75 files changed, 822 insertions, 461 deletions

diff --git a/src/lib/libcrypto/Attic/Makefile b/src/lib/libcrypto/Attic/Makefile
index c1033f6d77..85d9f249c5 100644
--- a/src/lib/libcrypto/Attic/Makefile
+++ b/src/lib/libcrypto/Attic/Makefile
@@ -74,7 +74,9 @@ x86_64cpuid.s: x86_64cpuid.pl
         $(PERL) x86_64cpuid.pl $(PERLASM_SCHEME) > $@
 ia64cpuid.s: ia64cpuid.S
         $(CC) $(CFLAGS) -E ia64cpuid.S > $@
-ppccpuid.s:             ppccpuid.pl;    $(PERL) ppccpuid.pl $(PERLASM_SCHEME) $@
+ppccpuid.s:     ppccpuid.pl;    $(PERL) ppccpuid.pl $(PERLASM_SCHEME) $@
+alphacpuid.s:   alphacpuid.pl
+        $(PERL) $< | $(CC) -E - | tee $@ > /dev/null
 
 testapps:
         [ -z "$(THIS)" ] || (   if echo $(SDIRS) | fgrep ' des '; \
diff --git a/src/lib/libcrypto/asn1/a_int.c b/src/lib/libcrypto/asn1/a_int.c
index c6fd204ae3..3348b8762c 100644
--- a/src/lib/libcrypto/asn1/a_int.c
+++ b/src/lib/libcrypto/asn1/a_int.c
@@ -273,7 +273,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
         {
         ASN1_INTEGER *ret=NULL;
         const unsigned char *p;
-        unsigned char *to,*s;
+        unsigned char *s;
         long len;
         int inf,tag,xclass;
         int i;
@@ -308,7 +308,6 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
                 i=ERR_R_MALLOC_FAILURE;
                 goto err;
                 }
-        to=s;
         ret->type=V_ASN1_INTEGER;
         if(len) {
                 if ((*p == 0) && (len != 1))
diff --git a/src/lib/libcrypto/asn1/a_object.c b/src/lib/libcrypto/asn1/a_object.c
index e5fbe7cbb1..3978c9150d 100644
--- a/src/lib/libcrypto/asn1/a_object.c
+++ b/src/lib/libcrypto/asn1/a_object.c
@@ -139,7 +139,7 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
                                 ASN1err(ASN1_F_A2D_ASN1_OBJECT,ASN1_R_INVALID_DIGIT);
                                 goto err;
                                 }
-                        if (!use_bn && l > (ULONG_MAX / 10L))
+                        if (!use_bn && l >= ((ULONG_MAX - 80) / 10L))
                                 {
                                 use_bn = 1;
                                 if (!bl)
@@ -293,7 +293,7 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
         /* Sanity check OID encoding: can't have leading 0x80 in
          * subidentifiers, see: X.690 8.19.2
          */
-        for (i = 0, p = *pp + 1; i < len - 1; i++, p++)
+        for (i = 0, p = *pp; i < len; i++, p++)
                 {
                 if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
                         {
diff --git a/src/lib/libcrypto/asn1/a_strex.c b/src/lib/libcrypto/asn1/a_strex.c
index 7fc14d3296..264ebf2393 100644
--- a/src/lib/libcrypto/asn1/a_strex.c
+++ b/src/lib/libcrypto/asn1/a_strex.c
@@ -74,6 +74,11 @@
 
 #define CHARTYPE_BS_ESC         (ASN1_STRFLGS_ESC_2253 | CHARTYPE_FIRST_ESC_2253 | CHARTYPE_LAST_ESC_2253)
 
+#define ESC_FLAGS (ASN1_STRFLGS_ESC_2253 | \
+                  ASN1_STRFLGS_ESC_QUOTE | \
+                  ASN1_STRFLGS_ESC_CTRL | \
+                  ASN1_STRFLGS_ESC_MSB)
+
 
 /* Three IO functions for sending data to memory, a BIO and
  * and a FILE pointer.
@@ -148,6 +153,13 @@ static int do_esc_char(unsigned long c, unsigned char flags, char *do_quotes, ch
                 if(!io_ch(arg, tmphex, 3)) return -1;
                 return 3;
         }
+        /* If we get this far and do any escaping at all must escape 
+         * the escape character itself: backslash.
+         */
+        if (chtmp == '\\' && flags & ESC_FLAGS) {
+                if(!io_ch(arg, "\\\\", 2)) return -1;
+                return 2;
+        }
         if(!io_ch(arg, &chtmp, 1)) return -1;
         return 1;
 }
@@ -292,11 +304,6 @@ static const signed char tag2nbyte[] = {
         4, -1, 2                /* 28-30 */
 };
 
-#define ESC_FLAGS (ASN1_STRFLGS_ESC_2253 | \
-                  ASN1_STRFLGS_ESC_QUOTE | \
-                  ASN1_STRFLGS_ESC_CTRL | \
-                  ASN1_STRFLGS_ESC_MSB)
-
 /* This is the main function, print out an
  * ASN1_STRING taking note of various escape
  * and display options. Returns number of
diff --git a/src/lib/libcrypto/asn1/a_strnid.c b/src/lib/libcrypto/asn1/a_strnid.c
index 753021a7a2..2fc48c1551 100644
--- a/src/lib/libcrypto/asn1/a_strnid.c
+++ b/src/lib/libcrypto/asn1/a_strnid.c
@@ -95,7 +95,7 @@ unsigned long ASN1_STRING_get_default_mask(void)
  * default:   the default value, Printable, T61, BMP.
  */
 
-int ASN1_STRING_set_default_mask_asc(char *p)
+int ASN1_STRING_set_default_mask_asc(const char *p)
 {
         unsigned long mask;
         char *end;
diff --git a/src/lib/libcrypto/asn1/asn1.h b/src/lib/libcrypto/asn1/asn1.h
index f7718b5a94..59540e4e79 100644
--- a/src/lib/libcrypto/asn1/asn1.h
+++ b/src/lib/libcrypto/asn1/asn1.h
@@ -1067,7 +1067,7 @@ ASN1_STRING *ASN1_pack_string(void *obj, i2d_of_void *i2d,
 ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_OCTET_STRING **oct);
 
 void ASN1_STRING_set_default_mask(unsigned long mask);
-int ASN1_STRING_set_default_mask_asc(char *p);
+int ASN1_STRING_set_default_mask_asc(const char *p);
 unsigned long ASN1_STRING_get_default_mask(void);
 int ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in, int len,
                                         int inform, unsigned long mask);
diff --git a/src/lib/libcrypto/asn1/n_pkey.c b/src/lib/libcrypto/asn1/n_pkey.c
index 60bc437938..e7d0439062 100644
--- a/src/lib/libcrypto/asn1/n_pkey.c
+++ b/src/lib/libcrypto/asn1/n_pkey.c
@@ -242,7 +242,7 @@ RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,
                  int sgckey)
         {
         RSA *ret=NULL;
-        const unsigned char *p, *kp;
+        const unsigned char *p;
         NETSCAPE_ENCRYPTED_PKEY *enckey = NULL;
 
         p = *pp;
@@ -265,7 +265,6 @@ RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,
                 ASN1err(ASN1_F_D2I_RSA_NET,ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM);
                 goto err;
         }
-        kp = enckey->enckey->digest->data;
         if (cb == NULL)
                 cb=EVP_read_pw_string;
         if ((ret=d2i_RSA_NET_2(a, enckey->enckey->digest,cb, sgckey)) == NULL) goto err;
diff --git a/src/lib/libcrypto/asn1/t_crl.c b/src/lib/libcrypto/asn1/t_crl.c
index bdb244c015..ee5a687ce8 100644
--- a/src/lib/libcrypto/asn1/t_crl.c
+++ b/src/lib/libcrypto/asn1/t_crl.c
@@ -87,7 +87,7 @@ int X509_CRL_print(BIO *out, X509_CRL *x)
         STACK_OF(X509_REVOKED) *rev;
         X509_REVOKED *r;
         long l;
-        int i, n;
+        int i;
         char *p;
 
         BIO_printf(out, "Certificate Revocation List (CRL):\n");
@@ -107,7 +107,6 @@ int X509_CRL_print(BIO *out, X509_CRL *x)
         else BIO_printf(out,"NONE");
         BIO_printf(out,"\n");
 
-        n=X509_CRL_get_ext_count(x);
         X509V3_extensions_print(out, "CRL extensions",
                                                 x->crl->extensions, 0, 8);
 
diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c
index 3bee439968..87d7dfdf5c 100644
--- a/src/lib/libcrypto/asn1/tasn_dec.c
+++ b/src/lib/libcrypto/asn1/tasn_dec.c
@@ -168,7 +168,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
         int i;
         int otag;
         int ret = 0;
-        ASN1_VALUE *pchval, **pchptr, *ptmpval;
+        ASN1_VALUE **pchptr, *ptmpval;
         if (!pval)
                 return 0;
         if (aux && aux->asn1_cb)
@@ -319,7 +319,6 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
                         goto err;
                         }
                 /* CHOICE type, try each possibility in turn */
-                pchval = NULL;
                 p = *in;
                 for (i = 0, tt=it->templates; i < it->tcount; i++, tt++)
                         {
diff --git a/src/lib/libcrypto/asn1/x_name.c b/src/lib/libcrypto/asn1/x_name.c
index caa4409feb..49be08b4da 100644
--- a/src/lib/libcrypto/asn1/x_name.c
+++ b/src/lib/libcrypto/asn1/x_name.c
@@ -214,7 +214,9 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
         *val = nm.a;
         *in = p;
         return ret;
-        err:
+err:
+        if (nm.x != NULL)
+                X509_NAME_free(nm.x);
         ASN1err(ASN1_F_X509_NAME_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
         return 0;
 }
@@ -464,7 +466,8 @@ static int asn1_string_canon(ASN1_STRING *out, ASN1_STRING *in)
                         }
                 else
                         {
-                        *to++ = tolower(*from++);
+                        *to++ = tolower(*from);
+                        from++;
                         i++;
                         }
                 }
diff --git a/src/lib/libcrypto/asn1/x_x509.c b/src/lib/libcrypto/asn1/x_x509.c
index dafd3cc921..de3df9eb51 100644
--- a/src/lib/libcrypto/asn1/x_x509.c
+++ b/src/lib/libcrypto/asn1/x_x509.c
@@ -63,7 +63,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-ASN1_SEQUENCE(X509_CINF) = {
+ASN1_SEQUENCE_enc(X509_CINF, enc, 0) = {
         ASN1_EXP_OPT(X509_CINF, version, ASN1_INTEGER, 0),
         ASN1_SIMPLE(X509_CINF, serialNumber, ASN1_INTEGER),
         ASN1_SIMPLE(X509_CINF, signature, X509_ALGOR),
@@ -74,7 +74,7 @@ ASN1_SEQUENCE(X509_CINF) = {
         ASN1_IMP_OPT(X509_CINF, issuerUID, ASN1_BIT_STRING, 1),
         ASN1_IMP_OPT(X509_CINF, subjectUID, ASN1_BIT_STRING, 2),
         ASN1_EXP_SEQUENCE_OF_OPT(X509_CINF, extensions, X509_EXTENSION, 3)
-} ASN1_SEQUENCE_END(X509_CINF)
+} ASN1_SEQUENCE_END_enc(X509_CINF, X509_CINF)
 
 IMPLEMENT_ASN1_FUNCTIONS(X509_CINF)
 /* X509 top level structure needs a bit of customisation */
diff --git a/src/lib/libcrypto/bio/b_sock.c b/src/lib/libcrypto/bio/b_sock.c
index 12b0a53a81..d47310d650 100644
--- a/src/lib/libcrypto/bio/b_sock.c
+++ b/src/lib/libcrypto/bio/b_sock.c
@@ -551,7 +551,30 @@ int BIO_socket_ioctl(int fd, long type, void *arg)
 #ifdef __DJGPP__
         i=ioctlsocket(fd,type,(char *)arg);
 #else
-        i=ioctlsocket(fd,type,arg);
+# if defined(OPENSSL_SYS_VMS)
+        /* 2011-02-18 SMS.
+         * VMS ioctl() can't tolerate a 64-bit "void *arg", but we
+         * observe that all the consumers pass in an "unsigned long *",
+         * so we arrange a local copy with a short pointer, and use
+         * that, instead.
+         */
+#  if __INITIAL_POINTER_SIZE == 64
+#   define ARG arg_32p
+#   pragma pointer_size save
+#   pragma pointer_size 32
+        unsigned long arg_32;
+        unsigned long *arg_32p;
+#   pragma pointer_size restore
+        arg_32p = &arg_32;
+        arg_32 = *((unsigned long *) arg);
+#  else /* __INITIAL_POINTER_SIZE == 64 */
+#   define ARG arg
+#  endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+# else /* defined(OPENSSL_SYS_VMS) */
+#  define ARG arg
+# endif /* defined(OPENSSL_SYS_VMS) [else] */
+
+        i=ioctlsocket(fd,type,ARG);
 #endif /* __DJGPP__ */
         if (i < 0)
                 SYSerr(SYS_F_IOCTLSOCKET,get_last_socket_error());
@@ -660,6 +683,7 @@ int BIO_get_accept_socket(char *host, int bind_mode)
          * note that commonly IPv6 wildchard socket can service
          * IPv4 connections just as well...  */
         memset(&hint,0,sizeof(hint));
+        hint.ai_flags = AI_PASSIVE;
         if (h)
                 {
                 if (strchr(h,':'))
@@ -672,7 +696,10 @@ int BIO_get_accept_socket(char *host, int bind_mode)
 #endif
                         }
                 else if (h[0]=='*' && h[1]=='\0')
+                        {
+                        hint.ai_family = AF_INET;
                         h=NULL;
+                        }
                 }
 
         if ((*p_getaddrinfo.f)(h,p,&hint,&res)) break;
diff --git a/src/lib/libcrypto/bio/bf_nbio.c b/src/lib/libcrypto/bio/bf_nbio.c
index c72a23c2e1..028616c064 100644
--- a/src/lib/libcrypto/bio/bf_nbio.c
+++ b/src/lib/libcrypto/bio/bf_nbio.c
@@ -125,7 +125,6 @@ static int nbiof_free(BIO *a)
         
 static int nbiof_read(BIO *b, char *out, int outl)
         {
-        NBIO_TEST *nt;
         int ret=0;
 #if 1
         int num;
@@ -134,7 +133,6 @@ static int nbiof_read(BIO *b, char *out, int outl)
 
         if (out == NULL) return(0);
         if (b->next_bio == NULL) return(0);
-        nt=(NBIO_TEST *)b->ptr;
 
         BIO_clear_retry_flags(b);
 #if 1
diff --git a/src/lib/libcrypto/bio/bio_lib.c b/src/lib/libcrypto/bio/bio_lib.c
index 77f4de9c32..e12bc3a2ca 100644
--- a/src/lib/libcrypto/bio/bio_lib.c
+++ b/src/lib/libcrypto/bio/bio_lib.c
@@ -110,7 +110,7 @@ int BIO_set(BIO *bio, BIO_METHOD *method)
 
 int BIO_free(BIO *a)
         {
-        int ret=0,i;
+        int i;
 
         if (a == NULL) return(0);
 
@@ -133,7 +133,7 @@ int BIO_free(BIO *a)
         CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, a, &a->ex_data);
 
         if ((a->method == NULL) || (a->method->destroy == NULL)) return(1);
-        ret=a->method->destroy(a);
+        a->method->destroy(a);
         OPENSSL_free(a);
         return(1);
         }
diff --git a/src/lib/libcrypto/bio/bss_acpt.c b/src/lib/libcrypto/bio/bss_acpt.c
index 826f761143..5d49e1a72b 100644
--- a/src/lib/libcrypto/bio/bss_acpt.c
+++ b/src/lib/libcrypto/bio/bss_acpt.c
@@ -340,7 +340,6 @@ static int acpt_write(BIO *b, const char *in, int inl)
 
 static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr)
         {
-        BIO *dbio;
         int *ip;
         long ret=1;
         BIO_ACCEPT *data;
@@ -437,8 +436,8 @@ static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr)
                 ret=(long)data->bind_mode;
                 break;
         case BIO_CTRL_DUP:
-                dbio=(BIO *)ptr;
-/*              if (data->param_port) EAY EAY
+/*              dbio=(BIO *)ptr;
+                if (data->param_port) EAY EAY
                         BIO_set_port(dbio,data->param_port);
                 if (data->param_hostname)
                         BIO_set_hostname(dbio,data->param_hostname);
diff --git a/src/lib/libcrypto/bio/bss_dgram.c b/src/lib/libcrypto/bio/bss_dgram.c
index eb7e365467..71ebe987b6 100644
--- a/src/lib/libcrypto/bio/bss_dgram.c
+++ b/src/lib/libcrypto/bio/bss_dgram.c
@@ -57,7 +57,6 @@
  *
  */
 
-#ifndef OPENSSL_NO_DGRAM
 
 #include <stdio.h>
 #include <errno.h>
@@ -65,6 +64,7 @@
 #include "cryptlib.h"
 
 #include <openssl/bio.h>
+#ifndef OPENSSL_NO_DGRAM
 
 #if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS)
 #include <sys/timeb.h>
@@ -308,7 +308,6 @@ static int dgram_read(BIO *b, char *out, int outl)
                         OPENSSL_assert(sa.len.s<=sizeof(sa.peer));
                         sa.len.i = (int)sa.len.s;
                         }
-                dgram_reset_rcv_timeout(b);
 
                 if ( ! data->connected  && ret >= 0)
                         BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &sa.peer);
@@ -322,6 +321,8 @@ static int dgram_read(BIO *b, char *out, int outl)
                                 data->_errno = get_last_socket_error();
                                 }
                         }
+
+                dgram_reset_rcv_timeout(b);
                 }
         return(ret);
         }
@@ -340,7 +341,7 @@ static int dgram_write(BIO *b, const char *in, int inl)
 
                 if (data->peer.sa.sa_family == AF_INET)
                         peerlen = sizeof(data->peer.sa_in);
-#if OPENSSL_USE_IVP6
+#if OPENSSL_USE_IPV6
                 else if (data->peer.sa.sa_family == AF_INET6)
                         peerlen = sizeof(data->peer.sa_in6);
 #endif
@@ -745,9 +746,13 @@ static int BIO_dgram_should_retry(int i)
                 {
                 err=get_last_socket_error();
 
-#if defined(OPENSSL_SYS_WINDOWS) && 0 /* more microsoft stupidity? perhaps not? Ben 4/1/99 */
-                if ((i == -1) && (err == 0))
-                        return(1);
+#if defined(OPENSSL_SYS_WINDOWS)
+        /* If the socket return value (i) is -1
+         * and err is unexpectedly 0 at this point,
+         * the error code was overwritten by
+         * another system call before this error
+         * handling is called.
+         */
 #endif
 
                 return(BIO_dgram_non_fatal_error(err));
@@ -810,7 +815,6 @@ int BIO_dgram_non_fatal_error(int err)
                 }
         return(0);
         }
-#endif
 
 static void get_current_time(struct timeval *t)
         {
@@ -828,3 +832,5 @@ static void get_current_time(struct timeval *t)
         gettimeofday(t, NULL);
 #endif
         }
+
+#endif
diff --git a/src/lib/libcrypto/bio/bss_file.c b/src/lib/libcrypto/bio/bss_file.c
index 8bfa0bcd97..b954fe7ebc 100644
--- a/src/lib/libcrypto/bio/bss_file.c
+++ b/src/lib/libcrypto/bio/bss_file.c
@@ -123,6 +123,7 @@ BIO *BIO_new_file(const char *filename, const char *mode)
 
 #if defined(_WIN32) && defined(CP_UTF8)
         int sz, len_0 = (int)strlen(filename)+1;
+        DWORD flags;
 
         /*
          * Basically there are three cases to cover: a) filename is
@@ -136,17 +137,22 @@ BIO *BIO_new_file(const char *filename, const char *mode)
          * ERROR_NO_UNICODE_TRANSLATION, in which case we fall
          * back to fopen...
          */
-        if ((sz=MultiByteToWideChar(CP_UTF8,MB_ERR_INVALID_CHARS,
+        if ((sz=MultiByteToWideChar(CP_UTF8,(flags=MB_ERR_INVALID_CHARS),
+                                        filename,len_0,NULL,0))>0 ||
+            (GetLastError()==ERROR_INVALID_FLAGS &&
+             (sz=MultiByteToWideChar(CP_UTF8,(flags=0),
                                         filename,len_0,NULL,0))>0)
+           )
                 {
                 WCHAR  wmode[8];
                 WCHAR *wfilename = _alloca(sz*sizeof(WCHAR));
 
-                if (MultiByteToWideChar(CP_UTF8,MB_ERR_INVALID_CHARS,
+                if (MultiByteToWideChar(CP_UTF8,flags,
                                         filename,len_0,wfilename,sz) &&
                     MultiByteToWideChar(CP_UTF8,0,mode,strlen(mode)+1,
                                         wmode,sizeof(wmode)/sizeof(wmode[0])) &&
-                    (file=_wfopen(wfilename,wmode))==NULL && errno==ENOENT
+                    (file=_wfopen(wfilename,wmode))==NULL &&
+                    (errno==ENOENT || errno==EBADF)
                    )    /* UTF-8 decode succeeded, but no file, filename
                          * could still have been locale-ized... */
                         file = fopen(filename,mode);
diff --git a/src/lib/libcrypto/bio/bss_log.c b/src/lib/libcrypto/bio/bss_log.c
index 7ead044b37..b7dce5c1a2 100644
--- a/src/lib/libcrypto/bio/bss_log.c
+++ b/src/lib/libcrypto/bio/bss_log.c
@@ -75,6 +75,15 @@
 #  include <descrip.h>
 #  include <lib$routines.h>
 #  include <starlet.h>
+/* Some compiler options may mask the declaration of "_malloc32". */
+#  if __INITIAL_POINTER_SIZE && defined _ANSI_C_SOURCE
+#    if __INITIAL_POINTER_SIZE == 64
+#      pragma pointer_size save
+#      pragma pointer_size 32
+    void * _malloc32  (__size_t);
+#      pragma pointer_size restore
+#    endif /* __INITIAL_POINTER_SIZE == 64 */
+#  endif /* __INITIAL_POINTER_SIZE && defined _ANSI_C_SOURCE */
 #elif defined(__ultrix)
 #  include <sys/syslog.h>
 #elif defined(OPENSSL_SYS_NETWARE)
@@ -300,7 +309,24 @@ static void xopenlog(BIO* bp, char* name, int level)
 static void xsyslog(BIO *bp, int priority, const char *string)
 {
         struct dsc$descriptor_s opc_dsc;
+
+/* Arrange 32-bit pointer to opcdef buffer and malloc(), if needed. */
+#if __INITIAL_POINTER_SIZE == 64
+# pragma pointer_size save
+# pragma pointer_size 32
+# define OPCDEF_TYPE __char_ptr32
+# define OPCDEF_MALLOC _malloc32
+#else /* __INITIAL_POINTER_SIZE == 64 */
+# define OPCDEF_TYPE char *
+# define OPCDEF_MALLOC OPENSSL_malloc
+#endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+
         struct opcdef *opcdef_p;
+
+#if __INITIAL_POINTER_SIZE == 64
+# pragma pointer_size restore
+#endif /* __INITIAL_POINTER_SIZE == 64 */
+
         char buf[10240];
         unsigned int len;
         struct dsc$descriptor_s buf_dsc;
@@ -326,8 +352,8 @@ static void xsyslog(BIO *bp, int priority, const char *string)
 
         lib$sys_fao(&fao_cmd, &len, &buf_dsc, priority_tag, string);
 
-        /* we know there's an 8 byte header.  That's documented */
-        opcdef_p = (struct opcdef *) OPENSSL_malloc(8 + len);
+        /* We know there's an 8-byte header.  That's documented. */
+        opcdef_p = OPCDEF_MALLOC( 8+ len);
         opcdef_p->opc$b_ms_type = OPC$_RQ_RQST;
         memcpy(opcdef_p->opc$z_ms_target_classes, &VMS_OPC_target, 3);
         opcdef_p->opc$l_ms_rqstid = 0;
@@ -335,7 +361,7 @@ static void xsyslog(BIO *bp, int priority, const char *string)
 
         opc_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
         opc_dsc.dsc$b_class = DSC$K_CLASS_S;
-        opc_dsc.dsc$a_pointer = (char *)opcdef_p;
+        opc_dsc.dsc$a_pointer = (OPCDEF_TYPE) opcdef_p;
         opc_dsc.dsc$w_length = len + 8;
 
         sys$sndopr(opc_dsc, 0);
diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index e484b7fc11..a0bc47837d 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -253,6 +253,24 @@ extern "C" {
 #define BN_HEX_FMT2     "%08X"
 #endif
 
+/* 2011-02-22 SMS.
+ * In various places, a size_t variable or a type cast to size_t was
+ * used to perform integer-only operations on pointers.  This failed on
+ * VMS with 64-bit pointers (CC /POINTER_SIZE = 64) because size_t is
+ * still only 32 bits.  What's needed in these cases is an integer type
+ * with the same size as a pointer, which size_t is not certain to be. 
+ * The only fix here is VMS-specific.
+ */
+#if defined(OPENSSL_SYS_VMS)
+# if __INITIAL_POINTER_SIZE == 64
+#  define PTR_SIZE_INT long long
+# else /* __INITIAL_POINTER_SIZE == 64 */
+#  define PTR_SIZE_INT int
+# endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+#else /* defined(OPENSSL_SYS_VMS) */
+# define PTR_SIZE_INT size_t
+#endif /* defined(OPENSSL_SYS_VMS) [else] */
+
 #define BN_DEFAULT_BITS 1280
 
 #define BN_FLG_MALLOCED         0x01
diff --git a/src/lib/libcrypto/bn/bn_exp2.c b/src/lib/libcrypto/bn/bn_exp2.c
index b3f43cec8c..bd0c34b91b 100644
--- a/src/lib/libcrypto/bn/bn_exp2.c
+++ b/src/lib/libcrypto/bn/bn_exp2.c
@@ -301,7 +301,8 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
                         r_is_one = 0;
                         }
                 }
-        BN_from_montgomery(rr,r,mont,ctx);
+        if (!BN_from_montgomery(rr,r,mont,ctx))
+                goto err;
         ret=1;
 err:
         if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
diff --git a/src/lib/libcrypto/bn/bn_gf2m.c b/src/lib/libcrypto/bn/bn_gf2m.c
index 527b0fa15b..432a3aa338 100644
--- a/src/lib/libcrypto/bn/bn_gf2m.c
+++ b/src/lib/libcrypto/bn/bn_gf2m.c
@@ -545,6 +545,7 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
                 {
                 while (!BN_is_odd(u))
                         {
+                        if (BN_is_zero(u)) goto err;
                         if (!BN_rshift1(u, u)) goto err;
                         if (BN_is_odd(b))
                                 {
diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c
index 7224637ab3..1a866880f5 100644
--- a/src/lib/libcrypto/bn/bn_mont.c
+++ b/src/lib/libcrypto/bn/bn_mont.c
@@ -277,7 +277,7 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
         m1|=m2;                 /* (al!=ri) */
         m1|=(0-(size_t)v);      /* (al!=ri || v) */
         m1&=~m2;                /* (al!=ri || v) && !al>ri */
-        nrp=(BN_ULONG *)(((size_t)rp&~m1)|((size_t)ap&m1));
+        nrp=(BN_ULONG *)(((PTR_SIZE_INT)rp&~m1)|((PTR_SIZE_INT)ap&m1));
         }
 
         /* 'i<ri' is chosen to eliminate dependency on input data, even
diff --git a/src/lib/libcrypto/bn/bn_mul.c b/src/lib/libcrypto/bn/bn_mul.c
index a0e9ec3b46..12e5be80eb 100644
--- a/src/lib/libcrypto/bn/bn_mul.c
+++ b/src/lib/libcrypto/bn/bn_mul.c
@@ -551,7 +551,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
              int tna, int tnb, BN_ULONG *t)
         {
         int i,j,n2=n*2;
-        int c1,c2,neg,zero;
+        int c1,c2,neg;
         BN_ULONG ln,lo,*p;
 
 # ifdef BN_COUNT
@@ -567,7 +567,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
         /* r=(a[0]-a[1])*(b[1]-b[0]) */
         c1=bn_cmp_part_words(a,&(a[n]),tna,n-tna);
         c2=bn_cmp_part_words(&(b[n]),b,tnb,tnb-n);
-        zero=neg=0;
+        neg=0;
         switch (c1*3+c2)
                 {
         case -4:
@@ -575,7 +575,6 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
                 bn_sub_part_words(&(t[n]),b,      &(b[n]),tnb,n-tnb); /* - */
                 break;
         case -3:
-                zero=1;
                 /* break; */
         case -2:
                 bn_sub_part_words(t,      &(a[n]),a,      tna,tna-n); /* - */
@@ -585,7 +584,6 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
         case -1:
         case 0:
         case 1:
-                zero=1;
                 /* break; */
         case 2:
                 bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna); /* + */
@@ -593,7 +591,6 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
                 neg=1;
                 break;
         case 3:
-                zero=1;
                 /* break; */
         case 4:
                 bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna);
@@ -1012,7 +1009,6 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
                 {
                 if (i >= -1 && i <= 1)
                         {
-                        int sav_j =0;
                         /* Find out the power of two lower or equal
                            to the longest of the two numbers */
                         if (i >= 0)
@@ -1023,7 +1019,6 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
                                 {
                                 j = BN_num_bits_word((BN_ULONG)bl);
                                 }
-                        sav_j = j;
                         j = 1<<(j-1);
                         assert(j <= al || j <= bl);
                         k = j+j;
diff --git a/src/lib/libcrypto/bn/bn_nist.c b/src/lib/libcrypto/bn/bn_nist.c
index 2ca5b01391..c6de032696 100644
--- a/src/lib/libcrypto/bn/bn_nist.c
+++ b/src/lib/libcrypto/bn/bn_nist.c
@@ -354,7 +354,7 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                  buf[BN_NIST_192_TOP],
                  c_d[BN_NIST_192_TOP],
                 *res;
-        size_t   mask;
+        PTR_SIZE_INT mask;
         static const BIGNUM _bignum_nist_p_192_sqr = {
                 (BN_ULONG *)_nist_p_192_sqr,
                 sizeof(_nist_p_192_sqr)/sizeof(_nist_p_192_sqr[0]),
@@ -405,9 +405,10 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
          * 'tmp=result-modulus; if (!carry || !borrow) result=tmp;'
          * this is what happens below, but without explicit if:-) a.
          */
-        mask  = 0-(size_t)bn_sub_words(c_d,r_d,_nist_p_192[0],BN_NIST_192_TOP);
-        mask &= 0-(size_t)carry;
-        res   = (BN_ULONG *)(((size_t)c_d&~mask) | ((size_t)r_d&mask));
+        mask  = 0-(PTR_SIZE_INT)bn_sub_words(c_d,r_d,_nist_p_192[0],BN_NIST_192_TOP);
+        mask &= 0-(PTR_SIZE_INT)carry;
+        res   = (BN_ULONG *)
+         (((PTR_SIZE_INT)c_d&~mask) | ((PTR_SIZE_INT)r_d&mask));
         nist_cp_bn(r_d, res, BN_NIST_192_TOP);
         r->top = BN_NIST_192_TOP;
         bn_correct_top(r);
@@ -438,8 +439,8 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                  buf[BN_NIST_224_TOP],
                  c_d[BN_NIST_224_TOP],
                 *res;
-        size_t   mask;
-        union { bn_addsub_f f; size_t p; } u;
+        PTR_SIZE_INT mask;
+        union { bn_addsub_f f; PTR_SIZE_INT p; } u;
         static const BIGNUM _bignum_nist_p_224_sqr = {
                 (BN_ULONG *)_nist_p_224_sqr,
                 sizeof(_nist_p_224_sqr)/sizeof(_nist_p_224_sqr[0]),
@@ -510,16 +511,18 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                  * to be compared to the modulus and conditionally
                  * adjusted by *subtracting* the latter. */
                 carry = (int)bn_add_words(r_d,r_d,_nist_p_224[-carry-1],BN_NIST_224_TOP);
-                mask = 0-(size_t)carry;
-                u.p = ((size_t)bn_sub_words&mask) | ((size_t)bn_add_words&~mask);
+                mask = 0-(PTR_SIZE_INT)carry;
+                u.p = ((PTR_SIZE_INT)bn_sub_words&mask) |
+                 ((PTR_SIZE_INT)bn_add_words&~mask);
                 }
         else
                 carry = 1;
 
         /* otherwise it's effectively same as in BN_nist_mod_192... */
-        mask  = 0-(size_t)(*u.f)(c_d,r_d,_nist_p_224[0],BN_NIST_224_TOP);
-        mask &= 0-(size_t)carry;
-        res   = (BN_ULONG *)(((size_t)c_d&~mask) | ((size_t)r_d&mask));
+        mask  = 0-(PTR_SIZE_INT)(*u.f)(c_d,r_d,_nist_p_224[0],BN_NIST_224_TOP);
+        mask &= 0-(PTR_SIZE_INT)carry;
+        res   = (BN_ULONG *)(((PTR_SIZE_INT)c_d&~mask) |
+         ((PTR_SIZE_INT)r_d&mask));
         nist_cp_bn(r_d, res, BN_NIST_224_TOP);
         r->top = BN_NIST_224_TOP;
         bn_correct_top(r);
@@ -549,8 +552,8 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                  buf[BN_NIST_256_TOP],
                  c_d[BN_NIST_256_TOP],
                 *res;
-        size_t   mask;
-        union { bn_addsub_f f; size_t p; } u;
+        PTR_SIZE_INT mask;
+        union { bn_addsub_f f; PTR_SIZE_INT p; } u;
         static const BIGNUM _bignum_nist_p_256_sqr = {
                 (BN_ULONG *)_nist_p_256_sqr,
                 sizeof(_nist_p_256_sqr)/sizeof(_nist_p_256_sqr[0]),
@@ -629,15 +632,17 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         else if (carry < 0)
                 {
                 carry = (int)bn_add_words(r_d,r_d,_nist_p_256[-carry-1],BN_NIST_256_TOP);
-                mask = 0-(size_t)carry;
-                u.p = ((size_t)bn_sub_words&mask) | ((size_t)bn_add_words&~mask);
+                mask = 0-(PTR_SIZE_INT)carry;
+                u.p = ((PTR_SIZE_INT)bn_sub_words&mask) |
+                 ((PTR_SIZE_INT)bn_add_words&~mask);
                 }
         else
                 carry = 1;
 
-        mask  = 0-(size_t)(*u.f)(c_d,r_d,_nist_p_256[0],BN_NIST_256_TOP);
-        mask &= 0-(size_t)carry;
-        res   = (BN_ULONG *)(((size_t)c_d&~mask) | ((size_t)r_d&mask));
+        mask  = 0-(PTR_SIZE_INT)(*u.f)(c_d,r_d,_nist_p_256[0],BN_NIST_256_TOP);
+        mask &= 0-(PTR_SIZE_INT)carry;
+        res   = (BN_ULONG *)(((PTR_SIZE_INT)c_d&~mask) |
+         ((PTR_SIZE_INT)r_d&mask));
         nist_cp_bn(r_d, res, BN_NIST_256_TOP);
         r->top = BN_NIST_256_TOP;
         bn_correct_top(r);
@@ -671,8 +676,8 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                  buf[BN_NIST_384_TOP],
                  c_d[BN_NIST_384_TOP],
                 *res;
-        size_t   mask;
-        union { bn_addsub_f f; size_t p; } u;
+        PTR_SIZE_INT mask;
+        union { bn_addsub_f f; PTR_SIZE_INT p; } u;
         static const BIGNUM _bignum_nist_p_384_sqr = {
                 (BN_ULONG *)_nist_p_384_sqr,
                 sizeof(_nist_p_384_sqr)/sizeof(_nist_p_384_sqr[0]),
@@ -754,15 +759,17 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         else if (carry < 0)
                 {
                 carry = (int)bn_add_words(r_d,r_d,_nist_p_384[-carry-1],BN_NIST_384_TOP);
-                mask = 0-(size_t)carry;
-                u.p = ((size_t)bn_sub_words&mask) | ((size_t)bn_add_words&~mask);
+                mask = 0-(PTR_SIZE_INT)carry;
+                u.p = ((PTR_SIZE_INT)bn_sub_words&mask) |
+                 ((PTR_SIZE_INT)bn_add_words&~mask);
                 }
         else
                 carry = 1;
 
-        mask  = 0-(size_t)(*u.f)(c_d,r_d,_nist_p_384[0],BN_NIST_384_TOP);
-        mask &= 0-(size_t)carry;
-        res   = (BN_ULONG *)(((size_t)c_d&~mask) | ((size_t)r_d&mask));
+        mask  = 0-(PTR_SIZE_INT)(*u.f)(c_d,r_d,_nist_p_384[0],BN_NIST_384_TOP);
+        mask &= 0-(PTR_SIZE_INT)carry;
+        res   = (BN_ULONG *)(((PTR_SIZE_INT)c_d&~mask) |
+         ((PTR_SIZE_INT)r_d&mask));
         nist_cp_bn(r_d, res, BN_NIST_384_TOP);
         r->top = BN_NIST_384_TOP;
         bn_correct_top(r);
@@ -781,7 +788,7 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         BN_ULONG *r_d, *a_d = a->d,
                  t_d[BN_NIST_521_TOP],
                  val,tmp,*res;
-        size_t  mask;
+        PTR_SIZE_INT mask;
         static const BIGNUM _bignum_nist_p_521_sqr = {
                 (BN_ULONG *)_nist_p_521_sqr,
                 sizeof(_nist_p_521_sqr)/sizeof(_nist_p_521_sqr[0]),
@@ -826,8 +833,9 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         r_d[i] &= BN_NIST_521_TOP_MASK;
 
         bn_add_words(r_d,r_d,t_d,BN_NIST_521_TOP);
-        mask = 0-(size_t)bn_sub_words(t_d,r_d,_nist_p_521,BN_NIST_521_TOP);
-        res  = (BN_ULONG *)(((size_t)t_d&~mask) | ((size_t)r_d&mask));
+        mask = 0-(PTR_SIZE_INT)bn_sub_words(t_d,r_d,_nist_p_521,BN_NIST_521_TOP);
+        res  = (BN_ULONG *)(((PTR_SIZE_INT)t_d&~mask) |
+         ((PTR_SIZE_INT)r_d&mask));
         nist_cp_bn(r_d,res,BN_NIST_521_TOP);
         r->top = BN_NIST_521_TOP;
         bn_correct_top(r);
diff --git a/src/lib/libcrypto/comp/c_rle.c b/src/lib/libcrypto/comp/c_rle.c
index efd366fa22..18bceae51e 100644
--- a/src/lib/libcrypto/comp/c_rle.c
+++ b/src/lib/libcrypto/comp/c_rle.c
@@ -46,7 +46,7 @@ static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
         {
         int i;
 
-        if (olen < (ilen-1))
+        if (ilen == 0 || olen < (ilen-1))
                 {
                 /* ZZZZZZZZZZZZZZZZZZZZZZ */
                 return(-1);
@@ -59,4 +59,3 @@ static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
                 }
         return(ilen-1);
         }
-
diff --git a/src/lib/libcrypto/conf/conf_api.c b/src/lib/libcrypto/conf/conf_api.c
index 22617e5fa1..f5fcbb9f6b 100644
--- a/src/lib/libcrypto/conf/conf_api.c
+++ b/src/lib/libcrypto/conf/conf_api.c
@@ -64,6 +64,7 @@
 #endif
 
 #include <assert.h>
+#include <stdlib.h>
 #include <string.h>
 #include <openssl/conf.h>
 #include <openssl/conf_api.h>
@@ -285,7 +286,7 @@ CONF_VALUE *_CONF_new_section(CONF *conf, const char *section)
         v->value=(char *)sk;
         
         vv=lh_CONF_VALUE_insert(conf->data,v);
-        assert(vv == NULL);
+        OPENSSL_assert(vv == NULL);
         ok=1;
 err:
         if (!ok)
diff --git a/src/lib/libcrypto/conf/conf_def.c b/src/lib/libcrypto/conf/conf_def.c
index 0b571b0394..cf951320af 100644
--- a/src/lib/libcrypto/conf/conf_def.c
+++ b/src/lib/libcrypto/conf/conf_def.c
@@ -213,13 +213,12 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
         int bufnum=0,i,ii;
         BUF_MEM *buff=NULL;
         char *s,*p,*end;
-        int again,n;
+        int again;
         long eline=0;
         char btmp[DECIMAL_SIZE(eline)+1];
         CONF_VALUE *v=NULL,*tv;
         CONF_VALUE *sv=NULL;
         char *section=NULL,*buf;
-        STACK_OF(CONF_VALUE) *section_sk=NULL,*ts;
         char *start,*psection,*pname;
         void *h = (void *)(conf->data);
 
@@ -250,7 +249,6 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
                                         CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
                 goto err;
                 }
-        section_sk=(STACK_OF(CONF_VALUE) *)sv->value;
 
         bufnum=0;
         again=0;
@@ -309,7 +307,6 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
                 buf=buff->data;
 
                 clear_comments(conf, buf);
-                n=strlen(buf);
                 s=eat_ws(conf, buf);
                 if (IS_EOF(conf,*s)) continue; /* blank line */
                 if (*s == '[')
@@ -343,7 +340,6 @@ again:
                                         CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
                                 goto err;
                                 }
-                        section_sk=(STACK_OF(CONF_VALUE) *)sv->value;
                         continue;
                         }
                 else
@@ -406,13 +402,9 @@ again:
                                            CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
                                         goto err;
                                         }
-                                ts=(STACK_OF(CONF_VALUE) *)tv->value;
                                 }
                         else
-                                {
                                 tv=sv;
-                                ts=section_sk;
-                                }
 #if 1
                         if (_CONF_add_string(conf, tv, v) == 0)
                                 {
@@ -465,9 +457,6 @@ err:
 
 static void clear_comments(CONF *conf, char *p)
         {
-        char *to;
-
-        to=p;
         for (;;)
                 {
                 if (IS_FCOMMENT(conf,*p))
diff --git a/src/lib/libcrypto/cryptlib.c b/src/lib/libcrypto/cryptlib.c
index b4449b86d6..24fe123e14 100644
--- a/src/lib/libcrypto/cryptlib.c
+++ b/src/lib/libcrypto/cryptlib.c
@@ -731,7 +731,6 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason,
         case DLL_THREAD_ATTACH:
                 break;
         case DLL_THREAD_DETACH:
-                ERR_remove_state(0);
                 break;
         case DLL_PROCESS_DETACH:
                 break;
@@ -743,6 +742,16 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason,
 #if defined(_WIN32) && !defined(__CYGWIN__)
 #include <tchar.h>
 #include <signal.h>
+#ifdef __WATCOMC__
+#if defined(_UNICODE) || defined(__UNICODE__)
+#define _vsntprintf _vsnwprintf
+#else
+#define _vsntprintf _vsnprintf
+#endif
+#endif
+#ifdef _MSC_VER
+#define alloca _alloca
+#endif
 
 #if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
 int OPENSSL_isservice(void)
@@ -773,11 +782,7 @@ int OPENSSL_isservice(void)
 
     if (len>512) return -1;             /* paranoia */
     len++,len&=~1;                      /* paranoia */
-#ifdef _MSC_VER
-    name=(WCHAR *)_alloca(len+sizeof(WCHAR));
-#else
     name=(WCHAR *)alloca(len+sizeof(WCHAR));
-#endif
     if (!GetUserObjectInformationW (h,UOI_NAME,name,len,&len))
         return -1;
 
@@ -822,11 +827,7 @@ void OPENSSL_showfatal (const char *fmta,...)
       size_t len_0=strlen(fmta)+1,i;
       WCHAR *fmtw;
 
-#ifdef _MSC_VER
-        fmtw = (WCHAR *)_alloca (len_0*sizeof(WCHAR));
-#else
-        fmtw = (WCHAR *)alloca (len_0*sizeof(WCHAR));
-#endif
+        fmtw = (WCHAR *)alloca(len_0*sizeof(WCHAR));
         if (fmtw == NULL) { fmt=(const TCHAR *)L"no stack?"; break; }
 
 #ifndef OPENSSL_NO_MULTIBYTE
diff --git a/src/lib/libcrypto/crypto-lib.com b/src/lib/libcrypto/crypto-lib.com
index a4b6635091..a29c0afd93 100644
--- a/src/lib/libcrypto/crypto-lib.com
+++ b/src/lib/libcrypto/crypto-lib.com
@@ -47,11 +47,33 @@ $!  P6, if defined, sets a choice of crypto methods to compile.
 $!  WARNING: this should only be done to recompile some part of an already
 $!  fully compiled library.
 $!
+$!  P7, if defined, specifies the C pointer size.  Ignored on VAX.
+$!      ("64=ARGV" gives more efficient code with HP C V7.3 or newer.)
+$!      Supported values are:
+$!
+$!      ""       Compile with default (/NOPOINTER_SIZE)
+$!      32       Compile with /POINTER_SIZE=32 (SHORT)
+$!      64       Compile with /POINTER_SIZE=64[=ARGV] (LONG[=ARGV]).
+$!               (Automatically select ARGV if compiler supports it.)
+$!      64=      Compile with /POINTER_SIZE=64 (LONG).
+$!      64=ARGV  Compile with /POINTER_SIZE=64=ARGV (LONG=ARGV).
+$!
+$!  P8, if defined, specifies a directory where ZLIB files (zlib.h,
+$!  libz.olb) may be found.  Optionally, a non-default object library
+$!  name may be included ("dev:[dir]libz_64.olb", for example).
+$!
+$!
+$! Announce/identify.
+$!
+$ proc = f$environment( "procedure")
+$ write sys$output "@@@ "+ -
+   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
 $!
 $! Define A TCP/IP Library That We Will Need To Link To.
 $! (That Is, If We Need To Link To One.)
 $!
 $ TCPIP_LIB = ""
+$ ZLIB_LIB = ""
 $!
 $! Check Which Architecture We Are Using.
 $!
@@ -75,6 +97,11 @@ $! End The Architecture Check.
 $!
 $ ENDIF
 $!
+$ ARCHD = ARCH
+$ LIB32 = "32"
+$ OPT_FILE = ""
+$ POINTER_SIZE = ""
+$!
 $! Define The Different Encryption Types.
 $! NOTE: Some might think this list ugly.  However, it's made this way to
 $! reflect the SDIRS variable in [-]Makefile.org as closely as possible,
@@ -91,17 +118,29 @@ $ ENCRYPT_TYPES = "Basic,"+ -
                   "EVP,EVP_2,EVP_3,ASN1,ASN1_2,PEM,X509,X509V3,"+ -
                   "CONF,TXT_DB,PKCS7,PKCS12,COMP,OCSP,UI,KRB5,"+ -
                   "STORE,CMS,PQUEUE,TS,JPAKE"
-$! Define The OBJ Directory.
 $!
-$ OBJ_DIR := SYS$DISK:[-.'ARCH'.OBJ.CRYPTO]
+$! Check To Make Sure We Have Valid Command Line Parameters.
+$!
+$ GOSUB CHECK_OPTIONS
 $!
-$! Define The EXE Directory.
+$! Define The OBJ and EXE Directories.
 $!
-$ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.CRYPTO]
+$ OBJ_DIR := SYS$DISK:[-.'ARCHD'.OBJ.CRYPTO]
+$ EXE_DIR := SYS$DISK:[-.'ARCHD'.EXE.CRYPTO]
 $!
-$! Check To Make Sure We Have Valid Command Line Parameters.
+$! Specify the destination directory in any /MAP option.
 $!
-$ GOSUB CHECK_OPTIONS
+$ if (LINKMAP .eqs. "MAP")
+$ then
+$   LINKMAP = LINKMAP+ "=''EXE_DIR'"
+$ endif
+$!
+$! Add the location prefix to the linker options file name.
+$!
+$ if (OPT_FILE .nes. "")
+$ then
+$   OPT_FILE = EXE_DIR+ OPT_FILE
+$ endif
 $!
 $! Initialise logical names and such
 $!
@@ -109,7 +148,7 @@ $ GOSUB INITIALISE
 $!
 $! Tell The User What Kind of Machine We Run On.
 $!
-$ WRITE SYS$OUTPUT "Compiling On A ",ARCH," Machine."
+$ WRITE SYS$OUTPUT "Host system architecture: ''ARCHD'"
 $!
 $!
 $! Check To See If The Architecture Specific OBJ Directory Exists.
@@ -140,11 +179,11 @@ $ ENDIF
 $!
 $! Define The Library Name.
 $!
-$ LIB_NAME := 'EXE_DIR'LIBCRYPTO.OLB
+$ LIB_NAME := 'EXE_DIR'SSL_LIBCRYPTO'LIB32'.OLB
 $!
 $! Define The CRYPTO-LIB We Are To Use.
 $!
-$ CRYPTO_LIB := 'EXE_DIR'LIBCRYPTO.OLB
+$ CRYPTO_LIB := 'EXE_DIR'SSL_LIBCRYPTO'LIB32'.OLB
 $!
 $! Check To See If We Already Have A "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" Library...
 $!
@@ -193,7 +232,7 @@ $ LIB_CAST = "c_skey,c_ecb,c_enc,c_cfb64,c_ofb64"
 $ LIB_CAMELLIA = "camellia,cmll_misc,cmll_ecb,cmll_cbc,cmll_ofb,"+ -
         "cmll_cfb,cmll_ctr"
 $ LIB_SEED = "seed,seed_ecb,seed_cbc,seed_cfb,seed_ofb"
-$ LIB_MODES = "cbc128,ctr128,cfb128,ofb128"
+$ LIB_MODES = "cbc128,ctr128,cts128,cfb128,ofb128"
 $ LIB_BN_ASM = "[.asm]vms.mar,vms-helper"
 $ IF F$TRNLNM("OPENSSL_NO_ASM") .OR. ARCH .NES. "VAX" THEN -
      LIB_BN_ASM = "bn_asm"
@@ -301,15 +340,23 @@ $ LIB_JPAKE = "jpake,jpake_err"
 $!
 $! Setup exceptional compilations
 $!
-$ ! Add definitions for no threads on OpenVMS 7.1 and higher
+$ CC3_SHOWN = 0
+$ CC4_SHOWN = 0
+$ CC5_SHOWN = 0
+$ CC6_SHOWN = 0
+$!
+$! The following lists must have leading and trailing commas, and no
+$! embedded spaces.  (They are scanned for ",name,".)
+$!
+$ ! Add definitions for no threads on OpenVMS 7.1 and higher.
 $ COMPILEWITH_CC3 = ",bss_rtcp,"
-$ ! Disable the DOLLARID warning
-$ COMPILEWITH_CC4 = ",a_utctm,bss_log,o_time,o_dir"
-$ ! Disable disjoint optimization
+$ ! Disable the DOLLARID warning.  Not needed with /STANDARD=RELAXED.
+$ COMPILEWITH_CC4 = "" !!! ",a_utctm,bss_log,o_time,o_dir,"
+$ ! Disable disjoint optimization on VAX with DECC.
 $ COMPILEWITH_CC5 = ",md2_dgst,md4_dgst,md5_dgst,mdc2dgst," + -
                     "seed,sha_dgst,sha1dgst,rmd_dgst,bf_enc,"
-$ ! Disable the MIXLINKAGE warning
-$ COMPILEWITH_CC6 = ",enc_read,set_key,"
+$ ! Disable the MIXLINKAGE warning.
+$ COMPILEWITH_CC6 = "" !!! ",enc_read,set_key,"
 $!
 $! Figure Out What Other Modules We Are To Build.
 $!
@@ -515,31 +562,60 @@ $   WRITE SYS$OUTPUT "Compiling The ",FILE_NAME," File.  (",BUILDALL,",",STATE,"
 $ ENDIF
 $ IF (MODULE_NAME.NES."")
 $ THEN 
-$   WRITE SYS$OUTPUT "  ",FILE_NAME,""
+$   WRITE SYS$OUTPUT "        ",FILE_NAME,""
 $ ENDIF
 $!
 $! Compile The File.
 $!
 $ ON ERROR THEN GOTO NEXT_FILE
-$ FILE_NAME0 = F$ELEMENT(0,".",FILE_NAME)
+$ FILE_NAME0 = ","+ F$ELEMENT(0,".",FILE_NAME)+ ","
 $ IF FILE_NAME - ".mar" .NES. FILE_NAME
 $ THEN
 $   MACRO/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
 $ ELSE
 $   IF COMPILEWITH_CC3 - FILE_NAME0 .NES. COMPILEWITH_CC3
 $   THEN
+$     write sys$output "        \Using special rule (3)"
+$     if (.not. CC3_SHOWN)
+$     then
+$       CC3_SHOWN = 1
+$       x = "    "+ CC3
+$       write /symbol sys$output x
+$     endif
 $     CC3/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
 $   ELSE
 $     IF COMPILEWITH_CC4 - FILE_NAME0 .NES. COMPILEWITH_CC4
 $     THEN
+$       write /symbol sys$output "        \Using special rule (4)"
+$       if (.not. CC4_SHOWN)
+$       then
+$         CC4_SHOWN = 1
+$         x = "    "+ CC4
+$         write /symbol sys$output x
+$       endif
 $       CC4/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
 $     ELSE
-$       IF COMPILEWITH_CC5 - FILE_NAME0 .NES. COMPILEWITH_CC5
+$       IF CC5_DIFFERENT .AND. -
+         (COMPILEWITH_CC5 - FILE_NAME0 .NES. COMPILEWITH_CC5)
 $       THEN
+$         write sys$output "        \Using special rule (5)"
+$         if (.not. CC5_SHOWN)
+$         then
+$           CC5_SHOWN = 1
+$           x = "    "+ CC5
+$           write /symbol sys$output x
+$         endif
 $         CC5/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
 $       ELSE
 $         IF COMPILEWITH_CC6 - FILE_NAME0 .NES. COMPILEWITH_CC6
 $         THEN
+$           write sys$output "        \Using special rule (6)"
+$           if (.not. CC6_SHOWN)
+$           then
+$             CC6_SHOWN = 1
+$             x = "    "+ CC6
+$             write /symbol sys$output x
+$           endif
 $           CC6/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
 $         ELSE
 $           CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
@@ -586,38 +662,22 @@ $!   SHOW SYMBOL APPLICATION*
 $!
 $! Tell the user what happens
 $!
-$   WRITE SYS$OUTPUT "  ",APPLICATION,".exe"
+$   WRITE SYS$OUTPUT "        ",APPLICATION,".exe"
 $!
 $! Link The Program.
 $!
 $   ON ERROR THEN GOTO NEXT_APPLICATION
 $!
-$! Check To See If We Are To Link With A Specific TCP/IP Library.
+$!  Link With A TCP/IP Library.
 $!
-$   IF (TCPIP_LIB.NES."")
-$   THEN
+$   LINK /'DEBUGGER' /'LINKMAP' /'TRACEBACK' -
+     /EXE='EXE_DIR''APPLICATION'.EXE -
+     'OBJ_DIR''APPLICATION_OBJECTS', -
+     'CRYPTO_LIB'/LIBRARY -
+     'TCPIP_LIB' -
+     'ZLIB_LIB' -
+     ,'OPT_FILE' /OPTIONS
 $!
-$!    Link With A TCP/IP Library.
-$!
-$     LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
-          'OBJ_DIR''APPLICATION_OBJECTS', -
-          'CRYPTO_LIB'/LIBRARY, -
-          'TCPIP_LIB','OPT_FILE'/OPTION
-$!
-$! Else...
-$!
-$   ELSE
-$!
-$!    Don't Link With A TCP/IP Library.
-$!
-$     LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
-          'OBJ_DIR''APPLICATION_OBJECTS',-
-          'CRYPTO_LIB'/LIBRARY, -
-          'OPT_FILE'/OPTION
-$!
-$! End The TCP/IP Library Check.
-$!
-$   ENDIF
 $   GOTO NEXT_APPLICATION
 $  APPLICATION_DONE:
 $ ENDIF
@@ -656,7 +716,7 @@ $!
 $     CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File To Link Agianst 
+! Default System Options File To Link Against 
 ! The Sharable VAX C Runtime Library.
 !
 SYS$SHARE:VAXCRTL.EXE/SHARE
@@ -685,7 +745,7 @@ $!
 $     CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File To Link Agianst 
+! Default System Options File To Link Against 
 ! The Sharable C Runtime Library.
 !
 GNU_CC:[000000]GCCLIB/LIBRARY
@@ -720,7 +780,7 @@ $!
 $       CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File To Link Agianst 
+! Default System Options File To Link Against 
 ! The Sharable DEC C Runtime Library.
 !
 SYS$SHARE:DECC$SHR.EXE/SHARE
@@ -735,7 +795,7 @@ $!
 $       CREATE 'OPT_FILE'
 $DECK
 !
-! Default System Options File For non-VAX To Link Agianst 
+! Default System Options File For non-VAX To Link Against 
 ! The Sharable C Runtime Library.
 !
 SYS$SHARE:CMA$OPEN_LIB_SHR/SHARE
@@ -756,7 +816,7 @@ $ ENDIF
 $!
 $!  Tell The User What Linker Option File We Are Using.
 $!
-$ WRITE SYS$OUTPUT "Using Linker Option File ",OPT_FILE,"."     
+$ WRITE SYS$OUTPUT "Using Linker Option File ",OPT_FILE,"."
 $!
 $! Time To RETURN.
 $!
@@ -803,8 +863,8 @@ $     WRITE SYS$OUTPUT "    APPS     :  To Compile Just The [.xxx.EXE.CRYPTO]*.E
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT " Where 'xxx' Stands For:"
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "    ALPHA    :  Alpha Architecture."
-$     WRITE SYS$OUTPUT "    IA64     :  IA64 Architecture."
+$     WRITE SYS$OUTPUT "    ALPHA[64]:  Alpha Architecture."
+$     WRITE SYS$OUTPUT "    IA64[64] :  IA64 Architecture."
 $     WRITE SYS$OUTPUT "    VAX      :  VAX Architecture."
 $     WRITE SYS$OUTPUT ""
 $!
@@ -825,15 +885,16 @@ $!
 $ IF (P2.EQS."NODEBUG")
 $ THEN
 $!
-$!   P2 Is NODEBUG, So Compile Without The Debugger Information.
+$!  P2 Is NODEBUG, So Compile Without The Debugger Information.
 $!
-$    DEBUGGER = "NODEBUG"
-$    TRACEBACK = "NOTRACEBACK" 
-$    GCC_OPTIMIZE = "OPTIMIZE"
-$    CC_OPTIMIZE = "OPTIMIZE"
-$    MACRO_OPTIMIZE = "OPTIMIZE"
-$    WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile."
-$    WRITE SYS$OUTPUT "Compiling With Compiler Optimization."
+$   DEBUGGER = "NODEBUG"
+$   LINKMAP = "NOMAP"
+$   TRACEBACK = "NOTRACEBACK" 
+$   GCC_OPTIMIZE = "OPTIMIZE"
+$   CC_OPTIMIZE = "OPTIMIZE"
+$   MACRO_OPTIMIZE = "OPTIMIZE"
+$   WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile."
+$   WRITE SYS$OUTPUT "Compiling With Compiler Optimization."
 $ ELSE
 $!
 $!  Check To See If We Are To Compile With Debugger Information.
@@ -844,6 +905,7 @@ $!
 $!    Compile With Debugger Information.
 $!
 $     DEBUGGER = "DEBUG"
+$     LINKMAP = "MAP"
 $     TRACEBACK = "TRACEBACK"
 $     GCC_OPTIMIZE = "NOOPTIMIZE"
 $     CC_OPTIMIZE = "NOOPTIMIZE"
@@ -852,7 +914,7 @@ $     WRITE SYS$OUTPUT "Debugger Information Will Be Produced During Compile."
 $     WRITE SYS$OUTPUT "Compiling Without Compiler Optimization."
 $   ELSE 
 $!
-$!    They Entered An Invalid Option..
+$!    They Entered An Invalid Option.
 $!
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
@@ -907,6 +969,60 @@ $! End The P5 Check.
 $!
 $ ENDIF
 $!
+$! Check P7 (POINTER_SIZE).
+$!
+$ IF (P7 .NES. "") .AND. (ARCH .NES. "VAX")
+$ THEN
+$!
+$   IF (P7 .EQS. "32")
+$   THEN
+$     POINTER_SIZE = " /POINTER_SIZE=32"
+$   ELSE
+$     POINTER_SIZE = F$EDIT( P7, "COLLAPSE, UPCASE")
+$     IF ((POINTER_SIZE .EQS. "64") .OR. -
+       (POINTER_SIZE .EQS. "64=") .OR. -
+       (POINTER_SIZE .EQS. "64=ARGV"))
+$     THEN
+$       ARCHD = ARCH+ "_64"
+$       LIB32 = ""
+$       POINTER_SIZE = " /POINTER_SIZE=64"
+$     ELSE
+$!
+$!      Tell The User Entered An Invalid Option.
+$!
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "The Option ", P7, -
+         " Is Invalid.  The Valid Options Are:"
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT -
+         "    """"       :  Compile with default (short) pointers."
+$       WRITE SYS$OUTPUT -
+         "    32       :  Compile with 32-bit (short) pointers."
+$       WRITE SYS$OUTPUT -
+         "    64       :  Compile with 64-bit (long) pointers (auto ARGV)."
+$       WRITE SYS$OUTPUT -
+         "    64=      :  Compile with 64-bit (long) pointers (no ARGV)."
+$       WRITE SYS$OUTPUT -
+         "    64=ARGV  :  Compile with 64-bit (long) pointers (ARGV)."
+$       WRITE SYS$OUTPUT ""
+$! 
+$!      Time To EXIT.
+$!
+$       EXIT
+$!
+$     ENDIF
+$!
+$   ENDIF
+$!
+$! End The P7 (POINTER_SIZE) Check.
+$!
+$ ENDIF
+$!
+$! Set basic C compiler /INCLUDE directories.
+$!
+$ CC_INCLUDES = "SYS$DISK:[.''ARCHD'],SYS$DISK:[],SYS$DISK:[-],"+ -
+   "SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.EVP],SYS$DISK:[.ASN1]"
+$!
 $! Check To See If P3 Is Blank.
 $!
 $ IF (P3.EQS."")
@@ -1007,11 +1123,64 @@ $ CCDEFS = "TCPIP_TYPE_''P4',DSO_VMS"
 $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
-$ CCDISABLEWARNINGS = "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
+$ CCDISABLEWARNINGS = "" !!! "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
 $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
         CCDISABLEWARNINGS = CCDISABLEWARNINGS + "," + USER_CCDISABLEWARNINGS
 $!
-$!  Check To See If The User Entered A Valid Paramter.
+$! Check To See If We Have A ZLIB Option.
+$!
+$ ZLIB = P8
+$ IF (ZLIB .NES. "")
+$ THEN
+$!
+$!  Check for expected ZLIB files.
+$!
+$   err = 0
+$   file1 = f$parse( "zlib.h", ZLIB, , , "SYNTAX_ONLY")
+$   if (f$search( file1) .eqs. "")
+$   then
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid."
+$     WRITE SYS$OUTPUT "    Can't find header: ''file1'"
+$     err = 1
+$   endif
+$   file1 = f$parse( "A.;", ZLIB)- "A.;"
+$!
+$   file2 = f$parse( ZLIB, "libz.olb", , , "SYNTAX_ONLY")
+$   if (f$search( file2) .eqs. "")
+$   then
+$     if (err .eq. 0)
+$     then
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid."
+$     endif
+$     WRITE SYS$OUTPUT "    Can't find library: ''file2'"
+$     WRITE SYS$OUTPUT ""
+$     err = err+ 2
+$   endif
+$   if (err .eq. 1)
+$   then
+$     WRITE SYS$OUTPUT ""
+$   endif
+$!
+$   if (err .ne. 0)
+$   then
+$     EXIT
+$   endif
+$!
+$   CCDEFS = """ZLIB=1"", "+ CCDEFS
+$   CC_INCLUDES = CC_INCLUDES+ ", "+ file1
+$   ZLIB_LIB = ", ''file2' /library"
+$!
+$!  Print info
+$!
+$   WRITE SYS$OUTPUT "ZLIB library spec: ", file2
+$!
+$! End The ZLIB Check.
+$!
+$ ENDIF
+$!
+$!  Check To See If The User Entered A Valid Parameter.
 $!
 $ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC")
 $ THEN
@@ -1034,14 +1203,14 @@ $!
 $     CC = "CC"
 $     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
          THEN CC = "CC/DECC"
-$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
-           "/NOLIST/PREFIX=ALL" + -
-           "/INCLUDE=(SYS$DISK:[],SYS$DISK:[._''ARCH'],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.EVP],SYS$DISK:[.ASN1])" + -
-           CCEXTRAFLAGS
+$     CC = CC + " /''CC_OPTIMIZE' /''DEBUGGER' /STANDARD=RELAXED"+ -
+       "''POINTER_SIZE' /NOLIST /PREFIX=ALL" + -
+       " /INCLUDE=(''CC_INCLUDES')"+ -
+       CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
-$     OPT_FILE = "''EXE_DIR'VAX_DECC_OPTIONS.OPT"
+$     OPT_FILE = "VAX_DECC_OPTIONS.OPT"
 $!
 $!  End DECC Check.
 $!
@@ -1070,7 +1239,7 @@ $	EXIT
 $     ENDIF
 $     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-           "/INCLUDE=(SYS$DISK:[],SYS$DISK:[._''ARCH'],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.EVP],SYS$DISK:[.ASN1])" + -
+       "/INCLUDE=(''CC_INCLUDES')"+ -
            CCEXTRAFLAGS
 $     CCDEFS = """VAXC""," + CCDEFS
 $!
@@ -1080,7 +1249,7 @@ $     DEFINE/NOLOG SYS SYS$COMMON:[SYSLIB]
 $!
 $!    Define The Linker Options File Name.
 $!
-$     OPT_FILE = "''EXE_DIR'VAX_VAXC_OPTIONS.OPT"
+$     OPT_FILE = "VAX_VAXC_OPTIONS.OPT"
 $!
 $!  End VAXC Check
 $!
@@ -1102,12 +1271,12 @@ $!
 $!    Use GNU C...
 $!
 $     CC = "GCC/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-           "/INCLUDE=(SYS$DISK:[],SYS$DISK:[._''ARCH'],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.EVP],SYS$DISK:[.ASN1])" + -
+       "/INCLUDE=(''CC_INCLUDES')"+ -
            CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
-$     OPT_FILE = "''EXE_DIR'VAX_GNUC_OPTIONS.OPT"
+$     OPT_FILE = "VAX_GNUC_OPTIONS.OPT"
 $!
 $!  End The GNU C Check.
 $!
@@ -1128,22 +1297,24 @@ $       CC6DISABLEWARNINGS = "MIXLINKAGE"
 $     ELSE
 $       CC4DISABLEWARNINGS = CCDISABLEWARNINGS + ",DOLLARID"
 $       CC6DISABLEWARNINGS = CCDISABLEWARNINGS + ",MIXLINKAGE"
-$       CCDISABLEWARNINGS = "/WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
+$       CCDISABLEWARNINGS = " /WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
 $     ENDIF
-$     CC4DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))"
-$     CC6DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC6DISABLEWARNINGS + "))"
+$     CC4DISABLEWARNINGS = " /WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))"
+$     CC6DISABLEWARNINGS = " /WARNING=(DISABLE=(" + CC6DISABLEWARNINGS + "))"
 $   ELSE
 $     CCDISABLEWARNINGS = ""
 $     CC4DISABLEWARNINGS = ""
 $     CC6DISABLEWARNINGS = ""
 $   ENDIF
-$   CC3 = CC + "/DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS
-$   CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
+$   CC3 = CC + " /DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS
+$   CC = CC + " /DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
 $   IF ARCH .EQS. "VAX" .AND. COMPILER .EQS. "DECC" .AND. P2 .NES. "DEBUG"
 $   THEN
-$     CC5 = CC + "/OPTIMIZE=NODISJOINT"
+$     CC5 = CC + " /OPTIMIZE=NODISJOINT"
+$     CC5_DIFFERENT = 1
 $   ELSE
-$     CC5 = CC + "/NOOPTIMIZE"
+$     CC5 = CC
+$     CC5_DIFFERENT = 0
 $   ENDIF
 $   CC4 = CC - CCDISABLEWARNINGS + CC4DISABLEWARNINGS
 $   CC6 = CC - CCDISABLEWARNINGS + CC6DISABLEWARNINGS
@@ -1196,7 +1367,7 @@ $   THEN
 $!
 $!    Set the library to use SOCKETSHR
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT/OPT"
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT /OPTIONS"
 $!
 $!    Done with SOCKETSHR
 $!
@@ -1222,13 +1393,13 @@ $   THEN
 $!
 $!    Set the library to use UCX.
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT/OPT"
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT /OPTIONS"
 $     IF F$TRNLNM("UCX$IPC_SHR") .NES. ""
 $     THEN
-$       TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
+$       TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT /OPTIONS"
 $     ELSE
 $       IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN -
-          TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT/OPT"
+          TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT /OPTIONS"
 $     ENDIF
 $!
 $!    Done with UCX
@@ -1242,7 +1413,7 @@ $   THEN
 $!
 $!    Set the library to use TCPIP (post UCX).
 $!
-$     TCPIP_LIB = "SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT/OPT"
+$     TCPIP_LIB = ",SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT /OPTIONS"
 $!
 $!    Done with TCPIP
 $!
@@ -1263,7 +1434,7 @@ $   ENDIF
 $!
 $!  Print info
 $!
-$   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB
+$   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB- ","
 $!
 $!  Else The User Entered An Invalid Argument.
 $!
diff --git a/src/lib/libcrypto/dsa/dsa_gen.c b/src/lib/libcrypto/dsa/dsa_gen.c
index 0fcd25f8b0..cb0b4538a4 100644
--- a/src/lib/libcrypto/dsa/dsa_gen.c
+++ b/src/lib/libcrypto/dsa/dsa_gen.c
@@ -120,7 +120,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
         BIGNUM *r0,*W,*X,*c,*test;
         BIGNUM *g=NULL,*q=NULL,*p=NULL;
         BN_MONT_CTX *mont=NULL;
-        int i, k,n=0,b,m=0, qsize = qbits >> 3;
+        int i, k, n=0, m=0, qsize = qbits >> 3;
         int counter=0;
         int r=0;
         BN_CTX *ctx=NULL;
@@ -232,7 +232,6 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
                 /* "offset = 2" */
 
                 n=(bits-1)/160;
-                b=(bits-1)-n*160;
 
                 for (;;)
                         {
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index 4fead07e80..a3ddd7d281 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -148,15 +148,6 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 
         s=BN_new();
         if (s == NULL) goto err;
-
-        /* reject a excessive digest length (currently at most
-         * dsa-with-SHA256 is supported) */
-        if (dlen > SHA256_DIGEST_LENGTH)
-                {
-                reason=DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;
-                goto err;
-                }
-
         ctx=BN_CTX_new();
         if (ctx == NULL) goto err;
 
@@ -185,7 +176,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
         if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
         if (!BN_add(s, &xr, &m)) goto err;              /* s = m + xr */
         if (BN_cmp(s,dsa->q) > 0)
-                BN_sub(s,s,dsa->q);
+                if (!BN_sub(s,s,dsa->q)) goto err;
         if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;
 
         ret=DSA_SIG_new();
@@ -325,15 +316,6 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                 DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
                 return -1;
                 }
-
-        /* reject a excessive digest length (currently at most
-         * dsa-with-SHA256 is supported) */
-        if (dgst_len > SHA256_DIGEST_LENGTH)
-                {
-                DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
-                return -1;
-                }
-
         BN_init(&u1);
         BN_init(&u2);
         BN_init(&t1);
diff --git a/src/lib/libcrypto/dso/dso_dlfcn.c b/src/lib/libcrypto/dso/dso_dlfcn.c
index 578a20d91d..e78004903c 100644
--- a/src/lib/libcrypto/dso/dso_dlfcn.c
+++ b/src/lib/libcrypto/dso/dso_dlfcn.c
@@ -85,6 +85,7 @@ DSO_METHOD *DSO_METHOD_dlfcn(void)
 # define HAVE_DLINFO 1
 # if defined(_AIX) || defined(__CYGWIN__) || \
      defined(__SCO_VERSION__) || defined(_SCO_ELF) || \
+     (defined(__osf__) && !defined(RTLD_NEXT))     || \
      (defined(__OpenBSD__) && (!defined(__ELF__) || !defined(RTLD_SELF)))
 #  undef HAVE_DLINFO
 # endif
diff --git a/src/lib/libcrypto/dso/dso_vms.c b/src/lib/libcrypto/dso/dso_vms.c
index 321512772a..eee20d14f1 100644
--- a/src/lib/libcrypto/dso/dso_vms.c
+++ b/src/lib/libcrypto/dso/dso_vms.c
@@ -68,8 +68,20 @@
 #include <stsdef.h>
 #include <descrip.h>
 #include <starlet.h>
+#include "vms_rms.h"
 #endif
 
+/* Some compiler options may mask the declaration of "_malloc32". */
+#if __INITIAL_POINTER_SIZE && defined _ANSI_C_SOURCE
+# if __INITIAL_POINTER_SIZE == 64
+#  pragma pointer_size save
+#  pragma pointer_size 32
+    void * _malloc32  (__size_t);
+#  pragma pointer_size restore
+# endif /* __INITIAL_POINTER_SIZE == 64 */
+#endif /* __INITIAL_POINTER_SIZE && defined _ANSI_C_SOURCE */
+
+
 #ifndef OPENSSL_SYS_VMS
 DSO_METHOD *DSO_METHOD_vms(void)
         {
@@ -121,14 +133,13 @@ typedef struct dso_internal_st
         /* This should contain the name only, no directory,
          * no extension, nothing but a name. */
         struct dsc$descriptor_s filename_dsc;
-        char filename[FILENAME_MAX+1];
+        char filename[ NAMX_MAXRSS+ 1];
         /* This contains whatever is not in filename, if needed.
          * Normally not defined. */
         struct dsc$descriptor_s imagename_dsc;
-        char imagename[FILENAME_MAX+1];
+        char imagename[ NAMX_MAXRSS+ 1];
         } DSO_VMS_INTERNAL;
 
-
 DSO_METHOD *DSO_METHOD_vms(void)
         {
         return(&dso_meth_vms);
@@ -139,7 +150,22 @@ static int vms_load(DSO *dso)
         void *ptr = NULL;
         /* See applicable comments in dso_dl.c */
         char *filename = DSO_convert_filename(dso, NULL);
-        DSO_VMS_INTERNAL *p;
+
+/* Ensure 32-bit pointer for "p", and appropriate malloc() function. */
+#if __INITIAL_POINTER_SIZE == 64
+# define DSO_MALLOC _malloc32
+# pragma pointer_size save
+# pragma pointer_size 32
+#else /* __INITIAL_POINTER_SIZE == 64 */
+# define DSO_MALLOC OPENSSL_malloc
+#endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+
+        DSO_VMS_INTERNAL *p = NULL;
+
+#if __INITIAL_POINTER_SIZE == 64
+# pragma pointer_size restore
+#endif /* __INITIAL_POINTER_SIZE == 64 */
+
         const char *sp1, *sp2;  /* Search result */
 
         if(filename == NULL)
@@ -192,7 +218,7 @@ static int vms_load(DSO *dso)
                 goto err;
                 }
 
-        p = (DSO_VMS_INTERNAL *)OPENSSL_malloc(sizeof(DSO_VMS_INTERNAL));
+        p = DSO_MALLOC(sizeof(DSO_VMS_INTERNAL));
         if(p == NULL)
                 {
                 DSOerr(DSO_F_VMS_LOAD,ERR_R_MALLOC_FAILURE);
@@ -290,18 +316,38 @@ void vms_bind_sym(DSO *dso, const char *symname, void **sym)
         int flags = 0;
 #endif
         struct dsc$descriptor_s symname_dsc;
-        *sym = NULL;
 
-        symname_dsc.dsc$w_length = strlen(symname);
-        symname_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
-        symname_dsc.dsc$b_class = DSC$K_CLASS_S;
-        symname_dsc.dsc$a_pointer = (char *)symname; /* The cast is needed */
+/* Arrange 32-bit pointer to (copied) string storage, if needed. */
+#if __INITIAL_POINTER_SIZE == 64
+# define SYMNAME symname_32p
+# pragma pointer_size save
+# pragma pointer_size 32
+        char *symname_32p;
+# pragma pointer_size restore
+        char symname_32[ NAMX_MAXRSS+ 1];
+#else /* __INITIAL_POINTER_SIZE == 64 */
+# define SYMNAME ((char *) symname)
+#endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+
+        *sym = NULL;
 
         if((dso == NULL) || (symname == NULL))
                 {
                 DSOerr(DSO_F_VMS_BIND_SYM,ERR_R_PASSED_NULL_PARAMETER);
                 return;
                 }
+
+#if __INITIAL_POINTER_SIZE == 64
+        /* Copy the symbol name to storage with a 32-bit pointer. */
+        symname_32p = symname_32;
+        strcpy( symname_32p, symname);
+#endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+
+        symname_dsc.dsc$w_length = strlen(SYMNAME);
+        symname_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
+        symname_dsc.dsc$b_class = DSC$K_CLASS_S;
+        symname_dsc.dsc$a_pointer = SYMNAME;
+
         if(sk_void_num(dso->meth_data) < 1)
                 {
                 DSOerr(DSO_F_VMS_BIND_SYM,DSO_R_STACK_ERROR);
@@ -372,64 +418,60 @@ static DSO_FUNC_TYPE vms_bind_func(DSO *dso, const char *symname)
         return sym;
         }
 
+
 static char *vms_merger(DSO *dso, const char *filespec1, const char *filespec2)
         {
         int status;
         int filespec1len, filespec2len;
         struct FAB fab;
-#ifdef NAML$C_MAXRSS
-        struct NAML nam;
-        char esa[NAML$C_MAXRSS];
-#else
-        struct NAM nam;
-        char esa[NAM$C_MAXRSS];
-#endif
+        struct NAMX_STRUCT nam;
+        char esa[ NAMX_MAXRSS+ 1];
         char *merged;
 
+/* Arrange 32-bit pointer to (copied) string storage, if needed. */
+#if __INITIAL_POINTER_SIZE == 64
+# define FILESPEC1 filespec1_32p;
+# define FILESPEC2 filespec2_32p;
+# pragma pointer_size save
+# pragma pointer_size 32
+        char *filespec1_32p;
+        char *filespec2_32p;
+# pragma pointer_size restore
+        char filespec1_32[ NAMX_MAXRSS+ 1];
+        char filespec2_32[ NAMX_MAXRSS+ 1];
+#else /* __INITIAL_POINTER_SIZE == 64 */
+# define FILESPEC1 ((char *) filespec1)
+# define FILESPEC2 ((char *) filespec2)
+#endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+
         if (!filespec1) filespec1 = "";
         if (!filespec2) filespec2 = "";
         filespec1len = strlen(filespec1);
         filespec2len = strlen(filespec2);
 
+#if __INITIAL_POINTER_SIZE == 64
+        /* Copy the file names to storage with a 32-bit pointer. */
+        filespec1_32p = filespec1_32;
+        filespec2_32p = filespec2_32;
+        strcpy( filespec1_32p, filespec1);
+        strcpy( filespec2_32p, filespec2);
+#endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+
         fab = cc$rms_fab;
-#ifdef NAML$C_MAXRSS
-        nam = cc$rms_naml;
-#else
-        nam = cc$rms_nam;
-#endif
+        nam = CC_RMS_NAMX;
 
-        fab.fab$l_fna = (char *)filespec1;
-        fab.fab$b_fns = filespec1len;
-        fab.fab$l_dna = (char *)filespec2;
-        fab.fab$b_dns = filespec2len;
-#ifdef NAML$C_MAXRSS
-        if (filespec1len > NAM$C_MAXRSS)
-                {
-                fab.fab$l_fna = 0;
-                fab.fab$b_fns = 0;
-                nam.naml$l_long_filename = (char *)filespec1;
-                nam.naml$l_long_filename_size = filespec1len;
-                }
-        if (filespec2len > NAM$C_MAXRSS)
-                {
-                fab.fab$l_dna = 0;
-                fab.fab$b_dns = 0;
-                nam.naml$l_long_defname = (char *)filespec2;
-                nam.naml$l_long_defname_size = filespec2len;
-                }
-        nam.naml$l_esa = esa;
-        nam.naml$b_ess = NAM$C_MAXRSS;
-        nam.naml$l_long_expand = esa;
-        nam.naml$l_long_expand_alloc = sizeof(esa);
-        nam.naml$b_nop = NAM$M_SYNCHK | NAM$M_PWD;
-        nam.naml$v_no_short_upcase = 1;
-        fab.fab$l_naml = &nam;
-#else
-        nam.nam$l_esa = esa;
-        nam.nam$b_ess = NAM$C_MAXRSS;
-        nam.nam$b_nop = NAM$M_SYNCHK | NAM$M_PWD;
-        fab.fab$l_nam = &nam;
-#endif
+        FAB_OR_NAML( fab, nam).FAB_OR_NAML_FNA = FILESPEC1;
+        FAB_OR_NAML( fab, nam).FAB_OR_NAML_FNS = filespec1len;
+        FAB_OR_NAML( fab, nam).FAB_OR_NAML_DNA = FILESPEC2;
+        FAB_OR_NAML( fab, nam).FAB_OR_NAML_DNS = filespec2len;
+        NAMX_DNA_FNA_SET( fab)
+
+        nam.NAMX_ESA = esa;
+        nam.NAMX_ESS = NAMX_MAXRSS;
+        nam.NAMX_NOP = NAM$M_SYNCHK | NAM$M_PWD;
+        SET_NAMX_NO_SHORT_UPCASE( nam);
+
+        fab.FAB_NAMX = &nam;
 
         status = sys$parse(&fab, 0, 0);
 
@@ -460,33 +502,12 @@ static char *vms_merger(DSO *dso, const char *filespec1, const char *filespec2)
                         }
                 return(NULL);
                 }
-#ifdef NAML$C_MAXRSS
-        if (nam.naml$l_long_expand_size)
-                {
-                merged = OPENSSL_malloc(nam.naml$l_long_expand_size + 1);
-                if(!merged)
-                        goto malloc_err;
-                strncpy(merged, nam.naml$l_long_expand,
-                        nam.naml$l_long_expand_size);
-                merged[nam.naml$l_long_expand_size] = '\0';
-                }
-        else
-                {
-                merged = OPENSSL_malloc(nam.naml$b_esl + 1);
-                if(!merged)
-                        goto malloc_err;
-                strncpy(merged, nam.naml$l_esa,
-                        nam.naml$b_esl);
-                merged[nam.naml$b_esl] = '\0';
-                }
-#else
-        merged = OPENSSL_malloc(nam.nam$b_esl + 1);
+
+        merged = OPENSSL_malloc( nam.NAMX_ESL+ 1);
         if(!merged)
                 goto malloc_err;
-        strncpy(merged, nam.nam$l_esa,
-                nam.nam$b_esl);
-        merged[nam.nam$b_esl] = '\0';
-#endif
+        strncpy( merged, nam.NAMX_ESA, nam.NAMX_ESL);
+        merged[ nam.NAMX_ESL] = '\0';
         return(merged);
  malloc_err:
         DSOerr(DSO_F_VMS_MERGER,
diff --git a/src/lib/libcrypto/ec/ec2_smpl.c b/src/lib/libcrypto/ec/ec2_smpl.c
index cf357b462a..af94458ca7 100644
--- a/src/lib/libcrypto/ec/ec2_smpl.c
+++ b/src/lib/libcrypto/ec/ec2_smpl.c
@@ -937,6 +937,9 @@ int ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT
                 {
                 return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
                 }
+
+        if (EC_POINT_is_at_infinity(group, b))
+                return 1;
         
         if (a->Z_is_one && b->Z_is_one)
                 {
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index f05df5332e..19f21675fb 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -169,11 +169,13 @@ static void ec_pre_comp_clear_free(void *pre_)
                 EC_POINT **p;
 
                 for (p = pre->points; *p != NULL; p++)
+                        {
                         EC_POINT_clear_free(*p);
-                OPENSSL_cleanse(pre->points, sizeof pre->points);
+                        OPENSSL_cleanse(p, sizeof *p);
+                        }
                 OPENSSL_free(pre->points);
                 }
-        OPENSSL_cleanse(pre, sizeof pre);
+        OPENSSL_cleanse(pre, sizeof *pre);
         OPENSSL_free(pre);
         }
 
diff --git a/src/lib/libcrypto/ec/ecp_smpl.c b/src/lib/libcrypto/ec/ecp_smpl.c
index 4d26f8bdf6..66a92e2a90 100644
--- a/src/lib/libcrypto/ec/ecp_smpl.c
+++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -1406,6 +1406,9 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *
                 {
                 return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
                 }
+
+        if (EC_POINT_is_at_infinity(group, b))
+                return 1;
         
         if (a->Z_is_one && b->Z_is_one)
                 {
diff --git a/src/lib/libcrypto/engine/engine.h b/src/lib/libcrypto/engine/engine.h
index 8ad11b15d7..9d73abac8e 100644
--- a/src/lib/libcrypto/engine/engine.h
+++ b/src/lib/libcrypto/engine/engine.h
@@ -678,6 +678,7 @@ typedef struct st_dynamic_fns {
  * can be fully instantiated with IMPLEMENT_DYNAMIC_CHECK_FN(). */
 typedef unsigned long (*dynamic_v_check_fn)(unsigned long ossl_version);
 #define IMPLEMENT_DYNAMIC_CHECK_FN() \
+        OPENSSL_EXPORT unsigned long v_check(unsigned long v); \
         OPENSSL_EXPORT unsigned long v_check(unsigned long v) { \
                 if(v >= OSSL_DYNAMIC_OLDEST) return OSSL_DYNAMIC_VERSION; \
                 return 0; }
@@ -701,6 +702,8 @@ typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id,
                                 const dynamic_fns *fns);
 #define IMPLEMENT_DYNAMIC_BIND_FN(fn) \
         OPENSSL_EXPORT \
+        int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns); \
+        OPENSSL_EXPORT \
         int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { \
                 if(ENGINE_get_static_state() == fns->static_state) goto skip_cbs; \
                 if(!CRYPTO_set_mem_functions(fns->mem_fns.malloc_cb, \
diff --git a/src/lib/libcrypto/evp/encode.c b/src/lib/libcrypto/evp/encode.c
index b42c747249..28546a84bc 100644
--- a/src/lib/libcrypto/evp/encode.c
+++ b/src/lib/libcrypto/evp/encode.c
@@ -235,7 +235,7 @@ void EVP_DecodeInit(EVP_ENCODE_CTX *ctx)
 int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
              const unsigned char *in, int inl)
         {
-        int seof= -1,eof=0,rv= -1,ret=0,i,v,tmp,n,ln,tmp2,exp_nl;
+        int seof= -1,eof=0,rv= -1,ret=0,i,v,tmp,n,ln,exp_nl;
         unsigned char *d;
 
         n=ctx->num;
@@ -319,7 +319,6 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
                          * lines.  We process the line and then need to
                          * accept the '\n' */
                         if ((v != B64_EOF) && (n >= 64)) exp_nl=1;
-                        tmp2=v;
                         if (n > 0)
                                 {
                                 v=EVP_DecodeBlock(out,d,n);
diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c
index bead6a2170..c268d25cb4 100644
--- a/src/lib/libcrypto/evp/evp_enc.c
+++ b/src/lib/libcrypto/evp/evp_enc.c
@@ -204,6 +204,7 @@ skip_to_init:
                         case EVP_CIPH_OFB_MODE:
 
                         ctx->num = 0;
+                        /* fall-through */
 
                         case EVP_CIPH_CBC_MODE:
 
diff --git a/src/lib/libcrypto/evp/evp_test.c b/src/lib/libcrypto/evp/evp_test.c
index 902efac975..55c7cdfdcc 100644
--- a/src/lib/libcrypto/evp/evp_test.c
+++ b/src/lib/libcrypto/evp/evp_test.c
@@ -435,6 +435,7 @@ int main(int argc,char **argv)
             EXIT(3);
             }
         }
+        fclose(f);
 
 #ifndef OPENSSL_NO_ENGINE
     ENGINE_cleanup();
diff --git a/src/lib/libcrypto/evp/p_lib.c b/src/lib/libcrypto/evp/p_lib.c
index 1916c61699..e26ccd0d08 100644
--- a/src/lib/libcrypto/evp/p_lib.c
+++ b/src/lib/libcrypto/evp/p_lib.c
@@ -411,7 +411,10 @@ void EVP_PKEY_free(EVP_PKEY *x)
 static void EVP_PKEY_free_it(EVP_PKEY *x)
         {
         if (x->ameth && x->ameth->pkey_free)
+                {
                 x->ameth->pkey_free(x);
+                x->pkey.ptr = NULL;
+                }
 #ifndef OPENSSL_NO_ENGINE
         if (x->engine)
                 {
diff --git a/src/lib/libcrypto/evp/p_sign.c b/src/lib/libcrypto/evp/p_sign.c
index 8df6d48a7e..bb893f5bde 100644
--- a/src/lib/libcrypto/evp/p_sign.c
+++ b/src/lib/libcrypto/evp/p_sign.c
@@ -81,7 +81,7 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, unsigned int *siglen,
         unsigned char m[EVP_MAX_MD_SIZE];
         unsigned int m_len;
         int i,ok=0,v;
-        MS_STATIC EVP_MD_CTX tmp_ctx;
+        EVP_MD_CTX tmp_ctx;
 
         *siglen=0;
         EVP_MD_CTX_init(&tmp_ctx);
diff --git a/src/lib/libcrypto/evp/p_verify.c b/src/lib/libcrypto/evp/p_verify.c
index 8db46412f3..41d4b67130 100644
--- a/src/lib/libcrypto/evp/p_verify.c
+++ b/src/lib/libcrypto/evp/p_verify.c
@@ -68,7 +68,7 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
         unsigned char m[EVP_MAX_MD_SIZE];
         unsigned int m_len;
         int i,ok=0,v;
-        MS_STATIC EVP_MD_CTX tmp_ctx;
+        EVP_MD_CTX tmp_ctx;
 
         EVP_MD_CTX_init(&tmp_ctx);
         EVP_MD_CTX_copy_ex(&tmp_ctx,ctx);     
diff --git a/src/lib/libcrypto/hmac/hmac.c b/src/lib/libcrypto/hmac/hmac.c
index 45015fe754..6c98fc43a3 100644
--- a/src/lib/libcrypto/hmac/hmac.c
+++ b/src/lib/libcrypto/hmac/hmac.c
@@ -138,12 +138,9 @@ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
 
 int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
         {
-        int j;
         unsigned int i;
         unsigned char buf[EVP_MAX_MD_SIZE];
 
-        j=EVP_MD_block_size(ctx->md);
-
         if (!EVP_DigestFinal_ex(&ctx->md_ctx,buf,&i))
                 goto err;
         if (!EVP_MD_CTX_copy_ex(&ctx->md_ctx,&ctx->o_ctx))
diff --git a/src/lib/libcrypto/md32_common.h b/src/lib/libcrypto/md32_common.h
index 1cb783944e..bb7381952a 100644
--- a/src/lib/libcrypto/md32_common.h
+++ b/src/lib/libcrypto/md32_common.h
@@ -165,7 +165,7 @@
                                 asm (                   \
                                 "roll %1,%0"            \
                                 : "=r"(ret)             \
-                                : "I"(n), "0"(a)        \
+                                : "I"(n), "0"((unsigned int)(a))        \
                                 : "cc");                \
                            ret;                         \
                         })
@@ -383,6 +383,7 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c)
         }
 
 #ifndef MD32_REG_T
+#if defined(__alpha) || defined(__sparcv9) || defined(__mips)
 #define MD32_REG_T long
 /*
  * This comment was originaly written for MD5, which is why it
@@ -400,9 +401,15 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c)
  * Well, to be honest it should say that this *prevents* 
  * performance degradation.
  *                              <appro@fy.chalmers.se>
- * Apparently there're LP64 compilers that generate better
- * code if A-D are declared int. Most notably GCC-x86_64
- * generates better code.
+ */
+#else
+/*
+ * Above is not absolute and there are LP64 compilers that
+ * generate better code if MD32_REG_T is defined int. The above
+ * pre-processor condition reflects the circumstances under which
+ * the conclusion was made and is subject to further extension.
  *                              <appro@fy.chalmers.se>
  */
+#define MD32_REG_T int
+#endif
 #endif
diff --git a/src/lib/libcrypto/o_time.c b/src/lib/libcrypto/o_time.c
index eecbdd19f0..9030fdef7a 100644
--- a/src/lib/libcrypto/o_time.c
+++ b/src/lib/libcrypto/o_time.c
@@ -64,12 +64,18 @@
 #include "o_time.h"
 
 #ifdef OPENSSL_SYS_VMS
-# include <libdtdef.h>
-# include <lib$routines.h>
-# include <lnmdef.h>
-# include <starlet.h>
-# include <descrip.h>
-# include <stdlib.h>
+# if __CRTL_VER >= 70000000 && \
+     (defined _POSIX_C_SOURCE || !defined _ANSI_C_SOURCE)
+#  define VMS_GMTIME_OK
+# endif
+# ifndef VMS_GMTIME_OK
+#  include <libdtdef.h>
+#  include <lib$routines.h>
+#  include <lnmdef.h>
+#  include <starlet.h>
+#  include <descrip.h>
+#  include <stdlib.h>
+# endif /* ndef VMS_GMTIME_OK */
 #endif
 
 struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
@@ -81,7 +87,7 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
            so we don't even look at the return value */
         gmtime_r(timer,result);
         ts = result;
-#elif !defined(OPENSSL_SYS_VMS)
+#elif !defined(OPENSSL_SYS_VMS) || defined(VMS_GMTIME_OK)
         ts = gmtime(timer);
         if (ts == NULL)
                 return NULL;
@@ -89,7 +95,7 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
         memcpy(result, ts, sizeof(struct tm));
         ts = result;
 #endif
-#ifdef OPENSSL_SYS_VMS
+#if defined( OPENSSL_SYS_VMS) && !defined( VMS_GMTIME_OK)
         if (ts == NULL)
                 {
                 static $DESCRIPTOR(tabnam,"LNM$DCL_LOGICAL");
diff --git a/src/lib/libcrypto/ocsp/ocsp_ht.c b/src/lib/libcrypto/ocsp/ocsp_ht.c
index 12bbfcffd1..af5fc16691 100644
--- a/src/lib/libcrypto/ocsp/ocsp_ht.c
+++ b/src/lib/libcrypto/ocsp/ocsp_ht.c
@@ -397,11 +397,12 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
 
 
                 case OHS_ASN1_HEADER:
-                /* Now reading ASN1 header: can read at least 6 bytes which
-                 * is more than enough for any valid ASN1 SEQUENCE header
+                /* Now reading ASN1 header: can read at least 2 bytes which
+                 * is enough for ASN1 SEQUENCE header and either length field
+                 * or at least the length of the length field.
                  */
                 n = BIO_get_mem_data(rctx->mem, &p);
-                if (n < 6)
+                if (n < 2)
                         goto next_io;
 
                 /* Check it is an ASN1 SEQUENCE */
@@ -414,6 +415,11 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
                 /* Check out length field */
                 if (*p & 0x80)
                         {
+                        /* If MSB set on initial length octet we can now
+                         * always read 6 octets: make sure we have them.
+                         */
+                        if (n < 6)
+                                goto next_io;
                         n = *p & 0x7F;
                         /* Not NDEF or excessive length */
                         if (!n || (n > 4))
diff --git a/src/lib/libcrypto/ocsp/ocsp_lib.c b/src/lib/libcrypto/ocsp/ocsp_lib.c
index 36905d76cd..e92b86c060 100644
--- a/src/lib/libcrypto/ocsp/ocsp_lib.c
+++ b/src/lib/libcrypto/ocsp/ocsp_lib.c
@@ -170,14 +170,14 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss
 
         char *host, *port;
 
-        /* dup the buffer since we are going to mess with it */
-        buf = BUF_strdup(url);
-        if (!buf) goto mem_err;
-
         *phost = NULL;
         *pport = NULL;
         *ppath = NULL;
 
+        /* dup the buffer since we are going to mess with it */
+        buf = BUF_strdup(url);
+        if (!buf) goto mem_err;
+
         /* Check for initial colon */
         p = strchr(buf, ':');
 
diff --git a/src/lib/libcrypto/ocsp/ocsp_prn.c b/src/lib/libcrypto/ocsp/ocsp_prn.c
index 1695c9c4ad..87608ff399 100644
--- a/src/lib/libcrypto/ocsp/ocsp_prn.c
+++ b/src/lib/libcrypto/ocsp/ocsp_prn.c
@@ -182,7 +182,6 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
         {
         int i, ret = 0;
         long l;
-        unsigned char *p;
         OCSP_CERTID *cid = NULL;
         OCSP_BASICRESP *br = NULL;
         OCSP_RESPID *rid = NULL;
@@ -207,7 +206,6 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
                 return 1;
                 }
 
-        p = ASN1_STRING_data(rb->response);
         i = ASN1_STRING_length(rb->response);
         if (!(br = OCSP_response_get1_basic(o))) goto err;
         rd = br->tbsResponseData;
diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h
index 2fb110fa0e..310a3387be 100644
--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER  0x1000001fL
+#define OPENSSL_VERSION_NUMBER  0x1000005fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.0a-fips 1 Jun 2010"
+#define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.0e-fips 6 Sep 2011"
 #else
-#define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.0a 1 Jun 2010"
+#define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.0e 6 Sep 2011"
 #endif
 #define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
diff --git a/src/lib/libcrypto/pem/pem_lib.c b/src/lib/libcrypto/pem/pem_lib.c
index 42e4861bc1..cfc89a9921 100644
--- a/src/lib/libcrypto/pem/pem_lib.c
+++ b/src/lib/libcrypto/pem/pem_lib.c
@@ -482,7 +482,6 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
 
 int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
         {
-        int o;
         const EVP_CIPHER *enc=NULL;
         char *p,c;
         char **header_pp = &header;
@@ -522,7 +521,6 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
                 header++;
                 }
         *header='\0';
-        o=OBJ_sn2nid(p);
         cipher->cipher=enc=EVP_get_cipherbyname(p);
         *header=c;
         header++;
diff --git a/src/lib/libcrypto/perlasm/cbc.pl b/src/lib/libcrypto/perlasm/cbc.pl
index e43dc9ae15..6fc2510905 100644
--- a/src/lib/libcrypto/perlasm/cbc.pl
+++ b/src/lib/libcrypto/perlasm/cbc.pl
@@ -158,7 +158,6 @@ sub cbc
         &jmp_ptr($count);
 
 &set_label("ej7");
-        &xor("edx",             "edx") if $ppro; # ppro friendly
         &movb(&HB("edx"),       &BP(6,$in,"",0));
         &shl("edx",8);
 &set_label("ej6");
@@ -170,7 +169,6 @@ sub cbc
         &jmp(&label("ejend"));
 &set_label("ej3");
         &movb(&HB("ecx"),       &BP(2,$in,"",0));
-        &xor("ecx",             "ecx") if $ppro; # ppro friendly
         &shl("ecx",8);
 &set_label("ej2");
         &movb(&HB("ecx"),       &BP(1,$in,"",0));
diff --git a/src/lib/libcrypto/perlasm/x86_64-xlate.pl b/src/lib/libcrypto/perlasm/x86_64-xlate.pl
index d66ad24095..68b4c1ca80 100755
--- a/src/lib/libcrypto/perlasm/x86_64-xlate.pl
+++ b/src/lib/libcrypto/perlasm/x86_64-xlate.pl
@@ -167,7 +167,7 @@ my %globals;
             } elsif ($self->{op} =~ /^(pop|push)f/) {
                 $self->{op} .= $self->{sz};
             } elsif ($self->{op} eq "call" && $current_segment eq ".CRT\$XCU") {
-                $self->{op} = "ALIGN\t8\n\tDQ";
+                $self->{op} = "\tDQ";
             } 
             $self->{op};
         }
@@ -546,6 +546,8 @@ my %globals;
                                         if ($line=~/\.([px])data/) {
                                             $v.=" rdata align=";
                                             $v.=$1 eq "p"? 4 : 8;
+                                        } elsif ($line=~/\.CRT\$/i) {
+                                            $v.=" rdata align=8";
                                         }
                                     } else {
                                         $v="$current_segment\tENDS\n" if ($current_segment);
@@ -553,6 +555,8 @@ my %globals;
                                         if ($line=~/\.([px])data/) {
                                             $v.=" READONLY";
                                             $v.=" ALIGN(".($1 eq "p" ? 4 : 8).")" if ($masm>=$masmref);
+                                        } elsif ($line=~/\.CRT\$/i) {
+                                            $v.=" READONLY DWORD";
                                         }
                                     }
                                     $current_segment = $line;
diff --git a/src/lib/libcrypto/pkcs12/p12_key.c b/src/lib/libcrypto/pkcs12/p12_key.c
index a29794bbbc..424203f648 100644
--- a/src/lib/libcrypto/pkcs12/p12_key.c
+++ b/src/lib/libcrypto/pkcs12/p12_key.c
@@ -107,6 +107,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
         unsigned char *B, *D, *I, *p, *Ai;
         int Slen, Plen, Ilen, Ijlen;
         int i, j, u, v;
+        int ret = 0;
         BIGNUM *Ij, *Bpl1;      /* These hold Ij and B + 1 */
         EVP_MD_CTX ctx;
 #ifdef  DEBUG_KEYGEN
@@ -144,10 +145,8 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
         I = OPENSSL_malloc (Ilen);
         Ij = BN_new();
         Bpl1 = BN_new();
-        if (!D || !Ai || !B || !I || !Ij || !Bpl1) {
-                PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI,ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
+        if (!D || !Ai || !B || !I || !Ij || !Bpl1)
+                goto err;
         for (i = 0; i < v; i++) D[i] = id;
         p = I;
         for (i = 0; i < Slen; i++) *p++ = salt[i % saltlen];
@@ -164,28 +163,22 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
                 }
                 memcpy (out, Ai, min (n, u));
                 if (u >= n) {
-                        OPENSSL_free (Ai);
-                        OPENSSL_free (B);
-                        OPENSSL_free (D);
-                        OPENSSL_free (I);
-                        BN_free (Ij);
-                        BN_free (Bpl1);
-                        EVP_MD_CTX_cleanup(&ctx);
 #ifdef DEBUG_KEYGEN
                         fprintf(stderr, "Output KEY (length %d)\n", tmpn);
                         h__dump(tmpout, tmpn);
 #endif
-                        return 1;       
+                        ret = 1;
+                        goto end;
                 }
                 n -= u;
                 out += u;
                 for (j = 0; j < v; j++) B[j] = Ai[j % u];
                 /* Work out B + 1 first then can use B as tmp space */
-                BN_bin2bn (B, v, Bpl1);
-                BN_add_word (Bpl1, 1);
+                if (!BN_bin2bn (B, v, Bpl1)) goto err;
+                if (!BN_add_word (Bpl1, 1)) goto err;
                 for (j = 0; j < Ilen ; j+=v) {
-                        BN_bin2bn (I + j, v, Ij);
-                        BN_add (Ij, Ij, Bpl1);
+                        if (!BN_bin2bn (I + j, v, Ij)) goto err;
+                        if (!BN_add (Ij, Ij, Bpl1)) goto err;
                         BN_bn2bin (Ij, B);
                         Ijlen = BN_num_bytes (Ij);
                         /* If more than 2^(v*8) - 1 cut off MSB */
@@ -201,6 +194,19 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
                         } else BN_bn2bin (Ij, I + j);
                 }
         }
+
+err:
+        PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI,ERR_R_MALLOC_FAILURE);
+
+end:
+        OPENSSL_free (Ai);
+        OPENSSL_free (B);
+        OPENSSL_free (D);
+        OPENSSL_free (I);
+        BN_free (Ij);
+        BN_free (Bpl1);
+        EVP_MD_CTX_cleanup(&ctx);
+        return ret;
 }
 #ifdef DEBUG_KEYGEN
 void h__dump (unsigned char *p, int len)
diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c
index 451de84489..3bf1a367bb 100644
--- a/src/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/src/lib/libcrypto/pkcs7/pk7_doit.c
@@ -422,7 +422,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
         X509_ALGOR *enc_alg=NULL;
         STACK_OF(X509_ALGOR) *md_sk=NULL;
         STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
-        X509_ALGOR *xalg=NULL;
         PKCS7_RECIP_INFO *ri=NULL;
 
         i=OBJ_obj2nid(p7->type);
@@ -445,7 +444,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                         PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
                         goto err;
                         }
-                xalg=p7->d.signed_and_enveloped->enc_data->algorithm;
                 break;
         case NID_pkcs7_enveloped:
                 rsk=p7->d.enveloped->recipientinfo;
@@ -457,7 +455,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                         PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
                         goto err;
                         }
-                xalg=p7->d.enveloped->enc_data->algorithm;
                 break;
         default:
                 PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
diff --git a/src/lib/libcrypto/pkcs7/pk7_lib.c b/src/lib/libcrypto/pkcs7/pk7_lib.c
index 3ca0952792..d411269b50 100644
--- a/src/lib/libcrypto/pkcs7/pk7_lib.c
+++ b/src/lib/libcrypto/pkcs7/pk7_lib.c
@@ -591,7 +591,6 @@ X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
 int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher)
         {
         int i;
-        ASN1_OBJECT *objtmp;
         PKCS7_ENC_CONTENT *ec;
 
         i=OBJ_obj2nid(p7->type);
@@ -614,7 +613,6 @@ int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher)
                 PKCS7err(PKCS7_F_PKCS7_SET_CIPHER,PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
                 return(0);
         }
-        objtmp = OBJ_nid2obj(i);
 
         ec->cipher = cipher;
         return 1;
diff --git a/src/lib/libcrypto/rand/md_rand.c b/src/lib/libcrypto/rand/md_rand.c
index 88088ce73c..b2f04ff13e 100644
--- a/src/lib/libcrypto/rand/md_rand.c
+++ b/src/lib/libcrypto/rand/md_rand.c
@@ -476,11 +476,14 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
                 MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
 
 #ifndef PURIFY /* purify complains */
-                /* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */
+                /* The following line uses the supplied buffer as a small
+                 * source of entropy: since this buffer is often uninitialised
+                 * it may cause programs such as purify or valgrind to
+                 * complain. So for those builds it is not used: the removal
+                 * of such a small source of entropy has negligible impact on
+                 * security.
+                 */
                 MD_Update(&m,buf,j);
-                /* We know that line may cause programs such as
-                   purify and valgrind to complain about use of
-                   uninitialized data.  */
 #endif
 
                 k=(st_idx+MD_DIGEST_LENGTH/2)-st_num;
diff --git a/src/lib/libcrypto/rand/rand_vms.c b/src/lib/libcrypto/rand/rand_vms.c
index 1267a3acae..0bfd8ff7e4 100644
--- a/src/lib/libcrypto/rand/rand_vms.c
+++ b/src/lib/libcrypto/rand/rand_vms.c
@@ -69,6 +69,17 @@
 # pragma message disable DOLLARID
 #endif
 
+/* Use 32-bit pointers almost everywhere.  Define the type to which to
+ * cast a pointer passed to an external function.
+ */
+#if __INITIAL_POINTER_SIZE == 64
+# define PTR_T __void_ptr64
+# pragma pointer_size save
+# pragma pointer_size 32
+#else /* __INITIAL_POINTER_SIZE == 64 */
+# define PTR_T void *
+#endif /* __INITIAL_POINTER_SIZE == 64 [else] */
+
 static struct items_data_st
         {
         short length, code;     /* length is amount of bytes */
@@ -125,11 +136,12 @@ int RAND_poll(void)
                 {
                 if (status == SS$_NORMAL)
                         {
-                        RAND_add(data_buffer, total_length, total_length/2);
+                        RAND_add( (PTR_T)data_buffer, total_length,
+                         total_length/2);
                         }
                 }
         sys$gettim(iosb);
-        RAND_add((unsigned char *)iosb, sizeof(iosb), sizeof(iosb)/2);
+        RAND_add( (PTR_T)iosb, sizeof(iosb), sizeof(iosb)/2);
         return 1;
 }
 
diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c
index 4ed40b7b70..bc7d9c5804 100644
--- a/src/lib/libcrypto/rand/randfile.c
+++ b/src/lib/libcrypto/rand/randfile.c
@@ -144,7 +144,9 @@ int RAND_load_file(const char *file, long bytes)
            * I/O because we will waste system entropy. 
            */
           bytes = (bytes == -1) ? 2048 : bytes; /* ok, is 2048 enough? */
+#ifndef OPENSSL_NO_SETVBUF_IONBF
           setvbuf(in, NULL, _IONBF, 0); /* don't do buffered reads */
+#endif /* ndef OPENSSL_NO_SETVBUF_IONBF */
         }
 #endif
         for (;;)
@@ -269,7 +271,6 @@ err:
 const char *RAND_file_name(char *buf, size_t size)
         {
         char *s=NULL;
-        int ok = 0;
 #ifdef __OpenBSD__
         struct stat sb;
 #endif
@@ -298,7 +299,6 @@ const char *RAND_file_name(char *buf, size_t size)
                         BUF_strlcat(buf,"/",size);
 #endif
                         BUF_strlcat(buf,RFILE,size);
-                        ok = 1;
                         }
                 else
                         buf[0] = '\0'; /* no file name */
@@ -312,7 +312,7 @@ const char *RAND_file_name(char *buf, size_t size)
          * to something hopefully decent if that isn't available. 
          */
 
-        if (!ok)
+        if (!buf[0])
                 if (BUF_strlcpy(buf,"/dev/arandom",size) >= size) {
                         return(NULL);
                 }       
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index c5eaeeae6b..7c941885f0 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -675,7 +675,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
                 rsa->_method_mod_n)) goto err;
 
         if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
-                BN_sub(ret, rsa->n, ret);
+                if (!BN_sub(ret, rsa->n, ret)) goto err;
 
         p=buf;
         i=BN_bn2bin(ret,p);
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
index e238d10e5c..18d307ea9e 100644
--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -189,34 +189,40 @@ int PKCS1_MGF1(unsigned char *mask, long len,
         EVP_MD_CTX c;
         unsigned char md[EVP_MAX_MD_SIZE];
         int mdlen;
+        int rv = -1;
 
         EVP_MD_CTX_init(&c);
         mdlen = EVP_MD_size(dgst);
         if (mdlen < 0)
-                return -1;
+                goto err;
         for (i = 0; outlen < len; i++)
                 {
                 cnt[0] = (unsigned char)((i >> 24) & 255);
                 cnt[1] = (unsigned char)((i >> 16) & 255);
                 cnt[2] = (unsigned char)((i >> 8)) & 255;
                 cnt[3] = (unsigned char)(i & 255);
-                EVP_DigestInit_ex(&c,dgst, NULL);
-                EVP_DigestUpdate(&c, seed, seedlen);
-                EVP_DigestUpdate(&c, cnt, 4);
+                if (!EVP_DigestInit_ex(&c,dgst, NULL)
+                        || !EVP_DigestUpdate(&c, seed, seedlen)
+                        || !EVP_DigestUpdate(&c, cnt, 4))
+                        goto err;
                 if (outlen + mdlen <= len)
                         {
-                        EVP_DigestFinal_ex(&c, mask + outlen, NULL);
+                        if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL))
+                                goto err;
                         outlen += mdlen;
                         }
                 else
                         {
-                        EVP_DigestFinal_ex(&c, md, NULL);
+                        if (!EVP_DigestFinal_ex(&c, md, NULL))
+                                goto err;
                         memcpy(mask + outlen, md, len - outlen);
                         outlen = len;
                         }
                 }
+        rv = 0;
+        err:
         EVP_MD_CTX_cleanup(&c);
-        return 0;
+        return rv;
         }
 
 static int MGF1(unsigned char *mask, long len, const unsigned char *seed,
diff --git a/src/lib/libcrypto/stack/safestack.h b/src/lib/libcrypto/stack/safestack.h
index 891cb84a51..3e76aa58f5 100644
--- a/src/lib/libcrypto/stack/safestack.h
+++ b/src/lib/libcrypto/stack/safestack.h
@@ -179,7 +179,8 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void)
         sk_is_sorted(CHECKED_STACK_OF(type, st))
 
 #define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
-  (STACK_OF(type) *)d2i_ASN1_SET((STACK_OF(OPENSSL_BLOCK) **)CHECKED_STACK_OF(type, st), \
+  (STACK_OF(type) *)d2i_ASN1_SET( \
+                                (STACK_OF(OPENSSL_BLOCK) **)CHECKED_PTR_OF(STACK_OF(type)*, st), \
                                 pp, length, \
                                 CHECKED_D2I_OF(type, d2i_func), \
                                 CHECKED_SK_FREE_FUNC(type, free_func), \
@@ -2030,79 +2031,79 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void)
 #define sk_void_sort(st) SKM_sk_sort(void, (st))
 #define sk_void_is_sorted(st) SKM_sk_is_sorted(void, (st))
 
-#define sk_OPENSSL_BLOCK_new(cmp) ((STACK_OF(OPENSSL_BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp)))
-#define sk_OPENSSL_BLOCK_new_null() ((STACK_OF(OPENSSL_BLOCK) *)sk_new_null())
-#define sk_OPENSSL_BLOCK_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
-#define sk_OPENSSL_BLOCK_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
-#define sk_OPENSSL_BLOCK_value(st, i) ((OPENSSL_BLOCK)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), i))
-#define sk_OPENSSL_BLOCK_num(st) SKM_sk_num(OPENSSL_BLOCK, st)
-#define sk_OPENSSL_BLOCK_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_SK_FREE_FUNC2(OPENSSL_BLOCK, free_func))
-#define sk_OPENSSL_BLOCK_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val), i)
-#define sk_OPENSSL_BLOCK_free(st) SKM_sk_free(OPENSSL_BLOCK, st)
-#define sk_OPENSSL_BLOCK_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), i, CHECKED_PTR_OF(void, val))
-#define sk_OPENSSL_BLOCK_zero(st) SKM_sk_zero(OPENSSL_BLOCK, (st))
-#define sk_OPENSSL_BLOCK_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
-#define sk_OPENSSL_BLOCK_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_CONST_PTR_OF(void, val))
-#define sk_OPENSSL_BLOCK_delete(st, i) SKM_sk_delete(OPENSSL_BLOCK, (st), (i))
-#define sk_OPENSSL_BLOCK_delete_ptr(st, ptr) (OPENSSL_BLOCK *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, ptr))
-#define sk_OPENSSL_BLOCK_set_cmp_func(st, cmp)  \
-        ((int (*)(const void * const *,const void * const *)) \
-        sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_SK_CMP_FUNC(void, cmp)))
-#define sk_OPENSSL_BLOCK_dup(st) SKM_sk_dup(OPENSSL_BLOCK, st)
-#define sk_OPENSSL_BLOCK_shift(st) SKM_sk_shift(OPENSSL_BLOCK, (st))
-#define sk_OPENSSL_BLOCK_pop(st) (void *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st))
-#define sk_OPENSSL_BLOCK_sort(st) SKM_sk_sort(OPENSSL_BLOCK, (st))
-#define sk_OPENSSL_BLOCK_is_sorted(st) SKM_sk_is_sorted(OPENSSL_BLOCK, (st))
+#define sk_OPENSSL_STRING_new(cmp) ((STACK_OF(OPENSSL_STRING) *)sk_new(CHECKED_SK_CMP_FUNC(char, cmp)))
+#define sk_OPENSSL_STRING_new_null() ((STACK_OF(OPENSSL_STRING) *)sk_new_null())
+#define sk_OPENSSL_STRING_push(st, val) sk_push(CHECKED_STACK_OF(OPENSSL_STRING, st), CHECKED_PTR_OF(char, val))
+#define sk_OPENSSL_STRING_find(st, val) sk_find(CHECKED_STACK_OF(OPENSSL_STRING, st), CHECKED_PTR_OF(char, val))
+#define sk_OPENSSL_STRING_value(st, i) ((OPENSSL_STRING)sk_value(CHECKED_STACK_OF(OPENSSL_STRING, st), i))
+#define sk_OPENSSL_STRING_num(st) SKM_sk_num(OPENSSL_STRING, st)
+#define sk_OPENSSL_STRING_pop_free(st, free_func) sk_pop_free(CHECKED_STACK_OF(OPENSSL_STRING, st), CHECKED_SK_FREE_FUNC2(OPENSSL_STRING, free_func))
+#define sk_OPENSSL_STRING_insert(st, val, i) sk_insert(CHECKED_STACK_OF(OPENSSL_STRING, st), CHECKED_PTR_OF(char, val), i)
+#define sk_OPENSSL_STRING_free(st) SKM_sk_free(OPENSSL_STRING, st)
+#define sk_OPENSSL_STRING_set(st, i, val) sk_set(CHECKED_STACK_OF(OPENSSL_STRING, st), i, CHECKED_PTR_OF(char, val))
+#define sk_OPENSSL_STRING_zero(st) SKM_sk_zero(OPENSSL_STRING, (st))
+#define sk_OPENSSL_STRING_unshift(st, val) sk_unshift(CHECKED_STACK_OF(OPENSSL_STRING, st), CHECKED_PTR_OF(char, val))
+#define sk_OPENSSL_STRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_CONST_PTR_OF(char, val))
+#define sk_OPENSSL_STRING_delete(st, i) SKM_sk_delete(OPENSSL_STRING, (st), (i))
+#define sk_OPENSSL_STRING_delete_ptr(st, ptr) (OPENSSL_STRING *)sk_delete_ptr(CHECKED_STACK_OF(OPENSSL_STRING, st), CHECKED_PTR_OF(char, ptr))
+#define sk_OPENSSL_STRING_set_cmp_func(st, cmp)  \
+        ((int (*)(const char * const *,const char * const *)) \
+        sk_set_cmp_func(CHECKED_STACK_OF(OPENSSL_STRING, st), CHECKED_SK_CMP_FUNC(char, cmp)))
+#define sk_OPENSSL_STRING_dup(st) SKM_sk_dup(OPENSSL_STRING, st)
+#define sk_OPENSSL_STRING_shift(st) SKM_sk_shift(OPENSSL_STRING, (st))
+#define sk_OPENSSL_STRING_pop(st) (char *)sk_pop(CHECKED_STACK_OF(OPENSSL_STRING, st))
+#define sk_OPENSSL_STRING_sort(st) SKM_sk_sort(OPENSSL_STRING, (st))
+#define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st))
 
 
 #define sk_OPENSSL_PSTRING_new(cmp) ((STACK_OF(OPENSSL_PSTRING) *)sk_new(CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp)))
 #define sk_OPENSSL_PSTRING_new_null() ((STACK_OF(OPENSSL_PSTRING) *)sk_new_null())
-#define sk_OPENSSL_PSTRING_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, val))
-#define sk_OPENSSL_PSTRING_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, val))
-#define sk_OPENSSL_PSTRING_value(st, i) ((OPENSSL_PSTRING)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), i))
+#define sk_OPENSSL_PSTRING_push(st, val) sk_push(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, val))
+#define sk_OPENSSL_PSTRING_find(st, val) sk_find(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, val))
+#define sk_OPENSSL_PSTRING_value(st, i) ((OPENSSL_PSTRING)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, st), i))
 #define sk_OPENSSL_PSTRING_num(st) SKM_sk_num(OPENSSL_PSTRING, st)
-#define sk_OPENSSL_PSTRING_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_SK_FREE_FUNC2(OPENSSL_PSTRING, free_func))
-#define sk_OPENSSL_PSTRING_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, val), i)
+#define sk_OPENSSL_PSTRING_pop_free(st, free_func) sk_pop_free(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_SK_FREE_FUNC2(OPENSSL_PSTRING, free_func))
+#define sk_OPENSSL_PSTRING_insert(st, val, i) sk_insert(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, val), i)
 #define sk_OPENSSL_PSTRING_free(st) SKM_sk_free(OPENSSL_PSTRING, st)
-#define sk_OPENSSL_PSTRING_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), i, CHECKED_PTR_OF(OPENSSL_STRING, val))
+#define sk_OPENSSL_PSTRING_set(st, i, val) sk_set(CHECKED_STACK_OF(OPENSSL_PSTRING, st), i, CHECKED_PTR_OF(OPENSSL_STRING, val))
 #define sk_OPENSSL_PSTRING_zero(st) SKM_sk_zero(OPENSSL_PSTRING, (st))
-#define sk_OPENSSL_PSTRING_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, val))
+#define sk_OPENSSL_PSTRING_unshift(st, val) sk_unshift(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, val))
 #define sk_OPENSSL_PSTRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_CONST_PTR_OF(OPENSSL_STRING, val))
 #define sk_OPENSSL_PSTRING_delete(st, i) SKM_sk_delete(OPENSSL_PSTRING, (st), (i))
-#define sk_OPENSSL_PSTRING_delete_ptr(st, ptr) (OPENSSL_PSTRING *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_PTR_OF(OPENSSL_STRING, ptr))
+#define sk_OPENSSL_PSTRING_delete_ptr(st, ptr) (OPENSSL_PSTRING *)sk_delete_ptr(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, ptr))
 #define sk_OPENSSL_PSTRING_set_cmp_func(st, cmp)  \
         ((int (*)(const OPENSSL_STRING * const *,const OPENSSL_STRING * const *)) \
-        sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp)))
+        sk_set_cmp_func(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp)))
 #define sk_OPENSSL_PSTRING_dup(st) SKM_sk_dup(OPENSSL_PSTRING, st)
 #define sk_OPENSSL_PSTRING_shift(st) SKM_sk_shift(OPENSSL_PSTRING, (st))
-#define sk_OPENSSL_PSTRING_pop(st) (OPENSSL_STRING *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_PSTRING), st))
+#define sk_OPENSSL_PSTRING_pop(st) (OPENSSL_STRING *)sk_pop(CHECKED_STACK_OF(OPENSSL_PSTRING, st))
 #define sk_OPENSSL_PSTRING_sort(st) SKM_sk_sort(OPENSSL_PSTRING, (st))
 #define sk_OPENSSL_PSTRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_PSTRING, (st))
 
 
-#define sk_OPENSSL_STRING_new(cmp) ((STACK_OF(OPENSSL_STRING) *)sk_new(CHECKED_SK_CMP_FUNC(char, cmp)))
-#define sk_OPENSSL_STRING_new_null() ((STACK_OF(OPENSSL_STRING) *)sk_new_null())
-#define sk_OPENSSL_STRING_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val))
-#define sk_OPENSSL_STRING_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val))
-#define sk_OPENSSL_STRING_value(st, i) ((OPENSSL_STRING)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), i))
-#define sk_OPENSSL_STRING_num(st) SKM_sk_num(OPENSSL_STRING, st)
-#define sk_OPENSSL_STRING_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_SK_FREE_FUNC2(OPENSSL_STRING, free_func))
-#define sk_OPENSSL_STRING_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val), i)
-#define sk_OPENSSL_STRING_free(st) SKM_sk_free(OPENSSL_STRING, st)
-#define sk_OPENSSL_STRING_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), i, CHECKED_PTR_OF(char, val))
-#define sk_OPENSSL_STRING_zero(st) SKM_sk_zero(OPENSSL_STRING, (st))
-#define sk_OPENSSL_STRING_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val))
-#define sk_OPENSSL_STRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_CONST_PTR_OF(char, val))
-#define sk_OPENSSL_STRING_delete(st, i) SKM_sk_delete(OPENSSL_STRING, (st), (i))
-#define sk_OPENSSL_STRING_delete_ptr(st, ptr) (OPENSSL_STRING *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, ptr))
-#define sk_OPENSSL_STRING_set_cmp_func(st, cmp)  \
-        ((int (*)(const char * const *,const char * const *)) \
-        sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_SK_CMP_FUNC(char, cmp)))
-#define sk_OPENSSL_STRING_dup(st) SKM_sk_dup(OPENSSL_STRING, st)
-#define sk_OPENSSL_STRING_shift(st) SKM_sk_shift(OPENSSL_STRING, (st))
-#define sk_OPENSSL_STRING_pop(st) (char *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st))
-#define sk_OPENSSL_STRING_sort(st) SKM_sk_sort(OPENSSL_STRING, (st))
-#define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st))
+#define sk_OPENSSL_BLOCK_new(cmp) ((STACK_OF(OPENSSL_BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp)))
+#define sk_OPENSSL_BLOCK_new_null() ((STACK_OF(OPENSSL_BLOCK) *)sk_new_null())
+#define sk_OPENSSL_BLOCK_push(st, val) sk_push(CHECKED_STACK_OF(OPENSSL_BLOCK, st), CHECKED_PTR_OF(void, val))
+#define sk_OPENSSL_BLOCK_find(st, val) sk_find(CHECKED_STACK_OF(OPENSSL_BLOCK, st), CHECKED_PTR_OF(void, val))
+#define sk_OPENSSL_BLOCK_value(st, i) ((OPENSSL_BLOCK)sk_value(CHECKED_STACK_OF(OPENSSL_BLOCK, st), i))
+#define sk_OPENSSL_BLOCK_num(st) SKM_sk_num(OPENSSL_BLOCK, st)
+#define sk_OPENSSL_BLOCK_pop_free(st, free_func) sk_pop_free(CHECKED_STACK_OF(OPENSSL_BLOCK, st), CHECKED_SK_FREE_FUNC2(OPENSSL_BLOCK, free_func))
+#define sk_OPENSSL_BLOCK_insert(st, val, i) sk_insert(CHECKED_STACK_OF(OPENSSL_BLOCK, st), CHECKED_PTR_OF(void, val), i)
+#define sk_OPENSSL_BLOCK_free(st) SKM_sk_free(OPENSSL_BLOCK, st)
+#define sk_OPENSSL_BLOCK_set(st, i, val) sk_set(CHECKED_STACK_OF(OPENSSL_BLOCK, st), i, CHECKED_PTR_OF(void, val))
+#define sk_OPENSSL_BLOCK_zero(st) SKM_sk_zero(OPENSSL_BLOCK, (st))
+#define sk_OPENSSL_BLOCK_unshift(st, val) sk_unshift(CHECKED_STACK_OF(OPENSSL_BLOCK, st), CHECKED_PTR_OF(void, val))
+#define sk_OPENSSL_BLOCK_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_CONST_PTR_OF(void, val))
+#define sk_OPENSSL_BLOCK_delete(st, i) SKM_sk_delete(OPENSSL_BLOCK, (st), (i))
+#define sk_OPENSSL_BLOCK_delete_ptr(st, ptr) (OPENSSL_BLOCK *)sk_delete_ptr(CHECKED_STACK_OF(OPENSSL_BLOCK, st), CHECKED_PTR_OF(void, ptr))
+#define sk_OPENSSL_BLOCK_set_cmp_func(st, cmp)  \
+        ((int (*)(const void * const *,const void * const *)) \
+        sk_set_cmp_func(CHECKED_STACK_OF(OPENSSL_BLOCK, st), CHECKED_SK_CMP_FUNC(void, cmp)))
+#define sk_OPENSSL_BLOCK_dup(st) SKM_sk_dup(OPENSSL_BLOCK, st)
+#define sk_OPENSSL_BLOCK_shift(st) SKM_sk_shift(OPENSSL_BLOCK, (st))
+#define sk_OPENSSL_BLOCK_pop(st) (void *)sk_pop(CHECKED_STACK_OF(OPENSSL_BLOCK, st))
+#define sk_OPENSSL_BLOCK_sort(st) SKM_sk_sort(OPENSSL_BLOCK, (st))
+#define sk_OPENSSL_BLOCK_is_sorted(st) SKM_sk_is_sorted(OPENSSL_BLOCK, (st))
 
 
 #define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
diff --git a/src/lib/libcrypto/util/cygwin.sh b/src/lib/libcrypto/util/cygwin.sh
index a4f2e740b4..d6228521e6 100644
--- a/src/lib/libcrypto/util/cygwin.sh
+++ b/src/lib/libcrypto/util/cygwin.sh
@@ -8,7 +8,7 @@
 #set -x
 
 CONFIG_OPTIONS="--prefix=/usr shared zlib no-idea no-rc5"
-INSTALL_PREFIX=/tmp/install
+INSTALL_PREFIX=/tmp/install/INSTALL
 
 VERSION=
 SUBVERSION=$1
@@ -124,8 +124,12 @@ strip usr/bin/*.exe usr/bin/*.dll usr/lib/engines/*.so
 chmod u-w usr/lib/engines/*.so
 
 # Runtime package
-find etc usr/bin usr/lib/engines usr/share/doc usr/ssl/certs \
-     usr/ssl/man/man[157] usr/ssl/misc usr/ssl/openssl.cnf usr/ssl/private \
+tar cjf libopenssl${VERSION//[!0-9]/}-${VERSION}-${SUBVERSION}.tar.bz2 \
+     usr/bin/cyg*dll
+# Base package
+find etc usr/bin/openssl.exe usr/bin/c_rehash usr/lib/engines usr/share/doc \
+     usr/ssl/certs usr/ssl/man/man[157] usr/ssl/misc usr/ssl/openssl.cnf \
+     usr/ssl/private \
      -empty -o \! -type d |
 tar cjfT openssl-${VERSION}-${SUBVERSION}.tar.bz2 -
 # Development package
@@ -135,6 +139,7 @@ tar cjfT openssl-devel-${VERSION}-${SUBVERSION}.tar.bz2 -
 
 ls -l openssl-${VERSION}-${SUBVERSION}.tar.bz2
 ls -l openssl-devel-${VERSION}-${SUBVERSION}.tar.bz2
+ls -l libopenssl${VERSION//[!0-9]/}-${VERSION}-${SUBVERSION}.tar.bz2
 
 cleanup
 
diff --git a/src/lib/libcrypto/util/libeay.num b/src/lib/libcrypto/util/libeay.num
index c68047e955..1467ab6243 100644
--- a/src/lib/libcrypto/util/libeay.num
+++ b/src/lib/libcrypto/util/libeay.num
@@ -4178,4 +4178,20 @@ UI_method_get_prompt_constructr         4550	EXIST:VMS:FUNCTION:
 UI_method_set_prompt_constructor        4551    EXIST:!VMS:FUNCTION:
 UI_method_set_prompt_constructr         4551    EXIST:VMS:FUNCTION:
 EVP_read_pw_string_min                  4552    EXIST::FUNCTION:
-ENGINE_load_aesni                       4553    EXIST::FUNCTION:ENGINE
+CRYPTO_cts128_encrypt                   4553    EXIST::FUNCTION:
+CRYPTO_cts128_decrypt_block             4554    EXIST::FUNCTION:
+CRYPTO_cfb128_1_encrypt                 4555    EXIST::FUNCTION:
+CRYPTO_cbc128_encrypt                   4556    EXIST::FUNCTION:
+CRYPTO_ctr128_encrypt                   4557    EXIST::FUNCTION:
+CRYPTO_ofb128_encrypt                   4558    EXIST::FUNCTION:
+CRYPTO_cts128_decrypt                   4559    EXIST::FUNCTION:
+CRYPTO_cts128_encrypt_block             4560    EXIST::FUNCTION:
+CRYPTO_cbc128_decrypt                   4561    EXIST::FUNCTION:
+CRYPTO_cfb128_encrypt                   4562    EXIST::FUNCTION:
+CRYPTO_cfb128_8_encrypt                 4563    EXIST::FUNCTION:
+OPENSSL_strcasecmp                      4564    EXIST::FUNCTION:
+OPENSSL_memcmp                          4565    EXIST::FUNCTION:
+OPENSSL_strncasecmp                     4566    EXIST::FUNCTION:
+OPENSSL_gmtime                          4567    EXIST::FUNCTION:
+OPENSSL_gmtime_adj                      4568    EXIST::FUNCTION:
+ENGINE_load_aesni                       4569    EXIST::FUNCTION:ENGINE
diff --git a/src/lib/libcrypto/util/mk1mf.pl b/src/lib/libcrypto/util/mk1mf.pl
index 780029a03f..1dcef2b8a2 100644
--- a/src/lib/libcrypto/util/mk1mf.pl
+++ b/src/lib/libcrypto/util/mk1mf.pl
@@ -13,6 +13,7 @@ $banner="\t\@echo Building OpenSSL";
 
 my $no_static_engine = 1;
 my $engines = "";
+my $otherlibs = "";
 local $zlib_opt = 0;    # 0 = no zlib, 1 = static, 2 = dynamic
 local $zlib_lib = "";
 local $perl_asm = 0;    # 1 to autobuild asm files from perl scripts
@@ -266,6 +267,7 @@ $cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5;
 $cflags.=" -DOPENSSL_NO_EC"   if $no_ec;
 $cflags.=" -DOPENSSL_NO_ECDSA" if $no_ecdsa;
 $cflags.=" -DOPENSSL_NO_ECDH" if $no_ecdh;
+$cflags.=" -DOPENSSL_NO_GOST" if $no_gost;
 $cflags.=" -DOPENSSL_NO_ENGINE"   if $no_engine;
 $cflags.=" -DOPENSSL_NO_HW"   if $no_hw;
 $cflags.=" -DOPENSSL_NO_JPAKE"    if $no_jpake;
@@ -356,6 +358,12 @@ for (;;)
                 $lib=$val;
                 $lib =~ s/^.*\/([^\/]+)$/$1/;
                 }
+        if ($key eq "LIBNAME" && $no_static_engine)
+                {
+                $lib=$val;
+                $lib =~ s/^.*\/([^\/]+)$/$1/;
+                $otherlibs .= " $lib";
+                }
 
         if ($key eq "EXHEADER")
                 { $exheader.=&var_add($dir,$val, 1); }
@@ -658,7 +666,7 @@ foreach (split(/\s+/,$test))
         $rules.=&do_link_rule("\$(TEST_D)$o$t$exep",$tt,"\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
         }
 
-$defs.=&do_defs("E_SHLIB",$engines,"\$(ENG_D)",$shlibp);
+$defs.=&do_defs("E_SHLIB",$engines . $otherlibs,"\$(ENG_D)",$shlibp);
 
 foreach (split(/\s+/,$engines))
         {
@@ -671,6 +679,14 @@ foreach (split(/\s+/,$engines))
 $rules.= &do_lib_rule("\$(SSLOBJ)","\$(O_SSL)",$ssl,$shlib,"\$(SO_SSL)");
 $rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)");
 
+foreach (split(" ",$otherlibs))
+        {
+        my $uc = $_;
+        $uc =~ tr /a-z/A-Z/;    
+        $rules.= &do_lib_rule("\$(${uc}OBJ)","\$(ENG_D)$o$_$shlibp", "", $shlib, "");
+
+        }
+
 $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
 
 print $defs;
@@ -708,6 +724,7 @@ sub var_add
         return("") if $no_dsa  && $dir =~ /\/dsa/;
         return("") if $no_dh   && $dir =~ /\/dh/;
         return("") if $no_ec   && $dir =~ /\/ec/;
+        return("") if $no_gost   && $dir =~ /\/ccgost/;
         return("") if $no_cms  && $dir =~ /\/cms/;
         return("") if $no_jpake  && $dir =~ /\/jpake/;
         if ($no_des && $dir =~ /\/des/)
@@ -1047,6 +1064,7 @@ sub read_options
                 "no-ec" => \$no_ec,
                 "no-ecdsa" => \$no_ecdsa,
                 "no-ecdh" => \$no_ecdh,
+                "no-gost" => \$no_gost,
                 "no-engine" => \$no_engine,
                 "no-hw" => \$no_hw,
                 "just-ssl" =>
diff --git a/src/lib/libcrypto/util/mkdef.pl b/src/lib/libcrypto/util/mkdef.pl
index a4a17e3ae9..ab47329097 100644
--- a/src/lib/libcrypto/util/mkdef.pl
+++ b/src/lib/libcrypto/util/mkdef.pl
@@ -257,6 +257,8 @@ $ssl.=" ssl/tls1.h";
 
 my $crypto ="crypto/crypto.h";
 $crypto.=" crypto/o_dir.h";
+$crypto.=" crypto/o_str.h";
+$crypto.=" crypto/o_time.h";
 $crypto.=" crypto/des/des.h crypto/des/des_old.h" ; # unless $no_des;
 $crypto.=" crypto/idea/idea.h" ; # unless $no_idea;
 $crypto.=" crypto/rc4/rc4.h" ; # unless $no_rc4;
@@ -316,6 +318,7 @@ $crypto.=" crypto/krb5/krb5_asn.h";
 $crypto.=" crypto/pqueue/pqueue.h";
 $crypto.=" crypto/cms/cms.h";
 $crypto.=" crypto/jpake/jpake.h";
+$crypto.=" crypto/modes/modes.h";
 
 my $symhacks="crypto/symhacks.h";
 
diff --git a/src/lib/libcrypto/util/mkerr.pl b/src/lib/libcrypto/util/mkerr.pl
index 15b774f277..2c99467d34 100644
--- a/src/lib/libcrypto/util/mkerr.pl
+++ b/src/lib/libcrypto/util/mkerr.pl
@@ -391,7 +391,7 @@ foreach $lib (keys %csrc)
         } else {
             push @out,
 "/* ====================================================================\n",
-" * Copyright (c) 2001-2010 The OpenSSL Project.  All rights reserved.\n",
+" * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.\n",
 " *\n",
 " * Redistribution and use in source and binary forms, with or without\n",
 " * modification, are permitted provided that the following conditions\n",
@@ -576,7 +576,7 @@ EOF
         print OUT <<"EOF";
 /* $cfile */
 /* ====================================================================
- * Copyright (c) 1999-2010 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/src/lib/libcrypto/util/mkstack.pl b/src/lib/libcrypto/util/mkstack.pl
index 6a43757c95..f708610a78 100644
--- a/src/lib/libcrypto/util/mkstack.pl
+++ b/src/lib/libcrypto/util/mkstack.pl
@@ -104,25 +104,25 @@ EOF
 
 #define sk_${t1}_new(cmp) ((STACK_OF($t1) *)sk_new(CHECKED_SK_CMP_FUNC($t2, cmp)))
 #define sk_${t1}_new_null() ((STACK_OF($t1) *)sk_new_null())
-#define sk_${t1}_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF($t1), st), CHECKED_PTR_OF($t2, val))
-#define sk_${t1}_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF($t1), st), CHECKED_PTR_OF($t2, val))
-#define sk_${t1}_value(st, i) (($t1)sk_value(CHECKED_PTR_OF(STACK_OF($t1), st), i))
+#define sk_${t1}_push(st, val) sk_push(CHECKED_STACK_OF($t1, st), CHECKED_PTR_OF($t2, val))
+#define sk_${t1}_find(st, val) sk_find(CHECKED_STACK_OF($t1, st), CHECKED_PTR_OF($t2, val))
+#define sk_${t1}_value(st, i) (($t1)sk_value(CHECKED_STACK_OF($t1, st), i))
 #define sk_${t1}_num(st) SKM_sk_num($t1, st)
-#define sk_${t1}_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF($t1), st), CHECKED_SK_FREE_FUNC2($t1, free_func))
-#define sk_${t1}_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF($t1), st), CHECKED_PTR_OF($t2, val), i)
+#define sk_${t1}_pop_free(st, free_func) sk_pop_free(CHECKED_STACK_OF($t1, st), CHECKED_SK_FREE_FUNC2($t1, free_func))
+#define sk_${t1}_insert(st, val, i) sk_insert(CHECKED_STACK_OF($t1, st), CHECKED_PTR_OF($t2, val), i)
 #define sk_${t1}_free(st) SKM_sk_free(${t1}, st)
-#define sk_${t1}_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF($t1), st), i, CHECKED_PTR_OF($t2, val))
+#define sk_${t1}_set(st, i, val) sk_set(CHECKED_STACK_OF($t1, st), i, CHECKED_PTR_OF($t2, val))
 #define sk_${t1}_zero(st) SKM_sk_zero($t1, (st))
-#define sk_${t1}_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF($t1), st), CHECKED_PTR_OF($t2, val))
+#define sk_${t1}_unshift(st, val) sk_unshift(CHECKED_STACK_OF($t1, st), CHECKED_PTR_OF($t2, val))
 #define sk_${t1}_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF($t1), st), CHECKED_CONST_PTR_OF($t2, val))
 #define sk_${t1}_delete(st, i) SKM_sk_delete($t1, (st), (i))
-#define sk_${t1}_delete_ptr(st, ptr) ($t1 *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF($t1), st), CHECKED_PTR_OF($t2, ptr))
+#define sk_${t1}_delete_ptr(st, ptr) ($t1 *)sk_delete_ptr(CHECKED_STACK_OF($t1, st), CHECKED_PTR_OF($t2, ptr))
 #define sk_${t1}_set_cmp_func(st, cmp)  \\
         ((int (*)(const $t2 * const *,const $t2 * const *)) \\
-        sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF($t1), st), CHECKED_SK_CMP_FUNC($t2, cmp)))
+        sk_set_cmp_func(CHECKED_STACK_OF($t1, st), CHECKED_SK_CMP_FUNC($t2, cmp)))
 #define sk_${t1}_dup(st) SKM_sk_dup($t1, st)
 #define sk_${t1}_shift(st) SKM_sk_shift($t1, (st))
-#define sk_${t1}_pop(st) ($t2 *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF($t1), st))
+#define sk_${t1}_pop(st) ($t2 *)sk_pop(CHECKED_STACK_OF($t1, st))
 #define sk_${t1}_sort(st) SKM_sk_sort($t1, (st))
 #define sk_${t1}_is_sorted(st) SKM_sk_is_sorted($t1, (st))
 
diff --git a/src/lib/libcrypto/util/pl/VC-32.pl b/src/lib/libcrypto/util/pl/VC-32.pl
index c3e29fda96..5f25fc41bf 100644
--- a/src/lib/libcrypto/util/pl/VC-32.pl
+++ b/src/lib/libcrypto/util/pl/VC-32.pl
@@ -138,8 +138,8 @@ else
         }
 
 # generate symbols.pdb unconditionally
-$app_cflag.=" /Zi /Fd$tmp_def/app";
-$lib_cflag.=" /Zi /Fd$tmp_def/lib";
+$app_cflag.=" /Zi /Fd\$(TMP_D)/app";
+$lib_cflag.=" /Zi /Fd\$(TMP_D)/lib";
 $lflags.=" /debug";
 
 $obj='.obj';
@@ -195,7 +195,7 @@ if ($FLAVOR =~ /WIN64A/) {
         my $ver=`nasm -v 2>NUL`;
         my $vew=`nasmw -v 2>NUL`;
         # pick newest version
-        $asm=($ver gt $vew?"nasm":"nasmw")." -f win32";
+        $asm=($ver ge $vew?"nasm":"nasmw")." -f win32";
         $asmtype="win32n";
         $afile='-o ';
 } else {
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index 604f4fb27f..e6f8a40395 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -258,6 +258,7 @@ typedef struct x509_cinf_st
         ASN1_BIT_STRING *issuerUID;             /* [ 1 ] optional in v2 */
         ASN1_BIT_STRING *subjectUID;            /* [ 2 ] optional in v2 */
         STACK_OF(X509_EXTENSION) *extensions;   /* [ 3 ] optional in v3 */
+        ASN1_ENCODING enc;
         } X509_CINF;
 
 /* This stuff is certificate "auxiliary info"
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 87ebf62525..5a0b0249b4 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -703,6 +703,7 @@ static int check_cert(X509_STORE_CTX *ctx)
         x = sk_X509_value(ctx->chain, cnum);
         ctx->current_cert = x;
         ctx->current_issuer = NULL;
+        ctx->current_crl_score = 0;
         ctx->current_reasons = 0;
         while (ctx->current_reasons != CRLDP_ALL_REASONS)
                 {
@@ -2015,6 +2016,9 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
         ctx->error_depth=0;
         ctx->current_cert=NULL;
         ctx->current_issuer=NULL;
+        ctx->current_crl=NULL;
+        ctx->current_crl_score=0;
+        ctx->current_reasons=0;
         ctx->tree = NULL;
         ctx->parent = NULL;
 
@@ -2034,7 +2038,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
         if (store)
                 ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
         else
-                ctx->param->flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
+                ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
 
         if (store)
                 {
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index ebae30b701..8ec88c215a 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -90,6 +90,7 @@ int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
 
 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
         {
+        x->cert_info->enc.modified = 1;
         return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), x->cert_info->signature,
                 x->sig_alg, x->signature, x->cert_info,pkey,md));
         }
diff --git a/src/lib/libcrypto/x509v3/pcy_tree.c b/src/lib/libcrypto/x509v3/pcy_tree.c
index 92f6b24556..bb9777348f 100644
--- a/src/lib/libcrypto/x509v3/pcy_tree.c
+++ b/src/lib/libcrypto/x509v3/pcy_tree.c
@@ -341,9 +341,8 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
                                 const X509_POLICY_CACHE *cache)
         {
         int i;
-        X509_POLICY_LEVEL *last;
         X509_POLICY_DATA *data;
-        last = curr - 1;
+
         for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++)
                 {
                 data = sk_X509_POLICY_DATA_value(cache->data, i);
diff --git a/src/lib/libcrypto/x509v3/v3_addr.c b/src/lib/libcrypto/x509v3/v3_addr.c
index 9087d66e0a..0d70e8696d 100644
--- a/src/lib/libcrypto/x509v3/v3_addr.c
+++ b/src/lib/libcrypto/x509v3/v3_addr.c
@@ -177,12 +177,18 @@ static int i2r_address(BIO *out,
   unsigned char addr[ADDR_RAW_BUF_LEN];
   int i, n;
 
+  if (bs->length < 0)
+    return 0;
   switch (afi) {
   case IANA_AFI_IPV4:
+    if (bs->length > 4)
+      return 0;
     addr_expand(addr, bs, 4, fill);
     BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
     break;
   case IANA_AFI_IPV6:
+    if (bs->length > 16)
+      return 0;
     addr_expand(addr, bs, 16, fill);
     for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2)
       ;
diff --git a/src/lib/libcrypto/x509v3/v3_asid.c b/src/lib/libcrypto/x509v3/v3_asid.c
index 56702f86b9..3f434c0603 100644
--- a/src/lib/libcrypto/x509v3/v3_asid.c
+++ b/src/lib/libcrypto/x509v3/v3_asid.c
@@ -61,7 +61,6 @@
 
 #include <stdio.h>
 #include <string.h>
-#include <assert.h>
 #include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/asn1.h>
@@ -172,11 +171,11 @@ static int ASIdOrRange_cmp(const ASIdOrRange * const *a_,
 {
   const ASIdOrRange *a = *a_, *b = *b_;
 
-  assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||
+  OPENSSL_assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||
          (a->type == ASIdOrRange_range && a->u.range != NULL &&
           a->u.range->min != NULL && a->u.range->max != NULL));
 
-  assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||
+  OPENSSL_assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||
          (b->type == ASIdOrRange_range && b->u.range != NULL &&
           b->u.range->min != NULL && b->u.range->max != NULL));
 
@@ -215,7 +214,7 @@ int v3_asid_add_inherit(ASIdentifiers *asid, int which)
   if (*choice == NULL) {
     if ((*choice = ASIdentifierChoice_new()) == NULL)
       return 0;
-    assert((*choice)->u.inherit == NULL);
+    OPENSSL_assert((*choice)->u.inherit == NULL);
     if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL)
       return 0;
     (*choice)->type = ASIdentifierChoice_inherit;
@@ -250,7 +249,7 @@ int v3_asid_add_id_or_range(ASIdentifiers *asid,
   if (*choice == NULL) {
     if ((*choice = ASIdentifierChoice_new()) == NULL)
       return 0;
-    assert((*choice)->u.asIdsOrRanges == NULL);
+    OPENSSL_assert((*choice)->u.asIdsOrRanges == NULL);
     (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp);
     if ((*choice)->u.asIdsOrRanges == NULL)
       return 0;
@@ -286,7 +285,7 @@ static void extract_min_max(ASIdOrRange *aor,
                             ASN1_INTEGER **min,
                             ASN1_INTEGER **max)
 {
-  assert(aor != NULL && min != NULL && max != NULL);
+  OPENSSL_assert(aor != NULL && min != NULL && max != NULL);
   switch (aor->type) {
   case ASIdOrRange_id:
     *min = aor->u.id;
@@ -373,7 +372,7 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
 int v3_asid_is_canonical(ASIdentifiers *asid)
 {
   return (asid == NULL ||
-          (ASIdentifierChoice_is_canonical(asid->asnum) ||
+          (ASIdentifierChoice_is_canonical(asid->asnum) &&
            ASIdentifierChoice_is_canonical(asid->rdi)));
 }
 
@@ -395,7 +394,7 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
   /*
    * We have a list.  Sort it.
    */
-  assert(choice->type == ASIdentifierChoice_asIdsOrRanges);
+  OPENSSL_assert(choice->type == ASIdentifierChoice_asIdsOrRanges);
   sk_ASIdOrRange_sort(choice->u.asIdsOrRanges);
 
   /*
@@ -413,7 +412,7 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
     /*
      * Make sure we're properly sorted (paranoia).
      */
-    assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
+    OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
 
     /*
      * Check for overlaps.
@@ -472,7 +471,7 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
     }
   }
 
-  assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */
+  OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */
 
   ret = 1;
 
@@ -709,9 +708,9 @@ static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
   int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
   X509 *x;
 
-  assert(chain != NULL && sk_X509_num(chain) > 0);
-  assert(ctx != NULL || ext != NULL);
-  assert(ctx == NULL || ctx->verify_cb != NULL);
+  OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
+  OPENSSL_assert(ctx != NULL || ext != NULL);
+  OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
 
   /*
    * Figure out where to start.  If we don't have an extension to
@@ -724,7 +723,7 @@ static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
   } else {
     i = 0;
     x = sk_X509_value(chain, i);
-    assert(x != NULL);
+    OPENSSL_assert(x != NULL);
     if ((ext = x->rfc3779_asid) == NULL)
       goto done;
   }
@@ -757,7 +756,7 @@ static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
    */
   for (i++; i < sk_X509_num(chain); i++) {
     x = sk_X509_value(chain, i);
-    assert(x != NULL);
+    OPENSSL_assert(x != NULL);
     if (x->rfc3779_asid == NULL) {
       if (child_as != NULL || child_rdi != NULL)
         validation_err(X509_V_ERR_UNNESTED_RESOURCE);
@@ -800,7 +799,7 @@ static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
   /*
    * Trust anchor can't inherit.
    */
-  assert(x != NULL);
+  OPENSSL_assert(x != NULL);
   if (x->rfc3779_asid != NULL) {
     if (x->rfc3779_asid->asnum != NULL &&
         x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit)