132 files changed, 1127 insertions, 435 deletions

diff --git a/src/lib/libcrypto/aes/aes.h b/src/lib/libcrypto/aes/aes.h
index 8294a41a3a..da067f4a8f 100644
--- a/src/lib/libcrypto/aes/aes.h
+++ b/src/lib/libcrypto/aes/aes.h
@@ -100,7 +100,7 @@ void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
         unsigned char *ivec, int *num);
 void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
         const unsigned long length, const AES_KEY *key,
-        unsigned char counter[AES_BLOCK_SIZE],
+        unsigned char ivec[AES_BLOCK_SIZE],
         unsigned char ecount_buf[AES_BLOCK_SIZE],
         unsigned int *num);
 
diff --git a/src/lib/libcrypto/aes/aes_cbc.c b/src/lib/libcrypto/aes/aes_cbc.c
index de438306b1..86b27b10d6 100644
--- a/src/lib/libcrypto/aes/aes_cbc.c
+++ b/src/lib/libcrypto/aes/aes_cbc.c
@@ -72,7 +72,7 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
 
         if (AES_ENCRYPT == enc) {
                 while (len >= AES_BLOCK_SIZE) {
-                        for(n=0; n < sizeof tmp; ++n)
+                        for(n=0; n < AES_BLOCK_SIZE; ++n)
                                 tmp[n] = in[n] ^ ivec[n];
                         AES_encrypt(tmp, out, key);
                         memcpy(ivec, out, AES_BLOCK_SIZE);
@@ -86,12 +86,12 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
                         for(n=len; n < AES_BLOCK_SIZE; ++n)
                                 tmp[n] = ivec[n];
                         AES_encrypt(tmp, tmp, key);
-                        memcpy(out, tmp, len);
-                        memcpy(ivec, tmp, sizeof tmp);
+                        memcpy(out, tmp, AES_BLOCK_SIZE);
+                        memcpy(ivec, tmp, AES_BLOCK_SIZE);
                 }                       
         } else {
                 while (len >= AES_BLOCK_SIZE) {
-                        memcpy(tmp, in, sizeof tmp);
+                        memcpy(tmp, in, AES_BLOCK_SIZE);
                         AES_decrypt(in, out, key);
                         for(n=0; n < AES_BLOCK_SIZE; ++n)
                                 out[n] ^= ivec[n];
@@ -101,11 +101,11 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
                         out += AES_BLOCK_SIZE;
                 }
                 if (len) {
-                        memcpy(tmp, in, sizeof tmp);
+                        memcpy(tmp, in, AES_BLOCK_SIZE);
                         AES_decrypt(tmp, tmp, key);
                         for(n=0; n < len; ++n)
                                 out[n] ^= ivec[n];
-                        memcpy(ivec, tmp, sizeof tmp);
+                        memcpy(ivec, tmp, AES_BLOCK_SIZE);
                 }                       
         }
 }
diff --git a/src/lib/libcrypto/aes/aes_ctr.c b/src/lib/libcrypto/aes/aes_ctr.c
index 59088499a0..79e1c18f19 100644
--- a/src/lib/libcrypto/aes/aes_ctr.c
+++ b/src/lib/libcrypto/aes/aes_ctr.c
@@ -62,19 +62,49 @@
 /* NOTE: CTR mode is big-endian.  The rest of the AES code
  * is endian-neutral. */
 
-/* increment counter (128-bit int) by 2^64 */
+/* increment counter (128-bit int) by 1 */
 static void AES_ctr128_inc(unsigned char *counter) {
         unsigned long c;
 
-        /* Grab 3rd dword of counter and increment */
+        /* Grab bottom dword of counter and increment */
 #ifdef L_ENDIAN
-        c = GETU32(counter + 8);
+        c = GETU32(counter +  0);
         c++;
-        PUTU32(counter + 8, c);
+        PUTU32(counter +  0, c);
 #else
-        c = GETU32(counter + 4);
+        c = GETU32(counter + 12);
         c++;
-        PUTU32(counter + 4, c);
+        PUTU32(counter + 12, c);
+#endif
+
+        /* if no overflow, we're done */
+        if (c)
+                return;
+
+        /* Grab 1st dword of counter and increment */
+#ifdef L_ENDIAN
+        c = GETU32(counter +  4);
+        c++;
+        PUTU32(counter +  4, c);
+#else
+        c = GETU32(counter +  8);
+        c++;
+        PUTU32(counter +  8, c);
+#endif
+
+        /* if no overflow, we're done */
+        if (c)
+                return;
+
+        /* Grab 2nd dword of counter and increment */
+#ifdef L_ENDIAN
+        c = GETU32(counter +  8);
+        c++;
+        PUTU32(counter +  8, c);
+#else
+        c = GETU32(counter +  4);
+        c++;
+        PUTU32(counter +  4, c);
 #endif
 
         /* if no overflow, we're done */
@@ -100,10 +130,16 @@ static void AES_ctr128_inc(unsigned char *counter) {
  * encrypted counter is kept in ecount_buf.  Both *num and
  * ecount_buf must be initialised with zeros before the first
  * call to AES_ctr128_encrypt().
+ *
+ * This algorithm assumes that the counter is in the x lower bits
+ * of the IV (ivec), and that the application has full control over
+ * overflow and the rest of the IV.  This implementation takes NO
+ * responsability for checking that the counter doesn't overflow
+ * into the rest of the IV when incremented.
  */
 void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
         const unsigned long length, const AES_KEY *key,
-        unsigned char counter[AES_BLOCK_SIZE],
+        unsigned char ivec[AES_BLOCK_SIZE],
         unsigned char ecount_buf[AES_BLOCK_SIZE],
         unsigned int *num) {
 
@@ -117,8 +153,8 @@ void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
 
         while (l--) {
                 if (n == 0) {
-                        AES_encrypt(counter, ecount_buf, key);
-                        AES_ctr128_inc(counter);
+                        AES_encrypt(ivec, ecount_buf, key);
+                        AES_ctr128_inc(ivec);
                 }
                 *(out++) = *(in++) ^ ecount_buf[n];
                 n = (n+1) % AES_BLOCK_SIZE;
diff --git a/src/lib/libcrypto/asn1/a_mbstr.c b/src/lib/libcrypto/asn1/a_mbstr.c
index 58b437bc84..c811b11776 100644
--- a/src/lib/libcrypto/asn1/a_mbstr.c
+++ b/src/lib/libcrypto/asn1/a_mbstr.c
@@ -296,7 +296,7 @@ static int in_utf8(unsigned long value, void *arg)
 
 static int out_utf8(unsigned long value, void *arg)
 {
-        long *outlen;
+        int *outlen;
         outlen = arg;
         *outlen += UTF8_putc(NULL, -1, value);
         return 1;
diff --git a/src/lib/libcrypto/asn1/a_strex.c b/src/lib/libcrypto/asn1/a_strex.c
index 1def6c6549..8abfdfe598 100644
--- a/src/lib/libcrypto/asn1/a_strex.c
+++ b/src/lib/libcrypto/asn1/a_strex.c
@@ -279,7 +279,7 @@ static int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING
  * otherwise it is the number of bytes per character
  */
 
-const static char tag2nbyte[] = {
+const static signed char tag2nbyte[] = {
         -1, -1, -1, -1, -1,     /* 0-4 */
         -1, -1, -1, -1, -1,     /* 5-9 */
         -1, -1, 0, -1,          /* 10-13 */
diff --git a/src/lib/libcrypto/asn1/a_strnid.c b/src/lib/libcrypto/asn1/a_strnid.c
index aa49e9d7d0..613bbc4a7d 100644
--- a/src/lib/libcrypto/asn1/a_strnid.c
+++ b/src/lib/libcrypto/asn1/a_strnid.c
@@ -143,7 +143,7 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,
 /* Now the tables and helper functions for the string table:
  */
 
-/* size limits: this stuff is taken straight from RFC2459 */
+/* size limits: this stuff is taken straight from RFC3280 */
 
 #define ub_name                         32768
 #define ub_common_name                  64
@@ -153,6 +153,8 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,
 #define ub_organization_unit_name       64
 #define ub_title                        64
 #define ub_email_address                128
+#define ub_serial_number                64
+
 
 /* This table must be kept in NID order */
 
@@ -170,6 +172,7 @@ static ASN1_STRING_TABLE tbl_standard[] = {
 {NID_givenName,                 1, ub_name, DIRSTRING_TYPE, 0},
 {NID_surname,                   1, ub_name, DIRSTRING_TYPE, 0},
 {NID_initials,                  1, ub_name, DIRSTRING_TYPE, 0},
+{NID_serialNumber,              1, ub_serial_number, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},
 {NID_friendlyName,              -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK},
 {NID_name,                      1, ub_name, DIRSTRING_TYPE, 0},
 {NID_dnQualifier,               -1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},
diff --git a/src/lib/libcrypto/bio/b_print.c b/src/lib/libcrypto/bio/b_print.c
index a9e552f245..2cfc689dd6 100644
--- a/src/lib/libcrypto/bio/b_print.c
+++ b/src/lib/libcrypto/bio/b_print.c
@@ -836,5 +836,5 @@ int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
                  * had the buffer been large enough.) */
                 return -1;
         else
-                return (retlen <= INT_MAX) ? retlen : -1;
+                return (retlen <= INT_MAX) ? (int)retlen : -1;
         }
diff --git a/src/lib/libcrypto/bio/bf_buff.c b/src/lib/libcrypto/bio/bf_buff.c
index 1cecd70579..c1fd75aaad 100644
--- a/src/lib/libcrypto/bio/bf_buff.c
+++ b/src/lib/libcrypto/bio/bf_buff.c
@@ -494,6 +494,7 @@ static int buffer_gets(BIO *b, char *buf, int size)
                         if (i <= 0)
                                 {
                                 BIO_copy_next_retry(b);
+                                *buf='\0';
                                 if (i < 0) return((num > 0)?num:i);
                                 if (i == 0) return(num);
                                 }
diff --git a/src/lib/libcrypto/bio/bss_bio.c b/src/lib/libcrypto/bio/bss_bio.c
index aa58dab046..0f9f0955b4 100644
--- a/src/lib/libcrypto/bio/bss_bio.c
+++ b/src/lib/libcrypto/bio/bss_bio.c
@@ -1,4 +1,57 @@
 /* crypto/bio/bss_bio.c  -*- Mode: C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 /* Special method for a BIO where the other endpoint is also a BIO
  * of this kind, handled by the same thread (i.e. the "peer" is actually
@@ -502,7 +555,7 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr)
                 break;
                 
         case BIO_C_DESTROY_BIO_PAIR:
-                /* Effects both BIOs in the pair -- call just once!
+                /* Affects both BIOs in the pair -- call just once!
                  * Or let BIO_free(bio1); BIO_free(bio2); do the job. */
                 bio_destroy_pair(bio);
                 ret = 1;
diff --git a/src/lib/libcrypto/bio/bss_file.c b/src/lib/libcrypto/bio/bss_file.c
index e4e9df144c..0ca603ee0a 100644
--- a/src/lib/libcrypto/bio/bss_file.c
+++ b/src/lib/libcrypto/bio/bss_file.c
@@ -213,12 +213,29 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
                 b->shutdown=(int)num&BIO_CLOSE;
                 b->ptr=(char *)ptr;
                 b->init=1;
-#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS)
-                /* Set correct text/binary mode */
+#if defined(OPENSSL_SYS_WINDOWS)
                 if (num & BIO_FP_TEXT)
                         _setmode(fileno((FILE *)ptr),_O_TEXT);
                 else
                         _setmode(fileno((FILE *)ptr),_O_BINARY);
+#elif defined(OPENSSL_SYS_MSDOS)
+                {
+                int fd = fileno((FILE*)ptr);
+                /* Set correct text/binary mode */
+                if (num & BIO_FP_TEXT)
+                        _setmode(fd,_O_TEXT);
+                /* Dangerous to set stdin/stdout to raw (unless redirected) */
+                else
+                        {
+                        if (fd == STDIN_FILENO || fd == STDOUT_FILENO)
+                                {
+                                if (isatty(fd) <= 0)
+                                        _setmode(fd,_O_BINARY);
+                                }
+                        else
+                                _setmode(fd,_O_BINARY);
+                        }
+                }
 #elif defined(OPENSSL_SYS_OS2)
                 if (num & BIO_FP_TEXT)
                         setmode(fileno((FILE *)ptr), O_TEXT);
diff --git a/src/lib/libcrypto/bn/Makefile.ssl b/src/lib/libcrypto/bn/Makefile.ssl
index fa17d3c7d8..0c6e796d17 100644
--- a/src/lib/libcrypto/bn/Makefile.ssl
+++ b/src/lib/libcrypto/bn/Makefile.ssl
@@ -22,6 +22,7 @@ BN_ASM=		bn_asm.o
 #BN_ASM=        bn86-elf.o
 
 CFLAGS= $(INCLUDES) $(CFLAG)
+ASFLAGS= $(INCLUDES) $(ASFLAG)
 
 GENERAL=Makefile
 TEST=bntest.c exptest.c
diff --git a/src/lib/libcrypto/bn/bn_mul.c b/src/lib/libcrypto/bn/bn_mul.c
index cb93ac3356..3ae3822bc2 100644
--- a/src/lib/libcrypto/bn/bn_mul.c
+++ b/src/lib/libcrypto/bn/bn_mul.c
@@ -224,7 +224,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
              int n, BN_ULONG *t)
         {
         int i,j,n2=n*2;
-        unsigned int c1,c2,neg,zero;
+        int c1,c2,neg,zero;
         BN_ULONG ln,lo,*p;
 
 # ifdef BN_COUNT
@@ -376,7 +376,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
 
                 /* The overflow will stop before we over write
                  * words we should not overwrite */
-                if (ln < c1)
+                if (ln < (BN_ULONG)c1)
                         {
                         do      {
                                 p++;
diff --git a/src/lib/libcrypto/des/cfb_enc.c b/src/lib/libcrypto/des/cfb_enc.c
index 17bf77ca9e..2600bdfc93 100644
--- a/src/lib/libcrypto/des/cfb_enc.c
+++ b/src/lib/libcrypto/des/cfb_enc.c
@@ -64,32 +64,22 @@
  * the second.  The second 12 bits will come from the 3rd and half the 4th
  * byte.
  */
+/* WARNING WARNING: this uses in and out in 8-byte chunks regardless of
+ * length */
+/* Until Aug 1 2003 this function did not correctly implement CFB-r, so it
+ * will not be compatible with any encryption prior to that date. Ben. */
 void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
-                     long length, DES_key_schedule *schedule, DES_cblock *ivec, int enc)
+                     long length, DES_key_schedule *schedule, DES_cblock *ivec,
+                     int enc)
         {
         register DES_LONG d0,d1,v0,v1,n=(numbits+7)/8;
-        register DES_LONG mask0,mask1;
         register unsigned long l=length;
         register int num=numbits;
         DES_LONG ti[2];
         unsigned char *iv;
+        unsigned char ovec[16];
 
         if (num > 64) return;
-        if (num > 32)
-                {
-                mask0=0xffffffffL;
-                if (num == 64)
-                        mask1=mask0;
-                else    mask1=(1L<<(num-32))-1;
-                }
-        else
-                {
-                if (num == 32)
-                        mask0=0xffffffffL;
-                else    mask0=(1L<<num)-1;
-                mask1=0x00000000L;
-                }
-
         iv = &(*ivec)[0];
         c2l(iv,v0);
         c2l(iv,v1);
@@ -103,8 +93,8 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
                         DES_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT);
                         c2ln(in,d0,d1,n);
                         in+=n;
-                        d0=(d0^ti[0])&mask0;
-                        d1=(d1^ti[1])&mask1;
+                        d0^=ti[0];
+                        d1^=ti[1];
                         l2cn(d0,d1,out,n);
                         out+=n;
                         /* 30-08-94 - eay - changed because l>>32 and
@@ -113,15 +103,25 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
                                 { v0=v1; v1=d0; }
                         else if (num == 64)
                                 { v0=d0; v1=d1; }
-                        else if (num > 32) /* && num != 64 */
-                                {
-                                v0=((v1>>(num-32))|(d0<<(64-num)))&0xffffffffL;
-                                v1=((d0>>(num-32))|(d1<<(64-num)))&0xffffffffL;
-                                }
-                        else /* num < 32 */
+                        else
                                 {
-                                v0=((v0>>num)|(v1<<(32-num)))&0xffffffffL;
-                                v1=((v1>>num)|(d0<<(32-num)))&0xffffffffL;
+                                iv=&ovec[0];
+                                l2c(v0,iv);
+                                l2c(v1,iv);
+                                l2c(d0,iv);
+                                l2c(d1,iv);
+                                /* shift ovec left most of the bits... */
+                                memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
+                                /* now the remaining bits */
+                                if(num%8 != 0)
+                                        for(n=0 ; n < 8 ; ++n)
+                                                {
+                                                ovec[n]<<=num%8;
+                                                ovec[n]|=ovec[n+1]>>(8-num%8);
+                                                }
+                                iv=&ovec[0];
+                                c2l(iv,v0);
+                                c2l(iv,v1);
                                 }
                         }
                 }
@@ -141,18 +141,28 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
                                 { v0=v1; v1=d0; }
                         else if (num == 64)
                                 { v0=d0; v1=d1; }
-                        else if (num > 32) /* && num != 64 */
-                                {
-                                v0=((v1>>(num-32))|(d0<<(64-num)))&0xffffffffL;
-                                v1=((d0>>(num-32))|(d1<<(64-num)))&0xffffffffL;
-                                }
-                        else /* num < 32 */
+                        else
                                 {
-                                v0=((v0>>num)|(v1<<(32-num)))&0xffffffffL;
-                                v1=((v1>>num)|(d0<<(32-num)))&0xffffffffL;
+                                iv=&ovec[0];
+                                l2c(v0,iv);
+                                l2c(v1,iv);
+                                l2c(d0,iv);
+                                l2c(d1,iv);
+                                /* shift ovec left most of the bits... */
+                                memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
+                                /* now the remaining bits */
+                                if(num%8 != 0)
+                                        for(n=0 ; n < 8 ; ++n)
+                                                {
+                                                ovec[n]<<=num%8;
+                                                ovec[n]|=ovec[n+1]>>(8-num%8);
+                                                }
+                                iv=&ovec[0];
+                                c2l(iv,v0);
+                                c2l(iv,v1);
                                 }
-                        d0=(d0^ti[0])&mask0;
-                        d1=(d1^ti[1])&mask1;
+                        d0^=ti[0];
+                        d1^=ti[1];
                         l2cn(d0,d1,out,n);
                         out+=n;
                         }
diff --git a/src/lib/libcrypto/des/destest.c b/src/lib/libcrypto/des/destest.c
index 687c00c792..3983ac8e5f 100644
--- a/src/lib/libcrypto/des/destest.c
+++ b/src/lib/libcrypto/des/destest.c
@@ -431,7 +431,7 @@ int main(int argc, char *argv[])
 
 #ifndef LIBDES_LIT
         printf("Doing ede ecb\n");
-        for (i=0; i<(NUM_TESTS-1); i++)
+        for (i=0; i<(NUM_TESTS-2); i++)
                 {
                 DES_set_key_unchecked(&key_data[i],&ks);
                 DES_set_key_unchecked(&key_data[i+1],&ks2);
diff --git a/src/lib/libcrypto/dso/dso_dlfcn.c b/src/lib/libcrypto/dso/dso_dlfcn.c
index 906b4703de..9d49ebc253 100644
--- a/src/lib/libcrypto/dso/dso_dlfcn.c
+++ b/src/lib/libcrypto/dso/dso_dlfcn.c
@@ -125,7 +125,11 @@ DSO_METHOD *DSO_METHOD_dlfcn(void)
 #               endif
 #       endif
 #else
-#       define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */
+#       ifdef OPENSSL_SYS_SUNOS
+#               define DLOPEN_FLAG 1
+#       else
+#               define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */
+#       endif
 #endif
 
 /* For this DSO_METHOD, our meth_data STACK will contain;
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index 4dbc931120..16822a73cf 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -175,12 +175,13 @@ static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len, B
  *       (thus the boundaries should be increased)
  */
 #define EC_window_bits_for_scalar_size(b) \
-                ((b) >= 2000 ? 6 : \
-                 (b) >=  800 ? 5 : \
-                 (b) >=  300 ? 4 : \
-                 (b) >=   70 ? 3 : \
-                 (b) >=   20 ? 2 : \
-                  1)
+                ((size_t) \
+                 ((b) >= 2000 ? 6 : \
+                  (b) >=  800 ? 5 : \
+                  (b) >=  300 ? 4 : \
+                  (b) >=   70 ? 3 : \
+                  (b) >=   20 ? 2 : \
+                   1))
 
 /* Compute
  *      \sum scalars[i]*points[i],
diff --git a/src/lib/libcrypto/engine/engine.h b/src/lib/libcrypto/engine/engine.h
index 8686879e1a..9c3ab182d3 100644
--- a/src/lib/libcrypto/engine/engine.h
+++ b/src/lib/libcrypto/engine/engine.h
@@ -538,10 +538,10 @@ void ENGINE_add_conf_module(void);
 /**************************/
 
 /* Binary/behaviour compatibility levels */
-#define OSSL_DYNAMIC_VERSION            (unsigned long)0x00010100
+#define OSSL_DYNAMIC_VERSION            (unsigned long)0x00010200
 /* Binary versions older than this are too old for us (whether we're a loader or
  * a loadee) */
-#define OSSL_DYNAMIC_OLDEST             (unsigned long)0x00010100
+#define OSSL_DYNAMIC_OLDEST             (unsigned long)0x00010200
 
 /* When compiling an ENGINE entirely as an external shared library, loadable by
  * the "dynamic" ENGINE, these types are needed. The 'dynamic_fns' structure
@@ -630,6 +630,10 @@ typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id,
                 if(!fn(e,id)) return 0; \
                 return 1; }
 
+#if defined(__OpenBSD__) || defined(__FreeBSD__)
+void ENGINE_setup_bsd_cryptodev(void);
+#endif
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
diff --git a/src/lib/libcrypto/engine/hw_ubsec.c b/src/lib/libcrypto/engine/hw_ubsec.c
index 6286dd851c..5234a08a07 100644
--- a/src/lib/libcrypto/engine/hw_ubsec.c
+++ b/src/lib/libcrypto/engine/hw_ubsec.c
@@ -561,7 +561,6 @@ static int ubsec_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                 UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_BN_EXPAND_FAIL);
                 return 0;
         }
-        memset(r->d, 0, BN_num_bytes(m));
 
         if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
                 fd = 0;
diff --git a/src/lib/libcrypto/err/err.c b/src/lib/libcrypto/err/err.c
index a4f4a260af..6ab119c1ef 100644
--- a/src/lib/libcrypto/err/err.c
+++ b/src/lib/libcrypto/err/err.c
@@ -225,6 +225,7 @@ struct st_ERR_FNS
         ERR_STRING_DATA *(*cb_err_del_item)(ERR_STRING_DATA *);
         /* Works on the "thread_hash" error-state table */
         LHASH *(*cb_thread_get)(int create);
+        void (*cb_thread_release)(LHASH **hash);
         ERR_STATE *(*cb_thread_get_item)(const ERR_STATE *);
         ERR_STATE *(*cb_thread_set_item)(ERR_STATE *);
         void (*cb_thread_del_item)(const ERR_STATE *);
@@ -239,6 +240,7 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *);
 static ERR_STRING_DATA *int_err_set_item(ERR_STRING_DATA *);
 static ERR_STRING_DATA *int_err_del_item(ERR_STRING_DATA *);
 static LHASH *int_thread_get(int create);
+static void int_thread_release(LHASH **hash);
 static ERR_STATE *int_thread_get_item(const ERR_STATE *);
 static ERR_STATE *int_thread_set_item(ERR_STATE *);
 static void int_thread_del_item(const ERR_STATE *);
@@ -252,6 +254,7 @@ static const ERR_FNS err_defaults =
         int_err_set_item,
         int_err_del_item,
         int_thread_get,
+        int_thread_release,
         int_thread_get_item,
         int_thread_set_item,
         int_thread_del_item,
@@ -271,6 +274,7 @@ static const ERR_FNS *err_fns = NULL;
  * and state in the loading application. */
 static LHASH *int_error_hash = NULL;
 static LHASH *int_thread_hash = NULL;
+static int int_thread_hash_references = 0;
 static int int_err_library_number= ERR_LIB_USER;
 
 /* Internal function that checks whether "err_fns" is set and if not, sets it to
@@ -417,11 +421,37 @@ static LHASH *int_thread_get(int create)
                 CRYPTO_pop_info();
                 }
         if (int_thread_hash)
+                {
+                int_thread_hash_references++;
                 ret = int_thread_hash;
+                }
         CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
         return ret;
         }
 
+static void int_thread_release(LHASH **hash)
+        {
+        int i;
+
+        if (hash == NULL || *hash == NULL)
+                return;
+
+        i = CRYPTO_add(&int_thread_hash_references, -1, CRYPTO_LOCK_ERR);
+
+#ifdef REF_PRINT
+        fprintf(stderr,"%4d:%s\n",int_thread_hash_references,"ERR");
+#endif
+        if (i > 0) return;
+#ifdef REF_CHECK
+        if (i < 0)
+                {
+                fprintf(stderr,"int_thread_release, bad reference count\n");
+                abort(); /* ok */
+                }
+#endif
+        *hash = NULL;
+        }
+
 static ERR_STATE *int_thread_get_item(const ERR_STATE *d)
         {
         ERR_STATE *p;
@@ -436,6 +466,7 @@ static ERR_STATE *int_thread_get_item(const ERR_STATE *d)
         p = (ERR_STATE *)lh_retrieve(hash, d);
         CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
 
+        ERRFN(thread_release)(&hash);
         return p;
         }
 
@@ -453,6 +484,7 @@ static ERR_STATE *int_thread_set_item(ERR_STATE *d)
         p = (ERR_STATE *)lh_insert(hash, d);
         CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
 
+        ERRFN(thread_release)(&hash);
         return p;
         }
 
@@ -469,13 +501,15 @@ static void int_thread_del_item(const ERR_STATE *d)
         CRYPTO_w_lock(CRYPTO_LOCK_ERR);
         p = (ERR_STATE *)lh_delete(hash, d);
         /* make sure we don't leak memory */
-        if (int_thread_hash && (lh_num_items(int_thread_hash) == 0))
+        if (int_thread_hash_references == 1
+                && int_thread_hash && (lh_num_items(int_thread_hash) == 0))
                 {
                 lh_free(int_thread_hash);
                 int_thread_hash = NULL;
                 }
         CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
 
+        ERRFN(thread_release)(&hash);
         if (p)
                 ERR_STATE_free(p);
         }
@@ -845,6 +879,12 @@ LHASH *ERR_get_err_state_table(void)
         return ERRFN(thread_get)(0);
         }
 
+void ERR_release_err_state_table(LHASH **hash)
+        {
+        err_fns_check();
+        ERRFN(thread_release)(hash);
+        }
+
 const char *ERR_lib_error_string(unsigned long e)
         {
         ERR_STRING_DATA d,*p;
diff --git a/src/lib/libcrypto/err/err.h b/src/lib/libcrypto/err/err.h
index 988ef81aa0..8faa3a7b4f 100644
--- a/src/lib/libcrypto/err/err.h
+++ b/src/lib/libcrypto/err/err.h
@@ -278,6 +278,7 @@ ERR_STATE *ERR_get_state(void);
 #ifndef OPENSSL_NO_LHASH
 LHASH *ERR_get_string_table(void);
 LHASH *ERR_get_err_state_table(void);
+void ERR_release_err_state_table(LHASH **hash);
 #endif
 
 int ERR_get_next_error_library(void);
diff --git a/src/lib/libcrypto/evp/Makefile.ssl b/src/lib/libcrypto/evp/Makefile.ssl
index b4172406ae..f33aebd33a 100644
--- a/src/lib/libcrypto/evp/Makefile.ssl
+++ b/src/lib/libcrypto/evp/Makefile.ssl
@@ -185,13 +185,14 @@ c_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 c_all.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
 c_all.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 c_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-c_all.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-c_all.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-c_all.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-c_all.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-c_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-c_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+c_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+c_all.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+c_all.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+c_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+c_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+c_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+c_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
 c_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 c_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 c_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
diff --git a/src/lib/libcrypto/evp/bio_b64.c b/src/lib/libcrypto/evp/bio_b64.c
index 6e550f6a43..33349c2f98 100644
--- a/src/lib/libcrypto/evp/bio_b64.c
+++ b/src/lib/libcrypto/evp/bio_b64.c
@@ -184,7 +184,9 @@ static int b64_read(BIO *b, char *out, int outl)
         ret_code=0;
         while (outl > 0)
                 {
-                if (ctx->cont <= 0) break;
+
+                if (ctx->cont <= 0)
+                        break;
 
                 i=BIO_read(b->next_bio,&(ctx->tmp[ctx->tmp_len]),
                         B64_BLOCK_SIZE-ctx->tmp_len);
@@ -195,11 +197,21 @@ static int b64_read(BIO *b, char *out, int outl)
 
                         /* Should be continue next time we are called? */
                         if (!BIO_should_retry(b->next_bio))
+                                {
                                 ctx->cont=i;
-                        /* else we should continue when called again */
-                        break;
+                                /* If buffer empty break */
+                                if(ctx->tmp_len == 0)
+                                        break;
+                                /* Fall through and process what we have */
+                                else
+                                        i = 0;
+                                }
+                        /* else we retry and add more data to buffer */
+                        else
+                                break;
                         }
                 i+=ctx->tmp_len;
+                ctx->tmp_len = i;
 
                 /* We need to scan, a line at a time until we
                  * have a valid line if we are starting. */
@@ -255,8 +267,12 @@ static int b64_read(BIO *b, char *out, int outl)
                                  * reading until a new line. */
                                 if (p == (unsigned char *)&(ctx->tmp[0]))
                                         {
-                                        ctx->tmp_nl=1;
-                                        ctx->tmp_len=0;
+                                        /* Check buffer full */
+                                        if (i == B64_BLOCK_SIZE)
+                                                {
+                                                ctx->tmp_nl=1;
+                                                ctx->tmp_len=0;
+                                                }
                                         }
                                 else if (p != q) /* finished on a '\n' */
                                         {
@@ -271,6 +287,11 @@ static int b64_read(BIO *b, char *out, int outl)
                         else
                                 ctx->tmp_len=0;
                         }
+                /* If buffer isn't full and we can retry then
+                 * restart to read in more data.
+                 */
+                else if ((i < B64_BLOCK_SIZE) && (ctx->cont > 0))
+                        continue;
 
                 if (BIO_get_flags(b) & BIO_FLAGS_BASE64_NO_NL)
                         {
@@ -310,8 +331,8 @@ static int b64_read(BIO *b, char *out, int outl)
                         i=EVP_DecodeUpdate(&(ctx->base64),
                                 (unsigned char *)ctx->buf,&ctx->buf_len,
                                 (unsigned char *)ctx->tmp,i);
+                        ctx->tmp_len = 0;
                         }
-                ctx->cont=i;
                 ctx->buf_off=0;
                 if (i < 0)
                         {
@@ -484,10 +505,7 @@ again:
                         {
                         i=b64_write(b,NULL,0);
                         if (i < 0)
-                                {
-                                ret=i;
-                                break;
-                                }
+                                return i;
                         }
                 if (BIO_get_flags(b) & BIO_FLAGS_BASE64_NO_NL)
                         {
diff --git a/src/lib/libcrypto/evp/c_all.c b/src/lib/libcrypto/evp/c_all.c
index 1b31a14e37..fa60a73ead 100644
--- a/src/lib/libcrypto/evp/c_all.c
+++ b/src/lib/libcrypto/evp/c_all.c
@@ -59,6 +59,9 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
 
 #if 0
 #undef OpenSSL_add_all_algorithms
diff --git a/src/lib/libcrypto/md2/md2test.c b/src/lib/libcrypto/md2/md2test.c
index 901d0a7d8e..9c1e28b6ce 100644
--- a/src/lib/libcrypto/md2/md2test.c
+++ b/src/lib/libcrypto/md2/md2test.c
@@ -59,7 +59,6 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <openssl/md2.h>
 
 #include "../e_os.h"
 
@@ -71,6 +70,7 @@ int main(int argc, char *argv[])
 }
 #else
 #include <openssl/evp.h>
+#include <openssl/md2.h>
 
 #ifdef CHARSET_EBCDIC
 #include <openssl/ebcdic.h>
diff --git a/src/lib/libcrypto/md5/Makefile.ssl b/src/lib/libcrypto/md5/Makefile.ssl
index b11ab476d6..2361775a2d 100644
--- a/src/lib/libcrypto/md5/Makefile.ssl
+++ b/src/lib/libcrypto/md5/Makefile.ssl
@@ -6,7 +6,7 @@ DIR=    md5
 TOP=    ../..
 CC=     cc
 CPP=    $(CC) -E
-INCLUDES=
+INCLUDES=-I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
@@ -20,6 +20,7 @@ AR=             ar r
 MD5_ASM_OBJ=
 
 CFLAGS= $(INCLUDES) $(CFLAG)
+ASFLAGS= $(INCLUDES) $(ASFLAG)
 
 GENERAL=Makefile
 TEST=md5test.c
diff --git a/src/lib/libcrypto/md5/asm/md5-586.pl b/src/lib/libcrypto/md5/asm/md5-586.pl
index 5fc6a205ce..fa3fa3bed5 100644
--- a/src/lib/libcrypto/md5/asm/md5-586.pl
+++ b/src/lib/libcrypto/md5/asm/md5-586.pl
@@ -293,7 +293,7 @@ sub md5_block
          &mov(&DWP(12,$tmp2,"",0),$D);
 
         &cmp($tmp1,$X) unless $normal;                  # check count
-         &jge(&label("start")) unless $normal;
+         &jae(&label("start")) unless $normal;
 
         &pop("eax"); # pop the temp variable off the stack
          &pop("ebx");
diff --git a/src/lib/libcrypto/md5/asm/md5-sparcv9.S b/src/lib/libcrypto/md5/asm/md5-sparcv9.S
index a599ed5660..db45aa4c97 100644
--- a/src/lib/libcrypto/md5/asm/md5-sparcv9.S
+++ b/src/lib/libcrypto/md5/asm/md5-sparcv9.S
@@ -34,10 +34,12 @@
  *
  * or if above fails (it does if you have gas):
  *
- *      gcc -E -DULTRASPARC -DMD5_BLOCK_DATA_ORDER md5_block.sparc.S | \
+ *      gcc -E -DOPENSSL_SYSNAMEULTRASPARC -DMD5_BLOCK_DATA_ORDER md5_block.sparc.S | \
  *              as -xarch=v8plus /dev/fd/0 -o md5-sparcv9.o
  */
 
+#include <openssl/e_os2.h>
+
 #define A       %o0
 #define B       %o1
 #define C       %o2
diff --git a/src/lib/libcrypto/o_time.c b/src/lib/libcrypto/o_time.c
index 723eb1b5af..785468131e 100644
--- a/src/lib/libcrypto/o_time.c
+++ b/src/lib/libcrypto/o_time.c
@@ -73,7 +73,7 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
         {
         struct tm *ts = NULL;
 
-#if defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_OS2) && !defined(__CYGWIN32__) && (!defined(OPENSSL_SYS_VMS) || defined(gmtime_r)) && !defined(OPENSSL_SYS_MACOSX)
+#if defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_OS2) && !defined(__CYGWIN32__) && (!defined(OPENSSL_SYS_VMS) || defined(gmtime_r)) && !defined(OPENSSL_SYS_MACOSX) && !defined(OPENSSL_SYS_SUNOS)
         /* should return &data, but doesn't on some systems,
            so we don't even look at the return value */
         gmtime_r(timer,result);
diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h
index 08cb1d5018..e226d9de79 100644
--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -25,8 +25,8 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER  0x0090702fL
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7b 10 Apr 2003"
+#define OPENSSL_VERSION_NUMBER  0x0090703fL
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7c 30 Sep 2003"
 #define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
 
diff --git a/src/lib/libcrypto/perlasm/x86ms.pl b/src/lib/libcrypto/perlasm/x86ms.pl
index 35f1a4ddb9..fbb4afb9bd 100644
--- a/src/lib/libcrypto/perlasm/x86ms.pl
+++ b/src/lib/libcrypto/perlasm/x86ms.pl
@@ -144,7 +144,10 @@ sub main'jle	{ &out1("jle",@_); }
 sub main'jz     { &out1("jz",@_); }
 sub main'jge    { &out1("jge",@_); }
 sub main'jl     { &out1("jl",@_); }
+sub main'ja     { &out1("ja",@_); }
+sub main'jae    { &out1("jae",@_); }
 sub main'jb     { &out1("jb",@_); }
+sub main'jbe    { &out1("jbe",@_); }
 sub main'jc     { &out1("jc",@_); }
 sub main'jnc    { &out1("jnc",@_); }
 sub main'jnz    { &out1("jnz",@_); }
diff --git a/src/lib/libcrypto/perlasm/x86nasm.pl b/src/lib/libcrypto/perlasm/x86nasm.pl
index f30b7466d4..30346af4ea 100644
--- a/src/lib/libcrypto/perlasm/x86nasm.pl
+++ b/src/lib/libcrypto/perlasm/x86nasm.pl
@@ -152,7 +152,10 @@ sub main'jle	{ &out1("jle NEAR",@_); }
 sub main'jz     { &out1("jz NEAR",@_); }
 sub main'jge    { &out1("jge NEAR",@_); }
 sub main'jl     { &out1("jl NEAR",@_); }
+sub main'ja     { &out1("ja NEAR",@_); }
+sub main'jae    { &out1("jae NEAR",@_); }
 sub main'jb     { &out1("jb NEAR",@_); }
+sub main'jbe    { &out1("jbe NEAR",@_); }
 sub main'jc     { &out1("jc NEAR",@_); }
 sub main'jnc    { &out1("jnc NEAR",@_); }
 sub main'jnz    { &out1("jnz NEAR",@_); }
diff --git a/src/lib/libcrypto/perlasm/x86unix.pl b/src/lib/libcrypto/perlasm/x86unix.pl
index 72bde061c5..10b669bf04 100644
--- a/src/lib/libcrypto/perlasm/x86unix.pl
+++ b/src/lib/libcrypto/perlasm/x86unix.pl
@@ -156,7 +156,10 @@ sub main'jnz	{ &out1("jnz",@_); }
 sub main'jz     { &out1("jz",@_); }
 sub main'jge    { &out1("jge",@_); }
 sub main'jl     { &out1("jl",@_); }
+sub main'ja     { &out1("ja",@_); }
+sub main'jae    { &out1("jae",@_); }
 sub main'jb     { &out1("jb",@_); }
+sub main'jbe    { &out1("jbe",@_); }
 sub main'jc     { &out1("jc",@_); }
 sub main'jnc    { &out1("jnc",@_); }
 sub main'jno    { &out1("jno",@_); }
diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c
index 0060a2ea3d..190ca0e9bf 100644
--- a/src/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/src/lib/libcrypto/pkcs7/pk7_doit.c
@@ -767,6 +767,11 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
                         }
                 if (EVP_MD_CTX_type(mdc) == md_type)
                         break;
+                /* Workaround for some broken clients that put the signature
+                 * OID instead of the digest OID in digest_alg->algorithm
+                 */
+                if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type)
+                        break;
                 btmp=BIO_next(btmp);
                 }
 
diff --git a/src/lib/libcrypto/pkcs7/pk7_mime.c b/src/lib/libcrypto/pkcs7/pk7_mime.c
index 086d394270..5d2a97839d 100644
--- a/src/lib/libcrypto/pkcs7/pk7_mime.c
+++ b/src/lib/libcrypto/pkcs7/pk7_mime.c
@@ -3,7 +3,7 @@
  * project 1999.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -101,7 +101,7 @@ static int mime_param_cmp(const MIME_PARAM * const *a,
 static void mime_param_free(MIME_PARAM *param);
 static int mime_bound_check(char *line, int linelen, char *bound, int blen);
 static int multi_split(BIO *bio, char *bound, STACK_OF(BIO) **ret);
-static int iscrlf(char c);
+static int strip_eol(char *linebuf, int *plen);
 static MIME_HEADER *mime_hdr_find(STACK_OF(MIME_HEADER) *hdrs, char *name);
 static MIME_PARAM *mime_param_find(MIME_HEADER *hdr, char *name);
 static void mime_hdr_free(MIME_HEADER *hdr);
@@ -150,9 +150,17 @@ static PKCS7 *B64_read_PKCS7(BIO *bio)
 
 int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
 {
-        char linebuf[MAX_SMLEN];
         char bound[33], c;
         int i;
+        char *mime_prefix, *mime_eol;
+        if (flags & PKCS7_NOOLDMIMETYPE)
+                mime_prefix = "application/pkcs7-";
+        else
+                mime_prefix = "application/x-pkcs7-";
+        if (flags & PKCS7_CRLFEOL)
+                mime_eol = "\r\n";
+        else
+                mime_eol = "\n";
         if((flags & PKCS7_DETACHED) && data) {
         /* We want multipart/signed */
                 /* Generate a random boundary */
@@ -164,34 +172,42 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
                         bound[i] = c;
                 }
                 bound[32] = 0;
-                BIO_printf(bio, "MIME-Version: 1.0\n");
+                BIO_printf(bio, "MIME-Version: 1.0%s", mime_eol);
                 BIO_printf(bio, "Content-Type: multipart/signed;");
-                BIO_printf(bio, " protocol=\"application/x-pkcs7-signature\";");
-                BIO_printf(bio, " micalg=sha1; boundary=\"----%s\"\n\n", bound);
-                BIO_printf(bio, "This is an S/MIME signed message\n\n");
+                BIO_printf(bio, " protocol=\"%ssignature\";", mime_prefix);
+                BIO_printf(bio, " micalg=sha1; boundary=\"----%s\"%s%s",
+                                                bound, mime_eol, mime_eol);
+                BIO_printf(bio, "This is an S/MIME signed message%s%s",
+                                                mime_eol, mime_eol);
                 /* Now write out the first part */
-                BIO_printf(bio, "------%s\n", bound);
-                if(flags & PKCS7_TEXT) BIO_printf(bio, "Content-Type: text/plain\n\n");
-                while((i = BIO_read(data, linebuf, MAX_SMLEN)) > 0) 
-                                                BIO_write(bio, linebuf, i);
-                BIO_printf(bio, "\n------%s\n", bound);
+                BIO_printf(bio, "------%s%s", bound, mime_eol);
+                SMIME_crlf_copy(data, bio, flags);
+                BIO_printf(bio, "%s------%s%s", mime_eol, bound, mime_eol);
 
                 /* Headers for signature */
 
-                BIO_printf(bio, "Content-Type: application/x-pkcs7-signature; name=\"smime.p7s\"\n");
-                BIO_printf(bio, "Content-Transfer-Encoding: base64\n");
-                BIO_printf(bio, "Content-Disposition: attachment; filename=\"smime.p7s\"\n\n");
+                BIO_printf(bio, "Content-Type: %ssignature;", mime_prefix); 
+                BIO_printf(bio, " name=\"smime.p7s\"%s", mime_eol);
+                BIO_printf(bio, "Content-Transfer-Encoding: base64%s",
+                                                                mime_eol);
+                BIO_printf(bio, "Content-Disposition: attachment;");
+                BIO_printf(bio, " filename=\"smime.p7s\"%s%s",
+                                                        mime_eol, mime_eol);
                 B64_write_PKCS7(bio, p7);
-                BIO_printf(bio,"\n------%s--\n\n", bound);
+                BIO_printf(bio,"%s------%s--%s%s", mime_eol, bound,
+                                                mime_eol, mime_eol);
                 return 1;
         }
         /* MIME headers */
-        BIO_printf(bio, "MIME-Version: 1.0\n");
-        BIO_printf(bio, "Content-Disposition: attachment; filename=\"smime.p7m\"\n");
-        BIO_printf(bio, "Content-Type: application/x-pkcs7-mime; name=\"smime.p7m\"\n");
-        BIO_printf(bio, "Content-Transfer-Encoding: base64\n\n");
+        BIO_printf(bio, "MIME-Version: 1.0%s", mime_eol);
+        BIO_printf(bio, "Content-Disposition: attachment;");
+        BIO_printf(bio, " filename=\"smime.p7m\"%s", mime_eol);
+        BIO_printf(bio, "Content-Type: %smime;", mime_prefix);
+        BIO_printf(bio, " name=\"smime.p7m\"%s", mime_eol);
+        BIO_printf(bio, "Content-Transfer-Encoding: base64%s%s",
+                                                mime_eol, mime_eol);
         B64_write_PKCS7(bio, p7);
-        BIO_printf(bio, "\n");
+        BIO_printf(bio, "%s", mime_eol);
         return 1;
 }
 
@@ -316,12 +332,9 @@ int SMIME_crlf_copy(BIO *in, BIO *out, int flags)
         }
         if(flags & PKCS7_TEXT) BIO_printf(out, "Content-Type: text/plain\r\n\r\n");
         while ((len = BIO_gets(in, linebuf, MAX_SMLEN)) > 0) {
-                eol = 0;
-                while(iscrlf(linebuf[len - 1])) {
-                        len--;
-                        eol = 1;
-                }       
-                BIO_write(out, linebuf, len);
+                eol = strip_eol(linebuf, &len);
+                if (len)
+                        BIO_write(out, linebuf, len);
                 if(eol) BIO_write(out, "\r\n", 2);
         }
         return 1;
@@ -364,6 +377,7 @@ static int multi_split(BIO *bio, char *bound, STACK_OF(BIO) **ret)
 {
         char linebuf[MAX_SMLEN];
         int len, blen;
+        int eol = 0, next_eol = 0;
         BIO *bpart = NULL;
         STACK_OF(BIO) *parts;
         char state, part, first;
@@ -383,26 +397,23 @@ static int multi_split(BIO *bio, char *bound, STACK_OF(BIO) **ret)
                         sk_BIO_push(parts, bpart);
                         return 1;
                 } else if(part) {
+                        /* Strip CR+LF from linebuf */
+                        next_eol = strip_eol(linebuf, &len);
                         if(first) {
                                 first = 0;
                                 if(bpart) sk_BIO_push(parts, bpart);
                                 bpart = BIO_new(BIO_s_mem());
-                                
-                        } else BIO_write(bpart, "\r\n", 2);
-                        /* Strip CR+LF from linebuf */
-                        while(iscrlf(linebuf[len - 1])) len--;
-                        BIO_write(bpart, linebuf, len);
+                                BIO_set_mem_eof_return(bpart, 0);
+                        } else if (eol)
+                                BIO_write(bpart, "\r\n", 2);
+                        eol = next_eol;
+                        if (len)
+                                BIO_write(bpart, linebuf, len);
                 }
         }
         return 0;
 }
 
-static int iscrlf(char c)
-{
-        if(c == '\r' || c == '\n') return 1;
-        return 0;
-}
-
 /* This is the big one: parse MIME header lines up to message body */
 
 #define MIME_INVALID    0
@@ -683,3 +694,21 @@ static int mime_bound_check(char *line, int linelen, char *bound, int blen)
         }
         return 0;
 }
+
+static int strip_eol(char *linebuf, int *plen)
+        {
+        int len = *plen;
+        char *p, c;
+        int is_eol = 0;
+        p = linebuf + len - 1;
+        for (p = linebuf + len - 1; len > 0; len--, p--)
+                {
+                c = *p;
+                if (c == '\n')
+                        is_eol = 1;
+                else if (c != '\r')
+                        break;
+                }
+        *plen = len;
+        return is_eol;
+        }
diff --git a/src/lib/libcrypto/pkcs7/pk7_smime.c b/src/lib/libcrypto/pkcs7/pk7_smime.c
index f0d071e282..6e5735de11 100644
--- a/src/lib/libcrypto/pkcs7/pk7_smime.c
+++ b/src/lib/libcrypto/pkcs7/pk7_smime.c
@@ -3,7 +3,7 @@
  * project 1999.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/src/lib/libcrypto/pkcs7/pkcs7.h b/src/lib/libcrypto/pkcs7/pkcs7.h
index 5819700a85..15372e18f8 100644
--- a/src/lib/libcrypto/pkcs7/pkcs7.h
+++ b/src/lib/libcrypto/pkcs7/pkcs7.h
@@ -260,6 +260,8 @@ DECLARE_PKCS12_STACK_OF(PKCS7)
 #define PKCS7_BINARY            0x80
 #define PKCS7_NOATTR            0x100
 #define PKCS7_NOSMIMECAP        0x200
+#define PKCS7_NOOLDMIMETYPE     0x400
+#define PKCS7_CRLFEOL           0x800
 
 /* Flags: for compatibility with older code */
 
diff --git a/src/lib/libcrypto/rand/rand_win.c b/src/lib/libcrypto/rand/rand_win.c
index 113b58678f..263068d256 100644
--- a/src/lib/libcrypto/rand/rand_win.c
+++ b/src/lib/libcrypto/rand/rand_win.c
@@ -162,6 +162,7 @@ typedef BOOL (WINAPI *GETCURSORINFO)(PCURSORINFO);
 typedef DWORD (WINAPI *GETQUEUESTATUS)(UINT);
 
 typedef HANDLE (WINAPI *CREATETOOLHELP32SNAPSHOT)(DWORD, DWORD);
+typedef BOOL (WINAPI *CLOSETOOLHELP32SNAPSHOT)(HANDLE);
 typedef BOOL (WINAPI *HEAP32FIRST)(LPHEAPENTRY32, DWORD, DWORD);
 typedef BOOL (WINAPI *HEAP32NEXT)(LPHEAPENTRY32);
 typedef BOOL (WINAPI *HEAP32LIST)(HANDLE, LPHEAPLIST32);
@@ -431,7 +432,7 @@ int RAND_poll(void)
          * This seeding method was proposed in Peter Gutmann, Software
          * Generation of Practically Strong Random Numbers,
          * http://www.usenix.org/publications/library/proceedings/sec98/gutmann.html
-     * revised version at http://www.cryptoengines.com/~peter/06_random.pdf
+         * revised version at http://www.cryptoengines.com/~peter/06_random.pdf
          * (The assignment of entropy estimates below is arbitrary, but based
          * on Peter's analysis the full poll appears to be safe. Additional
          * interactive seeding is encouraged.)
@@ -440,6 +441,7 @@ int RAND_poll(void)
         if (kernel)
                 {
                 CREATETOOLHELP32SNAPSHOT snap;
+                CLOSETOOLHELP32SNAPSHOT close_snap;
                 HANDLE handle;
 
                 HEAP32FIRST heap_first;
@@ -457,6 +459,8 @@ int RAND_poll(void)
 
                 snap = (CREATETOOLHELP32SNAPSHOT)
                         GetProcAddress(kernel, TEXT("CreateToolhelp32Snapshot"));
+                close_snap = (CLOSETOOLHELP32SNAPSHOT)
+                        GetProcAddress(kernel, TEXT("CloseToolhelp32Snapshot"));
                 heap_first = (HEAP32FIRST) GetProcAddress(kernel, TEXT("Heap32First"));
                 heap_next = (HEAP32NEXT) GetProcAddress(kernel, TEXT("Heap32Next"));
                 heaplist_first = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListFirst"));
@@ -472,7 +476,7 @@ int RAND_poll(void)
                         heaplist_next && process_first && process_next &&
                         thread_first && thread_next && module_first &&
                         module_next && (handle = snap(TH32CS_SNAPALL,0))
-                        != NULL)
+                        != INVALID_HANDLE_VALUE)
                         {
                         /* heap list and heap walking */
                         /* HEAPLIST32 contains 3 fields that will change with
@@ -534,8 +538,10 @@ int RAND_poll(void)
                                 do
                                         RAND_add(&m, m.dwSize, 9);
                                 while (module_next(handle, &m));
-
-                        CloseHandle(handle);
+                        if (close_snap)
+                                close_snap(handle);
+                        else
+                                CloseHandle(handle);
                         }
 
                 FreeLibrary(kernel);
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index e26a68b482..62fa745f79 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -158,11 +158,6 @@ struct rsa_st
 #define RSA_FLAG_CACHE_PUBLIC           0x02
 #define RSA_FLAG_CACHE_PRIVATE          0x04
 #define RSA_FLAG_BLINDING               0x08
-#define RSA_FLAG_NO_BLINDING            0x80 /* new with 0.9.6j and 0.9.7b; the built-in
-                                              * RSA implementation now uses blinding by
-                                              * default (ignoring RSA_FLAG_BLINDING),
-                                              * but other engines might not need it
-                                              */
 #define RSA_FLAG_THREAD_SAFE            0x10
 /* This flag means the private key operations will be handled by rsa_mod_exp
  * and that they do not depend on the private key components being present:
@@ -175,7 +170,11 @@ struct rsa_st
  */
 #define RSA_FLAG_SIGN_VER               0x40
 
-#define RSA_FLAG_NO_BLINDING            0x80
+#define RSA_FLAG_NO_BLINDING            0x80 /* new with 0.9.6j and 0.9.7b; the built-in
+                                              * RSA implementation now uses blinding by
+                                              * default (ignoring RSA_FLAG_BLINDING),
+                                              * but other engines might not need it
+                                              */
 
 #define RSA_PKCS1_PADDING       1
 #define RSA_SSLV23_PADDING      2
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index 027b4dc754..e0d286266e 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -484,6 +484,8 @@ err:
         if (ctx != NULL) BN_CTX_free(ctx);
         BN_clear_free(&f);
         BN_clear_free(&ret);
+        if (local_blinding)
+                BN_BLINDING_free(blinding);
         if (buf != NULL)
                 {
                 OPENSSL_cleanse(buf,num);
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
index 53c5092014..e4d622851e 100644
--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -316,7 +316,7 @@ void RSA_blinding_off(RSA *rsa)
 
 int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
         {
-        BIGNUM *A,*Ai;
+        BIGNUM *A,*Ai = NULL;
         BN_CTX *ctx;
         int ret=0;
 
@@ -327,8 +327,12 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
         else
                 ctx=p_ctx;
 
+        /* XXXXX: Shouldn't this be RSA_blinding_off(rsa)? */
         if (rsa->blinding != NULL)
+                {
                 BN_BLINDING_free(rsa->blinding);
+                rsa->blinding = NULL;
+                }
 
         /* NB: similar code appears in setup_blinding (rsa_eay.c);
          * this should be placed in a new function of its own, but for reasons
@@ -356,9 +360,9 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
         rsa->blinding->thread_id = CRYPTO_thread_id();
         rsa->flags |= RSA_FLAG_BLINDING;
         rsa->flags &= ~RSA_FLAG_NO_BLINDING;
-        BN_free(Ai);
         ret=1;
 err:
+        if (Ai != NULL) BN_free(Ai);
         BN_CTX_end(ctx);
         if (ctx != p_ctx) BN_CTX_free(ctx);
         return(ret);
diff --git a/src/lib/libcrypto/util/libeay.num b/src/lib/libcrypto/util/libeay.num
index f5c8c0be8a..203c7713e7 100644
--- a/src/lib/libcrypto/util/libeay.num
+++ b/src/lib/libcrypto/util/libeay.num
@@ -2801,3 +2801,5 @@ BIO_indent                              3242	EXIST::FUNCTION:
 BUF_strlcpy                             3243    EXIST::FUNCTION:
 OpenSSLDie                              3244    EXIST::FUNCTION:
 OPENSSL_cleanse                         3245    EXIST::FUNCTION:
+ENGINE_setup_bsd_cryptodev              3246    EXIST:__FreeBSD__:FUNCTION:ENGINE
+ERR_release_err_state_table             3247    EXIST::FUNCTION:LHASH
diff --git a/src/lib/libcrypto/util/pl/Mingw32.pl b/src/lib/libcrypto/util/pl/Mingw32.pl
index 043a3a53ee..4bee638c4a 100644
--- a/src/lib/libcrypto/util/pl/Mingw32.pl
+++ b/src/lib/libcrypto/util/pl/Mingw32.pl
@@ -85,7 +85,7 @@ sub do_lib_rule
         ($Name=$name) =~ tr/a-z/A-Z/;
 
         $ret.="$target: \$(${Name}OBJ)\n";
-        $ret.="\t\$(RM) $target\n";
+        $ret.="\tif exist $target \$(RM) $target\n";
         $ret.="\t\$(MKLIB) $target \$(${Name}OBJ)\n";
         $ret.="\t\$(RANLIB) $target\n\n";
         }
diff --git a/src/lib/libcrypto/util/point.sh b/src/lib/libcrypto/util/point.sh
index ce7dcc56df..4790e08f8a 100644
--- a/src/lib/libcrypto/util/point.sh
+++ b/src/lib/libcrypto/util/point.sh
@@ -1,10 +1,10 @@
 #!/bin/sh
 
-rm -f $2
+rm -f "$2"
 if test "$OSTYPE" = msdosdjgpp; then
-    cp $1 $2
+    cp "$1" "$2"
 else
-    ln -s $1 $2
+    ln -s "$1" "$2"
 fi
 echo "$2 => $1"
 
diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c
index 17d69ac005..881252608d 100644
--- a/src/lib/libcrypto/x509/x509_trs.c
+++ b/src/lib/libcrypto/x509/x509_trs.c
@@ -82,6 +82,7 @@ static X509_TRUST trstandard[] = {
 {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
 {X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
 {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
+{X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL},
 {X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},
 {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL}
 };
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 04997ba456..2bb21b443e 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -453,9 +453,9 @@ static int check_revocation(X509_STORE_CTX *ctx)
         if (!(ctx->flags & X509_V_FLAG_CRL_CHECK))
                 return 1;
         if (ctx->flags & X509_V_FLAG_CRL_CHECK_ALL)
-                last = 0;
-        else
                 last = sk_X509_num(ctx->chain) - 1;
+        else
+                last = 0;
         for(i = 0; i <= last; i++)
                 {
                 ctx->error_depth = i;
diff --git a/src/lib/libcrypto/x509/x509type.c b/src/lib/libcrypto/x509/x509type.c
index 8e78b34458..f78c2a6b43 100644
--- a/src/lib/libcrypto/x509/x509type.c
+++ b/src/lib/libcrypto/x509/x509type.c
@@ -99,14 +99,15 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
         case EVP_PKEY_RSA:
                 ret|=EVP_PKS_RSA;
                 break;
-        case EVP_PKS_DSA:
+        case EVP_PKEY_DSA:
                 ret|=EVP_PKS_DSA;
                 break;
         default:
                 break;
                 }
 
-        if (EVP_PKEY_size(pk) <= 512)
+        if (EVP_PKEY_size(pk) <= 512/8) /* /8 because it's 512 bits we look
+                                           for, not bytes */
                 ret|=EVP_PKT_EXP;
         if(pkey==NULL) EVP_PKEY_free(pk);
         return(ret);
diff --git a/src/lib/libcrypto/x509v3/v3_conf.c b/src/lib/libcrypto/x509v3/v3_conf.c
index 1a3448e121..1284d5aaa5 100644
--- a/src/lib/libcrypto/x509v3/v3_conf.c
+++ b/src/lib/libcrypto/x509v3/v3_conf.c
@@ -236,7 +236,7 @@ static int v3_check_critical(char **value)
 static int v3_check_generic(char **value)
 {
         char *p = *value;
-        if ((strlen(p) < 4) || strncmp(p, "DER:,", 4)) return 0;
+        if ((strlen(p) < 4) || strncmp(p, "DER:", 4)) return 0;
         p+=4;
         while (isspace((unsigned char)*p)) p++;
         *value = p;
diff --git a/src/lib/libcrypto/x509v3/v3_cpols.c b/src/lib/libcrypto/x509v3/v3_cpols.c
index 0d4ab1f680..0d554f3a2c 100644
--- a/src/lib/libcrypto/x509v3/v3_cpols.c
+++ b/src/lib/libcrypto/x509v3/v3_cpols.c
@@ -73,7 +73,7 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
                                  STACK_OF(CONF_VALUE) *polstrs, int ia5org);
 static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
                                         STACK_OF(CONF_VALUE) *unot, int ia5org);
-static STACK_OF(ASN1_INTEGER) *nref_nos(STACK_OF(CONF_VALUE) *nos);
+static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
 
 X509V3_EXT_METHOD v3_cpols = {
 NID_certificate_policies, 0,ASN1_ITEM_ref(CERTIFICATEPOLICIES),
@@ -226,6 +226,8 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
                         qual = notice_section(ctx, unot, ia5org);
                         X509V3_section_free(ctx, unot);
                         if(!qual) goto err;
+                        if(!pol->qualifiers) pol->qualifiers =
+                                                 sk_POLICYQUALINFO_new_null();
                         if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
                                                                  goto merr;
                 } else {
@@ -255,7 +257,7 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
 static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
                                         STACK_OF(CONF_VALUE) *unot, int ia5org)
 {
-        int i;
+        int i, ret;
         CONF_VALUE *cnf;
         USERNOTICE *not;
         POLICYQUALINFO *qual;
@@ -275,8 +277,8 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
                                 if(!(nref = NOTICEREF_new())) goto merr;
                                 not->noticeref = nref;
                         } else nref = not->noticeref;
-                        if(ia5org) nref->organization = M_ASN1_IA5STRING_new();
-                        else nref->organization = M_ASN1_VISIBLESTRING_new();
+                        if(ia5org) nref->organization->type = V_ASN1_IA5STRING;
+                        else nref->organization->type = V_ASN1_VISIBLESTRING;
                         if(!ASN1_STRING_set(nref->organization, cnf->value,
                                                  strlen(cnf->value))) goto merr;
                 } else if(!strcmp(cnf->name, "noticeNumbers")) {
@@ -292,12 +294,12 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
                                 X509V3_conf_err(cnf);
                                 goto err;
                         }
-                        nref->noticenos = nref_nos(nos);
+                        ret = nref_nos(nref->noticenos, nos);
                         sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
-                        if(!nref->noticenos) goto err;
+                        if (!ret)
+                                goto err;
                 } else {
                         X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_OPTION);
-
                         X509V3_conf_err(cnf);
                         goto err;
                 }
@@ -319,15 +321,13 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
         return NULL;
 }
 
-static STACK_OF(ASN1_INTEGER) *nref_nos(STACK_OF(CONF_VALUE) *nos)
+static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
 {
-        STACK_OF(ASN1_INTEGER) *nnums;
         CONF_VALUE *cnf;
         ASN1_INTEGER *aint;
 
         int i;
 
-        if(!(nnums = sk_ASN1_INTEGER_new_null())) goto merr;
         for(i = 0; i < sk_CONF_VALUE_num(nos); i++) {
                 cnf = sk_CONF_VALUE_value(nos, i);
                 if(!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
@@ -336,14 +336,14 @@ static STACK_OF(ASN1_INTEGER) *nref_nos(STACK_OF(CONF_VALUE) *nos)
                 }
                 if(!sk_ASN1_INTEGER_push(nnums, aint)) goto merr;
         }
-        return nnums;
+        return 1;
 
         merr:
         X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
 
         err:
         sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free);
-        return NULL;
+        return 0;
 }
 
 
diff --git a/src/lib/libcrypto/x509v3/v3_lib.c b/src/lib/libcrypto/x509v3/v3_lib.c
index 482ca8ccf5..ca5a4a4a57 100644
--- a/src/lib/libcrypto/x509v3/v3_lib.c
+++ b/src/lib/libcrypto/x509v3/v3_lib.c
@@ -202,6 +202,7 @@ void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
                 if(OBJ_obj2nid(ex->object) == nid) {
                         if(idx) {
                                 *idx = i;
+                                found_ex = ex;
                                 break;
                         } else if(found_ex) {
                                 /* Found more than one */
diff --git a/src/lib/libcrypto/x509v3/v3_prn.c b/src/lib/libcrypto/x509v3/v3_prn.c
index 754808b625..5d268eb768 100644
--- a/src/lib/libcrypto/x509v3/v3_prn.c
+++ b/src/lib/libcrypto/x509v3/v3_prn.c
@@ -184,7 +184,7 @@ int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts
                 j=X509_EXTENSION_get_critical(ex);
                 if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0)
                         return 0;
-                if(!X509V3_EXT_print(bp, ex, flag, 12))
+                if(!X509V3_EXT_print(bp, ex, flag, indent + 4))
                         {
                         BIO_printf(bp, "%*s", indent + 4, "");
                         M_ASN1_OCTET_STRING_print(bp,ex->value);
diff --git a/src/lib/libssl/src/CHANGES b/src/lib/libssl/src/CHANGES
index 1e85275800..b8630792ad 100644
--- a/src/lib/libssl/src/CHANGES
+++ b/src/lib/libssl/src/CHANGES
@@ -2,6 +2,57 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 0.9.7b and 0.9.7c  [30 Sep 2003]
+
+  *) Fix various bugs revealed by running the NISCC test suite:
+
+     Stop out of bounds reads in the ASN1 code when presented with
+     invalid tags (CAN-2003-0543 and CAN-2003-0544).
+     
+     Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545).
+
+     If verify callback ignores invalid public key errors don't try to check
+     certificate signature with the NULL public key.
+
+     [Steve Henson]
+
+  *) New -ignore_err option in ocsp application to stop the server
+     exiting on the first error in a request.
+     [Steve Henson]
+
+  *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+     if the server requested one: as stated in TLS 1.0 and SSL 3.0
+     specifications.
+     [Steve Henson]
+
+  *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
+     extra data after the compression methods not only for TLS 1.0
+     but also for SSL 3.0 (as required by the specification).
+     [Bodo Moeller; problem pointed out by Matthias Loepfe]
+
+  *) Change X509_certificate_type() to mark the key as exported/exportable
+     when it's 512 *bits* long, not 512 bytes.
+     [Richard Levitte]
+
+  *) Change AES_cbc_encrypt() so it outputs exact multiple of
+     blocks during encryption.
+     [Richard Levitte]
+
+  *) Various fixes to base64 BIO and non blocking I/O. On write 
+     flushes were not handled properly if the BIO retried. On read
+     data was not being buffered properly and had various logic bugs.
+     This also affects blocking I/O when the data being decoded is a
+     certain size.
+     [Steve Henson]
+
+  *) Various S/MIME bugfixes and compatibility changes:
+     output correct application/pkcs7 MIME type if
+     PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
+     Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
+     of files as .eml work). Correctly handle very long lines in MIME
+     parser.
+     [Steve Henson]
+
  Changes between 0.9.7a and 0.9.7b  [10 Apr 2003]
 
   *) Countermeasure against the Klima-Pokorny-Rosa extension of
@@ -120,6 +171,9 @@
 
  Changes between 0.9.6h and 0.9.7  [31 Dec 2002]
 
+  [NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after
+  OpenSSL 0.9.7.]
+
   *) Fix session ID handling in SSLv2 client code: the SERVER FINISHED
      code (06) was taken as the first octet of the session ID and the last
      octet was ignored consequently. As a result SSLv2 client side session
@@ -1938,6 +1992,57 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
   *) Clean old EAY MD5 hack from e_os.h.
      [Richard Levitte]
 
+ Changes between 0.9.6j and 0.9.6k  [30 Sep 2003]
+
+  *) Fix various bugs revealed by running the NISCC test suite:
+
+     Stop out of bounds reads in the ASN1 code when presented with
+     invalid tags (CAN-2003-0543 and CAN-2003-0544).
+     
+     If verify callback ignores invalid public key errors don't try to check
+     certificate signature with the NULL public key.
+
+     [Steve Henson]
+
+  *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+     if the server requested one: as stated in TLS 1.0 and SSL 3.0
+     specifications.
+     [Steve Henson]
+
+  *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
+     extra data after the compression methods not only for TLS 1.0
+     but also for SSL 3.0 (as required by the specification).
+     [Bodo Moeller; problem pointed out by Matthias Loepfe]
+
+  *) Change X509_certificate_type() to mark the key as exported/exportable
+     when it's 512 *bits* long, not 512 bytes.
+     [Richard Levitte]
+
+ Changes between 0.9.6i and 0.9.6j  [10 Apr 2003]
+
+  *) Countermeasure against the Klima-Pokorny-Rosa extension of
+     Bleichbacher's attack on PKCS #1 v1.5 padding: treat
+     a protocol version number mismatch like a decryption error
+     in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
+     [Bodo Moeller]
+
+  *) Turn on RSA blinding by default in the default implementation
+     to avoid a timing attack. Applications that don't want it can call
+     RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
+     They would be ill-advised to do so in most cases.
+     [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
+
+  *) Change RSA blinding code so that it works when the PRNG is not
+     seeded (in this case, the secret RSA exponent is abused as
+     an unpredictable seed -- if it is not unpredictable, there
+     is no point in blinding anyway).  Make RSA blinding thread-safe
+     by remembering the creator's thread ID in rsa->blinding and
+     having all other threads use local one-time blinding factors
+     (this requires more computation than sharing rsa->blinding, but
+     avoids excessive locking; and if an RSA object is not shared
+     between threads, blinding will still be very fast).
+     [Bodo Moeller]
+
  Changes between 0.9.6h and 0.9.6i  [19 Feb 2003]
 
   *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
diff --git a/src/lib/libssl/src/Configure b/src/lib/libssl/src/Configure
index 7763dc4138..61331dbb51 100644
--- a/src/lib/libssl/src/Configure
+++ b/src/lib/libssl/src/Configure
@@ -560,6 +560,8 @@ my %table=(
 "vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::",
 "vxworks-ppc750","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h \$(DEBUG_FLAG):::VXWORKS:-r:::::",
 "vxworks-ppc750-debug","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g:::VXWORKS:-r:::::",
+"vxworks-ppc860","ccppc:-nostdinc -msoft-float -DCPU=PPC860 -DNO_STRINGS_H -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::",
+"vxworks-mipsle","ccmips:-B\$(WIND_BASE)/host/\$(WIND_HOST_TYPE)/lib/gcc-lib/ -DL_ENDIAN -EL -Wl,-EL -mips2 -mno-branch-likely -G 0 -fno-builtin -msoft-float -DCPU=MIPS32 -DMIPSEL -DNO_STRINGS_H -I\$(WIND_BASE)/target/h:::VXWORKS:-r::::::::::::::::ranlibmips:",
 
 ##### Compaq Non-Stop Kernel (Tandem)
 "tandem-c89","c89:-Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN::(unknown):::THIRTY_TWO_BIT:::",
diff --git a/src/lib/libssl/src/FAQ b/src/lib/libssl/src/FAQ
index 7812ae88cb..ca5683def7 100644
--- a/src/lib/libssl/src/FAQ
+++ b/src/lib/libssl/src/FAQ
@@ -68,7 +68,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.7b was released on April 10, 2003.
+OpenSSL 0.9.7c was released on September 30, 2003.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
diff --git a/src/lib/libssl/src/INSTALL.W32 b/src/lib/libssl/src/INSTALL.W32
index 78d289e16a..0f6c302f0d 100644
--- a/src/lib/libssl/src/INSTALL.W32
+++ b/src/lib/libssl/src/INSTALL.W32
@@ -225,7 +225,7 @@
         $ md c:\openssl\lib
         $ md c:\openssl\include
         $ md c:\openssl\include\openssl
-        $ copy /b inc32\*               c:\openssl\include\openssl
+        $ copy /b inc32\openssl\*       c:\openssl\include\openssl
         $ copy /b out32dll\ssleay32.lib c:\openssl\lib
         $ copy /b out32dll\libeay32.lib c:\openssl\lib
         $ copy /b out32dll\ssleay32.dll c:\openssl\bin
diff --git a/src/lib/libssl/src/Makefile.org b/src/lib/libssl/src/Makefile.org
index 4d0627bfdd..e80b22a32a 100644
--- a/src/lib/libssl/src/Makefile.org
+++ b/src/lib/libssl/src/Makefile.org
@@ -78,7 +78,7 @@ MAKEDEPPROG=makedepend
 # gcc, then the driver will automatically translate it to -xarch=v8plus
 # and pass it down to assembler.
 AS=$(CC) -c
-ASFLAGS=$(CFLAG)
+ASFLAG=$(CFLAG)
 
 # Set BN_ASM to bn_asm.o if you want to use the C version
 BN_ASM= bn_asm.o
@@ -194,6 +194,7 @@ MAKE=     make -f Makefile.ssl
 MANDIR=$(OPENSSLDIR)/man
 MAN1=1
 MAN3=3
+MANSUFFIX=
 SHELL=/bin/sh
 
 TOP=    .
@@ -225,7 +226,7 @@ sub_all:
         do \
         if [ -d "$$i" ]; then \
                 (cd $$i && echo "making all in $$i..." && \
-                $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAGS='${ASFLAGS}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
+                $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
         else \
                 $(MAKE) $$i; \
         fi; \
@@ -410,7 +411,7 @@ do_svr3-shared:
                   find . -name "*.o" -print > allobjs ; \
                   OBJS= ; export OBJS ; \
                   for obj in `ar t lib$$i.a` ; do \
-                    OBJS="$${OBJS} `grep $$obj allobjs`" ; \
+                    OBJS="$${OBJS} `grep /$$obj allobjs`" ; \
                   done ; \
                   set -x; ${CC} ${SHARED_LDFLAGS} \
                         -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
@@ -435,7 +436,7 @@ do_svr5-shared:
                   find . -name "*.o" -print > allobjs ; \
                   OBJS= ; export OBJS ; \
                   for obj in `ar t lib$$i.a` ; do \
-                    OBJS="$${OBJS} `grep $$obj allobjs`" ; \
+                    OBJS="$${OBJS} `grep /$$obj allobjs`" ; \
                   done ; \
                   set -x; LD_LIBRARY_PATH=.:$$LD_LIBRARY_PATH \
                         ${CC} ${SHARED_LDFLAGS} \
@@ -831,6 +832,7 @@ install: all install_docs
                 fi; \
         fi
         cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
+        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
 
 install_docs:
         @$(PERL) $(TOP)/util/mkdir-p.pl \
@@ -847,33 +849,33 @@ install_docs:
         for i in doc/apps/*.pod; do \
                 fn=`basename $$i .pod`; \
                 if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
-                echo "installing man$$sec/$$fn.$$sec"; \
+                echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
                 (cd `$(PERL) util/dirname.pl $$i`; \
                 sh -c "$$pod2man \
                         --section=$$sec --center=OpenSSL \
                         --release=$(VERSION) `basename $$i`") \
-                        >  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \
+                        >  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
                 $(PERL) util/extract-names.pl < $$i | \
                         grep -v $$filecase "^$$fn\$$" | \
                         (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
                          while read n; do \
-                                $$here/util/point.sh $$fn.$$sec $$n.$$sec; \
+                                $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
                          done); \
         done; \
         for i in doc/crypto/*.pod doc/ssl/*.pod; do \
                 fn=`basename $$i .pod`; \
                 if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
-                echo "installing man$$sec/$$fn.$$sec"; \
+                echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
                 (cd `$(PERL) util/dirname.pl $$i`; \
                 sh -c "$$pod2man \
                         --section=$$sec --center=OpenSSL \
                         --release=$(VERSION) `basename $$i`") \
-                        >  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \
+                        >  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
                 $(PERL) util/extract-names.pl < $$i | \
                         grep -v $$filecase "^$$fn\$$" | \
                         (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
                          while read n; do \
-                                $$here/util/point.sh $$fn.$$sec $$n.$$sec; \
+                                $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
                          done); \
         done
 
diff --git a/src/lib/libssl/src/NEWS b/src/lib/libssl/src/NEWS
index dce63f0549..f0282ebb87 100644
--- a/src/lib/libssl/src/NEWS
+++ b/src/lib/libssl/src/NEWS
@@ -5,6 +5,13 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c:
+
+      o Security: fix various ASN1 parsing bugs.
+      o New -ignore_err option to OCSP utility.
+      o Various interop and bug fixes in S/MIME code.
+      o SSL/TLS protocol fix for unrequested client certificates.
+
   Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b:
 
       o Security: counter the Klima-Pokorny-Rosa extension of
@@ -73,6 +80,11 @@
       o SSL/TLS: add callback to retrieve SSL/TLS messages.
       o SSL/TLS: support AES cipher suites (RFC3268).
 
+  Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k:
+
+      o Security: fix various ASN1 parsing bugs.
+      o SSL/TLS protocol fix for unrequested client certificates.
+
   Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j:
 
       o Security: counter the Klima-Pokorny-Rosa extension of
diff --git a/src/lib/libssl/src/README b/src/lib/libssl/src/README
index 3af69bfdb5..65e3a12426 100644
--- a/src/lib/libssl/src/README
+++ b/src/lib/libssl/src/README
@@ -1,5 +1,5 @@
 
- OpenSSL 0.9.7b 10 Apr 2003
+ OpenSSL 0.9.7c 30 Sep 2003
 
  Copyright (c) 1998-2003 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/src/lib/libssl/src/apps/ocsp.c b/src/lib/libssl/src/apps/ocsp.c
index 17e84366d9..e5f186fd5e 100644
--- a/src/lib/libssl/src/apps/ocsp.c
+++ b/src/lib/libssl/src/apps/ocsp.c
@@ -136,6 +136,7 @@ int MAIN(int argc, char **argv)
         int accept_count = -1;
         int badarg = 0;
         int i;
+        int ignore_err = 0;
         STACK *reqnames = NULL;
         STACK_OF(OCSP_CERTID) *ids = NULL;
 
@@ -195,6 +196,8 @@ int MAIN(int argc, char **argv)
                                 }
                         else badarg = 1;
                         }
+                else if (!strcmp(*args, "-ignore_err"))
+                        ignore_err = 1;
                 else if (!strcmp(*args, "-noverify"))
                         noverify = 1;
                 else if (!strcmp(*args, "-nonce"))
@@ -809,6 +812,8 @@ int MAIN(int argc, char **argv)
                 {
                 BIO_printf(out, "Responder Error: %s (%ld)\n",
                                 OCSP_response_status_str(i), i);
+                if (ignore_err)
+                        goto redo_accept;
                 ret = 0;
                 goto end;
                 }
diff --git a/src/lib/libssl/src/apps/pkcs8.c b/src/lib/libssl/src/apps/pkcs8.c
index 6be27e7f44..ee8cf02813 100644
--- a/src/lib/libssl/src/apps/pkcs8.c
+++ b/src/lib/libssl/src/apps/pkcs8.c
@@ -235,7 +235,7 @@ int MAIN(int argc, char **argv)
                         return (1);
                 }
                 if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) {
-                        BIO_printf(bio_err, "Error converting key\n", outfile);
+                        BIO_printf(bio_err, "Error converting key\n");
                         ERR_print_errors(bio_err);
                         return (1);
                 }
@@ -259,8 +259,7 @@ int MAIN(int argc, char **argv)
                         if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
                                         p8pass, strlen(p8pass),
                                         NULL, 0, iter, p8inf))) {
-                                BIO_printf(bio_err, "Error encrypting key\n",
-                                                                 outfile);
+                                BIO_printf(bio_err, "Error encrypting key\n");
                                 ERR_print_errors(bio_err);
                                 return (1);
                         }
@@ -303,7 +302,7 @@ int MAIN(int argc, char **argv)
                 }
 
                 if (!p8) {
-                        BIO_printf (bio_err, "Error reading key\n", outfile);
+                        BIO_printf (bio_err, "Error reading key\n");
                         ERR_print_errors(bio_err);
                         return (1);
                 }
@@ -317,13 +316,13 @@ int MAIN(int argc, char **argv)
         }
 
         if (!p8inf) {
-                BIO_printf(bio_err, "Error decrypting key\n", outfile);
+                BIO_printf(bio_err, "Error decrypting key\n");
                 ERR_print_errors(bio_err);
                 return (1);
         }
 
         if (!(pkey = EVP_PKCS82PKEY(p8inf))) {
-                BIO_printf(bio_err, "Error converting key\n", outfile);
+                BIO_printf(bio_err, "Error converting key\n");
                 ERR_print_errors(bio_err);
                 return (1);
         }
diff --git a/src/lib/libssl/src/apps/s_apps.h b/src/lib/libssl/src/apps/s_apps.h
index ff18a72fe0..66b6edd442 100644
--- a/src/lib/libssl/src/apps/s_apps.h
+++ b/src/lib/libssl/src/apps/s_apps.h
@@ -112,6 +112,14 @@
 #include <sys/types.h>
 #include <openssl/opensslconf.h>
 
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+#include <conio.h>
+#endif
+
+#ifdef OPENSSL_SYS_MSDOS
+#define _kbhit kbhit
+#endif
+
 #if defined(OPENSSL_SYS_VMS) && !defined(FD_SET)
 /* VAX C does not defined fd_set and friends, but it's actually quite simple */
 /* These definitions are borrowed from SOCKETSHR.       /Richard Levitte */
diff --git a/src/lib/libssl/src/apps/s_client.c b/src/lib/libssl/src/apps/s_client.c
index efa4902abd..1128735d49 100644
--- a/src/lib/libssl/src/apps/s_client.c
+++ b/src/lib/libssl/src/apps/s_client.c
@@ -136,10 +136,6 @@ typedef unsigned int u_int;
 #include <openssl/rand.h>
 #include "s_apps.h"
 
-#ifdef OPENSSL_SYS_WINDOWS
-#include <conio.h>
-#endif
-
 #ifdef OPENSSL_SYS_WINCE
 /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
 #ifdef fileno
@@ -221,7 +217,7 @@ static void sc_usage(void)
         BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
         BIO_printf(bio_err,"                 for those protocols that support it, where\n");
         BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
-        BIO_printf(bio_err,"                 only \"smtp\" is supported.\n");
+        BIO_printf(bio_err,"                 only \"smtp\" and \"pop3\" are supported.\n");
 #ifndef OPENSSL_NO_ENGINE
         BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
 #endif
@@ -251,7 +247,7 @@ int MAIN(int argc, char **argv)
         int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
         SSL_CTX *ctx=NULL;
         int ret=1,in_init=1,i,nbio_test=0;
-        int smtp_starttls = 0;
+        int starttls_proto = 0;
         int prexit = 0, vflags = 0;
         SSL_METHOD *meth=NULL;
         BIO *sbio;
@@ -260,7 +256,7 @@ int MAIN(int argc, char **argv)
         char *engine_id=NULL;
         ENGINE *e=NULL;
 #endif
-#ifdef OPENSSL_SYS_WINDOWS
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
         struct timeval tv;
 #endif
 
@@ -415,7 +411,9 @@ int MAIN(int argc, char **argv)
                         if (--argc < 1) goto bad;
                         ++argv;
                         if (strcmp(*argv,"smtp") == 0)
-                                smtp_starttls = 1;
+                                starttls_proto = 1;
+                        else if (strcmp(*argv,"pop3") == 0)
+                                starttls_proto = 2;
                         else
                                 goto bad;
                         }
@@ -587,12 +585,18 @@ re_start:
         sbuf_off=0;
 
         /* This is an ugly hack that does a lot of assumptions */
-        if (smtp_starttls)
+        if (starttls_proto == 1)
                 {
                 BIO_read(sbio,mbuf,BUFSIZZ);
                 BIO_printf(sbio,"STARTTLS\r\n");
                 BIO_read(sbio,sbuf,BUFSIZZ);
                 }
+        if (starttls_proto == 2)
+                {
+                BIO_read(sbio,mbuf,BUFSIZZ);
+                BIO_printf(sbio,"STLS\r\n");
+                BIO_read(sbio,sbuf,BUFSIZZ);
+                }
 
         for (;;)
                 {
@@ -613,11 +617,11 @@ re_start:
                                 print_stuff(bio_c_out,con,full_log);
                                 if (full_log > 0) full_log--;
 
-                                if (smtp_starttls)
+                                if (starttls_proto)
                                         {
                                         BIO_printf(bio_err,"%s",mbuf);
                                         /* We don't need to know any more */
-                                        smtp_starttls = 0;
+                                        starttls_proto = 0;
                                         }
 
                                 if (reconnect)
@@ -636,7 +640,7 @@ re_start:
 
                 if (!ssl_pending)
                         {
-#ifndef OPENSSL_SYS_WINDOWS
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
                         if (tty_on)
                                 {
                                 if (read_tty)  FD_SET(fileno(stdin),&readfds);
@@ -663,8 +667,8 @@ re_start:
                          * will choke the compiler: if you do have a cast then
                          * you can either go for (int *) or (void *).
                          */
-#ifdef OPENSSL_SYS_WINDOWS
-                        /* Under Windows we make the assumption that we can
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+                        /* Under Windows/DOS we make the assumption that we can
                          * always write to the tty: therefore if we need to
                          * write to the tty we just fall through. Otherwise
                          * we timeout the select every second and see if there
@@ -678,7 +682,7 @@ re_start:
                                         tv.tv_usec = 0;
                                         i=select(width,(void *)&readfds,(void *)&writefds,
                                                  NULL,&tv);
-#ifdef OPENSSL_SYS_WINCE
+#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
                                         if(!i && (!_kbhit() || !read_tty) ) continue;
 #else
                                         if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
@@ -847,8 +851,8 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240
                                 }
                         }
 
-#ifdef OPENSSL_SYS_WINDOWS
-#ifdef OPENSSL_SYS_WINCE
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
                 else if (_kbhit())
 #else
                 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
diff --git a/src/lib/libssl/src/apps/s_server.c b/src/lib/libssl/src/apps/s_server.c
index 5157aae4d1..ff4ab6ef28 100644
--- a/src/lib/libssl/src/apps/s_server.c
+++ b/src/lib/libssl/src/apps/s_server.c
@@ -140,10 +140,6 @@ typedef unsigned int u_int;
 #include <openssl/rand.h>
 #include "s_apps.h"
 
-#ifdef OPENSSL_SYS_WINDOWS
-#include <conio.h>
-#endif
-
 #ifdef OPENSSL_SYS_WINCE
 /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
 #ifdef fileno
@@ -917,7 +913,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
         unsigned long l;
         SSL *con=NULL;
         BIO *sbio;
-#ifdef OPENSSL_SYS_WINDOWS
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
         struct timeval tv;
 #endif
 
@@ -991,7 +987,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
                 if (!read_from_sslcon)
                         {
                         FD_ZERO(&readfds);
-#ifndef OPENSSL_SYS_WINDOWS
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
                         FD_SET(fileno(stdin),&readfds);
 #endif
                         FD_SET(s,&readfds);
@@ -1001,8 +997,8 @@ static int sv_body(char *hostname, int s, unsigned char *context)
                          * the compiler: if you do have a cast then you can either
                          * go for (int *) or (void *).
                          */
-#ifdef OPENSSL_SYS_WINDOWS
-                        /* Under Windows we can't select on stdin: only
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+                        /* Under DOS (non-djgpp) and Windows we can't select on stdin: only
                          * on sockets. As a workaround we timeout the select every
                          * second and check for any keypress. In a proper Windows
                          * application we wouldn't do this because it is inefficient.
@@ -1263,7 +1259,13 @@ static int init_ssl_connection(SSL *con)
         if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) &
                 TLS1_FLAGS_TLS_PADDING_BUG)
                 BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n");
-
+#ifndef OPENSSL_NO_KRB5
+        if (con->kssl_ctx->client_princ != NULL)
+                {
+                BIO_printf(bio_s_out,"Kerberos peer principal is %s\n",
+                        con->kssl_ctx->client_princ);
+                }
+#endif /* OPENSSL_NO_KRB5 */
         return(1);
         }
 
diff --git a/src/lib/libssl/src/apps/smime.c b/src/lib/libssl/src/apps/smime.c
index cc248d377b..51bc893ffa 100644
--- a/src/lib/libssl/src/apps/smime.c
+++ b/src/lib/libssl/src/apps/smime.c
@@ -168,6 +168,10 @@ int MAIN(int argc, char **argv)
                                 flags |= PKCS7_BINARY;
                 else if (!strcmp (*args, "-nosigs"))
                                 flags |= PKCS7_NOSIGS;
+                else if (!strcmp (*args, "-nooldmime"))
+                                flags |= PKCS7_NOOLDMIMETYPE;
+                else if (!strcmp (*args, "-crlfeol"))
+                                flags |= PKCS7_CRLFEOL;
                 else if (!strcmp (*args, "-crl_check"))
                                 store_flags |= X509_V_FLAG_CRL_CHECK;
                 else if (!strcmp (*args, "-crl_check_all"))
diff --git a/src/lib/libssl/src/apps/x509.c b/src/lib/libssl/src/apps/x509.c
index e300bb82cf..64e233e444 100644
--- a/src/lib/libssl/src/apps/x509.c
+++ b/src/lib/libssl/src/apps/x509.c
@@ -1147,7 +1147,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
         else if (!(bs = load_serial(CAfile, serialfile, create)))
                 goto end;
 
-        if (!X509_STORE_add_cert(ctx,x)) goto end;
+/*      if (!X509_STORE_add_cert(ctx,x)) goto end;*/
 
         /* NOTE: this certificate can/should be self signed, unless it was
          * a certificate request in which case it is not. */
diff --git a/src/lib/libssl/src/bugs/SSLv3 b/src/lib/libssl/src/bugs/SSLv3
index db53e1343a..a75a1652d9 100644
--- a/src/lib/libssl/src/bugs/SSLv3
+++ b/src/lib/libssl/src/bugs/SSLv3
@@ -29,7 +29,7 @@ RC4-MD5, but a re-connect tries to use DES-CBC-SHA.  So netscape, when
 doing a re-connect, always takes the first cipher in the cipher list.
 
 If we accept a netscape connection, demand a client cert, have a
-non-self-sighed CA which does not have it's CA in netscape, and the
+non-self-signed CA which does not have it's CA in netscape, and the
 browser has a cert, it will crash/hang.  Works for 3.x and 4.xbeta
 
 Netscape browsers do not really notice the server sending a
diff --git a/src/lib/libssl/src/crypto/aes/aes.h b/src/lib/libssl/src/crypto/aes/aes.h
index 8294a41a3a..da067f4a8f 100644
--- a/src/lib/libssl/src/crypto/aes/aes.h
+++ b/src/lib/libssl/src/crypto/aes/aes.h
@@ -100,7 +100,7 @@ void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
         unsigned char *ivec, int *num);
 void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
         const unsigned long length, const AES_KEY *key,
-        unsigned char counter[AES_BLOCK_SIZE],
+        unsigned char ivec[AES_BLOCK_SIZE],
         unsigned char ecount_buf[AES_BLOCK_SIZE],
         unsigned int *num);
 
diff --git a/src/lib/libssl/src/crypto/aes/aes_cbc.c b/src/lib/libssl/src/crypto/aes/aes_cbc.c
index de438306b1..86b27b10d6 100644
--- a/src/lib/libssl/src/crypto/aes/aes_cbc.c
+++ b/src/lib/libssl/src/crypto/aes/aes_cbc.c
@@ -72,7 +72,7 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
 
         if (AES_ENCRYPT == enc) {
                 while (len >= AES_BLOCK_SIZE) {
-                        for(n=0; n < sizeof tmp; ++n)
+                        for(n=0; n < AES_BLOCK_SIZE; ++n)
                                 tmp[n] = in[n] ^ ivec[n];
                         AES_encrypt(tmp, out, key);
                         memcpy(ivec, out, AES_BLOCK_SIZE);
@@ -86,12 +86,12 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
                         for(n=len; n < AES_BLOCK_SIZE; ++n)
                                 tmp[n] = ivec[n];
                         AES_encrypt(tmp, tmp, key);
-                        memcpy(out, tmp, len);
-                        memcpy(ivec, tmp, sizeof tmp);
+                        memcpy(out, tmp, AES_BLOCK_SIZE);
+                        memcpy(ivec, tmp, AES_BLOCK_SIZE);
                 }                       
         } else {
                 while (len >= AES_BLOCK_SIZE) {
-                        memcpy(tmp, in, sizeof tmp);
+                        memcpy(tmp, in, AES_BLOCK_SIZE);
                         AES_decrypt(in, out, key);
                         for(n=0; n < AES_BLOCK_SIZE; ++n)
                                 out[n] ^= ivec[n];
@@ -101,11 +101,11 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
                         out += AES_BLOCK_SIZE;
                 }
                 if (len) {
-                        memcpy(tmp, in, sizeof tmp);
+                        memcpy(tmp, in, AES_BLOCK_SIZE);
                         AES_decrypt(tmp, tmp, key);
                         for(n=0; n < len; ++n)
                                 out[n] ^= ivec[n];
-                        memcpy(ivec, tmp, sizeof tmp);
+                        memcpy(ivec, tmp, AES_BLOCK_SIZE);
                 }                       
         }
 }
diff --git a/src/lib/libssl/src/crypto/aes/aes_ctr.c b/src/lib/libssl/src/crypto/aes/aes_ctr.c
index 59088499a0..79e1c18f19 100644
--- a/src/lib/libssl/src/crypto/aes/aes_ctr.c
+++ b/src/lib/libssl/src/crypto/aes/aes_ctr.c
@@ -62,19 +62,49 @@
 /* NOTE: CTR mode is big-endian.  The rest of the AES code
  * is endian-neutral. */
 
-/* increment counter (128-bit int) by 2^64 */
+/* increment counter (128-bit int) by 1 */
 static void AES_ctr128_inc(unsigned char *counter) {
         unsigned long c;
 
-        /* Grab 3rd dword of counter and increment */
+        /* Grab bottom dword of counter and increment */
 #ifdef L_ENDIAN
-        c = GETU32(counter + 8);
+        c = GETU32(counter +  0);
         c++;
-        PUTU32(counter + 8, c);
+        PUTU32(counter +  0, c);
 #else
-        c = GETU32(counter + 4);
+        c = GETU32(counter + 12);
         c++;
-        PUTU32(counter + 4, c);
+        PUTU32(counter + 12, c);
+#endif
+
+        /* if no overflow, we're done */
+        if (c)
+                return;
+
+        /* Grab 1st dword of counter and increment */
+#ifdef L_ENDIAN
+        c = GETU32(counter +  4);
+        c++;
+        PUTU32(counter +  4, c);
+#else
+        c = GETU32(counter +  8);
+        c++;
+        PUTU32(counter +  8, c);
+#endif
+
+        /* if no overflow, we're done */
+        if (c)
+                return;
+
+        /* Grab 2nd dword of counter and increment */
+#ifdef L_ENDIAN
+        c = GETU32(counter +  8);
+        c++;
+        PUTU32(counter +  8, c);
+#else
+        c = GETU32(counter +  4);
+        c++;
+        PUTU32(counter +  4, c);
 #endif
 
         /* if no overflow, we're done */
@@ -100,10 +130,16 @@ static void AES_ctr128_inc(unsigned char *counter) {
  * encrypted counter is kept in ecount_buf.  Both *num and
  * ecount_buf must be initialised with zeros before the first
  * call to AES_ctr128_encrypt().
+ *
+ * This algorithm assumes that the counter is in the x lower bits
+ * of the IV (ivec), and that the application has full control over
+ * overflow and the rest of the IV.  This implementation takes NO
+ * responsability for checking that the counter doesn't overflow
+ * into the rest of the IV when incremented.
  */
 void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
         const unsigned long length, const AES_KEY *key,
-        unsigned char counter[AES_BLOCK_SIZE],
+        unsigned char ivec[AES_BLOCK_SIZE],
         unsigned char ecount_buf[AES_BLOCK_SIZE],
         unsigned int *num) {
 
@@ -117,8 +153,8 @@ void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
 
         while (l--) {
                 if (n == 0) {
-                        AES_encrypt(counter, ecount_buf, key);
-                        AES_ctr128_inc(counter);
+                        AES_encrypt(ivec, ecount_buf, key);
+                        AES_ctr128_inc(ivec);
                 }
                 *(out++) = *(in++) ^ ecount_buf[n];
                 n = (n+1) % AES_BLOCK_SIZE;
diff --git a/src/lib/libssl/src/crypto/asn1/a_mbstr.c b/src/lib/libssl/src/crypto/asn1/a_mbstr.c
index 58b437bc84..c811b11776 100644
--- a/src/lib/libssl/src/crypto/asn1/a_mbstr.c
+++ b/src/lib/libssl/src/crypto/asn1/a_mbstr.c
@@ -296,7 +296,7 @@ static int in_utf8(unsigned long value, void *arg)
 
 static int out_utf8(unsigned long value, void *arg)
 {
-        long *outlen;
+        int *outlen;
         outlen = arg;
         *outlen += UTF8_putc(NULL, -1, value);
         return 1;
diff --git a/src/lib/libssl/src/crypto/asn1/a_strex.c b/src/lib/libssl/src/crypto/asn1/a_strex.c
index 1def6c6549..8abfdfe598 100644
--- a/src/lib/libssl/src/crypto/asn1/a_strex.c
+++ b/src/lib/libssl/src/crypto/asn1/a_strex.c
@@ -279,7 +279,7 @@ static int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING
  * otherwise it is the number of bytes per character
  */
 
-const static char tag2nbyte[] = {
+const static signed char tag2nbyte[] = {
         -1, -1, -1, -1, -1,     /* 0-4 */
         -1, -1, -1, -1, -1,     /* 5-9 */
         -1, -1, 0, -1,          /* 10-13 */
diff --git a/src/lib/libssl/src/crypto/asn1/a_strnid.c b/src/lib/libssl/src/crypto/asn1/a_strnid.c
index aa49e9d7d0..613bbc4a7d 100644
--- a/src/lib/libssl/src/crypto/asn1/a_strnid.c
+++ b/src/lib/libssl/src/crypto/asn1/a_strnid.c
@@ -143,7 +143,7 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,
 /* Now the tables and helper functions for the string table:
  */
 
-/* size limits: this stuff is taken straight from RFC2459 */
+/* size limits: this stuff is taken straight from RFC3280 */
 
 #define ub_name                         32768
 #define ub_common_name                  64
@@ -153,6 +153,8 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,
 #define ub_organization_unit_name       64
 #define ub_title                        64
 #define ub_email_address                128
+#define ub_serial_number                64
+
 
 /* This table must be kept in NID order */
 
@@ -170,6 +172,7 @@ static ASN1_STRING_TABLE tbl_standard[] = {
 {NID_givenName,                 1, ub_name, DIRSTRING_TYPE, 0},
 {NID_surname,                   1, ub_name, DIRSTRING_TYPE, 0},
 {NID_initials,                  1, ub_name, DIRSTRING_TYPE, 0},
+{NID_serialNumber,              1, ub_serial_number, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},
 {NID_friendlyName,              -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK},
 {NID_name,                      1, ub_name, DIRSTRING_TYPE, 0},
 {NID_dnQualifier,               -1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},
diff --git a/src/lib/libssl/src/crypto/bio/b_print.c b/src/lib/libssl/src/crypto/bio/b_print.c
index a9e552f245..2cfc689dd6 100644
--- a/src/lib/libssl/src/crypto/bio/b_print.c
+++ b/src/lib/libssl/src/crypto/bio/b_print.c
@@ -836,5 +836,5 @@ int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
                  * had the buffer been large enough.) */
                 return -1;
         else
-                return (retlen <= INT_MAX) ? retlen : -1;
+                return (retlen <= INT_MAX) ? (int)retlen : -1;
         }
diff --git a/src/lib/libssl/src/crypto/bio/bf_buff.c b/src/lib/libssl/src/crypto/bio/bf_buff.c
index 1cecd70579..c1fd75aaad 100644
--- a/src/lib/libssl/src/crypto/bio/bf_buff.c
+++ b/src/lib/libssl/src/crypto/bio/bf_buff.c
@@ -494,6 +494,7 @@ static int buffer_gets(BIO *b, char *buf, int size)
                         if (i <= 0)
                                 {
                                 BIO_copy_next_retry(b);
+                                *buf='\0';
                                 if (i < 0) return((num > 0)?num:i);
                                 if (i == 0) return(num);
                                 }
diff --git a/src/lib/libssl/src/crypto/bio/bss_bio.c b/src/lib/libssl/src/crypto/bio/bss_bio.c
index aa58dab046..0f9f0955b4 100644
--- a/src/lib/libssl/src/crypto/bio/bss_bio.c
+++ b/src/lib/libssl/src/crypto/bio/bss_bio.c
@@ -1,4 +1,57 @@
 /* crypto/bio/bss_bio.c  -*- Mode: C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 /* Special method for a BIO where the other endpoint is also a BIO
  * of this kind, handled by the same thread (i.e. the "peer" is actually
@@ -502,7 +555,7 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr)
                 break;
                 
         case BIO_C_DESTROY_BIO_PAIR:
-                /* Effects both BIOs in the pair -- call just once!
+                /* Affects both BIOs in the pair -- call just once!
                  * Or let BIO_free(bio1); BIO_free(bio2); do the job. */
                 bio_destroy_pair(bio);
                 ret = 1;
diff --git a/src/lib/libssl/src/crypto/bio/bss_file.c b/src/lib/libssl/src/crypto/bio/bss_file.c
index e4e9df144c..0ca603ee0a 100644
--- a/src/lib/libssl/src/crypto/bio/bss_file.c
+++ b/src/lib/libssl/src/crypto/bio/bss_file.c
@@ -213,12 +213,29 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
                 b->shutdown=(int)num&BIO_CLOSE;
                 b->ptr=(char *)ptr;
                 b->init=1;
-#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS)
-                /* Set correct text/binary mode */
+#if defined(OPENSSL_SYS_WINDOWS)
                 if (num & BIO_FP_TEXT)
                         _setmode(fileno((FILE *)ptr),_O_TEXT);
                 else
                         _setmode(fileno((FILE *)ptr),_O_BINARY);
+#elif defined(OPENSSL_SYS_MSDOS)
+                {
+                int fd = fileno((FILE*)ptr);
+                /* Set correct text/binary mode */
+                if (num & BIO_FP_TEXT)
+                        _setmode(fd,_O_TEXT);
+                /* Dangerous to set stdin/stdout to raw (unless redirected) */
+                else
+                        {
+                        if (fd == STDIN_FILENO || fd == STDOUT_FILENO)
+                                {
+                                if (isatty(fd) <= 0)
+                                        _setmode(fd,_O_BINARY);
+                                }
+                        else
+                                _setmode(fd,_O_BINARY);
+                        }
+                }
 #elif defined(OPENSSL_SYS_OS2)
                 if (num & BIO_FP_TEXT)
                         setmode(fileno((FILE *)ptr), O_TEXT);
diff --git a/src/lib/libssl/src/crypto/bn/Makefile.ssl b/src/lib/libssl/src/crypto/bn/Makefile.ssl
index fa17d3c7d8..0c6e796d17 100644
--- a/src/lib/libssl/src/crypto/bn/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/bn/Makefile.ssl
@@ -22,6 +22,7 @@ BN_ASM=		bn_asm.o
 #BN_ASM=        bn86-elf.o
 
 CFLAGS= $(INCLUDES) $(CFLAG)
+ASFLAGS= $(INCLUDES) $(ASFLAG)
 
 GENERAL=Makefile
 TEST=bntest.c exptest.c
diff --git a/src/lib/libssl/src/crypto/bn/bn_mul.c b/src/lib/libssl/src/crypto/bn/bn_mul.c
index cb93ac3356..3ae3822bc2 100644
--- a/src/lib/libssl/src/crypto/bn/bn_mul.c
+++ b/src/lib/libssl/src/crypto/bn/bn_mul.c
@@ -224,7 +224,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
              int n, BN_ULONG *t)
         {
         int i,j,n2=n*2;
-        unsigned int c1,c2,neg,zero;
+        int c1,c2,neg,zero;
         BN_ULONG ln,lo,*p;
 
 # ifdef BN_COUNT
@@ -376,7 +376,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
 
                 /* The overflow will stop before we over write
                  * words we should not overwrite */
-                if (ln < c1)
+                if (ln < (BN_ULONG)c1)
                         {
                         do      {
                                 p++;
diff --git a/src/lib/libssl/src/crypto/des/cfb_enc.c b/src/lib/libssl/src/crypto/des/cfb_enc.c
index 17bf77ca9e..2600bdfc93 100644
--- a/src/lib/libssl/src/crypto/des/cfb_enc.c
+++ b/src/lib/libssl/src/crypto/des/cfb_enc.c
@@ -64,32 +64,22 @@
  * the second.  The second 12 bits will come from the 3rd and half the 4th
  * byte.
  */
+/* WARNING WARNING: this uses in and out in 8-byte chunks regardless of
+ * length */
+/* Until Aug 1 2003 this function did not correctly implement CFB-r, so it
+ * will not be compatible with any encryption prior to that date. Ben. */
 void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
-                     long length, DES_key_schedule *schedule, DES_cblock *ivec, int enc)
+                     long length, DES_key_schedule *schedule, DES_cblock *ivec,
+                     int enc)
         {
         register DES_LONG d0,d1,v0,v1,n=(numbits+7)/8;
-        register DES_LONG mask0,mask1;
         register unsigned long l=length;
         register int num=numbits;
         DES_LONG ti[2];
         unsigned char *iv;
+        unsigned char ovec[16];
 
         if (num > 64) return;
-        if (num > 32)
-                {
-                mask0=0xffffffffL;
-                if (num == 64)
-                        mask1=mask0;
-                else    mask1=(1L<<(num-32))-1;
-                }
-        else
-                {
-                if (num == 32)
-                        mask0=0xffffffffL;
-                else    mask0=(1L<<num)-1;
-                mask1=0x00000000L;
-                }
-
         iv = &(*ivec)[0];
         c2l(iv,v0);
         c2l(iv,v1);
@@ -103,8 +93,8 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
                         DES_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT);
                         c2ln(in,d0,d1,n);
                         in+=n;
-                        d0=(d0^ti[0])&mask0;
-                        d1=(d1^ti[1])&mask1;
+                        d0^=ti[0];
+                        d1^=ti[1];
                         l2cn(d0,d1,out,n);
                         out+=n;
                         /* 30-08-94 - eay - changed because l>>32 and
@@ -113,15 +103,25 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
                                 { v0=v1; v1=d0; }
                         else if (num == 64)
                                 { v0=d0; v1=d1; }
-                        else if (num > 32) /* && num != 64 */
-                                {
-                                v0=((v1>>(num-32))|(d0<<(64-num)))&0xffffffffL;
-                                v1=((d0>>(num-32))|(d1<<(64-num)))&0xffffffffL;
-                                }
-                        else /* num < 32 */
+                        else
                                 {
-                                v0=((v0>>num)|(v1<<(32-num)))&0xffffffffL;
-                                v1=((v1>>num)|(d0<<(32-num)))&0xffffffffL;
+                                iv=&ovec[0];
+                                l2c(v0,iv);
+                                l2c(v1,iv);
+                                l2c(d0,iv);
+                                l2c(d1,iv);
+                                /* shift ovec left most of the bits... */
+                                memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
+                                /* now the remaining bits */
+                                if(num%8 != 0)
+                                        for(n=0 ; n < 8 ; ++n)
+                                                {
+                                                ovec[n]<<=num%8;
+                                                ovec[n]|=ovec[n+1]>>(8-num%8);
+                                                }
+                                iv=&ovec[0];
+                                c2l(iv,v0);
+                                c2l(iv,v1);
                                 }
                         }
                 }
@@ -141,18 +141,28 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
                                 { v0=v1; v1=d0; }
                         else if (num == 64)
                                 { v0=d0; v1=d1; }
-                        else if (num > 32) /* && num != 64 */
-                                {
-                                v0=((v1>>(num-32))|(d0<<(64-num)))&0xffffffffL;
-                                v1=((d0>>(num-32))|(d1<<(64-num)))&0xffffffffL;
-                                }
-                        else /* num < 32 */
+                        else
                                 {
-                                v0=((v0>>num)|(v1<<(32-num)))&0xffffffffL;
-                                v1=((v1>>num)|(d0<<(32-num)))&0xffffffffL;
+                                iv=&ovec[0];
+                                l2c(v0,iv);
+                                l2c(v1,iv);
+                                l2c(d0,iv);
+                                l2c(d1,iv);
+                                /* shift ovec left most of the bits... */
+                                memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
+                                /* now the remaining bits */
+                                if(num%8 != 0)
+                                        for(n=0 ; n < 8 ; ++n)
+                                                {
+                                                ovec[n]<<=num%8;
+                                                ovec[n]|=ovec[n+1]>>(8-num%8);
+                                                }
+                                iv=&ovec[0];
+                                c2l(iv,v0);
+                                c2l(iv,v1);
                                 }
-                        d0=(d0^ti[0])&mask0;
-                        d1=(d1^ti[1])&mask1;
+                        d0^=ti[0];
+                        d1^=ti[1];
                         l2cn(d0,d1,out,n);
                         out+=n;
                         }
diff --git a/src/lib/libssl/src/crypto/des/destest.c b/src/lib/libssl/src/crypto/des/destest.c
index 687c00c792..3983ac8e5f 100644
--- a/src/lib/libssl/src/crypto/des/destest.c
+++ b/src/lib/libssl/src/crypto/des/destest.c
@@ -431,7 +431,7 @@ int main(int argc, char *argv[])
 
 #ifndef LIBDES_LIT
         printf("Doing ede ecb\n");
-        for (i=0; i<(NUM_TESTS-1); i++)
+        for (i=0; i<(NUM_TESTS-2); i++)
                 {
                 DES_set_key_unchecked(&key_data[i],&ks);
                 DES_set_key_unchecked(&key_data[i+1],&ks2);
diff --git a/src/lib/libssl/src/crypto/dso/dso_dlfcn.c b/src/lib/libssl/src/crypto/dso/dso_dlfcn.c
index 906b4703de..9d49ebc253 100644
--- a/src/lib/libssl/src/crypto/dso/dso_dlfcn.c
+++ b/src/lib/libssl/src/crypto/dso/dso_dlfcn.c
@@ -125,7 +125,11 @@ DSO_METHOD *DSO_METHOD_dlfcn(void)
 #               endif
 #       endif
 #else
-#       define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */
+#       ifdef OPENSSL_SYS_SUNOS
+#               define DLOPEN_FLAG 1
+#       else
+#               define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */
+#       endif
 #endif
 
 /* For this DSO_METHOD, our meth_data STACK will contain;
diff --git a/src/lib/libssl/src/crypto/ec/ec_mult.c b/src/lib/libssl/src/crypto/ec/ec_mult.c
index 4dbc931120..16822a73cf 100644
--- a/src/lib/libssl/src/crypto/ec/ec_mult.c
+++ b/src/lib/libssl/src/crypto/ec/ec_mult.c
@@ -175,12 +175,13 @@ static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len, B
  *       (thus the boundaries should be increased)
  */
 #define EC_window_bits_for_scalar_size(b) \
-                ((b) >= 2000 ? 6 : \
-                 (b) >=  800 ? 5 : \
-                 (b) >=  300 ? 4 : \
-                 (b) >=   70 ? 3 : \
-                 (b) >=   20 ? 2 : \
-                  1)
+                ((size_t) \
+                 ((b) >= 2000 ? 6 : \
+                  (b) >=  800 ? 5 : \
+                  (b) >=  300 ? 4 : \
+                  (b) >=   70 ? 3 : \
+                  (b) >=   20 ? 2 : \
+                   1))
 
 /* Compute
  *      \sum scalars[i]*points[i],
diff --git a/src/lib/libssl/src/crypto/engine/engine.h b/src/lib/libssl/src/crypto/engine/engine.h
index 8686879e1a..9c3ab182d3 100644
--- a/src/lib/libssl/src/crypto/engine/engine.h
+++ b/src/lib/libssl/src/crypto/engine/engine.h
@@ -538,10 +538,10 @@ void ENGINE_add_conf_module(void);
 /**************************/
 
 /* Binary/behaviour compatibility levels */
-#define OSSL_DYNAMIC_VERSION            (unsigned long)0x00010100
+#define OSSL_DYNAMIC_VERSION            (unsigned long)0x00010200
 /* Binary versions older than this are too old for us (whether we're a loader or
  * a loadee) */
-#define OSSL_DYNAMIC_OLDEST             (unsigned long)0x00010100
+#define OSSL_DYNAMIC_OLDEST             (unsigned long)0x00010200
 
 /* When compiling an ENGINE entirely as an external shared library, loadable by
  * the "dynamic" ENGINE, these types are needed. The 'dynamic_fns' structure
@@ -630,6 +630,10 @@ typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id,
                 if(!fn(e,id)) return 0; \
                 return 1; }
 
+#if defined(__OpenBSD__) || defined(__FreeBSD__)
+void ENGINE_setup_bsd_cryptodev(void);
+#endif
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
diff --git a/src/lib/libssl/src/crypto/engine/hw_ubsec.c b/src/lib/libssl/src/crypto/engine/hw_ubsec.c
index 6286dd851c..5234a08a07 100644
--- a/src/lib/libssl/src/crypto/engine/hw_ubsec.c
+++ b/src/lib/libssl/src/crypto/engine/hw_ubsec.c
@@ -561,7 +561,6 @@ static int ubsec_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                 UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_BN_EXPAND_FAIL);
                 return 0;
         }
-        memset(r->d, 0, BN_num_bytes(m));
 
         if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
                 fd = 0;
diff --git a/src/lib/libssl/src/crypto/err/err.c b/src/lib/libssl/src/crypto/err/err.c
index a4f4a260af..6ab119c1ef 100644
--- a/src/lib/libssl/src/crypto/err/err.c
+++ b/src/lib/libssl/src/crypto/err/err.c
@@ -225,6 +225,7 @@ struct st_ERR_FNS
         ERR_STRING_DATA *(*cb_err_del_item)(ERR_STRING_DATA *);
         /* Works on the "thread_hash" error-state table */
         LHASH *(*cb_thread_get)(int create);
+        void (*cb_thread_release)(LHASH **hash);
         ERR_STATE *(*cb_thread_get_item)(const ERR_STATE *);
         ERR_STATE *(*cb_thread_set_item)(ERR_STATE *);
         void (*cb_thread_del_item)(const ERR_STATE *);
@@ -239,6 +240,7 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *);
 static ERR_STRING_DATA *int_err_set_item(ERR_STRING_DATA *);
 static ERR_STRING_DATA *int_err_del_item(ERR_STRING_DATA *);
 static LHASH *int_thread_get(int create);
+static void int_thread_release(LHASH **hash);
 static ERR_STATE *int_thread_get_item(const ERR_STATE *);
 static ERR_STATE *int_thread_set_item(ERR_STATE *);
 static void int_thread_del_item(const ERR_STATE *);
@@ -252,6 +254,7 @@ static const ERR_FNS err_defaults =
         int_err_set_item,
         int_err_del_item,
         int_thread_get,
+        int_thread_release,
         int_thread_get_item,
         int_thread_set_item,
         int_thread_del_item,
@@ -271,6 +274,7 @@ static const ERR_FNS *err_fns = NULL;
  * and state in the loading application. */
 static LHASH *int_error_hash = NULL;
 static LHASH *int_thread_hash = NULL;
+static int int_thread_hash_references = 0;
 static int int_err_library_number= ERR_LIB_USER;
 
 /* Internal function that checks whether "err_fns" is set and if not, sets it to
@@ -417,11 +421,37 @@ static LHASH *int_thread_get(int create)
                 CRYPTO_pop_info();
                 }
         if (int_thread_hash)
+                {
+                int_thread_hash_references++;
                 ret = int_thread_hash;
+                }
         CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
         return ret;
         }
 
+static void int_thread_release(LHASH **hash)
+        {
+        int i;
+
+        if (hash == NULL || *hash == NULL)
+                return;
+
+        i = CRYPTO_add(&int_thread_hash_references, -1, CRYPTO_LOCK_ERR);
+
+#ifdef REF_PRINT
+        fprintf(stderr,"%4d:%s\n",int_thread_hash_references,"ERR");
+#endif
+        if (i > 0) return;
+#ifdef REF_CHECK
+        if (i < 0)
+                {
+                fprintf(stderr,"int_thread_release, bad reference count\n");
+                abort(); /* ok */
+                }
+#endif
+        *hash = NULL;
+        }
+
 static ERR_STATE *int_thread_get_item(const ERR_STATE *d)
         {
         ERR_STATE *p;
@@ -436,6 +466,7 @@ static ERR_STATE *int_thread_get_item(const ERR_STATE *d)
         p = (ERR_STATE *)lh_retrieve(hash, d);
         CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
 
+        ERRFN(thread_release)(&hash);
         return p;
         }
 
@@ -453,6 +484,7 @@ static ERR_STATE *int_thread_set_item(ERR_STATE *d)
         p = (ERR_STATE *)lh_insert(hash, d);
         CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
 
+        ERRFN(thread_release)(&hash);
         return p;
         }
 
@@ -469,13 +501,15 @@ static void int_thread_del_item(const ERR_STATE *d)
         CRYPTO_w_lock(CRYPTO_LOCK_ERR);
         p = (ERR_STATE *)lh_delete(hash, d);
         /* make sure we don't leak memory */
-        if (int_thread_hash && (lh_num_items(int_thread_hash) == 0))
+        if (int_thread_hash_references == 1
+                && int_thread_hash && (lh_num_items(int_thread_hash) == 0))
                 {
                 lh_free(int_thread_hash);
                 int_thread_hash = NULL;
                 }
         CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
 
+        ERRFN(thread_release)(&hash);
         if (p)
                 ERR_STATE_free(p);
         }
@@ -845,6 +879,12 @@ LHASH *ERR_get_err_state_table(void)
         return ERRFN(thread_get)(0);
         }
 
+void ERR_release_err_state_table(LHASH **hash)
+        {
+        err_fns_check();
+        ERRFN(thread_release)(hash);
+        }
+
 const char *ERR_lib_error_string(unsigned long e)
         {
         ERR_STRING_DATA d,*p;
diff --git a/src/lib/libssl/src/crypto/err/err.h b/src/lib/libssl/src/crypto/err/err.h
index 988ef81aa0..8faa3a7b4f 100644
--- a/src/lib/libssl/src/crypto/err/err.h
+++ b/src/lib/libssl/src/crypto/err/err.h
@@ -278,6 +278,7 @@ ERR_STATE *ERR_get_state(void);
 #ifndef OPENSSL_NO_LHASH
 LHASH *ERR_get_string_table(void);
 LHASH *ERR_get_err_state_table(void);
+void ERR_release_err_state_table(LHASH **hash);
 #endif
 
 int ERR_get_next_error_library(void);
diff --git a/src/lib/libssl/src/crypto/evp/Makefile.ssl b/src/lib/libssl/src/crypto/evp/Makefile.ssl
index b4172406ae..f33aebd33a 100644
--- a/src/lib/libssl/src/crypto/evp/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/evp/Makefile.ssl
@@ -185,13 +185,14 @@ c_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 c_all.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
 c_all.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 c_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-c_all.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-c_all.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-c_all.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-c_all.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-c_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-c_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+c_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+c_all.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+c_all.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+c_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+c_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+c_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+c_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
 c_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 c_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 c_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
diff --git a/src/lib/libssl/src/crypto/evp/bio_b64.c b/src/lib/libssl/src/crypto/evp/bio_b64.c
index 6e550f6a43..33349c2f98 100644
--- a/src/lib/libssl/src/crypto/evp/bio_b64.c
+++ b/src/lib/libssl/src/crypto/evp/bio_b64.c
@@ -184,7 +184,9 @@ static int b64_read(BIO *b, char *out, int outl)
         ret_code=0;
         while (outl > 0)
                 {
-                if (ctx->cont <= 0) break;
+
+                if (ctx->cont <= 0)
+                        break;
 
                 i=BIO_read(b->next_bio,&(ctx->tmp[ctx->tmp_len]),
                         B64_BLOCK_SIZE-ctx->tmp_len);
@@ -195,11 +197,21 @@ static int b64_read(BIO *b, char *out, int outl)
 
                         /* Should be continue next time we are called? */
                         if (!BIO_should_retry(b->next_bio))
+                                {
                                 ctx->cont=i;
-                        /* else we should continue when called again */
-                        break;
+                                /* If buffer empty break */
+                                if(ctx->tmp_len == 0)
+                                        break;
+                                /* Fall through and process what we have */
+                                else
+                                        i = 0;
+                                }
+                        /* else we retry and add more data to buffer */
+                        else
+                                break;
                         }
                 i+=ctx->tmp_len;
+                ctx->tmp_len = i;
 
                 /* We need to scan, a line at a time until we
                  * have a valid line if we are starting. */
@@ -255,8 +267,12 @@ static int b64_read(BIO *b, char *out, int outl)
                                  * reading until a new line. */
                                 if (p == (unsigned char *)&(ctx->tmp[0]))
                                         {
-                                        ctx->tmp_nl=1;
-                                        ctx->tmp_len=0;
+                                        /* Check buffer full */
+                                        if (i == B64_BLOCK_SIZE)
+                                                {
+                                                ctx->tmp_nl=1;
+                                                ctx->tmp_len=0;
+                                                }
                                         }
                                 else if (p != q) /* finished on a '\n' */
                                         {
@@ -271,6 +287,11 @@ static int b64_read(BIO *b, char *out, int outl)
                         else
                                 ctx->tmp_len=0;
                         }
+                /* If buffer isn't full and we can retry then
+                 * restart to read in more data.
+                 */
+                else if ((i < B64_BLOCK_SIZE) && (ctx->cont > 0))
+                        continue;
 
                 if (BIO_get_flags(b) & BIO_FLAGS_BASE64_NO_NL)
                         {
@@ -310,8 +331,8 @@ static int b64_read(BIO *b, char *out, int outl)
                         i=EVP_DecodeUpdate(&(ctx->base64),
                                 (unsigned char *)ctx->buf,&ctx->buf_len,
                                 (unsigned char *)ctx->tmp,i);
+                        ctx->tmp_len = 0;
                         }
-                ctx->cont=i;
                 ctx->buf_off=0;
                 if (i < 0)
                         {
@@ -484,10 +505,7 @@ again:
                         {
                         i=b64_write(b,NULL,0);
                         if (i < 0)
-                                {
-                                ret=i;
-                                break;
-                                }
+                                return i;
                         }
                 if (BIO_get_flags(b) & BIO_FLAGS_BASE64_NO_NL)
                         {
diff --git a/src/lib/libssl/src/crypto/evp/c_all.c b/src/lib/libssl/src/crypto/evp/c_all.c
index 1b31a14e37..fa60a73ead 100644
--- a/src/lib/libssl/src/crypto/evp/c_all.c
+++ b/src/lib/libssl/src/crypto/evp/c_all.c
@@ -59,6 +59,9 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
 
 #if 0
 #undef OpenSSL_add_all_algorithms
diff --git a/src/lib/libssl/src/crypto/md2/md2test.c b/src/lib/libssl/src/crypto/md2/md2test.c
index 901d0a7d8e..9c1e28b6ce 100644
--- a/src/lib/libssl/src/crypto/md2/md2test.c
+++ b/src/lib/libssl/src/crypto/md2/md2test.c
@@ -59,7 +59,6 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <openssl/md2.h>
 
 #include "../e_os.h"
 
@@ -71,6 +70,7 @@ int main(int argc, char *argv[])
 }
 #else
 #include <openssl/evp.h>
+#include <openssl/md2.h>
 
 #ifdef CHARSET_EBCDIC
 #include <openssl/ebcdic.h>
diff --git a/src/lib/libssl/src/crypto/md5/Makefile.ssl b/src/lib/libssl/src/crypto/md5/Makefile.ssl
index b11ab476d6..2361775a2d 100644
--- a/src/lib/libssl/src/crypto/md5/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/md5/Makefile.ssl
@@ -6,7 +6,7 @@ DIR=    md5
 TOP=    ../..
 CC=     cc
 CPP=    $(CC) -E
-INCLUDES=
+INCLUDES=-I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
@@ -20,6 +20,7 @@ AR=             ar r
 MD5_ASM_OBJ=
 
 CFLAGS= $(INCLUDES) $(CFLAG)
+ASFLAGS= $(INCLUDES) $(ASFLAG)
 
 GENERAL=Makefile
 TEST=md5test.c
diff --git a/src/lib/libssl/src/crypto/md5/asm/md5-586.pl b/src/lib/libssl/src/crypto/md5/asm/md5-586.pl
index 5fc6a205ce..fa3fa3bed5 100644
--- a/src/lib/libssl/src/crypto/md5/asm/md5-586.pl
+++ b/src/lib/libssl/src/crypto/md5/asm/md5-586.pl
@@ -293,7 +293,7 @@ sub md5_block
          &mov(&DWP(12,$tmp2,"",0),$D);
 
         &cmp($tmp1,$X) unless $normal;                  # check count
-         &jge(&label("start")) unless $normal;
+         &jae(&label("start")) unless $normal;
 
         &pop("eax"); # pop the temp variable off the stack
          &pop("ebx");
diff --git a/src/lib/libssl/src/crypto/md5/asm/md5-sparcv9.S b/src/lib/libssl/src/crypto/md5/asm/md5-sparcv9.S
index a599ed5660..db45aa4c97 100644
--- a/src/lib/libssl/src/crypto/md5/asm/md5-sparcv9.S
+++ b/src/lib/libssl/src/crypto/md5/asm/md5-sparcv9.S
@@ -34,10 +34,12 @@
  *
  * or if above fails (it does if you have gas):
  *
- *      gcc -E -DULTRASPARC -DMD5_BLOCK_DATA_ORDER md5_block.sparc.S | \
+ *      gcc -E -DOPENSSL_SYSNAMEULTRASPARC -DMD5_BLOCK_DATA_ORDER md5_block.sparc.S | \
  *              as -xarch=v8plus /dev/fd/0 -o md5-sparcv9.o
  */
 
+#include <openssl/e_os2.h>
+
 #define A       %o0
 #define B       %o1
 #define C       %o2
diff --git a/src/lib/libssl/src/crypto/o_time.c b/src/lib/libssl/src/crypto/o_time.c
index 723eb1b5af..785468131e 100644
--- a/src/lib/libssl/src/crypto/o_time.c
+++ b/src/lib/libssl/src/crypto/o_time.c
@@ -73,7 +73,7 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
         {
         struct tm *ts = NULL;
 
-#if defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_OS2) && !defined(__CYGWIN32__) && (!defined(OPENSSL_SYS_VMS) || defined(gmtime_r)) && !defined(OPENSSL_SYS_MACOSX)
+#if defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_OS2) && !defined(__CYGWIN32__) && (!defined(OPENSSL_SYS_VMS) || defined(gmtime_r)) && !defined(OPENSSL_SYS_MACOSX) && !defined(OPENSSL_SYS_SUNOS)
         /* should return &data, but doesn't on some systems,
            so we don't even look at the return value */
         gmtime_r(timer,result);
diff --git a/src/lib/libssl/src/crypto/opensslv.h b/src/lib/libssl/src/crypto/opensslv.h
index 08cb1d5018..e226d9de79 100644
--- a/src/lib/libssl/src/crypto/opensslv.h
+++ b/src/lib/libssl/src/crypto/opensslv.h
@@ -25,8 +25,8 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER  0x0090702fL
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7b 10 Apr 2003"
+#define OPENSSL_VERSION_NUMBER  0x0090703fL
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7c 30 Sep 2003"
 #define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
 
diff --git a/src/lib/libssl/src/crypto/perlasm/x86ms.pl b/src/lib/libssl/src/crypto/perlasm/x86ms.pl
index 35f1a4ddb9..fbb4afb9bd 100644
--- a/src/lib/libssl/src/crypto/perlasm/x86ms.pl
+++ b/src/lib/libssl/src/crypto/perlasm/x86ms.pl
@@ -144,7 +144,10 @@ sub main'jle	{ &out1("jle",@_); }
 sub main'jz     { &out1("jz",@_); }
 sub main'jge    { &out1("jge",@_); }
 sub main'jl     { &out1("jl",@_); }
+sub main'ja     { &out1("ja",@_); }
+sub main'jae    { &out1("jae",@_); }
 sub main'jb     { &out1("jb",@_); }
+sub main'jbe    { &out1("jbe",@_); }
 sub main'jc     { &out1("jc",@_); }
 sub main'jnc    { &out1("jnc",@_); }
 sub main'jnz    { &out1("jnz",@_); }
diff --git a/src/lib/libssl/src/crypto/perlasm/x86nasm.pl b/src/lib/libssl/src/crypto/perlasm/x86nasm.pl
index f30b7466d4..30346af4ea 100644
--- a/src/lib/libssl/src/crypto/perlasm/x86nasm.pl
+++ b/src/lib/libssl/src/crypto/perlasm/x86nasm.pl
@@ -152,7 +152,10 @@ sub main'jle	{ &out1("jle NEAR",@_); }
 sub main'jz     { &out1("jz NEAR",@_); }
 sub main'jge    { &out1("jge NEAR",@_); }
 sub main'jl     { &out1("jl NEAR",@_); }
+sub main'ja     { &out1("ja NEAR",@_); }
+sub main'jae    { &out1("jae NEAR",@_); }
 sub main'jb     { &out1("jb NEAR",@_); }
+sub main'jbe    { &out1("jbe NEAR",@_); }
 sub main'jc     { &out1("jc NEAR",@_); }
 sub main'jnc    { &out1("jnc NEAR",@_); }
 sub main'jnz    { &out1("jnz NEAR",@_); }
diff --git a/src/lib/libssl/src/crypto/perlasm/x86unix.pl b/src/lib/libssl/src/crypto/perlasm/x86unix.pl
index 72bde061c5..10b669bf04 100644
--- a/src/lib/libssl/src/crypto/perlasm/x86unix.pl
+++ b/src/lib/libssl/src/crypto/perlasm/x86unix.pl
@@ -156,7 +156,10 @@ sub main'jnz	{ &out1("jnz",@_); }
 sub main'jz     { &out1("jz",@_); }
 sub main'jge    { &out1("jge",@_); }
 sub main'jl     { &out1("jl",@_); }
+sub main'ja     { &out1("ja",@_); }
+sub main'jae    { &out1("jae",@_); }
 sub main'jb     { &out1("jb",@_); }
+sub main'jbe    { &out1("jbe",@_); }
 sub main'jc     { &out1("jc",@_); }
 sub main'jnc    { &out1("jnc",@_); }
 sub main'jno    { &out1("jno",@_); }
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
index 0060a2ea3d..190ca0e9bf 100644
--- a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
@@ -767,6 +767,11 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
                         }
                 if (EVP_MD_CTX_type(mdc) == md_type)
                         break;
+                /* Workaround for some broken clients that put the signature
+                 * OID instead of the digest OID in digest_alg->algorithm
+                 */
+                if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type)
+                        break;
                 btmp=BIO_next(btmp);
                 }
 
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_mime.c b/src/lib/libssl/src/crypto/pkcs7/pk7_mime.c
index 086d394270..5d2a97839d 100644
--- a/src/lib/libssl/src/crypto/pkcs7/pk7_mime.c
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_mime.c
@@ -3,7 +3,7 @@
  * project 1999.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -101,7 +101,7 @@ static int mime_param_cmp(const MIME_PARAM * const *a,
 static void mime_param_free(MIME_PARAM *param);
 static int mime_bound_check(char *line, int linelen, char *bound, int blen);
 static int multi_split(BIO *bio, char *bound, STACK_OF(BIO) **ret);
-static int iscrlf(char c);
+static int strip_eol(char *linebuf, int *plen);
 static MIME_HEADER *mime_hdr_find(STACK_OF(MIME_HEADER) *hdrs, char *name);
 static MIME_PARAM *mime_param_find(MIME_HEADER *hdr, char *name);
 static void mime_hdr_free(MIME_HEADER *hdr);
@@ -150,9 +150,17 @@ static PKCS7 *B64_read_PKCS7(BIO *bio)
 
 int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
 {
-        char linebuf[MAX_SMLEN];
         char bound[33], c;
         int i;
+        char *mime_prefix, *mime_eol;
+        if (flags & PKCS7_NOOLDMIMETYPE)
+                mime_prefix = "application/pkcs7-";
+        else
+                mime_prefix = "application/x-pkcs7-";
+        if (flags & PKCS7_CRLFEOL)
+                mime_eol = "\r\n";
+        else
+                mime_eol = "\n";
         if((flags & PKCS7_DETACHED) && data) {
         /* We want multipart/signed */
                 /* Generate a random boundary */
@@ -164,34 +172,42 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
                         bound[i] = c;
                 }
                 bound[32] = 0;
-                BIO_printf(bio, "MIME-Version: 1.0\n");
+                BIO_printf(bio, "MIME-Version: 1.0%s", mime_eol);
                 BIO_printf(bio, "Content-Type: multipart/signed;");
-                BIO_printf(bio, " protocol=\"application/x-pkcs7-signature\";");
-                BIO_printf(bio, " micalg=sha1; boundary=\"----%s\"\n\n", bound);
-                BIO_printf(bio, "This is an S/MIME signed message\n\n");
+                BIO_printf(bio, " protocol=\"%ssignature\";", mime_prefix);
+                BIO_printf(bio, " micalg=sha1; boundary=\"----%s\"%s%s",
+                                                bound, mime_eol, mime_eol);
+                BIO_printf(bio, "This is an S/MIME signed message%s%s",
+                                                mime_eol, mime_eol);
                 /* Now write out the first part */
-                BIO_printf(bio, "------%s\n", bound);
-                if(flags & PKCS7_TEXT) BIO_printf(bio, "Content-Type: text/plain\n\n");
-                while((i = BIO_read(data, linebuf, MAX_SMLEN)) > 0) 
-                                                BIO_write(bio, linebuf, i);
-                BIO_printf(bio, "\n------%s\n", bound);
+                BIO_printf(bio, "------%s%s", bound, mime_eol);
+                SMIME_crlf_copy(data, bio, flags);
+                BIO_printf(bio, "%s------%s%s", mime_eol, bound, mime_eol);
 
                 /* Headers for signature */
 
-                BIO_printf(bio, "Content-Type: application/x-pkcs7-signature; name=\"smime.p7s\"\n");
-                BIO_printf(bio, "Content-Transfer-Encoding: base64\n");
-                BIO_printf(bio, "Content-Disposition: attachment; filename=\"smime.p7s\"\n\n");
+                BIO_printf(bio, "Content-Type: %ssignature;", mime_prefix); 
+                BIO_printf(bio, " name=\"smime.p7s\"%s", mime_eol);
+                BIO_printf(bio, "Content-Transfer-Encoding: base64%s",
+                                                                mime_eol);
+                BIO_printf(bio, "Content-Disposition: attachment;");
+                BIO_printf(bio, " filename=\"smime.p7s\"%s%s",
+                                                        mime_eol, mime_eol);
                 B64_write_PKCS7(bio, p7);
-                BIO_printf(bio,"\n------%s--\n\n", bound);
+                BIO_printf(bio,"%s------%s--%s%s", mime_eol, bound,
+                                                mime_eol, mime_eol);
                 return 1;
         }
         /* MIME headers */
-        BIO_printf(bio, "MIME-Version: 1.0\n");
-        BIO_printf(bio, "Content-Disposition: attachment; filename=\"smime.p7m\"\n");
-        BIO_printf(bio, "Content-Type: application/x-pkcs7-mime; name=\"smime.p7m\"\n");
-        BIO_printf(bio, "Content-Transfer-Encoding: base64\n\n");
+        BIO_printf(bio, "MIME-Version: 1.0%s", mime_eol);
+        BIO_printf(bio, "Content-Disposition: attachment;");
+        BIO_printf(bio, " filename=\"smime.p7m\"%s", mime_eol);
+        BIO_printf(bio, "Content-Type: %smime;", mime_prefix);
+        BIO_printf(bio, " name=\"smime.p7m\"%s", mime_eol);
+        BIO_printf(bio, "Content-Transfer-Encoding: base64%s%s",
+                                                mime_eol, mime_eol);
         B64_write_PKCS7(bio, p7);
-        BIO_printf(bio, "\n");
+        BIO_printf(bio, "%s", mime_eol);
         return 1;
 }
 
@@ -316,12 +332,9 @@ int SMIME_crlf_copy(BIO *in, BIO *out, int flags)
         }
         if(flags & PKCS7_TEXT) BIO_printf(out, "Content-Type: text/plain\r\n\r\n");
         while ((len = BIO_gets(in, linebuf, MAX_SMLEN)) > 0) {
-                eol = 0;
-                while(iscrlf(linebuf[len - 1])) {
-                        len--;
-                        eol = 1;
-                }       
-                BIO_write(out, linebuf, len);
+                eol = strip_eol(linebuf, &len);
+                if (len)
+                        BIO_write(out, linebuf, len);
                 if(eol) BIO_write(out, "\r\n", 2);
         }
         return 1;
@@ -364,6 +377,7 @@ static int multi_split(BIO *bio, char *bound, STACK_OF(BIO) **ret)
 {
         char linebuf[MAX_SMLEN];
         int len, blen;
+        int eol = 0, next_eol = 0;
         BIO *bpart = NULL;
         STACK_OF(BIO) *parts;
         char state, part, first;
@@ -383,26 +397,23 @@ static int multi_split(BIO *bio, char *bound, STACK_OF(BIO) **ret)
                         sk_BIO_push(parts, bpart);
                         return 1;
                 } else if(part) {
+                        /* Strip CR+LF from linebuf */
+                        next_eol = strip_eol(linebuf, &len);
                         if(first) {
                                 first = 0;
                                 if(bpart) sk_BIO_push(parts, bpart);
                                 bpart = BIO_new(BIO_s_mem());
-                                
-                        } else BIO_write(bpart, "\r\n", 2);
-                        /* Strip CR+LF from linebuf */
-                        while(iscrlf(linebuf[len - 1])) len--;
-                        BIO_write(bpart, linebuf, len);
+                                BIO_set_mem_eof_return(bpart, 0);
+                        } else if (eol)
+                                BIO_write(bpart, "\r\n", 2);
+                        eol = next_eol;
+                        if (len)
+                                BIO_write(bpart, linebuf, len);
                 }
         }
         return 0;
 }
 
-static int iscrlf(char c)
-{
-        if(c == '\r' || c == '\n') return 1;
-        return 0;
-}
-
 /* This is the big one: parse MIME header lines up to message body */
 
 #define MIME_INVALID    0
@@ -683,3 +694,21 @@ static int mime_bound_check(char *line, int linelen, char *bound, int blen)
         }
         return 0;
 }
+
+static int strip_eol(char *linebuf, int *plen)
+        {
+        int len = *plen;
+        char *p, c;
+        int is_eol = 0;
+        p = linebuf + len - 1;
+        for (p = linebuf + len - 1; len > 0; len--, p--)
+                {
+                c = *p;
+                if (c == '\n')
+                        is_eol = 1;
+                else if (c != '\r')
+                        break;
+                }
+        *plen = len;
+        return is_eol;
+        }
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c b/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c
index f0d071e282..6e5735de11 100644
--- a/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c
@@ -3,7 +3,7 @@
  * project 1999.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/src/lib/libssl/src/crypto/pkcs7/pkcs7.h b/src/lib/libssl/src/crypto/pkcs7/pkcs7.h
index 5819700a85..15372e18f8 100644
--- a/src/lib/libssl/src/crypto/pkcs7/pkcs7.h
+++ b/src/lib/libssl/src/crypto/pkcs7/pkcs7.h
@@ -260,6 +260,8 @@ DECLARE_PKCS12_STACK_OF(PKCS7)
 #define PKCS7_BINARY            0x80
 #define PKCS7_NOATTR            0x100
 #define PKCS7_NOSMIMECAP        0x200
+#define PKCS7_NOOLDMIMETYPE     0x400
+#define PKCS7_CRLFEOL           0x800
 
 /* Flags: for compatibility with older code */
 
diff --git a/src/lib/libssl/src/crypto/rand/rand_win.c b/src/lib/libssl/src/crypto/rand/rand_win.c
index 113b58678f..263068d256 100644
--- a/src/lib/libssl/src/crypto/rand/rand_win.c
+++ b/src/lib/libssl/src/crypto/rand/rand_win.c
@@ -162,6 +162,7 @@ typedef BOOL (WINAPI *GETCURSORINFO)(PCURSORINFO);
 typedef DWORD (WINAPI *GETQUEUESTATUS)(UINT);
 
 typedef HANDLE (WINAPI *CREATETOOLHELP32SNAPSHOT)(DWORD, DWORD);
+typedef BOOL (WINAPI *CLOSETOOLHELP32SNAPSHOT)(HANDLE);
 typedef BOOL (WINAPI *HEAP32FIRST)(LPHEAPENTRY32, DWORD, DWORD);
 typedef BOOL (WINAPI *HEAP32NEXT)(LPHEAPENTRY32);
 typedef BOOL (WINAPI *HEAP32LIST)(HANDLE, LPHEAPLIST32);
@@ -431,7 +432,7 @@ int RAND_poll(void)
          * This seeding method was proposed in Peter Gutmann, Software
          * Generation of Practically Strong Random Numbers,
          * http://www.usenix.org/publications/library/proceedings/sec98/gutmann.html
-     * revised version at http://www.cryptoengines.com/~peter/06_random.pdf
+         * revised version at http://www.cryptoengines.com/~peter/06_random.pdf
          * (The assignment of entropy estimates below is arbitrary, but based
          * on Peter's analysis the full poll appears to be safe. Additional
          * interactive seeding is encouraged.)
@@ -440,6 +441,7 @@ int RAND_poll(void)
         if (kernel)
                 {
                 CREATETOOLHELP32SNAPSHOT snap;
+                CLOSETOOLHELP32SNAPSHOT close_snap;
                 HANDLE handle;
 
                 HEAP32FIRST heap_first;
@@ -457,6 +459,8 @@ int RAND_poll(void)
 
                 snap = (CREATETOOLHELP32SNAPSHOT)
                         GetProcAddress(kernel, TEXT("CreateToolhelp32Snapshot"));
+                close_snap = (CLOSETOOLHELP32SNAPSHOT)
+                        GetProcAddress(kernel, TEXT("CloseToolhelp32Snapshot"));
                 heap_first = (HEAP32FIRST) GetProcAddress(kernel, TEXT("Heap32First"));
                 heap_next = (HEAP32NEXT) GetProcAddress(kernel, TEXT("Heap32Next"));
                 heaplist_first = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListFirst"));
@@ -472,7 +476,7 @@ int RAND_poll(void)
                         heaplist_next && process_first && process_next &&
                         thread_first && thread_next && module_first &&
                         module_next && (handle = snap(TH32CS_SNAPALL,0))
-                        != NULL)
+                        != INVALID_HANDLE_VALUE)
                         {
                         /* heap list and heap walking */
                         /* HEAPLIST32 contains 3 fields that will change with
@@ -534,8 +538,10 @@ int RAND_poll(void)
                                 do
                                         RAND_add(&m, m.dwSize, 9);
                                 while (module_next(handle, &m));
-
-                        CloseHandle(handle);
+                        if (close_snap)
+                                close_snap(handle);
+                        else
+                                CloseHandle(handle);
                         }
 
                 FreeLibrary(kernel);
diff --git a/src/lib/libssl/src/crypto/rsa/rsa.h b/src/lib/libssl/src/crypto/rsa/rsa.h
index e26a68b482..62fa745f79 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa.h
+++ b/src/lib/libssl/src/crypto/rsa/rsa.h
@@ -158,11 +158,6 @@ struct rsa_st
 #define RSA_FLAG_CACHE_PUBLIC           0x02
 #define RSA_FLAG_CACHE_PRIVATE          0x04
 #define RSA_FLAG_BLINDING               0x08
-#define RSA_FLAG_NO_BLINDING            0x80 /* new with 0.9.6j and 0.9.7b; the built-in
-                                              * RSA implementation now uses blinding by
-                                              * default (ignoring RSA_FLAG_BLINDING),
-                                              * but other engines might not need it
-                                              */
 #define RSA_FLAG_THREAD_SAFE            0x10
 /* This flag means the private key operations will be handled by rsa_mod_exp
  * and that they do not depend on the private key components being present:
@@ -175,7 +170,11 @@ struct rsa_st
  */
 #define RSA_FLAG_SIGN_VER               0x40
 
-#define RSA_FLAG_NO_BLINDING            0x80
+#define RSA_FLAG_NO_BLINDING            0x80 /* new with 0.9.6j and 0.9.7b; the built-in
+                                              * RSA implementation now uses blinding by
+                                              * default (ignoring RSA_FLAG_BLINDING),
+                                              * but other engines might not need it
+                                              */
 
 #define RSA_PKCS1_PADDING       1
 #define RSA_SSLV23_PADDING      2
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_eay.c b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
index 027b4dc754..e0d286266e 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_eay.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
@@ -484,6 +484,8 @@ err:
         if (ctx != NULL) BN_CTX_free(ctx);
         BN_clear_free(&f);
         BN_clear_free(&ret);
+        if (local_blinding)
+                BN_BLINDING_free(blinding);
         if (buf != NULL)
                 {
                 OPENSSL_cleanse(buf,num);
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_lib.c b/src/lib/libssl/src/crypto/rsa/rsa_lib.c
index 53c5092014..e4d622851e 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_lib.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_lib.c
@@ -316,7 +316,7 @@ void RSA_blinding_off(RSA *rsa)
 
 int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
         {
-        BIGNUM *A,*Ai;
+        BIGNUM *A,*Ai = NULL;
         BN_CTX *ctx;
         int ret=0;
 
@@ -327,8 +327,12 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
         else
                 ctx=p_ctx;
 
+        /* XXXXX: Shouldn't this be RSA_blinding_off(rsa)? */
         if (rsa->blinding != NULL)
+                {
                 BN_BLINDING_free(rsa->blinding);
+                rsa->blinding = NULL;
+                }
 
         /* NB: similar code appears in setup_blinding (rsa_eay.c);
          * this should be placed in a new function of its own, but for reasons
@@ -356,9 +360,9 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
         rsa->blinding->thread_id = CRYPTO_thread_id();
         rsa->flags |= RSA_FLAG_BLINDING;
         rsa->flags &= ~RSA_FLAG_NO_BLINDING;
-        BN_free(Ai);
         ret=1;
 err:
+        if (Ai != NULL) BN_free(Ai);
         BN_CTX_end(ctx);
         if (ctx != p_ctx) BN_CTX_free(ctx);
         return(ret);
diff --git a/src/lib/libssl/src/crypto/x509/x509_trs.c b/src/lib/libssl/src/crypto/x509/x509_trs.c
index 17d69ac005..881252608d 100644
--- a/src/lib/libssl/src/crypto/x509/x509_trs.c
+++ b/src/lib/libssl/src/crypto/x509/x509_trs.c
@@ -82,6 +82,7 @@ static X509_TRUST trstandard[] = {
 {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
 {X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
 {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
+{X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL},
 {X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},
 {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL}
 };
diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c
index 04997ba456..2bb21b443e 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -453,9 +453,9 @@ static int check_revocation(X509_STORE_CTX *ctx)
         if (!(ctx->flags & X509_V_FLAG_CRL_CHECK))
                 return 1;
         if (ctx->flags & X509_V_FLAG_CRL_CHECK_ALL)
-                last = 0;
-        else
                 last = sk_X509_num(ctx->chain) - 1;
+        else
+                last = 0;
         for(i = 0; i <= last; i++)
                 {
                 ctx->error_depth = i;
diff --git a/src/lib/libssl/src/crypto/x509/x509type.c b/src/lib/libssl/src/crypto/x509/x509type.c
index 8e78b34458..f78c2a6b43 100644
--- a/src/lib/libssl/src/crypto/x509/x509type.c
+++ b/src/lib/libssl/src/crypto/x509/x509type.c
@@ -99,14 +99,15 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
         case EVP_PKEY_RSA:
                 ret|=EVP_PKS_RSA;
                 break;
-        case EVP_PKS_DSA:
+        case EVP_PKEY_DSA:
                 ret|=EVP_PKS_DSA;
                 break;
         default:
                 break;
                 }
 
-        if (EVP_PKEY_size(pk) <= 512)
+        if (EVP_PKEY_size(pk) <= 512/8) /* /8 because it's 512 bits we look
+                                           for, not bytes */
                 ret|=EVP_PKT_EXP;
         if(pkey==NULL) EVP_PKEY_free(pk);
         return(ret);
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_conf.c b/src/lib/libssl/src/crypto/x509v3/v3_conf.c
index 1a3448e121..1284d5aaa5 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_conf.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_conf.c
@@ -236,7 +236,7 @@ static int v3_check_critical(char **value)
 static int v3_check_generic(char **value)
 {
         char *p = *value;
-        if ((strlen(p) < 4) || strncmp(p, "DER:,", 4)) return 0;
+        if ((strlen(p) < 4) || strncmp(p, "DER:", 4)) return 0;
         p+=4;
         while (isspace((unsigned char)*p)) p++;
         *value = p;
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_cpols.c b/src/lib/libssl/src/crypto/x509v3/v3_cpols.c
index 0d4ab1f680..0d554f3a2c 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_cpols.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_cpols.c
@@ -73,7 +73,7 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
                                  STACK_OF(CONF_VALUE) *polstrs, int ia5org);
 static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
                                         STACK_OF(CONF_VALUE) *unot, int ia5org);
-static STACK_OF(ASN1_INTEGER) *nref_nos(STACK_OF(CONF_VALUE) *nos);
+static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
 
 X509V3_EXT_METHOD v3_cpols = {
 NID_certificate_policies, 0,ASN1_ITEM_ref(CERTIFICATEPOLICIES),
@@ -226,6 +226,8 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
                         qual = notice_section(ctx, unot, ia5org);
                         X509V3_section_free(ctx, unot);
                         if(!qual) goto err;
+                        if(!pol->qualifiers) pol->qualifiers =
+                                                 sk_POLICYQUALINFO_new_null();
                         if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
                                                                  goto merr;
                 } else {
@@ -255,7 +257,7 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
 static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
                                         STACK_OF(CONF_VALUE) *unot, int ia5org)
 {
-        int i;
+        int i, ret;
         CONF_VALUE *cnf;
         USERNOTICE *not;
         POLICYQUALINFO *qual;
@@ -275,8 +277,8 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
                                 if(!(nref = NOTICEREF_new())) goto merr;
                                 not->noticeref = nref;
                         } else nref = not->noticeref;
-                        if(ia5org) nref->organization = M_ASN1_IA5STRING_new();
-                        else nref->organization = M_ASN1_VISIBLESTRING_new();
+                        if(ia5org) nref->organization->type = V_ASN1_IA5STRING;
+                        else nref->organization->type = V_ASN1_VISIBLESTRING;
                         if(!ASN1_STRING_set(nref->organization, cnf->value,
                                                  strlen(cnf->value))) goto merr;
                 } else if(!strcmp(cnf->name, "noticeNumbers")) {
@@ -292,12 +294,12 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
                                 X509V3_conf_err(cnf);
                                 goto err;
                         }
-                        nref->noticenos = nref_nos(nos);
+                        ret = nref_nos(nref->noticenos, nos);
                         sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
-                        if(!nref->noticenos) goto err;
+                        if (!ret)
+                                goto err;
                 } else {
                         X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_OPTION);
-
                         X509V3_conf_err(cnf);
                         goto err;
                 }
@@ -319,15 +321,13 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
         return NULL;
 }
 
-static STACK_OF(ASN1_INTEGER) *nref_nos(STACK_OF(CONF_VALUE) *nos)
+static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
 {
-        STACK_OF(ASN1_INTEGER) *nnums;
         CONF_VALUE *cnf;
         ASN1_INTEGER *aint;
 
         int i;
 
-        if(!(nnums = sk_ASN1_INTEGER_new_null())) goto merr;
         for(i = 0; i < sk_CONF_VALUE_num(nos); i++) {
                 cnf = sk_CONF_VALUE_value(nos, i);
                 if(!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
@@ -336,14 +336,14 @@ static STACK_OF(ASN1_INTEGER) *nref_nos(STACK_OF(CONF_VALUE) *nos)
                 }
                 if(!sk_ASN1_INTEGER_push(nnums, aint)) goto merr;
         }
-        return nnums;
+        return 1;
 
         merr:
         X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
 
         err:
         sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free);
-        return NULL;
+        return 0;
 }
 
 
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_lib.c b/src/lib/libssl/src/crypto/x509v3/v3_lib.c
index 482ca8ccf5..ca5a4a4a57 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_lib.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_lib.c
@@ -202,6 +202,7 @@ void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
                 if(OBJ_obj2nid(ex->object) == nid) {
                         if(idx) {
                                 *idx = i;
+                                found_ex = ex;
                                 break;
                         } else if(found_ex) {
                                 /* Found more than one */
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_prn.c b/src/lib/libssl/src/crypto/x509v3/v3_prn.c
index 754808b625..5d268eb768 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_prn.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_prn.c
@@ -184,7 +184,7 @@ int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts
                 j=X509_EXTENSION_get_critical(ex);
                 if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0)
                         return 0;
-                if(!X509V3_EXT_print(bp, ex, flag, 12))
+                if(!X509V3_EXT_print(bp, ex, flag, indent + 4))
                         {
                         BIO_printf(bp, "%*s", indent + 4, "");
                         M_ASN1_OCTET_STRING_print(bp,ex->value);
diff --git a/src/lib/libssl/src/doc/apps/ca.pod b/src/lib/libssl/src/doc/apps/ca.pod
index de66c534b5..74f45ca2f9 100644
--- a/src/lib/libssl/src/doc/apps/ca.pod
+++ b/src/lib/libssl/src/doc/apps/ca.pod
@@ -359,7 +359,7 @@ the same as the B<-md> option. The message digest to use. Mandatory.
 the text database file to use. Mandatory. This file must be present
 though initially it will be empty.
 
-=item B<serialfile>
+=item B<serial>
 
 a text file containing the next serial number to use in hex. Mandatory.
 This file must be present and contain a valid serial number.
@@ -400,7 +400,7 @@ here, except the B<no_signame> and B<no_sigdump> are permanently set
 and cannot be disabled (this is because the certificate signature cannot
 be displayed because the certificate has not been signed at this point).
 
-For convenience the values B<default_ca> are accepted by both to produce
+For convenience the values B<ca_default> are accepted by both to produce
 a reasonable output.
 
 If neither option is present the format used in earlier versions of
@@ -513,8 +513,8 @@ A sample configuration file with the relevant sections for B<ca>:
  policy         = policy_any            # default policy
  email_in_dn    = no                    # Don't add the email into cert DN
 
- nameopt        = default_ca            # Subject name display option
- certopt        = default_ca            # Certificate display option
+ nameopt        = ca_default            # Subject name display option
+ certopt        = ca_default            # Certificate display option
  copy_extensions = none                 # Don't copy extensions from request
 
  [ policy_any ]
diff --git a/src/lib/libssl/src/doc/apps/s_client.pod b/src/lib/libssl/src/doc/apps/s_client.pod
index 47dc93cb3f..d061326c1f 100644
--- a/src/lib/libssl/src/doc/apps/s_client.pod
+++ b/src/lib/libssl/src/doc/apps/s_client.pod
@@ -168,7 +168,7 @@ command for more information.
 
 send the protocol-specific message(s) to switch to TLS for communication.
 B<protocol> is a keyword for the intended protocol.  Currently, the only
-supported keyword is "smtp".
+supported keywords are "smtp" and "pop3".
 
 =item B<-engine id>
 
diff --git a/src/lib/libssl/src/doc/crypto/BIO_f_base64.pod b/src/lib/libssl/src/doc/crypto/BIO_f_base64.pod
index fdb603b38e..929557d22f 100644
--- a/src/lib/libssl/src/doc/crypto/BIO_f_base64.pod
+++ b/src/lib/libssl/src/doc/crypto/BIO_f_base64.pod
@@ -55,16 +55,15 @@ to standard output:
 Read Base64 encoded data from standard input and write the decoded
 data to standard output:
 
- BIO *bio, *b64, bio_out;
+ BIO *bio, *b64, *bio_out;
  char inbuf[512];
  int inlen;
- char message[] = "Hello World \n";
 
  b64 = BIO_new(BIO_f_base64());
  bio = BIO_new_fp(stdin, BIO_NOCLOSE);
  bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
  bio = BIO_push(b64, bio);
- while((inlen = BIO_read(bio, inbuf, strlen(message))) > 0) 
+ while((inlen = BIO_read(bio, inbuf, 512) > 0) 
         BIO_write(bio_out, inbuf, inlen);
 
  BIO_free_all(bio);
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod
index 74f05301ec..81566839d3 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod
@@ -135,9 +135,9 @@ process is immediately stopped with "verification failed" state. If
 SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and
 the TLS/SSL handshake is terminated. If B<verify_callback> returns 1,
 the verification process is continued. If B<verify_callback> always returns
-1, the TLS/SSL handshake will never be terminated because of this application
-experiencing a verification failure. The calling process can however
-retrieve the error code of the last verification error using
+1, the TLS/SSL handshake will not be terminated with respect to verification
+failures and the connection will be established. The calling process can
+however retrieve the error code of the last verification error using
 L<SSL_get_verify_result(3)|SSL_get_verify_result(3)> or by maintaining its
 own error storage managed by B<verify_callback>.
 
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod
index b8868f18bf..ea2faba3ec 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod
@@ -68,7 +68,9 @@ should be preferred.
 
 SSL_CTX_use_certificate_chain_file() loads a certificate chain from 
 B<file> into B<ctx>. The certificates must be in PEM format and must
-be sorted starting with the certificate to the highest level (root CA).
+be sorted starting with the subject's certificate (actual client or server
+certificate), followed by intermediate CA certificates if applicable, and
+ending at the highest level (root) CA.
 There is no corresponding function working on a single SSL object.
 
 SSL_CTX_use_PrivateKey() adds B<pkey> as private key to B<ctx>.
diff --git a/src/lib/libssl/src/doc/ssl/SSL_accept.pod b/src/lib/libssl/src/doc/ssl/SSL_accept.pod
index a673edba85..cc724c0d56 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_accept.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_accept.pod
@@ -28,7 +28,8 @@ should be called again.
 
 If the underlying BIO is B<non-blocking>, SSL_accept() will also return
 when the underlying BIO could not satisfy the needs of SSL_accept()
-to continue the handshake. In this case a call to SSL_get_error() with the
+to continue the handshake, indicating the problem by the return value -1.
+In this case a call to SSL_get_error() with the
 return value of SSL_accept() will yield B<SSL_ERROR_WANT_READ> or
 B<SSL_ERROR_WANT_WRITE>. The calling process then must repeat the call after
 taking appropriate action to satisfy the needs of SSL_accept().
diff --git a/src/lib/libssl/src/doc/ssl/SSL_connect.pod b/src/lib/libssl/src/doc/ssl/SSL_connect.pod
index 8426310c0d..cc56ebb75f 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_connect.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_connect.pod
@@ -25,7 +25,8 @@ handshake has been finished or an error occurred.
 
 If the underlying BIO is B<non-blocking>, SSL_connect() will also return
 when the underlying BIO could not satisfy the needs of SSL_connect()
-to continue the handshake. In this case a call to SSL_get_error() with the
+to continue the handshake, indicating the problem by the return value -1.
+In this case a call to SSL_get_error() with the
 return value of SSL_connect() will yield B<SSL_ERROR_WANT_READ> or
 B<SSL_ERROR_WANT_WRITE>. The calling process then must repeat the call after
 taking appropriate action to satisfy the needs of SSL_connect().
diff --git a/src/lib/libssl/src/e_os.h b/src/lib/libssl/src/e_os.h
index f7d09c5295..096eabe09a 100644
--- a/src/lib/libssl/src/e_os.h
+++ b/src/lib/libssl/src/e_os.h
@@ -174,6 +174,13 @@ extern "C" {
 #define closesocket(s)          close(s)
 #define readsocket(s,b,n)       recv((s),(b),(n),0)
 #define writesocket(s,b,n)      send((s),(b),(n),0)
+#elif defined(OPENSSL_SYS_VXWORKS)
+#define get_last_socket_error() errno
+#define clear_socket_error()    errno=0
+#define ioctlsocket(a,b,c)          ioctl((a),(b),(int)(c))
+#define closesocket(s)              close(s)
+#define readsocket(s,b,n)           read((s),(b),(n))
+#define writesocket(s,b,n)          write((s),(char *)(b),(n))
 #else
 #define get_last_socket_error() errno
 #define clear_socket_error()    errno=0
@@ -250,7 +257,7 @@ extern "C" {
 #    define EXIT(n) _wsetexit(_WINEXITNOPERSIST)
 #    define OPENSSL_EXIT(n) do { if (n == 0) EXIT(n); return(n); } while(0)
 #  else
-#    define EXIT(n) return(n)
+#    define EXIT(n) exit(n)
 #  endif
 #  define LIST_SEPARATOR_CHAR ';'
 #  ifndef X_OK
@@ -331,6 +338,8 @@ extern "C" {
 #      define pid_t int /* pid_t is missing on NEXTSTEP/OPENSTEP
                          * (unless when compiling with -D_POSIX_SOURCE,
                          * which doesn't work for us) */
+#    endif
+#    if defined(NeXT) || defined(OPENSSL_SYS_NEWS4) || defined(OPENSSL_SYS_SUNOS)
 #      define ssize_t int /* ditto */
 #    endif
 #    ifdef OPENSSL_SYS_NEWS4 /* setvbuf is missing on mips-sony-bsd */
@@ -517,10 +526,6 @@ extern char *sys_errlist[]; extern int sys_nerr;
 #define TTY_STRUCT int
 
 #define sleep(a) taskDelay((a) * sysClkRateGet())
-#if defined(ioctlsocket)
-#undef ioctlsocket
-#endif
-#define ioctlsocket(a,b,c) ioctl((a),(b),*(c))
 
 #include <vxWorks.h>
 #include <sockLib.h>
diff --git a/src/lib/libssl/src/openssl.spec b/src/lib/libssl/src/openssl.spec
index 9bd9c8375e..9ce236e0d2 100644
--- a/src/lib/libssl/src/openssl.spec
+++ b/src/lib/libssl/src/openssl.spec
@@ -1,7 +1,7 @@
 %define libmaj 0
 %define libmin 9
 %define librel 7
-%define librev b
+%define librev c
 Release: 1
 
 %define openssldir /var/ssl
@@ -83,18 +83,18 @@ documentation and POD files from which the man pages were produced.
 
 %build 
 
-%define CONFIG_FLAGS -DSSL_ALLOW_ADH --prefix=/usr 
+%define CONFIG_FLAGS -DSSL_ALLOW_ADH --prefix=/usr --openssldir=%{openssldir}
 
 perl util/perlpath.pl /usr/bin/perl
 
 %ifarch i386 i486 i586 i686
-./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-elf shared
+./Configure %{CONFIG_FLAGS} linux-elf shared
 %endif
 %ifarch ppc
-./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-ppc shared
+./Configure %{CONFIG_FLAGS} linux-ppc shared
 %endif
 %ifarch alpha
-./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-alpha shared
+./Configure %{CONFIG_FLAGS} linux-alpha shared
 %endif
 LD_LIBRARY_PATH=`pwd` make
 LD_LIBRARY_PATH=`pwd` make rehash
@@ -102,12 +102,7 @@ LD_LIBRARY_PATH=`pwd` make test
 
 %install
 rm -rf $RPM_BUILD_ROOT
-make MANDIR=/usr/man INSTALL_PREFIX="$RPM_BUILD_ROOT" install
-
-# Rename manpages
-for x in $RPM_BUILD_ROOT/usr/man/man*/* 
-        do mv ${x} ${x}ssl
-done
+make MANDIR=/usr/man MANSUFFIX=ssl INSTALL_PREFIX="$RPM_BUILD_ROOT" install
 
 # Make backwards-compatibility symlink to ssleay
 ln -sf /usr/bin/openssl $RPM_BUILD_ROOT/usr/bin/ssleay
@@ -135,6 +130,7 @@ rm -rf $RPM_BUILD_ROOT
 %doc CHANGES CHANGES.SSLeay LICENSE NEWS README
 
 %attr(0644,root,root) /usr/lib/*.a
+%attr(0644,root,root) /usr/lib/pkgconfig/openssl.pc
 %attr(0644,root,root) /usr/include/openssl/*
 %attr(0644,root,root) /usr/man/man[3]/*
 
@@ -150,6 +146,8 @@ ldconfig
 ldconfig
 
 %changelog
+* Wed May  7 2003 Richard Levitte <richard@levitte.org>
+- Add /usr/lib/pkgconfig/openssl.pc to the development section.
 * Thu Mar 22 2001 Richard Levitte <richard@levitte.org>
 - Removed redundant subsection that re-installed libcrypto.a and libssl.a
   as well.  Also remove RSAref stuff completely, since it's not needed
diff --git a/src/lib/libssl/src/ssl/kssl.c b/src/lib/libssl/src/ssl/kssl.c
index a80f5b2f74..7c45f8ff4e 100644
--- a/src/lib/libssl/src/ssl/kssl.c
+++ b/src/lib/libssl/src/ssl/kssl.c
@@ -1496,8 +1496,9 @@ kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
                         "bad ticket from krb5_rd_req.\n");
                 }
         else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT,
-                &krb5ticket->enc_part2->client->realm,
-                krb5ticket->enc_part2->client->data))
+                 &krb5ticket->enc_part2->client->realm,
+                 krb5ticket->enc_part2->client->data,
+                 krb5ticket->enc_part2->client->length))
                 {
                 kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
                         "kssl_ctx_setprinc() fails.\n");
@@ -1564,16 +1565,17 @@ kssl_ctx_free(KSSL_CTX *kssl_ctx)
         }
 
 
-/*      Given a (krb5_data *) entity (and optional realm),
+/*      Given an array of (krb5_data *) entity (and optional realm),
 **      set the plain (char *) client_princ or service_host member
 **      of the kssl_ctx struct.
 */
 krb5_error_code
 kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
-        krb5_data *realm, krb5_data *entity)
+        krb5_data *realm, krb5_data *entity, int nentities)
         {
         char    **princ;
         int     length;
+        int i;
 
         if (kssl_ctx == NULL  ||  entity == NULL)  return KSSL_CTX_ERR;
 
@@ -1585,18 +1587,33 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
                 }
         if (*princ)  free(*princ);
 
-        length = entity->length + ((realm)? realm->length + 2: 1);
+        /* Add up all the entity->lengths */
+        length = 0;
+        for (i=0; i < nentities; i++)
+                {
+                length += entity[i].length;
+                }
+        /* Add in space for the '/' character(s) (if any) */
+        length += nentities-1;
+        /* Space for the ('@'+realm+NULL | NULL) */
+        length += ((realm)? realm->length + 2: 1);
+
         if ((*princ = calloc(1, length)) == NULL)
                 return KSSL_CTX_ERR;
         else
-                {
-                strncpy(*princ, entity->data, entity->length);
-                (*princ)[entity->length]='\0';
+                {
+                for (i = 0; i < nentities; i++)
+                        {
+                        strncat(*princ, entity[i].data, entity[i].length);
+                        if (i < nentities-1)
+                                {
+                                strcat (*princ, "/");
+                                }
+                        }
                 if (realm)
                         {
                         strcat (*princ, "@");
                         (void) strncat(*princ, realm->data, realm->length);
-                        (*princ)[entity->length+1+realm->length]='\0';
                         }
                 }
 
diff --git a/src/lib/libssl/src/ssl/kssl.h b/src/lib/libssl/src/ssl/kssl.h
index cf7ebdd168..19a689b089 100644
--- a/src/lib/libssl/src/ssl/kssl.h
+++ b/src/lib/libssl/src/ssl/kssl.h
@@ -149,7 +149,7 @@ KSSL_CTX *kssl_ctx_new(void);
 KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx);
 void kssl_ctx_show(KSSL_CTX *kssl_ctx);
 krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
-        krb5_data *realm, krb5_data *entity);
+        krb5_data *realm, krb5_data *entity, int nentities);
 krb5_error_code kssl_cget_tkt(KSSL_CTX *kssl_ctx,  krb5_data **enc_tktp,
         krb5_data *authenp, KSSL_ERR *kssl_err);
 krb5_error_code kssl_sget_tkt(KSSL_CTX *kssl_ctx,  krb5_data *indata,
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 8701fb33ca..ee9a82d586 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -472,6 +472,11 @@ void SSL_free(SSL *s)
 
         if (s->method != NULL) s->method->ssl_free(s);
 
+#ifndef OPENSSL_NO_KRB5
+        if (s->kssl_ctx != NULL)
+                kssl_ctx_free(s->kssl_ctx);
+#endif  /* OPENSSL_NO_KRB5 */
+
         OPENSSL_free(s);
         }
 
diff --git a/src/lib/libssl/src/ssl/ssl_rsa.c b/src/lib/libssl/src/ssl/ssl_rsa.c
index 03828b6632..330390519b 100644
--- a/src/lib/libssl/src/ssl/ssl_rsa.c
+++ b/src/lib/libssl/src/ssl/ssl_rsa.c
@@ -207,7 +207,7 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
                          ok=1;
                 else
 #endif
-                        if (!X509_check_private_key(c->pkeys[i].x509,pkey))
+                     if (!X509_check_private_key(c->pkeys[i].x509,pkey))
                         {
                         if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA))
                                 {
@@ -241,6 +241,8 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
                 return(0);
                 }
 
+        ERR_clear_error(); /* make sure no error from X509_check_private_key()
+                            * is left if we have chosen to ignore it */
         if (c->pkeys[i].privatekey != NULL)
                 EVP_PKEY_free(c->pkeys[i].privatekey);
         CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
diff --git a/src/lib/libssl/src/ssl/ssl_sess.c b/src/lib/libssl/src/ssl/ssl_sess.c
index a505e388fb..7016c87d3b 100644
--- a/src/lib/libssl/src/ssl/ssl_sess.c
+++ b/src/lib/libssl/src/ssl/ssl_sess.c
@@ -78,11 +78,11 @@ SSL_SESSION *SSL_get1_session(SSL *ssl)
         /* Need to lock this all up rather than just use CRYPTO_add so that
          * somebody doesn't free ssl->session between when we check it's
          * non-null and when we up the reference count. */
-        CRYPTO_r_lock(CRYPTO_LOCK_SSL_SESSION);
+        CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
         sess = ssl->session;
         if(sess)
                 sess->references++;
-        CRYPTO_r_unlock(CRYPTO_LOCK_SSL_SESSION);
+        CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
         return(sess);
         }
 
diff --git a/src/lib/libssl/src/util/libeay.num b/src/lib/libssl/src/util/libeay.num
index f5c8c0be8a..203c7713e7 100644
--- a/src/lib/libssl/src/util/libeay.num
+++ b/src/lib/libssl/src/util/libeay.num
@@ -2801,3 +2801,5 @@ BIO_indent                              3242	EXIST::FUNCTION:
 BUF_strlcpy                             3243    EXIST::FUNCTION:
 OpenSSLDie                              3244    EXIST::FUNCTION:
 OPENSSL_cleanse                         3245    EXIST::FUNCTION:
+ENGINE_setup_bsd_cryptodev              3246    EXIST:__FreeBSD__:FUNCTION:ENGINE
+ERR_release_err_state_table             3247    EXIST::FUNCTION:LHASH
diff --git a/src/lib/libssl/src/util/pl/Mingw32.pl b/src/lib/libssl/src/util/pl/Mingw32.pl
index 043a3a53ee..4bee638c4a 100644
--- a/src/lib/libssl/src/util/pl/Mingw32.pl
+++ b/src/lib/libssl/src/util/pl/Mingw32.pl
@@ -85,7 +85,7 @@ sub do_lib_rule
         ($Name=$name) =~ tr/a-z/A-Z/;
 
         $ret.="$target: \$(${Name}OBJ)\n";
-        $ret.="\t\$(RM) $target\n";
+        $ret.="\tif exist $target \$(RM) $target\n";
         $ret.="\t\$(MKLIB) $target \$(${Name}OBJ)\n";
         $ret.="\t\$(RANLIB) $target\n\n";
         }
diff --git a/src/lib/libssl/src/util/point.sh b/src/lib/libssl/src/util/point.sh
index ce7dcc56df..4790e08f8a 100644
--- a/src/lib/libssl/src/util/point.sh
+++ b/src/lib/libssl/src/util/point.sh
@@ -1,10 +1,10 @@
 #!/bin/sh
 
-rm -f $2
+rm -f "$2"
 if test "$OSTYPE" = msdosdjgpp; then
-    cp $1 $2
+    cp "$1" "$2"
 else
-    ln -s $1 $2
+    ln -s "$1" "$2"
 fi
 echo "$2 => $1"
 
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 8701fb33ca..ee9a82d586 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -472,6 +472,11 @@ void SSL_free(SSL *s)
 
         if (s->method != NULL) s->method->ssl_free(s);
 
+#ifndef OPENSSL_NO_KRB5
+        if (s->kssl_ctx != NULL)
+                kssl_ctx_free(s->kssl_ctx);
+#endif  /* OPENSSL_NO_KRB5 */
+
         OPENSSL_free(s);
         }
 
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 03828b6632..330390519b 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -207,7 +207,7 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
                          ok=1;
                 else
 #endif
-                        if (!X509_check_private_key(c->pkeys[i].x509,pkey))
+                     if (!X509_check_private_key(c->pkeys[i].x509,pkey))
                         {
                         if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA))
                                 {
@@ -241,6 +241,8 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
                 return(0);
                 }
 
+        ERR_clear_error(); /* make sure no error from X509_check_private_key()
+                            * is left if we have chosen to ignore it */
         if (c->pkeys[i].privatekey != NULL)
                 EVP_PKEY_free(c->pkeys[i].privatekey);
         CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index a505e388fb..7016c87d3b 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -78,11 +78,11 @@ SSL_SESSION *SSL_get1_session(SSL *ssl)
         /* Need to lock this all up rather than just use CRYPTO_add so that
          * somebody doesn't free ssl->session between when we check it's
          * non-null and when we up the reference count. */
-        CRYPTO_r_lock(CRYPTO_LOCK_SSL_SESSION);
+        CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
         sess = ssl->session;
         if(sess)
                 sess->references++;
-        CRYPTO_r_unlock(CRYPTO_LOCK_SSL_SESSION);
+        CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
         return(sess);
         }