72 files changed, 1587 insertions, 286 deletions

diff --git a/src/lib/libcrypto/Attic/Makefile b/src/lib/libcrypto/Attic/Makefile
index cffaeedc5d..cda9de0ac9 100644
--- a/src/lib/libcrypto/Attic/Makefile
+++ b/src/lib/libcrypto/Attic/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/Makefile
+# OpenSSL/crypto/Makefile
 #
 
 DIR=            crypto
diff --git a/src/lib/libcrypto/asn1/Makefile b/src/lib/libcrypto/asn1/Makefile
index b11298d621..d1c2d8f490 100644
--- a/src/lib/libcrypto/asn1/Makefile
+++ b/src/lib/libcrypto/asn1/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/asn1/Makefile
+# OpenSSL/crypto/asn1/Makefile
 #
 
 DIR=    asn1
diff --git a/src/lib/libcrypto/bf/Makefile b/src/lib/libcrypto/bf/Makefile
index 0e2121efdc..42e2c050f8 100644
--- a/src/lib/libcrypto/bf/Makefile
+++ b/src/lib/libcrypto/bf/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/blowfish/Makefile
+# OpenSSL/crypto/blowfish/Makefile
 #
 
 DIR=    bf
@@ -110,7 +110,7 @@ bf_enc.o: ../../include/openssl/opensslconf.h bf_enc.c bf_locl.h
 bf_ofb64.o: ../../include/openssl/blowfish.h ../../include/openssl/e_os2.h
 bf_ofb64.o: ../../include/openssl/opensslconf.h bf_locl.h bf_ofb64.c
 bf_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/crypto.h
-bf_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-bf_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bf_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bf_skey.o: bf_locl.h bf_pi.h bf_skey.c
+bf_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/fips.h
+bf_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bf_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bf_skey.o: ../../include/openssl/symhacks.h bf_locl.h bf_pi.h bf_skey.c
diff --git a/src/lib/libcrypto/bio/Makefile b/src/lib/libcrypto/bio/Makefile
index 19d9350760..a565154499 100644
--- a/src/lib/libcrypto/bio/Makefile
+++ b/src/lib/libcrypto/bio/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/bio/Makefile
+# OpenSSL/crypto/bio/Makefile
 #
 
 DIR=    bio
diff --git a/src/lib/libcrypto/bn/Makefile b/src/lib/libcrypto/bn/Makefile
index f693d35d87..9969d242cc 100644
--- a/src/lib/libcrypto/bn/Makefile
+++ b/src/lib/libcrypto/bn/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/bn/Makefile
+# OpenSSL/crypto/bn/Makefile
 #
 
 DIR=    bn
@@ -31,12 +31,12 @@ LIB=$(TOP)/libcrypto.a
 LIBSRC= bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c bn_mod.c \
         bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
         bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \
-        bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c
+        bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_x931p.c
 
 LIBOBJ= bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o bn_mod.o \
         bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \
         bn_kron.o bn_sqrt.o bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) \
-        bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o
+        bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o bn_x931p.o
 
 SRC= $(LIBSRC)
 
@@ -329,3 +329,5 @@ bn_word.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bn_word.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bn_word.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 bn_word.o: ../cryptlib.h bn_lcl.h bn_word.c
+bn_x931p.o: ../../include/openssl/bn.h ../../include/openssl/e_os2.h
+bn_x931p.o: ../../include/openssl/opensslconf.h bn_x931p.c
diff --git a/src/lib/libcrypto/bn/bntest.c b/src/lib/libcrypto/bn/bntest.c
index 28cd3339da..685007d330 100644
--- a/src/lib/libcrypto/bn/bntest.c
+++ b/src/lib/libcrypto/bn/bntest.c
@@ -86,6 +86,7 @@ int test_mont(BIO *bp,BN_CTX *ctx);
 int test_mod(BIO *bp,BN_CTX *ctx);
 int test_mod_mul(BIO *bp,BN_CTX *ctx);
 int test_mod_exp(BIO *bp,BN_CTX *ctx);
+int test_mod_exp_mont_consttime(BIO *bp,BN_CTX *ctx);
 int test_exp(BIO *bp,BN_CTX *ctx);
 int test_kron(BIO *bp,BN_CTX *ctx);
 int test_sqrt(BIO *bp,BN_CTX *ctx);
@@ -213,6 +214,10 @@ int main(int argc, char *argv[])
         if (!test_mod_exp(out,ctx)) goto err;
         BIO_flush(out);
 
+        message(out,"BN_mod_exp_mont_consttime");
+        if (!test_mod_exp_mont_consttime(out,ctx)) goto err;
+        BIO_flush(out);
+
         message(out,"BN_exp");
         if (!test_exp(out,ctx)) goto err;
         BIO_flush(out);
@@ -813,6 +818,57 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx)
         return(1);
         }
 
+int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
+        {
+        BIGNUM *a,*b,*c,*d,*e;
+        int i;
+
+        a=BN_new();
+        b=BN_new();
+        c=BN_new();
+        d=BN_new();
+        e=BN_new();
+
+        BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */
+        for (i=0; i<num2; i++)
+                {
+                BN_bntest_rand(a,20+i*5,0,0); /**/
+                BN_bntest_rand(b,2+i,0,0); /**/
+
+                if (!BN_mod_exp_mont_consttime(d,a,b,c,ctx,NULL))
+                        return(00);
+
+                if (bp != NULL)
+                        {
+                        if (!results)
+                                {
+                                BN_print(bp,a);
+                                BIO_puts(bp," ^ ");
+                                BN_print(bp,b);
+                                BIO_puts(bp," % ");
+                                BN_print(bp,c);
+                                BIO_puts(bp," - ");
+                                }
+                        BN_print(bp,d);
+                        BIO_puts(bp,"\n");
+                        }
+                BN_exp(e,a,b,ctx);
+                BN_sub(e,e,d);
+                BN_div(a,b,e,c,ctx);
+                if(!BN_is_zero(b))
+                    {
+                    fprintf(stderr,"Modulo exponentiation test failed!\n");
+                    return 0;
+                    }
+                }
+        BN_free(a);
+        BN_free(b);
+        BN_free(c);
+        BN_free(d);
+        BN_free(e);
+        return(1);
+        }
+
 int test_exp(BIO *bp, BN_CTX *ctx)
         {
         BIGNUM *a,*b,*d,*e,*one;
diff --git a/src/lib/libcrypto/bn/expspeed.c b/src/lib/libcrypto/bn/expspeed.c
index 07a1bcf51c..4d5f221f33 100644
--- a/src/lib/libcrypto/bn/expspeed.c
+++ b/src/lib/libcrypto/bn/expspeed.c
@@ -321,7 +321,7 @@ void do_mul_exp(BIGNUM *r, BIGNUM *a, BIGNUM *b, BIGNUM *c, BN_CTX *ctx)
 #else /* TEST_SQRT */
                         "2*sqrt [prime == %d (mod 64)] %4d %4d mod %4d"
 #endif
-                        " -> %8.3fms %5.1f (%ld)\n",
+                        " -> %8.6fms %5.1f (%ld)\n",
 #ifdef TEST_SQRT
                         P_MOD_64,
 #endif
diff --git a/src/lib/libcrypto/bn/exptest.c b/src/lib/libcrypto/bn/exptest.c
index b09cf88705..28aaac2ac1 100644
--- a/src/lib/libcrypto/bn/exptest.c
+++ b/src/lib/libcrypto/bn/exptest.c
@@ -77,7 +77,7 @@ int main(int argc, char *argv[])
         BIO *out=NULL;
         int i,ret;
         unsigned char c;
-        BIGNUM *r_mont,*r_recp,*r_simple,*a,*b,*m;
+        BIGNUM *r_mont,*r_mont_const,*r_recp,*r_simple,*a,*b,*m;
 
         RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_rand may fail, and we don't
                                                * even check its return value
@@ -88,6 +88,7 @@ int main(int argc, char *argv[])
         ctx=BN_CTX_new();
         if (ctx == NULL) EXIT(1);
         r_mont=BN_new();
+        r_mont_const=BN_new();
         r_recp=BN_new();
         r_simple=BN_new();
         a=BN_new();
@@ -143,8 +144,17 @@ int main(int argc, char *argv[])
                         EXIT(1);
                         }
 
+                ret=BN_mod_exp_mont_consttime(r_mont_const,a,b,m,ctx,NULL);
+                if (ret <= 0)
+                        {
+                        printf("BN_mod_exp_mont_consttime() problems\n");
+                        ERR_print_errors(out);
+                        EXIT(1);
+                        }
+
                 if (BN_cmp(r_simple, r_mont) == 0
-                    && BN_cmp(r_simple,r_recp) == 0)
+                    && BN_cmp(r_simple,r_recp) == 0
+                        && BN_cmp(r_simple,r_mont_const) == 0)
                         {
                         printf(".");
                         fflush(stdout);
@@ -153,6 +163,8 @@ int main(int argc, char *argv[])
                         {
                         if (BN_cmp(r_simple,r_mont) != 0)
                                 printf("\nsimple and mont results differ\n");
+                        if (BN_cmp(r_simple,r_mont) != 0)
+                                printf("\nsimple and mont const time results differ\n");
                         if (BN_cmp(r_simple,r_recp) != 0)
                                 printf("\nsimple and recp results differ\n");
 
@@ -162,11 +174,13 @@ int main(int argc, char *argv[])
                         printf("\nsimple   ="); BN_print(out,r_simple);
                         printf("\nrecp     ="); BN_print(out,r_recp);
                         printf("\nmont     ="); BN_print(out,r_mont);
+                        printf("\nmont_ct  ="); BN_print(out,r_mont_const);
                         printf("\n");
                         EXIT(1);
                         }
                 }
         BN_free(r_mont);
+        BN_free(r_mont_const);
         BN_free(r_recp);
         BN_free(r_simple);
         BN_free(a);
diff --git a/src/lib/libcrypto/buffer/Makefile b/src/lib/libcrypto/buffer/Makefile
index 3911baf513..4b53c595a3 100644
--- a/src/lib/libcrypto/buffer/Makefile
+++ b/src/lib/libcrypto/buffer/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/buffer/Makefile
+# OpenSSL/crypto/buffer/Makefile
 #
 
 DIR=    buffer
diff --git a/src/lib/libcrypto/cast/Makefile b/src/lib/libcrypto/cast/Makefile
index 8b0d04bb7c..b388f6271c 100644
--- a/src/lib/libcrypto/cast/Makefile
+++ b/src/lib/libcrypto/cast/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/cast/Makefile
+# OpenSSL/crypto/cast/Makefile
 #
 
 DIR=    cast
@@ -115,6 +115,7 @@ c_ofb64.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
 c_ofb64.o: c_ofb64.c cast_lcl.h
 c_skey.o: ../../e_os.h ../../include/openssl/cast.h
 c_skey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-c_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-c_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-c_skey.o: ../../include/openssl/symhacks.h c_skey.c cast_lcl.h cast_s.h
+c_skey.o: ../../include/openssl/fips.h ../../include/openssl/opensslconf.h
+c_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+c_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+c_skey.o: c_skey.c cast_lcl.h cast_s.h
diff --git a/src/lib/libcrypto/comp/Makefile b/src/lib/libcrypto/comp/Makefile
index 68109a8013..df1babec5c 100644
--- a/src/lib/libcrypto/comp/Makefile
+++ b/src/lib/libcrypto/comp/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/comp/Makefile
+# OpenSSL/crypto/comp/Makefile
 #
 
 DIR=    comp
diff --git a/src/lib/libcrypto/conf/Makefile b/src/lib/libcrypto/conf/Makefile
index 6d2f8ffd9a..403d12b28c 100644
--- a/src/lib/libcrypto/conf/Makefile
+++ b/src/lib/libcrypto/conf/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/conf/Makefile
+# OpenSSL/crypto/conf/Makefile
 #
 
 DIR=    conf
diff --git a/src/lib/libcrypto/crypto-lib.com b/src/lib/libcrypto/crypto-lib.com
index c044ce0099..427c321f25 100644
--- a/src/lib/libcrypto/crypto-lib.com
+++ b/src/lib/libcrypto/crypto-lib.com
@@ -184,10 +184,10 @@ $ IF F$TRNLNM("OPENSSL_NO_ASM").OR.ARCH.EQS."AXP" THEN LIB_BN_ASM = "bn_asm"
 $ LIB_BN = "bn_add,bn_div,bn_exp,bn_lib,bn_ctx,bn_mul,bn_mod,"+ -
         "bn_print,bn_rand,bn_shift,bn_word,bn_blind,"+ -
         "bn_kron,bn_sqrt,bn_gcd,bn_prime,bn_err,bn_sqr,"+LIB_BN_ASM+","+ -
-        "bn_recp,bn_mont,bn_mpi,bn_exp2"
+        "bn_recp,bn_mont,bn_mpi,bn_exp2,bn_x931p"
 $ LIB_RSA = "rsa_eay,rsa_gen,rsa_lib,rsa_sign,rsa_saos,rsa_err,"+ -
         "rsa_pk1,rsa_ssl,rsa_none,rsa_oaep,rsa_chk,rsa_null,"+ -
-        "rsa_asn1"
+        "rsa_pss,rsa_x931,rsa_asn1"
 $ LIB_EC = "ec_lib,ecp_smpl,ecp_mont,ecp_recp,ecp_nist,ec_cvt,ec_mult,"+ -
         "ec_err"
 $ LIB_DSA = "dsa_gen,dsa_key,dsa_lib,dsa_asn1,dsa_vrf,dsa_sign,dsa_err,dsa_ossl"
@@ -265,10 +265,15 @@ $ LIB_KRB5 = "krb5_asn"
 $!
 $! Setup exceptional compilations
 $!
+$ ! Add definitions for no threads on OpenVMS 7.1 and higher
 $ COMPILEWITH_CC3 = ",bss_rtcp,"
+$ ! Disable the DOLLARID warning
 $ COMPILEWITH_CC4 = ",a_utctm,bss_log,o_time,"
+$ ! Disable disjoint optimization
 $ COMPILEWITH_CC5 = ",md2_dgst,md4_dgst,md5_dgst,mdc2dgst," + -
                     "sha_dgst,sha1dgst,rmd_dgst,bf_enc,"
+$ ! Disable the MIXLINKAGE warning
+$ COMPILEWITH_CC6 = ",enc_read,set_key,"
 $!
 $! Figure Out What Other Modules We Are To Build.
 $!
@@ -497,7 +502,12 @@ $       IF COMPILEWITH_CC5 - FILE_NAME0 .NES. COMPILEWITH_CC5
 $       THEN
 $         CC5/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
 $       ELSE
-$         CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$         IF COMPILEWITH_CC6 - FILE_NAME0 .NES. COMPILEWITH_CC6
+$         THEN
+$           CC6/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$         ELSE
+$           CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$         ENDIF
 $       ENDIF
 $     ENDIF
 $   ENDIF
@@ -960,7 +970,7 @@ $ CCDEFS = "TCPIP_TYPE_''P4',DSO_VMS"
 $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
-$ CCDISABLEWARNINGS = "LONGLONGTYPE,LONGLONGSUFX"
+$ CCDISABLEWARNINGS = "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
 $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
         CCDISABLEWARNINGS = CCDISABLEWARNINGS + "," + USER_CCDISABLEWARNINGS
 $!
@@ -1077,14 +1087,18 @@ $   THEN
 $     IF CCDISABLEWARNINGS .EQS. ""
 $     THEN
 $       CC4DISABLEWARNINGS = "DOLLARID"
+$       CC6DISABLEWARNINGS = "MIXLINKAGE"
 $     ELSE
 $       CC4DISABLEWARNINGS = CCDISABLEWARNINGS + ",DOLLARID"
+$       CC6DISABLEWARNINGS = CCDISABLEWARNINGS + ",MIXLINKAGE"
 $       CCDISABLEWARNINGS = "/WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
 $     ENDIF
 $     CC4DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))"
+$     CC6DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC6DISABLEWARNINGS + "))"
 $   ELSE
 $     CCDISABLEWARNINGS = ""
 $     CC4DISABLEWARNINGS = ""
+$     CC6DISABLEWARNINGS = ""
 $   ENDIF
 $   CC3 = CC + "/DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS
 $   CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
@@ -1095,6 +1109,7 @@ $   ELSE
 $     CC5 = CC + "/NOOPTIMIZE"
 $   ENDIF
 $   CC4 = CC - CCDISABLEWARNINGS + CC4DISABLEWARNINGS
+$   CC6 = CC - CCDISABLEWARNINGS + CC6DISABLEWARNINGS
 $!
 $!  Show user the result
 $!
diff --git a/src/lib/libcrypto/des/Makefile b/src/lib/libcrypto/des/Makefile
index 655f2ea1a8..800af0b123 100644
--- a/src/lib/libcrypto/des/Makefile
+++ b/src/lib/libcrypto/des/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/des/Makefile
+# OpenSSL/crypto/des/Makefile
 #
 
 DIR=    des
diff --git a/src/lib/libcrypto/dh/Makefile b/src/lib/libcrypto/dh/Makefile
index c091a8130a..352678b94a 100644
--- a/src/lib/libcrypto/dh/Makefile
+++ b/src/lib/libcrypto/dh/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/dh/Makefile
+# OpenSSL/crypto/dh/Makefile
 #
 
 DIR=    dh
diff --git a/src/lib/libcrypto/dh/dhtest.c b/src/lib/libcrypto/dh/dhtest.c
index d75077f9fa..b76dede771 100644
--- a/src/lib/libcrypto/dh/dhtest.c
+++ b/src/lib/libcrypto/dh/dhtest.c
@@ -136,6 +136,10 @@ int main(int argc, char *argv[])
         b->g=BN_dup(a->g);
         if ((b->p == NULL) || (b->g == NULL)) goto err;
 
+        /* Set a to run with normal modexp and b to use constant time */
+        a->flags &= ~DH_FLAG_NO_EXP_CONSTTIME;
+        b->flags |= DH_FLAG_NO_EXP_CONSTTIME;
+
         if (!DH_generate_key(a)) goto err;
         BIO_puts(out,"pri 1=");
         BN_print(out,a->priv_key);
diff --git a/src/lib/libcrypto/dsa/Makefile b/src/lib/libcrypto/dsa/Makefile
index 3a55058973..4f10278039 100644
--- a/src/lib/libcrypto/dsa/Makefile
+++ b/src/lib/libcrypto/dsa/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/dsa/Makefile
+# OpenSSL/crypto/dsa/Makefile
 #
 
 DIR=    dsa
diff --git a/src/lib/libcrypto/dsa/dsatest.c b/src/lib/libcrypto/dsa/dsatest.c
index 4734ce4af8..55a3756aff 100644
--- a/src/lib/libcrypto/dsa/dsatest.c
+++ b/src/lib/libcrypto/dsa/dsatest.c
@@ -194,10 +194,19 @@ int main(int argc, char **argv)
                 BIO_printf(bio_err,"g value is wrong\n");
                 goto end;
                 }
+
+        dsa->flags |= DSA_FLAG_NO_EXP_CONSTTIME;
         DSA_generate_key(dsa);
         DSA_sign(0, str1, 20, sig, &siglen, dsa);
         if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
                 ret=1;
+
+        dsa->flags &= ~DSA_FLAG_NO_EXP_CONSTTIME;
+        DSA_generate_key(dsa);
+        DSA_sign(0, str1, 20, sig, &siglen, dsa);
+        if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
+                ret=1;
+
 end:
         if (!ret)
                 ERR_print_errors(bio_err);
diff --git a/src/lib/libcrypto/dso/Makefile b/src/lib/libcrypto/dso/Makefile
index 168951bc3e..c16278c3ff 100644
--- a/src/lib/libcrypto/dso/Makefile
+++ b/src/lib/libcrypto/dso/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/dso/Makefile
+# OpenSSL/crypto/dso/Makefile
 #
 
 DIR=    dso
diff --git a/src/lib/libcrypto/dso/dso_dl.c b/src/lib/libcrypto/dso/dso_dl.c
index 79d2cb4d8c..f7b4dfc0c3 100644
--- a/src/lib/libcrypto/dso/dso_dl.c
+++ b/src/lib/libcrypto/dso/dso_dl.c
@@ -126,7 +126,8 @@ static int dl_load(DSO *dso)
                 DSOerr(DSO_F_DL_LOAD,DSO_R_NO_FILENAME);
                 goto err;
                 }
-        ptr = shl_load(filename, BIND_IMMEDIATE|DYNAMIC_PATH, 0L);
+        ptr = shl_load(filename, BIND_IMMEDIATE |
+                (dso->flags&DSO_FLAG_NO_NAME_TRANSLATION?0:DYNAMIC_PATH), 0L);
         if(ptr == NULL)
                 {
                 DSOerr(DSO_F_DL_LOAD,DSO_R_LOAD_FAILED);
@@ -281,4 +282,36 @@ static char *dl_name_converter(DSO *dso, const char *filename)
         return(translated);
         }
 
+#ifdef OPENSSL_FIPS
+static void dl_ref_point(){}
+
+int DSO_pathbyaddr(void *addr,char *path,int sz)
+        {
+        struct shl_descriptor inf;
+        int i,len;
+
+        if (addr == NULL)
+                {
+                union { void(*f)(); void *p; } t = { dl_ref_point };
+                addr = t.p;
+                }
+
+        for (i=-1;shl_get_r(i,&inf)==0;i++)
+                {
+                if (((size_t)addr >= inf.tstart && (size_t)addr < inf.tend) ||
+                    ((size_t)addr >= inf.dstart && (size_t)addr < inf.dend))
+                        {
+                        len = (int)strlen(inf.filename);
+                        if (sz <= 0) return len+1;
+                        if (len >= sz) len=sz-1;
+                        memcpy(path,inf.filename,len);
+                        path[len++] = 0;
+                        return len;
+                        }
+                }
+
+        return -1;
+        }
+#endif
+
 #endif /* DSO_DL */
diff --git a/src/lib/libcrypto/dso/dso_win32.c b/src/lib/libcrypto/dso/dso_win32.c
index 3fa90eb27c..cc4ac68696 100644
--- a/src/lib/libcrypto/dso/dso_win32.c
+++ b/src/lib/libcrypto/dso/dso_win32.c
@@ -68,6 +68,25 @@ DSO_METHOD *DSO_METHOD_win32(void)
         }
 #else
 
+#ifdef _WIN32_WCE
+# if _WIN32_WCE < 300
+static FARPROC GetProcAddressA(HMODULE hModule,LPCSTR lpProcName)
+        {
+        WCHAR lpProcNameW[64];
+        int i;
+
+        for (i=0;lpProcName[i] && i<64;i++)
+                lpProcNameW[i] = (WCHAR)lpProcName[i];
+        if (i==64) return NULL;
+        lpProcNameW[i] = 0;
+
+        return GetProcAddressW(hModule,lpProcNameW);
+        }
+# endif
+# undef GetProcAddress
+# define GetProcAddress GetProcAddressA
+#endif
+
 /* Part of the hack in "win32_load" ... */
 #define DSO_MAX_TRANSLATED_SIZE 256
 
@@ -122,7 +141,7 @@ static int win32_load(DSO *dso)
                 DSOerr(DSO_F_WIN32_LOAD,DSO_R_NO_FILENAME);
                 goto err;
                 }
-        h = LoadLibrary(filename);
+        h = LoadLibraryA(filename);
         if(h == NULL)
                 {
                 DSOerr(DSO_F_WIN32_LOAD,DSO_R_LOAD_FAILED);
diff --git a/src/lib/libcrypto/engine/hw_aep.c b/src/lib/libcrypto/engine/hw_aep.c
index 8b8380a582..5f1772ea99 100644
--- a/src/lib/libcrypto/engine/hw_aep.c
+++ b/src/lib/libcrypto/engine/hw_aep.c
@@ -474,6 +474,7 @@ static int aep_init(ENGINE *e)
 
         if(aep_dso)
                 DSO_free(aep_dso);
+        aep_dso = NULL;
                 
         p_AEP_OpenConnection    = NULL;
         p_AEP_ModExp            = NULL;
diff --git a/src/lib/libcrypto/engine/hw_atalla.c b/src/lib/libcrypto/engine/hw_atalla.c
index e9eff9fad1..2b8342bbdd 100644
--- a/src/lib/libcrypto/engine/hw_atalla.c
+++ b/src/lib/libcrypto/engine/hw_atalla.c
@@ -375,6 +375,7 @@ static int atalla_init(ENGINE *e)
 err:
         if(atalla_dso)
                 DSO_free(atalla_dso);
+        atalla_dso = NULL;
         p_Atalla_GetHardwareConfig = NULL;
         p_Atalla_RSAPrivateKeyOpFn = NULL;
         p_Atalla_GetPerformanceStatistics = NULL;
diff --git a/src/lib/libcrypto/engine/hw_cswift.c b/src/lib/libcrypto/engine/hw_cswift.c
index f128ee5a68..1411fd8333 100644
--- a/src/lib/libcrypto/engine/hw_cswift.c
+++ b/src/lib/libcrypto/engine/hw_cswift.c
@@ -90,6 +90,7 @@ static int cswift_destroy(ENGINE *e);
 static int cswift_init(ENGINE *e);
 static int cswift_finish(ENGINE *e);
 static int cswift_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+static int cswift_bn_32copy(SW_LARGENUMBER * out, const BIGNUM * in);
 
 /* BIGNUM stuff */
 static int cswift_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
@@ -403,7 +404,10 @@ static int cswift_init(ENGINE *e)
         return 1;
 err:
         if(cswift_dso)
+        {
                 DSO_free(cswift_dso);
+                cswift_dso = NULL;
+        }
         p_CSwift_AcquireAccContext = NULL;
         p_CSwift_AttachKeyParam = NULL;
         p_CSwift_SimpleRequest = NULL;
@@ -553,6 +557,29 @@ err:
         return to_return;
         }
 
+
+int cswift_bn_32copy(SW_LARGENUMBER * out, const BIGNUM * in)
+{
+        int mod;
+        int numbytes = BN_num_bytes(in);
+
+        mod = 0;
+        while( ((out->nbytes = (numbytes+mod)) % 32) )
+        {
+                mod++;
+        }
+        out->value = (unsigned char*)OPENSSL_malloc(out->nbytes);
+        if(!out->value)
+        {
+                return 0;
+        }
+        BN_bn2bin(in, &out->value[mod]);
+        if(mod)
+                memset(out->value, 0, mod);
+
+        return 1;
+}
+
 /* Un petit mod_exp chinois */
 static int cswift_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                         const BIGNUM *q, const BIGNUM *dmp1,
@@ -562,15 +589,16 @@ static int cswift_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
         SW_LARGENUMBER arg, res;
         SW_PARAM sw_param;
         SW_CONTEXT_HANDLE hac;
-        BIGNUM *rsa_p = NULL;
-        BIGNUM *rsa_q = NULL;
-        BIGNUM *rsa_dmp1 = NULL;
-        BIGNUM *rsa_dmq1 = NULL;
-        BIGNUM *rsa_iqmp = NULL;
-        BIGNUM *argument = NULL;
         BIGNUM *result = NULL;
+        BIGNUM *argument = NULL;
         int to_return = 0; /* expect failure */
         int acquired = 0;
+
+        sw_param.up.crt.p.value = NULL;
+        sw_param.up.crt.q.value = NULL;
+        sw_param.up.crt.dmp1.value = NULL;
+        sw_param.up.crt.dmq1.value = NULL;
+        sw_param.up.crt.iqmp.value = NULL;
  
         if(!get_context(&hac))
                 {
@@ -578,44 +606,55 @@ static int cswift_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                 goto err;
                 }
         acquired = 1;
+
         /* Prepare the params */
-        BN_CTX_start(ctx);
-        rsa_p = BN_CTX_get(ctx);
-        rsa_q = BN_CTX_get(ctx);
-        rsa_dmp1 = BN_CTX_get(ctx);
-        rsa_dmq1 = BN_CTX_get(ctx);
-        rsa_iqmp = BN_CTX_get(ctx);
-        argument = BN_CTX_get(ctx);
-        result = BN_CTX_get(ctx);
-        if(!result)
+        argument = BN_new();
+        result = BN_new();
+        if(!result || !argument)
                 {
                 CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_CTX_FULL);
                 goto err;
                 }
-        if(!bn_wexpand(rsa_p, p->top) || !bn_wexpand(rsa_q, q->top) ||
-                        !bn_wexpand(rsa_dmp1, dmp1->top) ||
-                        !bn_wexpand(rsa_dmq1, dmq1->top) ||
-                        !bn_wexpand(rsa_iqmp, iqmp->top) ||
-                        !bn_wexpand(argument, a->top) ||
+
+
+        sw_param.type = SW_ALG_CRT;
+        /************************************************************************/
+        /* 04/02/2003                                                           */
+        /* Modified by Frederic Giudicelli (deny-all.com) to overcome the       */
+        /* limitation of cswift with values not a multiple of 32                */
+        /************************************************************************/
+        if(!cswift_bn_32copy(&sw_param.up.crt.p, p))
+        {
+                CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL);
+                goto err;
+        }
+        if(!cswift_bn_32copy(&sw_param.up.crt.q, q))
+        {
+                CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL);
+                goto err;
+        }
+        if(!cswift_bn_32copy(&sw_param.up.crt.dmp1, dmp1))
+        {
+                CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL);
+                goto err;
+        }
+        if(!cswift_bn_32copy(&sw_param.up.crt.dmq1, dmq1))
+        {
+                CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL);
+                goto err;
+        }
+        if(!cswift_bn_32copy(&sw_param.up.crt.iqmp, iqmp))
+        {
+                CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL);
+                goto err;
+        }
+        if(     !bn_wexpand(argument, a->top) ||
                         !bn_wexpand(result, p->top + q->top))
                 {
                 CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL);
                 goto err;
                 }
-        sw_param.type = SW_ALG_CRT;
-        sw_param.up.crt.p.nbytes = BN_bn2bin(p, (unsigned char *)rsa_p->d);
-        sw_param.up.crt.p.value = (unsigned char *)rsa_p->d;
-        sw_param.up.crt.q.nbytes = BN_bn2bin(q, (unsigned char *)rsa_q->d);
-        sw_param.up.crt.q.value = (unsigned char *)rsa_q->d;
-        sw_param.up.crt.dmp1.nbytes = BN_bn2bin(dmp1,
-                (unsigned char *)rsa_dmp1->d);
-        sw_param.up.crt.dmp1.value = (unsigned char *)rsa_dmp1->d;
-        sw_param.up.crt.dmq1.nbytes = BN_bn2bin(dmq1,
-                (unsigned char *)rsa_dmq1->d);
-        sw_param.up.crt.dmq1.value = (unsigned char *)rsa_dmq1->d;
-        sw_param.up.crt.iqmp.nbytes = BN_bn2bin(iqmp,
-                (unsigned char *)rsa_iqmp->d);
-        sw_param.up.crt.iqmp.value = (unsigned char *)rsa_iqmp->d;
+
         /* Attach the key params */
         sw_status = p_CSwift_AttachKeyParam(hac, &sw_param);
         switch(sw_status)
@@ -654,9 +693,22 @@ static int cswift_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
         BN_bin2bn((unsigned char *)result->d, res.nbytes, r);
         to_return = 1;
 err:
+        if(sw_param.up.crt.p.value)
+                OPENSSL_free(sw_param.up.crt.p.value);
+        if(sw_param.up.crt.q.value)
+                OPENSSL_free(sw_param.up.crt.q.value);
+        if(sw_param.up.crt.dmp1.value)
+                OPENSSL_free(sw_param.up.crt.dmp1.value);
+        if(sw_param.up.crt.dmq1.value)
+                OPENSSL_free(sw_param.up.crt.dmq1.value);
+        if(sw_param.up.crt.iqmp.value)
+                OPENSSL_free(sw_param.up.crt.iqmp.value);
+        if(result)
+                BN_free(result);
+        if(argument)
+                BN_free(argument);
         if(acquired)
                 release_context(hac);
-        BN_CTX_end(ctx);
         return to_return;
         }
  
@@ -665,6 +717,27 @@ static int cswift_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
         {
         BN_CTX *ctx;
         int to_return = 0;
+        const RSA_METHOD * def_rsa_method;
+
+        /* Try the limits of RSA (2048 bits) */
+        if(BN_num_bytes(rsa->p) > 128 ||
+                BN_num_bytes(rsa->q) > 128 ||
+                BN_num_bytes(rsa->dmp1) > 128 ||
+                BN_num_bytes(rsa->dmq1) > 128 ||
+                BN_num_bytes(rsa->iqmp) > 128)
+        {
+#ifdef RSA_NULL
+                def_rsa_method=RSA_null_method();
+#else
+#if 0
+                def_rsa_method=RSA_PKCS1_RSAref();
+#else
+                def_rsa_method=RSA_PKCS1_SSLeay();
+#endif
+#endif
+                if(def_rsa_method)
+                        return def_rsa_method->rsa_mod_exp(r0, I, rsa);
+        }
 
         if((ctx = BN_CTX_new()) == NULL)
                 goto err;
@@ -686,6 +759,26 @@ err:
 static int cswift_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
         {
+        const RSA_METHOD * def_rsa_method;
+
+        /* Try the limits of RSA (2048 bits) */
+        if(BN_num_bytes(r) > 256 ||
+                BN_num_bytes(a) > 256 ||
+                BN_num_bytes(m) > 256)
+        {
+#ifdef RSA_NULL
+                def_rsa_method=RSA_null_method();
+#else
+#if 0
+                def_rsa_method=RSA_PKCS1_RSAref();
+#else
+                def_rsa_method=RSA_PKCS1_SSLeay();
+#endif
+#endif
+                if(def_rsa_method)
+                        return def_rsa_method->bn_mod_exp(r, a, p, m, ctx, m_ctx);
+        }
+
         return cswift_mod_exp(r, a, p, m, ctx);
         }
 
@@ -930,9 +1023,10 @@ static int cswift_rand_bytes(unsigned char *buf, int num)
         SW_CONTEXT_HANDLE hac;
         SW_STATUS swrc;
         SW_LARGENUMBER largenum;
-        size_t nbytes = 0;
         int acquired = 0;
         int to_return = 0; /* assume failure */
+        unsigned char buf32[1024];
+
 
         if (!get_context(&hac))
         {
@@ -941,17 +1035,19 @@ static int cswift_rand_bytes(unsigned char *buf, int num)
         }
         acquired = 1;
 
-        while (nbytes < (size_t)num)
+        /************************************************************************/
+        /* 04/02/2003                                                           */
+        /* Modified by Frederic Giudicelli (deny-all.com) to overcome the       */
+        /* limitation of cswift with values not a multiple of 32                */
+        /************************************************************************/
+
+        while(num >= sizeof(buf32))
         {
+                largenum.value = buf;
+                largenum.nbytes = sizeof(buf32);
                 /* tell CryptoSwift how many bytes we want and where we want it.
                  * Note: - CryptoSwift cannot do more than 4096 bytes at a time.
                  *       - CryptoSwift can only do multiple of 32-bits. */
-                largenum.value = (SW_BYTE *) buf + nbytes;
-                if (4096 > num - nbytes)
-                        largenum.nbytes = num - nbytes;
-                else
-                        largenum.nbytes = 4096;
-
                 swrc = p_CSwift_SimpleRequest(hac, SW_CMD_RAND, NULL, 0, &largenum, 1);
                 if (swrc != SW_OK)
                 {
@@ -961,14 +1057,30 @@ static int cswift_rand_bytes(unsigned char *buf, int num)
                         ERR_add_error_data(2, "CryptoSwift error number is ", tmpbuf);
                         goto err;
                 }
-
-                nbytes += largenum.nbytes;
+                buf += sizeof(buf32);
+                num -= sizeof(buf32);
+        }
+        if(num)
+        {
+                largenum.nbytes = sizeof(buf32);
+                largenum.value = buf32;
+                swrc = p_CSwift_SimpleRequest(hac, SW_CMD_RAND, NULL, 0, &largenum, 1);
+                if (swrc != SW_OK)
+                {
+                        char tmpbuf[20];
+                        CSWIFTerr(CSWIFT_F_CSWIFT_CTRL, CSWIFT_R_REQUEST_FAILED);
+                        sprintf(tmpbuf, "%ld", swrc);
+                        ERR_add_error_data(2, "CryptoSwift error number is ", tmpbuf);
+                        goto err;
+                }
+                memcpy(buf, largenum.value, num);
         }
-        to_return = 1;  /* success */
 
+        to_return = 1;  /* success */
 err:
         if (acquired)
                 release_context(hac);
+
         return to_return;
 }
 
diff --git a/src/lib/libcrypto/engine/hw_ubsec.c b/src/lib/libcrypto/engine/hw_ubsec.c
index 5234a08a07..8fb834af31 100644
--- a/src/lib/libcrypto/engine/hw_ubsec.c
+++ b/src/lib/libcrypto/engine/hw_ubsec.c
@@ -454,6 +454,7 @@ static int ubsec_init(ENGINE *e)
 err:
         if(ubsec_dso)
                 DSO_free(ubsec_dso);
+        ubsec_dso = NULL;
         p_UBSEC_ubsec_bytes_to_bits = NULL;
         p_UBSEC_ubsec_bits_to_bytes = NULL;
         p_UBSEC_ubsec_open = NULL;
diff --git a/src/lib/libcrypto/err/Makefile b/src/lib/libcrypto/err/Makefile
index 149f3e0eb9..4adec55302 100644
--- a/src/lib/libcrypto/err/Makefile
+++ b/src/lib/libcrypto/err/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/err/Makefile
+# OpenSSL/crypto/err/Makefile
 #
 
 DIR=    err
diff --git a/src/lib/libcrypto/evp/Makefile b/src/lib/libcrypto/evp/Makefile
index 5027a3855a..d1c2a272bb 100644
--- a/src/lib/libcrypto/evp/Makefile
+++ b/src/lib/libcrypto/evp/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/evp/Makefile
+# OpenSSL/crypto/evp/Makefile
 #
 
 DIR=    evp
diff --git a/src/lib/libcrypto/evp/c_alld.c b/src/lib/libcrypto/evp/c_alld.c
index aae7bf7482..929ea56a3e 100644
--- a/src/lib/libcrypto/evp/c_alld.c
+++ b/src/lib/libcrypto/evp/c_alld.c
@@ -100,4 +100,14 @@ void OpenSSL_add_all_digests(void)
         EVP_add_digest_alias(SN_ripemd160,"ripemd");
         EVP_add_digest_alias(SN_ripemd160,"rmd160");
 #endif
+#ifdef OPENSSL_FIPS
+#ifndef OPENSSL_NO_SHA256
+        EVP_add_digest(EVP_sha224());
+        EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+        EVP_add_digest(EVP_sha384());
+        EVP_add_digest(EVP_sha512());
+#endif
+#endif
         }
diff --git a/src/lib/libcrypto/evp/m_sha.c b/src/lib/libcrypto/evp/m_sha.c
index d1785e5f74..ed54909b16 100644
--- a/src/lib/libcrypto/evp/m_sha.c
+++ b/src/lib/libcrypto/evp/m_sha.c
@@ -59,6 +59,9 @@
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0)
 #include <stdio.h>
 #include "cryptlib.h"
+/* Including sha.h prior evp.h masks FIPS SHA declarations, but that's
+ * exactly what we want to achieve here... */
+#include <openssl/sha.h>
 #include <openssl/evp.h>
 #include "evp_locl.h"
 #include <openssl/objects.h>
diff --git a/src/lib/libcrypto/hmac/Makefile b/src/lib/libcrypto/hmac/Makefile
index f634dab79d..3d53d8240f 100644
--- a/src/lib/libcrypto/hmac/Makefile
+++ b/src/lib/libcrypto/hmac/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/md/Makefile
+# OpenSSL/crypto/md/Makefile
 #
 
 DIR=    hmac
diff --git a/src/lib/libcrypto/idea/Makefile b/src/lib/libcrypto/idea/Makefile
index f652783027..6b8e530d9d 100644
--- a/src/lib/libcrypto/idea/Makefile
+++ b/src/lib/libcrypto/idea/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/idea/Makefile
+# OpenSSL/crypto/idea/Makefile
 #
 
 DIR=    idea
@@ -86,7 +86,7 @@ i_ecb.o: ../../include/openssl/opensslv.h i_ecb.c idea_lcl.h
 i_ofb64.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h
 i_ofb64.o: i_ofb64.c idea_lcl.h
 i_skey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-i_skey.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h
-i_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-i_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-i_skey.o: i_skey.c idea_lcl.h
+i_skey.o: ../../include/openssl/fips.h ../../include/openssl/idea.h
+i_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+i_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+i_skey.o: ../../include/openssl/symhacks.h i_skey.c idea_lcl.h
diff --git a/src/lib/libcrypto/lhash/Makefile b/src/lib/libcrypto/lhash/Makefile
index d325a1644d..cdb0e77fad 100644
--- a/src/lib/libcrypto/lhash/Makefile
+++ b/src/lib/libcrypto/lhash/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/lhash/Makefile
+# OpenSSL/crypto/lhash/Makefile
 #
 
 DIR=    lhash
diff --git a/src/lib/libcrypto/md2/Makefile b/src/lib/libcrypto/md2/Makefile
index 90628511da..9d0351bb2f 100644
--- a/src/lib/libcrypto/md2/Makefile
+++ b/src/lib/libcrypto/md2/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/md/Makefile
+# OpenSSL/crypto/md/Makefile
 #
 
 DIR=    md2
diff --git a/src/lib/libcrypto/md2/md2_one.c b/src/lib/libcrypto/md2/md2_one.c
index 835160ef56..8c36ba5779 100644
--- a/src/lib/libcrypto/md2/md2_one.c
+++ b/src/lib/libcrypto/md2/md2_one.c
@@ -69,7 +69,8 @@ unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md)
         static unsigned char m[MD2_DIGEST_LENGTH];
 
         if (md == NULL) md=m;
-        MD2_Init(&c);
+        if (!MD2_Init(&c))
+                return NULL;
 #ifndef CHARSET_EBCDIC
         MD2_Update(&c,d,n);
 #else
diff --git a/src/lib/libcrypto/md4/Makefile b/src/lib/libcrypto/md4/Makefile
index 0b7c8d7ad8..eeb457f20f 100644
--- a/src/lib/libcrypto/md4/Makefile
+++ b/src/lib/libcrypto/md4/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/md4/Makefile
+# OpenSSL/crypto/md4/Makefile
 #
 
 DIR=    md4
diff --git a/src/lib/libcrypto/md5/Makefile b/src/lib/libcrypto/md5/Makefile
index 832446fff2..1ed018526f 100644
--- a/src/lib/libcrypto/md5/Makefile
+++ b/src/lib/libcrypto/md5/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/md5/Makefile
+# OpenSSL/crypto/md5/Makefile
 #
 
 DIR=    md5
diff --git a/src/lib/libcrypto/mdc2/Makefile b/src/lib/libcrypto/mdc2/Makefile
index 38c785bf95..b8e9a9a4fa 100644
--- a/src/lib/libcrypto/mdc2/Makefile
+++ b/src/lib/libcrypto/mdc2/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/mdc2/Makefile
+# OpenSSL/crypto/mdc2/Makefile
 #
 
 DIR=    mdc2
diff --git a/src/lib/libcrypto/objects/Makefile b/src/lib/libcrypto/objects/Makefile
index e449147129..23b2a69e6d 100644
--- a/src/lib/libcrypto/objects/Makefile
+++ b/src/lib/libcrypto/objects/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/objects/Makefile
+# OpenSSL/crypto/objects/Makefile
 #
 
 DIR=    objects
diff --git a/src/lib/libcrypto/objects/obj_dat.h b/src/lib/libcrypto/objects/obj_dat.h
index 8785127055..cc22152682 100644
--- a/src/lib/libcrypto/objects/obj_dat.h
+++ b/src/lib/libcrypto/objects/obj_dat.h
@@ -62,12 +62,12 @@
  * [including the GNU Public Licence.]
  */
 
-#define NUM_NID 668
-#define NUM_SN 660
-#define NUM_LN 660
-#define NUM_OBJ 624
+#define NUM_NID 676
+#define NUM_SN 669
+#define NUM_LN 669
+#define NUM_OBJ 633
 
-static unsigned char lvalues[4500]={
+static unsigned char lvalues[4575]={
 0x00,                                        /* [  0] OBJ_undef */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,               /* [  1] OBJ_rsadsi */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,          /* [  7] OBJ_pkcs */
@@ -330,9 +330,9 @@ static unsigned char lvalues[4500]={
 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x04,     /* [2092] OBJ_ac_auditEntity */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x05,     /* [2100] OBJ_ac_targeting */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x06,     /* [2108] OBJ_aaControls */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x07,     /* [2116] OBJ_sbqp_ipAddrBlock */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x08,     /* [2124] OBJ_sbqp_autonomousSysNum */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x09,     /* [2132] OBJ_sbqp_routerIdentifier */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x07,     /* [2116] OBJ_sbgp_ipAddrBlock */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x08,     /* [2124] OBJ_sbgp_autonomousSysNum */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x09,     /* [2132] OBJ_sbgp_routerIdentifier */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x03,     /* [2140] OBJ_textNotice */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x05,     /* [2148] OBJ_ipsecEndSystem */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x06,     /* [2156] OBJ_ipsecTunnel */
@@ -691,7 +691,16 @@ static unsigned char lvalues[4500]={
 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0E,     /* [4467] OBJ_proxyCertInfo */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x00,     /* [4475] OBJ_id_ppl_anyLanguage */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x01,     /* [4483] OBJ_id_ppl_inheritAll */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x02,     /* [4491] OBJ_Independent */
+0x55,0x1D,0x1E,                              /* [4491] OBJ_name_constraints */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x02,     /* [4494] OBJ_Independent */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,/* [4502] OBJ_sha256WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0C,/* [4511] OBJ_sha384WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0D,/* [4520] OBJ_sha512WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0E,/* [4529] OBJ_sha224WithRSAEncryption */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,/* [4538] OBJ_sha256 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,/* [4547] OBJ_sha384 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,/* [4556] OBJ_sha512 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x04,/* [4565] OBJ_sha224 */
 };
 
 static ASN1_OBJECT nid_objs[NUM_NID]={
@@ -1134,12 +1143,12 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
         &(lvalues[2092]),0},
 {"ac-targeting","ac-targeting",NID_ac_targeting,8,&(lvalues[2100]),0},
 {"aaControls","aaControls",NID_aaControls,8,&(lvalues[2108]),0},
-{"sbqp-ipAddrBlock","sbqp-ipAddrBlock",NID_sbqp_ipAddrBlock,8,
+{"sbgp-ipAddrBlock","sbgp-ipAddrBlock",NID_sbgp_ipAddrBlock,8,
         &(lvalues[2116]),0},
-{"sbqp-autonomousSysNum","sbqp-autonomousSysNum",
-        NID_sbqp_autonomousSysNum,8,&(lvalues[2124]),0},
-{"sbqp-routerIdentifier","sbqp-routerIdentifier",
-        NID_sbqp_routerIdentifier,8,&(lvalues[2132]),0},
+{"sbgp-autonomousSysNum","sbgp-autonomousSysNum",
+        NID_sbgp_autonomousSysNum,8,&(lvalues[2124]),0},
+{"sbgp-routerIdentifier","sbgp-routerIdentifier",
+        NID_sbgp_routerIdentifier,8,&(lvalues[2132]),0},
 {"textNotice","textNotice",NID_textNotice,8,&(lvalues[2140]),0},
 {"ipsecEndSystem","IPSec End System",NID_ipsecEndSystem,8,
         &(lvalues[2148]),0},
@@ -1754,8 +1763,21 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
         &(lvalues[4475]),0},
 {"id-ppl-inheritAll","Inherit all",NID_id_ppl_inheritAll,8,
         &(lvalues[4483]),0},
-{NULL,NULL,NID_undef,0,NULL},
-{"id-ppl-independent","Independent",NID_Independent,8,&(lvalues[4491]),0},
+{"nameConstraints","X509v3 Name Constraints",NID_name_constraints,3,
+        &(lvalues[4491]),0},
+{"id-ppl-independent","Independent",NID_Independent,8,&(lvalues[4494]),0},
+{"RSA-SHA256","sha256WithRSAEncryption",NID_sha256WithRSAEncryption,9,
+        &(lvalues[4502]),0},
+{"RSA-SHA384","sha384WithRSAEncryption",NID_sha384WithRSAEncryption,9,
+        &(lvalues[4511]),0},
+{"RSA-SHA512","sha512WithRSAEncryption",NID_sha512WithRSAEncryption,9,
+        &(lvalues[4520]),0},
+{"RSA-SHA224","sha224WithRSAEncryption",NID_sha224WithRSAEncryption,9,
+        &(lvalues[4529]),0},
+{"SHA256","sha256",NID_sha256,9,&(lvalues[4538]),0},
+{"SHA384","sha384",NID_sha384,9,&(lvalues[4547]),0},
+{"SHA512","sha512",NID_sha512,9,&(lvalues[4556]),0},
+{"SHA224","sha224",NID_sha224,9,&(lvalues[4565]),0},
 };
 
 static ASN1_OBJECT *sn_objs[NUM_SN]={
@@ -1881,8 +1903,16 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[42]),/* "RSA-SHA" */
 &(nid_objs[65]),/* "RSA-SHA1" */
 &(nid_objs[115]),/* "RSA-SHA1-2" */
+&(nid_objs[671]),/* "RSA-SHA224" */
+&(nid_objs[668]),/* "RSA-SHA256" */
+&(nid_objs[669]),/* "RSA-SHA384" */
+&(nid_objs[670]),/* "RSA-SHA512" */
 &(nid_objs[41]),/* "SHA" */
 &(nid_objs[64]),/* "SHA1" */
+&(nid_objs[675]),/* "SHA224" */
+&(nid_objs[672]),/* "SHA256" */
+&(nid_objs[673]),/* "SHA384" */
+&(nid_objs[674]),/* "SHA512" */
 &(nid_objs[188]),/* "SMIME" */
 &(nid_objs[167]),/* "SMIME-CAPS" */
 &(nid_objs[100]),/* "SN" */
@@ -2182,6 +2212,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[649]),/* "msUPN" */
 &(nid_objs[481]),/* "nSRecord" */
 &(nid_objs[173]),/* "name" */
+&(nid_objs[666]),/* "nameConstraints" */
 &(nid_objs[369]),/* "noCheck" */
 &(nid_objs[403]),/* "noRevAvail" */
 &(nid_objs[72]),/* "nsBaseUrl" */
@@ -2254,9 +2285,9 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[ 1]),/* "rsadsi" */
 &(nid_objs[482]),/* "sOARecord" */
 &(nid_objs[155]),/* "safeContentsBag" */
-&(nid_objs[291]),/* "sbqp-autonomousSysNum" */
-&(nid_objs[290]),/* "sbqp-ipAddrBlock" */
-&(nid_objs[292]),/* "sbqp-routerIdentifier" */
+&(nid_objs[291]),/* "sbgp-autonomousSysNum" */
+&(nid_objs[290]),/* "sbgp-ipAddrBlock" */
+&(nid_objs[292]),/* "sbgp-routerIdentifier" */
 &(nid_objs[159]),/* "sdsiCertificate" */
 &(nid_objs[154]),/* "secretBag" */
 &(nid_objs[474]),/* "secretary" */
@@ -2517,6 +2548,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[126]),/* "X509v3 Extended Key Usage" */
 &(nid_objs[86]),/* "X509v3 Issuer Alternative Name" */
 &(nid_objs[83]),/* "X509v3 Key Usage" */
+&(nid_objs[666]),/* "X509v3 Name Constraints" */
 &(nid_objs[403]),/* "X509v3 No Revocation Available" */
 &(nid_objs[401]),/* "X509v3 Policy Constraints" */
 &(nid_objs[84]),/* "X509v3 Private Key Usage Period" */
@@ -2930,9 +2962,9 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[124]),/* "run length compression" */
 &(nid_objs[482]),/* "sOARecord" */
 &(nid_objs[155]),/* "safeContentsBag" */
-&(nid_objs[291]),/* "sbqp-autonomousSysNum" */
-&(nid_objs[290]),/* "sbqp-ipAddrBlock" */
-&(nid_objs[292]),/* "sbqp-routerIdentifier" */
+&(nid_objs[291]),/* "sbgp-autonomousSysNum" */
+&(nid_objs[290]),/* "sbgp-ipAddrBlock" */
+&(nid_objs[292]),/* "sbgp-routerIdentifier" */
 &(nid_objs[159]),/* "sdsiCertificate" */
 &(nid_objs[154]),/* "secretBag" */
 &(nid_objs[474]),/* "secretary" */
@@ -3059,6 +3091,14 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[64]),/* "sha1" */
 &(nid_objs[115]),/* "sha1WithRSA" */
 &(nid_objs[65]),/* "sha1WithRSAEncryption" */
+&(nid_objs[675]),/* "sha224" */
+&(nid_objs[671]),/* "sha224WithRSAEncryption" */
+&(nid_objs[672]),/* "sha256" */
+&(nid_objs[668]),/* "sha256WithRSAEncryption" */
+&(nid_objs[673]),/* "sha384" */
+&(nid_objs[669]),/* "sha384WithRSAEncryption" */
+&(nid_objs[674]),/* "sha512" */
+&(nid_objs[670]),/* "sha512WithRSAEncryption" */
 &(nid_objs[42]),/* "shaWithRSAEncryption" */
 &(nid_objs[52]),/* "signingTime" */
 &(nid_objs[454]),/* "simpleSecurityObject" */
@@ -3133,6 +3173,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[430]),/* OBJ_hold_instruction_code        2 5 29 23 */
 &(nid_objs[142]),/* OBJ_invalidity_date              2 5 29 24 */
 &(nid_objs[140]),/* OBJ_delta_crl                    2 5 29 27 */
+&(nid_objs[666]),/* OBJ_name_constraints             2 5 29 30 */
 &(nid_objs[103]),/* OBJ_crl_distribution_points      2 5 29 31 */
 &(nid_objs[89]),/* OBJ_certificate_policies         2 5 29 32 */
 &(nid_objs[90]),/* OBJ_authority_key_identifier     2 5 29 35 */
@@ -3383,9 +3424,9 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[287]),/* OBJ_ac_auditEntity               1 3 6 1 5 5 7 1 4 */
 &(nid_objs[288]),/* OBJ_ac_targeting                 1 3 6 1 5 5 7 1 5 */
 &(nid_objs[289]),/* OBJ_aaControls                   1 3 6 1 5 5 7 1 6 */
-&(nid_objs[290]),/* OBJ_sbqp_ipAddrBlock             1 3 6 1 5 5 7 1 7 */
-&(nid_objs[291]),/* OBJ_sbqp_autonomousSysNum        1 3 6 1 5 5 7 1 8 */
-&(nid_objs[292]),/* OBJ_sbqp_routerIdentifier        1 3 6 1 5 5 7 1 9 */
+&(nid_objs[290]),/* OBJ_sbgp_ipAddrBlock             1 3 6 1 5 5 7 1 7 */
+&(nid_objs[291]),/* OBJ_sbgp_autonomousSysNum        1 3 6 1 5 5 7 1 8 */
+&(nid_objs[292]),/* OBJ_sbgp_routerIdentifier        1 3 6 1 5 5 7 1 9 */
 &(nid_objs[397]),/* OBJ_ac_proxying                  1 3 6 1 5 5 7 1 10 */
 &(nid_objs[398]),/* OBJ_sinfo_access                 1 3 6 1 5 5 7 1 11 */
 &(nid_objs[663]),/* OBJ_proxyCertInfo                1 3 6 1 5 5 7 1 14 */
@@ -3480,6 +3521,10 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[ 8]),/* OBJ_md5WithRSAEncryption         1 2 840 113549 1 1 4 */
 &(nid_objs[65]),/* OBJ_sha1WithRSAEncryption        1 2 840 113549 1 1 5 */
 &(nid_objs[644]),/* OBJ_rsaOAEPEncryptionSET         1 2 840 113549 1 1 6 */
+&(nid_objs[668]),/* OBJ_sha256WithRSAEncryption      1 2 840 113549 1 1 11 */
+&(nid_objs[669]),/* OBJ_sha384WithRSAEncryption      1 2 840 113549 1 1 12 */
+&(nid_objs[670]),/* OBJ_sha512WithRSAEncryption      1 2 840 113549 1 1 13 */
+&(nid_objs[671]),/* OBJ_sha224WithRSAEncryption      1 2 840 113549 1 1 14 */
 &(nid_objs[28]),/* OBJ_dhKeyAgreement               1 2 840 113549 1 3 1 */
 &(nid_objs[ 9]),/* OBJ_pbeWithMD2AndDES_CBC         1 2 840 113549 1 5 1 */
 &(nid_objs[10]),/* OBJ_pbeWithMD5AndDES_CBC         1 2 840 113549 1 5 3 */
@@ -3544,6 +3589,10 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[427]),/* OBJ_aes_256_cbc                  2 16 840 1 101 3 4 1 42 */
 &(nid_objs[428]),/* OBJ_aes_256_ofb128               2 16 840 1 101 3 4 1 43 */
 &(nid_objs[429]),/* OBJ_aes_256_cfb128               2 16 840 1 101 3 4 1 44 */
+&(nid_objs[672]),/* OBJ_sha256                       2 16 840 1 101 3 4 2 1 */
+&(nid_objs[673]),/* OBJ_sha384                       2 16 840 1 101 3 4 2 2 */
+&(nid_objs[674]),/* OBJ_sha512                       2 16 840 1 101 3 4 2 3 */
+&(nid_objs[675]),/* OBJ_sha224                       2 16 840 1 101 3 4 2 4 */
 &(nid_objs[71]),/* OBJ_netscape_cert_type           2 16 840 1 113730 1 1 */
 &(nid_objs[72]),/* OBJ_netscape_base_url            2 16 840 1 113730 1 2 */
 &(nid_objs[73]),/* OBJ_netscape_revocation_url      2 16 840 1 113730 1 3 */
diff --git a/src/lib/libcrypto/objects/obj_mac.h b/src/lib/libcrypto/objects/obj_mac.h
index d28894cf41..51bb50047f 100644
--- a/src/lib/libcrypto/objects/obj_mac.h
+++ b/src/lib/libcrypto/objects/obj_mac.h
@@ -241,6 +241,26 @@
 #define NID_sha1WithRSAEncryption               65
 #define OBJ_sha1WithRSAEncryption               OBJ_pkcs1,5L
 
+#define SN_sha256WithRSAEncryption              "RSA-SHA256"
+#define LN_sha256WithRSAEncryption              "sha256WithRSAEncryption"
+#define NID_sha256WithRSAEncryption             668
+#define OBJ_sha256WithRSAEncryption             OBJ_pkcs1,11L
+
+#define SN_sha384WithRSAEncryption              "RSA-SHA384"
+#define LN_sha384WithRSAEncryption              "sha384WithRSAEncryption"
+#define NID_sha384WithRSAEncryption             669
+#define OBJ_sha384WithRSAEncryption             OBJ_pkcs1,12L
+
+#define SN_sha512WithRSAEncryption              "RSA-SHA512"
+#define LN_sha512WithRSAEncryption              "sha512WithRSAEncryption"
+#define NID_sha512WithRSAEncryption             670
+#define OBJ_sha512WithRSAEncryption             OBJ_pkcs1,13L
+
+#define SN_sha224WithRSAEncryption              "RSA-SHA224"
+#define LN_sha224WithRSAEncryption              "sha224WithRSAEncryption"
+#define NID_sha224WithRSAEncryption             671
+#define OBJ_sha224WithRSAEncryption             OBJ_pkcs1,14L
+
 #define SN_pkcs3                "pkcs3"
 #define NID_pkcs3               27
 #define OBJ_pkcs3               OBJ_pkcs,3L
@@ -1048,17 +1068,17 @@
 #define NID_aaControls          289
 #define OBJ_aaControls          OBJ_id_pe,6L
 
-#define SN_sbqp_ipAddrBlock             "sbqp-ipAddrBlock"
-#define NID_sbqp_ipAddrBlock            290
-#define OBJ_sbqp_ipAddrBlock            OBJ_id_pe,7L
+#define SN_sbgp_ipAddrBlock             "sbgp-ipAddrBlock"
+#define NID_sbgp_ipAddrBlock            290
+#define OBJ_sbgp_ipAddrBlock            OBJ_id_pe,7L
 
-#define SN_sbqp_autonomousSysNum                "sbqp-autonomousSysNum"
-#define NID_sbqp_autonomousSysNum               291
-#define OBJ_sbqp_autonomousSysNum               OBJ_id_pe,8L
+#define SN_sbgp_autonomousSysNum                "sbgp-autonomousSysNum"
+#define NID_sbgp_autonomousSysNum               291
+#define OBJ_sbgp_autonomousSysNum               OBJ_id_pe,8L
 
-#define SN_sbqp_routerIdentifier                "sbqp-routerIdentifier"
-#define NID_sbqp_routerIdentifier               292
-#define OBJ_sbqp_routerIdentifier               OBJ_id_pe,9L
+#define SN_sbgp_routerIdentifier                "sbgp-routerIdentifier"
+#define NID_sbgp_routerIdentifier               292
+#define OBJ_sbgp_routerIdentifier               OBJ_id_pe,9L
 
 #define SN_ac_proxying          "ac-proxying"
 #define NID_ac_proxying         397
@@ -1779,6 +1799,11 @@
 #define NID_delta_crl           140
 #define OBJ_delta_crl           OBJ_id_ce,27L
 
+#define SN_name_constraints             "nameConstraints"
+#define LN_name_constraints             "X509v3 Name Constraints"
+#define NID_name_constraints            666
+#define OBJ_name_constraints            OBJ_id_ce,30L
+
 #define SN_crl_distribution_points              "crlDistributionPoints"
 #define LN_crl_distribution_points              "X509v3 CRL Distribution Points"
 #define NID_crl_distribution_points             103
@@ -2081,6 +2106,28 @@
 #define LN_des_ede3_cfb8                "des-ede3-cfb8"
 #define NID_des_ede3_cfb8               659
 
+#define OBJ_nist_hashalgs               OBJ_nistAlgorithms,2L
+
+#define SN_sha256               "SHA256"
+#define LN_sha256               "sha256"
+#define NID_sha256              672
+#define OBJ_sha256              OBJ_nist_hashalgs,1L
+
+#define SN_sha384               "SHA384"
+#define LN_sha384               "sha384"
+#define NID_sha384              673
+#define OBJ_sha384              OBJ_nist_hashalgs,2L
+
+#define SN_sha512               "SHA512"
+#define LN_sha512               "sha512"
+#define NID_sha512              674
+#define OBJ_sha512              OBJ_nist_hashalgs,3L
+
+#define SN_sha224               "SHA224"
+#define LN_sha224               "sha224"
+#define NID_sha224              675
+#define OBJ_sha224              OBJ_nist_hashalgs,4L
+
 #define SN_hold_instruction_code                "holdInstructionCode"
 #define LN_hold_instruction_code                "Hold Instruction Code"
 #define NID_hold_instruction_code               430
diff --git a/src/lib/libcrypto/pem/Makefile b/src/lib/libcrypto/pem/Makefile
index f3dfea2ac8..fbc2b5d056 100644
--- a/src/lib/libcrypto/pem/Makefile
+++ b/src/lib/libcrypto/pem/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/pem/Makefile
+# OpenSSL/crypto/pem/Makefile
 #
 
 DIR=    pem
diff --git a/src/lib/libcrypto/perlasm/x86nasm.pl b/src/lib/libcrypto/perlasm/x86nasm.pl
index 5009acb4b3..4bdb3fe180 100644
--- a/src/lib/libcrypto/perlasm/x86nasm.pl
+++ b/src/lib/libcrypto/perlasm/x86nasm.pl
@@ -221,7 +221,15 @@ sub using486
 
 sub main'file
         {
-        push(@out, "segment .text use32\n");
+        local $tmp;
+        $tmp=<<___;
+%ifdef __omf__
+section code    use32 class=code
+%else
+section .text
+%endif
+___
+        push(@out,$tmp);
         }
 
 sub main'function_begin
diff --git a/src/lib/libcrypto/pkcs12/Makefile b/src/lib/libcrypto/pkcs12/Makefile
index 854b641f7c..bef4f27912 100644
--- a/src/lib/libcrypto/pkcs12/Makefile
+++ b/src/lib/libcrypto/pkcs12/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/pkcs12/Makefile
+# OpenSSL/crypto/pkcs12/Makefile
 #
 
 DIR=    pkcs12
diff --git a/src/lib/libcrypto/pkcs7/Makefile b/src/lib/libcrypto/pkcs7/Makefile
index f15c65f690..a213ae2227 100644
--- a/src/lib/libcrypto/pkcs7/Makefile
+++ b/src/lib/libcrypto/pkcs7/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/pkcs7/Makefile
+# OpenSSL/crypto/pkcs7/Makefile
 #
 
 DIR=    pkcs7
diff --git a/src/lib/libcrypto/rand/Makefile b/src/lib/libcrypto/rand/Makefile
index 665eaa18e5..b1d1a75f98 100644
--- a/src/lib/libcrypto/rand/Makefile
+++ b/src/lib/libcrypto/rand/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rand/Makefile
+# OpenSSL/crypto/rand/Makefile
 #
 
 DIR=    rand
diff --git a/src/lib/libcrypto/rc2/Makefile b/src/lib/libcrypto/rc2/Makefile
index 18edaca6c6..34080ab741 100644
--- a/src/lib/libcrypto/rc2/Makefile
+++ b/src/lib/libcrypto/rc2/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rc2/Makefile
+# OpenSSL/crypto/rc2/Makefile
 #
 
 DIR=    rc2
@@ -82,7 +82,7 @@ rc2_cbc.o: rc2_cbc.c rc2_locl.h
 rc2_ecb.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 rc2_ecb.o: ../../include/openssl/rc2.h rc2_ecb.c rc2_locl.h
 rc2_skey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-rc2_skey.o: ../../include/openssl/opensslconf.h
+rc2_skey.o: ../../include/openssl/fips.h ../../include/openssl/opensslconf.h
 rc2_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
 rc2_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 rc2_skey.o: ../../include/openssl/symhacks.h rc2_locl.h rc2_skey.c
diff --git a/src/lib/libcrypto/rc2/rc2speed.c b/src/lib/libcrypto/rc2/rc2speed.c
index 47d34b444e..4d0e1242ea 100644
--- a/src/lib/libcrypto/rc2/rc2speed.c
+++ b/src/lib/libcrypto/rc2/rc2speed.c
@@ -102,10 +102,10 @@ OPENSSL_DECLARE_EXIT
 #ifndef HZ
 #ifndef CLK_TCK
 #define HZ      100.0
-#endif
-#else /* CLK_TCK */
+#else   /* CLK_TCK */
 #define HZ ((double)CLK_TCK)
-#endif
+#endif  /* CLK_TCK */
+#endif  /* HZ */
 
 #define BUFSIZE ((long)1024)
 long run=0;
diff --git a/src/lib/libcrypto/rc4/Makefile b/src/lib/libcrypto/rc4/Makefile
index 64e06924f4..20d078ec87 100644
--- a/src/lib/libcrypto/rc4/Makefile
+++ b/src/lib/libcrypto/rc4/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rc4/Makefile
+# OpenSSL/crypto/rc4/Makefile
 #
 
 DIR=    rc4
@@ -66,10 +66,14 @@ asm/rx86bsdi.o: asm/rx86unix.cpp
 asm/rx86unix.cpp: asm/rc4-586.pl ../perlasm/x86asm.pl
         (cd asm; $(PERL) rc4-586.pl cpp >rx86unix.cpp)
 
-asm/rc4-amd64.s: asm/rc4-amd64.pl;      $(PERL) asm/rc4-amd64.pl $@
+asm/rc4-x86_64.s: asm/rc4-x86_64.pl;    $(PERL) asm/rc4-x86_64.pl $@
 
 asm/rc4-ia64.s: asm/rc4-ia64.S
-        $(CC) $(CFLAGS) -E asm/rc4-ia64.S > $@
+        @case `awk '/^#define RC4_INT/{print$$NF}' $(TOP)/include/openssl/opensslconf.h` in \
+        int)    set -x; $(CC) $(CFLAGS) -DSZ=4 -E asm/rc4-ia64.S > $@ ;; \
+        char)   set -x; $(CC) $(CFLAGS) -DSZ=1 -E asm/rc4-ia64.S > $@ ;; \
+        *)      exit 1 ;; \
+        esac
 
 files:
         $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
@@ -116,7 +120,8 @@ rc4_enc.o: ../../include/openssl/symhacks.h ../cryptlib.h rc4_enc.c rc4_locl.h
 rc4_skey.o: ../../e_os.h ../../include/openssl/bio.h
 rc4_skey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 rc4_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-rc4_skey.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+rc4_skey.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+rc4_skey.o: ../../include/openssl/opensslconf.h
 rc4_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/rc4.h
 rc4_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 rc4_skey.o: ../../include/openssl/symhacks.h ../cryptlib.h rc4_locl.h
diff --git a/src/lib/libcrypto/rc4/asm/rc4-ia64.S b/src/lib/libcrypto/rc4/asm/rc4-ia64.S
index b517d2e88f..a322d0c718 100644
--- a/src/lib/libcrypto/rc4/asm/rc4-ia64.S
+++ b/src/lib/libcrypto/rc4/asm/rc4-ia64.S
@@ -7,7 +7,7 @@
 // disclaimed.
 // ====================================================================
 
-.ident  "rc4-ia64.S, Version 1.1"
+.ident  "rc4-ia64.S, Version 2.0"
 .ident  "IA-64 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
 
 // What's wrong with compiler generated code? Because of the nature of
@@ -27,17 +27,10 @@
 // Legitimate "collisions" do occur within every 256^2 bytes window.
 // Fortunately there're enough free instruction slots to keep prior
 // reference to key[x+1], detect "collision" and compensate for it.
-// All this without sacrificing a single clock cycle:-)
-// Furthermore. In order to compress loop body to the minimum, I chose
-// to deploy deposit instruction, which substitutes for the whole
-// key->data+((x&255)<<log2(sizeof(key->data[0]))). This unfortunately
-// requires key->data to be aligned at sizeof(key->data) boundary.
-// This is why you'll find "RC4_INT pad[512-256-2];" addenum to RC4_KEY
-// and "d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1));" in
-// rc4_skey.c [and rc4_enc.c, where it's retained for debugging
-// purposes]. Throughput is ~210MBps on 900MHz CPU, which is is >3x
-// faster than gcc generated code and +30% - if compared to HP-UX C.
-// Unrolling loop below should give >30% on top of that...
+// All this without sacrificing a single clock cycle:-) Throughput is
+// ~210MBps on 900MHz CPU, which is is >3x faster than gcc generated
+// code and +30% - if compared to HP-UX C. Unrolling loop below should
+// give >30% on top of that...
 
 .text
 .explicit
@@ -48,7 +41,9 @@
 # define ADDP   add
 #endif
 
+#ifndef SZ
 #define SZ      4       // this is set to sizeof(RC4_INT)
+#endif
 // SZ==4 seems to be optimal. At least SZ==8 is not any faster, not for
 // assembler implementation, while SZ==1 code is ~30% slower.
 #if SZ==1       // RC4_INT is unsigned char
@@ -101,45 +96,53 @@ RC4:
         ADDP    out=0,in3
         brp.loop.imp    .Ltop,.Lexit-16 };;
 { .mmi; LDKEY   yy=[key]                        // load key->y
-        add     ksch=(255+1)*SZ,key             // as ksch will be used with
-                                                // deposit instruction only,
-                                                // I don't have to &~255...
+        add     ksch=SZ,key
         mov     ar.lc=in1               }
 { .mmi; mov     key_y[1]=r0                     // guarantee inequality
                                                 // in first iteration
         add     xx=1,xx
         mov     pr.rot=1<<16            };;
 { .mii; nop.m   0
-        dep     key_x[1]=xx,ksch,OFF,8
+        dep     key_x[1]=xx,r0,OFF,8
         mov     ar.ec=3                 };;     // note that epilogue counter
                                                 // is off by 1. I compensate
                                                 // for this at exit...
 .Ltop:
-// The loop is scheduled for 3*(n+2) spin-rate on Itanium 2, which
+// The loop is scheduled for 4*(n+2) spin-rate on Itanium 2, which
 // theoretically gives asymptotic performance of clock frequency
-// divided by 3 bytes per seconds, or 500MBps on 1.5GHz CPU. Measured
-// performance however is distinctly lower than 1/4:-( The culplrit
-// seems to be *(out++)=dat, which inadvertently splits the bundle,
-// even though there is M-port available... Unrolling is due...
-// Unrolled loop should collect output with variable shift instruction
-// in order to avoid starvation for integer shifter... It should be
-// possible to get pretty close to theoretical peak...
-{ .mmi; (p16)   LDKEY   tx[0]=[key_x[1]]                // tx=key[xx]
-        (p17)   LDKEY   ty[0]=[key_y[1]]                // ty=key[yy]   
-        (p18)   dep     rnd[1]=rnd[1],ksch,OFF,8}       // &key[(tx+ty)&255]
+// divided by 4 bytes per seconds, or 400MBps on 1.6GHz CPU. This is
+// for sizeof(RC4_INT)==4. For smaller RC4_INT STKEY inadvertently
+// splits the last bundle and you end up with 5*n spin-rate:-(
+// Originally the loop was scheduled for 3*n and relied on key
+// schedule to be aligned at 256*sizeof(RC4_INT) boundary. But
+// *(out++)=dat, which maps to st1, had same effect [inadvertent
+// bundle split] and holded the loop back. Rescheduling for 4*n
+// made it possible to eliminate dependence on specific alignment
+// and allow OpenSSH keep "abusing" our API. Reaching for 3*n would
+// require unrolling, sticking to variable shift instruction for
+// collecting output [to avoid starvation for integer shifter] and
+// copying of key schedule to controlled place in stack [so that
+// deposit instruction can serve as substitute for whole
+// key->data+((x&255)<<log2(sizeof(key->data[0])))]...
 { .mmi; (p19)   st1     [out]=dat[3],1                  // *(out++)=dat
         (p16)   add     xx=1,xx                         // x++
-        (p16)   cmp.ne.unc p20,p21=key_x[1],key_y[1]    };;
+        (p18)   dep     rnd[1]=rnd[1],r0,OFF,8  }       // ((tx+ty)&255)<<OFF
+{ .mmi; (p16)   add     key_x[1]=ksch,key_x[1]          // &key[xx&255]
+        (p17)   add     key_y[1]=ksch,key_y[1]  };;     // &key[yy&255] 
+{ .mmi; (p16)   LDKEY   tx[0]=[key_x[1]]                // tx=key[xx]
+        (p17)   LDKEY   ty[0]=[key_y[1]]                // ty=key[yy]   
+        (p16)   dep     key_x[0]=xx,r0,OFF,8    }       // (xx&255)<<OFF
+{ .mmi; (p18)   add     rnd[1]=ksch,rnd[1]              // &key[(tx+ty)&255]
+        (p16)   cmp.ne.unc p20,p21=key_x[1],key_y[1] };;
 { .mmi; (p18)   LDKEY   rnd[1]=[rnd[1]]                 // rnd=key[(tx+ty)&255]
-        (p16)   ld1     dat[0]=[inp],1                  // dat=*(inp++)
-        (p16)   dep     key_x[0]=xx,ksch,OFF,8  }       // &key[xx&255]
+        (p16)   ld1     dat[0]=[inp],1          }       // dat=*(inp++)
 .pred.rel       "mutex",p20,p21
 { .mmi; (p21)   add     yy=yy,tx[1]                     // (p16)
         (p20)   add     yy=yy,tx[0]                     // (p16) y+=tx
         (p21)   mov     tx[0]=tx[1]             };;     // (p16)
 { .mmi; (p17)   STKEY   [key_y[1]]=tx[1]                // key[yy]=tx
         (p17)   STKEY   [key_x[2]]=ty[0]                // key[xx]=ty
-        (p16)   dep     key_y[0]=yy,ksch,OFF,8  }       // &key[yy&255]
+        (p16)   dep     key_y[0]=yy,r0,OFF,8    }       // &key[yy&255]
 { .mmb; (p17)   add     rnd[0]=tx[1],ty[0]              // tx+=ty
         (p18)   xor     dat[2]=dat[2],rnd[1]            // dat^=rnd
         br.ctop.sptk    .Ltop                   };;
diff --git a/src/lib/libcrypto/rc5/Makefile b/src/lib/libcrypto/rc5/Makefile
index 3a8d309b29..16e6a60017 100644
--- a/src/lib/libcrypto/rc5/Makefile
+++ b/src/lib/libcrypto/rc5/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rc5/Makefile
+# OpenSSL/crypto/rc5/Makefile
 #
 
 DIR=    rc5
@@ -102,7 +102,7 @@ rc5_ecb.o: ../../include/openssl/opensslv.h ../../include/openssl/rc5.h
 rc5_ecb.o: rc5_ecb.c rc5_locl.h
 rc5_enc.o: ../../include/openssl/rc5.h rc5_enc.c rc5_locl.h
 rc5_skey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-rc5_skey.o: ../../include/openssl/opensslconf.h
+rc5_skey.o: ../../include/openssl/fips.h ../../include/openssl/opensslconf.h
 rc5_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/rc5.h
 rc5_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 rc5_skey.o: ../../include/openssl/symhacks.h rc5_locl.h rc5_skey.c
diff --git a/src/lib/libcrypto/ripemd/Makefile b/src/lib/libcrypto/ripemd/Makefile
index dc086e3434..20c8b4d8db 100644
--- a/src/lib/libcrypto/ripemd/Makefile
+++ b/src/lib/libcrypto/ripemd/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/ripemd/Makefile
+# OpenSSL/crypto/ripemd/Makefile
 #
 
 DIR=    ripemd
diff --git a/src/lib/libcrypto/rsa/Makefile b/src/lib/libcrypto/rsa/Makefile
index 5748b0d3d0..8851825250 100644
--- a/src/lib/libcrypto/rsa/Makefile
+++ b/src/lib/libcrypto/rsa/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rsa/Makefile
+# OpenSSL/crypto/rsa/Makefile
 #
 
 DIR=    rsa
@@ -24,10 +24,10 @@ APPS=
 LIB=$(TOP)/libcrypto.a
 LIBSRC= rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_saos.c rsa_err.c \
         rsa_pk1.c rsa_ssl.c rsa_none.c rsa_oaep.c rsa_chk.c rsa_null.c \
-        rsa_asn1.c
+        rsa_pss.c rsa_x931.c rsa_asn1.c
 LIBOBJ= rsa_eay.o rsa_gen.o rsa_lib.o rsa_sign.o rsa_saos.o rsa_err.o \
         rsa_pk1.o rsa_ssl.o rsa_none.o rsa_oaep.o rsa_chk.o rsa_null.o \
-        rsa_asn1.o
+        rsa_pss.o rsa_x931.o rsa_asn1.o
 
 SRC= $(LIBSRC)
 
@@ -184,6 +184,26 @@ rsa_pk1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_pk1.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 rsa_pk1.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 rsa_pk1.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_pk1.c
+rsa_pss.o: ../../e_os.h ../../include/openssl/aes.h
+rsa_pss.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+rsa_pss.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+rsa_pss.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+rsa_pss.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+rsa_pss.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+rsa_pss.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+rsa_pss.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+rsa_pss.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+rsa_pss.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+rsa_pss.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+rsa_pss.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+rsa_pss.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+rsa_pss.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+rsa_pss.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+rsa_pss.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+rsa_pss.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_pss.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rsa_pss.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+rsa_pss.o: ../../include/openssl/ui_compat.h ../cryptlib.h rsa_pss.c
 rsa_saos.o: ../../e_os.h ../../include/openssl/aes.h
 rsa_saos.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 rsa_saos.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
@@ -237,3 +257,13 @@ rsa_ssl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_ssl.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 rsa_ssl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 rsa_ssl.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_ssl.c
+rsa_x931.o: ../../e_os.h ../../include/openssl/asn1.h
+rsa_x931.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_x931.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_x931.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rsa_x931.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+rsa_x931.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+rsa_x931.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rsa_x931.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+rsa_x931.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rsa_x931.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_x931.c
diff --git a/src/lib/libcrypto/rsa/rsa_test.c b/src/lib/libcrypto/rsa/rsa_test.c
index 924e9ad1f6..218bb2a39b 100644
--- a/src/lib/libcrypto/rsa/rsa_test.c
+++ b/src/lib/libcrypto/rsa/rsa_test.c
@@ -227,10 +227,10 @@ int main(int argc, char *argv[])
 
     plen = sizeof(ptext_ex) - 1;
 
-    for (v = 0; v < 3; v++)
+    for (v = 0; v < 6; v++)
         {
         key = RSA_new();
-        switch (v) {
+        switch (v%3) {
     case 0:
         clen = key1(key, ctext_ex);
         break;
@@ -241,6 +241,7 @@ int main(int argc, char *argv[])
         clen = key3(key, ctext_ex);
         break;
         }
+        if (v/3 > 1) key->flags |= RSA_FLAG_NO_EXP_CONSTTIME;
 
         num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
                                  RSA_PKCS1_PADDING);
diff --git a/src/lib/libcrypto/sha/Makefile b/src/lib/libcrypto/sha/Makefile
index 0426786aa0..46103bbc83 100644
--- a/src/lib/libcrypto/sha/Makefile
+++ b/src/lib/libcrypto/sha/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/sha/Makefile
+# OpenSSL/crypto/sha/Makefile
 #
 
 DIR=    sha
diff --git a/src/lib/libcrypto/sha/sha_one.c b/src/lib/libcrypto/sha/sha_one.c
index e61c63f3e9..d4f4d344df 100644
--- a/src/lib/libcrypto/sha/sha_one.c
+++ b/src/lib/libcrypto/sha/sha_one.c
@@ -68,7 +68,8 @@ unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md)
         static unsigned char m[SHA_DIGEST_LENGTH];
 
         if (md == NULL) md=m;
-        SHA_Init(&c);
+        if (!SHA_Init(&c))
+                return NULL;
         SHA_Update(&c,d,n);
         SHA_Final(md,&c);
         OPENSSL_cleanse(&c,sizeof(c));
diff --git a/src/lib/libcrypto/stack/Makefile b/src/lib/libcrypto/stack/Makefile
index 4d5199a000..711b16832a 100644
--- a/src/lib/libcrypto/stack/Makefile
+++ b/src/lib/libcrypto/stack/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/stack/Makefile
+# OpenSSL/crypto/stack/Makefile
 #
 
 DIR=    stack
diff --git a/src/lib/libcrypto/txt_db/Makefile b/src/lib/libcrypto/txt_db/Makefile
index f91a08f006..3cb550a795 100644
--- a/src/lib/libcrypto/txt_db/Makefile
+++ b/src/lib/libcrypto/txt_db/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/txt_db/Makefile
+# OpenSSL/crypto/txt_db/Makefile
 #
 
 DIR=    txt_db
diff --git a/src/lib/libcrypto/util/checkhash.pl b/src/lib/libcrypto/util/checkhash.pl
new file mode 100644
index 0000000000..c61fa72178
--- /dev/null
+++ b/src/lib/libcrypto/util/checkhash.pl
@@ -0,0 +1,222 @@
+#!/usr/bin/env perl -w
+
+my $package = caller;
+
+if (!(defined $package))
+        {
+        my $retval = check_hashes(@ARGV);
+        exit $retval;
+        }
+
+1;
+
+sub check_hashes
+        {
+
+        my @args = @_;
+
+        my $change_dir = "";
+        my $check_program = "sha/fips_standalone_sha1";
+
+        my $verbose = 0;
+        my $badfiles = 0;
+        my $rebuild = 0;
+        my $force_rewrite = 0;
+        my $hash_file = "fipshashes.c";
+        my $recurse = 0;
+
+        my @fingerprint_files;
+
+        while (@args)
+                {
+                my $arg = $args[0];
+                if ($arg eq "-chdir")
+                        {
+                        shift @args;
+                        $change_dir = shift @args;
+                        }
+                elsif ($arg eq "-rebuild")
+                        {
+                        shift @args;
+                        $rebuild = 1;
+                        }
+                elsif ($arg eq "-verbose")
+                        {
+                        shift @args;
+                        $verbose = 1;
+                        }
+                elsif ($arg eq "-force-rewrite")
+                        {
+                        shift @args;
+                        $force_rewrite = 1;
+                        }
+                elsif ($arg eq "-hash_file")
+                        {
+                        shift @args;
+                        $hash_file = shift @args;
+                        }
+                elsif ($arg eq "-recurse")
+                        {
+                        shift @args;
+                        $recurse = 1;
+                        }
+                elsif ($arg eq "-program_path")
+                        {
+                        shift @args;
+                        $check_program = shift @args;
+                        }
+                else
+                        {
+                        print STDERR "Unknown Option $arg";
+                        return 1;
+                        }
+
+                }
+
+        chdir $change_dir if $change_dir ne "";
+
+        if ($recurse)
+                {
+                @fingerprint_files = ("fingerprint.sha1",
+                                        <*/fingerprint.sha1>);
+                }
+        else
+                {
+                push @fingerprint_files, $hash_file;
+                }
+
+        foreach $fp (@fingerprint_files)
+                {
+                if (!open(IN, "$fp"))
+                        {
+                        print STDERR "Can't open file $fp";
+                        return 1;
+                        }
+                print STDERR "Opening Fingerprint file $fp\n" if $verbose;
+                my $dir = $fp;
+                $dir =~ s/[^\/]*$//;
+                while (<IN>)
+                        {
+                        chomp;
+                        if (!(($file, $hash) = /^\"HMAC-SHA1\((.*)\)\s*=\s*(\w*)\",$/))
+                                {
+                                /^\"/ || next;
+                                print STDERR "FATAL: Invalid syntax in file $fp\n";
+                                print STDERR "Line:\n$_\n";
+                                fatal_error();
+                                return 1;
+                                }
+                        if (!$rebuild && length($hash) != 40)
+                                {
+                                print STDERR "FATAL: Invalid hash length in $fp for file $file\n";
+                                fatal_error();
+                                return 1;
+                                }
+                        push @hashed_files, "$dir$file";
+                        if (exists $hashes{"$dir$file"})
+                                {
+                                print STDERR "FATAL: Duplicate Hash file $dir$file\n";
+                                fatal_error();
+                                return 1;
+                                }
+                        if (! -r "$dir$file")
+                                {
+                                print STDERR "FATAL: Can't access $dir$file\n";
+                                fatal_error();
+                                return 1;
+                                }
+                        $hashes{"$dir$file"} = $hash;
+                        }
+                close IN;
+                }
+
+        @checked_hashes = `$check_program @hashed_files`;
+
+        if ($? != 0)
+                {
+                print STDERR "Error running hash program $check_program\n";
+                fatal_error();
+                return 1;
+                }
+
+        if (@checked_hashes != @hashed_files)
+                {
+                print STDERR "FATAL: hash count incorrect\n";
+                fatal_error();
+                return 1;
+                }
+
+        foreach (@checked_hashes)
+                {
+                chomp;
+                if (!(($file, $hash) = /^HMAC-SHA1\((.*)\)\s*=\s*(\w*)$/))
+                        {
+                        print STDERR "FATAL: Invalid syntax in file $fp\n";
+                        print STDERR "Line:\n$_\n";
+                        fatal_error();
+                        return 1;
+                        }
+                if (length($hash) != 40)
+                        {
+                        print STDERR "FATAL: Invalid hash length for file $file\n";
+                        fatal_error();
+                        return 1;
+                        }
+                if ($hash ne $hashes{$file})
+                        {
+                        if ($rebuild)
+                                {
+                                print STDERR "Updating hash on file $file\n";
+                                $hashes{$file} = $hash;
+                                }
+                        else
+                                {
+                                print STDERR "Hash check failed for file $file\n";
+                                }
+                        $badfiles++;
+                        }
+                elsif ($verbose)
+                        { print "Hash Check OK for $file\n";}
+                }
+                
+
+        if ($badfiles && !$rebuild)
+                {
+                print STDERR "FATAL: hash mismatch on $badfiles files\n";
+                fatal_error();
+                return 1;
+                }
+
+        if ($badfiles || $force_rewrite)
+                {
+                print "Updating Hash file $hash_file\n";
+                if (!open(OUT, ">$hash_file"))
+                        {
+                        print STDERR "Error rewriting $hash_file";
+                        return 1;
+                        }
+                print OUT "const char * const FIPS_source_hashes[] = {\n";
+                foreach (@hashed_files)
+                        {
+                        print OUT "\"HMAC-SHA1($_)= $hashes{$_}\",\n";
+                        }
+                print OUT "};\n";
+                close OUT;
+                }
+
+        if (!$badfiles)
+                {
+                print "FIPS hash check successful\n";
+                }
+
+        return 0;
+
+        }
+
+
+sub fatal_error
+        {
+        print STDERR "*** Your source code does not match the FIPS validated source ***\n";
+        }
+
+
diff --git a/src/lib/libcrypto/util/fipslink.pl b/src/lib/libcrypto/util/fipslink.pl
new file mode 100644
index 0000000000..a893833c5c
--- /dev/null
+++ b/src/lib/libcrypto/util/fipslink.pl
@@ -0,0 +1,78 @@
+#!/usr/bin/perl
+
+sub check_env
+        {
+        my @ret;
+        foreach (@_)
+                {
+                die "Environment variable $_ not defined!\n" unless exists $ENV{$_};
+                push @ret, $ENV{$_};
+                }
+        return @ret;
+        }
+
+
+my ($fips_cc,$fips_cc_args, $fips_link,$fips_target, $fips_libdir, $sha1_exe)
+         = check_env("FIPS_CC", "FIPS_CC_ARGS", "FIPS_LINK", "FIPS_TARGET",
+                "FIPSLIB_D", "FIPS_SHA1_EXE");
+
+
+
+if (exists $ENV{"PREMAIN_DSO_EXE"})
+        {
+        $fips_premain_dso = $ENV{"PREMAIN_DSO_EXE"};
+        }
+        else
+        {
+        $fips_premain_dso = "";
+        }
+
+check_hash($sha1_exe, "fips_premain.c");
+check_hash($sha1_exe, "fipscanister.o");
+
+
+print "Integrity check OK\n";
+
+print "$fips_cc $fips_cc_args $fips_libdir/fips_premain.c\n";
+system "$fips_cc $fips_cc_args $fips_libdir/fips_premain.c";
+die "First stage Compile failure" if $? != 0;
+
+print "$fips_link @ARGV\n";
+system "$fips_link @ARGV";
+die "First stage Link failure" if $? != 0;
+
+
+print "$fips_premain_dso $fips_target\n";
+$fips_hash=`$fips_premain_dso $fips_target`;
+chomp $fips_hash;
+die "Get hash failure" if $? != 0;
+
+
+print "$fips_cc -DHMAC_SHA1_SIG=\\\"$fips_hash\\\" $fips_cc_args $fips_libdir/fips_premain.c\n";
+system "$fips_cc -DHMAC_SHA1_SIG=\\\"$fips_hash\\\" $fips_cc_args $fips_libdir/fips_premain.c";
+die "Second stage Compile failure" if $? != 0;
+
+
+print "$fips_link @ARGV\n";
+system "$fips_link @ARGV";
+die "Second stage Link failure" if $? != 0;
+
+sub check_hash
+        {
+        my ($sha1_exe, $filename) = @_;
+        my ($hashfile, $hashval);
+
+        open(IN, "${fips_libdir}/${filename}.sha1") || die "Cannot open file hash file ${fips_libdir}/${filename}.sha1";
+        $hashfile = <IN>;
+        close IN;
+        $hashval = `$sha1_exe ${fips_libdir}/$filename`;
+        chomp $hashfile;
+        chomp $hashval;
+        $hashfile =~ s/^.*=\s+//;
+        $hashval =~ s/^.*=\s+//;
+        die "Invalid hash syntax in file" if (length($hashfile) != 40);
+        die "Invalid hash received for file" if (length($hashval) != 40);
+        die "***HASH VALUE MISMATCH FOR FILE $filename ***" if ($hashval ne $hashfile); 
+        }
+
+
diff --git a/src/lib/libcrypto/util/libeay.num b/src/lib/libcrypto/util/libeay.num
index 56fb7446e0..4222bef6d6 100644
--- a/src/lib/libcrypto/util/libeay.num
+++ b/src/lib/libcrypto/util/libeay.num
@@ -2811,7 +2811,7 @@ EVP_aes_192_cfb8                        3252	EXIST::FUNCTION:AES
 FIPS_mode_set                           3253    EXIST:OPENSSL_FIPS:FUNCTION:
 FIPS_selftest_dsa                       3254    EXIST:OPENSSL_FIPS:FUNCTION:
 EVP_aes_256_cfb8                        3255    EXIST::FUNCTION:AES
-FIPS_allow_md5                          3256    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_allow_md5                          3256    NOEXIST::FUNCTION:
 DES_ede3_cfb_encrypt                    3257    EXIST::FUNCTION:DES
 EVP_des_ede3_cfb8                       3258    EXIST::FUNCTION:DES
 FIPS_rand_seeded                        3259    EXIST:OPENSSL_FIPS:FUNCTION:
@@ -2837,7 +2837,7 @@ FIPS_dsa_check                          3278	EXIST:OPENSSL_FIPS:FUNCTION:
 AES_cfb1_encrypt                        3279    EXIST::FUNCTION:AES
 EVP_des_ede3_cfb1                       3280    EXIST::FUNCTION:DES
 FIPS_rand_check                         3281    EXIST:OPENSSL_FIPS:FUNCTION:
-FIPS_md5_allowed                        3282    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_md5_allowed                        3282    NOEXIST::FUNCTION:
 FIPS_mode                               3283    EXIST:OPENSSL_FIPS:FUNCTION:
 FIPS_selftest_failed                    3284    EXIST:OPENSSL_FIPS:FUNCTION:
 sk_is_sorted                            3285    EXIST::FUNCTION:
@@ -2867,3 +2867,41 @@ PROXY_CERT_INFO_EXTENSION_it            3307	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 PROXY_CERT_INFO_EXTENSION_it            3307    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 PROXY_POLICY_free                       3308    EXIST::FUNCTION:
 PROXY_POLICY_new                        3309    EXIST::FUNCTION:
+BN_MONT_CTX_set_locked                  3310    EXIST::FUNCTION:
+FIPS_selftest_rng                       3311    EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_sha384                              3312    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512
+EVP_sha512                              3313    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512
+EVP_sha224                              3314    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256
+EVP_sha256                              3315    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256
+FIPS_selftest_hmac                      3316    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_corrupt_rng                        3317    EXIST:OPENSSL_FIPS:FUNCTION:
+BN_mod_exp_mont_consttime               3318    EXIST::FUNCTION:
+RSA_X931_hash_id                        3319    EXIST::FUNCTION:RSA
+RSA_padding_check_X931                  3320    EXIST::FUNCTION:RSA
+RSA_verify_PKCS1_PSS                    3321    EXIST::FUNCTION:RSA
+RSA_padding_add_X931                    3322    EXIST::FUNCTION:RSA
+RSA_padding_add_PKCS1_PSS               3323    EXIST::FUNCTION:RSA
+PKCS1_MGF1                              3324    EXIST::FUNCTION:RSA
+BN_X931_generate_Xpq                    3325    EXIST:OPENSSL_FIPS:FUNCTION:
+RSA_X931_generate_key                   3326    EXIST:OPENSSL_FIPS:FUNCTION:RSA
+BN_X931_derive_prime                    3327    EXIST:OPENSSL_FIPS:FUNCTION:
+BN_X931_generate_prime                  3328    EXIST:OPENSSL_FIPS:FUNCTION:
+RSA_X931_derive                         3329    EXIST:OPENSSL_FIPS:FUNCTION:RSA
+SHA512_Update                           3356    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512
+SHA256_Init                             3479    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256
+SHA224                                  3510    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256
+SHA384_Update                           3551    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512
+SHA224_Final                            3560    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256
+SHA224_Update                           3562    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256
+SHA512_Final                            3581    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512
+SHA224_Init                             3631    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256
+SHA512_Init                             3633    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512
+SHA256                                  3654    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256
+SHA256_Transform                        3664    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256
+SHA512                                  3669    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512
+SHA512_Transform                        3675    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512
+SHA256_Final                            3712    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256
+SHA384_Init                             3737    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512
+SHA384_Final                            3740    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512
+SHA384                                  3745    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512
+SHA256_Update                           3765    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256
diff --git a/src/lib/libcrypto/util/mk1mf.pl b/src/lib/libcrypto/util/mk1mf.pl
index 957264c6b5..05a6086164 100644
--- a/src/lib/libcrypto/util/mk1mf.pl
+++ b/src/lib/libcrypto/util/mk1mf.pl
@@ -10,6 +10,20 @@ $OPTIONS="";
 $ssl_version="";
 $banner="\t\@echo Building OpenSSL";
 
+local $zlib_opt = 0;    # 0 = no zlib, 1 = static, 2 = dynamic
+local $zlib_lib = "";
+
+my $fips_canister_path = "";
+my $fips_premain_dso_exe_path = "";
+my $fips_premain_c_path = "";
+my $fips_sha1_exe_path = "";
+
+my $fipslibdir = "";
+my $baseaddr = "";
+
+my $ex_l_libs = "";
+
+
 open(IN,"<Makefile") || die "unable to open Makefile!\n";
 while(<IN>) {
     $ssl_version=$1 if (/^VERSION=(.*)$/);
@@ -24,6 +38,7 @@ $infile="MINFO";
 
 %ops=(
         "VC-WIN32",   "Microsoft Visual C++ [4-6] - Windows NT or 9X",
+        "VC-WIN32-GMAKE", "Microsoft Visual C++ [4-6] - Windows NT or 9X, GNU make",
         "VC-CE",   "Microsoft eMbedded Visual C++ 3.0 - Windows CE ONLY",
         "VC-NT",   "Microsoft Visual C++ [4-6] - Windows NT ONLY",
         "VC-W31-16",  "Microsoft Visual C++ 1.52 - Windows 3.1 - 286",
@@ -43,6 +58,7 @@ $infile="MINFO";
         );
 
 $platform="";
+my $xcflags="";
 foreach (@ARGV)
         {
         if (!&read_options && !defined($ops{$_}))
@@ -104,8 +120,12 @@ $inc_def="outinc";
 $tmp_def="tmp";
 
 $mkdir="-mkdir";
+$mkcanister="ld -r -o";
+
+$ex_build_targets = "";
 
 ($ssl,$crypto)=("ssl","crypto");
+$cryptocompat = "";
 $ranlib="echo ranlib";
 
 $cc=(defined($VARS{'CC'}))?$VARS{'CC'}:'cc';
@@ -140,6 +160,10 @@ elsif (($platform eq "VC-WIN32") || ($platform eq "VC-NT"))
         $NT = 1 if $platform eq "VC-NT";
         require 'VC-32.pl';
         }
+elsif ($platform eq "VC-WIN32-GMAKE")
+        {
+        require 'VC-32-GMAKE.pl';
+        }
 elsif ($platform eq "VC-CE")
         {
         require 'VC-CE.pl';
@@ -210,6 +234,8 @@ $inc_dir=(defined($VARS{'INC'}))?$VARS{'INC'}:$inc_def;
 
 $bin_dir=$bin_dir.$o unless ((substr($bin_dir,-1,1) eq $o) || ($bin_dir eq ''));
 
+$cflags= "$xcflags$cflags" if $xcflags ne "";
+
 $cflags.=" -DOPENSSL_NO_IDEA" if $no_idea;
 $cflags.=" -DOPENSSL_NO_AES"  if $no_aes;
 $cflags.=" -DOPENSSL_NO_RC2"  if $no_rc2;
@@ -239,6 +265,9 @@ $cflags.=" -DOPENSSL_NO_HW"   if $no_hw;
 $cflags.=" -DOPENSSL_FIPS"    if $fips;
 #$cflags.=" -DRSAref"  if $rsaref ne "";
 
+$cflags.= " -DZLIB" if $zlib_opt;
+$cflags.= " -DZLIB_SHARED" if $zlib_opt == 2;
+
 ## if ($unix)
 ##      { $cflags="$c_flags" if ($c_flags ne ""); }
 ##else
@@ -246,6 +275,7 @@ $cflags.=" -DOPENSSL_FIPS"    if $fips;
 
 $ex_libs="$l_flags$ex_libs" if ($l_flags ne "");
 
+
 %shlib_ex_cflags=("SSL" => " -DOPENSSL_BUILD_SHLIBSSL",
                   "CRYPTO" => " -DOPENSSL_BUILD_SHLIBCRYPTO");
 
@@ -262,6 +292,135 @@ $link="$bin_dir$link" if ($link !~ /^\$/);
 
 $INSTALLTOP =~ s|/|$o|g;
 
+#############################################
+# We parse in input file and 'store' info for later printing.
+open(IN,"<$infile") || die "unable to open $infile:$!\n";
+$_=<IN>;
+for (;;)
+        {
+        chop;
+
+        ($key,$val)=/^([^=]+)=(.*)/;
+        if ($key eq "RELATIVE_DIRECTORY")
+                {
+                if ($lib ne "")
+                        {
+                        if ($fips && $dir =~ /^fips/)
+                                {
+                                $uc = "FIPS";
+                                }
+                        else
+                                {
+                                $uc=$lib;
+                                $uc =~ s/^lib(.*)\.a/$1/;
+                                $uc =~ tr/a-z/A-Z/;
+                                }
+                        if (($uc ne "FIPS") || $fips_canister_build)
+                                {
+                                $lib_nam{$uc}=$uc;
+                                $lib_obj{$uc}.=$libobj." ";
+                                }
+                        }
+                last if ($val eq "FINISHED");
+                $lib="";
+                $libobj="";
+                $dir=$val;
+                }
+
+        if ($key eq "KRB5_INCLUDES")
+                { $cflags .= " $val";}
+
+        if ($key eq "ZLIB_INCLUDE")
+                { $cflags .= " $val" if $val ne "";}
+
+        if ($key eq "LIBZLIB")
+                { $zlib_lib = "$val" if $val ne "";}
+
+        if ($key eq "LIBKRB5")
+                { $ex_libs .= " $val" if $val ne "";}
+
+        if ($key eq "TEST")
+                { $test.=&var_add($dir,$val); }
+
+        if (($key eq "PROGS") || ($key eq "E_OBJ"))
+                { $e_exe.=&var_add($dir,$val); }
+
+        if ($key eq "LIB")
+                {
+                $lib=$val;
+                $lib =~ s/^.*\/([^\/]+)$/$1/;
+                }
+
+        if ($key eq "EXHEADER")
+                { $exheader.=&var_add($dir,$val); }
+
+        if ($key eq "HEADER")
+                { $header.=&var_add($dir,$val); }
+
+        if ($key eq "LIBOBJ")
+                { $libobj=&var_add($dir,$val); }
+
+        if ($key eq "FIPSLIBDIR")
+                { $fipslibdir=$val;}
+
+        if ($key eq "BASEADDR")
+                { $baseaddr=$val;}
+
+        if (!($_=<IN>))
+                { $_="RELATIVE_DIRECTORY=FINISHED\n"; }
+        }
+close(IN);
+
+if ($fips_canister_path eq "")
+        {
+        $fips_canister_path = "\$(FIPSLIB_D)${o}fipscanister.o";
+        }
+
+if ($fips_premain_c_path eq "")
+        {
+        $fips_premain_c_path = "\$(FIPSLIB_D)${o}fips_premain.c";
+        }
+
+if ($fips)
+        {
+        if ($fips_sha1_exe_path eq "")
+                {
+                $fips_sha1_exe_path =
+                        "\$(BIN_D)${o}fips_standalone_sha1$exep";
+                }
+        }
+        else
+        {
+        $fips_sha1_exe_path = "";
+        }
+
+if ($fips_premain_dso_exe_path eq "")
+        {
+        $fips_premain_dso_exe_path = "\$(BIN_D)${o}fips_premain_dso$exep";
+        }
+
+#       $ex_build_targets .= "\$(BIN_D)${o}\$(E_PREMAIN_DSO)$exep" if ($fips);
+
+if ($fips)
+        {
+        if (!$shlib)
+                {
+                $ex_build_targets .= " \$(LIB_D)$o$crypto_compat \$(PREMAIN_DSO_EXE)";
+                $ex_l_libs .= " \$(O_FIPSCANISTER)";
+                }
+        if ($fipslibdir eq "")
+                {
+                open (IN, "util/fipslib_path.txt") || fipslib_error();
+                $fipslibdir = <IN>;
+                chomp $fipslibdir;
+                close IN;
+                }
+        fips_check_files($fipslibdir,
+                        "fipscanister.o", "fipscanister.o.sha1",
+                        "fips_premain.c", "fips_premain.c.sha1");
+        }
+        
+
 $defs= <<"EOF";
 # This makefile has been automatically generated from the OpenSSL distribution.
 # This single makefile will build the complete OpenSSL distribution and
@@ -286,6 +445,7 @@ if ($platform eq "VC-CE")
 !INCLUDE <\$(WCECOMPAT)/wcedefs.mak>
 
 EOF
+        $ex_libs .= " $zlib_lib" if $zlib_opt == 1;
         }
 
 $defs.= <<"EOF";
@@ -308,6 +468,8 @@ EX_LIBS=$ex_libs
 SRC_D=$src_dir
 
 LINK=$link
+PERL=perl
+FIPSLINK=\$(PERL) util${o}fipslink.pl
 LFLAGS=$lflags
 
 BN_ASM_OBJ=$bn_asm_obj
@@ -339,6 +501,9 @@ TMP_D=$tmp_dir
 INC_D=$inc_dir
 INCO_D=$inc_dir${o}openssl
 
+# Directory containing FIPS module
+
+
 CP=$cp
 RM=$rm
 RANLIB=$ranlib
@@ -346,6 +511,18 @@ MKDIR=$mkdir
 MKLIB=$bin_dir$mklib
 MLFLAGS=$mlflags
 ASM=$bin_dir$asm
+MKCANISTER=$mkcanister
+
+# FIPS validated module and support file locations
+
+E_PREMAIN_DSO=fips_premain_dso
+
+FIPSLIB_D=$fipslibdir
+BASEADDR=$baseaddr
+FIPS_PREMAIN_SRC=$fips_premain_c_path
+O_FIPSCANISTER=$fips_canister_path
+FIPS_SHA1_EXE=$fips_sha1_exe_path
+PREMAIN_DSO_EXE=$fips_premain_dso_exe_path
 
 ######################################################
 # You should not need to touch anything below this point
@@ -377,7 +554,7 @@ SO_CRYPTO= $plib\$(CRYPTO)$so_shlibp
 L_SSL=     \$(LIB_D)$o$plib\$(SSL)$libp
 L_CRYPTO=  \$(LIB_D)$o$plib\$(CRYPTO)$libp
 
-L_LIBS= \$(L_SSL) \$(L_CRYPTO)
+L_LIBS= \$(L_SSL) \$(L_CRYPTO) $ex_l_libs
 
 ######################################################
 # Don't touch anything below this point
@@ -387,13 +564,13 @@ INC=-I\$(INC_D) -I\$(INCL_D)
 APP_CFLAGS=\$(INC) \$(CFLAG) \$(APP_CFLAG)
 LIB_CFLAGS=\$(INC) \$(CFLAG) \$(LIB_CFLAG)
 SHLIB_CFLAGS=\$(INC) \$(CFLAG) \$(LIB_CFLAG) \$(SHLIB_CFLAG)
-LIBS_DEP=\$(O_CRYPTO) \$(O_SSL)
+LIBS_DEP=\$(O_CRYPTO) \$(O_SSL) $ex_libs_dep
 
 #############################################
 EOF
 
 $rules=<<"EOF";
-all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) headers lib exe
+all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) headers \$(FIPS_SHA1_EXE) lib exe $ex_build_targets
 
 banner:
 $banner
@@ -479,57 +656,6 @@ printf OUT "  #define DATE \"%s\"\n", scalar gmtime();
 printf OUT "#endif\n";
 close(OUT);
 
-#############################################
-# We parse in input file and 'store' info for later printing.
-open(IN,"<$infile") || die "unable to open $infile:$!\n";
-$_=<IN>;
-for (;;)
-        {
-        chop;
-
-        ($key,$val)=/^([^=]+)=(.*)/;
-        if ($key eq "RELATIVE_DIRECTORY")
-                {
-                if ($lib ne "")
-                        {
-                        $uc=$lib;
-                        $uc =~ s/^lib(.*)\.a/$1/;
-                        $uc =~ tr/a-z/A-Z/;
-                        $lib_nam{$uc}=$uc;
-                        $lib_obj{$uc}.=$libobj." ";
-                        }
-                last if ($val eq "FINISHED");
-                $lib="";
-                $libobj="";
-                $dir=$val;
-                }
-
-        if ($key eq "TEST")
-                { $test.=&var_add($dir,$val); }
-
-        if (($key eq "PROGS") || ($key eq "E_OBJ"))
-                { $e_exe.=&var_add($dir,$val); }
-
-        if ($key eq "LIB")
-                {
-                $lib=$val;
-                $lib =~ s/^.*\/([^\/]+)$/$1/;
-                }
-
-        if ($key eq "EXHEADER")
-                { $exheader.=&var_add($dir,$val); }
-
-        if ($key eq "HEADER")
-                { $header.=&var_add($dir,$val); }
-
-        if ($key eq "LIBOBJ")
-                { $libobj=&var_add($dir,$val); }
-
-        if (!($_=<IN>))
-                { $_="RELATIVE_DIRECTORY=FINISHED\n"; }
-        }
-close(IN);
-
 # Strip of trailing ' '
 foreach (keys %lib_obj) { $lib_obj{$_}=&clean_up_ws($lib_obj{$_}); }
 $test=&clean_up_ws($test);
@@ -554,6 +680,29 @@ $rules.=&do_compile_rule("\$(OBJ_D)",$test,"\$(APP_CFLAGS)");
 $defs.=&do_defs("E_OBJ",$e_exe,"\$(OBJ_D)",$obj);
 $rules.=&do_compile_rule("\$(OBJ_D)",$e_exe,'-DMONOLITH $(APP_CFLAGS)');
 
+# Special case rules for fips_start and fips_end fips_premain_dso
+
+if ($fips)
+        {
+        if ($fips_canister_build)
+                {
+                $rules.=&cc_compile_target("\$(OBJ_D)${o}fips_start$obj",
+                        "fips-1.0${o}fips_canister.c",
+                        "-DFIPS_START \$(SHLIB_CFLAGS)");
+                $rules.=&cc_compile_target("\$(OBJ_D)${o}fips_end$obj",
+                        "fips-1.0${o}fips_canister.c", "\$(SHLIB_CFLAGS)");
+                }
+        $rules.=&cc_compile_target("\$(OBJ_D)${o}fips_standalone_sha1$obj",
+                "fips-1.0${o}sha${o}fips_standalone_sha1.c",
+                "\$(SHLIB_CFLAGS)");
+        $rules.=&cc_compile_target("\$(OBJ_D)${o}fips_sha1dgst$obj",
+                "fips-1.0${o}sha${o}fips_sha1dgst.c",
+                "\$(SHLIB_CFLAGS)") unless $fips_canister_build;
+        $rules.=&cc_compile_target("\$(OBJ_D)${o}\$(E_PREMAIN_DSO)$obj",
+                "fips-1.0${o}fips_premain.c",
+                "-DFINGERPRINT_PREMAIN_DSO_LOAD \$(SHLIB_CFLAGS)");
+        }
+
 foreach (values %lib_nam)
         {
         $lib_obj=$lib_obj{$_};
@@ -630,16 +779,42 @@ foreach (split(/\s+/,$test))
         }
 
 $rules.= &do_lib_rule("\$(SSLOBJ)","\$(O_SSL)",$ssl,$shlib,"\$(SO_SSL)");
-$rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)");
+
 
 if ($fips)
         {
-        $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)","\$(BIN_D)$o.sha1","\$(BIN_D)$o\$(E_EXE)$exep");
+        if ($shlib)
+                {
+                $rules.= &do_lib_rule("\$(CRYPTOOBJ) \$(O_FIPSCANISTER)",
+                        "\$(O_CRYPTO)",
+                        "$crypto",
+                        $shlib, "\$(SO_CRYPTO)", "\$(BASEADDR)");
+                }
+        else
+                {
+                $rules.= &do_lib_rule("\$(CRYPTOOBJ)",
+                        "\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)", "");
+                $rules.= &do_lib_rule("\$(CRYPTOOBJ) \$(O_FIPSCANISTER)",
+                        "\$(LIB_D)$o$crypto_compat",$crypto,$shlib,"\$(SO_CRYPTO)", "");
+                }
         }
-else
+        else
         {
-        $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
+        $rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,
+                                                        "\$(SO_CRYPTO)");
         }
+
+
+if ($fips)
+        {
+        $rules.= &do_rlink_rule("\$(O_FIPSCANISTER)", "\$(OBJ_D)${o}fips_start$obj \$(FIPSOBJ) \$(OBJ_D)${o}fips_end$obj", "\$(FIPSLIB_D)${o}fips_standalone_sha1$exep", "") if $fips_canister_build;
+        $rules.=&do_link_rule("\$(PREMAIN_DSO_EXE)","\$(OBJ_D)${o}\$(E_PREMAIN_DSO)$obj \$(CRYPTOOBJ) \$(O_FIPSCANISTER)","","\$(EX_LIBS)", 1);
+        
+        $rules.=&do_link_rule("\$(FIPS_SHA1_EXE)","\$(OBJ_D)${o}fips_standalone_sha1$obj \$(OBJ_D)${o}fips_sha1dgst$obj","","", 1);
+        }
+
+        $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)",0);
+
 print $defs;
 
 if ($platform eq "linux-elf") {
@@ -935,6 +1110,24 @@ sub read_options
         elsif (/^shlib$/)       { $shlib=1; }
         elsif (/^dll$/)         { $shlib=1; }
         elsif (/^shared$/)      { } # We just need to ignore it for now...
+        elsif (/^zlib$/) { $zlib_opt = 1 if $zlib_opt == 0 }
+        elsif (/^zlib-dynamic$/){ $zlib_opt = 2; }
+        elsif (/^--with-krb5-flavor=(.*)$/)
+                {
+                my $krb5_flavor = $1;
+                if ($krb5_flavor =~ /^force-[Hh]eimdal$/)
+                        {
+                        $xcflags="-DKRB5_HEIMDAL $xcflags";
+                        }
+                elsif ($krb5_flavor =~ /^MIT/i)
+                        {
+                        $xcflags="-DKRB5_MIT $xcflags";
+                        if ($krb5_flavor =~ /^MIT[._-]*1[._-]*[01]/i)
+                                {
+                                $xcflags="-DKRB5_MIT_OLD11 $xcflags"
+                                }
+                        }
+                }
         elsif (/^([^=]*)=(.*)$/){ $VARS{$1}=$2; }
         elsif (/^-[lL].*$/)     { $l_flags.="$_ "; }
         elsif ((!/^-help/) && (!/^-h/) && (!/^-\?/) && /^-.*$/)
@@ -942,3 +1135,31 @@ sub read_options
         else { return(0); }
         return(1);
         }
+
+sub fipslib_error
+        {
+        print STDERR "***FIPS module directory sanity check failed***\n";
+        print STDERR "FIPS module build failed, or was deleted\n";
+        print STDERR "Please rebuild FIPS module.\n"; 
+        exit 1;
+        }
+
+sub fips_check_files
+        {
+        my $dir = shift @_;
+        my $ret = 1;
+        if (!-d $dir)
+                {
+                print STDERR "FIPS module directory $dir does not exist\n";
+                fipslib_error();
+                }
+        foreach (@_)
+                {
+                if (!-f "$dir${o}$_")
+                        {
+                        print STDERR "FIPS module file $_ does not exist!\n";
+                        $ret = 0;
+                        }
+                }
+        fipslib_error() if ($ret == 0);
+        }
diff --git a/src/lib/libcrypto/util/mkdef.pl b/src/lib/libcrypto/util/mkdef.pl
index 9918c3d549..6c1e53bb14 100644
--- a/src/lib/libcrypto/util/mkdef.pl
+++ b/src/lib/libcrypto/util/mkdef.pl
@@ -83,7 +83,7 @@ my @known_platforms = ( "__FreeBSD__", "PERL5", "NeXT",
 my @known_ossl_platforms = ( "VMS", "WIN16", "WIN32", "WINNT", "OS2" );
 my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
                          "CAST", "MD2", "MD4", "MD5", "SHA", "SHA0", "SHA1",
-                         "RIPEMD",
+                         "SHA256", "SHA512", "RIPEMD",
                          "MDC2", "RSA", "DSA", "DH", "EC", "HMAC", "AES",
                          # Envelope "algorithms"
                          "EVP", "X509", "ASN1_TYPEDEFS",
@@ -267,7 +267,7 @@ $crypto.=" crypto/ocsp/ocsp.h";
 $crypto.=" crypto/ui/ui.h crypto/ui/ui_compat.h";
 $crypto.=" crypto/krb5/krb5_asn.h";
 $crypto.=" crypto/tmdiff.h";
-$crypto.=" fips/fips.h fips/rand/fips_rand.h";
+$crypto.=" fips-1.0/fips.h fips-1.0/rand/fips_rand.h fips-1.0/sha/fips_sha.h";
 
 my $symhacks="crypto/symhacks.h";
 
@@ -864,6 +864,9 @@ sub do_defs
                         $a .= ",RSA" if($s =~ /PEM_Seal(Final|Init|Update)/);
                         $a .= ",RSA" if($s =~ /RSAPrivateKey/);
                         $a .= ",RSA" if($s =~ /SSLv23?_((client|server)_)?method/);
+                        # SHA2 algorithms only defined in FIPS mode for
+                        # OpenSSL 0.9.7
+                        $p .= "OPENSSL_FIPS" if($s =~ /SHA[235]/);
 
                         $platform{$s} =
                             &reduce_platforms((defined($platform{$s})?$platform{$s}.',':"").$p);
@@ -1011,7 +1014,7 @@ sub is_valid
 {
         my ($keywords_txt,$platforms) = @_;
         my (@keywords) = split /,/,$keywords_txt;
-        my ($falsesum, $truesum) = (0, !grep(/^[^!]/,@keywords));
+        my ($falsesum, $truesum) = (0, 1);
 
         # Param: one keyword
         sub recognise
@@ -1079,7 +1082,7 @@ sub is_valid
                 if ($k =~ /^!(.*)$/) {
                         $falsesum += &recognise($1,$platforms);
                 } else {
-                        $truesum += &recognise($k,$platforms);
+                        $truesum *= &recognise($k,$platforms);
                 }
         }
         print STDERR "DEBUG: [",$#keywords,",",$#keywords < 0,"] is_valid($keywords_txt) => (\!$falsesum) && $truesum = ",(!$falsesum) && $truesum,"\n" if $debug;
diff --git a/src/lib/libcrypto/util/mkfiles.pl b/src/lib/libcrypto/util/mkfiles.pl
index 928a274303..bc78510f56 100644
--- a/src/lib/libcrypto/util/mkfiles.pl
+++ b/src/lib/libcrypto/util/mkfiles.pl
@@ -51,14 +51,15 @@ my @dirs = (
 "crypto/ocsp",
 "crypto/ui",
 "crypto/krb5",
-"fips",
-"fips/aes",
-"fips/des",
-"fips/dsa",
-"fips/dh",
-"fips/rand",
-"fips/rsa",
-"fips/sha1",
+"fips-1.0",
+"fips-1.0/aes",
+"fips-1.0/des",
+"fips-1.0/dsa",
+"fips-1.0/dh",
+"fips-1.0/hmac",
+"fips-1.0/rand",
+"fips-1.0/rsa",
+"fips-1.0/sha",
 "ssl",
 "apps",
 "test",
diff --git a/src/lib/libcrypto/util/mklink.pl b/src/lib/libcrypto/util/mklink.pl
index c8653cecc3..182732d959 100644
--- a/src/lib/libcrypto/util/mklink.pl
+++ b/src/lib/libcrypto/util/mklink.pl
@@ -14,13 +14,16 @@
 # not contain symbolic links and that the parent of / is never referenced.
 # Apart from this, this script should be able to handle even the most
 # pathological cases.
+#
+
+use Cwd;
 
 my $from = shift;
 my @files = @ARGV;
 
 my @from_path = split(/[\\\/]/, $from);
-my $pwd = `pwd`;
-chop($pwd);
+my $pwd = getcwd();
+chomp($pwd);
 my @pwd_path = split(/[\\\/]/, $pwd);
 
 my @to_path = ();
diff --git a/src/lib/libcrypto/util/pl/BC-32.pl b/src/lib/libcrypto/util/pl/BC-32.pl
index 897ae9d824..28869c868d 100644
--- a/src/lib/libcrypto/util/pl/BC-32.pl
+++ b/src/lib/libcrypto/util/pl/BC-32.pl
@@ -18,7 +18,7 @@ $out_def="out32";
 $tmp_def="tmp32";
 $inc_def="inc32";
 #enable max error messages, disable most common warnings
-$cflags="-DWIN32_LEAN_AND_MEAN -q -w-aus -w-par -w-inl  -c -tWC -tWM -DOPENSSL_SYSNAME_WIN32 -DL_ENDIAN -DDSO_WIN32 -D_stricmp=stricmp ";
+$cflags="-DWIN32_LEAN_AND_MEAN -q -w-ccc -w-rch -w-pia -w-aus -w-par -w-inl  -c -tWC -tWM -DOPENSSL_SYSNAME_WIN32 -DL_ENDIAN -DDSO_WIN32 -D_stricmp=stricmp -D_strnicmp=strnicmp ";
 if ($debug)
 {
     $cflags.="-Od -y -v -vi- -D_DEBUG";
@@ -51,7 +51,7 @@ $lfile='';
 $shlib_ex_obj="";
 $app_ex_obj="c0x32.obj"; 
 
-$asm='nasmw -f obj';
+$asm='nasmw -f obj -d__omf__';
 $asm.=" /Zi" if $debug;
 $afile='-o';
 
@@ -106,9 +106,13 @@ sub do_lib_rule
         $ret.="$target: $objs\n";
         if (!$shlib)
                 {
-                #               $ret.="\t\$(RM) \$(O_$Name)\n";
-                $ret.="\techo LIB $<\n";    
-                $ret.="\t&\$(MKLIB) $lfile$target -+\$**\n";
+                $ret.=<<___;
+        -\$(RM) $lfile$target
+        \$(MKLIB) $lfile$target \@&&!
++\$(**: = &^
++)
+!
+___
                 }
         else
                 {
diff --git a/src/lib/libcrypto/util/pl/OS2-EMX.pl b/src/lib/libcrypto/util/pl/OS2-EMX.pl
index 75d72ebbcb..8dbeaa7a08 100644
--- a/src/lib/libcrypto/util/pl/OS2-EMX.pl
+++ b/src/lib/libcrypto/util/pl/OS2-EMX.pl
@@ -68,6 +68,7 @@ if (!$no_asm && !$fips)
         $sha1_asm_src="crypto/sha/asm/s1-os2.asm";
         $rmd160_asm_obj="crypto/ripemd/asm/rm-os2$obj";
         $rmd160_asm_src="crypto/ripemd/asm/rm-os2.asm";
+        $cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM -DOPENSSL_BN_ASM_PART_WORDS";
         }
 
 if ($shlib)
diff --git a/src/lib/libcrypto/util/pl/VC-32-GMAKE.pl b/src/lib/libcrypto/util/pl/VC-32-GMAKE.pl
new file mode 100644
index 0000000000..b5bbcac6c2
--- /dev/null
+++ b/src/lib/libcrypto/util/pl/VC-32-GMAKE.pl
@@ -0,0 +1,222 @@
+#!/usr/local/bin/perl
+# VCw32lib.pl - the file for Visual C++ 4.[01] for windows NT, static libraries
+#
+
+
+if ($fips && !$shlib)
+        {
+        $crypto="libeayfips32";
+        $crypto_compat = "libeaycompat32.lib";
+        }
+else
+        {
+        $crypto="libeay32";
+        }
+$ssl=   "ssleay32";
+
+$o='/';
+#$cp='copy nul+';       # Timestamps get stuffed otherwise
+#$rm='del';
+
+$cp='cp';
+$rm='rm';
+
+$zlib_lib="zlib1.lib";
+
+# C compiler stuff
+$cc='cl';
+$cflags=' -MD -W3 -WX -Ox -O2 -Ob2 -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32';
+$cflags.=' -D_CRT_SECURE_NO_DEPRECATE';         # shut up VC8
+$cflags.=' -D_CRT_NONSTDC_NO_DEPRECATE';        # shut up VC8
+$lflags="-nologo -subsystem:console -machine:I386 -opt:ref";
+$mlflags='';
+
+$out_def="gmout32";
+$tmp_def="gmtmp32";
+$inc_def="gminc32";
+
+if ($debug)
+        {
+        $cflags=" -MDd -W3 -WX -Zi -Yd -Od -nologo -DOPENSSL_SYSNAME_WIN32 -D_DEBUG -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -DDEBUG -DDSO_WIN32";
+        $lflags.=" -debug";
+        $mlflags.=' -debug';
+        }
+$cflags .= " -DOPENSSL_SYSNAME_WINNT" if $NT == 1;
+
+$obj='.obj';
+$ofile="-Fo";
+
+# EXE linking stuff
+$link="link";
+$efile="-out:";
+$exep='.exe';
+if ($no_sock)
+        { $ex_libs=""; }
+else    { $ex_libs="wsock32.lib user32.lib gdi32.lib"; }
+
+# static library stuff
+$mklib='lib';
+$ranlib='';
+$plib="";
+$libp=".lib";
+$shlibp=($shlib)?".dll":".lib";
+$lfile='-out:';
+
+$shlib_ex_obj="";
+$app_ex_obj="setargv.obj";
+if ($nasm) {
+        $asm='nasmw -f win32';
+        $afile='-o ';
+} else {
+        $asm='ml -Cp -coff -c -Cx';
+        $asm.=" -Zi" if $debug;
+        $afile='-Fo';
+}
+
+$bn_asm_obj='';
+$bn_asm_src='';
+$des_enc_obj='';
+$des_enc_src='';
+$bf_enc_obj='';
+$bf_enc_src='';
+
+if (!$no_asm && !$fips)
+        {
+        $bn_asm_obj='crypto/bn/asm/bn_win32.obj';
+        $bn_asm_src='crypto/bn/asm/bn_win32.asm';
+        $des_enc_obj='crypto/des/asm/d_win32.obj crypto/des/asm/y_win32.obj';
+        $des_enc_src='crypto/des/asm/d_win32.asm crypto/des/asm/y_win32.asm';
+        $bf_enc_obj='crypto/bf/asm/b_win32.obj';
+        $bf_enc_src='crypto/bf/asm/b_win32.asm';
+        $cast_enc_obj='crypto/cast/asm/c_win32.obj';
+        $cast_enc_src='crypto/cast/asm/c_win32.asm';
+        $rc4_enc_obj='crypto/rc4/asm/r4_win32.obj';
+        $rc4_enc_src='crypto/rc4/asm/r4_win32.asm';
+        $rc5_enc_obj='crypto/rc5/asm/r5_win32.obj';
+        $rc5_enc_src='crypto/rc5/asm/r5_win32.asm';
+        $md5_asm_obj='crypto/md5/asm/m5_win32.obj';
+        $md5_asm_src='crypto/md5/asm/m5_win32.asm';
+        $sha1_asm_obj='crypto/sha/asm/s1_win32.obj';
+        $sha1_asm_src='crypto/sha/asm/s1_win32.asm';
+        $rmd160_asm_obj='crypto/ripemd/asm/rm_win32.obj';
+        $rmd160_asm_src='crypto/ripemd/asm/rm_win32.asm';
+        $cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM";
+        }
+
+if ($shlib)
+        {
+        $mlflags.=" $lflags -dll";
+#       $cflags =~ s| -MD| -MT|;
+        $lib_cflag=" -D_WINDLL";
+        $out_def="gmout32dll";
+        $tmp_def="gmtmp32dll";
+        }
+
+$cflags.=" -Fd$out_def";
+
+sub do_lib_rule
+        {
+        local($objs,$target,$name,$shlib,$ign,$base_addr, $fips_get_sig, $fips_premain_src)=@_;
+        local($ret,$Name);
+
+        $taget =~ s/\//$o/g if $o ne '/';
+        ($Name=$name) =~ tr/a-z/A-Z/;
+        my $base_arg;
+        if ($base_addr ne "")
+                {
+                $base_arg= " -base:$base_addr";
+                }
+        else
+                {
+                $base_arg = "";
+                }
+
+
+#       $target="\$(LIB_D)$o$target";
+        if (!$shlib)
+                {
+#               $ret.="\t\$(RM) \$(O_$Name)\n";
+                $ret.="$target: $objs\n";
+                $ex =' advapi32.lib';
+                $ret.="\t\$(MKLIB) $lfile$target $objs $ex\n\n";
+                }
+        else
+                {
+                local($ex)=($target =~ /O_SSL/)?' $(L_CRYPTO)':'';
+                $ex.=' wsock32.lib gdi32.lib advapi32.lib user32.lib';
+                $ex.=" $zlib_lib" if $zlib_opt == 1 && $target =~ /O_CRYPTO/;
+                if (defined $fips_get_sig)
+                        {
+                        $ret.="$target: \$(O_FIPSCANISTER) $objs $fips_get_sig\n";
+                        $ret.="\tFIPS_LINK=\$(LINK) ";
+                        $ret.="FIPS_CC=\$(CC) ";
+                        $ret.="FIPS_CC_ARGS=\"-Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\" ";
+                        $ret.="FIPS_PREMAIN_DSO=$fips_get_sig ";
+                        $ret.="FIPS_TARGET=$target ";
+                        $ret.="FIPS_LIBDIR=\$(FIPSLIB_D) ";
+                        $ret.="\$(FIPSLINK) \$(MLFLAGS) $base_arg $efile$target ";
+                        $ret.="-def:ms/${Name}.def \$(SHLIB_EX_OBJ) $objs ";
+                        $ret.="\$(OBJ_D)${o}fips_premain.obj $ex\n\n";
+                        }
+                else
+                        {
+                        $ret.="$target: $objs\n";
+                        $ret.="\t\$(LINK) \$(MLFLAGS) $base_arg $efile$target /def:ms/${Name}.def \$(SHLIB_EX_OBJ) $objs $ex\n\n";
+                        }
+                }
+        $ret.="\n";
+        return($ret);
+        }
+
+sub do_link_rule
+        {
+        local($target,$files,$dep_libs,$libs,$standalone)=@_;
+        local($ret,$_);
+        $file =~ s/\//$o/g if $o ne '/';
+        $n=&bname($targer);
+        if ($standalone)
+                {
+                $ret.="$target: $files $dep_libs\n";
+                $ret.="\t\$(LINK) \$(LFLAGS) $efile$target ";
+                $ret.="$files $libs\n\n";
+                }
+        elsif ($fips && !$shlib)
+                {
+                $ret.="$target: \$(O_FIPSCANISTER) $files $dep_libs\n";
+                $ret.="\tFIPS_LINK=\$(LINK) ";
+                $ret.="FIPS_CC=\$(CC) ";
+                $ret.="FIPS_CC_ARGS=\"-Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\" ";
+                $ret.="FIPS_PREMAIN_DSO= ";
+                $ret.="FIPS_TARGET=$target ";
+                $ret.="FIPS_LIBDIR=\$(FIPSLIB_D) ";
+                $ret.=" \$(FIPSLINK) \$(LFLAGS) $efile$target ";
+                $ret.="\$(APP_EX_OBJ) $files \$(OBJ_D)${o}fips_premain.obj $libs\n\n";
+                }
+        else
+                {
+                $ret.="$target: $files $dep_libs\n";
+                $ret.="\t\$(LINK) \$(LFLAGS) $efile$target ";
+                $ret.="\$(APP_EX_OBJ) $files $libs\n\n";
+                }
+        $ret.="\n";
+        return($ret);
+        }
+
+sub do_rlink_rule
+        {
+        local($target,$files,$check_hash, $deps)=@_;
+        local($ret,$_);
+
+        $file =~ s/\//$o/g if $o ne '/';
+        $n=&bname($targer);
+        $ret.="$target: $check_hash $files $deps\n";
+        $ret.="\t\$(PERL) util${o}checkhash.pl -chdir fips-1.0 -program_path ..$o$check_hash\n";
+        $ret.="\t\$(MKCANISTER) $target $files\n";
+        $ret.="\t$check_hash $target > $target.sha1\n";
+        $ret.="\t\$(CP) fips-1.0${o}fips_premain.c \$(FIPSLIB_D)\n";
+        $ret.="\t$check_hash \$(FIPSLIB_D)${o}fips_premain.c > \$(FIPSLIB_D)${o}fips_premain.c.sha1\n\n";
+        return($ret);
+        }
+
+
+1;
diff --git a/src/lib/libcrypto/util/pl/VC-32.pl b/src/lib/libcrypto/util/pl/VC-32.pl
index cf689b9feb..4e97dfa9af 100644
--- a/src/lib/libcrypto/util/pl/VC-32.pl
+++ b/src/lib/libcrypto/util/pl/VC-32.pl
@@ -3,15 +3,28 @@
 #
 
 $ssl=   "ssleay32";
-$crypto="libeay32";
+
+if ($fips && !$shlib)
+        {
+        $crypto="libeayfips32";
+        $crypto_compat = "libeaycompat32.lib";
+        }
+else
+        {
+        $crypto="libeay32";
+        }
 
 $o='\\';
 $cp='copy nul+';        # Timestamps get stuffed otherwise
 $rm='del';
 
+$zlib_lib="zlib1.lib";
+
 # C compiler stuff
 $cc='cl';
-$cflags=' /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32';
+$cflags=' /MD /W3 /WX /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32';
+$cflags.=' -D_CRT_SECURE_NO_DEPRECATE';         # shut up VC8
+$cflags.=' -D_CRT_NONSTDC_NO_DEPRECATE';        # shut up VC8
 $lflags="/nologo /subsystem:console /machine:I386 /opt:ref";
 $mlflags='';
 
@@ -100,25 +113,56 @@ $cflags.=" /Fd$out_def";
 
 sub do_lib_rule
         {
-        local($objs,$target,$name,$shlib)=@_;
+        local($objs,$target,$name,$shlib,$ign,$base_addr) = @_;
         local($ret,$Name);
 
         $taget =~ s/\//$o/g if $o ne '/';
         ($Name=$name) =~ tr/a-z/A-Z/;
+        my $base_arg;
+        if ($base_addr ne "")
+                {
+                $base_arg= " /base:$base_addr";
+                }
+        else
+                {
+                $base_arg = "";
+                }
+
 
 #       $target="\$(LIB_D)$o$target";
-        $ret.="$target: $objs\n";
         if (!$shlib)
                 {
 #               $ret.="\t\$(RM) \$(O_$Name)\n";
+                $ret.="$target: $objs\n";
                 $ex =' advapi32.lib';
+                $ex.=" \$(FIPSLIB_D)${o}_chkstk.o" if $fips && $target =~ /O_CRYPTO/;
                 $ret.="\t\$(MKLIB) $lfile$target @<<\n  $objs $ex\n<<\n";
                 }
         else
                 {
                 local($ex)=($target =~ /O_SSL/)?' $(L_CRYPTO)':'';
-                $ex.=' wsock32.lib gdi32.lib advapi32.lib';
-                $ret.="\t\$(LINK) \$(MLFLAGS) $efile$target /def:ms/${Name}.def @<<\n  \$(SHLIB_EX_OBJ) $objs $ex\n<<\n";
+                $ex.=' wsock32.lib gdi32.lib advapi32.lib user32.lib';
+                $ex.=" $zlib_lib" if $zlib_opt == 1 && $target =~ /O_CRYPTO/;
+                if ($fips && $target =~ /O_CRYPTO/)
+                        {
+                        $ex.=" \$(FIPSLIB_D)${o}_chkstk.o";
+                        $ret.="$target: $objs \$(PREMAIN_DSO_EXE)\n";
+                        $ret.="\tSET FIPS_LINK=\$(LINK)\n";
+                        $ret.="\tSET FIPS_CC=\$(CC)\n";
+                        $ret.="\tSET FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\n";
+                        $ret.="\tSET PREMAIN_DSO_EXE=\$(PREMAIN_DSO_EXE)\n";
+                        $ret.="\tSET FIPS_SHA1_EXE=\$(FIPS_SHA1_EXE)\n";
+                        $ret.="\tSET FIPS_TARGET=$target\n";
+                        $ret.="\tSET FIPSLIB_D=\$(FIPSLIB_D)\n";
+                        $ret.="\t\$(FIPSLINK) \$(MLFLAGS) $base_arg $efile$target ";
+                        $ret.="/def:ms/${Name}.def @<<\n  \$(SHLIB_EX_OBJ) $objs ";
+                        $ret.="\$(OBJ_D)${o}fips_premain.obj $ex\n<<\n";
+                        }
+                else
+                        {
+                        $ret.="$target: $objs\n";
+                        $ret.="\t\$(LINK) \$(MLFLAGS) $base_arg $efile$target /def:ms/${Name}.def @<<\n  \$(SHLIB_EX_OBJ) $objs $ex\n<<\n";
+                        }
                 }
         $ret.="\n";
         return($ret);
@@ -126,20 +170,51 @@ sub do_lib_rule
 
 sub do_link_rule
         {
-        local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
+        local($target,$files,$dep_libs,$libs,$standalone)=@_;
         local($ret,$_);
-        
         $file =~ s/\//$o/g if $o ne '/';
         $n=&bname($targer);
         $ret.="$target: $files $dep_libs\n";
-        $ret.="  \$(LINK) \$(LFLAGS) $efile$target @<<\n";
-        $ret.="  \$(APP_EX_OBJ) $files $libs\n<<\n";
-        if (defined $sha1file)
+        if ($standalone)
+                {
+                $ret.="  \$(LINK) \$(LFLAGS) $efile$target @<<\n\t";
+                $ret.="\$(FIPSLIB_D)${o}_chkstk.o " if ($files =~ /O_FIPSCANISTER/);
+                $ret.="$files $libs\n<<\n";
+                }
+        elsif ($fips && !$shlib)
                 {
-                $ret.="  $openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+                $ret.="\tSET FIPS_LINK=\$(LINK)\n";
+                $ret.="\tSET FIPS_CC=\$(CC)\n";
+                $ret.="\tSET FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\n";
+                $ret.="\tSET PREMAIN_DSO_EXE=\n";
+                $ret.="\tSET FIPS_TARGET=$target\n";
+                $ret.="\tSET FIPS_SHA1_EXE=\$(FIPS_SHA1_EXE)\n";
+                $ret.="\tSET FIPSLIB_D=\$(FIPSLIB_D)\n";
+                $ret.="  \$(FIPSLINK) \$(LFLAGS) $efile$target @<<\n";
+                $ret.="  \$(APP_EX_OBJ) $files \$(OBJ_D)${o}fips_premain.obj $libs\n<<\n";
                 }
+        else
+                {
+                $ret.="  \$(LINK) \$(LFLAGS) $efile$target @<<\n";
+                $ret.="  \$(APP_EX_OBJ) $files $libs\n<<\n";
+                }
+        $ret.="\n";
+        return($ret);
+        }
+
+sub do_rlink_rule
+        {
+        local($target,$files,$dep_libs,$libs)=@_;
+        local($ret,$_);
+
+        $file =~ s/\//$o/g if $o ne '/';
+        $n=&bname($targer);
+        $ret.="$target: $files $dep_libs\n";
+        $ret.="  \$(MKCANISTER) $target <<\n";
+        $ret.="INPUT($files)\n<<\n";
         $ret.="\n";
         return($ret);
         }
 
+
 1;
diff --git a/src/lib/libcrypto/util/pod2man.pl b/src/lib/libcrypto/util/pod2man.pl
index 657e4e264e..546d1ec186 100644
--- a/src/lib/libcrypto/util/pod2man.pl
+++ b/src/lib/libcrypto/util/pod2man.pl
@@ -425,6 +425,7 @@ if ($name ne 'something') {
             }
             next if /^=cut\b/;  # DB_File and Net::Ping have =cut before NAME
             next if /^=pod\b/;  # It is OK to have =pod before NAME
+            next if /^=for\s+comment\b/;  # It is OK to have =for comment before NAME
             die "$0: Invalid man page - 1st pod line is not NAME in $ARGV[0]\n" unless $lax;
         }
         die "$0: Invalid man page - no documentation in $ARGV[0]\n" unless $lax;
diff --git a/src/lib/libcrypto/util/selftest.pl b/src/lib/libcrypto/util/selftest.pl
index e9d5aa8938..4778c5ab01 100644
--- a/src/lib/libcrypto/util/selftest.pl
+++ b/src/lib/libcrypto/util/selftest.pl
@@ -49,7 +49,7 @@ if (open(IN,"<Makefile")) {
 }
 
 $cversion=`$cc -v 2>&1`;
-$cversion=`$cc -V 2>&1` if $cversion =~ "usage";
+$cversion=`$cc -V 2>&1` if $cversion =~ "[Uu]sage";
 $cversion=`$cc -V |head -1` if $cversion =~ "Error";
 $cversion=`$cc --version` if $cversion eq "";
 $cversion =~ s/Reading specs.*\n//;
@@ -130,15 +130,21 @@ if (system("make 2>&1 | tee make.log") > 255) {
     goto err;
 }
 
-$_=$options;
-s/no-asm//;
-s/no-shared//;
-s/no-krb5//;
-if (/no-/)
-{
-    print OUT "Test skipped.\n";
-    goto err;
-}
+# Not sure why this is here.  The tests themselves can detect if their
+# particular feature isn't included, and should therefore skip themselves.
+# To skip *all* tests just because one algorithm isn't included is like
+# shooting mosquito with an elephant gun...
+#                   -- Richard Levitte, inspired by problem report 1089
+#
+#$_=$options;
+#s/no-asm//;
+#s/no-shared//;
+#s/no-krb5//;
+#if (/no-/)
+#{
+#    print OUT "Test skipped.\n";
+#    goto err;
+#}
 
 print "Running make test...\n";
 if (system("make test 2>&1 | tee maketest.log") > 255)
diff --git a/src/lib/libcrypto/x509/Makefile b/src/lib/libcrypto/x509/Makefile
index 5fb774f1c7..ee3f8a4a23 100644
--- a/src/lib/libcrypto/x509/Makefile
+++ b/src/lib/libcrypto/x509/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/x509/Makefile
+# OpenSSL/crypto/x509/Makefile
 #
 
 DIR=    x509
diff --git a/src/lib/libcrypto/x509v3/Makefile b/src/lib/libcrypto/x509v3/Makefile
index ed2f91cbb3..49423f39f7 100644
--- a/src/lib/libcrypto/x509v3/Makefile
+++ b/src/lib/libcrypto/x509v3/Makefile
@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/x509v3/Makefile
+# OpenSSL/crypto/x509v3/Makefile
 #
 
 DIR=    x509v3