45 files changed, 119 insertions, 193 deletions

diff --git a/src/lib/libcrypto/asn1/a_utctm.c b/src/lib/libcrypto/asn1/a_utctm.c
index dbb4a42c9d..ed2d827db2 100644
--- a/src/lib/libcrypto/asn1/a_utctm.c
+++ b/src/lib/libcrypto/asn1/a_utctm.c
@@ -222,7 +222,6 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
         {
         struct tm *tm;
-        struct tm data;
         int offset;
         int year;
 
@@ -239,7 +238,7 @@ int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
 
         t -= offset*60; /* FIXME: may overflow in extreme cases */
 
-        tm = OPENSSL_gmtime(&t, &data);
+        { struct tm data; tm = OPENSSL_gmtime(&t, &data); }
         
 #define return_cmp(a,b) if ((a)<(b)) return -1; else if ((a)>(b)) return 1
         year = g2(s->data);
diff --git a/src/lib/libcrypto/des/fcrypt.c b/src/lib/libcrypto/des/fcrypt.c
index 387d97f28d..2758c32656 100644
--- a/src/lib/libcrypto/des/fcrypt.c
+++ b/src/lib/libcrypto/des/fcrypt.c
@@ -1,5 +1,13 @@
 /* NOCW */
 #include <stdio.h>
+#ifdef _OSD_POSIX
+#ifndef CHARSET_EBCDIC
+#define CHARSET_EBCDIC 1
+#endif
+#endif
+#ifdef CHARSET_EBCDIC
+#include <openssl/ebcdic.h>
+#endif
 
 /* This version of crypt has been developed from my MIT compatible
  * DES library.
diff --git a/src/lib/libcrypto/des/read_pwd.c b/src/lib/libcrypto/des/read_pwd.c
index 54e0e2e6b6..00000190f8 100644
--- a/src/lib/libcrypto/des/read_pwd.c
+++ b/src/lib/libcrypto/des/read_pwd.c
@@ -211,7 +211,7 @@ static int noecho_fgets(char *buf, int size, FILE *tty);
 #endif
 static jmp_buf save;
 
-int _ossl_old_des_read_pw_string(char *buf, int length, const char *prompt,
+int des_read_pw_string(char *buf, int length, const char *prompt,
              int verify)
         {
         char buff[BUFSIZ];
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index bf718c1c6d..ef87c3e637 100644
--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -64,8 +64,6 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 
-extern int      __BN_rand_range(BIGNUM *r, BIGNUM *range);
-
 int DSA_generate_key(DSA *dsa)
         {
         int ok=0;
@@ -82,7 +80,7 @@ int DSA_generate_key(DSA *dsa)
                 priv_key=dsa->priv_key;
 
         do
-                if (!__BN_rand_range(priv_key,dsa->q)) goto err;
+                if (!BN_rand_range(priv_key,dsa->q)) goto err;
         while (BN_is_zero(priv_key));
 
         if (dsa->pub_key == NULL)
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index 07addc94d9..37dd5fc994 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -66,8 +66,6 @@
 #include <openssl/asn1.h>
 #include <openssl/engine.h>
 
-int     __BN_rand_range(BIGNUM *r, BIGNUM *range);
-
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
 static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
@@ -193,7 +191,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 
         /* Get random k */
         do
-                if (!__BN_rand_range(&k, dsa->q)) goto err;
+                if (!BN_rand_range(&k, dsa->q)) goto err;
         while (BN_is_zero(&k));
 
         if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
@@ -344,55 +342,3 @@ static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
 {
         return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
 }
-
-
-/* random number r:  0 <= r < range */
-int     __BN_rand_range(BIGNUM *r, BIGNUM *range)
-        {
-        int n;
-
-        if (range->neg || BN_is_zero(range))
-                {
-                /* BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE); */
-                return 0;
-                }
-
-        n = BN_num_bits(range); /* n > 0 */
-
-        if (n == 1)
-                {
-                if (!BN_zero(r)) return 0;
-                }
-        else if (BN_is_bit_set(range, n - 2))
-                {
-                do
-                        {
-                        /* range = 11..._2, so each iteration succeeds with probability >= .75 */
-                        if (!BN_rand(r, n, -1, 0)) return 0;
-                        }
-                while (BN_cmp(r, range) >= 0);
-                }
-        else
-                {
-                /* range = 10..._2,
-                 * so  3*range (= 11..._2)  is exactly one bit longer than  range */
-                do
-                        {
-                        if (!BN_rand(r, n + 1, -1, 0)) return 0;
-                        /* If  r < 3*range,  use  r := r MOD range
-                         * (which is either  r, r - range,  or  r - 2*range).
-                         * Otherwise, iterate once more.
-                         * Since  3*range = 11..._2, each iteration succeeds with
-                         * probability >= .75. */
-                        if (BN_cmp(r ,range) >= 0)
-                                {
-                                if (!BN_sub(r, r, range)) return 0;
-                                if (BN_cmp(r, range) >= 0)
-                                        if (!BN_sub(r, r, range)) return 0;
-                                }
-                        }
-                while (BN_cmp(r, range) >= 0);
-                }
-
-        return 1;
-        }
diff --git a/src/lib/libcrypto/engine/Makefile.ssl b/src/lib/libcrypto/engine/Makefile.ssl
index 8ee3b7d2dd..5172028f93 100644
--- a/src/lib/libcrypto/engine/Makefile.ssl
+++ b/src/lib/libcrypto/engine/Makefile.ssl
@@ -74,7 +74,7 @@ tags:
 
 errors:
         $(PERL) $(TOP)/util/mkerr.pl -conf hw.ec \
-                -nostatic -staticloader -write hw_*.c
+                -nostatic -staticloader -write hw_*.c; \
 
 tests:
 
diff --git a/src/lib/libcrypto/engine/eng_all.c b/src/lib/libcrypto/engine/eng_all.c
index a35b3db9e8..bc50465422 100644
--- a/src/lib/libcrypto/engine/eng_all.c
+++ b/src/lib/libcrypto/engine/eng_all.c
@@ -96,6 +96,9 @@ void ENGINE_load_builtin_engines(void)
 #ifndef OPENSSL_NO_HW_SUREWARE
         ENGINE_load_sureware();
 #endif
+#ifndef OPENSSL_NO_HW_4758_CCA
+        ENGINE_load_4758cca();
+#endif
 #ifdef OPENSSL_OPENBSD_DEV_CRYPTO
         ENGINE_load_openbsd_dev_crypto();
 #endif
@@ -114,5 +117,3 @@ void ENGINE_setup_openbsd(void) {
         openbsd_default_loaded=1;
 }
 #endif
-
-
diff --git a/src/lib/libcrypto/engine/engine.h b/src/lib/libcrypto/engine/engine.h
index 97f5de9e12..fd17ff616d 100644
--- a/src/lib/libcrypto/engine/engine.h
+++ b/src/lib/libcrypto/engine/engine.h
@@ -312,7 +312,7 @@ void ENGINE_load_builtin_engines(void);
 #ifdef __OpenBSD__
 void ENGINE_load_cryptodev(void);
 #endif  
-        
+
 /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
  * "registry" handling. */
 unsigned int ENGINE_get_table_flags(void);
diff --git a/src/lib/libcrypto/evp/evp_test.c b/src/lib/libcrypto/evp/evp_test.c
index 90294ef686..1bfffb34cf 100644
--- a/src/lib/libcrypto/evp/evp_test.c
+++ b/src/lib/libcrypto/evp/evp_test.c
@@ -118,7 +118,7 @@ static char *sstrsep(char **string, const char *delim)
     }
 
 static unsigned char *ustrsep(char **p,const char *sep)
-    { return (unsigned char *)sstrsep(p,sep); }
+    { return (unsigned char *)sstrsep((char **)p,sep); }
 
 static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
                   const unsigned char *iv,int in,
@@ -358,7 +358,7 @@ int main(int argc,char **argv)
             p[-1] = '\0';
             encdec = -1;
         } else {
-            encdec = atoi(sstrsep(&p,"\n"));
+            encdec = atoi(strsep(&p,"\n"));
         }
               
 
diff --git a/src/lib/libcrypto/objects/Makefile.ssl b/src/lib/libcrypto/objects/Makefile.ssl
index 1e990107d3..a9f01ffc0d 100644
--- a/src/lib/libcrypto/objects/Makefile.ssl
+++ b/src/lib/libcrypto/objects/Makefile.ssl
@@ -15,6 +15,7 @@ MAKEDEPPROG=	makedepend
 MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
+PERL=           perl
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 
diff --git a/src/lib/libcrypto/objects/obj_dat.pl b/src/lib/libcrypto/objects/obj_dat.pl
index 85ab209809..d0371661f9 100644
--- a/src/lib/libcrypto/objects/obj_dat.pl
+++ b/src/lib/libcrypto/objects/obj_dat.pl
@@ -1,4 +1,7 @@
 #!/usr/local/bin/perl
+
+# fixes bug in floating point emulation on sparc64 when
+# this script produces off-by-one output on sparc64
 use integer;
 
 sub obj_cmp
diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c
index 4b221e08f5..1c3e68ef31 100644
--- a/src/lib/libcrypto/rand/randfile.c
+++ b/src/lib/libcrypto/rand/randfile.c
@@ -99,12 +99,11 @@ int RAND_load_file(const char *file, long bytes)
         if (file == NULL) return(0);
 
         i=stat(file,&sb);
-        if (i < 0) { 
-          /* If the state fails, put some crap in anyway */
-          RAND_add(&sb,sizeof(sb),0);
-          return(0);
-        }
+        /* If the state fails, put some crap in anyway */
+        RAND_add(&sb,sizeof(sb),0);
+        if (i < 0) return(0);
         if (bytes == 0) return(ret);
+
         in=fopen(file,"rb");
         if (in == NULL) goto err;
         if (sb.st_mode & (S_IFBLK | S_IFCHR)) {
@@ -218,12 +217,12 @@ err:
 
 const char *RAND_file_name(char *buf, size_t size)
         {
-        char *s = NULL;
+        char *s=NULL;
         int ok = 0;
         struct stat sb;
 
         if (issetugid() == 0)
-                s = getenv("RANDFILE");
+                s=getenv("RANDFILE");
         if (s != NULL && *s && strlen(s) + 1 < size)
                 {
                 strlcpy(buf,s,size);
@@ -272,4 +271,3 @@ const char *RAND_file_name(char *buf, size_t size)
 #endif
         return(buf);
         }
-
diff --git a/src/lib/libcrypto/util/domd b/src/lib/libcrypto/util/domd
index 8cbe383c16..aa99cb0523 100644
--- a/src/lib/libcrypto/util/domd
+++ b/src/lib/libcrypto/util/domd
@@ -18,11 +18,11 @@ if [ "$MAKEDEPEND" = "gcc" ]; then
     sed -e '/^# DO NOT DELETE.*/,$d' < Makefile.ssl > Makefile.tmp
     echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp
     gcc -D OPENSSL_DOING_MAKEDEPEND -M $@ >> Makefile.tmp
-    ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new
+    perl $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new
     rm -f Makefile.tmp
 else
     ${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND -f Makefile.ssl $@
-    ${PERL} $TOP/util/clean-depend.pl < Makefile.ssl > Makefile.new
+    perl $TOP/util/clean-depend.pl < Makefile.ssl > Makefile.new
 fi
 mv Makefile.new Makefile.ssl
 # unfake the presence of Kerberos
diff --git a/src/lib/libssl/crypto/Makefile b/src/lib/libssl/crypto/Makefile
index 15c310f2ee..490ce259c6 100644
--- a/src/lib/libssl/crypto/Makefile
+++ b/src/lib/libssl/crypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.25 2002/09/03 18:59:55 markus Exp $
+# $OpenBSD: Makefile,v 1.26 2002/09/05 22:12:11 markus Exp $
 
 LIB=    crypto
 
@@ -29,7 +29,7 @@ CFLAGS+= -DOPENSSL_NO_RC5 -DOPENSSL_NO_KRB5 -DSO_DLFCN -DHAVE_DLFCN_H
 CFLAGS+= -DNO_WINDOWS_BRAINDEATH
 CFLAGS+= -DOPENSSL_NO_HW_CSWIFT -DOPENSSL_NO_HW_NCIPHER -DOPENSSL_NO_HW_ATALLA
 CFLAGS+= -DOPENSSL_NO_HW_NURON -DOPENSSL_NO_HW_UBSEC -DOPENSSL_NO_HW_AEP
-CFLAGS+= -DOPENSSL_NO_HW_SUREWARE
+CFLAGS+= -DOPENSSL_NO_HW_SUREWARE -DOPENSSL_NO_HW_4758_CCA
 CFLAGS+= -I${.CURDIR}/../${SSLEAYDIST}
 CFLAGS+= -I${LCRYPTO_SRC}
 SRCS+= o_time.c
@@ -282,11 +282,13 @@ includes: obj_mac.h
 CFLAGS+= -I${.OBJDIR}
 
 GENERATED=obj_mac.h obj_dat.h
-CLEANFILES=${GENERATED}
+CLEANFILES=${GENERATED} obj_mac.num.tmp
 SSL_OBJECTS=${SSL_SRC}/crypto/objects
 
-obj_mac.h: ${SSL_OBJECTS}/objects.h
-        /usr/bin/perl ${SSL_OBJECTS}/objects.pl ${SSL_OBJECTS}/objects.txt ${SSL_OBJECTS}/obj_mac.num obj_mac.h
+obj_mac.h: ${SSL_OBJECTS}/objects.h ${SSL_OBJECTS}/obj_mac.num ${SSL_OBJECTS}/objects.txt
+        cat ${SSL_OBJECTS}/obj_mac.num > obj_mac.num.tmp
+        /usr/bin/perl ${SSL_OBJECTS}/objects.pl ${SSL_OBJECTS}/objects.txt obj_mac.num.tmp obj_mac.h
+
 obj_dat.h: obj_mac.h
         /usr/bin/perl ${SSL_OBJECTS}/obj_dat.pl obj_mac.h obj_dat.h
 
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index dfffed7165..cef8d4f81e 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -114,8 +114,6 @@
 
 
 #include <stdio.h>
-#include "ssl_locl.h"
-#include "kssl_lcl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
@@ -123,8 +121,10 @@
 #include <openssl/x509.h>
 #ifndef OPENSSL_NO_KRB5
 #include <openssl/krb5_asn.h>
+#include "kssl_lcl.h"
 #endif
 #include <openssl/md5.h>
+#include "ssl_locl.h"
 
 static SSL_METHOD *ssl3_get_server_method(int ver);
 static int ssl3_get_client_hello(SSL *s);
diff --git a/src/lib/libssl/src/Configure b/src/lib/libssl/src/Configure
index 0976f41f8d..986db2f614 100644
--- a/src/lib/libssl/src/Configure
+++ b/src/lib/libssl/src/Configure
@@ -366,6 +366,9 @@ my %table=(
 "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
 "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
 
+# assembler versions -- currently defunct:
+##"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer:::(unknown):SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:${alpha_asm}",
+
 # The intel boxes :-), It would be worth seeing if bsdi-gcc can use the
 # bn86-elf.o file file since it is hand tweaked assembler.
 "linux-elf",    "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
diff --git a/src/lib/libssl/src/Makefile.org b/src/lib/libssl/src/Makefile.org
index 799c370cb6..71c196b1e6 100644
--- a/src/lib/libssl/src/Makefile.org
+++ b/src/lib/libssl/src/Makefile.org
@@ -35,8 +35,6 @@ OPENSSLDIR=/usr/local/ssl
 # DEVRANDOM - Give this the value of the 'random device' if your OS supports
 #           one.  32 bytes will be read from this when the random
 #           number generator is initalised.
-# SSL_ALLOW_ADH - define if you want the server to be able to use the
-#           SSLv3 anon-DH ciphers.
 # SSL_FORBID_ENULL - define if you want the server to be not able to use the
 #           NULL encryption ciphers.
 #
@@ -734,21 +732,21 @@ install_docs:
                 fn=`basename $$i .pod`; \
                 if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
                 echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
-                (cd `$(PERL) util/dirname.pl $$i`; \
+                (cd `dirname $$i`; \
                 sh -c "`cd ../../util; ./pod2mantest ignore` \
                         --section=$$sec --center=OpenSSL \
                         --release=$(VERSION) `basename $$i`") \
-                        >  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec); \
+                        >  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
         done
         @for i in doc/crypto/*.pod doc/ssl/*.pod; do \
                 fn=`basename $$i .pod`; \
                 if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
                 echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
-                (cd `$(PERL) util/dirname.pl $$i`; \
+                (cd `dirname $$i`; \
                 sh -c "`cd ../../util; ./pod2mantest ignore` \
                         --section=$$sec --center=OpenSSL \
                         --release=$(VERSION) `basename $$i`") \
-                        >  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec); \
+                        >  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
         done
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/src/lib/libssl/src/apps/speed.c b/src/lib/libssl/src/apps/speed.c
index 3f55e26bdd..fea0ffe2cf 100644
--- a/src/lib/libssl/src/apps/speed.c
+++ b/src/lib/libssl/src/apps/speed.c
@@ -1627,7 +1627,7 @@ show_res:
 #endif
 #ifdef HZ
 #define as_string(s) (#s)
-                printf("HZ=%g", HZ);
+                printf("HZ=%g", (double)HZ);
 # ifdef _SC_CLK_TCK
                 printf(" [sysconf value]");
 # endif
diff --git a/src/lib/libssl/src/crypto/asn1/a_utctm.c b/src/lib/libssl/src/crypto/asn1/a_utctm.c
index dbb4a42c9d..ed2d827db2 100644
--- a/src/lib/libssl/src/crypto/asn1/a_utctm.c
+++ b/src/lib/libssl/src/crypto/asn1/a_utctm.c
@@ -222,7 +222,6 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
         {
         struct tm *tm;
-        struct tm data;
         int offset;
         int year;
 
@@ -239,7 +238,7 @@ int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
 
         t -= offset*60; /* FIXME: may overflow in extreme cases */
 
-        tm = OPENSSL_gmtime(&t, &data);
+        { struct tm data; tm = OPENSSL_gmtime(&t, &data); }
         
 #define return_cmp(a,b) if ((a)<(b)) return -1; else if ((a)>(b)) return 1
         year = g2(s->data);
diff --git a/src/lib/libssl/src/crypto/des/fcrypt.c b/src/lib/libssl/src/crypto/des/fcrypt.c
index 387d97f28d..2758c32656 100644
--- a/src/lib/libssl/src/crypto/des/fcrypt.c
+++ b/src/lib/libssl/src/crypto/des/fcrypt.c
@@ -1,5 +1,13 @@
 /* NOCW */
 #include <stdio.h>
+#ifdef _OSD_POSIX
+#ifndef CHARSET_EBCDIC
+#define CHARSET_EBCDIC 1
+#endif
+#endif
+#ifdef CHARSET_EBCDIC
+#include <openssl/ebcdic.h>
+#endif
 
 /* This version of crypt has been developed from my MIT compatible
  * DES library.
diff --git a/src/lib/libssl/src/crypto/des/read_pwd.c b/src/lib/libssl/src/crypto/des/read_pwd.c
index 54e0e2e6b6..00000190f8 100644
--- a/src/lib/libssl/src/crypto/des/read_pwd.c
+++ b/src/lib/libssl/src/crypto/des/read_pwd.c
@@ -211,7 +211,7 @@ static int noecho_fgets(char *buf, int size, FILE *tty);
 #endif
 static jmp_buf save;
 
-int _ossl_old_des_read_pw_string(char *buf, int length, const char *prompt,
+int des_read_pw_string(char *buf, int length, const char *prompt,
              int verify)
         {
         char buff[BUFSIZ];
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_key.c b/src/lib/libssl/src/crypto/dsa/dsa_key.c
index bf718c1c6d..ef87c3e637 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_key.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_key.c
@@ -64,8 +64,6 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 
-extern int      __BN_rand_range(BIGNUM *r, BIGNUM *range);
-
 int DSA_generate_key(DSA *dsa)
         {
         int ok=0;
@@ -82,7 +80,7 @@ int DSA_generate_key(DSA *dsa)
                 priv_key=dsa->priv_key;
 
         do
-                if (!__BN_rand_range(priv_key,dsa->q)) goto err;
+                if (!BN_rand_range(priv_key,dsa->q)) goto err;
         while (BN_is_zero(priv_key));
 
         if (dsa->pub_key == NULL)
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
index 07addc94d9..37dd5fc994 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
@@ -66,8 +66,6 @@
 #include <openssl/asn1.h>
 #include <openssl/engine.h>
 
-int     __BN_rand_range(BIGNUM *r, BIGNUM *range);
-
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
 static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
@@ -193,7 +191,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 
         /* Get random k */
         do
-                if (!__BN_rand_range(&k, dsa->q)) goto err;
+                if (!BN_rand_range(&k, dsa->q)) goto err;
         while (BN_is_zero(&k));
 
         if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
@@ -344,55 +342,3 @@ static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
 {
         return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
 }
-
-
-/* random number r:  0 <= r < range */
-int     __BN_rand_range(BIGNUM *r, BIGNUM *range)
-        {
-        int n;
-
-        if (range->neg || BN_is_zero(range))
-                {
-                /* BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE); */
-                return 0;
-                }
-
-        n = BN_num_bits(range); /* n > 0 */
-
-        if (n == 1)
-                {
-                if (!BN_zero(r)) return 0;
-                }
-        else if (BN_is_bit_set(range, n - 2))
-                {
-                do
-                        {
-                        /* range = 11..._2, so each iteration succeeds with probability >= .75 */
-                        if (!BN_rand(r, n, -1, 0)) return 0;
-                        }
-                while (BN_cmp(r, range) >= 0);
-                }
-        else
-                {
-                /* range = 10..._2,
-                 * so  3*range (= 11..._2)  is exactly one bit longer than  range */
-                do
-                        {
-                        if (!BN_rand(r, n + 1, -1, 0)) return 0;
-                        /* If  r < 3*range,  use  r := r MOD range
-                         * (which is either  r, r - range,  or  r - 2*range).
-                         * Otherwise, iterate once more.
-                         * Since  3*range = 11..._2, each iteration succeeds with
-                         * probability >= .75. */
-                        if (BN_cmp(r ,range) >= 0)
-                                {
-                                if (!BN_sub(r, r, range)) return 0;
-                                if (BN_cmp(r, range) >= 0)
-                                        if (!BN_sub(r, r, range)) return 0;
-                                }
-                        }
-                while (BN_cmp(r, range) >= 0);
-                }
-
-        return 1;
-        }
diff --git a/src/lib/libssl/src/crypto/engine/Makefile.ssl b/src/lib/libssl/src/crypto/engine/Makefile.ssl
index 8ee3b7d2dd..5172028f93 100644
--- a/src/lib/libssl/src/crypto/engine/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/engine/Makefile.ssl
@@ -74,7 +74,7 @@ tags:
 
 errors:
         $(PERL) $(TOP)/util/mkerr.pl -conf hw.ec \
-                -nostatic -staticloader -write hw_*.c
+                -nostatic -staticloader -write hw_*.c; \
 
 tests:
 
diff --git a/src/lib/libssl/src/crypto/engine/eng_all.c b/src/lib/libssl/src/crypto/engine/eng_all.c
index a35b3db9e8..bc50465422 100644
--- a/src/lib/libssl/src/crypto/engine/eng_all.c
+++ b/src/lib/libssl/src/crypto/engine/eng_all.c
@@ -96,6 +96,9 @@ void ENGINE_load_builtin_engines(void)
 #ifndef OPENSSL_NO_HW_SUREWARE
         ENGINE_load_sureware();
 #endif
+#ifndef OPENSSL_NO_HW_4758_CCA
+        ENGINE_load_4758cca();
+#endif
 #ifdef OPENSSL_OPENBSD_DEV_CRYPTO
         ENGINE_load_openbsd_dev_crypto();
 #endif
@@ -114,5 +117,3 @@ void ENGINE_setup_openbsd(void) {
         openbsd_default_loaded=1;
 }
 #endif
-
-
diff --git a/src/lib/libssl/src/crypto/engine/engine.h b/src/lib/libssl/src/crypto/engine/engine.h
index 97f5de9e12..fd17ff616d 100644
--- a/src/lib/libssl/src/crypto/engine/engine.h
+++ b/src/lib/libssl/src/crypto/engine/engine.h
@@ -312,7 +312,7 @@ void ENGINE_load_builtin_engines(void);
 #ifdef __OpenBSD__
 void ENGINE_load_cryptodev(void);
 #endif  
-        
+
 /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
  * "registry" handling. */
 unsigned int ENGINE_get_table_flags(void);
diff --git a/src/lib/libssl/src/crypto/evp/evp_test.c b/src/lib/libssl/src/crypto/evp/evp_test.c
index 90294ef686..1bfffb34cf 100644
--- a/src/lib/libssl/src/crypto/evp/evp_test.c
+++ b/src/lib/libssl/src/crypto/evp/evp_test.c
@@ -118,7 +118,7 @@ static char *sstrsep(char **string, const char *delim)
     }
 
 static unsigned char *ustrsep(char **p,const char *sep)
-    { return (unsigned char *)sstrsep(p,sep); }
+    { return (unsigned char *)sstrsep((char **)p,sep); }
 
 static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
                   const unsigned char *iv,int in,
@@ -358,7 +358,7 @@ int main(int argc,char **argv)
             p[-1] = '\0';
             encdec = -1;
         } else {
-            encdec = atoi(sstrsep(&p,"\n"));
+            encdec = atoi(strsep(&p,"\n"));
         }
               
 
diff --git a/src/lib/libssl/src/crypto/objects/Makefile.ssl b/src/lib/libssl/src/crypto/objects/Makefile.ssl
index 1e990107d3..a9f01ffc0d 100644
--- a/src/lib/libssl/src/crypto/objects/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/objects/Makefile.ssl
@@ -15,6 +15,7 @@ MAKEDEPPROG=	makedepend
 MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
+PERL=           perl
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 
diff --git a/src/lib/libssl/src/crypto/objects/obj_dat.pl b/src/lib/libssl/src/crypto/objects/obj_dat.pl
index 85ab209809..d0371661f9 100644
--- a/src/lib/libssl/src/crypto/objects/obj_dat.pl
+++ b/src/lib/libssl/src/crypto/objects/obj_dat.pl
@@ -1,4 +1,7 @@
 #!/usr/local/bin/perl
+
+# fixes bug in floating point emulation on sparc64 when
+# this script produces off-by-one output on sparc64
 use integer;
 
 sub obj_cmp
diff --git a/src/lib/libssl/src/crypto/rand/randfile.c b/src/lib/libssl/src/crypto/rand/randfile.c
index 4b221e08f5..1c3e68ef31 100644
--- a/src/lib/libssl/src/crypto/rand/randfile.c
+++ b/src/lib/libssl/src/crypto/rand/randfile.c
@@ -99,12 +99,11 @@ int RAND_load_file(const char *file, long bytes)
         if (file == NULL) return(0);
 
         i=stat(file,&sb);
-        if (i < 0) { 
-          /* If the state fails, put some crap in anyway */
-          RAND_add(&sb,sizeof(sb),0);
-          return(0);
-        }
+        /* If the state fails, put some crap in anyway */
+        RAND_add(&sb,sizeof(sb),0);
+        if (i < 0) return(0);
         if (bytes == 0) return(ret);
+
         in=fopen(file,"rb");
         if (in == NULL) goto err;
         if (sb.st_mode & (S_IFBLK | S_IFCHR)) {
@@ -218,12 +217,12 @@ err:
 
 const char *RAND_file_name(char *buf, size_t size)
         {
-        char *s = NULL;
+        char *s=NULL;
         int ok = 0;
         struct stat sb;
 
         if (issetugid() == 0)
-                s = getenv("RANDFILE");
+                s=getenv("RANDFILE");
         if (s != NULL && *s && strlen(s) + 1 < size)
                 {
                 strlcpy(buf,s,size);
@@ -272,4 +271,3 @@ const char *RAND_file_name(char *buf, size_t size)
 #endif
         return(buf);
         }
-
diff --git a/src/lib/libssl/src/demos/easy_tls/Makefile b/src/lib/libssl/src/demos/easy_tls/Makefile
index fd3c246ef4..32a79c4cc9 100644
--- a/src/lib/libssl/src/demos/easy_tls/Makefile
+++ b/src/lib/libssl/src/demos/easy_tls/Makefile
@@ -1,5 +1,5 @@
 # Makefile for easy-tls example application (rudimentary client and server)
-# $Id: Makefile,v 1.1 2002/05/15 02:29:18 beck Exp $
+# $Id: Makefile,v 1.2 2002/09/05 22:12:11 markus Exp $
 
 SOLARIS_CFLAGS=-Wall -pedantic -g -O2
 SOLARIS_LIBS=-lxnet
diff --git a/src/lib/libssl/src/demos/easy_tls/cacerts.pem b/src/lib/libssl/src/demos/easy_tls/cacerts.pem
index 0b1c91f95e..036e3c3dc0 100644
--- a/src/lib/libssl/src/demos/easy_tls/cacerts.pem
+++ b/src/lib/libssl/src/demos/easy_tls/cacerts.pem
@@ -1,4 +1,4 @@
-$Id: cacerts.pem,v 1.1 2002/05/15 02:29:18 beck Exp $
+$Id: cacerts.pem,v 1.2 2002/09/05 22:12:11 markus Exp $
 
 issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
 subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
diff --git a/src/lib/libssl/src/demos/easy_tls/cert.pem b/src/lib/libssl/src/demos/easy_tls/cert.pem
index d4d19d9ad1..ab38de65e7 100644
--- a/src/lib/libssl/src/demos/easy_tls/cert.pem
+++ b/src/lib/libssl/src/demos/easy_tls/cert.pem
@@ -1,4 +1,4 @@
-$Id: cert.pem,v 1.1 2002/05/15 02:29:18 beck Exp $
+$Id: cert.pem,v 1.2 2002/09/05 22:12:11 markus Exp $
 
 Example certificate and key.
 
diff --git a/src/lib/libssl/src/demos/easy_tls/easy-tls.c b/src/lib/libssl/src/demos/easy_tls/easy-tls.c
index 9fa0ef9a6b..70f7ae3c11 100644
--- a/src/lib/libssl/src/demos/easy_tls/easy-tls.c
+++ b/src/lib/libssl/src/demos/easy_tls/easy-tls.c
@@ -1,7 +1,7 @@
 /* -*- Mode: C; c-file-style: "bsd" -*- */
 /*
  * easy-tls.c -- generic TLS proxy.
- * $Id: easy-tls.c,v 1.1 2002/05/15 02:29:18 beck Exp $
+ * $Id: easy-tls.c,v 1.2 2002/09/05 22:12:11 markus Exp $
  */
 /*
  (c) Copyright 1999 Bodo Moeller.  All rights reserved.
@@ -73,7 +73,7 @@
  */
 
 static char const rcsid[] =
-"$Id: easy-tls.c,v 1.1 2002/05/15 02:29:18 beck Exp $";
+"$Id: easy-tls.c,v 1.2 2002/09/05 22:12:11 markus Exp $";
 
 #include <assert.h>
 #include <errno.h>
@@ -567,8 +567,13 @@ no_passphrase_callback(char *buf, int num, int w, void *arg)
     return -1;
 }
 
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
 static int
 verify_dont_fail_cb(X509_STORE_CTX *c, void *unused_arg)
+#else
+static int
+verify_dont_fail_cb(X509_STORE_CTX *c)
+#endif
 {
     int i;
     
diff --git a/src/lib/libssl/src/demos/easy_tls/easy-tls.h b/src/lib/libssl/src/demos/easy_tls/easy-tls.h
index 0cfbd8fe7b..3133200443 100644
--- a/src/lib/libssl/src/demos/easy_tls/easy-tls.h
+++ b/src/lib/libssl/src/demos/easy_tls/easy-tls.h
@@ -1,7 +1,7 @@
 /* -*- Mode: C; c-file-style: "bsd" -*- */
 /*
  * easy-tls.h -- generic TLS proxy.
- * $Id: easy-tls.h,v 1.1 2002/05/15 02:29:18 beck Exp $
+ * $Id: easy-tls.h,v 1.2 2002/09/05 22:12:11 markus Exp $
  */
 /*
  * (c) Copyright 1999 Bodo Moeller.  All rights reserved.
diff --git a/src/lib/libssl/src/demos/easy_tls/test.c b/src/lib/libssl/src/demos/easy_tls/test.c
index 4ce676ca93..f86141d1d8 100644
--- a/src/lib/libssl/src/demos/easy_tls/test.c
+++ b/src/lib/libssl/src/demos/easy_tls/test.c
@@ -1,5 +1,5 @@
 /* test.c */
-/* $Id: test.c,v 1.1 2002/05/15 02:29:18 beck Exp $ */
+/* $Id: test.c,v 1.2 2002/09/05 22:12:11 markus Exp $ */
 
 #define L_PORT 9999
 #define C_PORT 443
diff --git a/src/lib/libssl/src/demos/easy_tls/test.h b/src/lib/libssl/src/demos/easy_tls/test.h
index c580169464..575391c00b 100644
--- a/src/lib/libssl/src/demos/easy_tls/test.h
+++ b/src/lib/libssl/src/demos/easy_tls/test.h
@@ -1,5 +1,5 @@
 /* test.h */
-/* $Id: test.h,v 1.1 2002/05/15 02:29:18 beck Exp $ */
+/* $Id: test.h,v 1.2 2002/09/05 22:12:11 markus Exp $ */
 
 
 void test_process_init(int fd, int client_p, void *apparg);
diff --git a/src/lib/libssl/src/doc/crypto/des_modes.pod b/src/lib/libssl/src/doc/crypto/des_modes.pod
index dc17942f97..0cc22150e7 100644
--- a/src/lib/libssl/src/doc/crypto/des_modes.pod
+++ b/src/lib/libssl/src/doc/crypto/des_modes.pod
@@ -204,8 +204,8 @@ just one key.
 =item *
 
 If the first and last key are the same, the key length is 112 bits.
-There are attacks that could reduce the key space to 55 bit's but it
-requires 2^56 blocks of memory.
+There are attacks that could reduce the effective key strength
+to only slightly more than 56 bits, but these require a lot of memory.
 
 =item *
 
diff --git a/src/lib/libssl/src/e_os.h b/src/lib/libssl/src/e_os.h
index 055c1b0e29..f216936e18 100644
--- a/src/lib/libssl/src/e_os.h
+++ b/src/lib/libssl/src/e_os.h
@@ -79,7 +79,7 @@ extern "C" {
 #ifndef DEVRANDOM
 /* set this to a comma-separated list of 'random' device files to try out.
  * My default, we will try to read at least one of these files */
-#define DEVRANDOM  "/dev/arandom","/dev/urandom","/dev/random","/dev/srandom"
+#define DEVRANDOM "/dev/urandom","/dev/random","/dev/srandom"
 #endif
 #ifndef DEVRANDOM_EGD
 /* set this to a comma-seperated list of 'egd' sockets to try out. These
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index dfffed7165..cef8d4f81e 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -114,8 +114,6 @@
 
 
 #include <stdio.h>
-#include "ssl_locl.h"
-#include "kssl_lcl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
@@ -123,8 +121,10 @@
 #include <openssl/x509.h>
 #ifndef OPENSSL_NO_KRB5
 #include <openssl/krb5_asn.h>
+#include "kssl_lcl.h"
 #endif
 #include <openssl/md5.h>
+#include "ssl_locl.h"
 
 static SSL_METHOD *ssl3_get_server_method(int ver);
 static int ssl3_get_client_hello(SSL *s);
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index 0029edc3a6..6afb0f4cdf 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -116,7 +116,7 @@
 #include <string.h>
 #include <errno.h>
 
-#include <e_os.h> 
+#include "e_os.h"
 
 #include <openssl/buffer.h>
 #include <openssl/comp.h>
diff --git a/src/lib/libssl/src/test/Makefile.ssl b/src/lib/libssl/src/test/Makefile.ssl
index 952ab16371..49f2cc9a23 100644
--- a/src/lib/libssl/src/test/Makefile.ssl
+++ b/src/lib/libssl/src/test/Makefile.ssl
@@ -14,6 +14,7 @@ MAKEFILE=	Makefile.ssl
 MAKE=           make -f $(MAKEFILE)
 MAKEDEPPROG=    makedepend
 MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
+PERL=           perl
 
 PEX_LIBS=
 EX_LIBS= #-lnsl -lsocket
@@ -234,7 +235,7 @@ test_gen:
         @echo "Generate and verify a certificate request"
         @sh ./testgen
 
-test_ss:
+test_ss keyU.ss certU.ss certCA.ss: testss
         @echo "Generate and certify a test certificate"
         @sh ./testss
 
@@ -242,13 +243,17 @@ test_engine:
         @echo "Manipulate the ENGINE structures"
         ./$(ENGINETEST)
 
-test_ssl:
+test_ssl: keyU.ss certU.ss certCA.ss
         @echo "test SSL protocol"
-        @sh ./testssl
+        @sh ./testssl keyU.ss certU.ss certCA.ss
 
 test_ca:
-        @echo "Generate and certify a test certificate via the 'ca' program"
-        @sh ./testca
+        @if ../apps/openssl no-rsa; then \
+          echo "skipping CA.sh test -- requires RSA"; \
+        else \
+          echo "Generate and certify a test certificate via the 'ca' program"; \
+          sh ./testca; \
+        fi
 
 test_rd: #$(RDTEST)
 #       @echo "test Rijndael"
diff --git a/src/lib/libssl/src/util/domd b/src/lib/libssl/src/util/domd
index 8cbe383c16..aa99cb0523 100644
--- a/src/lib/libssl/src/util/domd
+++ b/src/lib/libssl/src/util/domd
@@ -18,11 +18,11 @@ if [ "$MAKEDEPEND" = "gcc" ]; then
     sed -e '/^# DO NOT DELETE.*/,$d' < Makefile.ssl > Makefile.tmp
     echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp
     gcc -D OPENSSL_DOING_MAKEDEPEND -M $@ >> Makefile.tmp
-    ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new
+    perl $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new
     rm -f Makefile.tmp
 else
     ${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND -f Makefile.ssl $@
-    ${PERL} $TOP/util/clean-depend.pl < Makefile.ssl > Makefile.new
+    perl $TOP/util/clean-depend.pl < Makefile.ssl > Makefile.new
 fi
 mv Makefile.new Makefile.ssl
 # unfake the presence of Kerberos
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 0029edc3a6..6afb0f4cdf 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -116,7 +116,7 @@
 #include <string.h>
 #include <errno.h>
 
-#include <e_os.h> 
+#include "e_os.h"
 
 #include <openssl/buffer.h>
 #include <openssl/comp.h>
diff --git a/src/lib/libssl/test/Makefile.ssl b/src/lib/libssl/test/Makefile.ssl
index 952ab16371..49f2cc9a23 100644
--- a/src/lib/libssl/test/Makefile.ssl
+++ b/src/lib/libssl/test/Makefile.ssl
@@ -14,6 +14,7 @@ MAKEFILE=	Makefile.ssl
 MAKE=           make -f $(MAKEFILE)
 MAKEDEPPROG=    makedepend
 MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
+PERL=           perl
 
 PEX_LIBS=
 EX_LIBS= #-lnsl -lsocket
@@ -234,7 +235,7 @@ test_gen:
         @echo "Generate and verify a certificate request"
         @sh ./testgen
 
-test_ss:
+test_ss keyU.ss certU.ss certCA.ss: testss
         @echo "Generate and certify a test certificate"
         @sh ./testss
 
@@ -242,13 +243,17 @@ test_engine:
         @echo "Manipulate the ENGINE structures"
         ./$(ENGINETEST)
 
-test_ssl:
+test_ssl: keyU.ss certU.ss certCA.ss
         @echo "test SSL protocol"
-        @sh ./testssl
+        @sh ./testssl keyU.ss certU.ss certCA.ss
 
 test_ca:
-        @echo "Generate and certify a test certificate via the 'ca' program"
-        @sh ./testca
+        @if ../apps/openssl no-rsa; then \
+          echo "skipping CA.sh test -- requires RSA"; \
+        else \
+          echo "Generate and certify a test certificate via the 'ca' program"; \
+          sh ./testca; \
+        fi
 
 test_rd: #$(RDTEST)
 #       @echo "test Rijndael"