54 files changed, 1083 insertions, 343 deletions

diff --git a/src/lib/libcrypto/asn1/asn_mime.c b/src/lib/libcrypto/asn1/asn_mime.c
index fe7c4ec7ab..bc80b20d63 100644
--- a/src/lib/libcrypto/asn1/asn_mime.c
+++ b/src/lib/libcrypto/asn1/asn_mime.c
@@ -526,6 +526,8 @@ int SMIME_text(BIO *in, BIO *out)
         sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
         while ((len = BIO_read(in, iobuf, sizeof(iobuf))) > 0)
                                                 BIO_write(out, iobuf, len);
+        if (len < 0)
+                return 0;
         return 1;
 }
 
diff --git a/src/lib/libcrypto/asn1/t_x509.c b/src/lib/libcrypto/asn1/t_x509.c
index 26d3361722..cb76c32c8d 100644
--- a/src/lib/libcrypto/asn1/t_x509.c
+++ b/src/lib/libcrypto/asn1/t_x509.c
@@ -393,8 +393,9 @@ int ASN1_GENERALIZEDTIME_print(BIO *bp, ASN1_GENERALIZEDTIME *tm)
         d= (v[6]-'0')*10+(v[7]-'0');
         h= (v[8]-'0')*10+(v[9]-'0');
         m=  (v[10]-'0')*10+(v[11]-'0');
-        if (    (v[12] >= '0') && (v[12] <= '9') &&
-                (v[13] >= '0') && (v[13] <= '9'))
+        if (i >= 14 &&
+            (v[12] >= '0') && (v[12] <= '9') &&
+            (v[13] >= '0') && (v[13] <= '9'))
                 s=  (v[12]-'0')*10+(v[13]-'0');
 
         if (BIO_printf(bp,"%s %2d %02d:%02d:%02d %d%s",
@@ -428,8 +429,9 @@ int ASN1_UTCTIME_print(BIO *bp, ASN1_UTCTIME *tm)
         d= (v[4]-'0')*10+(v[5]-'0');
         h= (v[6]-'0')*10+(v[7]-'0');
         m=  (v[8]-'0')*10+(v[9]-'0');
-        if (    (v[10] >= '0') && (v[10] <= '9') &&
-                (v[11] >= '0') && (v[11] <= '9'))
+        if (i >=12 &&
+            (v[10] >= '0') && (v[10] <= '9') &&
+            (v[11] >= '0') && (v[11] <= '9'))
                 s=  (v[10]-'0')*10+(v[11]-'0');
 
         if (BIO_printf(bp,"%s %2d %02d:%02d:%02d %d%s",
@@ -501,4 +503,3 @@ err:
         OPENSSL_free(b);
         return(ret);
         }
-
diff --git a/src/lib/libcrypto/bio/bss_dgram.c b/src/lib/libcrypto/bio/bss_dgram.c
index ea2c3fff63..c3da6dc82f 100644
--- a/src/lib/libcrypto/bio/bss_dgram.c
+++ b/src/lib/libcrypto/bio/bss_dgram.c
@@ -82,7 +82,7 @@ static int dgram_new(BIO *h);
 static int dgram_free(BIO *data);
 static int dgram_clear(BIO *bio);
 
-int BIO_dgram_should_retry(int s);
+static int BIO_dgram_should_retry(int s);
 
 static BIO_METHOD methods_dgramp=
         {
@@ -345,30 +345,90 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 
         memcpy(&(data->peer), to, sizeof(struct sockaddr));
         break;
+#if defined(SO_RCVTIMEO)
         case BIO_CTRL_DGRAM_SET_RECV_TIMEOUT:
+#ifdef OPENSSL_SYS_WINDOWS
+                {
+                struct timeval *tv = (struct timeval *)ptr;
+                int timeout = tv->tv_sec * 1000 + tv->tv_usec/1000;
+                if (setsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
+                        (void*)&timeout, sizeof(timeout)) < 0)
+                        { perror("setsockopt"); ret = -1; }
+                }
+#else
                 if ( setsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, ptr,
                         sizeof(struct timeval)) < 0)
                         { perror("setsockopt"); ret = -1; }
+#endif
                 break;
         case BIO_CTRL_DGRAM_GET_RECV_TIMEOUT:
+#ifdef OPENSSL_SYS_WINDOWS
+                {
+                int timeout, sz = sizeof(timeout);
+                struct timeval *tv = (struct timeval *)ptr;
+                if (getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
+                        (void*)&timeout, &sz) < 0)
+                        { perror("getsockopt"); ret = -1; }
+                else
+                        {
+                        tv->tv_sec = timeout / 1000;
+                        tv->tv_usec = (timeout % 1000) * 1000;
+                        ret = sizeof(*tv);
+                        }
+                }
+#else
                 if ( getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, 
                         ptr, (void *)&ret) < 0)
                         { perror("getsockopt"); ret = -1; }
+#endif
                 break;
+#endif
+#if defined(SO_SNDTIMEO)
         case BIO_CTRL_DGRAM_SET_SEND_TIMEOUT:
+#ifdef OPENSSL_SYS_WINDOWS
+                {
+                struct timeval *tv = (struct timeval *)ptr;
+                int timeout = tv->tv_sec * 1000 + tv->tv_usec/1000;
+                if (setsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO,
+                        (void*)&timeout, sizeof(timeout)) < 0)
+                        { perror("setsockopt"); ret = -1; }
+                }
+#else
                 if ( setsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO, ptr,
                         sizeof(struct timeval)) < 0)
                         { perror("setsockopt"); ret = -1; }
+#endif
                 break;
         case BIO_CTRL_DGRAM_GET_SEND_TIMEOUT:
+#ifdef OPENSSL_SYS_WINDOWS
+                {
+                int timeout, sz = sizeof(timeout);
+                struct timeval *tv = (struct timeval *)ptr;
+                if (getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO,
+                        (void*)&timeout, &sz) < 0)
+                        { perror("getsockopt"); ret = -1; }
+                else
+                        {
+                        tv->tv_sec = timeout / 1000;
+                        tv->tv_usec = (timeout % 1000) * 1000;
+                        ret = sizeof(*tv);
+                        }
+                }
+#else
                 if ( getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO, 
                         ptr, (void *)&ret) < 0)
                         { perror("getsockopt"); ret = -1; }
+#endif
                 break;
+#endif
         case BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP:
                 /* fall-through */
         case BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP:
+#ifdef OPENSSL_SYS_WINDOWS
+                if ( data->_errno == WSAETIMEDOUT)
+#else
                 if ( data->_errno == EAGAIN)
+#endif
                         {
                         ret = 1;
                         data->_errno = 0;
@@ -403,7 +463,7 @@ static int dgram_puts(BIO *bp, const char *str)
         return(ret);
         }
 
-int BIO_dgram_should_retry(int i)
+static int BIO_dgram_should_retry(int i)
         {
         int err;
 
diff --git a/src/lib/libcrypto/bn/Makefile b/src/lib/libcrypto/bn/Makefile
index e97c751390..0491e3db4c 100644
--- a/src/lib/libcrypto/bn/Makefile
+++ b/src/lib/libcrypto/bn/Makefile
@@ -116,6 +116,7 @@ linux_ppc64.s: asm/ppc.pl;	$(PERL) $< $@
 aix_ppc32.s: asm/ppc.pl;        $(PERL) asm/ppc.pl $@
 aix_ppc64.s: asm/ppc.pl;        $(PERL) asm/ppc.pl $@
 osx_ppc32.s: asm/ppc.pl;        $(PERL) $< $@
+osx_ppc64.s: asm/ppc.pl;        $(PERL) $< $@
 
 files:
         $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
diff --git a/src/lib/libcrypto/bn/bn_div.c b/src/lib/libcrypto/bn/bn_div.c
index 8655eb118e..1e8e57626b 100644
--- a/src/lib/libcrypto/bn/bn_div.c
+++ b/src/lib/libcrypto/bn/bn_div.c
@@ -187,6 +187,17 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
         BN_ULONG d0,d1;
         int num_n,div_n;
 
+        /* Invalid zero-padding would have particularly bad consequences
+         * in the case of 'num', so don't just rely on bn_check_top() for this one
+         * (bn_check_top() works only for BN_DEBUG builds) */
+        if (num->top > 0 && num->d[num->top - 1] == 0)
+                {
+                BNerr(BN_F_BN_DIV,BN_R_NOT_INITIALIZED);
+                return 0;
+                }
+
+        bn_check_top(num);
+
         if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0))
                 {
                 return BN_div_no_branch(dv, rm, num, divisor, ctx);
@@ -194,7 +205,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 
         bn_check_top(dv);
         bn_check_top(rm);
-        bn_check_top(num);
+        /* bn_check_top(num); */ /* 'num' has been checked already */
         bn_check_top(divisor);
 
         if (BN_is_zero(divisor))
@@ -419,7 +430,7 @@ static int BN_div_no_branch(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
 
         bn_check_top(dv);
         bn_check_top(rm);
-        bn_check_top(num);
+        /* bn_check_top(num); */ /* 'num' has been checked in BN_div() */
         bn_check_top(divisor);
 
         if (BN_is_zero(divisor))
diff --git a/src/lib/libcrypto/bn/bn_gf2m.c b/src/lib/libcrypto/bn/bn_gf2m.c
index 6a793857e1..306f029f27 100644
--- a/src/lib/libcrypto/bn/bn_gf2m.c
+++ b/src/lib/libcrypto/bn/bn_gf2m.c
@@ -384,7 +384,11 @@ int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[])
                 if (zz == 0) break;
                 d1 = BN_BITS2 - d0;
                 
-                if (d0) z[dN] = (z[dN] << d1) >> d1; /* clear up the top d1 bits */
+                /* clear up the top d1 bits */
+                if (d0)
+                        z[dN] = (z[dN] << d1) >> d1;
+                else
+                        z[dN] = 0;
                 z[0] ^= zz; /* reduction t^0 component */
 
                 for (k = 1; p[k] != 0; k++)
diff --git a/src/lib/libcrypto/bn/bn_nist.c b/src/lib/libcrypto/bn/bn_nist.c
index e14232fdbb..1fc94f55c3 100644
--- a/src/lib/libcrypto/bn/bn_nist.c
+++ b/src/lib/libcrypto/bn/bn_nist.c
@@ -59,6 +59,7 @@
 #include "bn_lcl.h"
 #include "cryptlib.h"
 
+
 #define BN_NIST_192_TOP (192+BN_BITS2-1)/BN_BITS2
 #define BN_NIST_224_TOP (224+BN_BITS2-1)/BN_BITS2
 #define BN_NIST_256_TOP (256+BN_BITS2-1)/BN_BITS2
@@ -101,60 +102,98 @@ static const BN_ULONG _nist_p_521[] = {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
         0xFFFFFFFF,0x000001FF};
 #endif
 
+
+static const BIGNUM _bignum_nist_p_192 =
+        {
+        (BN_ULONG *)_nist_p_192,
+        BN_NIST_192_TOP,
+        BN_NIST_192_TOP,
+        0,
+        BN_FLG_STATIC_DATA
+        };
+
+static const BIGNUM _bignum_nist_p_224 =
+        {
+        (BN_ULONG *)_nist_p_224,
+        BN_NIST_224_TOP,
+        BN_NIST_224_TOP,
+        0,
+        BN_FLG_STATIC_DATA
+        };
+
+static const BIGNUM _bignum_nist_p_256 =
+        {
+        (BN_ULONG *)_nist_p_256,
+        BN_NIST_256_TOP,
+        BN_NIST_256_TOP,
+        0,
+        BN_FLG_STATIC_DATA
+        };
+
+static const BIGNUM _bignum_nist_p_384 =
+        {
+        (BN_ULONG *)_nist_p_384,
+        BN_NIST_384_TOP,
+        BN_NIST_384_TOP,
+        0,
+        BN_FLG_STATIC_DATA
+        };
+
+static const BIGNUM _bignum_nist_p_521 =
+        {
+        (BN_ULONG *)_nist_p_521,
+        BN_NIST_521_TOP,
+        BN_NIST_521_TOP,
+        0,
+        BN_FLG_STATIC_DATA
+        };
+
+
 const BIGNUM *BN_get0_nist_prime_192(void)
         {
-        static BIGNUM const_nist_192 = { (BN_ULONG *)_nist_p_192,
-                BN_NIST_192_TOP, BN_NIST_192_TOP, 0, BN_FLG_STATIC_DATA };
-        return &const_nist_192;
+        return &_bignum_nist_p_192;
         }
 
 const BIGNUM *BN_get0_nist_prime_224(void)
         {
-        static BIGNUM const_nist_224 = { (BN_ULONG *)_nist_p_224,
-                BN_NIST_224_TOP, BN_NIST_224_TOP, 0, BN_FLG_STATIC_DATA };
-        return &const_nist_224;
+        return &_bignum_nist_p_224;
         }
 
 const BIGNUM *BN_get0_nist_prime_256(void)
         {
-        static BIGNUM const_nist_256 = { (BN_ULONG *)_nist_p_256,
-                BN_NIST_256_TOP, BN_NIST_256_TOP, 0, BN_FLG_STATIC_DATA };
-        return &const_nist_256;
+        return &_bignum_nist_p_256;
         }
 
 const BIGNUM *BN_get0_nist_prime_384(void)
         {
-        static BIGNUM const_nist_384 = { (BN_ULONG *)_nist_p_384,
-                BN_NIST_384_TOP, BN_NIST_384_TOP, 0, BN_FLG_STATIC_DATA };
-        return &const_nist_384;
+        return &_bignum_nist_p_384;
         }
 
 const BIGNUM *BN_get0_nist_prime_521(void)
         {
-        static BIGNUM const_nist_521 = { (BN_ULONG *)_nist_p_521,
-                BN_NIST_521_TOP, BN_NIST_521_TOP, 0, BN_FLG_STATIC_DATA };
-        return &const_nist_521;
+        return &_bignum_nist_p_521;
         }
 
-#define BN_NIST_ADD_ONE(a)      while (!(*(a)=(*(a)+1)&BN_MASK2)) ++(a);
 
 static void nist_cp_bn_0(BN_ULONG *buf, BN_ULONG *a, int top, int max)
-        {
+        {
         int i;
-        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
-        for (i = (top); i != 0; i--)
-                *_tmp1++ = *_tmp2++;
-        for (i = (max) - (top); i != 0; i--)
-                *_tmp1++ = (BN_ULONG) 0;
-        }
+        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
+
+        OPENSSL_assert(top <= max);
+        for (i = (top); i != 0; i--)
+                *_tmp1++ = *_tmp2++;
+        for (i = (max) - (top); i != 0; i--)
+                *_tmp1++ = (BN_ULONG) 0;
+        }
 
 static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
-        { 
+        { 
         int i;
-        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
-        for (i = (top); i != 0; i--)
-                *_tmp1++ = *_tmp2++;
-        }
+        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
+        for (i = (top); i != 0; i--)
+                *_tmp1++ = *_tmp2++;
+        }
 
 #if BN_BITS2 == 64
 #define bn_cp_64(to, n, from, m)        (to)[n] = (m>=0)?((from)[m]):0;
@@ -199,6 +238,11 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                 *res;
         size_t   mask;
 
+        field = &_bignum_nist_p_192; /* just to make sure */
+
+        if (BN_is_negative(a) || a->top > 2*BN_NIST_192_TOP)
+                return BN_nnmod(r, field, a, ctx);
+
         i = BN_ucmp(field, a);
         if (i == 0)
                 {
@@ -208,9 +252,6 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         else if (i > 0)
                 return (r == a) ? 1 : (BN_copy(r ,a) != NULL);
 
-        if (top == BN_NIST_192_TOP)
-                return BN_usub(r, a, field);
-
         if (r != a)
                 {
                 if (!bn_wexpand(r, BN_NIST_192_TOP))
@@ -245,6 +286,11 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         r->top = BN_NIST_192_TOP;
         bn_correct_top(r);
 
+        if (BN_ucmp(field, r) <= 0)
+                {
+                if (!BN_usub(r, r, field)) return 0;
+                }
+
         return 1;
         }
 
@@ -272,6 +318,11 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                 *res;
         size_t   mask;
 
+        field = &_bignum_nist_p_224; /* just to make sure */
+
+        if (BN_is_negative(a) || a->top > 2*BN_NIST_224_TOP)
+                return BN_nnmod(r, field, a, ctx);
+
         i = BN_ucmp(field, a);
         if (i == 0)
                 {
@@ -281,9 +332,6 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         else if (i > 0)
                 return (r == a)? 1 : (BN_copy(r ,a) != NULL);
 
-        if (top == BN_NIST_224_TOP)
-                return BN_usub(r, a, field);
-
         if (r != a)
                 {
                 if (!bn_wexpand(r, BN_NIST_224_TOP))
@@ -333,6 +381,11 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         r->top = BN_NIST_224_TOP;
         bn_correct_top(r);
 
+        if (BN_ucmp(field, r) <= 0)
+                {
+                if (!BN_usub(r, r, field)) return 0;
+                }
+
         return 1;
 #else   /* BN_BITS!=32 */
         return 0;
@@ -364,6 +417,11 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                 *res;
         size_t   mask;
 
+        field = &_bignum_nist_p_256; /* just to make sure */
+
+        if (BN_is_negative(a) || a->top > 2*BN_NIST_256_TOP)
+                return BN_nnmod(r, field, a, ctx);
+
         i = BN_ucmp(field, a);
         if (i == 0)
                 {
@@ -373,9 +431,6 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         else if (i > 0)
                 return (r == a)? 1 : (BN_copy(r ,a) != NULL);
 
-        if (top == BN_NIST_256_TOP)
-                return BN_usub(r, a, field);
-
         if (r != a)
                 {
                 if (!bn_wexpand(r, BN_NIST_256_TOP))
@@ -470,6 +525,11 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         r->top = BN_NIST_256_TOP;
         bn_correct_top(r);
 
+        if (BN_ucmp(field, r) <= 0)
+                {
+                if (!BN_usub(r, r, field)) return 0;
+                }
+
         return 1;
 #else   /* BN_BITS!=32 */
         return 0;
@@ -505,6 +565,11 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                 *res;
         size_t   mask;
 
+        field = &_bignum_nist_p_384; /* just to make sure */
+
+        if (BN_is_negative(a) || a->top > 2*BN_NIST_384_TOP)
+                return BN_nnmod(r, field, a, ctx);
+
         i = BN_ucmp(field, a);
         if (i == 0)
                 {
@@ -514,9 +579,6 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         else if (i > 0)
                 return (r == a)? 1 : (BN_copy(r ,a) != NULL);
 
-        if (top == BN_NIST_384_TOP)
-                return BN_usub(r, a, field);
-
         if (r != a)
                 {
                 if (!bn_wexpand(r, BN_NIST_384_TOP))
@@ -631,6 +693,11 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         r->top = BN_NIST_384_TOP;
         bn_correct_top(r);
 
+        if (BN_ucmp(field, r) <= 0)
+                {
+                if (!BN_usub(r, r, field)) return 0;
+                }
+
         return 1;
 #else   /* BN_BITS!=32 */
         return 0;
@@ -646,14 +713,35 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 #define BN_NIST_521_TOP_MASK    (BN_ULONG)0x1FF
 #endif
         int     top, ret = 0;
-        BN_ULONG *r_d;
         BIGNUM  *tmp;
 
+        field = &_bignum_nist_p_521; /* just to make sure */
+
+        if (BN_is_negative(a))
+                return BN_nnmod(r, field, a, ctx);
+
         /* check whether a reduction is necessary */
         top = a->top;
         if (top < BN_NIST_521_TOP  || ( top == BN_NIST_521_TOP &&
-           (!(a->d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))))
-                return (r == a)? 1 : (BN_copy(r ,a) != NULL);
+            (!(a->d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))))
+                {
+                int i = BN_ucmp(field, a);
+                if (i == 0)
+                        {
+                        BN_zero(r);
+                        return 1;
+                        }
+                else
+                        {
+#ifdef BN_DEBUG
+                        OPENSSL_assert(i > 0); /* because 'field' is 1111...1111 */
+#endif
+                        return (r == a)? 1 : (BN_copy(r ,a) != NULL);
+                        }
+                }
+
+        if (BN_num_bits(a) > 2*521)
+                return BN_nnmod(r, field, a, ctx);
 
         BN_CTX_start(ctx);
         tmp = BN_CTX_get(ctx);
@@ -673,15 +761,11 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 
         if (!BN_uadd(r, tmp, r))
                 goto err;
-        top = r->top;
-        r_d = r->d;
-        if (top == BN_NIST_521_TOP  && 
-           (r_d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))
+
+        if (BN_ucmp(field, r) <= 0)
                 {
-                BN_NIST_ADD_ONE(r_d)
-                r->d[BN_NIST_521_TOP-1] &= BN_NIST_521_TOP_MASK; 
+                if (!BN_usub(r, r, field)) goto err;
                 }
-        bn_correct_top(r);
 
         ret = 1;
 err:
diff --git a/src/lib/libcrypto/cms/cms_smime.c b/src/lib/libcrypto/cms/cms_smime.c
index f79c504e91..b35d28d411 100644
--- a/src/lib/libcrypto/cms/cms_smime.c
+++ b/src/lib/libcrypto/cms/cms_smime.c
@@ -89,11 +89,13 @@ static int cms_copy_content(BIO *out, BIO *in, unsigned int flags)
                                 if (!BIO_get_cipher_status(in))
                                         goto err;
                                 }
+                        if (i < 0)
+                                goto err;
                         break;
                         }
                                 
-                if (tmpout)
-                        BIO_write(tmpout, buf, i);
+                if (tmpout && (BIO_write(tmpout, buf, i) != i))
+                        goto err;
         }
 
         if(flags & CMS_TEXT)
diff --git a/src/lib/libcrypto/cryptlib.h b/src/lib/libcrypto/cryptlib.h
index 5ceaa964b5..fc249c57f3 100644
--- a/src/lib/libcrypto/cryptlib.h
+++ b/src/lib/libcrypto/cryptlib.h
@@ -103,7 +103,6 @@ extern unsigned long OPENSSL_ia32cap_P;
 void OPENSSL_showfatal(const char *,...);
 void *OPENSSL_stderr(void);
 extern int OPENSSL_NONPIC_relocated;
-int OPENSSL_isservice(void);
 
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/crypto.h b/src/lib/libcrypto/crypto.h
index d2b5ffe332..fe2c1d6403 100644
--- a/src/lib/libcrypto/crypto.h
+++ b/src/lib/libcrypto/crypto.h
@@ -521,6 +521,7 @@ void OpenSSLDie(const char *file,int line,const char *assertion);
 
 unsigned long *OPENSSL_ia32cap_loc(void);
 #define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))
+int OPENSSL_isservice(void);
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
diff --git a/src/lib/libcrypto/dh/Makefile b/src/lib/libcrypto/dh/Makefile
index d368e33b4c..950cad9c5b 100644
--- a/src/lib/libcrypto/dh/Makefile
+++ b/src/lib/libcrypto/dh/Makefile
@@ -123,11 +123,17 @@ dh_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 dh_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
 dh_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 dh_key.o: ../../include/openssl/symhacks.h ../cryptlib.h dh_key.c
-dh_lib.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
-dh_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-dh_lib.o: ../../include/openssl/dh.h ../../include/openssl/e_os2.h
+dh_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+dh_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+dh_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+dh_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+dh_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 dh_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-dh_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-dh_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dh_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dh_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h dh_lib.c
+dh_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+dh_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+dh_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dh_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+dh_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+dh_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+dh_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+dh_lib.o: ../cryptlib.h dh_lib.c
diff --git a/src/lib/libcrypto/dsa/Makefile b/src/lib/libcrypto/dsa/Makefile
index 676baf7d49..5493f19e85 100644
--- a/src/lib/libcrypto/dsa/Makefile
+++ b/src/lib/libcrypto/dsa/Makefile
@@ -126,11 +126,16 @@ dsa_lib.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-dsa_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+dsa_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+dsa_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+dsa_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+dsa_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 dsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-dsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+dsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+dsa_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 dsa_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+dsa_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 dsa_lib.o: ../cryptlib.h dsa_lib.c
 dsa_ossl.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_ossl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
diff --git a/src/lib/libcrypto/ecdh/Makefile b/src/lib/libcrypto/ecdh/Makefile
index 95aa69fea5..65d8904ee8 100644
--- a/src/lib/libcrypto/ecdh/Makefile
+++ b/src/lib/libcrypto/ecdh/Makefile
@@ -84,20 +84,30 @@ ech_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 ech_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 ech_err.o: ech_err.c
 ech_key.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-ech_key.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-ech_key.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-ech_key.o: ../../include/openssl/engine.h ../../include/openssl/opensslconf.h
+ech_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ech_key.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ech_key.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+ech_key.o: ../../include/openssl/engine.h ../../include/openssl/evp.h
+ech_key.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ech_key.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 ech_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-ech_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-ech_key.o: ../../include/openssl/symhacks.h ech_key.c ech_locl.h
+ech_key.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+ech_key.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ech_key.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ech_key.o: ../../include/openssl/x509_vfy.h ech_key.c ech_locl.h
 ech_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-ech_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-ech_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+ech_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ech_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ech_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 ech_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-ech_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-ech_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-ech_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-ech_lib.o: ../../include/openssl/symhacks.h ech_lib.c ech_locl.h
+ech_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+ech_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+ech_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+ech_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+ech_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+ech_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ech_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+ech_lib.o: ech_lib.c ech_locl.h
 ech_ossl.o: ../../e_os.h ../../include/openssl/asn1.h
 ech_ossl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 ech_ossl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
diff --git a/src/lib/libcrypto/ecdsa/Makefile b/src/lib/libcrypto/ecdsa/Makefile
index 16a93cd3ae..9b48d5641f 100644
--- a/src/lib/libcrypto/ecdsa/Makefile
+++ b/src/lib/libcrypto/ecdsa/Makefile
@@ -92,14 +92,18 @@ ecs_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 ecs_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 ecs_err.o: ecs_err.c
 ecs_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-ecs_lib.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-ecs_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ecs_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+ecs_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ecs_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 ecs_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
-ecs_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-ecs_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-ecs_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-ecs_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ecs_lib.o: ecs_lib.c ecs_locl.h
+ecs_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+ecs_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ecs_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+ecs_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ecs_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+ecs_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ecs_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ecs_lib.o: ../../include/openssl/x509_vfy.h ecs_lib.c ecs_locl.h
 ecs_ossl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 ecs_ossl.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
 ecs_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
@@ -110,16 +114,26 @@ ecs_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 ecs_ossl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 ecs_ossl.o: ../../include/openssl/symhacks.h ecs_locl.h ecs_ossl.c
 ecs_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-ecs_sign.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-ecs_sign.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
-ecs_sign.o: ../../include/openssl/engine.h ../../include/openssl/opensslconf.h
+ecs_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ecs_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ecs_sign.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+ecs_sign.o: ../../include/openssl/engine.h ../../include/openssl/evp.h
+ecs_sign.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ecs_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 ecs_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-ecs_sign.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-ecs_sign.o: ../../include/openssl/symhacks.h ecs_locl.h ecs_sign.c
+ecs_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+ecs_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ecs_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ecs_sign.o: ../../include/openssl/x509_vfy.h ecs_locl.h ecs_sign.c
 ecs_vrf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-ecs_vrf.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-ecs_vrf.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
-ecs_vrf.o: ../../include/openssl/engine.h ../../include/openssl/opensslconf.h
+ecs_vrf.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ecs_vrf.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ecs_vrf.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+ecs_vrf.o: ../../include/openssl/engine.h ../../include/openssl/evp.h
+ecs_vrf.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ecs_vrf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 ecs_vrf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-ecs_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-ecs_vrf.o: ../../include/openssl/symhacks.h ecs_locl.h ecs_vrf.c
+ecs_vrf.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+ecs_vrf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ecs_vrf.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ecs_vrf.o: ../../include/openssl/x509_vfy.h ecs_locl.h ecs_vrf.c
diff --git a/src/lib/libcrypto/engine/Makefile b/src/lib/libcrypto/engine/Makefile
index 13f211a0ae..47cc619b8a 100644
--- a/src/lib/libcrypto/engine/Makefile
+++ b/src/lib/libcrypto/engine/Makefile
@@ -82,88 +82,142 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-eng_all.o: ../../e_os.h ../../include/openssl/bio.h
-eng_all.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_all.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_all.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-eng_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-eng_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-eng_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-eng_all.o: ../cryptlib.h eng_all.c eng_int.h
-eng_cnf.o: ../../e_os.h ../../include/openssl/bio.h
-eng_cnf.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-eng_cnf.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_all.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_all.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_all.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_all.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_all.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_all.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+eng_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_all.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_all.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_all.c eng_int.h
+eng_cnf.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_cnf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_cnf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+eng_cnf.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+eng_cnf.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 eng_cnf.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-eng_cnf.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-eng_cnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_cnf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_cnf.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_cnf.c eng_int.h
+eng_cnf.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+eng_cnf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_cnf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+eng_cnf.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_cnf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+eng_cnf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_cnf.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+eng_cnf.o: ../cryptlib.h eng_cnf.c eng_int.h
 eng_cryptodev.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-eng_cryptodev.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-eng_cryptodev.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_cryptodev.o: ../../include/openssl/evp.h ../../include/openssl/obj_mac.h
+eng_cryptodev.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+eng_cryptodev.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_cryptodev.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_cryptodev.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_cryptodev.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+eng_cryptodev.o: ../../include/openssl/obj_mac.h
 eng_cryptodev.o: ../../include/openssl/objects.h
 eng_cryptodev.o: ../../include/openssl/opensslconf.h
 eng_cryptodev.o: ../../include/openssl/opensslv.h
-eng_cryptodev.o: ../../include/openssl/ossl_typ.h
-eng_cryptodev.o: ../../include/openssl/safestack.h
+eng_cryptodev.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_cryptodev.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 eng_cryptodev.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_cryptodev.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 eng_cryptodev.o: eng_cryptodev.c
-eng_ctrl.o: ../../e_os.h ../../include/openssl/bio.h
-eng_ctrl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_ctrl.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_ctrl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-eng_ctrl.o: ../../include/openssl/opensslconf.h
+eng_ctrl.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_ctrl.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_ctrl.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_ctrl.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_ctrl.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_ctrl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_ctrl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_ctrl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 eng_ctrl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_ctrl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_ctrl.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_ctrl.c eng_int.h
-eng_dyn.o: ../../e_os.h ../../include/openssl/bio.h
-eng_dyn.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_dyn.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+eng_ctrl.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_ctrl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_ctrl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_ctrl.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_ctrl.c eng_int.h
+eng_dyn.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_dyn.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_dyn.o: ../../include/openssl/crypto.h ../../include/openssl/dso.h
+eng_dyn.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+eng_dyn.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 eng_dyn.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-eng_dyn.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-eng_dyn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_dyn.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_dyn.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_dyn.c eng_int.h
-eng_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-eng_err.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+eng_dyn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+eng_dyn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_dyn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+eng_dyn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_dyn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+eng_dyn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_dyn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+eng_dyn.o: ../cryptlib.h eng_dyn.c eng_int.h
+eng_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+eng_err.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+eng_err.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+eng_err.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+eng_err.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+eng_err.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+eng_err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 eng_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-eng_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+eng_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 eng_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 eng_err.o: eng_err.c
-eng_fat.o: ../../e_os.h ../../include/openssl/bio.h
-eng_fat.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-eng_fat.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_fat.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_fat.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_fat.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+eng_fat.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+eng_fat.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 eng_fat.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-eng_fat.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-eng_fat.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_fat.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_fat.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_fat.c eng_int.h
-eng_init.o: ../../e_os.h ../../include/openssl/bio.h
-eng_init.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_init.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_init.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-eng_init.o: ../../include/openssl/opensslconf.h
+eng_fat.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+eng_fat.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_fat.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+eng_fat.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_fat.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+eng_fat.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_fat.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+eng_fat.o: ../cryptlib.h eng_fat.c eng_int.h
+eng_init.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_init.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_init.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_init.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_init.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_init.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_init.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_init.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 eng_init.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_init.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_init.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_init.c eng_int.h
-eng_lib.o: ../../e_os.h ../../include/openssl/bio.h
-eng_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-eng_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-eng_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-eng_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h eng_lib.c
-eng_list.o: ../../e_os.h ../../include/openssl/bio.h
-eng_list.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_list.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_list.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-eng_list.o: ../../include/openssl/opensslconf.h
+eng_init.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_init.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_init.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_init.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_init.c eng_int.h
+eng_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+eng_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+eng_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+eng_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+eng_lib.o: ../cryptlib.h eng_int.h eng_lib.c
+eng_list.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_list.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_list.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_list.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_list.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_list.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_list.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_list.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 eng_list.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_list.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_list.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h eng_list.c
+eng_list.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_list.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_list.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_list.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h eng_list.c
 eng_openssl.o: ../../e_os.h ../../include/openssl/asn1.h
 eng_openssl.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 eng_openssl.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
@@ -183,106 +237,166 @@ eng_openssl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 eng_openssl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 eng_openssl.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_openssl.c
 eng_padlock.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-eng_padlock.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-eng_padlock.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+eng_padlock.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_padlock.o: ../../include/openssl/crypto.h ../../include/openssl/dso.h
+eng_padlock.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+eng_padlock.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 eng_padlock.o: ../../include/openssl/engine.h ../../include/openssl/err.h
 eng_padlock.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 eng_padlock.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 eng_padlock.o: ../../include/openssl/opensslconf.h
 eng_padlock.o: ../../include/openssl/opensslv.h
-eng_padlock.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-eng_padlock.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_padlock.o: ../../include/openssl/symhacks.h eng_padlock.c
-eng_pkey.o: ../../e_os.h ../../include/openssl/bio.h
-eng_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-eng_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-eng_pkey.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-eng_pkey.o: ../../include/openssl/opensslconf.h
+eng_padlock.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_padlock.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+eng_padlock.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_padlock.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_padlock.o: ../../include/openssl/x509_vfy.h eng_padlock.c
+eng_pkey.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_pkey.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+eng_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_pkey.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_pkey.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_pkey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_pkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 eng_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_pkey.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h eng_pkey.c
+eng_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_pkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h eng_pkey.c
 eng_table.o: ../../e_os.h ../../include/openssl/asn1.h
 eng_table.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 eng_table.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-eng_table.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-eng_table.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-eng_table.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_table.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_table.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_table.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_table.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_table.o: ../../include/openssl/objects.h
 eng_table.o: ../../include/openssl/opensslconf.h
 eng_table.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_table.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-eng_table.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h
+eng_table.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_table.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_table.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_table.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h
 eng_table.o: eng_table.c
-tb_cipher.o: ../../e_os.h ../../include/openssl/bio.h
-tb_cipher.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_cipher.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_cipher.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_cipher.o: ../../e_os.h ../../include/openssl/asn1.h
+tb_cipher.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tb_cipher.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+tb_cipher.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+tb_cipher.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_cipher.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_cipher.o: ../../include/openssl/objects.h
 tb_cipher.o: ../../include/openssl/opensslconf.h
 tb_cipher.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_cipher.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-tb_cipher.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h
+tb_cipher.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_cipher.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_cipher.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_cipher.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h
 tb_cipher.o: tb_cipher.c
-tb_dh.o: ../../e_os.h ../../include/openssl/bio.h
+tb_dh.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 tb_dh.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_dh.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_dh.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_dh.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+tb_dh.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+tb_dh.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+tb_dh.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+tb_dh.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 tb_dh.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-tb_dh.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+tb_dh.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+tb_dh.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 tb_dh.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+tb_dh.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 tb_dh.o: ../cryptlib.h eng_int.h tb_dh.c
-tb_digest.o: ../../e_os.h ../../include/openssl/bio.h
-tb_digest.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_digest.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_digest.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_digest.o: ../../e_os.h ../../include/openssl/asn1.h
+tb_digest.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+tb_digest.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tb_digest.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+tb_digest.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+tb_digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_digest.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_digest.o: ../../include/openssl/objects.h
 tb_digest.o: ../../include/openssl/opensslconf.h
 tb_digest.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_digest.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-tb_digest.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h
+tb_digest.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_digest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_digest.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_digest.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h
 tb_digest.o: tb_digest.c
-tb_dsa.o: ../../e_os.h ../../include/openssl/bio.h
+tb_dsa.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 tb_dsa.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_dsa.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_dsa.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_dsa.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+tb_dsa.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+tb_dsa.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+tb_dsa.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+tb_dsa.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 tb_dsa.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-tb_dsa.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+tb_dsa.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+tb_dsa.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 tb_dsa.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+tb_dsa.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 tb_dsa.o: ../cryptlib.h eng_int.h tb_dsa.c
-tb_ecdh.o: ../../e_os.h ../../include/openssl/bio.h
-tb_ecdh.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_ecdh.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_ecdh.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-tb_ecdh.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-tb_ecdh.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-tb_ecdh.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-tb_ecdh.o: ../cryptlib.h eng_int.h tb_ecdh.c
-tb_ecdsa.o: ../../e_os.h ../../include/openssl/bio.h
-tb_ecdsa.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_ecdsa.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_ecdsa.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-tb_ecdsa.o: ../../include/openssl/opensslconf.h
+tb_ecdh.o: ../../e_os.h ../../include/openssl/asn1.h
+tb_ecdh.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+tb_ecdh.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tb_ecdh.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+tb_ecdh.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+tb_ecdh.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_ecdh.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_ecdh.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+tb_ecdh.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tb_ecdh.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_ecdh.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_ecdh.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_ecdh.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h tb_ecdh.c
+tb_ecdsa.o: ../../e_os.h ../../include/openssl/asn1.h
+tb_ecdsa.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+tb_ecdsa.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tb_ecdsa.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+tb_ecdsa.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+tb_ecdsa.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_ecdsa.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_ecdsa.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 tb_ecdsa.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_ecdsa.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-tb_ecdsa.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h tb_ecdsa.c
-tb_rand.o: ../../e_os.h ../../include/openssl/bio.h
-tb_rand.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_rand.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-tb_rand.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-tb_rand.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-tb_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-tb_rand.o: ../cryptlib.h eng_int.h tb_rand.c
-tb_rsa.o: ../../e_os.h ../../include/openssl/bio.h
+tb_ecdsa.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_ecdsa.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_ecdsa.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_ecdsa.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h tb_ecdsa.c
+tb_rand.o: ../../e_os.h ../../include/openssl/asn1.h
+tb_rand.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+tb_rand.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tb_rand.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+tb_rand.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+tb_rand.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_rand.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_rand.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+tb_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tb_rand.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_rand.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_rand.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_rand.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h tb_rand.c
+tb_rsa.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 tb_rsa.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_rsa.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_rsa.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tb_rsa.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+tb_rsa.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+tb_rsa.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+tb_rsa.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+tb_rsa.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 tb_rsa.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-tb_rsa.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+tb_rsa.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+tb_rsa.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 tb_rsa.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+tb_rsa.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 tb_rsa.o: ../cryptlib.h eng_int.h tb_rsa.c
-tb_store.o: ../../e_os.h ../../include/openssl/bio.h
-tb_store.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-tb_store.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-tb_store.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-tb_store.o: ../../include/openssl/opensslconf.h
+tb_store.o: ../../e_os.h ../../include/openssl/asn1.h
+tb_store.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+tb_store.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tb_store.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+tb_store.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+tb_store.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_store.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_store.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 tb_store.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_store.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-tb_store.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h tb_store.c
+tb_store.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_store.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_store.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_store.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h tb_store.c
diff --git a/src/lib/libcrypto/engine/eng_all.c b/src/lib/libcrypto/engine/eng_all.c
index 8599046717..d29cd57dc2 100644
--- a/src/lib/libcrypto/engine/eng_all.c
+++ b/src/lib/libcrypto/engine/eng_all.c
@@ -107,6 +107,9 @@ void ENGINE_load_builtin_engines(void)
 #if defined(__OpenBSD__) || defined(__FreeBSD__)
         ENGINE_load_cryptodev();
 #endif
+#if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)
+        ENGINE_load_capi();
+#endif
 #endif
         }
 
diff --git a/src/lib/libcrypto/engine/eng_cnf.c b/src/lib/libcrypto/engine/eng_cnf.c
index a97e01e619..8417ddaaef 100644
--- a/src/lib/libcrypto/engine/eng_cnf.c
+++ b/src/lib/libcrypto/engine/eng_cnf.c
@@ -98,6 +98,8 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
         CONF_VALUE *ecmd;
         char *ctrlname, *ctrlvalue;
         ENGINE *e = NULL;
+        int soft = 0;
+
         name = skip_dot(name);
 #ifdef ENGINE_CONF_DEBUG
         fprintf(stderr, "Configuring engine %s\n", name);
@@ -125,6 +127,8 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
                 /* Override engine name to use */
                 if (!strcmp(ctrlname, "engine_id"))
                         name = ctrlvalue;
+                else if (!strcmp(ctrlname, "soft_load"))
+                        soft = 1;
                 /* Load a dynamic ENGINE */
                 else if (!strcmp(ctrlname, "dynamic_path"))
                         {
@@ -147,6 +151,11 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
                         if (!e)
                                 {
                                 e = ENGINE_by_id(name);
+                                if (!e && soft)
+                                        {
+                                        ERR_clear_error();
+                                        return 1;
+                                        }
                                 if (!e)
                                         return 0;
                                 }
diff --git a/src/lib/libcrypto/engine/eng_err.c b/src/lib/libcrypto/engine/eng_err.c
index 369f2e22d3..574ffbb5c0 100644
--- a/src/lib/libcrypto/engine/eng_err.c
+++ b/src/lib/libcrypto/engine/eng_err.c
@@ -1,6 +1,6 @@
 /* crypto/engine/eng_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -92,6 +92,7 @@ static ERR_STRING_DATA ENGINE_str_functs[]=
 {ERR_FUNC(ENGINE_F_ENGINE_LIST_REMOVE), "ENGINE_LIST_REMOVE"},
 {ERR_FUNC(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY),    "ENGINE_load_private_key"},
 {ERR_FUNC(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY),     "ENGINE_load_public_key"},
+{ERR_FUNC(ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT),        "ENGINE_load_ssl_client_cert"},
 {ERR_FUNC(ENGINE_F_ENGINE_NEW), "ENGINE_new"},
 {ERR_FUNC(ENGINE_F_ENGINE_REMOVE),      "ENGINE_remove"},
 {ERR_FUNC(ENGINE_F_ENGINE_SET_DEFAULT_STRING),  "ENGINE_set_default_string"},
diff --git a/src/lib/libcrypto/engine/eng_int.h b/src/lib/libcrypto/engine/eng_int.h
index a5b1edebf4..a66f107a44 100644
--- a/src/lib/libcrypto/engine/eng_int.h
+++ b/src/lib/libcrypto/engine/eng_int.h
@@ -170,6 +170,8 @@ struct engine_st
         ENGINE_LOAD_KEY_PTR load_privkey;
         ENGINE_LOAD_KEY_PTR load_pubkey;
 
+        ENGINE_SSL_CLIENT_CERT_PTR load_ssl_client_cert;
+
         const ENGINE_CMD_DEFN *cmd_defns;
         int flags;
         /* reference count on the structure itself */
diff --git a/src/lib/libcrypto/engine/eng_pkey.c b/src/lib/libcrypto/engine/eng_pkey.c
index bc8b21abec..1dfa2e3664 100644
--- a/src/lib/libcrypto/engine/eng_pkey.c
+++ b/src/lib/libcrypto/engine/eng_pkey.c
@@ -69,6 +69,13 @@ int ENGINE_set_load_pubkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpub_f)
         return 1;
         }
 
+int ENGINE_set_load_ssl_client_cert_function(ENGINE *e,
+                                ENGINE_SSL_CLIENT_CERT_PTR loadssl_f)
+        {
+        e->load_ssl_client_cert = loadssl_f;
+        return 1;
+        }
+
 ENGINE_LOAD_KEY_PTR ENGINE_get_load_privkey_function(const ENGINE *e)
         {
         return e->load_privkey;
@@ -79,6 +86,11 @@ ENGINE_LOAD_KEY_PTR ENGINE_get_load_pubkey_function(const ENGINE *e)
         return e->load_pubkey;
         }
 
+ENGINE_SSL_CLIENT_CERT_PTR ENGINE_get_ssl_client_cert_function(const ENGINE *e)
+        {
+        return e->load_ssl_client_cert;
+        }
+
 /* API functions to load public/private keys */
 
 EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
@@ -152,3 +164,33 @@ EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
                 }
         return pkey;
         }
+
+int ENGINE_load_ssl_client_cert(ENGINE *e, SSL *s,
+        STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **ppkey,
+        STACK_OF(X509) **pother, UI_METHOD *ui_method, void *callback_data)
+        {
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(e->funct_ref == 0)
+                {
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT,
+                        ENGINE_R_NOT_INITIALISED);
+                return 0;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        if (!e->load_ssl_client_cert)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT,
+                        ENGINE_R_NO_LOAD_FUNCTION);
+                return 0;
+                }
+        return e->load_ssl_client_cert(e, s, ca_dn, pcert, ppkey, pother,
+                                        ui_method, callback_data);
+        }
diff --git a/src/lib/libcrypto/engine/engine.h b/src/lib/libcrypto/engine/engine.h
index 3ec59338ff..f503595ece 100644
--- a/src/lib/libcrypto/engine/engine.h
+++ b/src/lib/libcrypto/engine/engine.h
@@ -93,6 +93,8 @@
 #include <openssl/err.h>
 #endif
 
+#include <openssl/x509.h>
+
 #include <openssl/ossl_typ.h>
 #include <openssl/symhacks.h>
 
@@ -278,6 +280,9 @@ typedef int (*ENGINE_CTRL_FUNC_PTR)(ENGINE *, int, long, void *, void (*f)(void)
 /* Generic load_key function pointer */
 typedef EVP_PKEY * (*ENGINE_LOAD_KEY_PTR)(ENGINE *, const char *,
         UI_METHOD *ui_method, void *callback_data);
+typedef int (*ENGINE_SSL_CLIENT_CERT_PTR)(ENGINE *, SSL *ssl,
+        STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **pkey,
+        STACK_OF(X509) **pother, UI_METHOD *ui_method, void *callback_data);
 /* These callback types are for an ENGINE's handler for cipher and digest logic.
  * These handlers have these prototypes;
  *   int foo(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid);
@@ -334,6 +339,9 @@ void ENGINE_load_ubsec(void);
 void ENGINE_load_cryptodev(void);
 void ENGINE_load_padlock(void);
 void ENGINE_load_builtin_engines(void);
+#ifndef OPENSSL_NO_CAPIENG
+void ENGINE_load_capi(void);
+#endif
 
 /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
  * "registry" handling. */
@@ -459,6 +467,8 @@ int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f);
 int ENGINE_set_ctrl_function(ENGINE *e, ENGINE_CTRL_FUNC_PTR ctrl_f);
 int ENGINE_set_load_privkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpriv_f);
 int ENGINE_set_load_pubkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpub_f);
+int ENGINE_set_load_ssl_client_cert_function(ENGINE *e,
+                                ENGINE_SSL_CLIENT_CERT_PTR loadssl_f);
 int ENGINE_set_ciphers(ENGINE *e, ENGINE_CIPHERS_PTR f);
 int ENGINE_set_digests(ENGINE *e, ENGINE_DIGESTS_PTR f);
 int ENGINE_set_flags(ENGINE *e, int flags);
@@ -494,6 +504,7 @@ ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(const ENGINE *e);
 ENGINE_CTRL_FUNC_PTR ENGINE_get_ctrl_function(const ENGINE *e);
 ENGINE_LOAD_KEY_PTR ENGINE_get_load_privkey_function(const ENGINE *e);
 ENGINE_LOAD_KEY_PTR ENGINE_get_load_pubkey_function(const ENGINE *e);
+ENGINE_SSL_CLIENT_CERT_PTR ENGINE_get_ssl_client_cert_function(const ENGINE *e);
 ENGINE_CIPHERS_PTR ENGINE_get_ciphers(const ENGINE *e);
 ENGINE_DIGESTS_PTR ENGINE_get_digests(const ENGINE *e);
 const EVP_CIPHER *ENGINE_get_cipher(ENGINE *e, int nid);
@@ -529,6 +540,10 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
         UI_METHOD *ui_method, void *callback_data);
 EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
         UI_METHOD *ui_method, void *callback_data);
+int ENGINE_load_ssl_client_cert(ENGINE *e, SSL *s,
+        STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **ppkey,
+        STACK_OF(X509) **pother,
+        UI_METHOD *ui_method, void *callback_data);
 
 /* This returns a pointer for the current ENGINE structure that
  * is (by default) performing any RSA operations. The value returned
@@ -723,6 +738,7 @@ void ERR_load_ENGINE_strings(void);
 #define ENGINE_F_ENGINE_LIST_REMOVE                      121
 #define ENGINE_F_ENGINE_LOAD_PRIVATE_KEY                 150
 #define ENGINE_F_ENGINE_LOAD_PUBLIC_KEY                  151
+#define ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT             192
 #define ENGINE_F_ENGINE_NEW                              122
 #define ENGINE_F_ENGINE_REMOVE                           123
 #define ENGINE_F_ENGINE_SET_DEFAULT_STRING               189
diff --git a/src/lib/libcrypto/err/err.c b/src/lib/libcrypto/err/err.c
index b6ff070e8f..7952e70ab0 100644
--- a/src/lib/libcrypto/err/err.c
+++ b/src/lib/libcrypto/err/err.c
@@ -149,6 +149,7 @@ static ERR_STRING_DATA ERR_str_libraries[]=
 {ERR_PACK(ERR_LIB_DSO,0,0)              ,"DSO support routines"},
 {ERR_PACK(ERR_LIB_ENGINE,0,0)           ,"engine routines"},
 {ERR_PACK(ERR_LIB_OCSP,0,0)             ,"OCSP routines"},
+{ERR_PACK(ERR_LIB_FIPS,0,0)             ,"FIPS routines"},
 {ERR_PACK(ERR_LIB_CMS,0,0)              ,"CMS routines"},
 {0,NULL},
         };
diff --git a/src/lib/libcrypto/err/err.h b/src/lib/libcrypto/err/err.h
index bf28fce492..8d9f0da172 100644
--- a/src/lib/libcrypto/err/err.h
+++ b/src/lib/libcrypto/err/err.h
@@ -140,7 +140,8 @@ typedef struct err_state_st
 #define ERR_LIB_ECDSA           42
 #define ERR_LIB_ECDH            43
 #define ERR_LIB_STORE           44
-#define ERR_LIB_CMS             45
+#define ERR_LIB_FIPS            45
+#define ERR_LIB_CMS             46
 
 #define ERR_LIB_USER            128
 
@@ -172,6 +173,7 @@ typedef struct err_state_st
 #define ECDSAerr(f,r)  ERR_PUT_error(ERR_LIB_ECDSA,(f),(r),__FILE__,__LINE__)
 #define ECDHerr(f,r)  ERR_PUT_error(ERR_LIB_ECDH,(f),(r),__FILE__,__LINE__)
 #define STOREerr(f,r) ERR_PUT_error(ERR_LIB_STORE,(f),(r),__FILE__,__LINE__)
+#define FIPSerr(f,r) ERR_PUT_error(ERR_LIB_FIPS,(f),(r),__FILE__,__LINE__)
 #define CMSerr(f,r) ERR_PUT_error(ERR_LIB_CMS,(f),(r),__FILE__,__LINE__)
 
 /* Borland C seems too stupid to be able to shift and do longs in
diff --git a/src/lib/libcrypto/evp/Makefile b/src/lib/libcrypto/evp/Makefile
index 8f2555c7e5..9de56dc03d 100644
--- a/src/lib/libcrypto/evp/Makefile
+++ b/src/lib/libcrypto/evp/Makefile
@@ -135,13 +135,17 @@ bio_ok.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 bio_ok.o: ../../include/openssl/symhacks.h ../cryptlib.h bio_ok.c
 c_all.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 c_all.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-c_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-c_all.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-c_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-c_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-c_all.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-c_all.o: ../../include/openssl/symhacks.h ../cryptlib.h c_all.c
+c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+c_all.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+c_all.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+c_all.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+c_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+c_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+c_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+c_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+c_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+c_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+c_all.o: ../cryptlib.h c_all.c
 c_allc.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 c_allc.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 c_allc.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
@@ -170,13 +174,17 @@ c_alld.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 c_alld.o: ../cryptlib.h c_alld.c
 digest.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 digest.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-digest.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-digest.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-digest.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-digest.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-digest.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-digest.o: ../../include/openssl/symhacks.h ../cryptlib.h digest.c
+digest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+digest.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+digest.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+digest.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+digest.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+digest.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+digest.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+digest.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+digest.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+digest.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+digest.o: ../cryptlib.h digest.c
 e_aes.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
 e_aes.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
 e_aes.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@@ -312,13 +320,17 @@ evp_acnf.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_acnf.c
 evp_enc.o: ../../e_os.h ../../include/openssl/asn1.h
 evp_enc.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 evp_enc.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-evp_enc.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-evp_enc.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-evp_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-evp_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-evp_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-evp_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-evp_enc.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_enc.c evp_locl.h
+evp_enc.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+evp_enc.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+evp_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+evp_enc.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+evp_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+evp_enc.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+evp_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+evp_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+evp_enc.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+evp_enc.o: ../cryptlib.h evp_enc.c evp_locl.h
 evp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 evp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h
index c19d764c15..1aa2d6fb35 100644
--- a/src/lib/libcrypto/evp/evp.h
+++ b/src/lib/libcrypto/evp/evp.h
@@ -303,6 +303,8 @@ struct env_md_ctx_st
                                                 * cleaned */
 #define EVP_MD_CTX_FLAG_REUSE           0x0004 /* Don't free up ctx->md_data
                                                 * in EVP_MD_CTX_cleanup */
+#define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW  0x0008  /* Allow use of non FIPS digest
+                                                 * in FIPS mode */
 
 struct evp_cipher_st
         {
diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c
index a1904993bf..6e582c458d 100644
--- a/src/lib/libcrypto/evp/evp_enc.c
+++ b/src/lib/libcrypto/evp/evp_enc.c
@@ -279,7 +279,12 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
         {
         int i,j,bl;
 
-        OPENSSL_assert(inl > 0);
+        if (inl <= 0)
+                {
+                *outl = 0;
+                return inl == 0;
+                }
+
         if(ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0)
                 {
                 if(ctx->cipher->do_cipher(ctx,out,in,inl))
@@ -381,10 +386,10 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
         int fix_len;
         unsigned int b;
 
-        if (inl == 0)
+        if (inl <= 0)
                 {
-                *outl=0;
-                return 1;
+                *outl = 0;
+                return inl == 0;
                 }
 
         if (ctx->flags & EVP_CIPH_NO_PADDING)
diff --git a/src/lib/libcrypto/hmac/hmac.c b/src/lib/libcrypto/hmac/hmac.c
index c45e001492..1d140f7adb 100644
--- a/src/lib/libcrypto/hmac/hmac.c
+++ b/src/lib/libcrypto/hmac/hmac.c
@@ -171,3 +171,10 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
         return(md);
         }
 
+void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
+        {
+        EVP_MD_CTX_set_flags(&ctx->i_ctx, flags);
+        EVP_MD_CTX_set_flags(&ctx->o_ctx, flags);
+        EVP_MD_CTX_set_flags(&ctx->md_ctx, flags);
+        }
+
diff --git a/src/lib/libcrypto/hmac/hmac.h b/src/lib/libcrypto/hmac/hmac.h
index 719fc408ac..fc38ffb52b 100644
--- a/src/lib/libcrypto/hmac/hmac.h
+++ b/src/lib/libcrypto/hmac/hmac.h
@@ -100,6 +100,7 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
                     const unsigned char *d, size_t n, unsigned char *md,
                     unsigned int *md_len);
 
+void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags);
 
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/md32_common.h b/src/lib/libcrypto/md32_common.h
index 089c450290..61bcd9786f 100644
--- a/src/lib/libcrypto/md32_common.h
+++ b/src/lib/libcrypto/md32_common.h
@@ -301,7 +301,7 @@ int HASH_UPDATE (HASH_CTX *c, const void *data_, size_t len)
                 {
                 p=(unsigned char *)c->data;
 
-                if ((n+len) >= HASH_CBLOCK)
+                if (len >= HASH_CBLOCK || len+n >= HASH_CBLOCK)
                         {
                         memcpy (p+n,data,HASH_CBLOCK-n);
                         HASH_BLOCK_DATA_ORDER (c,p,1);
diff --git a/src/lib/libcrypto/objects/obj_mac.num b/src/lib/libcrypto/objects/obj_mac.num
index 47815b1e4e..53c9cb0d6a 100644
--- a/src/lib/libcrypto/objects/obj_mac.num
+++ b/src/lib/libcrypto/objects/obj_mac.num
@@ -788,3 +788,69 @@ id_ct_asciiTextWithCRLF		787
 id_aes128_wrap          788
 id_aes192_wrap          789
 id_aes256_wrap          790
+ecdsa_with_Recommended          791
+ecdsa_with_Specified            792
+ecdsa_with_SHA224               793
+ecdsa_with_SHA256               794
+ecdsa_with_SHA384               795
+ecdsa_with_SHA512               796
+hmacWithMD5             797
+hmacWithSHA224          798
+hmacWithSHA256          799
+hmacWithSHA384          800
+hmacWithSHA512          801
+dsa_with_SHA224         802
+dsa_with_SHA256         803
+whirlpool               804
+cryptopro               805
+cryptocom               806
+id_GostR3411_94_with_GostR3410_2001             807
+id_GostR3411_94_with_GostR3410_94               808
+id_GostR3411_94         809
+id_HMACGostR3411_94             810
+id_GostR3410_2001               811
+id_GostR3410_94         812
+id_Gost28147_89         813
+gost89_cnt              814
+id_Gost28147_89_MAC             815
+id_GostR3411_94_prf             816
+id_GostR3410_2001DH             817
+id_GostR3410_94DH               818
+id_Gost28147_89_CryptoPro_KeyMeshing            819
+id_Gost28147_89_None_KeyMeshing         820
+id_GostR3411_94_TestParamSet            821
+id_GostR3411_94_CryptoProParamSet               822
+id_Gost28147_89_TestParamSet            823
+id_Gost28147_89_CryptoPro_A_ParamSet            824
+id_Gost28147_89_CryptoPro_B_ParamSet            825
+id_Gost28147_89_CryptoPro_C_ParamSet            826
+id_Gost28147_89_CryptoPro_D_ParamSet            827
+id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet            828
+id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet            829
+id_Gost28147_89_CryptoPro_RIC_1_ParamSet                830
+id_GostR3410_94_TestParamSet            831
+id_GostR3410_94_CryptoPro_A_ParamSet            832
+id_GostR3410_94_CryptoPro_B_ParamSet            833
+id_GostR3410_94_CryptoPro_C_ParamSet            834
+id_GostR3410_94_CryptoPro_D_ParamSet            835
+id_GostR3410_94_CryptoPro_XchA_ParamSet         836
+id_GostR3410_94_CryptoPro_XchB_ParamSet         837
+id_GostR3410_94_CryptoPro_XchC_ParamSet         838
+id_GostR3410_2001_TestParamSet          839
+id_GostR3410_2001_CryptoPro_A_ParamSet          840
+id_GostR3410_2001_CryptoPro_B_ParamSet          841
+id_GostR3410_2001_CryptoPro_C_ParamSet          842
+id_GostR3410_2001_CryptoPro_XchA_ParamSet               843
+id_GostR3410_2001_CryptoPro_XchB_ParamSet               844
+id_GostR3410_94_a               845
+id_GostR3410_94_aBis            846
+id_GostR3410_94_b               847
+id_GostR3410_94_bBis            848
+id_Gost28147_89_cc              849
+id_GostR3410_94_cc              850
+id_GostR3410_2001_cc            851
+id_GostR3411_94_with_GostR3410_94_cc            852
+id_GostR3411_94_with_GostR3410_2001_cc          853
+id_GostR3410_2001_ParamSet_cc           854
+hmac            855
+LocalKeySet             856
diff --git a/src/lib/libcrypto/objects/objects.txt b/src/lib/libcrypto/objects/objects.txt
index 34c8d1d647..e009702e55 100644
--- a/src/lib/libcrypto/objects/objects.txt
+++ b/src/lib/libcrypto/objects/objects.txt
@@ -79,6 +79,12 @@ X9-62_primeCurve 7	 	: prime256v1
 !Alias id-ecSigType ansi-X9-62 4
 !global
 X9-62_id-ecSigType 1            : ecdsa-with-SHA1
+X9-62_id-ecSigType 2            : ecdsa-with-Recommended
+X9-62_id-ecSigType 3            : ecdsa-with-Specified
+ecdsa-with-Specified 1          : ecdsa-with-SHA224
+ecdsa-with-Specified 2          : ecdsa-with-SHA256
+ecdsa-with-Specified 3          : ecdsa-with-SHA384
+ecdsa-with-Specified 4          : ecdsa-with-SHA512
 
 # SECG curve OIDs from "SEC 2: Recommended Elliptic Curve Domain Parameters"
 # (http://www.secg.org/)
@@ -313,6 +319,7 @@ pkcs9 20		:			: friendlyName
 pkcs9 21                :                       : localKeyID
 !Cname ms-csp-name
 1 3 6 1 4 1 311 17 1    : CSPName               : Microsoft CSP Name
+1 3 6 1 4 1 311 17 2    : LocalKeySet           : Microsoft Local Key set
 !Alias certTypes pkcs9 22
 certTypes 1             :                       : x509Certificate
 certTypes 2             :                       : sdsiCertificate
@@ -348,7 +355,15 @@ rsadsi 2 2		: MD2			: md2
 rsadsi 2 4              : MD4                   : md4
 rsadsi 2 5              : MD5                   : md5
                         : MD5-SHA1              : md5-sha1
+rsadsi 2 6              :                       : hmacWithMD5
 rsadsi 2 7              :                       : hmacWithSHA1
+
+# From RFC4231
+rsadsi 2 8              :                       : hmacWithSHA224
+rsadsi 2 9              :                       : hmacWithSHA256
+rsadsi 2 10             :                       : hmacWithSHA384
+rsadsi 2 11             :                       : hmacWithSHA512
+
 rsadsi 3 2              : RC2-CBC               : rc2-cbc
                         : RC2-ECB               : rc2-ecb
 !Cname rc2-cfb64
@@ -833,6 +848,11 @@ nist_hashalgs 2		: SHA384		: sha384
 nist_hashalgs 3         : SHA512                : sha512
 nist_hashalgs 4         : SHA224                : sha224
 
+# OIDs for dsa-with-sha224 and dsa-with-sha256
+!Alias dsa_with_sha2 nistAlgorithms 3
+dsa_with_sha2 1         : dsa_with_SHA224
+dsa_with_sha2 2         : dsa_with_SHA256
+
 # Hold instruction CRL entry extension
 !Cname hold-instruction-code
 id-ce 23                : holdInstructionCode   : Hold Instruction Code
@@ -1070,13 +1090,93 @@ rsadsi 1 1 6		: rsaOAEPEncryptionSET
                         : Oakley-EC2N-3         : ipsec3
                         : Oakley-EC2N-4         : ipsec4
 
+iso 0 10118 3 0 55      : whirlpool
+
+# GOST OIDs
+
+member-body 643 2 2     : cryptopro
+member-body 643 2 9     : cryptocom
+
+cryptopro 3             : id-GostR3411-94-with-GostR3410-2001 : GOST R 34.11-94 with GOST R 34.10-2001
+cryptopro 4             : id-GostR3411-94-with-GostR3410-94 : GOST R 34.11-94 with GOST R 34.10-94
+!Cname id-GostR3411-94
+cryptopro 9             : md_gost94             : GOST R 34.11-94
+cryptopro 10            : id-HMACGostR3411-94   : HMAC GOST 34.11-94
+!Cname id-GostR3410-2001
+cryptopro 19            : gost2001      : GOST R 34.10-2001
+!Cname id-GostR3410-94
+cryptopro 20            : gost94        : GOST R 34.10-94
+!Cname id-Gost28147-89
+cryptopro 21            : gost89                : GOST 28147-89
+                        : gost89-cnt
+!Cname id-Gost28147-89-MAC
+cryptopro 22            : gost-mac      : GOST 28147-89 MAC
+!Cname id-GostR3411-94-prf
+cryptopro 23            : prf-gostr3411-94      : GOST R 34.11-94 PRF
+cryptopro 98            : id-GostR3410-2001DH   : GOST R 34.10-2001 DH
+cryptopro 99            : id-GostR3410-94DH     : GOST R 34.10-94 DH
+
+cryptopro 14 1          : id-Gost28147-89-CryptoPro-KeyMeshing
+cryptopro 14 0          : id-Gost28147-89-None-KeyMeshing
+
+# GOST parameter set OIDs
+
+cryptopro 30 0          : id-GostR3411-94-TestParamSet
+cryptopro 30 1          : id-GostR3411-94-CryptoProParamSet
+
+cryptopro 31 0          : id-Gost28147-89-TestParamSet
+cryptopro 31 1          : id-Gost28147-89-CryptoPro-A-ParamSet
+cryptopro 31 2          : id-Gost28147-89-CryptoPro-B-ParamSet
+cryptopro 31 3          : id-Gost28147-89-CryptoPro-C-ParamSet
+cryptopro 31 4          : id-Gost28147-89-CryptoPro-D-ParamSet
+cryptopro 31 5          : id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet
+cryptopro 31 6          : id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet
+cryptopro 31 7          : id-Gost28147-89-CryptoPro-RIC-1-ParamSet
+
+cryptopro 32 0          : id-GostR3410-94-TestParamSet
+cryptopro 32 2          : id-GostR3410-94-CryptoPro-A-ParamSet
+cryptopro 32 3          : id-GostR3410-94-CryptoPro-B-ParamSet
+cryptopro 32 4          : id-GostR3410-94-CryptoPro-C-ParamSet
+cryptopro 32 5          : id-GostR3410-94-CryptoPro-D-ParamSet
+
+cryptopro 33 1          : id-GostR3410-94-CryptoPro-XchA-ParamSet
+cryptopro 33 2          : id-GostR3410-94-CryptoPro-XchB-ParamSet
+cryptopro 33 3          : id-GostR3410-94-CryptoPro-XchC-ParamSet
+
+cryptopro 35 0          : id-GostR3410-2001-TestParamSet
+cryptopro 35 1          : id-GostR3410-2001-CryptoPro-A-ParamSet
+cryptopro 35 2          : id-GostR3410-2001-CryptoPro-B-ParamSet
+cryptopro 35 3          : id-GostR3410-2001-CryptoPro-C-ParamSet
+
+cryptopro 36 0          : id-GostR3410-2001-CryptoPro-XchA-ParamSet
+cryptopro 36 1          : id-GostR3410-2001-CryptoPro-XchB-ParamSet
+
+id-GostR3410-94 1       : id-GostR3410-94-a
+id-GostR3410-94 2       : id-GostR3410-94-aBis
+id-GostR3410-94 3       : id-GostR3410-94-b
+id-GostR3410-94 4       : id-GostR3410-94-bBis
+
+# Cryptocom LTD GOST OIDs
+
+cryptocom 1 6 1         : id-Gost28147-89-cc    : GOST 28147-89 Cryptocom ParamSet
+!Cname id-GostR3410-94-cc
+cryptocom 1 5 3         : gost94cc      : GOST 34.10-94 Cryptocom
+!Cname id-GostR3410-2001-cc
+cryptocom 1 5 4         : gost2001cc    : GOST 34.10-2001 Cryptocom
+
+cryptocom 1 3 3         : id-GostR3411-94-with-GostR3410-94-cc : GOST R 34.11-94 with GOST R 34.10-94 Cryptocom
+cryptocom 1 3 4         : id-GostR3411-94-with-GostR3410-2001-cc : GOST R 34.11-94 with GOST R 34.10-2001 Cryptocom
+
+cryptocom 1 8 1         : id-GostR3410-2001-ParamSet-cc : GOST R 3410-2001 Parameter Set Cryptocom
 
 # Definitions for Camellia cipher - CBC MODE
+
 1 2 392 200011 61 1 1 1 2 : CAMELLIA-128-CBC            : camellia-128-cbc
 1 2 392 200011 61 1 1 1 3 : CAMELLIA-192-CBC            : camellia-192-cbc
 1 2 392 200011 61 1 1 1 4 : CAMELLIA-256-CBC            : camellia-256-cbc
 
 # Definitions for Camellia cipher - ECB, CFB, OFB MODE
+
 !Alias ntt-ds 0 3 4401 5
 !Alias camellia ntt-ds 3 1 9 
 
@@ -1107,7 +1207,6 @@ camellia 44		: CAMELLIA-256-CFB		: camellia-256-cfb
                         : CAMELLIA-192-CFB8             : camellia-192-cfb8
                         : CAMELLIA-256-CFB8             : camellia-256-cfb8
 
-
 # Definitions for SEED cipher - ECB, CBC, OFB mode
 
 member-body 410 200004  : KISA          : kisa
@@ -1117,3 +1216,7 @@ kisa 1 4                : SEED-CBC      : seed-cbc
 kisa 1 5                : SEED-CFB      : seed-cfb
 !Cname seed-ofb128
 kisa 1 6                : SEED-OFB      : seed-ofb
+
+# There is no OID that just denotes "HMAC" oddly enough...
+
+                        : HMAC                          : hmac
diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h
index b308894f18..5bdd370ac9 100644
--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER  0x0090808fL
+#define OPENSSL_VERSION_NUMBER  0x0090809fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8h-fips 28 May 2008"
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8i-fips 15 Sep 2008"
 #else
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8h 28 May 2008"
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8i 15 Sep 2008"
 #endif
 #define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
diff --git a/src/lib/libcrypto/ossl_typ.h b/src/lib/libcrypto/ossl_typ.h
index 345fb1dc4d..734200428f 100644
--- a/src/lib/libcrypto/ossl_typ.h
+++ b/src/lib/libcrypto/ossl_typ.h
@@ -140,6 +140,8 @@ typedef struct X509_crl_st X509_CRL;
 typedef struct X509_name_st X509_NAME;
 typedef struct x509_store_st X509_STORE;
 typedef struct x509_store_ctx_st X509_STORE_CTX;
+typedef struct ssl_st SSL;
+typedef struct ssl_ctx_st SSL_CTX;
 
 typedef struct v3_ext_ctx X509V3_CTX;
 typedef struct conf_st CONF;
diff --git a/src/lib/libcrypto/pkcs12/p12_crt.c b/src/lib/libcrypto/pkcs12/p12_crt.c
index dbafda17b6..9748256b6f 100644
--- a/src/lib/libcrypto/pkcs12/p12_crt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crt.c
@@ -63,6 +63,19 @@
 
 static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag);
 
+static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid)
+        {
+        int idx;
+        X509_ATTRIBUTE *attr;
+        idx = EVP_PKEY_get_attr_by_NID(pkey, nid, -1);
+        if (idx < 0)
+                return 1;
+        attr = EVP_PKEY_get_attr(pkey, idx);
+        if (!X509at_add1_attr(&bag->attrib, attr))
+                return 0;
+        return 1;
+        }
+
 PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
              STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter,
              int keytype)
@@ -122,20 +135,15 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 
         if (pkey)
                 {
-                int cspidx;
                 bag = PKCS12_add_key(&bags, pkey, keytype, iter, nid_key, pass);
 
                 if (!bag)
                         goto err;
 
-                cspidx = EVP_PKEY_get_attr_by_NID(pkey, NID_ms_csp_name, -1);
-                if (cspidx >= 0)
-                        {
-                        X509_ATTRIBUTE *cspattr;
-                        cspattr = EVP_PKEY_get_attr(pkey, cspidx);
-                        if (!X509at_add1_attr(&bag->attrib, cspattr))
-                                goto err;
-                        }
+                if (!copy_bag_attr(bag, pkey, NID_ms_csp_name))
+                        goto err;
+                if (!copy_bag_attr(bag, pkey, NID_LocalKeySet))
+                        goto err;
 
                 if(name && !PKCS12_add_friendlyname(bag, name, -1))
                         goto err;
diff --git a/src/lib/libcrypto/rand/Makefile b/src/lib/libcrypto/rand/Makefile
index 3c1ab5bbae..27694aa664 100644
--- a/src/lib/libcrypto/rand/Makefile
+++ b/src/lib/libcrypto/rand/Makefile
@@ -97,14 +97,19 @@ rand_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rand_err.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 rand_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 rand_err.o: rand_err.c
-rand_lib.o: ../../e_os.h ../../include/openssl/bio.h
-rand_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-rand_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-rand_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-rand_lib.o: ../../include/openssl/opensslconf.h
+rand_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+rand_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+rand_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+rand_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+rand_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+rand_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+rand_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+rand_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 rand_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-rand_lib.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+rand_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+rand_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 rand_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rand_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 rand_lib.o: ../cryptlib.h rand_lib.c
 rand_nw.o: ../../e_os.h ../../include/openssl/asn1.h
 rand_nw.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
diff --git a/src/lib/libcrypto/rsa/Makefile b/src/lib/libcrypto/rsa/Makefile
index 13900812ac..8f1c611800 100644
--- a/src/lib/libcrypto/rsa/Makefile
+++ b/src/lib/libcrypto/rsa/Makefile
@@ -133,12 +133,17 @@ rsa_gen.o: ../cryptlib.h rsa_gen.c
 rsa_lib.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-rsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-rsa_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+rsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+rsa_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+rsa_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+rsa_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+rsa_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 rsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-rsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-rsa_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+rsa_lib.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+rsa_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 rsa_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rsa_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 rsa_lib.o: ../cryptlib.h rsa_lib.c
 rsa_none.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_none.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index 6b5e4f8a9a..3699afaaaf 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -281,6 +281,7 @@ int	RSA_print_fp(FILE *fp, const RSA *r,int offset);
 int     RSA_print(BIO *bp, const RSA *r,int offset);
 #endif
 
+#ifndef OPENSSL_NO_RC4
 int i2d_RSA_NET(const RSA *a, unsigned char **pp,
                 int (*cb)(char *buf, int len, const char *prompt, int verify),
                 int sgckey);
@@ -294,6 +295,7 @@ int i2d_Netscape_RSA(const RSA *a, unsigned char **pp,
 RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length,
                       int (*cb)(char *buf, int len, const char *prompt,
                                 int verify));
+#endif
 
 /* The following 2 functions sign and verify a X509_SIG ASN1 object
  * inside PKCS#1 padded RSA encryption */
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index 272c5eed18..5a6eda7961 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -150,16 +150,6 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void)
         return(&rsa_pkcs1_eay_meth);
         }
 
-/* Usage example;
- *    MONT_HELPER(rsa->_method_mod_p, bn_ctx, rsa->p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
- */
-#define MONT_HELPER(method_mod, ctx, m, pre_cond, err_instr) \
-        if ((pre_cond) && ((method_mod) == NULL) && \
-                        !BN_MONT_CTX_set_locked(&(method_mod), \
-                                CRYPTO_LOCK_RSA, \
-                                (m), (ctx))) \
-                err_instr
-
 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
              unsigned char *to, RSA *rsa, int padding)
         {
@@ -233,7 +223,9 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
                 goto err;
                 }
 
-        MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+        if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+                if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                        goto err;
 
         if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
                 rsa->_method_mod_n)) goto err;
@@ -460,7 +452,9 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                 else
                         d= rsa->d;
 
-                MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+                if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+                        if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                                goto err;
 
                 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
                                 rsa->_method_mod_n)) goto err;
@@ -581,7 +575,9 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                 else
                         d = rsa->d;
 
-                MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+                if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+                        if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                                goto err;
                 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
                                 rsa->_method_mod_n))
                   goto err;
@@ -691,7 +687,9 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
                 goto err;
                 }
 
-        MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+        if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+                if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                        goto err;
 
         if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
                 rsa->_method_mod_n)) goto err;
@@ -769,11 +767,18 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
                         q = rsa->q;
                         }
 
-                MONT_HELPER(rsa->_method_mod_p, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
-                MONT_HELPER(rsa->_method_mod_q, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
+                if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
+                        {
+                        if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
+                                goto err;
+                        if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
+                                goto err;
+                        }
         }
 
-        MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+        if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+                if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                        goto err;
 
         /* compute I mod q */
         if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
diff --git a/src/lib/libcrypto/rsa/rsa_ssl.c b/src/lib/libcrypto/rsa/rsa_ssl.c
index ea72629494..cfeff15bc9 100644
--- a/src/lib/libcrypto/rsa/rsa_ssl.c
+++ b/src/lib/libcrypto/rsa/rsa_ssl.c
@@ -130,7 +130,7 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
                 RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_NULL_BEFORE_BLOCK_MISSING);
                 return(-1);
                 }
-        for (k= -8; k<0; k++)
+        for (k = -9; k<-1; k++)
                 {
                 if (p[k] !=  0x03) break;
                 }
diff --git a/src/lib/libcrypto/sha/asm/sha1-586.pl b/src/lib/libcrypto/sha/asm/sha1-586.pl
index 0b4dab2bd5..a787dd37da 100644
--- a/src/lib/libcrypto/sha/asm/sha1-586.pl
+++ b/src/lib/libcrypto/sha/asm/sha1-586.pl
@@ -149,7 +149,7 @@ sub BODY_40_59
         &add($f,$e);                    # f+=ROTATE(a,5)
         }
 
-&function_begin("sha1_block_data_order",16);
+&function_begin("sha1_block_data_order");
         &mov($tmp1,&wparam(0)); # SHA_CTX *c
         &mov($T,&wparam(1));    # const void *input
         &mov($A,&wparam(2));    # size_t num
diff --git a/src/lib/libcrypto/stack/safestack.h b/src/lib/libcrypto/stack/safestack.h
index 78cc485e6d..40b17902e0 100644
--- a/src/lib/libcrypto/stack/safestack.h
+++ b/src/lib/libcrypto/stack/safestack.h
@@ -986,6 +986,50 @@ STACK_OF(type) \
 #define sk_MIME_HEADER_sort(st) SKM_sk_sort(MIME_HEADER, (st))
 #define sk_MIME_HEADER_is_sorted(st) SKM_sk_is_sorted(MIME_HEADER, (st))
 
+#define sk_MIME_HEADER_new(st) SKM_sk_new(MIME_HEADER, (st))
+#define sk_MIME_HEADER_new_null() SKM_sk_new_null(MIME_HEADER)
+#define sk_MIME_HEADER_free(st) SKM_sk_free(MIME_HEADER, (st))
+#define sk_MIME_HEADER_num(st) SKM_sk_num(MIME_HEADER, (st))
+#define sk_MIME_HEADER_value(st, i) SKM_sk_value(MIME_HEADER, (st), (i))
+#define sk_MIME_HEADER_set(st, i, val) SKM_sk_set(MIME_HEADER, (st), (i), (val))
+#define sk_MIME_HEADER_zero(st) SKM_sk_zero(MIME_HEADER, (st))
+#define sk_MIME_HEADER_push(st, val) SKM_sk_push(MIME_HEADER, (st), (val))
+#define sk_MIME_HEADER_unshift(st, val) SKM_sk_unshift(MIME_HEADER, (st), (val))
+#define sk_MIME_HEADER_find(st, val) SKM_sk_find(MIME_HEADER, (st), (val))
+#define sk_MIME_HEADER_find_ex(st, val) SKM_sk_find_ex(MIME_HEADER, (st), (val))
+#define sk_MIME_HEADER_delete(st, i) SKM_sk_delete(MIME_HEADER, (st), (i))
+#define sk_MIME_HEADER_delete_ptr(st, ptr) SKM_sk_delete_ptr(MIME_HEADER, (st), (ptr))
+#define sk_MIME_HEADER_insert(st, val, i) SKM_sk_insert(MIME_HEADER, (st), (val), (i))
+#define sk_MIME_HEADER_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(MIME_HEADER, (st), (cmp))
+#define sk_MIME_HEADER_dup(st) SKM_sk_dup(MIME_HEADER, st)
+#define sk_MIME_HEADER_pop_free(st, free_func) SKM_sk_pop_free(MIME_HEADER, (st), (free_func))
+#define sk_MIME_HEADER_shift(st) SKM_sk_shift(MIME_HEADER, (st))
+#define sk_MIME_HEADER_pop(st) SKM_sk_pop(MIME_HEADER, (st))
+#define sk_MIME_HEADER_sort(st) SKM_sk_sort(MIME_HEADER, (st))
+#define sk_MIME_HEADER_is_sorted(st) SKM_sk_is_sorted(MIME_HEADER, (st))
+
+#define sk_MIME_PARAM_new(st) SKM_sk_new(MIME_PARAM, (st))
+#define sk_MIME_PARAM_new_null() SKM_sk_new_null(MIME_PARAM)
+#define sk_MIME_PARAM_free(st) SKM_sk_free(MIME_PARAM, (st))
+#define sk_MIME_PARAM_num(st) SKM_sk_num(MIME_PARAM, (st))
+#define sk_MIME_PARAM_value(st, i) SKM_sk_value(MIME_PARAM, (st), (i))
+#define sk_MIME_PARAM_set(st, i, val) SKM_sk_set(MIME_PARAM, (st), (i), (val))
+#define sk_MIME_PARAM_zero(st) SKM_sk_zero(MIME_PARAM, (st))
+#define sk_MIME_PARAM_push(st, val) SKM_sk_push(MIME_PARAM, (st), (val))
+#define sk_MIME_PARAM_unshift(st, val) SKM_sk_unshift(MIME_PARAM, (st), (val))
+#define sk_MIME_PARAM_find(st, val) SKM_sk_find(MIME_PARAM, (st), (val))
+#define sk_MIME_PARAM_find_ex(st, val) SKM_sk_find_ex(MIME_PARAM, (st), (val))
+#define sk_MIME_PARAM_delete(st, i) SKM_sk_delete(MIME_PARAM, (st), (i))
+#define sk_MIME_PARAM_delete_ptr(st, ptr) SKM_sk_delete_ptr(MIME_PARAM, (st), (ptr))
+#define sk_MIME_PARAM_insert(st, val, i) SKM_sk_insert(MIME_PARAM, (st), (val), (i))
+#define sk_MIME_PARAM_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(MIME_PARAM, (st), (cmp))
+#define sk_MIME_PARAM_dup(st) SKM_sk_dup(MIME_PARAM, st)
+#define sk_MIME_PARAM_pop_free(st, free_func) SKM_sk_pop_free(MIME_PARAM, (st), (free_func))
+#define sk_MIME_PARAM_shift(st) SKM_sk_shift(MIME_PARAM, (st))
+#define sk_MIME_PARAM_pop(st) SKM_sk_pop(MIME_PARAM, (st))
+#define sk_MIME_PARAM_sort(st) SKM_sk_sort(MIME_PARAM, (st))
+#define sk_MIME_PARAM_is_sorted(st) SKM_sk_is_sorted(MIME_PARAM, (st))
+
 #define sk_MIME_PARAM_new(st) SKM_sk_new(MIME_PARAM, (st))
 #define sk_MIME_PARAM_new_null() SKM_sk_new_null(MIME_PARAM)
 #define sk_MIME_PARAM_free(st) SKM_sk_free(MIME_PARAM, (st))
diff --git a/src/lib/libcrypto/util/libeay.num b/src/lib/libcrypto/util/libeay.num
index 2989500c4b..62664f3c37 100644
--- a/src/lib/libcrypto/util/libeay.num
+++ b/src/lib/libcrypto/util/libeay.num
@@ -725,7 +725,7 @@ d2i_DSAPublicKey                        731	EXIST::FUNCTION:DSA
 d2i_DSAparams                           732     EXIST::FUNCTION:DSA
 d2i_NETSCAPE_SPKAC                      733     EXIST::FUNCTION:
 d2i_NETSCAPE_SPKI                       734     EXIST::FUNCTION:
-d2i_Netscape_RSA                        735     EXIST::FUNCTION:RSA
+d2i_Netscape_RSA                        735     EXIST::FUNCTION:RC4,RSA
 d2i_PKCS7                               736     EXIST::FUNCTION:
 d2i_PKCS7_DIGEST                        737     EXIST::FUNCTION:
 d2i_PKCS7_ENCRYPT                       738     EXIST::FUNCTION:
@@ -827,7 +827,7 @@ i2d_DSAPublicKey                        834	EXIST::FUNCTION:DSA
 i2d_DSAparams                           835     EXIST::FUNCTION:DSA
 i2d_NETSCAPE_SPKAC                      836     EXIST::FUNCTION:
 i2d_NETSCAPE_SPKI                       837     EXIST::FUNCTION:
-i2d_Netscape_RSA                        838     EXIST::FUNCTION:RSA
+i2d_Netscape_RSA                        838     EXIST::FUNCTION:RC4,RSA
 i2d_PKCS7                               839     EXIST::FUNCTION:
 i2d_PKCS7_DIGEST                        840     EXIST::FUNCTION:
 i2d_PKCS7_ENCRYPT                       841     EXIST::FUNCTION:
@@ -1814,9 +1814,9 @@ RAND_egd_bytes                          2402	EXIST::FUNCTION:
 X509_REQ_get1_email                     2403    EXIST::FUNCTION:
 X509_get1_email                         2404    EXIST::FUNCTION:
 X509_email_free                         2405    EXIST::FUNCTION:
-i2d_RSA_NET                             2406    EXIST::FUNCTION:RSA
+i2d_RSA_NET                             2406    EXIST::FUNCTION:RC4,RSA
 d2i_RSA_NET_2                           2407    NOEXIST::FUNCTION:
-d2i_RSA_NET                             2408    EXIST::FUNCTION:RSA
+d2i_RSA_NET                             2408    EXIST::FUNCTION:RC4,RSA
 DSO_bind_func                           2409    EXIST::FUNCTION:
 CRYPTO_get_new_dynlockid                2410    EXIST::FUNCTION:
 sk_new_null                             2411    EXIST::FUNCTION:
@@ -2843,7 +2843,7 @@ FIPS_selftest_failed                    3284	NOEXIST::FUNCTION:
 sk_is_sorted                            3285    EXIST::FUNCTION:
 X509_check_ca                           3286    EXIST::FUNCTION:
 private_idea_set_encrypt_key            3287    NOEXIST::FUNCTION:
-HMAC_CTX_set_flags                      3288    NOEXIST::FUNCTION:
+HMAC_CTX_set_flags                      3288    EXIST::FUNCTION:HMAC
 private_SHA_Init                        3289    NOEXIST::FUNCTION:
 private_CAST_set_key                    3290    NOEXIST::FUNCTION:
 private_RIPEMD160_Init                  3291    NOEXIST::FUNCTION:
@@ -3652,3 +3652,51 @@ CMS_set1_eContentType                   4040	EXIST::FUNCTION:CMS
 CMS_ReceiptRequest_create0              4041    EXIST::FUNCTION:CMS
 CMS_add1_signer                         4042    EXIST::FUNCTION:CMS
 CMS_RecipientInfo_set0_pkey             4043    EXIST::FUNCTION:CMS
+ENGINE_set_load_ssl_client_cert_function 4044   EXIST::FUNCTION:ENGINE
+ENGINE_get_ssl_client_cert_function     4045    EXIST::FUNCTION:ENGINE
+ENGINE_load_ssl_client_cert             4046    EXIST::FUNCTION:ENGINE
+ENGINE_load_capi                        4047    EXIST::FUNCTION:CAPIENG,ENGINE
+OPENSSL_isservice                       4048    EXIST::FUNCTION:
+FIPS_dsa_sig_decode                     4049    NOEXIST::FUNCTION:
+EVP_CIPHER_CTX_clear_flags              4050    NOEXIST::FUNCTION:
+FIPS_rand_status                        4051    NOEXIST::FUNCTION:
+FIPS_rand_set_key                       4052    NOEXIST::FUNCTION:
+CRYPTO_set_mem_info_functions           4053    NOEXIST::FUNCTION:
+RSA_X931_generate_key_ex                4054    NOEXIST::FUNCTION:
+int_ERR_set_state_func                  4055    NOEXIST::FUNCTION:
+int_EVP_MD_set_engine_callbacks         4056    NOEXIST::FUNCTION:
+int_CRYPTO_set_do_dynlock_callback      4057    NOEXIST::FUNCTION:
+FIPS_rng_stick                          4058    NOEXIST::FUNCTION:
+EVP_CIPHER_CTX_set_flags                4059    NOEXIST::FUNCTION:
+BN_X931_generate_prime_ex               4060    NOEXIST::FUNCTION:
+FIPS_selftest_check                     4061    NOEXIST::FUNCTION:
+FIPS_rand_set_dt                        4062    NOEXIST::FUNCTION:
+CRYPTO_dbg_pop_info                     4063    NOEXIST::FUNCTION:
+FIPS_dsa_free                           4064    NOEXIST::FUNCTION:
+RSA_X931_derive_ex                      4065    NOEXIST::FUNCTION:
+FIPS_rsa_new                            4066    NOEXIST::FUNCTION:
+FIPS_rand_bytes                         4067    NOEXIST::FUNCTION:
+fips_cipher_test                        4068    NOEXIST::FUNCTION:
+EVP_CIPHER_CTX_test_flags               4069    NOEXIST::FUNCTION:
+CRYPTO_malloc_debug_init                4070    NOEXIST::FUNCTION:
+CRYPTO_dbg_push_info                    4071    NOEXIST::FUNCTION:
+FIPS_corrupt_rsa_keygen                 4072    NOEXIST::FUNCTION:
+FIPS_dh_new                             4073    NOEXIST::FUNCTION:
+FIPS_corrupt_dsa_keygen                 4074    NOEXIST::FUNCTION:
+FIPS_dh_free                            4075    NOEXIST::FUNCTION:
+fips_pkey_signature_test                4076    NOEXIST::FUNCTION:
+EVP_add_alg_module                      4077    NOEXIST::FUNCTION:
+int_RAND_init_engine_callbacks          4078    NOEXIST::FUNCTION:
+int_EVP_CIPHER_set_engine_callbacks     4079    NOEXIST::FUNCTION:
+int_EVP_MD_init_engine_callbacks        4080    NOEXIST::FUNCTION:
+FIPS_rand_test_mode                     4081    NOEXIST::FUNCTION:
+FIPS_rand_reset                         4082    NOEXIST::FUNCTION:
+FIPS_dsa_new                            4083    NOEXIST::FUNCTION:
+int_RAND_set_callbacks                  4084    NOEXIST::FUNCTION:
+BN_X931_derive_prime_ex                 4085    NOEXIST::FUNCTION:
+int_ERR_lib_init                        4086    NOEXIST::FUNCTION:
+int_EVP_CIPHER_init_engine_callbacks    4087    NOEXIST::FUNCTION:
+FIPS_rsa_free                           4088    NOEXIST::FUNCTION:
+FIPS_dsa_sig_encode                     4089    NOEXIST::FUNCTION:
+CRYPTO_dbg_remove_all_info              4090    NOEXIST::FUNCTION:
+OPENSSL_init                            4091    NOEXIST::FUNCTION:
diff --git a/src/lib/libcrypto/util/mk1mf.pl b/src/lib/libcrypto/util/mk1mf.pl
index 1ac5fd3a50..7ba804ce33 100644
--- a/src/lib/libcrypto/util/mk1mf.pl
+++ b/src/lib/libcrypto/util/mk1mf.pl
@@ -221,6 +221,7 @@ $cflags.=" -DOPENSSL_NO_SSL2" if $no_ssl2;
 $cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3;
 $cflags.=" -DOPENSSL_NO_TLSEXT" if $no_tlsext;
 $cflags.=" -DOPENSSL_NO_CMS" if $no_cms;
+$cflags.=" -DOPENSSL_NO_CAPIENG" if $no_capieng;
 $cflags.=" -DOPENSSL_NO_ERR"  if $no_err;
 $cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5;
 $cflags.=" -DOPENSSL_NO_EC"   if $no_ec;
@@ -1017,6 +1018,7 @@ sub read_options
                 "no-ssl3" => \$no_ssl3,
                 "no-tlsext" => \$no_tlsext,
                 "no-cms" => \$no_cms,
+                "no-capieng" => \$no_capieng,
                 "no-err" => \$no_err,
                 "no-sock" => \$no_sock,
                 "no-krb5" => \$no_krb5,
@@ -1100,7 +1102,7 @@ sub read_options
                                 }
                         }
                 }
-        elsif (/^([^=]*)=(.*)$/){ $VARS{$1}=$2; }
+        elsif (/^([^=]*)=(.*)$/ && !/^-D/){ $VARS{$1}=$2; }
         elsif (/^-[lL].*$/)     { $l_flags.="$_ "; }
         elsif ((!/^-help/) && (!/^-h/) && (!/^-\?/) && /^-.*$/)
                 { $c_flags.="$_ "; }
diff --git a/src/lib/libcrypto/util/mkdef.pl b/src/lib/libcrypto/util/mkdef.pl
index ef1cc6e513..8ecfde1848 100644
--- a/src/lib/libcrypto/util/mkdef.pl
+++ b/src/lib/libcrypto/util/mkdef.pl
@@ -100,6 +100,8 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
                          "TLSEXT",
                          # CMS
                          "CMS",
+                         # CryptoAPI Engine
+                         "CAPIENG",
                          # Deprecated functions
                          "DEPRECATED" );
 
@@ -120,7 +122,7 @@ my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5;
 my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw; my $no_camellia;
 my $no_seed;
 my $no_fp_api; my $no_static_engine; my $no_gmp; my $no_deprecated;
-my $no_rfc3779; my $no_tlsext; my $no_cms;
+my $no_rfc3779; my $no_tlsext; my $no_cms; my $no_capieng;
 
 
 foreach (@ARGV, split(/ /, $options))
@@ -206,6 +208,7 @@ foreach (@ARGV, split(/ /, $options))
         elsif (/^no-rfc3779$/)  { $no_rfc3779=1; }
         elsif (/^no-tlsext$/)   { $no_tlsext=1; }
         elsif (/^no-cms$/)      { $no_cms=1; }
+        elsif (/^no-capieng$/)  { $no_capieng=1; }
         }
 
 
@@ -1131,6 +1134,7 @@ sub is_valid
                         if ($keyword eq "RFC3779" && $no_rfc3779) { return 0; }
                         if ($keyword eq "TLSEXT" && $no_tlsext) { return 0; }
                         if ($keyword eq "CMS" && $no_cms) { return 0; }
+                        if ($keyword eq "CAPIENG" && $no_capieng) { return 0; }
                         if ($keyword eq "DEPRECATED" && $no_deprecated) { return 0; }
 
                         # Nothing recognise as true
diff --git a/src/lib/libcrypto/util/pl/VC-32.pl b/src/lib/libcrypto/util/pl/VC-32.pl
index 9cb2ab7e99..1e254119e6 100644
--- a/src/lib/libcrypto/util/pl/VC-32.pl
+++ b/src/lib/libcrypto/util/pl/VC-32.pl
@@ -138,7 +138,7 @@ if ($FLAVOR =~ /CE/)
         }
 else
         {
-        $ex_libs.=' gdi32.lib advapi32.lib user32.lib';
+        $ex_libs.=' gdi32.lib crypt32.lib advapi32.lib user32.lib';
         $ex_libs.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/);
         }
 
@@ -259,7 +259,6 @@ sub do_lib_rule
                 $name =~ tr/a-z/A-Z/;
                 $name = "/def:ms/${name}.def";
                 }
-
 #       $target="\$(LIB_D)$o$target";
         $ret.="$target: $objs\n";
         if (!$shlib)
@@ -274,6 +273,10 @@ sub do_lib_rule
                 if ($name eq "")
                         {
                         $ex.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/);
+                        if ($target =~ /capi/)
+                                {
+                                $ex.=' crypt32.lib advapi32.lib';
+                                }
                         }
                 elsif ($FLAVOR =~ /CE/)
                         {
@@ -283,6 +286,7 @@ sub do_lib_rule
                         {
                         $ex.=' unicows.lib' if ($FLAVOR =~ /NT/);
                         $ex.=' wsock32.lib gdi32.lib advapi32.lib user32.lib';
+                        $ex.=' crypt32.lib';
                         $ex.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/);
                         }
                 $ex.=" $zlib_lib" if $zlib_opt == 1 && $target =~ /O_CRYPTO/;
diff --git a/src/lib/libcrypto/util/ssleay.num b/src/lib/libcrypto/util/ssleay.num
index b3ac136a56..2055cc1597 100644
--- a/src/lib/libcrypto/util/ssleay.num
+++ b/src/lib/libcrypto/util/ssleay.num
@@ -241,3 +241,4 @@ SSL_CTX_sess_get_remove_cb              289	EXIST::FUNCTION:
 SSL_set_SSL_CTX                         290     EXIST::FUNCTION:
 SSL_get_servername                      291     EXIST::FUNCTION:TLSEXT
 SSL_get_servername_type                 292     EXIST::FUNCTION:TLSEXT
+SSL_CTX_set_client_cert_engine          293     EXIST::FUNCTION:ENGINE
diff --git a/src/lib/libcrypto/x509/x509_att.c b/src/lib/libcrypto/x509/x509_att.c
index 511b49d589..98460e8921 100644
--- a/src/lib/libcrypto/x509/x509_att.c
+++ b/src/lib/libcrypto/x509/x509_att.c
@@ -245,7 +245,7 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
                 goto err;
         if (!X509_ATTRIBUTE_set1_data(ret,atrtype,data,len))
                 goto err;
-        
+
         if ((attr != NULL) && (*attr == NULL)) *attr=ret;
         return(ret);
 err:
@@ -302,8 +302,15 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *dat
                 atype = attrtype;
         }
         if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
+        attr->single = 0;
+        /* This is a bit naughty because the attribute should really have
+         * at least one value but some types use and zero length SET and
+         * require this.
+         */
+        if (attrtype == 0)
+                return 1;
         if(!(ttmp = ASN1_TYPE_new())) goto err;
-        if (len == -1)
+        if ((len == -1) && !(attrtype & MBSTRING_FLAG))
                 {
                 if (!ASN1_TYPE_set1(ttmp, attrtype, data))
                         goto err;
@@ -311,7 +318,6 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *dat
         else
                 ASN1_TYPE_set(ttmp, atype, stmp);
         if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
-        attr->single = 0;
         return 1;
         err:
         X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_MALLOC_FAILURE);
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 9a62ebcf67..336c40ddd7 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -394,7 +394,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 #ifdef OPENSSL_NO_CHAIN_VERIFY
         return 1;
 #else
-        int i, ok=0, must_be_ca;
+        int i, ok=0, must_be_ca, plen = 0;
         X509 *x;
         int (*cb)(int xok,X509_STORE_CTX *xctx);
         int proxy_path_length = 0;
@@ -495,9 +495,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                                 if (!ok) goto end;
                                 }
                         }
-                /* Check pathlen */
-                if ((i > 1) && (x->ex_pathlen != -1)
-                           && (i > (x->ex_pathlen + proxy_path_length + 1)))
+                /* Check pathlen if not self issued */
+                if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
+                           && (x->ex_pathlen != -1)
+                           && (plen > (x->ex_pathlen + proxy_path_length + 1)))
                         {
                         ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
                         ctx->error_depth = i;
@@ -505,6 +506,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                         ok=cb(0,ctx);
                         if (!ok) goto end;
                         }
+                /* Increment path length if not self issued */
+                if (!(x->ex_flags & EXFLAG_SI))
+                        plen++;
                 /* If this certificate is a proxy certificate, the next
                    certificate must be another proxy certificate or a EE
                    certificate.  If not, the next certificate must be a
diff --git a/src/lib/libcrypto/x509v3/pcy_data.c b/src/lib/libcrypto/x509v3/pcy_data.c
index 614d2b4935..4711b1ee92 100644
--- a/src/lib/libcrypto/x509v3/pcy_data.c
+++ b/src/lib/libcrypto/x509v3/pcy_data.c
@@ -87,6 +87,12 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
         X509_POLICY_DATA *ret;
         if (!policy && !id)
                 return NULL;
+        if (id)
+                {
+                id = OBJ_dup(id);
+                if (!id)
+                        return NULL;
+                }
         ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
         if (!ret)
                 return NULL;
@@ -94,6 +100,8 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
         if (!ret->expected_policy_set)
                 {
                 OPENSSL_free(ret);
+                if (id)
+                        ASN1_OBJECT_free(id);
                 return NULL;
                 }
 
diff --git a/src/lib/libcrypto/x509v3/pcy_tree.c b/src/lib/libcrypto/x509v3/pcy_tree.c
index 4fda1d419a..b1ce77b9af 100644
--- a/src/lib/libcrypto/x509v3/pcy_tree.c
+++ b/src/lib/libcrypto/x509v3/pcy_tree.c
@@ -130,9 +130,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                         ret = 2;
                 if (explicit_policy > 0)
                         {
-                        explicit_policy--;
-                        if (!(x->ex_flags & EXFLAG_SS)
-                                && (cache->explicit_skip != -1)
+                        if (!(x->ex_flags & EXFLAG_SI))
+                                explicit_policy--;
+                        if ((cache->explicit_skip != -1)
                                 && (cache->explicit_skip < explicit_policy))
                                 explicit_policy = cache->explicit_skip;
                         }
@@ -197,13 +197,14 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                         /* Any matching allowed if certificate is self
                          * issued and not the last in the chain.
                          */
-                        if (!(x->ex_flags & EXFLAG_SS) || (i == 0))
+                        if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
                                 level->flags |= X509_V_FLAG_INHIBIT_ANY;
                         }
                 else
                         {
-                        any_skip--;
-                        if ((cache->any_skip > 0)
+                        if (!(x->ex_flags & EXFLAG_SI))
+                                any_skip--;
+                        if ((cache->any_skip >= 0)
                                 && (cache->any_skip < any_skip))
                                 any_skip = cache->any_skip;
                         }
@@ -213,7 +214,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                 else
                         {
                         map_skip--;
-                        if ((cache->map_skip > 0)
+                        if ((cache->map_skip >= 0)
                                 && (cache->map_skip < map_skip))
                                 map_skip = cache->map_skip;
                         }
@@ -310,7 +311,8 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
 
                 if (data == NULL)
                         return 0;
-                data->qualifier_set = curr->anyPolicy->data->qualifier_set;
+                /* Curr may not have anyPolicy */
+                data->qualifier_set = cache->anyPolicy->qualifier_set;
                 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
                 if (!level_add_node(curr, data, node, tree))
                         {
diff --git a/src/lib/libcrypto/x509v3/v3_addr.c b/src/lib/libcrypto/x509v3/v3_addr.c
index ed9847b307..c6730ab3fd 100644
--- a/src/lib/libcrypto/x509v3/v3_addr.c
+++ b/src/lib/libcrypto/x509v3/v3_addr.c
@@ -594,10 +594,10 @@ static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
     return NULL;
   switch (afi) {
   case IANA_AFI_IPV4:
-    sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
+    (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
     break;
   case IANA_AFI_IPV6:
-    sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
+    (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
     break;
   }
   f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
@@ -854,7 +854,7 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
       if (!make_addressRange(&merged, a_min, b_max, length))
         return 0;
       sk_IPAddressOrRange_set(aors, i, merged);
-      sk_IPAddressOrRange_delete(aors, i + 1);
+      (void)sk_IPAddressOrRange_delete(aors, i + 1);
       IPAddressOrRange_free(a);
       IPAddressOrRange_free(b);
       --i;
@@ -1122,7 +1122,7 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
     return 1;
   if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
     return 0;
-  sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
+  (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
   for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
     IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
     int j = sk_IPAddressFamily_find(b, fa);
@@ -1183,7 +1183,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
   }
   if (!v3_addr_is_canonical(ext))
     validation_err(X509_V_ERR_INVALID_EXTENSION);
-  sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
+  (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
   if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
     X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
     ret = 0;
@@ -1209,7 +1209,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
       }
       continue;
     }
-    sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
+    (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
     for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
       IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
       int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
diff --git a/src/lib/libcrypto/x509v3/v3_asid.c b/src/lib/libcrypto/x509v3/v3_asid.c
index 271930f967..abd497ed1f 100644
--- a/src/lib/libcrypto/x509v3/v3_asid.c
+++ b/src/lib/libcrypto/x509v3/v3_asid.c
@@ -466,7 +466,7 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
         break;
       }
       ASIdOrRange_free(b);
-      sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
+      (void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
       i--;
       continue;
     }
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
index b2f5cdfa05..c54e7887c7 100644
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -291,7 +291,9 @@ int X509_supported_extension(X509_EXTENSION *ex)
                 NID_sbgp_ipAddrBlock,   /* 290 */
                 NID_sbgp_autonomousSysNum, /* 291 */
 #endif
-                NID_proxyCertInfo       /* 661 */
+                NID_policy_constraints, /* 401 */
+                NID_proxyCertInfo,      /* 661 */
+                NID_inhibit_any_policy  /* 748 */
         };
 
         int ex_nid;
@@ -325,7 +327,7 @@ static void x509v3_cache_extensions(X509 *x)
 #endif
         /* Does subject name match issuer ? */
         if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
-                         x->ex_flags |= EXFLAG_SS;
+                         x->ex_flags |= EXFLAG_SI;
         /* V1 should mean no extensions ... */
         if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
         /* Handle basic constraints */
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
index db2b0482c1..5ba59f71c9 100644
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -363,6 +363,8 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
 #define EXFLAG_NSCERT           0x8
 
 #define EXFLAG_CA               0x10
+/* Really self issued not necessarily self signed */
+#define EXFLAG_SI               0x20
 #define EXFLAG_SS               0x20
 #define EXFLAG_V1               0x40
 #define EXFLAG_INVALID          0x80
@@ -370,7 +372,7 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
 #define EXFLAG_CRITICAL         0x200
 #define EXFLAG_PROXY            0x400
 
-#define EXFLAG_INVALID_POLICY   0x400
+#define EXFLAG_INVALID_POLICY   0x800
 
 #define KU_DIGITAL_SIGNATURE    0x0080
 #define KU_NON_REPUDIATION      0x0040