import of OpenSSL 0.9.8k

63 files changed, 328 insertions, 173 deletions

diff --git a/src/lib/libssl/src/CHANGES b/src/lib/libssl/src/CHANGES
index c888c56c26..04d332e338 100644
--- a/src/lib/libssl/src/CHANGES
+++ b/src/lib/libssl/src/CHANGES
@@ -2,11 +2,51 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 0.9.8i and 0.9.8j  [07 Jan 2009]
+ Changes between 0.9.8j and 0.9.8k  [25 Mar 2009]
 
-  *) Properly check EVP_VerifyFinal() and similar return values
-     (CVE-2008-5077).
-     [Ben Laurie, Bodo Moeller, Google Security Team]
+  *) Don't set val to NULL when freeing up structures, it is freed up by
+     underlying code. If sizeof(void *) > sizeof(long) this can result in
+     zeroing past the valid field. (CVE-2009-0789)
+     [Paolo Ganci <Paolo.Ganci@AdNovum.CH>]
+
+  *) Fix bug where return value of CMS_SignerInfo_verify_content() was not
+     checked correctly. This would allow some invalid signed attributes to
+     appear to verify correctly. (CVE-2009-0591)
+     [Ivan Nestlerode <inestlerode@us.ibm.com>]
+
+  *) Reject UniversalString and BMPString types with invalid lengths. This
+     prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
+     a legal length. (CVE-2009-0590)
+     [Steve Henson]
+
+  *) Set S/MIME signing as the default purpose rather than setting it 
+     unconditionally. This allows applications to override it at the store
+     level.
+     [Steve Henson]
+
+  *) Permit restricted recursion of ASN1 strings. This is needed in practice
+     to handle some structures.
+     [Steve Henson]
+
+  *) Improve efficiency of mem_gets: don't search whole buffer each time
+     for a '\n'
+     [Jeremy Shapiro <jnshapir@us.ibm.com>]
+
+  *) New -hex option for openssl rand.
+     [Matthieu Herrb]
+
+  *) Print out UTF8String and NumericString when parsing ASN1.
+     [Steve Henson]
+
+  *) Support NumericString type for name components.
+     [Steve Henson]
+
+  *) Allow CC in the environment to override the automatically chosen
+     compiler. Note that nothing is done to ensure flags work with the
+     chosen compiler.
+     [Ben Laurie]
+
+ Changes between 0.9.8i and 0.9.8j  [07 Jan 2009]
 
   *) Properly check EVP_VerifyFinal() and similar return values
      (CVE-2008-5077).
diff --git a/src/lib/libssl/src/Configure b/src/lib/libssl/src/Configure
index 09b58f2113..c6dbfae482 100644
--- a/src/lib/libssl/src/Configure
+++ b/src/lib/libssl/src/Configure
@@ -101,6 +101,11 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
 # SHA512_ASM    sha512_block is implemented in assembler
 # AES_ASM       ASE_[en|de]crypt is implemented in assembler
 
+# Minimum warning options... any contributions to OpenSSL should at least get
+# past these. 
+
+my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED";
+
 my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL";
 
 # MD2_CHAR slags pentium pros
@@ -154,15 +159,15 @@ my %table=(
 "debug-ben",    "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::bn86-elf.o co86-elf.o",
 "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
 "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
-"debug-ben-debug",      "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::::",
+"debug-ben-debug",      "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG  -DDEBUG_SAFESTACK -g3 -O2 -pipe::(unknown)::::::",
 "debug-ben-strict",     "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
 "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-bodo",   "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll",
-"debug-steve64", "gcc:-m64 -DL_ENDIAN -DTERMIO -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -DOPENSSL_NO_DEPRECATED -g -pedantic -Wall -Werror -Wno-long-long -Wsign-compare -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-steve32", "gcc:-m32 -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -DOPENSSL_NO_DEPRECATED -g -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-steve-opt", "gcc:$gcc_devteam_warn -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-steve",  "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -m32 -g -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared",
-"debug-steve-opt",      "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -m32 -O3 -g -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared",
 "debug-steve-linux-pseudo64",   "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT:${no_asm}:dlfcn:linux-shared",
 "debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -948,6 +953,10 @@ print "Configuring for $target\n";
 
 my @fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
 my $cc = $fields[$idx_cc];
+# Allow environment CC to override compiler...
+if($ENV{CC}) {
+    $cc = $ENV{CC};
+}
 my $cflags = $fields[$idx_cflags];
 my $unistd = $fields[$idx_unistd];
 my $thread_cflag = $fields[$idx_thread_cflag];
@@ -1048,7 +1057,6 @@ foreach (sort (keys %disabled))
         print "\n";
         }
 
-
 my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds;
 
 $IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys());
@@ -1443,6 +1451,8 @@ while (<IN>)
                         }
                 }
         $sdirs = 0 unless /\\$/;
+        s/fips // if (/^DIRS=/ && !$fips);
+        s/engines // if (/^DIRS=/ && $disabled{"engine"});
         s/^VERSION=.*/VERSION=$version/;
         s/^MAJOR=.*/MAJOR=$major/;
         s/^MINOR=.*/MINOR=$minor/;
diff --git a/src/lib/libssl/src/FAQ b/src/lib/libssl/src/FAQ
index ce71246fb8..942a671f2c 100644
--- a/src/lib/libssl/src/FAQ
+++ b/src/lib/libssl/src/FAQ
@@ -78,7 +78,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.8j was released on Jan 7th, 2009.
+OpenSSL 0.9.8k was released on Mar 25th, 2009.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
diff --git a/src/lib/libssl/src/MacOS/GetHTTPS.src/ErrorHandling.hpp b/src/lib/libssl/src/MacOS/GetHTTPS.src/ErrorHandling.hpp
index 3036df7ee0..fbfbe786b7 100644
--- a/src/lib/libssl/src/MacOS/GetHTTPS.src/ErrorHandling.hpp
+++ b/src/lib/libssl/src/MacOS/GetHTTPS.src/ErrorHandling.hpp
@@ -29,7 +29,7 @@ OSErr AppendErrorMessageToHandle(Handle inoutHandle);
 
 
 
-//      A bunch of evil macros that would be uneccessary if I were always using C++ !
+//      A bunch of evil macros that would be unnecessary if I were always using C++ !
 
 #define SetErrorMessageAndBailIfNil(theArg,theMessage)                                                          \
 {                                                                                                                                                                       \
diff --git a/src/lib/libssl/src/Makefile b/src/lib/libssl/src/Makefile
index fe0fe16843..57d742e4d4 100644
--- a/src/lib/libssl/src/Makefile
+++ b/src/lib/libssl/src/Makefile
@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=0.9.8j
+VERSION=0.9.8k
 MAJOR=0
 MINOR=9.8
 SHLIB_VERSION_NUMBER=0.9.8
@@ -133,7 +133,7 @@ FIPSCANLIB=
 
 BASEADDR=0xFB00000
 
-DIRS=   crypto fips ssl engines apps test tools
+DIRS=   crypto ssl engines apps test tools
 SHLIBDIRS= crypto ssl
 
 # dirs in crypto to build
@@ -506,6 +506,9 @@ links:
         @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
         @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
         @set -e; target=links; $(RECURSIVE_BUILD_CMD)
+        @if [ -z "$(FIPSCANLIB)" ]; then \
+                set -e; target=links; dir=fips ; $(BUILD_CMD) ; \
+        fi
 
 gentests:
         @(cd test && echo "generating dummy tests (if needed)..." && \
diff --git a/src/lib/libssl/src/Makefile.org b/src/lib/libssl/src/Makefile.org
index 4be7dad7d6..d1b56b2f58 100644
--- a/src/lib/libssl/src/Makefile.org
+++ b/src/lib/libssl/src/Makefile.org
@@ -504,6 +504,9 @@ links:
         @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
         @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
         @set -e; target=links; $(RECURSIVE_BUILD_CMD)
+        @if [ -z "$(FIPSCANLIB)" ]; then \
+                set -e; target=links; dir=fips ; $(BUILD_CMD) ; \
+        fi
 
 gentests:
         @(cd test && echo "generating dummy tests (if needed)..." && \
diff --git a/src/lib/libssl/src/NEWS b/src/lib/libssl/src/NEWS
index 322c3848f2..37156fc593 100644
--- a/src/lib/libssl/src/NEWS
+++ b/src/lib/libssl/src/NEWS
@@ -5,6 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k:
+
+      o Fix various build issues.
+      o Fix security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789)
+
   Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j:
 
       o Fix security issue (CVE-2008-5077)
diff --git a/src/lib/libssl/src/README b/src/lib/libssl/src/README
index b3baac4a36..99a6a7b4bf 100644
--- a/src/lib/libssl/src/README
+++ b/src/lib/libssl/src/README
@@ -1,5 +1,5 @@
 
- OpenSSL 0.9.8j
+ OpenSSL 0.9.8k
 
  Copyright (c) 1998-2008 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/src/lib/libssl/src/apps/apps.c b/src/lib/libssl/src/apps/apps.c
index 367eb177e1..498722a5a2 100644
--- a/src/lib/libssl/src/apps/apps.c
+++ b/src/lib/libssl/src/apps/apps.c
@@ -2428,7 +2428,7 @@ static void readbn(BIGNUM **bn, BIO *bconn)
         int l;
 
         l = BIO_gets(bconn, buf, sizeof buf);
-        assert(l >= 0);
+        assert(l > 0);
         assert(buf[l-1] == '\n');
         buf[l-1] = '\0';
         BN_hex2bn(bn, buf);
diff --git a/src/lib/libssl/src/apps/ca.c b/src/lib/libssl/src/apps/ca.c
index 87f0405f5d..68516ee9bd 100644
--- a/src/lib/libssl/src/apps/ca.c
+++ b/src/lib/libssl/src/apps/ca.c
@@ -83,7 +83,7 @@
 #    else
 #      include <unixlib.h>
 #    endif
-#  elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE)
+#  elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE) && !defined(__TANDEM)
 #    include <sys/file.h>
 #  endif
 #endif
diff --git a/src/lib/libssl/src/apps/enc.c b/src/lib/libssl/src/apps/enc.c
index 47c6eb604d..f4f9a4c4a4 100644
--- a/src/lib/libssl/src/apps/enc.c
+++ b/src/lib/libssl/src/apps/enc.c
@@ -533,7 +533,8 @@ bad:
                         BIO_printf(bio_err,"invalid hex iv value\n");
                         goto end;
                         }
-                if ((hiv == NULL) && (str == NULL))
+                if ((hiv == NULL) && (str == NULL)
+                    && EVP_CIPHER_iv_length(cipher) != 0)
                         {
                         /* No IV was explicitly set and no IV was generated
                          * during EVP_BytesToKey. Hence the IV is undefined,
diff --git a/src/lib/libssl/src/apps/engine.c b/src/lib/libssl/src/apps/engine.c
index 1d0dd9bfbc..17bd81fb79 100644
--- a/src/lib/libssl/src/apps/engine.c
+++ b/src/lib/libssl/src/apps/engine.c
@@ -252,7 +252,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent
                         /* Now decide on the output */
                         if(xpos == 0)
                                 /* Do an indent */
-                                xpos = BIO_printf(bio_out, indent);
+                                xpos = BIO_puts(bio_out, indent);
                         else
                                 /* Otherwise prepend a ", " */
                                 xpos += BIO_printf(bio_out, ", ");
@@ -263,7 +263,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent
                                         (xpos + (int)strlen(name) > line_wrap))
                                         {
                                         BIO_printf(bio_out, "\n");
-                                        xpos = BIO_printf(bio_out, indent);
+                                        xpos = BIO_puts(bio_out, indent);
                                         }
                                 xpos += BIO_printf(bio_out, "%s", name);
                                 }
diff --git a/src/lib/libssl/src/apps/rand.c b/src/lib/libssl/src/apps/rand.c
index c3b26c466d..44a1d46a03 100644
--- a/src/lib/libssl/src/apps/rand.c
+++ b/src/lib/libssl/src/apps/rand.c
@@ -68,7 +68,8 @@
 
 /* -out file         - write to file
  * -rand file:file   - PRNG seed files
- * -base64           - encode output
+ * -base64           - base64 encode output
+ * -hex              - hex encode output
  * num               - write 'num' bytes
  */
 
@@ -84,6 +85,7 @@ int MAIN(int argc, char **argv)
         char *outfile = NULL;
         char *inrand = NULL;
         int base64 = 0;
+        int hex = 0;
         BIO *out = NULL;
         int num = -1;
 #ifndef OPENSSL_NO_ENGINE
@@ -133,6 +135,13 @@ int MAIN(int argc, char **argv)
                         else
                                 badopt = 1;
                         }
+                else if (strcmp(argv[i], "-hex") == 0)
+                        {
+                        if (!hex)
+                                hex = 1;
+                        else
+                                badopt = 1;
+                        }
                 else if (isdigit((unsigned char)argv[i][0]))
                         {
                         if (num < 0)
@@ -148,6 +157,9 @@ int MAIN(int argc, char **argv)
                         badopt = 1;
                 }
 
+        if (hex && base64)
+                badopt = 1;
+
         if (num < 0)
                 badopt = 1;
         
@@ -160,7 +172,8 @@ int MAIN(int argc, char **argv)
                 BIO_printf(bio_err, "-engine e             - use engine e, possibly a hardware device.\n");
 #endif
                 BIO_printf(bio_err, "-rand file%cfile%c... - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
-                BIO_printf(bio_err, "-base64               - encode output\n");
+                BIO_printf(bio_err, "-base64               - base64 encode output\n");
+                BIO_printf(bio_err, "-hex                  - hex encode output\n");
                 goto err;
                 }
 
@@ -210,9 +223,17 @@ int MAIN(int argc, char **argv)
                 r = RAND_bytes(buf, chunk);
                 if (r <= 0)
                         goto err;
-                BIO_write(out, buf, chunk);
+                if (!hex) 
+                        BIO_write(out, buf, chunk);
+                else
+                        {
+                        for (i = 0; i < chunk; i++)
+                                BIO_printf(out, "%02x", buf[i]);
+                        }
                 num -= chunk;
                 }
+        if (hex)
+                BIO_puts(out, "\n");
         (void)BIO_flush(out);
 
         app_RAND_write_file(NULL, bio_err);
diff --git a/src/lib/libssl/src/apps/x509.c b/src/lib/libssl/src/apps/x509.c
index d904d34021..6debce4419 100644
--- a/src/lib/libssl/src/apps/x509.c
+++ b/src/lib/libssl/src/apps/x509.c
@@ -114,7 +114,7 @@ static const char *x509_usage[]={
 " -alias          - output certificate alias\n",
 " -noout          - no certificate output\n",
 " -ocspid         - print OCSP hash values for the subject name and public key\n",
-" -ocspurl        - print OCSP Responder URL(s)\n",
+" -ocsp_uri       - print OCSP Responder URL(s)\n",
 " -trustout       - output a \"trusted\" certificate\n",
 " -clrtrust       - clear all trusted purposes\n",
 " -clrreject      - clear all rejected purposes\n",
diff --git a/src/lib/libssl/src/config b/src/lib/libssl/src/config
index dde9275b76..68e7ea1737 100644
--- a/src/lib/libssl/src/config
+++ b/src/lib/libssl/src/config
@@ -29,7 +29,7 @@ EXE=""
 for i
 do
 case "$i" in 
--d*) PREFIX="debug-";;
+-d) PREFIX="debug-";;
 -t*) TEST="true";;
 -h*) TEST="true"; cat <<EOF
 Usage: config [options]
@@ -399,11 +399,8 @@ exit 0
 # this is where the translation occurs into SSLeay terms
 # ---------------------------------------------------------------------------
 
-# figure out if gcc is available and if so we use it otherwise
-# we fallback to whatever cc does on the system
 GCCVER=`(gcc -dumpversion) 2>/dev/null`
 if [ "$GCCVER" != "" ]; then
-  CC=gcc
   # then strip off whatever prefix egcs prepends the number with...
   # Hopefully, this will work for any future prefixes as well.
   GCCVER=`echo $GCCVER | LC_ALL=C sed 's/^[a-zA-Z]*\-//'`
@@ -412,8 +409,17 @@ if [ "$GCCVER" != "" ]; then
   # major and minor version numbers.
   # peak single digit before and after first dot, e.g. 2.95.1 gives 29
   GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'`
-else
-  CC=cc
+fi
+
+# Only set CC if not supplied already
+if [ -z "$CC" ]; then
+# figure out if gcc is available and if so we use it otherwise
+# we fallback to whatever cc does on the system
+  if [ "$GCCVER" != "" ]; then
+    CC=gcc
+  else
+    CC=cc
+  fi
 fi
 GCCVER=${GCCVER:-0}
 if [ "$SYSTEM" = "HP-UX" ];then
diff --git a/src/lib/libssl/src/crypto/asn1/a_bytes.c b/src/lib/libssl/src/crypto/asn1/a_bytes.c
index 8d13f9c931..92d630cdba 100644
--- a/src/lib/libssl/src/crypto/asn1/a_bytes.c
+++ b/src/lib/libssl/src/crypto/asn1/a_bytes.c
@@ -79,7 +79,7 @@ ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, const unsigned char **pp,
 
         if (tag >= 32)
                 {
-                i=ASN1_R_TAG_VALUE_TOO_HIGH;;
+                i=ASN1_R_TAG_VALUE_TOO_HIGH;
                 goto err;
                 }
         if (!(ASN1_tag2bit(tag) & type))
diff --git a/src/lib/libssl/src/crypto/asn1/asn1.h b/src/lib/libssl/src/crypto/asn1/asn1.h
index 424cd348bb..e3385226d4 100644
--- a/src/lib/libssl/src/crypto/asn1/asn1.h
+++ b/src/lib/libssl/src/crypto/asn1/asn1.h
@@ -612,6 +612,7 @@ typedef struct BIT_STRING_BITNAME_st {
                         B_ASN1_GENERALIZEDTIME
 
 #define B_ASN1_PRINTABLE \
+                        B_ASN1_NUMERICSTRING| \
                         B_ASN1_PRINTABLESTRING| \
                         B_ASN1_T61STRING| \
                         B_ASN1_IA5STRING| \
@@ -1217,6 +1218,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_BAD_OBJECT_HEADER                         102
 #define ASN1_R_BAD_PASSWORD_READ                         103
 #define ASN1_R_BAD_TAG                                   104
+#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH                 210
 #define ASN1_R_BN_LIB                                    105
 #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH                   106
 #define ASN1_R_BUFFER_TOO_SMALL                          107
@@ -1306,6 +1308,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY                  157
 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY          158
 #define ASN1_R_UNEXPECTED_EOC                            159
+#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH           211
 #define ASN1_R_UNKNOWN_FORMAT                            160
 #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM          161
 #define ASN1_R_UNKNOWN_OBJECT_TYPE                       162
diff --git a/src/lib/libssl/src/crypto/asn1/asn1_err.c b/src/lib/libssl/src/crypto/asn1/asn1_err.c
index f8a3e2e6cd..5f5de98eed 100644
--- a/src/lib/libssl/src/crypto/asn1/asn1_err.c
+++ b/src/lib/libssl/src/crypto/asn1/asn1_err.c
@@ -195,6 +195,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER)    ,"bad object header"},
 {ERR_REASON(ASN1_R_BAD_PASSWORD_READ)    ,"bad password read"},
 {ERR_REASON(ASN1_R_BAD_TAG)              ,"bad tag"},
+{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"},
 {ERR_REASON(ASN1_R_BN_LIB)               ,"bn lib"},
 {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"},
 {ERR_REASON(ASN1_R_BUFFER_TOO_SMALL)     ,"buffer too small"},
@@ -284,6 +285,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"},
 {ERR_REASON(ASN1_R_UNEXPECTED_EOC)       ,"unexpected eoc"},
+{ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong length"},
 {ERR_REASON(ASN1_R_UNKNOWN_FORMAT)       ,"unknown format"},
 {ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"},
 {ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE)  ,"unknown object type"},
diff --git a/src/lib/libssl/src/crypto/asn1/asn1_par.c b/src/lib/libssl/src/crypto/asn1/asn1_par.c
index 501b62a4b1..8657f73d66 100644
--- a/src/lib/libssl/src/crypto/asn1/asn1_par.c
+++ b/src/lib/libssl/src/crypto/asn1/asn1_par.c
@@ -213,6 +213,8 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
                                 (tag == V_ASN1_T61STRING) ||
                                 (tag == V_ASN1_IA5STRING) ||
                                 (tag == V_ASN1_VISIBLESTRING) ||
+                                (tag == V_ASN1_NUMERICSTRING) ||
+                                (tag == V_ASN1_UTF8STRING) ||
                                 (tag == V_ASN1_UTCTIME) ||
                                 (tag == V_ASN1_GENERALIZEDTIME))
                                 {
diff --git a/src/lib/libssl/src/crypto/asn1/t_x509.c b/src/lib/libssl/src/crypto/asn1/t_x509.c
index 8b09e5890f..8f746f9c05 100644
--- a/src/lib/libssl/src/crypto/asn1/t_x509.c
+++ b/src/lib/libssl/src/crypto/asn1/t_x509.c
@@ -332,7 +332,7 @@ int X509_signature_print(BIO *bp, X509_ALGOR *sigalg, ASN1_STRING *sig)
 int ASN1_STRING_print(BIO *bp, ASN1_STRING *v)
         {
         int i,n;
-        char buf[80],*p;;
+        char buf[80],*p;
 
         if (v == NULL) return(0);
         n=0;
diff --git a/src/lib/libssl/src/crypto/asn1/tasn_dec.c b/src/lib/libssl/src/crypto/asn1/tasn_dec.c
index ced641698e..48bc1c0d4d 100644
--- a/src/lib/libssl/src/crypto/asn1/tasn_dec.c
+++ b/src/lib/libssl/src/crypto/asn1/tasn_dec.c
@@ -69,7 +69,7 @@ static int asn1_check_eoc(const unsigned char **in, long len);
 static int asn1_find_end(const unsigned char **in, long len, char inf);
 
 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
-                                char inf, int tag, int aclass);
+                        char inf, int tag, int aclass, int depth);
 
 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen);
 
@@ -611,7 +611,6 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
 
         err:
         ASN1_template_free(val, tt);
-        *val = NULL;
         return 0;
         }
 
@@ -758,7 +757,6 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
 
         err:
         ASN1_template_free(val, tt);
-        *val = NULL;
         return 0;
         }
 
@@ -878,7 +876,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
                  * internally irrespective of the type. So instead just check
                  * for UNIVERSAL class and ignore the tag.
                  */
-                if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL))
+                if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0))
                         {
                         free_cont = 1;
                         goto err;
@@ -1012,6 +1010,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
                 case V_ASN1_SET:
                 case V_ASN1_SEQUENCE:
                 default:
+                if (utype == V_ASN1_BMPSTRING && (len & 1))
+                        {
+                        ASN1err(ASN1_F_ASN1_EX_C2I,
+                                        ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
+                        goto err;
+                        }
+                if (utype == V_ASN1_UNIVERSALSTRING && (len & 3))
+                        {
+                        ASN1err(ASN1_F_ASN1_EX_C2I,
+                                        ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
+                        goto err;
+                        }
                 /* All based on ASN1_STRING and handled the same */
                 if (!*pval)
                         {
@@ -1128,8 +1138,18 @@ static int asn1_find_end(const unsigned char **in, long len, char inf)
  * if it is indefinite length.
  */
 
+#ifndef ASN1_MAX_STRING_NEST
+/* This determines how many levels of recursion are permitted in ASN1
+ * string types. If it is not limited stack overflows can occur. If set
+ * to zero no recursion is allowed at all. Although zero should be adequate
+ * examples exist that require a value of 1. So 5 should be more than enough.
+ */
+#define ASN1_MAX_STRING_NEST 5
+#endif
+
+
 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
-                                char inf, int tag, int aclass)
+                        char inf, int tag, int aclass, int depth)
         {
         const unsigned char *p, *q;
         long plen;
@@ -1171,13 +1191,15 @@ static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
                 /* If indefinite length constructed update max length */
                 if (cst)
                         {
-#ifdef OPENSSL_ALLOW_NESTED_ASN1_STRINGS
-                        if (!asn1_collect(buf, &p, plen, ininf, tag, aclass))
+                        if (depth >= ASN1_MAX_STRING_NEST)
+                                {
+                                ASN1err(ASN1_F_ASN1_COLLECT,
+                                        ASN1_R_NESTED_ASN1_STRING);
+                                return 0;
+                                }
+                        if (!asn1_collect(buf, &p, plen, ininf, tag, aclass,
+                                                depth + 1))
                                 return 0;
-#else
-                        ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_NESTED_ASN1_STRING);
-                        return 0;
-#endif
                         }
                 else if (plen && !collect_data(buf, &p, plen))
                         return 0;
diff --git a/src/lib/libssl/src/crypto/bio/bss_mem.c b/src/lib/libssl/src/crypto/bio/bss_mem.c
index a4edb711ae..e7ab9cb3a3 100644
--- a/src/lib/libssl/src/crypto/bio/bss_mem.c
+++ b/src/lib/libssl/src/crypto/bio/bss_mem.c
@@ -284,6 +284,7 @@ static int mem_gets(BIO *bp, char *buf, int size)
 
         BIO_clear_retry_flags(bp);
         j=bm->length;
+        if ((size-1) < j) j=size-1;
         if (j <= 0)
                 {
                 *buf='\0';
@@ -292,17 +293,18 @@ static int mem_gets(BIO *bp, char *buf, int size)
         p=bm->data;
         for (i=0; i<j; i++)
                 {
-                if (p[i] == '\n') break;
-                }
-        if (i == j)
-                {
-                BIO_set_retry_read(bp);
-                /* return(-1);  change the semantics 0.6.6a */ 
+                if (p[i] == '\n')
+                        {
+                        i++;
+                        break;
+                        }
                 }
-        else
-                i++;
-        /* i is the max to copy */
-        if ((size-1) < i) i=size-1;
+
+        /*
+         * i is now the max num of bytes to copy, either j or up to
+         * and including the first newline
+         */ 
+
         i=mem_read(bp,buf,i);
         if (i > 0) buf[i]='\0';
         ret=i;
diff --git a/src/lib/libssl/src/crypto/bio/bss_sock.c b/src/lib/libssl/src/crypto/bio/bss_sock.c
index 472dd75821..30c3ceab46 100644
--- a/src/lib/libssl/src/crypto/bio/bss_sock.c
+++ b/src/lib/libssl/src/crypto/bio/bss_sock.c
@@ -60,6 +60,9 @@
 #include <errno.h>
 #define USE_SOCKETS
 #include "cryptlib.h"
+
+#ifndef OPENSSL_NO_SOCK
+
 #include <openssl/bio.h>
 
 #ifdef WATT32
@@ -300,3 +303,5 @@ int BIO_sock_non_fatal_error(int err)
                 }
         return(0);
         }
+
+#endif  /* #ifndef OPENSSL_NO_SOCK */
diff --git a/src/lib/libssl/src/crypto/bn/bntest.c b/src/lib/libssl/src/crypto/bn/bntest.c
index 310763eca0..cf190380f5 100644
--- a/src/lib/libssl/src/crypto/bn/bntest.c
+++ b/src/lib/libssl/src/crypto/bn/bntest.c
@@ -926,7 +926,7 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx)
                 BN_bntest_rand(b,2+i,0,0); /**/
 
                 if (!BN_mod_exp(d,a,b,c,ctx))
-                        return(00);
+                        return(0);
 
                 if (bp != NULL)
                         {
@@ -1028,7 +1028,7 @@ int test_exp(BIO *bp, BN_CTX *ctx)
                 BN_bntest_rand(b,2+i,0,0); /**/
 
                 if (!BN_exp(d,a,b,ctx))
-                        return(00);
+                        return(0);
 
                 if (bp != NULL)
                         {
diff --git a/src/lib/libssl/src/crypto/crypto-lib.com b/src/lib/libssl/src/crypto/crypto-lib.com
index db9c882fb0..e72af90822 100644
--- a/src/lib/libssl/src/crypto/crypto-lib.com
+++ b/src/lib/libssl/src/crypto/crypto-lib.com
@@ -169,7 +169,7 @@ $ LIB_SHA = "sha_dgst,sha1dgst,sha_one,sha1_one,sha256,sha512"
 $ LIB_MDC2 = "mdc2dgst,mdc2_one"
 $ LIB_HMAC = "hmac"
 $ LIB_RIPEMD = "rmd_dgst,rmd_one"
-$ LIB_DES = "set_key,ecb_enc,cbc_enc,"+ -
+$ LIB_DES = "des_lib,set_key,ecb_enc,cbc_enc,"+ -
         "ecb3_enc,cfb64enc,cfb64ede,cfb_enc,ofb64ede,"+ -
         "enc_read,enc_writ,ofb64enc,"+ -
         "ofb_enc,str2key,pcbc_enc,qud_cksm,rand_key,"+ -
@@ -191,7 +191,7 @@ $ LIB_BN = "bn_add,bn_div,bn_exp,bn_lib,bn_ctx,bn_mul,bn_mod,"+ -
         "bn_print,bn_rand,bn_shift,bn_word,bn_blind,"+ -
         "bn_kron,bn_sqrt,bn_gcd,bn_prime,bn_err,bn_sqr,"+LIB_BN_ASM+","+ -
         "bn_recp,bn_mont,bn_mpi,bn_exp2,bn_gf2m,bn_nist,"+ -
-        "bn_depr,bn_const"
+        "bn_depr,bn_x931p,bn_const,bn_opt"
 $ LIB_EC = "ec_lib,ecp_smpl,ecp_mont,ecp_nist,ec_cvt,ec_mult,"+ -
         "ec_err,ec_curve,ec_check,ec_print,ec_asn1,ec_key,"+ -
         "ec2_smpl,ec2_mult"
@@ -211,7 +211,7 @@ $ LIB_ENGINE = "eng_err,eng_lib,eng_list,eng_init,eng_ctrl,"+ -
         "tb_cipher,tb_digest,"+ -
         "eng_openssl,eng_dyn,eng_cnf,eng_cryptodev,eng_padlock"
 $ LIB_AES = "aes_core,aes_misc,aes_ecb,aes_cbc,aes_cfb,aes_ofb,"+ -
-        "aes_ctr,aes_ige"
+        "aes_ctr,aes_ige,aes_wrap"
 $ LIB_BUFFER = "buffer,buf_str,buf_err"
 $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ -
         "bss_mem,bss_null,bss_fd,"+ -
@@ -246,7 +246,7 @@ $ LIB_ASN1 = "a_object,a_bitstr,a_utctm,a_gentm,a_time,a_int,a_octet,"+ -
 $ LIB_ASN1_2 = "t_req,t_x509,t_x509a,t_crl,t_pkey,t_spki,t_bitst,"+ -
         "tasn_new,tasn_fre,tasn_enc,tasn_dec,tasn_utl,tasn_typ,"+ -
         "f_int,f_string,n_pkey,"+ -
-        "f_enum,a_hdr,x_pkey,a_bool,x_exten,"+ -
+        "f_enum,a_hdr,x_pkey,a_bool,x_exten,asn_mime,"+ -
         "asn1_gen,asn1_par,asn1_lib,asn1_err,a_meth,a_bytes,a_strnid,"+ -
         "evp_asn1,asn_pack,p5_pbe,p5_pbev2,p8_pkey,asn_moid"
 $ LIB_PEM = "pem_sign,pem_seal,pem_info,pem_lib,pem_all,pem_err,"+ -
diff --git a/src/lib/libssl/src/crypto/des/times/usparc.cc b/src/lib/libssl/src/crypto/des/times/usparc.cc
index f6ec8e8831..0864285ef6 100644
--- a/src/lib/libssl/src/crypto/des/times/usparc.cc
+++ b/src/lib/libssl/src/crypto/des/times/usparc.cc
@@ -2,7 +2,7 @@ solaris 2.5.1 usparc 167mhz?? - SC4.0 cc -fast -Xa -xO5
 
 For the ultra sparc, SunC 4.0 cc -fast -Xa -xO5, running 'des_opts'
 gives a speed of 475,000 des/s while 'speed' gives 417,000 des/s.
-I belive the difference is tied up in optimisation that the compiler
+I believe the difference is tied up in optimisation that the compiler
 is able to perform when the code is 'inlined'.  For 'speed', the DES
 routines are being linked from a library.  I'll record the higher
 speed since if performance is everything, you can always inline
diff --git a/src/lib/libssl/src/crypto/evp/enc_min.c b/src/lib/libssl/src/crypto/evp/enc_min.c
index 3cb4626bef..7fba38ee24 100644
--- a/src/lib/libssl/src/crypto/evp/enc_min.c
+++ b/src/lib/libssl/src/crypto/evp/enc_min.c
@@ -199,7 +199,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
                         enc = 1;
                 ctx->encrypt = enc;
                 }
-#ifdef OPENSSL_NO_FIPS
+#ifdef OPENSSL_FIPS
         if(FIPS_selftest_failed())
                 {
                 FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
diff --git a/src/lib/libssl/src/crypto/evp/evp_test.c b/src/lib/libssl/src/crypto/evp/evp_test.c
index bb6f02c2e9..436be20bf1 100644
--- a/src/lib/libssl/src/crypto/evp/evp_test.c
+++ b/src/lib/libssl/src/crypto/evp/evp_test.c
@@ -220,18 +220,18 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
             test1_exit(7);
             }
 
-        if(outl+outl2 != cn)
+        if(outl+outl2 != pn)
             {
             fprintf(stderr,"Plaintext length mismatch got %d expected %d\n",
-                    outl+outl2,cn);
+                    outl+outl2,pn);
             test1_exit(8);
             }
 
-        if(memcmp(out,plaintext,cn))
+        if(memcmp(out,plaintext,pn))
             {
             fprintf(stderr,"Plaintext mismatch\n");
-            hexdump(stderr,"Got",out,cn);
-            hexdump(stderr,"Expected",plaintext,cn);
+            hexdump(stderr,"Got",out,pn);
+            hexdump(stderr,"Expected",plaintext,pn);
             test1_exit(9);
             }
         }
diff --git a/src/lib/libssl/src/crypto/opensslv.h b/src/lib/libssl/src/crypto/opensslv.h
index 09687b5136..c6207f76b2 100644
--- a/src/lib/libssl/src/crypto/opensslv.h
+++ b/src/lib/libssl/src/crypto/opensslv.h
@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER  0x009080afL
+#define OPENSSL_VERSION_NUMBER  0x009080bfL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8j-fips 07 Jan 2009"
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8k-fips 25 Mar 2009"
 #else
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8j 07 Jan 2009"
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8k 25 Mar 2009"
 #endif
 #define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
diff --git a/src/lib/libssl/src/crypto/pem/pem.h b/src/lib/libssl/src/crypto/pem/pem.h
index 6f8e01544b..6c193f1cbf 100644
--- a/src/lib/libssl/src/crypto/pem/pem.h
+++ b/src/lib/libssl/src/crypto/pem/pem.h
@@ -215,7 +215,9 @@ typedef struct pem_ctx_st
 
 #define IMPLEMENT_PEM_read_fp(name, type, str, asn1) /**/
 #define IMPLEMENT_PEM_write_fp(name, type, str, asn1) /**/
+#define IMPLEMENT_PEM_write_fp_const(name, type, str, asn1) /**/
 #define IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) /**/
+#define IMPLEMENT_PEM_write_cb_fp_const(name, type, str, asn1) /**/
 
 #else
 
@@ -355,6 +357,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
 
 #define DECLARE_PEM_read_fp(name, type) /**/
 #define DECLARE_PEM_write_fp(name, type) /**/
+#define DECLARE_PEM_write_fp_const(name, type) /**/
 #define DECLARE_PEM_write_cb_fp(name, type) /**/
 
 #else
@@ -392,6 +395,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
 
 #define DECLARE_PEM_read_bio(name, type) /**/
 #define DECLARE_PEM_write_bio(name, type) /**/
+#define DECLARE_PEM_write_bio_const(name, type) /**/
 #define DECLARE_PEM_write_cb_bio(name, type) /**/
 
 #endif
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_crt.c b/src/lib/libssl/src/crypto/pkcs12/p12_crt.c
index e863de52ce..9522342fa5 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_crt.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_crt.c
@@ -170,6 +170,9 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 
         p12 = PKCS12_add_safes(safes, 0);
 
+        if (!p12)
+                goto err;
+
         sk_PKCS7_pop_free(safes, PKCS7_free);
 
         safes = NULL;
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c b/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c
index c34db1d6fe..fd18ec3d95 100644
--- a/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c
@@ -229,8 +229,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
                                 sk_X509_free(signers);
                                 return 0;
                                 }
-                        X509_STORE_CTX_set_purpose(&cert_ctx,
-                                                X509_PURPOSE_SMIME_SIGN);
+                        X509_STORE_CTX_set_default(&cert_ctx, "smime_sign");
                 } else if(!X509_STORE_CTX_init (&cert_ctx, store, signer, NULL)) {
                         PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB);
                         sk_X509_free(signers);
diff --git a/src/lib/libssl/src/crypto/rand/rand_unix.c b/src/lib/libssl/src/crypto/rand/rand_unix.c
index 6c2be5cb96..71b98ec212 100644
--- a/src/lib/libssl/src/crypto/rand/rand_unix.c
+++ b/src/lib/libssl/src/crypto/rand/rand_unix.c
@@ -232,7 +232,7 @@ int RAND_poll(void)
                                 t.tv_sec = 0;
                                 t.tv_usec = usec;
 
-                                if (FD_SETSIZE > 0 && fd >= FD_SETSIZE)
+                                if (FD_SETSIZE > 0 && (unsigned)fd >= FD_SETSIZE)
                                         {
                                         /* can't use select, so just try to read once anyway */
                                         try_read = 1;
diff --git a/src/lib/libssl/src/crypto/ripemd/README b/src/lib/libssl/src/crypto/ripemd/README
index 7097707264..f1ffc8b134 100644
--- a/src/lib/libssl/src/crypto/ripemd/README
+++ b/src/lib/libssl/src/crypto/ripemd/README
@@ -4,7 +4,7 @@ http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html
 This is my implementation of RIPEMD-160.  The pentium assember is a little
 off the pace since I only get 1050 cycles, while the best is 1013.
 I have a few ideas for how to get another 20 or so cycles, but at
-this point I will not bother right now.  I belive the trick will be
+this point I will not bother right now.  I believe the trick will be
 to remove my 'copy X array onto stack' until inside the RIP1() finctions the
 first time round.  To do this I need another register and will only have one
 temporary one.  A bit tricky....  I can also cleanup the saving of the 5 words
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_x931g.c b/src/lib/libssl/src/crypto/rsa/rsa_x931g.c
index c640cc2ec9..bf94f8be7a 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_x931g.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_x931g.c
@@ -79,9 +79,9 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
                 goto err;
 
         ctx = BN_CTX_new();
-        BN_CTX_start(ctx);
         if (!ctx) 
                 goto err;
+        BN_CTX_start(ctx);
 
         r0 = BN_CTX_get(ctx);
         r1 = BN_CTX_get(ctx);
@@ -190,7 +190,7 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
         if (ctx2)
                 BN_CTX_free(ctx2);
         /* If this is set all calls successful */
-        if (rsa->iqmp != NULL)
+        if (rsa && rsa->iqmp != NULL)
                 return 1;
 
         return 0;
diff --git a/src/lib/libssl/src/crypto/sha/asm/sha1-ia64.pl b/src/lib/libssl/src/crypto/sha/asm/sha1-ia64.pl
index aa18c1089b..51c4f47ecb 100644
--- a/src/lib/libssl/src/crypto/sha/asm/sha1-ia64.pl
+++ b/src/lib/libssl/src/crypto/sha/asm/sha1-ia64.pl
@@ -302,4 +302,5 @@ $code.=<<___;
 stringz "SHA1 block transform for IA64, CRYPTOGAMS by <appro\@openssl.org>"
 ___
 
+$output=shift and open STDOUT,">$output";
 print $code;
diff --git a/src/lib/libssl/src/crypto/symhacks.h b/src/lib/libssl/src/crypto/symhacks.h
index 6cfb5fe479..8728e6124d 100644
--- a/src/lib/libssl/src/crypto/symhacks.h
+++ b/src/lib/libssl/src/crypto/symhacks.h
@@ -62,6 +62,10 @@
    VAX. */
 #ifdef OPENSSL_SYS_VMS
 
+/* Hack a long name in crypto/cryptlib.c */
+#undef int_CRYPTO_set_do_dynlock_callback
+#define int_CRYPTO_set_do_dynlock_callback      int_CRYPTO_set_do_dynlock_cb
+
 /* Hack a long name in crypto/ex_data.c */
 #undef CRYPTO_get_ex_data_implementation
 #define CRYPTO_get_ex_data_implementation       CRYPTO_get_ex_data_impl
diff --git a/src/lib/libssl/src/crypto/ui/ui_lib.c b/src/lib/libssl/src/crypto/ui/ui_lib.c
index 7ab249c3be..ac0100808f 100644
--- a/src/lib/libssl/src/crypto/ui/ui_lib.c
+++ b/src/lib/libssl/src/crypto/ui/ui_lib.c
@@ -90,6 +90,7 @@ UI *UI_new_method(const UI_METHOD *method)
 
         ret->strings=NULL;
         ret->user_data=NULL;
+        ret->flags=0;
         CRYPTO_new_ex_data(CRYPTO_EX_INDEX_UI, ret, &ret->ex_data);
         return ret;
         }
diff --git a/src/lib/libssl/src/crypto/x509/x509_cmp.c b/src/lib/libssl/src/crypto/x509/x509_cmp.c
index e4c682fc44..2faf92514a 100644
--- a/src/lib/libssl/src/crypto/x509/x509_cmp.c
+++ b/src/lib/libssl/src/crypto/x509/x509_cmp.c
@@ -288,7 +288,8 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
                         if (!(nabit & STR_TYPE_CMP) ||
                                 !(nbbit & STR_TYPE_CMP))
                                 return j;
-                        j = asn1_string_memcmp(na->value, nb->value);
+                        if (!asn1_string_memcmp(na->value, nb->value))
+                                j = 0;
                         }
                 else if (na->value->type == V_ASN1_PRINTABLESTRING)
                         j=nocase_spacenorm_cmp(na->value, nb->value);
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_cpols.c b/src/lib/libssl/src/crypto/x509v3/v3_cpols.c
index 95596055ab..ad0506d75c 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_cpols.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_cpols.c
@@ -181,7 +181,11 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
                         pol = POLICYINFO_new();
                         pol->policyid = pobj;
                 }
-                sk_POLICYINFO_push(pols, pol);
+                if (!sk_POLICYINFO_push(pols, pol)){
+                        POLICYINFO_free(pol);
+                        X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
         }
         sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
         return pols;
@@ -447,3 +451,4 @@ void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
                 BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
         }
         
+IMPLEMENT_STACK_OF(X509_POLICY_NODE)
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_utl.c b/src/lib/libssl/src/crypto/x509v3/v3_utl.c
index a4236bbb6d..7a45216c00 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_utl.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_utl.c
@@ -84,7 +84,7 @@ int X509V3_add_value(const char *name, const char *value,
         CONF_VALUE *vtmp = NULL;
         char *tname = NULL, *tvalue = NULL;
         if(name && !(tname = BUF_strdup(name))) goto err;
-        if(value && !(tvalue = BUF_strdup(value))) goto err;;
+        if(value && !(tvalue = BUF_strdup(value))) goto err;
         if(!(vtmp = (CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE)))) goto err;
         if(!*extlist && !(*extlist = sk_CONF_VALUE_new_null())) goto err;
         vtmp->section = NULL;
diff --git a/src/lib/libssl/src/doc/apps/rand.pod b/src/lib/libssl/src/doc/apps/rand.pod
index 75745ca002..d1d213ef43 100644
--- a/src/lib/libssl/src/doc/apps/rand.pod
+++ b/src/lib/libssl/src/doc/apps/rand.pod
@@ -10,6 +10,7 @@ B<openssl rand>
 [B<-out> I<file>]
 [B<-rand> I<file(s)>]
 [B<-base64>]
+[B<-hex>]
 I<num>
 
 =head1 DESCRIPTION
@@ -41,6 +42,10 @@ all others.
 
 Perform base64 encoding on the output.
 
+=item B<-hex>
+
+Show the output as a hex string.
+
 =back
 
 =head1 SEE ALSO
diff --git a/src/lib/libssl/src/doc/apps/x509.pod b/src/lib/libssl/src/doc/apps/x509.pod
index a925da41f1..f43c175235 100644
--- a/src/lib/libssl/src/doc/apps/x509.pod
+++ b/src/lib/libssl/src/doc/apps/x509.pod
@@ -155,7 +155,7 @@ outputs the "hash" of the certificate issuer name.
 
 =item B<-hash>
 
-synonym for "-hash" for backward compatibility reasons.
+synonym for "-subject_hash" for backward compatibility reasons.
 
 =item B<-subject>
 
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod b/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod
index f81f692df5..f62a869a9b 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod
@@ -28,7 +28,7 @@ SSL_CIPHER_get_version() returns the protocol version for B<cipher>, currently
 
 SSL_CIPHER_description() returns a textual description of the cipher used
 into the buffer B<buf> of length B<len> provided. B<len> must be at least
-128 bytes, otherwise a pointer to the the string "Buffer too small" is
+128 bytes, otherwise a pointer to the string "Buffer too small" is
 returned. If B<buf> is NULL, a buffer of 128 bytes is allocated using
 OPENSSL_malloc(). If the allocation fails, a pointer to the string
 "OPENSSL_malloc Error" is returned.
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod
index ca8d81b82c..81566839d3 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod
@@ -28,7 +28,7 @@ specifies the B<verify_callback> function to be used. If no callback function
 shall be specified, the NULL pointer can be used for B<verify_callback>. In
 this case last B<verify_callback> set specifically for this B<ssl> remains. If
 no special B<callback> was set before, the default callback for the underlying
-B<ctx> is used, that was valid at the the time B<ssl> was created with
+B<ctx> is used, that was valid at the time B<ssl> was created with
 L<SSL_new(3)|SSL_new(3)>.
 
 SSL_CTX_set_verify_depth() sets the maximum B<depth> for the certificate chain
diff --git a/src/lib/libssl/src/doc/ssl/SSL_SESSION_free.pod b/src/lib/libssl/src/doc/ssl/SSL_SESSION_free.pod
index 558de01df9..110ec73ab6 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_SESSION_free.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_SESSION_free.pod
@@ -14,7 +14,7 @@ SSL_SESSION_free - free an allocated SSL_SESSION structure
 
 SSL_SESSION_free() decrements the reference count of B<session> and removes
 the B<SSL_SESSION> structure pointed to by B<session> and frees up the allocated
-memory, if the the reference count has reached 0.
+memory, if the reference count has reached 0.
 
 =head1 NOTES
 
diff --git a/src/lib/libssl/src/doc/ssl/SSL_free.pod b/src/lib/libssl/src/doc/ssl/SSL_free.pod
index 2d4f8b6168..13c1abd9ec 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_free.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_free.pod
@@ -14,7 +14,7 @@ SSL_free - free an allocated SSL structure
 
 SSL_free() decrements the reference count of B<ssl>, and removes the SSL
 structure pointed to by B<ssl> and frees up the allocated memory if the
-the reference count has reached 0.
+reference count has reached 0.
 
 =head1 NOTES
 
diff --git a/src/lib/libssl/src/doc/ssleay.txt b/src/lib/libssl/src/doc/ssleay.txt
index c75312911f..a8b04d7059 100644
--- a/src/lib/libssl/src/doc/ssleay.txt
+++ b/src/lib/libssl/src/doc/ssleay.txt
@@ -3800,9 +3800,9 @@ made public on sci.crypt in Sep 1994 (RC4) and Feb 1996 (RC2).  I have
 copies of the origional postings if people are interested.  RSA I believe 
 claim that they were 'trade-secrets' and that some-one broke an NDA in 
 revealing them.  Other claim they reverse engineered the algorithms from 
-compiled binaries.  If the algorithms were reverse engineered, I belive 
+compiled binaries.  If the algorithms were reverse engineered, I believe 
 RSA had no legal leg to stand on.  If an NDA was broken, I don't know.
-Regardless, RSA, I belive, is willing to go to court over the issue so 
+Regardless, RSA, I believe, is willing to go to court over the issue so 
 licencing is probably the best idea, or at least talk to them.
 If there are people who actually know more about this, pease let me know, I 
 don't want to vilify or spread miss-information if I can help it.
diff --git a/src/lib/libssl/src/engines/makeengines.com b/src/lib/libssl/src/engines/makeengines.com
index 4a7474e010..840864f7cf 100644
--- a/src/lib/libssl/src/engines/makeengines.com
+++ b/src/lib/libssl/src/engines/makeengines.com
@@ -34,7 +34,7 @@ $! Set the names of the engines we want to build
 $!
 $ ENGINES = "," + P6
 $ IF ENGINES .EQS. "," THEN -
-        ENGINES = ",4758cca,aep,atalla,cswift,chil,nuron,sureware,ubsec"
+        ENGINES = ",4758cca,aep,atalla,cswift,chil,nuron,sureware,ubsec,capi"
 $!
 $! Set the default TCP/IP library to link against if needed
 $!
@@ -87,6 +87,7 @@ $ ENGINE_chil = "e_chil"
 $ ENGINE_nuron = "e_nuron"
 $ ENGINE_sureware = "e_sureware"
 $ ENGINE_ubsec = "e_ubsec"
+$ ENGINE_capi = "e_capi"
 $!
 $! Define which programs need to be linked with a TCP/IP library
 $!
diff --git a/src/lib/libssl/src/fips/Makefile b/src/lib/libssl/src/fips/Makefile
index d6dcb79a28..e038be8f13 100644
--- a/src/lib/libssl/src/fips/Makefile
+++ b/src/lib/libssl/src/fips/Makefile
@@ -123,7 +123,7 @@ fips_premain_dso$(EXE_EXT): fips_premain.c
                 $(FIPSLIBDIR)fipscanister.o ../libcrypto.a $(EX_LIBS)
 # this is executed only when linking with external fipscanister.o
 fips_standalone_sha1$(EXE_EXT): sha/fips_standalone_sha1.c
-        $(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o
+        $(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o $(EX_LIBS)
 
 subdirs:
         @target=all; $(RECURSIVE_MAKE)
@@ -179,8 +179,15 @@ install:
         chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
         done;
         @target=install; $(RECURSIVE_MAKE)
-        @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \
-                fips_premain.c.sha1 \
+        for i in $(EXE) ; \
+        do \
+                echo "installing $$i"; \
+                cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+                chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+                mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
+        done
+        cp -p -f $(FIPSLIBDIR)fipscanister.o $(FIPSLIBDIR)fipscanister.o.sha1 \
+                $(FIPSLIBDIR)fips_premain.c $(FIPSLIBDIR)fips_premain.c.sha1 \
                 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \
         chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips*
 
diff --git a/src/lib/libssl/src/fips/aes/Makefile b/src/lib/libssl/src/fips/aes/Makefile
index 403525d4c0..7b8b3a26de 100644
--- a/src/lib/libssl/src/fips/aes/Makefile
+++ b/src/lib/libssl/src/fips/aes/Makefile
@@ -22,7 +22,6 @@ CFLAGS= $(INCLUDES) $(CFLAG)
 
 GENERAL=Makefile
 TEST=fips_aesavs.c
-TESTDATA=fips_aes_data
 APPS=
 
 LIB=$(TOP)/libcrypto.a
@@ -50,7 +49,6 @@ files:
 links:
         @$(PERL) $(TOP)/util/mklink.pl $(TOP)/include/openssl $(EXHEADER)
         @$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TEST)
-        @$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TESTDATA)
         @$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS)
 
 install:
diff --git a/src/lib/libssl/src/fips/sha/fips_standalone_sha1.c b/src/lib/libssl/src/fips/sha/fips_standalone_sha1.c
index 058b71a20f..eec65dc39e 100644
--- a/src/lib/libssl/src/fips/sha/fips_standalone_sha1.c
+++ b/src/lib/libssl/src/fips/sha/fips_standalone_sha1.c
@@ -65,7 +65,7 @@ void OPENSSL_cleanse(void *p,size_t len) {}
 static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
                       const char *key)
     {
-    int len=strlen(key);
+    size_t len=strlen(key);
     int i;
     unsigned char keymd[HMAC_MAX_MD_CBLOCK];
     unsigned char pad[HMAC_MAX_MD_CBLOCK];
@@ -139,7 +139,7 @@ int main(int argc,char **argv)
         for( ; ; )
             {
             char buf[1024];
-            int l=fread(buf,1,sizeof buf,f);
+            size_t l=fread(buf,1,sizeof buf,f);
 
             if(l == 0)
                 {
diff --git a/src/lib/libssl/src/ms/do_masm.bat b/src/lib/libssl/src/ms/do_masm.bat
index 8c22256b32..a8575321f9 100644
--- a/src/lib/libssl/src/ms/do_masm.bat
+++ b/src/lib/libssl/src/ms/do_masm.bat
@@ -1,74 +1,70 @@
-@echo off
-
-SET ASMOPTS=-DOPENSSL_IA32_SSE2
-echo Generating x86 for MASM assember
-
-echo Bignum
-cd crypto\bn\asm
-perl bn-586.pl win32 %ASMOPTS% > bn_win32.asm
-perl co-586.pl win32 %ASMOPTS% > co_win32.asm
-perl mo-586.pl win32 %ASMOPTS% > mt_win32.asm
-cd ..\..\..
-
-echo AES
-cd crypto\aes\asm
-perl aes-586.pl win32 %ASMOPTS% > a_win32.asm
-cd ..\..\..
-
-echo DES
-cd crypto\des\asm
-perl des-586.pl win32 %ASMOPTS% > d_win32.asm
-cd ..\..\..
-
-echo "crypt(3)"
-
-cd crypto\des\asm
-perl crypt586.pl win32 %ASMOPTS% > y_win32.asm
-cd ..\..\..
-
-echo Blowfish
-
-cd crypto\bf\asm
-perl bf-586.pl win32 %ASMOPTS% > b_win32.asm
-cd ..\..\..
-
-echo CAST5
-cd crypto\cast\asm
-perl cast-586.pl win32 %ASMOPTS% > c_win32.asm
-cd ..\..\..
-
-echo RC4
-cd crypto\rc4\asm
-perl rc4-586.pl win32 %ASMOPTS% > r4_win32.asm
-cd ..\..\..
-
-echo MD5
-cd crypto\md5\asm
-perl md5-586.pl win32 %ASMOPTS% > m5_win32.asm
-cd ..\..\..
-
-echo SHA1
-cd crypto\sha\asm
-perl sha1-586.pl win32 %ASMOPTS% > s1_win32.asm
-perl sha512-sse2.pl win32 %ASMOPTS% > sha512-sse2.asm
-cd ..\..\..
-
-echo RIPEMD160
-cd crypto\ripemd\asm
-perl rmd-586.pl win32 %ASMOPTS% > rm_win32.asm
-cd ..\..\..
-
-echo RC5\32
-cd crypto\rc5\asm
-perl rc5-586.pl win32 %ASMOPTS% > r5_win32.asm
-cd ..\..\..
-
-echo CPU-ID
-cd crypto
-perl x86cpuid.pl win32 %ASMOPTS% > cpu_win32.asm
-cd ..
-
-echo on
+@SET ASMOPTS=-DOPENSSL_IA32_SSE2
+@echo Generating x86 for MASM assember
+
+@echo Bignum
+@cd crypto\bn\asm
+@perl bn-586.pl win32 %ASMOPTS% > bn_win32.asm
+@perl co-586.pl win32 %ASMOPTS% > co_win32.asm
+@perl mo-586.pl win32 %ASMOPTS% > mt_win32.asm
+@cd ..\..\..
+
+@echo AES
+@cd crypto\aes\asm
+@perl aes-586.pl win32 %ASMOPTS% > a_win32.asm
+@cd ..\..\..
+
+@echo DES
+@cd crypto\des\asm
+@perl des-586.pl win32 %ASMOPTS% > d_win32.asm
+@cd ..\..\..
+
+@echo "crypt(3)"
+
+@cd crypto\des\asm
+@perl crypt586.pl win32 %ASMOPTS% > y_win32.asm
+@cd ..\..\..
+
+@echo Blowfish
+
+@cd crypto\bf\asm
+@perl bf-586.pl win32 %ASMOPTS% > b_win32.asm
+@cd ..\..\..
+
+@echo CAST5
+@cd crypto\cast\asm
+@perl cast-586.pl win32 %ASMOPTS% > c_win32.asm
+@cd ..\..\..
+
+@echo RC4
+@cd crypto\rc4\asm
+@perl rc4-586.pl win32 %ASMOPTS% > r4_win32.asm
+@cd ..\..\..
+
+@echo MD5
+@cd crypto\md5\asm
+@perl md5-586.pl win32 %ASMOPTS% > m5_win32.asm
+@cd ..\..\..
+
+@echo SHA1
+@cd crypto\sha\asm
+@perl sha1-586.pl win32 %ASMOPTS% > s1_win32.asm
+@perl sha512-sse2.pl win32 %ASMOPTS% > sha512-sse2.asm
+@cd ..\..\..
+
+@echo RIPEMD160
+@cd crypto\ripemd\asm
+@perl rmd-586.pl win32 %ASMOPTS% > rm_win32.asm
+@cd ..\..\..
+
+@echo RC5\32
+@cd crypto\rc5\asm
+@perl rc5-586.pl win32 %ASMOPTS% > r5_win32.asm
+@cd ..\..\..
+
+@echo CPU-ID
+@cd crypto
+@perl x86cpuid.pl win32 %ASMOPTS% > cpu_win32.asm
+@cd ..
 
 perl util\mkfiles.pl >MINFO
 perl util\mk1mf.pl VC-WIN32 >ms\nt.mak
diff --git a/src/lib/libssl/src/openssl.spec b/src/lib/libssl/src/openssl.spec
index 6008c3c9c8..329e3925b7 100644
--- a/src/lib/libssl/src/openssl.spec
+++ b/src/lib/libssl/src/openssl.spec
@@ -1,7 +1,7 @@
 %define libmaj 0
 %define libmin 9
 %define librel 8
-%define librev j
+%define librev k
 Release: 1
 
 %define openssldir /var/ssl
diff --git a/src/lib/libssl/src/ssl/kssl.c b/src/lib/libssl/src/ssl/kssl.c
index 6da75e6416..019030ae3c 100644
--- a/src/lib/libssl/src/ssl/kssl.c
+++ b/src/lib/libssl/src/ssl/kssl.c
@@ -946,7 +946,7 @@ kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text)
         if (kssl_err == NULL)  return;
 
         kssl_err->reason = reason;
-        BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, text);
+        BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "%s", text);
         return;
         }
 
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 5fd3520caf..50308487aa 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -173,7 +173,7 @@ int ssl3_connect(SSL *s)
         long num1;
         void (*cb)(const SSL *ssl,int type,int val)=NULL;
         int ret= -1;
-        int new_state,state,skip=0;;
+        int new_state,state,skip=0;
 
         RAND_add(&Time,sizeof(Time),0);
         ERR_clear_error();
diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c
index 0c2aa249b4..52f91cfe60 100644
--- a/src/lib/libssl/src/ssl/ssl_ciph.c
+++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -1355,7 +1355,7 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
         comp->method=cm;
         load_builtin_compressions();
         if (ssl_comp_methods
-                && !sk_SSL_COMP_find(ssl_comp_methods,comp))
+                && sk_SSL_COMP_find(ssl_comp_methods,comp) >= 0)
                 {
                 OPENSSL_free(comp);
                 MemCheck_on();
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 68eee77e6f..893abff1f4 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -510,6 +510,8 @@ void SSL_free(SSL *s)
 
         if (s->ctx) SSL_CTX_free(s->ctx);
 #ifndef OPENSSL_NO_TLSEXT
+        if (s->tlsext_hostname)
+                OPENSSL_free(s->tlsext_hostname);
         if (s->initial_ctx) SSL_CTX_free(s->initial_ctx);
         if (s->tlsext_ocsp_exts)
                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
diff --git a/src/lib/libssl/src/test/Makefile b/src/lib/libssl/src/test/Makefile
index 73d64440b1..228ee368cd 100644
--- a/src/lib/libssl/src/test/Makefile
+++ b/src/lib/libssl/src/test/Makefile
@@ -404,6 +404,8 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
         elif [ -n "$(FIPSCANLIB)" ]; then \
                 FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
                 LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \
+        else \
+                LIBRARIES="$(LIBCRYPTO)"; \
         fi; \
         $(MAKE) -f $(TOP)/Makefile.shared -e \
                 CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
diff --git a/src/lib/libssl/src/test/times b/src/lib/libssl/src/test/times
index 49aeebf216..738d569b8f 100644
--- a/src/lib/libssl/src/test/times
+++ b/src/lib/libssl/src/test/times
@@ -68,7 +68,7 @@ eric (adding numbers to speculation)
 --- Appendix ---
 - The time measured is user time but these number a very rough.
 - Remember this is the cost of both client and server sides of the protocol.
-- The TCP/kernal overhead of connection establishment is normally the
+- The TCP/kernel overhead of connection establishment is normally the
   killer in SSL.  Often delays in the TCP protocol will make session-id
   reuse look slower that new sessions, but this would not be the case on
   a loaded server.
diff --git a/src/lib/libssl/src/util/domd b/src/lib/libssl/src/util/domd
index 691be7a440..560ebeaf82 100644
--- a/src/lib/libssl/src/util/domd
+++ b/src/lib/libssl/src/util/domd
@@ -22,7 +22,7 @@ if [ "$MAKEDEPEND" = "gcc" ]; then
     done
     sed -e '/^# DO NOT DELETE.*/,$d' < Makefile > Makefile.tmp
     echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp
-    gcc -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp
+    ${CC:-gcc} -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp
     ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new
     rm -f Makefile.tmp
 else
diff --git a/src/lib/libssl/src/util/libeay.num b/src/lib/libssl/src/util/libeay.num
index 0eb54ddc89..74eb337227 100644
--- a/src/lib/libssl/src/util/libeay.num
+++ b/src/lib/libssl/src/util/libeay.num
@@ -3667,7 +3667,8 @@ CRYPTO_set_mem_info_functions           4053	EXIST::FUNCTION:
 RSA_X931_generate_key_ex                4054    EXIST::FUNCTION:RSA
 int_ERR_set_state_func                  4055    EXIST:OPENSSL_FIPS:FUNCTION:
 int_EVP_MD_set_engine_callbacks         4056    EXIST:OPENSSL_FIPS:FUNCTION:ENGINE
-int_CRYPTO_set_do_dynlock_callback      4057    EXIST::FUNCTION:
+int_CRYPTO_set_do_dynlock_callback      4057    EXIST:!VMS:FUNCTION:
+int_CRYPTO_set_do_dynlock_cb            4057    EXIST:VMS:FUNCTION:
 FIPS_rng_stick                          4058    EXIST:OPENSSL_FIPS:FUNCTION:
 EVP_CIPHER_CTX_set_flags                4059    EXIST::FUNCTION:
 BN_X931_generate_prime_ex               4060    EXIST::FUNCTION:
diff --git a/src/lib/libssl/src/util/pl/VC-32.pl b/src/lib/libssl/src/util/pl/VC-32.pl
index 730c2083bd..85121c8ed1 100644
--- a/src/lib/libssl/src/util/pl/VC-32.pl
+++ b/src/lib/libssl/src/util/pl/VC-32.pl
@@ -164,7 +164,7 @@ if ($FLAVOR =~ /NT/)
         $ex_libs="unicows.lib $ex_libs";
         }
 # static library stuff
-$mklib='lib';
+$mklib='lib /nologo';
 $ranlib='';
 $plib="";
 $libp=".lib";
@@ -184,7 +184,7 @@ if ($nasm) {
         $asm.=' /Zi' if $debug;
         $afile='/Fo';
 } else {
-        $asm='ml /Cp /coff /c /Cx';
+        $asm='ml /nologo /Cp /coff /c /Cx';
         $asm.=" /Zi" if $debug;
         $afile='/Fo';
 }
@@ -405,7 +405,7 @@ sub do_link_rule
         if ($standalone == 1)
                 {
                 $ret.="  \$(LINK) \$(LFLAGS) $efile$target @<<\n\t";
-                $ret.= "$mwex advapi32.lib " if ($files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild);
+                $ret.= "\$(EX_LIBS) " if ($files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild);
                 $ret.="$files $libs\n<<\n";
                 }
         elsif ($standalone == 2)