78 files changed, 765 insertions, 149 deletions
diff --git a/src/lib/libcrypto/aes/aes_locl.h b/src/lib/libcrypto/aes/aes_locl.h
index 541d1d6e84..18fc2d0747 100644
--- a/src/lib/libcrypto/aes/aes_locl.h
+++ b/src/lib/libcrypto/aes/aes_locl.h
@@ -60,10 +60,7 @@
 #include <stdio.h>
 #include <stdlib.h>
-#if defined(__STDC__) || defined(OPENSSL_SYS_VMS) || defined(M_XENIX) || defined(OPENSSL_SYS_MSDOS)
 #include <string.h>
-#endif
 #ifdef _MSC_VER
 # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
diff --git a/src/lib/libcrypto/asn1/a_strex.c b/src/lib/libcrypto/asn1/a_strex.c
index 128aa7e772..8dab29dca1 100644
--- a/src/lib/libcrypto/asn1/a_strex.c
+++ b/src/lib/libcrypto/asn1/a_strex.c
@@ -77,8 +77,8 @@
 /* Three IO functions for sending data to memory, a BIO and
 * and a FILE pointer.
 */
+#if 0                           /* never used */
-int send_mem_chars(void *arg, const void *buf, int len)
+static int send_mem_chars(void *arg, const void *buf, int len)
 {
        unsigned char **out = arg;
        if(!out) return 1;
@@ -86,15 +86,16 @@ int send_mem_chars(void *arg, const void *buf, int len)
        *out += len;
        return 1;
 }
+#endif
-int send_bio_chars(void *arg, const void *buf, int len)
+static int send_bio_chars(void *arg, const void *buf, int len)
 {
        if(!arg) return 1;
        if(BIO_write(arg, buf, len) != len) return 0;
        return 1;
 }
-int send_fp_chars(void *arg, const void *buf, int len)
+static int send_fp_chars(void *arg, const void *buf, int len)
 {
        if(!arg) return 1;
        if(fwrite(buf, 1, len, arg) != (unsigned int)len) return 0;
@@ -240,7 +241,7 @@ static int do_hex_dump(char_io *io_ch, void *arg, unsigned char *buf, int buflen
 * #01234 format.
 */
-int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
+static int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
 {
        /* Placing the ASN1_STRING in a temp ASN1_TYPE allows
         * the DER encoding to readily obtained
diff --git a/src/lib/libcrypto/asn1/asn1.h b/src/lib/libcrypto/asn1/asn1.h
index 0d1713f8dd..dbb30f4f22 100644
--- a/src/lib/libcrypto/asn1/asn1.h
+++ b/src/lib/libcrypto/asn1/asn1.h
@@ -773,6 +773,7 @@ int 	ASN1_OCTET_STRING_cmp(ASN1_OCTET_STRING *a, ASN1_OCTET_STRING *b);
 int     ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, unsigned char *data, int len);
 DECLARE_ASN1_FUNCTIONS(ASN1_VISIBLESTRING)
+DECLARE_ASN1_FUNCTIONS(ASN1_UNIVERSALSTRING)
 DECLARE_ASN1_FUNCTIONS(ASN1_UTF8STRING)
 DECLARE_ASN1_FUNCTIONS(ASN1_NULL)
 DECLARE_ASN1_FUNCTIONS(ASN1_BMPSTRING)
diff --git a/src/lib/libcrypto/asn1/asn1_lib.c b/src/lib/libcrypto/asn1/asn1_lib.c
index 830ff2af3c..422685a3b4 100644
--- a/src/lib/libcrypto/asn1/asn1_lib.c
+++ b/src/lib/libcrypto/asn1/asn1_lib.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
 static int asn1_get_length(unsigned char **pp,int *inf,long *rl,int max);
 static void asn1_put_length(unsigned char **pp, int length);
@@ -123,15 +124,13 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass,
                (int)(omax+ *pp));
 #endif
-#if 0
+        if (*plength > (omax - (*pp - p)))
-        if ((p+ *plength) > (omax+ *pp))
                {
                ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);
                /* Set this so that even if things are not long enough
                 * the values are set correctly */
                ret|=0x80;
                }
-#endif
        *pp=p;
        return(ret|inf);
 err:
@@ -158,6 +157,8 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
                i= *p&0x7f;
                if (*(p++) & 0x80)
                        {
+                        if (i > sizeof(long))
+                                return 0;
                        if (max-- == 0) return(0);
                        while (i-- > 0)
                                {
@@ -169,6 +170,8 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
                else
                        ret=i;
                }
+        if (ret < 0)
+                return 0;
        *pp=p;
        *rl=ret;
        return(1);
@@ -406,7 +409,7 @@ int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b)
 void asn1_add_error(unsigned char *address, int offset)
        {
-        char buf1[16],buf2[16];
+        char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
        sprintf(buf1,"%lu",(unsigned long)address);
        sprintf(buf2,"%d",offset);
diff --git a/src/lib/libcrypto/asn1/n_pkey.c b/src/lib/libcrypto/asn1/n_pkey.c
index 49f80fffd2..9146ee02c9 100644
--- a/src/lib/libcrypto/asn1/n_pkey.c
+++ b/src/lib/libcrypto/asn1/n_pkey.c
@@ -92,6 +92,8 @@ ASN1_BROKEN_SEQUENCE(NETSCAPE_ENCRYPTED_PKEY) = {
        ASN1_SIMPLE(NETSCAPE_ENCRYPTED_PKEY, enckey, X509_SIG)
 } ASN1_BROKEN_SEQUENCE_END(NETSCAPE_ENCRYPTED_PKEY)
+DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY)
+DECLARE_ASN1_ENCODE_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY,NETSCAPE_ENCRYPTED_PKEY)
 IMPLEMENT_ASN1_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY)
 ASN1_SEQUENCE(NETSCAPE_PKEY) = {
@@ -100,6 +102,8 @@ ASN1_SEQUENCE(NETSCAPE_PKEY) = {
        ASN1_SIMPLE(NETSCAPE_PKEY, private_key, ASN1_OCTET_STRING)
 } ASN1_SEQUENCE_END(NETSCAPE_PKEY)
+DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_PKEY)
+DECLARE_ASN1_ENCODE_FUNCTIONS_const(NETSCAPE_PKEY,NETSCAPE_PKEY)
 IMPLEMENT_ASN1_FUNCTIONS_const(NETSCAPE_PKEY)
 static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
diff --git a/src/lib/libcrypto/asn1/t_pkey.c b/src/lib/libcrypto/asn1/t_pkey.c
index 8060115202..2d46914cb1 100644
--- a/src/lib/libcrypto/asn1/t_pkey.c
+++ b/src/lib/libcrypto/asn1/t_pkey.c
@@ -96,10 +96,34 @@ int RSA_print(BIO *bp, const RSA *x, int off)
        char str[128];
        const char *s;
        unsigned char *m=NULL;
-        int i,ret=0;
+        int ret=0;
+        size_t buf_len=0, i;
-        i=RSA_size(x);
+        if (x->n)
-        m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+                buf_len = (size_t)BN_num_bytes(x->n);
+        if (x->e)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->e)))
+                        buf_len = i;
+        if (x->d)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->d)))
+                        buf_len = i;
+        if (x->p)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->p)))
+                        buf_len = i;
+        if (x->q)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->q)))
+                        buf_len = i;
+        if (x->dmp1)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->dmp1)))
+                        buf_len = i;
+        if (x->dmq1)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->dmq1)))
+                        buf_len = i;
+        if (x->iqmp)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->iqmp)))
+                        buf_len = i;
+        m=(unsigned char *)OPENSSL_malloc(buf_len+10);
        if (m == NULL)
                {
                RSAerr(RSA_F_RSA_PRINT,ERR_R_MALLOC_FAILURE);
@@ -161,22 +185,25 @@ int DSA_print(BIO *bp, const DSA *x, int off)
        {
        char str[128];
        unsigned char *m=NULL;
-        int i,ret=0;
+        int ret=0;
-        BIGNUM *bn=NULL;
+        size_t buf_len=0,i;
-        if (x->p != NULL)
+        if (x->p)
-                bn=x->p;
+                buf_len = (size_t)BN_num_bytes(x->p);
-        else if (x->priv_key != NULL)
+        if (x->q)
-                bn=x->priv_key;
+                if (buf_len < (i = (size_t)BN_num_bytes(x->q)))
-        else if (x->pub_key != NULL)
+                        buf_len = i;
-                bn=x->pub_key;
+        if (x->g)
-                
+                if (buf_len < (i = (size_t)BN_num_bytes(x->g)))
-        /* larger than needed but what the hell :-) */
+                        buf_len = i;
-        if (bn != NULL)
+        if (x->priv_key)
-                i=BN_num_bytes(bn)*2;
+                if (buf_len < (i = (size_t)BN_num_bytes(x->priv_key)))
-        else
+                        buf_len = i;
-                i=256;
+        if (x->pub_key)
-        m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+                if (buf_len < (i = (size_t)BN_num_bytes(x->pub_key)))
+                        buf_len = i;
+        m=(unsigned char *)OPENSSL_malloc(buf_len+10);
        if (m == NULL)
                {
                DSAerr(DSA_F_DSA_PRINT,ERR_R_MALLOC_FAILURE);
@@ -281,10 +308,15 @@ int DHparams_print_fp(FILE *fp, const DH *x)
 int DHparams_print(BIO *bp, const DH *x)
        {
        unsigned char *m=NULL;
-        int reason=ERR_R_BUF_LIB,i,ret=0;
+        int reason=ERR_R_BUF_LIB,ret=0;
+        size_t buf_len=0, i;
-        i=BN_num_bytes(x->p);
+        if (x->p)
-        m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+                buf_len = (size_t)BN_num_bytes(x->p);
+        if (x->g)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->g)))
+                        buf_len = i;
+        m=(unsigned char *)OPENSSL_malloc(buf_len+10);
        if (m == NULL)
                {
                reason=ERR_R_MALLOC_FAILURE;
@@ -334,10 +366,18 @@ int DSAparams_print_fp(FILE *fp, const DSA *x)
 int DSAparams_print(BIO *bp, const DSA *x)
        {
        unsigned char *m=NULL;
-        int reason=ERR_R_BUF_LIB,i,ret=0;
+        int reason=ERR_R_BUF_LIB,ret=0;
+        size_t buf_len=0,i;
-        i=BN_num_bytes(x->p);
+        if (x->p)
-        m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+                buf_len = (size_t)BN_num_bytes(x->p);
+        if (x->q)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->q)))
+                        buf_len = i;
+        if (x->g)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->g)))
+                        buf_len = i;
+        m=(unsigned char *)OPENSSL_malloc(buf_len+10);
        if (m == NULL)
                {
                reason=ERR_R_MALLOC_FAILURE;
diff --git a/src/lib/libcrypto/bio/b_sock.c b/src/lib/libcrypto/bio/b_sock.c
index dcaef68ea7..45bd7c47e8 100644
--- a/src/lib/libcrypto/bio/b_sock.c
+++ b/src/lib/libcrypto/bio/b_sock.c
@@ -484,7 +484,11 @@ int BIO_socket_ioctl(int fd, long type, unsigned long *arg)
        {
        int i;
+#ifdef __DJGPP__
+        i=ioctlsocket(fd,type,(char *)arg);
+#else
        i=ioctlsocket(fd,type,arg);
+#endif /* __DJGPP__ */
        if (i < 0)
                SYSerr(SYS_F_IOCTLSOCKET,get_last_socket_error());
        return(i);
diff --git a/src/lib/libcrypto/bio/bio.h b/src/lib/libcrypto/bio/bio.h
index b122c7069d..c5caf253c9 100644
--- a/src/lib/libcrypto/bio/bio.h
+++ b/src/lib/libcrypto/bio/bio.h
@@ -554,7 +554,9 @@ BIO_METHOD *BIO_s_socket(void);
 BIO_METHOD *BIO_s_connect(void);
 BIO_METHOD *BIO_s_accept(void);
 BIO_METHOD *BIO_s_fd(void);
+#ifndef OPENSSL_SYS_OS2
 BIO_METHOD *BIO_s_log(void);
+#endif
 BIO_METHOD *BIO_s_bio(void);
 BIO_METHOD *BIO_s_null(void);
 BIO_METHOD *BIO_f_null(void);
@@ -647,6 +649,7 @@ void ERR_load_BIO_strings(void);
 #define BIO_F_CONN_CTRL                                  127
 #define BIO_F_CONN_STATE                                 115
 #define BIO_F_FILE_CTRL                                  116
+#define BIO_F_FILE_READ                                  130
 #define BIO_F_LINEBUFFER_CTRL                            129
 #define BIO_F_MEM_READ                                   128
 #define BIO_F_MEM_WRITE                                  117
diff --git a/src/lib/libcrypto/bio/bio_err.c b/src/lib/libcrypto/bio/bio_err.c
index 99ca3cd0da..68a119d895 100644
--- a/src/lib/libcrypto/bio/bio_err.c
+++ b/src/lib/libcrypto/bio/bio_err.c
@@ -91,6 +91,7 @@ static ERR_STRING_DATA BIO_str_functs[]=
 {ERR_PACK(0,BIO_F_CONN_CTRL,0), "CONN_CTRL"},
 {ERR_PACK(0,BIO_F_CONN_STATE,0),        "CONN_STATE"},
 {ERR_PACK(0,BIO_F_FILE_CTRL,0), "FILE_CTRL"},
+{ERR_PACK(0,BIO_F_FILE_READ,0), "FILE_READ"},
 {ERR_PACK(0,BIO_F_LINEBUFFER_CTRL,0),   "LINEBUFFER_CTRL"},
 {ERR_PACK(0,BIO_F_MEM_READ,0),  "MEM_READ"},
 {ERR_PACK(0,BIO_F_MEM_WRITE,0), "MEM_WRITE"},
diff --git a/src/lib/libcrypto/bio/bss_file.c b/src/lib/libcrypto/bio/bss_file.c
index 8b3ff278d9..826b361fa2 100644
--- a/src/lib/libcrypto/bio/bss_file.c
+++ b/src/lib/libcrypto/bio/bss_file.c
@@ -162,6 +162,12 @@ static int MS_CALLBACK file_read(BIO *b, char *out, int outl)
        if (b->init && (out != NULL))
                {
                ret=fread(out,1,(int)outl,(FILE *)b->ptr);
+                if(ret == 0 && ferror((FILE *)b->ptr))
+                        {
+                        SYSerr(SYS_F_FREAD,get_last_sys_error());
+                        BIOerr(BIO_F_FILE_READ,ERR_R_SYS_LIB);
+                        ret=-1;
+                        }
                }
        return(ret);
        }
diff --git a/src/lib/libcrypto/bn/bn_lib.c b/src/lib/libcrypto/bn/bn_lib.c
index a016cb7f53..8abe095af2 100644
--- a/src/lib/libcrypto/bn/bn_lib.c
+++ b/src/lib/libcrypto/bn/bn_lib.c
@@ -397,6 +397,12 @@ BIGNUM *bn_dup_expand(const BIGNUM *b, int words)
        {
        BIGNUM *r = NULL;
+        /* This function does not work if
+         *      words <= b->dmax && top < words
+         * because BN_dup() does not preserve 'dmax'!
+         * (But bn_dup_expand() is not used anywhere yet.)
+         */
+        
        if (words > b->dmax)
                {
                BN_ULONG *a = bn_expand_internal(b, words);
diff --git a/src/lib/libcrypto/bn/bn_mul.c b/src/lib/libcrypto/bn/bn_mul.c
index fd598b8b3d..b03458d002 100644
--- a/src/lib/libcrypto/bn/bn_mul.c
+++ b/src/lib/libcrypto/bn/bn_mul.c
@@ -66,7 +66,7 @@
 #include "cryptlib.h"
 #include "bn_lcl.h"
-#if defined(OPENSSL_NO_ASM) || !(defined(__i386) || defined(__i386__))/* Assembler implementation exists only for x86 */
+#if defined(OPENSSL_NO_ASM) || !(defined(__i386) || defined(__i386__)) || defined(__DJGPP__) /* Assembler implementation exists only for x86 */
 /* Here follows specialised variants of bn_add_words() and
   bn_sub_words().  They have the property performing operations on
   arrays of different sizes.  The sizes of those arrays is expressed through
diff --git a/src/lib/libcrypto/conf/conf.h b/src/lib/libcrypto/conf/conf.h
index 3c03fb19c0..f4671442ab 100644
--- a/src/lib/libcrypto/conf/conf.h
+++ b/src/lib/libcrypto/conf/conf.h
@@ -129,6 +129,7 @@ int CONF_dump_fp(LHASH *conf, FILE *out);
 int CONF_dump_bio(LHASH *conf, BIO *out);
 void OPENSSL_config(const char *config_name);
+void OPENSSL_no_config(void);
 /* New conf code.  The semantics are different from the functions above.
   If that wasn't the case, the above functions would have been replaced */
@@ -141,10 +142,10 @@ struct conf_st
        };
 CONF *NCONF_new(CONF_METHOD *meth);
-CONF_METHOD *NCONF_default();
+CONF_METHOD *NCONF_default(void);
-CONF_METHOD *NCONF_WIN32();
+CONF_METHOD *NCONF_WIN32(void);
 #if 0 /* Just to give you an idea of what I have in mind */
-CONF_METHOD *NCONF_XML();
+CONF_METHOD *NCONF_XML(void);
 #endif
 void NCONF_free(CONF *conf);
 void NCONF_free_data(CONF *conf);
@@ -176,6 +177,7 @@ int CONF_modules_load_file(const char *filename, const char *appname,
                           unsigned long flags);
 void CONF_modules_unload(int all);
 void CONF_modules_finish(void);
+void CONF_modules_free(void);
 int CONF_module_add(const char *name, conf_init_func *ifunc,
                    conf_finish_func *ffunc);
diff --git a/src/lib/libcrypto/conf/conf_def.c b/src/lib/libcrypto/conf/conf_def.c
index 31f2766246..5e194de60e 100644
--- a/src/lib/libcrypto/conf/conf_def.c
+++ b/src/lib/libcrypto/conf/conf_def.c
@@ -67,6 +67,7 @@
 #include "conf_def.h"
 #include <openssl/buffer.h>
 #include <openssl/err.h>
+#include "cryptlib.h"
 static char *eat_ws(CONF *conf, char *p);
 static char *eat_alpha_numeric(CONF *conf, char *p);
@@ -208,12 +209,12 @@ static int def_load(CONF *conf, const char *name, long *line)
 static int def_load_bio(CONF *conf, BIO *in, long *line)
        {
 #define BUFSIZE 512
-        char btmp[16];
        int bufnum=0,i,ii;
        BUF_MEM *buff=NULL;
        char *s,*p,*end;
        int again,n;
        long eline=0;
+        char btmp[DECIMAL_SIZE(eline)+1];
        CONF_VALUE *v=NULL,*tv;
        CONF_VALUE *sv=NULL;
        char *section=NULL,*buf;
diff --git a/src/lib/libcrypto/conf/conf_lib.c b/src/lib/libcrypto/conf/conf_lib.c
index 7998f34c7b..6a3cf109dd 100644
--- a/src/lib/libcrypto/conf/conf_lib.c
+++ b/src/lib/libcrypto/conf/conf_lib.c
@@ -382,8 +382,9 @@ int NCONF_dump_bio(const CONF *conf, BIO *out)
        return conf->meth->dump(conf, out);
        }
 /* This function should be avoided */
-#undef NCONF_get_number
+#if 0
 long NCONF_get_number(CONF *conf,char *group,char *name)
        {
        int status;
@@ -397,4 +398,4 @@ long NCONF_get_number(CONF *conf,char *group,char *name)
                }
        return ret;
        }
+#endif
diff --git a/src/lib/libcrypto/conf/conf_mod.c b/src/lib/libcrypto/conf/conf_mod.c
index f92babc2e2..edcc08921c 100644
--- a/src/lib/libcrypto/conf/conf_mod.c
+++ b/src/lib/libcrypto/conf/conf_mod.c
@@ -230,7 +230,7 @@ static int module_run(const CONF *cnf, char *name, char *value,
                {
                if (!(flags & CONF_MFLAGS_SILENT))
                        {
-                        char rcode[10];
+                        char rcode[DECIMAL_SIZE(ret)+1];
                        CONFerr(CONF_F_CONF_MODULES_LOAD, CONF_R_MODULE_INITIALIZATION_ERROR);
                        sprintf(rcode, "%-8d", ret);
                        ERR_add_error_data(6, "module=", name, ", value=", value, ", retcode=", rcode);
diff --git a/src/lib/libcrypto/cryptlib.c b/src/lib/libcrypto/cryptlib.c
index 612b3b93b4..d301b376f7 100644
--- a/src/lib/libcrypto/cryptlib.c
+++ b/src/lib/libcrypto/cryptlib.c
@@ -492,3 +492,11 @@ BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
 #endif
 #endif
+void OpenSSLDie(const char *file,int line,const char *assertion)
+    {
+    fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n",
+            file,line,assertion);
+    abort();
+    }
diff --git a/src/lib/libcrypto/cryptlib.h b/src/lib/libcrypto/cryptlib.h
index a0489e57fc..985a6d377c 100644
--- a/src/lib/libcrypto/cryptlib.h
+++ b/src/lib/libcrypto/cryptlib.h
@@ -89,6 +89,14 @@ extern "C" {
 #define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
 #define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
+/* size of string represenations */
+#define DECIMAL_SIZE(type)     ((sizeof(type)*8+2)/3+1)
+#define HEX_SIZE(type)         ((sizeof(type)*2)
+/* die if we have to */
+void OpenSSLDie(const char *file,int line,const char *assertion);
+#define die(e)  ((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
 #ifdef  __cplusplus
 }
 #endif
diff --git a/src/lib/libcrypto/doc/DH_get_ex_new_index.pod b/src/lib/libcrypto/doc/DH_get_ex_new_index.pod
index 82e2548bcd..fa5eab2650 100644
--- a/src/lib/libcrypto/doc/DH_get_ex_new_index.pod
+++ b/src/lib/libcrypto/doc/DH_get_ex_new_index.pod
@@ -26,7 +26,7 @@ as described in L<RSA_get_ex_new_index(3)>.
 =head1 SEE ALSO
-L<RSA_get_ex_new_index()|RSA_get_ex_new_index()>, L<dh(3)|dh(3)>
+L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>, L<dh(3)|dh(3)>
 =head1 HISTORY
diff --git a/src/lib/libcrypto/doc/EVP_DigestInit.pod b/src/lib/libcrypto/doc/EVP_DigestInit.pod
index b3a61f1c5d..5901c39526 100644
--- a/src/lib/libcrypto/doc/EVP_DigestInit.pod
+++ b/src/lib/libcrypto/doc/EVP_DigestInit.pod
@@ -238,14 +238,19 @@ even though they are identical digests.
 L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
 L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<digest(1)|digest(1)>
+L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
 =head1 HISTORY
 EVP_DigestInit(), EVP_DigestUpdate() and EVP_DigestFinal() are
 available in all versions of SSLeay and OpenSSL.
-EVP_DigestInit_ex(), EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex()
+EVP_MD_CTX_init(), EVP_MD_CTX_create(), EVP_MD_CTX_copy_ex(),
-were added in OpenSSL 0.9.7.
+EVP_MD_CTX_cleanup(), EVP_MD_CTX_destroy(), EVP_DigestInit_ex()
+and EVP_DigestFinal_ex() were added in OpenSSL 0.9.7.
+EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(),
+EVP_dss(), EVP_dss1(), EVP_mdc2() and EVP_ripemd160() were
+changed to return truely const EVP_MD * in OpenSSL 0.9.7.
 =cut
diff --git a/src/lib/libcrypto/doc/EVP_EncryptInit.pod b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
index 371b6a2287..75cceb1ca2 100644
--- a/src/lib/libcrypto/doc/EVP_EncryptInit.pod
+++ b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
@@ -501,4 +501,9 @@ L<evp(3)|evp(3)>
 =head1 HISTORY
+EVP_CIPHER_CTX_init(), EVP_EncryptInit_ex(), EVP_EncryptFinal_ex(),
+EVP_DecryptInit_ex(), EVP_DecryptFinal_ex(), EVP_CipherInit_ex(),
+EVP_CipherFinal_ex() and EVP_CIPHER_CTX_set_padding() appeared in
+OpenSSL 0.9.7.
 =cut
diff --git a/src/lib/libcrypto/doc/EVP_SignInit.pod b/src/lib/libcrypto/doc/EVP_SignInit.pod
index 32e9d54809..b203c3a1c5 100644
--- a/src/lib/libcrypto/doc/EVP_SignInit.pod
+++ b/src/lib/libcrypto/doc/EVP_SignInit.pod
@@ -84,13 +84,13 @@ L<EVP_VerifyInit(3)|EVP_VerifyInit(3)>,
 L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
 L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
 L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<digest(1)|digest(1)>
+L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
 =head1 HISTORY
 EVP_SignInit(), EVP_SignUpdate() and EVP_SignFinal() are
 available in all versions of SSLeay and OpenSSL.
-EVP_SignInit_ex() was added in OpenSSL 0.9.7
+EVP_SignInit_ex() was added in OpenSSL 0.9.7.
 =cut
diff --git a/src/lib/libcrypto/doc/EVP_VerifyInit.pod b/src/lib/libcrypto/doc/EVP_VerifyInit.pod
index 80c656fde8..b6afaedee5 100644
--- a/src/lib/libcrypto/doc/EVP_VerifyInit.pod
+++ b/src/lib/libcrypto/doc/EVP_VerifyInit.pod
@@ -74,7 +74,7 @@ L<EVP_SignInit(3)|EVP_SignInit(3)>,
 L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
 L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
 L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<digest(1)|digest(1)>
+L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
 =head1 HISTORY
diff --git a/src/lib/libcrypto/doc/RSA_check_key.pod b/src/lib/libcrypto/doc/RSA_check_key.pod
index 79fed753ad..3d824a07f5 100644
--- a/src/lib/libcrypto/doc/RSA_check_key.pod
+++ b/src/lib/libcrypto/doc/RSA_check_key.pod
@@ -18,7 +18,9 @@ in fact prime, and that B<n = p*q>.
 It also checks that B<d*e = 1 mod (p-1*q-1)>,
 and that B<dmp1>, B<dmq1> and B<iqmp> are set correctly or are B<NULL>.
-The key's public components may not be B<NULL>.
+As such, this function can not be used with any arbitrary RSA key object,
+even if it is otherwise fit for regular RSA operation. See B<NOTES> for more
+information.
 =head1 RETURN VALUE
@@ -28,12 +30,38 @@ RSA_check_key() returns 1 if B<rsa> is a valid RSA key, and 0 otherwise.
 If the key is invalid or an error occurred, the reason code can be
 obtained using L<ERR_get_error(3)|ERR_get_error(3)>.
+=head1 NOTES
+This function does not work on RSA public keys that have only the modulus
+and public exponent elements populated. It performs integrity checks on all
+the RSA key material, so the RSA key structure must contain all the private
+key data too.
+Unlike most other RSA functions, this function does B<not> work
+transparently with any underlying ENGINE implementation because it uses the
+key data in the RSA structure directly. An ENGINE implementation can
+override the way key data is stored and handled, and can even provide
+support for HSM keys - in which case the RSA structure may contain B<no>
+key data at all! If the ENGINE in question is only being used for
+acceleration or analysis purposes, then in all likelihood the RSA key data
+is complete and untouched, but this can't be assumed in the general case.
+=head1 BUGS
+A method of verifying the RSA key using opaque RSA API functions might need
+to be considered. Right now RSA_check_key() simply uses the RSA structure
+elements directly, bypassing the RSA_METHOD table altogether (and
+completely violating encapsulation and object-orientation in the process).
+The best fix will probably be to introduce a "check_key()" handler to the
+RSA_METHOD function table so that alternative implementations can also
+provide their own verifiers.
 =head1 SEE ALSO
 L<rsa(3)|rsa(3)>, L<err(3)|err(3)>
 =head1 HISTORY
-RSA_check() appeared in OpenSSL 0.9.4.
+RSA_check_key() appeared in OpenSSL 0.9.4.
 =cut
diff --git a/src/lib/libcrypto/doc/rsa.pod b/src/lib/libcrypto/doc/rsa.pod
index 09ad30cab1..2b93a12b65 100644
--- a/src/lib/libcrypto/doc/rsa.pod
+++ b/src/lib/libcrypto/doc/rsa.pod
@@ -110,7 +110,7 @@ L<RSA_blinding_on(3)|RSA_blinding_on(3)>,
 L<RSA_set_method(3)|RSA_set_method(3)>, L<RSA_print(3)|RSA_print(3)>,
 L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
 L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>,
-L<RSA_sign_ASN_OCTET_STRING(3)|RSA_sign_ASN_OCTET_STRING(3)>,
+L<RSA_sign_ASN1_OCTET_STRING(3)|RSA_sign_ASN1_OCTET_STRING(3)>,
 L<RSA_padding_add_PKCS1_type_1(3)|RSA_padding_add_PKCS1_type_1(3)> 
 =cut
diff --git a/src/lib/libcrypto/engine/eng_cnf.c b/src/lib/libcrypto/engine/eng_cnf.c
index 8c0ae8a1ad..cdf670901a 100644
--- a/src/lib/libcrypto/engine/eng_cnf.c
+++ b/src/lib/libcrypto/engine/eng_cnf.c
@@ -92,7 +92,7 @@ static int int_engine_init(ENGINE *e)
        }
        
-int int_engine_configure(char *name, char *value, const CONF *cnf)
+static int int_engine_configure(char *name, char *value, const CONF *cnf)
        {
        int i;
        int ret = 0;
diff --git a/src/lib/libcrypto/engine/eng_dyn.c b/src/lib/libcrypto/engine/eng_dyn.c
index 4fefcc0cae..4139a16e76 100644
--- a/src/lib/libcrypto/engine/eng_dyn.c
+++ b/src/lib/libcrypto/engine/eng_dyn.c
@@ -157,6 +157,10 @@ static void dynamic_data_ctx_free_func(void *parent, void *ptr,
                dynamic_data_ctx *ctx = (dynamic_data_ctx *)ptr;
                if(ctx->dynamic_dso)
                        DSO_free(ctx->dynamic_dso);
+                if(ctx->DYNAMIC_LIBNAME)
+                        OPENSSL_free((void*)ctx->DYNAMIC_LIBNAME);
+                if(ctx->engine_id)
+                        OPENSSL_free((void*)ctx->engine_id);
                OPENSSL_free(ctx);
                }
        }
@@ -169,7 +173,7 @@ static int dynamic_set_data_ctx(ENGINE *e, dynamic_data_ctx **ctx)
        {
        dynamic_data_ctx *c;
        c = OPENSSL_malloc(sizeof(dynamic_data_ctx));
-        if(!ctx)
+        if(!c)
                {
                ENGINEerr(ENGINE_F_SET_DATA_CTX,ERR_R_MALLOC_FAILURE);
                return 0;
@@ -310,8 +314,13 @@ static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
                /* a NULL 'p' or a string of zero-length is the same thing */
                if(p && (strlen((const char *)p) < 1))
                        p = NULL;
-                ctx->DYNAMIC_LIBNAME = (const char *)p;
+                if(ctx->DYNAMIC_LIBNAME)
-                return 1;
+                        OPENSSL_free((void*)ctx->DYNAMIC_LIBNAME);
+                if(p)
+                        ctx->DYNAMIC_LIBNAME = BUF_strdup(p);
+                else
+                        ctx->DYNAMIC_LIBNAME = NULL;
+                return (ctx->DYNAMIC_LIBNAME ? 1 : 0);
        case DYNAMIC_CMD_NO_VCHECK:
                ctx->no_vcheck = ((i == 0) ? 0 : 1);
                return 1;
@@ -319,8 +328,13 @@ static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
                /* a NULL 'p' or a string of zero-length is the same thing */
                if(p && (strlen((const char *)p) < 1))
                        p = NULL;
-                ctx->engine_id = (const char *)p;
+                if(ctx->engine_id)
-                return 1;
+                        OPENSSL_free((void*)ctx->engine_id);
+                if(p)
+                        ctx->engine_id = BUF_strdup(p);
+                else
+                        ctx->engine_id = NULL;
+                return (ctx->engine_id ? 1 : 0);
        case DYNAMIC_CMD_LIST_ADD:
                if((i < 0) || (i > 2))
                        {
diff --git a/src/lib/libcrypto/engine/eng_fat.c b/src/lib/libcrypto/engine/eng_fat.c
index d49aa7ed40..f7edb5ad32 100644
--- a/src/lib/libcrypto/engine/eng_fat.c
+++ b/src/lib/libcrypto/engine/eng_fat.c
@@ -84,7 +84,7 @@ int ENGINE_set_default(ENGINE *e, unsigned int flags)
 /* Set default algorithms using a string */
-int int_def_cb(const char *alg, int len, void *arg)
+static int int_def_cb(const char *alg, int len, void *arg)
        {
        unsigned int *pflags = arg;
        if (!strncmp(alg, "ALL", len))
diff --git a/src/lib/libcrypto/err/err.c b/src/lib/libcrypto/err/err.c
index 04773d65a6..5abe44e6d5 100644
--- a/src/lib/libcrypto/err/err.c
+++ b/src/lib/libcrypto/err/err.c
@@ -166,6 +166,7 @@ static ERR_STRING_DATA ERR_str_functs[]=
        {ERR_PACK(0,SYS_F_WSASTARTUP,0),        "WSAstartup"},
 #endif
        {ERR_PACK(0,SYS_F_OPENDIR,0),           "opendir"},
+        {ERR_PACK(0,SYS_F_FREAD,0),             "fread"},
        {0,NULL},
        };
diff --git a/src/lib/libcrypto/err/err.h b/src/lib/libcrypto/err/err.h
index cc9bb649ea..988ef81aa0 100644
--- a/src/lib/libcrypto/err/err.h
+++ b/src/lib/libcrypto/err/err.h
@@ -182,6 +182,7 @@ typedef struct err_state_st
 #define SYS_F_ACCEPT            8
 #define SYS_F_WSASTARTUP        9 /* Winsock stuff */
 #define SYS_F_OPENDIR           10
+#define SYS_F_FREAD             11
 /* reasons */
diff --git a/src/lib/libcrypto/evp/c_all.c b/src/lib/libcrypto/evp/c_all.c
index 5ffd352ea0..2d3e57c4fa 100644
--- a/src/lib/libcrypto/evp/c_all.c
+++ b/src/lib/libcrypto/evp/c_all.c
@@ -60,12 +60,14 @@
 #include "cryptlib.h"
 #include <openssl/evp.h>
+#if 0
 #undef OpenSSL_add_all_algorithms
 void OpenSSL_add_all_algorithms(void)
        {
        OPENSSL_add_all_algorithms_noconf();
        }
+#endif
 void OPENSSL_add_all_algorithms_noconf(void)
        {
diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h
index fb16de6852..45a25f968d 100644
--- a/src/lib/libcrypto/evp/evp.h
+++ b/src/lib/libcrypto/evp/evp.h
@@ -74,6 +74,48 @@
 #ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
+#ifndef OPENSSL_NO_MD2
+#include <openssl/md2.h>
+#endif
+#ifndef OPENSSL_NO_MD4
+#include <openssl/md4.h>
+#endif
+#ifndef OPENSSL_NO_MD5
+#include <openssl/md5.h>
+#endif
+#ifndef OPENSSL_NO_SHA
+#include <openssl/sha.h>
+#endif
+#ifndef OPENSSL_NO_RIPEMD
+#include <openssl/ripemd.h>
+#endif
+#ifndef OPENSSL_NO_DES
+#include <openssl/des.h>
+#endif
+#ifndef OPENSSL_NO_RC4
+#include <openssl/rc4.h>
+#endif
+#ifndef OPENSSL_NO_RC2
+#include <openssl/rc2.h>
+#endif
+#ifndef OPENSSL_NO_RC5
+#include <openssl/rc5.h>
+#endif
+#ifndef OPENSSL_NO_BF
+#include <openssl/blowfish.h>
+#endif
+#ifndef OPENSSL_NO_CAST
+#include <openssl/cast.h>
+#endif
+#ifndef OPENSSL_NO_IDEA
+#include <openssl/idea.h>
+#endif
+#ifndef OPENSSL_NO_MDC2
+#include <openssl/mdc2.h>
+#endif
+#ifndef OPENSSL_NO_AES
+#include <openssl/aes.h>
+#endif
 /*
 #define EVP_RC2_KEY_SIZE                16
@@ -91,6 +133,18 @@
 /* Default PKCS#5 iteration count */
 #define PKCS5_DEFAULT_ITER              2048
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
 #include <openssl/objects.h>
 #define EVP_PK_RSA      0x0001
@@ -582,6 +636,8 @@ const EVP_CIPHER *EVP_enc_null(void);		/* does nothing :-) */
 const EVP_CIPHER *EVP_des_ecb(void);
 const EVP_CIPHER *EVP_des_ede(void);
 const EVP_CIPHER *EVP_des_ede3(void);
+const EVP_CIPHER *EVP_des_ede_ecb(void);
+const EVP_CIPHER *EVP_des_ede3_ecb(void);
 const EVP_CIPHER *EVP_des_cfb(void);
 const EVP_CIPHER *EVP_des_ede_cfb(void);
 const EVP_CIPHER *EVP_des_ede3_cfb(void);
diff --git a/src/lib/libcrypto/evp/evp_pbe.c b/src/lib/libcrypto/evp/evp_pbe.c
index 06afb9d152..bcd4d29f85 100644
--- a/src/lib/libcrypto/evp/evp_pbe.c
+++ b/src/lib/libcrypto/evp/evp_pbe.c
@@ -57,9 +57,9 @@
 */
 #include <stdio.h>
+#include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/x509.h>
-#include "cryptlib.h"
 /* Password based encryption (PBE) functions */
diff --git a/src/lib/libcrypto/evp/p5_crpt.c b/src/lib/libcrypto/evp/p5_crpt.c
index 113c60fedb..27a8286489 100644
--- a/src/lib/libcrypto/evp/p5_crpt.c
+++ b/src/lib/libcrypto/evp/p5_crpt.c
@@ -58,9 +58,9 @@
 #include <stdio.h>
 #include <stdlib.h>
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/evp.h>
-#include "cryptlib.h"
 /* PKCS#5 v1.5 compatible PBE functions: see PKCS#5 v2.0 for more info.
 */
diff --git a/src/lib/libcrypto/evp/p5_crpt2.c b/src/lib/libcrypto/evp/p5_crpt2.c
index 7881860b53..7485d6a278 100644
--- a/src/lib/libcrypto/evp/p5_crpt2.c
+++ b/src/lib/libcrypto/evp/p5_crpt2.c
@@ -58,10 +58,10 @@
 #if !defined(OPENSSL_NO_HMAC) && !defined(OPENSSL_NO_SHA)
 #include <stdio.h>
 #include <stdlib.h>
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
-#include "cryptlib.h"
 /* set this to print out info about the keygen algorithm */
 /* #define DEBUG_PKCS5V2 */
diff --git a/src/lib/libcrypto/objects/obj_dat.c b/src/lib/libcrypto/objects/obj_dat.c
index 3ff64bb8d1..02c3719f04 100644
--- a/src/lib/libcrypto/objects/obj_dat.c
+++ b/src/lib/libcrypto/objects/obj_dat.c
@@ -436,7 +436,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
        unsigned long l;
        unsigned char *p;
        const char *s;
-        char tbuf[32];
+        char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
        if (buf_len <= 0) return(0);
diff --git a/src/lib/libcrypto/objects/obj_mac.num b/src/lib/libcrypto/objects/obj_mac.num
index 02b39062fe..1486199661 100644
--- a/src/lib/libcrypto/objects/obj_mac.num
+++ b/src/lib/libcrypto/objects/obj_mac.num
@@ -507,3 +507,141 @@ mime_mhs_bodies		506
 id_hex_partial_message          507
 id_hex_multipart_message                508
 generationQualifier             509
+pseudonym               510
+InternationalRA         511
+id_set          512
+set_ctype               513
+set_msgExt              514
+set_attr                515
+set_policy              516
+set_certExt             517
+set_brand               518
+setct_PANData           519
+setct_PANToken          520
+setct_PANOnly           521
+setct_OIData            522
+setct_PI                523
+setct_PIData            524
+setct_PIDataUnsigned            525
+setct_HODInput          526
+setct_AuthResBaggage            527
+setct_AuthRevReqBaggage         528
+setct_AuthRevResBaggage         529
+setct_CapTokenSeq               530
+setct_PInitResData              531
+setct_PI_TBS            532
+setct_PResData          533
+setct_AuthReqTBS                534
+setct_AuthResTBS                535
+setct_AuthResTBSX               536
+setct_AuthTokenTBS              537
+setct_CapTokenData              538
+setct_CapTokenTBS               539
+setct_AcqCardCodeMsg            540
+setct_AuthRevReqTBS             541
+setct_AuthRevResData            542
+setct_AuthRevResTBS             543
+setct_CapReqTBS         544
+setct_CapReqTBSX                545
+setct_CapResData                546
+setct_CapRevReqTBS              547
+setct_CapRevReqTBSX             548
+setct_CapRevResData             549
+setct_CredReqTBS                550
+setct_CredReqTBSX               551
+setct_CredResData               552
+setct_CredRevReqTBS             553
+setct_CredRevReqTBSX            554
+setct_CredRevResData            555
+setct_PCertReqData              556
+setct_PCertResTBS               557
+setct_BatchAdminReqData         558
+setct_BatchAdminResData         559
+setct_CardCInitResTBS           560
+setct_MeAqCInitResTBS           561
+setct_RegFormResTBS             562
+setct_CertReqData               563
+setct_CertReqTBS                564
+setct_CertResData               565
+setct_CertInqReqTBS             566
+setct_ErrorTBS          567
+setct_PIDualSignedTBE           568
+setct_PIUnsignedTBE             569
+setct_AuthReqTBE                570
+setct_AuthResTBE                571
+setct_AuthResTBEX               572
+setct_AuthTokenTBE              573
+setct_CapTokenTBE               574
+setct_CapTokenTBEX              575
+setct_AcqCardCodeMsgTBE         576
+setct_AuthRevReqTBE             577
+setct_AuthRevResTBE             578
+setct_AuthRevResTBEB            579
+setct_CapReqTBE         580
+setct_CapReqTBEX                581
+setct_CapResTBE         582
+setct_CapRevReqTBE              583
+setct_CapRevReqTBEX             584
+setct_CapRevResTBE              585
+setct_CredReqTBE                586
+setct_CredReqTBEX               587
+setct_CredResTBE                588
+setct_CredRevReqTBE             589
+setct_CredRevReqTBEX            590
+setct_CredRevResTBE             591
+setct_BatchAdminReqTBE          592
+setct_BatchAdminResTBE          593
+setct_RegFormReqTBE             594
+setct_CertReqTBE                595
+setct_CertReqTBEX               596
+setct_CertResTBE                597
+setct_CRLNotificationTBS                598
+setct_CRLNotificationResTBS             599
+setct_BCIDistributionTBS                600
+setext_genCrypt         601
+setext_miAuth           602
+setext_pinSecure                603
+setext_pinAny           604
+setext_track2           605
+setext_cv               606
+set_policy_root         607
+setCext_hashedRoot              608
+setCext_certType                609
+setCext_merchData               610
+setCext_cCertRequired           611
+setCext_tunneling               612
+setCext_setExt          613
+setCext_setQualf                614
+setCext_PGWYcapabilities                615
+setCext_TokenIdentifier         616
+setCext_Track2Data              617
+setCext_TokenType               618
+setCext_IssuerCapabilities              619
+setAttr_Cert            620
+setAttr_PGWYcap         621
+setAttr_TokenType               622
+setAttr_IssCap          623
+set_rootKeyThumb                624
+set_addPolicy           625
+setAttr_Token_EMV               626
+setAttr_Token_B0Prime           627
+setAttr_IssCap_CVM              628
+setAttr_IssCap_T2               629
+setAttr_IssCap_Sig              630
+setAttr_GenCryptgrm             631
+setAttr_T2Enc           632
+setAttr_T2cleartxt              633
+setAttr_TokICCsig               634
+setAttr_SecDevSig               635
+set_brand_IATA_ATA              636
+set_brand_Diners                637
+set_brand_AmericanExpress               638
+set_brand_JCB           639
+set_brand_Visa          640
+set_brand_MasterCard            641
+set_brand_Novus         642
+des_cdmf                643
+rsaOAEPEncryptionSET            644
+itu_t           645
+joint_iso_itu_t         646
+international_organizations             647
diff --git a/src/lib/libcrypto/objects/objects.txt b/src/lib/libcrypto/objects/objects.txt
index 65d0b15629..71a4908485 100644
--- a/src/lib/libcrypto/objects/objects.txt
+++ b/src/lib/libcrypto/objects/objects.txt
@@ -542,6 +542,7 @@ X509 43			: 			: initials
 X509 44                 :                       : generationQualifier
 X509 45                 :                       : x500UniqueIdentifier
 X509 46                 : dnQualifier           : dnQualifier
+X509 65                 :                       : pseudonym
 X509 72                 : role                  : role
 X500 8                  : X500algorithms        : directory services - algorithms
@@ -762,3 +763,150 @@ pilotAttributeType 53	:			: personalSignature
 pilotAttributeType 54   :                       : dITRedirect
 pilotAttributeType 55   : audio
 pilotAttributeType 56   :                       : documentPublisher
+2 23 42                 : id-set                : Secure Electronic Transactions
+id-set 0                : set-ctype             : content types
+id-set 1                : set-msgExt            : message extensions
+id-set 3                : set-attr
+id-set 5                : set-policy
+id-set 7                : set-certExt           : certificate extensions
+id-set 8                : set-brand
+set-ctype 0             : setct-PANData
+set-ctype 1             : setct-PANToken
+set-ctype 2             : setct-PANOnly
+set-ctype 3             : setct-OIData
+set-ctype 4             : setct-PI
+set-ctype 5             : setct-PIData
+set-ctype 6             : setct-PIDataUnsigned
+set-ctype 7             : setct-HODInput
+set-ctype 8             : setct-AuthResBaggage
+set-ctype 9             : setct-AuthRevReqBaggage
+set-ctype 10            : setct-AuthRevResBaggage
+set-ctype 11            : setct-CapTokenSeq
+set-ctype 12            : setct-PInitResData
+set-ctype 13            : setct-PI-TBS
+set-ctype 14            : setct-PResData
+set-ctype 16            : setct-AuthReqTBS
+set-ctype 17            : setct-AuthResTBS
+set-ctype 18            : setct-AuthResTBSX
+set-ctype 19            : setct-AuthTokenTBS
+set-ctype 20            : setct-CapTokenData
+set-ctype 21            : setct-CapTokenTBS
+set-ctype 22            : setct-AcqCardCodeMsg
+set-ctype 23            : setct-AuthRevReqTBS
+set-ctype 24            : setct-AuthRevResData
+set-ctype 25            : setct-AuthRevResTBS
+set-ctype 26            : setct-CapReqTBS
+set-ctype 27            : setct-CapReqTBSX
+set-ctype 28            : setct-CapResData
+set-ctype 29            : setct-CapRevReqTBS
+set-ctype 30            : setct-CapRevReqTBSX
+set-ctype 31            : setct-CapRevResData
+set-ctype 32            : setct-CredReqTBS
+set-ctype 33            : setct-CredReqTBSX
+set-ctype 34            : setct-CredResData
+set-ctype 35            : setct-CredRevReqTBS
+set-ctype 36            : setct-CredRevReqTBSX
+set-ctype 37            : setct-CredRevResData
+set-ctype 38            : setct-PCertReqData
+set-ctype 39            : setct-PCertResTBS
+set-ctype 40            : setct-BatchAdminReqData
+set-ctype 41            : setct-BatchAdminResData
+set-ctype 42            : setct-CardCInitResTBS
+set-ctype 43            : setct-MeAqCInitResTBS
+set-ctype 44            : setct-RegFormResTBS
+set-ctype 45            : setct-CertReqData
+set-ctype 46            : setct-CertReqTBS
+set-ctype 47            : setct-CertResData
+set-ctype 48            : setct-CertInqReqTBS
+set-ctype 49            : setct-ErrorTBS
+set-ctype 50            : setct-PIDualSignedTBE
+set-ctype 51            : setct-PIUnsignedTBE
+set-ctype 52            : setct-AuthReqTBE
+set-ctype 53            : setct-AuthResTBE
+set-ctype 54            : setct-AuthResTBEX
+set-ctype 55            : setct-AuthTokenTBE
+set-ctype 56            : setct-CapTokenTBE
+set-ctype 57            : setct-CapTokenTBEX
+set-ctype 58            : setct-AcqCardCodeMsgTBE
+set-ctype 59            : setct-AuthRevReqTBE
+set-ctype 60            : setct-AuthRevResTBE
+set-ctype 61            : setct-AuthRevResTBEB
+set-ctype 62            : setct-CapReqTBE
+set-ctype 63            : setct-CapReqTBEX
+set-ctype 64            : setct-CapResTBE
+set-ctype 65            : setct-CapRevReqTBE
+set-ctype 66            : setct-CapRevReqTBEX
+set-ctype 67            : setct-CapRevResTBE
+set-ctype 68            : setct-CredReqTBE
+set-ctype 69            : setct-CredReqTBEX
+set-ctype 70            : setct-CredResTBE
+set-ctype 71            : setct-CredRevReqTBE
+set-ctype 72            : setct-CredRevReqTBEX
+set-ctype 73            : setct-CredRevResTBE
+set-ctype 74            : setct-BatchAdminReqTBE
+set-ctype 75            : setct-BatchAdminResTBE
+set-ctype 76            : setct-RegFormReqTBE
+set-ctype 77            : setct-CertReqTBE
+set-ctype 78            : setct-CertReqTBEX
+set-ctype 79            : setct-CertResTBE
+set-ctype 80            : setct-CRLNotificationTBS
+set-ctype 81            : setct-CRLNotificationResTBS
+set-ctype 82            : setct-BCIDistributionTBS
+set-msgExt 1            : setext-genCrypt       : generic cryptogram
+set-msgExt 3            : setext-miAuth         : merchant initiated auth
+set-msgExt 4            : setext-pinSecure
+set-msgExt 5            : setext-pinAny
+set-msgExt 7            : setext-track2
+set-msgExt 8            : setext-cv             : additional verification
+set-policy 0            : set-policy-root
+set-certExt 0           : setCext-hashedRoot
+set-certExt 1           : setCext-certType
+set-certExt 2           : setCext-merchData
+set-certExt 3           : setCext-cCertRequired
+set-certExt 4           : setCext-tunneling
+set-certExt 5           : setCext-setExt
+set-certExt 6           : setCext-setQualf
+set-certExt 7           : setCext-PGWYcapabilities
+set-certExt 8           : setCext-TokenIdentifier
+set-certExt 9           : setCext-Track2Data
+set-certExt 10          : setCext-TokenType
+set-certExt 11          : setCext-IssuerCapabilities
+set-attr 0              : setAttr-Cert
+set-attr 1              : setAttr-PGWYcap       : payment gateway capabilities
+set-attr 2              : setAttr-TokenType
+set-attr 3              : setAttr-IssCap        : issuer capabilities
+setAttr-Cert 0          : set-rootKeyThumb
+setAttr-Cert 1          : set-addPolicy
+setAttr-TokenType 1     : setAttr-Token-EMV
+setAttr-TokenType 2     : setAttr-Token-B0Prime
+setAttr-IssCap 3        : setAttr-IssCap-CVM
+setAttr-IssCap 4        : setAttr-IssCap-T2
+setAttr-IssCap 5        : setAttr-IssCap-Sig
+setAttr-IssCap-CVM 1    : setAttr-GenCryptgrm   : generate cryptogram
+setAttr-IssCap-T2 1     : setAttr-T2Enc         : encrypted track 2
+setAttr-IssCap-T2 2     : setAttr-T2cleartxt    : cleartext track 2
+setAttr-IssCap-Sig 1    : setAttr-TokICCsig     : ICC or token signature
+setAttr-IssCap-Sig 2    : setAttr-SecDevSig     : secure device signature
+set-brand 1             : set-brand-IATA-ATA
+set-brand 30            : set-brand-Diners
+set-brand 34            : set-brand-AmericanExpress
+set-brand 35            : set-brand-JCB
+set-brand 4             : set-brand-Visa
+set-brand 5             : set-brand-MasterCard
+set-brand 6011          : set-brand-Novus
+rsadsi 3 10             : DES-CDMF              : des-cdmf
+rsadsi 1 1 6            : rsaOAEPEncryptionSET
diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h
index 0d23a02fb2..9689b49c5b 100644
--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -25,8 +25,8 @@
 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
 *  major minor fix final patch/beta)
 */
-#define OPENSSL_VERSION_NUMBER  0x00907001L
+#define OPENSSL_VERSION_NUMBER  0x00907003L
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7-beta1 01 Jun 2002"
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7-beta3 30 Jul 2002"
 #define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
diff --git a/src/lib/libcrypto/pem/pem2.h b/src/lib/libcrypto/pem/pem2.h
index 4e484bcd82..f31790d69c 100644
--- a/src/lib/libcrypto/pem/pem2.h
+++ b/src/lib/libcrypto/pem/pem2.h
@@ -61,7 +61,9 @@
 extern "C" {
 #endif
+#ifndef HEADER_PEM_H
 void ERR_load_PEM_strings(void);
+#endif
 #ifdef __cplusplus
 }
diff --git a/src/lib/libcrypto/pem/pem_pkey.c b/src/lib/libcrypto/pem/pem_pkey.c
index 270892d72b..d96ecf6940 100644
--- a/src/lib/libcrypto/pem/pem_pkey.c
+++ b/src/lib/libcrypto/pem/pem_pkey.c
@@ -85,6 +85,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, vo
        else if (strcmp(nm,PEM_STRING_PKCS8INF) == 0) {
                PKCS8_PRIV_KEY_INFO *p8inf;
                p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len);
+                if(!p8inf) goto p8err;
                ret = EVP_PKCS82PKEY(p8inf);
                PKCS8_PRIV_KEY_INFO_free(p8inf);
        } else if (strcmp(nm,PEM_STRING_PKCS8) == 0) {
diff --git a/src/lib/libcrypto/perlasm/x86asm.pl b/src/lib/libcrypto/perlasm/x86asm.pl
index 81c6e64e87..9a3d85b098 100644
--- a/src/lib/libcrypto/perlasm/x86asm.pl
+++ b/src/lib/libcrypto/perlasm/x86asm.pl
@@ -87,6 +87,12 @@ $tmp
 #ifdef OUT
 #define OK      1
 #define ALIGN   4
+#if defined(__CYGWIN__) || defined(__DJGPP__)
+#undef SIZE
+#undef TYPE
+#define SIZE(a,b)
+#define TYPE(a,b)
+#endif /* __CYGWIN || __DJGPP */
 #endif
 #if defined(BSDI) && !defined(ELF)
diff --git a/src/lib/libcrypto/pkcs12/pkcs12.h b/src/lib/libcrypto/pkcs12/pkcs12.h
index 1786b6d4f3..dd338f266c 100644
--- a/src/lib/libcrypto/pkcs12/pkcs12.h
+++ b/src/lib/libcrypto/pkcs12/pkcs12.h
@@ -156,8 +156,8 @@ union {
 #define M_PKCS12_decrypt_skey PKCS12_decrypt_skey
 #define M_PKCS8_decrypt PKCS8_decrypt
-#define M_PKCS12_bag_type(bag) OBJ_obj2nid(bag->type)
+#define M_PKCS12_bag_type(bg) OBJ_obj2nid((bg)->type)
-#define M_PKCS12_cert_bag_type(bag) OBJ_obj2nid(bag->value.bag->type)
+#define M_PKCS12_cert_bag_type(bg) OBJ_obj2nid((bg)->value.bag->type)
 #define M_PKCS12_crl_bag_type M_PKCS12_cert_bag_type
 #define PKCS12_get_attr(bag, attr_nid) \
diff --git a/src/lib/libcrypto/rand/rand.h b/src/lib/libcrypto/rand/rand.h
index e17aa7a9f7..66e39991ec 100644
--- a/src/lib/libcrypto/rand/rand.h
+++ b/src/lib/libcrypto/rand/rand.h
@@ -61,6 +61,11 @@
 #include <stdlib.h>
 #include <openssl/ossl_typ.h>
+#include <openssl/e_os2.h>
+#if defined(OPENSSL_SYS_WINDOWS)
+#include <windows.h>
+#endif
 #ifdef  __cplusplus
 extern "C" {
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index 030a6c88e5..98b3bd7cc5 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -276,6 +276,9 @@ int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 int RSA_set_ex_data(RSA *r,int idx,void *arg);
 void *RSA_get_ex_data(const RSA *r, int idx);
+RSA *RSAPublicKey_dup(RSA *rsa);
+RSA *RSAPrivateKey_dup(RSA *rsa);
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.
diff --git a/src/lib/libcrypto/ui/ui_openssl.c b/src/lib/libcrypto/ui/ui_openssl.c
index 4e12165410..2c2fbc0443 100644
--- a/src/lib/libcrypto/ui/ui_openssl.c
+++ b/src/lib/libcrypto/ui/ui_openssl.c
@@ -269,7 +269,7 @@ static long tty_orig[3], tty_new[3]; /* XXX   Is there any guarantee that this w
 static long status;
 static unsigned short channel = 0;
 #else
-#ifndef OPENSSL_SYS_MSDOS
+#if !defined(OPENSSL_SYS_MSDOS) || defined(__DJGPP__)
 static TTY_STRUCT tty_orig,tty_new;
 #endif
 #endif
diff --git a/src/lib/libcrypto/ui/ui_util.c b/src/lib/libcrypto/ui/ui_util.c
index 7c6f7d3a73..f05573df33 100644
--- a/src/lib/libcrypto/ui/ui_util.c
+++ b/src/lib/libcrypto/ui/ui_util.c
@@ -71,12 +71,15 @@ int UI_UTIL_read_pw(char *buf,char *buff,int size,const char *prompt,int verify)
        int ok = 0;
        UI *ui;
+        if (size < 1)
+                return -1;
        ui = UI_new();
        if (ui)
                {
-                ok = UI_add_input_string(ui,prompt,0,buf,0,BUFSIZ-1);
+                ok = UI_add_input_string(ui,prompt,0,buf,0,size-1);
                if (ok == 0 && verify)
-                        ok = UI_add_verify_string(ui,prompt,0,buff,0,BUFSIZ-1,
+                        ok = UI_add_verify_string(ui,prompt,0,buff,0,size-1,
                                buf);
                if (ok == 0)
                        ok=UI_process(ui);
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
index 586f116db5..2fb97d8925 100644
--- a/src/lib/libcrypto/x509v3/ext_dat.h
+++ b/src/lib/libcrypto/x509v3/ext_dat.h
@@ -99,8 +99,8 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 &v3_ocsp_nocheck,
 &v3_ocsp_acutoff,
 &v3_ocsp_serviceloc,
-&v3_crl_hold,
+&v3_sinfo,
-&v3_sinfo
+&v3_crl_hold
 };
 /* Number of standard extensions */
diff --git a/src/lib/libcrypto/x509v3/v3_info.c b/src/lib/libcrypto/x509v3/v3_info.c
index 7f17f3231d..e1cf01a9b4 100644
--- a/src/lib/libcrypto/x509v3/v3_info.c
+++ b/src/lib/libcrypto/x509v3/v3_info.c
@@ -158,6 +158,7 @@ static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *metho
                objlen = ptmp - cnf->name;
                ctmp.name = ptmp + 1;
                ctmp.value = cnf->value;
+                GENERAL_NAME_free(acc->location);
                if(!(acc->location = v2i_GENERAL_NAME(method, ctx, &ctmp)))
                                                                 goto err; 
                if(!(objtmp = OPENSSL_malloc(objlen + 1))) {
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index b2be8340fb..019e9aecee 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -57,11 +57,11 @@
 */
 #include <stdio.h>
+#include "ssl_locl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
-#include "ssl_locl.h"
 static SSL_METHOD *ssl23_get_client_method(int ver);
 static int ssl23_client_hello(SSL *s);
diff --git a/src/lib/libssl/s23_pkt.c b/src/lib/libssl/s23_pkt.c
index f45e1ce3d8..4ca6a1b258 100644
--- a/src/lib/libssl/s23_pkt.c
+++ b/src/lib/libssl/s23_pkt.c
@@ -59,9 +59,9 @@
 #include <stdio.h>
 #include <errno.h>
 #define USE_SOCKETS
+#include "ssl_locl.h"
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
-#include "ssl_locl.h"
 int ssl23_write_bytes(SSL *s)
        {
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index 9e89cc7f9a..8743b61cbb 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -110,11 +110,11 @@
 */
 #include <stdio.h>
+#include "ssl_locl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
-#include "ssl_locl.h"
 static SSL_METHOD *ssl23_get_server_method(int ver);
 int ssl23_get_client_hello(SSL *s);
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index 58a24cd883..8864366f59 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -112,12 +112,12 @@
 #include <limits.h>
 #include <string.h>
 #include <stdio.h>
+#include "ssl_locl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
-#include "ssl_locl.h"
 /* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */
 int ssl3_do_write(SSL *s, int type)
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index e5853ede95..2699b5863b 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -110,13 +110,14 @@
 */
 #include <stdio.h>
+#include "ssl_locl.h"
+#include "kssl_lcl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
-#include "ssl_locl.h"
-#include "kssl_lcl.h"
 #include <openssl/md5.h>
+#include "cryptlib.h"
 static SSL_METHOD *ssl3_get_client_method(int ver);
 static int ssl3_client_hello(SSL *s);
@@ -545,6 +546,7 @@ static int ssl3_client_hello(SSL *s)
                *(p++)=i;
                if (i != 0)
                        {
+                        die(i <= sizeof s->session->session_id);
                        memcpy(p,s->session->session_id,i);
                        p+=i;
                        }
@@ -626,6 +628,14 @@ static int ssl3_get_server_hello(SSL *s)
        /* get the session-id */
        j= *(p++);
+       if(j > sizeof s->session->session_id)
+               {
+               al=SSL_AD_ILLEGAL_PARAMETER;
+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+                      SSL_R_SSL3_SESSION_ID_TOO_LONG);
+               goto f_err;
+               }
        if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
                {
                /* SSLref returns 16 :-( */
@@ -1588,6 +1598,7 @@ static int ssl3_send_client_key_exchange(SSL *s)
                                SSL_MAX_MASTER_KEY_LENGTH);
                        EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
                        outl += padl;
+                        die(outl <= sizeof epms);
                        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
                        /*  KerberosWrapper.EncryptedPreMasterSecret    */
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 686992406c..14b2f13ae2 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -129,7 +129,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_RSA_NULL_MD5,
        SSL3_CK_RSA_NULL_MD5,
        SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3,
-        SSL_NOT_EXP,
+        SSL_NOT_EXP|SSL_STRONG_NONE,
        0,
        0,
        0,
@@ -142,7 +142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_RSA_NULL_SHA,
        SSL3_CK_RSA_NULL_SHA,
        SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP,
+        SSL_NOT_EXP|SSL_STRONG_NONE,
        0,
        0,
        0,
@@ -490,7 +490,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_FZA_DMS_NULL_SHA,
        SSL3_CK_FZA_DMS_NULL_SHA,
        SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP,
+        SSL_NOT_EXP|SSL_STRONG_NONE,
        0,
        0,
        0,
@@ -504,7 +504,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_FZA_DMS_FZA_SHA,
        SSL3_CK_FZA_DMS_FZA_SHA,
        SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP,
+        SSL_NOT_EXP|SSL_STRONG_NONE,
        0,
        0,
        0,
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index 43e8502b66..6ccea9aee5 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -112,9 +112,9 @@
 #include <stdio.h>
 #include <errno.h>
 #define USE_SOCKETS
+#include "ssl_locl.h"
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
-#include "ssl_locl.h"
 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
                         unsigned int len, int create_empty_fragment);
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 99b6a86983..782b57f57a 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -114,15 +114,16 @@
 #include <stdio.h>
+#include "ssl_locl.h"
+#include "kssl_lcl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/krb5_asn.h>
-#include "ssl_locl.h"
-#include "kssl_lcl.h"
 #include <openssl/md5.h>
+#include "cryptlib.h"
 static SSL_METHOD *ssl3_get_server_method(int ver);
 static int ssl3_get_client_hello(SSL *s);
@@ -964,6 +965,7 @@ static int ssl3_send_server_hello(SSL *s)
                        s->session->session_id_length=0;
                sl=s->session->session_id_length;
+                die(sl <= sizeof s->session->session_id);
                *(p++)=sl;
                memcpy(p,s->session->session_id,sl);
                p+=sl;
@@ -1559,8 +1561,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
                EVP_CIPHER              *enc = NULL;
                unsigned char           iv[EVP_MAX_IV_LENGTH];
                unsigned char           pms[SSL_MAX_MASTER_KEY_LENGTH
-                                                + EVP_MAX_IV_LENGTH + 1];
+                                               + EVP_MAX_BLOCK_LENGTH];
-                int                     padl, outl = sizeof(pms);
+                int                     padl, outl;
                krb5_timestamp          authtime = 0;
                krb5_ticket_times       ttimes;
@@ -1583,6 +1585,16 @@ static int ssl3_get_client_key_exchange(SSL *s)
                enc_pms.data = (char *)p;
                p+=enc_pms.length;
+                /* Note that the length is checked again below,
+                ** after decryption
+                */
+                if(enc.pms_length > sizeof pms)
+                        {
+                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                               SSL_R_DATA_LENGTH_TOO_LONG);
+                        goto err;
+                        }
                if (n != enc_ticket.length + authenticator.length +
                                                enc_pms.length + 6)
                        {
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 833f761690..d9949e8eb2 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -253,7 +253,7 @@ extern "C" {
 #define SSL_TXT_RC4             "RC4"
 #define SSL_TXT_RC2             "RC2"
 #define SSL_TXT_IDEA            "IDEA"
-#define SSL_TXT_AES             "AESdraft" /* AES ciphersuites are not yet official (thus excluded from 'ALL') */
+#define SSL_TXT_AES             "AES"
 #define SSL_TXT_MD5             "MD5"
 #define SSL_TXT_SHA1            "SHA1"
 #define SSL_TXT_SHA             "SHA"
@@ -266,6 +266,23 @@ extern "C" {
 #define SSL_TXT_TLSV1           "TLSv1"
 #define SSL_TXT_ALL             "ALL"
+/*
+ * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
+ * ciphers normally not being used.
+ * Example: "RC4" will activate all ciphers using RC4 including ciphers
+ * without authentication, which would normally disabled by DEFAULT (due
+ * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT"
+ * will make sure that it is also disabled in the specific selection.
+ * COMPLEMENTOF* identifiers are portable between version, as adjustments
+ * to the default cipher setup will also be included here.
+ *
+ * COMPLEMENTOFDEFAULT does not experience the same special treatment that
+ * DEFAULT gets, as only selection is being done and no sorting as needed
+ * for DEFAULT.
+ */
+#define SSL_TXT_CMPALL          "COMPLEMENTOFALL"
+#define SSL_TXT_CMPDEF          "COMPLEMENTOFDEFAULT"
 /* The following cipher list is used by default.
 * It also is substituted when an application-defined cipher list string
 * starts with 'DEFAULT'. */
@@ -429,6 +446,7 @@ typedef struct ssl_session_st
        struct ssl_session_st *prev,*next;
        } SSL_SESSION;
 #define SSL_OP_MICROSOFT_SESS_ID_BUG                    0x00000001L
 #define SSL_OP_NETSCAPE_CHALLENGE_BUG                   0x00000002L
 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG         0x00000008L
@@ -439,6 +457,19 @@ typedef struct ssl_session_st
 #define SSL_OP_TLS_D5_BUG                               0x00000100L
 #define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x00000200L
+/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
+ * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
+ * the workaround is not needed.  Unfortunately some broken SSL/TLS
+ * implementations cannot handle it at all, which is why we include
+ * it in SSL_OP_ALL. */
+#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              0x00000800L /* added in 0.9.6e */
+/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
+ *             This used to be 0x000FFFFFL before 0.9.7. */
+#define SSL_OP_ALL                                      0x00000FFFL
+/* As server, disallow session resumption on renegotiation */
+#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION   0x00010000L
 /* If set, always create a new key when using tmp_dh parameters */
 #define SSL_OP_SINGLE_DH_USE                            0x00100000L
 /* Set to always use the tmp_rsa key when doing RSA operations,
@@ -452,8 +483,10 @@ typedef struct ssl_session_st
 * (version 3.1) was announced in the client hello. Normally this is
 * forbidden to prevent version rollback attacks. */
 #define SSL_OP_TLS_ROLLBACK_BUG                         0x00800000L
-/* As server, disallow session resumption on renegotiation */
-#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION   0x01000000L
+#define SSL_OP_NO_SSLv2                                 0x01000000L
+#define SSL_OP_NO_SSLv3                                 0x02000000L
+#define SSL_OP_NO_TLSv1                                 0x04000000L
 /* The next flag deliberately changes the ciphertest, this is a check
 * for the PKCS#1 attack */
@@ -461,11 +494,7 @@ typedef struct ssl_session_st
 #define SSL_OP_PKCS1_CHECK_2                            0x10000000L
 #define SSL_OP_NETSCAPE_CA_DN_BUG                       0x20000000L
 #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG          0x40000000L
-#define SSL_OP_ALL                                      0x000FFFFFL
-#define SSL_OP_NO_SSLv2                                 0x01000000L
-#define SSL_OP_NO_SSLv3                                 0x02000000L
-#define SSL_OP_NO_TLSv1                                 0x04000000L
 /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
 * when just a single record has been written): */
@@ -479,6 +508,7 @@ typedef struct ssl_session_st
 * is blocking: */
 #define SSL_MODE_AUTO_RETRY 0x00000004L
 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
 * they cannot be used to clear bits. */
@@ -1637,6 +1667,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_INVALID_COMMAND                            280
 #define SSL_R_INVALID_PURPOSE                            278
 #define SSL_R_INVALID_TRUST                              279
+#define SSL_R_KEY_ARG_TOO_LONG                           1112
 #define SSL_R_KRB5                                       1104
 #define SSL_R_KRB5_C_CC_PRINC                            1094
 #define SSL_R_KRB5_C_GET_CRED                            1095
@@ -1716,6 +1747,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_SHORT_READ                                 219
 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE      220
 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE               221
+#define SSL_R_SSL3_SESSION_ID_TOO_LONG                   1113
 #define SSL_R_SSL3_SESSION_ID_TOO_SHORT                  222
 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE                1042
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC                 1020
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
index c5eeeb6bc5..1638c6b525 100644
--- a/src/lib/libssl/ssl_asn1.c
+++ b/src/lib/libssl/ssl_asn1.c
@@ -58,10 +58,11 @@
 #include <stdio.h>
 #include <stdlib.h>
+#include "ssl_locl.h"
 #include <openssl/asn1_mac.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
-#include "ssl_locl.h"
+#include "cryptlib.h"
 typedef struct ssl_session_asn1_st
        {
@@ -296,6 +297,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
                os.length=i;
        ret->session_id_length=os.length;
+        die(os.length <= sizeof ret->session_id);
        memcpy(ret->session_id,os.data,os.length);
        M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index cdd8dde128..37f58886a6 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -100,9 +100,10 @@ typedef struct cipher_order_st
        } CIPHER_ORDER;
 static const SSL_CIPHER cipher_aliases[]={
-        /* Don't include eNULL unless specifically enabled.
+        /* Don't include eNULL unless specifically enabled. */
-         * Similarly, don't include AES in ALL because these ciphers are not yet official. */
+        {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
-        {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL & ~SSL_AES, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
+        {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},  /* COMPLEMENT OF ALL */
+        {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0},
        {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0},  /* VRS Kerberos5 */
        {0,SSL_TXT_kRSA,0,SSL_kRSA,  0,0,0,0,SSL_MKEY_MASK,0},
        {0,SSL_TXT_kDHr,0,SSL_kDHr,  0,0,0,0,SSL_MKEY_MASK,0},
@@ -999,10 +1000,10 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
        case SSL_AES:
                switch(cipher->strength_bits)
                        {
-                case 128: enc="AESdraft(128)"; break;
+                case 128: enc="AES(128)"; break;
-                case 192: enc="AESdraft(192)"; break;
+                case 192: enc="AES(192)"; break;
-                case 256: enc="AESdraft(256)"; break;
+                case 256: enc="AES(256)"; break;
-                default: enc="AESdraft(?""?""?)"; break;
+                default: enc="AES(?""?""?)"; break;
                        }
                break;
        default:
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index c32c4ef6e9..0cad32c855 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -275,6 +275,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_INVALID_COMMAND                   ,"invalid command"},
 {SSL_R_INVALID_PURPOSE                   ,"invalid purpose"},
 {SSL_R_INVALID_TRUST                     ,"invalid trust"},
+{SSL_R_KEY_ARG_TOO_LONG                  ,"key arg too long"},
 {SSL_R_KRB5                              ,"krb5"},
 {SSL_R_KRB5_C_CC_PRINC                   ,"krb5 client cc principal (no tkt?)"},
 {SSL_R_KRB5_C_GET_CRED                   ,"krb5 client get cred"},
@@ -354,6 +355,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_SHORT_READ                        ,"short read"},
 {SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"},
 {SSL_R_SSL23_DOING_SESSION_ID_REUSE      ,"ssl23 doing session id reuse"},
+{SSL_R_SSL3_SESSION_ID_TOO_LONG          ,"ssl3 session id too long"},
 {SSL_R_SSL3_SESSION_ID_TOO_SHORT         ,"ssl3 session id too short"},
 {SSL_R_SSLV3_ALERT_BAD_CERTIFICATE       ,"sslv3 alert bad certificate"},
 {SSL_R_SSLV3_ALERT_BAD_RECORD_MAC        ,"sslv3 alert bad record mac"},
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index df307a80c5..ab172aeaec 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -116,11 +116,11 @@
 #  include <assert.h>
 #endif
 #include <stdio.h>
+#include "ssl_locl.h"
+#include "kssl_lcl.h"
 #include <openssl/objects.h>
 #include <openssl/lhash.h>
 #include <openssl/x509v3.h>
-#include "ssl_locl.h"
-#include "kssl_lcl.h"
 const char *SSL_version_str=OPENSSL_VERSION_TEXT;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 17e9bef832..fe4ac839cf 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -293,16 +293,17 @@
 #define SSL_NOT_EXP             0x00000001L
 #define SSL_EXPORT              0x00000002L
-#define SSL_STRONG_MASK         0x0000007cL
+#define SSL_STRONG_MASK         0x000000fcL
-#define SSL_EXP40               0x00000004L
+#define SSL_STRONG_NONE         0x00000004L
+#define SSL_EXP40               0x00000008L
 #define SSL_MICRO               (SSL_EXP40)
-#define SSL_EXP56               0x00000008L
+#define SSL_EXP56               0x00000010L
 #define SSL_MINI                (SSL_EXP56)
-#define SSL_LOW                 0x00000010L
+#define SSL_LOW                 0x00000020L
-#define SSL_MEDIUM              0x00000020L
+#define SSL_MEDIUM              0x00000040L
-#define SSL_HIGH                0x00000040L
+#define SSL_HIGH                0x00000080L
-/* we have used 0000007f - 25 bits left to go */
+/* we have used 000000ff - 24 bits left to go */
 /*
 * Macros to check the export status and cipher strength for export ciphers.
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 1cf8e20934..03828b6632 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -57,12 +57,12 @@
 */
 #include <stdio.h>
+#include "ssl_locl.h"
 #include <openssl/bio.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
-#include "ssl_locl.h"
 static int ssl_set_cert(CERT *c, X509 *x509);
 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 6424f775e2..8bfc382bb6 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -60,6 +60,7 @@
 #include <openssl/lhash.h>
 #include <openssl/rand.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
 static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
@@ -250,6 +251,7 @@ int ssl_get_new_session(SSL *s, int session)
                ss->session_id_length=0;
                }
+        die(s->sid_ctx_length <= sizeof ss->sid_ctx);
        memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
        ss->sid_ctx_length=s->sid_ctx_length;
        s->session=ss;
diff --git a/src/lib/libssl/t1_clnt.c b/src/lib/libssl/t1_clnt.c
index 9745630a00..9ad518f9f4 100644
--- a/src/lib/libssl/t1_clnt.c
+++ b/src/lib/libssl/t1_clnt.c
@@ -57,11 +57,11 @@
 */
 #include <stdio.h>
+#include "ssl_locl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
-#include "ssl_locl.h"
 static SSL_METHOD *tls1_get_client_method(int ver);
 static SSL_METHOD *tls1_get_client_method(int ver)
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index b80525f3ba..5290bf6665 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -110,10 +110,10 @@
 */
 #include <stdio.h>
+#include "ssl_locl.h"
 #include <openssl/comp.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
-#include "ssl_locl.h"
 #include <openssl/md5.h>
 static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
@@ -483,14 +483,25 @@ printf("\nkey block\n");
 { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
 #endif
-        /* enable vulnerability countermeasure for CBC ciphers with
+        if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
-         * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */
+                {
-        s->s3->need_empty_fragments = 1;
+                /* enable vulnerability countermeasure for CBC ciphers with
-#ifndef NO_RC4
+                 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
-        if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4))
+                 */
-                s->s3->need_empty_fragments = 0;
+                s->s3->need_empty_fragments = 1;
+                if (s->session->cipher != NULL)
+                        {
+                        if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
+                                s->s3->need_empty_fragments = 0;
+                        
+#ifndef OPENSSL_NO_RC4
+                        if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
+                                s->s3->need_empty_fragments = 0;
 #endif
-                
+                        }
+                }
        return(1);
 err:
        SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
diff --git a/src/lib/libssl/t1_srvr.c b/src/lib/libssl/t1_srvr.c
index 996b7ca8e2..6e765e587f 100644
--- a/src/lib/libssl/t1_srvr.c
+++ b/src/lib/libssl/t1_srvr.c
@@ -57,12 +57,12 @@
 */
 #include <stdio.h>
+#include "ssl_locl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
-#include "ssl_locl.h"
 static SSL_METHOD *tls1_get_server_method(int ver);
 static SSL_METHOD *tls1_get_server_method(int ver)
diff --git a/src/lib/libssl/test/tcrl b/src/lib/libssl/test/tcrl
index acaf8f3c47..f71ef7a863 100644
--- a/src/lib/libssl/test/tcrl
+++ b/src/lib/libssl/test/tcrl
@@ -1,6 +1,10 @@
 #!/bin/sh
-PATH=../apps:$PATH
+if test "$OSTYPE" = msdosdjgpp; then
+    PATH=../apps\;$PATH
+else
+    PATH=../apps:$PATH
+fi
 export PATH
 cmd='../apps/openssl crl'
diff --git a/src/lib/libssl/test/testca b/src/lib/libssl/test/testca
index 88c186b6ab..8215ebb5d1 100644
--- a/src/lib/libssl/test/testca
+++ b/src/lib/libssl/test/testca
@@ -1,7 +1,11 @@
 #!/bin/sh
 SH="/bin/sh"
-PATH=../apps:$PATH
+if test "$OSTYPE" = msdosdjgpp; then
+    PATH=./apps\;../apps\;$PATH
+else
+    PATH=../apps:$PATH
+fi
 export SH PATH
 SSLEAY_CONFIG="-config CAss.cnf"
diff --git a/src/lib/libssl/test/testgen b/src/lib/libssl/test/testgen
index 6a4b6b9221..55c496f4bc 100644
--- a/src/lib/libssl/test/testgen
+++ b/src/lib/libssl/test/testgen
@@ -6,7 +6,11 @@ CA=../certs/testca.pem
 /bin/rm -f $T.1 $T.2 $T.key
-PATH=../apps:$PATH;
+if test "$OSTYPE" = msdosdjgpp; then
+    PATH=../apps\;$PATH;
+else
+    PATH=../apps:$PATH;
+fi
 export PATH
 echo "generating certificate request"
diff --git a/src/lib/libssl/test/tpkcs7 b/src/lib/libssl/test/tpkcs7
index 15bbba42c0..cf3bd9fadb 100644
--- a/src/lib/libssl/test/tpkcs7
+++ b/src/lib/libssl/test/tpkcs7
@@ -1,6 +1,10 @@
 #!/bin/sh
-PATH=../apps:$PATH
+if test "$OSTYPE" = msdosdjgpp; then
+    PATH=../apps\;$PATH
+else
+    PATH=../apps:$PATH
+fi
 export PATH
 cmd='../apps/openssl pkcs7'
diff --git a/src/lib/libssl/test/tpkcs7d b/src/lib/libssl/test/tpkcs7d
index 46e5aa2bd6..18f9311b06 100644
--- a/src/lib/libssl/test/tpkcs7d
+++ b/src/lib/libssl/test/tpkcs7d
@@ -1,6 +1,10 @@
 #!/bin/sh
-PATH=../apps:$PATH
+if test "$OSTYPE" = msdosdjgpp; then
+    PATH=../apps\;$PATH
+else
+    PATH=../apps:$PATH
+fi
 export PATH
 cmd='../apps/openssl pkcs7'
diff --git a/src/lib/libssl/test/treq b/src/lib/libssl/test/treq
index 9f5eb7eea5..47a8273cde 100644
--- a/src/lib/libssl/test/treq
+++ b/src/lib/libssl/test/treq
@@ -1,6 +1,10 @@
 #!/bin/sh
-PATH=../apps:$PATH
+if test "$OSTYPE" = msdosdjgpp; then
+    PATH=../apps\;$PATH
+else
+    PATH=../apps:$PATH
+fi
 export PATH
 cmd='../apps/openssl req -config ../apps/openssl.cnf'
diff --git a/src/lib/libssl/test/trsa b/src/lib/libssl/test/trsa
index bd6c07650a..413e2ec0a0 100644
--- a/src/lib/libssl/test/trsa
+++ b/src/lib/libssl/test/trsa
@@ -1,6 +1,10 @@
 #!/bin/sh
-PATH=../apps:$PATH
+if test "$OSTYPE" = msdosdjgpp; then
+    PATH=../apps\;$PATH
+else
+    PATH=../apps:$PATH
+fi
 export PATH
 if ../apps/openssl no-rsa; then
diff --git a/src/lib/libssl/test/tsid b/src/lib/libssl/test/tsid
index 9e0854516c..40a1dfa97c 100644
--- a/src/lib/libssl/test/tsid
+++ b/src/lib/libssl/test/tsid
@@ -1,6 +1,10 @@
 #!/bin/sh
-PATH=../apps:$PATH
+if test "$OSTYPE" = msdosdjgpp; then
+    PATH=../apps\;$PATH
+else
+    PATH=../apps:$PATH
+fi
 export PATH
 cmd='../apps/openssl sess_id'
diff --git a/src/lib/libssl/test/tx509 b/src/lib/libssl/test/tx509
index 35169f3a43..d380963abc 100644
--- a/src/lib/libssl/test/tx509
+++ b/src/lib/libssl/test/tx509
@@ -1,6 +1,10 @@
 #!/bin/sh
-PATH=../apps:$PATH
+if test "$OSTYPE" = msdosdjgpp; then
+    PATH=../apps\;$PATH
+else
+    PATH=../apps:$PATH
+fi
 export PATH
 cmd='../apps/openssl x509'
diff --git a/src/lib/libssl/tls1.h b/src/lib/libssl/tls1.h
index 88ec5fb527..38838ea9a5 100644
--- a/src/lib/libssl/tls1.h
+++ b/src/lib/libssl/tls1.h
@@ -96,7 +96,7 @@ extern "C" {
 #define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA      0x03000065
 #define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA                0x03000066
-  /* AES ciphersuites from draft ietf-tls-ciphersuite-03.txt */
+/* AES ciphersuites from RFC3268 */
 #define TLS1_CK_RSA_WITH_AES_128_SHA                    0x0300002F
 #define TLS1_CK_DH_DSS_WITH_AES_128_SHA                 0x03000030
@@ -126,20 +126,21 @@ extern "C" {
 #define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA         "EXP1024-RC4-SHA"
 #define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA     "EXP1024-DHE-DSS-RC4-SHA"
 #define TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA               "DHE-DSS-RC4-SHA"
-  /* AES ciphersuites from draft-ietf-tls-ciphersuite-06.txt */
-#define TLS1_TXT_RSA_WITH_AES_128_SHA                   "AESdraft128-SHA"
+/* AES ciphersuites from RFC3268 */
-#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA                "DH-DSS-AESdraft128-SHA"
+#define TLS1_TXT_RSA_WITH_AES_128_SHA                   "AES128-SHA"
-#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA                "DH-RSA-AESdraft128-SHA"
+#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA                "DH-DSS-AES128-SHA"
-#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA               "DHE-DSS-AESdraft128-SHA"
+#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA                "DH-RSA-AES128-SHA"
-#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA               "DHE-RSA-AESdraft128-SHA"
+#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA               "DHE-DSS-AES128-SHA"
-#define TLS1_TXT_ADH_WITH_AES_128_SHA                   "ADH-AESdraft128-SHA"
+#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA               "DHE-RSA-AES128-SHA"
+#define TLS1_TXT_ADH_WITH_AES_128_SHA                   "ADH-AES128-SHA"
-#define TLS1_TXT_RSA_WITH_AES_256_SHA                   "AESdraft256-SHA"
-#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA                "DH-DSS-AESdraft256-SHA"
+#define TLS1_TXT_RSA_WITH_AES_256_SHA                   "AES256-SHA"
-#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA                "DH-RSA-AESdraft256-SHA"
+#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA                "DH-DSS-AES256-SHA"
-#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA               "DHE-DSS-AESdraft256-SHA"
+#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA                "DH-RSA-AES256-SHA"
-#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA               "DHE-RSA-AESdraft256-SHA"
+#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA               "DHE-DSS-AES256-SHA"
-#define TLS1_TXT_ADH_WITH_AES_256_SHA                   "ADH-AESdraft256-SHA"
+#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA               "DHE-RSA-AES256-SHA"
+#define TLS1_TXT_ADH_WITH_AES_256_SHA                   "ADH-AES256-SHA"
 #define TLS_CT_RSA_SIGN                 1