49 files changed, 579 insertions, 74 deletions

diff --git a/src/lib/libcrypto/aes/aes_locl.h b/src/lib/libcrypto/aes/aes_locl.h
index 541d1d6e84..18fc2d0747 100644
--- a/src/lib/libcrypto/aes/aes_locl.h
+++ b/src/lib/libcrypto/aes/aes_locl.h
@@ -60,10 +60,7 @@
 
 #include <stdio.h>
 #include <stdlib.h>
-
-#if defined(__STDC__) || defined(OPENSSL_SYS_VMS) || defined(M_XENIX) || defined(OPENSSL_SYS_MSDOS)
 #include <string.h>
-#endif
 
 #ifdef _MSC_VER
 # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
diff --git a/src/lib/libcrypto/asn1/a_strex.c b/src/lib/libcrypto/asn1/a_strex.c
index 128aa7e772..8dab29dca1 100644
--- a/src/lib/libcrypto/asn1/a_strex.c
+++ b/src/lib/libcrypto/asn1/a_strex.c
@@ -77,8 +77,8 @@
 /* Three IO functions for sending data to memory, a BIO and
  * and a FILE pointer.
  */
-
-int send_mem_chars(void *arg, const void *buf, int len)
+#if 0                           /* never used */
+static int send_mem_chars(void *arg, const void *buf, int len)
 {
         unsigned char **out = arg;
         if(!out) return 1;
@@ -86,15 +86,16 @@ int send_mem_chars(void *arg, const void *buf, int len)
         *out += len;
         return 1;
 }
+#endif
 
-int send_bio_chars(void *arg, const void *buf, int len)
+static int send_bio_chars(void *arg, const void *buf, int len)
 {
         if(!arg) return 1;
         if(BIO_write(arg, buf, len) != len) return 0;
         return 1;
 }
 
-int send_fp_chars(void *arg, const void *buf, int len)
+static int send_fp_chars(void *arg, const void *buf, int len)
 {
         if(!arg) return 1;
         if(fwrite(buf, 1, len, arg) != (unsigned int)len) return 0;
@@ -240,7 +241,7 @@ static int do_hex_dump(char_io *io_ch, void *arg, unsigned char *buf, int buflen
  * #01234 format.
  */
 
-int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
+static int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
 {
         /* Placing the ASN1_STRING in a temp ASN1_TYPE allows
          * the DER encoding to readily obtained
diff --git a/src/lib/libcrypto/asn1/asn1.h b/src/lib/libcrypto/asn1/asn1.h
index 0d1713f8dd..dbb30f4f22 100644
--- a/src/lib/libcrypto/asn1/asn1.h
+++ b/src/lib/libcrypto/asn1/asn1.h
@@ -773,6 +773,7 @@ int 	ASN1_OCTET_STRING_cmp(ASN1_OCTET_STRING *a, ASN1_OCTET_STRING *b);
 int     ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, unsigned char *data, int len);
 
 DECLARE_ASN1_FUNCTIONS(ASN1_VISIBLESTRING)
+DECLARE_ASN1_FUNCTIONS(ASN1_UNIVERSALSTRING)
 DECLARE_ASN1_FUNCTIONS(ASN1_UTF8STRING)
 DECLARE_ASN1_FUNCTIONS(ASN1_NULL)
 DECLARE_ASN1_FUNCTIONS(ASN1_BMPSTRING)
diff --git a/src/lib/libcrypto/asn1/asn1_lib.c b/src/lib/libcrypto/asn1/asn1_lib.c
index 830ff2af3c..422685a3b4 100644
--- a/src/lib/libcrypto/asn1/asn1_lib.c
+++ b/src/lib/libcrypto/asn1/asn1_lib.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
 
 static int asn1_get_length(unsigned char **pp,int *inf,long *rl,int max);
 static void asn1_put_length(unsigned char **pp, int length);
@@ -123,15 +124,13 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass,
                 (int)(omax+ *pp));
 
 #endif
-#if 0
-        if ((p+ *plength) > (omax+ *pp))
+        if (*plength > (omax - (*pp - p)))
                 {
                 ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);
                 /* Set this so that even if things are not long enough
                  * the values are set correctly */
                 ret|=0x80;
                 }
-#endif
         *pp=p;
         return(ret|inf);
 err:
@@ -158,6 +157,8 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
                 i= *p&0x7f;
                 if (*(p++) & 0x80)
                         {
+                        if (i > sizeof(long))
+                                return 0;
                         if (max-- == 0) return(0);
                         while (i-- > 0)
                                 {
@@ -169,6 +170,8 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
                 else
                         ret=i;
                 }
+        if (ret < 0)
+                return 0;
         *pp=p;
         *rl=ret;
         return(1);
@@ -406,7 +409,7 @@ int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b)
 
 void asn1_add_error(unsigned char *address, int offset)
         {
-        char buf1[16],buf2[16];
+        char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
 
         sprintf(buf1,"%lu",(unsigned long)address);
         sprintf(buf2,"%d",offset);
diff --git a/src/lib/libcrypto/asn1/n_pkey.c b/src/lib/libcrypto/asn1/n_pkey.c
index 49f80fffd2..9146ee02c9 100644
--- a/src/lib/libcrypto/asn1/n_pkey.c
+++ b/src/lib/libcrypto/asn1/n_pkey.c
@@ -92,6 +92,8 @@ ASN1_BROKEN_SEQUENCE(NETSCAPE_ENCRYPTED_PKEY) = {
         ASN1_SIMPLE(NETSCAPE_ENCRYPTED_PKEY, enckey, X509_SIG)
 } ASN1_BROKEN_SEQUENCE_END(NETSCAPE_ENCRYPTED_PKEY)
 
+DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY)
+DECLARE_ASN1_ENCODE_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY,NETSCAPE_ENCRYPTED_PKEY)
 IMPLEMENT_ASN1_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY)
 
 ASN1_SEQUENCE(NETSCAPE_PKEY) = {
@@ -100,6 +102,8 @@ ASN1_SEQUENCE(NETSCAPE_PKEY) = {
         ASN1_SIMPLE(NETSCAPE_PKEY, private_key, ASN1_OCTET_STRING)
 } ASN1_SEQUENCE_END(NETSCAPE_PKEY)
 
+DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_PKEY)
+DECLARE_ASN1_ENCODE_FUNCTIONS_const(NETSCAPE_PKEY,NETSCAPE_PKEY)
 IMPLEMENT_ASN1_FUNCTIONS_const(NETSCAPE_PKEY)
 
 static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
diff --git a/src/lib/libcrypto/asn1/t_pkey.c b/src/lib/libcrypto/asn1/t_pkey.c
index 8060115202..2d46914cb1 100644
--- a/src/lib/libcrypto/asn1/t_pkey.c
+++ b/src/lib/libcrypto/asn1/t_pkey.c
@@ -96,10 +96,34 @@ int RSA_print(BIO *bp, const RSA *x, int off)
         char str[128];
         const char *s;
         unsigned char *m=NULL;
-        int i,ret=0;
+        int ret=0;
+        size_t buf_len=0, i;
 
-        i=RSA_size(x);
-        m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+        if (x->n)
+                buf_len = (size_t)BN_num_bytes(x->n);
+        if (x->e)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->e)))
+                        buf_len = i;
+        if (x->d)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->d)))
+                        buf_len = i;
+        if (x->p)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->p)))
+                        buf_len = i;
+        if (x->q)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->q)))
+                        buf_len = i;
+        if (x->dmp1)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->dmp1)))
+                        buf_len = i;
+        if (x->dmq1)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->dmq1)))
+                        buf_len = i;
+        if (x->iqmp)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->iqmp)))
+                        buf_len = i;
+
+        m=(unsigned char *)OPENSSL_malloc(buf_len+10);
         if (m == NULL)
                 {
                 RSAerr(RSA_F_RSA_PRINT,ERR_R_MALLOC_FAILURE);
@@ -161,22 +185,25 @@ int DSA_print(BIO *bp, const DSA *x, int off)
         {
         char str[128];
         unsigned char *m=NULL;
-        int i,ret=0;
-        BIGNUM *bn=NULL;
+        int ret=0;
+        size_t buf_len=0,i;
 
-        if (x->p != NULL)
-                bn=x->p;
-        else if (x->priv_key != NULL)
-                bn=x->priv_key;
-        else if (x->pub_key != NULL)
-                bn=x->pub_key;
-                
-        /* larger than needed but what the hell :-) */
-        if (bn != NULL)
-                i=BN_num_bytes(bn)*2;
-        else
-                i=256;
-        m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+        if (x->p)
+                buf_len = (size_t)BN_num_bytes(x->p);
+        if (x->q)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->q)))
+                        buf_len = i;
+        if (x->g)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->g)))
+                        buf_len = i;
+        if (x->priv_key)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->priv_key)))
+                        buf_len = i;
+        if (x->pub_key)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->pub_key)))
+                        buf_len = i;
+
+        m=(unsigned char *)OPENSSL_malloc(buf_len+10);
         if (m == NULL)
                 {
                 DSAerr(DSA_F_DSA_PRINT,ERR_R_MALLOC_FAILURE);
@@ -281,10 +308,15 @@ int DHparams_print_fp(FILE *fp, const DH *x)
 int DHparams_print(BIO *bp, const DH *x)
         {
         unsigned char *m=NULL;
-        int reason=ERR_R_BUF_LIB,i,ret=0;
+        int reason=ERR_R_BUF_LIB,ret=0;
+        size_t buf_len=0, i;
 
-        i=BN_num_bytes(x->p);
-        m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+        if (x->p)
+                buf_len = (size_t)BN_num_bytes(x->p);
+        if (x->g)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->g)))
+                        buf_len = i;
+        m=(unsigned char *)OPENSSL_malloc(buf_len+10);
         if (m == NULL)
                 {
                 reason=ERR_R_MALLOC_FAILURE;
@@ -334,10 +366,18 @@ int DSAparams_print_fp(FILE *fp, const DSA *x)
 int DSAparams_print(BIO *bp, const DSA *x)
         {
         unsigned char *m=NULL;
-        int reason=ERR_R_BUF_LIB,i,ret=0;
+        int reason=ERR_R_BUF_LIB,ret=0;
+        size_t buf_len=0,i;
 
-        i=BN_num_bytes(x->p);
-        m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+        if (x->p)
+                buf_len = (size_t)BN_num_bytes(x->p);
+        if (x->q)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->q)))
+                        buf_len = i;
+        if (x->g)
+                if (buf_len < (i = (size_t)BN_num_bytes(x->g)))
+                        buf_len = i;
+        m=(unsigned char *)OPENSSL_malloc(buf_len+10);
         if (m == NULL)
                 {
                 reason=ERR_R_MALLOC_FAILURE;
diff --git a/src/lib/libcrypto/bio/b_sock.c b/src/lib/libcrypto/bio/b_sock.c
index dcaef68ea7..45bd7c47e8 100644
--- a/src/lib/libcrypto/bio/b_sock.c
+++ b/src/lib/libcrypto/bio/b_sock.c
@@ -484,7 +484,11 @@ int BIO_socket_ioctl(int fd, long type, unsigned long *arg)
         {
         int i;
 
+#ifdef __DJGPP__
+        i=ioctlsocket(fd,type,(char *)arg);
+#else
         i=ioctlsocket(fd,type,arg);
+#endif /* __DJGPP__ */
         if (i < 0)
                 SYSerr(SYS_F_IOCTLSOCKET,get_last_socket_error());
         return(i);
diff --git a/src/lib/libcrypto/bio/bio.h b/src/lib/libcrypto/bio/bio.h
index b122c7069d..c5caf253c9 100644
--- a/src/lib/libcrypto/bio/bio.h
+++ b/src/lib/libcrypto/bio/bio.h
@@ -554,7 +554,9 @@ BIO_METHOD *BIO_s_socket(void);
 BIO_METHOD *BIO_s_connect(void);
 BIO_METHOD *BIO_s_accept(void);
 BIO_METHOD *BIO_s_fd(void);
+#ifndef OPENSSL_SYS_OS2
 BIO_METHOD *BIO_s_log(void);
+#endif
 BIO_METHOD *BIO_s_bio(void);
 BIO_METHOD *BIO_s_null(void);
 BIO_METHOD *BIO_f_null(void);
@@ -647,6 +649,7 @@ void ERR_load_BIO_strings(void);
 #define BIO_F_CONN_CTRL                                  127
 #define BIO_F_CONN_STATE                                 115
 #define BIO_F_FILE_CTRL                                  116
+#define BIO_F_FILE_READ                                  130
 #define BIO_F_LINEBUFFER_CTRL                            129
 #define BIO_F_MEM_READ                                   128
 #define BIO_F_MEM_WRITE                                  117
diff --git a/src/lib/libcrypto/bio/bio_err.c b/src/lib/libcrypto/bio/bio_err.c
index 99ca3cd0da..68a119d895 100644
--- a/src/lib/libcrypto/bio/bio_err.c
+++ b/src/lib/libcrypto/bio/bio_err.c
@@ -91,6 +91,7 @@ static ERR_STRING_DATA BIO_str_functs[]=
 {ERR_PACK(0,BIO_F_CONN_CTRL,0), "CONN_CTRL"},
 {ERR_PACK(0,BIO_F_CONN_STATE,0),        "CONN_STATE"},
 {ERR_PACK(0,BIO_F_FILE_CTRL,0), "FILE_CTRL"},
+{ERR_PACK(0,BIO_F_FILE_READ,0), "FILE_READ"},
 {ERR_PACK(0,BIO_F_LINEBUFFER_CTRL,0),   "LINEBUFFER_CTRL"},
 {ERR_PACK(0,BIO_F_MEM_READ,0),  "MEM_READ"},
 {ERR_PACK(0,BIO_F_MEM_WRITE,0), "MEM_WRITE"},
diff --git a/src/lib/libcrypto/bio/bss_file.c b/src/lib/libcrypto/bio/bss_file.c
index 8b3ff278d9..826b361fa2 100644
--- a/src/lib/libcrypto/bio/bss_file.c
+++ b/src/lib/libcrypto/bio/bss_file.c
@@ -162,6 +162,12 @@ static int MS_CALLBACK file_read(BIO *b, char *out, int outl)
         if (b->init && (out != NULL))
                 {
                 ret=fread(out,1,(int)outl,(FILE *)b->ptr);
+                if(ret == 0 && ferror((FILE *)b->ptr))
+                        {
+                        SYSerr(SYS_F_FREAD,get_last_sys_error());
+                        BIOerr(BIO_F_FILE_READ,ERR_R_SYS_LIB);
+                        ret=-1;
+                        }
                 }
         return(ret);
         }
diff --git a/src/lib/libcrypto/bn/bn_lib.c b/src/lib/libcrypto/bn/bn_lib.c
index a016cb7f53..8abe095af2 100644
--- a/src/lib/libcrypto/bn/bn_lib.c
+++ b/src/lib/libcrypto/bn/bn_lib.c
@@ -397,6 +397,12 @@ BIGNUM *bn_dup_expand(const BIGNUM *b, int words)
         {
         BIGNUM *r = NULL;
 
+        /* This function does not work if
+         *      words <= b->dmax && top < words
+         * because BN_dup() does not preserve 'dmax'!
+         * (But bn_dup_expand() is not used anywhere yet.)
+         */
+        
         if (words > b->dmax)
                 {
                 BN_ULONG *a = bn_expand_internal(b, words);
diff --git a/src/lib/libcrypto/bn/bn_mul.c b/src/lib/libcrypto/bn/bn_mul.c
index fd598b8b3d..b03458d002 100644
--- a/src/lib/libcrypto/bn/bn_mul.c
+++ b/src/lib/libcrypto/bn/bn_mul.c
@@ -66,7 +66,7 @@
 #include "cryptlib.h"
 #include "bn_lcl.h"
 
-#if defined(OPENSSL_NO_ASM) || !(defined(__i386) || defined(__i386__))/* Assembler implementation exists only for x86 */
+#if defined(OPENSSL_NO_ASM) || !(defined(__i386) || defined(__i386__)) || defined(__DJGPP__) /* Assembler implementation exists only for x86 */
 /* Here follows specialised variants of bn_add_words() and
    bn_sub_words().  They have the property performing operations on
    arrays of different sizes.  The sizes of those arrays is expressed through
diff --git a/src/lib/libcrypto/conf/conf.h b/src/lib/libcrypto/conf/conf.h
index 3c03fb19c0..f4671442ab 100644
--- a/src/lib/libcrypto/conf/conf.h
+++ b/src/lib/libcrypto/conf/conf.h
@@ -129,6 +129,7 @@ int CONF_dump_fp(LHASH *conf, FILE *out);
 int CONF_dump_bio(LHASH *conf, BIO *out);
 
 void OPENSSL_config(const char *config_name);
+void OPENSSL_no_config(void);
 
 /* New conf code.  The semantics are different from the functions above.
    If that wasn't the case, the above functions would have been replaced */
@@ -141,10 +142,10 @@ struct conf_st
         };
 
 CONF *NCONF_new(CONF_METHOD *meth);
-CONF_METHOD *NCONF_default();
-CONF_METHOD *NCONF_WIN32();
+CONF_METHOD *NCONF_default(void);
+CONF_METHOD *NCONF_WIN32(void);
 #if 0 /* Just to give you an idea of what I have in mind */
-CONF_METHOD *NCONF_XML();
+CONF_METHOD *NCONF_XML(void);
 #endif
 void NCONF_free(CONF *conf);
 void NCONF_free_data(CONF *conf);
@@ -176,6 +177,7 @@ int CONF_modules_load_file(const char *filename, const char *appname,
                            unsigned long flags);
 void CONF_modules_unload(int all);
 void CONF_modules_finish(void);
+void CONF_modules_free(void);
 int CONF_module_add(const char *name, conf_init_func *ifunc,
                     conf_finish_func *ffunc);
 
diff --git a/src/lib/libcrypto/conf/conf_def.c b/src/lib/libcrypto/conf/conf_def.c
index 31f2766246..5e194de60e 100644
--- a/src/lib/libcrypto/conf/conf_def.c
+++ b/src/lib/libcrypto/conf/conf_def.c
@@ -67,6 +67,7 @@
 #include "conf_def.h"
 #include <openssl/buffer.h>
 #include <openssl/err.h>
+#include "cryptlib.h"
 
 static char *eat_ws(CONF *conf, char *p);
 static char *eat_alpha_numeric(CONF *conf, char *p);
@@ -208,12 +209,12 @@ static int def_load(CONF *conf, const char *name, long *line)
 static int def_load_bio(CONF *conf, BIO *in, long *line)
         {
 #define BUFSIZE 512
-        char btmp[16];
         int bufnum=0,i,ii;
         BUF_MEM *buff=NULL;
         char *s,*p,*end;
         int again,n;
         long eline=0;
+        char btmp[DECIMAL_SIZE(eline)+1];
         CONF_VALUE *v=NULL,*tv;
         CONF_VALUE *sv=NULL;
         char *section=NULL,*buf;
diff --git a/src/lib/libcrypto/conf/conf_lib.c b/src/lib/libcrypto/conf/conf_lib.c
index 7998f34c7b..6a3cf109dd 100644
--- a/src/lib/libcrypto/conf/conf_lib.c
+++ b/src/lib/libcrypto/conf/conf_lib.c
@@ -382,8 +382,9 @@ int NCONF_dump_bio(const CONF *conf, BIO *out)
         return conf->meth->dump(conf, out);
         }
 
+
 /* This function should be avoided */
-#undef NCONF_get_number
+#if 0
 long NCONF_get_number(CONF *conf,char *group,char *name)
         {
         int status;
@@ -397,4 +398,4 @@ long NCONF_get_number(CONF *conf,char *group,char *name)
                 }
         return ret;
         }
-
+#endif
diff --git a/src/lib/libcrypto/conf/conf_mod.c b/src/lib/libcrypto/conf/conf_mod.c
index f92babc2e2..edcc08921c 100644
--- a/src/lib/libcrypto/conf/conf_mod.c
+++ b/src/lib/libcrypto/conf/conf_mod.c
@@ -230,7 +230,7 @@ static int module_run(const CONF *cnf, char *name, char *value,
                 {
                 if (!(flags & CONF_MFLAGS_SILENT))
                         {
-                        char rcode[10];
+                        char rcode[DECIMAL_SIZE(ret)+1];
                         CONFerr(CONF_F_CONF_MODULES_LOAD, CONF_R_MODULE_INITIALIZATION_ERROR);
                         sprintf(rcode, "%-8d", ret);
                         ERR_add_error_data(6, "module=", name, ", value=", value, ", retcode=", rcode);
diff --git a/src/lib/libcrypto/cryptlib.c b/src/lib/libcrypto/cryptlib.c
index 612b3b93b4..d301b376f7 100644
--- a/src/lib/libcrypto/cryptlib.c
+++ b/src/lib/libcrypto/cryptlib.c
@@ -492,3 +492,11 @@ BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
 #endif
 
 #endif
+
+void OpenSSLDie(const char *file,int line,const char *assertion)
+    {
+    fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n",
+            file,line,assertion);
+    abort();
+    }
+
diff --git a/src/lib/libcrypto/cryptlib.h b/src/lib/libcrypto/cryptlib.h
index a0489e57fc..985a6d377c 100644
--- a/src/lib/libcrypto/cryptlib.h
+++ b/src/lib/libcrypto/cryptlib.h
@@ -89,6 +89,14 @@ extern "C" {
 #define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
 #define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
 
+/* size of string represenations */
+#define DECIMAL_SIZE(type)     ((sizeof(type)*8+2)/3+1)
+#define HEX_SIZE(type)         ((sizeof(type)*2)
+
+/* die if we have to */
+void OpenSSLDie(const char *file,int line,const char *assertion);
+#define die(e)  ((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
+
 #ifdef  __cplusplus
 }
 #endif
diff --git a/src/lib/libcrypto/doc/DH_get_ex_new_index.pod b/src/lib/libcrypto/doc/DH_get_ex_new_index.pod
index 82e2548bcd..fa5eab2650 100644
--- a/src/lib/libcrypto/doc/DH_get_ex_new_index.pod
+++ b/src/lib/libcrypto/doc/DH_get_ex_new_index.pod
@@ -26,7 +26,7 @@ as described in L<RSA_get_ex_new_index(3)>.
 
 =head1 SEE ALSO
 
-L<RSA_get_ex_new_index()|RSA_get_ex_new_index()>, L<dh(3)|dh(3)>
+L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>, L<dh(3)|dh(3)>
 
 =head1 HISTORY
 
diff --git a/src/lib/libcrypto/doc/EVP_DigestInit.pod b/src/lib/libcrypto/doc/EVP_DigestInit.pod
index b3a61f1c5d..5901c39526 100644
--- a/src/lib/libcrypto/doc/EVP_DigestInit.pod
+++ b/src/lib/libcrypto/doc/EVP_DigestInit.pod
@@ -238,14 +238,19 @@ even though they are identical digests.
 
 L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
 L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<digest(1)|digest(1)>
+L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
 
 =head1 HISTORY
 
 EVP_DigestInit(), EVP_DigestUpdate() and EVP_DigestFinal() are
 available in all versions of SSLeay and OpenSSL.
 
-EVP_DigestInit_ex(), EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex()
-were added in OpenSSL 0.9.7.
+EVP_MD_CTX_init(), EVP_MD_CTX_create(), EVP_MD_CTX_copy_ex(),
+EVP_MD_CTX_cleanup(), EVP_MD_CTX_destroy(), EVP_DigestInit_ex()
+and EVP_DigestFinal_ex() were added in OpenSSL 0.9.7.
+
+EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(),
+EVP_dss(), EVP_dss1(), EVP_mdc2() and EVP_ripemd160() were
+changed to return truely const EVP_MD * in OpenSSL 0.9.7.
 
 =cut
diff --git a/src/lib/libcrypto/doc/EVP_EncryptInit.pod b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
index 371b6a2287..75cceb1ca2 100644
--- a/src/lib/libcrypto/doc/EVP_EncryptInit.pod
+++ b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
@@ -501,4 +501,9 @@ L<evp(3)|evp(3)>
 
 =head1 HISTORY
 
+EVP_CIPHER_CTX_init(), EVP_EncryptInit_ex(), EVP_EncryptFinal_ex(),
+EVP_DecryptInit_ex(), EVP_DecryptFinal_ex(), EVP_CipherInit_ex(),
+EVP_CipherFinal_ex() and EVP_CIPHER_CTX_set_padding() appeared in
+OpenSSL 0.9.7.
+
 =cut
diff --git a/src/lib/libcrypto/doc/EVP_SignInit.pod b/src/lib/libcrypto/doc/EVP_SignInit.pod
index 32e9d54809..b203c3a1c5 100644
--- a/src/lib/libcrypto/doc/EVP_SignInit.pod
+++ b/src/lib/libcrypto/doc/EVP_SignInit.pod
@@ -84,13 +84,13 @@ L<EVP_VerifyInit(3)|EVP_VerifyInit(3)>,
 L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
 L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
 L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<digest(1)|digest(1)>
+L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
 
 =head1 HISTORY
 
 EVP_SignInit(), EVP_SignUpdate() and EVP_SignFinal() are
 available in all versions of SSLeay and OpenSSL.
 
-EVP_SignInit_ex() was added in OpenSSL 0.9.7
+EVP_SignInit_ex() was added in OpenSSL 0.9.7.
 
 =cut
diff --git a/src/lib/libcrypto/doc/EVP_VerifyInit.pod b/src/lib/libcrypto/doc/EVP_VerifyInit.pod
index 80c656fde8..b6afaedee5 100644
--- a/src/lib/libcrypto/doc/EVP_VerifyInit.pod
+++ b/src/lib/libcrypto/doc/EVP_VerifyInit.pod
@@ -74,7 +74,7 @@ L<EVP_SignInit(3)|EVP_SignInit(3)>,
 L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
 L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
 L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<digest(1)|digest(1)>
+L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
 
 =head1 HISTORY
 
diff --git a/src/lib/libcrypto/doc/RSA_check_key.pod b/src/lib/libcrypto/doc/RSA_check_key.pod
index 79fed753ad..3d824a07f5 100644
--- a/src/lib/libcrypto/doc/RSA_check_key.pod
+++ b/src/lib/libcrypto/doc/RSA_check_key.pod
@@ -18,7 +18,9 @@ in fact prime, and that B<n = p*q>.
 It also checks that B<d*e = 1 mod (p-1*q-1)>,
 and that B<dmp1>, B<dmq1> and B<iqmp> are set correctly or are B<NULL>.
 
-The key's public components may not be B<NULL>.
+As such, this function can not be used with any arbitrary RSA key object,
+even if it is otherwise fit for regular RSA operation. See B<NOTES> for more
+information.
 
 =head1 RETURN VALUE
 
@@ -28,12 +30,38 @@ RSA_check_key() returns 1 if B<rsa> is a valid RSA key, and 0 otherwise.
 If the key is invalid or an error occurred, the reason code can be
 obtained using L<ERR_get_error(3)|ERR_get_error(3)>.
 
+=head1 NOTES
+
+This function does not work on RSA public keys that have only the modulus
+and public exponent elements populated. It performs integrity checks on all
+the RSA key material, so the RSA key structure must contain all the private
+key data too.
+
+Unlike most other RSA functions, this function does B<not> work
+transparently with any underlying ENGINE implementation because it uses the
+key data in the RSA structure directly. An ENGINE implementation can
+override the way key data is stored and handled, and can even provide
+support for HSM keys - in which case the RSA structure may contain B<no>
+key data at all! If the ENGINE in question is only being used for
+acceleration or analysis purposes, then in all likelihood the RSA key data
+is complete and untouched, but this can't be assumed in the general case.
+
+=head1 BUGS
+
+A method of verifying the RSA key using opaque RSA API functions might need
+to be considered. Right now RSA_check_key() simply uses the RSA structure
+elements directly, bypassing the RSA_METHOD table altogether (and
+completely violating encapsulation and object-orientation in the process).
+The best fix will probably be to introduce a "check_key()" handler to the
+RSA_METHOD function table so that alternative implementations can also
+provide their own verifiers.
+
 =head1 SEE ALSO
 
 L<rsa(3)|rsa(3)>, L<err(3)|err(3)>
 
 =head1 HISTORY
 
-RSA_check() appeared in OpenSSL 0.9.4.
+RSA_check_key() appeared in OpenSSL 0.9.4.
 
 =cut
diff --git a/src/lib/libcrypto/doc/rsa.pod b/src/lib/libcrypto/doc/rsa.pod
index 09ad30cab1..2b93a12b65 100644
--- a/src/lib/libcrypto/doc/rsa.pod
+++ b/src/lib/libcrypto/doc/rsa.pod
@@ -110,7 +110,7 @@ L<RSA_blinding_on(3)|RSA_blinding_on(3)>,
 L<RSA_set_method(3)|RSA_set_method(3)>, L<RSA_print(3)|RSA_print(3)>,
 L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
 L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>,
-L<RSA_sign_ASN_OCTET_STRING(3)|RSA_sign_ASN_OCTET_STRING(3)>,
+L<RSA_sign_ASN1_OCTET_STRING(3)|RSA_sign_ASN1_OCTET_STRING(3)>,
 L<RSA_padding_add_PKCS1_type_1(3)|RSA_padding_add_PKCS1_type_1(3)> 
 
 =cut
diff --git a/src/lib/libcrypto/engine/eng_cnf.c b/src/lib/libcrypto/engine/eng_cnf.c
index 8c0ae8a1ad..cdf670901a 100644
--- a/src/lib/libcrypto/engine/eng_cnf.c
+++ b/src/lib/libcrypto/engine/eng_cnf.c
@@ -92,7 +92,7 @@ static int int_engine_init(ENGINE *e)
         }
         
 
-int int_engine_configure(char *name, char *value, const CONF *cnf)
+static int int_engine_configure(char *name, char *value, const CONF *cnf)
         {
         int i;
         int ret = 0;
diff --git a/src/lib/libcrypto/engine/eng_dyn.c b/src/lib/libcrypto/engine/eng_dyn.c
index 4fefcc0cae..4139a16e76 100644
--- a/src/lib/libcrypto/engine/eng_dyn.c
+++ b/src/lib/libcrypto/engine/eng_dyn.c
@@ -157,6 +157,10 @@ static void dynamic_data_ctx_free_func(void *parent, void *ptr,
                 dynamic_data_ctx *ctx = (dynamic_data_ctx *)ptr;
                 if(ctx->dynamic_dso)
                         DSO_free(ctx->dynamic_dso);
+                if(ctx->DYNAMIC_LIBNAME)
+                        OPENSSL_free((void*)ctx->DYNAMIC_LIBNAME);
+                if(ctx->engine_id)
+                        OPENSSL_free((void*)ctx->engine_id);
                 OPENSSL_free(ctx);
                 }
         }
@@ -169,7 +173,7 @@ static int dynamic_set_data_ctx(ENGINE *e, dynamic_data_ctx **ctx)
         {
         dynamic_data_ctx *c;
         c = OPENSSL_malloc(sizeof(dynamic_data_ctx));
-        if(!ctx)
+        if(!c)
                 {
                 ENGINEerr(ENGINE_F_SET_DATA_CTX,ERR_R_MALLOC_FAILURE);
                 return 0;
@@ -310,8 +314,13 @@ static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
                 /* a NULL 'p' or a string of zero-length is the same thing */
                 if(p && (strlen((const char *)p) < 1))
                         p = NULL;
-                ctx->DYNAMIC_LIBNAME = (const char *)p;
-                return 1;
+                if(ctx->DYNAMIC_LIBNAME)
+                        OPENSSL_free((void*)ctx->DYNAMIC_LIBNAME);
+                if(p)
+                        ctx->DYNAMIC_LIBNAME = BUF_strdup(p);
+                else
+                        ctx->DYNAMIC_LIBNAME = NULL;
+                return (ctx->DYNAMIC_LIBNAME ? 1 : 0);
         case DYNAMIC_CMD_NO_VCHECK:
                 ctx->no_vcheck = ((i == 0) ? 0 : 1);
                 return 1;
@@ -319,8 +328,13 @@ static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
                 /* a NULL 'p' or a string of zero-length is the same thing */
                 if(p && (strlen((const char *)p) < 1))
                         p = NULL;
-                ctx->engine_id = (const char *)p;
-                return 1;
+                if(ctx->engine_id)
+                        OPENSSL_free((void*)ctx->engine_id);
+                if(p)
+                        ctx->engine_id = BUF_strdup(p);
+                else
+                        ctx->engine_id = NULL;
+                return (ctx->engine_id ? 1 : 0);
         case DYNAMIC_CMD_LIST_ADD:
                 if((i < 0) || (i > 2))
                         {
diff --git a/src/lib/libcrypto/engine/eng_fat.c b/src/lib/libcrypto/engine/eng_fat.c
index d49aa7ed40..f7edb5ad32 100644
--- a/src/lib/libcrypto/engine/eng_fat.c
+++ b/src/lib/libcrypto/engine/eng_fat.c
@@ -84,7 +84,7 @@ int ENGINE_set_default(ENGINE *e, unsigned int flags)
 
 /* Set default algorithms using a string */
 
-int int_def_cb(const char *alg, int len, void *arg)
+static int int_def_cb(const char *alg, int len, void *arg)
         {
         unsigned int *pflags = arg;
         if (!strncmp(alg, "ALL", len))
diff --git a/src/lib/libcrypto/err/err.c b/src/lib/libcrypto/err/err.c
index 04773d65a6..5abe44e6d5 100644
--- a/src/lib/libcrypto/err/err.c
+++ b/src/lib/libcrypto/err/err.c
@@ -166,6 +166,7 @@ static ERR_STRING_DATA ERR_str_functs[]=
         {ERR_PACK(0,SYS_F_WSASTARTUP,0),        "WSAstartup"},
 #endif
         {ERR_PACK(0,SYS_F_OPENDIR,0),           "opendir"},
+        {ERR_PACK(0,SYS_F_FREAD,0),             "fread"},
         {0,NULL},
         };
 
diff --git a/src/lib/libcrypto/err/err.h b/src/lib/libcrypto/err/err.h
index cc9bb649ea..988ef81aa0 100644
--- a/src/lib/libcrypto/err/err.h
+++ b/src/lib/libcrypto/err/err.h
@@ -182,6 +182,7 @@ typedef struct err_state_st
 #define SYS_F_ACCEPT            8
 #define SYS_F_WSASTARTUP        9 /* Winsock stuff */
 #define SYS_F_OPENDIR           10
+#define SYS_F_FREAD             11
 
 
 /* reasons */
diff --git a/src/lib/libcrypto/evp/c_all.c b/src/lib/libcrypto/evp/c_all.c
index 5ffd352ea0..2d3e57c4fa 100644
--- a/src/lib/libcrypto/evp/c_all.c
+++ b/src/lib/libcrypto/evp/c_all.c
@@ -60,12 +60,14 @@
 #include "cryptlib.h"
 #include <openssl/evp.h>
 
+#if 0
 #undef OpenSSL_add_all_algorithms
 
 void OpenSSL_add_all_algorithms(void)
         {
         OPENSSL_add_all_algorithms_noconf();
         }
+#endif
 
 void OPENSSL_add_all_algorithms_noconf(void)
         {
diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h
index fb16de6852..45a25f968d 100644
--- a/src/lib/libcrypto/evp/evp.h
+++ b/src/lib/libcrypto/evp/evp.h
@@ -74,6 +74,48 @@
 #ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
+#ifndef OPENSSL_NO_MD2
+#include <openssl/md2.h>
+#endif
+#ifndef OPENSSL_NO_MD4
+#include <openssl/md4.h>
+#endif
+#ifndef OPENSSL_NO_MD5
+#include <openssl/md5.h>
+#endif
+#ifndef OPENSSL_NO_SHA
+#include <openssl/sha.h>
+#endif
+#ifndef OPENSSL_NO_RIPEMD
+#include <openssl/ripemd.h>
+#endif
+#ifndef OPENSSL_NO_DES
+#include <openssl/des.h>
+#endif
+#ifndef OPENSSL_NO_RC4
+#include <openssl/rc4.h>
+#endif
+#ifndef OPENSSL_NO_RC2
+#include <openssl/rc2.h>
+#endif
+#ifndef OPENSSL_NO_RC5
+#include <openssl/rc5.h>
+#endif
+#ifndef OPENSSL_NO_BF
+#include <openssl/blowfish.h>
+#endif
+#ifndef OPENSSL_NO_CAST
+#include <openssl/cast.h>
+#endif
+#ifndef OPENSSL_NO_IDEA
+#include <openssl/idea.h>
+#endif
+#ifndef OPENSSL_NO_MDC2
+#include <openssl/mdc2.h>
+#endif
+#ifndef OPENSSL_NO_AES
+#include <openssl/aes.h>
+#endif
 
 /*
 #define EVP_RC2_KEY_SIZE                16
@@ -91,6 +133,18 @@
 /* Default PKCS#5 iteration count */
 #define PKCS5_DEFAULT_ITER              2048
 
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
+
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+
 #include <openssl/objects.h>
 
 #define EVP_PK_RSA      0x0001
@@ -582,6 +636,8 @@ const EVP_CIPHER *EVP_enc_null(void);		/* does nothing :-) */
 const EVP_CIPHER *EVP_des_ecb(void);
 const EVP_CIPHER *EVP_des_ede(void);
 const EVP_CIPHER *EVP_des_ede3(void);
+const EVP_CIPHER *EVP_des_ede_ecb(void);
+const EVP_CIPHER *EVP_des_ede3_ecb(void);
 const EVP_CIPHER *EVP_des_cfb(void);
 const EVP_CIPHER *EVP_des_ede_cfb(void);
 const EVP_CIPHER *EVP_des_ede3_cfb(void);
diff --git a/src/lib/libcrypto/evp/evp_pbe.c b/src/lib/libcrypto/evp/evp_pbe.c
index 06afb9d152..bcd4d29f85 100644
--- a/src/lib/libcrypto/evp/evp_pbe.c
+++ b/src/lib/libcrypto/evp/evp_pbe.c
@@ -57,9 +57,9 @@
  */
 
 #include <stdio.h>
+#include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/x509.h>
-#include "cryptlib.h"
 
 /* Password based encryption (PBE) functions */
 
diff --git a/src/lib/libcrypto/evp/p5_crpt.c b/src/lib/libcrypto/evp/p5_crpt.c
index 113c60fedb..27a8286489 100644
--- a/src/lib/libcrypto/evp/p5_crpt.c
+++ b/src/lib/libcrypto/evp/p5_crpt.c
@@ -58,9 +58,9 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/evp.h>
-#include "cryptlib.h"
 
 /* PKCS#5 v1.5 compatible PBE functions: see PKCS#5 v2.0 for more info.
  */
diff --git a/src/lib/libcrypto/evp/p5_crpt2.c b/src/lib/libcrypto/evp/p5_crpt2.c
index 7881860b53..7485d6a278 100644
--- a/src/lib/libcrypto/evp/p5_crpt2.c
+++ b/src/lib/libcrypto/evp/p5_crpt2.c
@@ -58,10 +58,10 @@
 #if !defined(OPENSSL_NO_HMAC) && !defined(OPENSSL_NO_SHA)
 #include <stdio.h>
 #include <stdlib.h>
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
-#include "cryptlib.h"
 
 /* set this to print out info about the keygen algorithm */
 /* #define DEBUG_PKCS5V2 */
diff --git a/src/lib/libcrypto/objects/obj_dat.c b/src/lib/libcrypto/objects/obj_dat.c
index 3ff64bb8d1..02c3719f04 100644
--- a/src/lib/libcrypto/objects/obj_dat.c
+++ b/src/lib/libcrypto/objects/obj_dat.c
@@ -436,7 +436,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
         unsigned long l;
         unsigned char *p;
         const char *s;
-        char tbuf[32];
+        char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
 
         if (buf_len <= 0) return(0);
 
diff --git a/src/lib/libcrypto/objects/obj_mac.num b/src/lib/libcrypto/objects/obj_mac.num
index 02b39062fe..1486199661 100644
--- a/src/lib/libcrypto/objects/obj_mac.num
+++ b/src/lib/libcrypto/objects/obj_mac.num
@@ -507,3 +507,141 @@ mime_mhs_bodies		506
 id_hex_partial_message          507
 id_hex_multipart_message                508
 generationQualifier             509
+pseudonym               510
+InternationalRA         511
+id_set          512
+set_ctype               513
+set_msgExt              514
+set_attr                515
+set_policy              516
+set_certExt             517
+set_brand               518
+setct_PANData           519
+setct_PANToken          520
+setct_PANOnly           521
+setct_OIData            522
+setct_PI                523
+setct_PIData            524
+setct_PIDataUnsigned            525
+setct_HODInput          526
+setct_AuthResBaggage            527
+setct_AuthRevReqBaggage         528
+setct_AuthRevResBaggage         529
+setct_CapTokenSeq               530
+setct_PInitResData              531
+setct_PI_TBS            532
+setct_PResData          533
+setct_AuthReqTBS                534
+setct_AuthResTBS                535
+setct_AuthResTBSX               536
+setct_AuthTokenTBS              537
+setct_CapTokenData              538
+setct_CapTokenTBS               539
+setct_AcqCardCodeMsg            540
+setct_AuthRevReqTBS             541
+setct_AuthRevResData            542
+setct_AuthRevResTBS             543
+setct_CapReqTBS         544
+setct_CapReqTBSX                545
+setct_CapResData                546
+setct_CapRevReqTBS              547
+setct_CapRevReqTBSX             548
+setct_CapRevResData             549
+setct_CredReqTBS                550
+setct_CredReqTBSX               551
+setct_CredResData               552
+setct_CredRevReqTBS             553
+setct_CredRevReqTBSX            554
+setct_CredRevResData            555
+setct_PCertReqData              556
+setct_PCertResTBS               557
+setct_BatchAdminReqData         558
+setct_BatchAdminResData         559
+setct_CardCInitResTBS           560
+setct_MeAqCInitResTBS           561
+setct_RegFormResTBS             562
+setct_CertReqData               563
+setct_CertReqTBS                564
+setct_CertResData               565
+setct_CertInqReqTBS             566
+setct_ErrorTBS          567
+setct_PIDualSignedTBE           568
+setct_PIUnsignedTBE             569
+setct_AuthReqTBE                570
+setct_AuthResTBE                571
+setct_AuthResTBEX               572
+setct_AuthTokenTBE              573
+setct_CapTokenTBE               574
+setct_CapTokenTBEX              575
+setct_AcqCardCodeMsgTBE         576
+setct_AuthRevReqTBE             577
+setct_AuthRevResTBE             578
+setct_AuthRevResTBEB            579
+setct_CapReqTBE         580
+setct_CapReqTBEX                581
+setct_CapResTBE         582
+setct_CapRevReqTBE              583
+setct_CapRevReqTBEX             584
+setct_CapRevResTBE              585
+setct_CredReqTBE                586
+setct_CredReqTBEX               587
+setct_CredResTBE                588
+setct_CredRevReqTBE             589
+setct_CredRevReqTBEX            590
+setct_CredRevResTBE             591
+setct_BatchAdminReqTBE          592
+setct_BatchAdminResTBE          593
+setct_RegFormReqTBE             594
+setct_CertReqTBE                595
+setct_CertReqTBEX               596
+setct_CertResTBE                597
+setct_CRLNotificationTBS                598
+setct_CRLNotificationResTBS             599
+setct_BCIDistributionTBS                600
+setext_genCrypt         601
+setext_miAuth           602
+setext_pinSecure                603
+setext_pinAny           604
+setext_track2           605
+setext_cv               606
+set_policy_root         607
+setCext_hashedRoot              608
+setCext_certType                609
+setCext_merchData               610
+setCext_cCertRequired           611
+setCext_tunneling               612
+setCext_setExt          613
+setCext_setQualf                614
+setCext_PGWYcapabilities                615
+setCext_TokenIdentifier         616
+setCext_Track2Data              617
+setCext_TokenType               618
+setCext_IssuerCapabilities              619
+setAttr_Cert            620
+setAttr_PGWYcap         621
+setAttr_TokenType               622
+setAttr_IssCap          623
+set_rootKeyThumb                624
+set_addPolicy           625
+setAttr_Token_EMV               626
+setAttr_Token_B0Prime           627
+setAttr_IssCap_CVM              628
+setAttr_IssCap_T2               629
+setAttr_IssCap_Sig              630
+setAttr_GenCryptgrm             631
+setAttr_T2Enc           632
+setAttr_T2cleartxt              633
+setAttr_TokICCsig               634
+setAttr_SecDevSig               635
+set_brand_IATA_ATA              636
+set_brand_Diners                637
+set_brand_AmericanExpress               638
+set_brand_JCB           639
+set_brand_Visa          640
+set_brand_MasterCard            641
+set_brand_Novus         642
+des_cdmf                643
+rsaOAEPEncryptionSET            644
+itu_t           645
+joint_iso_itu_t         646
+international_organizations             647
diff --git a/src/lib/libcrypto/objects/objects.txt b/src/lib/libcrypto/objects/objects.txt
index 65d0b15629..71a4908485 100644
--- a/src/lib/libcrypto/objects/objects.txt
+++ b/src/lib/libcrypto/objects/objects.txt
@@ -542,6 +542,7 @@ X509 43			: 			: initials
 X509 44                 :                       : generationQualifier
 X509 45                 :                       : x500UniqueIdentifier
 X509 46                 : dnQualifier           : dnQualifier
+X509 65                 :                       : pseudonym
 X509 72                 : role                  : role
 
 X500 8                  : X500algorithms        : directory services - algorithms
@@ -762,3 +763,150 @@ pilotAttributeType 53	:			: personalSignature
 pilotAttributeType 54   :                       : dITRedirect
 pilotAttributeType 55   : audio
 pilotAttributeType 56   :                       : documentPublisher
+
+2 23 42                 : id-set                : Secure Electronic Transactions
+
+id-set 0                : set-ctype             : content types
+id-set 1                : set-msgExt            : message extensions
+id-set 3                : set-attr
+id-set 5                : set-policy
+id-set 7                : set-certExt           : certificate extensions
+id-set 8                : set-brand
+
+set-ctype 0             : setct-PANData
+set-ctype 1             : setct-PANToken
+set-ctype 2             : setct-PANOnly
+set-ctype 3             : setct-OIData
+set-ctype 4             : setct-PI
+set-ctype 5             : setct-PIData
+set-ctype 6             : setct-PIDataUnsigned
+set-ctype 7             : setct-HODInput
+set-ctype 8             : setct-AuthResBaggage
+set-ctype 9             : setct-AuthRevReqBaggage
+set-ctype 10            : setct-AuthRevResBaggage
+set-ctype 11            : setct-CapTokenSeq
+set-ctype 12            : setct-PInitResData
+set-ctype 13            : setct-PI-TBS
+set-ctype 14            : setct-PResData
+set-ctype 16            : setct-AuthReqTBS
+set-ctype 17            : setct-AuthResTBS
+set-ctype 18            : setct-AuthResTBSX
+set-ctype 19            : setct-AuthTokenTBS
+set-ctype 20            : setct-CapTokenData
+set-ctype 21            : setct-CapTokenTBS
+set-ctype 22            : setct-AcqCardCodeMsg
+set-ctype 23            : setct-AuthRevReqTBS
+set-ctype 24            : setct-AuthRevResData
+set-ctype 25            : setct-AuthRevResTBS
+set-ctype 26            : setct-CapReqTBS
+set-ctype 27            : setct-CapReqTBSX
+set-ctype 28            : setct-CapResData
+set-ctype 29            : setct-CapRevReqTBS
+set-ctype 30            : setct-CapRevReqTBSX
+set-ctype 31            : setct-CapRevResData
+set-ctype 32            : setct-CredReqTBS
+set-ctype 33            : setct-CredReqTBSX
+set-ctype 34            : setct-CredResData
+set-ctype 35            : setct-CredRevReqTBS
+set-ctype 36            : setct-CredRevReqTBSX
+set-ctype 37            : setct-CredRevResData
+set-ctype 38            : setct-PCertReqData
+set-ctype 39            : setct-PCertResTBS
+set-ctype 40            : setct-BatchAdminReqData
+set-ctype 41            : setct-BatchAdminResData
+set-ctype 42            : setct-CardCInitResTBS
+set-ctype 43            : setct-MeAqCInitResTBS
+set-ctype 44            : setct-RegFormResTBS
+set-ctype 45            : setct-CertReqData
+set-ctype 46            : setct-CertReqTBS
+set-ctype 47            : setct-CertResData
+set-ctype 48            : setct-CertInqReqTBS
+set-ctype 49            : setct-ErrorTBS
+set-ctype 50            : setct-PIDualSignedTBE
+set-ctype 51            : setct-PIUnsignedTBE
+set-ctype 52            : setct-AuthReqTBE
+set-ctype 53            : setct-AuthResTBE
+set-ctype 54            : setct-AuthResTBEX
+set-ctype 55            : setct-AuthTokenTBE
+set-ctype 56            : setct-CapTokenTBE
+set-ctype 57            : setct-CapTokenTBEX
+set-ctype 58            : setct-AcqCardCodeMsgTBE
+set-ctype 59            : setct-AuthRevReqTBE
+set-ctype 60            : setct-AuthRevResTBE
+set-ctype 61            : setct-AuthRevResTBEB
+set-ctype 62            : setct-CapReqTBE
+set-ctype 63            : setct-CapReqTBEX
+set-ctype 64            : setct-CapResTBE
+set-ctype 65            : setct-CapRevReqTBE
+set-ctype 66            : setct-CapRevReqTBEX
+set-ctype 67            : setct-CapRevResTBE
+set-ctype 68            : setct-CredReqTBE
+set-ctype 69            : setct-CredReqTBEX
+set-ctype 70            : setct-CredResTBE
+set-ctype 71            : setct-CredRevReqTBE
+set-ctype 72            : setct-CredRevReqTBEX
+set-ctype 73            : setct-CredRevResTBE
+set-ctype 74            : setct-BatchAdminReqTBE
+set-ctype 75            : setct-BatchAdminResTBE
+set-ctype 76            : setct-RegFormReqTBE
+set-ctype 77            : setct-CertReqTBE
+set-ctype 78            : setct-CertReqTBEX
+set-ctype 79            : setct-CertResTBE
+set-ctype 80            : setct-CRLNotificationTBS
+set-ctype 81            : setct-CRLNotificationResTBS
+set-ctype 82            : setct-BCIDistributionTBS
+
+set-msgExt 1            : setext-genCrypt       : generic cryptogram
+set-msgExt 3            : setext-miAuth         : merchant initiated auth
+set-msgExt 4            : setext-pinSecure
+set-msgExt 5            : setext-pinAny
+set-msgExt 7            : setext-track2
+set-msgExt 8            : setext-cv             : additional verification
+
+set-policy 0            : set-policy-root
+
+set-certExt 0           : setCext-hashedRoot
+set-certExt 1           : setCext-certType
+set-certExt 2           : setCext-merchData
+set-certExt 3           : setCext-cCertRequired
+set-certExt 4           : setCext-tunneling
+set-certExt 5           : setCext-setExt
+set-certExt 6           : setCext-setQualf
+set-certExt 7           : setCext-PGWYcapabilities
+set-certExt 8           : setCext-TokenIdentifier
+set-certExt 9           : setCext-Track2Data
+set-certExt 10          : setCext-TokenType
+set-certExt 11          : setCext-IssuerCapabilities
+
+set-attr 0              : setAttr-Cert
+set-attr 1              : setAttr-PGWYcap       : payment gateway capabilities
+set-attr 2              : setAttr-TokenType
+set-attr 3              : setAttr-IssCap        : issuer capabilities
+
+setAttr-Cert 0          : set-rootKeyThumb
+setAttr-Cert 1          : set-addPolicy
+
+setAttr-TokenType 1     : setAttr-Token-EMV
+setAttr-TokenType 2     : setAttr-Token-B0Prime
+
+setAttr-IssCap 3        : setAttr-IssCap-CVM
+setAttr-IssCap 4        : setAttr-IssCap-T2
+setAttr-IssCap 5        : setAttr-IssCap-Sig
+
+setAttr-IssCap-CVM 1    : setAttr-GenCryptgrm   : generate cryptogram
+setAttr-IssCap-T2 1     : setAttr-T2Enc         : encrypted track 2
+setAttr-IssCap-T2 2     : setAttr-T2cleartxt    : cleartext track 2
+
+setAttr-IssCap-Sig 1    : setAttr-TokICCsig     : ICC or token signature
+setAttr-IssCap-Sig 2    : setAttr-SecDevSig     : secure device signature
+
+set-brand 1             : set-brand-IATA-ATA
+set-brand 30            : set-brand-Diners
+set-brand 34            : set-brand-AmericanExpress
+set-brand 35            : set-brand-JCB
+set-brand 4             : set-brand-Visa
+set-brand 5             : set-brand-MasterCard
+set-brand 6011          : set-brand-Novus
+
+rsadsi 3 10             : DES-CDMF              : des-cdmf
+rsadsi 1 1 6            : rsaOAEPEncryptionSET
diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h
index 0d23a02fb2..9689b49c5b 100644
--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -25,8 +25,8 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER  0x00907001L
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7-beta1 01 Jun 2002"
+#define OPENSSL_VERSION_NUMBER  0x00907003L
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7-beta3 30 Jul 2002"
 #define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
 
diff --git a/src/lib/libcrypto/pem/pem2.h b/src/lib/libcrypto/pem/pem2.h
index 4e484bcd82..f31790d69c 100644
--- a/src/lib/libcrypto/pem/pem2.h
+++ b/src/lib/libcrypto/pem/pem2.h
@@ -61,7 +61,9 @@
 extern "C" {
 #endif
 
+#ifndef HEADER_PEM_H
 void ERR_load_PEM_strings(void);
+#endif
 
 #ifdef __cplusplus
 }
diff --git a/src/lib/libcrypto/pem/pem_pkey.c b/src/lib/libcrypto/pem/pem_pkey.c
index 270892d72b..d96ecf6940 100644
--- a/src/lib/libcrypto/pem/pem_pkey.c
+++ b/src/lib/libcrypto/pem/pem_pkey.c
@@ -85,6 +85,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, vo
         else if (strcmp(nm,PEM_STRING_PKCS8INF) == 0) {
                 PKCS8_PRIV_KEY_INFO *p8inf;
                 p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len);
+                if(!p8inf) goto p8err;
                 ret = EVP_PKCS82PKEY(p8inf);
                 PKCS8_PRIV_KEY_INFO_free(p8inf);
         } else if (strcmp(nm,PEM_STRING_PKCS8) == 0) {
diff --git a/src/lib/libcrypto/perlasm/x86asm.pl b/src/lib/libcrypto/perlasm/x86asm.pl
index 81c6e64e87..9a3d85b098 100644
--- a/src/lib/libcrypto/perlasm/x86asm.pl
+++ b/src/lib/libcrypto/perlasm/x86asm.pl
@@ -87,6 +87,12 @@ $tmp
 #ifdef OUT
 #define OK      1
 #define ALIGN   4
+#if defined(__CYGWIN__) || defined(__DJGPP__)
+#undef SIZE
+#undef TYPE
+#define SIZE(a,b)
+#define TYPE(a,b)
+#endif /* __CYGWIN || __DJGPP */
 #endif
 
 #if defined(BSDI) && !defined(ELF)
diff --git a/src/lib/libcrypto/pkcs12/pkcs12.h b/src/lib/libcrypto/pkcs12/pkcs12.h
index 1786b6d4f3..dd338f266c 100644
--- a/src/lib/libcrypto/pkcs12/pkcs12.h
+++ b/src/lib/libcrypto/pkcs12/pkcs12.h
@@ -156,8 +156,8 @@ union {
 #define M_PKCS12_decrypt_skey PKCS12_decrypt_skey
 #define M_PKCS8_decrypt PKCS8_decrypt
 
-#define M_PKCS12_bag_type(bag) OBJ_obj2nid(bag->type)
-#define M_PKCS12_cert_bag_type(bag) OBJ_obj2nid(bag->value.bag->type)
+#define M_PKCS12_bag_type(bg) OBJ_obj2nid((bg)->type)
+#define M_PKCS12_cert_bag_type(bg) OBJ_obj2nid((bg)->value.bag->type)
 #define M_PKCS12_crl_bag_type M_PKCS12_cert_bag_type
 
 #define PKCS12_get_attr(bag, attr_nid) \
diff --git a/src/lib/libcrypto/rand/rand.h b/src/lib/libcrypto/rand/rand.h
index e17aa7a9f7..66e39991ec 100644
--- a/src/lib/libcrypto/rand/rand.h
+++ b/src/lib/libcrypto/rand/rand.h
@@ -61,6 +61,11 @@
 
 #include <stdlib.h>
 #include <openssl/ossl_typ.h>
+#include <openssl/e_os2.h>
+
+#if defined(OPENSSL_SYS_WINDOWS)
+#include <windows.h>
+#endif
 
 #ifdef  __cplusplus
 extern "C" {
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index 030a6c88e5..98b3bd7cc5 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -276,6 +276,9 @@ int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 int RSA_set_ex_data(RSA *r,int idx,void *arg);
 void *RSA_get_ex_data(const RSA *r, int idx);
 
+RSA *RSAPublicKey_dup(RSA *rsa);
+RSA *RSAPrivateKey_dup(RSA *rsa);
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
diff --git a/src/lib/libcrypto/ui/ui_openssl.c b/src/lib/libcrypto/ui/ui_openssl.c
index 4e12165410..2c2fbc0443 100644
--- a/src/lib/libcrypto/ui/ui_openssl.c
+++ b/src/lib/libcrypto/ui/ui_openssl.c
@@ -269,7 +269,7 @@ static long tty_orig[3], tty_new[3]; /* XXX   Is there any guarantee that this w
 static long status;
 static unsigned short channel = 0;
 #else
-#ifndef OPENSSL_SYS_MSDOS
+#if !defined(OPENSSL_SYS_MSDOS) || defined(__DJGPP__)
 static TTY_STRUCT tty_orig,tty_new;
 #endif
 #endif
diff --git a/src/lib/libcrypto/ui/ui_util.c b/src/lib/libcrypto/ui/ui_util.c
index 7c6f7d3a73..f05573df33 100644
--- a/src/lib/libcrypto/ui/ui_util.c
+++ b/src/lib/libcrypto/ui/ui_util.c
@@ -71,12 +71,15 @@ int UI_UTIL_read_pw(char *buf,char *buff,int size,const char *prompt,int verify)
         int ok = 0;
         UI *ui;
 
+        if (size < 1)
+                return -1;
+
         ui = UI_new();
         if (ui)
                 {
-                ok = UI_add_input_string(ui,prompt,0,buf,0,BUFSIZ-1);
+                ok = UI_add_input_string(ui,prompt,0,buf,0,size-1);
                 if (ok == 0 && verify)
-                        ok = UI_add_verify_string(ui,prompt,0,buff,0,BUFSIZ-1,
+                        ok = UI_add_verify_string(ui,prompt,0,buff,0,size-1,
                                 buf);
                 if (ok == 0)
                         ok=UI_process(ui);
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
index 586f116db5..2fb97d8925 100644
--- a/src/lib/libcrypto/x509v3/ext_dat.h
+++ b/src/lib/libcrypto/x509v3/ext_dat.h
@@ -99,8 +99,8 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 &v3_ocsp_nocheck,
 &v3_ocsp_acutoff,
 &v3_ocsp_serviceloc,
-&v3_crl_hold,
-&v3_sinfo
+&v3_sinfo,
+&v3_crl_hold
 };
 
 /* Number of standard extensions */
diff --git a/src/lib/libcrypto/x509v3/v3_info.c b/src/lib/libcrypto/x509v3/v3_info.c
index 7f17f3231d..e1cf01a9b4 100644
--- a/src/lib/libcrypto/x509v3/v3_info.c
+++ b/src/lib/libcrypto/x509v3/v3_info.c
@@ -158,6 +158,7 @@ static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *metho
                 objlen = ptmp - cnf->name;
                 ctmp.name = ptmp + 1;
                 ctmp.value = cnf->value;
+                GENERAL_NAME_free(acc->location);
                 if(!(acc->location = v2i_GENERAL_NAME(method, ctx, &ctmp)))
                                                                  goto err; 
                 if(!(objtmp = OPENSSL_malloc(objlen + 1))) {