method(const RSA_METHOD *meth);
+ const RSA_METHOD *RSA_get_default_method(void);
+ int RSA_set_method(RSA *rsa, const RSA_METHOD *meth);
+ const RSA_METHOD *RSA_get_method(const RSA *rsa);
  RSA_METHOD *RSA_PKCS1_SSLeay(void);
  RSA_METHOD *RSA_null_method(void);
- int RSA_flags(RSA *rsa);
+ int RSA_flags(const RSA *rsa);
  RSA *RSA_new_method(ENGINE *engine);
 
  int RSA_print(BIO *bp, RSA *x, int offset);
@@ -49,11 +53,6 @@ rsa - RSA public key cryptosystem
  int RSA_set_ex_data(RSA *r,int idx,char *arg);
  char *RSA_get_ex_data(RSA *r, int idx);
 
- int RSA_private_encrypt(int flen, unsigned char *from,
-    unsigned char *to, RSA *rsa,int padding);
- int RSA_public_decrypt(int flen, unsigned char *from, 
-    unsigned char *to, RSA *rsa,int padding);
-
  int RSA_sign_ASN1_OCTET_STRING(int dummy, unsigned char *m,
     unsigned int m_len, unsigned char *sigret, unsigned int *siglen,
     RSA *rsa);
@@ -90,6 +89,14 @@ B<p>, B<q>, B<dmp1>, B<dmq1> and B<iqmp> may be B<NULL> in private
 keys, but the RSA operations are much faster when these values are
 available.
 
+Note that RSA keys may use non-standard B<RSA_METHOD> implementations,
+either directly or by the use of B<ENGINE> modules. In some cases (eg. an
+ENGINE providing support for hardware-embedded keys), these BIGNUM values
+will not be used by the implementation or may be used for alternative data
+storage. For this reason, applications should generally avoid using RSA
+structure elements directly and instead use API functions to query or
+modify keys.
+
 =head1 CONFORMING TO
 
 SSL, PKCS #1 v2.0
@@ -101,7 +108,7 @@ RSA was covered by a US patent which expired in September 2000.
 =head1 SEE ALSO
 
 L<rsa(1)|rsa(1)>, L<bn(3)|bn(3)>, L<dsa(3)|dsa(3)>, L<dh(3)|dh(3)>,
-L<rand(3)|rand(3)>, L<RSA_new(3)|RSA_new(3)>,
+L<rand(3)|rand(3)>, L<engine(3)|engine(3)>, L<RSA_new(3)|RSA_new(3)>,
 L<RSA_public_encrypt(3)|RSA_public_encrypt(3)>,
 L<RSA_sign(3)|RSA_sign(3)>, L<RSA_size(3)|RSA_size(3)>,
 L<RSA_generate_key(3)|RSA_generate_key(3)>,
diff --git a/src/lib/libcrypto/engine/hw_4758_cca.c b/src/lib/libcrypto/engine/hw_4758_cca.c
index f404b1a3b8..6d41b9ed2a 100644
--- a/src/lib/libcrypto/engine/hw_4758_cca.c
+++ b/src/lib/libcrypto/engine/hw_4758_cca.c
@@ -953,7 +953,7 @@ static void cca_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad, int idx,
 #ifdef ENGINE_DYNAMIC_SUPPORT 
 static int bind_fn(ENGINE *e, const char *id)
         {
-        if(id && (strcmp(id, engine_cswift_id) != 0))
+        if(id && (strcmp(id, engine_4758_cca_id) != 0))
                 return 0;
         if(!bind_helper(e))
                 return 0;
diff --git a/src/lib/libcrypto/engine/hw_openbsd_dev_crypto.c b/src/lib/libcrypto/engine/hw_openbsd_dev_crypto.c
index f946389b8a..b8aab545db 100644
--- a/src/lib/libcrypto/engine/hw_openbsd_dev_crypto.c
+++ b/src/lib/libcrypto/engine/hw_openbsd_dev_crypto.c
@@ -408,7 +408,7 @@ static int do_digest(int ses,unsigned char *md,const void *data,int len)
     cryp.op=COP_ENCRYPT;/* required to do the MAC rather than check it */
     cryp.len=len;
     cryp.src=(caddr_t)data;
-    cryp.dst=(caddr_t)data; // FIXME!!!
+    cryp.dst=(caddr_t)data; /* FIXME!!! */
     cryp.mac=(caddr_t)md;
 
     if(ioctl(fd, CIOCCRYPT, &cryp) == -1)
@@ -420,7 +420,7 @@ static int do_digest(int ses,unsigned char *md,const void *data,int len)
             dcopy=OPENSSL_malloc(len);
             memcpy(dcopy,data,len);
             cryp.src=dcopy;
-            cryp.dst=cryp.src; // FIXME!!!
+            cryp.dst=cryp.src; /* FIXME!!! */
 
             if(ioctl(fd, CIOCCRYPT, &cryp) == -1)
                 {
@@ -437,7 +437,7 @@ static int do_digest(int ses,unsigned char *md,const void *data,int len)
             return 0;
             }
         }
-    //    printf("done\n");
+    /*    printf("done\n"); */
 
     return 1;
     }
@@ -483,7 +483,7 @@ static int dev_crypto_md5_copy(EVP_MD_CTX *to,const EVP_MD_CTX *from)
     const MD_DATA *from_md=from->md_data;
     MD_DATA *to_md=to->md_data;
 
-    // How do we copy sessions?
+    /* How do we copy sessions? */
     assert(from->digest->flags&EVP_MD_FLAG_ONESHOT);
 
     to_md->data=OPENSSL_malloc(from_md->len);
@@ -530,7 +530,7 @@ static const EVP_MD md5_md=
     NID_md5,
     NID_md5WithRSAEncryption,
     MD5_DIGEST_LENGTH,
-    EVP_MD_FLAG_ONESHOT,        // XXX: set according to device info...
+    EVP_MD_FLAG_ONESHOT,        /* XXX: set according to device info... */
     dev_crypto_md5_init,
     dev_crypto_md5_update,
     dev_crypto_md5_final,
diff --git a/src/lib/libcrypto/engine/hw_ubsec.c b/src/lib/libcrypto/engine/hw_ubsec.c
index 63397f868c..ed8401ec16 100644
--- a/src/lib/libcrypto/engine/hw_ubsec.c
+++ b/src/lib/libcrypto/engine/hw_ubsec.c
@@ -93,7 +93,7 @@ static int ubsec_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa);
 static int ubsec_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 #ifndef OPENSSL_NO_DSA
-#if NOT_USED
+#ifdef NOT_USED
 static int ubsec_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
                 BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
                 BN_CTX *ctx, BN_MONT_CTX *in_mont);
@@ -113,7 +113,7 @@ static int ubsec_dh_compute_key(unsigned char *key,const BIGNUM *pub_key,DH *dh)
 static int ubsec_dh_generate_key(DH *dh);
 #endif
 
-#if NOT_USED
+#ifdef NOT_USED
 static int ubsec_rand_bytes(unsigned char *buf, int num);
 static int ubsec_rand_status(void);
 #endif
@@ -663,7 +663,7 @@ static int ubsec_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 }
 
 #ifndef OPENSSL_NO_DSA
-#if NOT_USED
+#ifdef NOT_USED
 static int ubsec_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
                 BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
                 BN_CTX *ctx, BN_MONT_CTX *in_mont)
@@ -987,7 +987,7 @@ err:
         }
 #endif
 
-#if NOT_USED
+#ifdef NOT_USED
 static int ubsec_rand_bytes(unsigned char * buf,
                             int num)
         {
diff --git a/src/lib/libcrypto/evp/evp_locl.h b/src/lib/libcrypto/evp/evp_locl.h
index 7b088b4848..4d81a3bf4c 100644
--- a/src/lib/libcrypto/evp/evp_locl.h
+++ b/src/lib/libcrypto/evp/evp_locl.h
@@ -124,17 +124,17 @@ const EVP_CIPHER *EVP_##cname##_##mode(void) { return &cname##_##mode; }
 BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \
                   iv_len, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
 
-#define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, block_size, key_len, \
+#define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \
                              iv_len, cbits, flags, init_key, cleanup, \
                              set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def1(cname, cfb##cbits, cfb, CFB, kstruct, nid, block_size, \
+BLOCK_CIPHER_def1(cname, cfb##cbits, cfb, CFB, kstruct, nid, 1, \
                   key_len, iv_len, flags, init_key, cleanup, set_asn1, \
                   get_asn1, ctrl)
 
-#define BLOCK_CIPHER_def_ofb(cname, kstruct, nid, block_size, key_len, \
+#define BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, \
                              iv_len, cbits, flags, init_key, cleanup, \
                              set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def1(cname, ofb##cbits, ofb, OFB, kstruct, nid, block_size, \
+BLOCK_CIPHER_def1(cname, ofb##cbits, ofb, OFB, kstruct, nid, 1, \
                   key_len, iv_len, flags, init_key, cleanup, set_asn1, \
                   get_asn1, ctrl)
 
@@ -149,9 +149,9 @@ BLOCK_CIPHER_def1(cname, ecb, ecb, ECB, kstruct, nid, block_size, key_len, \
                           init_key, cleanup, set_asn1, get_asn1, ctrl) \
 BLOCK_CIPHER_def_cbc(cname, kstruct, nid, block_size, key_len, iv_len, flags, \
                      init_key, cleanup, set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def_cfb(cname, kstruct, nid, block_size, key_len, iv_len, cbits, \
+BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, iv_len, cbits, \
                      flags, init_key, cleanup, set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def_ofb(cname, kstruct, nid, block_size, key_len, iv_len, cbits, \
+BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, iv_len, cbits, \
                      flags, init_key, cleanup, set_asn1, get_asn1, ctrl) \
 BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, iv_len, flags, \
                      init_key, cleanup, set_asn1, get_asn1, ctrl)
diff --git a/src/lib/libcrypto/krb5/Makefile.ssl b/src/lib/libcrypto/krb5/Makefile.ssl
index caf111be8d..7ad0cbb0bc 100644
--- a/src/lib/libcrypto/krb5/Makefile.ssl
+++ b/src/lib/libcrypto/krb5/Makefile.ssl
@@ -45,13 +45,13 @@ lib:	$(LIBOBJ)
         @touch lib
 
 files:
-        perl $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+        $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
 
 links:
-        @sh $(TOP)/util/point.sh Makefile.ssl Makefile
-        $(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
-        $(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
-        $(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+        @sh $(TOP)/util/point.sh Makefile.ssl Makefile ;
+        @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+        @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+        @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
         @for i in $(EXHEADER) ; \
diff --git a/src/lib/libcrypto/mem.c b/src/lib/libcrypto/mem.c
index effec714e8..a7826908e6 100644
--- a/src/lib/libcrypto/mem.c
+++ b/src/lib/libcrypto/mem.c
@@ -303,6 +303,9 @@ void *CRYPTO_realloc(void *str, int num, const char *file, int line)
         {
         void *ret = NULL;
 
+        if (str == NULL)
+                return CRYPTO_malloc(num, file, line);
+
         if (realloc_debug_func != NULL)
                 realloc_debug_func(str, NULL, num, file, line, 0);
         ret = realloc_ex_func(str,num,file,line);
diff --git a/src/lib/libcrypto/objects/obj_dat.c b/src/lib/libcrypto/objects/obj_dat.c
index 02c3719f04..ce779dc1b5 100644
--- a/src/lib/libcrypto/objects/obj_dat.c
+++ b/src/lib/libcrypto/objects/obj_dat.c
@@ -425,7 +425,7 @@ ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name)
         a2d_ASN1_OBJECT(p,i,s,-1);
         
         p=buf;
-        op=d2i_ASN1_OBJECT(NULL,&p,i);
+        op=d2i_ASN1_OBJECT(NULL,&p,j);
         OPENSSL_free(buf);
         return op;
         }
diff --git a/src/lib/libcrypto/ocsp/Makefile.ssl b/src/lib/libcrypto/ocsp/Makefile.ssl
index 44eacbbb13..2be98179ae 100644
--- a/src/lib/libcrypto/ocsp/Makefile.ssl
+++ b/src/lib/libcrypto/ocsp/Makefile.ssl
@@ -47,13 +47,13 @@ lib:	$(LIBOBJ)
         @touch lib
 
 files:
-        perl $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+        $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
 
 links:
-        @sh $(TOP)/util/point.sh Makefile.ssl Makefile
-        $(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
-        $(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
-        $(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+        @sh $(TOP)/util/point.sh Makefile.ssl Makefile ;
+        @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+        @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+        @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
         @for i in $(EXHEADER) ; \
diff --git a/src/lib/libcrypto/pem/pem_lib.c b/src/lib/libcrypto/pem/pem_lib.c
index 18b751a91a..a8db6ffbf5 100644
--- a/src/lib/libcrypto/pem/pem_lib.c
+++ b/src/lib/libcrypto/pem/pem_lib.c
@@ -366,8 +366,11 @@ err:
         memset(iv,0,sizeof(iv));
         memset((char *)&ctx,0,sizeof(ctx));
         memset(buf,0,PEM_BUFSIZE);
-        memset(data,0,(unsigned int)dsize);
-        OPENSSL_free(data);
+        if (data != NULL)
+                {
+                memset(data,0,(unsigned int)dsize);
+                OPENSSL_free(data);
+                }
         return(ret);
         }
 
diff --git a/src/lib/libcrypto/pkcs12/p12_asn.c b/src/lib/libcrypto/pkcs12/p12_asn.c
index c327bdba03..a3739fee1a 100644
--- a/src/lib/libcrypto/pkcs12/p12_asn.c
+++ b/src/lib/libcrypto/pkcs12/p12_asn.c
@@ -83,8 +83,8 @@ ASN1_ADB_TEMPLATE(bag_default) = ASN1_EXP(PKCS12_BAGS, value.other, ASN1_ANY, 0)
 
 ASN1_ADB(PKCS12_BAGS) = {
         ADB_ENTRY(NID_x509Certificate, ASN1_EXP(PKCS12_BAGS, value.x509cert, ASN1_OCTET_STRING, 0)),
-        ADB_ENTRY(NID_x509Certificate, ASN1_EXP(PKCS12_BAGS, value.x509crl, ASN1_OCTET_STRING, 0)),
-        ADB_ENTRY(NID_x509Certificate, ASN1_EXP(PKCS12_BAGS, value.sdsicert, ASN1_IA5STRING, 0)),
+        ADB_ENTRY(NID_x509Crl, ASN1_EXP(PKCS12_BAGS, value.x509crl, ASN1_OCTET_STRING, 0)),
+        ADB_ENTRY(NID_sdsiCertificate, ASN1_EXP(PKCS12_BAGS, value.sdsicert, ASN1_IA5STRING, 0)),
 } ASN1_ADB_END(PKCS12_BAGS, 0, type, 0, &bag_default_tt, NULL);
 
 ASN1_SEQUENCE(PKCS12_BAGS) = {
@@ -98,7 +98,7 @@ ASN1_ADB_TEMPLATE(safebag_default) = ASN1_EXP(PKCS12_SAFEBAG, value.other, ASN1_
 
 ASN1_ADB(PKCS12_SAFEBAG) = {
         ADB_ENTRY(NID_keyBag, ASN1_EXP(PKCS12_SAFEBAG, value.keybag, PKCS8_PRIV_KEY_INFO, 0)),
-        ADB_ENTRY(NID_pkcs8ShroudedKeyBag, ASN1_EXP(PKCS12_SAFEBAG, value.keybag, X509_SIG, 0)),
+        ADB_ENTRY(NID_pkcs8ShroudedKeyBag, ASN1_EXP(PKCS12_SAFEBAG, value.shkeybag, X509_SIG, 0)),
         ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SET_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)),
         ADB_ENTRY(NID_certBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
         ADB_ENTRY(NID_crlBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
diff --git a/src/lib/libcrypto/pkcs7/pk7_lib.c b/src/lib/libcrypto/pkcs7/pk7_lib.c
index c00ed6833a..985b07245c 100644
--- a/src/lib/libcrypto/pkcs7/pk7_lib.c
+++ b/src/lib/libcrypto/pkcs7/pk7_lib.c
@@ -74,6 +74,13 @@ long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg)
                 if (nid == NID_pkcs7_signed)
                         {
                         ret=p7->detached=(int)larg;
+                        if (ret && PKCS7_type_is_data(p7->d.sign->contents))
+                                        {
+                                        ASN1_OCTET_STRING *os;
+                                        os=p7->d.sign->contents->d.data;
+                                        ASN1_OCTET_STRING_free(os);
+                                        p7->d.sign->contents->d.data = NULL;
+                                        }
                         }
                 else
                         {
diff --git a/src/lib/libcrypto/ripemd/rmdtest.c b/src/lib/libcrypto/ripemd/rmdtest.c
index 19e9741db2..be1fb8b1f6 100644
--- a/src/lib/libcrypto/ripemd/rmdtest.c
+++ b/src/lib/libcrypto/ripemd/rmdtest.c
@@ -59,7 +59,6 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
-#include <openssl/ripemd.h>
 
 #ifdef OPENSSL_NO_RIPEMD
 int main(int argc, char *argv[])
@@ -68,6 +67,7 @@ int main(int argc, char *argv[])
     return(0);
 }
 #else
+#include <openssl/ripemd.h>
 #include <openssl/evp.h>
 
 #ifdef CHARSET_EBCDIC
diff --git a/src/lib/libcrypto/util/libeay.num b/src/lib/libcrypto/util/libeay.num
index 512185e257..7e5728495f 100644
--- a/src/lib/libcrypto/util/libeay.num
+++ b/src/lib/libcrypto/util/libeay.num
@@ -2792,3 +2792,4 @@ ASN1_UNIVERSALSTRING_it                 3234	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 ASN1_UNIVERSALSTRING_it                 3234    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 d2i_ASN1_UNIVERSALSTRING                3235    EXIST::FUNCTION:
 EVP_des_ede3_ecb                        3236    EXIST::FUNCTION:DES
+X509_REQ_print_ex                       3237    EXIST::FUNCTION:BIO
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index c75aa0c717..7095440d36 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -331,6 +331,7 @@ DECLARE_STACK_OF(X509_TRUST)
 #define X509_FLAG_NO_EXTENSIONS         (1L << 8)
 #define X509_FLAG_NO_SIGDUMP            (1L << 9)
 #define X509_FLAG_NO_AUX                (1L << 10)
+#define X509_FLAG_NO_ATTRIBUTES         (1L << 11)
 
 /* Flags specific to X509_NAME_print_ex() */    
 
@@ -1015,6 +1016,7 @@ int		X509_print(BIO *bp,X509 *x);
 int             X509_ocspid_print(BIO *bp,X509 *x);
 int             X509_CERT_AUX_print(BIO *bp,X509_CERT_AUX *x, int indent);
 int             X509_CRL_print(BIO *bp,X509_CRL *x);
+int             X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag, unsigned long cflag);
 int             X509_REQ_print(BIO *bp,X509_REQ *req);
 #endif