300 files changed, 2951 insertions, 2319 deletions

diff --git a/src/lib/libcrypto/Makefile.ssl b/src/lib/libcrypto/Makefile.ssl
index db8baf385e..3071e3cb86 100644
--- a/src/lib/libcrypto/Makefile.ssl
+++ b/src/lib/libcrypto/Makefile.ssl
@@ -36,8 +36,8 @@ GENERAL=Makefile README crypto-lib.com install.com
 
 LIB= $(TOP)/libcrypto.a
 SHARED_LIB= libcrypto$(SHLIB_EXT)
-LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c
-LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o
+LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c
+LIBOBJ= cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o
 
 SRC= $(LIBSRC)
 
@@ -136,12 +136,12 @@ lint:
 
 depend:
         if [ ! -f buildinf.h ]; then touch buildinf.h; fi # fake buildinf.h if it does not exist
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDE) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
         if [ ! -s buildinf.h ]; then rm buildinf.h; fi
         @for i in $(SDIRS) ;\
         do \
         (cd $$i && echo "making depend in crypto/$$i..." && \
-        $(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' PERL='${PERL}' depend ); \
+        $(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' PERL='${PERL}' depend ); \
         done;
 
 clean:
@@ -193,6 +193,10 @@ mem.o: ../include/openssl/err.h ../include/openssl/lhash.h
 mem.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 mem.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 mem.o: ../include/openssl/symhacks.h cryptlib.h mem.c
+mem_clr.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+mem_clr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+mem_clr.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+mem_clr.o: ../include/openssl/symhacks.h mem_clr.c
 mem_dbg.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 mem_dbg.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 mem_dbg.o: ../include/openssl/err.h ../include/openssl/lhash.h
diff --git a/src/lib/libcrypto/aes/Makefile.ssl b/src/lib/libcrypto/aes/Makefile.ssl
index 9358802a2e..f353aeb697 100644
--- a/src/lib/libcrypto/aes/Makefile.ssl
+++ b/src/lib/libcrypto/aes/Makefile.ssl
@@ -75,7 +75,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/aes/aes.h b/src/lib/libcrypto/aes/aes.h
index e8da921ec5..8294a41a3a 100644
--- a/src/lib/libcrypto/aes/aes.h
+++ b/src/lib/libcrypto/aes/aes.h
@@ -56,8 +56,9 @@
 #error AES is disabled.
 #endif
 
-static const int AES_DECRYPT = 0;
-static const int AES_ENCRYPT = 1;
+#define AES_ENCRYPT     1
+#define AES_DECRYPT     0
+
 /* Because array size can't be a const in C, the following two are macros.
    Both sizes are in bytes. */
 #define AES_MAXNR 14
@@ -99,7 +100,9 @@ void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
         unsigned char *ivec, int *num);
 void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
         const unsigned long length, const AES_KEY *key,
-        unsigned char *counter, unsigned int *num);
+        unsigned char counter[AES_BLOCK_SIZE],
+        unsigned char ecount_buf[AES_BLOCK_SIZE],
+        unsigned int *num);
 
 
 #ifdef  __cplusplus
diff --git a/src/lib/libcrypto/aes/aes_cbc.c b/src/lib/libcrypto/aes/aes_cbc.c
index 3dfd7aba2a..de438306b1 100644
--- a/src/lib/libcrypto/aes/aes_cbc.c
+++ b/src/lib/libcrypto/aes/aes_cbc.c
@@ -49,7 +49,13 @@
  *
  */
 
+#ifndef AES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
 #include <assert.h>
+
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
@@ -57,33 +63,49 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
                      const unsigned long length, const AES_KEY *key,
                      unsigned char *ivec, const int enc) {
 
-        int n;
+        unsigned long n;
         unsigned long len = length;
-        unsigned char tmp[16];
+        unsigned char tmp[AES_BLOCK_SIZE];
 
         assert(in && out && key && ivec);
-        assert(length % AES_BLOCK_SIZE == 0);
         assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
 
-        if (AES_ENCRYPT == enc)
-                while (len > 0) {
-                        for(n=0; n < 16; ++n)
+        if (AES_ENCRYPT == enc) {
+                while (len >= AES_BLOCK_SIZE) {
+                        for(n=0; n < sizeof tmp; ++n)
                                 tmp[n] = in[n] ^ ivec[n];
                         AES_encrypt(tmp, out, key);
-                        memcpy(ivec, out, 16);
-                        len -= 16;
-                        in += 16;
-                        out += 16;
+                        memcpy(ivec, out, AES_BLOCK_SIZE);
+                        len -= AES_BLOCK_SIZE;
+                        in += AES_BLOCK_SIZE;
+                        out += AES_BLOCK_SIZE;
                 }
-        else
-                while (len > 0) {
-                        memcpy(tmp, in, 16);
+                if (len) {
+                        for(n=0; n < len; ++n)
+                                tmp[n] = in[n] ^ ivec[n];
+                        for(n=len; n < AES_BLOCK_SIZE; ++n)
+                                tmp[n] = ivec[n];
+                        AES_encrypt(tmp, tmp, key);
+                        memcpy(out, tmp, len);
+                        memcpy(ivec, tmp, sizeof tmp);
+                }                       
+        } else {
+                while (len >= AES_BLOCK_SIZE) {
+                        memcpy(tmp, in, sizeof tmp);
                         AES_decrypt(in, out, key);
-                        for(n=0; n < 16; ++n)
+                        for(n=0; n < AES_BLOCK_SIZE; ++n)
                                 out[n] ^= ivec[n];
-                        memcpy(ivec, tmp, 16);
-                        len -= 16;
-                        in += 16;
-                        out += 16;
+                        memcpy(ivec, tmp, AES_BLOCK_SIZE);
+                        len -= AES_BLOCK_SIZE;
+                        in += AES_BLOCK_SIZE;
+                        out += AES_BLOCK_SIZE;
                 }
+                if (len) {
+                        memcpy(tmp, in, sizeof tmp);
+                        AES_decrypt(tmp, tmp, key);
+                        for(n=0; n < len; ++n)
+                                out[n] ^= ivec[n];
+                        memcpy(ivec, tmp, sizeof tmp);
+                }                       
+        }
 }
diff --git a/src/lib/libcrypto/aes/aes_cfb.c b/src/lib/libcrypto/aes/aes_cfb.c
index 41c2a5ec3d..9b569dda90 100644
--- a/src/lib/libcrypto/aes/aes_cfb.c
+++ b/src/lib/libcrypto/aes/aes_cfb.c
@@ -105,7 +105,13 @@
  * [including the GNU Public Licence.]
  */
 
+#ifndef AES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
 #include <assert.h>
+
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
diff --git a/src/lib/libcrypto/aes/aes_core.c b/src/lib/libcrypto/aes/aes_core.c
index 937988dd8c..2f41a825f8 100644
--- a/src/lib/libcrypto/aes/aes_core.c
+++ b/src/lib/libcrypto/aes/aes_core.c
@@ -28,7 +28,13 @@
 /* Note: rewritten a little bit to provide error control and an OpenSSL-
    compatible API */
 
+#ifndef AES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
 #include <assert.h>
+
 #include <stdlib.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
@@ -744,7 +750,7 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
         rk[2] = GETU32(userKey +  8);
         rk[3] = GETU32(userKey + 12);
         if (bits == 128) {
-                for (;;) {
+                while (1) {
                         temp  = rk[3];
                         rk[4] = rk[0] ^
                                 (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
@@ -764,7 +770,7 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
         rk[4] = GETU32(userKey + 16);
         rk[5] = GETU32(userKey + 20);
         if (bits == 192) {
-                for (;;) {
+                while (1) {
                         temp = rk[ 5];
                         rk[ 6] = rk[ 0] ^
                                 (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
@@ -786,7 +792,7 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
         rk[6] = GETU32(userKey + 24);
         rk[7] = GETU32(userKey + 28);
         if (bits == 256) {
-                for (;;) {
+                while (1) {
                         temp = rk[ 7];
                         rk[ 8] = rk[ 0] ^
                                 (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
diff --git a/src/lib/libcrypto/aes/aes_ctr.c b/src/lib/libcrypto/aes/aes_ctr.c
index aea3db2092..59088499a0 100644
--- a/src/lib/libcrypto/aes/aes_ctr.c
+++ b/src/lib/libcrypto/aes/aes_ctr.c
@@ -49,7 +49,13 @@
  *
  */
 
+#ifndef AES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
 #include <assert.h>
+
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
@@ -90,26 +96,31 @@ static void AES_ctr128_inc(unsigned char *counter) {
 
 /* The input encrypted as though 128bit counter mode is being
  * used.  The extra state information to record how much of the
- * 128bit block we have used is contained in *num;
+ * 128bit block we have used is contained in *num, and the
+ * encrypted counter is kept in ecount_buf.  Both *num and
+ * ecount_buf must be initialised with zeros before the first
+ * call to AES_ctr128_encrypt().
  */
 void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
         const unsigned long length, const AES_KEY *key,
-        unsigned char *counter, unsigned int *num) {
+        unsigned char counter[AES_BLOCK_SIZE],
+        unsigned char ecount_buf[AES_BLOCK_SIZE],
+        unsigned int *num) {
 
         unsigned int n;
         unsigned long l=length;
-        unsigned char tmp[AES_BLOCK_SIZE];
 
         assert(in && out && key && counter && num);
+        assert(*num < AES_BLOCK_SIZE);
 
         n = *num;
 
         while (l--) {
                 if (n == 0) {
-                        AES_encrypt(counter, tmp, key);
+                        AES_encrypt(counter, ecount_buf, key);
                         AES_ctr128_inc(counter);
                 }
-                *(out++) = *(in++) ^ tmp[n];
+                *(out++) = *(in++) ^ ecount_buf[n];
                 n = (n+1) % AES_BLOCK_SIZE;
         }
 
diff --git a/src/lib/libcrypto/aes/aes_ecb.c b/src/lib/libcrypto/aes/aes_ecb.c
index 1cb2e07d3d..28aa561c2d 100644
--- a/src/lib/libcrypto/aes/aes_ecb.c
+++ b/src/lib/libcrypto/aes/aes_ecb.c
@@ -49,7 +49,13 @@
  *
  */
 
+#ifndef AES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
 #include <assert.h>
+
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
diff --git a/src/lib/libcrypto/aes/aes_locl.h b/src/lib/libcrypto/aes/aes_locl.h
index 18fc2d0747..f290946058 100644
--- a/src/lib/libcrypto/aes/aes_locl.h
+++ b/src/lib/libcrypto/aes/aes_locl.h
@@ -62,7 +62,7 @@
 #include <stdlib.h>
 #include <string.h>
 
-#ifdef _MSC_VER
+#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE)
 # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
 # define GETU32(p) SWAP(*((u32 *)(p)))
 # define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
diff --git a/src/lib/libcrypto/aes/aes_ofb.c b/src/lib/libcrypto/aes/aes_ofb.c
index e33bdaea28..f358bb39e2 100644
--- a/src/lib/libcrypto/aes/aes_ofb.c
+++ b/src/lib/libcrypto/aes/aes_ofb.c
@@ -105,7 +105,13 @@
  * [including the GNU Public Licence.]
  */
 
+#ifndef AES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
 #include <assert.h>
+
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
diff --git a/src/lib/libcrypto/asn1/Makefile.ssl b/src/lib/libcrypto/asn1/Makefile.ssl
index b5a186c904..cb45194d48 100644
--- a/src/lib/libcrypto/asn1/Makefile.ssl
+++ b/src/lib/libcrypto/asn1/Makefile.ssl
@@ -98,7 +98,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -286,13 +286,14 @@ a_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 a_sign.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 a_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 a_sign.o: ../cryptlib.h a_sign.c
-a_strex.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-a_strex.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-a_strex.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_strex.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-a_strex.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-a_strex.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-a_strex.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
+a_strex.o: ../../e_os.h ../../include/openssl/aes.h
+a_strex.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_strex.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+a_strex.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+a_strex.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+a_strex.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+a_strex.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+a_strex.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 a_strex.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
 a_strex.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 a_strex.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
@@ -305,7 +306,7 @@ a_strex.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 a_strex.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 a_strex.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 a_strex.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-a_strex.o: ../../include/openssl/x509_vfy.h a_strex.c charmap.h
+a_strex.o: ../../include/openssl/x509_vfy.h ../cryptlib.h a_strex.c charmap.h
 a_strnid.o: ../../e_os.h ../../include/openssl/asn1.h
 a_strnid.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 a_strnid.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
diff --git a/src/lib/libcrypto/asn1/a_bitstr.c b/src/lib/libcrypto/asn1/a_bitstr.c
index e0265f69d2..f4ea96cd54 100644
--- a/src/lib/libcrypto/asn1/a_bitstr.c
+++ b/src/lib/libcrypto/asn1/a_bitstr.c
@@ -191,7 +191,9 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
                 if (a->data == NULL)
                         c=(unsigned char *)OPENSSL_malloc(w+1);
                 else
-                        c=(unsigned char *)OPENSSL_realloc(a->data,w+1);
+                        c=(unsigned char *)OPENSSL_realloc_clean(a->data,
+                                                                 a->length,
+                                                                 w+1);
                 if (c == NULL) return(0);
                 if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length);
                 a->data=c;
diff --git a/src/lib/libcrypto/asn1/a_bytes.c b/src/lib/libcrypto/asn1/a_bytes.c
index bb88660f58..afd27b80e1 100644
--- a/src/lib/libcrypto/asn1/a_bytes.c
+++ b/src/lib/libcrypto/asn1/a_bytes.c
@@ -285,7 +285,7 @@ static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c)
                         goto err;
                         }
 
-                if (!BUF_MEM_grow(&b,num+os->length))
+                if (!BUF_MEM_grow_clean(&b,num+os->length))
                         {
                         c->error=ERR_R_BUF_LIB;
                         goto err;
diff --git a/src/lib/libcrypto/asn1/a_d2i_fp.c b/src/lib/libcrypto/asn1/a_d2i_fp.c
index a80fbe9ff7..b67b75e7c2 100644
--- a/src/lib/libcrypto/asn1/a_d2i_fp.c
+++ b/src/lib/libcrypto/asn1/a_d2i_fp.c
@@ -149,7 +149,12 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
         ASN1_CTX c;
         int want=HEADER_SIZE;
         int eos=0;
+#if defined(__GNUC__) && defined(__ia64)
+        /* pathetic compiler bug in all known versions as of Nov. 2002 */
+        long off=0;
+#else
         int off=0;
+#endif
         int len=0;
 
         b=BUF_MEM_new();
@@ -166,7 +171,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
                         {
                         want-=(len-off);
 
-                        if (!BUF_MEM_grow(b,len+want))
+                        if (!BUF_MEM_grow_clean(b,len+want))
                                 {
                                 ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE);
                                 goto err;
@@ -221,18 +226,23 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
                         if (want > (len-off))
                                 {
                                 want-=(len-off);
-                                if (!BUF_MEM_grow(b,len+want))
+                                if (!BUF_MEM_grow_clean(b,len+want))
                                         {
                                         ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE);
                                         goto err;
                                         }
-                                i=BIO_read(in,&(b->data[len]),want);
-                                if (i <= 0)
+                                while (want > 0)
                                         {
-                                        ASN1err(ASN1_F_ASN1_D2I_BIO,ASN1_R_NOT_ENOUGH_DATA);
-                                        goto err;
+                                        i=BIO_read(in,&(b->data[len]),want);
+                                        if (i <= 0)
+                                                {
+                                                ASN1err(ASN1_F_ASN1_D2I_BIO,
+                                                    ASN1_R_NOT_ENOUGH_DATA);
+                                                goto err;
+                                                }
+                                        len+=i;
+                                        want -= i;
                                         }
-                                len+=i;
                                 }
                         off+=(int)c.slen;
                         if (eos <= 0)
diff --git a/src/lib/libcrypto/asn1/a_object.c b/src/lib/libcrypto/asn1/a_object.c
index 71ce7c3896..0a8e6c287c 100644
--- a/src/lib/libcrypto/asn1/a_object.c
+++ b/src/lib/libcrypto/asn1/a_object.c
@@ -183,8 +183,8 @@ int i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a)
 
         if ((a == NULL) || (a->data == NULL))
                 return(BIO_write(bp,"NULL",4));
-        i=i2t_ASN1_OBJECT(buf,80,a);
-        if (i > 80) i=80;
+        i=i2t_ASN1_OBJECT(buf,sizeof buf,a);
+        if (i > sizeof buf) i=sizeof buf;
         BIO_write(bp,buf,i);
         return(i);
         }
diff --git a/src/lib/libcrypto/asn1/a_sign.c b/src/lib/libcrypto/asn1/a_sign.c
index de53b44144..52ce7e3974 100644
--- a/src/lib/libcrypto/asn1/a_sign.c
+++ b/src/lib/libcrypto/asn1/a_sign.c
@@ -204,9 +204,9 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 err:
         EVP_MD_CTX_cleanup(&ctx);
         if (buf_in != NULL)
-                { memset((char *)buf_in,0,(unsigned int)inl); OPENSSL_free(buf_in); }
+                { OPENSSL_cleanse((char *)buf_in,(unsigned int)inl); OPENSSL_free(buf_in); }
         if (buf_out != NULL)
-                { memset((char *)buf_out,0,outll); OPENSSL_free(buf_out); }
+                { OPENSSL_cleanse((char *)buf_out,outll); OPENSSL_free(buf_out); }
         return(outl);
         }
 
@@ -287,8 +287,8 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 err:
         EVP_MD_CTX_cleanup(&ctx);
         if (buf_in != NULL)
-                { memset((char *)buf_in,0,(unsigned int)inl); OPENSSL_free(buf_in); }
+                { OPENSSL_cleanse((char *)buf_in,(unsigned int)inl); OPENSSL_free(buf_in); }
         if (buf_out != NULL)
-                { memset((char *)buf_out,0,outll); OPENSSL_free(buf_out); }
+                { OPENSSL_cleanse((char *)buf_out,outll); OPENSSL_free(buf_out); }
         return(outl);
         }
diff --git a/src/lib/libcrypto/asn1/a_strex.c b/src/lib/libcrypto/asn1/a_strex.c
index 7ddb7662f1..1def6c6549 100644
--- a/src/lib/libcrypto/asn1/a_strex.c
+++ b/src/lib/libcrypto/asn1/a_strex.c
@@ -63,6 +63,7 @@
 #include <openssl/asn1.h>
 
 #include "charmap.h"
+#include "cryptlib.h"
 
 /* ASN1_STRING_print_ex() and X509_NAME_print_ex().
  * Enhanced string and name printing routines handling
@@ -114,14 +115,17 @@ typedef int char_io(void *arg, const void *buf, int len);
 static int do_esc_char(unsigned long c, unsigned char flags, char *do_quotes, char_io *io_ch, void *arg)
 {
         unsigned char chflgs, chtmp;
-        char tmphex[11];
+        char tmphex[HEX_SIZE(long)+3];
+
+        if(c > 0xffffffffL)
+                return -1;
         if(c > 0xffff) {
-                BIO_snprintf(tmphex, 11, "\\W%08lX", c);
+                BIO_snprintf(tmphex, sizeof tmphex, "\\W%08lX", c);
                 if(!io_ch(arg, tmphex, 10)) return -1;
                 return 10;
         }
         if(c > 0xff) {
-                BIO_snprintf(tmphex, 11, "\\U%04lX", c);
+                BIO_snprintf(tmphex, sizeof tmphex, "\\U%04lX", c);
                 if(!io_ch(arg, tmphex, 6)) return -1;
                 return 6;
         }
@@ -195,7 +199,7 @@ static int do_buf(unsigned char *buf, int buflen,
                 if(type & BUF_TYPE_CONVUTF8) {
                         unsigned char utfbuf[6];
                         int utflen;
-                        utflen = UTF8_putc(utfbuf, 6, c);
+                        utflen = UTF8_putc(utfbuf, sizeof utfbuf, c);
                         for(i = 0; i < utflen; i++) {
                                 /* We don't need to worry about setting orflags correctly
                                  * because if utflen==1 its value will be correct anyway 
@@ -461,7 +465,7 @@ static int do_name_ex(char_io *io_ch, void *arg, X509_NAME *n,
                 if(fn_opt != XN_FLAG_FN_NONE) {
                         int objlen, fld_len;
                         if((fn_opt == XN_FLAG_FN_OID) || (fn_nid==NID_undef) ) {
-                                OBJ_obj2txt(objtmp, 80, fn, 1);
+                                OBJ_obj2txt(objtmp, sizeof objtmp, fn, 1);
                                 fld_len = 0; /* XXX: what should this be? */
                                 objbuf = objtmp;
                         } else {
diff --git a/src/lib/libcrypto/asn1/a_strnid.c b/src/lib/libcrypto/asn1/a_strnid.c
index 04789d1c63..aa49e9d7d0 100644
--- a/src/lib/libcrypto/asn1/a_strnid.c
+++ b/src/lib/libcrypto/asn1/a_strnid.c
@@ -173,6 +173,7 @@ static ASN1_STRING_TABLE tbl_standard[] = {
 {NID_friendlyName,              -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK},
 {NID_name,                      1, ub_name, DIRSTRING_TYPE, 0},
 {NID_dnQualifier,               -1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},
+{NID_domainComponent,           1, -1, B_ASN1_IA5STRING, STABLE_NO_MASK},
 {NID_ms_csp_name,               -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK}
 };
 
@@ -249,4 +250,38 @@ static void st_free(ASN1_STRING_TABLE *tbl)
         if(tbl->flags & STABLE_FLAGS_MALLOC) OPENSSL_free(tbl);
 }
 
+
 IMPLEMENT_STACK_OF(ASN1_STRING_TABLE)
+
+#ifdef STRING_TABLE_TEST
+
+main()
+{
+        ASN1_STRING_TABLE *tmp;
+        int i, last_nid = -1;
+
+        for (tmp = tbl_standard, i = 0;
+                i < sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE); i++, tmp++)
+                {
+                        if (tmp->nid < last_nid)
+                                {
+                                last_nid = 0;
+                                break;
+                                }
+                        last_nid = tmp->nid;
+                }
+
+        if (last_nid != 0)
+                {
+                printf("Table order OK\n");
+                exit(0);
+                }
+
+        for (tmp = tbl_standard, i = 0;
+                i < sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE); i++, tmp++)
+                        printf("Index %d, NID %d, Name=%s\n", i, tmp->nid,
+                                                        OBJ_nid2ln(tmp->nid));
+
+}
+
+#endif
diff --git a/src/lib/libcrypto/asn1/a_time.c b/src/lib/libcrypto/asn1/a_time.c
index 8216783aa8..b8c031fc8f 100644
--- a/src/lib/libcrypto/asn1/a_time.c
+++ b/src/lib/libcrypto/asn1/a_time.c
@@ -105,7 +105,10 @@ ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t)
 
         ts=OPENSSL_gmtime(&t,&data);
         if (ts == NULL)
+                {
+                ASN1err(ASN1_F_ASN1_TIME_SET, ASN1_R_ERROR_GETTING_TIME);
                 return NULL;
+                }
         if((ts->tm_year >= 50) && (ts->tm_year < 150))
                                         return ASN1_UTCTIME_set(s, t);
         return ASN1_GENERALIZEDTIME_set(s,t);
diff --git a/src/lib/libcrypto/asn1/a_type.c b/src/lib/libcrypto/asn1/a_type.c
index 96e111cf23..fe3fcd40b0 100644
--- a/src/lib/libcrypto/asn1/a_type.c
+++ b/src/lib/libcrypto/asn1/a_type.c
@@ -62,7 +62,7 @@
 
 int ASN1_TYPE_get(ASN1_TYPE *a)
         {
-        if (a->value.ptr != NULL)
+        if ((a->value.ptr != NULL) || (a->type == V_ASN1_NULL))
                 return(a->type);
         else
                 return(0);
diff --git a/src/lib/libcrypto/asn1/a_verify.c b/src/lib/libcrypto/asn1/a_verify.c
index bf41de5146..da2a0a6d69 100644
--- a/src/lib/libcrypto/asn1/a_verify.c
+++ b/src/lib/libcrypto/asn1/a_verify.c
@@ -103,7 +103,7 @@ int ASN1_verify(int (*i2d)(), X509_ALGOR *a, ASN1_BIT_STRING *signature,
         EVP_VerifyInit_ex(&ctx,type, NULL);
         EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
 
-        memset(buf_in,0,(unsigned int)inl);
+        OPENSSL_cleanse(buf_in,(unsigned int)inl);
         OPENSSL_free(buf_in);
 
         if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
@@ -153,7 +153,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
         EVP_VerifyInit_ex(&ctx,type, NULL);
         EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
 
-        memset(buf_in,0,(unsigned int)inl);
+        OPENSSL_cleanse(buf_in,(unsigned int)inl);
         OPENSSL_free(buf_in);
 
         if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
diff --git a/src/lib/libcrypto/asn1/asn1.h b/src/lib/libcrypto/asn1/asn1.h
index dbb30f4f22..3414509f1b 100644
--- a/src/lib/libcrypto/asn1/asn1.h
+++ b/src/lib/libcrypto/asn1/asn1.h
@@ -70,7 +70,6 @@
 
 #include <openssl/symhacks.h>
 
-#include <openssl/e_os2.h>
 #include <openssl/ossl_typ.h>
 
 #ifdef OPENSSL_BUILD_SHLIBCRYPTO
@@ -133,7 +132,7 @@ extern "C" {
 #define B_ASN1_NUMERICSTRING    0x0001
 #define B_ASN1_PRINTABLESTRING  0x0002
 #define B_ASN1_T61STRING        0x0004
-#define B_ASN1_TELETEXSTRING    0x0008
+#define B_ASN1_TELETEXSTRING    0x0004
 #define B_ASN1_VIDEOTEXSTRING   0x0008
 #define B_ASN1_IA5STRING        0x0010
 #define B_ASN1_GRAPHICSTRING    0x0020
@@ -981,6 +980,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_ASN1_TEMPLATE_D2I                         131
 #define ASN1_F_ASN1_TEMPLATE_EX_D2I                      132
 #define ASN1_F_ASN1_TEMPLATE_NEW                         133
+#define ASN1_F_ASN1_TIME_SET                             175
 #define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING             134
 #define ASN1_F_ASN1_TYPE_GET_OCTETSTRING                 135
 #define ASN1_F_ASN1_UNPACK_STRING                        136
@@ -1038,6 +1038,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_DECODE_ERROR                              110
 #define ASN1_R_DECODING_ERROR                            111
 #define ASN1_R_ENCODE_ERROR                              112
+#define ASN1_R_ERROR_GETTING_TIME                        173
 #define ASN1_R_ERROR_LOADING_SECTION                     172
 #define ASN1_R_ERROR_PARSING_SET_ELEMENT                 113
 #define ASN1_R_ERROR_SETTING_CIPHER_PARAMS               114
diff --git a/src/lib/libcrypto/asn1/asn1_err.c b/src/lib/libcrypto/asn1/asn1_err.c
index c4c3d2a91d..094ec06fda 100644
--- a/src/lib/libcrypto/asn1/asn1_err.c
+++ b/src/lib/libcrypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -100,6 +100,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_D2I,0),        "ASN1_TEMPLATE_D2I"},
 {ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_EX_D2I,0),     "ASN1_TEMPLATE_EX_D2I"},
 {ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_NEW,0),        "ASN1_TEMPLATE_NEW"},
+{ERR_PACK(0,ASN1_F_ASN1_TIME_SET,0),    "ASN1_TIME_set"},
 {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0),    "ASN1_TYPE_get_int_octetstring"},
 {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0),        "ASN1_TYPE_get_octetstring"},
 {ERR_PACK(0,ASN1_F_ASN1_UNPACK_STRING,0),       "ASN1_unpack_string"},
@@ -160,6 +161,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ASN1_R_DECODE_ERROR                     ,"decode error"},
 {ASN1_R_DECODING_ERROR                   ,"decoding error"},
 {ASN1_R_ENCODE_ERROR                     ,"encode error"},
+{ASN1_R_ERROR_GETTING_TIME               ,"error getting time"},
 {ASN1_R_ERROR_LOADING_SECTION            ,"error loading section"},
 {ASN1_R_ERROR_PARSING_SET_ELEMENT        ,"error parsing set element"},
 {ASN1_R_ERROR_SETTING_CIPHER_PARAMS      ,"error setting cipher params"},
diff --git a/src/lib/libcrypto/asn1/asn1_par.c b/src/lib/libcrypto/asn1/asn1_par.c
index 4223c9ae45..1799657141 100644
--- a/src/lib/libcrypto/asn1/asn1_par.c
+++ b/src/lib/libcrypto/asn1/asn1_par.c
@@ -79,12 +79,7 @@ static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed,
         else
                 p="prim: ";
         if (BIO_write(bp,p,6) < 6) goto err;
-        if (indent)
-                {
-                if (indent > 128) indent=128;
-                memset(str,' ',indent);
-                if (BIO_write(bp,str,indent) < indent) goto err;
-                }
+        BIO_indent(bp,indent,128);
 
         p=str;
         if ((xclass & V_ASN1_PRIVATE) == V_ASN1_PRIVATE)
diff --git a/src/lib/libcrypto/asn1/f_int.c b/src/lib/libcrypto/asn1/f_int.c
index 48cc3bfb90..9494e597ab 100644
--- a/src/lib/libcrypto/asn1/f_int.c
+++ b/src/lib/libcrypto/asn1/f_int.c
@@ -169,8 +169,7 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size)
                                 sp=(unsigned char *)OPENSSL_malloc(
                                         (unsigned int)num+i*2);
                         else
-                                sp=(unsigned char *)OPENSSL_realloc(s,
-                                        (unsigned int)num+i*2);
+                                sp=OPENSSL_realloc_clean(s,slen,num+i*2);
                         if (sp == NULL)
                                 {
                                 ASN1err(ASN1_F_A2I_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
diff --git a/src/lib/libcrypto/asn1/n_pkey.c b/src/lib/libcrypto/asn1/n_pkey.c
index 9146ee02c9..766b51c538 100644
--- a/src/lib/libcrypto/asn1/n_pkey.c
+++ b/src/lib/libcrypto/asn1/n_pkey.c
@@ -187,7 +187,7 @@ int i2d_RSA_NET(const RSA *a, unsigned char **pp, int (*cb)(), int sgckey)
         i2d_NETSCAPE_PKEY(pkey,&zz);
 
         /* Wipe the private key encoding */
-        memset(pkey->private_key->data, 0, rsalen);
+        OPENSSL_cleanse(pkey->private_key->data, rsalen);
                 
         if (cb == NULL)
                 cb=EVP_read_pw_string;
@@ -206,7 +206,7 @@ int i2d_RSA_NET(const RSA *a, unsigned char **pp, int (*cb)(), int sgckey)
         }
 
         EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL);
-        memset(buf,0,256);
+        OPENSSL_cleanse(buf,256);
 
         /* Encrypt private key in place */
         zz = enckey->enckey->digest->data;
@@ -294,7 +294,7 @@ static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
         }
                 
         EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL);
-        memset(buf,0,256);
+        OPENSSL_cleanse(buf,256);
 
         EVP_CIPHER_CTX_init(&ctx);
         EVP_DecryptInit_ex(&ctx,EVP_rc4(),NULL, key,NULL);
diff --git a/src/lib/libcrypto/asn1/p8_pkey.c b/src/lib/libcrypto/asn1/p8_pkey.c
index b634d5bc85..24b409132f 100644
--- a/src/lib/libcrypto/asn1/p8_pkey.c
+++ b/src/lib/libcrypto/asn1/p8_pkey.c
@@ -68,8 +68,8 @@ static int pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
         if(operation == ASN1_OP_FREE_PRE) {
                 PKCS8_PRIV_KEY_INFO *key = (PKCS8_PRIV_KEY_INFO *)*pval;
                 if (key->pkey->value.octet_string)
-                memset(key->pkey->value.octet_string->data,
-                                 0, key->pkey->value.octet_string->length);
+                OPENSSL_cleanse(key->pkey->value.octet_string->data,
+                        key->pkey->value.octet_string->length);
         }
         return 1;
 }
diff --git a/src/lib/libcrypto/asn1/t_crl.c b/src/lib/libcrypto/asn1/t_crl.c
index 60db305756..757c148df8 100644
--- a/src/lib/libcrypto/asn1/t_crl.c
+++ b/src/lib/libcrypto/asn1/t_crl.c
@@ -84,11 +84,11 @@ int X509_CRL_print_fp(FILE *fp, X509_CRL *x)
 
 int X509_CRL_print(BIO *out, X509_CRL *x)
 {
-        char buf[256];
         STACK_OF(X509_REVOKED) *rev;
         X509_REVOKED *r;
         long l;
         int i, n;
+        char *p;
 
         BIO_printf(out, "Certificate Revocation List (CRL):\n");
         l = X509_CRL_get_version(x);
@@ -96,8 +96,9 @@ int X509_CRL_print(BIO *out, X509_CRL *x)
         i = OBJ_obj2nid(x->sig_alg->algorithm);
         BIO_printf(out, "%8sSignature Algorithm: %s\n", "",
                                  (i == NID_undef) ? "NONE" : OBJ_nid2ln(i));
-        X509_NAME_oneline(X509_CRL_get_issuer(x),buf,256);
-        BIO_printf(out,"%8sIssuer: %s\n","",buf);
+        p=X509_NAME_oneline(X509_CRL_get_issuer(x),NULL,0);
+        BIO_printf(out,"%8sIssuer: %s\n","",p);
+        OPENSSL_free(p);
         BIO_printf(out,"%8sLast Update: ","");
         ASN1_TIME_print(out,X509_CRL_get_lastUpdate(x));
         BIO_printf(out,"\n%8sNext Update: ","");
diff --git a/src/lib/libcrypto/asn1/t_pkey.c b/src/lib/libcrypto/asn1/t_pkey.c
index b3f8364012..e1c5e5ae13 100644
--- a/src/lib/libcrypto/asn1/t_pkey.c
+++ b/src/lib/libcrypto/asn1/t_pkey.c
@@ -130,14 +130,10 @@ int RSA_print(BIO *bp, const RSA *x, int off)
                 goto err;
                 }
 
-        if (off)
-                {
-                if (off > 128) off=128;
-                memset(str,' ',off);
-                }
         if (x->d != NULL)
                 {
-                if (off && (BIO_write(bp,str,off) <= 0)) goto err;
+                if(!BIO_indent(bp,off,128))
+                   goto err;
                 if (BIO_printf(bp,"Private-Key: (%d bit)\n",BN_num_bits(x->n))
                         <= 0) goto err;
                 }
@@ -183,7 +179,6 @@ int DSA_print_fp(FILE *fp, const DSA *x, int off)
 
 int DSA_print(BIO *bp, const DSA *x, int off)
         {
-        char str[128];
         unsigned char *m=NULL;
         int ret=0;
         size_t buf_len=0,i;
@@ -210,14 +205,10 @@ int DSA_print(BIO *bp, const DSA *x, int off)
                 goto err;
                 }
 
-        if (off)
-                {
-                if (off > 128) off=128;
-                memset(str,' ',off);
-                }
         if (x->priv_key != NULL)
                 {
-                if (off && (BIO_write(bp,str,off) <= 0)) goto err;
+                if(!BIO_indent(bp,off,128))
+                   goto err;
                 if (BIO_printf(bp,"Private-Key: (%d bit)\n",BN_num_bits(x->p))
                         <= 0) goto err;
                 }
@@ -240,17 +231,12 @@ static int print(BIO *bp, const char *number, BIGNUM *num, unsigned char *buf,
              int off)
         {
         int n,i;
-        char str[128];
         const char *neg;
 
         if (num == NULL) return(1);
         neg=(num->neg)?"-":"";
-        if (off)
-                {
-                if (off > 128) off=128;
-                memset(str,' ',off);
-                if (BIO_write(bp,str,off) <= 0) return(0);
-                }
+        if(!BIO_indent(bp,off,128))
+                return 0;
 
         if (BN_num_bytes(num) <= BN_BYTES)
                 {
@@ -274,9 +260,9 @@ static int print(BIO *bp, const char *number, BIGNUM *num, unsigned char *buf,
                         {
                         if ((i%15) == 0)
                                 {
-                                str[0]='\n';
-                                memset(&(str[1]),' ',off+4);
-                                if (BIO_write(bp,str,off+1+4) <= 0) return(0);
+                                if(BIO_puts(bp,"\n") <= 0
+                                   || !BIO_indent(bp,off+4,128))
+                                    return 0;
                                 }
                         if (BIO_printf(bp,"%02x%s",buf[i],((i+1) == n)?"":":")
                                 <= 0) return(0);
diff --git a/src/lib/libcrypto/asn1/t_req.c b/src/lib/libcrypto/asn1/t_req.c
index eca97e00cb..740cee80c0 100644
--- a/src/lib/libcrypto/asn1/t_req.c
+++ b/src/lib/libcrypto/asn1/t_req.c
@@ -91,7 +91,6 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long
         EVP_PKEY *pkey;
         STACK_OF(X509_ATTRIBUTE) *sk;
         STACK_OF(X509_EXTENSION) *exts;
-        char str[128];
         char mlch = ' ';
         int nmindent = 0;
 
@@ -116,9 +115,9 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long
                 l=0;
                 for (i=0; i<ri->version->length; i++)
                         { l<<=8; l+=ri->version->data[i]; }
-                snprintf(str,sizeof str,"%8sVersion: %s%lu (%s0x%lx)\n","",neg,
-                         l,neg,l);
-                if (BIO_puts(bp,str) <= 0) goto err;
+                if(BIO_printf(bp,"%8sVersion: %s%lu (%s0x%lx)\n","",neg,l,neg,
+                              l) <= 0)
+                    goto err;
                 }
         if(!(cflag & X509_FLAG_NO_SUBJECT))
                 {
@@ -169,14 +168,14 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long
         if(!(cflag & X509_FLAG_NO_ATTRIBUTES))
                 {
                 /* may not be */
-                snprintf(str,sizeof str,"%8sAttributes:\n","");
-                if (BIO_puts(bp,str) <= 0) goto err;
+                if(BIO_printf(bp,"%8sAttributes:\n","") <= 0)
+                    goto err;
 
                 sk=x->req_info->attributes;
                 if (sk_X509_ATTRIBUTE_num(sk) == 0)
                         {
-                        snprintf(str,sizeof str,"%12sa0:00\n","");
-                        if (BIO_puts(bp,str) <= 0) goto err;
+                        if(BIO_printf(bp,"%12sa0:00\n","") <= 0)
+                            goto err;
                         }
                 else
                         {
@@ -191,8 +190,8 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long
                                 a=sk_X509_ATTRIBUTE_value(sk,i);
                                 if(X509_REQ_extension_nid(OBJ_obj2nid(a->object)))
                                                                         continue;
-                                snprintf(str,sizeof str,"%12s","");
-                                if (BIO_puts(bp,str) <= 0) goto err;
+                                if(BIO_printf(bp,"%12s","") <= 0)
+                                    goto err;
                                 if ((j=i2a_ASN1_OBJECT(bp,a->object)) > 0)
                                 {
                                 if (a->single)
diff --git a/src/lib/libcrypto/asn1/t_x509.c b/src/lib/libcrypto/asn1/t_x509.c
index 5de4833ed0..d1034c47f8 100644
--- a/src/lib/libcrypto/asn1/t_x509.c
+++ b/src/lib/libcrypto/asn1/t_x509.c
@@ -433,15 +433,17 @@ err:
 
 int X509_NAME_print(BIO *bp, X509_NAME *name, int obase)
         {
-        char *s,*c;
+        char *s,*c,*b;
         int ret=0,l,ll,i,first=1;
-        char buf[256];
 
         ll=80-2-obase;
 
-        s=X509_NAME_oneline(name,buf,256);
+        b=s=X509_NAME_oneline(name,NULL,0);
         if (!*s)
+                {
+                OPENSSL_free(b);
                 return 1;
+                }
         s++; /* skip the first slash */
 
         l=ll;
@@ -497,6 +499,7 @@ int X509_NAME_print(BIO *bp, X509_NAME *name, int obase)
 err:
                 X509err(X509_F_X509_NAME_PRINT,ERR_R_BUF_LIB);
                 }
+        OPENSSL_free(b);
         return(ret);
         }
 
diff --git a/src/lib/libcrypto/asn1/t_x509a.c b/src/lib/libcrypto/asn1/t_x509a.c
index 7d4a6e6084..ffbbfb51f4 100644
--- a/src/lib/libcrypto/asn1/t_x509a.c
+++ b/src/lib/libcrypto/asn1/t_x509a.c
@@ -77,7 +77,7 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
                 for(i = 0; i < sk_ASN1_OBJECT_num(aux->trust); i++) {
                         if(!first) BIO_puts(out, ", ");
                         else first = 0;
-                        OBJ_obj2txt(oidstr, 80,
+                        OBJ_obj2txt(oidstr, sizeof oidstr,
                                 sk_ASN1_OBJECT_value(aux->trust, i), 0);
                         BIO_puts(out, oidstr);
                 }
@@ -90,7 +90,7 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
                 for(i = 0; i < sk_ASN1_OBJECT_num(aux->reject); i++) {
                         if(!first) BIO_puts(out, ", ");
                         else first = 0;
-                        OBJ_obj2txt(oidstr, 80,
+                        OBJ_obj2txt(oidstr, sizeof oidstr,
                                 sk_ASN1_OBJECT_value(aux->reject, i), 0);
                         BIO_puts(out, oidstr);
                 }
diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c
index f87c08793a..76fc023230 100644
--- a/src/lib/libcrypto/asn1/tasn_dec.c
+++ b/src/lib/libcrypto/asn1/tasn_dec.c
@@ -664,7 +664,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inl
                 if(!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL)) goto err;
                 len = buf.length;
                 /* Append a final null to string */
-                if(!BUF_MEM_grow(&buf, len + 1)) {
+                if(!BUF_MEM_grow_clean(&buf, len + 1)) {
                         ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE);
                         return 0;
                 }
@@ -857,7 +857,7 @@ static int collect_data(BUF_MEM *buf, unsigned char **p, long plen)
                 int len;
                 if(buf) {
                         len = buf->length;
-                        if(!BUF_MEM_grow(buf, len + plen)) {
+                        if(!BUF_MEM_grow_clean(buf, len + plen)) {
                                 ASN1err(ASN1_F_COLLECT_DATA, ERR_R_MALLOC_FAILURE);
                                 return 0;
                         }
diff --git a/src/lib/libcrypto/asn1/tasn_fre.c b/src/lib/libcrypto/asn1/tasn_fre.c
index c7610776f2..2dd844159e 100644
--- a/src/lib/libcrypto/asn1/tasn_fre.c
+++ b/src/lib/libcrypto/asn1/tasn_fre.c
@@ -206,7 +206,10 @@ void ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
                 break;
 
                 case V_ASN1_BOOLEAN:
-                *(ASN1_BOOLEAN *)pval = it->size;
+                if (it)
+                        *(ASN1_BOOLEAN *)pval = it->size;
+                else
+                        *(ASN1_BOOLEAN *)pval = -1;
                 return;
 
                 case V_ASN1_NULL:
diff --git a/src/lib/libcrypto/asn1/tasn_new.c b/src/lib/libcrypto/asn1/tasn_new.c
index e33861f864..a0e3db574f 100644
--- a/src/lib/libcrypto/asn1/tasn_new.c
+++ b/src/lib/libcrypto/asn1/tasn_new.c
@@ -305,7 +305,10 @@ int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
                 return 1;
 
                 case V_ASN1_BOOLEAN:
-                *(ASN1_BOOLEAN *)pval = it->size;
+                if (it)
+                        *(ASN1_BOOLEAN *)pval = it->size;
+                else
+                        *(ASN1_BOOLEAN *)pval = -1;
                 return 1;
 
                 case V_ASN1_NULL:
diff --git a/src/lib/libcrypto/asn1/tasn_prn.c b/src/lib/libcrypto/asn1/tasn_prn.c
index fab67ae5ac..719639b511 100644
--- a/src/lib/libcrypto/asn1/tasn_prn.c
+++ b/src/lib/libcrypto/asn1/tasn_prn.c
@@ -186,7 +186,7 @@ if(*bool == -1) printf("BOOL MISSING\n");
                         char objbuf[80], *ln;
                         ln = OBJ_nid2ln(OBJ_obj2nid(fld));
                         if(!ln) ln = "";
-                        OBJ_obj2txt(objbuf, 80, fld, 1);
+                        OBJ_obj2txt(objbuf, sizeof objbuf, fld, 1);
                         BIO_printf(out, "%*s%s:%s (%s)", indent, "", "OBJECT", ln, objbuf);
                 } else {
                         BIO_printf(out, "%*s%s:", indent, "", name);
diff --git a/src/lib/libcrypto/bf/Makefile.ssl b/src/lib/libcrypto/bf/Makefile.ssl
index 079f7e860c..7dfdf9d871 100644
--- a/src/lib/libcrypto/bf/Makefile.ssl
+++ b/src/lib/libcrypto/bf/Makefile.ssl
@@ -49,14 +49,8 @@ lib:	$(LIBOBJ)
         @touch lib
 
 # elf
-asm/bx86-elf.o: asm/bx86unix.cpp
-        $(CPP) -DELF -x c asm/bx86unix.cpp | as -o asm/bx86-elf.o
-
-# solaris
-asm/bx86-sol.o: asm/bx86unix.cpp
-        $(CC) -E -DSOL asm/bx86unix.cpp | sed 's/^#.*//' > asm/bx86-sol.s
-        as -o asm/bx86-sol.o asm/bx86-sol.s
-        rm -f asm/bx86-sol.s
+asm/bx86-elf.s: asm/bf-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+        (cd asm; $(PERL) bf-586.pl elf $(CFLAGS) $(PROCESSOR) > bx86-elf.s)
 
 # a.out
 asm/bx86-out.o: asm/bx86unix.cpp
@@ -96,14 +90,14 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
         mv -f Makefile.new $(MAKEFILE)
 
 clean:
-        rm -f asm/bx86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+        rm -f asm/bx86unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
diff --git a/src/lib/libcrypto/bf/bftest.c b/src/lib/libcrypto/bf/bftest.c
index 09895f2542..24d526b14b 100644
--- a/src/lib/libcrypto/bf/bftest.c
+++ b/src/lib/libcrypto/bf/bftest.c
@@ -63,6 +63,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_BF
 int main(int argc, char *argv[])
 {
@@ -275,7 +277,7 @@ int main(int argc, char *argv[])
         else
                 ret=test();
 
-        exit(ret);
+        EXIT(ret);
         return(0);
         }
 
@@ -454,9 +456,9 @@ static int test(void)
         len=strlen(cbc_data)+1;
 
         BF_set_key(&key,16,cbc_key);
-        memset(cbc_in,0,40);
-        memset(cbc_out,0,40);
-        memcpy(iv,cbc_iv,8);
+        memset(cbc_in,0,sizeof cbc_in);
+        memset(cbc_out,0,sizeof cbc_out);
+        memcpy(iv,cbc_iv,sizeof iv);
         BF_cbc_encrypt((unsigned char *)cbc_data,cbc_out,len,
                 &key,iv,BF_ENCRYPT);
         if (memcmp(cbc_out,cbc_ok,32) != 0)
diff --git a/src/lib/libcrypto/bio/Makefile.ssl b/src/lib/libcrypto/bio/Makefile.ssl
index dfcee03448..d0b9e297b0 100644
--- a/src/lib/libcrypto/bio/Makefile.ssl
+++ b/src/lib/libcrypto/bio/Makefile.ssl
@@ -78,7 +78,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/bio/b_print.c b/src/lib/libcrypto/bio/b_print.c
index 80c9cb69db..a9e552f245 100644
--- a/src/lib/libcrypto/bio/b_print.c
+++ b/src/lib/libcrypto/bio/b_print.c
@@ -378,7 +378,7 @@ _dopr(
             case 'p':
                 value = (long)va_arg(args, void *);
                 fmtint(sbuffer, buffer, &currlen, maxlen,
-                    value, 16, min, max, flags);
+                    value, 16, min, max, flags|DP_F_NUM);
                 break;
             case 'n': /* XXX */
                 if (cflags == DP_C_SHORT) {
@@ -482,8 +482,9 @@ fmtint(
     int flags)
 {
     int signvalue = 0;
+    char *prefix = "";
     unsigned LLONG uvalue;
-    char convert[20];
+    char convert[DECIMAL_SIZE(value)+3];
     int place = 0;
     int spadlen = 0;
     int zpadlen = 0;
@@ -501,6 +502,10 @@ fmtint(
         else if (flags & DP_F_SPACE)
             signvalue = ' ';
     }
+    if (flags & DP_F_NUM) {
+        if (base == 8) prefix = "0";
+        if (base == 16) prefix = "0x";
+    }
     if (flags & DP_F_UP)
         caps = 1;
     do {
@@ -508,13 +513,13 @@ fmtint(
             (caps ? "0123456789ABCDEF" : "0123456789abcdef")
             [uvalue % (unsigned) base];
         uvalue = (uvalue / (unsigned) base);
-    } while (uvalue && (place < 20));
-    if (place == 20)
+    } while (uvalue && (place < sizeof convert));
+    if (place == sizeof convert)
         place--;
     convert[place] = 0;
 
     zpadlen = max - place;
-    spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0);
+    spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0) - strlen(prefix);
     if (zpadlen < 0)
         zpadlen = 0;
     if (spadlen < 0)
@@ -536,6 +541,12 @@ fmtint(
     if (signvalue)
         doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
 
+    /* prefix */
+    while (*prefix) {
+        doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix);
+        prefix++;
+    }
+
     /* zeros */
     if (zpadlen > 0) {
         while (zpadlen > 0) {
@@ -641,8 +652,8 @@ fmtfp(
             (caps ? "0123456789ABCDEF"
               : "0123456789abcdef")[intpart % 10];
         intpart = (intpart / 10);
-    } while (intpart && (iplace < 20));
-    if (iplace == 20)
+    } while (intpart && (iplace < sizeof iplace));
+    if (iplace == sizeof iplace)
         iplace--;
     iconvert[iplace] = 0;
 
@@ -653,7 +664,7 @@ fmtfp(
               : "0123456789abcdef")[fracpart % 10];
         fracpart = (fracpart / 10);
     } while (fplace < max);
-    if (fplace == 20)
+    if (fplace == sizeof fplace)
         fplace--;
     fconvert[fplace] = 0;
 
@@ -692,7 +703,7 @@ fmtfp(
      * Decimal point. This should probably use locale to find the correct
      * char to print out.
      */
-    if (max > 0) {
+    if (max > 0 || (flags & DP_F_NUM)) {
         doapr_outch(sbuffer, buffer, currlen, maxlen, '.');
 
         while (fplace > 0)
diff --git a/src/lib/libcrypto/bio/b_sock.c b/src/lib/libcrypto/bio/b_sock.c
index 7632c2d85e..5282f8a8f7 100644
--- a/src/lib/libcrypto/bio/b_sock.c
+++ b/src/lib/libcrypto/bio/b_sock.c
@@ -83,6 +83,7 @@
 static int wsa_init_done=0;
 #endif
 
+#if 0
 static unsigned long BIO_ghbn_hits=0L;
 static unsigned long BIO_ghbn_miss=0L;
 
@@ -93,6 +94,7 @@ static struct ghbn_cache_st
         struct hostent *ent;
         unsigned long order;
         } ghbn_cache[GHBN_NUM];
+#endif
 
 static int get_ip(const char *str,unsigned char *ip);
 #if 0
@@ -230,6 +232,7 @@ int BIO_sock_error(int sock)
                 return(j);
         }
 
+#if 0
 long BIO_ghbn_ctrl(int cmd, int iarg, char *parg)
         {
         int i;
@@ -267,6 +270,7 @@ long BIO_ghbn_ctrl(int cmd, int iarg, char *parg)
                 }
         return(1);
         }
+#endif
 
 #if 0
 static struct hostent *ghbn_dup(struct hostent *a)
@@ -463,6 +467,12 @@ int BIO_sock_init(void)
                         }
                 }
 #endif /* OPENSSL_SYS_WINDOWS */
+#ifdef WATT32
+        extern int _watt_do_exit;
+        _watt_do_exit = 0;    /* don't make sock_init() call exit() */
+        if (sock_init())
+                return (-1);
+#endif
         return(1);
         }
 
@@ -472,7 +482,9 @@ void BIO_sock_cleanup(void)
         if (wsa_init_done)
                 {
                 wsa_init_done=0;
+#ifndef OPENSSL_SYS_WINCE
                 WSACancelBlockingCall();
+#endif
                 WSACleanup();
                 }
 #endif
@@ -480,7 +492,7 @@ void BIO_sock_cleanup(void)
 
 #if !defined(OPENSSL_SYS_VMS) || __VMS_VER >= 70000000
 
-int BIO_socket_ioctl(int fd, long type, unsigned long *arg)
+int BIO_socket_ioctl(int fd, long type, void *arg)
         {
         int i;
 
@@ -730,7 +742,7 @@ int BIO_set_tcp_ndelay(int s, int on)
 int BIO_socket_nbio(int s, int mode)
         {
         int ret= -1;
-        unsigned long l;
+        int l;
 
         l=mode;
 #ifdef FIONBIO
diff --git a/src/lib/libcrypto/bio/bf_buff.c b/src/lib/libcrypto/bio/bf_buff.c
index 6ccda06596..1cecd70579 100644
--- a/src/lib/libcrypto/bio/bf_buff.c
+++ b/src/lib/libcrypto/bio/bf_buff.c
@@ -482,7 +482,7 @@ static int buffer_gets(BIO *b, char *buf, int size)
                         size-=i;
                         ctx->ibuf_len-=i;
                         ctx->ibuf_off+=i;
-                        if ((flag) || (i == size))
+                        if (flag || size == 0)
                                 {
                                 *buf='\0';
                                 return(num);
diff --git a/src/lib/libcrypto/bio/bio.h b/src/lib/libcrypto/bio/bio.h
index c5caf253c9..fbbc16d00c 100644
--- a/src/lib/libcrypto/bio/bio.h
+++ b/src/lib/libcrypto/bio/bio.h
@@ -244,7 +244,7 @@ typedef struct bio_method_st
         long (_far *ctrl)();
         int (_far *create)();
         int (_far *destroy)();
-        long (_fat *callback_ctrl)();
+        long (_far *callback_ctrl)();
         } BIO_METHOD;
 #endif
 
@@ -522,6 +522,7 @@ int	BIO_read(BIO *b, void *data, int len);
 int     BIO_gets(BIO *bp,char *buf, int size);
 int     BIO_write(BIO *b, const void *data, int len);
 int     BIO_puts(BIO *bp,const char *buf);
+int     BIO_indent(BIO *b,int indent,int max);
 long    BIO_ctrl(BIO *bp,int cmd,long larg,void *parg);
 long BIO_callback_ctrl(BIO *b, int cmd, void (*fp)(struct bio_st *, int, const char *, int, long, long));
 char *  BIO_ptr_ctrl(BIO *bp,int cmd,long larg);
@@ -584,7 +585,7 @@ struct hostent *BIO_gethostbyname(const char *name);
  * and an appropriate error code is set).
  */
 int BIO_sock_error(int sock);
-int BIO_socket_ioctl(int fd, long type, unsigned long *arg);
+int BIO_socket_ioctl(int fd, long type, void *arg);
 int BIO_socket_nbio(int fd,int mode);
 int BIO_get_port(const char *str, unsigned short *port_ptr);
 int BIO_get_host_ip(const char *str, unsigned char *ip);
@@ -608,7 +609,7 @@ int BIO_new_bio_pair(BIO **bio1, size_t writebuf1,
 
 void BIO_copy_next_retry(BIO *b);
 
-long BIO_ghbn_ctrl(int cmd,int iarg,char *parg);
+/*long BIO_ghbn_ctrl(int cmd,int iarg,char *parg);*/
 
 int BIO_printf(BIO *bio, const char *format, ...);
 int BIO_vprintf(BIO *bio, const char *format, va_list args);
diff --git a/src/lib/libcrypto/bio/bio_lib.c b/src/lib/libcrypto/bio/bio_lib.c
index 50df2238fa..692c8fb5c6 100644
--- a/src/lib/libcrypto/bio/bio_lib.c
+++ b/src/lib/libcrypto/bio/bio_lib.c
@@ -272,6 +272,18 @@ int BIO_gets(BIO *b, char *in, int inl)
         return(i);
         }
 
+int BIO_indent(BIO *b,int indent,int max)
+        {
+        if(indent < 0)
+                indent=0;
+        if(indent > max)
+                indent=max;
+        while(indent--)
+                if(BIO_puts(b," ") != 1)
+                        return 0;
+        return 1;
+        }
+
 long BIO_int_ctrl(BIO *b, int cmd, long larg, int iarg)
         {
         int i;
@@ -383,6 +395,8 @@ BIO *BIO_pop(BIO *b)
         if (b == NULL) return(NULL);
         ret=b->next_bio;
 
+        BIO_ctrl(b,BIO_CTRL_POP,0,NULL);
+
         if (b->prev_bio != NULL)
                 b->prev_bio->next_bio=b->next_bio;
         if (b->next_bio != NULL)
@@ -390,7 +404,6 @@ BIO *BIO_pop(BIO *b)
 
         b->next_bio=NULL;
         b->prev_bio=NULL;
-        BIO_ctrl(b,BIO_CTRL_POP,0,NULL);
         return(ret);
         }
 
diff --git a/src/lib/libcrypto/bio/bss_bio.c b/src/lib/libcrypto/bio/bss_bio.c
index 1c485a4479..aa58dab046 100644
--- a/src/lib/libcrypto/bio/bss_bio.c
+++ b/src/lib/libcrypto/bio/bss_bio.c
@@ -28,13 +28,12 @@
 
 #include <openssl/bio.h>
 #include <openssl/err.h>
-#include <openssl/err.h>
 #include <openssl/crypto.h>
 
 #include "e_os.h"
 
 /* VxWorks defines SSIZE_MAX with an empty value causing compile errors */
-#if defined(OPENSSL_SYS_VSWORKS)
+#if defined(OPENSSL_SYS_VXWORKS)
 # undef SSIZE_MAX
 #endif
 #ifndef SSIZE_MAX
diff --git a/src/lib/libcrypto/bio/bss_conn.c b/src/lib/libcrypto/bio/bss_conn.c
index 81f27dba4c..8c694140ed 100644
--- a/src/lib/libcrypto/bio/bss_conn.c
+++ b/src/lib/libcrypto/bio/bss_conn.c
@@ -519,7 +519,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
                         else if (num == 2)
                                 {
                                 char buf[16];
-                                char *p = ptr;
+                                unsigned char *p = ptr;
 
                                 snprintf(buf,sizeof buf,"%d.%d.%d.%d",
                                          p[0],p[1],p[2],p[3]);
@@ -530,7 +530,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
                                 }
                         else if (num == 3)
                                 {
-                                char buf[16];
+                                char buf[DECIMAL_SIZE(int)+1];
 
                                 snprintf(buf,sizeof buf,"%d",*(int *)ptr);
                                 if (data->param_port != NULL)
diff --git a/src/lib/libcrypto/bio/bss_file.c b/src/lib/libcrypto/bio/bss_file.c
index 18e7bb86e6..e4e9df144c 100644
--- a/src/lib/libcrypto/bio/bss_file.c
+++ b/src/lib/libcrypto/bio/bss_file.c
@@ -247,7 +247,7 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
                         ret=0;
                         break;
                         }
-#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS)
+#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2)
                 if (!(num & BIO_FP_TEXT))
                         strcat(p,"b");
                 else
diff --git a/src/lib/libcrypto/bio/bss_log.c b/src/lib/libcrypto/bio/bss_log.c
index a39d95297c..1eb678cac0 100644
--- a/src/lib/libcrypto/bio/bss_log.c
+++ b/src/lib/libcrypto/bio/bss_log.c
@@ -68,7 +68,8 @@
 
 #include "cryptlib.h"
 
-#if defined(OPENSSL_SYS_WIN32)
+#if defined(OPENSSL_SYS_WINCE)
+#elif defined(OPENSSL_SYS_WIN32)
 #  include <process.h>
 #elif defined(OPENSSL_SYS_VMS)
 #  include <opcdef.h>
@@ -77,7 +78,7 @@
 #  include <starlet.h>
 #elif defined(__ultrix)
 #  include <sys/syslog.h>
-#elif !defined(MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && !defined(NO_SYSLOG) /* Unix */
+#elif (!defined(MSDOS) || defined(WATT32)) && !defined(OPENSSL_SYS_VXWORKS) && !defined(NO_SYSLOG)
 #  include <syslog.h>
 #endif
 
@@ -274,7 +275,7 @@ static void xsyslog(BIO *bp, int priority, const char *string)
         LPCSTR lpszStrings[2];
         WORD evtype= EVENTLOG_ERROR_TYPE;
         int pid = _getpid();
-        char pidbuf[20];
+        char pidbuf[DECIMAL_SIZE(pid)+4];
 
         switch (priority)
                 {
@@ -373,11 +374,15 @@ static void xcloselog(BIO* bp)
 {
 }
 
-#else /* Unix */
+#else /* Unix/Watt32 */
 
 static void xopenlog(BIO* bp, char* name, int level)
 {
+#ifdef WATT32   /* djgpp/DOS */
+        openlog(name, LOG_PID|LOG_CONS|LOG_NDELAY, level);
+#else
         openlog(name, LOG_PID|LOG_CONS, level);
+#endif
 }
 
 static void xsyslog(BIO *bp, int priority, const char *string)
diff --git a/src/lib/libcrypto/bio/bss_mem.c b/src/lib/libcrypto/bio/bss_mem.c
index 28ff7582bf..a4edb711ae 100644
--- a/src/lib/libcrypto/bio/bss_mem.c
+++ b/src/lib/libcrypto/bio/bss_mem.c
@@ -190,7 +190,7 @@ static int mem_write(BIO *b, const char *in, int inl)
 
         BIO_clear_retry_flags(b);
         blen=bm->length;
-        if (BUF_MEM_grow(bm,blen+inl) != (blen+inl))
+        if (BUF_MEM_grow_clean(bm,blen+inl) != (blen+inl))
                 goto end;
         memcpy(&(bm->data[blen]),in,inl);
         ret=inl;
@@ -284,7 +284,11 @@ static int mem_gets(BIO *bp, char *buf, int size)
 
         BIO_clear_retry_flags(bp);
         j=bm->length;
-        if (j <= 0) return(0);
+        if (j <= 0)
+                {
+                *buf='\0';
+                return 0;
+                }
         p=bm->data;
         for (i=0; i<j; i++)
                 {
diff --git a/src/lib/libcrypto/bio/bss_sock.c b/src/lib/libcrypto/bio/bss_sock.c
index fdabd16d7e..2c1c405ec7 100644
--- a/src/lib/libcrypto/bio/bss_sock.c
+++ b/src/lib/libcrypto/bio/bss_sock.c
@@ -64,6 +64,12 @@
 #include "cryptlib.h"
 #include <openssl/bio.h>
 
+#ifdef WATT32
+#define sock_write SockWrite  /* Watt-32 uses same names */
+#define sock_read  SockRead
+#define sock_puts  SockPuts
+#endif
+
 static int sock_write(BIO *h, const char *buf, int num);
 static int sock_read(BIO *h, char *buf, int size);
 static int sock_puts(BIO *h, const char *str);
diff --git a/src/lib/libcrypto/bn/Makefile.ssl b/src/lib/libcrypto/bn/Makefile.ssl
index 6a479726c4..fa17d3c7d8 100644
--- a/src/lib/libcrypto/bn/Makefile.ssl
+++ b/src/lib/libcrypto/bn/Makefile.ssl
@@ -23,14 +23,6 @@ BN_ASM=		bn_asm.o
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 
-# We let the C compiler driver to take care of .s files. This is done in
-# order to be excused from maintaining a separate set of architecture
-# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
-# gcc, then the driver will automatically translate it to -xarch=v8plus
-# and pass it down to assembler.
-AS=$(CC) -c
-ASFLAGS=$(CFLAGS)
-
 GENERAL=Makefile
 TEST=bntest.c exptest.c
 APPS=
@@ -73,22 +65,11 @@ lib:	$(LIBOBJ)
         @touch lib
 
 # elf
-asm/bn86-elf.o: asm/bn86unix.cpp
-        $(CPP) -DELF -x c asm/bn86unix.cpp | as -o asm/bn86-elf.o
-
-asm/co86-elf.o: asm/co86unix.cpp
-        $(CPP) -DELF -x c asm/co86unix.cpp | as -o asm/co86-elf.o
+asm/bn86-elf.s: asm/bn-586.pl ../perlasm/x86asm.pl
+        (cd asm; $(PERL) bn-586.pl elf $(CFLAGS) > bn86-elf.s)
 
-# solaris
-asm/bn86-sol.o: asm/bn86unix.cpp
-        $(CC) -E -DSOL asm/bn86unix.cpp | sed 's/^#.*//' > asm/bn86-sol.s
-        as -o asm/bn86-sol.o asm/bn86-sol.s
-        rm -f asm/bn86-sol.s
-
-asm/co86-sol.o: asm/co86unix.cpp
-        $(CC) -E -DSOL asm/co86unix.cpp | sed 's/^#.*//' > asm/co86-sol.s
-        as -o asm/co86-sol.o asm/co86-sol.s
-        rm -f asm/co86-sol.s
+asm/co86-elf.s: asm/co-586.pl ../perlasm/x86asm.pl
+        (cd asm; $(PERL) co-586.pl elf $(CFLAGS) > co86-elf.s)
 
 # a.out
 asm/bn86-out.o: asm/bn86unix.cpp
@@ -136,6 +117,8 @@ asm/ia64-cpp.o:	asm/ia64.S
         $(CC) $(ASFLAGS) -c -o asm/ia64-cpp.o /tmp/ia64.$$$$.s; \
         rm -f /tmp/ia64.$$$$.s
 
+asm/x86_64-gcc.o: asm/x86_64-gcc.c
+
 files:
         $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
 
@@ -169,14 +152,14 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
         mv -f Makefile.new $(MAKEFILE)
 
 clean:
-        rm -f asm/co86unix.cpp asm/bn86unix.cpp *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff bn_asm.s
+        rm -f asm/co86unix.cpp asm/bn86unix.cpp asm/*-elf.* *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff bn_asm.s
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
diff --git a/src/lib/libcrypto/bn/asm/ia64.S b/src/lib/libcrypto/bn/asm/ia64.S
index ae56066310..7dfda85566 100644
--- a/src/lib/libcrypto/bn/asm/ia64.S
+++ b/src/lib/libcrypto/bn/asm/ia64.S
@@ -1,6 +1,6 @@
 .explicit
 .text
-.ident  "ia64.S, Version 1.1"
+.ident  "ia64.S, Version 2.0"
 .ident  "IA-64 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
 
 //
@@ -13,6 +13,35 @@
 // disclaimed.
 // ====================================================================
 //
+// Version 2.x is Itanium2 re-tune. Few words about how Itanum2 is
+// different from Itanium to this module viewpoint. Most notably, is it
+// "wider" than Itanium? Can you experience loop scalability as
+// discussed in commentary sections? Not really:-( Itanium2 has 6
+// integer ALU ports, i.e. it's 2 ports wider, but it's not enough to
+// spin twice as fast, as I need 8 IALU ports. Amount of floating point
+// ports is the same, i.e. 2, while I need 4. In other words, to this
+// module Itanium2 remains effectively as "wide" as Itanium. Yet it's
+// essentially different in respect to this module, and a re-tune was
+// required. Well, because some intruction latencies has changed. Most
+// noticeably those intensively used:
+//
+//                      Itanium Itanium2
+//      ldf8            9       6               L2 hit
+//      ld8             2       1               L1 hit
+//      getf            2       5
+//      xma[->getf]     7[+1]   4[+0]
+//      add[->st8]      1[+1]   1[+0]
+//
+// What does it mean? You might ratiocinate that the original code
+// should run just faster... Because sum of latencies is smaller...
+// Wrong! Note that getf latency increased. This means that if a loop is
+// scheduled for lower latency (and they are), then it will suffer from
+// stall condition and the code will therefore turn anti-scalable, e.g.
+// original bn_mul_words spun at 5*n or 2.5 times slower than expected
+// on Itanium2! What to do? Reschedule loops for Itanium2? But then
+// Itanium would exhibit anti-scalability. So I've chosen to reschedule
+// for worst latency for every instruction aiming for best *all-round*
+// performance.  
 
 // Q.   How much faster does it get?
 // A.   Here is the output from 'openssl speed rsa dsa' for vanilla
@@ -149,12 +178,27 @@ bn_add_words:
         brp.loop.imp    .L_bn_add_words_ctop,.L_bn_add_words_cend-16
                                         }
         .body
-{ .mib; mov             r14=r32                 // rp
+{ .mib;
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        addp4           r14=0,r32               // rp
+#else
+        mov             r14=r32                 // rp
+#endif
         mov             r9=pr           };;
-{ .mii; mov             r15=r33                 // ap
+{ .mii;
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        addp4           r15=0,r33               // ap
+#else
+        mov             r15=r33                 // ap
+#endif
         mov             ar.lc=r10
         mov             ar.ec=6         }
-{ .mib; mov             r16=r34                 // bp
+{ .mib;
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        addp4           r16=0,r34               // bp
+#else
+        mov             r16=r34                 // bp
+#endif
         mov             pr.rot=1<<16    };;
 
 .L_bn_add_words_ctop:
@@ -174,7 +218,7 @@ bn_add_words:
 
 { .mii;
 (p59)   add             r8=1,r8         // return value
-        mov             pr=r9,-1
+        mov             pr=r9,0x1ffff
         mov             ar.lc=r3        }
 { .mbb; nop.b           0x0
         br.ret.sptk.many        b0      };;
@@ -202,12 +246,27 @@ bn_sub_words:
         brp.loop.imp    .L_bn_sub_words_ctop,.L_bn_sub_words_cend-16
                                         }
         .body
-{ .mib; mov             r14=r32                 // rp
+{ .mib;
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        addp4           r14=0,r32               // rp
+#else
+        mov             r14=r32                 // rp
+#endif
         mov             r9=pr           };;
-{ .mii; mov             r15=r33                 // ap
+{ .mii;
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        addp4           r15=0,r33               // ap
+#else
+        mov             r15=r33                 // ap
+#endif
         mov             ar.lc=r10
         mov             ar.ec=6         }
-{ .mib; mov             r16=r34                 // bp
+{ .mib;
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        addp4           r16=0,r34               // bp
+#else
+        mov             r16=r34                 // bp
+#endif
         mov             pr.rot=1<<16    };;
 
 .L_bn_sub_words_ctop:
@@ -227,7 +286,7 @@ bn_sub_words:
 
 { .mii;
 (p59)   add             r8=1,r8         // return value
-        mov             pr=r9,-1
+        mov             pr=r9,0x1ffff
         mov             ar.lc=r3        }
 { .mbb; nop.b           0x0
         br.ret.sptk.many        b0      };;
@@ -253,7 +312,7 @@ bn_mul_words:
 #ifdef XMA_TEMPTATION
 { .mfi; alloc           r2=ar.pfs,4,0,0,0       };;
 #else
-{ .mfi; alloc           r2=ar.pfs,4,4,0,8       };;
+{ .mfi; alloc           r2=ar.pfs,4,12,0,16     };;
 #endif
 { .mib; mov             r8=r0                   // return value
         cmp4.le         p6,p0=r34,r0
@@ -266,24 +325,30 @@ bn_mul_words:
 
         .body
 { .mib; setf.sig        f8=r35  // w
-        mov             pr.rot=0x400001<<16
-                        // ------^----- serves as (p48) at first (p26)
+        mov             pr.rot=0x800001<<16
+                        // ------^----- serves as (p50) at first (p27)
         brp.loop.imp    .L_bn_mul_words_ctop,.L_bn_mul_words_cend-16
                                         }
 
 #ifndef XMA_TEMPTATION
 
-{ .mii; mov             r14=r32 // rp
-        mov             r15=r33 // ap
+{ .mii;
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        addp4           r14=0,r32       // rp
+        addp4           r15=0,r33       // ap
+#else
+        mov             r14=r32         // rp
+        mov             r15=r33         // ap
+#endif
         mov             ar.lc=r10       }
-{ .mii; mov             r39=0   // serves as r33 at first (p26)
-        mov             ar.ec=12        };;
+{ .mii; mov             r40=0   // serves as r35 at first (p27)
+        mov             ar.ec=13        };;
 
-// This loop spins in 2*(n+11) ticks. It's scheduled for data in L2
-// cache (i.e. 9 ticks away) as floating point load/store instructions
+// This loop spins in 2*(n+12) ticks. It's scheduled for data in Itanium
+// L2 cache (i.e. 9 ticks away) as floating point load/store instructions
 // bypass L1 cache and L2 latency is actually best-case scenario for
-// ldf8. The loop is not scalable and shall run in 2*(n+11) even on
-// "wider" IA-64 implementations. It's a trade-off here. n+22 loop
+// ldf8. The loop is not scalable and shall run in 2*(n+12) even on
+// "wider" IA-64 implementations. It's a trade-off here. n+24 loop
 // would give us ~5% in *overall* performance improvement on "wider"
 // IA-64, but would hurt Itanium for about same because of longer
 // epilogue. As it's a matter of few percents in either case I've
@@ -291,25 +356,25 @@ bn_mul_words:
 // this very instruction sequence in bn_mul_add_words loop which in
 // turn is scalable).
 .L_bn_mul_words_ctop:
-{ .mfi; (p25)   getf.sig        r36=f49                 // low
-        (p21)   xmpy.lu         f45=f37,f8
-        (p27)   cmp.ltu         p52,p48=r39,r38 }
+{ .mfi; (p25)   getf.sig        r36=f52                 // low
+        (p21)   xmpy.lu         f48=f37,f8
+        (p28)   cmp.ltu         p54,p50=r41,r39 }
 { .mfi; (p16)   ldf8            f32=[r15],8
-        (p21)   xmpy.hu         f38=f37,f8
+        (p21)   xmpy.hu         f40=f37,f8
         (p0)    nop.i           0x0             };;
-{ .mii; (p26)   getf.sig        r32=f43                 // high
-        .pred.rel       "mutex",p48,p52
-        (p48)   add             r38=r37,r33             // (p26)
-        (p52)   add             r38=r37,r33,1   }       // (p26)
-{ .mfb; (p27)   st8             [r14]=r39,8
+{ .mii; (p25)   getf.sig        r32=f44                 // high
+        .pred.rel       "mutex",p50,p54
+        (p50)   add             r40=r38,r35             // (p27)
+        (p54)   add             r40=r38,r35,1   }       // (p27)
+{ .mfb; (p28)   st8             [r14]=r41,8
         (p0)    nop.f           0x0
         br.ctop.sptk    .L_bn_mul_words_ctop    };;
 .L_bn_mul_words_cend:
 
 { .mii; nop.m           0x0
-.pred.rel       "mutex",p49,p53
-(p49)   add             r8=r34,r0
-(p53)   add             r8=r34,r0,1     }
+.pred.rel       "mutex",p51,p55
+(p51)   add             r8=r36,r0
+(p55)   add             r8=r36,r0,1     }
 { .mfb; nop.m   0x0
         nop.f   0x0
         nop.b   0x0                     }
@@ -344,7 +409,7 @@ bn_mul_words:
 #endif  // XMA_TEMPTATION
 
 { .mii; nop.m           0x0
-        mov             pr=r9,-1
+        mov             pr=r9,0x1ffff
         mov             ar.lc=r3        }
 { .mfb; rum             1<<5            // clear um.mfh
         nop.f           0x0
@@ -376,59 +441,69 @@ bn_mul_add_words:
 
         .body
 { .mib; setf.sig        f8=r35  // w
-        mov             pr.rot=0x400001<<16
-                        // ------^----- serves as (p48) at first (p26)
+        mov             pr.rot=0x800001<<16
+                        // ------^----- serves as (p50) at first (p27)
         brp.loop.imp    .L_bn_mul_add_words_ctop,.L_bn_mul_add_words_cend-16
                                         }
-{ .mii; mov             r14=r32 // rp
-        mov             r15=r33 // ap
+{ .mii;
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        addp4           r14=0,r32       // rp
+        addp4           r15=0,r33       // ap
+#else
+        mov             r14=r32         // rp
+        mov             r15=r33         // ap
+#endif
         mov             ar.lc=r10       }
-{ .mii; mov             r39=0   // serves as r33 at first (p26)
-        mov             r18=r32 // rp copy
-        mov             ar.ec=14        };;
+{ .mii; mov             r40=0   // serves as r35 at first (p27)
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        addp4           r18=0,r32       // rp copy
+#else
+        mov             r18=r32         // rp copy
+#endif
+        mov             ar.ec=15        };;
 
-// This loop spins in 3*(n+13) ticks on Itanium and should spin in
-// 2*(n+13) on "wider" IA-64 implementations (to be verified with new
+// This loop spins in 3*(n+14) ticks on Itanium and should spin in
+// 2*(n+14) on "wider" IA-64 implementations (to be verified with new
 // µ-architecture manuals as they become available). As usual it's
 // possible to compress the epilogue, down to 10 in this case, at the
 // cost of scalability. Compressed (and therefore non-scalable) loop
-// running at 3*(n+10) would buy you ~10% on Itanium but take ~35%
+// running at 3*(n+11) would buy you ~10% on Itanium but take ~35%
 // from "wider" IA-64 so let it be scalable! Special attention was
 // paid for having the loop body split at 64-byte boundary. ld8 is
 // scheduled for L1 cache as the data is more than likely there.
 // Indeed, bn_mul_words has put it there a moment ago:-)
 .L_bn_mul_add_words_ctop:
-{ .mfi; (p25)   getf.sig        r36=f49                 // low
-        (p21)   xmpy.lu         f45=f37,f8
-        (p27)   cmp.ltu         p52,p48=r39,r38 }
+{ .mfi; (p25)   getf.sig        r36=f52                 // low
+        (p21)   xmpy.lu         f48=f37,f8
+        (p28)   cmp.ltu         p54,p50=r41,r39 }
 { .mfi; (p16)   ldf8            f32=[r15],8
-        (p21)   xmpy.hu         f38=f37,f8
-        (p27)   add             r43=r43,r39     };;
-{ .mii; (p26)   getf.sig        r32=f43                 // high
-        .pred.rel       "mutex",p48,p52
-        (p48)   add             r38=r37,r33             // (p26)
-        (p52)   add             r38=r37,r33,1   }       // (p26)
-{ .mfb; (p27)   cmp.ltu.unc     p56,p0=r43,r39
+        (p21)   xmpy.hu         f40=f37,f8
+        (p28)   add             r45=r45,r41     };;
+{ .mii; (p25)   getf.sig        r32=f44                 // high
+        .pred.rel       "mutex",p50,p54
+        (p50)   add             r40=r38,r35             // (p27)
+        (p54)   add             r40=r38,r35,1   }       // (p27)
+{ .mfb; (p28)   cmp.ltu.unc     p60,p0=r45,r41
         (p0)    nop.f           0x0
         (p0)    nop.b           0x0             }
-{ .mii; (p26)   ld8             r42=[r18],8
-        (p58)   cmp.eq.or       p57,p0=-1,r44
-        (p58)   add             r44=1,r44       }
-{ .mfb; (p29)   st8             [r14]=r45,8
+{ .mii; (p27)   ld8             r44=[r18],8
+        (p62)   cmp.eq.or       p61,p0=-1,r46
+        (p62)   add             r46=1,r46       }
+{ .mfb; (p30)   st8             [r14]=r47,8
         (p0)    nop.f           0x0
         br.ctop.sptk    .L_bn_mul_add_words_ctop};;
 .L_bn_mul_add_words_cend:
 
 { .mii; nop.m           0x0
-.pred.rel       "mutex",p51,p55
-(p51)   add             r8=r36,r0
-(p55)   add             r8=r36,r0,1     }
+.pred.rel       "mutex",p53,p57
+(p53)   add             r8=r38,r0
+(p57)   add             r8=r38,r0,1     }
 { .mfb; nop.m   0x0
         nop.f   0x0
         nop.b   0x0                     };;
 { .mii;
-(p59)   add             r8=1,r8
-        mov             pr=r9,-1
+(p63)   add             r8=1,r8
+        mov             pr=r9,0x1ffff
         mov             ar.lc=r3        }
 { .mfb; rum             1<<5            // clear um.mfh
         nop.f           0x0
@@ -461,6 +536,10 @@ bn_sqr_words:
         mov     r9=pr                   };;
 
         .body
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+{ .mii; addp4           r32=0,r32
+        addp4           r33=0,r33       };;
+#endif
 { .mib;
         mov             pr.rot=1<<16
         brp.loop.imp    .L_bn_sqr_words_ctop,.L_bn_sqr_words_cend-16
@@ -492,7 +571,7 @@ bn_sqr_words:
 .L_bn_sqr_words_cend:
 
 { .mii; nop.m           0x0
-        mov             pr=r9,-1
+        mov             pr=r9,0x1ffff
         mov             ar.lc=r3        }
 { .mfb; rum             1<<5            // clear um.mfh
         nop.f           0x0
@@ -526,7 +605,14 @@ bn_sqr_comba8:
         .prologue
         .fframe 0
         .save   ar.pfs,r2
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
 { .mii; alloc   r2=ar.pfs,2,1,0,0
+        addp4   r33=0,r33
+        addp4   r32=0,r32               };;
+{ .mii;
+#else
+{ .mii; alloc   r2=ar.pfs,2,1,0,0
+#endif
         mov     r34=r33
         add     r14=8,r33               };;
         .body
@@ -587,7 +673,14 @@ bn_mul_comba8:
         .prologue
         .fframe 0
         .save   ar.pfs,r2
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
 { .mii; alloc   r2=ar.pfs,3,0,0,0
+        addp4   r33=0,r33
+        addp4   r34=0,r34               };;
+{ .mii; addp4   r32=0,r32
+#else
+{ .mii; alloc   r2=ar.pfs,3,0,0,0
+#endif
         add     r14=8,r33
         add     r17=8,r34               }
         .body
@@ -1138,7 +1231,14 @@ bn_sqr_comba4:
         .prologue
         .fframe 0
         .save   ar.pfs,r2
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+{ .mii; alloc   r2=ar.pfs,2,1,0,0
+        addp4   r32=0,r32
+        addp4   r33=0,r33               };;
+{ .mii;
+#else
 { .mii; alloc   r2=ar.pfs,2,1,0,0
+#endif
         mov     r34=r33
         add     r14=8,r33               };;
         .body
@@ -1164,7 +1264,14 @@ bn_mul_comba4:
         .prologue
         .fframe 0
         .save   ar.pfs,r2
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+{ .mii; alloc   r2=ar.pfs,3,0,0,0
+        addp4   r33=0,r33
+        addp4   r34=0,r34               };;
+{ .mii; addp4   r32=0,r32
+#else
 { .mii; alloc   r2=ar.pfs,3,0,0,0
+#endif
         add     r14=8,r33
         add     r17=8,r34               }
         .body
@@ -1464,7 +1571,7 @@ bn_div_words:
         or      r8=r8,r33
         mov     ar.pfs=r2               };;
 { .mii; shr.u   r9=H,I                  // remainder if anybody wants it
-        mov     pr=r10,-1               }
+        mov     pr=r10,0x1ffff          }
 { .mfb; br.ret.sptk.many        b0      };;
 
 // Unsigned 64 by 32 (well, by 64 for the moment) bit integer division
diff --git a/src/lib/libcrypto/bn/asm/pa-risc2.s b/src/lib/libcrypto/bn/asm/pa-risc2.s
index af9730d062..f3b16290eb 100644
--- a/src/lib/libcrypto/bn/asm/pa-risc2.s
+++ b/src/lib/libcrypto/bn/asm/pa-risc2.s
@@ -747,8 +747,8 @@ bn_div_words
         .PROC
         .EXPORT bn_div_words,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR,RTNVAL=GR,LONG_RETURN
         .IMPORT BN_num_bits_word,CODE
-        .IMPORT __iob,DATA
-        .IMPORT fprintf,CODE
+        ;--- not PIC    .IMPORT __iob,DATA
+        ;--- not PIC    .IMPORT fprintf,CODE
         .IMPORT abort,CODE
         .IMPORT $$div2U,MILLICODE
         .CALLINFO CALLER,FRAME=144,ENTRY_GR=%r9,SAVE_RP,ARGS_SAVED,ORDERING_AWARE
@@ -844,12 +844,12 @@ $0006001A
         MOVIB,TR        2,%r8,$0006001C ;offset 0xa18
         EXTRD,U %r3,63,32,%r7   ;offset 0xa1c
 $D2
-        ADDIL   LR'__iob-$global$,%r27,%r1      ;offset 0xa20
-        LDIL    LR'C$7,%r21     ;offset 0xa24
-        LDO     RR'__iob-$global$+32(%r1),%r26  ;offset 0xa28
-        .CALL   ARGW0=GR,ARGW1=GR,ARGW2=GR,RTNVAL=GR    ;in=24,25,26;out=28;
-        B,L     fprintf,%r2     ;offset 0xa2c
-        LDO     RR'C$7(%r21),%r25       ;offset 0xa30
+        ;--- not PIC    ADDIL   LR'__iob-$global$,%r27,%r1      ;offset 0xa20
+        ;--- not PIC    LDIL    LR'C$7,%r21     ;offset 0xa24
+        ;--- not PIC    LDO     RR'__iob-$global$+32(%r1),%r26  ;offset 0xa28
+        ;--- not PIC    .CALL   ARGW0=GR,ARGW1=GR,ARGW2=GR,RTNVAL=GR    ;in=24,25,26;out=28;
+        ;--- not PIC    B,L     fprintf,%r2     ;offset 0xa2c
+        ;--- not PIC    LDO     RR'C$7(%r21),%r25       ;offset 0xa30
         .CALL           ;
         B,L     abort,%r2       ;offset 0xa34
         NOP             ;offset 0xa38
@@ -1605,14 +1605,14 @@ bn_mul_comba4
         .PROCEND        
 
 
-        .SPACE  $TEXT$
-        .SUBSPA $CODE$
-        .SPACE  $PRIVATE$,SORT=16
-        .IMPORT $global$,DATA
-        .SPACE  $TEXT$
-        .SUBSPA $CODE$
-        .SUBSPA $LIT$,ACCESS=0x2c
-C$7
-        .ALIGN  8
-        .STRINGZ        "Division would overflow (%d)\n"
+;--- not PIC    .SPACE  $TEXT$
+;--- not PIC    .SUBSPA $CODE$
+;--- not PIC    .SPACE  $PRIVATE$,SORT=16
+;--- not PIC    .IMPORT $global$,DATA
+;--- not PIC    .SPACE  $TEXT$
+;--- not PIC    .SUBSPA $CODE$
+;--- not PIC    .SUBSPA $LIT$,ACCESS=0x2c
+;--- not PIC    C$7
+;--- not PIC    .ALIGN  8
+;--- not PIC    .STRINGZ        "Division would overflow (%d)\n"
         .END
diff --git a/src/lib/libcrypto/bn/asm/vms.mar b/src/lib/libcrypto/bn/asm/vms.mar
index 465f2774b6..aefab15cdb 100644
--- a/src/lib/libcrypto/bn/asm/vms.mar
+++ b/src/lib/libcrypto/bn/asm/vms.mar
@@ -1,4 +1,4 @@
-        .title  vax_bn_mul_add_word  unsigned multiply & add, 32*32+32+32=>64
+        .title  vax_bn_mul_add_words  unsigned multiply & add, 32*32+32+32=>64
 ;
 ; w.j.m. 15-jan-1999
 ;
@@ -59,7 +59,7 @@ w=16 ;(AP)	w	by value (input)
         movl    r6,r0                   ; return c
         ret
 
-        .title  vax_bn_mul_word  unsigned multiply & add, 32*32+32=>64
+        .title  vax_bn_mul_words  unsigned multiply & add, 32*32+32=>64
 ;
 ; w.j.m. 15-jan-1999
 ;
@@ -172,147 +172,175 @@ n=12 ;(AP)	n	by value (input)
 ; }
 ;
 ; Using EDIV would be very easy, if it didn't do signed calculations.
-; Therefore, som extra things have to happen around it.  The way to
-; handle that is to shift all operands right one step (basically dividing
-; them by 2) and handle the different cases depending on what the lowest
-; bit of each operand was.
+; Any time any of the input numbers are signed, there are problems,
+; usually with integer overflow, at which point it returns useless
+; data (the quotient gets the value of l, and the remainder becomes 0).
 ;
-; To start with, let's define the following:
+; If it was just for the dividend, it would be very easy, just divide
+; it by 2 (unsigned), do the division, multiply the resulting quotient
+; and remainder by 2, add the bit that was dropped when dividing by 2
+; to the remainder, and do some adjustment so the remainder doesn't
+; end up larger than the divisor.  For some cases when the divisor is
+; negative (from EDIV's point of view, i.e. when the highest bit is set),
+; dividing the dividend by 2 isn't enough, and since some operations
+; might generate integer overflows even when the dividend is divided by
+; 4 (when the high part of the shifted down dividend ends up being exactly
+; half of the divisor, the result is the quotient 0x80000000, which is
+; negative...) it needs to be divided by 8.  Furthermore, the divisor needs
+; to be divided by 2 (unsigned) as well, to avoid more problems with the sign.
+; In this case, a little extra fiddling with the remainder is required.
 ;
-; a' = l & 1
-; a2 = <h,l> >> 1       # UNSIGNED shift!
-; b' = d & 1
-; b2 = d >> 1           # UNSIGNED shift!
+; So, the simplest way to handle this is always to divide the dividend
+; by 8, and to divide the divisor by 2 if it's highest bit is set.
+; After EDIV has been used, the quotient gets multiplied by 8 if the
+; original divisor was positive, otherwise 4.  The remainder, oddly
+; enough, is *always* multiplied by 8.
+; NOTE: in the case mentioned above, where the high part of the shifted
+; down dividend ends up being exactly half the shifted down divisor, we
+; end up with a 33 bit quotient.  That's no problem however, it usually
+; means we have ended up with a too large remainder as well, and the
+; problem is fixed by the last part of the algorithm (next paragraph).
 ;
-; Now, use EDIV to calculate a quotient and a remainder:
+; The routine ends with comparing the resulting remainder with the
+; original divisor and if the remainder is larger, subtract the
+; original divisor from it, and increase the quotient by 1.  This is
+; done until the remainder is smaller than the divisor.
 ;
-; q'' = a2/b2
-; r'' = a2 - q''*b2
+; The complete algorithm looks like this:
 ;
-; If b' is 0, the quotient is already correct, we just need to adjust the
-; remainder:
+; d'    = d
+; l'    = l & 7
+; [h,l] = [h,l] >> 3
+; [q,r] = floor([h,l] / d)      # This is the EDIV operation
+; if (q < 0) q = -q             # I doubt this is necessary any more
 ;
-; if (b' == 0)
-;   {
-;     r = 2*r'' + a'
-;     q = q''
-;   }
-;
-; If b' is 1, we need to do other adjustements.  The first thought is the
-; following (note that r' will not always have the right value, but an
-; adjustement follows further down):
-;
-; if (b' == 1)
-;   {
-;     q' = q''
-;     r' = a - q'*b
-;
-; However, one can note the folowing relationship:
-;
-;                         r'' = a2 - q''*b2
-;                  =>   2*r'' = 2*a2 - 2*q''*b2
-;                             = { a = 2*a2 + a', b = 2*b2 + b' = 2*b2 + 1,
-;                                 q' = q'' }
-;                             = a - a' - q'*(b - 1)
-;                             = a - q'*b - a' + q'
-;                             = r' - a' + q'
-;                  =>     r'  = 2*r'' - q' + a'
+; r'    = r >> 29
+; if (d' >= 0)
+;   q'  = q >> 29
+;   q   = q << 3
+; else
+;   q'  = q >> 30
+;   q   = q << 2
+; r     = (r << 3) + l'
 ;
-; This enables us to use r'' instead of discarding and calculating another
-; modulo:
-;
-; if (b' == 1)
+; if (d' < 0)
 ;   {
-;     q' = q''
-;     r' = (r'' << 1) - q' + a'
-;
-; Now, all we have to do is adjust r', because it might be < 0:
-;
-;     while (r' < 0)
+;     [r',r] = [r',r] - q
+;     while ([r',r] < 0)
 ;       {
-;         r' = r' + b
-;         q' = q' - 1
+;         [r',r] = [r',r] + d
+;         [q',q] = [q',q] - 1
 ;       }
 ;   }
 ;
-; return q'
+; while ([r',r] >= d')
+;   {
+;     [r',r] = [r',r] - d'
+;     [q',q] = [q',q] + 1
+;   }
+;
+; return q
 
 h=4 ;(AP)       h       by value (input)
 l=8 ;(AP)       l       by value (input)
 d=12 ;(AP)      d       by value (input)
 
-;aprim=r5
-;a2=r6
-;a20=r6
-;a21=r7
-;bprim=r8
-;b2=r9
-;qprim=r10      ; initially used as q''
-;rprim=r11      ; initially used as r''
-
+;r2 = l, q
+;r3 = h, r
+;r4 = d
+;r5 = l'
+;r6 = r'
+;r7 = d'
+;r8 = q'
 
         .psect  code,nowrt
 
-.entry  bn_div_words,^m<r2,r3,r4,r5,r6,r7,r8,r9,r10,r11>
+.entry  bn_div_words,^m<r2,r3,r4,r5,r6,r7,r8>
         movl    l(ap),r2
         movl    h(ap),r3
         movl    d(ap),r4
 
-        movl    #0,r5
-        movl    #0,r8
-        movl    #0,r0
-;       movl    #0,r1
+        bicl3   #^XFFFFFFF8,r2,r5 ; l' = l & 7
+        bicl3   #^X00000007,r2,r2
 
-        rotl    #-1,r2,r6       ; a20 = l >> 1 (almost)
-        rotl    #-1,r3,r7       ; a21 = h >> 1 (almost)
-        rotl    #-1,r4,r9       ; b2 = d >> 1 (almost)
+        bicl3   #^XFFFFFFF8,r3,r6
+        bicl3   #^X00000007,r3,r3
+        
+        addl    r6,r2
 
-        tstl    r6
-        bgeq    1$
-        xorl2   #^X80000000,r6  ; fixup a20 so highest bit is 0
-        incl    r5              ; a' = 1
-1$:
-        tstl    r7
-        bgeq    2$
-        xorl2   #^X80000000,r6  ; fixup a20 so highest bit is 1,
-                                ; since that's what was lowest in a21
-        xorl2   #^X80000000,r7  ; fixup a21 so highest bit is 1
-2$:
-        tstl    r9
+        rotl    #-3,r2,r2       ; l = l >> 3
+        rotl    #-3,r3,r3       ; h = h >> 3
+                
+        movl    r4,r7           ; d' = d
+
+        movl    #0,r6           ; r' = 0
+        movl    #0,r8           ; q' = 0
+
+        tstl    r4
         beql    666$            ; Uh-oh, the divisor is 0...
-        bgtr    3$
-        xorl2   #^X80000000,r9  ; fixup b2 so highest bit is 0
-        incl    r8              ; b' = 1
-3$:
-        tstl    r9
-        bneq    4$              ; if b2 is 0, we know that b' is 1
-        tstl    r3
-        bneq    666$            ; if higher half isn't 0, we overflow
-        movl    r2,r10          ; otherwise, we have our result
-        brb     42$             ; This is a success, really.
-4$:
-        ediv    r9,r6,r10,r11
-
-        tstl    r8
-        bneq    5$              ; If b' != 0, go to the other part
-;       addl3   r11,r11,r1
-;       addl2   r5,r1
-        brb     42$
-5$:
-        ashl    #1,r11,r11
-        subl2   r10,r11
-        addl2   r5,r11
-        bgeq    7$
-6$:
-        decl    r10
-        addl2   r4,r11
-        blss    6$
-7$:
-;       movl    r11,r1
+        bgtr    1$
+        rotl    #-1,r4,r4       ; If d is negative, shift it right.
+        bicl2   #^X80000000,r4  ; Since d is then a large number, the
+                                ; lowest bit is insignificant
+                                ; (contradict that, and I'll fix the problem!)
+1$:     
+        ediv    r4,r2,r2,r3     ; Do the actual division
+
+        tstl    r2
+        bgeq    3$
+        mnegl   r2,r2           ; if q < 0, negate it
+3$:     
+        tstl    r7
+        blss    4$
+        rotl    #3,r2,r2        ;   q = q << 3
+        bicl3   #^XFFFFFFF8,r2,r8 ;    q' gets the high bits from q
+        bicl3   #^X00000007,r2,r2
+        bsb     41$
+4$:                             ; else
+        rotl    #2,r2,r2        ;   q = q << 2
+        bicl3   #^XFFFFFFFC,r2,r8 ;   q' gets the high bits from q
+        bicl3   #^X00000003,r2,r2
+41$:
+        rotl    #3,r3,r3        ; r = r << 3
+        bicl3   #^XFFFFFFF8,r3,r6 ; r' gets the high bits from r
+        bicl3   #^X00000007,r3,r3
+        addl    r5,r3           ; r = r + l'
+
+        tstl    r7
+        bgeq    5$
+        bitl    #1,r7
+        beql    5$              ; if d' < 0 && d' & 1
+        subl    r2,r3           ;   [r',r] = [r',r] - [q',q]
+        sbwc    r8,r6
+45$:
+        bgeq    5$              ;   while r < 0
+        decl    r2              ;     [q',q] = [q',q] - 1
+        sbwc    #0,r8
+        addl    r7,r3           ;     [r',r] = [r',r] + d'
+        adwc    #0,r6
+        brb     45$
+
+; The return points are placed in the middle to keep a short distance from
+; all the branch points
 42$:
-        movl    r10,r0
+;       movl    r3,r1
+        movl    r2,r0
+        ret
 666$:
+        movl    #^XFFFFFFFF,r0
         ret
+
+5$:
+        tstl    r6
+        bneq    6$
+        cmpl    r3,r7
+        blssu   42$             ; while [r',r] >= d'
+6$:
+        subl    r7,r3           ;   [r',r] = [r',r] - d'
+        sbwc    #0,r6
+        incl    r2              ;   [q',q] = [q',q] + 1
+        adwc    #0,r8
+        brb     5$      
 
         .title  vax_bn_add_words  unsigned add of two arrays
 ;
diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index b40682f831..3da6d8ced9 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -248,6 +248,8 @@ typedef struct bn_blinding_st
         BIGNUM *A;
         BIGNUM *Ai;
         BIGNUM *mod; /* just a reference */
+        unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b;
+                                  * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
         } BN_BLINDING;
 
 /* Used for montgomery multiplication */
diff --git a/src/lib/libcrypto/bn/bn_div.c b/src/lib/libcrypto/bn/bn_div.c
index f9a095e3b3..580d1201bc 100644
--- a/src/lib/libcrypto/bn/bn_div.c
+++ b/src/lib/libcrypto/bn/bn_div.c
@@ -150,6 +150,20 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
             q;                                  \
         })
 #  define REMAINDER_IS_ALREADY_CALCULATED
+#  elif defined(__x86_64) && defined(SIXTY_FOUR_BIT_LONG)
+   /*
+    * Same story here, but it's 128-bit by 64-bit division. Wow!
+    *                                   <appro@fy.chalmers.se>
+    */
+#  define bn_div_words(n0,n1,d0)                \
+        ({  asm volatile (                      \
+                "divq   %4"                     \
+                : "=a"(q), "=d"(rem)            \
+                : "a"(n1), "d"(n0), "g"(d0)     \
+                : "cc");                        \
+            q;                                  \
+        })
+#  define REMAINDER_IS_ALREADY_CALCULATED
 #  endif /* __<cpu> */
 # endif /* __GNUC__ */
 #endif /* OPENSSL_NO_ASM */
@@ -268,6 +282,11 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
                         q=(BN_ULONG)(((((BN_ULLONG)n0)<<BN_BITS2)|n1)/d0);
 #else
                         q=bn_div_words(n0,n1,d0);
+#ifdef BN_DEBUG_LEVITTE
+                        fprintf(stderr,"DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
+X) -> 0x%08X\n",
+                                n0, n1, d0, q);
+#endif
 #endif
 
 #ifndef REMAINDER_IS_ALREADY_CALCULATED
@@ -292,11 +311,18 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
                         BN_ULONG t2l,t2h,ql,qh;
 
                         q=bn_div_words(n0,n1,d0);
+#ifdef BN_DEBUG_LEVITTE
+                        fprintf(stderr,"DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
+X) -> 0x%08X\n",
+                                n0, n1, d0, q);
+#endif
 #ifndef REMAINDER_IS_ALREADY_CALCULATED
                         rem=(n1-q*d0)&BN_MASK2;
 #endif
 
-#ifdef BN_UMULT_HIGH
+#if defined(BN_UMULT_LOHI)
+                        BN_UMULT_LOHI(t2l,t2h,d1,q);
+#elif defined(BN_UMULT_HIGH)
                         t2l = d1 * q;
                         t2h = BN_UMULT_HIGH(d1,q);
 #else
diff --git a/src/lib/libcrypto/bn/bn_lcl.h b/src/lib/libcrypto/bn/bn_lcl.h
index 8a4dba375a..5614bc6164 100644
--- a/src/lib/libcrypto/bn/bn_lcl.h
+++ b/src/lib/libcrypto/bn/bn_lcl.h
@@ -230,6 +230,21 @@ struct bignum_ctx
              : "r"(a), "r"(b));         \
         ret;                    })
 #  endif        /* compiler */
+# elif defined(__x86_64) && defined(SIXTY_FOUR_BIT_LONG)
+#  if defined(__GNUC__)
+#   define BN_UMULT_HIGH(a,b)   ({      \
+        register BN_ULONG ret,discard;  \
+        asm ("mulq      %3"             \
+             : "=a"(discard),"=d"(ret)  \
+             : "a"(a), "g"(b)           \
+             : "cc");                   \
+        ret;                    })
+#   define BN_UMULT_LOHI(low,high,a,b)  \
+        asm ("mulq      %3"             \
+                : "=a"(low),"=d"(high)  \
+                : "a"(a),"g"(b)         \
+                : "cc");
+#  endif
 # endif         /* cpu */
 #endif          /* OPENSSL_NO_ASM */
 
@@ -337,7 +352,7 @@ struct bignum_ctx
 
 #define LBITS(a)        ((a)&BN_MASK2l)
 #define HBITS(a)        (((a)>>BN_BITS4)&BN_MASK2l)
-#define L2HBITS(a)      ((BN_ULONG)((a)&BN_MASK2l)<<BN_BITS4)
+#define L2HBITS(a)      (((a)<<BN_BITS4)&BN_MASK2)
 
 #define LLBITS(a)       ((a)&BN_MASKl)
 #define LHBITS(a)       (((a)>>BN_BITS2)&BN_MASKl)
@@ -353,7 +368,7 @@ struct bignum_ctx
         lt=(bl)*(lt); \
         m1=(bl)*(ht); \
         ht =(bh)*(ht); \
-        m=(m+m1)&BN_MASK2; if (m < m1) ht+=L2HBITS(1L); \
+        m=(m+m1)&BN_MASK2; if (m < m1) ht+=L2HBITS((BN_ULONG)1); \
         ht+=HBITS(m); \
         m1=L2HBITS(m); \
         lt=(lt+m1)&BN_MASK2; if (lt < m1) ht++; \
@@ -418,20 +433,19 @@ void bn_sqr_comba4(BN_ULONG *r,const BN_ULONG *a);
 int bn_cmp_words(const BN_ULONG *a,const BN_ULONG *b,int n);
 int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b,
         int cl, int dl);
+#if 0
+/* bn_mul.c rollback <appro> */
 void bn_mul_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2,
         int dna,int dnb,BN_ULONG *t);
 void bn_mul_part_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,
         int n,int tna,int tnb,BN_ULONG *t);
+#endif
 void bn_sqr_recursive(BN_ULONG *r,const BN_ULONG *a, int n2, BN_ULONG *t);
 void bn_mul_low_normal(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, int n);
 void bn_mul_low_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2,
         BN_ULONG *t);
 void bn_mul_high(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,BN_ULONG *l,int n2,
         BN_ULONG *t);
-BN_ULONG bn_add_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
-        int cl, int dl);
-BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
-        int cl, int dl);
 
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/bn/bn_lib.c b/src/lib/libcrypto/bn/bn_lib.c
index ce2ae78419..463463cfcb 100644
--- a/src/lib/libcrypto/bn/bn_lib.c
+++ b/src/lib/libcrypto/bn/bn_lib.c
@@ -263,12 +263,12 @@ void BN_clear_free(BIGNUM *a)
         if (a == NULL) return;
         if (a->d != NULL)
                 {
-                memset(a->d,0,a->dmax*sizeof(a->d[0]));
+                OPENSSL_cleanse(a->d,a->dmax*sizeof(a->d[0]));
                 if (!(BN_get_flags(a,BN_FLG_STATIC_DATA)))
                         OPENSSL_free(a->d);
                 }
         i=BN_get_flags(a,BN_FLG_MALLOCED);
-        memset(a,0,sizeof(BIGNUM));
+        OPENSSL_cleanse(a,sizeof(BIGNUM));
         if (i)
                 OPENSSL_free(a);
         }
diff --git a/src/lib/libcrypto/bn/bn_mul.c b/src/lib/libcrypto/bn/bn_mul.c
index b03458d002..cb93ac3356 100644
--- a/src/lib/libcrypto/bn/bn_mul.c
+++ b/src/lib/libcrypto/bn/bn_mul.c
@@ -56,325 +56,10 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef BN_DEBUG
-# undef NDEBUG /* avoid conflicting definitions */
-# define NDEBUG
-#endif
-
 #include <stdio.h>
-#include <assert.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
 
-#if defined(OPENSSL_NO_ASM) || !(defined(__i386) || defined(__i386__)) || defined(__DJGPP__) /* Assembler implementation exists only for x86 */
-/* Here follows specialised variants of bn_add_words() and
-   bn_sub_words().  They have the property performing operations on
-   arrays of different sizes.  The sizes of those arrays is expressed through
-   cl, which is the common length ( basicall, min(len(a),len(b)) ), and dl,
-   which is the delta between the two lengths, calculated as len(a)-len(b).
-   All lengths are the number of BN_ULONGs...  For the operations that require
-   a result array as parameter, it must have the length cl+abs(dl).
-   These functions should probably end up in bn_asm.c as soon as there are
-   assembler counterparts for the systems that use assembler files.  */
-
-BN_ULONG bn_sub_part_words(BN_ULONG *r,
-        const BN_ULONG *a, const BN_ULONG *b,
-        int cl, int dl)
-        {
-        BN_ULONG c, t;
-
-        assert(cl >= 0);
-        c = bn_sub_words(r, a, b, cl);
-
-        if (dl == 0)
-                return c;
-
-        r += cl;
-        a += cl;
-        b += cl;
-
-        if (dl < 0)
-                {
-#ifdef BN_COUNT
-                fprintf(stderr, "  bn_sub_part_words %d + %d (dl < 0, c = %d)\n", cl, dl, c);
-#endif
-                for (;;)
-                        {
-                        t = b[0];
-                        r[0] = (0-t-c)&BN_MASK2;
-                        if (t != 0) c=1;
-                        if (++dl >= 0) break;
-
-                        t = b[1];
-                        r[1] = (0-t-c)&BN_MASK2;
-                        if (t != 0) c=1;
-                        if (++dl >= 0) break;
-
-                        t = b[2];
-                        r[2] = (0-t-c)&BN_MASK2;
-                        if (t != 0) c=1;
-                        if (++dl >= 0) break;
-
-                        t = b[3];
-                        r[3] = (0-t-c)&BN_MASK2;
-                        if (t != 0) c=1;
-                        if (++dl >= 0) break;
-
-                        b += 4;
-                        r += 4;
-                        }
-                }
-        else
-                {
-                int save_dl = dl;
-#ifdef BN_COUNT
-                fprintf(stderr, "  bn_sub_part_words %d + %d (dl > 0, c = %d)\n", cl, dl, c);
-#endif
-                while(c)
-                        {
-                        t = a[0];
-                        r[0] = (t-c)&BN_MASK2;
-                        if (t != 0) c=0;
-                        if (--dl <= 0) break;
-
-                        t = a[1];
-                        r[1] = (t-c)&BN_MASK2;
-                        if (t != 0) c=0;
-                        if (--dl <= 0) break;
-
-                        t = a[2];
-                        r[2] = (t-c)&BN_MASK2;
-                        if (t != 0) c=0;
-                        if (--dl <= 0) break;
-
-                        t = a[3];
-                        r[3] = (t-c)&BN_MASK2;
-                        if (t != 0) c=0;
-                        if (--dl <= 0) break;
-
-                        save_dl = dl;
-                        a += 4;
-                        r += 4;
-                        }
-                if (dl > 0)
-                        {
-#ifdef BN_COUNT
-                        fprintf(stderr, "  bn_sub_part_words %d + %d (dl > 0, c == 0)\n", cl, dl);
-#endif
-                        if (save_dl > dl)
-                                {
-                                switch (save_dl - dl)
-                                        {
-                                case 1:
-                                        r[1] = a[1];
-                                        if (--dl <= 0) break;
-                                case 2:
-                                        r[2] = a[2];
-                                        if (--dl <= 0) break;
-                                case 3:
-                                        r[3] = a[3];
-                                        if (--dl <= 0) break;
-                                        }
-                                a += 4;
-                                r += 4;
-                                }
-                        }
-                if (dl > 0)
-                        {
-#ifdef BN_COUNT
-                        fprintf(stderr, "  bn_sub_part_words %d + %d (dl > 0, copy)\n", cl, dl);
-#endif
-                        for(;;)
-                                {
-                                r[0] = a[0];
-                                if (--dl <= 0) break;
-                                r[1] = a[1];
-                                if (--dl <= 0) break;
-                                r[2] = a[2];
-                                if (--dl <= 0) break;
-                                r[3] = a[3];
-                                if (--dl <= 0) break;
-
-                                a += 4;
-                                r += 4;
-                                }
-                        }
-                }
-        return c;
-        }
-#endif
-
-BN_ULONG bn_add_part_words(BN_ULONG *r,
-        const BN_ULONG *a, const BN_ULONG *b,
-        int cl, int dl)
-        {
-        BN_ULONG c, l, t;
-
-        assert(cl >= 0);
-        c = bn_add_words(r, a, b, cl);
-
-        if (dl == 0)
-                return c;
-
-        r += cl;
-        a += cl;
-        b += cl;
-
-        if (dl < 0)
-                {
-                int save_dl = dl;
-#ifdef BN_COUNT
-                fprintf(stderr, "  bn_add_part_words %d + %d (dl < 0, c = %d)\n", cl, dl, c);
-#endif
-                while (c)
-                        {
-                        l=(c+b[0])&BN_MASK2;
-                        c=(l < c);
-                        r[0]=l;
-                        if (++dl >= 0) break;
-
-                        l=(c+b[1])&BN_MASK2;
-                        c=(l < c);
-                        r[1]=l;
-                        if (++dl >= 0) break;
-
-                        l=(c+b[2])&BN_MASK2;
-                        c=(l < c);
-                        r[2]=l;
-                        if (++dl >= 0) break;
-
-                        l=(c+b[3])&BN_MASK2;
-                        c=(l < c);
-                        r[3]=l;
-                        if (++dl >= 0) break;
-
-                        save_dl = dl;
-                        b+=4;
-                        r+=4;
-                        }
-                if (dl < 0)
-                        {
-#ifdef BN_COUNT
-                        fprintf(stderr, "  bn_add_part_words %d + %d (dl < 0, c == 0)\n", cl, dl);
-#endif
-                        if (save_dl < dl)
-                                {
-                                switch (dl - save_dl)
-                                        {
-                                case 1:
-                                        r[1] = b[1];
-                                        if (++dl >= 0) break;
-                                case 2:
-                                        r[2] = b[2];
-                                        if (++dl >= 0) break;
-                                case 3:
-                                        r[3] = b[3];
-                                        if (++dl >= 0) break;
-                                        }
-                                b += 4;
-                                r += 4;
-                                }
-                        }
-                if (dl < 0)
-                        {
-#ifdef BN_COUNT
-                        fprintf(stderr, "  bn_add_part_words %d + %d (dl < 0, copy)\n", cl, dl);
-#endif
-                        for(;;)
-                                {
-                                r[0] = b[0];
-                                if (++dl >= 0) break;
-                                r[1] = b[1];
-                                if (++dl >= 0) break;
-                                r[2] = b[2];
-                                if (++dl >= 0) break;
-                                r[3] = b[3];
-                                if (++dl >= 0) break;
-
-                                b += 4;
-                                r += 4;
-                                }
-                        }
-                }
-        else
-                {
-                int save_dl = dl;
-#ifdef BN_COUNT
-                fprintf(stderr, "  bn_add_part_words %d + %d (dl > 0)\n", cl, dl);
-#endif
-                while (c)
-                        {
-                        t=(a[0]+c)&BN_MASK2;
-                        c=(t < c);
-                        r[0]=t;
-                        if (--dl <= 0) break;
-
-                        t=(a[1]+c)&BN_MASK2;
-                        c=(t < c);
-                        r[1]=t;
-                        if (--dl <= 0) break;
-
-                        t=(a[2]+c)&BN_MASK2;
-                        c=(t < c);
-                        r[2]=t;
-                        if (--dl <= 0) break;
-
-                        t=(a[3]+c)&BN_MASK2;
-                        c=(t < c);
-                        r[3]=t;
-                        if (--dl <= 0) break;
-
-                        save_dl = dl;
-                        a+=4;
-                        r+=4;
-                        }
-#ifdef BN_COUNT
-                fprintf(stderr, "  bn_add_part_words %d + %d (dl > 0, c == 0)\n", cl, dl);
-#endif
-                if (dl > 0)
-                        {
-                        if (save_dl > dl)
-                                {
-                                switch (save_dl - dl)
-                                        {
-                                case 1:
-                                        r[1] = a[1];
-                                        if (--dl <= 0) break;
-                                case 2:
-                                        r[2] = a[2];
-                                        if (--dl <= 0) break;
-                                case 3:
-                                        r[3] = a[3];
-                                        if (--dl <= 0) break;
-                                        }
-                                a += 4;
-                                r += 4;
-                                }
-                        }
-                if (dl > 0)
-                        {
-#ifdef BN_COUNT
-                        fprintf(stderr, "  bn_add_part_words %d + %d (dl > 0, copy)\n", cl, dl);
-#endif
-                        for(;;)
-                                {
-                                r[0] = a[0];
-                                if (--dl <= 0) break;
-                                r[1] = a[1];
-                                if (--dl <= 0) break;
-                                r[2] = a[2];
-                                if (--dl <= 0) break;
-                                r[3] = a[3];
-                                if (--dl <= 0) break;
-
-                                a += 4;
-                                r += 4;
-                                }
-                        }
-                }
-        return c;
-        }
-
 #ifdef BN_RECURSION
 /* Karatsuba recursive multiplication algorithm
  * (cf. Knuth, The Art of Computer Programming, Vol. 2) */
@@ -390,15 +75,14 @@ BN_ULONG bn_add_part_words(BN_ULONG *r,
  * a[1]*b[1]
  */
 void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
-        int dna, int dnb, BN_ULONG *t)
+             BN_ULONG *t)
         {
         int n=n2/2,c1,c2;
-        int tna=n+dna, tnb=n+dnb;
         unsigned int neg,zero;
         BN_ULONG ln,lo,*p;
 
 # ifdef BN_COUNT
-        fprintf(stderr," bn_mul_recursive %d * %d\n",n2,n2);
+        printf(" bn_mul_recursive %d * %d\n",n2,n2);
 # endif
 # ifdef BN_MUL_COMBA
 #  if 0
@@ -408,40 +92,34 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
                 return;
                 }
 #  endif
-        /* Only call bn_mul_comba 8 if n2 == 8 and the
-         * two arrays are complete [steve]
-         */
-        if (n2 == 8 && dna == 0 && dnb == 0)
+        if (n2 == 8)
                 {
                 bn_mul_comba8(r,a,b);
                 return; 
                 }
 # endif /* BN_MUL_COMBA */
-        /* Else do normal multiply */
         if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL)
                 {
-                bn_mul_normal(r,a,n2+dna,b,n2+dnb);
-                if ((dna + dnb) < 0)
-                        memset(&r[2*n2 + dna + dnb], 0,
-                                sizeof(BN_ULONG) * -(dna + dnb));
+                /* This should not happen */
+                bn_mul_normal(r,a,n2,b,n2);
                 return;
                 }
         /* r=(a[0]-a[1])*(b[1]-b[0]) */
-        c1=bn_cmp_part_words(a,&(a[n]),tna,n-tna);
-        c2=bn_cmp_part_words(&(b[n]),b,tnb,tnb-n);
+        c1=bn_cmp_words(a,&(a[n]),n);
+        c2=bn_cmp_words(&(b[n]),b,n);
         zero=neg=0;
         switch (c1*3+c2)
                 {
         case -4:
-                bn_sub_part_words(t,      &(a[n]),a,      tna,tna-n); /* - */
-                bn_sub_part_words(&(t[n]),b,      &(b[n]),tnb,n-tnb); /* - */
+                bn_sub_words(t,      &(a[n]),a,      n); /* - */
+                bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
                 break;
         case -3:
                 zero=1;
                 break;
         case -2:
-                bn_sub_part_words(t,      &(a[n]),a,      tna,tna-n); /* - */
-                bn_sub_part_words(&(t[n]),&(b[n]),b,      tnb,tnb-n); /* + */
+                bn_sub_words(t,      &(a[n]),a,      n); /* - */
+                bn_sub_words(&(t[n]),&(b[n]),b,      n); /* + */
                 neg=1;
                 break;
         case -1:
@@ -450,22 +128,21 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
                 zero=1;
                 break;
         case 2:
-                bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna); /* + */
-                bn_sub_part_words(&(t[n]),b,      &(b[n]),tnb,n-tnb); /* - */
+                bn_sub_words(t,      a,      &(a[n]),n); /* + */
+                bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
                 neg=1;
                 break;
         case 3:
                 zero=1;
                 break;
         case 4:
-                bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna);
-                bn_sub_part_words(&(t[n]),&(b[n]),b,      tnb,tnb-n);
+                bn_sub_words(t,      a,      &(a[n]),n);
+                bn_sub_words(&(t[n]),&(b[n]),b,      n);
                 break;
                 }
 
 # ifdef BN_MUL_COMBA
-        if (n == 4 && dna == 0 && dnb == 0) /* XXX: bn_mul_comba4 could take
-                                               extra args to do this well */
+        if (n == 4)
                 {
                 if (!zero)
                         bn_mul_comba4(&(t[n2]),t,&(t[n]));
@@ -475,9 +152,7 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
                 bn_mul_comba4(r,a,b);
                 bn_mul_comba4(&(r[n2]),&(a[n]),&(b[n]));
                 }
-        else if (n == 8 && dna == 0 && dnb == 0) /* XXX: bn_mul_comba8 could
-                                                    take extra args to do this
-                                                    well */
+        else if (n == 8)
                 {
                 if (!zero)
                         bn_mul_comba8(&(t[n2]),t,&(t[n]));
@@ -492,11 +167,11 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
                 {
                 p= &(t[n2*2]);
                 if (!zero)
-                        bn_mul_recursive(&(t[n2]),t,&(t[n]),n,0,0,p);
+                        bn_mul_recursive(&(t[n2]),t,&(t[n]),n,p);
                 else
                         memset(&(t[n2]),0,n2*sizeof(BN_ULONG));
-                bn_mul_recursive(r,a,b,n,0,0,p);
-                bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),n,dna,dnb,p);
+                bn_mul_recursive(r,a,b,n,p);
+                bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),n,p);
                 }
 
         /* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
@@ -545,39 +220,39 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 
 /* n+tn is the word length
  * t needs to be n*4 is size, as does r */
-void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
-             int tna, int tnb, BN_ULONG *t)
+void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
+             int n, BN_ULONG *t)
         {
         int i,j,n2=n*2;
         unsigned int c1,c2,neg,zero;
         BN_ULONG ln,lo,*p;
 
 # ifdef BN_COUNT
-        fprintf(stderr," bn_mul_part_recursive (%d+%d) * (%d+%d)\n",
-                tna, n, tnb, n);
+        printf(" bn_mul_part_recursive %d * %d\n",tn+n,tn+n);
 # endif
         if (n < 8)
                 {
-                bn_mul_normal(r,a,n+tna,b,n+tnb);
+                i=tn+n;
+                bn_mul_normal(r,a,i,b,i);
                 return;
                 }
 
         /* r=(a[0]-a[1])*(b[1]-b[0]) */
-        c1=bn_cmp_part_words(a,&(a[n]),tna,n-tna);
-        c2=bn_cmp_part_words(&(b[n]),b,tnb,tnb-n);
+        c1=bn_cmp_words(a,&(a[n]),n);
+        c2=bn_cmp_words(&(b[n]),b,n);
         zero=neg=0;
         switch (c1*3+c2)
                 {
         case -4:
-                bn_sub_part_words(t,      &(a[n]),a,      tna,tna-n); /* - */
-                bn_sub_part_words(&(t[n]),b,      &(b[n]),tnb,n-tnb); /* - */
+                bn_sub_words(t,      &(a[n]),a,      n); /* - */
+                bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
                 break;
         case -3:
                 zero=1;
                 /* break; */
         case -2:
-                bn_sub_part_words(t,      &(a[n]),a,      tna,tna-n); /* - */
-                bn_sub_part_words(&(t[n]),&(b[n]),b,      tnb,tnb-n); /* + */
+                bn_sub_words(t,      &(a[n]),a,      n); /* - */
+                bn_sub_words(&(t[n]),&(b[n]),b,      n); /* + */
                 neg=1;
                 break;
         case -1:
@@ -586,16 +261,16 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
                 zero=1;
                 /* break; */
         case 2:
-                bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna); /* + */
-                bn_sub_part_words(&(t[n]),b,      &(b[n]),tnb,n-tnb); /* - */
+                bn_sub_words(t,      a,      &(a[n]),n); /* + */
+                bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
                 neg=1;
                 break;
         case 3:
                 zero=1;
                 /* break; */
         case 4:
-                bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna);
-                bn_sub_part_words(&(t[n]),&(b[n]),b,      tnb,tnb-n);
+                bn_sub_words(t,      a,      &(a[n]),n);
+                bn_sub_words(&(t[n]),&(b[n]),b,      n);
                 break;
                 }
                 /* The zero case isn't yet implemented here. The speedup
@@ -614,59 +289,54 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
                 {
                 bn_mul_comba8(&(t[n2]),t,&(t[n]));
                 bn_mul_comba8(r,a,b);
-                bn_mul_normal(&(r[n2]),&(a[n]),tna,&(b[n]),tnb);
-                memset(&(r[n2+tna+tnb]),0,sizeof(BN_ULONG)*(n2-tna-tnb));
+                bn_mul_normal(&(r[n2]),&(a[n]),tn,&(b[n]),tn);
+                memset(&(r[n2+tn*2]),0,sizeof(BN_ULONG)*(n2-tn*2));
                 }
         else
                 {
                 p= &(t[n2*2]);
-                bn_mul_recursive(&(t[n2]),t,&(t[n]),n,0,0,p);
-                bn_mul_recursive(r,a,b,n,0,0,p);
+                bn_mul_recursive(&(t[n2]),t,&(t[n]),n,p);
+                bn_mul_recursive(r,a,b,n,p);
                 i=n/2;
                 /* If there is only a bottom half to the number,
                  * just do it */
-                if (tna > tnb)
-                        j = tna - i;
-                else
-                        j = tnb - i;
+                j=tn-i;
                 if (j == 0)
                         {
-                        bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),
-                                i,tna-i,tnb-i,p);
+                        bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),i,p);
                         memset(&(r[n2+i*2]),0,sizeof(BN_ULONG)*(n2-i*2));
                         }
                 else if (j > 0) /* eg, n == 16, i == 8 and tn == 11 */
                                 {
                                 bn_mul_part_recursive(&(r[n2]),&(a[n]),&(b[n]),
-                                        i,tna-i,tnb-i,p);
-                                memset(&(r[n2+tna+tnb]),0,
-                                        sizeof(BN_ULONG)*(n2-tna-tnb));
+                                        j,i,p);
+                                memset(&(r[n2+tn*2]),0,
+                                        sizeof(BN_ULONG)*(n2-tn*2));
                                 }
                 else /* (j < 0) eg, n == 16, i == 8 and tn == 5 */
                         {
                         memset(&(r[n2]),0,sizeof(BN_ULONG)*n2);
-                        if (tna < BN_MUL_RECURSIVE_SIZE_NORMAL
-                                && tnb < BN_MUL_RECURSIVE_SIZE_NORMAL)
+                        if (tn < BN_MUL_RECURSIVE_SIZE_NORMAL)
                                 {
-                                bn_mul_normal(&(r[n2]),&(a[n]),tna,&(b[n]),tnb);
+                                bn_mul_normal(&(r[n2]),&(a[n]),tn,&(b[n]),tn);
                                 }
                         else
                                 {
                                 for (;;)
                                         {
                                         i/=2;
-                                        if (i < tna && i < tnb)
+                                        if (i < tn)
                                                 {
                                                 bn_mul_part_recursive(&(r[n2]),
                                                         &(a[n]),&(b[n]),
-                                                        i,tna-i,tnb-i,p);
+                                                        tn-i,i,p);
                                                 break;
                                                 }
-                                        else if (i <= tna && i <= tnb)
+                                        else if (i == tn)
                                                 {
                                                 bn_mul_recursive(&(r[n2]),
                                                         &(a[n]),&(b[n]),
-                                                        i,tna-i,tnb-i,p);
+                                                        i,p);
                                                 break;
                                                 }
                                         }
@@ -727,10 +397,10 @@ void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
         int n=n2/2;
 
 # ifdef BN_COUNT
-        fprintf(stderr," bn_mul_low_recursive %d * %d\n",n2,n2);
+        printf(" bn_mul_low_recursive %d * %d\n",n2,n2);
 # endif
 
-        bn_mul_recursive(r,a,b,n,0,0,&(t[0]));
+        bn_mul_recursive(r,a,b,n,&(t[0]));
         if (n >= BN_MUL_LOW_RECURSIVE_SIZE_NORMAL)
                 {
                 bn_mul_low_recursive(&(t[0]),&(a[0]),&(b[n]),n,&(t[n2]));
@@ -761,7 +431,7 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
         BN_ULONG ll,lc,*lp,*mp;
 
 # ifdef BN_COUNT
-        fprintf(stderr," bn_mul_high %d * %d\n",n2,n2);
+        printf(" bn_mul_high %d * %d\n",n2,n2);
 # endif
         n=n2/2;
 
@@ -814,8 +484,8 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
         else
 # endif
                 {
-                bn_mul_recursive(&(t[0]),&(r[0]),&(r[n]),n,0,0,&(t[n2]));
-                bn_mul_recursive(r,&(a[n]),&(b[n]),n,0,0,&(t[n2]));
+                bn_mul_recursive(&(t[0]),&(r[0]),&(r[n]),n,&(t[n2]));
+                bn_mul_recursive(r,&(a[n]),&(b[n]),n,&(t[n2]));
                 }
 
         /* s0 == low(al*bl)
@@ -940,19 +610,19 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
 
 int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
         {
-        int ret=0;
         int top,al,bl;
         BIGNUM *rr;
+        int ret = 0;
 #if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
         int i;
 #endif
 #ifdef BN_RECURSION
-        BIGNUM *t=NULL;
-        int j=0,k;
+        BIGNUM *t;
+        int j,k;
 #endif
 
 #ifdef BN_COUNT
-        fprintf(stderr,"BN_mul %d * %d\n",a->top,b->top);
+        printf("BN_mul %d * %d\n",a->top,b->top);
 #endif
 
         bn_check_top(a);
@@ -1005,55 +675,21 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 #ifdef BN_RECURSION
         if ((al >= BN_MULL_SIZE_NORMAL) && (bl >= BN_MULL_SIZE_NORMAL))
                 {
-                if (i >= -1 && i <= 1)
+                if (i == 1 && !BN_get_flags(b,BN_FLG_STATIC_DATA) && bl<b->dmax)
                         {
-                        int sav_j =0;
-                        /* Find out the power of two lower or equal
-                           to the longest of the two numbers */
-                        if (i >= 0)
-                                {
-                                j = BN_num_bits_word((BN_ULONG)al);
-                                }
-                        if (i == -1)
-                                {
-                                j = BN_num_bits_word((BN_ULONG)bl);
-                                }
-                        sav_j = j;
-                        j = 1<<(j-1);
-                        assert(j <= al || j <= bl);
-                        k = j+j;
-                        t = BN_CTX_get(ctx);
-                        if (al > j || bl > j)
-                                {
-                                bn_wexpand(t,k*4);
-                                bn_wexpand(rr,k*4);
-                                bn_mul_part_recursive(rr->d,a->d,b->d,
-                                        j,al-j,bl-j,t->d);
-                                }
-                        else    /* al <= j || bl <= j */
-                                {
-                                bn_wexpand(t,k*2);
-                                bn_wexpand(rr,k*2);
-                                bn_mul_recursive(rr->d,a->d,b->d,
-                                        j,al-j,bl-j,t->d);
-                                }
-                        rr->top=top;
-                        goto end;
-                        }
-#if 0
-                if (i == 1 && !BN_get_flags(b,BN_FLG_STATIC_DATA))
-                        {
-                        BIGNUM *tmp_bn = (BIGNUM *)b;
-                        if (bn_wexpand(tmp_bn,al) == NULL) goto err;
-                        tmp_bn->d[bl]=0;
+#if 0   /* tribute to const-ification, bl<b->dmax above covers for this */
+                        if (bn_wexpand(b,al) == NULL) goto err;
+#endif
+                        b->d[bl]=0;
                         bl++;
                         i--;
                         }
-                else if (i == -1 && !BN_get_flags(a,BN_FLG_STATIC_DATA))
+                else if (i == -1 && !BN_get_flags(a,BN_FLG_STATIC_DATA) && al<a->dmax)
                         {
-                        BIGNUM *tmp_bn = (BIGNUM *)a;
-                        if (bn_wexpand(tmp_bn,bl) == NULL) goto err;
-                        tmp_bn->d[al]=0;
+#if 0   /* tribute to const-ification, al<a->dmax above covers for this */
+                        if (bn_wexpand(a,bl) == NULL) goto err;
+#endif
+                        a->d[al]=0;
                         al++;
                         i++;
                         }
@@ -1070,17 +706,26 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
                                 if (bn_wexpand(t,k*2) == NULL) goto err;
                                 if (bn_wexpand(rr,k*2) == NULL) goto err;
                                 bn_mul_recursive(rr->d,a->d,b->d,al,t->d);
+                                rr->top=top;
+                                goto end;
                                 }
+#if 0   /* tribute to const-ification, rsa/dsa performance is not affected */
                         else
                                 {
-                                if (bn_wexpand(t,k*4) == NULL) goto err;
-                                if (bn_wexpand(rr,k*4) == NULL) goto err;
+                                if (bn_wexpand(a,k) == NULL ) goto err;
+                                if (bn_wexpand(b,k) == NULL ) goto err;
+                                if (bn_wexpand(t,k*4) == NULL ) goto err;
+                                if (bn_wexpand(rr,k*4) == NULL ) goto err;
+                                for (i=a->top; i<k; i++)
+                                        a->d[i]=0;
+                                for (i=b->top; i<k; i++)
+                                        b->d[i]=0;
                                 bn_mul_part_recursive(rr->d,a->d,b->d,al-j,j,t->d);
                                 }
                         rr->top=top;
                         goto end;
-                        }
 #endif
+                        }
                 }
 #endif /* BN_RECURSION */
         if (bn_wexpand(rr,top) == NULL) goto err;
@@ -1103,7 +748,7 @@ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
         BN_ULONG *rr;
 
 #ifdef BN_COUNT
-        fprintf(stderr," bn_mul_normal %d * %d\n",na,nb);
+        printf(" bn_mul_normal %d * %d\n",na,nb);
 #endif
 
         if (na < nb)
@@ -1116,13 +761,7 @@ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
 
                 }
         rr= &(r[na]);
-        if (nb <= 0)
-                {
-                (void)bn_mul_words(r,a,na,0);
-                return;
-                }
-        else
-                rr[0]=bn_mul_words(r,a,na,b[0]);
+        rr[0]=bn_mul_words(r,a,na,b[0]);
 
         for (;;)
                 {
@@ -1143,7 +782,7 @@ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
 void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
         {
 #ifdef BN_COUNT
-        fprintf(stderr," bn_mul_low_normal %d * %d\n",n,n);
+        printf(" bn_mul_low_normal %d * %d\n",n,n);
 #endif
         bn_mul_words(r,a,n,b[0]);
 
diff --git a/src/lib/libcrypto/bn/bn_prime.c b/src/lib/libcrypto/bn/bn_prime.c
index 918b9237c6..e072d9255c 100644
--- a/src/lib/libcrypto/bn/bn_prime.c
+++ b/src/lib/libcrypto/bn/bn_prime.c
@@ -140,6 +140,7 @@ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
         BN_CTX *ctx;
         int checks = BN_prime_checks_for_size(bits);
 
+        BN_init(&t);
         ctx=BN_CTX_new();
         if (ctx == NULL) goto err;
         if (ret == NULL)
@@ -148,7 +149,6 @@ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
                 }
         else
                 rnd=ret;
-        BN_init(&t);
 loop: 
         /* make a random number and set the top and bottom bits */
         if (add == NULL)
diff --git a/src/lib/libcrypto/bn/bn_rand.c b/src/lib/libcrypto/bn/bn_rand.c
index 9e08ccd22e..893c9d2af9 100644
--- a/src/lib/libcrypto/bn/bn_rand.c
+++ b/src/lib/libcrypto/bn/bn_rand.c
@@ -201,7 +201,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
 err:
         if (buf != NULL)
                 {
-                memset(buf,0,bytes);
+                OPENSSL_cleanse(buf,bytes);
                 OPENSSL_free(buf);
                 }
         return(ret);
diff --git a/src/lib/libcrypto/bn/bn_word.c b/src/lib/libcrypto/bn/bn_word.c
index cd59baa2c4..988e0ca7b3 100644
--- a/src/lib/libcrypto/bn/bn_word.c
+++ b/src/lib/libcrypto/bn/bn_word.c
@@ -123,7 +123,10 @@ int BN_add_word(BIGNUM *a, BN_ULONG w)
         i=0;
         for (;;)
                 {
-                l=(a->d[i]+(BN_ULONG)w)&BN_MASK2;
+                if (i >= a->top)
+                        l=w;
+                else
+                        l=(a->d[i]+(BN_ULONG)w)&BN_MASK2;
                 a->d[i]=l;
                 if (w > l)
                         w=1;
diff --git a/src/lib/libcrypto/bn/bntest.c b/src/lib/libcrypto/bn/bntest.c
index 8158a67374..3c8c540387 100644
--- a/src/lib/libcrypto/bn/bntest.c
+++ b/src/lib/libcrypto/bn/bntest.c
@@ -68,10 +68,6 @@
 #include <openssl/x509.h>
 #include <openssl/err.h>
 
-#ifdef OPENSSL_SYS_WINDOWS
-#include "../bio/bss_file.c"
-#endif
-
 const int num0 = 100; /* number of tests */
 const int num1 = 50;  /* additional tests for some functions */
 const int num2 = 5;   /* number of tests for slow functions */
@@ -96,11 +92,6 @@ int test_sqrt(BIO *bp,BN_CTX *ctx);
 int rand_neg(void);
 static int results=0;
 
-#ifdef OPENSSL_NO_STDIO
-#define APPS_WIN16
-#include "bss_file.c"
-#endif
-
 static unsigned char lst[]="\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
 "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
 
@@ -141,10 +132,10 @@ int main(int argc, char *argv[])
 
 
         ctx=BN_CTX_new();
-        if (ctx == NULL) exit(1);
+        if (ctx == NULL) EXIT(1);
 
         out=BIO_new(BIO_s_file());
-        if (out == NULL) exit(1);
+        if (out == NULL) EXIT(1);
         if (outfile == NULL)
                 {
                 BIO_set_fp(out,stdout,BIO_NOCLOSE);
@@ -154,7 +145,7 @@ int main(int argc, char *argv[])
                 if (!BIO_write_filename(out,outfile))
                         {
                         perror(outfile);
-                        exit(1);
+                        EXIT(1);
                         }
                 }
 
@@ -238,14 +229,14 @@ int main(int argc, char *argv[])
         BIO_free(out);
 
 /**/
-        exit(0);
+        EXIT(0);
 err:
         BIO_puts(out,"1\n"); /* make sure the Perl script fed by bc notices
                               * the failure, see test_bn in test/Makefile.ssl*/
         BIO_flush(out);
         ERR_load_crypto_strings();
         ERR_print_errors_fp(stderr);
-        exit(1);
+        EXIT(1);
         return(1);
         }
 
@@ -488,7 +479,7 @@ int test_mul(BIO *bp)
         BN_CTX *ctx;
 
         ctx = BN_CTX_new();
-        if (ctx == NULL) exit(1);
+        if (ctx == NULL) EXIT(1);
         
         BN_init(&a);
         BN_init(&b);
@@ -726,7 +717,7 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx)
                         while ((l=ERR_get_error()))
                                 fprintf(stderr,"ERROR:%s\n",
                                         ERR_error_string(l,NULL));
-                        exit(1);
+                        EXIT(1);
                         }
                 if (bp != NULL)
                         {
diff --git a/src/lib/libcrypto/bn/divtest.c b/src/lib/libcrypto/bn/divtest.c
index 13ba86e3c4..d3fc688f33 100644
--- a/src/lib/libcrypto/bn/divtest.c
+++ b/src/lib/libcrypto/bn/divtest.c
@@ -1,7 +1,7 @@
 #include <openssl/bn.h>
 #include <openssl/rand.h>
 
-static int rand(n)
+static int Rand(n)
 {
     unsigned char x[2];
     RAND_pseudo_bytes(x,2);
@@ -26,8 +26,8 @@ main()
     BN_CTX *ctx=BN_CTX_new();
 
     for(;;) {
-        BN_pseudo_rand(a,rand(),0,0);
-        BN_pseudo_rand(b,rand(),0,0);
+        BN_pseudo_rand(a,Rand(),0,0);
+        BN_pseudo_rand(b,Rand(),0,0);
         if (BN_is_zero(b)) continue;
 
         BN_RECP_CTX_set(recp,b,ctx);
diff --git a/src/lib/libcrypto/bn/exptest.c b/src/lib/libcrypto/bn/exptest.c
index 5ca570d1a8..b09cf88705 100644
--- a/src/lib/libcrypto/bn/exptest.c
+++ b/src/lib/libcrypto/bn/exptest.c
@@ -59,13 +59,13 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+
+#include "../e_os.h"
+
 #include <openssl/bio.h>
 #include <openssl/bn.h>
 #include <openssl/rand.h>
 #include <openssl/err.h>
-#ifdef OPENSSL_SYS_WINDOWS
-#include "../bio/bss_file.c"
-#endif
 
 #define NUM_BITS        (BN_BITS*2)
 
@@ -86,7 +86,7 @@ int main(int argc, char *argv[])
         ERR_load_BN_strings();
 
         ctx=BN_CTX_new();
-        if (ctx == NULL) exit(1);
+        if (ctx == NULL) EXIT(1);
         r_mont=BN_new();
         r_recp=BN_new();
         r_simple=BN_new();
@@ -99,7 +99,7 @@ int main(int argc, char *argv[])
 
         out=BIO_new(BIO_s_file());
 
-        if (out == NULL) exit(1);
+        if (out == NULL) EXIT(1);
         BIO_set_fp(out,stdout,BIO_NOCLOSE);
 
         for (i=0; i<200; i++)
@@ -124,7 +124,7 @@ int main(int argc, char *argv[])
                         {
                         printf("BN_mod_exp_mont() problems\n");
                         ERR_print_errors(out);
-                        exit(1);
+                        EXIT(1);
                         }
 
                 ret=BN_mod_exp_recp(r_recp,a,b,m,ctx);
@@ -132,7 +132,7 @@ int main(int argc, char *argv[])
                         {
                         printf("BN_mod_exp_recp() problems\n");
                         ERR_print_errors(out);
-                        exit(1);
+                        EXIT(1);
                         }
 
                 ret=BN_mod_exp_simple(r_simple,a,b,m,ctx);
@@ -140,7 +140,7 @@ int main(int argc, char *argv[])
                         {
                         printf("BN_mod_exp_simple() problems\n");
                         ERR_print_errors(out);
-                        exit(1);
+                        EXIT(1);
                         }
 
                 if (BN_cmp(r_simple, r_mont) == 0
@@ -163,7 +163,7 @@ int main(int argc, char *argv[])
                         printf("\nrecp     ="); BN_print(out,r_recp);
                         printf("\nmont     ="); BN_print(out,r_mont);
                         printf("\n");
-                        exit(1);
+                        EXIT(1);
                         }
                 }
         BN_free(r_mont);
@@ -177,11 +177,11 @@ int main(int argc, char *argv[])
         CRYPTO_mem_leaks(out);
         BIO_free(out);
         printf(" done\n");
-        exit(0);
+        EXIT(0);
 err:
         ERR_load_crypto_strings();
         ERR_print_errors(out);
-        exit(1);
+        EXIT(1);
         return(1);
         }
 
diff --git a/src/lib/libcrypto/buffer/Makefile.ssl b/src/lib/libcrypto/buffer/Makefile.ssl
index 240a6b9a89..b131ca3078 100644
--- a/src/lib/libcrypto/buffer/Makefile.ssl
+++ b/src/lib/libcrypto/buffer/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/buffer/buffer.c b/src/lib/libcrypto/buffer/buffer.c
index 9299baba9e..d96487e7db 100644
--- a/src/lib/libcrypto/buffer/buffer.c
+++ b/src/lib/libcrypto/buffer/buffer.c
@@ -125,6 +125,43 @@ int BUF_MEM_grow(BUF_MEM *str, int len)
         return(len);
         }
 
+int BUF_MEM_grow_clean(BUF_MEM *str, int len)
+        {
+        char *ret;
+        unsigned int n;
+
+        if (str->length >= len)
+                {
+                memset(&str->data[len],0,str->length-len);
+                str->length=len;
+                return(len);
+                }
+        if (str->max >= len)
+                {
+                memset(&str->data[str->length],0,len-str->length);
+                str->length=len;
+                return(len);
+                }
+        n=(len+3)/3*4;
+        if (str->data == NULL)
+                ret=OPENSSL_malloc(n);
+        else
+                ret=OPENSSL_realloc_clean(str->data,str->max,n);
+        if (ret == NULL)
+                {
+                BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
+                len=0;
+                }
+        else
+                {
+                str->data=ret;
+                str->max=n;
+                memset(&str->data[str->length],0,len-str->length);
+                str->length=len;
+                }
+        return(len);
+        }
+
 char *BUF_strdup(const char *str)
         {
         char *ret;
@@ -143,3 +180,23 @@ char *BUF_strdup(const char *str)
         return(ret);
         }
 
+size_t BUF_strlcpy(char *dst, const char *src, size_t size)
+        {
+        size_t l = 0;
+        for(; size > 1 && *src; size--)
+                {
+                *dst++ = *src++;
+                l++;
+                }
+        if (size)
+                *dst = '\0';
+        return l + strlen(src);
+        }
+
+size_t BUF_strlcat(char *dst, const char *src, size_t size)
+        {
+        size_t l = 0;
+        for(; size > 0 && *dst; size--, dst++)
+                l++;
+        return l + BUF_strlcpy(dst, src, size);
+        }
diff --git a/src/lib/libcrypto/buffer/buffer.h b/src/lib/libcrypto/buffer/buffer.h
index 11e2d0359a..465dc34f3f 100644
--- a/src/lib/libcrypto/buffer/buffer.h
+++ b/src/lib/libcrypto/buffer/buffer.h
@@ -63,6 +63,9 @@
 extern "C" {
 #endif
 
+#include <stddef.h>
+#include <sys/types.h>
+
 typedef struct buf_mem_st
         {
         int length;     /* current number of bytes */
@@ -73,8 +76,14 @@ typedef struct buf_mem_st
 BUF_MEM *BUF_MEM_new(void);
 void    BUF_MEM_free(BUF_MEM *a);
 int     BUF_MEM_grow(BUF_MEM *str, int len);
+int     BUF_MEM_grow_clean(BUF_MEM *str, int len);
 char *  BUF_strdup(const char *str);
 
+/* safe string functions */
+size_t BUF_strlcpy(char *dst,const char *src,size_t siz);
+size_t BUF_strlcat(char *dst,const char *src,size_t siz);
+
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
diff --git a/src/lib/libcrypto/cast/Makefile.ssl b/src/lib/libcrypto/cast/Makefile.ssl
index 2defbdd68a..2dc1c855ad 100644
--- a/src/lib/libcrypto/cast/Makefile.ssl
+++ b/src/lib/libcrypto/cast/Makefile.ssl
@@ -52,14 +52,8 @@ lib:	$(LIBOBJ)
         @touch lib
 
 # elf
-asm/cx86-elf.o: asm/cx86unix.cpp
-        $(CPP) -DELF -x c asm/cx86unix.cpp | as -o asm/cx86-elf.o
-
-# solaris
-asm/cx86-sol.o: asm/cx86unix.cpp
-        $(CC) -E -DSOL asm/cx86unix.cpp | sed 's/^#.*//' > asm/cx86-sol.s
-        as -o asm/cx86-sol.o asm/cx86-sol.s
-        rm -f asm/cx86-sol.s
+asm/cx86-elf.s: asm/cast-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+        (cd asm; $(PERL) cast-586.pl elf $(CLAGS) $(PROCESSOR) > cx86-elf.s)
 
 # a.out
 asm/cx86-out.o: asm/cx86unix.cpp
@@ -97,14 +91,14 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
         mv -f Makefile.new $(MAKEFILE)
 
 clean:
-        rm -f asm/cx86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+        rm -f asm/cx86unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
diff --git a/src/lib/libcrypto/cast/casttest.c b/src/lib/libcrypto/cast/casttest.c
index 099e790886..83e5a16c73 100644
--- a/src/lib/libcrypto/cast/casttest.c
+++ b/src/lib/libcrypto/cast/casttest.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_CAST
 int main(int argc, char *argv[])
 {
@@ -224,7 +226,7 @@ int main(int argc, char *argv[])
       }
 #endif
 
-    exit(err);
+    EXIT(err);
     return(err);
     }
 #endif
diff --git a/src/lib/libcrypto/comp/Makefile.ssl b/src/lib/libcrypto/comp/Makefile.ssl
index 7c1ec81229..f70ba1b285 100644
--- a/src/lib/libcrypto/comp/Makefile.ssl
+++ b/src/lib/libcrypto/comp/Makefile.ssl
@@ -71,7 +71,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/comp/c_zlib.c b/src/lib/libcrypto/comp/c_zlib.c
index cd2f8a491b..8c0876151a 100644
--- a/src/lib/libcrypto/comp/c_zlib.c
+++ b/src/lib/libcrypto/comp/c_zlib.c
@@ -208,11 +208,11 @@ COMP_METHOD *COMP_zlib(void)
                                 = (inflateInit__ft) DSO_bind_func(zlib_dso,
                                         "inflateInit_");
                         zlib_loaded++;
-                        meth = &zlib_method;
                         }
                 }
 
-#elif defined(ZLIB)
+#endif
+#if defined(ZLIB) || defined(ZLIB_SHARED)
         meth = &zlib_method;
 #endif
 
diff --git a/src/lib/libcrypto/conf/Makefile.ssl b/src/lib/libcrypto/conf/Makefile.ssl
index 133c2329e6..c5873bc6e7 100644
--- a/src/lib/libcrypto/conf/Makefile.ssl
+++ b/src/lib/libcrypto/conf/Makefile.ssl
@@ -71,7 +71,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/conf/conf_def.c b/src/lib/libcrypto/conf/conf_def.c
index 48ff6f1120..b52ee01a3c 100644
--- a/src/lib/libcrypto/conf/conf_def.c
+++ b/src/lib/libcrypto/conf/conf_def.c
@@ -208,7 +208,8 @@ static int def_load(CONF *conf, const char *name, long *line)
 
 static int def_load_bio(CONF *conf, BIO *in, long *line)
         {
-#define BUFSIZE 512
+/* The macro BUFSIZE conflicts with a system macro in VxWorks */
+#define CONFBUFSIZE     512
         int bufnum=0,i,ii;
         BUF_MEM *buff=NULL;
         char *s,*p,*end;
@@ -252,20 +253,21 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
         section_sk=(STACK_OF(CONF_VALUE) *)sv->value;
 
         bufnum=0;
+        again=0;
         for (;;)
                 {
-                again=0;
-                if (!BUF_MEM_grow(buff,bufnum+BUFSIZE))
+                if (!BUF_MEM_grow(buff,bufnum+CONFBUFSIZE))
                         {
                         CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_BUF_LIB);
                         goto err;
                         }
                 p= &(buff->data[bufnum]);
                 *p='\0';
-                BIO_gets(in, p, BUFSIZE-1);
-                p[BUFSIZE-1]='\0';
+                BIO_gets(in, p, CONFBUFSIZE-1);
+                p[CONFBUFSIZE-1]='\0';
                 ii=i=strlen(p);
-                if (i == 0) break;
+                if (i == 0 && !again) break;
+                again=0;
                 while (i > 0)
                         {
                         if ((p[i-1] != '\r') && (p[i-1] != '\n'))
@@ -275,7 +277,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
                         }
                 /* we removed some trailing stuff so there is a new
                  * line on the end. */
-                if (i == ii)
+                if (ii && i == ii)
                         again=1; /* long line */
                 else
                         {
@@ -627,7 +629,7 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
                                 CONFerr(CONF_F_STR_COPY,CONF_R_VARIABLE_HAS_NO_VALUE);
                                 goto err;
                                 }
-                        BUF_MEM_grow(buf,(strlen(p)+len-(e-from)));
+                        BUF_MEM_grow_clean(buf,(strlen(p)+len-(e-from)));
                         while (*p)
                                 buf->data[to++]= *(p++);
                         from=e;
diff --git a/src/lib/libcrypto/conf/conf_mall.c b/src/lib/libcrypto/conf/conf_mall.c
index d702af689b..4ba40cf44c 100644
--- a/src/lib/libcrypto/conf/conf_mall.c
+++ b/src/lib/libcrypto/conf/conf_mall.c
@@ -63,7 +63,9 @@
 #include <openssl/dso.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 
 /* Load all OpenSSL builtin modules */
 
@@ -71,6 +73,8 @@ void OPENSSL_load_builtin_modules(void)
         {
         /* Add builtin modules here */
         ASN1_add_oid_module();
+#ifndef OPENSSL_NO_ENGINE
         ENGINE_add_conf_module();
+#endif
         }
 
diff --git a/src/lib/libcrypto/conf/conf_sap.c b/src/lib/libcrypto/conf/conf_sap.c
index 97fb174303..e15c2e5546 100644
--- a/src/lib/libcrypto/conf/conf_sap.c
+++ b/src/lib/libcrypto/conf/conf_sap.c
@@ -63,7 +63,9 @@
 #include <openssl/dso.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 
 /* This is the automatic configuration loader: it is called automatically by
  * OpenSSL when any of a number of standard initialisation functions are called,
@@ -78,8 +80,10 @@ void OPENSSL_config(const char *config_name)
                 return;
 
         OPENSSL_load_builtin_modules();
+#ifndef OPENSSL_NO_ENGINE
         /* Need to load ENGINEs */
         ENGINE_load_builtin_engines();
+#endif
         /* Add others here? */
 
 
diff --git a/src/lib/libcrypto/cryptlib.c b/src/lib/libcrypto/cryptlib.c
index 612b3b93b4..2924def2bb 100644
--- a/src/lib/libcrypto/cryptlib.c
+++ b/src/lib/libcrypto/cryptlib.c
@@ -89,6 +89,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
         "ssl_session",
         "ssl_sess_cert",
         "ssl",
+        "ssl_method",
         "rand",
         "rand2",
         "debug_malloc",
@@ -103,7 +104,8 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
         "dynlock",
         "engine",
         "ui",
-#if CRYPTO_NUM_LOCKS != 31
+        "hwcrhk",               /* This is a HACK which will disappear in 0.9.8 */
+#if CRYPTO_NUM_LOCKS != 33
 # error "Inconsistency between crypto.h and cryptlib.c"
 #endif
         };
@@ -206,10 +208,18 @@ int CRYPTO_get_new_dynlockid(void)
         i=sk_CRYPTO_dynlock_find(dyn_locks,NULL);
         /* If there was none, push, thereby creating a new one */
         if (i == -1)
-                i=sk_CRYPTO_dynlock_push(dyn_locks,pointer);
+                /* Since sk_push() returns the number of items on the
+                   stack, not the location of the pushed item, we need
+                   to transform the returned number into a position,
+                   by decreasing it.  */
+                i=sk_CRYPTO_dynlock_push(dyn_locks,pointer) - 1;
+        else
+                /* If we found a place with a NULL pointer, put our pointer
+                   in it.  */
+                sk_CRYPTO_dynlock_set(dyn_locks,i,pointer);
         CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
 
-        if (!i)
+        if (i == -1)
                 {
                 dynlock_destroy_callback(pointer->data,__FILE__,__LINE__);
                 OPENSSL_free(pointer);
@@ -401,15 +411,17 @@ void CRYPTO_lock(int mode, int type, const char *file, int line)
 #endif
         if (type < 0)
                 {
-                struct CRYPTO_dynlock_value *pointer
-                        = CRYPTO_get_dynlock_value(type);
-
-                if (pointer && dynlock_lock_callback)
+                if (dynlock_lock_callback != NULL)
                         {
+                        struct CRYPTO_dynlock_value *pointer
+                                = CRYPTO_get_dynlock_value(type);
+
+                        OPENSSL_assert(pointer != NULL);
+
                         dynlock_lock_callback(mode, pointer, file, line);
-                        }
 
-                CRYPTO_destroy_dynlockid(type);
+                        CRYPTO_destroy_dynlockid(type);
+                        }
                 }
         else
                 if (locking_callback != NULL)
@@ -460,7 +472,7 @@ const char *CRYPTO_get_lock_name(int type)
                 return("dynamic");
         else if (type < CRYPTO_NUM_LOCKS)
                 return(lock_names[type]);
-        else if (type-CRYPTO_NUM_LOCKS >= sk_num(app_locks))
+        else if (type-CRYPTO_NUM_LOCKS > sk_num(app_locks))
                 return("ERROR");
         else
                 return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS));
@@ -492,3 +504,11 @@ BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
 #endif
 
 #endif
+
+void OpenSSLDie(const char *file,int line,const char *assertion)
+        {
+        fprintf(stderr,
+                "%s(%d): OpenSSL internal error, assertion failed: %s\n",
+                file,line,assertion);
+        abort();
+        }
diff --git a/src/lib/libcrypto/cryptlib.h b/src/lib/libcrypto/cryptlib.h
index 88e4ae509f..0d6b9d59f0 100644
--- a/src/lib/libcrypto/cryptlib.h
+++ b/src/lib/libcrypto/cryptlib.h
@@ -89,9 +89,9 @@ extern "C" {
 #define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
 #define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
 
-/* size of string represenations */
-#define DECIMAL_SIZE(type)     ((sizeof(type)*8+2)/3+1)
-#define HEX_SIZE(type)         ((sizeof(type)*2)
+/* size of string representations */
+#define DECIMAL_SIZE(type)      ((sizeof(type)*8+2)/3+1)
+#define HEX_SIZE(type)          (sizeof(type)*2)
 
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/crypto-lib.com b/src/lib/libcrypto/crypto-lib.com
index dfcff11860..39e78c69e5 100644
--- a/src/lib/libcrypto/crypto-lib.com
+++ b/src/lib/libcrypto/crypto-lib.com
@@ -21,22 +21,10 @@ $!    		LIBRARY    To just compile the [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library.
 $!              APPS       To just compile the [.xxx.EXE.CRYPTO]*.EXE
 $!              ALL        To do both LIBRARY and APPS
 $!
-$!  Specify RSAREF as P2 to compile with the RSAREF library instead of
-$!  the regular one.  If you specify NORSAREF it will compile with the
-$!  regular RSAREF routines.  (Note: If you are in the United States
-$!  you MUST compile with RSAREF unless you have a license from RSA).
-$!
-$!  Note: The RSAREF libraries are NOT INCLUDED and you have to
-$!        download it from "ftp://ftp.rsa.com/rsaref".  You have to
-$!        get the ".tar-Z" file as the ".zip" file dosen't have the
-$!        directory structure stored.  You have to extract the file
-$!        into the [.RSAREF] directory under the root directory as that
-$!        is where the scripts will look for the files.
-$!
-$!  Specify DEBUG or NODEBUG as P3 to compile with or without debugger
+$!  Specify DEBUG or NODEBUG as P2 to compile with or without debugger
 $!  information.
 $!
-$!  Specify which compiler at P4 to try to compile under.
+$!  Specify which compiler at P3 to try to compile under.
 $!
 $!         VAXC  For VAX C.
 $!         DECC  For DEC C.
@@ -45,16 +33,16 @@ $!
 $!  If you don't speficy a compiler, it will try to determine which
 $!  "C" compiler to use.
 $!
-$!  P5, if defined, sets a TCP/IP library to use, through one of the following
+$!  P4, if defined, sets a TCP/IP library to use, through one of the following
 $!  keywords:
 $!
 $!      UCX             for UCX
 $!      TCPIP           for TCPIP (post UCX)
 $!      SOCKETSHR       for SOCKETSHR+NETLIB
 $!
-$!  P6, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
+$!  P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
 $!
-$!  P7, if defined, sets a choice of crypto methods to compile.
+$!  P6, if defined, sets a choice of crypto methods to compile.
 $!  WARNING: this should only be done to recompile some part of an already
 $!  fully compiled library.
 $!
@@ -93,7 +81,6 @@ $ ENCRYPT_TYPES = "Basic,MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,"+ -
                   "BUFFER,BIO,STACK,LHASH,RAND,ERR,OBJECTS,"+ -
                   "EVP,EVP_2,ASN1,ASN1_2,PEM,X509,X509V3,"+ -
                   "CONF,TXT_DB,PKCS7,PKCS12,COMP,OCSP,UI,KRB5"
-$ ENCRYPT_PROGRAMS = "DES,PKCS7"
 $!
 $! Check To Make Sure We Have Valid Command Line Parameters.
 $!
@@ -149,10 +136,6 @@ $! Define The CRYPTO-LIB We Are To Use.
 $!
 $ CRYPTO_LIB := 'EXE_DIR'LIBCRYPTO.OLB
 $!
-$! Define The RSAREF-LIB We Are To Use.
-$!
-$ RSAREF_LIB := SYS$DISK:[-.'ARCH'.EXE.RSAREF]LIBRSAGLUE.OLB
-$!
 $! Check To See If We Already Have A "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" Library...
 $!
 $ IF (F$SEARCH(LIB_NAME).EQS."")
@@ -175,7 +158,7 @@ $!
 $ APPS_DES = "DES/DES,CBC3_ENC"
 $ APPS_PKCS7 = "ENC/ENC;DEC/DEC;SIGN/SIGN;VERIFY/VERIFY,EXAMPLE"
 $
-$ LIB_ = "cryptlib,mem,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time"
+$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time"
 $ LIB_MD2 = "md2_dgst,md2_one"
 $ LIB_MD4 = "md4_dgst,md4_one"
 $ LIB_MD5 = "md5_dgst,md5_one"
@@ -216,7 +199,7 @@ $ LIB_ENGINE = "eng_err,eng_lib,eng_list,eng_init,eng_ctrl,"+ -
         "tb_rsa,tb_dsa,tb_dh,tb_rand,tb_cipher,tb_digest,"+ -
         "eng_openssl,eng_dyn,eng_cnf,"+ -
         "hw_atalla,hw_cswift,hw_ncipher,hw_nuron,hw_ubsec,"+ -
-        "hw_openbsd_dev_crypto,hw_aep,hw_sureware,hw_4758_cca"
+        "hw_cryptodev,hw_aep,hw_sureware,hw_4758_cca"
 $ LIB_AES = "aes_core,aes_misc,aes_ecb,aes_cbc,aes_cfb,aes_ofb,aes_ctr"
 $ LIB_BUFFER = "buffer,buf_err"
 $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ -
@@ -287,86 +270,6 @@ $ COMPILEWITH_CC4 = ",a_utctm,bss_log,o_time,"
 $ COMPILEWITH_CC5 = ",md2_dgst,md4_dgst,md5_dgst,mdc2dgst," + -
                     "sha_dgst,sha1dgst,rmd_dgst,bf_enc,"
 $!
-$! Check To See If We Are Going To Use RSAREF.
-$!
-$ IF (RSAREF.EQS."TRUE" .AND. ENCRYPT_TYPES - "RSA".NES.ENCRYPT_TYPES -
-      .AND. (BUILDALL .EQS. "TRUE" .OR. BUILDALL .EQS. "LIBRARY"))
-$ THEN
-$!
-$!  Check To See If The File [-.RSAREF]RSAREF.C Is Actually There.
-$!
-$   IF (F$SEARCH("SYS$DISK:[-.RSAREF]RSAREF.C").EQS."")
-$   THEN
-$!
-$!    Tell The User That The File Doesn't Exist.
-$!
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The File [-.RSAREF]RSAREF.C Doesn't Exist."
-$     WRITE SYS$OUTPUT ""
-$!
-$!    Exit The Build.
-$!
-$     GOTO EXIT
-$!
-$!  End The [-.RSAREF]RSAREF.C Check.
-$!
-$   ENDIF
-$!
-$!  Tell The User We Are Compiling The [-.RSAREF]RSAREF File.
-$!
-$   WRITE SYS$OUTPUT "Compiling The [-.RSAREF]RSAREF File."
-$!
-$!  Compile [-.RSAREF]RSAREF.C
-$!
-$   CC/OBJECT='OBJ_DIR'RSAREF.OBJ SYS$DISK:[-.RSAREF]RSAREF.C
-$!
-$!  Add It To The Library.
-$!
-$   LIBRARY/REPLACE 'LIB_NAME' 'OBJ_DIR'RSAREF.OBJ
-$!
-$!  Delete The Object File.
-$!
-$   DELETE 'OBJ_DIR'RSAREF.OBJ;*
-$!
-$!  Check To See If The File [-.RSAREF]RSAR_ERR.C Is Actually There.
-$!
-$   IF (F$SEARCH("SYS$DISK:[-.RSAREF]RSAR_ERR.C").EQS."")
-$   THEN
-$!
-$!    Tell The User That The File Doesn't Exist.
-$!
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The File [-.RSAREF]RSAR_ERR.C Doesn't Exist."
-$     WRITE SYS$OUTPUT ""
-$!
-$!    Exit The Build.
-$!
-$     GOTO EXIT
-$!
-$!  End The [-.RSAREF]RSAR_ERR.C File Check.
-$!
-$   ENDIF
-$!
-$!  Tell The User We Are Compiling The [-.RSAREF]RSAR_ERR File.
-$!
-$   WRITE SYS$OUTPUT "Compiling The [-.RSAREF]RSAR_ERR File."
-$!
-$!  Compile [-.RSAREF]RSAR_ERR.C
-$!
-$   CC/OBJECT='OBJ_DIR'RSAR_ERR.OBJ SYS$DISK:[-.RSAREF]RSAR_ERR.C
-$!
-$!  Add It To The Library.
-$!
-$   LIBRARY/REPLACE 'LIB_NAME' 'OBJ_DIR'RSAR_ERR.OBJ
-$!
-$!  Delete The Object File.
-$!
-$   DELETE 'OBJ_DIR'RSAR_ERR.OBJ;*
-$!
-$! End The RSAREF Check.
-$!
-$ ENDIF
-$!
 $! Figure Out What Other Modules We Are To Build.
 $!
 $ BUILD_SET:
@@ -639,74 +542,34 @@ $! Tell the user what happens
 $!
 $   WRITE SYS$OUTPUT "  ",APPLICATION,".exe"
 $!
-$! Link The Program, Check To See If We Need To Link With RSAREF Or Not.
+$! Link The Program.
 $!
 $   ON ERROR THEN GOTO NEXT_APPLICATION
-$   IF (RSAREF.EQS."TRUE")
-$   THEN
 $!
-$!  Check To See If We Are To Link With A Specific TCP/IP Library.
+$! Check To See If We Are To Link With A Specific TCP/IP Library.
 $!
-$     IF (TCPIP_LIB.NES."")
-$     THEN
-$!
-$!    Link With The RSAREF Library And A Specific TCP/IP Library.
-$!
-$       LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
-            'OBJ_DIR''APPLICATION_OBJECTS', -
-            'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
-            'TCPIP_LIB','OPT_FILE'/OPTION
-$!
-$!    Else...
-$!
-$     ELSE
-$!
-$!      Link With The RSAREF Library And NO TCP/IP Library.
+$   IF (TCPIP_LIB.NES."")
+$   THEN
 $!
-$       LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
-            'OBJ_DIR''APPLICATION_OBJECTS', -
-            'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
-            'OPT_FILE'/OPTION
+$!    Link With A TCP/IP Library.
 $!
-$!    End The TCP/IP Library Check.
+$     LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
+          'OBJ_DIR''APPLICATION_OBJECTS', -
+          'CRYPTO_LIB'/LIBRARY, -
+          'TCPIP_LIB','OPT_FILE'/OPTION
 $!
-$     ENDIF
-$!
-$!   Else...
+$! Else...
 $!
 $   ELSE
 $!
-$!    Don't Link With The RSAREF Routines.
-$!
-$!
-$!    Check To See If We Are To Link With A Specific TCP/IP Library.
-$!
-$     IF (TCPIP_LIB.NES."")
-$     THEN
-$!
-$!      Don't Link With The RSAREF Routines And TCP/IP Library.
-$!
-$       LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
-            'OBJ_DIR''APPLICATION_OBJECTS', -
-            'CRYPTO_LIB'/LIBRARY, -
-            'TCPIP_LIB','OPT_FILE'/OPTION
-$!
-$!    Else...
-$!
-$     ELSE
-$!
-$!      Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
-$!
-$       LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
-            'OBJ_DIR''APPLICATION_OBJECTS',-
-            'CRYPTO_LIB'/LIBRARY, -
-            'OPT_FILE'/OPTION
+$!    Don't Link With A TCP/IP Library.
 $!
-$!    End The TCP/IP Library Check.
+$     LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
+          'OBJ_DIR''APPLICATION_OBJECTS',-
+          'CRYPTO_LIB'/LIBRARY, -
+          'OPT_FILE'/OPTION
 $!
-$     ENDIF
-$!
-$!   End The RSAREF Link Check.
+$! End The TCP/IP Library Check.
 $!
 $   ENDIF
 $   GOTO NEXT_APPLICATION
@@ -912,75 +775,10 @@ $ ENDIF
 $!
 $! Check To See If P2 Is Blank.
 $!
-$ P2 = "NORSAREF"
-$ IF (P2.EQS."NORSAREF")
+$ IF (P2.EQS."NODEBUG")
 $ THEN
 $!
-$!   P2 Is NORSAREF, So Compile With The Regular RSA Libraries.
-$!
-$    RSAREF = "FALSE"
-$ ELSE
-$!
-$!  Check To See If We Are To Use The RSAREF Library.
-$!
-$   IF (P2.EQS."RSAREF")
-$   THEN
-$!
-$!    Check To Make Sure We Have The RSAREF Source Code Directory.
-$!
-$     IF (F$SEARCH("SYS$DISK:[-.RSAREF]SOURCE.DIR").EQS."")
-$     THEN
-$!
-$!      We Don't Have The RSAREF Souce Code Directory, So Tell The
-$!      User This.
-$!
-$       WRITE SYS$OUTPUT ""
-$       WRITE SYS$OUTPUT "It appears that you don't have the RSAREF Souce Code."
-$       WRITE SYS$OUTPUT "You need to go to 'ftp://ftp.rsa.com/rsaref'.  You have to"
-$       WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file doesn't have the"
-$       WRITE SYS$OUTPUT "directory structure stored.  You have to extract the file"
-$       WRITE SYS$OUTPUT "into the [.RSAREF] directory under the root directory"
-$       WRITE SYS$OUTPUT "as that is where the scripts will look for the files."
-$       WRITE SYS$OUTPUT ""
-$!
-$!      Time To Exit.
-$!
-$       EXIT
-$!
-$!    Else, Compile Using The RSAREF Library.
-$!
-$     ELSE
-$       RSAREF = "TRUE"
-$     ENDIF
-$   ELSE 
-$!
-$!    They Entered An Invalid Option..
-$!
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "     RSAREF   :  Compile With The RSAREF Library."
-$     WRITE SYS$OUTPUT "     NORSAREF :  Compile With The Regular RSA Library."
-$     WRITE SYS$OUTPUT ""
-$!
-$!    Time To EXIT.
-$!
-$     EXIT
-$!
-$!  End The Valid Arguement Check.
-$!
-$   ENDIF
-$!
-$! End The P2 Check.
-$!
-$ ENDIF
-$!
-$! Check To See If P3 Is Blank.
-$!
-$ IF (P3.EQS."NODEBUG")
-$ THEN
-$!
-$!   P3 Is NODEBUG, So Compile Without The Debugger Information.
+$!   P2 Is NODEBUG, So Compile Without The Debugger Information.
 $!
 $    DEBUGGER = "NODEBUG"
 $    TRACEBACK = "NOTRACEBACK" 
@@ -993,7 +791,7 @@ $ ELSE
 $!
 $!  Check To See If We Are To Compile With Debugger Information.
 $!
-$   IF (P3.EQS."DEBUG")
+$   IF (P2.EQS."DEBUG")
 $   THEN
 $!
 $!    Compile With Debugger Information.
@@ -1010,7 +808,7 @@ $!
 $!    They Entered An Invalid Option..
 $!
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "     DEBUG   :  Compile With The Debugger Information."
 $     WRITE SYS$OUTPUT "     NODEBUG :  Compile Without The Debugger Information."
@@ -1024,7 +822,7 @@ $!  End The Valid Arguement Check.
 $!
 $   ENDIF
 $!
-$! End The P3 Check.
+$! End The P2 Check.
 $!
 $ ENDIF
 $!
@@ -1034,9 +832,9 @@ $! Written By:  Richard Levitte
 $!              richard@levitte.org
 $!
 $!
-$! Check To See If We Have A Option For P6.
+$! Check To See If We Have A Option For P5.
 $!
-$ IF (P6.EQS."")
+$ IF (P5.EQS."")
 $ THEN
 $!
 $!  Get The Version Of VMS We Are Using.
@@ -1058,13 +856,13 @@ $!  End The VMS Version Check.
 $!
 $   ENDIF
 $!
-$! End The P6 Check.
+$! End The P5 Check.
 $!
 $ ENDIF
 $!
-$! Check To See If P4 Is Blank.
+$! Check To See If P3 Is Blank.
 $!
-$ IF (P4.EQS."")
+$ IF (P3.EQS."")
 $ THEN
 $!
 $!  O.K., The User Didn't Specify A Compiler, Let's Try To
@@ -1077,7 +875,7 @@ $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
 $!
-$     P4 = "GNUC"
+$     P3 = "GNUC"
 $!
 $!  Else...
 $!
@@ -1090,7 +888,7 @@ $     THEN
 $!
 $!      Looks Like DECC, Set To Use DECC.
 $!
-$       P4 = "DECC"
+$       P3 = "DECC"
 $!
 $!    Else...
 $!
@@ -1098,7 +896,7 @@ $     ELSE
 $!
 $!      Looks Like VAXC, Set To Use VAXC.
 $!
-$       P4 = "VAXC"
+$       P3 = "VAXC"
 $!
 $!    End The VAXC Compiler Check.
 $!
@@ -1112,9 +910,9 @@ $!  End The Compiler Check.
 $!
 $ ENDIF
 $!
-$! Check To See If We Have A Option For P5.
+$! Check To See If We Have A Option For P4.
 $!
-$ IF (P5.EQS."")
+$ IF (P4.EQS."")
 $ THEN
 $!
 $!  Find out what socket library we have available
@@ -1124,7 +922,7 @@ $   THEN
 $!
 $!    We have SOCKETSHR, and it is my opinion that it's the best to use.
 $!
-$     P5 = "SOCKETSHR"
+$     P4 = "SOCKETSHR"
 $!
 $!    Tell the user
 $!
@@ -1144,7 +942,7 @@ $     THEN
 $!
 $!      Last resort: a UCX or UCX-compatible library
 $!
-$       P5 = "UCX"
+$       P4 = "UCX"
 $!
 $!      Tell the user
 $!
@@ -1158,7 +956,7 @@ $ ENDIF
 $!
 $! Set Up Initial CC Definitions, Possibly With User Ones
 $!
-$ CCDEFS = "TCPIP_TYPE_''P5',DSO_VMS"
+$ CCDEFS = "TCPIP_TYPE_''P4',DSO_VMS"
 $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
@@ -1168,12 +966,12 @@ $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
 $!
 $!  Check To See If The User Entered A Valid Paramter.
 $!
-$ IF (P4.EQS."VAXC").OR.(P4.EQS."DECC").OR.(P4.EQS."GNUC")
+$ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC")
 $ THEN
 $!
 $!    Check To See If The User Wanted DECC.
 $!
-$   IF (P4.EQS."DECC")
+$   IF (P3.EQS."DECC")
 $   THEN
 $!
 $!    Looks Like DECC, Set To Use DECC.
@@ -1204,7 +1002,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use VAXC.
 $!
-$   IF (P4.EQS."VAXC")
+$   IF (P3.EQS."VAXC")
 $   THEN
 $!
 $!    Looks Like VAXC, Set To Use VAXC.
@@ -1243,7 +1041,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use GNU C.
 $!
-$   IF (P4.EQS."GNUC")
+$   IF (P3.EQS."GNUC")
 $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
@@ -1272,31 +1070,6 @@ $!  Set up default defines
 $!
 $   CCDEFS = """FLAT_INC=1""," + CCDEFS
 $!
-$!  Check To See If We Are To Compile With RSAREF Routines.
-$!
-$   IF (RSAREF.EQS."TRUE")
-$   THEN
-$!
-$!    Compile With RSAREF.
-$!
-$     CCDEFS = CCDEFS + ",""RSAref=1"""
-$!
-$!    Tell The User This.
-$!
-$     WRITE SYS$OUTPUT "Compiling With RSAREF Routines."
-$!
-$!    Else, We Don't Care.  Compile Without The RSAREF Library.
-$!
-$   ELSE
-$!
-$!    Tell The User We Are Compile Without The RSAREF Routines.
-$!
-$     WRITE SYS$OUTPUT "Compiling Without The RSAREF Routines.
-$!
-$!  End The RSAREF Check.
-$!
-$   ENDIF
-$!
 $!  Finish up the definition of CC.
 $!
 $   IF COMPILER .EQS. "DECC"
@@ -1315,7 +1088,7 @@ $     CC4DISABLEWARNINGS = ""
 $   ENDIF
 $   CC3 = CC + "/DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS
 $   CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
-$   IF ARCH .EQS. "VAX" .AND. COMPILER .EQS. "DECC" .AND. P3 .NES. "DEBUG"
+$   IF ARCH .EQS. "VAX" .AND. COMPILER .EQS. "DECC" .AND. P2 .NES. "DEBUG"
 $   THEN
 $     CC5 = CC + "/OPTIMIZE=NODISJOINT"
 $   ELSE
@@ -1334,7 +1107,7 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    VAXC  :  To Compile With VAX C."
 $   WRITE SYS$OUTPUT "    DECC  :  To Compile With DEC C."
@@ -1360,13 +1133,13 @@ $   WRITE/SYMBOL SYS$OUTPUT "Main MACRO Compiling Command: ",MACRO
 $!
 $! Time to check the contents, and to make sure we get the correct library.
 $!
-$ IF P5.EQS."SOCKETSHR" .OR. P5.EQS."MULTINET" .OR. P5.EQS."UCX" -
-     .OR. P5.EQS."TCPIP" .OR. P5.EQS."NONE"
+$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX" -
+     .OR. P4.EQS."TCPIP" .OR. P4.EQS."NONE"
 $ THEN
 $!
 $!  Check to see if SOCKETSHR was chosen
 $!
-$   IF P5.EQS."SOCKETSHR"
+$   IF P4.EQS."SOCKETSHR"
 $   THEN
 $!
 $!    Set the library to use SOCKETSHR
@@ -1379,12 +1152,12 @@ $   ENDIF
 $!
 $!  Check to see if MULTINET was chosen
 $!
-$   IF P5.EQS."MULTINET"
+$   IF P4.EQS."MULTINET"
 $   THEN
 $!
 $!    Set the library to use UCX emulation.
 $!
-$     P5 = "UCX"
+$     P4 = "UCX"
 $!
 $!    Done with MULTINET
 $!
@@ -1392,7 +1165,7 @@ $   ENDIF
 $!
 $!  Check to see if UCX was chosen
 $!
-$   IF P5.EQS."UCX"
+$   IF P4.EQS."UCX"
 $   THEN
 $!
 $!    Set the library to use UCX.
@@ -1412,7 +1185,7 @@ $   ENDIF
 $!
 $!  Check to see if TCPIP was chosen
 $!
-$   IF P5.EQS."TCPIP"
+$   IF P4.EQS."TCPIP"
 $   THEN
 $!
 $!    Set the library to use TCPIP (post UCX).
@@ -1425,7 +1198,7 @@ $   ENDIF
 $!
 $!  Check to see if NONE was chosen
 $!
-$   IF P5.EQS."NONE"
+$   IF P4.EQS."NONE"
 $   THEN
 $!
 $!    Do not use a TCPIP library.
@@ -1447,7 +1220,7 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P5," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    SOCKETSHR  :  To link with SOCKETSHR TCP/IP library."
 $   WRITE SYS$OUTPUT "    UCX        :  To link with UCX TCP/IP library."
@@ -1465,10 +1238,9 @@ $!
 $! Check if the user wanted to compile just a subset of all the encryption
 $! methods.
 $!
-$ IF P7 .NES. ""
+$ IF P6 .NES. ""
 $ THEN
-$   ENCRYPT_TYPES = P7
-$! NYI:   ENCRYPT_PROGRAMS = P7
+$   ENCRYPT_TYPES = P6
 $ ENDIF
 $!
 $!  Time To RETURN...
diff --git a/src/lib/libcrypto/crypto.h b/src/lib/libcrypto/crypto.h
index fc6ff860af..273bc5e3f8 100644
--- a/src/lib/libcrypto/crypto.h
+++ b/src/lib/libcrypto/crypto.h
@@ -96,37 +96,39 @@ extern "C" {
  * names in cryptlib.c
  */
 
-#define CRYPTO_LOCK_ERR                 1
-#define CRYPTO_LOCK_EX_DATA             2
-#define CRYPTO_LOCK_X509                3
-#define CRYPTO_LOCK_X509_INFO           4
-#define CRYPTO_LOCK_X509_PKEY           5
+#define CRYPTO_LOCK_ERR                 1
+#define CRYPTO_LOCK_EX_DATA             2
+#define CRYPTO_LOCK_X509                3
+#define CRYPTO_LOCK_X509_INFO           4
+#define CRYPTO_LOCK_X509_PKEY           5
 #define CRYPTO_LOCK_X509_CRL            6
 #define CRYPTO_LOCK_X509_REQ            7
 #define CRYPTO_LOCK_DSA                 8
 #define CRYPTO_LOCK_RSA                 9
 #define CRYPTO_LOCK_EVP_PKEY            10
-#define CRYPTO_LOCK_X509_STORE          11
-#define CRYPTO_LOCK_SSL_CTX             12
-#define CRYPTO_LOCK_SSL_CERT            13
-#define CRYPTO_LOCK_SSL_SESSION         14
-#define CRYPTO_LOCK_SSL_SESS_CERT       15
-#define CRYPTO_LOCK_SSL                 16
-#define CRYPTO_LOCK_RAND                17
-#define CRYPTO_LOCK_RAND2               18
-#define CRYPTO_LOCK_MALLOC              19
-#define CRYPTO_LOCK_BIO                 20
-#define CRYPTO_LOCK_GETHOSTBYNAME       21
-#define CRYPTO_LOCK_GETSERVBYNAME       22
-#define CRYPTO_LOCK_READDIR             23
-#define CRYPTO_LOCK_RSA_BLINDING        24
-#define CRYPTO_LOCK_DH                  25
-#define CRYPTO_LOCK_MALLOC2             26
-#define CRYPTO_LOCK_DSO                 27
-#define CRYPTO_LOCK_DYNLOCK             28
-#define CRYPTO_LOCK_ENGINE              29
-#define CRYPTO_LOCK_UI                  30
-#define CRYPTO_NUM_LOCKS                31
+#define CRYPTO_LOCK_X509_STORE          11
+#define CRYPTO_LOCK_SSL_CTX             12
+#define CRYPTO_LOCK_SSL_CERT            13
+#define CRYPTO_LOCK_SSL_SESSION         14
+#define CRYPTO_LOCK_SSL_SESS_CERT       15
+#define CRYPTO_LOCK_SSL                 16
+#define CRYPTO_LOCK_SSL_METHOD          17
+#define CRYPTO_LOCK_RAND                18
+#define CRYPTO_LOCK_RAND2               19
+#define CRYPTO_LOCK_MALLOC              20
+#define CRYPTO_LOCK_BIO                 21
+#define CRYPTO_LOCK_GETHOSTBYNAME       22
+#define CRYPTO_LOCK_GETSERVBYNAME       23
+#define CRYPTO_LOCK_READDIR             24
+#define CRYPTO_LOCK_RSA_BLINDING        25
+#define CRYPTO_LOCK_DH                  26
+#define CRYPTO_LOCK_MALLOC2             27
+#define CRYPTO_LOCK_DSO                 28
+#define CRYPTO_LOCK_DYNLOCK             29
+#define CRYPTO_LOCK_ENGINE              30
+#define CRYPTO_LOCK_UI                  31
+#define CRYPTO_LOCK_HWCRHK              32 /* This is a HACK which will disappear in 0.9.8 */
+#define CRYPTO_NUM_LOCKS                33
 
 #define CRYPTO_LOCK             1
 #define CRYPTO_UNLOCK           2
@@ -148,7 +150,7 @@ extern "C" {
 #endif
 #else
 #define CRYPTO_w_lock(a)
-#define CRYPTO_w_unlock(a)
+#define CRYPTO_w_unlock(a)
 #define CRYPTO_r_lock(a)
 #define CRYPTO_r_unlock(a)
 #define CRYPTO_add(a,b,c)       ((*(a))+=(b))
@@ -278,6 +280,8 @@ int CRYPTO_is_mem_check_on(void);
 #define OPENSSL_malloc(num)     CRYPTO_malloc((int)num,__FILE__,__LINE__)
 #define OPENSSL_realloc(addr,num) \
         CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__)
+#define OPENSSL_realloc_clean(addr,old_num,num) \
+        CRYPTO_realloc_clean(addr,old_num,num,__FILE__,__LINE__)
 #define OPENSSL_remalloc(addr,num) \
         CRYPTO_remalloc((char **)addr,(int)num,__FILE__,__LINE__)
 #define OPENSSL_freeFunc        CRYPTO_free
@@ -380,8 +384,12 @@ void CRYPTO_free_locked(void *);
 void *CRYPTO_malloc(int num, const char *file, int line);
 void CRYPTO_free(void *);
 void *CRYPTO_realloc(void *addr,int num, const char *file, int line);
+void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file,
+                           int line);
 void *CRYPTO_remalloc(void *addr,int num, const char *file, int line);
 
+void OPENSSL_cleanse(void *ptr, size_t len);
+
 void CRYPTO_set_mem_debug_options(long bits);
 long CRYPTO_get_mem_debug_options(void);
 
@@ -422,6 +430,9 @@ void CRYPTO_mem_leaks(struct bio_st *bio);
 typedef void *CRYPTO_MEM_LEAK_CB(unsigned long, const char *, int, int, void *);
 void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb);
 
+/* die if we have to */
+void OpenSSLDie(const char *file,int line,const char *assertion);
+#define OPENSSL_assert(e)       ((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
diff --git a/src/lib/libcrypto/des/Makefile.ssl b/src/lib/libcrypto/des/Makefile.ssl
index 826ffcc58c..45eba0b3c9 100644
--- a/src/lib/libcrypto/des/Makefile.ssl
+++ b/src/lib/libcrypto/des/Makefile.ssl
@@ -66,22 +66,11 @@ des: des.o cbc3_enc.o lib
         $(CC) $(CFLAGS) -o des des.o cbc3_enc.o $(LIB)
 
 # elf
-asm/dx86-elf.o: asm/dx86unix.cpp
-        $(CPP) -DELF -x c asm/dx86unix.cpp | as -o asm/dx86-elf.o
+asm/dx86-elf.s: asm/des-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+        (cd asm; $(PERL) des-586.pl elf $(CFLAGS) > dx86-elf.s)
 
-asm/yx86-elf.o: asm/yx86unix.cpp
-        $(CPP) -DELF -x c asm/yx86unix.cpp | as -o asm/yx86-elf.o
-
-# solaris
-asm/dx86-sol.o: asm/dx86unix.cpp
-        $(CC) -E -DSOL asm/dx86unix.cpp | sed 's/^#.*//' > asm/dx86-sol.s
-        as -o asm/dx86-sol.o asm/dx86-sol.s
-        rm -f asm/dx86-sol.s
-
-asm/yx86-sol.o: asm/yx86unix.cpp
-        $(CC) -E -DSOL asm/yx86unix.cpp | sed 's/^#.*//' > asm/yx86-sol.s
-        as -o asm/yx86-sol.o asm/yx86-sol.s
-        rm -f asm/yx86-sol.s
+asm/yx86-elf.s: asm/crypt586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+        (cd asm; $(PERL) crypt586.pl elf $(CFLAGS) > yx86-elf.s)
 
 # a.out
 asm/dx86-out.o: asm/dx86unix.cpp
@@ -130,14 +119,14 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
         mv -f Makefile.new $(MAKEFILE)
 
 clean:
-        rm -f asm/dx86unix.cpp asm/yx86unix.cpp *.o asm/*.o *.obj des lib tags core .pure .nfs* *.old *.bak fluff
+        rm -f asm/dx86unix.cpp asm/yx86unix.cpp asm/*-elf.* *.o asm/*.o *.obj des lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
diff --git a/src/lib/libcrypto/des/asm/crypt586.pl b/src/lib/libcrypto/des/asm/crypt586.pl
index 3d41d82f69..1d04ed6def 100644
--- a/src/lib/libcrypto/des/asm/crypt586.pl
+++ b/src/lib/libcrypto/des/asm/crypt586.pl
@@ -26,11 +26,18 @@ sub fcrypt_body
 
         &comment("");
         &comment("Load the 2 words");
-        $ks="ebp";
+        $trans="ebp";
 
         &xor(   $L,     $L);
         &xor(   $R,     $R);
-        &mov($ks,&wparam(1));
+
+        # PIC-ification:-)
+        &picmeup("edx","DES_SPtrans");
+        #if ($cpp)      { &picmeup("edx","DES_SPtrans");   }
+        #else           { &lea("edx",&DWP("DES_SPtrans")); }
+        &push("edx");   # becomes &swtmp(1)
+        #
+        &mov($trans,&wparam(1)); # reloaded with DES_SPtrans in D_ENCRYPT
 
         &push(&DWC(25)); # add a variable
 
@@ -39,11 +46,11 @@ sub fcrypt_body
                 {
                 &comment("");
                 &comment("Round $i");
-                &D_ENCRYPT($i,$L,$R,$i*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
+                &D_ENCRYPT($i,$L,$R,$i*2,$trans,"eax","ebx","ecx","edx");
 
                 &comment("");
                 &comment("Round ".sprintf("%d",$i+1));
-                &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
+                &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$trans,"eax","ebx","ecx","edx");
                 }
          &mov("ebx",    &swtmp(0));
         &mov("eax",     $L);
@@ -61,14 +68,14 @@ sub fcrypt_body
         &mov(&DWP(0,"edx","",0),"eax");
         &mov(&DWP(4,"edx","",0),$L);
 
-        &pop("ecx");    # remove variable
+        &add("esp",8);  # remove variables
 
         &function_end($name);
         }
 
 sub D_ENCRYPT
         {
-        local($r,$L,$R,$S,$ks,$desSP,$u,$tmp1,$tmp2,$t)=@_;
+        local($r,$L,$R,$S,$trans,$u,$tmp1,$tmp2,$t)=@_;
 
         &mov(   $u,             &wparam(2));                    # 2
         &mov(   $t,             $R);
@@ -85,9 +92,9 @@ sub D_ENCRYPT
         &shl(   $tmp2,          16);                            # 1
         &xor(   $u,             $tmp1);                         # 2
         &xor(   $t,             $tmp2);                         # 2
-        &mov(   $tmp1,          &DWP(&n2a($S*4),$ks,"",0));     # 2
+        &mov(   $tmp1,          &DWP(&n2a($S*4),$trans,"",0));  # 2
         &xor(   $u,             $tmp1);
-        &mov(   $tmp2,          &DWP(&n2a(($S+1)*4),$ks,"",0)); # 2
+        &mov(   $tmp2,          &DWP(&n2a(($S+1)*4),$trans,"",0));      # 2
         &xor(   $u,             $R);
         &xor(   $t,             $R);
         &xor(   $t,             $tmp2);
@@ -99,31 +106,28 @@ sub D_ENCRYPT
         &movb(  &LB($tmp1),     &LB($u) );
         &movb(  &LB($tmp2),     &HB($u) );
         &rotr(  $t,             4               );
-        &mov(   $ks,            &DWP("      $desSP",$tmp1,"",0));
+        &mov(   $trans,         &swtmp(1));
+        &xor(   $L,             &DWP("     ",$trans,$tmp1,0));
         &movb(  &LB($tmp1),     &LB($t) );
-        &xor(   $L,             $ks);
-        &mov(   $ks,            &DWP("0x200+$desSP",$tmp2,"",0));
-        &xor(   $L,             $ks);
+        &xor(   $L,             &DWP("0x200",$trans,$tmp2,0));
         &movb(  &LB($tmp2),     &HB($t) );
         &shr(   $u,             16);
-        &mov(   $ks,            &DWP("0x100+$desSP",$tmp1,"",0));
-        &xor(   $L,             $ks); 
+        &xor(   $L,             &DWP("0x100",$trans,$tmp1,0));
         &movb(  &LB($tmp1),     &HB($u) );
         &shr(   $t,             16);
-        &mov(   $ks,            &DWP("0x300+$desSP",$tmp2,"",0));
-        &xor(   $L,             $ks);
-        &mov(   $ks,            &wparam(1));
+        &xor(   $L,             &DWP("0x300",$trans,$tmp2,0));
         &movb(  &LB($tmp2),     &HB($t) );
         &and(   $u,             "0xff"  );
         &and(   $t,             "0xff"  );
-        &mov(   $tmp1,          &DWP("0x600+$desSP",$tmp1,"",0));
+        &mov(   $tmp1,          &DWP("0x600",$trans,$tmp1,0));
         &xor(   $L,             $tmp1);
-        &mov(   $tmp1,          &DWP("0x700+$desSP",$tmp2,"",0));
+        &mov(   $tmp1,          &DWP("0x700",$trans,$tmp2,0));
         &xor(   $L,             $tmp1);
-        &mov(   $tmp1,          &DWP("0x400+$desSP",$u,"",0));
+        &mov(   $tmp1,          &DWP("0x400",$trans,$u,0));
         &xor(   $L,             $tmp1);
-        &mov(   $tmp1,          &DWP("0x500+$desSP",$t,"",0));
+        &mov(   $tmp1,          &DWP("0x500",$trans,$t,0));
         &xor(   $L,             $tmp1);
+        &mov(   $trans,         &wparam(1));
         }
 
 sub n2a
diff --git a/src/lib/libcrypto/des/asm/des-586.pl b/src/lib/libcrypto/des/asm/des-586.pl
index 0d08e8a3a9..b75d3c6b3a 100644
--- a/src/lib/libcrypto/des/asm/des-586.pl
+++ b/src/lib/libcrypto/des/asm/des-586.pl
@@ -40,7 +40,7 @@ sub DES_encrypt
 
         &comment("");
         &comment("Load the 2 words");
-        $ks="ebp";
+        $trans="ebp";
 
         if ($do_ip)
                 {
@@ -72,7 +72,12 @@ sub DES_encrypt
                 &rotl($L,3);
                 }
 
-        &mov(   $ks,            &wparam(1)      );
+        # PIC-ification:-)
+        &picmeup($trans,"DES_SPtrans");
+        #if ($cpp)      { &picmeup($trans,"DES_SPtrans");   }
+        #else           { &lea($trans,&DWP("DES_SPtrans")); }
+
+        &mov(   "ecx",  &wparam(1)      );
         &cmp("ebx","0");
         &je(&label("start_decrypt"));
 
@@ -80,11 +85,11 @@ sub DES_encrypt
                 {
                 &comment("");
                 &comment("Round $i");
-                &D_ENCRYPT($i,$L,$R,$i*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
+                &D_ENCRYPT($i,$L,$R,$i*2,$trans,"eax","ebx","ecx","edx");
 
                 &comment("");
                 &comment("Round ".sprintf("%d",$i+1));
-                &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
+                &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$trans,"eax","ebx","ecx","edx");
                 }
         &jmp(&label("end"));
 
@@ -94,10 +99,10 @@ sub DES_encrypt
                 {
                 &comment("");
                 &comment("Round $i");
-                &D_ENCRYPT(15-$i,$L,$R,$i*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
+                &D_ENCRYPT(15-$i,$L,$R,$i*2,$trans,"eax","ebx","ecx","edx");
                 &comment("");
                 &comment("Round ".sprintf("%d",$i-1));
-                &D_ENCRYPT(15-$i+1,$R,$L,($i-1)*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
+                &D_ENCRYPT(15-$i+1,$R,$L,($i-1)*2,$trans,"eax","ebx","ecx","edx");
                 }
 
         &set_label("end");
@@ -134,43 +139,36 @@ sub DES_encrypt
 
 sub D_ENCRYPT
         {
-        local($r,$L,$R,$S,$ks,$desSP,$u,$tmp1,$tmp2,$t)=@_;
+        local($r,$L,$R,$S,$trans,$u,$tmp1,$tmp2,$t)=@_;
 
-         &mov(  $u,             &DWP(&n2a($S*4),$ks,"",0));
+         &mov(  $u,             &DWP(&n2a($S*4),$tmp2,"",0));
         &xor(   $tmp1,          $tmp1);
-         &mov(  $t,             &DWP(&n2a(($S+1)*4),$ks,"",0));
+         &mov(  $t,             &DWP(&n2a(($S+1)*4),$tmp2,"",0));
         &xor(   $u,             $R);
+        &xor(   $tmp2,          $tmp2);
          &xor(  $t,             $R);
         &and(   $u,             "0xfcfcfcfc"    );
          &and(  $t,             "0xcfcfcfcf"    );
         &movb(  &LB($tmp1),     &LB($u) );
          &movb( &LB($tmp2),     &HB($u) );
         &rotr(  $t,             4               );
-        &mov(   $ks,            &DWP("      $desSP",$tmp1,"",0));
+        &xor(   $L,             &DWP("     ",$trans,$tmp1,0));
          &movb( &LB($tmp1),     &LB($t) );
-        &xor(   $L,             $ks);
-         &mov(  $ks,            &DWP("0x200+$desSP",$tmp2,"",0));
-        &xor(   $L,             $ks); ######
+         &xor(  $L,             &DWP("0x200",$trans,$tmp2,0));
          &movb( &LB($tmp2),     &HB($t) );
         &shr(   $u,             16);
-         &mov(  $ks,            &DWP("0x100+$desSP",$tmp1,"",0));
-        &xor(   $L,             $ks); ######
+         &xor(  $L,             &DWP("0x100",$trans,$tmp1,0));
          &movb( &LB($tmp1),     &HB($u) );
         &shr(   $t,             16);
-         &mov(  $ks,            &DWP("0x300+$desSP",$tmp2,"",0));
-        &xor(   $L,             $ks);
-         &mov(  $ks,            &wparam(1)      );
+         &xor(  $L,             &DWP("0x300",$trans,$tmp2,0));
         &movb(  &LB($tmp2),     &HB($t) );
          &and(  $u,             "0xff"  );
         &and(   $t,             "0xff"  );
-         &mov(  $tmp1,          &DWP("0x600+$desSP",$tmp1,"",0));
-        &xor(   $L,             $tmp1);
-         &mov(  $tmp1,          &DWP("0x700+$desSP",$tmp2,"",0));
-        &xor(   $L,             $tmp1);
-         &mov(  $tmp1,          &DWP("0x400+$desSP",$u,"",0));
-        &xor(   $L,             $tmp1);
-         &mov(  $tmp1,          &DWP("0x500+$desSP",$t,"",0));
-        &xor(   $L,             $tmp1);
+         &xor(  $L,             &DWP("0x600",$trans,$tmp1,0));
+         &xor(  $L,             &DWP("0x700",$trans,$tmp2,0));
+        &mov(   $tmp2,          &wparam(1)      );
+         &xor(  $L,             &DWP("0x400",$trans,$u,0));
+         &xor(  $L,             &DWP("0x500",$trans,$t,0));
         }
 
 sub n2a
diff --git a/src/lib/libcrypto/des/cbc_cksm.c b/src/lib/libcrypto/des/cbc_cksm.c
index 6c5305b99d..09a7ba56aa 100644
--- a/src/lib/libcrypto/des/cbc_cksm.c
+++ b/src/lib/libcrypto/des/cbc_cksm.c
@@ -93,5 +93,14 @@ DES_LONG DES_cbc_cksum(const unsigned char *in, DES_cblock *output,
                 l2c(tout1,out);
                 }
         tout0=tin0=tin1=tin[0]=tin[1]=0;
+        /*
+          Transform the data in tout1 so that it will
+          match the return value that the MIT Kerberos
+          mit_des_cbc_cksum API returns.
+        */
+        tout1 = ((tout1 >> 24L) & 0x000000FF)
+              | ((tout1 >> 8L)  & 0x0000FF00)
+              | ((tout1 << 8L)  & 0x00FF0000)
+              | ((tout1 << 24L) & 0xFF000000);
         return(tout1);
         }
diff --git a/src/lib/libcrypto/des/des.c b/src/lib/libcrypto/des/des.c
index d8c846b23d..343135ff9e 100644
--- a/src/lib/libcrypto/des/des.c
+++ b/src/lib/libcrypto/des/des.c
@@ -427,7 +427,7 @@ void doencryption(void)
                                 k2[i-8]=k;
                         }
                 DES_set_key_unchecked(&k2,&ks2);
-                memset(k2,0,sizeof(k2));
+                OPENSSL_cleanse(k2,sizeof(k2));
                 }
         else if (longk || flag3)
                 {
@@ -435,7 +435,7 @@ void doencryption(void)
                         {
                         DES_string_to_2keys(key,&kk,&k2);
                         DES_set_key_unchecked(&k2,&ks2);
-                        memset(k2,0,sizeof(k2));
+                        OPENSSL_cleanse(k2,sizeof(k2));
                         }
                 else
                         DES_string_to_key(key,&kk);
@@ -457,8 +457,8 @@ void doencryption(void)
                         }
 
         DES_set_key_unchecked(&kk,&ks);
-        memset(key,0,sizeof(key));
-        memset(kk,0,sizeof(kk));
+        OPENSSL_cleanse(key,sizeof(key));
+        OPENSSL_cleanse(kk,sizeof(kk));
         /* woops - A bug that does not showup under unix :-( */
         memset(iv,0,sizeof(iv));
         memset(iv2,0,sizeof(iv2));
@@ -666,18 +666,18 @@ void doencryption(void)
                 if (l) fclose(CKSUM_OUT);
                 }
 problems:
-        memset(buf,0,sizeof(buf));
-        memset(obuf,0,sizeof(obuf));
-        memset(&ks,0,sizeof(ks));
-        memset(&ks2,0,sizeof(ks2));
-        memset(iv,0,sizeof(iv));
-        memset(iv2,0,sizeof(iv2));
-        memset(kk,0,sizeof(kk));
-        memset(k2,0,sizeof(k2));
-        memset(uubuf,0,sizeof(uubuf));
-        memset(b,0,sizeof(b));
-        memset(bb,0,sizeof(bb));
-        memset(cksum,0,sizeof(cksum));
+        OPENSSL_cleanse(buf,sizeof(buf));
+        OPENSSL_cleanse(obuf,sizeof(obuf));
+        OPENSSL_cleanse(&ks,sizeof(ks));
+        OPENSSL_cleanse(&ks2,sizeof(ks2));
+        OPENSSL_cleanse(iv,sizeof(iv));
+        OPENSSL_cleanse(iv2,sizeof(iv2));
+        OPENSSL_cleanse(kk,sizeof(kk));
+        OPENSSL_cleanse(k2,sizeof(k2));
+        OPENSSL_cleanse(uubuf,sizeof(uubuf));
+        OPENSSL_cleanse(b,sizeof(b));
+        OPENSSL_cleanse(bb,sizeof(bb));
+        OPENSSL_cleanse(cksum,sizeof(cksum));
         if (Exit) EXIT(Exit);
         }
 
diff --git a/src/lib/libcrypto/des/des_locl.h b/src/lib/libcrypto/des/des_locl.h
index 70e833be3f..e44e8e98b2 100644
--- a/src/lib/libcrypto/des/des_locl.h
+++ b/src/lib/libcrypto/des/des_locl.h
@@ -162,7 +162,18 @@
 
 #if defined(OPENSSL_SYS_WIN32) && defined(_MSC_VER)
 #define ROTATE(a,n)     (_lrotr(a,n))
-#else
+#elif defined(__GNUC__) && __GNUC__>=2 && !defined(__STRICT_ANSI__) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) && !defined(PEDANTIC)
+# if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
+#  define ROTATE(a,n)   ({ register unsigned int ret;   \
+                                asm ("rorl %1,%0"       \
+                                        : "=r"(ret)     \
+                                        : "I"(n),"0"(a) \
+                                        : "cc");        \
+                           ret;                         \
+                        })
+# endif
+#endif
+#ifndef ROTATE
 #define ROTATE(a,n)     (((a)>>(n))+((a)<<(32-(n))))
 #endif
 
diff --git a/src/lib/libcrypto/des/des_old.h b/src/lib/libcrypto/des/des_old.h
index fe32f21f61..1d8bf65101 100644
--- a/src/lib/libcrypto/des/des_old.h
+++ b/src/lib/libcrypto/des/des_old.h
@@ -173,10 +173,12 @@ typedef struct _ossl_old_des_ks_struct
         DES_fcrypt((b),(s),(r))
 #define des_crypt(b,s)\
         DES_crypt((b),(s))
+#if 0
 #if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT) && !defined(__OpenBSD__)
 #define crypt(b,s)\
         DES_crypt((b),(s))
 #endif
+#endif
 #define des_ofb_encrypt(i,o,n,l,k,iv)\
         DES_ofb_encrypt((i),(o),(n),(l),&(k),(iv))
 #define des_pcbc_encrypt(i,o,l,k,iv,e)\
diff --git a/src/lib/libcrypto/des/des_ver.h b/src/lib/libcrypto/des/des_ver.h
index ec9cc736e3..379bbadda2 100644
--- a/src/lib/libcrypto/des/des_ver.h
+++ b/src/lib/libcrypto/des/des_ver.h
@@ -63,5 +63,9 @@
 # define OPENSSL_EXTERN OPENSSL_EXPORT
 #endif
 
-OPENSSL_EXTERN const char *DES_version; /* SSLeay version string */
-OPENSSL_EXTERN const char *libdes_version;      /* old libdes version string */
+/* The following macros make sure the names are different from libdes names */
+#define DES_version OSSL_DES_version
+#define libdes_version OSSL_libdes_version
+
+OPENSSL_EXTERN const char *OSSL_DES_version;    /* SSLeay version string */
+OPENSSL_EXTERN const char *OSSL_libdes_version; /* old libdes version string */
diff --git a/src/lib/libcrypto/des/destest.c b/src/lib/libcrypto/des/destest.c
index 58e8c35dcb..687c00c792 100644
--- a/src/lib/libcrypto/des/destest.c
+++ b/src/lib/libcrypto/des/destest.c
@@ -84,9 +84,7 @@ int main(int argc, char *argv[])
 #else
 #include <openssl/des.h>
 
-#if defined(PERL5) || defined(__FreeBSD__) || defined(NeXT)
 #define crypt(c,s) (des_crypt((c),(s)))
-#endif
 
 /* tisk tisk - the test keys don't all have odd parity :-( */
 /* test data */
@@ -322,7 +320,11 @@ static unsigned char ofb_cipher[24]=
         0x3d,0x6d,0x5b,0xe3,0x25,0x5a,0xf8,0xc3
         };
 
+#if 0
 static DES_LONG cbc_cksum_ret=0xB462FEF7L;
+#else
+static DES_LONG cbc_cksum_ret=0xF7FE62B4L;
+#endif
 static unsigned char cbc_cksum_data[8]={0x1D,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4};
 
 static char *pt(unsigned char *p);
diff --git a/src/lib/libcrypto/des/read2pwd.c b/src/lib/libcrypto/des/read2pwd.c
index b4720c3a98..3a63c4016c 100644
--- a/src/lib/libcrypto/des/read2pwd.c
+++ b/src/lib/libcrypto/des/read2pwd.c
@@ -120,8 +120,8 @@ int DES_read_password(DES_cblock *key, const char *prompt, int verify)
 
         if ((ok=UI_UTIL_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0)
                 DES_string_to_key(buf,key);
-        memset(buf,0,BUFSIZ);
-        memset(buff,0,BUFSIZ);
+        OPENSSL_cleanse(buf,BUFSIZ);
+        OPENSSL_cleanse(buff,BUFSIZ);
         return(ok);
         }
 
@@ -133,7 +133,7 @@ int DES_read_2passwords(DES_cblock *key1, DES_cblock *key2, const char *prompt,
 
         if ((ok=UI_UTIL_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0)
                 DES_string_to_2keys(buf,key1,key2);
-        memset(buf,0,BUFSIZ);
-        memset(buff,0,BUFSIZ);
+        OPENSSL_cleanse(buf,BUFSIZ);
+        OPENSSL_cleanse(buff,BUFSIZ);
         return(ok);
         }
diff --git a/src/lib/libcrypto/des/read_pwd.c b/src/lib/libcrypto/des/read_pwd.c
index 9061935f21..ce5fa00a37 100644
--- a/src/lib/libcrypto/des/read_pwd.c
+++ b/src/lib/libcrypto/des/read_pwd.c
@@ -101,8 +101,10 @@
 
 #ifdef WIN_CONSOLE_BUG
 #include <windows.h>
+#ifndef OPENSSL_SYS_WINCE
 #include <wincon.h>
 #endif
+#endif
 
 
 /* There are 5 types of terminal interface supported,
@@ -133,7 +135,7 @@
 #define SGTTY
 #endif
 
-#if defined(OPENSSL_SYS_VSWORKS)
+#if defined(OPENSSL_SYS_VXWORKS)
 #undef TERMIOS
 #undef TERMIO
 #undef SGTTY
@@ -167,7 +169,7 @@
 #include <sys/ioctl.h>
 #endif
 
-#if defined(OPENSSL_SYS_MSDOS) && !defined(__CYGWIN32__)
+#if defined(OPENSSL_SYS_MSDOS) && !defined(__CYGWIN32__) && !defined(OPENSSL_SYS_WINCE)
 #include <conio.h>
 #define fgets(a,b,c) noecho_fgets(a,b,c)
 #endif
@@ -218,11 +220,29 @@ int des_read_pw_string(char *buf, int length, const char *prompt,
         int ret;
 
         ret=des_read_pw(buf,buff,(length>BUFSIZ)?BUFSIZ:length,prompt,verify);
-        memset(buff,0,BUFSIZ);
+        OPENSSL_cleanse(buff,BUFSIZ);
         return(ret);
         }
 
-#ifndef OPENSSL_SYS_WIN16
+#ifdef OPENSSL_SYS_WINCE
+
+int des_read_pw(char *buf, char *buff, int size, const char *prompt, int verify)
+        { 
+        memset(buf,0,size);
+        memset(buff,0,size);
+        return(0);
+        }
+
+#elif defined(OPENSSL_SYS_WIN16)
+
+int des_read_pw(char *buf, char *buff, int size, char *prompt, int verify)
+        { 
+        memset(buf,0,size);
+        memset(buff,0,size);
+        return(0);
+        }
+
+#else /* !OPENSSL_SYS_WINCE && !OPENSSL_SYS_WIN16 */
 
 static void read_till_nl(FILE *in)
         {
@@ -274,7 +294,7 @@ int des_read_pw(char *buf, char *buff, int size, const char *prompt,
 #ifdef OPENSSL_SYS_MSDOS
         if ((tty=fopen("con","r")) == NULL)
                 tty=stdin;
-#elif defined(MAC_OS_pre_X) || defined(OPENSSL_SYS_VSWORKS)
+#elif defined(MAC_OS_pre_X) || defined(OPENSSL_SYS_VXWORKS)
         tty=stdin;
 #else
 #ifndef OPENSSL_SYS_MPE
@@ -393,17 +413,6 @@ error:
         return(!ok);
         }
 
-#else /* OPENSSL_SYS_WIN16 */
-
-int des_read_pw(char *buf, char *buff, int size, char *prompt, int verify)
-        { 
-        memset(buf,0,size);
-        memset(buff,0,size);
-        return(0);
-        }
-
-#endif
-
 static void pushsig(void)
         {
         int i;
@@ -466,7 +475,7 @@ static void recsig(int i)
 #endif
         }
 
-#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16)
+#ifdef OPENSSL_SYS_MSDOS
 static int noecho_fgets(char *buf, int size, FILE *tty)
         {
         int i;
@@ -509,3 +518,4 @@ static int noecho_fgets(char *buf, int size, FILE *tty)
         return(strlen(buf));
         }
 #endif
+#endif /* !OPENSSL_SYS_WINCE && !WIN16 */
diff --git a/src/lib/libcrypto/des/str2key.c b/src/lib/libcrypto/des/str2key.c
index 36c3f81d99..0373db469c 100644
--- a/src/lib/libcrypto/des/str2key.c
+++ b/src/lib/libcrypto/des/str2key.c
@@ -94,7 +94,7 @@ void DES_string_to_key(const char *str, DES_cblock *key)
         DES_set_key_unchecked(key,&ks);
 #endif
         DES_cbc_cksum((const unsigned char*)str,key,length,&ks,key);
-        memset(&ks,0,sizeof(ks));
+        OPENSSL_cleanse(&ks,sizeof(ks));
         DES_set_odd_parity(key);
         }
 
@@ -167,7 +167,7 @@ void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2)
         DES_set_key_unchecked(key2,&ks);
 #endif
         DES_cbc_cksum((const unsigned char*)str,key2,length,&ks,key2);
-        memset(&ks,0,sizeof(ks));
+        OPENSSL_cleanse(&ks,sizeof(ks));
         DES_set_odd_parity(key1);
         DES_set_odd_parity(key2);
         }
diff --git a/src/lib/libcrypto/dh/Makefile.ssl b/src/lib/libcrypto/dh/Makefile.ssl
index 5e1aaae160..e05fc01a12 100644
--- a/src/lib/libcrypto/dh/Makefile.ssl
+++ b/src/lib/libcrypto/dh/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -112,17 +112,14 @@ dh_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 dh_gen.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 dh_gen.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 dh_gen.o: ../cryptlib.h dh_gen.c
-dh_key.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
-dh_key.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-dh_key.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
-dh_key.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-dh_key.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-dh_key.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-dh_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dh_key.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+dh_key.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
+dh_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dh_key.o: ../../include/openssl/dh.h ../../include/openssl/e_os2.h
+dh_key.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dh_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dh_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
 dh_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dh_key.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-dh_key.o: ../cryptlib.h dh_key.c
+dh_key.o: ../../include/openssl/symhacks.h ../cryptlib.h dh_key.c
 dh_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 dh_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 dh_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index 1a0efca2c4..77f2f50b51 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -61,7 +61,6 @@
 #include <openssl/bn.h>
 #include <openssl/rand.h>
 #include <openssl/dh.h>
-#include <openssl/engine.h>
 
 static int generate_key(DH *dh);
 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
diff --git a/src/lib/libcrypto/dh/dh_lib.c b/src/lib/libcrypto/dh/dh_lib.c
index ba5fd41057..09965ee2ea 100644
--- a/src/lib/libcrypto/dh/dh_lib.c
+++ b/src/lib/libcrypto/dh/dh_lib.c
@@ -60,7 +60,9 @@
 #include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/dh.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 
 const char *DH_version="Diffie-Hellman" OPENSSL_VERSION_PTEXT;
 
@@ -85,11 +87,13 @@ int DH_set_method(DH *dh, const DH_METHOD *meth)
         const DH_METHOD *mtmp;
         mtmp = dh->meth;
         if (mtmp->finish) mtmp->finish(dh);
+#ifndef OPENSSL_NO_ENGINE
         if (dh->engine)
                 {
                 ENGINE_finish(dh->engine);
                 dh->engine = NULL;
                 }
+#endif
         dh->meth = meth;
         if (meth->init) meth->init(dh);
         return 1;
@@ -112,6 +116,7 @@ DH *DH_new_method(ENGINE *engine)
                 }
 
         ret->meth = DH_get_default_method();
+#ifndef OPENSSL_NO_ENGINE
         if (engine)
                 {
                 if (!ENGINE_init(engine))
@@ -135,6 +140,7 @@ DH *DH_new_method(ENGINE *engine)
                         return NULL;
                         }
                 }
+#endif
 
         ret->pad=0;
         ret->version=0;
@@ -154,8 +160,10 @@ DH *DH_new_method(ENGINE *engine)
         CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data);
         if ((ret->meth->init != NULL) && !ret->meth->init(ret))
                 {
+#ifndef OPENSSL_NO_ENGINE
                 if (ret->engine)
                         ENGINE_finish(ret->engine);
+#endif
                 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data);
                 OPENSSL_free(ret);
                 ret=NULL;
@@ -182,8 +190,10 @@ void DH_free(DH *r)
 
         if (r->meth->finish)
                 r->meth->finish(r);
+#ifndef OPENSSL_NO_ENGINE
         if (r->engine)
                 ENGINE_finish(r->engine);
+#endif
 
         CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, r, &r->ex_data);
 
diff --git a/src/lib/libcrypto/dh/dhtest.c b/src/lib/libcrypto/dh/dhtest.c
index 34894ced73..d75077f9fa 100644
--- a/src/lib/libcrypto/dh/dhtest.c
+++ b/src/lib/libcrypto/dh/dhtest.c
@@ -59,9 +59,9 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#ifdef OPENSSL_SYS_WINDOWS
-#include "../bio/bss_file.c" 
-#endif
+
+#include "../e_os.h"
+
 #include <openssl/crypto.h>
 #include <openssl/bio.h>
 #include <openssl/bn.h>
@@ -84,10 +84,6 @@ int main(int argc, char *argv[])
 #endif
 
 static void MS_CALLBACK cb(int p, int n, void *arg);
-#ifdef OPENSSL_NO_STDIO
-#define APPS_WIN16
-#include "bss_file.c"
-#endif
 
 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
 
@@ -111,7 +107,7 @@ int main(int argc, char *argv[])
         RAND_seed(rnd_seed, sizeof rnd_seed);
 
         out=BIO_new(BIO_s_file());
-        if (out == NULL) exit(1);
+        if (out == NULL) EXIT(1);
         BIO_set_fp(out,stdout,BIO_NOCLOSE);
 
         a=DH_generate_parameters(64,DH_GENERATOR_5,cb,out);
@@ -195,7 +191,7 @@ err:
         CRYPTO_cleanup_all_ex_data();
         ERR_remove_state(0);
         CRYPTO_mem_leaks_fp(stderr);
-        exit(ret);
+        EXIT(ret);
         return(ret);
         }
 
diff --git a/src/lib/libcrypto/doc/DH_generate_parameters.pod b/src/lib/libcrypto/doc/DH_generate_parameters.pod
index 4a2d653758..9081e9ea7c 100644
--- a/src/lib/libcrypto/doc/DH_generate_parameters.pod
+++ b/src/lib/libcrypto/doc/DH_generate_parameters.pod
@@ -59,7 +59,8 @@ a usable generator.
 
 =head1 SEE ALSO
 
-L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<DH_free(3)|DH_free(3)>
+L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
+L<DH_free(3)|DH_free(3)>
 
 =head1 HISTORY
 
diff --git a/src/lib/libcrypto/doc/DSA_SIG_new.pod b/src/lib/libcrypto/doc/DSA_SIG_new.pod
index 45df4c0661..3ac6140038 100644
--- a/src/lib/libcrypto/doc/DSA_SIG_new.pod
+++ b/src/lib/libcrypto/doc/DSA_SIG_new.pod
@@ -30,7 +30,8 @@ DSA_SIG_free() returns no value.
 
 =head1 SEE ALSO
 
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<DSA_do_sign(3)|DSA_do_sign(3)>
+L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
+L<DSA_do_sign(3)|DSA_do_sign(3)>
 
 =head1 HISTORY
 
diff --git a/src/lib/libcrypto/doc/DSA_generate_key.pod b/src/lib/libcrypto/doc/DSA_generate_key.pod
index 9906a2d7e0..af83ccfaa1 100644
--- a/src/lib/libcrypto/doc/DSA_generate_key.pod
+++ b/src/lib/libcrypto/doc/DSA_generate_key.pod
@@ -24,7 +24,8 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>
+L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
+L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>
 
 =head1 HISTORY
 
diff --git a/src/lib/libcrypto/doc/ERR_get_error.pod b/src/lib/libcrypto/doc/ERR_get_error.pod
index 9fdedbcb91..34443045fc 100644
--- a/src/lib/libcrypto/doc/ERR_get_error.pod
+++ b/src/lib/libcrypto/doc/ERR_get_error.pod
@@ -5,7 +5,7 @@
 ERR_get_error, ERR_peek_error, ERR_peek_last_error,
 ERR_get_error_line, ERR_peek_error_line, ERR_peek_last_error_line,
 ERR_get_error_line_data, ERR_peek_error_line_data,
-ERR_peek_error_line_data - obtain error code and data
+ERR_peek_last_error_line_data - obtain error code and data
 
 =head1 SYNOPSIS
 
diff --git a/src/lib/libcrypto/doc/EVP_EncryptInit.pod b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
index 75cceb1ca2..daf57e5895 100644
--- a/src/lib/libcrypto/doc/EVP_EncryptInit.pod
+++ b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
@@ -419,7 +419,7 @@ Encrypt a string using blowfish:
         EVP_CIPHER_CTX ctx;
         FILE *out;
         EVP_CIPHER_CTX_init(&ctx);
-        EVP_EncryptInit_ex(&ctx, NULL, EVP_bf_cbc(), key, iv);
+        EVP_EncryptInit_ex(&ctx, EVP_bf_cbc(), NULL, key, iv);
 
         if(!EVP_EncryptUpdate(&ctx, outbuf, &outlen, intext, strlen(intext)))
                 {
diff --git a/src/lib/libcrypto/doc/EVP_SealInit.pod b/src/lib/libcrypto/doc/EVP_SealInit.pod
index 25ef07f7c7..b5e477e294 100644
--- a/src/lib/libcrypto/doc/EVP_SealInit.pod
+++ b/src/lib/libcrypto/doc/EVP_SealInit.pod
@@ -18,22 +18,28 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption
 =head1 DESCRIPTION
 
 The EVP envelope routines are a high level interface to envelope
-encryption. They generate a random key and then "envelope" it by
-using public key encryption. Data can then be encrypted using this
-key.
+encryption. They generate a random key and IV (if required) then
+"envelope" it by using public key encryption. Data can then be
+encrypted using this key.
 
 EVP_SealInit() initializes a cipher context B<ctx> for encryption
-with cipher B<type> using a random secret key and IV supplied in
-the B<iv> parameter. B<type> is normally supplied by a function such
-as EVP_des_cbc(). The secret key is encrypted using one or more public
-keys, this allows the same encrypted data to be decrypted using any
-of the corresponding private keys. B<ek> is an array of buffers where
-the public key encrypted secret key will be written, each buffer must
-contain enough room for the corresponding encrypted key: that is
+with cipher B<type> using a random secret key and IV. B<type> is normally
+supplied by a function such as EVP_des_cbc(). The secret key is encrypted
+using one or more public keys, this allows the same encrypted data to be
+decrypted using any of the corresponding private keys. B<ek> is an array of
+buffers where the public key encrypted secret key will be written, each buffer
+must contain enough room for the corresponding encrypted key: that is
 B<ek[i]> must have room for B<EVP_PKEY_size(pubk[i])> bytes. The actual
 size of each encrypted secret key is written to the array B<ekl>. B<pubk> is
 an array of B<npubk> public keys.
 
+The B<iv> parameter is a buffer where the generated IV is written to. It must
+contain enough room for the corresponding cipher's IV, as determined by (for
+example) EVP_CIPHER_iv_length(type).
+
+If the cipher does not require an IV then the B<iv> parameter is ignored
+and can be B<NULL>.
+
 EVP_SealUpdate() and EVP_SealFinal() have exactly the same properties
 as the EVP_EncryptUpdate() and EVP_EncryptFinal() routines, as 
 documented on the L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> manual
diff --git a/src/lib/libcrypto/doc/RAND_bytes.pod b/src/lib/libcrypto/doc/RAND_bytes.pod
index b03748b918..ce6329ce54 100644
--- a/src/lib/libcrypto/doc/RAND_bytes.pod
+++ b/src/lib/libcrypto/doc/RAND_bytes.pod
@@ -35,7 +35,8 @@ method.
 
 =head1 SEE ALSO
 
-L<rand(3)|rand(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<RAND_add(3)|RAND_add(3)>
+L<rand(3)|rand(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
+L<RAND_add(3)|RAND_add(3)>
 
 =head1 HISTORY
 
diff --git a/src/lib/libcrypto/doc/RSA_generate_key.pod b/src/lib/libcrypto/doc/RSA_generate_key.pod
index 11bc0b3459..52dbb14a53 100644
--- a/src/lib/libcrypto/doc/RSA_generate_key.pod
+++ b/src/lib/libcrypto/doc/RSA_generate_key.pod
@@ -59,7 +59,8 @@ RSA_generate_key() goes into an infinite loop for illegal input values.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_free(3)|RSA_free(3)>
+L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
+L<RSA_free(3)|RSA_free(3)>
 
 =head1 HISTORY
 
diff --git a/src/lib/libcrypto/doc/RSA_print.pod b/src/lib/libcrypto/doc/RSA_print.pod
index ff2d353d1a..c971e91f4d 100644
--- a/src/lib/libcrypto/doc/RSA_print.pod
+++ b/src/lib/libcrypto/doc/RSA_print.pod
@@ -2,9 +2,9 @@
 
 =head1 NAME
 
-RSA_print, RSA_print_fp, DHparams_print, DHparams_print_fp, DSA_print,
-DSA_print_fp, DHparams_print, DHparams_print_fp - print cryptographic
-parameters
+RSA_print, RSA_print_fp,
+DSAparams_print, DSAparams_print_fp, DSA_print, DSA_print_fp,
+DHparams_print, DHparams_print_fp - print cryptographic parameters
 
 =head1 SYNOPSIS
 
diff --git a/src/lib/libcrypto/doc/RSA_private_encrypt.pod b/src/lib/libcrypto/doc/RSA_private_encrypt.pod
index 0d1b2bd541..746a80c79e 100644
--- a/src/lib/libcrypto/doc/RSA_private_encrypt.pod
+++ b/src/lib/libcrypto/doc/RSA_private_encrypt.pod
@@ -59,8 +59,8 @@ obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>,
-L<RSA_verify(3)|RSA_verify(3)>
+L<ERR_get_error(3)|ERR_get_error(3)>, L<rsa(3)|rsa(3)>,
+L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)>
 
 =head1 HISTORY
 
diff --git a/src/lib/libcrypto/doc/RSA_public_encrypt.pod b/src/lib/libcrypto/doc/RSA_public_encrypt.pod
index 8022a23f99..d53e19d2b7 100644
--- a/src/lib/libcrypto/doc/RSA_public_encrypt.pod
+++ b/src/lib/libcrypto/doc/RSA_public_encrypt.pod
@@ -72,7 +72,8 @@ SSL, PKCS #1 v2.0
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_size(3)|RSA_size(3)>
+L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
+L<RSA_size(3)|RSA_size(3)>
 
 =head1 HISTORY
 
diff --git a/src/lib/libcrypto/doc/RSA_set_method.pod b/src/lib/libcrypto/doc/RSA_set_method.pod
index 0687c2242a..0a305f6b14 100644
--- a/src/lib/libcrypto/doc/RSA_set_method.pod
+++ b/src/lib/libcrypto/doc/RSA_set_method.pod
@@ -3,13 +3,12 @@
 =head1 NAME
 
 RSA_set_default_method, RSA_get_default_method, RSA_set_method,
-RSA_get_method, RSA_PKCS1_SSLeay,
-RSA_null_method, RSA_flags, RSA_new_method - select RSA method
+RSA_get_method, RSA_PKCS1_SSLeay, RSA_null_method, RSA_flags,
+RSA_new_method - select RSA method
 
 =head1 SYNOPSIS
 
  #include <openssl/rsa.h>
- #include <openssl/engine.h>
 
  void RSA_set_default_method(const RSA_METHOD *meth);
 
@@ -25,7 +24,7 @@ RSA_null_method, RSA_flags, RSA_new_method - select RSA method
 
  int RSA_flags(const RSA *rsa);
 
- RSA *RSA_new_method(ENGINE *engine);
+ RSA *RSA_new_method(RSA_METHOD *method);
 
 =head1 DESCRIPTION
 
@@ -70,6 +69,12 @@ B<engine> will be used for the RSA operations. If B<engine> is NULL, the
 default ENGINE for RSA operations is used, and if no default ENGINE is set,
 the RSA_METHOD controlled by RSA_set_default_method() is used.
 
+RSA_flags() returns the B<flags> that are set for B<rsa>'s current method.
+
+RSA_new_method() allocates and initializes an B<RSA> structure so that
+B<method> will be used for the RSA operations. If B<method> is B<NULL>,
+the default method is used.
+
 =head1 THE RSA_METHOD STRUCTURE
 
  typedef struct rsa_meth_st
diff --git a/src/lib/libcrypto/doc/RSA_sign_ASN1_OCTET_STRING.pod b/src/lib/libcrypto/doc/RSA_sign_ASN1_OCTET_STRING.pod
index b8c7bbb7e3..e70380bbfc 100644
--- a/src/lib/libcrypto/doc/RSA_sign_ASN1_OCTET_STRING.pod
+++ b/src/lib/libcrypto/doc/RSA_sign_ASN1_OCTET_STRING.pod
@@ -47,8 +47,8 @@ These functions serve no recognizable purpose.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<objects(3)|objects(3)>, L<rand(3)|rand(3)>,
-L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>,
+L<ERR_get_error(3)|ERR_get_error(3)>, L<objects(3)|objects(3)>,
+L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>,
 L<RSA_verify(3)|RSA_verify(3)>
 
 =head1 HISTORY
diff --git a/src/lib/libcrypto/doc/d2i_DHparams.pod b/src/lib/libcrypto/doc/d2i_DHparams.pod
index a6d1743d39..1e98aebeca 100644
--- a/src/lib/libcrypto/doc/d2i_DHparams.pod
+++ b/src/lib/libcrypto/doc/d2i_DHparams.pod
@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-d2i_DHparams, i2d_DHparams - ...
+d2i_DHparams, i2d_DHparams - PKCS#3 DH parameter functions.
 
 =head1 SYNOPSIS
 
@@ -13,18 +13,18 @@ d2i_DHparams, i2d_DHparams - ...
 
 =head1 DESCRIPTION
 
-...
+These functions decode and encode PKCS#3 DH parameters using the
+DHparameter structure described in PKCS#3.
 
-=head1 RETURN VALUES
-
-...
+Othewise these behave in a similar way to d2i_X509() and i2d_X509()
+described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
 
 =head1 SEE ALSO
 
-...
+L<d2i_X509(3)|d2i_X509(3)>
 
 =head1 HISTORY
 
-...
+TBA
 
 =cut
diff --git a/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod b/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod
index ff4d0d57db..7c71bcbf3d 100644
--- a/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod
+++ b/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod
@@ -2,7 +2,9 @@
 
 =head1 NAME
 
-d2i_RSAPublicKey, i2d_RSAPublicKey, d2i_RSAPrivateKey, i2d_RSAPrivateKey, i2d_Netscape_RSA, d2i_Netscape_RSA - ...
+d2i_RSAPublicKey, i2d_RSAPublicKey, d2i_RSAPrivateKey, i2d_RSAPrivateKey,
+d2i_RSA_PUBKEY, i2d_RSA_PUBKEY, i2d_Netscape_RSA,
+d2i_Netscape_RSA - RSA public and private key encoding functions.
 
 =head1 SYNOPSIS
 
@@ -12,6 +14,10 @@ d2i_RSAPublicKey, i2d_RSAPublicKey, d2i_RSAPrivateKey, i2d_RSAPrivateKey, i2d_Ne
 
  int i2d_RSAPublicKey(RSA *a, unsigned char **pp);
 
+ RSA * d2i_RSA_PUBKEY(RSA **a, unsigned char **pp, long length);
+
+ int i2d_RSA_PUBKEY(RSA *a, unsigned char **pp);
+
  RSA * d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length);
 
  int i2d_RSAPrivateKey(RSA *a, unsigned char **pp);
@@ -22,18 +28,39 @@ d2i_RSAPublicKey, i2d_RSAPublicKey, d2i_RSAPrivateKey, i2d_RSAPrivateKey, i2d_Ne
 
 =head1 DESCRIPTION
 
-...
+d2i_RSAPublicKey() and i2d_RSAPublicKey() decode and encode a PKCS#1 RSAPublicKey
+structure.
+
+d2i_RSA_PUKEY() and i2d_RSA_PUKEY() decode and encode an RSA public key using a
+SubjectPublicKeyInfo (certificate public key) structure.
+
+d2i_RSAPrivateKey(), i2d_RSAPrivateKey() decode and encode a PKCS#1 RSAPrivateKey
+structure.
+
+d2i_Netscape_RSA(), i2d_Netscape_RSA() decode and encode an RSA private key in
+NET format.
+
+The usage of all of these functions is similar to the d2i_X509() and
+i2d_X509() described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
+
+=head1 NOTES
+
+The B<RSA> structure passed to the private key encoding functions should have
+all the PKCS#1 private key components present.
 
-=head1 RETURN VALUES
+The data encoded by the private key functions is unencrypted and therefore 
+offers no private key security. 
 
-...
+The NET format functions are present to provide compatibility with certain very
+old software. This format has some severe security weaknesses and should be
+avoided if possible.
 
 =head1 SEE ALSO
 
-...
+L<d2i_X509(3)|d2i_X509(3)>
 
 =head1 HISTORY
 
-...
+TBA
 
 =cut
diff --git a/src/lib/libcrypto/dsa/Makefile.ssl b/src/lib/libcrypto/dsa/Makefile.ssl
index d308caafca..e5f8a8cf51 100644
--- a/src/lib/libcrypto/dsa/Makefile.ssl
+++ b/src/lib/libcrypto/dsa/Makefile.ssl
@@ -70,7 +70,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -143,35 +143,29 @@ dsa_ossl.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_ossl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_ossl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_ossl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-dsa_ossl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-dsa_ossl.o: ../../include/openssl/opensslconf.h
+dsa_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_ossl.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 dsa_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dsa_ossl.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-dsa_ossl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dsa_ossl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+dsa_ossl.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+dsa_ossl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 dsa_ossl.o: ../cryptlib.h dsa_ossl.c
 dsa_sign.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_sign.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-dsa_sign.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-dsa_sign.o: ../../include/openssl/opensslconf.h
+dsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 dsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dsa_sign.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-dsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dsa_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+dsa_sign.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+dsa_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 dsa_sign.o: ../cryptlib.h dsa_sign.c
 dsa_vrf.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_vrf.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
 dsa_vrf.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 dsa_vrf.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
 dsa_vrf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-dsa_vrf.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-dsa_vrf.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-dsa_vrf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dsa_vrf.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+dsa_vrf.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dsa_vrf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dsa_vrf.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
 dsa_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dsa_vrf.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-dsa_vrf.o: ../cryptlib.h dsa_vrf.c
+dsa_vrf.o: ../../include/openssl/symhacks.h ../cryptlib.h dsa_vrf.c
diff --git a/src/lib/libcrypto/dsa/dsa_lib.c b/src/lib/libcrypto/dsa/dsa_lib.c
index da2cdfa3d6..4171af24c6 100644
--- a/src/lib/libcrypto/dsa/dsa_lib.c
+++ b/src/lib/libcrypto/dsa/dsa_lib.c
@@ -63,7 +63,9 @@
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
 #include <openssl/asn1.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 
 const char *DSA_version="DSA" OPENSSL_VERSION_PTEXT;
 
@@ -93,11 +95,13 @@ int DSA_set_method(DSA *dsa, const DSA_METHOD *meth)
         const DSA_METHOD *mtmp;
         mtmp = dsa->meth;
         if (mtmp->finish) mtmp->finish(dsa);
+#ifndef OPENSSL_NO_ENGINE
         if (dsa->engine)
                 {
                 ENGINE_finish(dsa->engine);
                 dsa->engine = NULL;
                 }
+#endif
         dsa->meth = meth;
         if (meth->init) meth->init(dsa);
         return 1;
@@ -114,6 +118,7 @@ DSA *DSA_new_method(ENGINE *engine)
                 return(NULL);
                 }
         ret->meth = DSA_get_default_method();
+#ifndef OPENSSL_NO_ENGINE
         if (engine)
                 {
                 if (!ENGINE_init(engine))
@@ -138,6 +143,7 @@ DSA *DSA_new_method(ENGINE *engine)
                         return NULL;
                         }
                 }
+#endif
 
         ret->pad=0;
         ret->version=0;
@@ -158,8 +164,10 @@ DSA *DSA_new_method(ENGINE *engine)
         CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
         if ((ret->meth->init != NULL) && !ret->meth->init(ret))
                 {
+#ifndef OPENSSL_NO_ENGINE
                 if (ret->engine)
                         ENGINE_finish(ret->engine);
+#endif
                 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
                 OPENSSL_free(ret);
                 ret=NULL;
@@ -189,8 +197,10 @@ void DSA_free(DSA *r)
 
         if(r->meth->finish)
                 r->meth->finish(r);
+#ifndef OPENSSL_NO_ENGINE
         if(r->engine)
                 ENGINE_finish(r->engine);
+#endif
 
         CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, r, &r->ex_data);
 
@@ -224,7 +234,10 @@ int DSA_size(const DSA *r)
         {
         int ret,i;
         ASN1_INTEGER bs;
-        unsigned char buf[4];
+        unsigned char buf[4];   /* 4 bytes looks really small.
+                                   However, i2d_ASN1_INTEGER() will not look
+                                   beyond the first byte, as long as the second
+                                   parameter is NULL. */
 
         i=BN_num_bits(r->q);
         bs.length=(i+7)/8;
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index 37dd5fc994..b9e7f3ea5c 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -64,7 +64,6 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
-#include <openssl/engine.h>
 
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
@@ -106,13 +105,15 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
         int i,reason=ERR_R_BN_LIB;
         DSA_SIG *ret=NULL;
 
+        BN_init(&m);
+        BN_init(&xr);
+
         if (!dsa->p || !dsa->q || !dsa->g)
                 {
                 reason=DSA_R_MISSING_PARAMETERS;
                 goto err;
                 }
-        BN_init(&m);
-        BN_init(&xr);
+
         s=BN_new();
         if (s == NULL) goto err;
 
@@ -178,6 +179,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
                 DSAerr(DSA_F_DSA_SIGN_SETUP,DSA_R_MISSING_PARAMETERS);
                 return 0;
                 }
+
+        BN_init(&k);
+
         if (ctx_in == NULL)
                 {
                 if ((ctx=BN_CTX_new()) == NULL) goto err;
@@ -185,7 +189,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
         else
                 ctx=ctx_in;
 
-        BN_init(&k);
         if ((r=BN_new()) == NULL) goto err;
         kinv=NULL;
 
@@ -241,11 +244,12 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                 return -1;
                 }
 
-        if ((ctx=BN_CTX_new()) == NULL) goto err;
         BN_init(&u1);
         BN_init(&u2);
         BN_init(&t1);
 
+        if ((ctx=BN_CTX_new()) == NULL) goto err;
+
         if (BN_is_zero(sig->r) || sig->r->neg || BN_ucmp(sig->r, dsa->q) >= 0)
                 {
                 ret = 0;
diff --git a/src/lib/libcrypto/dsa/dsa_sign.c b/src/lib/libcrypto/dsa/dsa_sign.c
index e9469ca62f..89205026f0 100644
--- a/src/lib/libcrypto/dsa/dsa_sign.c
+++ b/src/lib/libcrypto/dsa/dsa_sign.c
@@ -64,7 +64,6 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
-#include <openssl/engine.h>
 
 DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
         {
diff --git a/src/lib/libcrypto/dsa/dsa_vrf.c b/src/lib/libcrypto/dsa/dsa_vrf.c
index 066c6b5b28..c4aeddd056 100644
--- a/src/lib/libcrypto/dsa/dsa_vrf.c
+++ b/src/lib/libcrypto/dsa/dsa_vrf.c
@@ -65,7 +65,6 @@
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1_mac.h>
-#include <openssl/engine.h>
 
 int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                   DSA *dsa)
diff --git a/src/lib/libcrypto/dsa/dsagen.c b/src/lib/libcrypto/dsa/dsagen.c
index a0b0976640..1b6a1cca0f 100644
--- a/src/lib/libcrypto/dsa/dsagen.c
+++ b/src/lib/libcrypto/dsa/dsagen.c
@@ -103,7 +103,7 @@ main()
                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 
         memcpy(seed_buf,seed,20);
-        dsa=DSA_generate_parameters(1024,seed,20,&counter,&h,cb);
+        dsa=DSA_generate_parameters(1024,seed,20,&counter,&h,cb,bio_err);
 
         if (dsa == NULL)
                 DSA_print(bio_err,dsa,0);
diff --git a/src/lib/libcrypto/dsa/dsatest.c b/src/lib/libcrypto/dsa/dsatest.c
index 12da64f9f4..4734ce4af8 100644
--- a/src/lib/libcrypto/dsa/dsatest.c
+++ b/src/lib/libcrypto/dsa/dsatest.c
@@ -61,14 +61,13 @@
 #include <string.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+
+#include "../e_os.h"
+
 #include <openssl/crypto.h>
 #include <openssl/rand.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
-#include <openssl/engine.h>
-#ifdef OPENSSL_SYS_WINDOWS
-#include "../bio/bss_file.c"
-#endif
 
 #ifdef OPENSSL_NO_DSA
 int main(int argc, char *argv[])
@@ -212,10 +211,16 @@ end:
                 BIO_free(bio_err);
                 bio_err = NULL;
                 }
-        exit(!ret);
+        EXIT(!ret);
         return(0);
         }
 
+static int cb_exit(int ec)
+        {
+        EXIT(ec);
+        return(0);              /* To keep some compilers quiet */
+        }
+
 static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
         {
         char c='*';
@@ -231,7 +236,7 @@ static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
         if (!ok && (p == 0) && (num > 1))
                 {
                 BIO_printf((BIO *)arg,"error in dsatest\n");
-                exit(1);
+                cb_exit(1);
                 }
         }
 #endif
diff --git a/src/lib/libcrypto/dso/Makefile.ssl b/src/lib/libcrypto/dso/Makefile.ssl
index 5a55125824..c0449d184e 100644
--- a/src/lib/libcrypto/dso/Makefile.ssl
+++ b/src/lib/libcrypto/dso/Makefile.ssl
@@ -70,7 +70,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/dso/dso_dl.c b/src/lib/libcrypto/dso/dso_dl.c
index 195717e993..79d2cb4d8c 100644
--- a/src/lib/libcrypto/dso/dso_dl.c
+++ b/src/lib/libcrypto/dso/dso_dl.c
@@ -126,7 +126,7 @@ static int dl_load(DSO *dso)
                 DSOerr(DSO_F_DL_LOAD,DSO_R_NO_FILENAME);
                 goto err;
                 }
-        ptr = shl_load(filename, BIND_IMMEDIATE|DYNAMIC_PATH, NULL);
+        ptr = shl_load(filename, BIND_IMMEDIATE|DYNAMIC_PATH, 0L);
         if(ptr == NULL)
                 {
                 DSOerr(DSO_F_DL_LOAD,DSO_R_LOAD_FAILED);
diff --git a/src/lib/libcrypto/dso/dso_win32.c b/src/lib/libcrypto/dso/dso_win32.c
index af8586d754..6c30deb250 100644
--- a/src/lib/libcrypto/dso/dso_win32.c
+++ b/src/lib/libcrypto/dso/dso_win32.c
@@ -61,7 +61,7 @@
 #include "cryptlib.h"
 #include <openssl/dso.h>
 
-#ifndef OPENSSL_SYS_WIN32
+#if !defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE)
 DSO_METHOD *DSO_METHOD_win32(void)
         {
         return NULL;
diff --git a/src/lib/libcrypto/ec/Makefile.ssl b/src/lib/libcrypto/ec/Makefile.ssl
index ed602b4a7f..a2805c47a2 100644
--- a/src/lib/libcrypto/ec/Makefile.ssl
+++ b/src/lib/libcrypto/ec/Makefile.ssl
@@ -71,7 +71,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/ec/ec.h b/src/lib/libcrypto/ec/ec.h
index a52d4edf14..6d6a9b7127 100644
--- a/src/lib/libcrypto/ec/ec.h
+++ b/src/lib/libcrypto/ec/ec.h
@@ -195,7 +195,6 @@ void ERR_load_EC_strings(void);
 #define EC_F_EC_GROUP_GET0_GENERATOR                     139
 #define EC_F_EC_GROUP_GET_COFACTOR                       140
 #define EC_F_EC_GROUP_GET_CURVE_GFP                      130
-#define EC_F_EC_GROUP_GET_EXTRA_DATA                     107
 #define EC_F_EC_GROUP_GET_ORDER                          141
 #define EC_F_EC_GROUP_NEW                                108
 #define EC_F_EC_GROUP_PRECOMPUTE_MULT                    142
@@ -232,7 +231,6 @@ void ERR_load_EC_strings(void);
 #define EC_R_INVALID_FIELD                               103
 #define EC_R_INVALID_FORM                                104
 #define EC_R_NOT_INITIALIZED                             111
-#define EC_R_NO_SUCH_EXTRA_DATA                          105
 #define EC_R_POINT_AT_INFINITY                           106
 #define EC_R_POINT_IS_NOT_ON_CURVE                       107
 #define EC_R_SLOT_FULL                                   108
diff --git a/src/lib/libcrypto/ec/ec_err.c b/src/lib/libcrypto/ec/ec_err.c
index 394cdc021f..d37b6aba87 100644
--- a/src/lib/libcrypto/ec/ec_err.c
+++ b/src/lib/libcrypto/ec/ec_err.c
@@ -84,7 +84,6 @@ static ERR_STRING_DATA EC_str_functs[]=
 {ERR_PACK(0,EC_F_EC_GROUP_GET0_GENERATOR,0),    "EC_GROUP_get0_generator"},
 {ERR_PACK(0,EC_F_EC_GROUP_GET_COFACTOR,0),      "EC_GROUP_get_cofactor"},
 {ERR_PACK(0,EC_F_EC_GROUP_GET_CURVE_GFP,0),     "EC_GROUP_get_curve_GFp"},
-{ERR_PACK(0,EC_F_EC_GROUP_GET_EXTRA_DATA,0),    "EC_GROUP_get_extra_data"},
 {ERR_PACK(0,EC_F_EC_GROUP_GET_ORDER,0), "EC_GROUP_get_order"},
 {ERR_PACK(0,EC_F_EC_GROUP_NEW,0),       "EC_GROUP_new"},
 {ERR_PACK(0,EC_F_EC_GROUP_PRECOMPUTE_MULT,0),   "EC_GROUP_precompute_mult"},
@@ -124,7 +123,6 @@ static ERR_STRING_DATA EC_str_reasons[]=
 {EC_R_INVALID_FIELD                      ,"invalid field"},
 {EC_R_INVALID_FORM                       ,"invalid form"},
 {EC_R_NOT_INITIALIZED                    ,"not initialized"},
-{EC_R_NO_SUCH_EXTRA_DATA                 ,"no such extra data"},
 {EC_R_POINT_AT_INFINITY                  ,"point at infinity"},
 {EC_R_POINT_IS_NOT_ON_CURVE              ,"point is not on curve"},
 {EC_R_SLOT_FULL                          ,"slot full"},
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index 0cf485de60..deb522060f 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -128,7 +128,7 @@ void EC_GROUP_clear_free(EC_GROUP *group)
 
         EC_GROUP_clear_free_extra_data(group);
 
-        memset(group, 0, sizeof *group);
+        OPENSSL_cleanse(group, sizeof *group);
         OPENSSL_free(group);
         }
 
@@ -268,7 +268,9 @@ void *EC_GROUP_get_extra_data(const EC_GROUP *group, void *(*extra_data_dup_func
                 || (group->extra_data_free_func != extra_data_free_func)
                 || (group->extra_data_clear_free_func != extra_data_clear_free_func))
                 {
-                ECerr(EC_F_EC_GROUP_GET_EXTRA_DATA, EC_R_NO_SUCH_EXTRA_DATA);
+#if 0 /* this was an error in 0.9.7, but that does not make a lot of sense */
+                ECerr(..._F_EC_GROUP_GET_EXTRA_DATA, ..._R_NO_SUCH_EXTRA_DATA);
+#endif
                 return NULL;
                 }
 
@@ -357,7 +359,7 @@ void EC_POINT_clear_free(EC_POINT *point)
                 point->meth->point_clear_finish(point);
         else if (point->meth != NULL && point->meth->point_finish != 0)
                 point->meth->point_finish(point);
-        memset(point, 0, sizeof *point);
+        OPENSSL_cleanse(point, sizeof *point);
         OPENSSL_free(point);
         }
 
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index 603ba31b81..4dbc931120 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -209,6 +209,17 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
         EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' */
         int ret = 0;
         
+        if (group->meth != r->meth)
+                {
+                ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+
+        if ((scalar == NULL) && (num == 0))
+                {
+                return EC_POINT_set_to_infinity(group, r);
+                }
+
         if (scalar != NULL)
                 {
                 generator = EC_GROUP_get0_generator(group);
diff --git a/src/lib/libcrypto/ec/ectest.c b/src/lib/libcrypto/ec/ectest.c
index eab46cc080..345d3e4289 100644
--- a/src/lib/libcrypto/ec/ectest.c
+++ b/src/lib/libcrypto/ec/ectest.c
@@ -55,6 +55,11 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#ifdef FLAT_INC
+#include "e_os.h"
+#else
+#include "../e_os.h"
+#endif
 #include <string.h>
 #include <time.h>
 
@@ -65,14 +70,16 @@ int main(int argc, char * argv[]) { puts("Elliptic curves are disabled."); retur
 
 
 #include <openssl/ec.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 #include <openssl/err.h>
 
 #define ABORT do { \
         fflush(stdout); \
         fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \
         ERR_print_errors_fp(stderr); \
-        exit(1); \
+        EXIT(1); \
 } while (0)
 
 #if 0
@@ -623,7 +630,9 @@ int main(int argc, char *argv[])
         if (P_384) EC_GROUP_free(P_384);
         if (P_521) EC_GROUP_free(P_521);
 
+#ifndef OPENSSL_NO_ENGINE
         ENGINE_cleanup();
+#endif
         CRYPTO_cleanup_all_ex_data();
         ERR_free_strings();
         ERR_remove_state(0);
diff --git a/src/lib/libcrypto/engine/Makefile.ssl b/src/lib/libcrypto/engine/Makefile.ssl
index 8bc8985e02..30a4446ff9 100644
--- a/src/lib/libcrypto/engine/Makefile.ssl
+++ b/src/lib/libcrypto/engine/Makefile.ssl
@@ -50,7 +50,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -82,7 +82,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -304,6 +304,27 @@ hw_atalla.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 hw_atalla.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 hw_atalla.o: ../cryptlib.h hw_atalla.c hw_atalla_err.c hw_atalla_err.h
 hw_atalla.o: vendor_defns/atalla.h
+hw_cryptodev.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
+hw_cryptodev.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+hw_cryptodev.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
+hw_cryptodev.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+hw_cryptodev.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+hw_cryptodev.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+hw_cryptodev.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+hw_cryptodev.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+hw_cryptodev.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+hw_cryptodev.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+hw_cryptodev.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+hw_cryptodev.o: ../../include/openssl/objects.h
+hw_cryptodev.o: ../../include/openssl/opensslconf.h
+hw_cryptodev.o: ../../include/openssl/opensslv.h
+hw_cryptodev.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+hw_cryptodev.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+hw_cryptodev.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+hw_cryptodev.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+hw_cryptodev.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+hw_cryptodev.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+hw_cryptodev.o: ../../include/openssl/ui_compat.h hw_cryptodev.c
 hw_cswift.o: ../../e_os.h ../../include/openssl/asn1.h
 hw_cswift.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 hw_cswift.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -354,45 +375,6 @@ hw_nuron.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 hw_nuron.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 hw_nuron.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 hw_nuron.o: ../cryptlib.h hw_nuron.c hw_nuron_err.c hw_nuron_err.h
-hw_cryptodev.o: ../../include/openssl/aes.h
-hw_cryptodev.o: ../../include/openssl/asn1.h
-hw_cryptodev.o: ../../include/openssl/bio.h
-hw_cryptodev.o: ../../include/openssl/blowfish.h
-hw_cryptodev.o: ../../include/openssl/bn.h
-hw_cryptodev.o: ../../include/openssl/cast.h
-hw_cryptodev.o: ../../include/openssl/conf.h
-hw_cryptodev.o: ../../include/openssl/crypto.h
-hw_cryptodev.o: ../../include/openssl/des.h
-hw_cryptodev.o: ../../include/openssl/des_old.h
-hw_cryptodev.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-hw_cryptodev.o: ../../include/openssl/e_os2.h
-hw_cryptodev.o: ../../include/openssl/engine.h
-hw_cryptodev.o: ../../include/openssl/err.h
-hw_cryptodev.o: ../../include/openssl/evp.h
-hw_cryptodev.o: ../../include/openssl/idea.h
-hw_cryptodev.o: ../../include/openssl/lhash.h
-hw_cryptodev.o: ../../include/openssl/md2.h
-hw_cryptodev.o: ../../include/openssl/md4.h
-hw_cryptodev.o: ../../include/openssl/md5.h
-hw_cryptodev.o: ../../include/openssl/mdc2.h
-hw_cryptodev.o: ../../include/openssl/obj_mac.h
-hw_cryptodev.o: ../../include/openssl/objects.h
-hw_cryptodev.o: ../../include/openssl/opensslconf.h
-hw_cryptodev.o: ../../include/openssl/opensslv.h
-hw_cryptodev.o: ../../include/openssl/ossl_typ.h
-hw_cryptodev.o: ../../include/openssl/rand.h
-hw_cryptodev.o: ../../include/openssl/rc2.h
-hw_cryptodev.o: ../../include/openssl/rc4.h
-hw_cryptodev.o: ../../include/openssl/rc5.h
-hw_cryptodev.o: ../../include/openssl/ripemd.h
-hw_cryptodev.o: ../../include/openssl/rsa.h
-hw_cryptodev.o: ../../include/openssl/safestack.h
-hw_cryptodev.o: ../../include/openssl/sha.h
-hw_cryptodev.o: ../../include/openssl/stack.h
-hw_cryptodev.o: ../../include/openssl/symhacks.h
-hw_cryptodev.o: ../../include/openssl/ui.h
-hw_cryptodev.o: ../../include/openssl/ui_compat.h ../evp/evp_locl.h
-hw_cryptodev.o: eng_int.h hw_cryptodev.c
 hw_sureware.o: ../../e_os.h ../../include/openssl/aes.h
 hw_sureware.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 hw_sureware.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
diff --git a/src/lib/libcrypto/engine/eng_all.c b/src/lib/libcrypto/engine/eng_all.c
index bc50465422..0f6992a40d 100644
--- a/src/lib/libcrypto/engine/eng_all.c
+++ b/src/lib/libcrypto/engine/eng_all.c
@@ -60,10 +60,6 @@
 #include <openssl/engine.h>
 #include "eng_int.h"
 
-#ifdef __OpenBSD__
-static int openbsd_default_loaded = 0;
-#endif
-
 void ENGINE_load_builtin_engines(void)
         {
         /* There's no longer any need for an "openssl" ENGINE unless, one day,
@@ -99,21 +95,19 @@ void ENGINE_load_builtin_engines(void)
 #ifndef OPENSSL_NO_HW_4758_CCA
         ENGINE_load_4758cca();
 #endif
-#ifdef OPENSSL_OPENBSD_DEV_CRYPTO
-        ENGINE_load_openbsd_dev_crypto();
-#endif
-#ifdef __OpenBSD__
+#if defined(__OpenBSD__) || defined(__FreeBSD__)
         ENGINE_load_cryptodev();
 #endif
 #endif
         }
 
-#ifdef __OpenBSD__
-void ENGINE_setup_openbsd(void) {
-        if (!openbsd_default_loaded) {
+#if defined(__OpenBSD__) || defined(__FreeBSD__)
+void ENGINE_setup_bsd_cryptodev(void) {
+        static int bsd_cryptodev_default_loaded = 0;
+        if (!bsd_cryptodev_default_loaded) {
                 ENGINE_load_cryptodev();
                 ENGINE_register_all_complete();
         }
-        openbsd_default_loaded=1;
+        bsd_cryptodev_default_loaded=1;
 }
 #endif
diff --git a/src/lib/libcrypto/engine/eng_err.c b/src/lib/libcrypto/engine/eng_err.c
index f6c5630395..814d95ee32 100644
--- a/src/lib/libcrypto/engine/eng_err.c
+++ b/src/lib/libcrypto/engine/eng_err.c
@@ -1,6 +1,6 @@
 /* crypto/engine/eng_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -96,6 +96,7 @@ static ERR_STRING_DATA ENGINE_str_functs[]=
 {ERR_PACK(0,ENGINE_F_ENGINE_SET_NAME,0),        "ENGINE_set_name"},
 {ERR_PACK(0,ENGINE_F_ENGINE_TABLE_REGISTER,0),  "ENGINE_TABLE_REGISTER"},
 {ERR_PACK(0,ENGINE_F_ENGINE_UNLOAD_KEY,0),      "ENGINE_UNLOAD_KEY"},
+{ERR_PACK(0,ENGINE_F_ENGINE_UP_REF,0),  "ENGINE_up_ref"},
 {ERR_PACK(0,ENGINE_F_INT_CTRL_HELPER,0),        "INT_CTRL_HELPER"},
 {ERR_PACK(0,ENGINE_F_INT_ENGINE_CONFIGURE,0),   "INT_ENGINE_CONFIGURE"},
 {ERR_PACK(0,ENGINE_F_LOG_MESSAGE,0),    "LOG_MESSAGE"},
diff --git a/src/lib/libcrypto/engine/eng_fat.c b/src/lib/libcrypto/engine/eng_fat.c
index f7edb5ad32..0d7dae00b2 100644
--- a/src/lib/libcrypto/engine/eng_fat.c
+++ b/src/lib/libcrypto/engine/eng_fat.c
@@ -66,18 +66,18 @@ int ENGINE_set_default(ENGINE *e, unsigned int flags)
         if((flags & ENGINE_METHOD_DIGESTS) && !ENGINE_set_default_digests(e))
                 return 0;
 #ifndef OPENSSL_NO_RSA
-        if((flags & ENGINE_METHOD_RSA) & !ENGINE_set_default_RSA(e))
+        if((flags & ENGINE_METHOD_RSA) && !ENGINE_set_default_RSA(e))
                 return 0;
 #endif
 #ifndef OPENSSL_NO_DSA
-        if((flags & ENGINE_METHOD_DSA) & !ENGINE_set_default_DSA(e))
+        if((flags & ENGINE_METHOD_DSA) && !ENGINE_set_default_DSA(e))
                 return 0;
 #endif
 #ifndef OPENSSL_NO_DH
-        if((flags & ENGINE_METHOD_DH) & !ENGINE_set_default_DH(e))
+        if((flags & ENGINE_METHOD_DH) && !ENGINE_set_default_DH(e))
                 return 0;
 #endif
-        if((flags & ENGINE_METHOD_RAND) & !ENGINE_set_default_RAND(e))
+        if((flags & ENGINE_METHOD_RAND) && !ENGINE_set_default_RAND(e))
                 return 0;
         return 1;
         }
diff --git a/src/lib/libcrypto/engine/eng_list.c b/src/lib/libcrypto/engine/eng_list.c
index 0c220558e7..1cc3217f4c 100644
--- a/src/lib/libcrypto/engine/eng_list.c
+++ b/src/lib/libcrypto/engine/eng_list.c
@@ -191,14 +191,14 @@ ENGINE *ENGINE_get_first(void)
         {
         ENGINE *ret;
 
-        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
         ret = engine_list_head;
         if(ret)
                 {
                 ret->struct_ref++;
                 engine_ref_debug(ret, 0, 1)
                 }
-        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
         return ret;
         }
 
@@ -206,14 +206,14 @@ ENGINE *ENGINE_get_last(void)
         {
         ENGINE *ret;
 
-        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
-                ret = engine_list_tail;
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        ret = engine_list_tail;
         if(ret)
                 {
                 ret->struct_ref++;
                 engine_ref_debug(ret, 0, 1)
                 }
-        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
         return ret;
         }
 
@@ -227,7 +227,7 @@ ENGINE *ENGINE_get_next(ENGINE *e)
                         ERR_R_PASSED_NULL_PARAMETER);
                 return 0;
                 }
-        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
         ret = e->next;
         if(ret)
                 {
@@ -235,7 +235,7 @@ ENGINE *ENGINE_get_next(ENGINE *e)
                 ret->struct_ref++;
                 engine_ref_debug(ret, 0, 1)
                 }
-        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
         /* Release the structural reference to the previous ENGINE */
         ENGINE_free(e);
         return ret;
@@ -250,7 +250,7 @@ ENGINE *ENGINE_get_prev(ENGINE *e)
                         ERR_R_PASSED_NULL_PARAMETER);
                 return 0;
                 }
-        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
         ret = e->prev;
         if(ret)
                 {
@@ -258,7 +258,7 @@ ENGINE *ENGINE_get_prev(ENGINE *e)
                 ret->struct_ref++;
                 engine_ref_debug(ret, 0, 1)
                 }
-        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
         /* Release the structural reference to the previous ENGINE */
         ENGINE_free(e);
         return ret;
@@ -346,7 +346,7 @@ ENGINE *ENGINE_by_id(const char *id)
                         ERR_R_PASSED_NULL_PARAMETER);
                 return NULL;
                 }
-        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
         iterator = engine_list_head;
         while(iterator && (strcmp(id, iterator->id) != 0))
                 iterator = iterator->next;
@@ -372,7 +372,7 @@ ENGINE *ENGINE_by_id(const char *id)
                         engine_ref_debug(iterator, 0, 1)
                         }
                 }
-        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
         if(iterator == NULL)
                 {
                 ENGINEerr(ENGINE_F_ENGINE_BY_ID,
@@ -381,3 +381,14 @@ ENGINE *ENGINE_by_id(const char *id)
                 }
         return iterator;
         }
+
+int ENGINE_up_ref(ENGINE *e)
+        {
+        if (e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_UP_REF,ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_add(&e->struct_ref,1,CRYPTO_LOCK_ENGINE);
+        return 1;
+        }
diff --git a/src/lib/libcrypto/engine/eng_openssl.c b/src/lib/libcrypto/engine/eng_openssl.c
index e9d976f46b..54579eea2e 100644
--- a/src/lib/libcrypto/engine/eng_openssl.c
+++ b/src/lib/libcrypto/engine/eng_openssl.c
@@ -63,6 +63,7 @@
 #include <openssl/engine.h>
 #include <openssl/dso.h>
 #include <openssl/pem.h>
+#include <openssl/evp.h>
 
 /* This testing gunk is implemented (and explained) lower down. It also assumes
  * the application explicitly calls "ENGINE_load_openssl()" because this is no
@@ -78,6 +79,21 @@
 /* #define TEST_ENG_OPENSSL_SHA_P_UPDATE */
 /* #define TEST_ENG_OPENSSL_SHA_P_FINAL */
 
+/* Now check what of those algorithms are actually enabled */
+#ifdef OPENSSL_NO_RC4
+#undef TEST_ENG_OPENSSL_RC4
+#undef TEST_ENG_OPENSSL_RC4_OTHERS
+#undef TEST_ENG_OPENSSL_RC4_P_INIT
+#undef TEST_ENG_OPENSSL_RC4_P_CIPHER
+#endif
+#if defined(OPENSSL_NO_SHA) || defined(OPENSSL_NO_SHA0) || defined(OPENSSL_NO_SHA1)
+#undef TEST_ENG_OPENSSL_SHA
+#undef TEST_ENG_OPENSSL_SHA_OTHERS
+#undef TEST_ENG_OPENSSL_SHA_P_INIT
+#undef TEST_ENG_OPENSSL_SHA_P_UPDATE
+#undef TEST_ENG_OPENSSL_SHA_P_FINAL 
+#endif
+
 #ifdef TEST_ENG_OPENSSL_RC4
 static int openssl_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
                                 const int **nids, int nid);
@@ -180,7 +196,6 @@ IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
  *        the "init_key" handler is called.
  *    TEST_ENG_OPENSSL_RC4_P_CIPHER - ditto for the "cipher" handler.
  */
-#include <openssl/evp.h>
 #include <openssl/rc4.h>
 #define TEST_RC4_KEY_SIZE               16
 static int test_cipher_nids[] = {NID_rc4,NID_rc4_40};
@@ -265,7 +280,6 @@ static int openssl_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
 
 #ifdef TEST_ENG_OPENSSL_SHA
 /* Much the same sort of comment as for TEST_ENG_OPENSSL_RC4 */
-#include <openssl/evp.h>
 #include <openssl/sha.h>
 static int test_digest_nids[] = {NID_sha1};
 static int test_digest_nids_number = 1;
diff --git a/src/lib/libcrypto/engine/engine.h b/src/lib/libcrypto/engine/engine.h
index fd17ff616d..8686879e1a 100644
--- a/src/lib/libcrypto/engine/engine.h
+++ b/src/lib/libcrypto/engine/engine.h
@@ -59,6 +59,12 @@
 #ifndef HEADER_ENGINE_H
 #define HEADER_ENGINE_H
 
+#include <openssl/opensslconf.h>
+
+#ifdef OPENSSL_NO_ENGINE
+#error ENGINE is disabled.
+#endif
+
 #include <openssl/ossl_typ.h>
 #include <openssl/bn.h>
 #ifndef OPENSSL_NO_RSA
@@ -307,11 +313,8 @@ void ENGINE_load_ubsec(void);
 void ENGINE_load_aep(void);
 void ENGINE_load_sureware(void);
 void ENGINE_load_4758cca(void);
-void ENGINE_load_openbsd_dev_crypto(void);
-void ENGINE_load_builtin_engines(void);
-#ifdef __OpenBSD__
 void ENGINE_load_cryptodev(void);
-#endif  
+void ENGINE_load_builtin_engines(void);
 
 /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
  * "registry" handling. */
@@ -409,6 +412,7 @@ int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
  * compatibility! */
 ENGINE *ENGINE_new(void);
 int ENGINE_free(ENGINE *e);
+int ENGINE_up_ref(ENGINE *e);
 int ENGINE_set_id(ENGINE *e, const char *id);
 int ENGINE_set_name(ENGINE *e, const char *name);
 int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth);
@@ -665,6 +669,7 @@ void ERR_load_ENGINE_strings(void);
 #define ENGINE_F_ENGINE_SET_NAME                         130
 #define ENGINE_F_ENGINE_TABLE_REGISTER                   184
 #define ENGINE_F_ENGINE_UNLOAD_KEY                       152
+#define ENGINE_F_ENGINE_UP_REF                           190
 #define ENGINE_F_INT_CTRL_HELPER                         172
 #define ENGINE_F_INT_ENGINE_CONFIGURE                    188
 #define ENGINE_F_LOG_MESSAGE                             141
diff --git a/src/lib/libcrypto/engine/enginetest.c b/src/lib/libcrypto/engine/enginetest.c
index 87fa8c57b7..c2d0297392 100644
--- a/src/lib/libcrypto/engine/enginetest.c
+++ b/src/lib/libcrypto/engine/enginetest.c
@@ -56,9 +56,17 @@
  *
  */
 
-#include <openssl/e_os2.h>
 #include <stdio.h>
 #include <string.h>
+
+#ifdef OPENSSL_NO_ENGINE
+int main(int argc, char *argv[])
+{
+    printf("No ENGINE support\n");
+    return(0);
+}
+#else
+#include <openssl/e_os2.h>
 #include <openssl/buffer.h>
 #include <openssl/crypto.h>
 #include <openssl/engine.h>
@@ -272,3 +280,4 @@ end:
         CRYPTO_mem_leaks_fp(stderr);
         return to_return;
         }
+#endif
diff --git a/src/lib/libcrypto/engine/hw_4758_cca.c b/src/lib/libcrypto/engine/hw_4758_cca.c
index 6d41b9ed2a..4f5ae8a46d 100644
--- a/src/lib/libcrypto/engine/hw_4758_cca.c
+++ b/src/lib/libcrypto/engine/hw_4758_cca.c
@@ -223,6 +223,7 @@ static int bind_helper(ENGINE *e)
         return 1;
         }
 
+#ifndef ENGINE_DYNAMIC_SUPPORT
 static ENGINE *engine_4758_cca(void)
         {
         ENGINE *ret = ENGINE_new();
@@ -244,6 +245,7 @@ void ENGINE_load_4758cca(void)
         ENGINE_free(e_4758);
         ERR_clear_error();   
         }
+#endif
 
 static int ibm_4758_cca_destroy(ENGINE *e)
         {
@@ -715,7 +717,7 @@ static int cca_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
 
         if (type == NID_sha1 || type == NID_md5)
                 {
-                memset(hashBuffer, 0, keyLength+1);
+                OPENSSL_cleanse(hashBuffer, keyLength+1);
                 OPENSSL_free(hashBuffer);
                 }
 
@@ -838,7 +840,7 @@ static int cca_rsa_sign(int type, const unsigned char *m, unsigned int m_len,
 
         if (type == NID_sha1 || type == NID_md5)
                 {
-                memset(hashBuffer, 0, keyLength+1);
+                OPENSSL_cleanse(hashBuffer, keyLength+1);
                 OPENSSL_free(hashBuffer);
                 }
 
diff --git a/src/lib/libcrypto/engine/hw_atalla.c b/src/lib/libcrypto/engine/hw_atalla.c
index 6151c46902..e9eff9fad1 100644
--- a/src/lib/libcrypto/engine/hw_atalla.c
+++ b/src/lib/libcrypto/engine/hw_atalla.c
@@ -242,6 +242,7 @@ static int bind_helper(ENGINE *e)
         return 1;
         }
 
+#ifndef ENGINE_DYNAMIC_SUPPORT
 static ENGINE *engine_atalla(void)
         {
         ENGINE *ret = ENGINE_new();
@@ -264,6 +265,7 @@ void ENGINE_load_atalla(void)
         ENGINE_free(toadd);
         ERR_clear_error();
         }
+#endif
 
 /* This is a process-global DSO handle used for loading and unloading
  * the Atalla library. NB: This is only set (or unset) during an
diff --git a/src/lib/libcrypto/engine/hw_cryptodev.c b/src/lib/libcrypto/engine/hw_cryptodev.c
index 034c7ca213..139119b80c 100644
--- a/src/lib/libcrypto/engine/hw_cryptodev.c
+++ b/src/lib/libcrypto/engine/hw_cryptodev.c
@@ -29,8 +29,32 @@
  *
  */
 
-#include <sys/types.h>
+#include <openssl/objects.h>
+#include <openssl/engine.h>
+#include <openssl/evp.h>
+
+#if (defined(__unix__) || defined(unix)) && !defined(USG)
 #include <sys/param.h>
+# if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041)
+# define HAVE_CRYPTODEV
+# endif
+# if (OpenBSD >= 200110)
+# define HAVE_SYSLOG_R
+# endif
+#endif
+
+#ifndef HAVE_CRYPTODEV
+
+void
+ENGINE_load_cryptodev(void)
+{
+        /* This is a NOP on platforms without /dev/crypto */
+        return;
+}
+
+#else 
+
+#include <sys/types.h>
 #include <crypto/cryptodev.h>
 #include <sys/ioctl.h>
 #include <errno.h>
@@ -39,9 +63,6 @@
 #include <fcntl.h>
 #include <stdarg.h>
 #include <syslog.h>
-#include <ssl/objects.h>
-#include <ssl/engine.h>
-#include <ssl/evp.h>
 #include <errno.h>
 #include <string.h>
 
@@ -101,10 +122,6 @@ static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p,
 void ENGINE_load_cryptodev(void);
 
 static const ENGINE_CMD_DEFN cryptodev_defns[] = {
-        {ENGINE_CMD_BASE,
-                "SO_PATH",
-                "Specifies the path to the some stupid shared library",
-                ENGINE_CMD_FLAG_STRING},
         { 0, NULL, NULL, 0 }
 };
 
@@ -1011,12 +1028,18 @@ static DH_METHOD cryptodev_dh = {
 static int
 cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
 {
+#ifdef HAVE_SYSLOG_R
         struct syslog_data sd = SYSLOG_DATA_INIT;
+#endif
 
         switch (cmd) {
         default:
+#ifdef HAVE_SYSLOG_R
                 syslog_r(LOG_ERR, &sd,
                     "cryptodev_ctrl: unknown command %d", cmd);
+#else
+                syslog(LOG_ERR, "cryptodev_ctrl: unknown command %d", cmd);
+#endif
                 break;
         }
         return (1);
@@ -1043,7 +1066,7 @@ ENGINE_load_cryptodev(void)
         close(fd);
 
         if (!ENGINE_set_id(engine, "cryptodev") ||
-            !ENGINE_set_name(engine, "OpenBSD cryptodev engine") ||
+            !ENGINE_set_name(engine, "BSD cryptodev engine") ||
             !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) ||
             !ENGINE_set_digests(engine, cryptodev_engine_digests) ||
             !ENGINE_set_ctrl_function(engine, cryptodev_ctrl) ||
@@ -1104,3 +1127,5 @@ ENGINE_load_cryptodev(void)
         ENGINE_free(engine);
         ERR_clear_error();
 }
+
+#endif /* HAVE_CRYPTODEV */
diff --git a/src/lib/libcrypto/engine/hw_cswift.c b/src/lib/libcrypto/engine/hw_cswift.c
index f5c897bdbb..f128ee5a68 100644
--- a/src/lib/libcrypto/engine/hw_cswift.c
+++ b/src/lib/libcrypto/engine/hw_cswift.c
@@ -121,6 +121,10 @@ static int cswift_mod_exp_dh(const DH *dh, BIGNUM *r,
                 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 #endif
 
+/* RAND stuff */
+static int cswift_rand_bytes(unsigned char *buf, int num);
+static int cswift_rand_status(void);
+
 /* The definitions for control commands specific to this engine */
 #define CSWIFT_CMD_SO_PATH              ENGINE_CMD_BASE
 static const ENGINE_CMD_DEFN cswift_cmd_defns[] = {
@@ -183,6 +187,18 @@ static DH_METHOD cswift_dh =
         };
 #endif
 
+static RAND_METHOD cswift_random =
+    {
+    /* "CryptoSwift RAND method", */
+    NULL,
+    cswift_rand_bytes,
+    NULL,
+    NULL,
+    cswift_rand_bytes,
+    cswift_rand_status,
+    };
+
+
 /* Constants used when creating the ENGINE */
 static const char *engine_cswift_id = "cswift";
 static const char *engine_cswift_name = "CryptoSwift hardware engine support";
@@ -208,6 +224,7 @@ static int bind_helper(ENGINE *e)
 #ifndef OPENSSL_NO_DH
                         !ENGINE_set_DH(e, &cswift_dh) ||
 #endif
+                        !ENGINE_set_RAND(e, &cswift_random) ||
                         !ENGINE_set_destroy_function(e, cswift_destroy) ||
                         !ENGINE_set_init_function(e, cswift_init) ||
                         !ENGINE_set_finish_function(e, cswift_finish) ||
@@ -242,6 +259,7 @@ static int bind_helper(ENGINE *e)
         return 1;
         }
 
+#ifndef ENGINE_DYNAMIC_SUPPORT
 static ENGINE *engine_cswift(void)
         {
         ENGINE *ret = ENGINE_new();
@@ -264,6 +282,7 @@ void ENGINE_load_cswift(void)
         ENGINE_free(toadd);
         ERR_clear_error();
         }
+#endif
 
 /* This is a process-global DSO handle used for loading and unloading
  * the CryptoSwift library. NB: This is only set (or unset) during an
@@ -905,6 +924,60 @@ static int cswift_mod_exp_dh(const DH *dh, BIGNUM *r,
         }
 #endif
 
+/* Random bytes are good */
+static int cswift_rand_bytes(unsigned char *buf, int num)
+{
+        SW_CONTEXT_HANDLE hac;
+        SW_STATUS swrc;
+        SW_LARGENUMBER largenum;
+        size_t nbytes = 0;
+        int acquired = 0;
+        int to_return = 0; /* assume failure */
+
+        if (!get_context(&hac))
+        {
+                CSWIFTerr(CSWIFT_F_CSWIFT_CTRL, CSWIFT_R_UNIT_FAILURE);
+                goto err;
+        }
+        acquired = 1;
+
+        while (nbytes < (size_t)num)
+        {
+                /* tell CryptoSwift how many bytes we want and where we want it.
+                 * Note: - CryptoSwift cannot do more than 4096 bytes at a time.
+                 *       - CryptoSwift can only do multiple of 32-bits. */
+                largenum.value = (SW_BYTE *) buf + nbytes;
+                if (4096 > num - nbytes)
+                        largenum.nbytes = num - nbytes;
+                else
+                        largenum.nbytes = 4096;
+
+                swrc = p_CSwift_SimpleRequest(hac, SW_CMD_RAND, NULL, 0, &largenum, 1);
+                if (swrc != SW_OK)
+                {
+                        char tmpbuf[20];
+                        CSWIFTerr(CSWIFT_F_CSWIFT_CTRL, CSWIFT_R_REQUEST_FAILED);
+                        sprintf(tmpbuf, "%ld", swrc);
+                        ERR_add_error_data(2, "CryptoSwift error number is ", tmpbuf);
+                        goto err;
+                }
+
+                nbytes += largenum.nbytes;
+        }
+        to_return = 1;  /* success */
+
+err:
+        if (acquired)
+                release_context(hac);
+        return to_return;
+}
+
+static int cswift_rand_status(void)
+{
+        return 1;
+}
+
+
 /* This stuff is needed if this ENGINE is being compiled into a self-contained
  * shared-library. */
 #ifdef ENGINE_DYNAMIC_SUPPORT
diff --git a/src/lib/libcrypto/engine/hw_ncipher.c b/src/lib/libcrypto/engine/hw_ncipher.c
index a43d4360f2..0d1c6b8df0 100644
--- a/src/lib/libcrypto/engine/hw_ncipher.c
+++ b/src/lib/libcrypto/engine/hw_ncipher.c
@@ -91,11 +91,19 @@ static int hwcrhk_init(ENGINE *e);
 static int hwcrhk_finish(ENGINE *e);
 static int hwcrhk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()); 
 
-/* Functions to handle mutexes */
+/* Functions to handle mutexes if have dynamic locks */
 static int hwcrhk_mutex_init(HWCryptoHook_Mutex*, HWCryptoHook_CallerContext*);
 static int hwcrhk_mutex_lock(HWCryptoHook_Mutex*);
 static void hwcrhk_mutex_unlock(HWCryptoHook_Mutex*);
 static void hwcrhk_mutex_destroy(HWCryptoHook_Mutex*);
+#if 1 /* This is a HACK which will disappear in 0.9.8 */
+/* Functions to handle mutexes if only have static locks */
+static int hwcrhk_static_mutex_init(HWCryptoHook_Mutex *m,
+                                    HWCryptoHook_CallerContext *c);
+static int hwcrhk_static_mutex_lock(HWCryptoHook_Mutex *m);
+static void hwcrhk_static_mutex_unlock(HWCryptoHook_Mutex *m);
+static void hwcrhk_static_mutex_destroy(HWCryptoHook_Mutex *m);
+#endif
 
 /* BIGNUM stuff */
 static int hwcrhk_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
@@ -373,6 +381,7 @@ static int bind_helper(ENGINE *e)
         return 1;
         }
 
+#ifndef ENGINE_DYNAMIC_SUPPORT
 static ENGINE *engine_ncipher(void)
         {
         ENGINE *ret = ENGINE_new();
@@ -395,6 +404,7 @@ void ENGINE_load_chil(void)
         ENGINE_free(toadd);
         ERR_clear_error();
         }
+#endif
 
 /* This is a process-global DSO handle used for loading and unloading
  * the HWCryptoHook library. NB: This is only set (or unset) during an
@@ -558,15 +568,31 @@ static int hwcrhk_init(ENGINE *e)
 
         /* Check if the application decided to support dynamic locks,
            and if it does, use them. */
-        if (disable_mutex_callbacks == 0 &&
-                CRYPTO_get_dynlock_create_callback() != NULL &&
-                CRYPTO_get_dynlock_lock_callback() != NULL &&
-                CRYPTO_get_dynlock_destroy_callback() != NULL)
+        if (disable_mutex_callbacks == 0)
                 {
-                hwcrhk_globals.mutex_init = hwcrhk_mutex_init;
-                hwcrhk_globals.mutex_acquire = hwcrhk_mutex_lock;
-                hwcrhk_globals.mutex_release = hwcrhk_mutex_unlock;
-                hwcrhk_globals.mutex_destroy = hwcrhk_mutex_destroy;
+                if (CRYPTO_get_dynlock_create_callback() != NULL &&
+                        CRYPTO_get_dynlock_lock_callback() != NULL &&
+                        CRYPTO_get_dynlock_destroy_callback() != NULL)
+                        {
+                        hwcrhk_globals.mutex_init = hwcrhk_mutex_init;
+                        hwcrhk_globals.mutex_acquire = hwcrhk_mutex_lock;
+                        hwcrhk_globals.mutex_release = hwcrhk_mutex_unlock;
+                        hwcrhk_globals.mutex_destroy = hwcrhk_mutex_destroy;
+                        }
+                else if (CRYPTO_get_locking_callback() != NULL)
+                        {
+                        HWCRHKerr(HWCRHK_F_HWCRHK_INIT,HWCRHK_R_DYNAMIC_LOCKING_MISSING);
+                        ERR_add_error_data(1,"You HAVE to add dynamic locking callbacks via CRYPTO_set_dynlock_{create,lock,destroy}_callback()");
+#if 1 /* This is a HACK which will disappear in 0.9.8 */
+                        hwcrhk_globals.maxmutexes    = 1; /* Only have one lock */
+                        hwcrhk_globals.mutex_init    = hwcrhk_static_mutex_init;
+                        hwcrhk_globals.mutex_acquire = hwcrhk_static_mutex_lock;
+                        hwcrhk_globals.mutex_release = hwcrhk_static_mutex_unlock;
+                        hwcrhk_globals.mutex_destroy = hwcrhk_static_mutex_destroy;
+#else
+                        goto err;
+#endif
+                        }
                 }
 
         /* Try and get a context - if not, we may have a DSO but no
@@ -1020,7 +1046,7 @@ static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa)
 
                 /* Perform the operation */
                 ret = p_hwcrhk_ModExpCRT(hwcrhk_context, m_a, m_p, m_q,
-                        m_dmp1, m_dmq1, m_iqmp, &m_r, NULL);
+                        m_dmp1, m_dmq1, m_iqmp, &m_r, &rmsg);
 
                 /* Convert the response */
                 r->top = m_r.size / sizeof(BN_ULONG);
@@ -1171,6 +1197,26 @@ static void hwcrhk_mutex_destroy(HWCryptoHook_Mutex *mt)
         CRYPTO_destroy_dynlockid(mt->lockid);
         }
 
+/* Mutex upcalls to use if the application does not support dynamic locks */
+
+static int hwcrhk_static_mutex_init(HWCryptoHook_Mutex *m,
+        HWCryptoHook_CallerContext *c)
+        {
+        return 0;
+        }
+static int hwcrhk_static_mutex_lock(HWCryptoHook_Mutex *m)
+        {
+        CRYPTO_w_lock(CRYPTO_LOCK_HWCRHK);
+        return 0;
+        }
+static void hwcrhk_static_mutex_unlock(HWCryptoHook_Mutex *m)
+        {
+        CRYPTO_w_unlock(CRYPTO_LOCK_HWCRHK);
+        }
+static void hwcrhk_static_mutex_destroy(HWCryptoHook_Mutex *m)
+        {
+        }
+
 static int hwcrhk_get_pass(const char *prompt_info,
         int *len_io, char *buf,
         HWCryptoHook_PassphraseContext *ppctx,
@@ -1318,7 +1364,7 @@ static void hwcrhk_log_message(void *logstr, const char *message)
                 lstream=*(BIO **)logstr;
         if (lstream)
                 {
-                BIO_write(lstream, message, strlen(message));
+                BIO_printf(lstream, "%s\n", message);
                 }
         CRYPTO_w_unlock(CRYPTO_LOCK_BIO);
         }
diff --git a/src/lib/libcrypto/engine/hw_ncipher_err.c b/src/lib/libcrypto/engine/hw_ncipher_err.c
index 24024cfc6f..5bc94581b7 100644
--- a/src/lib/libcrypto/engine/hw_ncipher_err.c
+++ b/src/lib/libcrypto/engine/hw_ncipher_err.c
@@ -1,6 +1,6 @@
 /* hw_ncipher_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -86,6 +86,7 @@ static ERR_STRING_DATA HWCRHK_str_reasons[]=
 {HWCRHK_R_CHIL_ERROR                     ,"chil error"},
 {HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED   ,"ctrl command not implemented"},
 {HWCRHK_R_DSO_FAILURE                    ,"dso failure"},
+{HWCRHK_R_DYNAMIC_LOCKING_MISSING        ,"dynamic locking missing"},
 {HWCRHK_R_MISSING_KEY_COMPONENTS         ,"missing key components"},
 {HWCRHK_R_NOT_INITIALISED                ,"not initialised"},
 {HWCRHK_R_NOT_LOADED                     ,"not loaded"},
diff --git a/src/lib/libcrypto/engine/hw_ncipher_err.h b/src/lib/libcrypto/engine/hw_ncipher_err.h
index 4d65b1d470..d232d02319 100644
--- a/src/lib/libcrypto/engine/hw_ncipher_err.h
+++ b/src/lib/libcrypto/engine/hw_ncipher_err.h
@@ -84,6 +84,7 @@ static void ERR_HWCRHK_error(int function, int reason, char *file, int line);
 #define HWCRHK_R_CHIL_ERROR                              102
 #define HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED            103
 #define HWCRHK_R_DSO_FAILURE                             104
+#define HWCRHK_R_DYNAMIC_LOCKING_MISSING                 114
 #define HWCRHK_R_MISSING_KEY_COMPONENTS                  105
 #define HWCRHK_R_NOT_INITIALISED                         106
 #define HWCRHK_R_NOT_LOADED                              107
diff --git a/src/lib/libcrypto/engine/hw_nuron.c b/src/lib/libcrypto/engine/hw_nuron.c
index 130b6d8b40..fb9188bfe5 100644
--- a/src/lib/libcrypto/engine/hw_nuron.c
+++ b/src/lib/libcrypto/engine/hw_nuron.c
@@ -374,6 +374,7 @@ static int bind_helper(ENGINE *e)
         return 1;
         }
 
+#ifndef ENGINE_DYNAMIC_SUPPORT
 static ENGINE *engine_nuron(void)
         {
         ENGINE *ret = ENGINE_new();
@@ -396,6 +397,7 @@ void ENGINE_load_nuron(void)
         ENGINE_free(toadd);
         ERR_clear_error();
         }
+#endif
 
 /* This stuff is needed if this ENGINE is being compiled into a self-contained
  * shared-library. */      
diff --git a/src/lib/libcrypto/engine/hw_ubsec.c b/src/lib/libcrypto/engine/hw_ubsec.c
index ed8401ec16..6286dd851c 100644
--- a/src/lib/libcrypto/engine/hw_ubsec.c
+++ b/src/lib/libcrypto/engine/hw_ubsec.c
@@ -242,6 +242,7 @@ static int bind_helper(ENGINE *e)
         return 1;
         }
 
+#ifndef ENGINE_DYNAMIC_SUPPORT
 static ENGINE *engine_ubsec(void)
         {
         ENGINE *ret = ENGINE_new();
@@ -264,6 +265,7 @@ void ENGINE_load_ubsec(void)
         ENGINE_free(toadd);
         ERR_clear_error();
         }
+#endif
 
 /* This is a process-global DSO handle used for loading and unloading
  * the UBSEC library. NB: This is only set (or unset) during an
diff --git a/src/lib/libcrypto/engine/tb_cipher.c b/src/lib/libcrypto/engine/tb_cipher.c
index c5a50fc910..50b3cec1fa 100644
--- a/src/lib/libcrypto/engine/tb_cipher.c
+++ b/src/lib/libcrypto/engine/tb_cipher.c
@@ -81,7 +81,7 @@ int ENGINE_register_ciphers(ENGINE *e)
                 int num_nids = e->ciphers(e, NULL, &nids, 0);
                 if(num_nids > 0)
                         return engine_table_register(&cipher_table,
-                                        &engine_unregister_all_ciphers, e, nids,
+                                        engine_unregister_all_ciphers, e, nids,
                                         num_nids, 0);
                 }
         return 1;
@@ -103,7 +103,7 @@ int ENGINE_set_default_ciphers(ENGINE *e)
                 int num_nids = e->ciphers(e, NULL, &nids, 0);
                 if(num_nids > 0)
                         return engine_table_register(&cipher_table,
-                                        &engine_unregister_all_ciphers, e, nids,
+                                        engine_unregister_all_ciphers, e, nids,
                                         num_nids, 1);
                 }
         return 1;
diff --git a/src/lib/libcrypto/engine/tb_dh.c b/src/lib/libcrypto/engine/tb_dh.c
index c9347235ea..e290e1702b 100644
--- a/src/lib/libcrypto/engine/tb_dh.c
+++ b/src/lib/libcrypto/engine/tb_dh.c
@@ -78,7 +78,7 @@ int ENGINE_register_DH(ENGINE *e)
         {
         if(e->dh_meth)
                 return engine_table_register(&dh_table,
-                                &engine_unregister_all_DH, e, &dummy_nid, 1, 0);
+                                engine_unregister_all_DH, e, &dummy_nid, 1, 0);
         return 1;
         }
 
@@ -94,7 +94,7 @@ int ENGINE_set_default_DH(ENGINE *e)
         {
         if(e->dh_meth)
                 return engine_table_register(&dh_table,
-                                &engine_unregister_all_DH, e, &dummy_nid, 1, 1);
+                                engine_unregister_all_DH, e, &dummy_nid, 1, 1);
         return 1;
         }
 
diff --git a/src/lib/libcrypto/engine/tb_digest.c b/src/lib/libcrypto/engine/tb_digest.c
index 2c4dd6f796..e82d2a17c9 100644
--- a/src/lib/libcrypto/engine/tb_digest.c
+++ b/src/lib/libcrypto/engine/tb_digest.c
@@ -81,7 +81,7 @@ int ENGINE_register_digests(ENGINE *e)
                 int num_nids = e->digests(e, NULL, &nids, 0);
                 if(num_nids > 0)
                         return engine_table_register(&digest_table,
-                                        &engine_unregister_all_digests, e, nids,
+                                        engine_unregister_all_digests, e, nids,
                                         num_nids, 0);
                 }
         return 1;
@@ -103,7 +103,7 @@ int ENGINE_set_default_digests(ENGINE *e)
                 int num_nids = e->digests(e, NULL, &nids, 0);
                 if(num_nids > 0)
                         return engine_table_register(&digest_table,
-                                        &engine_unregister_all_digests, e, nids,
+                                        engine_unregister_all_digests, e, nids,
                                         num_nids, 1);
                 }
         return 1;
diff --git a/src/lib/libcrypto/engine/tb_dsa.c b/src/lib/libcrypto/engine/tb_dsa.c
index e9209476b8..80170591f2 100644
--- a/src/lib/libcrypto/engine/tb_dsa.c
+++ b/src/lib/libcrypto/engine/tb_dsa.c
@@ -78,7 +78,7 @@ int ENGINE_register_DSA(ENGINE *e)
         {
         if(e->dsa_meth)
                 return engine_table_register(&dsa_table,
-                                &engine_unregister_all_DSA, e, &dummy_nid, 1, 0);
+                                engine_unregister_all_DSA, e, &dummy_nid, 1, 0);
         return 1;
         }
 
@@ -94,7 +94,7 @@ int ENGINE_set_default_DSA(ENGINE *e)
         {
         if(e->dsa_meth)
                 return engine_table_register(&dsa_table,
-                                &engine_unregister_all_DSA, e, &dummy_nid, 1, 0);
+                                engine_unregister_all_DSA, e, &dummy_nid, 1, 0);
         return 1;
         }
 
diff --git a/src/lib/libcrypto/engine/tb_rand.c b/src/lib/libcrypto/engine/tb_rand.c
index 0b1d031f1e..69b67111bc 100644
--- a/src/lib/libcrypto/engine/tb_rand.c
+++ b/src/lib/libcrypto/engine/tb_rand.c
@@ -78,7 +78,7 @@ int ENGINE_register_RAND(ENGINE *e)
         {
         if(e->rand_meth)
                 return engine_table_register(&rand_table,
-                                &engine_unregister_all_RAND, e, &dummy_nid, 1, 0);
+                                engine_unregister_all_RAND, e, &dummy_nid, 1, 0);
         return 1;
         }
 
@@ -94,7 +94,7 @@ int ENGINE_set_default_RAND(ENGINE *e)
         {
         if(e->rand_meth)
                 return engine_table_register(&rand_table,
-                                &engine_unregister_all_RAND, e, &dummy_nid, 1, 1);
+                                engine_unregister_all_RAND, e, &dummy_nid, 1, 1);
         return 1;
         }
 
diff --git a/src/lib/libcrypto/engine/tb_rsa.c b/src/lib/libcrypto/engine/tb_rsa.c
index f84fea3968..fee4867f52 100644
--- a/src/lib/libcrypto/engine/tb_rsa.c
+++ b/src/lib/libcrypto/engine/tb_rsa.c
@@ -78,7 +78,7 @@ int ENGINE_register_RSA(ENGINE *e)
         {
         if(e->rsa_meth)
                 return engine_table_register(&rsa_table,
-                                &engine_unregister_all_RSA, e, &dummy_nid, 1, 0);
+                                engine_unregister_all_RSA, e, &dummy_nid, 1, 0);
         return 1;
         }
 
@@ -94,7 +94,7 @@ int ENGINE_set_default_RSA(ENGINE *e)
         {
         if(e->rsa_meth)
                 return engine_table_register(&rsa_table,
-                                &engine_unregister_all_RSA, e, &dummy_nid, 1, 1);
+                                engine_unregister_all_RSA, e, &dummy_nid, 1, 1);
         return 1;
         }
 
diff --git a/src/lib/libcrypto/err/Makefile.ssl b/src/lib/libcrypto/err/Makefile.ssl
index f0c95e2ef2..b253061d07 100644
--- a/src/lib/libcrypto/err/Makefile.ssl
+++ b/src/lib/libcrypto/err/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/err/err.c b/src/lib/libcrypto/err/err.c
index 9b532d1f4c..a4f4a260af 100644
--- a/src/lib/libcrypto/err/err.c
+++ b/src/lib/libcrypto/err/err.c
@@ -211,6 +211,7 @@ static ERR_STRING_DATA ERR_str_reasons[]=
 
 {0,NULL},
         };
+#endif
 
 
 /* Define the predeclared (but externally opaque) "ERR_FNS" type */
@@ -491,6 +492,7 @@ static int int_err_get_next_lib(void)
         }
 
 
+#ifndef OPENSSL_NO_ERR
 #define NUM_SYS_STR_REASONS 127
 #define LEN_SYS_STR_REASON 32
 
diff --git a/src/lib/libcrypto/err/err_all.c b/src/lib/libcrypto/err/err_all.c
index 90029fd159..dc505d9d9d 100644
--- a/src/lib/libcrypto/err/err_all.c
+++ b/src/lib/libcrypto/err/err_all.c
@@ -82,7 +82,9 @@
 #include <openssl/pkcs12.h>
 #include <openssl/rand.h>
 #include <openssl/dso.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
 
@@ -122,7 +124,9 @@ void ERR_load_crypto_strings(void)
         ERR_load_PKCS12_strings();
         ERR_load_RAND_strings();
         ERR_load_DSO_strings();
+#ifndef OPENSSL_NO_ENGINE
         ERR_load_ENGINE_strings();
+#endif
         ERR_load_OCSP_strings();
         ERR_load_UI_strings();
 #endif
diff --git a/src/lib/libcrypto/err/err_prn.c b/src/lib/libcrypto/err/err_prn.c
index c156663f0e..81e34bd6ce 100644
--- a/src/lib/libcrypto/err/err_prn.c
+++ b/src/lib/libcrypto/err/err_prn.c
@@ -62,7 +62,6 @@
 #include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/err.h>
-#include <openssl/crypto.h>
 
 void ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u),
                          void *u)
diff --git a/src/lib/libcrypto/evp/Makefile.ssl b/src/lib/libcrypto/evp/Makefile.ssl
index 58843f61a9..b4172406ae 100644
--- a/src/lib/libcrypto/evp/Makefile.ssl
+++ b/src/lib/libcrypto/evp/Makefile.ssl
@@ -70,7 +70,7 @@ links:
         @sh $(TOP)/util/point.sh Makefile.ssl Makefile
         @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
         @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
-        @$(PERL) $(TOP)/util/mklink.pl ../../test $(TESTDATA)
+        cp $(TESTDATA) ../../test
         @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
@@ -89,7 +89,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -496,21 +496,19 @@ evp_acnf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 evp_acnf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 evp_acnf.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 evp_acnf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-evp_acnf.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-evp_acnf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-evp_acnf.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-evp_acnf.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-evp_acnf.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-evp_acnf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-evp_acnf.o: ../../include/openssl/opensslconf.h
+evp_acnf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+evp_acnf.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+evp_acnf.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+evp_acnf.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+evp_acnf.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+evp_acnf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 evp_acnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-evp_acnf.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-evp_acnf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-evp_acnf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-evp_acnf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-evp_acnf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-evp_acnf.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-evp_acnf.o: ../cryptlib.h evp_acnf.c
+evp_acnf.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+evp_acnf.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+evp_acnf.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+evp_acnf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+evp_acnf.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+evp_acnf.o: ../../include/openssl/ui_compat.h ../cryptlib.h evp_acnf.c
 evp_enc.o: ../../e_os.h ../../include/openssl/aes.h
 evp_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 evp_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
diff --git a/src/lib/libcrypto/evp/bio_b64.c b/src/lib/libcrypto/evp/bio_b64.c
index f12eac1b55..6e550f6a43 100644
--- a/src/lib/libcrypto/evp/bio_b64.c
+++ b/src/lib/libcrypto/evp/bio_b64.c
@@ -165,6 +165,7 @@ static int b64_read(BIO *b, char *out, int outl)
                 {
                 i=ctx->buf_len-ctx->buf_off;
                 if (i > outl) i=outl;
+                OPENSSL_assert(ctx->buf_off+i < sizeof ctx->buf);
                 memcpy(out,&(ctx->buf[ctx->buf_off]),i);
                 ret=i;
                 out+=i;
diff --git a/src/lib/libcrypto/evp/bio_enc.c b/src/lib/libcrypto/evp/bio_enc.c
index 64fb2353af..ab81851503 100644
--- a/src/lib/libcrypto/evp/bio_enc.c
+++ b/src/lib/libcrypto/evp/bio_enc.c
@@ -132,7 +132,7 @@ static int enc_free(BIO *a)
         if (a == NULL) return(0);
         b=(BIO_ENC_CTX *)a->ptr;
         EVP_CIPHER_CTX_cleanup(&(b->cipher));
-        memset(a->ptr,0,sizeof(BIO_ENC_CTX));
+        OPENSSL_cleanse(a->ptr,sizeof(BIO_ENC_CTX));
         OPENSSL_free(a->ptr);
         a->ptr=NULL;
         a->init=0;
@@ -271,7 +271,7 @@ static int enc_write(BIO *b, const char *in, int inl)
                         if (i <= 0)
                                 {
                                 BIO_copy_next_retry(b);
-                                return(i);
+                                return (ret == inl) ? i : ret - inl;
                                 }
                         n-=i;
                         ctx->buf_off+=i;
@@ -325,10 +325,7 @@ again:
                         {
                         i=enc_write(b,NULL,0);
                         if (i < 0)
-                                {
-                                ret=i;
-                                break;
-                                }
+                                return i;
                         }
 
                 if (!ctx->finished)
diff --git a/src/lib/libcrypto/evp/bio_ok.c b/src/lib/libcrypto/evp/bio_ok.c
index d2be03be82..4e3f10141b 100644
--- a/src/lib/libcrypto/evp/bio_ok.c
+++ b/src/lib/libcrypto/evp/bio_ok.c
@@ -211,7 +211,7 @@ static int ok_free(BIO *a)
         {
         if (a == NULL) return(0);
         EVP_MD_CTX_cleanup(&((BIO_OK_CTX *)a->ptr)->md);
-        memset(a->ptr,0,sizeof(BIO_OK_CTX));
+        OPENSSL_cleanse(a->ptr,sizeof(BIO_OK_CTX));
         OPENSSL_free(a->ptr);
         a->ptr=NULL;
         a->init=0;
diff --git a/src/lib/libcrypto/evp/c_all.c b/src/lib/libcrypto/evp/c_all.c
index 3d59812e20..1b31a14e37 100644
--- a/src/lib/libcrypto/evp/c_all.c
+++ b/src/lib/libcrypto/evp/c_all.c
@@ -73,5 +73,9 @@ void OPENSSL_add_all_algorithms_noconf(void)
         {
         OpenSSL_add_all_ciphers();
         OpenSSL_add_all_digests();
-        ENGINE_setup_openbsd();
+#ifndef OPENSSL_NO_ENGINE
+# if defined(__OpenBSD__) || defined(__FreeBSD__)
+        ENGINE_setup_bsd_cryptodev();
+# endif
+#endif
         }
diff --git a/src/lib/libcrypto/evp/digest.c b/src/lib/libcrypto/evp/digest.c
index a969ac69ed..b22eed4421 100644
--- a/src/lib/libcrypto/evp/digest.c
+++ b/src/lib/libcrypto/evp/digest.c
@@ -113,7 +113,9 @@
 #include "cryptlib.h"
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 
 void EVP_MD_CTX_init(EVP_MD_CTX *ctx)
         {
@@ -138,6 +140,7 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
 int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
         {
         EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
+#ifndef OPENSSL_NO_ENGINE
         /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
          * so this context may already have an ENGINE! Try to avoid releasing
          * the previous handle, re-querying for an ENGINE, and having a
@@ -183,11 +186,13 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
                 else
                         ctx->engine = NULL;
                 }
-        else if(!ctx->digest)
+        else
+        if(!ctx->digest)
                 {
                 EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_NO_DIGEST_SET);
                 return 0;
                 }
+#endif
         if (ctx->digest != type)
                 {
                 if (ctx->digest && ctx->digest->ctx_size)
@@ -196,7 +201,9 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
                 if (type->ctx_size)
                         ctx->md_data=OPENSSL_malloc(type->ctx_size);
                 }
+#ifndef OPENSSL_NO_ENGINE
 skip_to_init:
+#endif
         return ctx->digest->init(ctx);
         }
 
@@ -219,6 +226,8 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
 int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
         {
         int ret;
+
+        OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
         ret=ctx->digest->final(ctx,md);
         if (size != NULL)
                 *size=ctx->digest->md_size;
@@ -244,12 +253,14 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
                 EVPerr(EVP_F_EVP_MD_CTX_COPY,EVP_R_INPUT_NOT_INITIALIZED);
                 return 0;
                 }
+#ifndef OPENSSL_NO_ENGINE
         /* Make sure it's safe to copy a digest context using an ENGINE */
         if (in->engine && !ENGINE_init(in->engine))
                 {
                 EVPerr(EVP_F_EVP_MD_CTX_COPY,ERR_R_ENGINE_LIB);
                 return 0;
                 }
+#endif
 
         EVP_MD_CTX_cleanup(out);
         memcpy(out,in,sizeof *out);
@@ -299,13 +310,15 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
                 ctx->digest->cleanup(ctx);
         if (ctx->digest && ctx->digest->ctx_size && ctx->md_data)
                 {
-                memset(ctx->md_data,0,ctx->digest->ctx_size);
+                OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size);
                 OPENSSL_free(ctx->md_data);
                 }
+#ifndef OPENSSL_NO_ENGINE
         if(ctx->engine)
                 /* The EVP_MD we used belongs to an ENGINE, release the
                  * functional reference we held for this reason. */
                 ENGINE_finish(ctx->engine);
+#endif
         memset(ctx,'\0',sizeof *ctx);
 
         return 1;
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index c323fa2892..fe8bcda631 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -52,7 +52,6 @@
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #include <string.h>
-#include <assert.h>
 #include <openssl/aes.h>
 #include "evp_locl.h"
 
diff --git a/src/lib/libcrypto/evp/e_idea.c b/src/lib/libcrypto/evp/e_idea.c
index ed838d3e62..b9efa75ae7 100644
--- a/src/lib/libcrypto/evp/e_idea.c
+++ b/src/lib/libcrypto/evp/e_idea.c
@@ -109,7 +109,7 @@ static int idea_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 
                 idea_set_encrypt_key(key,&tmp);
                 idea_set_decrypt_key(&tmp,ctx->cipher_data);
-                memset((unsigned char *)&tmp,0,
+                OPENSSL_cleanse((unsigned char *)&tmp,
                                 sizeof(IDEA_KEY_SCHEDULE));
                 }
         return 1;
diff --git a/src/lib/libcrypto/evp/e_rc2.c b/src/lib/libcrypto/evp/e_rc2.c
index 4685198e2e..d42cbfd17e 100644
--- a/src/lib/libcrypto/evp/e_rc2.c
+++ b/src/lib/libcrypto/evp/e_rc2.c
@@ -174,6 +174,7 @@ static int rc2_get_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
         if (type != NULL)
                 {
                 l=EVP_CIPHER_CTX_iv_length(c);
+                OPENSSL_assert(l <= sizeof iv);
                 i=ASN1_TYPE_get_int_octetstring(type,&num,iv,l);
                 if (i != l)
                         return(-1);
diff --git a/src/lib/libcrypto/evp/e_rc4.c b/src/lib/libcrypto/evp/e_rc4.c
index 4064cc5fa0..d58f507837 100644
--- a/src/lib/libcrypto/evp/e_rc4.c
+++ b/src/lib/libcrypto/evp/e_rc4.c
@@ -69,8 +69,6 @@
 
 typedef struct
     {
-    /* FIXME: what is the key for? */
-    unsigned char key[EVP_RC4_KEY_SIZE];
     RC4_KEY ks; /* working key */
     } EVP_RC4_KEY;
 
@@ -121,9 +119,8 @@ const EVP_CIPHER *EVP_rc4_40(void)
 static int rc4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                         const unsigned char *iv, int enc)
         {
-        memcpy(&data(ctx)->key[0],key,EVP_CIPHER_CTX_key_length(ctx));
         RC4_set_key(&data(ctx)->ks,EVP_CIPHER_CTX_key_length(ctx),
-                data(ctx)->key);
+                    key);
         return 1;
         }
 
diff --git a/src/lib/libcrypto/evp/encode.c b/src/lib/libcrypto/evp/encode.c
index 12c6379df1..08209357ce 100644
--- a/src/lib/libcrypto/evp/encode.c
+++ b/src/lib/libcrypto/evp/encode.c
@@ -136,6 +136,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
 
         *outl=0;
         if (inl == 0) return;
+        OPENSSL_assert(ctx->length <= sizeof ctx->enc_data);
         if ((ctx->num+inl) < ctx->length)
                 {
                 memcpy(&(ctx->enc_data[ctx->num]),in,inl);
@@ -258,6 +259,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
                 /* only save the good data :-) */
                 if (!B64_NOT_BASE64(v))
                         {
+                        OPENSSL_assert(n < sizeof ctx->enc_data);
                         d[n++]=tmp;
                         ln++;
                         }
diff --git a/src/lib/libcrypto/evp/evp_acnf.c b/src/lib/libcrypto/evp/evp_acnf.c
index a68b979bdb..ff3e311cc5 100644
--- a/src/lib/libcrypto/evp/evp_acnf.c
+++ b/src/lib/libcrypto/evp/evp_acnf.c
@@ -59,7 +59,6 @@
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/conf.h>
-#include <openssl/engine.h>
 
 
 /* Load all algorithms and configure OpenSSL.
diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c
index 32a1c7a2e9..be0758a879 100644
--- a/src/lib/libcrypto/evp/evp_enc.c
+++ b/src/lib/libcrypto/evp/evp_enc.c
@@ -60,11 +60,11 @@
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/err.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 #include "evp_locl.h"
 
-#include <assert.h>
-
 const char *EVP_version="EVP" OPENSSL_VERSION_PTEXT;
 
 void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
@@ -93,6 +93,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
                         enc = 1;
                 ctx->encrypt = enc;
                 }
+#ifndef OPENSSL_NO_ENGINE
         /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
          * so this context may already have an ENGINE! Try to avoid releasing
          * the previous handle, re-querying for an ENGINE, and having a
@@ -100,6 +101,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
         if (ctx->engine && ctx->cipher && (!cipher ||
                         (cipher && (cipher->nid == ctx->cipher->nid))))
                 goto skip_to_init;
+#endif
         if (cipher)
                 {
                 /* Ensure a context left lying around from last time is cleared
@@ -109,6 +111,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
 
                 /* Restore encrypt field: it is zeroed by cleanup */
                 ctx->encrypt = enc;
+#ifndef OPENSSL_NO_ENGINE
                 if(impl)
                         {
                         if (!ENGINE_init(impl))
@@ -142,6 +145,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
                         }
                 else
                         ctx->engine = NULL;
+#endif
 
                 ctx->cipher=cipher;
                 ctx->cipher_data=OPENSSL_malloc(ctx->cipher->ctx_size);
@@ -161,11 +165,13 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
                 EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_NO_CIPHER_SET);
                 return 0;
                 }
+#ifndef OPENSSL_NO_ENGINE
 skip_to_init:
+#endif
         /* we assume block size is a power of 2 in *cryptUpdate */
-        assert(ctx->cipher->block_size == 1
-               || ctx->cipher->block_size == 8
-               || ctx->cipher->block_size == 16);
+        OPENSSL_assert(ctx->cipher->block_size == 1
+            || ctx->cipher->block_size == 8
+            || ctx->cipher->block_size == 16);
 
         if(!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) {
                 switch(EVP_CIPHER_CTX_mode(ctx)) {
@@ -181,6 +187,7 @@ skip_to_init:
 
                         case EVP_CIPH_CBC_MODE:
 
+                        OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) <= sizeof ctx->iv);
                         if(iv) memcpy(ctx->oiv, iv, EVP_CIPHER_CTX_iv_length(ctx));
                         memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx));
                         break;
@@ -237,7 +244,7 @@ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *imp
 int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
              const unsigned char *key, const unsigned char *iv)
         {
-        return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0);
+        return EVP_CipherInit(ctx, cipher, key, iv, 0);
         }
 
 int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl,
@@ -251,6 +258,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
         {
         int i,j,bl;
 
+        OPENSSL_assert(inl > 0);
         if(ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0)
                 {
                 if(ctx->cipher->do_cipher(ctx,out,in,inl))
@@ -266,6 +274,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
                 }
         i=ctx->buf_len;
         bl=ctx->cipher->block_size;
+        OPENSSL_assert(bl <= sizeof ctx->buf);
         if (i != 0)
                 {
                 if (i+inl < bl)
@@ -314,6 +323,7 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
         int i,n,b,bl,ret;
 
         b=ctx->cipher->block_size;
+        OPENSSL_assert(b <= sizeof ctx->buf);
         if (b == 1)
                 {
                 *outl=0;
@@ -358,6 +368,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
                 return EVP_EncryptUpdate(ctx, out, outl, in, inl);
 
         b=ctx->cipher->block_size;
+        OPENSSL_assert(b <= sizeof ctx->final);
 
         if(ctx->final_used)
                 {
@@ -420,6 +431,7 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
                         EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_WRONG_FINAL_BLOCK_LENGTH);
                         return(0);
                         }
+                OPENSSL_assert(b <= sizeof ctx->final);
                 n=ctx->final[b-1];
                 if (n > b)
                         {
@@ -450,16 +462,18 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
                 {
                 if(c->cipher->cleanup && !c->cipher->cleanup(c))
                         return 0;
-                /* Zero cipher context data */
+                /* Cleanse cipher context data */
                 if (c->cipher_data)
-                        memset(c->cipher_data, 0, c->cipher->ctx_size);
+                        OPENSSL_cleanse(c->cipher_data, c->cipher->ctx_size);
                 }
         if (c->cipher_data)
                 OPENSSL_free(c->cipher_data);
+#ifndef OPENSSL_NO_ENGINE
         if (c->engine)
                 /* The EVP_CIPHER we used belongs to an ENGINE, release the
                  * functional reference we held for this reason. */
                 ENGINE_finish(c->engine);
+#endif
         memset(c,0,sizeof(EVP_CIPHER_CTX));
         return 1;
         }
diff --git a/src/lib/libcrypto/evp/evp_key.c b/src/lib/libcrypto/evp/evp_key.c
index 4271393069..5f387a94d3 100644
--- a/src/lib/libcrypto/evp/evp_key.c
+++ b/src/lib/libcrypto/evp/evp_key.c
@@ -103,7 +103,7 @@ int EVP_read_pw_string(char *buf, int len, const char *prompt, int verify)
                         buff,0,(len>=BUFSIZ)?BUFSIZ-1:len,buf);
         ret = UI_process(ui);
         UI_free(ui);
-        memset(buff,0,BUFSIZ);
+        OPENSSL_cleanse(buff,BUFSIZ);
         return ret;
         }
 
@@ -118,6 +118,8 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
 
         nkey=type->key_len;
         niv=type->iv_len;
+        OPENSSL_assert(nkey <= EVP_MAX_KEY_LENGTH);
+        OPENSSL_assert(niv <= EVP_MAX_IV_LENGTH);
 
         if (data == NULL) return(nkey);
 
@@ -166,7 +168,7 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
                 if ((nkey == 0) && (niv == 0)) break;
                 }
         EVP_MD_CTX_cleanup(&c);
-        memset(&(md_buf[0]),0,EVP_MAX_MD_SIZE);
+        OPENSSL_cleanse(&(md_buf[0]),EVP_MAX_MD_SIZE);
         return(type->key_len);
         }
 
diff --git a/src/lib/libcrypto/evp/evp_lib.c b/src/lib/libcrypto/evp/evp_lib.c
index a431945ef5..52a3b287be 100644
--- a/src/lib/libcrypto/evp/evp_lib.c
+++ b/src/lib/libcrypto/evp/evp_lib.c
@@ -90,6 +90,7 @@ int EVP_CIPHER_get_asn1_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
         if (type != NULL) 
                 {
                 l=EVP_CIPHER_CTX_iv_length(c);
+                OPENSSL_assert(l <= sizeof c->iv);
                 i=ASN1_TYPE_get_octetstring(type,c->oiv,l);
                 if (i != l)
                         return(-1);
@@ -106,6 +107,7 @@ int EVP_CIPHER_set_asn1_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
         if (type != NULL)
                 {
                 j=EVP_CIPHER_CTX_iv_length(c);
+                OPENSSL_assert(j <= sizeof c->iv);
                 i=ASN1_TYPE_set_octetstring(type,c->oiv,j);
                 }
         return(i);
diff --git a/src/lib/libcrypto/evp/evp_pbe.c b/src/lib/libcrypto/evp/evp_pbe.c
index 4234cd7684..bc98e63363 100644
--- a/src/lib/libcrypto/evp/evp_pbe.c
+++ b/src/lib/libcrypto/evp/evp_pbe.c
@@ -88,7 +88,7 @@ int EVP_PBE_CipherInit (ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
                 char obj_tmp[80];
                 EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_PBE_ALGORITHM);
                 if (!pbe_obj) strlcpy (obj_tmp, "NULL", sizeof obj_tmp);
-                else i2t_ASN1_OBJECT(obj_tmp, 80, pbe_obj);
+                else i2t_ASN1_OBJECT(obj_tmp, sizeof obj_tmp, pbe_obj);
                 ERR_add_error_data(2, "TYPE=", obj_tmp);
                 return 0;
         }
diff --git a/src/lib/libcrypto/evp/evp_test.c b/src/lib/libcrypto/evp/evp_test.c
index 90294ef686..28460173f7 100644
--- a/src/lib/libcrypto/evp/evp_test.c
+++ b/src/lib/libcrypto/evp/evp_test.c
@@ -49,8 +49,14 @@
 
 #include <stdio.h>
 #include <string.h>
+
+#include "../e_os.h"
+
 #include <openssl/evp.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
+#include <openssl/err.h>
 #include <openssl/conf.h>
 
 static void hexdump(FILE *f,const char *title,const unsigned char *s,int l)
@@ -78,7 +84,7 @@ static int convert(unsigned char *s)
         if(!s[1])
             {
             fprintf(stderr,"Odd number of hex digits!");
-            exit(4);
+            EXIT(4);
             }
         sscanf((char *)s,"%2x",&n);
         *d=(unsigned char)n;
@@ -120,6 +126,12 @@ static char *sstrsep(char **string, const char *delim)
 static unsigned char *ustrsep(char **p,const char *sep)
     { return (unsigned char *)sstrsep(p,sep); }
 
+static int test1_exit(int ec)
+        {
+        EXIT(ec);
+        return(0);              /* To keep some compilers quiet */
+        }
+
 static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
                   const unsigned char *iv,int in,
                   const unsigned char *plaintext,int pn,
@@ -142,7 +154,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
         {
         fprintf(stderr,"Key length doesn't match, got %d expected %d\n",kn,
                 c->key_len);
-        exit(5);
+        test1_exit(5);
         }
     EVP_CIPHER_CTX_init(&ctx);
     if (encdec != 0)
@@ -150,26 +162,26 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
         if(!EVP_EncryptInit_ex(&ctx,c,NULL,key,iv))
             {
             fprintf(stderr,"EncryptInit failed\n");
-            exit(10);
+            test1_exit(10);
             }
         EVP_CIPHER_CTX_set_padding(&ctx,0);
 
         if(!EVP_EncryptUpdate(&ctx,out,&outl,plaintext,pn))
             {
             fprintf(stderr,"Encrypt failed\n");
-            exit(6);
+            test1_exit(6);
             }
         if(!EVP_EncryptFinal_ex(&ctx,out+outl,&outl2))
             {
             fprintf(stderr,"EncryptFinal failed\n");
-            exit(7);
+            test1_exit(7);
             }
 
         if(outl+outl2 != cn)
             {
             fprintf(stderr,"Ciphertext length mismatch got %d expected %d\n",
                     outl+outl2,cn);
-            exit(8);
+            test1_exit(8);
             }
 
         if(memcmp(out,ciphertext,cn))
@@ -177,7 +189,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
             fprintf(stderr,"Ciphertext mismatch\n");
             hexdump(stderr,"Got",out,cn);
             hexdump(stderr,"Expected",ciphertext,cn);
-            exit(9);
+            test1_exit(9);
             }
         }
 
@@ -186,26 +198,26 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
         if(!EVP_DecryptInit_ex(&ctx,c,NULL,key,iv))
             {
             fprintf(stderr,"DecryptInit failed\n");
-            exit(11);
+            test1_exit(11);
             }
         EVP_CIPHER_CTX_set_padding(&ctx,0);
 
         if(!EVP_DecryptUpdate(&ctx,out,&outl,ciphertext,cn))
             {
             fprintf(stderr,"Decrypt failed\n");
-            exit(6);
+            test1_exit(6);
             }
         if(!EVP_DecryptFinal_ex(&ctx,out+outl,&outl2))
             {
             fprintf(stderr,"DecryptFinal failed\n");
-            exit(7);
+            test1_exit(7);
             }
 
         if(outl+outl2 != cn)
             {
             fprintf(stderr,"Plaintext length mismatch got %d expected %d\n",
                     outl+outl2,cn);
-            exit(8);
+            test1_exit(8);
             }
 
         if(memcmp(out,plaintext,cn))
@@ -213,7 +225,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
             fprintf(stderr,"Plaintext mismatch\n");
             hexdump(stderr,"Got",out,cn);
             hexdump(stderr,"Expected",plaintext,cn);
-            exit(9);
+            test1_exit(9);
             }
         }
 
@@ -260,24 +272,24 @@ static int test_digest(const char *digest,
     if(!EVP_DigestInit_ex(&ctx,d, NULL))
         {
         fprintf(stderr,"DigestInit failed\n");
-        exit(100);
+        EXIT(100);
         }
     if(!EVP_DigestUpdate(&ctx,plaintext,pn))
         {
         fprintf(stderr,"DigestUpdate failed\n");
-        exit(101);
+        EXIT(101);
         }
     if(!EVP_DigestFinal_ex(&ctx,md,&mdn))
         {
         fprintf(stderr,"DigestFinal failed\n");
-        exit(101);
+        EXIT(101);
         }
     EVP_MD_CTX_cleanup(&ctx);
 
     if(mdn != cn)
         {
         fprintf(stderr,"Digest length mismatch, got %d expected %d\n",mdn,cn);
-        exit(102);
+        EXIT(102);
         }
 
     if(memcmp(md,ciphertext,cn))
@@ -285,7 +297,7 @@ static int test_digest(const char *digest,
         fprintf(stderr,"Digest mismatch\n");
         hexdump(stderr,"Got",md,cn);
         hexdump(stderr,"Expected",ciphertext,cn);
-        exit(103);
+        EXIT(103);
         }
 
     printf("\n");
@@ -303,7 +315,7 @@ int main(int argc,char **argv)
     if(argc != 2)
         {
         fprintf(stderr,"%s <test file>\n",argv[0]);
-        exit(1);
+        EXIT(1);
         }
     CRYPTO_malloc_debug_init();
     CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
@@ -315,17 +327,20 @@ int main(int argc,char **argv)
     if(!f)
         {
         perror(szTestFile);
-        exit(2);
+        EXIT(2);
         }
 
     /* Load up the software EVP_CIPHER and EVP_MD definitions */
     OpenSSL_add_all_ciphers();
     OpenSSL_add_all_digests();
+#ifndef OPENSSL_NO_ENGINE
     /* Load all compiled-in ENGINEs */
     ENGINE_load_builtin_engines();
+#endif
 #if 0
     OPENSSL_config();
 #endif
+#ifndef OPENSSL_NO_ENGINE
     /* Register all available ENGINE implementations of ciphers and digests.
      * This could perhaps be changed to "ENGINE_register_all_complete()"? */
     ENGINE_register_all_ciphers();
@@ -334,6 +349,7 @@ int main(int argc,char **argv)
      * It'll prevent ENGINEs being ENGINE_init()ialised for cipher/digest use if
      * they weren't already initialised. */
     /* ENGINE_set_cipher_flags(ENGINE_CIPHER_FLAG_NOINIT); */
+#endif
 
     for( ; ; )
         {
@@ -371,11 +387,13 @@ int main(int argc,char **argv)
            && !test_digest(cipher,plaintext,pn,ciphertext,cn))
             {
             fprintf(stderr,"Can't find %s\n",cipher);
-            exit(3);
+            EXIT(3);
             }
         }
 
+#ifndef OPENSSL_NO_ENGINE
     ENGINE_cleanup();
+#endif
     EVP_cleanup();
     CRYPTO_cleanup_all_ex_data();
     ERR_remove_state(0);
diff --git a/src/lib/libcrypto/evp/p5_crpt.c b/src/lib/libcrypto/evp/p5_crpt.c
index 27a8286489..a1874e83b2 100644
--- a/src/lib/libcrypto/evp/p5_crpt.c
+++ b/src/lib/libcrypto/evp/p5_crpt.c
@@ -140,12 +140,14 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
                 EVP_DigestFinal_ex (&ctx, md_tmp, NULL);
         }
         EVP_MD_CTX_cleanup(&ctx);
+        OPENSSL_assert(EVP_CIPHER_key_length(cipher) <= sizeof md_tmp);
         memcpy(key, md_tmp, EVP_CIPHER_key_length(cipher));
+        OPENSSL_assert(EVP_CIPHER_iv_length(cipher) <= 16);
         memcpy(iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)),
                                                  EVP_CIPHER_iv_length(cipher));
         EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de);
-        memset(md_tmp, 0, EVP_MAX_MD_SIZE);
-        memset(key, 0, EVP_MAX_KEY_LENGTH);
-        memset(iv, 0, EVP_MAX_IV_LENGTH);
+        OPENSSL_cleanse(md_tmp, EVP_MAX_MD_SIZE);
+        OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
+        OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
         return 1;
 }
diff --git a/src/lib/libcrypto/evp/p5_crpt2.c b/src/lib/libcrypto/evp/p5_crpt2.c
index 7485d6a278..1f94e1ef88 100644
--- a/src/lib/libcrypto/evp/p5_crpt2.c
+++ b/src/lib/libcrypto/evp/p5_crpt2.c
@@ -190,6 +190,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
                 goto err;
         }
         keylen = EVP_CIPHER_CTX_key_length(ctx);
+        OPENSSL_assert(keylen <= sizeof key);
 
         /* Now decode key derivation function */
 
@@ -230,7 +231,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
         iter = ASN1_INTEGER_get(kdf->iter);
         PKCS5_PBKDF2_HMAC_SHA1(pass, passlen, salt, saltlen, iter, keylen, key);
         EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
-        memset(key, 0, keylen);
+        OPENSSL_cleanse(key, keylen);
         PBKDF2PARAM_free(kdf);
         return 1;
 
diff --git a/src/lib/libcrypto/evp/p_open.c b/src/lib/libcrypto/evp/p_open.c
index 6976f2a867..5a933d1cda 100644
--- a/src/lib/libcrypto/evp/p_open.c
+++ b/src/lib/libcrypto/evp/p_open.c
@@ -101,7 +101,7 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char *ek,
 
         ret=1;
 err:
-        if (key != NULL) memset(key,0,size);
+        if (key != NULL) OPENSSL_cleanse(key,size);
         OPENSSL_free(key);
         return(ret);
         }
diff --git a/src/lib/libcrypto/hmac/Makefile.ssl b/src/lib/libcrypto/hmac/Makefile.ssl
index 2bb3264f0e..f1c07322c4 100644
--- a/src/lib/libcrypto/hmac/Makefile.ssl
+++ b/src/lib/libcrypto/hmac/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -79,21 +79,23 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-hmac.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
+hmac.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
 hmac.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-hmac.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
-hmac.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-hmac.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-hmac.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+hmac.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+hmac.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+hmac.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+hmac.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+hmac.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 hmac.o: ../../include/openssl/evp.h ../../include/openssl/hmac.h
-hmac.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
-hmac.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-hmac.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-hmac.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-hmac.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-hmac.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-hmac.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-hmac.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-hmac.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-hmac.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-hmac.o: ../../include/openssl/ui_compat.h hmac.c
+hmac.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+hmac.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+hmac.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+hmac.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+hmac.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+hmac.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
+hmac.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+hmac.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+hmac.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+hmac.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+hmac.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+hmac.o: ../cryptlib.h hmac.c
diff --git a/src/lib/libcrypto/hmac/hmac.c b/src/lib/libcrypto/hmac/hmac.c
index da363b7950..4c91f919d5 100644
--- a/src/lib/libcrypto/hmac/hmac.c
+++ b/src/lib/libcrypto/hmac/hmac.c
@@ -59,6 +59,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <openssl/hmac.h>
+#include "cryptlib.h"
 
 void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
                   const EVP_MD *md, ENGINE *impl)
@@ -78,6 +79,7 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
                 {
                 reset=1;
                 j=EVP_MD_block_size(md);
+                OPENSSL_assert(j <= sizeof ctx->key);
                 if (j < len)
                         {
                         EVP_DigestInit_ex(&ctx->md_ctx,md, impl);
@@ -87,6 +89,7 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
                         }
                 else
                         {
+                        OPENSSL_assert(len <= sizeof ctx->key);
                         memcpy(ctx->key,key,len);
                         ctx->key_length=len;
                         }
diff --git a/src/lib/libcrypto/hmac/hmactest.c b/src/lib/libcrypto/hmac/hmactest.c
index 96d3beb8e6..1b906b81af 100644
--- a/src/lib/libcrypto/hmac/hmactest.c
+++ b/src/lib/libcrypto/hmac/hmactest.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_HMAC
 int main(int argc, char *argv[])
 {
@@ -68,12 +70,15 @@ int main(int argc, char *argv[])
 }
 #else
 #include <openssl/hmac.h>
+#ifndef OPENSSL_NO_MD5
 #include <openssl/md5.h>
+#endif
 
 #ifdef CHARSET_EBCDIC
 #include <openssl/ebcdic.h>
 #endif
 
+#ifndef OPENSSL_NO_MD5
 static struct test_st
         {
         unsigned char key[16];
@@ -113,13 +118,20 @@ static struct test_st
                 (unsigned char *)"56be34521d144c88dbb8c733f0e8b3f6",
         },
         };
-
+#endif
 
 static char *pt(unsigned char *md);
 int main(int argc, char *argv[])
         {
-        int i,err=0;
+#ifndef OPENSSL_NO_MD5
+        int i;
         char *p;
+#endif
+        int err=0;
+
+#ifdef OPENSSL_NO_MD5
+        printf("test skipped: MD5 disabled\n");
+#else
 
 #ifdef CHARSET_EBCDIC
         ebcdic2ascii(test[0].data, test[0].data, test[0].data_len);
@@ -144,10 +156,12 @@ int main(int argc, char *argv[])
                 else
                         printf("test %d ok\n",i);
                 }
-        exit(err);
+#endif /* OPENSSL_NO_MD5 */
+        EXIT(err);
         return(0);
         }
 
+#ifndef OPENSSL_NO_MD5
 static char *pt(unsigned char *md)
         {
         int i;
@@ -158,3 +172,4 @@ static char *pt(unsigned char *md)
         return(buf);
         }
 #endif
+#endif
diff --git a/src/lib/libcrypto/idea/Makefile.ssl b/src/lib/libcrypto/idea/Makefile.ssl
index 87c9aa484b..fa016ea399 100644
--- a/src/lib/libcrypto/idea/Makefile.ssl
+++ b/src/lib/libcrypto/idea/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/krb5/Makefile.ssl b/src/lib/libcrypto/krb5/Makefile.ssl
index 7ad0cbb0bc..d9224c0f09 100644
--- a/src/lib/libcrypto/krb5/Makefile.ssl
+++ b/src/lib/libcrypto/krb5/Makefile.ssl
@@ -41,7 +41,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -69,7 +69,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/lhash/Makefile.ssl b/src/lib/libcrypto/lhash/Makefile.ssl
index b3ad272cf7..60e7ee3393 100644
--- a/src/lib/libcrypto/lhash/Makefile.ssl
+++ b/src/lib/libcrypto/lhash/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/lhash/lh_stats.c b/src/lib/libcrypto/lhash/lh_stats.c
index 8e6f57c741..5aa7766aa6 100644
--- a/src/lib/libcrypto/lhash/lh_stats.c
+++ b/src/lib/libcrypto/lhash/lh_stats.c
@@ -179,63 +179,29 @@ end:;
 
 void lh_stats_bio(const LHASH *lh, BIO *out)
         {
-        char buf[128];
-
-        snprintf(buf,sizeof buf,"num_items             = %lu\n",lh->num_items);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_nodes             = %u\n",lh->num_nodes);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_alloc_nodes       = %u\n",
-                 lh->num_alloc_nodes);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_expands           = %lu\n",
-                 lh->num_expands);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_expand_reallocs   = %lu\n",
-                 lh->num_expand_reallocs);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_contracts         = %lu\n",
-                 lh->num_contracts);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_contract_reallocs = %lu\n",
-                 lh->num_contract_reallocs);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_hash_calls        = %lu\n",
-                 lh->num_hash_calls);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_comp_calls        = %lu\n",
-                 lh->num_comp_calls);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_insert            = %lu\n",
-                 lh->num_insert);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_replace           = %lu\n",
-                 lh->num_replace);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_delete            = %lu\n",
-                 lh->num_delete);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_no_delete         = %lu\n",
-                 lh->num_no_delete);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_retrieve          = %lu\n",
-                 lh->num_retrieve);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_retrieve_miss     = %lu\n",
-                 lh->num_retrieve_miss);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_hash_comps        = %lu\n",
-                 lh->num_hash_comps);
-        BIO_puts(out,buf);
+        BIO_printf(out,"num_items             = %lu\n",lh->num_items);
+        BIO_printf(out,"num_nodes             = %u\n",lh->num_nodes);
+        BIO_printf(out,"num_alloc_nodes       = %u\n",lh->num_alloc_nodes);
+        BIO_printf(out,"num_expands           = %lu\n",lh->num_expands);
+        BIO_printf(out,"num_expand_reallocs   = %lu\n",
+                   lh->num_expand_reallocs);
+        BIO_printf(out,"num_contracts         = %lu\n",lh->num_contracts);
+        BIO_printf(out,"num_contract_reallocs = %lu\n",
+                   lh->num_contract_reallocs);
+        BIO_printf(out,"num_hash_calls        = %lu\n",lh->num_hash_calls);
+        BIO_printf(out,"num_comp_calls        = %lu\n",lh->num_comp_calls);
+        BIO_printf(out,"num_insert            = %lu\n",lh->num_insert);
+        BIO_printf(out,"num_replace           = %lu\n",lh->num_replace);
+        BIO_printf(out,"num_delete            = %lu\n",lh->num_delete);
+        BIO_printf(out,"num_no_delete         = %lu\n",lh->num_no_delete);
+        BIO_printf(out,"num_retrieve          = %lu\n",lh->num_retrieve);
+        BIO_printf(out,"num_retrieve_miss     = %lu\n",lh->num_retrieve_miss);
+        BIO_printf(out,"num_hash_comps        = %lu\n",lh->num_hash_comps);
 #if 0
-        snprintf(buf,sizeof buf,"p                     = %u\n",lh->p);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"pmax                  = %u\n",lh->pmax);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"up_load               = %lu\n",lh->up_load);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"down_load             = %lu\n",lh->down_load);
-        BIO_puts(out,buf);
+        BIO_printf(out,"p                     = %u\n",lh->p);
+        BIO_printf(out,"pmax                  = %u\n",lh->pmax);
+        BIO_printf(out,"up_load               = %lu\n",lh->up_load);
+        BIO_printf(out,"down_load             = %lu\n",lh->down_load);
 #endif
         }
 
@@ -243,14 +209,12 @@ void lh_node_stats_bio(const LHASH *lh, BIO *out)
         {
         LHASH_NODE *n;
         unsigned int i,num;
-        char buf[128];
 
         for (i=0; i<lh->num_nodes; i++)
                 {
                 for (n=lh->b[i],num=0; n != NULL; n=n->next)
                         num++;
-                snprintf(buf,sizeof buf,"node %6u -> %3u\n",i,num);
-                BIO_puts(out,buf);
+                BIO_printf(out,"node %6u -> %3u\n",i,num);
                 }
         }
 
@@ -260,7 +224,6 @@ void lh_node_usage_stats_bio(const LHASH *lh, BIO *out)
         unsigned long num;
         unsigned int i;
         unsigned long total=0,n_used=0;
-        char buf[128];
 
         for (i=0; i<lh->num_nodes; i++)
                 {
@@ -272,18 +235,14 @@ void lh_node_usage_stats_bio(const LHASH *lh, BIO *out)
                         total+=num;
                         }
                 }
-        snprintf(buf,sizeof buf,"%lu nodes used out of %u\n",n_used,
-                 lh->num_nodes);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"%lu items\n",total);
-        BIO_puts(out,buf);
+        BIO_printf(out,"%lu nodes used out of %u\n",n_used,lh->num_nodes);
+        BIO_printf(out,"%lu items\n",total);
         if (n_used == 0) return;
-        snprintf(buf,sizeof buf,"load %d.%02d  actual load %d.%02d\n",
-                (int)(total/lh->num_nodes),
-                (int)((total%lh->num_nodes)*100/lh->num_nodes),
-                (int)(total/n_used),
-                (int)((total%n_used)*100/n_used));
-        BIO_puts(out,buf);
+        BIO_printf(out,"load %d.%02d  actual load %d.%02d\n",
+                   (int)(total/lh->num_nodes),
+                   (int)((total%lh->num_nodes)*100/lh->num_nodes),
+                   (int)(total/n_used),
+                   (int)((total%n_used)*100/n_used));
         }
 
 #endif
diff --git a/src/lib/libcrypto/md2/Makefile.ssl b/src/lib/libcrypto/md2/Makefile.ssl
index e89a17f3a4..3206924c90 100644
--- a/src/lib/libcrypto/md2/Makefile.ssl
+++ b/src/lib/libcrypto/md2/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -79,8 +79,11 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
+md2_dgst.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 md2_dgst.o: ../../include/openssl/md2.h ../../include/openssl/opensslconf.h
-md2_dgst.o: ../../include/openssl/opensslv.h md2_dgst.c
+md2_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+md2_dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+md2_dgst.o: md2_dgst.c
 md2_one.o: ../../e_os.h ../../include/openssl/bio.h
 md2_one.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 md2_one.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
diff --git a/src/lib/libcrypto/md2/md2_dgst.c b/src/lib/libcrypto/md2/md2_dgst.c
index e25dd00e02..ecb64f0ec4 100644
--- a/src/lib/libcrypto/md2/md2_dgst.c
+++ b/src/lib/libcrypto/md2/md2_dgst.c
@@ -61,6 +61,7 @@
 #include <string.h>
 #include <openssl/md2.h>
 #include <openssl/opensslv.h>
+#include <openssl/crypto.h>
 
 const char *MD2_version="MD2" OPENSSL_VERSION_PTEXT;
 
@@ -118,9 +119,9 @@ const char *MD2_options(void)
 int MD2_Init(MD2_CTX *c)
         {
         c->num=0;
-        memset(c->state,0,MD2_BLOCK*sizeof(MD2_INT));
-        memset(c->cksm,0,MD2_BLOCK*sizeof(MD2_INT));
-        memset(c->data,0,MD2_BLOCK);
+        memset(c->state,0,sizeof c->state);
+        memset(c->cksm,0,sizeof c->cksm);
+        memset(c->data,0,sizeof c->data);
         return 1;
         }
 
@@ -196,7 +197,7 @@ static void md2_block(MD2_CTX *c, const unsigned char *d)
                 t=(t+i)&0xff;
                 }
         memcpy(sp1,state,16*sizeof(MD2_INT));
-        memset(state,0,48*sizeof(MD2_INT));
+        OPENSSL_cleanse(state,48*sizeof(MD2_INT));
         }
 
 int MD2_Final(unsigned char *md, MD2_CTX *c)
diff --git a/src/lib/libcrypto/md2/md2_one.c b/src/lib/libcrypto/md2/md2_one.c
index b12c37ce4d..835160ef56 100644
--- a/src/lib/libcrypto/md2/md2_one.c
+++ b/src/lib/libcrypto/md2/md2_one.c
@@ -88,6 +88,6 @@ unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md)
         }
 #endif
         MD2_Final(md,&c);
-        memset(&c,0,sizeof(c)); /* Security consideration */
+        OPENSSL_cleanse(&c,sizeof(c));  /* Security consideration */
         return(md);
         }
diff --git a/src/lib/libcrypto/md2/md2test.c b/src/lib/libcrypto/md2/md2test.c
index 7d3664faf5..901d0a7d8e 100644
--- a/src/lib/libcrypto/md2/md2test.c
+++ b/src/lib/libcrypto/md2/md2test.c
@@ -61,6 +61,8 @@
 #include <string.h>
 #include <openssl/md2.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_MD2
 int main(int argc, char *argv[])
 {
@@ -122,8 +124,7 @@ int main(int argc, char *argv[])
                 R++;
                 P++;
                 }
-        exit(err);
-        return(0);
+        EXIT(err);
         }
 
 static char *pt(unsigned char *md)
diff --git a/src/lib/libcrypto/md32_common.h b/src/lib/libcrypto/md32_common.h
index 353d2b96ad..573850b122 100644
--- a/src/lib/libcrypto/md32_common.h
+++ b/src/lib/libcrypto/md32_common.h
@@ -1,6 +1,6 @@
 /* crypto/md32_common.h */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -198,7 +198,7 @@
    *
    *                                    <appro@fy.chalmers.se>
    */
-#  if defined(__i386) || defined(__i386__)
+#  if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
 #   define ROTATE(a,n)  ({ register unsigned int ret;   \
                                 asm (                   \
                                 "roll %1,%0"            \
@@ -224,7 +224,7 @@
  */
 # if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
   /* some GNU C inline assembler templates by <appro@fy.chalmers.se> */
-#  if (defined(__i386) || defined(__i386__)) && !defined(I386_ONLY)
+#  if (defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)) && !defined(I386_ONLY)
 #   define BE_FETCH32(a)        ({ register unsigned int l=(a);\
                                 asm (                   \
                                 "bswapl %0"             \
@@ -456,7 +456,10 @@ int HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len)
                                 {
                                 ew=(c->num>>2);
                                 ec=(c->num&0x03);
-                                l=p[sw]; HOST_p_c2l(data,l,sc); p[sw++]=l;
+                                if (sc)
+                                        l=p[sw];
+                                HOST_p_c2l(data,l,sc);
+                                p[sw++]=l;
                                 for (; sw < ew; sw++)
                                         {
                                         HOST_c2l(data,l); p[sw]=l;
@@ -603,7 +606,32 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c)
         c->num=0;
         /* clear stuff, HASH_BLOCK may be leaving some stuff on the stack
          * but I'm not worried :-)
-        memset((void *)c,0,sizeof(HASH_CTX));
+        OPENSSL_cleanse((void *)c,sizeof(HASH_CTX));
          */
         return 1;
         }
+
+#ifndef MD32_REG_T
+#define MD32_REG_T long
+/*
+ * This comment was originaly written for MD5, which is why it
+ * discusses A-D. But it basically applies to all 32-bit digests,
+ * which is why it was moved to common header file.
+ *
+ * In case you wonder why A-D are declared as long and not
+ * as MD5_LONG. Doing so results in slight performance
+ * boost on LP64 architectures. The catch is we don't
+ * really care if 32 MSBs of a 64-bit register get polluted
+ * with eventual overflows as we *save* only 32 LSBs in
+ * *either* case. Now declaring 'em long excuses the compiler
+ * from keeping 32 MSBs zeroed resulting in 13% performance
+ * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
+ * Well, to be honest it should say that this *prevents* 
+ * performance degradation.
+ *                              <appro@fy.chalmers.se>
+ * Apparently there're LP64 compilers that generate better
+ * code if A-D are declared int. Most notably GCC-x86_64
+ * generates better code.
+ *                              <appro@fy.chalmers.se>
+ */
+#endif
diff --git a/src/lib/libcrypto/md4/Makefile.ssl b/src/lib/libcrypto/md4/Makefile.ssl
index 1de72571d8..7d2e8d8d3b 100644
--- a/src/lib/libcrypto/md4/Makefile.ssl
+++ b/src/lib/libcrypto/md4/Makefile.ssl
@@ -69,7 +69,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -84,5 +84,8 @@ md4_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/md4.h
 md4_dgst.o: ../../include/openssl/opensslconf.h
 md4_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md4_dgst.c
 md4_dgst.o: md4_locl.h
-md4_one.o: ../../include/openssl/e_os2.h ../../include/openssl/md4.h
-md4_one.o: ../../include/openssl/opensslconf.h md4_one.c
+md4_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+md4_one.o: ../../include/openssl/md4.h ../../include/openssl/opensslconf.h
+md4_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+md4_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+md4_one.o: md4_one.c
diff --git a/src/lib/libcrypto/md4/md4.c b/src/lib/libcrypto/md4/md4.c
index e4b0aac011..141415ad4d 100644
--- a/src/lib/libcrypto/md4/md4.c
+++ b/src/lib/libcrypto/md4/md4.c
@@ -64,7 +64,7 @@
 
 void do_fp(FILE *f);
 void pt(unsigned char *md);
-#ifndef _OSD_POSIX
+#if !defined(_OSD_POSIX) && !defined(__DJGPP__)
 int read(int, void *, unsigned int);
 #endif
 
@@ -108,7 +108,7 @@ void do_fp(FILE *f)
         MD4_Init(&c);
         for (;;)
                 {
-                i=read(fd,buf,BUFSIZE);
+                i=read(fd,buf,sizeof buf);
                 if (i <= 0) break;
                 MD4_Update(&c,buf,(unsigned long)i);
                 }
diff --git a/src/lib/libcrypto/md4/md4_dgst.c b/src/lib/libcrypto/md4/md4_dgst.c
index 6446f5f5e7..7afb7185b6 100644
--- a/src/lib/libcrypto/md4/md4_dgst.c
+++ b/src/lib/libcrypto/md4/md4_dgst.c
@@ -86,21 +86,7 @@ int MD4_Init(MD4_CTX *c)
 void md4_block_host_order (MD4_CTX *c, const void *data, int num)
         {
         const MD4_LONG *X=data;
-        register unsigned long A,B,C,D;
-        /*
-         * In case you wonder why A-D are declared as long and not
-         * as MD4_LONG. Doing so results in slight performance
-         * boost on LP64 architectures. The catch is we don't
-         * really care if 32 MSBs of a 64-bit register get polluted
-         * with eventual overflows as we *save* only 32 LSBs in
-         * *either* case. Now declaring 'em long excuses the compiler
-         * from keeping 32 MSBs zeroed resulting in 13% performance
-         * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
-         * Well, to be honest it should say that this *prevents* 
-         * performance degradation.
-         *
-         *                              <appro@fy.chalmers.se>
-         */
+        register unsigned MD32_REG_T A,B,C,D;
 
         A=c->A;
         B=c->B;
@@ -176,25 +162,11 @@ void md4_block_host_order (MD4_CTX *c, const void *data, int num)
 void md4_block_data_order (MD4_CTX *c, const void *data_, int num)
         {
         const unsigned char *data=data_;
-        register unsigned long A,B,C,D,l;
-        /*
-         * In case you wonder why A-D are declared as long and not
-         * as MD4_LONG. Doing so results in slight performance
-         * boost on LP64 architectures. The catch is we don't
-         * really care if 32 MSBs of a 64-bit register get polluted
-         * with eventual overflows as we *save* only 32 LSBs in
-         * *either* case. Now declaring 'em long excuses the compiler
-         * from keeping 32 MSBs zeroed resulting in 13% performance
-         * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
-         * Well, to be honest it should say that this *prevents* 
-         * performance degradation.
-         *
-         *                              <appro@fy.chalmers.se>
-         */
+        register unsigned MD32_REG_T A,B,C,D,l;
 #ifndef MD32_XARRAY
         /* See comment in crypto/sha/sha_locl.h for details. */
-        unsigned long   XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
-                        XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+        unsigned MD32_REG_T     XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+                                XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
 # define X(i)   XX##i
 #else
         MD4_LONG XX[MD4_LBLOCK];
diff --git a/src/lib/libcrypto/md4/md4_one.c b/src/lib/libcrypto/md4/md4_one.c
index 87a995d38d..00565507e4 100644
--- a/src/lib/libcrypto/md4/md4_one.c
+++ b/src/lib/libcrypto/md4/md4_one.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <openssl/md4.h>
+#include <openssl/crypto.h>
 
 #ifdef CHARSET_EBCDIC
 #include <openssl/ebcdic.h>
@@ -89,7 +90,7 @@ unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md)
         }
 #endif
         MD4_Final(md,&c);
-        memset(&c,0,sizeof(c)); /* security consideration */
+        OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */
         return(md);
         }
 
diff --git a/src/lib/libcrypto/md4/md4test.c b/src/lib/libcrypto/md4/md4test.c
index e0fdc42282..21a77d96f7 100644
--- a/src/lib/libcrypto/md4/md4test.c
+++ b/src/lib/libcrypto/md4/md4test.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_MD4
 int main(int argc, char *argv[])
 {
@@ -118,7 +120,7 @@ int main(int argc, char *argv[])
                 R++;
                 P++;
                 }
-        exit(err);
+        EXIT(err);
         return(0);
         }
 
diff --git a/src/lib/libcrypto/md5/Makefile.ssl b/src/lib/libcrypto/md5/Makefile.ssl
index 5f1bbfb8ff..b11ab476d6 100644
--- a/src/lib/libcrypto/md5/Makefile.ssl
+++ b/src/lib/libcrypto/md5/Makefile.ssl
@@ -21,14 +21,6 @@ MD5_ASM_OBJ=
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 
-# We let the C compiler driver to take care of .s files. This is done in
-# order to be excused from maintaining a separate set of architecture
-# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
-# gcc, then the driver will automatically translate it to -xarch=v8plus
-# and pass it down to assembler.
-AS=$(CC) -c
-ASFLAGS=$(CFLAGS)
-
 GENERAL=Makefile
 TEST=md5test.c
 APPS=
@@ -55,14 +47,8 @@ lib:    $(LIBOBJ)
         @touch lib
 
 # elf
-asm/mx86-elf.o: asm/mx86unix.cpp
-        $(CPP) -DELF -x c asm/mx86unix.cpp | as -o asm/mx86-elf.o
-
-# solaris
-asm/mx86-sol.o: asm/mx86unix.cpp
-        $(CC) -E -DSOL asm/mx86unix.cpp | sed 's/^#.*//' > asm/mx86-sol.s
-        as -o asm/mx86-sol.o asm/mx86-sol.s
-        rm -f asm/mx86-sol.s
+asm/mx86-elf.s: asm/md5-586.pl ../perlasm/x86asm.pl
+        (cd asm; $(PERL) md5-586.pl elf $(CFLAGS) > mx86-elf.s)
 
 # a.out
 asm/mx86-out.o: asm/mx86unix.cpp
@@ -118,18 +104,23 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
         mv -f Makefile.new $(MAKEFILE)
 
 clean:
-        rm -f asm/mx86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+        rm -f asm/mx86unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-md5_dgst.o: ../../include/openssl/md5.h ../../include/openssl/opensslconf.h
+md5_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/md5.h
+md5_dgst.o: ../../include/openssl/opensslconf.h
 md5_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md5_dgst.c
 md5_dgst.o: md5_locl.h
-md5_one.o: ../../include/openssl/md5.h md5_one.c
+md5_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+md5_one.o: ../../include/openssl/md5.h ../../include/openssl/opensslconf.h
+md5_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+md5_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+md5_one.o: md5_one.c
diff --git a/src/lib/libcrypto/md5/md5.c b/src/lib/libcrypto/md5/md5.c
index 7ed0024ae1..563733abc5 100644
--- a/src/lib/libcrypto/md5/md5.c
+++ b/src/lib/libcrypto/md5/md5.c
@@ -64,7 +64,7 @@
 
 void do_fp(FILE *f);
 void pt(unsigned char *md);
-#ifndef _OSD_POSIX
+#if !defined(_OSD_POSIX) && !defined(__DJGPP__)
 int read(int, void *, unsigned int);
 #endif
 
diff --git a/src/lib/libcrypto/md5/md5.h b/src/lib/libcrypto/md5/md5.h
index 52cb753e6a..a252e02115 100644
--- a/src/lib/libcrypto/md5/md5.h
+++ b/src/lib/libcrypto/md5/md5.h
@@ -59,6 +59,8 @@
 #ifndef HEADER_MD5_H
 #define HEADER_MD5_H
 
+#include <openssl/e_os2.h>
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
@@ -76,7 +78,7 @@ extern "C" {
 
 #if defined(OPENSSL_SYS_WIN16) || defined(__LP32__)
 #define MD5_LONG unsigned long
-#elif defined(OENSSL_SYS_CRAY) || defined(__ILP64__)
+#elif defined(OPENSSL_SYS_CRAY) || defined(__ILP64__)
 #define MD5_LONG unsigned long
 #define MD5_LONG_LOG2 3
 /*
diff --git a/src/lib/libcrypto/md5/md5_dgst.c b/src/lib/libcrypto/md5/md5_dgst.c
index c38a3f021e..9c7abc3697 100644
--- a/src/lib/libcrypto/md5/md5_dgst.c
+++ b/src/lib/libcrypto/md5/md5_dgst.c
@@ -86,21 +86,7 @@ int MD5_Init(MD5_CTX *c)
 void md5_block_host_order (MD5_CTX *c, const void *data, int num)
         {
         const MD5_LONG *X=data;
-        register unsigned long A,B,C,D;
-        /*
-         * In case you wonder why A-D are declared as long and not
-         * as MD5_LONG. Doing so results in slight performance
-         * boost on LP64 architectures. The catch is we don't
-         * really care if 32 MSBs of a 64-bit register get polluted
-         * with eventual overflows as we *save* only 32 LSBs in
-         * *either* case. Now declaring 'em long excuses the compiler
-         * from keeping 32 MSBs zeroed resulting in 13% performance
-         * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
-         * Well, to be honest it should say that this *prevents* 
-         * performance degradation.
-         *
-         *                              <appro@fy.chalmers.se>
-         */
+        register unsigned MD32_REG_T A,B,C,D;
 
         A=c->A;
         B=c->B;
@@ -193,25 +179,11 @@ void md5_block_host_order (MD5_CTX *c, const void *data, int num)
 void md5_block_data_order (MD5_CTX *c, const void *data_, int num)
         {
         const unsigned char *data=data_;
-        register unsigned long A,B,C,D,l;
-        /*
-         * In case you wonder why A-D are declared as long and not
-         * as MD5_LONG. Doing so results in slight performance
-         * boost on LP64 architectures. The catch is we don't
-         * really care if 32 MSBs of a 64-bit register get polluted
-         * with eventual overflows as we *save* only 32 LSBs in
-         * *either* case. Now declaring 'em long excuses the compiler
-         * from keeping 32 MSBs zeroed resulting in 13% performance
-         * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
-         * Well, to be honest it should say that this *prevents* 
-         * performance degradation.
-         *
-         *                              <appro@fy.chalmers.se>
-         */
+        register unsigned MD32_REG_T A,B,C,D,l;
 #ifndef MD32_XARRAY
         /* See comment in crypto/sha/sha_locl.h for details. */
-        unsigned long   XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
-                        XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+        unsigned MD32_REG_T     XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+                                XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
 # define X(i)   XX##i
 #else
         MD5_LONG XX[MD5_LBLOCK];
diff --git a/src/lib/libcrypto/md5/md5_locl.h b/src/lib/libcrypto/md5/md5_locl.h
index 34c5257306..9e360da732 100644
--- a/src/lib/libcrypto/md5/md5_locl.h
+++ b/src/lib/libcrypto/md5/md5_locl.h
@@ -58,7 +58,7 @@
 
 #include <stdlib.h>
 #include <string.h>
-#include <openssl/opensslconf.h>
+#include <openssl/e_os2.h>
 #include <openssl/md5.h>
 
 #ifndef MD5_LONG_LOG2
diff --git a/src/lib/libcrypto/md5/md5_one.c b/src/lib/libcrypto/md5/md5_one.c
index b89dec850d..c5dd2d81db 100644
--- a/src/lib/libcrypto/md5/md5_one.c
+++ b/src/lib/libcrypto/md5/md5_one.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <openssl/md5.h>
+#include <openssl/crypto.h>
 
 #ifdef CHARSET_EBCDIC
 #include <openssl/ebcdic.h>
@@ -89,7 +90,7 @@ unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md)
         }
 #endif
         MD5_Final(md,&c);
-        memset(&c,0,sizeof(c)); /* security consideration */
+        OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */
         return(md);
         }
 
diff --git a/src/lib/libcrypto/md5/md5test.c b/src/lib/libcrypto/md5/md5test.c
index 862b89658a..bfd62629ed 100644
--- a/src/lib/libcrypto/md5/md5test.c
+++ b/src/lib/libcrypto/md5/md5test.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_MD5
 int main(int argc, char *argv[])
 {
@@ -118,7 +120,7 @@ int main(int argc, char *argv[])
                 R++;
                 P++;
                 }
-        exit(err);
+        EXIT(err);
         return(0);
         }
 
diff --git a/src/lib/libcrypto/mdc2/Makefile.ssl b/src/lib/libcrypto/mdc2/Makefile.ssl
index 087b8eb9ee..33f366fb08 100644
--- a/src/lib/libcrypto/mdc2/Makefile.ssl
+++ b/src/lib/libcrypto/mdc2/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/mem.c b/src/lib/libcrypto/mem.c
index 87d0ebc714..29df7d35b2 100644
--- a/src/lib/libcrypto/mem.c
+++ b/src/lib/libcrypto/mem.c
@@ -250,6 +250,7 @@ void CRYPTO_get_mem_debug_functions(void (**m)(void *,int,const char *,int,int),
 void *CRYPTO_malloc_locked(int num, const char *file, int line)
         {
         void *ret = NULL;
+        extern unsigned char cleanse_ctr;
 
         if (num < 0) return NULL;
 
@@ -266,6 +267,12 @@ void *CRYPTO_malloc_locked(int num, const char *file, int line)
         if (malloc_debug_func != NULL)
                 malloc_debug_func(ret, num, file, line, 1);
 
+        /* Create a dependency on the value of 'cleanse_ctr' so our memory
+         * sanitisation function can't be optimised out. NB: We only do
+         * this for >2Kb so the overhead doesn't bother us. */
+        if(ret && (num > 2048))
+                ((unsigned char *)ret)[0] = cleanse_ctr;
+
         return ret;
         }
 
@@ -284,6 +291,7 @@ void CRYPTO_free_locked(void *str)
 void *CRYPTO_malloc(int num, const char *file, int line)
         {
         void *ret = NULL;
+        extern unsigned char cleanse_ctr;
 
         if (num < 0) return NULL;
 
@@ -300,6 +308,12 @@ void *CRYPTO_malloc(int num, const char *file, int line)
         if (malloc_debug_func != NULL)
                 malloc_debug_func(ret, num, file, line, 1);
 
+        /* Create a dependency on the value of 'cleanse_ctr' so our memory
+         * sanitisation function can't be optimised out. NB: We only do
+         * this for >2Kb so the overhead doesn't bother us. */
+        if(ret && (num > 2048))
+                ((unsigned char *)ret)[0] = cleanse_ctr;
+
         return ret;
         }
 
@@ -310,8 +324,8 @@ void *CRYPTO_realloc(void *str, int num, const char *file, int line)
         if (str == NULL)
                 return CRYPTO_malloc(num, file, line);
 
-        if (num < 0) return NULL;
-
+        if (num < 0) return NULL;
+ 
         if (realloc_debug_func != NULL)
                 realloc_debug_func(str, NULL, num, file, line, 0);
         ret = realloc_ex_func(str,num,file,line);
@@ -324,6 +338,32 @@ void *CRYPTO_realloc(void *str, int num, const char *file, int line)
         return ret;
         }
 
+void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file,
+                           int line)
+        {
+        void *ret = NULL;
+
+        if (str == NULL)
+                return CRYPTO_malloc(num, file, line);
+ 
+        if (num < 0) return NULL;
+ 
+        if (realloc_debug_func != NULL)
+                realloc_debug_func(str, NULL, num, file, line, 0);
+        ret=malloc_ex_func(num,file,line);
+        if(ret)
+                memcpy(ret,str,old_len);
+        OPENSSL_cleanse(str,old_len);
+        free_func(str);
+#ifdef LEVITTE_DEBUG_MEM
+        fprintf(stderr, "LEVITTE_DEBUG_MEM:         | 0x%p -> 0x%p (%d)\n", str, ret, num);
+#endif
+        if (realloc_debug_func != NULL)
+                realloc_debug_func(str, ret, num, file, line, 1);
+
+        return ret;
+        }
+
 void CRYPTO_free(void *str)
         {
         if (free_debug_func != NULL)
@@ -343,7 +383,6 @@ void *CRYPTO_remalloc(void *a, int num, const char *file, int line)
         return(a);
         }
 
-
 void CRYPTO_set_mem_debug_options(long bits)
         {
         if (set_debug_options_func != NULL)
diff --git a/src/lib/libcrypto/mem_dbg.c b/src/lib/libcrypto/mem_dbg.c
index ea94eee6f4..9221df00bd 100644
--- a/src/lib/libcrypto/mem_dbg.c
+++ b/src/lib/libcrypto/mem_dbg.c
@@ -102,6 +102,8 @@ typedef struct app_mem_info_st
         int references;
         } APP_INFO;
 
+static void app_info_free(APP_INFO *);
+
 static LHASH *amih=NULL; /* hash-table with those app_mem_info_st's
                           * that are at the top of their thread's stack
                           * (with `thread' as key);
@@ -140,6 +142,18 @@ static unsigned long disabling_thread = 0; /* Valid iff num_disable > 0.
                                             * thread named in disabling_thread).
                                             */
 
+static void app_info_free(APP_INFO *inf)
+        {
+        if (--(inf->references) <= 0)
+                {
+                if (inf->next != NULL)
+                        {
+                        app_info_free(inf->next);
+                        }
+                OPENSSL_free(inf);
+                }
+        }
+
 int CRYPTO_mem_ctrl(int mode)
         {
         int ret=mh_mode;
@@ -502,9 +516,7 @@ void CRYPTO_dbg_free(void *addr, int before_p)
                                 mp->order, mp->addr, mp->num);
 #endif
                                 if (mp->app_info != NULL)
-                                        {
-                                        mp->app_info->references--;
-                                        }
+                                        app_info_free(mp->app_info);
                                 OPENSSL_free(mp);
                                 }
 
@@ -669,7 +681,6 @@ static IMPLEMENT_LHASH_DOALL_ARG_FN(print_leak, const MEM *, MEM_LEAK *)
 void CRYPTO_mem_leaks(BIO *b)
         {
         MEM_LEAK ml;
-        char buf[80];
 
         if (mh == NULL && amih == NULL)
                 return;
@@ -684,9 +695,8 @@ void CRYPTO_mem_leaks(BIO *b)
                                 (char *)&ml);
         if (ml.chunks != 0)
                 {
-                snprintf(buf,sizeof buf,"%ld bytes leaked in %d chunks\n",
-                        ml.bytes,ml.chunks);
-                BIO_puts(b,buf);
+                BIO_printf(b,"%ld bytes leaked in %d chunks\n",
+                           ml.bytes,ml.chunks);
                 }
         else
                 {
diff --git a/src/lib/libcrypto/o_time.c b/src/lib/libcrypto/o_time.c
index 1bc0297b36..723eb1b5af 100644
--- a/src/lib/libcrypto/o_time.c
+++ b/src/lib/libcrypto/o_time.c
@@ -80,6 +80,9 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
         ts = result;
 #elif !defined(OPENSSL_SYS_VMS)
         ts = gmtime(timer);
+        if (ts == NULL)
+                return NULL;
+
         memcpy(result, ts, sizeof(struct tm));
         ts = result;
 #endif
diff --git a/src/lib/libcrypto/objects/Makefile.ssl b/src/lib/libcrypto/objects/Makefile.ssl
index cd5cbc95ce..3e7a194cf9 100644
--- a/src/lib/libcrypto/objects/Makefile.ssl
+++ b/src/lib/libcrypto/objects/Makefile.ssl
@@ -76,7 +76,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/objects/obj_dat.c b/src/lib/libcrypto/objects/obj_dat.c
index 202bd168ac..ae97108e93 100644
--- a/src/lib/libcrypto/objects/obj_dat.c
+++ b/src/lib/libcrypto/objects/obj_dat.c
@@ -464,7 +464,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
 
                 snprintf(tbuf,sizeof tbuf,"%d.%lu",i,l);
                 i=strlen(tbuf);
-                strncpy(buf,tbuf,buf_len);
+                BUF_strlcpy(buf,tbuf,buf_len);
                 buf_len-=i;
                 buf+=i;
                 n+=i;
@@ -476,7 +476,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
                                 snprintf(tbuf,sizeof tbuf,".%lu",l);
                                 i=strlen(tbuf);
                                 if (buf_len > 0)
-                                        strncpy(buf,tbuf,buf_len);
+                                        BUF_strlcpy(buf,tbuf,buf_len);
                                 buf_len-=i;
                                 buf+=i;
                                 n+=i;
@@ -488,10 +488,9 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
                 s=OBJ_nid2ln(nid);
                 if (s == NULL)
                         s=OBJ_nid2sn(nid);
-                strncpy(buf,s,buf_len);
+                BUF_strlcpy(buf,s,buf_len);
                 n=strlen(s);
         }
-        buf[buf_len-1]='\0';
         return(n);
 }
 
diff --git a/src/lib/libcrypto/objects/obj_mac.num b/src/lib/libcrypto/objects/obj_mac.num
index 1486199661..9838072b65 100644
--- a/src/lib/libcrypto/objects/obj_mac.num
+++ b/src/lib/libcrypto/objects/obj_mac.num
@@ -645,3 +645,5 @@ rsaOAEPEncryptionSET		644
 itu_t           645
 joint_iso_itu_t         646
 international_organizations             647
+ms_smartcard_login              648
+ms_upn          649
diff --git a/src/lib/libcrypto/objects/objects.txt b/src/lib/libcrypto/objects/objects.txt
index 71a4908485..3ba11f65cc 100644
--- a/src/lib/libcrypto/objects/objects.txt
+++ b/src/lib/libcrypto/objects/objects.txt
@@ -276,6 +276,10 @@ rsadsi 3 8		: RC5-CBC		: rc5-cbc
 1 3 6 1 4 1 311 10 3 3  : msSGC                 : Microsoft Server Gated Crypto
 !Cname ms-efs
 1 3 6 1 4 1 311 10 3 4  : msEFS                 : Microsoft Encrypted File System
+!Cname ms-smartcard-login
+1 3 6 1 4 1 311 20 2 2  : msSmartcardLogin      : Microsoft Smartcardlogin
+!Cname ms-upn
+1 3 6 1 4 1 311 20 2 3  : msUPN                 : Microsoft Universal Principal Name
 
 1 3 6 1 4 1 188 7 1 1 2 : IDEA-CBC              : idea-cbc
                         : IDEA-ECB              : idea-ecb
@@ -537,7 +541,7 @@ X509 11			: OU			: organizationalUnitName
 X509 12                 :                       : title
 X509 13                 :                       : description
 X509 41                 : name                  : name
-X509 42                 : gn                    : givenName
+X509 42                 : GN                    : givenName
 X509 43                 :                       : initials
 X509 44                 :                       : generationQualifier
 X509 45                 :                       : x500UniqueIdentifier
diff --git a/src/lib/libcrypto/ocsp/Makefile.ssl b/src/lib/libcrypto/ocsp/Makefile.ssl
index 2be98179ae..02477be538 100644
--- a/src/lib/libcrypto/ocsp/Makefile.ssl
+++ b/src/lib/libcrypto/ocsp/Makefile.ssl
@@ -43,7 +43,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -71,7 +71,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/ocsp/ocsp_asn.c b/src/lib/libcrypto/ocsp/ocsp_asn.c
index 8c148cda6a..6a3a360d54 100644
--- a/src/lib/libcrypto/ocsp/ocsp_asn.c
+++ b/src/lib/libcrypto/ocsp/ocsp_asn.c
@@ -117,7 +117,7 @@ IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPONSE)
 
 ASN1_CHOICE(OCSP_RESPID) = {
            ASN1_EXP(OCSP_RESPID, value.byName, X509_NAME, 1),
-           ASN1_IMP(OCSP_RESPID, value.byKey, ASN1_OCTET_STRING, 2)
+           ASN1_EXP(OCSP_RESPID, value.byKey, ASN1_OCTET_STRING, 2)
 } ASN1_CHOICE_END(OCSP_RESPID)
 
 IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPID)
diff --git a/src/lib/libcrypto/ocsp/ocsp_ht.c b/src/lib/libcrypto/ocsp/ocsp_ht.c
index b78cd37092..9213e58ae4 100644
--- a/src/lib/libcrypto/ocsp/ocsp_ht.c
+++ b/src/lib/libcrypto/ocsp/ocsp_ht.c
@@ -64,6 +64,9 @@
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
 #include <openssl/buffer.h>
+#ifdef OPENSSL_SYS_SUNOS
+#define strtoul (unsigned long)strtol
+#endif /* OPENSSL_SYS_SUNOS */
 
 /* Quick and dirty HTTP OCSP request handler.
  * Could make this a bit cleverer by adding
@@ -94,7 +97,7 @@ Content-Length: %d\r\n\r\n";
         }
         if(!(mem = BIO_new(BIO_s_mem()))) goto err;
         /* Copy response to a memory BIO: socket bios can't do gets! */
-        while ((len = BIO_read(b, tmpbuf, 1024))) {
+        while ((len = BIO_read(b, tmpbuf, sizeof tmpbuf))) {
                 if(len < 0) {
                         OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_READ_ERROR);
                         goto err;
@@ -107,7 +110,7 @@ Content-Length: %d\r\n\r\n";
         }
         /* Parse the HTTP response. This will look like this:
          * "HTTP/1.0 200 OK". We need to obtain the numeric code and
-         * informational message.
+         * (optional) informational message.
          */
 
         /* Skip to first white space (passed protocol info) */
@@ -135,13 +138,19 @@ Content-Length: %d\r\n\r\n";
         if(*r) goto err;
         /* Skip over any leading white space in message */
         while(*q && isspace((unsigned char)*q))  q++;
-        if(!*q) goto err;
+        if(*q) {
         /* Finally zap any trailing white space in message (include CRLF) */
         /* We know q has a non white space character so this is OK */
-        for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) *r = 0;
+                for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) *r = 0;
+        }
         if(retcode != 200) {
                 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_ERROR);
-                ERR_add_error_data(4, "Code=", p, ",Reason=", q);
+                if(!*q) { 
+                        ERR_add_error_data(2, "Code=", p);
+                }
+                else {
+                        ERR_add_error_data(4, "Code=", p, ",Reason=", q);
+                }
                 goto err;
         }
         /* Find blank line marking beginning of content */      
diff --git a/src/lib/libcrypto/opensslconf.h.in b/src/lib/libcrypto/opensslconf.h.in
index 9082a16c46..685e83b7a3 100644
--- a/src/lib/libcrypto/opensslconf.h.in
+++ b/src/lib/libcrypto/opensslconf.h.in
@@ -47,7 +47,7 @@
 #endif
 #endif
 
-#if (defined(HEADER_DES_H) || defined(HEADER_DES_OLD_H)) && !defined(DES_LONG)
+#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
 /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
  * %20 speed up (longs are 8 bytes, int's are 4). */
 #ifndef DES_LONG
diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h
index 9689b49c5b..08cb1d5018 100644
--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -25,8 +25,8 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER  0x00907003L
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7-beta3 30 Jul 2002"
+#define OPENSSL_VERSION_NUMBER  0x0090702fL
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7b 10 Apr 2003"
 #define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
 
diff --git a/src/lib/libcrypto/ossl_typ.h b/src/lib/libcrypto/ossl_typ.h
index 6bd42aee4d..285fd0b1d9 100644
--- a/src/lib/libcrypto/ossl_typ.h
+++ b/src/lib/libcrypto/ossl_typ.h
@@ -55,6 +55,8 @@
 #ifndef HEADER_OPENSSL_TYPES_H
 #define HEADER_OPENSSL_TYPES_H
 
+#include <openssl/e_os2.h>
+
 #ifdef NO_ASN1_TYPEDEFS
 #define ASN1_INTEGER            ASN1_STRING
 #define ASN1_ENUMERATED         ASN1_STRING
diff --git a/src/lib/libcrypto/pem/Makefile.ssl b/src/lib/libcrypto/pem/Makefile.ssl
index 5075d9107b..d3043eb401 100644
--- a/src/lib/libcrypto/pem/Makefile.ssl
+++ b/src/lib/libcrypto/pem/Makefile.ssl
@@ -71,7 +71,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/pem/pem.h b/src/lib/libcrypto/pem/pem.h
index 3785fca77d..d330cbf9a3 100644
--- a/src/lib/libcrypto/pem/pem.h
+++ b/src/lib/libcrypto/pem/pem.h
@@ -149,7 +149,7 @@ typedef struct pem_recip_st
 
         int cipher;
         int key_enc;
-        char iv[8];
+        /*      char iv[8]; unused and wrong size */
         } PEM_USER;
 
 typedef struct pem_ctx_st
@@ -165,7 +165,8 @@ typedef struct pem_ctx_st
 
         struct  {
                 int cipher;
-                unsigned char iv[8];
+        /* unused, and wrong size
+           unsigned char iv[8]; */
                 } DEK_info;
                 
         PEM_USER *originator;
@@ -187,7 +188,8 @@ typedef struct pem_ctx_st
         EVP_CIPHER *dec;        /* date encryption cipher */
         int key_len;            /* key length */
         unsigned char *key;     /* key */
-        unsigned char iv[8];    /* the iv */
+        /* unused, and wrong size
+           unsigned char iv[8]; */
 
         
         int  data_enc;          /* is the data encrypted */
diff --git a/src/lib/libcrypto/pem/pem_info.c b/src/lib/libcrypto/pem/pem_info.c
index 9a6dffb45c..9e4af29c95 100644
--- a/src/lib/libcrypto/pem/pem_info.c
+++ b/src/lib/libcrypto/pem/pem_info.c
@@ -324,6 +324,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
                                 }
 
                         /* create the right magic header stuff */
+                        OPENSSL_assert(strlen(objstr)+23+2*enc->iv_len+13 <= sizeof buf);
                         buf[0]='\0';
                         PEM_proc_type(buf,PEM_TYPE_ENCRYPTED);
                         PEM_dek_info(buf,objstr,enc->iv_len,(char *)iv);
@@ -358,7 +359,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
         ret=1;
 
 err:
-        memset((char *)&ctx,0,sizeof(ctx));
-        memset(buf,0,PEM_BUFSIZE);
+        OPENSSL_cleanse((char *)&ctx,sizeof(ctx));
+        OPENSSL_cleanse(buf,PEM_BUFSIZE);
         return(ret);
         }
diff --git a/src/lib/libcrypto/pem/pem_lib.c b/src/lib/libcrypto/pem/pem_lib.c
index 50f5733654..3bec2d7e9f 100644
--- a/src/lib/libcrypto/pem/pem_lib.c
+++ b/src/lib/libcrypto/pem/pem_lib.c
@@ -138,7 +138,7 @@ void PEM_proc_type(char *buf, int type)
 
 void PEM_dek_info(char *buf, const char *type, int len, char *str)
         {
-        static unsigned char map[17]="0123456789ABCDEF";
+        static const unsigned char map[17]="0123456789ABCDEF";
         long i;
         int j;
 
@@ -251,7 +251,7 @@ int PEM_bytes_read_bio(unsigned char **pdata, long *plen, char **pnm, const char
         ret = 1;
 
 err:
-        if (!pnm) OPENSSL_free(nm);
+        if (!ret || !pnm) OPENSSL_free(nm);
         OPENSSL_free(header);
         if (!ret) OPENSSL_free(data);
         return ret;
@@ -306,6 +306,7 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
                 goto err;
                 }
         /* dzise + 8 bytes are needed */
+        /* actually it needs the cipher block size extra... */
         data=(unsigned char *)OPENSSL_malloc((unsigned int)dsize+20);
         if (data == NULL)
                 {
@@ -335,13 +336,16 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
                         kstr=(unsigned char *)buf;
                         }
                 RAND_add(data,i,0);/* put in the RSA key. */
+                OPENSSL_assert(enc->iv_len <= sizeof iv);
                 if (RAND_pseudo_bytes(iv,enc->iv_len) < 0) /* Generate a salt */
                         goto err;
                 /* The 'iv' is used as the iv and as a salt.  It is
                  * NOT taken from the BytesToKey function */
                 EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL);
 
-                if (kstr == (unsigned char *)buf) memset(buf,0,PEM_BUFSIZE);
+                if (kstr == (unsigned char *)buf) OPENSSL_cleanse(buf,PEM_BUFSIZE);
+
+                OPENSSL_assert(strlen(objstr)+23+2*enc->iv_len+13 <= sizeof buf);
 
                 buf[0]='\0';
                 PEM_proc_type(buf,PEM_TYPE_ENCRYPTED);
@@ -364,13 +368,13 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
         i=PEM_write_bio(bp,name,buf,data,i);
         if (i <= 0) ret=0;
 err:
-        memset(key,0,sizeof(key));
-        memset(iv,0,sizeof(iv));
-        memset((char *)&ctx,0,sizeof(ctx));
-        memset(buf,0,PEM_BUFSIZE);
+        OPENSSL_cleanse(key,sizeof(key));
+        OPENSSL_cleanse(iv,sizeof(iv));
+        OPENSSL_cleanse((char *)&ctx,sizeof(ctx));
+        OPENSSL_cleanse(buf,PEM_BUFSIZE);
         if (data != NULL)
                 {
-                memset(data,0,(unsigned int)dsize);
+                OPENSSL_cleanse(data,(unsigned int)dsize);
                 OPENSSL_free(data);
                 }
         return(ret);
@@ -411,8 +415,8 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
         EVP_DecryptUpdate(&ctx,data,&i,data,j);
         o=EVP_DecryptFinal_ex(&ctx,&(data[i]),&j);
         EVP_CIPHER_CTX_cleanup(&ctx);
-        memset((char *)buf,0,sizeof(buf));
-        memset((char *)key,0,sizeof(key));
+        OPENSSL_cleanse((char *)buf,sizeof(buf));
+        OPENSSL_cleanse((char *)key,sizeof(key));
         j+=i;
         if (!o)
                 {
@@ -693,7 +697,7 @@ int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data,
                         if (strncmp(buf,"-----END ",9) == 0)
                                 break;
                         if (i > 65) break;
-                        if (!BUF_MEM_grow(dataB,i+bl+9))
+                        if (!BUF_MEM_grow_clean(dataB,i+bl+9))
                                 {
                                 PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE);
                                 goto err;
diff --git a/src/lib/libcrypto/pem/pem_pk8.c b/src/lib/libcrypto/pem/pem_pk8.c
index f44182ffb5..db38a2a79d 100644
--- a/src/lib/libcrypto/pem/pem_pk8.c
+++ b/src/lib/libcrypto/pem/pem_pk8.c
@@ -136,7 +136,7 @@ static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER
                         kstr = buf;
                 }
                 p8 = PKCS8_encrypt(nid, enc, kstr, klen, NULL, 0, 0, p8inf);
-                if(kstr == buf) memset(buf, 0, klen);
+                if(kstr == buf) OPENSSL_cleanse(buf, klen);
                 PKCS8_PRIV_KEY_INFO_free(p8inf);
                 if(isder) ret = i2d_PKCS8_bio(bp, p8);
                 else ret = PEM_write_bio_PKCS8(bp, p8);
diff --git a/src/lib/libcrypto/pem/pem_seal.c b/src/lib/libcrypto/pem/pem_seal.c
index ae463a301d..56e08abd70 100644
--- a/src/lib/libcrypto/pem/pem_seal.c
+++ b/src/lib/libcrypto/pem/pem_seal.c
@@ -112,7 +112,7 @@ int PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type, EVP_MD *md_type,
         ret=npubk;
 err:
         if (s != NULL) OPENSSL_free(s);
-        memset(key,0,EVP_MAX_KEY_LENGTH);
+        OPENSSL_cleanse(key,EVP_MAX_KEY_LENGTH);
         return(ret);
         }
 
diff --git a/src/lib/libcrypto/perlasm/cbc.pl b/src/lib/libcrypto/perlasm/cbc.pl
index 0145c4f0cc..22149c680e 100644
--- a/src/lib/libcrypto/perlasm/cbc.pl
+++ b/src/lib/libcrypto/perlasm/cbc.pl
@@ -146,9 +146,15 @@ sub cbc
         &mov($count,    &wparam(2));    # length
         &and($count,    7);
         &jz(&label("finish"));
+        &call(&label("PIC_point"));
+&set_label("PIC_point");
+        &blindpop("edx");
+        &lea("ecx",&DWP(&label("cbc_enc_jmp_table")."-".&label("PIC_point"),"edx"));
+        &mov($count,&DWP(0,"ecx",$count,4))
+        &add($count,"edx");
         &xor("ecx","ecx");
         &xor("edx","edx");
-        &mov($count,&DWP(&label("cbc_enc_jmp_table"),"",$count,4));
+        #&mov($count,&DWP(&label("cbc_enc_jmp_table"),"",$count,4));
         &jmp_ptr($count);
 
 &set_label("ej7");
@@ -318,22 +324,23 @@ sub cbc
 
         &set_label("cbc_enc_jmp_table",1);
         &data_word("0");
-        &data_word(&label("ej1"));
-        &data_word(&label("ej2"));
-        &data_word(&label("ej3"));
-        &data_word(&label("ej4"));
-        &data_word(&label("ej5"));
-        &data_word(&label("ej6"));
-        &data_word(&label("ej7"));
-        &set_label("cbc_dec_jmp_table",1);
-        &data_word("0");
-        &data_word(&label("dj1"));
-        &data_word(&label("dj2"));
-        &data_word(&label("dj3"));
-        &data_word(&label("dj4"));
-        &data_word(&label("dj5"));
-        &data_word(&label("dj6"));
-        &data_word(&label("dj7"));
+        &data_word(&label("ej1")."-".&label("PIC_point"));
+        &data_word(&label("ej2")."-".&label("PIC_point"));
+        &data_word(&label("ej3")."-".&label("PIC_point"));
+        &data_word(&label("ej4")."-".&label("PIC_point"));
+        &data_word(&label("ej5")."-".&label("PIC_point"));
+        &data_word(&label("ej6")."-".&label("PIC_point"));
+        &data_word(&label("ej7")."-".&label("PIC_point"));
+        # not used
+        #&set_label("cbc_dec_jmp_table",1);
+        #&data_word("0");
+        #&data_word(&label("dj1")."-".&label("PIC_point"));
+        #&data_word(&label("dj2")."-".&label("PIC_point"));
+        #&data_word(&label("dj3")."-".&label("PIC_point"));
+        #&data_word(&label("dj4")."-".&label("PIC_point"));
+        #&data_word(&label("dj5")."-".&label("PIC_point"));
+        #&data_word(&label("dj6")."-".&label("PIC_point"));
+        #&data_word(&label("dj7")."-".&label("PIC_point"));
 
         &function_end_B($name);
         
diff --git a/src/lib/libcrypto/perlasm/x86asm.pl b/src/lib/libcrypto/perlasm/x86asm.pl
index 9a3d85b098..1cb96e914a 100644
--- a/src/lib/libcrypto/perlasm/x86asm.pl
+++ b/src/lib/libcrypto/perlasm/x86asm.pl
@@ -18,9 +18,9 @@ sub main'asm_init
         ($type,$fn,$i386)=@_;
         $filename=$fn;
 
-        $cpp=$sol=$aout=$win32=$gaswin=0;
+        $elf=$cpp=$sol=$aout=$win32=$gaswin=0;
         if (    ($type eq "elf"))
-                { require "x86unix.pl"; }
+                { $elf=1; require "x86unix.pl"; }
         elsif ( ($type eq "a.out"))
                 { $aout=1; require "x86unix.pl"; }
         elsif ( ($type eq "gaswin"))
@@ -47,6 +47,9 @@ EOF
                 exit(1);
                 }
 
+        $pic=0;
+        for (@ARGV) {   $pic=1 if (/\-[fK]PIC/i);       }
+
         &asm_init_output();
 
 &comment("Don't even think of reading this code");
@@ -91,7 +94,7 @@ $tmp
 #undef SIZE
 #undef TYPE
 #define SIZE(a,b)
-#define TYPE(a,b)
+#define TYPE(a,b)       .def a; .scl 2; .type 32; .endef
 #endif /* __CYGWIN || __DJGPP */
 #endif
 
diff --git a/src/lib/libcrypto/perlasm/x86ms.pl b/src/lib/libcrypto/perlasm/x86ms.pl
index 206452341d..35f1a4ddb9 100644
--- a/src/lib/libcrypto/perlasm/x86ms.pl
+++ b/src/lib/libcrypto/perlasm/x86ms.pl
@@ -92,6 +92,8 @@ sub get_mem
                 $addr="_$addr";
                 }
 
+        if ($addr =~ /^.+\-.+$/) { $addr="($addr)"; }
+
         $reg1="$regs{$reg1}" if defined($regs{$reg1});
         $reg2="$regs{$reg2}" if defined($regs{$reg2});
         if (($addr ne "") && ($addr ne 0))
@@ -111,6 +113,7 @@ sub get_mem
                 {
                 $ret.="[$reg1$post]"
                 }
+        $ret =~ s/\[\]//;       # in case $addr was the only argument
         return($ret);
         }
 
@@ -151,7 +154,7 @@ sub main'push	{ &out1("push",@_); $stack+=4; }
 sub main'pop    { &out1("pop",@_); $stack-=4; }
 sub main'bswap  { &out1("bswap",@_); &using486(); }
 sub main'not    { &out1("not",@_); }
-sub main'call   { &out1("call",'_'.$_[0]); }
+sub main'call   { &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); }
 sub main'ret    { &out0("ret"); }
 sub main'nop    { &out0("nop"); }
 
@@ -338,7 +341,7 @@ sub main'set_label
         {
         if (!defined($label{$_[0]}))
                 {
-                $label{$_[0]}="${label}${_[0]}";
+                $label{$_[0]}="\$${label}${_[0]}";
                 $label++;
                 }
         if((defined $_[2]) && ($_[2] == 1))
@@ -363,3 +366,11 @@ sub out1p
 
         push(@out,"\t$name\t ".&conv($p1)."\n");
         }
+
+sub main'picmeup
+        {
+        local($dst,$sym)=@_;
+        &main'lea($dst,&main'DWP($sym));
+        }
+
+sub main'blindpop { &out1("pop",@_); }
diff --git a/src/lib/libcrypto/perlasm/x86nasm.pl b/src/lib/libcrypto/perlasm/x86nasm.pl
index 519d8a5867..f30b7466d4 100644
--- a/src/lib/libcrypto/perlasm/x86nasm.pl
+++ b/src/lib/libcrypto/perlasm/x86nasm.pl
@@ -98,6 +98,8 @@ sub get_mem
                 $addr="_$addr";
                 }
 
+        if ($addr =~ /^.+\-.+$/) { $addr="($addr)"; }
+
         $reg1="$regs{$reg1}" if defined($regs{$reg1});
         $reg2="$regs{$reg2}" if defined($regs{$reg2});
         if (($addr ne "") && ($addr ne 0))
@@ -117,6 +119,7 @@ sub get_mem
                 {
                 $ret.="$reg1$post]"
                 }
+        $ret =~ s/\+\]/]/; # in case $addr was the only argument
         return($ret);
         }
 
@@ -160,7 +163,7 @@ sub main'push	{ &out1("push",@_); $stack+=4; }
 sub main'pop    { &out1("pop",@_); $stack-=4; }
 sub main'bswap  { &out1("bswap",@_); &using486(); }
 sub main'not    { &out1("not",@_); }
-sub main'call   { &out1("call",'_'.$_[0]); }
+sub main'call   { &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); }
 sub main'ret    { &out0("ret"); }
 sub main'nop    { &out0("nop"); }
 
@@ -322,7 +325,7 @@ sub main'set_label
         {
         if (!defined($label{$_[0]}))
                 {
-                $label{$_[0]}="${label}${_[0]}";
+                $label{$_[0]}="\$${label}${_[0]}";
                 $label++;
                 }
         push(@out,"$label{$_[0]}:\n");
@@ -340,3 +343,11 @@ sub out1p
 
         push(@out,"\t$name\t ".&conv($p1)."\n");
         }
+
+sub main'picmeup
+        {
+        local($dst,$sym)=@_;
+        &main'lea($dst,&main'DWP($sym));
+        }
+
+sub main'blindpop { &out1("pop",@_); }
diff --git a/src/lib/libcrypto/perlasm/x86unix.pl b/src/lib/libcrypto/perlasm/x86unix.pl
index 9ceabf0705..72bde061c5 100644
--- a/src/lib/libcrypto/perlasm/x86unix.pl
+++ b/src/lib/libcrypto/perlasm/x86unix.pl
@@ -87,12 +87,12 @@ sub main'DWP
         $ret.=$addr if ($addr ne "") && ($addr ne 0);
         if ($reg2 ne "")
                 {
-                if($idx ne "")
+                if($idx ne "" && $idx != 0)
                     { $ret.="($reg1,$reg2,$idx)"; }
                 else
                     { $ret.="($reg1,$reg2)"; }
                 }
-        else
+        elsif ($reg1 ne "")
                 { $ret.="($reg1)" }
         return($ret);
         }
@@ -167,7 +167,7 @@ sub main'pop	{ &out1("popl",@_); $stack-=4; }
 sub main'pushf  { &out0("pushf"); $stack+=4; }
 sub main'popf   { &out0("popf"); $stack-=4; }
 sub main'not    { &out1("notl",@_); }
-sub main'call   { &out1("call",$under.$_[0]); }
+sub main'call   { &out1("call",($_[0]=~/^\.L/?'':$under).$_[0]); }
 sub main'ret    { &out0("ret"); }
 sub main'nop    { &out0("nop"); }
 
@@ -345,15 +345,15 @@ sub main'function_end
         popl    %ebx
         popl    %ebp
         ret
-.${func}_end:
+.L_${func}_end:
 EOF
         push(@out,$tmp);
 
         if ($main'cpp)
-                { push(@out,"\tSIZE($func,.${func}_end-$func)\n"); }
+                { push(@out,"\tSIZE($func,.L_${func}_end-$func)\n"); }
         elsif ($main'gaswin)
                 { $tmp=push(@out,"\t.align 4\n"); }
-        else    { push(@out,"\t.size\t$func,.${func}_end-$func\n"); }
+        else    { push(@out,"\t.size\t$func,.L_${func}_end-$func\n"); }
         push(@out,".ident       \"$func\"\n");
         $stack=0;
         %label=();
@@ -426,6 +426,11 @@ sub main'swtmp
 
 sub main'comment
         {
+        if ($main'elf)  # GNU and SVR4 as'es use different comment delimiters,
+                {       # so we just skip comments...
+                push(@out,"\n");
+                return;
+                }
         foreach (@_)
                 {
                 if (/^\s*$/)
@@ -542,3 +547,39 @@ sub popvars
         &main'pop("edx");
         &main'popf();
         }
+
+sub main'picmeup
+        {
+        local($dst,$sym)=@_;
+        if ($main'cpp)
+                {
+                local($tmp)=<<___;
+#if (defined(ELF) || defined(SOL)) && defined(PIC)
+        .align  8
+        call    1f
+1:      popl    $regs{$dst}
+        addl    \$_GLOBAL_OFFSET_TABLE_+[.-1b],$regs{$dst}
+        movl    $sym\@GOT($regs{$dst}),$regs{$dst}
+#else
+        leal    $sym,$regs{$dst}
+#endif
+___
+                push(@out,$tmp);
+                }
+        elsif ($main'pic && ($main'elf || $main'aout))
+                {
+                push(@out,"\t.align\t8\n");
+                &main'call(&main'label("PIC_me_up"));
+                &main'set_label("PIC_me_up");
+                &main'blindpop($dst);
+                &main'add($dst,"\$$under"."_GLOBAL_OFFSET_TABLE_+[.-".
+                                &main'label("PIC_me_up") . "]");
+                &main'mov($dst,&main'DWP($sym."\@GOT",$dst));
+                }
+        else
+                {
+                &main'lea($dst,&main'DWP($sym));
+                }
+        }
+
+sub main'blindpop { &out1("popl",@_); }
diff --git a/src/lib/libcrypto/pkcs12/Makefile.ssl b/src/lib/libcrypto/pkcs12/Makefile.ssl
index 2b1d175157..a6e47b4085 100644
--- a/src/lib/libcrypto/pkcs12/Makefile.ssl
+++ b/src/lib/libcrypto/pkcs12/Makefile.ssl
@@ -74,7 +74,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/pkcs12/p12_crpt.c b/src/lib/libcrypto/pkcs12/p12_crpt.c
index 97be6a5fb5..5e8958612b 100644
--- a/src/lib/libcrypto/pkcs12/p12_crpt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crpt.c
@@ -118,7 +118,7 @@ int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
         }
         PBEPARAM_free(pbe);
         EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
-        memset(key, 0, EVP_MAX_KEY_LENGTH);
-        memset(iv, 0, EVP_MAX_IV_LENGTH);
+        OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
+        OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
         return 1;
 }
diff --git a/src/lib/libcrypto/pkcs12/p12_decr.c b/src/lib/libcrypto/pkcs12/p12_decr.c
index 394af368f4..b5684a83ba 100644
--- a/src/lib/libcrypto/pkcs12/p12_decr.c
+++ b/src/lib/libcrypto/pkcs12/p12_decr.c
@@ -136,7 +136,7 @@ void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
         }
 #endif
         ret = ASN1_item_d2i(NULL, &p, outlen, it);
-        if (zbuf) memset(out, 0, outlen);
+        if (zbuf) OPENSSL_cleanse(out, outlen);
         if(!ret) PKCS12err(PKCS12_F_PKCS12_DECRYPT_D2I,PKCS12_R_DECODE_ERROR);
         OPENSSL_free(out);
         return ret;
@@ -168,7 +168,7 @@ ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, const ASN1_ITEM *i
                 OPENSSL_free(in);
                 return NULL;
         }
-        if (zbuf) memset(in, 0, inlen);
+        if (zbuf) OPENSSL_cleanse(in, inlen);
         OPENSSL_free(in);
         return oct;
 }
diff --git a/src/lib/libcrypto/pkcs12/p12_key.c b/src/lib/libcrypto/pkcs12/p12_key.c
index 0d39ebde8c..9196a34b4a 100644
--- a/src/lib/libcrypto/pkcs12/p12_key.c
+++ b/src/lib/libcrypto/pkcs12/p12_key.c
@@ -91,7 +91,7 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
         ret = PKCS12_key_gen_uni(unipass, uniplen, salt, saltlen,
                                                  id, iter, n, out, md_type);
         if(unipass) {
-                memset(unipass, 0, uniplen);    /* Clear password from memory */
+                OPENSSL_cleanse(unipass, uniplen);      /* Clear password from memory */
                 OPENSSL_free(unipass);
         }
         return ret;
diff --git a/src/lib/libcrypto/pkcs12/p12_npas.c b/src/lib/libcrypto/pkcs12/p12_npas.c
index a549433eeb..af708a2743 100644
--- a/src/lib/libcrypto/pkcs12/p12_npas.c
+++ b/src/lib/libcrypto/pkcs12/p12_npas.c
@@ -107,7 +107,7 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
 {
         STACK_OF(PKCS7) *asafes, *newsafes;
         STACK_OF(PKCS12_SAFEBAG) *bags;
-        int i, bagnid, pbe_nid, pbe_iter, pbe_saltlen;
+        int i, bagnid, pbe_nid = 0, pbe_iter = 0, pbe_saltlen = 0;
         PKCS7 *p7, *p7new;
         ASN1_OCTET_STRING *p12_data_tmp = NULL, *macnew = NULL;
         unsigned char mac[EVP_MAX_MD_SIZE];
diff --git a/src/lib/libcrypto/pkcs7/Makefile.ssl b/src/lib/libcrypto/pkcs7/Makefile.ssl
index 1302469def..c3bfc7d560 100644
--- a/src/lib/libcrypto/pkcs7/Makefile.ssl
+++ b/src/lib/libcrypto/pkcs7/Makefile.ssl
@@ -89,7 +89,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/pkcs7/bio_ber.c b/src/lib/libcrypto/pkcs7/bio_ber.c
index 42331f7ab0..895a91177b 100644
--- a/src/lib/libcrypto/pkcs7/bio_ber.c
+++ b/src/lib/libcrypto/pkcs7/bio_ber.c
@@ -145,7 +145,7 @@ static int ber_free(BIO *a)
 
         if (a == NULL) return(0);
         b=(BIO_BER_CTX *)a->ptr;
-        memset(a->ptr,0,sizeof(BIO_BER_CTX));
+        OPENSSL_cleanse(a->ptr,sizeof(BIO_BER_CTX));
         OPENSSL_free(a->ptr);
         a->ptr=NULL;
         a->init=0;
diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c
index 4a4ff340ce..0060a2ea3d 100644
--- a/src/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/src/lib/libcrypto/pkcs7/pk7_doit.c
@@ -241,7 +241,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
                         M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj);
                         }
                 OPENSSL_free(tmp);
-                memset(key, 0, keylen);
+                OPENSSL_cleanse(key, keylen);
 
                 if (out == NULL)
                         out=btmp;
@@ -448,7 +448,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                 } 
                 EVP_CipherInit_ex(evp_ctx,NULL,NULL,tmp,NULL,0);
 
-                memset(tmp,0,jj);
+                OPENSSL_cleanse(tmp,jj);
 
                 if (out == NULL)
                         out=etmp;
@@ -578,7 +578,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                         /* We now have the EVP_MD_CTX, lets do the
                          * signing. */
                         EVP_MD_CTX_copy_ex(&ctx_tmp,mdc);
-                        if (!BUF_MEM_grow(buf,EVP_PKEY_size(si->pkey)))
+                        if (!BUF_MEM_grow_clean(buf,EVP_PKEY_size(si->pkey)))
                                 {
                                 PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_BIO_LIB);
                                 goto err;
diff --git a/src/lib/libcrypto/rand/Makefile.ssl b/src/lib/libcrypto/rand/Makefile.ssl
index 73b5f568e8..df80702373 100644
--- a/src/lib/libcrypto/rand/Makefile.ssl
+++ b/src/lib/libcrypto/rand/Makefile.ssl
@@ -70,7 +70,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/rand/md_rand.c b/src/lib/libcrypto/rand/md_rand.c
index a00ed70718..eeffc0df4c 100644
--- a/src/lib/libcrypto/rand/md_rand.c
+++ b/src/lib/libcrypto/rand/md_rand.c
@@ -177,10 +177,10 @@ RAND_METHOD *RAND_SSLeay(void)
 
 static void ssleay_rand_cleanup(void)
         {
-        memset(state,0,sizeof(state));
+        OPENSSL_cleanse(state,sizeof(state));
         state_num=0;
         state_index=0;
-        memset(md,0,MD_DIGEST_LENGTH);
+        OPENSSL_cleanse(md,MD_DIGEST_LENGTH);
         md_count[0]=0;
         md_count[1]=0;
         entropy=0;
diff --git a/src/lib/libcrypto/rand/rand.h b/src/lib/libcrypto/rand/rand.h
index 66e39991ec..606382dd21 100644
--- a/src/lib/libcrypto/rand/rand.h
+++ b/src/lib/libcrypto/rand/rand.h
@@ -87,7 +87,9 @@ extern int rand_predictable;
 
 int RAND_set_rand_method(const RAND_METHOD *meth);
 const RAND_METHOD *RAND_get_rand_method(void);
+#ifndef OPENSSL_NO_ENGINE
 int RAND_set_rand_engine(ENGINE *engine);
+#endif
 RAND_METHOD *RAND_SSLeay(void);
 void RAND_cleanup(void );
 int  RAND_bytes(unsigned char *buf,int num);
diff --git a/src/lib/libcrypto/rand/rand_egd.c b/src/lib/libcrypto/rand/rand_egd.c
index 96019c07a6..895967476e 100644
--- a/src/lib/libcrypto/rand/rand_egd.c
+++ b/src/lib/libcrypto/rand/rand_egd.c
@@ -94,7 +94,7 @@
  *   RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255.
  */
 
-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(__DJGPP__)
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS)
 int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
         {
         return(-1);
@@ -114,7 +114,7 @@ int RAND_egd_bytes(const char *path,int bytes)
 #include <sys/types.h>
 #include <sys/socket.h>
 #ifndef NO_SYS_UN_H
-# ifdef OPENSSL_SYS_VSWORKS
+# ifdef OPENSSL_SYS_VXWORKS
 #   include <streams/un.h>
 # else
 #   include <sys/un.h>
@@ -143,7 +143,7 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
 
         memset(&addr, 0, sizeof(addr));
         addr.sun_family = AF_UNIX;
-        if (strlen(path) > sizeof(addr.sun_path))
+        if (strlen(path) >= sizeof(addr.sun_path))
                 return (-1);
         strlcpy(addr.sun_path,path,sizeof addr.sun_path);
         len = offsetof(struct sockaddr_un, sun_path) + strlen(path);
diff --git a/src/lib/libcrypto/rand/rand_lib.c b/src/lib/libcrypto/rand/rand_lib.c
index 5cf5dc1188..513e338985 100644
--- a/src/lib/libcrypto/rand/rand_lib.c
+++ b/src/lib/libcrypto/rand/rand_lib.c
@@ -60,19 +60,25 @@
 #include <time.h>
 #include "cryptlib.h"
 #include <openssl/rand.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 
+#ifndef OPENSSL_NO_ENGINE
 /* non-NULL if default_RAND_meth is ENGINE-provided */
 static ENGINE *funct_ref =NULL;
+#endif
 static const RAND_METHOD *default_RAND_meth = NULL;
 
 int RAND_set_rand_method(const RAND_METHOD *meth)
         {
+#ifndef OPENSSL_NO_ENGINE
         if(funct_ref)
                 {
                 ENGINE_finish(funct_ref);
                 funct_ref = NULL;
                 }
+#endif
         default_RAND_meth = meth;
         return 1;
         }
@@ -81,6 +87,7 @@ const RAND_METHOD *RAND_get_rand_method(void)
         {
         if (!default_RAND_meth)
                 {
+#ifndef OPENSSL_NO_ENGINE
                 ENGINE *e = ENGINE_get_default_RAND();
                 if(e)
                         {
@@ -94,11 +101,13 @@ const RAND_METHOD *RAND_get_rand_method(void)
                 if(e)
                         funct_ref = e;
                 else
+#endif
                         default_RAND_meth = RAND_SSLeay();
                 }
         return default_RAND_meth;
         }
 
+#ifndef OPENSSL_NO_ENGINE
 int RAND_set_rand_engine(ENGINE *engine)
         {
         const RAND_METHOD *tmp_meth = NULL;
@@ -118,6 +127,7 @@ int RAND_set_rand_engine(ENGINE *engine)
         funct_ref = engine;
         return 1;
         }
+#endif
 
 void RAND_cleanup(void)
         {
diff --git a/src/lib/libcrypto/rand/rand_unix.c b/src/lib/libcrypto/rand/rand_unix.c
index fa2bab57c6..0599719dd1 100644
--- a/src/lib/libcrypto/rand/rand_unix.c
+++ b/src/lib/libcrypto/rand/rand_unix.c
@@ -115,7 +115,7 @@
 #include <openssl/rand.h>
 #include "rand_lcl.h"
 
-#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2))
+#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS))
 
 #include <sys/types.h>
 #include <sys/time.h>
@@ -233,7 +233,7 @@ int RAND_poll(void)
         if (n > 0)
                 {
                 RAND_add(tmpbuf,sizeof tmpbuf,n);
-                memset(tmpbuf,0,n);
+                OPENSSL_cleanse(tmpbuf,n);
                 }
 #endif
 
@@ -255,3 +255,10 @@ int RAND_poll(void)
 
 #endif
 #endif
+
+#if defined(OPENSSL_SYS_VXWORKS)
+int RAND_poll(void)
+{
+    return 0;
+}
+#endif
diff --git a/src/lib/libcrypto/rand/rand_win.c b/src/lib/libcrypto/rand/rand_win.c
index c1b955b06f..113b58678f 100644
--- a/src/lib/libcrypto/rand/rand_win.c
+++ b/src/lib/libcrypto/rand/rand_win.c
@@ -125,7 +125,7 @@
  * http://developer.intel.com/design/security/rng/redist_license.htm
  */
 #define PROV_INTEL_SEC 22
-#define INTEL_DEF_PROV "Intel Hardware Cryptographic Service Provider"
+#define INTEL_DEF_PROV TEXT("Intel Hardware Cryptographic Service Provider")
 
 static void readtimer(void);
 static void readscreen(void);
@@ -170,7 +170,9 @@ typedef BOOL (WINAPI *THREAD32)(HANDLE, LPTHREADENTRY32);
 typedef BOOL (WINAPI *MODULE32)(HANDLE, LPMODULEENTRY32);
 
 #include <lmcons.h>
+#ifndef OPENSSL_SYS_WINCE
 #include <lmstats.h>
+#endif
 #if 1 /* The NET API is Unicode only.  It requires the use of the UNICODE
        * macro.  When UNICODE is defined LPTSTR becomes LPWSTR.  LMSTR was
        * was added to the Platform SDK to allow the NET API to be used in
@@ -209,20 +211,32 @@ int RAND_poll(void)
         osverinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO) ;
         GetVersionEx( &osverinfo ) ;
 
+#if defined(OPENSSL_SYS_WINCE) && WCEPLATFORM!=MS_HPC_PRO
+        /* poll the CryptoAPI PRNG */
+        /* The CryptoAPI returns sizeof(buf) bytes of randomness */
+        if (CryptAcquireContext(&hProvider, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
+                {
+                if (CryptGenRandom(hProvider, sizeof(buf), buf))
+                        RAND_add(buf, sizeof(buf), sizeof(buf));
+                CryptReleaseContext(hProvider, 0); 
+                }
+#endif
+
         /* load functions dynamically - not available on all systems */
-        advapi = LoadLibrary("ADVAPI32.DLL");
-        kernel = LoadLibrary("KERNEL32.DLL");
-        user = LoadLibrary("USER32.DLL");
-        netapi = LoadLibrary("NETAPI32.DLL");
+        advapi = LoadLibrary(TEXT("ADVAPI32.DLL"));
+        kernel = LoadLibrary(TEXT("KERNEL32.DLL"));
+        user = LoadLibrary(TEXT("USER32.DLL"));
+        netapi = LoadLibrary(TEXT("NETAPI32.DLL"));
 
+#ifndef OPENSSL_SYS_WINCE
 #if 1 /* There was previously a problem with NETSTATGET.  Currently, this
        * section is still experimental, but if all goes well, this conditional
        * will be removed
        */
         if (netapi)
                 {
-                netstatget = (NETSTATGET) GetProcAddress(netapi,"NetStatisticsGet");
-                netfree = (NETFREE) GetProcAddress(netapi,"NetApiBufferFree");
+                netstatget = (NETSTATGET) GetProcAddress(netapi,TEXT("NetStatisticsGet"));
+                netfree = (NETFREE) GetProcAddress(netapi,TEXT("NetApiBufferFree"));
                 }
 
         if (netstatget && netfree)
@@ -249,7 +263,9 @@ int RAND_poll(void)
         if (netapi)
                 FreeLibrary(netapi);
 #endif /* 1 */
+#endif /* !OPENSSL_SYS_WINCE */
  
+#ifndef OPENSSL_SYS_WINCE
         /* It appears like this can cause an exception deep within ADVAPI32.DLL
          * at random times on Windows 2000.  Reported by Jeffrey Altman.  
          * Only use it on NT.
@@ -280,30 +296,40 @@ int RAND_poll(void)
                         bufsz += 8192;
 
                         length = bufsz;
-                        rc = RegQueryValueEx(HKEY_PERFORMANCE_DATA, "Global",
+                        rc = RegQueryValueEx(HKEY_PERFORMANCE_DATA, TEXT("Global"),
                                 NULL, NULL, buf, &length);
                         }
                 if (rc == ERROR_SUCCESS)
                         {
                         /* For entropy count assume only least significant
                          * byte of each DWORD is random.
-                         */
+                         */
                         RAND_add(&length, sizeof(length), 0);
                         RAND_add(buf, length, length / 4.0);
+
+                        /* Close the Registry Key to allow Windows to cleanup/close
+                         * the open handle
+                         * Note: The 'HKEY_PERFORMANCE_DATA' key is implicitly opened
+                         *       when the RegQueryValueEx above is done.  However, if
+                         *       it is not explicitly closed, it can cause disk
+                         *       partition manipulation problems.
+                         */
+                        RegCloseKey(HKEY_PERFORMANCE_DATA);
                         }
                 if (buf)
                         free(buf);
                 }
 #endif
+#endif /* !OPENSSL_SYS_WINCE */
 
         if (advapi)
                 {
                 acquire = (CRYPTACQUIRECONTEXT) GetProcAddress(advapi,
-                        "CryptAcquireContextA");
+                        TEXT("CryptAcquireContextA"));
                 gen = (CRYPTGENRANDOM) GetProcAddress(advapi,
-                        "CryptGenRandom");
+                        TEXT("CryptGenRandom"));
                 release = (CRYPTRELEASECONTEXT) GetProcAddress(advapi,
-                        "CryptReleaseContext");
+                        TEXT("CryptReleaseContext"));
                 }
 
         if (acquire && gen && release)
@@ -357,9 +383,9 @@ int RAND_poll(void)
                 GETFOREGROUNDWINDOW win;
                 GETQUEUESTATUS queue;
 
-                win = (GETFOREGROUNDWINDOW) GetProcAddress(user, "GetForegroundWindow");
-                cursor = (GETCURSORINFO) GetProcAddress(user, "GetCursorInfo");
-                queue = (GETQUEUESTATUS) GetProcAddress(user, "GetQueueStatus");
+                win = (GETFOREGROUNDWINDOW) GetProcAddress(user, TEXT("GetForegroundWindow"));
+                cursor = (GETCURSORINFO) GetProcAddress(user, TEXT("GetCursorInfo"));
+                queue = (GETQUEUESTATUS) GetProcAddress(user, TEXT("GetQueueStatus"));
 
                 if (win)
                         {
@@ -430,17 +456,17 @@ int RAND_poll(void)
                 MODULEENTRY32 m;
 
                 snap = (CREATETOOLHELP32SNAPSHOT)
-                        GetProcAddress(kernel, "CreateToolhelp32Snapshot");
-                heap_first = (HEAP32FIRST) GetProcAddress(kernel, "Heap32First");
-                heap_next = (HEAP32NEXT) GetProcAddress(kernel, "Heap32Next");
-                heaplist_first = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListFirst");
-                heaplist_next = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListNext");
-                process_first = (PROCESS32) GetProcAddress(kernel, "Process32First");
-                process_next = (PROCESS32) GetProcAddress(kernel, "Process32Next");
-                thread_first = (THREAD32) GetProcAddress(kernel, "Thread32First");
-                thread_next = (THREAD32) GetProcAddress(kernel, "Thread32Next");
-                module_first = (MODULE32) GetProcAddress(kernel, "Module32First");
-                module_next = (MODULE32) GetProcAddress(kernel, "Module32Next");
+                        GetProcAddress(kernel, TEXT("CreateToolhelp32Snapshot"));
+                heap_first = (HEAP32FIRST) GetProcAddress(kernel, TEXT("Heap32First"));
+                heap_next = (HEAP32NEXT) GetProcAddress(kernel, TEXT("Heap32Next"));
+                heaplist_first = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListFirst"));
+                heaplist_next = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListNext"));
+                process_first = (PROCESS32) GetProcAddress(kernel, TEXT("Process32First"));
+                process_next = (PROCESS32) GetProcAddress(kernel, TEXT("Process32Next"));
+                thread_first = (THREAD32) GetProcAddress(kernel, TEXT("Thread32First"));
+                thread_next = (THREAD32) GetProcAddress(kernel, TEXT("Thread32Next"));
+                module_first = (MODULE32) GetProcAddress(kernel, TEXT("Module32First"));
+                module_next = (MODULE32) GetProcAddress(kernel, TEXT("Module32Next"));
 
                 if (snap && heap_first && heap_next && heaplist_first &&
                         heaplist_next && process_first && process_next &&
@@ -575,7 +601,7 @@ static void readtimer(void)
         DWORD w;
         LARGE_INTEGER l;
         static int have_perfc = 1;
-#ifdef _MSC_VER
+#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE)
         static int have_tsc = 1;
         DWORD cyclecount;
 
@@ -628,6 +654,7 @@ static void readtimer(void)
 
 static void readscreen(void)
 {
+#ifndef OPENSSL_SYS_WINCE
   HDC           hScrDC;         /* screen DC */
   HDC           hMemDC;         /* memory DC */
   HBITMAP       hBitmap;        /* handle for our bitmap */
@@ -641,7 +668,7 @@ static void readscreen(void)
   int           n = 16;         /* number of screen lines to grab at a time */
 
   /* Create a screen DC and a memory DC compatible to screen DC */
-  hScrDC = CreateDC("DISPLAY", NULL, NULL, NULL);
+  hScrDC = CreateDC(TEXT("DISPLAY"), NULL, NULL, NULL);
   hMemDC = CreateCompatibleDC(hScrDC);
 
   /* Get screen resolution */
@@ -688,6 +715,7 @@ static void readscreen(void)
   DeleteObject(hBitmap);
   DeleteDC(hMemDC);
   DeleteDC(hScrDC);
+#endif /* !OPENSSL_SYS_WINCE */
 }
 
 #endif
diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c
index 311dd27a7b..cfbec2ac1f 100644
--- a/src/lib/libcrypto/rand/randfile.c
+++ b/src/lib/libcrypto/rand/randfile.c
@@ -132,7 +132,7 @@ int RAND_load_file(const char *file, long bytes)
                         }
                 }
         fclose(in);
-        memset(buf,0,BUFSIZE);
+        OPENSSL_cleanse(buf,BUFSIZE);
 err:
         return(ret);
         }
@@ -210,7 +210,7 @@ int RAND_write_file(const char *file)
 #endif /* OPENSSL_SYS_VMS */
 
         fclose(out);
-        memset(buf,0,BUFSIZE);
+        OPENSSL_cleanse(buf,BUFSIZE);
 err:
         return (rand_err ? -1 : ret);
         }
@@ -225,8 +225,8 @@ const char *RAND_file_name(char *buf, size_t size)
                 s=getenv("RANDFILE");
         if (s != NULL && *s && strlen(s) + 1 < size)
                 {
-                strlcpy(buf,s,size);
-                ok = 1;
+                if (strlcpy(buf,s,size) >= size)
+                        return NULL;
                 }
         else
                 {
diff --git a/src/lib/libcrypto/rand/randtest.c b/src/lib/libcrypto/rand/randtest.c
index b64de616db..701932e6ee 100644
--- a/src/lib/libcrypto/rand/randtest.c
+++ b/src/lib/libcrypto/rand/randtest.c
@@ -60,6 +60,8 @@
 #include <stdlib.h>
 #include <openssl/rand.h>
 
+#include "../e_os.h"
+
 /* some FIPS 140-1 random number test */
 /* some simple tests */
 
@@ -209,6 +211,6 @@ int main()
         printf("test 4 done\n");
  err:
         err=((err)?1:0);
-        exit(err);
+        EXIT(err);
         return(err);
         }
diff --git a/src/lib/libcrypto/rc2/Makefile.ssl b/src/lib/libcrypto/rc2/Makefile.ssl
index 88e41bb98e..98d5960d5d 100644
--- a/src/lib/libcrypto/rc2/Makefile.ssl
+++ b/src/lib/libcrypto/rc2/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/rc2/rc2test.c b/src/lib/libcrypto/rc2/rc2test.c
index d9a2a0a1cb..b67bafb49f 100644
--- a/src/lib/libcrypto/rc2/rc2test.c
+++ b/src/lib/libcrypto/rc2/rc2test.c
@@ -63,6 +63,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_RC2
 int main(int argc, char *argv[])
 {
@@ -203,7 +205,7 @@ int main(int argc, char *argv[])
                 printf("ok\n");
 #endif
 
-        exit(err);
+        EXIT(err);
         return(err);
         }
 
diff --git a/src/lib/libcrypto/rc4/Makefile.ssl b/src/lib/libcrypto/rc4/Makefile.ssl
index 6e5bbf9894..9f9e16068f 100644
--- a/src/lib/libcrypto/rc4/Makefile.ssl
+++ b/src/lib/libcrypto/rc4/Makefile.ssl
@@ -52,14 +52,8 @@ lib:	$(LIBOBJ)
         @touch lib
 
 # elf
-asm/rx86-elf.o: asm/rx86unix.cpp
-        $(CPP) -DELF -x c asm/rx86unix.cpp | as -o asm/rx86-elf.o
-
-# solaris
-asm/rx86-sol.o: asm/rx86unix.cpp
-        $(CC) -E -DSOL asm/rx86unix.cpp | sed 's/^#.*//' > asm/rx86-sol.s
-        as -o asm/rx86-sol.o asm/rx86-sol.s
-        rm -f asm/rx86-sol.s
+asm/rx86-elf.s: asm/rc4-586.pl ../perlasm/x86asm.pl
+        (cd asm; $(PERL) rc4-586.pl elf $(CFLAGS) > rx86-elf.s)
 
 # a.out
 asm/rx86-out.o: asm/rx86unix.cpp
@@ -97,14 +91,14 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
         mv -f Makefile.new $(MAKEFILE)
 
 clean:
-        rm -f asm/rx86unix.cpp *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff asm/*.o
+        rm -f asm/rx86unix.cpp asm/*-elf.* *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff asm/*.o
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
diff --git a/src/lib/libcrypto/rc4/rc4.c b/src/lib/libcrypto/rc4/rc4.c
index c2165b0b75..b39c070292 100644
--- a/src/lib/libcrypto/rc4/rc4.c
+++ b/src/lib/libcrypto/rc4/rc4.c
@@ -155,7 +155,7 @@ bad:
                 i=EVP_read_pw_string(buf,BUFSIZ,"Enter RC4 password:",0);
                 if (i != 0)
                         {
-                        memset(buf,0,BUFSIZ);
+                        OPENSSL_cleanse(buf,BUFSIZ);
                         fprintf(stderr,"bad password read\n");
                         exit(1);
                         }
@@ -163,7 +163,7 @@ bad:
                 }
 
         EVP_Digest((unsigned char *)keystr,(unsigned long)strlen(keystr),md,NULL,EVP_md5());
-        memset(keystr,0,strlen(keystr));
+        OPENSSL_cleanse(keystr,strlen(keystr));
         RC4_set_key(&key,MD5_DIGEST_LENGTH,md);
         
         for(;;)
diff --git a/src/lib/libcrypto/rc4/rc4test.c b/src/lib/libcrypto/rc4/rc4test.c
index a28d457c8d..b9d8f20975 100644
--- a/src/lib/libcrypto/rc4/rc4test.c
+++ b/src/lib/libcrypto/rc4/rc4test.c
@@ -60,6 +60,8 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_RC4
 int main(int argc, char *argv[])
 {
@@ -195,7 +197,7 @@ int main(int argc, char *argv[])
                         }
                 }
         printf("done\n");
-        exit(err);
+        EXIT(err);
         return(0);
         }
 #endif
diff --git a/src/lib/libcrypto/rc5/Makefile.ssl b/src/lib/libcrypto/rc5/Makefile.ssl
index ff31ab47a9..a86f202f7b 100644
--- a/src/lib/libcrypto/rc5/Makefile.ssl
+++ b/src/lib/libcrypto/rc5/Makefile.ssl
@@ -49,14 +49,8 @@ lib:	$(LIBOBJ)
         @touch lib
 
 # elf
-asm/r586-elf.o: asm/r586unix.cpp
-        $(CPP) -DELF -x c asm/r586unix.cpp | as -o asm/r586-elf.o
-
-# solaris
-asm/r586-sol.o: asm/r586unix.cpp
-        $(CC) -E -DSOL asm/r586unix.cpp | sed 's/^#.*//' > asm/r586-sol.s
-        as -o asm/r586-sol.o asm/r586-sol.s
-        rm -f asm/r586-sol.s
+asm/r586-elf.s: asm/rc5-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+        (cd asm; $(PERL) rc5-586.pl elf $(CFLAGS) > r586-elf.s)
 
 # a.out
 asm/r586-out.o: asm/r586unix.cpp
@@ -94,14 +88,14 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
         mv -f Makefile.new $(MAKEFILE)
 
 clean:
-        rm -f asm/r586unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+        rm -f asm/r586unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
diff --git a/src/lib/libcrypto/ripemd/Makefile.ssl b/src/lib/libcrypto/ripemd/Makefile.ssl
index 7ab5d2fc9e..d85515353b 100644
--- a/src/lib/libcrypto/ripemd/Makefile.ssl
+++ b/src/lib/libcrypto/ripemd/Makefile.ssl
@@ -47,14 +47,8 @@ lib:    $(LIBOBJ)
         @touch lib
 
 # elf
-asm/rm86-elf.o: asm/rm86unix.cpp
-        $(CPP) -DELF -x c asm/rm86unix.cpp | as -o asm/rm86-elf.o
-
-# solaris
-asm/rm86-sol.o: asm/rm86unix.cpp
-        $(CC) -E -DSOL asm/rm86unix.cpp | sed 's/^#.*//' > asm/rm86-sol.s
-        as -o asm/rm86-sol.o asm/rm86-sol.s
-        rm -f asm/rm86-sol.s
+asm/rm86-elf.s: asm/rmd-586.pl ../perlasm/x86asm.pl
+        (cd asm; $(PERL) rmd-586.pl elf $(CFLAGS) > rm86-elf.s)
 
 # a.out
 asm/rm86-out.o: asm/rm86unix.cpp
@@ -92,19 +86,22 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
         mv -f Makefile.new $(MAKEFILE)
 
 clean:
-        rm -f asm/rm86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+        rm -f asm/rm86unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 rmd_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
 rmd_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ripemd.h
 rmd_dgst.o: ../md32_common.h rmd_dgst.c rmd_locl.h rmdconst.h
-rmd_one.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-rmd_one.o: ../../include/openssl/ripemd.h rmd_one.c
+rmd_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+rmd_one.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+rmd_one.o: ../../include/openssl/ripemd.h ../../include/openssl/safestack.h
+rmd_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rmd_one.o: rmd_one.c
diff --git a/src/lib/libcrypto/ripemd/rmd160.c b/src/lib/libcrypto/ripemd/rmd160.c
index 4f8b88a18a..b0ec574498 100644
--- a/src/lib/libcrypto/ripemd/rmd160.c
+++ b/src/lib/libcrypto/ripemd/rmd160.c
@@ -64,7 +64,7 @@
 
 void do_fp(FILE *f);
 void pt(unsigned char *md);
-#ifndef _OSD_POSIX
+#if !defined(_OSD_POSIX) && !defined(__DJGPP__)
 int read(int, void *, unsigned int);
 #endif
 
diff --git a/src/lib/libcrypto/ripemd/rmd_dgst.c b/src/lib/libcrypto/ripemd/rmd_dgst.c
index a3170f7c8a..f351f00eea 100644
--- a/src/lib/libcrypto/ripemd/rmd_dgst.c
+++ b/src/lib/libcrypto/ripemd/rmd_dgst.c
@@ -90,8 +90,8 @@ int RIPEMD160_Init(RIPEMD160_CTX *c)
 void ripemd160_block_host_order (RIPEMD160_CTX *ctx, const void *p, int num)
         {
         const RIPEMD160_LONG *XX=p;
-        register unsigned long A,B,C,D,E;
-        register unsigned long a,b,c,d,e;
+        register unsigned MD32_REG_T A,B,C,D,E;
+        register unsigned MD32_REG_T a,b,c,d,e;
 
         for (;num--;XX+=HASH_LBLOCK)
                 {
@@ -290,12 +290,12 @@ void ripemd160_block_host_order (RIPEMD160_CTX *ctx, const void *p, int num)
 void ripemd160_block_data_order (RIPEMD160_CTX *ctx, const void *p, int num)
         {
         const unsigned char *data=p;
-        register unsigned long A,B,C,D,E;
-        unsigned long a,b,c,d,e,l;
+        register unsigned MD32_REG_T A,B,C,D,E;
+        unsigned MD32_REG_T a,b,c,d,e,l;
 #ifndef MD32_XARRAY
         /* See comment in crypto/sha/sha_locl.h for details. */
-        unsigned long   XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
-                        XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+        unsigned MD32_REG_T     XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+                                XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
 # define X(i)   XX##i
 #else
         RIPEMD160_LONG  XX[16];
diff --git a/src/lib/libcrypto/ripemd/rmd_one.c b/src/lib/libcrypto/ripemd/rmd_one.c
index efdf2dd6ef..f8b580c33a 100644
--- a/src/lib/libcrypto/ripemd/rmd_one.c
+++ b/src/lib/libcrypto/ripemd/rmd_one.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <openssl/ripemd.h>
+#include <openssl/crypto.h>
 
 unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
              unsigned char *md)
@@ -70,7 +71,7 @@ unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
         RIPEMD160_Init(&c);
         RIPEMD160_Update(&c,d,n);
         RIPEMD160_Final(md,&c);
-        memset(&c,0,sizeof(c)); /* security consideration */
+        OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */
         return(md);
         }
 
diff --git a/src/lib/libcrypto/ripemd/rmdtest.c b/src/lib/libcrypto/ripemd/rmdtest.c
index be1fb8b1f6..d4c709e646 100644
--- a/src/lib/libcrypto/ripemd/rmdtest.c
+++ b/src/lib/libcrypto/ripemd/rmdtest.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_RIPEMD
 int main(int argc, char *argv[])
 {
@@ -127,7 +129,7 @@ int main(int argc, char *argv[])
                 R++;
                 P++;
                 }
-        exit(err);
+        EXIT(err);
         return(0);
         }
 
diff --git a/src/lib/libcrypto/rsa/Makefile.ssl b/src/lib/libcrypto/rsa/Makefile.ssl
index 8c44b7f142..8089344a04 100644
--- a/src/lib/libcrypto/rsa/Makefile.ssl
+++ b/src/lib/libcrypto/rsa/Makefile.ssl
@@ -72,7 +72,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -104,14 +104,12 @@ rsa_chk.o: rsa_chk.c
 rsa_eay.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_eay.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_eay.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-rsa_eay.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-rsa_eay.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-rsa_eay.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-rsa_eay.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-rsa_eay.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-rsa_eay.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-rsa_eay.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-rsa_eay.o: ../../include/openssl/ui.h ../cryptlib.h rsa_eay.c
+rsa_eay.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rsa_eay.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+rsa_eay.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rsa_eay.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+rsa_eay.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rsa_eay.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_eay.c
 rsa_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 rsa_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
 rsa_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@@ -217,21 +215,21 @@ rsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 rsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 rsa_sign.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
 rsa_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-rsa_sign.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-rsa_sign.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-rsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-rsa_sign.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-rsa_sign.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-rsa_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+rsa_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+rsa_sign.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+rsa_sign.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+rsa_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+rsa_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+rsa_sign.o: ../../include/openssl/opensslconf.h
 rsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-rsa_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-rsa_sign.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-rsa_sign.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-rsa_sign.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-rsa_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-rsa_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-rsa_sign.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-rsa_sign.o: ../../include/openssl/x509_vfy.h ../cryptlib.h rsa_sign.c
+rsa_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+rsa_sign.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+rsa_sign.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+rsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+rsa_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rsa_sign.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+rsa_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+rsa_sign.o: ../cryptlib.h rsa_sign.c
 rsa_ssl.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_ssl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_ssl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index 98b3bd7cc5..e26a68b482 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -158,6 +158,11 @@ struct rsa_st
 #define RSA_FLAG_CACHE_PUBLIC           0x02
 #define RSA_FLAG_CACHE_PRIVATE          0x04
 #define RSA_FLAG_BLINDING               0x08
+#define RSA_FLAG_NO_BLINDING            0x80 /* new with 0.9.6j and 0.9.7b; the built-in
+                                              * RSA implementation now uses blinding by
+                                              * default (ignoring RSA_FLAG_BLINDING),
+                                              * but other engines might not need it
+                                              */
 #define RSA_FLAG_THREAD_SAFE            0x10
 /* This flag means the private key operations will be handled by rsa_mod_exp
  * and that they do not depend on the private key components being present:
@@ -170,11 +175,15 @@ struct rsa_st
  */
 #define RSA_FLAG_SIGN_VER               0x40
 
+#define RSA_FLAG_NO_BLINDING            0x80
+
 #define RSA_PKCS1_PADDING       1
 #define RSA_SSLV23_PADDING      2
 #define RSA_NO_PADDING          3
 #define RSA_PKCS1_OAEP_PADDING  4
 
+#define RSA_PKCS1_PADDING_SIZE  11
+
 #define RSA_set_app_data(s,arg)         RSA_set_ex_data(s,0,arg)
 #define RSA_get_app_data(s)             RSA_get_ex_data(s,0)
 
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index a3f549d8e6..027b4dc754 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -61,7 +61,6 @@
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
-#include <openssl/engine.h>
 
 #ifndef RSA_NULL
 
@@ -187,7 +186,7 @@ err:
         BN_clear_free(&ret);
         if (buf != NULL) 
                 {
-                memset(buf,0,num);
+                OPENSSL_cleanse(buf,num);
                 OPENSSL_free(buf);
                 }
         return(r);
@@ -206,12 +205,46 @@ static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
 
 #define BLINDING_HELPER(rsa, ctx, err_instr) \
         do { \
-                if(((rsa)->flags & RSA_FLAG_BLINDING) && \
-                                ((rsa)->blinding == NULL) && \
-                                !rsa_eay_blinding(rsa, ctx)) \
-                        err_instr \
+                if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \
+                    ((rsa)->blinding == NULL) && \
+                    !rsa_eay_blinding(rsa, ctx)) \
+                    err_instr \
         } while(0)
 
+static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx)
+        {
+        BIGNUM *A, *Ai;
+        BN_BLINDING *ret = NULL;
+
+        /* added in OpenSSL 0.9.6j and 0.9.7b */
+
+        /* NB: similar code appears in RSA_blinding_on (rsa_lib.c);
+         * this should be placed in a new function of its own, but for reasons
+         * of binary compatibility can't */
+
+        BN_CTX_start(ctx);
+        A = BN_CTX_get(ctx);
+        if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
+                {
+                /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
+                RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
+                if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
+                }
+        else
+                {
+                if (!BN_rand_range(A,rsa->n)) goto err;
+                }
+        if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
+
+        if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
+                goto err;
+        ret = BN_BLINDING_new(A,Ai,rsa->n);
+        BN_free(Ai);
+err:
+        BN_CTX_end(ctx);
+        return ret;
+        }
+
 /* signing */
 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
              unsigned char *to, RSA *rsa, int padding)
@@ -220,6 +253,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
         int i,j,k,num=0,r= -1;
         unsigned char *buf=NULL;
         BN_CTX *ctx=NULL;
+        int local_blinding = 0;
+        BN_BLINDING *blinding = NULL;
 
         BN_init(&f);
         BN_init(&ret);
@@ -257,9 +292,38 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                 }
 
         BLINDING_HELPER(rsa, ctx, goto err;);
+        blinding = rsa->blinding;
+        
+        /* Now unless blinding is disabled, 'blinding' is non-NULL.
+         * But the BN_BLINDING object may be owned by some other thread
+         * (we don't want to keep it constant and we don't want to use
+         * lots of locking to avoid race conditions, so only a single
+         * thread can use it; other threads have to use local blinding
+         * factors) */
+        if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
+                {
+                if (blinding == NULL)
+                        {
+                        RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+                }
+        
+        if (blinding != NULL)
+                {
+                if (blinding->thread_id != CRYPTO_thread_id())
+                        {
+                        /* we need a local one-time blinding factor */
+
+                        blinding = setup_blinding(rsa, ctx);
+                        if (blinding == NULL)
+                                goto err;
+                        local_blinding = 1;
+                        }
+                }
 
-        if (rsa->flags & RSA_FLAG_BLINDING)
-                if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
+        if (blinding)
+                if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
 
         if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
                 ((rsa->p != NULL) &&
@@ -273,8 +337,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
                 }
 
-        if (rsa->flags & RSA_FLAG_BLINDING)
-                if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
+        if (blinding)
+                if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
 
         /* put in leading 0 bytes if the number is less than the
          * length of the modulus */
@@ -288,9 +352,11 @@ err:
         if (ctx != NULL) BN_CTX_free(ctx);
         BN_clear_free(&ret);
         BN_clear_free(&f);
+        if (local_blinding)
+                BN_BLINDING_free(blinding);
         if (buf != NULL)
                 {
-                memset(buf,0,num);
+                OPENSSL_cleanse(buf,num);
                 OPENSSL_free(buf);
                 }
         return(r);
@@ -304,6 +370,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
         unsigned char *p;
         unsigned char *buf=NULL;
         BN_CTX *ctx=NULL;
+        int local_blinding = 0;
+        BN_BLINDING *blinding = NULL;
 
         BN_init(&f);
         BN_init(&ret);
@@ -336,9 +404,38 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                 }
 
         BLINDING_HELPER(rsa, ctx, goto err;);
+        blinding = rsa->blinding;
+        
+        /* Now unless blinding is disabled, 'blinding' is non-NULL.
+         * But the BN_BLINDING object may be owned by some other thread
+         * (we don't want to keep it constant and we don't want to use
+         * lots of locking to avoid race conditions, so only a single
+         * thread can use it; other threads have to use local blinding
+         * factors) */
+        if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
+                {
+                if (blinding == NULL)
+                        {
+                        RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+                }
+        
+        if (blinding != NULL)
+                {
+                if (blinding->thread_id != CRYPTO_thread_id())
+                        {
+                        /* we need a local one-time blinding factor */
+
+                        blinding = setup_blinding(rsa, ctx);
+                        if (blinding == NULL)
+                                goto err;
+                        local_blinding = 1;
+                        }
+                }
 
-        if (rsa->flags & RSA_FLAG_BLINDING)
-                if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
+        if (blinding)
+                if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
 
         /* do the decrypt */
         if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -354,8 +451,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                         goto err;
                 }
 
-        if (rsa->flags & RSA_FLAG_BLINDING)
-                if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
+        if (blinding)
+                if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
 
         p=buf;
         j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
@@ -389,7 +486,7 @@ err:
         BN_clear_free(&ret);
         if (buf != NULL)
                 {
-                memset(buf,0,num);
+                OPENSSL_cleanse(buf,num);
                 OPENSSL_free(buf);
                 }
         return(r);
@@ -486,7 +583,7 @@ err:
         BN_clear_free(&ret);
         if (buf != NULL)
                 {
-                memset(buf,0,num);
+                OPENSSL_cleanse(buf,num);
                 OPENSSL_free(buf);
                 }
         return(r);
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
index 37fff8bce3..53c5092014 100644
--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -62,7 +62,10 @@
 #include <openssl/lhash.h>
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
+#include <openssl/rand.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 
 const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT;
 
@@ -72,10 +75,6 @@ RSA *RSA_new(void)
         {
         RSA *r=RSA_new_method(NULL);
 
-#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
-        r->flags|=RSA_FLAG_BLINDING;
-#endif
-
         return r;
         }
 
@@ -114,11 +113,13 @@ int RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
         const RSA_METHOD *mtmp;
         mtmp = rsa->meth;
         if (mtmp->finish) mtmp->finish(rsa);
+#ifndef OPENSSL_NO_ENGINE
         if (rsa->engine)
                 {
                 ENGINE_finish(rsa->engine);
                 rsa->engine = NULL;
                 }
+#endif
         rsa->meth = meth;
         if (meth->init) meth->init(rsa);
         return 1;
@@ -136,6 +137,7 @@ RSA *RSA_new_method(ENGINE *engine)
                 }
 
         ret->meth = RSA_get_default_method();
+#ifndef OPENSSL_NO_ENGINE
         if (engine)
                 {
                 if (!ENGINE_init(engine))
@@ -160,6 +162,7 @@ RSA *RSA_new_method(ENGINE *engine)
                         return NULL;
                         }
                 }
+#endif
 
         ret->pad=0;
         ret->version=0;
@@ -181,8 +184,10 @@ RSA *RSA_new_method(ENGINE *engine)
         CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
         if ((ret->meth->init != NULL) && !ret->meth->init(ret))
                 {
+#ifndef OPENSSL_NO_ENGINE
                 if (ret->engine)
                         ENGINE_finish(ret->engine);
+#endif
                 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
                 OPENSSL_free(ret);
                 ret=NULL;
@@ -211,8 +216,10 @@ void RSA_free(RSA *r)
 
         if (r->meth->finish)
                 r->meth->finish(r);
+#ifndef OPENSSL_NO_ENGINE
         if (r->engine)
                 ENGINE_finish(r->engine);
+#endif
 
         CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
 
@@ -303,7 +310,8 @@ void RSA_blinding_off(RSA *rsa)
                 BN_BLINDING_free(rsa->blinding);
                 rsa->blinding=NULL;
                 }
-        rsa->flags&= ~RSA_FLAG_BLINDING;
+        rsa->flags &= ~RSA_FLAG_BLINDING;
+        rsa->flags |= RSA_FLAG_NO_BLINDING;
         }
 
 int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
@@ -322,15 +330,32 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
         if (rsa->blinding != NULL)
                 BN_BLINDING_free(rsa->blinding);
 
+        /* NB: similar code appears in setup_blinding (rsa_eay.c);
+         * this should be placed in a new function of its own, but for reasons
+         * of binary compatibility can't */
+
         BN_CTX_start(ctx);
         A = BN_CTX_get(ctx);
-        if (!BN_rand_range(A,rsa->n)) goto err;
+        if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
+                {
+                /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
+                RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
+                if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
+                }
+        else
+                {
+                if (!BN_rand_range(A,rsa->n)) goto err;
+                }
         if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
 
         if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
-            goto err;
-        rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n);
-        rsa->flags|=RSA_FLAG_BLINDING;
+                goto err;
+        if ((rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n)) == NULL) goto err;
+        /* to make things thread-safe without excessive locking,
+         * rsa->blinding will be used just by the current thread: */
+        rsa->blinding->thread_id = CRYPTO_thread_id();
+        rsa->flags |= RSA_FLAG_BLINDING;
+        rsa->flags &= ~RSA_FLAG_NO_BLINDING;
         BN_free(Ai);
         ret=1;
 err:
diff --git a/src/lib/libcrypto/rsa/rsa_pk1.c b/src/lib/libcrypto/rsa/rsa_pk1.c
index c1edd6764f..8560755f1d 100644
--- a/src/lib/libcrypto/rsa/rsa_pk1.c
+++ b/src/lib/libcrypto/rsa/rsa_pk1.c
@@ -68,7 +68,7 @@ int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
         int j;
         unsigned char *p;
 
-        if (flen > (tlen-11))
+        if (flen > (tlen-RSA_PKCS1_PADDING_SIZE))
                 {
                 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
                 return(0);
diff --git a/src/lib/libcrypto/rsa/rsa_saos.c b/src/lib/libcrypto/rsa/rsa_saos.c
index 85adacc08f..f462716a57 100644
--- a/src/lib/libcrypto/rsa/rsa_saos.c
+++ b/src/lib/libcrypto/rsa/rsa_saos.c
@@ -77,7 +77,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type,
 
         i=i2d_ASN1_OCTET_STRING(&sig,NULL);
         j=RSA_size(rsa);
-        if ((i-RSA_PKCS1_PADDING) > j)
+        if (i > (j-RSA_PKCS1_PADDING_SIZE))
                 {
                 RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
                 return(0);
@@ -96,7 +96,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type,
         else
                 *siglen=i;
 
-        memset(s,0,(unsigned int)j+1);
+        OPENSSL_cleanse(s,(unsigned int)j+1);
         OPENSSL_free(s);
         return(ret);
         }
@@ -139,7 +139,7 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype,
                 ret=1;
 err:
         if (sig != NULL) M_ASN1_OCTET_STRING_free(sig);
-        memset(s,0,(unsigned int)siglen);
+        OPENSSL_cleanse(s,(unsigned int)siglen);
         OPENSSL_free(s);
         return(ret);
         }
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index 2a440901de..8a1e642183 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -62,7 +62,6 @@
 #include <openssl/rsa.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
-#include <openssl/engine.h>
 
 /* Size of an SSL signature: MD5+SHA1 */
 #define SSL_SIG_LENGTH  36
@@ -77,10 +76,11 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
         const unsigned char *s = NULL;
         X509_ALGOR algor;
         ASN1_OCTET_STRING digest;
-        if((rsa->flags & RSA_FLAG_SIGN_VER)
-              && ENGINE_get_RSA(rsa->engine)->rsa_sign)
-              return ENGINE_get_RSA(rsa->engine)->rsa_sign(type,
-                        m, m_len, sigret, siglen, rsa);
+        if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
+                {
+                return rsa->meth->rsa_sign(type, m, m_len,
+                        sigret, siglen, rsa);
+                }
         /* Special case: SSL signature, just check the length */
         if(type == NID_md5_sha1) {
                 if(m_len != SSL_SIG_LENGTH) {
@@ -113,7 +113,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
                 i=i2d_X509_SIG(&sig,NULL);
         }
         j=RSA_size(rsa);
-        if ((i-RSA_PKCS1_PADDING) > j)
+        if (i > (j-RSA_PKCS1_PADDING_SIZE))
                 {
                 RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
                 return(0);
@@ -136,7 +136,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
                 *siglen=i;
 
         if(type != NID_md5_sha1) {
-                memset(tmps,0,(unsigned int)j+1);
+                OPENSSL_cleanse(tmps,(unsigned int)j+1);
                 OPENSSL_free(tmps);
         }
         return(ret);
@@ -155,10 +155,11 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
                 return(0);
                 }
 
-        if((rsa->flags & RSA_FLAG_SIGN_VER)
-            && ENGINE_get_RSA(rsa->engine)->rsa_verify)
-            return ENGINE_get_RSA(rsa->engine)->rsa_verify(dtype,
-                        m, m_len, sigbuf, siglen, rsa);
+        if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)
+                {
+                return rsa->meth->rsa_verify(dtype, m, m_len,
+                        sigbuf, siglen, rsa);
+                }
 
         s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen);
         if (s == NULL)
@@ -221,7 +222,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
         }
 err:
         if (sig != NULL) X509_SIG_free(sig);
-        memset(s,0,(unsigned int)siglen);
+        OPENSSL_cleanse(s,(unsigned int)siglen);
         OPENSSL_free(s);
         return(ret);
         }
diff --git a/src/lib/libcrypto/rsa/rsa_test.c b/src/lib/libcrypto/rsa/rsa_test.c
index b8b462d33b..924e9ad1f6 100644
--- a/src/lib/libcrypto/rsa/rsa_test.c
+++ b/src/lib/libcrypto/rsa/rsa_test.c
@@ -16,7 +16,6 @@ int main(int argc, char *argv[])
 }
 #else
 #include <openssl/rsa.h>
-#include <openssl/engine.h>
 
 #define SetKey \
   key->n = BN_bin2bn(n, sizeof(n)-1, key->n); \
diff --git a/src/lib/libcrypto/sha/Makefile.ssl b/src/lib/libcrypto/sha/Makefile.ssl
index 0aa678d6f4..d52fb62b4f 100644
--- a/src/lib/libcrypto/sha/Makefile.ssl
+++ b/src/lib/libcrypto/sha/Makefile.ssl
@@ -47,14 +47,8 @@ lib:    $(LIBOBJ)
         @touch lib
 
 # elf
-asm/sx86-elf.o: asm/sx86unix.cpp
-        $(CPP) -DELF -x c asm/sx86unix.cpp | as -o asm/sx86-elf.o
-
-# solaris
-asm/sx86-sol.o: asm/sx86unix.cpp
-        $(CC) -E -DSOL asm/sx86unix.cpp | sed 's/^#.*//' > asm/sx86-sol.s
-        as -o asm/sx86-sol.o asm/sx86-sol.s
-        rm -f asm/sx86-sol.s
+asm/sx86-elf.s: asm/sha1-586.pl ../perlasm/x86asm.pl
+        (cd asm; $(PERL) sha1-586.pl elf $(CFLAGS) $(PROCESSOR) > sx86-elf.s)
 
 # a.out
 asm/sx86-out.o: asm/sx86unix.cpp
@@ -92,24 +86,30 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
         mv -f Makefile.new $(MAKEFILE)
 
 clean:
-        rm -f asm/sx86unix.cpp *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff asm/*.o
+        rm -f asm/sx86unix.cpp asm/*-elf.* *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff asm/*.o
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-sha1_one.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-sha1_one.o: ../../include/openssl/sha.h sha1_one.c
+sha1_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+sha1_one.o: ../../include/openssl/opensslconf.h
+sha1_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+sha1_one.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+sha1_one.o: ../../include/openssl/symhacks.h sha1_one.c
 sha1dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
 sha1dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h
 sha1dgst.o: ../md32_common.h sha1dgst.c sha_locl.h
 sha_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
 sha_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h
 sha_dgst.o: ../md32_common.h sha_dgst.c sha_locl.h
-sha_one.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-sha_one.o: ../../include/openssl/sha.h sha_one.c
+sha_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+sha_one.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+sha_one.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+sha_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+sha_one.o: sha_one.c
diff --git a/src/lib/libcrypto/sha/sha1_one.c b/src/lib/libcrypto/sha/sha1_one.c
index e6a24888ed..20e660c71d 100644
--- a/src/lib/libcrypto/sha/sha1_one.c
+++ b/src/lib/libcrypto/sha/sha1_one.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <openssl/sha.h>
+#include <openssl/crypto.h>
 
 #ifndef OPENSSL_NO_SHA1
 unsigned char *SHA1(const unsigned char *d, unsigned long n, unsigned char *md)
@@ -70,7 +71,7 @@ unsigned char *SHA1(const unsigned char *d, unsigned long n, unsigned char *md)
         SHA1_Init(&c);
         SHA1_Update(&c,d,n);
         SHA1_Final(md,&c);
-        memset(&c,0,sizeof(c));
+        OPENSSL_cleanse(&c,sizeof(c));
         return(md);
         }
 #endif
diff --git a/src/lib/libcrypto/sha/sha1test.c b/src/lib/libcrypto/sha/sha1test.c
index 499a1cf5af..4f2e4ada2d 100644
--- a/src/lib/libcrypto/sha/sha1test.c
+++ b/src/lib/libcrypto/sha/sha1test.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_SHA
 int main(int argc, char *argv[])
 {
@@ -155,7 +157,7 @@ int main(int argc, char *argv[])
                 }
         else
                 printf("test 3 ok\n");
-        exit(err);
+        EXIT(err);
         EVP_MD_CTX_cleanup(&c);
         return(0);
         }
diff --git a/src/lib/libcrypto/sha/sha_locl.h b/src/lib/libcrypto/sha/sha_locl.h
index 471dfb9f8f..2dd63a62a6 100644
--- a/src/lib/libcrypto/sha/sha_locl.h
+++ b/src/lib/libcrypto/sha/sha_locl.h
@@ -224,10 +224,10 @@ int HASH_INIT (SHA_CTX *c)
 void HASH_BLOCK_HOST_ORDER (SHA_CTX *c, const void *d, int num)
         {
         const SHA_LONG *W=d;
-        register unsigned long A,B,C,D,E,T;
+        register unsigned MD32_REG_T A,B,C,D,E,T;
 #ifndef MD32_XARRAY
-        unsigned long   XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
-                        XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+        unsigned MD32_REG_T     XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+                                XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
 #else
         SHA_LONG        XX[16];
 #endif
@@ -349,10 +349,10 @@ void HASH_BLOCK_HOST_ORDER (SHA_CTX *c, const void *d, int num)
 void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, const void *p, int num)
         {
         const unsigned char *data=p;
-        register unsigned long A,B,C,D,E,T,l;
+        register unsigned MD32_REG_T A,B,C,D,E,T,l;
 #ifndef MD32_XARRAY
-        unsigned long   XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
-                        XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+        unsigned MD32_REG_T     XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+                                XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
 #else
         SHA_LONG        XX[16];
 #endif
diff --git a/src/lib/libcrypto/sha/sha_one.c b/src/lib/libcrypto/sha/sha_one.c
index 5426faae4a..e61c63f3e9 100644
--- a/src/lib/libcrypto/sha/sha_one.c
+++ b/src/lib/libcrypto/sha/sha_one.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <openssl/sha.h>
+#include <openssl/crypto.h>
 
 #ifndef OPENSSL_NO_SHA0
 unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md)
@@ -70,7 +71,7 @@ unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md)
         SHA_Init(&c);
         SHA_Update(&c,d,n);
         SHA_Final(md,&c);
-        memset(&c,0,sizeof(c));
+        OPENSSL_cleanse(&c,sizeof(c));
         return(md);
         }
 #endif
diff --git a/src/lib/libcrypto/sha/shatest.c b/src/lib/libcrypto/sha/shatest.c
index 331294a74f..5d2b1d3b1a 100644
--- a/src/lib/libcrypto/sha/shatest.c
+++ b/src/lib/libcrypto/sha/shatest.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_SHA
 int main(int argc, char *argv[])
 {
@@ -156,7 +158,7 @@ int main(int argc, char *argv[])
         else
                 printf("test 3 ok\n");
         EVP_MD_CTX_cleanup(&c);
-        exit(err);
+        EXIT(err);
         return(0);
         }
 
diff --git a/src/lib/libcrypto/stack/Makefile.ssl b/src/lib/libcrypto/stack/Makefile.ssl
index 8574739c76..7120fb804a 100644
--- a/src/lib/libcrypto/stack/Makefile.ssl
+++ b/src/lib/libcrypto/stack/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/threads/mttest.c b/src/lib/libcrypto/threads/mttest.c
index c474a63c74..8973921778 100644
--- a/src/lib/libcrypto/threads/mttest.c
+++ b/src/lib/libcrypto/threads/mttest.c
@@ -86,11 +86,6 @@
 #include <openssl/err.h>
 #include <openssl/rand.h>
 
-#ifdef OPENSSL_NO_FP_API
-#define APPS_WIN16
-#include "../buffer/bss_file.c"
-#endif
-
 #define TEST_SERVER_CERT "../../apps/server.pem"
 #define TEST_CLIENT_CERT "../../apps/client.pem"
 
diff --git a/src/lib/libcrypto/tmdiff.c b/src/lib/libcrypto/tmdiff.c
index 7ebf2b202a..307523ebba 100644
--- a/src/lib/libcrypto/tmdiff.c
+++ b/src/lib/libcrypto/tmdiff.c
@@ -59,13 +59,16 @@
 #include <stdlib.h>
 #include "cryptlib.h"
 #include <openssl/tmdiff.h>
+#if !defined(OPENSSL_SYS_MSDOS)
+#include OPENSSL_UNISTD
+#endif
 
 #ifdef TIMEB
 #undef OPENSSL_SYS_WIN32
 #undef TIMES
 #endif
 
-#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_VMS) || defined(__DECC) && !defined(OPENSSL_SYS_MACOSX) && !defined(OPENSSL_SYS_VXWORKS)
+#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32) && !(defined(OPENSSL_SYS_VMS) || defined(__DECC)) && !defined(OPENSSL_SYS_MACOSX_RHAPSODY) && !defined(OPENSSL_SYS_VXWORKS)
 # define TIMES
 #endif
 
@@ -101,14 +104,19 @@
 
 /* The following if from times(3) man page.  It may need to be changed */
 #ifndef HZ
-# ifndef CLK_TCK
-#  ifndef _BSD_CLK_TCK_ /* FreeBSD hack */
-#   define HZ  100.0
-#  else /* _BSD_CLK_TCK_ */
-#   define HZ ((double)_BSD_CLK_TCK_)
+# if defined(_SC_CLK_TCK) \
+     && (!defined(OPENSSL_SYS_VMS) || __CTRL_VER >= 70000000)
+#  define HZ ((double)sysconf(_SC_CLK_TCK))
+# else
+#  ifndef CLK_TCK
+#   ifndef _BSD_CLK_TCK_ /* FreeBSD hack */
+#    define HZ  100.0
+#   else /* _BSD_CLK_TCK_ */
+#    define HZ ((double)_BSD_CLK_TCK_)
+#   endif
+#  else /* CLK_TCK */
+#   define HZ ((double)CLK_TCK)
 #  endif
-# else /* CLK_TCK */
-#  define HZ ((double)CLK_TCK)
 # endif
 #endif
 
@@ -121,7 +129,7 @@ typedef struct ms_tm
         HANDLE thread_id;
         FILETIME ms_win32;
 #  else
-#    ifdef OPENSSL_SYS_VSWORKS
+#    ifdef OPENSSL_SYS_VXWORKS
           unsigned long ticks;
 #    else
         struct timeb ms_timeb;
@@ -163,7 +171,7 @@ void ms_time_get(char *a)
 #  ifdef OPENSSL_SYS_WIN32
         GetThreadTimes(tm->thread_id,&tmpa,&tmpb,&tmpc,&(tm->ms_win32));
 #  else
-#    ifdef OPENSSL_SYS_VSWORKS
+#    ifdef OPENSSL_SYS_VXWORKS
         tm->ticks = tickGet();
 #    else
         ftime(&tm->ms_timeb);
@@ -197,7 +205,7 @@ double ms_time_diff(char *ap, char *bp)
         ret=((double)(lb-la))/1e7;
         }
 # else
-#  ifdef OPENSSL_SYS_VSWORKS
+#  ifdef OPENSSL_SYS_VXWORKS
         ret = (double)(b->ticks - a->ticks) / (double)sysClkRateGet();
 #  else
         ret=     (double)(b->ms_timeb.time-a->ms_timeb.time)+
@@ -222,7 +230,7 @@ int ms_time_cmp(char *ap, char *bp)
         d =(b->ms_win32.dwHighDateTime&0x000fffff)*10+b->ms_win32.dwLowDateTime/1e7;
         d-=(a->ms_win32.dwHighDateTime&0x000fffff)*10+a->ms_win32.dwLowDateTime/1e7;
 # else
-#  ifdef OPENSSL_SYS_VSWORKS
+#  ifdef OPENSSL_SYS_VXWORKS
         d = (b->ticks - a->ticks);
 #  else
         d=       (double)(b->ms_timeb.time-a->ms_timeb.time)+
diff --git a/src/lib/libcrypto/txt_db/Makefile.ssl b/src/lib/libcrypto/txt_db/Makefile.ssl
index 61ff361348..6221dfae4d 100644
--- a/src/lib/libcrypto/txt_db/Makefile.ssl
+++ b/src/lib/libcrypto/txt_db/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/txt_db/txt_db.c b/src/lib/libcrypto/txt_db/txt_db.c
index 9b186f2da5..58b300b00b 100644
--- a/src/lib/libcrypto/txt_db/txt_db.c
+++ b/src/lib/libcrypto/txt_db/txt_db.c
@@ -108,7 +108,7 @@ TXT_DB *TXT_DB_read(BIO *in, int num)
                 if (offset != 0)
                         {
                         size+=BUFSIZE;
-                        if (!BUF_MEM_grow(buf,size)) goto err;
+                        if (!BUF_MEM_grow_clean(buf,size)) goto err;
                         }
                 buf->data[offset]='\0';
                 BIO_gets(in,&(buf->data[offset]),size-offset);
@@ -268,7 +268,7 @@ long TXT_DB_write(BIO *out, TXT_DB *db)
                         if (pp[j] != NULL)
                                 l+=strlen(pp[j]);
                         }
-                if (!BUF_MEM_grow(buf,(int)(l*2+nn))) goto err;
+                if (!BUF_MEM_grow_clean(buf,(int)(l*2+nn))) goto err;
 
                 p=buf->data;
                 for (j=0; j<nn; j++)
diff --git a/src/lib/libcrypto/ui/Makefile.ssl b/src/lib/libcrypto/ui/Makefile.ssl
index 57b2e38335..ba46951d1c 100644
--- a/src/lib/libcrypto/ui/Makefile.ssl
+++ b/src/lib/libcrypto/ui/Makefile.ssl
@@ -44,7 +44,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -72,7 +72,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -95,13 +95,13 @@ ui_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 ui_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 ui_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 ui_err.o: ../../include/openssl/ui.h ui_err.c
-ui_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-ui_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-ui_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-ui_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-ui_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-ui_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h ui_lib.c
-ui_lib.o: ui_locl.h
+ui_lib.o: ../../e_os.h ../../include/openssl/bio.h
+ui_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ui_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+ui_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+ui_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+ui_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ui_lib.o: ../../include/openssl/ui.h ../cryptlib.h ui_lib.c ui_locl.h
 ui_openssl.o: ../../e_os.h ../../include/openssl/bio.h
 ui_openssl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 ui_openssl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
diff --git a/src/lib/libcrypto/ui/ui_lib.c b/src/lib/libcrypto/ui/ui_lib.c
index cce9075ac1..33c86d76ef 100644
--- a/src/lib/libcrypto/ui/ui_lib.c
+++ b/src/lib/libcrypto/ui/ui_lib.c
@@ -62,6 +62,7 @@
 #include <openssl/ui.h>
 #include <openssl/err.h>
 #include "ui_locl.h"
+#include "cryptlib.h"
 
 IMPLEMENT_STACK_OF(UI_STRING_ST)
 
@@ -144,7 +145,8 @@ static UI_STRING *general_allocate_prompt(UI *ui, const char *prompt,
                 {
                 UIerr(UI_F_GENERAL_ALLOCATE_PROMPT,ERR_R_PASSED_NULL_PARAMETER);
                 }
-        else if (result_buf == NULL)
+        else if ((type == UIT_PROMPT || type == UIT_VERIFY
+                         || type == UIT_BOOLEAN) && result_buf == NULL)
                 {
                 UIerr(UI_F_GENERAL_ALLOCATE_PROMPT,UI_R_NO_RESULT_BUFFER);
                 }
@@ -235,7 +237,7 @@ static int general_allocate_boolean(UI *ui,
         return ret;
         }
 
-/* Returns the index to the place in the stack or 0 for error.  Uses a
+/* Returns the index to the place in the stack or -1 for error.  Uses a
    direct reference to the prompt.  */
 int UI_add_input_string(UI *ui, const char *prompt, int flags,
         char *result_buf, int minsize, int maxsize)
@@ -831,8 +833,8 @@ int UI_set_result(UI *ui, UI_STRING *uis, const char *result)
         case UIT_PROMPT:
         case UIT_VERIFY:
                 {
-                char number1[20];
-                char number2[20];
+                char number1[DECIMAL_SIZE(uis->_.string_data.result_minsize)+1];
+                char number2[DECIMAL_SIZE(uis->_.string_data.result_maxsize)+1];
 
                 BIO_snprintf(number1, sizeof(number1), "%d",
                         uis->_.string_data.result_minsize);
diff --git a/src/lib/libcrypto/ui/ui_openssl.c b/src/lib/libcrypto/ui/ui_openssl.c
index f47ed31cb0..75318d48a1 100644
--- a/src/lib/libcrypto/ui/ui_openssl.c
+++ b/src/lib/libcrypto/ui/ui_openssl.c
@@ -159,8 +159,10 @@
 
 #ifdef WIN_CONSOLE_BUG
 # include <windows.h>
+#ifndef OPENSSL_SYS_WINCE
 # include <wincon.h>
 #endif
+#endif
 
 
 /* There are 5 types of terminal interface supported,
@@ -191,7 +193,7 @@
 # define SGTTY
 #endif
 
-#if defined(OPENSSL_SYS_VSWORKS)
+#if defined(OPENSSL_SYS_VXWORKS)
 #undef TERMIOS
 #undef TERMIO
 #undef SGTTY
@@ -221,7 +223,7 @@
 # define TTY_set(tty,data)      ioctl(tty,TIOCSETP,data)
 #endif
 
-#if !defined(_LIBC) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC)
+#if !defined(_LIBC) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC) && !defined(OPENSSL_SYS_SUNOS)
 # include <sys/ioctl.h>
 #endif
 
@@ -241,6 +243,10 @@ struct IOSB {
         };
 #endif
 
+#ifdef OPENSSL_SYS_SUNOS
+        typedef int sig_atomic_t;
+#endif
+
 #if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(MAC_OS_GUSI_SOURCE)
 /*
  * This one needs work. As a matter of fact the code is unoperational
@@ -277,10 +283,12 @@ static FILE *tty_in, *tty_out;
 static int is_a_tty;
 
 /* Declare static functions */
+#if !defined(OPENSSL_SYS_WIN16) && !defined(OPENSSL_SYS_WINCE)
 static void read_till_nl(FILE *);
 static void recsig(int);
 static void pushsig(void);
 static void popsig(void);
+#endif
 #if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16)
 static int noecho_fgets(char *buf, int size, FILE *tty);
 #endif
@@ -367,6 +375,7 @@ static int read_string(UI *ui, UI_STRING *uis)
         }
 
 
+#if !defined(OPENSSL_SYS_WIN16) && !defined(OPENSSL_SYS_WINCE)
 /* Internal functions to read a string without echoing */
 static void read_till_nl(FILE *in)
         {
@@ -379,6 +388,7 @@ static void read_till_nl(FILE *in)
         }
 
 static volatile sig_atomic_t intr_signal;
+#endif
 
 static int read_string_inner(UI *ui, UI_STRING *uis, int echo, int strip_nl)
         {
@@ -386,9 +396,9 @@ static int read_string_inner(UI *ui, UI_STRING *uis, int echo, int strip_nl)
         int ok;
         char result[BUFSIZ];
         int maxsize = BUFSIZ-1;
+#if !defined(OPENSSL_SYS_WIN16) && !defined(OPENSSL_SYS_WINCE)
         char *p;
 
-#ifndef OPENSSL_SYS_WIN16
         intr_signal=0;
         ok=0;
         ps=0;
@@ -439,7 +449,7 @@ error:
         ok=1;
 #endif
 
-        memset(result,0,BUFSIZ);
+        OPENSSL_cleanse(result,BUFSIZ);
         return ok;
         }
 
@@ -450,7 +460,7 @@ static int open_console(UI *ui)
         CRYPTO_w_lock(CRYPTO_LOCK_UI);
         is_a_tty = 1;
 
-#if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_VSWORKS)
+#if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_VXWORKS)
         tty_in=stdin;
         tty_out=stderr;
 #else
@@ -540,7 +550,7 @@ static int echo_console(UI *ui)
 
 static int close_console(UI *ui)
         {
-        if (tty_in != stderr) fclose(tty_in);
+        if (tty_in != stdin) fclose(tty_in);
         if (tty_out != stderr) fclose(tty_out);
 #ifdef OPENSSL_SYS_VMS
         status = sys$dassgn(channel);
@@ -551,6 +561,7 @@ static int close_console(UI *ui)
         }
 
 
+#if !defined(OPENSSL_SYS_WIN16) && !defined(OPENSSL_SYS_WINCE)
 /* Internal functions to handle signals and act on them */
 static void pushsig(void)
         {
@@ -614,9 +625,10 @@ static void recsig(int i)
         {
         intr_signal=i;
         }
+#endif
 
 /* Internal functions specific for Windows */
-#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16)
+#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16) && !defined(OPENSSL_SYS_WINCE)
 static int noecho_fgets(char *buf, int size, FILE *tty)
         {
         int i;
diff --git a/src/lib/libcrypto/ui/ui_util.c b/src/lib/libcrypto/ui/ui_util.c
index f05573df33..46bc8c1a9a 100644
--- a/src/lib/libcrypto/ui/ui_util.c
+++ b/src/lib/libcrypto/ui/ui_util.c
@@ -62,7 +62,7 @@ int UI_UTIL_read_pw_string(char *buf,int length,const char *prompt,int verify)
         int ret;
 
         ret=UI_UTIL_read_pw(buf,buff,(length>BUFSIZ)?BUFSIZ:length,prompt,verify);
-        memset(buff,0,BUFSIZ);
+        OPENSSL_cleanse(buff,BUFSIZ);
         return(ret);
         }
 
@@ -78,12 +78,14 @@ int UI_UTIL_read_pw(char *buf,char *buff,int size,const char *prompt,int verify)
         if (ui)
                 {
                 ok = UI_add_input_string(ui,prompt,0,buf,0,size-1);
-                if (ok == 0 && verify)
+                if (ok >= 0 && verify)
                         ok = UI_add_verify_string(ui,prompt,0,buff,0,size-1,
                                 buf);
-                if (ok == 0)
+                if (ok >= 0)
                         ok=UI_process(ui);
                 UI_free(ui);
                 }
+        if (ok > 0)
+                ok = 0;
         return(ok);
         }
diff --git a/src/lib/libcrypto/uid.c b/src/lib/libcrypto/uid.c
index d3d249c36f..73205a4baa 100644
--- a/src/lib/libcrypto/uid.c
+++ b/src/lib/libcrypto/uid.c
@@ -65,7 +65,7 @@ int OPENSSL_issetugid(void)
         return issetugid();
         }
 
-#elif defined(OPENSSL_SYS_WIN32)
+#elif defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS)
 
 int OPENSSL_issetugid(void)
         {
diff --git a/src/lib/libcrypto/util/cygwin.sh b/src/lib/libcrypto/util/cygwin.sh
index b607399b02..930f766b4f 100644
--- a/src/lib/libcrypto/util/cygwin.sh
+++ b/src/lib/libcrypto/util/cygwin.sh
@@ -96,6 +96,8 @@ fi
 
 get_openssl_version
 
+make depend || exit 1
+
 make || exit 1
 
 base_install
diff --git a/src/lib/libcrypto/util/domd b/src/lib/libcrypto/util/domd
index 8cbe383c16..49310bbdd1 100644
--- a/src/lib/libcrypto/util/domd
+++ b/src/lib/libcrypto/util/domd
@@ -15,9 +15,14 @@ cp Makefile.ssl Makefile.save
 # fake the presence of Kerberos
 touch $TOP/krb5.h
 if [ "$MAKEDEPEND" = "gcc" ]; then
+    args=""
+    while [ $# -gt 0 ]; do
+        if [ "$1" != "--" ]; then args="$args $1"; fi
+        shift
+    done
     sed -e '/^# DO NOT DELETE.*/,$d' < Makefile.ssl > Makefile.tmp
     echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp
-    gcc -D OPENSSL_DOING_MAKEDEPEND -M $@ >> Makefile.tmp
+    gcc -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp
     ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new
     rm -f Makefile.tmp
 else
diff --git a/src/lib/libcrypto/util/libeay.num b/src/lib/libcrypto/util/libeay.num
index 7e5728495f..f5c8c0be8a 100644
--- a/src/lib/libcrypto/util/libeay.num
+++ b/src/lib/libcrypto/util/libeay.num
@@ -980,7 +980,7 @@ BN_mul_word                             999	EXIST::FUNCTION:
 BN_sub_word                             1000    EXIST::FUNCTION:
 BN_dec2bn                               1001    EXIST::FUNCTION:
 BN_bn2dec                               1002    EXIST::FUNCTION:
-BIO_ghbn_ctrl                           1003    EXIST::FUNCTION:
+BIO_ghbn_ctrl                           1003    NOEXIST::FUNCTION:
 CRYPTO_free_ex_data                     1004    EXIST::FUNCTION:
 CRYPTO_get_ex_data                      1005    EXIST::FUNCTION:
 CRYPTO_set_ex_data                      1007    EXIST::FUNCTION:
@@ -1881,72 +1881,72 @@ BIO_f_linebuffer                        2463	EXIST:VMS:FUNCTION:
 BN_bntest_rand                          2464    EXIST::FUNCTION:
 OPENSSL_issetugid                       2465    EXIST::FUNCTION:
 BN_rand_range                           2466    EXIST::FUNCTION:
-ERR_load_ENGINE_strings                 2467    EXIST::FUNCTION:
-ENGINE_set_DSA                          2468    EXIST::FUNCTION:
-ENGINE_get_finish_function              2469    EXIST::FUNCTION:
-ENGINE_get_default_RSA                  2470    EXIST::FUNCTION:
+ERR_load_ENGINE_strings                 2467    EXIST::FUNCTION:ENGINE
+ENGINE_set_DSA                          2468    EXIST::FUNCTION:ENGINE
+ENGINE_get_finish_function              2469    EXIST::FUNCTION:ENGINE
+ENGINE_get_default_RSA                  2470    EXIST::FUNCTION:ENGINE
 ENGINE_get_BN_mod_exp                   2471    NOEXIST::FUNCTION:
 DSA_get_default_openssl_method          2472    NOEXIST::FUNCTION:
-ENGINE_set_DH                           2473    EXIST::FUNCTION:
+ENGINE_set_DH                           2473    EXIST::FUNCTION:ENGINE
 ENGINE_set_def_BN_mod_exp_crt           2474    NOEXIST::FUNCTION:
 ENGINE_set_default_BN_mod_exp_crt       2474    NOEXIST::FUNCTION:
-ENGINE_init                             2475    EXIST::FUNCTION:
+ENGINE_init                             2475    EXIST::FUNCTION:ENGINE
 DH_get_default_openssl_method           2476    NOEXIST::FUNCTION:
 RSA_set_default_openssl_method          2477    NOEXIST::FUNCTION:
-ENGINE_finish                           2478    EXIST::FUNCTION:
-ENGINE_load_public_key                  2479    EXIST::FUNCTION:
-ENGINE_get_DH                           2480    EXIST::FUNCTION:
-ENGINE_ctrl                             2481    EXIST::FUNCTION:
-ENGINE_get_init_function                2482    EXIST::FUNCTION:
-ENGINE_set_init_function                2483    EXIST::FUNCTION:
-ENGINE_set_default_DSA                  2484    EXIST::FUNCTION:
-ENGINE_get_name                         2485    EXIST::FUNCTION:
-ENGINE_get_last                         2486    EXIST::FUNCTION:
-ENGINE_get_prev                         2487    EXIST::FUNCTION:
-ENGINE_get_default_DH                   2488    EXIST::FUNCTION:
-ENGINE_get_RSA                          2489    EXIST::FUNCTION:
-ENGINE_set_default                      2490    EXIST::FUNCTION:
-ENGINE_get_RAND                         2491    EXIST::FUNCTION:
-ENGINE_get_first                        2492    EXIST::FUNCTION:
-ENGINE_by_id                            2493    EXIST::FUNCTION:
-ENGINE_set_finish_function              2494    EXIST::FUNCTION:
+ENGINE_finish                           2478    EXIST::FUNCTION:ENGINE
+ENGINE_load_public_key                  2479    EXIST::FUNCTION:ENGINE
+ENGINE_get_DH                           2480    EXIST::FUNCTION:ENGINE
+ENGINE_ctrl                             2481    EXIST::FUNCTION:ENGINE
+ENGINE_get_init_function                2482    EXIST::FUNCTION:ENGINE
+ENGINE_set_init_function                2483    EXIST::FUNCTION:ENGINE
+ENGINE_set_default_DSA                  2484    EXIST::FUNCTION:ENGINE
+ENGINE_get_name                         2485    EXIST::FUNCTION:ENGINE
+ENGINE_get_last                         2486    EXIST::FUNCTION:ENGINE
+ENGINE_get_prev                         2487    EXIST::FUNCTION:ENGINE
+ENGINE_get_default_DH                   2488    EXIST::FUNCTION:ENGINE
+ENGINE_get_RSA                          2489    EXIST::FUNCTION:ENGINE
+ENGINE_set_default                      2490    EXIST::FUNCTION:ENGINE
+ENGINE_get_RAND                         2491    EXIST::FUNCTION:ENGINE
+ENGINE_get_first                        2492    EXIST::FUNCTION:ENGINE
+ENGINE_by_id                            2493    EXIST::FUNCTION:ENGINE
+ENGINE_set_finish_function              2494    EXIST::FUNCTION:ENGINE
 ENGINE_get_def_BN_mod_exp_crt           2495    NOEXIST::FUNCTION:
 ENGINE_get_default_BN_mod_exp_crt       2495    NOEXIST::FUNCTION:
 RSA_get_default_openssl_method          2496    NOEXIST::FUNCTION:
-ENGINE_set_RSA                          2497    EXIST::FUNCTION:
-ENGINE_load_private_key                 2498    EXIST::FUNCTION:
-ENGINE_set_default_RAND                 2499    EXIST::FUNCTION:
+ENGINE_set_RSA                          2497    EXIST::FUNCTION:ENGINE
+ENGINE_load_private_key                 2498    EXIST::FUNCTION:ENGINE
+ENGINE_set_default_RAND                 2499    EXIST::FUNCTION:ENGINE
 ENGINE_set_BN_mod_exp                   2500    NOEXIST::FUNCTION:
-ENGINE_remove                           2501    EXIST::FUNCTION:
-ENGINE_free                             2502    EXIST::FUNCTION:
+ENGINE_remove                           2501    EXIST::FUNCTION:ENGINE
+ENGINE_free                             2502    EXIST::FUNCTION:ENGINE
 ENGINE_get_BN_mod_exp_crt               2503    NOEXIST::FUNCTION:
-ENGINE_get_next                         2504    EXIST::FUNCTION:
-ENGINE_set_name                         2505    EXIST::FUNCTION:
-ENGINE_get_default_DSA                  2506    EXIST::FUNCTION:
+ENGINE_get_next                         2504    EXIST::FUNCTION:ENGINE
+ENGINE_set_name                         2505    EXIST::FUNCTION:ENGINE
+ENGINE_get_default_DSA                  2506    EXIST::FUNCTION:ENGINE
 ENGINE_set_default_BN_mod_exp           2507    NOEXIST::FUNCTION:
-ENGINE_set_default_RSA                  2508    EXIST::FUNCTION:
-ENGINE_get_default_RAND                 2509    EXIST::FUNCTION:
+ENGINE_set_default_RSA                  2508    EXIST::FUNCTION:ENGINE
+ENGINE_get_default_RAND                 2509    EXIST::FUNCTION:ENGINE
 ENGINE_get_default_BN_mod_exp           2510    NOEXIST::FUNCTION:
-ENGINE_set_RAND                         2511    EXIST::FUNCTION:
-ENGINE_set_id                           2512    EXIST::FUNCTION:
+ENGINE_set_RAND                         2511    EXIST::FUNCTION:ENGINE
+ENGINE_set_id                           2512    EXIST::FUNCTION:ENGINE
 ENGINE_set_BN_mod_exp_crt               2513    NOEXIST::FUNCTION:
-ENGINE_set_default_DH                   2514    EXIST::FUNCTION:
-ENGINE_new                              2515    EXIST::FUNCTION:
-ENGINE_get_id                           2516    EXIST::FUNCTION:
+ENGINE_set_default_DH                   2514    EXIST::FUNCTION:ENGINE
+ENGINE_new                              2515    EXIST::FUNCTION:ENGINE
+ENGINE_get_id                           2516    EXIST::FUNCTION:ENGINE
 DSA_set_default_openssl_method          2517    NOEXIST::FUNCTION:
-ENGINE_add                              2518    EXIST::FUNCTION:
+ENGINE_add                              2518    EXIST::FUNCTION:ENGINE
 DH_set_default_openssl_method           2519    NOEXIST::FUNCTION:
-ENGINE_get_DSA                          2520    EXIST::FUNCTION:
-ENGINE_get_ctrl_function                2521    EXIST::FUNCTION:
-ENGINE_set_ctrl_function                2522    EXIST::FUNCTION:
+ENGINE_get_DSA                          2520    EXIST::FUNCTION:ENGINE
+ENGINE_get_ctrl_function                2521    EXIST::FUNCTION:ENGINE
+ENGINE_set_ctrl_function                2522    EXIST::FUNCTION:ENGINE
 BN_pseudo_rand_range                    2523    EXIST::FUNCTION:
 X509_STORE_CTX_set_verify_cb            2524    EXIST::FUNCTION:
 ERR_load_COMP_strings                   2525    EXIST::FUNCTION:
 PKCS12_item_decrypt_d2i                 2526    EXIST::FUNCTION:
 ASN1_UTF8STRING_it                      2527    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 ASN1_UTF8STRING_it                      2527    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_unregister_ciphers               2528    EXIST::FUNCTION:
-ENGINE_get_ciphers                      2529    EXIST::FUNCTION:
+ENGINE_unregister_ciphers               2528    EXIST::FUNCTION:ENGINE
+ENGINE_get_ciphers                      2529    EXIST::FUNCTION:ENGINE
 d2i_OCSP_BASICRESP                      2530    EXIST::FUNCTION:
 KRB5_CHECKSUM_it                        2531    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 KRB5_CHECKSUM_it                        2531    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -1959,15 +1959,15 @@ X509V3_add1_i2d                         2536	EXIST::FUNCTION:
 PKCS7_ENVELOPE_it                       2537    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PKCS7_ENVELOPE_it                       2537    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 UI_add_input_boolean                    2538    EXIST::FUNCTION:
-ENGINE_unregister_RSA                   2539    EXIST::FUNCTION:
+ENGINE_unregister_RSA                   2539    EXIST::FUNCTION:ENGINE
 X509V3_EXT_nconf                        2540    EXIST::FUNCTION:
 ASN1_GENERALSTRING_free                 2541    EXIST::FUNCTION:
 d2i_OCSP_CERTSTATUS                     2542    EXIST::FUNCTION:
 X509_REVOKED_set_serialNumber           2543    EXIST::FUNCTION:
 X509_print_ex                           2544    EXIST::FUNCTION:BIO
 OCSP_ONEREQ_get1_ext_d2i                2545    EXIST::FUNCTION:
-ENGINE_register_all_RAND                2546    EXIST::FUNCTION:
-ENGINE_load_dynamic                     2547    EXIST::FUNCTION:
+ENGINE_register_all_RAND                2546    EXIST::FUNCTION:ENGINE
+ENGINE_load_dynamic                     2547    EXIST::FUNCTION:ENGINE
 PBKDF2PARAM_it                          2548    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PBKDF2PARAM_it                          2548    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 EXTENDED_KEY_USAGE_new                  2549    EXIST::FUNCTION:
@@ -1987,7 +1987,7 @@ X509_STORE_set_purpose                  2559	EXIST::FUNCTION:
 i2d_ASN1_GENERALSTRING                  2560    EXIST::FUNCTION:
 OCSP_response_status                    2561    EXIST::FUNCTION:
 i2d_OCSP_SERVICELOC                     2562    EXIST::FUNCTION:
-ENGINE_get_digest_engine                2563    EXIST::FUNCTION:
+ENGINE_get_digest_engine                2563    EXIST::FUNCTION:ENGINE
 EC_GROUP_set_curve_GFp                  2564    EXIST::FUNCTION:EC
 OCSP_REQUEST_get_ext_by_OBJ             2565    EXIST::FUNCTION:
 _ossl_old_des_random_key                2566    EXIST::FUNCTION:DES
@@ -2011,7 +2011,7 @@ _shadow_DES_rw_mode                     2581	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 _shadow_DES_rw_mode                     2581    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:DES
 asn1_do_adb                             2582    EXIST::FUNCTION:
 ASN1_template_i2d                       2583    EXIST::FUNCTION:
-ENGINE_register_DH                      2584    EXIST::FUNCTION:
+ENGINE_register_DH                      2584    EXIST::FUNCTION:ENGINE
 UI_construct_prompt                     2585    EXIST::FUNCTION:
 X509_STORE_set_trust                    2586    EXIST::FUNCTION:
 UI_dup_input_string                     2587    EXIST::FUNCTION:
@@ -2039,7 +2039,7 @@ OCSP_resp_find                          2605	EXIST::FUNCTION:
 BN_nnmod                                2606    EXIST::FUNCTION:
 X509_CRL_sort                           2607    EXIST::FUNCTION:
 X509_REVOKED_set_revocationDate         2608    EXIST::FUNCTION:
-ENGINE_register_RAND                    2609    EXIST::FUNCTION:
+ENGINE_register_RAND                    2609    EXIST::FUNCTION:ENGINE
 OCSP_SERVICELOC_new                     2610    EXIST::FUNCTION:
 EC_POINT_set_affine_coordinates_GFp     2611    EXIST:!VMS:FUNCTION:EC
 EC_POINT_set_affine_coords_GFp          2611    EXIST:VMS:FUNCTION:EC
@@ -2049,11 +2049,11 @@ SXNET_it                                2613	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 UI_dup_input_boolean                    2614    EXIST::FUNCTION:
 PKCS12_add_CSPName_asc                  2615    EXIST::FUNCTION:
 EC_POINT_is_at_infinity                 2616    EXIST::FUNCTION:EC
-ENGINE_load_openbsd_dev_crypto          2617    EXIST::FUNCTION:
+ENGINE_load_cryptodev                   2617    EXIST::FUNCTION:ENGINE
 DSO_convert_filename                    2618    EXIST::FUNCTION:
 POLICYQUALINFO_it                       2619    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 POLICYQUALINFO_it                       2619    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_register_ciphers                 2620    EXIST::FUNCTION:
+ENGINE_register_ciphers                 2620    EXIST::FUNCTION:ENGINE
 BN_mod_lshift_quick                     2621    EXIST::FUNCTION:
 DSO_set_filename                        2622    EXIST::FUNCTION:
 ASN1_item_free                          2623    EXIST::FUNCTION:
@@ -2062,7 +2062,7 @@ AUTHORITY_KEYID_it                      2625	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 AUTHORITY_KEYID_it                      2625    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 KRB5_APREQBODY_new                      2626    EXIST::FUNCTION:
 X509V3_EXT_REQ_add_nconf                2627    EXIST::FUNCTION:
-ENGINE_ctrl_cmd_string                  2628    EXIST::FUNCTION:
+ENGINE_ctrl_cmd_string                  2628    EXIST::FUNCTION:ENGINE
 i2d_OCSP_RESPDATA                       2629    EXIST::FUNCTION:
 EVP_MD_CTX_init                         2630    EXIST::FUNCTION:
 EXTENDED_KEY_USAGE_free                 2631    EXIST::FUNCTION:
@@ -2071,8 +2071,8 @@ PKCS7_ATTR_SIGN_it                      2632	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 UI_add_error_string                     2633    EXIST::FUNCTION:
 KRB5_CHECKSUM_free                      2634    EXIST::FUNCTION:
 OCSP_REQUEST_get_ext                    2635    EXIST::FUNCTION:
-ENGINE_load_ubsec                       2636    EXIST::FUNCTION:
-ENGINE_register_all_digests             2637    EXIST::FUNCTION:
+ENGINE_load_ubsec                       2636    EXIST::FUNCTION:ENGINE
+ENGINE_register_all_digests             2637    EXIST::FUNCTION:ENGINE
 PKEY_USAGE_PERIOD_it                    2638    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PKEY_USAGE_PERIOD_it                    2638    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 PKCS12_unpack_authsafes                 2639    EXIST::FUNCTION:
@@ -2098,16 +2098,16 @@ OCSP_CERTSTATUS_free                    2653	EXIST::FUNCTION:
 _ossl_old_des_crypt                     2654    EXIST::FUNCTION:DES
 ASN1_item_i2d                           2655    EXIST::FUNCTION:
 EVP_DecryptFinal_ex                     2656    EXIST::FUNCTION:
-ENGINE_load_openssl                     2657    EXIST::FUNCTION:
-ENGINE_get_cmd_defns                    2658    EXIST::FUNCTION:
-ENGINE_set_load_privkey_function        2659    EXIST:!VMS:FUNCTION:
-ENGINE_set_load_privkey_fn              2659    EXIST:VMS:FUNCTION:
+ENGINE_load_openssl                     2657    EXIST::FUNCTION:ENGINE
+ENGINE_get_cmd_defns                    2658    EXIST::FUNCTION:ENGINE
+ENGINE_set_load_privkey_function        2659    EXIST:!VMS:FUNCTION:ENGINE
+ENGINE_set_load_privkey_fn              2659    EXIST:VMS:FUNCTION:ENGINE
 EVP_EncryptFinal_ex                     2660    EXIST::FUNCTION:
-ENGINE_set_default_digests              2661    EXIST::FUNCTION:
+ENGINE_set_default_digests              2661    EXIST::FUNCTION:ENGINE
 X509_get0_pubkey_bitstr                 2662    EXIST::FUNCTION:
 asn1_ex_i2c                             2663    EXIST::FUNCTION:
-ENGINE_register_RSA                     2664    EXIST::FUNCTION:
-ENGINE_unregister_DSA                   2665    EXIST::FUNCTION:
+ENGINE_register_RSA                     2664    EXIST::FUNCTION:ENGINE
+ENGINE_unregister_DSA                   2665    EXIST::FUNCTION:ENGINE
 _ossl_old_des_key_sched                 2666    EXIST::FUNCTION:DES
 X509_EXTENSION_it                       2667    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 X509_EXTENSION_it                       2667    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2120,7 +2120,7 @@ PKCS12_certbag2x509                     2672	EXIST::FUNCTION:
 _ossl_old_des_ofb64_encrypt             2673    EXIST::FUNCTION:DES
 d2i_EXTENDED_KEY_USAGE                  2674    EXIST::FUNCTION:
 ERR_print_errors_cb                     2675    EXIST::FUNCTION:
-ENGINE_set_ciphers                      2676    EXIST::FUNCTION:
+ENGINE_set_ciphers                      2676    EXIST::FUNCTION:ENGINE
 d2i_KRB5_APREQBODY                      2677    EXIST::FUNCTION:
 UI_method_get_flusher                   2678    EXIST::FUNCTION:
 X509_PUBKEY_it                          2679    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2156,7 +2156,7 @@ NCONF_get_number_e                      2704	EXIST::FUNCTION:
 _ossl_old_des_decrypt3                  2705    EXIST::FUNCTION:DES
 X509_signature_print                    2706    EXIST::FUNCTION:EVP
 OCSP_SINGLERESP_free                    2707    EXIST::FUNCTION:
-ENGINE_load_builtin_engines             2708    EXIST::FUNCTION:
+ENGINE_load_builtin_engines             2708    EXIST::FUNCTION:ENGINE
 i2d_OCSP_ONEREQ                         2709    EXIST::FUNCTION:
 OCSP_REQUEST_add_ext                    2710    EXIST::FUNCTION:
 OCSP_RESPBYTES_new                      2711    EXIST::FUNCTION:
@@ -2184,7 +2184,7 @@ X509_CERT_AUX_it                        2727	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 CERTIFICATEPOLICIES_it                  2728    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 CERTIFICATEPOLICIES_it                  2728    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 _ossl_old_des_ede3_cbc_encrypt          2729    EXIST::FUNCTION:DES
-RAND_set_rand_engine                    2730    EXIST::FUNCTION:
+RAND_set_rand_engine                    2730    EXIST::FUNCTION:ENGINE
 DSO_get_loaded_filename                 2731    EXIST::FUNCTION:
 X509_ATTRIBUTE_it                       2732    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 X509_ATTRIBUTE_it                       2732    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2206,7 +2206,7 @@ i2d_OCSP_BASICRESP                      2744	EXIST::FUNCTION:
 i2d_OCSP_RESPBYTES                      2745    EXIST::FUNCTION:
 PKCS12_unpack_p7encdata                 2746    EXIST::FUNCTION:
 HMAC_CTX_init                           2747    EXIST::FUNCTION:HMAC
-ENGINE_get_digest                       2748    EXIST::FUNCTION:
+ENGINE_get_digest                       2748    EXIST::FUNCTION:ENGINE
 OCSP_RESPONSE_print                     2749    EXIST::FUNCTION:
 KRB5_TKTBODY_it                         2750    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 KRB5_TKTBODY_it                         2750    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2219,16 +2219,16 @@ PBE2PARAM_it                            2753	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 PKCS12_certbag2x509crl                  2754    EXIST::FUNCTION:
 PKCS7_SIGNED_it                         2755    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PKCS7_SIGNED_it                         2755    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_get_cipher                       2756    EXIST::FUNCTION:
+ENGINE_get_cipher                       2756    EXIST::FUNCTION:ENGINE
 i2d_OCSP_CRLID                          2757    EXIST::FUNCTION:
 OCSP_SINGLERESP_new                     2758    EXIST::FUNCTION:
-ENGINE_cmd_is_executable                2759    EXIST::FUNCTION:
+ENGINE_cmd_is_executable                2759    EXIST::FUNCTION:ENGINE
 RSA_up_ref                              2760    EXIST::FUNCTION:RSA
 ASN1_GENERALSTRING_it                   2761    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 ASN1_GENERALSTRING_it                   2761    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_register_DSA                     2762    EXIST::FUNCTION:
+ENGINE_register_DSA                     2762    EXIST::FUNCTION:ENGINE
 X509V3_EXT_add_nconf_sk                 2763    EXIST::FUNCTION:
-ENGINE_set_load_pubkey_function         2764    EXIST::FUNCTION:
+ENGINE_set_load_pubkey_function         2764    EXIST::FUNCTION:ENGINE
 PKCS8_decrypt                           2765    EXIST::FUNCTION:
 PEM_bytes_read_bio                      2766    EXIST::FUNCTION:BIO
 DIRECTORYSTRING_it                      2767    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2265,7 +2265,7 @@ UI_method_set_flusher                   2789	EXIST::FUNCTION:
 X509_ocspid_print                       2790    EXIST::FUNCTION:BIO
 KRB5_ENCDATA_it                         2791    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 KRB5_ENCDATA_it                         2791    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_get_load_pubkey_function         2792    EXIST::FUNCTION:
+ENGINE_get_load_pubkey_function         2792    EXIST::FUNCTION:ENGINE
 UI_add_user_data                        2793    EXIST::FUNCTION:
 OCSP_REQUEST_delete_ext                 2794    EXIST::FUNCTION:
 UI_get_method                           2795    EXIST::FUNCTION:
@@ -2289,16 +2289,16 @@ ASN1_FBOOLEAN_it                        2806	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 ASN1_FBOOLEAN_it                        2806    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 UI_set_ex_data                          2807    EXIST::FUNCTION:
 _ossl_old_des_string_to_key             2808    EXIST::FUNCTION:DES
-ENGINE_register_all_RSA                 2809    EXIST::FUNCTION:
+ENGINE_register_all_RSA                 2809    EXIST::FUNCTION:ENGINE
 d2i_KRB5_PRINCNAME                      2810    EXIST::FUNCTION:
 OCSP_RESPBYTES_it                       2811    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 OCSP_RESPBYTES_it                       2811    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 X509_CINF_it                            2812    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 X509_CINF_it                            2812    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_unregister_digests               2813    EXIST::FUNCTION:
+ENGINE_unregister_digests               2813    EXIST::FUNCTION:ENGINE
 d2i_EDIPARTYNAME                        2814    EXIST::FUNCTION:
 d2i_OCSP_SERVICELOC                     2815    EXIST::FUNCTION:
-ENGINE_get_digests                      2816    EXIST::FUNCTION:
+ENGINE_get_digests                      2816    EXIST::FUNCTION:ENGINE
 _ossl_old_des_set_odd_parity            2817    EXIST::FUNCTION:DES
 OCSP_RESPDATA_free                      2818    EXIST::FUNCTION:
 d2i_KRB5_TICKET                         2819    EXIST::FUNCTION:
@@ -2309,7 +2309,7 @@ d2i_ASN1_GENERALSTRING                  2822	EXIST::FUNCTION:
 X509_CRL_set_version                    2823    EXIST::FUNCTION:
 BN_mod_sub                              2824    EXIST::FUNCTION:
 OCSP_SINGLERESP_get_ext_by_NID          2825    EXIST::FUNCTION:
-ENGINE_get_ex_new_index                 2826    EXIST::FUNCTION:
+ENGINE_get_ex_new_index                 2826    EXIST::FUNCTION:ENGINE
 OCSP_REQUEST_free                       2827    EXIST::FUNCTION:
 OCSP_REQUEST_add1_ext_i2d               2828    EXIST::FUNCTION:
 X509_VAL_it                             2829    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2343,7 +2343,7 @@ EC_POINT_method_of                      2852	EXIST::FUNCTION:EC
 i2d_KRB5_APREQBODY                      2853    EXIST::FUNCTION:
 _ossl_old_des_ecb3_encrypt              2854    EXIST::FUNCTION:DES
 CRYPTO_get_mem_ex_functions             2855    EXIST::FUNCTION:
-ENGINE_get_ex_data                      2856    EXIST::FUNCTION:
+ENGINE_get_ex_data                      2856    EXIST::FUNCTION:ENGINE
 UI_destroy_method                       2857    EXIST::FUNCTION:
 ASN1_item_i2d_bio                       2858    EXIST::FUNCTION:BIO
 OCSP_ONEREQ_get_ext_by_OBJ              2859    EXIST::FUNCTION:
@@ -2367,7 +2367,7 @@ PKCS12_SAFEBAGS_it                      2872	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 PKCS12_SAFEBAGS_it                      2872    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 d2i_OCSP_SIGNATURE                      2873    EXIST::FUNCTION:
 OCSP_request_add1_nonce                 2874    EXIST::FUNCTION:
-ENGINE_set_cmd_defns                    2875    EXIST::FUNCTION:
+ENGINE_set_cmd_defns                    2875    EXIST::FUNCTION:ENGINE
 OCSP_SERVICELOC_free                    2876    EXIST::FUNCTION:
 EC_GROUP_free                           2877    EXIST::FUNCTION:EC
 ASN1_BIT_STRING_it                      2878    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2384,7 +2384,7 @@ EC_GROUP_new_curve_GFp                  2885	EXIST::FUNCTION:EC
 OCSP_REQUEST_get1_ext_d2i               2886    EXIST::FUNCTION:
 PKCS12_item_pack_safebag                2887    EXIST::FUNCTION:
 asn1_ex_c2i                             2888    EXIST::FUNCTION:
-ENGINE_register_digests                 2889    EXIST::FUNCTION:
+ENGINE_register_digests                 2889    EXIST::FUNCTION:ENGINE
 i2d_OCSP_REVOKEDINFO                    2890    EXIST::FUNCTION:
 asn1_enc_restore                        2891    EXIST::FUNCTION:
 UI_free                                 2892    EXIST::FUNCTION:
@@ -2395,7 +2395,7 @@ EC_POINT_invert                         2896	EXIST::FUNCTION:EC
 OCSP_basic_sign                         2897    EXIST::FUNCTION:
 i2d_OCSP_RESPID                         2898    EXIST::FUNCTION:
 OCSP_check_nonce                        2899    EXIST::FUNCTION:
-ENGINE_ctrl_cmd                         2900    EXIST::FUNCTION:
+ENGINE_ctrl_cmd                         2900    EXIST::FUNCTION:ENGINE
 d2i_KRB5_ENCKEY                         2901    EXIST::FUNCTION:
 OCSP_parse_url                          2902    EXIST::FUNCTION:
 OCSP_SINGLERESP_get_ext                 2903    EXIST::FUNCTION:
@@ -2403,12 +2403,12 @@ OCSP_CRLID_free                         2904	EXIST::FUNCTION:
 OCSP_BASICRESP_get1_ext_d2i             2905    EXIST::FUNCTION:
 RSAPrivateKey_it                        2906    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RSA
 RSAPrivateKey_it                        2906    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RSA
-ENGINE_register_all_DH                  2907    EXIST::FUNCTION:
+ENGINE_register_all_DH                  2907    EXIST::FUNCTION:ENGINE
 i2d_EDIPARTYNAME                        2908    EXIST::FUNCTION:
 EC_POINT_get_affine_coordinates_GFp     2909    EXIST:!VMS:FUNCTION:EC
 EC_POINT_get_affine_coords_GFp          2909    EXIST:VMS:FUNCTION:EC
 OCSP_CRLID_new                          2910    EXIST::FUNCTION:
-ENGINE_get_flags                        2911    EXIST::FUNCTION:
+ENGINE_get_flags                        2911    EXIST::FUNCTION:ENGINE
 OCSP_ONEREQ_it                          2912    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 OCSP_ONEREQ_it                          2912    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 UI_process                              2913    EXIST::FUNCTION:
@@ -2416,8 +2416,8 @@ ASN1_INTEGER_it                         2914	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 ASN1_INTEGER_it                         2914    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 EVP_CipherInit_ex                       2915    EXIST::FUNCTION:
 UI_get_string_type                      2916    EXIST::FUNCTION:
-ENGINE_unregister_DH                    2917    EXIST::FUNCTION:
-ENGINE_register_all_DSA                 2918    EXIST::FUNCTION:
+ENGINE_unregister_DH                    2917    EXIST::FUNCTION:ENGINE
+ENGINE_register_all_DSA                 2918    EXIST::FUNCTION:ENGINE
 OCSP_ONEREQ_get_ext_by_critical         2919    EXIST::FUNCTION:
 bn_dup_expand                           2920    EXIST::FUNCTION:
 OCSP_cert_id_new                        2921    EXIST::FUNCTION:
@@ -2438,11 +2438,11 @@ BN_mod_sub_quick                        2933	EXIST::FUNCTION:
 OCSP_ONEREQ_add_ext                     2934    EXIST::FUNCTION:
 OCSP_request_sign                       2935    EXIST::FUNCTION:
 EVP_DigestFinal_ex                      2936    EXIST::FUNCTION:
-ENGINE_set_digests                      2937    EXIST::FUNCTION:
+ENGINE_set_digests                      2937    EXIST::FUNCTION:ENGINE
 OCSP_id_issuer_cmp                      2938    EXIST::FUNCTION:
 OBJ_NAME_do_all                         2939    EXIST::FUNCTION:
 EC_POINTs_mul                           2940    EXIST::FUNCTION:EC
-ENGINE_register_complete                2941    EXIST::FUNCTION:
+ENGINE_register_complete                2941    EXIST::FUNCTION:ENGINE
 X509V3_EXT_nconf_nid                    2942    EXIST::FUNCTION:
 ASN1_SEQUENCE_it                        2943    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 ASN1_SEQUENCE_it                        2943    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2451,7 +2451,7 @@ RAND_query_egd_bytes                    2945	EXIST::FUNCTION:
 UI_method_get_writer                    2946    EXIST::FUNCTION:
 UI_OpenSSL                              2947    EXIST::FUNCTION:
 PEM_def_callback                        2948    EXIST::FUNCTION:
-ENGINE_cleanup                          2949    EXIST::FUNCTION:
+ENGINE_cleanup                          2949    EXIST::FUNCTION:ENGINE
 DIST_POINT_it                           2950    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 DIST_POINT_it                           2950    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 OCSP_SINGLERESP_it                      2951    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2475,7 +2475,7 @@ OCSP_RESPID_new                         2967	EXIST::FUNCTION:
 OCSP_RESPDATA_it                        2968    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 OCSP_RESPDATA_it                        2968    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 d2i_OCSP_RESPDATA                       2969    EXIST::FUNCTION:
-ENGINE_register_all_complete            2970    EXIST::FUNCTION:
+ENGINE_register_all_complete            2970    EXIST::FUNCTION:ENGINE
 OCSP_check_validity                     2971    EXIST::FUNCTION:
 PKCS12_BAGS_it                          2972    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PKCS12_BAGS_it                          2972    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2487,7 +2487,7 @@ KRB5_AUTHENTBODY_it                     2976	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 X509_supported_extension                2977    EXIST::FUNCTION:
 i2d_KRB5_AUTHDATA                       2978    EXIST::FUNCTION:
 UI_method_get_opener                    2979    EXIST::FUNCTION:
-ENGINE_set_ex_data                      2980    EXIST::FUNCTION:
+ENGINE_set_ex_data                      2980    EXIST::FUNCTION:ENGINE
 OCSP_REQUEST_print                      2981    EXIST::FUNCTION:
 CBIGNUM_it                              2982    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 CBIGNUM_it                              2982    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2501,7 +2501,7 @@ OCSP_single_get0_status                 2989	EXIST::FUNCTION:
 BN_swap                                 2990    EXIST::FUNCTION:
 POLICYINFO_it                           2991    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 POLICYINFO_it                           2991    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_set_destroy_function             2992    EXIST::FUNCTION:
+ENGINE_set_destroy_function             2992    EXIST::FUNCTION:ENGINE
 asn1_enc_free                           2993    EXIST::FUNCTION:
 OCSP_RESPID_it                          2994    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 OCSP_RESPID_it                          2994    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2523,8 +2523,8 @@ EDIPARTYNAME_it                         3005	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 NETSCAPE_SPKI_it                        3006    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 NETSCAPE_SPKI_it                        3006    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 UI_get0_test_string                     3007    EXIST::FUNCTION:
-ENGINE_get_cipher_engine                3008    EXIST::FUNCTION:
-ENGINE_register_all_ciphers             3009    EXIST::FUNCTION:
+ENGINE_get_cipher_engine                3008    EXIST::FUNCTION:ENGINE
+ENGINE_register_all_ciphers             3009    EXIST::FUNCTION:ENGINE
 EC_POINT_copy                           3010    EXIST::FUNCTION:EC
 BN_kronecker                            3011    EXIST::FUNCTION:
 _ossl_old_des_ede3_ofb64_encrypt        3012    EXIST:!VMS:FUNCTION:DES
@@ -2545,9 +2545,9 @@ OCSP_RESPONSE_new                       3023	EXIST::FUNCTION:
 AES_set_encrypt_key                     3024    EXIST::FUNCTION:AES
 OCSP_resp_count                         3025    EXIST::FUNCTION:
 KRB5_CHECKSUM_new                       3026    EXIST::FUNCTION:
-ENGINE_load_cswift                      3027    EXIST::FUNCTION:
+ENGINE_load_cswift                      3027    EXIST::FUNCTION:ENGINE
 OCSP_onereq_get0_id                     3028    EXIST::FUNCTION:
-ENGINE_set_default_ciphers              3029    EXIST::FUNCTION:
+ENGINE_set_default_ciphers              3029    EXIST::FUNCTION:ENGINE
 NOTICEREF_it                            3030    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 NOTICEREF_it                            3030    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 X509V3_EXT_CRL_add_nconf                3031    EXIST::FUNCTION:
@@ -2565,7 +2565,7 @@ AES_decrypt                             3040	EXIST::FUNCTION:AES
 asn1_enc_init                           3041    EXIST::FUNCTION:
 UI_get_result_maxsize                   3042    EXIST::FUNCTION:
 OCSP_CERTID_new                         3043    EXIST::FUNCTION:
-ENGINE_unregister_RAND                  3044    EXIST::FUNCTION:
+ENGINE_unregister_RAND                  3044    EXIST::FUNCTION:ENGINE
 UI_method_get_closer                    3045    EXIST::FUNCTION:
 d2i_KRB5_ENCDATA                        3046    EXIST::FUNCTION:
 OCSP_request_onereq_count               3047    EXIST::FUNCTION:
@@ -2576,7 +2576,7 @@ ASN1_primitive_free                     3051	EXIST::FUNCTION:
 i2d_EXTENDED_KEY_USAGE                  3052    EXIST::FUNCTION:
 i2d_OCSP_SIGNATURE                      3053    EXIST::FUNCTION:
 asn1_enc_save                           3054    EXIST::FUNCTION:
-ENGINE_load_nuron                       3055    EXIST::FUNCTION:
+ENGINE_load_nuron                       3055    EXIST::FUNCTION:ENGINE
 _ossl_old_des_pcbc_encrypt              3056    EXIST::FUNCTION:DES
 PKCS12_MAC_DATA_it                      3057    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PKCS12_MAC_DATA_it                      3057    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2598,15 +2598,15 @@ ASN1_item_d2i_bio                       3069	EXIST::FUNCTION:BIO
 EC_POINT_dbl                            3070    EXIST::FUNCTION:EC
 asn1_get_choice_selector                3071    EXIST::FUNCTION:
 i2d_KRB5_CHECKSUM                       3072    EXIST::FUNCTION:
-ENGINE_set_table_flags                  3073    EXIST::FUNCTION:
+ENGINE_set_table_flags                  3073    EXIST::FUNCTION:ENGINE
 AES_options                             3074    EXIST::FUNCTION:AES
-ENGINE_load_chil                        3075    EXIST::FUNCTION:
+ENGINE_load_chil                        3075    EXIST::FUNCTION:ENGINE
 OCSP_id_cmp                             3076    EXIST::FUNCTION:
 OCSP_BASICRESP_new                      3077    EXIST::FUNCTION:
 OCSP_REQUEST_get_ext_by_NID             3078    EXIST::FUNCTION:
 KRB5_APREQ_it                           3079    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 KRB5_APREQ_it                           3079    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_get_destroy_function             3080    EXIST::FUNCTION:
+ENGINE_get_destroy_function             3080    EXIST::FUNCTION:ENGINE
 CONF_set_nconf                          3081    EXIST::FUNCTION:
 ASN1_PRINTABLE_free                     3082    EXIST::FUNCTION:
 OCSP_BASICRESP_get_ext_by_NID           3083    EXIST::FUNCTION:
@@ -2667,7 +2667,7 @@ OCSP_CRLID_it                           3127	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 OCSP_CRLID_it                           3127    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 i2d_KRB5_AUTHENTBODY                    3128    EXIST::FUNCTION:
 OCSP_REQUEST_get_ext_count              3129    EXIST::FUNCTION:
-ENGINE_load_atalla                      3130    EXIST::FUNCTION:
+ENGINE_load_atalla                      3130    EXIST::FUNCTION:ENGINE
 X509_NAME_it                            3131    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 X509_NAME_it                            3131    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 USERNOTICE_it                           3132    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2685,7 +2685,7 @@ UI_method_set_opener                    3140	EXIST::FUNCTION:
 ASN1_item_ex_free                       3141    EXIST::FUNCTION:
 ASN1_BOOLEAN_it                         3142    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 ASN1_BOOLEAN_it                         3142    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_get_table_flags                  3143    EXIST::FUNCTION:
+ENGINE_get_table_flags                  3143    EXIST::FUNCTION:ENGINE
 UI_create_method                        3144    EXIST::FUNCTION:
 OCSP_ONEREQ_add1_ext_i2d                3145    EXIST::FUNCTION:
 _shadow_DES_check_key                   3146    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:DES
@@ -2709,7 +2709,7 @@ PKCS7_it                                3160	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 PKCS7_it                                3160    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 OCSP_REQUEST_get_ext_by_critical        3161    EXIST:!VMS:FUNCTION:
 OCSP_REQUEST_get_ext_by_crit            3161    EXIST:VMS:FUNCTION:
-ENGINE_set_flags                        3162    EXIST::FUNCTION:
+ENGINE_set_flags                        3162    EXIST::FUNCTION:ENGINE
 _ossl_old_des_ecb_encrypt               3163    EXIST::FUNCTION:DES
 OCSP_response_get1_basic                3164    EXIST::FUNCTION:
 EVP_Digest                              3165    EXIST::FUNCTION:
@@ -2721,8 +2721,8 @@ ASN1_TIME_to_generalizedtime            3169	EXIST::FUNCTION:
 BIGNUM_it                               3170    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 BIGNUM_it                               3170    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 AES_cbc_encrypt                         3171    EXIST::FUNCTION:AES
-ENGINE_get_load_privkey_function        3172    EXIST:!VMS:FUNCTION:
-ENGINE_get_load_privkey_fn              3172    EXIST:VMS:FUNCTION:
+ENGINE_get_load_privkey_function        3172    EXIST:!VMS:FUNCTION:ENGINE
+ENGINE_get_load_privkey_fn              3172    EXIST:VMS:FUNCTION:ENGINE
 OCSP_RESPONSE_free                      3173    EXIST::FUNCTION:
 UI_method_set_reader                    3174    EXIST::FUNCTION:
 i2d_ASN1_T61STRING                      3175    EXIST::FUNCTION:
@@ -2736,7 +2736,7 @@ OCSP_crlID_new                          3181	EXIST:!OS2,!VMS,!WIN16:FUNCTION:
 OCSP_crlID2_new                         3181    EXIST:OS2,VMS,WIN16:FUNCTION:
 CONF_modules_load_file                  3182    EXIST::FUNCTION:
 CONF_imodule_set_usr_data               3183    EXIST::FUNCTION:
-ENGINE_set_default_string               3184    EXIST::FUNCTION:
+ENGINE_set_default_string               3184    EXIST::FUNCTION:ENGINE
 CONF_module_get_usr_data                3185    EXIST::FUNCTION:
 ASN1_add_oid_module                     3186    EXIST::FUNCTION:
 CONF_modules_finish                     3187    EXIST::FUNCTION:
@@ -2754,7 +2754,7 @@ CONF_imodule_get_name                   3198	EXIST::FUNCTION:
 ERR_peek_top_error                      3199    NOEXIST::FUNCTION:
 CONF_imodule_get_usr_data               3200    EXIST::FUNCTION:
 CONF_imodule_set_flags                  3201    EXIST::FUNCTION:
-ENGINE_add_conf_module                  3202    EXIST::FUNCTION:
+ENGINE_add_conf_module                  3202    EXIST::FUNCTION:ENGINE
 ERR_peek_last_error_line                3203    EXIST::FUNCTION:
 ERR_peek_last_error_line_data           3204    EXIST::FUNCTION:
 ERR_peek_last_error                     3205    EXIST::FUNCTION:
@@ -2762,8 +2762,8 @@ DES_read_2passwords                     3206	EXIST::FUNCTION:DES
 DES_read_password                       3207    EXIST::FUNCTION:DES
 UI_UTIL_read_pw                         3208    EXIST::FUNCTION:
 UI_UTIL_read_pw_string                  3209    EXIST::FUNCTION:
-ENGINE_load_aep                         3210    EXIST::FUNCTION:
-ENGINE_load_sureware                    3211    EXIST::FUNCTION:
+ENGINE_load_aep                         3210    EXIST::FUNCTION:ENGINE
+ENGINE_load_sureware                    3211    EXIST::FUNCTION:ENGINE
 OPENSSL_add_all_algorithms_noconf       3212    EXIST:!VMS:FUNCTION:
 OPENSSL_add_all_algo_noconf             3212    EXIST:VMS:FUNCTION:
 OPENSSL_add_all_algorithms_conf         3213    EXIST:!VMS:FUNCTION:
@@ -2772,7 +2772,7 @@ OPENSSL_load_builtin_modules            3214	EXIST::FUNCTION:
 AES_ofb128_encrypt                      3215    EXIST::FUNCTION:AES
 AES_ctr128_encrypt                      3216    EXIST::FUNCTION:AES
 AES_cfb128_encrypt                      3217    EXIST::FUNCTION:AES
-ENGINE_load_4758cca                     3218    EXIST::FUNCTION:
+ENGINE_load_4758cca                     3218    EXIST::FUNCTION:ENGINE
 _ossl_096_des_random_seed               3219    EXIST::FUNCTION:DES
 EVP_aes_256_ofb                         3220    EXIST::FUNCTION:AES
 EVP_aes_192_ofb                         3221    EXIST::FUNCTION:AES
@@ -2793,3 +2793,11 @@ ASN1_UNIVERSALSTRING_it                 3234	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 d2i_ASN1_UNIVERSALSTRING                3235    EXIST::FUNCTION:
 EVP_des_ede3_ecb                        3236    EXIST::FUNCTION:DES
 X509_REQ_print_ex                       3237    EXIST::FUNCTION:BIO
+ENGINE_up_ref                           3238    EXIST::FUNCTION:ENGINE
+BUF_MEM_grow_clean                      3239    EXIST::FUNCTION:
+CRYPTO_realloc_clean                    3240    EXIST::FUNCTION:
+BUF_strlcat                             3241    EXIST::FUNCTION:
+BIO_indent                              3242    EXIST::FUNCTION:
+BUF_strlcpy                             3243    EXIST::FUNCTION:
+OpenSSLDie                              3244    EXIST::FUNCTION:
+OPENSSL_cleanse                         3245    EXIST::FUNCTION:
diff --git a/src/lib/libcrypto/util/mk1mf.pl b/src/lib/libcrypto/util/mk1mf.pl
index c9271bbffe..c538f9dffb 100644
--- a/src/lib/libcrypto/util/mk1mf.pl
+++ b/src/lib/libcrypto/util/mk1mf.pl
@@ -24,6 +24,7 @@ $infile="MINFO";
 
 %ops=(
         "VC-WIN32",   "Microsoft Visual C++ [4-6] - Windows NT or 9X",
+        "VC-CE",   "Microsoft eMbedded Visual C++ 3.0 - Windows CE ONLY",
         "VC-NT",   "Microsoft Visual C++ [4-6] - Windows NT ONLY",
         "VC-W31-16",  "Microsoft Visual C++ 1.52 - Windows 3.1 - 286",
         "VC-WIN16",   "Alias for VC-W31-32",
@@ -63,6 +64,8 @@ and [options] can be one of
         no-asm                                  - No x86 asm
         no-krb5                                 - No KRB5
         no-ec                                   - No EC
+        no-engine                               - No engine
+        no-hw                                   - No hw
         nasm                                    - Use NASM for x86 asm
         gaswin                                  - Use GNU as with Mingw32
         no-socks                                - No socket code
@@ -137,6 +140,10 @@ elsif (($platform eq "VC-WIN32") || ($platform eq "VC-NT"))
         $NT = 1 if $platform eq "VC-NT";
         require 'VC-32.pl';
         }
+elsif ($platform eq "VC-CE")
+        {
+        require 'VC-CE.pl';
+        }
 elsif ($platform eq "Mingw32")
         {
         require 'Mingw32.pl';
@@ -213,7 +220,7 @@ $cflags.=" -DOPENSSL_NO_MD4"  if $no_md4;
 $cflags.=" -DOPENSSL_NO_MD5"  if $no_md5;
 $cflags.=" -DOPENSSL_NO_SHA"  if $no_sha;
 $cflags.=" -DOPENSSL_NO_SHA1" if $no_sha1;
-$cflags.=" -DOPENSSL_NO_RIPEMD" if $no_rmd160;
+$cflags.=" -DOPENSSL_NO_RIPEMD" if $no_ripemd;
 $cflags.=" -DOPENSSL_NO_MDC2" if $no_mdc2;
 $cflags.=" -DOPENSSL_NO_BF"  if $no_bf;
 $cflags.=" -DOPENSSL_NO_CAST" if $no_cast;
@@ -227,6 +234,8 @@ $cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3;
 $cflags.=" -DOPENSSL_NO_ERR"  if $no_err;
 $cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5;
 $cflags.=" -DOPENSSL_NO_EC"   if $no_ec;
+$cflags.=" -DOPENSSL_NO_ENGINE"   if $no_engine;
+$cflags.=" -DOPENSSL_NO_HW"   if $no_hw;
 #$cflags.=" -DRSAref"  if $rsaref ne "";
 
 ## if ($unix)
@@ -266,6 +275,17 @@ $defs= <<"EOF";
 # The one monster makefile better suits building in non-unix
 # environments.
 
+EOF
+
+if ($platform eq "VC-CE")
+        {
+        $defs.= <<"EOF";
+!INCLUDE <\$(WCECOMPAT)/wcedefs.mak>
+
+EOF
+        }
+
+$defs.= <<"EOF";
 INSTALLTOP=$INSTALLTOP
 
 # Set your compiler options
@@ -632,6 +652,8 @@ sub var_add
         local($dir,$val)=@_;
         local(@a,$_,$ret);
 
+        return("") if $no_engine && $dir =~ /\/engine/;
+        return("") if $no_hw   && $dir =~ /\/hw/;
         return("") if $no_idea && $dir =~ /\/idea/;
         return("") if $no_aes  && $dir =~ /\/aes/;
         return("") if $no_rc2  && $dir =~ /\/rc2/;
@@ -641,6 +663,7 @@ sub var_add
         return("") if $no_rsa  && $dir =~ /^rsaref/;
         return("") if $no_dsa  && $dir =~ /\/dsa/;
         return("") if $no_dh   && $dir =~ /\/dh/;
+        return("") if $no_ec   && $dir =~ /\/ec/;
         if ($no_des && $dir =~ /\/des/)
                 {
                 if ($val =~ /read_pwd/)
@@ -675,7 +698,7 @@ sub var_add
         @a=grep(!/(^md2)|(_md2$)/,@a) if $no_md2;
         @a=grep(!/(^md4)|(_md4$)/,@a) if $no_md4;
         @a=grep(!/(^md5)|(_md5$)/,@a) if $no_md5;
-        @a=grep(!/(rmd)|(ripemd)/,@a) if $no_rmd160;
+        @a=grep(!/(rmd)|(ripemd)/,@a) if $no_ripemd;
 
         @a=grep(!/(^d2i_r_)|(^i2d_r_)/,@a) if $no_rsa;
         @a=grep(!/(^p_open$)|(^p_seal$)/,@a) if $no_rsa;
@@ -692,6 +715,8 @@ sub var_add
         @a=grep(!/(^sha1)|(_sha1$)|(m_dss1$)/,@a) if $no_sha1;
         @a=grep(!/_mdc2$/,@a) if $no_mdc2;
 
+        @a=grep(!/^engine$/,@a) if $no_engine;
+        @a=grep(!/^hw$/,@a) if $no_hw;
         @a=grep(!/(^rsa$)|(^genrsa$)/,@a) if $no_rsa;
         @a=grep(!/(^dsa$)|(^gendsa$)|(^dsaparam$)/,@a) if $no_dsa;
         @a=grep(!/^gendsa$/,@a) if $no_sha1;
@@ -885,10 +910,12 @@ sub read_options
         elsif (/^no-sock$/)     { $no_sock=1; }
         elsif (/^no-krb5$/)     { $no_krb5=1; }
         elsif (/^no-ec$/)       { $no_ec=1; }
+        elsif (/^no-engine$/)   { $no_engine=1; }
+        elsif (/^no-hw$/)       { $no_hw=1; }
 
         elsif (/^just-ssl$/)    { $no_rc2=$no_idea=$no_des=$no_bf=$no_cast=1;
                                   $no_md2=$no_sha=$no_mdc2=$no_dsa=$no_dh=1;
-                                  $no_ssl2=$no_err=$no_rmd160=$no_rc5=1;
+                                  $no_ssl2=$no_err=$no_ripemd=$no_rc5=1;
                                   $no_aes=1; }
 
         elsif (/^rsaref$/)      { }
diff --git a/src/lib/libcrypto/util/mkdef.pl b/src/lib/libcrypto/util/mkdef.pl
index adfd447dd3..cdd2164c4e 100644
--- a/src/lib/libcrypto/util/mkdef.pl
+++ b/src/lib/libcrypto/util/mkdef.pl
@@ -91,7 +91,7 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
                          "BIO", "COMP", "BUFFER", "LHASH", "STACK", "ERR",
                          "LOCKING",
                          # External "algorithms"
-                         "FP_API", "STDIO", "SOCK", "KRB5" );
+                         "FP_API", "STDIO", "SOCK", "KRB5", "ENGINE", "HW" );
 
 my $options="";
 open(IN,"<Makefile.ssl") || die "unable to open Makefile.ssl!\n";
@@ -107,7 +107,7 @@ my $no_rc2; my $no_rc4; my $no_rc5; my $no_idea; my $no_des; my $no_bf;
 my $no_cast;
 my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
 my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5;
-my $no_ec;
+my $no_ec; my $no_engine; my $no_hw;
 my $no_fp_api;
 
 foreach (@ARGV, split(/ /, $options))
@@ -176,6 +176,8 @@ foreach (@ARGV, split(/ /, $options))
         elsif (/^no-comp$/)     { $no_comp=1; }
         elsif (/^no-dso$/)      { $no_dso=1; }
         elsif (/^no-krb5$/)     { $no_krb5=1; }
+        elsif (/^no-engine$/)   { $no_engine=1; }
+        elsif (/^no-hw$/)       { $no_hw=1; }
         }
 
 
@@ -235,7 +237,7 @@ $crypto.=" crypto/dh/dh.h" ; # unless $no_dh;
 $crypto.=" crypto/ec/ec.h" ; # unless $no_ec;
 $crypto.=" crypto/hmac/hmac.h" ; # unless $no_hmac;
 
-$crypto.=" crypto/engine/engine.h";
+$crypto.=" crypto/engine/engine.h"; # unless $no_engine;
 $crypto.=" crypto/stack/stack.h" ; # unless $no_stack;
 $crypto.=" crypto/buffer/buffer.h" ; # unless $no_buffer;
 $crypto.=" crypto/bio/bio.h" ; # unless $no_bio;
@@ -438,7 +440,12 @@ sub do_defs
                         }
 
                         s/\/\*.*?\*\///gs;                   # ignore comments
+                        if (/\/\*/) {                        # if we have part
+                                $line = $_;                  # of a comment,
+                                next;                        # continue reading
+                        }
                         s/{[^{}]*}//gs;                      # ignore {} blocks
+                        print STDERR "DEBUG: \$def=\"$def\"\n" if $debug && $def ne "";
                         print STDERR "DEBUG: \$_=\"$_\"\n" if $debug;
                         if (/^\#\s*ifndef\s+(.*)/) {
                                 push(@tag,"-");
@@ -812,14 +819,14 @@ sub do_defs
                         } elsif (/\(\*(\w*(\{[0-9]+\})?)\([^\)]+/) {
                                 $s = $1;
                                 print STDERR "DEBUG: found ANSI C function $s\n" if $debug;
-                        } elsif (/\w+\W+(\w+)\W*\(\s*\)$/s) {
+                        } elsif (/\w+\W+(\w+)\W*\(\s*\)(\s*__attribute__\(.*\)\s*)?$/s) {
                                 # K&R C
                                 print STDERR "DEBUG: found K&R C function $s\n" if $debug;
                                 next;
-                        } elsif (/\w+\W+\w+(\{[0-9]+\})?\W*\(.*\)$/s) {
-                                while (not /\(\)$/s) {
-                                        s/[^\(\)]*\)$/\)/s;
-                                        s/\([^\(\)]*\)\)$/\)/s;
+                        } elsif (/\w+\W+\w+(\{[0-9]+\})?\W*\(.*\)(\s*__attribute__\(.*\)\s*)?$/s) {
+                                while (not /\(\)(\s*__attribute__\(.*\)\s*)?$/s) {
+                                        s/[^\(\)]*\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
+                                        s/\([^\(\)]*\)\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
                                 }
                                 s/\(void\)//;
                                 /(\w+(\{[0-9]+\})?)\W*\(\)/s;
@@ -1052,6 +1059,8 @@ sub is_valid
                         if ($keyword eq "COMP" && $no_comp) { return 0; }
                         if ($keyword eq "DSO" && $no_dso) { return 0; }
                         if ($keyword eq "KRB5" && $no_krb5) { return 0; }
+                        if ($keyword eq "ENGINE" && $no_engine) { return 0; }
+                        if ($keyword eq "HW" && $no_hw) { return 0; }
                         if ($keyword eq "FP_API" && $no_fp_api) { return 0; }
 
                         # Nothing recognise as true
diff --git a/src/lib/libcrypto/util/mkerr.pl b/src/lib/libcrypto/util/mkerr.pl
index 4105047b21..1b2915c767 100644
--- a/src/lib/libcrypto/util/mkerr.pl
+++ b/src/lib/libcrypto/util/mkerr.pl
@@ -132,16 +132,16 @@ while (($hdr, $lib) = each %libinc)
                 my $name = $1;
                 $name =~ tr/[a-z]/[A-Z]/;
                 $ftrans{$name} = $1;
-            } elsif (/\w+\W+(\w+)\W*\(\s*\)$/s){
+            } elsif (/\w+\W+(\w+)\W*\(\s*\)(\s*__attribute__\(.*\)\s*)?$/s){
                 # K&R C
                 next ;
-            } elsif (/\w+\W+\w+\W*\(.*\)$/s) {
-                while (not /\(\)$/s) {
-                    s/[^\(\)]*\)$/\)/s;
-                    s/\([^\(\)]*\)\)$/\)/s;
+            } elsif (/\w+\W+\w+\W*\(.*\)(\s*__attribute__\(.*\)\s*)?$/s) {
+                while (not /\(\)(\s*__attribute__\(.*\)\s*)?$/s) {
+                    s/[^\(\)]*\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
+                    s/\([^\(\)]*\)\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
                 }
                 s/\(void\)//;
-                /(\w+)\W*\(\)/s;
+                /(\w+(\{[0-9]+\})?)\W*\(\)/s;
                 my $name = $1;
                 $name =~ tr/[a-z]/[A-Z]/;
                 $ftrans{$name} = $1;
@@ -262,7 +262,7 @@ foreach $lib (keys %csrc)
         } else {
             push @out,
 "/* ====================================================================\n",
-" * Copyright (c) 2001-2002 The OpenSSL Project.  All rights reserved.\n",
+" * Copyright (c) 2001-2003 The OpenSSL Project.  All rights reserved.\n",
 " *\n",
 " * Redistribution and use in source and binary forms, with or without\n",
 " * modification, are permitted provided that the following conditions\n",
@@ -404,7 +404,7 @@ EOF
         print OUT <<"EOF";
 /* $cfile */
 /* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/src/lib/libcrypto/util/pl/BC-32.pl b/src/lib/libcrypto/util/pl/BC-32.pl
index bd7a9d9301..e83b336190 100644
--- a/src/lib/libcrypto/util/pl/BC-32.pl
+++ b/src/lib/libcrypto/util/pl/BC-32.pl
@@ -51,9 +51,9 @@ $lfile='';
 $shlib_ex_obj="";
 $app_ex_obj="c0x32.obj"; 
 
-$asm='nasmw';
+$asm='nasmw -f obj';
 $asm.=" /Zi" if $debug;
-$afile='-f obj -o';
+$afile='-o';
 
 $bn_mulw_obj='';
 $bn_mulw_src='';
diff --git a/src/lib/libcrypto/util/pl/Mingw32.pl b/src/lib/libcrypto/util/pl/Mingw32.pl
index 45ab685974..043a3a53ee 100644
--- a/src/lib/libcrypto/util/pl/Mingw32.pl
+++ b/src/lib/libcrypto/util/pl/Mingw32.pl
@@ -1,17 +1,17 @@
 #!/usr/local/bin/perl
 #
-# Mingw32.pl -- Mingw32 with GNU cp (Mingw32f.pl uses DOS tools) 
+# Mingw32.pl -- Mingw
 #
 
 $o='/';
 $cp='cp';
-$rm='rem'; # use 'rm -f' if using GNU file utilities
+$rm='rm -f';
 $mkdir='gmkdir';
 
-# gcc wouldn't accept backslashes in paths
-#$o='\\';
-#$cp='copy';
-#$rm='del';
+$o='\\';
+$cp='copy';
+$rm='del';
+$mkdir='mkdir';
 
 # C compiler stuff
 
@@ -19,29 +19,29 @@ $cc='gcc';
 if ($debug)
         { $cflags="-DL_ENDIAN -DDSO_WIN32 -g2 -ggdb"; }
 else
-        { $cflags="-DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -m486 -Wall"; }
+        { $cflags="-DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -mcpu=i486 -Wall"; }
 
 if ($gaswin and !$no_asm)
         {
-        $bn_asm_obj='$(OBJ_D)/bn-win32.o';
+        $bn_asm_obj='$(OBJ_D)\bn-win32.o';
         $bn_asm_src='crypto/bn/asm/bn-win32.s';
-        $bnco_asm_obj='$(OBJ_D)/co-win32.o';
+        $bnco_asm_obj='$(OBJ_D)\co-win32.o';
         $bnco_asm_src='crypto/bn/asm/co-win32.s';
-        $des_enc_obj='$(OBJ_D)/d-win32.o $(OBJ_D)/y-win32.o';
+        $des_enc_obj='$(OBJ_D)\d-win32.o $(OBJ_D)\y-win32.o';
         $des_enc_src='crypto/des/asm/d-win32.s crypto/des/asm/y-win32.s';
-        $bf_enc_obj='$(OBJ_D)/b-win32.o';
+        $bf_enc_obj='$(OBJ_D)\b-win32.o';
         $bf_enc_src='crypto/bf/asm/b-win32.s';
-#       $cast_enc_obj='$(OBJ_D)/c-win32.o';
+#       $cast_enc_obj='$(OBJ_D)\c-win32.o';
 #       $cast_enc_src='crypto/cast/asm/c-win32.s';
-        $rc4_enc_obj='$(OBJ_D)/r4-win32.o';
+        $rc4_enc_obj='$(OBJ_D)\r4-win32.o';
         $rc4_enc_src='crypto/rc4/asm/r4-win32.s';
-        $rc5_enc_obj='$(OBJ_D)/r5-win32.o';
+        $rc5_enc_obj='$(OBJ_D)\r5-win32.o';
         $rc5_enc_src='crypto/rc5/asm/r5-win32.s';
-        $md5_asm_obj='$(OBJ_D)/m5-win32.o';
+        $md5_asm_obj='$(OBJ_D)\m5-win32.o';
         $md5_asm_src='crypto/md5/asm/m5-win32.s';
-        $rmd160_asm_obj='$(OBJ_D)/rm-win32.o';
+        $rmd160_asm_obj='$(OBJ_D)\rm-win32.o';
         $rmd160_asm_src='crypto/ripemd/asm/rm-win32.s';
-        $sha1_asm_obj='$(OBJ_D)/s1-win32.o';
+        $sha1_asm_obj='$(OBJ_D)\s1-win32.o';
         $sha1_asm_src='crypto/sha/asm/s1-win32.s';
         $cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM";
         }
diff --git a/src/lib/libcrypto/util/pl/VC-32.pl b/src/lib/libcrypto/util/pl/VC-32.pl
index d6e3a11530..285990c589 100644
--- a/src/lib/libcrypto/util/pl/VC-32.pl
+++ b/src/lib/libcrypto/util/pl/VC-32.pl
@@ -91,7 +91,7 @@ if ($shlib)
         {
         $mlflags.=" $lflags /dll";
 #       $cflags =~ s| /MD| /MT|;
-        $lib_cflag=" -D_WINDLL -D_DLL";
+        $lib_cflag=" -D_WINDLL";
         $out_def="out32dll";
         $tmp_def="tmp32dll";
         }
diff --git a/src/lib/libcrypto/util/ssleay.num b/src/lib/libcrypto/util/ssleay.num
index fdea47205d..46e38a131f 100644
--- a/src/lib/libcrypto/util/ssleay.num
+++ b/src/lib/libcrypto/util/ssleay.num
@@ -169,7 +169,7 @@ SSL_add_file_cert_subjects_to_stack     185	EXIST:!VMS:FUNCTION:STDIO
 SSL_add_file_cert_subjs_to_stk          185     EXIST:VMS:FUNCTION:STDIO
 SSL_set_tmp_rsa_callback                186     EXIST::FUNCTION:RSA
 SSL_set_tmp_dh_callback                 187     EXIST::FUNCTION:DH
-SSL_add_dir_cert_subjects_to_stack      188     EXIST:!VMS,!WIN32:FUNCTION:STDIO
+SSL_add_dir_cert_subjects_to_stack      188     EXIST:!VMS:FUNCTION:STDIO
 SSL_add_dir_cert_subjs_to_stk           188     NOEXIST::FUNCTION:
 SSL_set_session_id_context              189     EXIST::FUNCTION:
 SSL_CTX_use_certificate_chain_file      222     EXIST:!VMS:FUNCTION:STDIO
diff --git a/src/lib/libcrypto/x509/Makefile.ssl b/src/lib/libcrypto/x509/Makefile.ssl
index ee53294699..3a3452536c 100644
--- a/src/lib/libcrypto/x509/Makefile.ssl
+++ b/src/lib/libcrypto/x509/Makefile.ssl
@@ -78,7 +78,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/x509/by_file.c b/src/lib/libcrypto/x509/by_file.c
index 92e00d2d73..b4b04183d0 100644
--- a/src/lib/libcrypto/x509/by_file.c
+++ b/src/lib/libcrypto/x509/by_file.c
@@ -100,18 +100,19 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
         case X509_L_FILE_LOAD:
                 if (argl == X509_FILETYPE_DEFAULT)
                         {
-                        ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(),
-                                X509_FILETYPE_PEM) != 0);
+                        file = (char *)Getenv(X509_get_default_cert_file_env());
+                        if (file)
+                                ok = (X509_load_cert_crl_file(ctx,file,
+                                              X509_FILETYPE_PEM) != 0);
+
+                        else
+                                ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(),
+                                              X509_FILETYPE_PEM) != 0);
+
                         if (!ok)
                                 {
                                 X509err(X509_F_BY_FILE_CTRL,X509_R_LOADING_DEFAULTS);
                                 }
-                        else
-                                {
-                                file=(char *)Getenv(X509_get_default_cert_file_env());
-                                ok = (X509_load_cert_crl_file(ctx,file,
-                                        X509_FILETYPE_PEM) != 0);
-                                }
                         }
                 else
                         {
@@ -284,7 +285,8 @@ int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type)
                 if(itmp->x509) {
                         X509_STORE_add_cert(ctx->store_ctx, itmp->x509);
                         count++;
-                } else if(itmp->crl) {
+                }
+                if(itmp->crl) {
                         X509_STORE_add_crl(ctx->store_ctx, itmp->crl);
                         count++;
                 }
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index 7095440d36..eaad5685a8 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -87,7 +87,6 @@
 #ifndef OPENSSL_NO_SHA
 #include <openssl/sha.h>
 #endif
-#include <openssl/evp.h>
 #include <openssl/e_os2.h>
 #include <openssl/ossl_typ.h>
 
@@ -487,10 +486,12 @@ typedef struct Netscape_certificate_sequence
         STACK_OF(X509) *certs;
         } NETSCAPE_CERT_SEQUENCE;
 
+/* Unused (and iv length is wrong)
 typedef struct CBCParameter_st
         {
         unsigned char iv[8];
         } CBC_PARAM;
+*/
 
 /* Password based encryption structure */
 
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index cd20b6d66f..f460102f49 100644
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -57,6 +57,7 @@
  */
 
 #include <stdio.h>
+#include <ctype.h>
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/objects.h>
@@ -81,13 +82,14 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
         unsigned long ret=0;
         EVP_MD_CTX ctx;
         unsigned char md[16];
-        char str[256];
+        char *f;
 
         EVP_MD_CTX_init(&ctx);
-        X509_NAME_oneline(a->cert_info->issuer,str,256);
-        ret=strlen(str);
+        f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
+        ret=strlen(f);
         EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
-        EVP_DigestUpdate(&ctx,(unsigned char *)str,ret);
+        EVP_DigestUpdate(&ctx,(unsigned char *)f,ret);
+        OPENSSL_free(f);
         EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
                 (unsigned long)a->cert_info->serialNumber->length);
         EVP_DigestFinal_ex(&ctx,&(md[0]),NULL);
@@ -159,6 +161,99 @@ int X509_cmp(const X509 *a, const X509 *b)
 }
 #endif
 
+
+/* Case insensitive string comparision */
+static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
+{
+        int i;
+
+        if (a->length != b->length)
+                return (a->length - b->length);
+
+        for (i=0; i<a->length; i++)
+        {
+                int ca, cb;
+
+                ca = tolower(a->data[i]);
+                cb = tolower(b->data[i]);
+
+                if (ca != cb)
+                        return(ca-cb);
+        }
+        return 0;
+}
+
+/* Case insensitive string comparision with space normalization 
+ * Space normalization - ignore leading, trailing spaces, 
+ *       multiple spaces between characters are replaced by single space  
+ */
+static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
+{
+        unsigned char *pa = NULL, *pb = NULL;
+        int la, lb;
+        
+        la = a->length;
+        lb = b->length;
+        pa = a->data;
+        pb = b->data;
+
+        /* skip leading spaces */
+        while (la > 0 && isspace(*pa))
+        {
+                la--;
+                pa++;
+        }
+        while (lb > 0 && isspace(*pb))
+        {
+                lb--;
+                pb++;
+        }
+
+        /* skip trailing spaces */
+        while (la > 0 && isspace(pa[la-1]))
+                la--;
+        while (lb > 0 && isspace(pb[lb-1]))
+                lb--;
+
+        /* compare strings with space normalization */
+        while (la > 0 && lb > 0)
+        {
+                int ca, cb;
+
+                /* compare character */
+                ca = tolower(*pa);
+                cb = tolower(*pb);
+                if (ca != cb)
+                        return (ca - cb);
+
+                pa++; pb++;
+                la--; lb--;
+
+                if (la <= 0 || lb <= 0)
+                        break;
+
+                /* is white space next character ? */
+                if (isspace(*pa) && isspace(*pb))
+                {
+                        /* skip remaining white spaces */
+                        while (la > 0 && isspace(*pa))
+                        {
+                                la--;
+                                pa++;
+                        }
+                        while (lb > 0 && isspace(*pb))
+                        {
+                                lb--;
+                                pb++;
+                        }
+                }
+        }
+        if (la > 0 || lb > 0)
+                return la - lb;
+
+        return 0;
+}
+
 int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
         {
         int i,j;
@@ -172,10 +267,20 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
                 {
                 na=sk_X509_NAME_ENTRY_value(a->entries,i);
                 nb=sk_X509_NAME_ENTRY_value(b->entries,i);
-                j=na->value->length-nb->value->length;
+                j=na->value->type-nb->value->type;
                 if (j) return(j);
-                j=memcmp(na->value->data,nb->value->data,
-                        na->value->length);
+                if (na->value->type == V_ASN1_PRINTABLESTRING)
+                        j=nocase_spacenorm_cmp(na->value, nb->value);
+                else if (na->value->type == V_ASN1_IA5STRING
+                        && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress)
+                        j=nocase_cmp(na->value, nb->value);
+                else
+                        {
+                        j=na->value->length-nb->value->length;
+                        if (j) return(j);
+                        j=memcmp(na->value->data,nb->value->data,
+                                na->value->length);
+                        }
                 if (j) return(j);
                 j=na->set-nb->set;
                 if (j) return(j);
diff --git a/src/lib/libcrypto/x509/x509_v3.c b/src/lib/libcrypto/x509/x509_v3.c
index b5f7daa2e5..67b1796a92 100644
--- a/src/lib/libcrypto/x509/x509_v3.c
+++ b/src/lib/libcrypto/x509/x509_v3.c
@@ -116,7 +116,7 @@ int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
                 {
                 ex=sk_X509_EXTENSION_value(sk,lastpos);
                 if (    ((ex->critical > 0) && crit) ||
-                        (!(ex->critical <= 0) && !crit))
+                        ((ex->critical <= 0) && !crit))
                         return(lastpos);
                 }
         return(-1);
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index db12f7bd35..552d1e7251 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -756,7 +756,7 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
         {
         char *str;
         ASN1_TIME atm;
-        time_t offset;
+        long offset;
         char buff1[24],buff2[24],*p;
         int i,j;
 
diff --git a/src/lib/libcrypto/x509v3/Makefile.ssl b/src/lib/libcrypto/x509v3/Makefile.ssl
index 3534e8b236..66df90c346 100644
--- a/src/lib/libcrypto/x509v3/Makefile.ssl
+++ b/src/lib/libcrypto/x509v3/Makefile.ssl
@@ -74,7 +74,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
index 2fb97d8925..5442480595 100644
--- a/src/lib/libcrypto/x509v3/ext_dat.h
+++ b/src/lib/libcrypto/x509v3/ext_dat.h
@@ -90,17 +90,23 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 &v3_crld,
 &v3_ext_ku,
 &v3_crl_reason,
+#ifndef OPENSSL_NO_OCSP
 &v3_crl_invdate,
+#endif
 &v3_sxnet,
 &v3_info,
+#ifndef OPENSSL_NO_OCSP
 &v3_ocsp_nonce,
 &v3_ocsp_crlid,
 &v3_ocsp_accresp,
 &v3_ocsp_nocheck,
 &v3_ocsp_acutoff,
 &v3_ocsp_serviceloc,
+#endif
 &v3_sinfo,
+#ifndef OPENSSL_NO_OCSP
 &v3_crl_hold
+#endif
 };
 
 /* Number of standard extensions */
diff --git a/src/lib/libcrypto/x509v3/v3_info.c b/src/lib/libcrypto/x509v3/v3_info.c
index 92b9316b02..28cc00686a 100644
--- a/src/lib/libcrypto/x509v3/v3_info.c
+++ b/src/lib/libcrypto/x509v3/v3_info.c
@@ -113,8 +113,8 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method
                 ret = i2v_GENERAL_NAME(method, desc->location, ret);
                 if(!ret) break;
                 vtmp = sk_CONF_VALUE_value(ret, i);
-                i2t_ASN1_OBJECT(objtmp, 80, desc->method);
-                nlen = strlen(objtmp) + strlen(vtmp->name) + 4;
+                i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method);
+                nlen = strlen(objtmp) + strlen(vtmp->name) + 5;
                 ntmp = OPENSSL_malloc(nlen);
                 if(!ntmp) {
                         X509V3err(X509V3_F_I2V_AUTHORITY_INFO_ACCESS,
diff --git a/src/lib/libcrypto/x509v3/v3_ocsp.c b/src/lib/libcrypto/x509v3/v3_ocsp.c
index 083112314e..21badc13f9 100644
--- a/src/lib/libcrypto/x509v3/v3_ocsp.c
+++ b/src/lib/libcrypto/x509v3/v3_ocsp.c
@@ -56,6 +56,8 @@
  *
  */
 
+#ifndef OPENSSL_NO_OCSP
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/conf.h>
@@ -270,3 +272,4 @@ static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int
 err:
         return 0;
         }
+#endif
diff --git a/src/lib/libcrypto/x509v3/v3_prn.c b/src/lib/libcrypto/x509v3/v3_prn.c
index aeaf6170fe..754808b625 100644
--- a/src/lib/libcrypto/x509v3/v3_prn.c
+++ b/src/lib/libcrypto/x509v3/v3_prn.c
@@ -178,7 +178,7 @@ int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts
                 ASN1_OBJECT *obj;
                 X509_EXTENSION *ex;
                 ex=sk_X509_EXTENSION_value(exts, i);
-                if (BIO_printf(bp,"%*s",indent, "") <= 0) return 0;
+                if (indent && BIO_printf(bp,"%*s",indent, "") <= 0) return 0;
                 obj=X509_EXTENSION_get_object(ex);
                 i2a_ASN1_OBJECT(bp,obj);
                 j=X509_EXTENSION_get_critical(ex);
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
index b739e4fd83..4d145f71fd 100644
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -378,6 +378,10 @@ static void x509v3_cache_extensions(X509 *x)
                                 case NID_time_stamp:
                                 x->ex_xkusage |= XKU_TIMESTAMP;
                                 break;
+
+                                case NID_dvcs:
+                                x->ex_xkusage |= XKU_DVCS;
+                                break;
                         }
                 }
                 sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
diff --git a/src/lib/libcrypto/x509v3/v3_utl.c b/src/lib/libcrypto/x509v3/v3_utl.c
index 283e943e46..34ac2998de 100644
--- a/src/lib/libcrypto/x509v3/v3_utl.c
+++ b/src/lib/libcrypto/x509v3/v3_utl.c
@@ -491,7 +491,7 @@ static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens)
         i = -1;
         /* First supplied X509_NAME */
         while((i = X509_NAME_get_index_by_NID(name,
-                                         NID_pkcs9_emailAddress, i)) > 0) {
+                                         NID_pkcs9_emailAddress, i)) >= 0) {
                 ne = X509_NAME_get_entry(name, i);
                 email = X509_NAME_ENTRY_get_data(ne);
                 if(!append_ia5(&ret, email)) return NULL;
diff --git a/src/lib/libcrypto/x509v3/v3conf.c b/src/lib/libcrypto/x509v3/v3conf.c
index 67ee14f334..00cf5b4a5b 100644
--- a/src/lib/libcrypto/x509v3/v3conf.c
+++ b/src/lib/libcrypto/x509v3/v3conf.c
@@ -118,7 +118,7 @@ int main(int argc, char **argv)
                 printf("%s", OBJ_nid2ln(OBJ_obj2nid(ext->object)));
                 if(ext->critical) printf(",critical:\n");
                 else printf(":\n");
-                X509V3_EXT_print_fp(stdout, ext, 0);
+                X509V3_EXT_print_fp(stdout, ext, 0, 0);
                 printf("\n");
                 
         }
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
index daecc55271..fb07a19016 100644
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -352,6 +352,7 @@ DECLARE_ASN1_SET_OF(POLICYINFO)
 #define XKU_SGC                 0x10
 #define XKU_OCSP_SIGN           0x20
 #define XKU_TIMESTAMP           0x40
+#define XKU_DVCS                0x80
 
 #define X509_PURPOSE_DYNAMIC    0x1
 #define X509_PURPOSE_DYNAMIC_NAME       0x2