483 files changed, 7446 insertions, 4889 deletions

diff --git a/src/lib/libssl/LICENSE b/src/lib/libssl/LICENSE
index 7b93e0dbce..dddb07842b 100644
--- a/src/lib/libssl/LICENSE
+++ b/src/lib/libssl/LICENSE
@@ -12,7 +12,7 @@
   ---------------
 
 /* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/src/lib/libssl/bio_ssl.c b/src/lib/libssl/bio_ssl.c
index 467e149947..d683ee43e1 100644
--- a/src/lib/libssl/bio_ssl.c
+++ b/src/lib/libssl/bio_ssl.c
@@ -403,6 +403,10 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
                         {
                         BIO_free_all(ssl->wbio);
                         }
+                if (b->next_bio != NULL)
+                        {
+                        CRYPTO_add(&b->next_bio->references,1,CRYPTO_LOCK_BIO);
+                        }
                 ssl->wbio=NULL;
                 ssl->rbio=NULL;
                 break;
@@ -509,6 +513,7 @@ static int ssl_puts(BIO *bp, const char *str)
 
 BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx)
         {
+#ifndef OPENSSL_NO_SOCK
         BIO *ret=NULL,*buf=NULL,*ssl=NULL;
 
         if ((buf=BIO_new(BIO_f_buffer())) == NULL)
@@ -521,6 +526,7 @@ BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx)
 err:
         if (buf != NULL) BIO_free(buf);
         if (ssl != NULL) BIO_free(ssl);
+#endif
         return(NULL);
         }
 
diff --git a/src/lib/libssl/crypto/Makefile b/src/lib/libssl/crypto/Makefile
index a9d00105f8..038e162e4d 100644
--- a/src/lib/libssl/crypto/Makefile
+++ b/src/lib/libssl/crypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.29 2003/01/31 14:05:35 deraadt Exp $
+# $OpenBSD: Makefile,v 1.30 2003/05/12 02:18:34 markus Exp $
 
 LIB=    crypto
 
@@ -34,7 +34,8 @@ CFLAGS+= -DOPENSSL_NO_HW_SUREWARE -DOPENSSL_NO_HW_4758_CCA
 CFLAGS+= -I${.CURDIR}/../${SSLEAYDIST}
 CFLAGS+= -I${LCRYPTO_SRC}
 SRCS+= o_time.c
-SRCS+=  cryptlib.c ex_data.c cpt_err.c mem.c mem_dbg.c tmdiff.c cversion.c uid.c
+SRCS+=  cryptlib.c ex_data.c cpt_err.c mem.c mem_dbg.c mem_clr.c
+SRCS+=  tmdiff.c cversion.c uid.c
 SRCS+=  md2_dgst.c md2_one.c                                    
 SRCS+=  md5_dgst.c md5_one.c                                    
 SRCS+=  sha_dgst.c sha1dgst.c sha_one.c sha1_one.c      
diff --git a/src/lib/libssl/crypto/shlib_version b/src/lib/libssl/crypto/shlib_version
index 1c5d96eb2a..c10074d52a 100644
--- a/src/lib/libssl/crypto/shlib_version
+++ b/src/lib/libssl/crypto/shlib_version
@@ -1,2 +1,2 @@
-major=9
+major=10
 minor=0
diff --git a/src/lib/libssl/doc/standards.txt b/src/lib/libssl/doc/standards.txt
index 596d9001e6..edbe2f3a57 100644
--- a/src/lib/libssl/doc/standards.txt
+++ b/src/lib/libssl/doc/standards.txt
@@ -42,20 +42,9 @@ whole or at least great parts) in OpenSSL.
 2268 A Description of the RC2(r) Encryption Algorithm. R. Rivest.
      January 1998. (Format: TXT=19048 bytes) (Status: INFORMATIONAL)
 
-2314 PKCS 10: Certification Request Syntax Version 1.5. B. Kaliski.
-     March 1998. (Format: TXT=15814 bytes) (Status: INFORMATIONAL)
-
 2315 PKCS 7: Cryptographic Message Syntax Version 1.5. B. Kaliski.
      March 1998. (Format: TXT=69679 bytes) (Status: INFORMATIONAL)
 
-2437 PKCS #1: RSA Cryptography Specifications Version 2.0. B. Kaliski,
-     J. Staddon. October 1998. (Format: TXT=73529 bytes) (Obsoletes
-     RFC2313) (Status: INFORMATIONAL)
-
-2459 Internet X.509 Public Key Infrastructure Certificate and CRL
-     Profile. R. Housley, W. Ford, W. Polk, D. Solo. January 1999.
-     (Format: TXT=278438 bytes) (Status: PROPOSED STANDARD)
-
 PKCS#8: Private-Key Information Syntax Standard
 
 PKCS#12: Personal Information Exchange Syntax Standard, version 1.0.
@@ -65,6 +54,40 @@ PKCS#12: Personal Information Exchange Syntax Standard, version 1.0.
      C. Adams. June 1999. (Format: TXT=43243 bytes) (Status: PROPOSED
      STANDARD)
 
+2712 Addition of Kerberos Cipher Suites to Transport Layer Security
+     (TLS). A. Medvinsky, M. Hur. October 1999. (Format: TXT=13763 bytes)
+     (Status: PROPOSED STANDARD)
+
+2898 PKCS #5: Password-Based Cryptography Specification Version 2.0.
+     B. Kaliski. September 2000. (Format: TXT=68692 bytes) (Status:
+     INFORMATIONAL)
+
+2986 PKCS #10: Certification Request Syntax Specification Version 1.7.
+     M. Nystrom, B. Kaliski. November 2000. (Format: TXT=27794 bytes)
+     (Obsoletes RFC2314) (Status: INFORMATIONAL)
+
+3174 US Secure Hash Algorithm 1 (SHA1). D. Eastlake 3rd, P. Jones.
+     September 2001. (Format: TXT=35525 bytes) (Status: INFORMATIONAL)
+
+3268 Advanced Encryption Standard (AES) Ciphersuites for Transport
+     Layer Security (TLS). P. Chown. June 2002. (Format: TXT=13530 bytes)
+     (Status: PROPOSED STANDARD)
+
+3279 Algorithms and Identifiers for the Internet X.509 Public Key
+     Infrastructure Certificate and Certificate Revocation List (CRL)
+     Profile. L. Bassham, W. Polk, R. Housley. April 2002. (Format:
+     TXT=53833 bytes) (Status: PROPOSED STANDARD)
+
+3280 Internet X.509 Public Key Infrastructure Certificate and
+     Certificate Revocation List (CRL) Profile. R. Housley, W. Polk, W.
+     Ford, D. Solo. April 2002. (Format: TXT=295556 bytes) (Obsoletes
+     RFC2459) (Status: PROPOSED STANDARD)
+
+3447 Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography
+     Specifications Version 2.1. J. Jonsson, B. Kaliski. February 2003.
+     (Format: TXT=143173 bytes) (Obsoletes RFC2437) (Status:           
+     INFORMATIONAL)                                         
+
 
 Related:
 --------
@@ -90,23 +113,60 @@ STARTTLS documents.
      Certification and Related Services. B. Kaliski. February 1993.
      (Format: TXT=17537 bytes) (Status: PROPOSED STANDARD)
 
-2256 A Summary of the X.500(96) User Schema for use with LDAPv3. M.
-     Wahl. December 1997. (Format: TXT=32377 bytes) (Status: PROPOSED
-     STANDARD)
+2025 The Simple Public-Key GSS-API Mechanism (SPKM). C. Adams. October
+     1996. (Format: TXT=101692 bytes) (Status: PROPOSED STANDARD)
+
+2510 Internet X.509 Public Key Infrastructure Certificate Management
+     Protocols. C. Adams, S. Farrell. March 1999. (Format: TXT=158178
+     bytes) (Status: PROPOSED STANDARD)
+
+2511 Internet X.509 Certificate Request Message Format. M. Myers, C.
+     Adams, D. Solo, D. Kemp. March 1999. (Format: TXT=48278 bytes)
+     (Status: PROPOSED STANDARD)
+
+2527 Internet X.509 Public Key Infrastructure Certificate Policy and
+     Certification Practices Framework. S. Chokhani, W. Ford. March 1999.
+     (Format: TXT=91860 bytes) (Status: INFORMATIONAL)
 
-2487 SMTP Service Extension for Secure SMTP over TLS. P. Hoffman.
-     January 1999. (Format: TXT=15120 bytes) (Status: PROPOSED STANDARD)
+2538 Storing Certificates in the Domain Name System (DNS). D. Eastlake
+     3rd, O. Gudmundsson. March 1999. (Format: TXT=19857 bytes) (Status:
+     PROPOSED STANDARD)
+
+2539 Storage of Diffie-Hellman Keys in the Domain Name System (DNS).
+     D. Eastlake 3rd. March 1999. (Format: TXT=21049 bytes) (Status:
+     PROPOSED STANDARD)
+
+2559 Internet X.509 Public Key Infrastructure Operational Protocols -
+     LDAPv2. S. Boeyen, T. Howes, P. Richard. April 1999. (Format:
+     TXT=22889 bytes) (Updates RFC1778) (Status: PROPOSED STANDARD)
 
 2585 Internet X.509 Public Key Infrastructure Operational Protocols:
      FTP and HTTP. R. Housley, P. Hoffman. May 1999. (Format: TXT=14813
      bytes) (Status: PROPOSED STANDARD)
 
+2587 Internet X.509 Public Key Infrastructure LDAPv2 Schema. S.
+     Boeyen, T. Howes, P. Richard. June 1999. (Format: TXT=15102 bytes)
+     (Status: PROPOSED STANDARD)
+
 2595 Using TLS with IMAP, POP3 and ACAP. C. Newman. June 1999.
      (Format: TXT=32440 bytes) (Status: PROPOSED STANDARD)
 
-2712 Addition of Kerberos Cipher Suites to Transport Layer Security
-     (TLS). A. Medvinsky, M. Hur. October 1999. (Format: TXT=13763 bytes)
-     (Status: PROPOSED STANDARD)
+2631 Diffie-Hellman Key Agreement Method. E. Rescorla. June 1999.
+     (Format: TXT=25932 bytes) (Status: PROPOSED STANDARD)
+
+2632 S/MIME Version 3 Certificate Handling. B. Ramsdell, Ed.. June
+     1999. (Format: TXT=27925 bytes) (Status: PROPOSED STANDARD)
+
+2716 PPP EAP TLS Authentication Protocol. B. Aboba, D. Simon. October
+     1999. (Format: TXT=50108 bytes) (Status: EXPERIMENTAL)
+
+2773 Encryption using KEA and SKIPJACK. R. Housley, P. Yee, W. Nace.
+     February 2000. (Format: TXT=20008 bytes) (Updates RFC0959) (Status:
+     EXPERIMENTAL)
+
+2797 Certificate Management Messages over CMS. M. Myers, X. Liu, J.
+     Schaad, J. Weinstein. April 2000. (Format: TXT=103357 bytes) (Status:
+     PROPOSED STANDARD)
 
 2817 Upgrading to TLS Within HTTP/1.1. R. Khare, S. Lawrence. May
      2000. (Format: TXT=27598 bytes) (Updates RFC2616) (Status: PROPOSED
@@ -115,6 +175,77 @@ STARTTLS documents.
 2818 HTTP Over TLS. E. Rescorla. May 2000. (Format: TXT=15170 bytes)
      (Status: INFORMATIONAL)
 
+2876 Use of the KEA and SKIPJACK Algorithms in CMS. J. Pawling. July
+     2000. (Format: TXT=29265 bytes) (Status: INFORMATIONAL)
+
+2984 Use of the CAST-128 Encryption Algorithm in CMS. C. Adams.
+     October 2000. (Format: TXT=11591 bytes) (Status: PROPOSED STANDARD)
+
+2985 PKCS #9: Selected Object Classes and Attribute Types Version 2.0.
+     M. Nystrom, B. Kaliski. November 2000. (Format: TXT=70703 bytes)
+     (Status: INFORMATIONAL)
+
+3029 Internet X.509 Public Key Infrastructure Data Validation and
+     Certification Server Protocols. C. Adams, P. Sylvester, M. Zolotarev,
+     R. Zuccherato. February 2001. (Format: TXT=107347 bytes) (Status:
+     EXPERIMENTAL)
+
+3039 Internet X.509 Public Key Infrastructure Qualified Certificates
+     Profile. S. Santesson, W. Polk, P. Barzin, M. Nystrom. January 2001.
+     (Format: TXT=67619 bytes) (Status: PROPOSED STANDARD)
+
+3058 Use of the IDEA Encryption Algorithm in CMS. S. Teiwes, P.
+     Hartmann, D. Kuenzi. February 2001. (Format: TXT=17257 bytes)
+     (Status: INFORMATIONAL)
+
+3161 Internet X.509 Public Key Infrastructure Time-Stamp Protocol
+     (TSP). C. Adams, P. Cain, D. Pinkas, R. Zuccherato. August 2001.
+     (Format: TXT=54585 bytes) (Status: PROPOSED STANDARD)
+
+3185 Reuse of CMS Content Encryption Keys. S. Farrell, S. Turner.
+     October 2001. (Format: TXT=20404 bytes) (Status: PROPOSED STANDARD)
+
+3207 SMTP Service Extension for Secure SMTP over Transport Layer
+     Security. P. Hoffman. February 2002. (Format: TXT=18679 bytes)
+     (Obsoletes RFC2487) (Status: PROPOSED STANDARD)
+
+3217 Triple-DES and RC2 Key Wrapping. R. Housley. December 2001.
+     (Format: TXT=19855 bytes) (Status: INFORMATIONAL)
+
+3274 Compressed Data Content Type for Cryptographic Message Syntax
+     (CMS). P. Gutmann. June 2002. (Format: TXT=11276 bytes) (Status:
+     PROPOSED STANDARD)
+
+3278 Use of Elliptic Curve Cryptography (ECC) Algorithms in
+     Cryptographic Message Syntax (CMS). S. Blake-Wilson, D. Brown, P.
+     Lambert. April 2002. (Format: TXT=33779 bytes) (Status:
+     INFORMATIONAL)
+
+3281 An Internet Attribute Certificate Profile for Authorization. S.
+     Farrell, R. Housley. April 2002. (Format: TXT=90580 bytes) (Status:
+     PROPOSED STANDARD)
+
+3369 Cryptographic Message Syntax (CMS). R. Housley. August 2002.
+     (Format: TXT=113975 bytes) (Obsoletes RFC2630, RFC3211) (Status:
+     PROPOSED STANDARD)
+
+3370 Cryptographic Message Syntax (CMS) Algorithms. R. Housley. August
+     2002. (Format: TXT=51001 bytes) (Obsoletes RFC2630, RFC3211) (Status:
+     PROPOSED STANDARD)
+
+3377 Lightweight Directory Access Protocol (v3): Technical
+     Specification. J. Hodges, R. Morgan. September 2002. (Format:
+     TXT=9981 bytes) (Updates RFC2251, RFC2252, RFC2253, RFC2254, RFC2255,
+     RFC2256, RFC2829, RFC2830) (Status: PROPOSED STANDARD)
+
+3394 Advanced Encryption Standard (AES) Key Wrap Algorithm. J. Schaad,
+     R. Housley. September 2002. (Format: TXT=73072 bytes) (Status:
+     INFORMATIONAL)
+
+3436 Transport Layer Security over Stream Control Transmission
+     Protocol. A. Jungmaier, E. Rescorla, M. Tuexen. December 2002.
+     (Format: TXT=16333 bytes) (Status: PROPOSED STANDARD)
+
   "Securing FTP with TLS", 01/27/2000, <draft-murray-auth-ftp-ssl-05.txt>  
  
 
@@ -124,7 +255,3 @@ To be implemented:
 These are documents that describe things that are planed to be
 implemented in the hopefully short future.
 
-2712 Addition of Kerberos Cipher Suites to Transport Layer Security
-     (TLS). A. Medvinsky, M. Hur. October 1999. (Format: TXT=13763 bytes)
-     (Status: PROPOSED STANDARD)
-
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index 019e9aecee..64ee4269ec 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -87,18 +87,25 @@ SSL_METHOD *SSLv23_client_method(void)
 
         if (init)
                 {
-                memcpy((char *)&SSLv23_client_data,
-                        (char *)sslv23_base_method(),sizeof(SSL_METHOD));
-                SSLv23_client_data.ssl_connect=ssl23_connect;
-                SSLv23_client_data.get_ssl_method=ssl23_get_client_method;
-                init=0;
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+                if (init)
+                        {
+                        memcpy((char *)&SSLv23_client_data,
+                                (char *)sslv23_base_method(),sizeof(SSL_METHOD));
+                        SSLv23_client_data.ssl_connect=ssl23_connect;
+                        SSLv23_client_data.get_ssl_method=ssl23_get_client_method;
+                        init=0;
+                        }
+
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                 }
         return(&SSLv23_client_data);
         }
 
 int ssl23_connect(SSL *s)
         {
-        BUF_MEM *buf;
+        BUF_MEM *buf=NULL;
         unsigned long Time=time(NULL);
         void (*cb)(const SSL *ssl,int type,int val)=NULL;
         int ret= -1;
@@ -152,6 +159,7 @@ int ssl23_connect(SSL *s)
                                         goto end;
                                         }
                                 s->init_buf=buf;
+                                buf=NULL;
                                 }
 
                         if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
@@ -200,6 +208,8 @@ int ssl23_connect(SSL *s)
                 }
 end:
         s->in_handshake--;
+        if (buf != NULL)
+                BUF_MEM_free(buf);
         if (cb != NULL)
                 cb(s,SSL_CB_CONNECT_EXIT,ret);
         return(ret);
@@ -363,7 +373,7 @@ static int ssl23_get_server_hello(SSL *s)
 
                 if (s->s3 != NULL) ssl3_free(s);
 
-                if (!BUF_MEM_grow(s->init_buf,
+                if (!BUF_MEM_grow_clean(s->init_buf,
                         SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
                         {
                         SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,ERR_R_BUF_LIB);
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index 8743b61cbb..c5404ca0bc 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -139,11 +139,18 @@ SSL_METHOD *SSLv23_server_method(void)
 
         if (init)
                 {
-                memcpy((char *)&SSLv23_server_data,
-                        (char *)sslv23_base_method(),sizeof(SSL_METHOD));
-                SSLv23_server_data.ssl_accept=ssl23_accept;
-                SSLv23_server_data.get_ssl_method=ssl23_get_server_method;
-                init=0;
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+                if (init)
+                        {
+                        memcpy((char *)&SSLv23_server_data,
+                                (char *)sslv23_base_method(),sizeof(SSL_METHOD));
+                        SSLv23_server_data.ssl_accept=ssl23_accept;
+                        SSLv23_server_data.get_ssl_method=ssl23_get_server_method;
+                        init=0;
+                        }
+
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                 }
         return(&SSLv23_server_data);
         }
@@ -505,7 +512,7 @@ int ssl23_get_client_hello(SSL *s)
 
                 if (s->s3 != NULL) ssl3_free(s);
 
-                if (!BUF_MEM_grow(s->init_buf,
+                if (!BUF_MEM_grow_clean(s->init_buf,
                         SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
                         {
                         goto err;
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index 8864366f59..64d317b7ac 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -268,16 +268,23 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
         X509_STORE_CTX xs_ctx;
         X509_OBJECT obj;
 
+        int no_chain;
+
+        if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs)
+                no_chain = 1;
+        else
+                no_chain = 0;
+
         /* TLSv1 sends a chain with nothing in it, instead of an alert */
         buf=s->init_buf;
-        if (!BUF_MEM_grow(buf,(int)(10)))
+        if (!BUF_MEM_grow_clean(buf,10))
                 {
                 SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
                 return(0);
                 }
         if (x != NULL)
                 {
-                if(!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL))
+                if(!no_chain && !X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL))
                         {
                         SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
                         return(0);
@@ -286,7 +293,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
                 for (;;)
                         {
                         n=i2d_X509(x,NULL);
-                        if (!BUF_MEM_grow(buf,(int)(n+l+3)))
+                        if (!BUF_MEM_grow_clean(buf,(int)(n+l+3)))
                                 {
                                 SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
                                 return(0);
@@ -295,6 +302,10 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
                         l2n3(n,p);
                         i2d_X509(x,&p);
                         l+=n+3;
+
+                        if (no_chain)
+                                break;
+
                         if (X509_NAME_cmp(X509_get_subject_name(x),
                                 X509_get_issuer_name(x)) == 0) break;
 
@@ -306,8 +317,8 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
                          * ref count */
                         X509_free(x);
                         }
-
-                X509_STORE_CTX_cleanup(&xs_ctx);
+                if (!no_chain)
+                        X509_STORE_CTX_cleanup(&xs_ctx);
                 }
 
         /* Thawte special :-) */
@@ -316,7 +327,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
                 {
                 x=sk_X509_value(s->ctx->extra_certs,i);
                 n=i2d_X509(x,NULL);
-                if (!BUF_MEM_grow(buf,(int)(n+l+3)))
+                if (!BUF_MEM_grow_clean(buf,(int)(n+l+3)))
                         {
                         SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
                         return(0);
@@ -439,7 +450,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
                         SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
                         goto f_err;
                         }
-                if (l && !BUF_MEM_grow(s->init_buf,(int)l+4))
+                if (l && !BUF_MEM_grow_clean(s->init_buf,(int)l+4))
                         {
                         SSLerr(SSL_F_SSL3_GET_MESSAGE,ERR_R_BUF_LIB);
                         goto err;
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 7da9363ef5..d32bb1cb9c 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -145,18 +145,25 @@ SSL_METHOD *SSLv3_client_method(void)
 
         if (init)
                 {
-                init=0;
-                memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(),
-                        sizeof(SSL_METHOD));
-                SSLv3_client_data.ssl_connect=ssl3_connect;
-                SSLv3_client_data.get_ssl_method=ssl3_get_client_method;
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+                if (init)
+                        {
+                        memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(),
+                                sizeof(SSL_METHOD));
+                        SSLv3_client_data.ssl_connect=ssl3_connect;
+                        SSLv3_client_data.get_ssl_method=ssl3_get_client_method;
+                        init=0;
+                        }
+
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                 }
         return(&SSLv3_client_data);
         }
 
 int ssl3_connect(SSL *s)
         {
-        BUF_MEM *buf;
+        BUF_MEM *buf=NULL;
         unsigned long Time=time(NULL),l;
         long num1;
         void (*cb)(const SSL *ssl,int type,int val)=NULL;
@@ -217,6 +224,7 @@ int ssl3_connect(SSL *s)
                                         goto end;
                                         }
                                 s->init_buf=buf;
+                                buf=NULL;
                                 }
 
                         if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
@@ -495,6 +503,8 @@ int ssl3_connect(SSL *s)
                 }
 end:
         s->in_handshake--;
+        if (buf != NULL)
+                BUF_MEM_free(buf);
         if (cb != NULL)
                 cb(s,SSL_CB_CONNECT_EXIT,ret);
         return(ret);
@@ -637,6 +647,7 @@ static int ssl3_get_server_hello(SSL *s)
                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
                 goto f_err;
                 }
+
         if (j != 0 && j == s->session->session_id_length
             && memcmp(p,s->session->session_id,j) == 0)
             {
@@ -687,7 +698,12 @@ static int ssl3_get_server_hello(SSL *s)
                 goto f_err;
                 }
 
-        if (s->hit && (s->session->cipher != c))
+        /* Depending on the session caching (internal/external), the cipher
+           and/or cipher_id values may not be set. Make sure that
+           cipher_id is set and use it for comparison. */
+        if (s->session->cipher)
+                s->session->cipher_id = s->session->cipher->id;
+        if (s->hit && (s->session->cipher_id != c->id))
                 {
                 if (!(s->options &
                         SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
@@ -1445,16 +1461,16 @@ static int ssl3_send_client_key_exchange(SSL *s)
                                 
                         tmp_buf[0]=s->client_version>>8;
                         tmp_buf[1]=s->client_version&0xff;
-                        if (RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2) <= 0)
+                        if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
                                         goto err;
 
-                        s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
+                        s->session->master_key_length=sizeof tmp_buf;
 
                         q=p;
                         /* Fix buf for TLS and beyond */
                         if (s->version > SSL3_VERSION)
                                 p+=2;
-                        n=RSA_public_encrypt(SSL_MAX_MASTER_KEY_LENGTH,
+                        n=RSA_public_encrypt(sizeof tmp_buf,
                                 tmp_buf,p,rsa,RSA_PKCS1_PADDING);
 #ifdef PKCS1_CHECK
                         if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
@@ -1476,8 +1492,8 @@ static int ssl3_send_client_key_exchange(SSL *s)
                         s->session->master_key_length=
                                 s->method->ssl3_enc->generate_master_secret(s,
                                         s->session->master_key,
-                                        tmp_buf,SSL_MAX_MASTER_KEY_LENGTH);
-                        memset(tmp_buf,0,SSL_MAX_MASTER_KEY_LENGTH);
+                                        tmp_buf,sizeof tmp_buf);
+                        OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
                         }
 #endif
 #ifndef OPENSSL_NO_KRB5
@@ -1573,7 +1589,7 @@ static int ssl3_send_client_key_exchange(SSL *s)
                                 n+=2;
                                 }
  
-                        if (RAND_bytes(tmp_buf,SSL_MAX_MASTER_KEY_LENGTH) <= 0)
+                        if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0)
                             goto err;
 
                         /*  20010420 VRS.  Tried it this way; failed.
@@ -1583,11 +1599,11 @@ static int ssl3_send_client_key_exchange(SSL *s)
                         **      EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
                         */
 
-                        memset(iv, 0, EVP_MAX_IV_LENGTH);  /* per RFC 1510 */
+                        memset(iv, 0, sizeof iv);  /* per RFC 1510 */
                         EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
                                 kssl_ctx->key,iv);
                         EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
-                                SSL_MAX_MASTER_KEY_LENGTH);
+                                sizeof tmp_buf);
                         EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
                         outl += padl;
                         if (outl > sizeof epms)
@@ -1606,10 +1622,10 @@ static int ssl3_send_client_key_exchange(SSL *s)
                         s->session->master_key_length=
                                 s->method->ssl3_enc->generate_master_secret(s,
                                         s->session->master_key,
-                                        tmp_buf, SSL_MAX_MASTER_KEY_LENGTH);
+                                        tmp_buf, sizeof tmp_buf);
 
-                        memset(tmp_buf, 0, SSL_MAX_MASTER_KEY_LENGTH);
-                        memset(epms, 0, outl);
+                        OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
+                        OPENSSL_cleanse(epms, outl);
                         }
 #endif
 #ifndef OPENSSL_NO_DH
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index cc0aeef511..d04096016c 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -514,6 +514,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_ALL_STRENGTHS,
         },
 
+#if 0
 /* Cipher 1E */
         {
         0,
@@ -527,55 +528,70 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_ALL_CIPHERS,
         SSL_ALL_STRENGTHS,
         },
+#endif
 
 #ifndef OPENSSL_NO_KRB5
 /* The Kerberos ciphers
 ** 20000107 VRS: And the first shall be last,
 ** in hopes of avoiding the lynx ssl renegotiation problem.
 */
-/* Cipher 21 VRS */
+/* Cipher 1E VRS */
         {
         1,
-        SSL3_TXT_KRB5_DES_40_CBC_SHA,
-        SSL3_CK_KRB5_DES_40_CBC_SHA,
+        SSL3_TXT_KRB5_DES_64_CBC_SHA,
+        SSL3_CK_KRB5_DES_64_CBC_SHA,
         SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
+        SSL_NOT_EXP|SSL_LOW,
         0,
-        40,
+        56,
         56,
         SSL_ALL_CIPHERS,
         SSL_ALL_STRENGTHS,
         },
 
-/* Cipher 22 VRS */
+/* Cipher 1F VRS */
         {
         1,
-        SSL3_TXT_KRB5_DES_40_CBC_MD5,
-        SSL3_CK_KRB5_DES_40_CBC_MD5,
-        SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_MD5    |SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
+        SSL3_TXT_KRB5_DES_192_CBC3_SHA,
+        SSL3_CK_KRB5_DES_192_CBC3_SHA,
+        SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_SHA1  |SSL_SSLV3,
+        SSL_NOT_EXP|SSL_HIGH,
         0,
-        40,
-        56,
+        112,
+        168,
         SSL_ALL_CIPHERS,
         SSL_ALL_STRENGTHS,
         },
 
-/* Cipher 23 VRS */
+/* Cipher 20 VRS */
         {
         1,
-        SSL3_TXT_KRB5_DES_64_CBC_SHA,
-        SSL3_CK_KRB5_DES_64_CBC_SHA,
-        SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW,
+        SSL3_TXT_KRB5_RC4_128_SHA,
+        SSL3_CK_KRB5_RC4_128_SHA,
+        SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_SHA1  |SSL_SSLV3,
+        SSL_NOT_EXP|SSL_MEDIUM,
         0,
-        56,
-        56,
+        128,
+        128,
         SSL_ALL_CIPHERS,
         SSL_ALL_STRENGTHS,
         },
 
-/* Cipher 24 VRS */
+/* Cipher 21 VRS */
+        {
+        1,
+        SSL3_TXT_KRB5_IDEA_128_CBC_SHA,
+        SSL3_CK_KRB5_IDEA_128_CBC_SHA,
+        SSL_kKRB5|SSL_aKRB5|  SSL_IDEA|SSL_SHA1  |SSL_SSLV3,
+        SSL_NOT_EXP|SSL_MEDIUM,
+        0,
+        128,
+        128,
+        SSL_ALL_CIPHERS,
+        SSL_ALL_STRENGTHS,
+        },
+
+/* Cipher 22 VRS */
         {
         1,
         SSL3_TXT_KRB5_DES_64_CBC_MD5,
@@ -589,12 +605,12 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_ALL_STRENGTHS,
         },
 
-/* Cipher 25 VRS */
+/* Cipher 23 VRS */
         {
         1,
-        SSL3_TXT_KRB5_DES_192_CBC3_SHA,
-        SSL3_CK_KRB5_DES_192_CBC3_SHA,
-        SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_SHA1  |SSL_SSLV3,
+        SSL3_TXT_KRB5_DES_192_CBC3_MD5,
+        SSL3_CK_KRB5_DES_192_CBC3_MD5,
+        SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_MD5   |SSL_SSLV3,
         SSL_NOT_EXP|SSL_HIGH,
         0,
         112,
@@ -603,16 +619,114 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_ALL_STRENGTHS,
         },
 
+/* Cipher 24 VRS */
+        {
+        1,
+        SSL3_TXT_KRB5_RC4_128_MD5,
+        SSL3_CK_KRB5_RC4_128_MD5,
+        SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_MD5  |SSL_SSLV3,
+        SSL_NOT_EXP|SSL_MEDIUM,
+        0,
+        128,
+        128,
+        SSL_ALL_CIPHERS,
+        SSL_ALL_STRENGTHS,
+        },
+
+/* Cipher 25 VRS */
+        {
+        1,
+        SSL3_TXT_KRB5_IDEA_128_CBC_MD5,
+        SSL3_CK_KRB5_IDEA_128_CBC_MD5,
+        SSL_kKRB5|SSL_aKRB5|  SSL_IDEA|SSL_MD5  |SSL_SSLV3,
+        SSL_NOT_EXP|SSL_MEDIUM,
+        0,
+        128,
+        128,
+        SSL_ALL_CIPHERS,
+        SSL_ALL_STRENGTHS,
+        },
+
 /* Cipher 26 VRS */
         {
         1,
-        SSL3_TXT_KRB5_DES_192_CBC3_MD5,
-        SSL3_CK_KRB5_DES_192_CBC3_MD5,
-        SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_MD5   |SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL3_TXT_KRB5_DES_40_CBC_SHA,
+        SSL3_CK_KRB5_DES_40_CBC_SHA,
+        SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
+        SSL_EXPORT|SSL_EXP40,
         0,
-        112,
-        168,
+        40,
+        56,
+        SSL_ALL_CIPHERS,
+        SSL_ALL_STRENGTHS,
+        },
+
+/* Cipher 27 VRS */
+        {
+        1,
+        SSL3_TXT_KRB5_RC2_40_CBC_SHA,
+        SSL3_CK_KRB5_RC2_40_CBC_SHA,
+        SSL_kKRB5|SSL_aKRB5|  SSL_RC2|SSL_SHA1   |SSL_SSLV3,
+        SSL_EXPORT|SSL_EXP40,
+        0,
+        40,
+        128,
+        SSL_ALL_CIPHERS,
+        SSL_ALL_STRENGTHS,
+        },
+
+/* Cipher 28 VRS */
+        {
+        1,
+        SSL3_TXT_KRB5_RC4_40_SHA,
+        SSL3_CK_KRB5_RC4_40_SHA,
+        SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_SHA1   |SSL_SSLV3,
+        SSL_EXPORT|SSL_EXP40,
+        0,
+        128,
+        128,
+        SSL_ALL_CIPHERS,
+        SSL_ALL_STRENGTHS,
+        },
+
+/* Cipher 29 VRS */
+        {
+        1,
+        SSL3_TXT_KRB5_DES_40_CBC_MD5,
+        SSL3_CK_KRB5_DES_40_CBC_MD5,
+        SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_MD5    |SSL_SSLV3,
+        SSL_EXPORT|SSL_EXP40,
+        0,
+        40,
+        56,
+        SSL_ALL_CIPHERS,
+        SSL_ALL_STRENGTHS,
+        },
+
+/* Cipher 2A VRS */
+        {
+        1,
+        SSL3_TXT_KRB5_RC2_40_CBC_MD5,
+        SSL3_CK_KRB5_RC2_40_CBC_MD5,
+        SSL_kKRB5|SSL_aKRB5|  SSL_RC2|SSL_MD5    |SSL_SSLV3,
+        SSL_EXPORT|SSL_EXP40,
+        0,
+        40,
+        128,
+        SSL_ALL_CIPHERS,
+        SSL_ALL_STRENGTHS,
+        },
+
+/* Cipher 2B VRS */
+        {
+        1,
+        SSL3_TXT_KRB5_RC4_40_MD5,
+        SSL3_CK_KRB5_RC4_40_MD5,
+        SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_MD5    |SSL_SSLV3,
+        SSL_EXPORT|SSL_EXP40,
+        0,
+        128,
+        128,
         SSL_ALL_CIPHERS,
         SSL_ALL_STRENGTHS,
         },
@@ -988,7 +1102,7 @@ void ssl3_free(SSL *s)
                 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
         EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
         EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
-        memset(s->s3,0,sizeof *s->s3);
+        OPENSSL_cleanse(s->s3,sizeof *s->s3);
         OPENSSL_free(s->s3);
         s->s3=NULL;
         }
@@ -1343,16 +1457,19 @@ SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
                 {
                 CRYPTO_w_lock(CRYPTO_LOCK_SSL);
 
-                for (i=0; i<SSL3_NUM_CIPHERS; i++)
-                        sorted[i]= &(ssl3_ciphers[i]);
+                if (init)
+                        {
+                        for (i=0; i<SSL3_NUM_CIPHERS; i++)
+                                sorted[i]= &(ssl3_ciphers[i]);
 
-                qsort(  (char *)sorted,
-                        SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
-                        FP_ICC ssl_cipher_ptr_id_cmp);
+                        qsort(sorted,
+                                SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
+                                FP_ICC ssl_cipher_ptr_id_cmp);
 
+                        init=0;
+                        }
+                
                 CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
-
-                init=0;
                 }
 
         id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1];
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index a2c17f2950..cd7b88eeb5 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -153,11 +153,18 @@ SSL_METHOD *SSLv3_server_method(void)
 
         if (init)
                 {
-                memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
-                        sizeof(SSL_METHOD));
-                SSLv3_server_data.ssl_accept=ssl3_accept;
-                SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
-                init=0;
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+                if (init)
+                        {
+                        memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
+                                sizeof(SSL_METHOD));
+                        SSLv3_server_data.ssl_accept=ssl3_accept;
+                        SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
+                        init=0;
+                        }
+                        
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                 }
         return(&SSLv3_server_data);
         }
@@ -1172,7 +1179,7 @@ static int ssl3_send_server_key_exchange(SSL *s)
                         kn=0;
                         }
 
-                if (!BUF_MEM_grow(buf,n+4+kn))
+                if (!BUF_MEM_grow_clean(buf,n+4+kn))
                         {
                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
                         goto err;
@@ -1299,7 +1306,7 @@ static int ssl3_send_certificate_request(SSL *s)
                                 {
                                 name=sk_X509_NAME_value(sk,i);
                                 j=i2d_X509_NAME(name,NULL);
-                                if (!BUF_MEM_grow(buf,4+n+j+2))
+                                if (!BUF_MEM_grow_clean(buf,4+n+j+2))
                                         {
                                         SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
                                         goto err;
@@ -1466,7 +1473,6 @@ static int ssl3_get_client_key_exchange(SSL *s)
                                  * made up by the adversary is properly formatted except
                                  * that the version number is wrong.  To avoid such attacks,
                                  * we should treat this just like any other decryption error. */
-                                p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-20";
                                 }
                         }
 
@@ -1486,7 +1492,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
                         s->method->ssl3_enc->generate_master_secret(s,
                                 s->session->master_key,
                                 p,i);
-                memset(p,0,i);
+                OPENSSL_cleanse(p,i);
                 }
         else
 #endif
@@ -1549,7 +1555,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
                 s->session->master_key_length=
                         s->method->ssl3_enc->generate_master_secret(s,
                                 s->session->master_key,p,i);
-                memset(p,0,i);
+                OPENSSL_cleanse(p,i);
                 }
         else
 #endif
@@ -1652,7 +1658,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
                 if (enc == NULL)
                     goto err;
 
-                memset(iv, 0, EVP_MAX_IV_LENGTH);       /* per RFC 1510 */
+                memset(iv, 0, sizeof iv);       /* per RFC 1510 */
 
                 if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv))
                         {
@@ -1740,7 +1746,7 @@ static int ssl3_get_cert_verify(SSL *s)
                 SSL3_ST_SR_CERT_VRFY_A,
                 SSL3_ST_SR_CERT_VRFY_B,
                 -1,
-                512, /* 512? */
+                514, /* 514? */
                 &ok);
 
         if (!ok) return((int)n);
diff --git a/src/lib/libssl/shlib_version b/src/lib/libssl/shlib_version
index 5b844bbf42..d0f0988b41 100644
--- a/src/lib/libssl/shlib_version
+++ b/src/lib/libssl/shlib_version
@@ -1,2 +1,2 @@
-major=7
+major=8
 minor=0
diff --git a/src/lib/libssl/src/CHANGES b/src/lib/libssl/src/CHANGES
index 03b697cd7e..1e85275800 100644
--- a/src/lib/libssl/src/CHANGES
+++ b/src/lib/libssl/src/CHANGES
@@ -2,7 +2,266 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 0.9.6h and 0.9.7  [XX xxx 2002]
+ Changes between 0.9.7a and 0.9.7b  [10 Apr 2003]
+
+  *) Countermeasure against the Klima-Pokorny-Rosa extension of
+     Bleichbacher's attack on PKCS #1 v1.5 padding: treat
+     a protocol version number mismatch like a decryption error
+     in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
+     [Bodo Moeller]
+
+  *) Turn on RSA blinding by default in the default implementation
+     to avoid a timing attack. Applications that don't want it can call
+     RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
+     They would be ill-advised to do so in most cases.
+     [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
+
+  *) Change RSA blinding code so that it works when the PRNG is not
+     seeded (in this case, the secret RSA exponent is abused as
+     an unpredictable seed -- if it is not unpredictable, there
+     is no point in blinding anyway).  Make RSA blinding thread-safe
+     by remembering the creator's thread ID in rsa->blinding and
+     having all other threads use local one-time blinding factors
+     (this requires more computation than sharing rsa->blinding, but
+     avoids excessive locking; and if an RSA object is not shared
+     between threads, blinding will still be very fast).
+     [Bodo Moeller]
+
+  *) Fixed a typo bug that would cause ENGINE_set_default() to set an
+     ENGINE as defaults for all supported algorithms irrespective of
+     the 'flags' parameter. 'flags' is now honoured, so applications
+     should make sure they are passing it correctly.
+     [Geoff Thorpe]
+
+  *) Target "mingw" now allows native Windows code to be generated in
+     the Cygwin environment as well as with the MinGW compiler.
+     [Ulf Moeller] 
+
+ Changes between 0.9.7 and 0.9.7a  [19 Feb 2003]
+
+  *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
+     via timing by performing a MAC computation even if incorrrect
+     block cipher padding has been found.  This is a countermeasure
+     against active attacks where the attacker has to distinguish
+     between bad padding and a MAC verification error. (CAN-2003-0078)
+
+     [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
+     Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
+     Martin Vuagnoux (EPFL, Ilion)]
+
+  *) Make the no-err option work as intended.  The intention with no-err
+     is not to have the whole error stack handling routines removed from
+     libcrypto, it's only intended to remove all the function name and
+     reason texts, thereby removing some of the footprint that may not
+     be interesting if those errors aren't displayed anyway.
+
+     NOTE: it's still possible for any application or module to have it's
+     own set of error texts inserted.  The routines are there, just not
+     used by default when no-err is given.
+     [Richard Levitte]
+
+  *) Add support for FreeBSD on IA64.
+     [dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454]
+
+  *) Adjust DES_cbc_cksum() so it returns the same value as the MIT
+     Kerberos function mit_des_cbc_cksum().  Before this change,
+     the value returned by DES_cbc_cksum() was like the one from
+     mit_des_cbc_cksum(), except the bytes were swapped.
+     [Kevin Greaney <Kevin.Greaney@hp.com> and Richard Levitte]
+
+  *) Allow an application to disable the automatic SSL chain building.
+     Before this a rather primitive chain build was always performed in
+     ssl3_output_cert_chain(): an application had no way to send the 
+     correct chain if the automatic operation produced an incorrect result.
+
+     Now the chain builder is disabled if either:
+
+     1. Extra certificates are added via SSL_CTX_add_extra_chain_cert().
+
+     2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set.
+
+     The reasoning behind this is that an application would not want the
+     auto chain building to take place if extra chain certificates are
+     present and it might also want a means of sending no additional
+     certificates (for example the chain has two certificates and the
+     root is omitted).
+     [Steve Henson]
+
+  *) Add the possibility to build without the ENGINE framework.
+     [Steven Reddie <smr@essemer.com.au> via Richard Levitte]
+
+  *) Under Win32 gmtime() can return NULL: check return value in
+     OPENSSL_gmtime(). Add error code for case where gmtime() fails.
+     [Steve Henson]
+
+  *) DSA routines: under certain error conditions uninitialized BN objects
+     could be freed. Solution: make sure initialization is performed early
+     enough. (Reported and fix supplied by Ivan D Nestlerode <nestler@MIT.EDU>,
+     Nils Larsch <nla@trustcenter.de> via PR#459)
+     [Lutz Jaenicke]
+
+  *) Another fix for SSLv2 session ID handling: the session ID was incorrectly
+     checked on reconnect on the client side, therefore session resumption
+     could still fail with a "ssl session id is different" error. This
+     behaviour is masked when SSL_OP_ALL is used due to
+     SSL_OP_MICROSOFT_SESS_ID_BUG being set.
+     Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
+     followup to PR #377.
+     [Lutz Jaenicke]
+
+  *) IA-32 assembler support enhancements: unified ELF targets, support
+     for SCO/Caldera platforms, fix for Cygwin shared build.
+     [Andy Polyakov]
+
+  *) Add support for FreeBSD on sparc64.  As a consequence, support for
+     FreeBSD on non-x86 processors is separate from x86 processors on
+     the config script, much like the NetBSD support.
+     [Richard Levitte & Kris Kennaway <kris@obsecurity.org>]
+
+ Changes between 0.9.6h and 0.9.7  [31 Dec 2002]
+
+  *) Fix session ID handling in SSLv2 client code: the SERVER FINISHED
+     code (06) was taken as the first octet of the session ID and the last
+     octet was ignored consequently. As a result SSLv2 client side session
+     caching could not have worked due to the session ID mismatch between
+     client and server.
+     Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
+     PR #377.
+     [Lutz Jaenicke]
+
+  *) Change the declaration of needed Kerberos libraries to use EX_LIBS
+     instead of the special (and badly supported) LIBKRB5.  LIBKRB5 is
+     removed entirely.
+     [Richard Levitte]
+
+  *) The hw_ncipher.c engine requires dynamic locks.  Unfortunately, it
+     seems that in spite of existing for more than a year, many application
+     author have done nothing to provide the necessary callbacks, which
+     means that this particular engine will not work properly anywhere.
+     This is a very unfortunate situation which forces us, in the name
+     of usability, to give the hw_ncipher.c a static lock, which is part
+     of libcrypto.
+     NOTE: This is for the 0.9.7 series ONLY.  This hack will never
+     appear in 0.9.8 or later.  We EXPECT application authors to have
+     dealt properly with this when 0.9.8 is released (unless we actually
+     make such changes in the libcrypto locking code that changes will
+     have to be made anyway).
+     [Richard Levitte]
+
+  *) In asn1_d2i_read_bio() repeatedly call BIO_read() until all content
+     octets have been read, EOF or an error occurs. Without this change
+     some truncated ASN1 structures will not produce an error.
+     [Steve Henson]
+
+  *) Disable Heimdal support, since it hasn't been fully implemented.
+     Still give the possibility to force the use of Heimdal, but with
+     warnings and a request that patches get sent to openssl-dev.
+     [Richard Levitte]
+
+  *) Add the VC-CE target, introduce the WINCE sysname, and add
+     INSTALL.WCE and appropriate conditionals to make it build.
+     [Steven Reddie <smr@essemer.com.au> via Richard Levitte]
+
+  *) Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
+     cygssl-x.y.z.dll, where x, y and z are the major, minor and
+     edit numbers of the version.
+     [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]
+
+  *) Introduce safe string copy and catenation functions
+     (BUF_strlcpy() and BUF_strlcat()).
+     [Ben Laurie (CHATS) and Richard Levitte]
+
+  *) Avoid using fixed-size buffers for one-line DNs.
+     [Ben Laurie (CHATS)]
+
+  *) Add BUF_MEM_grow_clean() to avoid information leakage when
+     resizing buffers containing secrets, and use where appropriate.
+     [Ben Laurie (CHATS)]
+
+  *) Avoid using fixed size buffers for configuration file location.
+     [Ben Laurie (CHATS)]
+
+  *) Avoid filename truncation for various CA files.
+     [Ben Laurie (CHATS)]
+
+  *) Use sizeof in preference to magic numbers.
+     [Ben Laurie (CHATS)]
+
+  *) Avoid filename truncation in cert requests.
+     [Ben Laurie (CHATS)]
+
+  *) Add assertions to check for (supposedly impossible) buffer
+     overflows.
+     [Ben Laurie (CHATS)]
+
+  *) Don't cache truncated DNS entries in the local cache (this could
+     potentially lead to a spoofing attack).
+     [Ben Laurie (CHATS)]
+
+  *) Fix various buffers to be large enough for hex/decimal
+     representations in a platform independent manner.
+     [Ben Laurie (CHATS)]
+
+  *) Add CRYPTO_realloc_clean() to avoid information leakage when
+     resizing buffers containing secrets, and use where appropriate.
+     [Ben Laurie (CHATS)]
+
+  *) Add BIO_indent() to avoid much slightly worrying code to do
+     indents.
+     [Ben Laurie (CHATS)]
+
+  *) Convert sprintf()/BIO_puts() to BIO_printf().
+     [Ben Laurie (CHATS)]
+
+  *) buffer_gets() could terminate with the buffer only half
+     full. Fixed.
+     [Ben Laurie (CHATS)]
+
+  *) Add assertions to prevent user-supplied crypto functions from
+     overflowing internal buffers by having large block sizes, etc.
+     [Ben Laurie (CHATS)]
+
+  *) New OPENSSL_assert() macro (similar to assert(), but enabled
+     unconditionally).
+     [Ben Laurie (CHATS)]
+
+  *) Eliminate unused copy of key in RC4.
+     [Ben Laurie (CHATS)]
+
+  *) Eliminate unused and incorrectly sized buffers for IV in pem.h.
+     [Ben Laurie (CHATS)]
+
+  *) Fix off-by-one error in EGD path.
+     [Ben Laurie (CHATS)]
+
+  *) If RANDFILE path is too long, ignore instead of truncating.
+     [Ben Laurie (CHATS)]
+
+  *) Eliminate unused and incorrectly sized X.509 structure
+     CBCParameter.
+     [Ben Laurie (CHATS)]
+
+  *) Eliminate unused and dangerous function knumber().
+     [Ben Laurie (CHATS)]
+
+  *) Eliminate unused and dangerous structure, KSSL_ERR.
+     [Ben Laurie (CHATS)]
+
+  *) Protect against overlong session ID context length in an encoded
+     session object. Since these are local, this does not appear to be
+     exploitable.
+     [Ben Laurie (CHATS)]
+
+  *) Change from security patch (see 0.9.6e below) that did not affect
+     the 0.9.6 release series:
+
+     Remote buffer overflow in SSL3 protocol - an attacker could
+     supply an oversized master key in Kerberos-enabled versions.
+     (CAN-2002-0657)
+     [Ben Laurie (CHATS)]
+
+  *) Change the SSL kerb5 codes to match RFC 2712.
+     [Richard Levitte]
 
   *) Make -nameopt work fully for req and add -reqopt switch.
      [Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson]
@@ -34,7 +293,7 @@
         # is assumed to contain the absolute OpenSSL source directory.
         mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
         cd objtree/"`uname -s`-`uname -r`-`uname -m`"
-        (cd $OPENSSL_SOURCE; find . -type f -o -type l) | while read F; do
+        (cd $OPENSSL_SOURCE; find . -type f) | while read F; do
                 mkdir -p `dirname $F`
                 ln -s $OPENSSL_SOURCE/$F $F
         done
@@ -1534,6 +1793,11 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      be reduced modulo  m.
      [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]
 
+#if 0
+     The following entry accidentily appeared in the CHANGES file
+     distributed with OpenSSL 0.9.7.  The modifications described in
+     it do *not* apply to OpenSSL 0.9.7.
+
   *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
      was actually never needed) and in BN_mul().  The removal in BN_mul()
      required a small change in bn_mul_part_recursive() and the addition
@@ -1542,6 +1806,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      bn_sub_words() and bn_add_words() except they take arrays with
      differing sizes.
      [Richard Levitte]
+#endif
 
   *) In 'openssl passwd', verify passwords read from the terminal
      unless the '-salt' option is used (which usually means that
@@ -1673,7 +1938,76 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
   *) Clean old EAY MD5 hack from e_os.h.
      [Richard Levitte]
 
- Changes between 0.9.6g and 0.9.6h  [xx XXX xxxx]
+ Changes between 0.9.6h and 0.9.6i  [19 Feb 2003]
+
+  *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
+     via timing by performing a MAC computation even if incorrrect
+     block cipher padding has been found.  This is a countermeasure
+     against active attacks where the attacker has to distinguish
+     between bad padding and a MAC verification error. (CAN-2003-0078)
+
+     [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
+     Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
+     Martin Vuagnoux (EPFL, Ilion)]
+
+ Changes between 0.9.6g and 0.9.6h  [5 Dec 2002]
+
+  *) New function OPENSSL_cleanse(), which is used to cleanse a section of
+     memory from it's contents.  This is done with a counter that will
+     place alternating values in each byte.  This can be used to solve
+     two issues: 1) the removal of calls to memset() by highly optimizing
+     compilers, and 2) cleansing with other values than 0, since those can
+     be read through on certain media, for example a swap space on disk.
+     [Geoff Thorpe]
+
+  *) Bugfix: client side session caching did not work with external caching,
+     because the session->cipher setting was not restored when reloading
+     from the external cache. This problem was masked, when
+     SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
+     (Found by Steve Haslam <steve@araqnid.ddts.net>.)
+     [Lutz Jaenicke]
+
+  *) Fix client_certificate (ssl/s2_clnt.c): The permissible total
+     length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
+     [Zeev Lieber <zeev-l@yahoo.com>]
+
+  *) Undo an undocumented change introduced in 0.9.6e which caused
+     repeated calls to OpenSSL_add_all_ciphers() and 
+     OpenSSL_add_all_digests() to be ignored, even after calling
+     EVP_cleanup().
+     [Richard Levitte]
+
+  *) Change the default configuration reader to deal with last line not
+     being properly terminated.
+     [Richard Levitte]
+
+  *) Change X509_NAME_cmp() so it applies the special rules on handling
+     DN values that are of type PrintableString, as well as RDNs of type
+     emailAddress where the value has the type ia5String.
+     [stefank@valicert.com via Richard Levitte]
+
+  *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
+     the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
+     doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
+     the bitwise-OR of the two for use by the majority of applications
+     wanting this behaviour, and update the docs. The documented
+     behaviour and actual behaviour were inconsistent and had been
+     changing anyway, so this is more a bug-fix than a behavioural
+     change.
+     [Geoff Thorpe, diagnosed by Nadav Har'El]
+
+  *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
+     (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
+     [Bodo Moeller]
+
+  *) Fix initialization code race conditions in
+        SSLv23_method(),  SSLv23_client_method(),   SSLv23_server_method(),
+        SSLv2_method(),   SSLv2_client_method(),    SSLv2_server_method(),
+        SSLv3_method(),   SSLv3_client_method(),    SSLv3_server_method(),
+        TLSv1_method(),   TLSv1_client_method(),    TLSv1_server_method(),
+        ssl2_get_cipher_by_char(),
+        ssl3_get_cipher_by_char().
+     [Patrick McCormick <patrick@tellme.com>, Bodo Moeller]
 
   *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
      the cached sessions are flushed, as the remove_cb() might use ex_data
@@ -1703,7 +2037,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      overflow checks added in 0.9.6e.  This prevents DoS (the
      assertions could call abort()).
      [Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller]
-  
+
  Changes between 0.9.6d and 0.9.6e  [30 Jul 2002]
 
   *) Add various sanity checks to asn1_get_length() to reject
@@ -1755,11 +2089,6 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
 
   *) Remote buffer overflow in SSL3 protocol - an attacker could
-     supply an oversized master key in Kerberos-enabled versions.
-     (CAN-2002-0657)
-     [Ben Laurie (CHATS)]
-
-  *) Remote buffer overflow in SSL3 protocol - an attacker could
      supply an oversized session ID to a client. (CAN-2002-0656)
      [Ben Laurie (CHATS)]
 
@@ -1767,7 +2096,6 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      supply an oversized client master key. (CAN-2002-0656)
      [Ben Laurie (CHATS)]
 
-
  Changes between 0.9.6c and 0.9.6d  [9 May 2002]
 
   *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
@@ -1854,13 +2182,13 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      value is 0.
      [Richard Levitte]
 
-  *) Add the configuration target linux-s390x.
-     [Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte]
-
   *) [In 0.9.6d-engine release:]
      Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
      [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
 
+  *) Add the configuration target linux-s390x.
+     [Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte]
+
   *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
      ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
      variable as an indication that a ClientHello message has been
diff --git a/src/lib/libssl/src/Configure b/src/lib/libssl/src/Configure
index 292ca877c6..7763dc4138 100644
--- a/src/lib/libssl/src/Configure
+++ b/src/lib/libssl/src/Configure
@@ -10,7 +10,7 @@ use strict;
 
 # see INSTALL for instructions.
 
-my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-engine] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
 
 # Options:
 #
@@ -38,6 +38,7 @@ my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-
 # --test-sanity Make a number of sanity checks on the data in this file.
 #               This is a debugging tool for OpenSSL developers.
 #
+# no-engine     do not compile in any engine code.
 # no-hw-xxx     do not compile support for specific crypto hardware.
 #               Generic OpenSSL-style methods relating to this support
 #               are always compiled but return NULL if the hardware
@@ -107,7 +108,6 @@ my $tlib="-lnsl -lsocket";
 my $bits1="THIRTY_TWO_BIT ";
 my $bits2="SIXTY_FOUR_BIT ";
 
-my $x86_sol_asm="asm/bn86-sol.o asm/co86-sol.o:asm/dx86-sol.o asm/yx86-sol.o:asm/bx86-sol.o:asm/mx86-sol.o:asm/sx86-sol.o:asm/cx86-sol.o:asm/rx86-sol.o:asm/rm86-sol.o:asm/r586-sol.o";
 my $x86_elf_asm="asm/bn86-elf.o asm/co86-elf.o:asm/dx86-elf.o asm/yx86-elf.o:asm/bx86-elf.o:asm/mx86-elf.o:asm/sx86-elf.o:asm/cx86-elf.o:asm/rx86-elf.o:asm/rm86-elf.o:asm/r586-elf.o";
 my $x86_out_asm="asm/bn86-out.o asm/co86-out.o:asm/dx86-out.o asm/yx86-out.o:asm/bx86-out.o:asm/mx86-out.o:asm/sx86-out.o:asm/cx86-out.o:asm/rx86-out.o:asm/rm86-out.o:asm/r586-out.o";
 my $x86_bsdi_asm="asm/bn86bsdi.o asm/co86bsdi.o:asm/dx86bsdi.o asm/yx86bsdi.o:asm/bx86bsdi.o:asm/mx86bsdi.o:asm/sx86bsdi.o:asm/cx86bsdi.o:asm/rx86bsdi.o:asm/rm86bsdi.o:asm/r586bsdi.o";
@@ -145,8 +145,10 @@ my %table=(
 "debug-ulf",    "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT:::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-steve",  "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-steve-linux-pseudo64",   "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn",
-"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wid-clash-31 -Wcast-align -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wid-clash-31 -Wcast-align -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "dist",         "cc:-O::(unknown)::::::",
 
 # Basic configs that should work on any (32 and less bit) box
@@ -159,25 +161,25 @@ my %table=(
 # surrounds it with #APP #NO_APP comment pair which (at least Solaris
 # 7_x86) /usr/ccs/bin/as fails to assemble with "Illegal mnemonic"
 # error message.
-"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### Solaris x86 with Sun C setups
 "solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### SPARC Solaris with GNU C setups
-"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # -m32 should be safe to add as long as driver recognizes -mcpu=ultrasparc
-"solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-gcc31","gcc:-mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-gcc31","gcc:-mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8
 # but keep the assembler modules.
-"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 ####
-"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### SPARC Solaris with Sun C setups
 # DO NOT use /xO[34] on sparc with SC3.0.  It is broken, and will not pass the tests
@@ -201,13 +203,12 @@ my %table=(
 # it's a real mess with -mcpu=ultrasparc option under Linux, but
 # -Wa,-Av8plus should do the trick no matter what.
 "linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-# !!!Folowing can't be even tested yet!!!
-#    We have to wait till 64-bit glibc for SPARC is operational!!!
-#"linux64-sparcv9","sparc64-linux-gcc:-m64 -mcpu=v9 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:ULTRASPARC::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o:",
+# GCC 3.1 is a requirement
+"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # Sunos configs, assuming sparc for the gcc one.
-##"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):::DES_UNROLL:::",
-"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:::",
+##"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:::",
+"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:::",
 
 #### IRIX 5.x configs
 # -mips2 flag is added by ./config when appropriate.
@@ -218,7 +219,7 @@ my %table=(
 # './Configure irix-[g]cc' manually.
 # -mips4 flag is added by ./config when appropriate.
 "irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix-mips3-cc", "cc:-n32 -mips3 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # N64 ABI builds.
 "irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -261,22 +262,21 @@ my %table=(
 "hpux64-parisc-gcc","gcc:-DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # IA-64 targets
-# I have no idea if this one actually works, feedback needed. <appro>
-"hpux-ia64-cc","cc:-Ae +DD32 +O3 +ESlit -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # Frank Geurts <frank.geurts@nl.abnamro.com> has patiently assisted with
 # with debugging of the following config.
-"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # More attempts at unified 10.X and 11.X targets for HP C compiler.
 #
 # Chris Ruemmler <ruemmler@cup.hp.com>
 # Kevin Steves <ks@hp.se>
-"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # Isn't the line below meaningless? HP-UX cc optimizes for host by default.
 # hpux-parisc1_0-cc with +DAportable flag would make more sense. <appro>
-"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # HPUX 9.X config.
 # Don't use the bundled cc.  It is broken.  Use HP ANSI C if possible, or
@@ -383,17 +383,21 @@ my %table=(
 "debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "linux-aout",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
-"linux-mipsel",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown):::BN_LLONG:::",
-"linux-mips",   "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown):::BN_LLONG:::",
+"linux-mipsel",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-mips",   "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ppc",    "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-m68k",   "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::",
 "linux-s390",   "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-s390x",  "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia64-ecc",   "ecc:-DL_ENDIAN -DTERMIO -O2 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-m68",   "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-x86",   "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "FreeBSD-elf",  "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"FreeBSD-sparc64","gcc:-DB_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE:::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 BF_PTR::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"FreeBSD-ia64","gcc:-DL_ENDIAN -DTERMIOS -O -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64-cpp.o:::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "FreeBSD",      "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
 "bsdi-gcc",     "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown):::RSA_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_bsdi_asm}",
 "bsdi-elf-gcc",     "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -401,7 +405,7 @@ my %table=(
 "nextstep3.3",  "cc:-O3 -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
 
 # NCR MP-RAS UNIX ver 02.03.01
-"ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:::",
+"ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw::(unknown)::-lsocket -lnsl -lc89:${x86_gcc_des} ${x86_gcc_opts}:::",
 
 # QNX 4
 "qnx4", "cc:-DL_ENDIAN -DTERMIO::(unknown):::${x86_gcc_des} ${x86_gcc_opts}:",
@@ -412,33 +416,36 @@ my %table=(
 # Linux on ARM
 "linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
+# SCO/Caldera targets.
+#
+# Originally we had like unixware-*, unixware-*-pentium, unixware-*-p6, etc.
+# Now we only have blended unixware-* as it's the only one used by ./config.
+# If you want to optimize for particular microarchitecture, bypass ./config
+# and './Configure unixware-7 -Kpentium_pro' or whatever appropriate.
+# Note that not all targets include assembler support. Mostly because of
+# lack of motivation to support out-of-date platforms with out-of-date
+# compiler drivers and assemblers. Tim Rice <tim@multitalents.net> has
+# patiently assisted to debug most of it.
+#
 # UnixWare 2.0x fails destest with -O
 "unixware-2.0","cc:-DFILIO_H -DNO_STRINGS_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
-"unixware-2.0-pentium","cc:-DFILIO_H -DNO_STRINGS_H -Kpentium::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
-
-# UnixWare 2.1
 "unixware-2.1","cc:-O -DFILIO_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
-"unixware-2.1-pentium","cc:-O -DFILIO_H -Kpentium::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
-"unixware-2.1-p6","cc:-O -DFILIO_H -Kp6::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
-
-# UnixWare 7
-"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"unixware-7-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"unixware-7-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenUNIX-8","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenUNIX-8-gcc","gcc:-O -DFILIO_H -fomit-frame-pointer::-pthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"sco3-gcc",  "gcc:-O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H::(unknown)::-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ...
+# SCO 5 - Ben Laurie <ben@algroup.co.uk> says the -O breaks the SCO cc.
+"sco5-cc",  "cc:-belf::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"sco5-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
-# OpenUNIX 8
-"OpenUNIX-8","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenUNIX-8-gcc","gcc:-O -DFILIO_H -fomit-frame-pointer::-pthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenUNIX-8-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenUNIX-8-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # IBM's AIX.
 "aix-cc",   "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
 "aix-gcc",  "gcc:-O3 -DB_ENDIAN::(unknown):AIX::BN_LLONG RC4_CHAR:::",
-"aix43-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:",
-"aix43-gcc",  "gcc:-O3 -DAIX -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:",
-"aix64-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384 -q64::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHAR::::::::::dlfcn::::::-X 64",
+"aix43-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:aix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::",
+"aix43-gcc",  "gcc:-O1 -DAIX -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:",
+"aix64-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384 -q64::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHAR::::::::::dlfcn:aix-shared::-q64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
 
 #
 # Cray T90 and similar (SDSC)
@@ -471,15 +478,6 @@ my %table=(
 "dgux-R4-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown)::-lnsl -lsocket:RC4_INDEX DES_UNROLL:::",
 "dgux-R4-x86-gcc",      "gcc:-O3 -fomit-frame-pointer -DL_ENDIAN::(unknown)::-lnsl -lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 
-# SCO 3 - Tim Rice <tim@multitalents.net>
-"sco3-gcc",  "gcc:-O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H::(unknown)::-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ...
-
-# SCO 5 - Ben Laurie <ben@algroup.co.uk> says the -O breaks the
-# SCO cc.
-"sco5-cc",  "cc:-belf::(unknown)::-lsocket -lresolv -lnsl:${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:svr3-shared:-Kpic", # des options?
-"sco5-cc-pentium",  "cc:-Kpentium::(unknown)::-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options?
-"sco5-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lresolv -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-fPIC", # the SCO assembler doesn't seem to like our assembler files ...
-
 # Sinix/ReliantUNIX RM400
 # NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g  */
 "ReliantUNIX","cc:-KPIC -g -DTERMIOS -DB_ENDIAN::-Kthread:SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:reliantunix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -498,6 +496,7 @@ my %table=(
 # Windows NT, Microsoft Visual C++ 4.0
 
 "VC-NT","cl::::WINNT::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32",
+"VC-CE","cl::::WINCE::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32",
 "VC-WIN32","cl::::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32",
 "VC-WIN16","cl:::(unknown):WIN16::MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::",
 "VC-W31-16","cl:::(unknown):WIN16::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::",
@@ -505,26 +504,24 @@ my %table=(
 "VC-MSDOS","cl:::(unknown):MSDOS::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::",
 
 # Borland C++ 4.5
-"BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX::::::::::win32",
+"BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN::::::::::win32",
 "BC-16","bcc:::(unknown):WIN16::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::",
 
-# Mingw32
-# (Note: the real CFLAGS for Windows builds are defined by util/mk1mf.pl
-# and its library files in util/pl/*)
-"Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
+# MinGW
+"mingw", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall:::MINGW32:-mno-cygwin -lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32::::.dll",
 
 # UWIN 
 "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
 
 # Cygwin
 "Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
-"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:::.dll",
+"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:::.dll",
 
 # DJGPP
-"DJGPP", "gcc:-I/dev/env/DJDIR/watt32/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/DJDIR/watt32/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::",
+"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::",
 
 # Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
-"ultrix-cc","cc:-std1 -O -Olimit 1000 -DL_ENDIAN::(unknown):::::::",
+"ultrix-cc","cc:-std1 -O -Olimit 2500 -DL_ENDIAN::(unknown):::::::",
 "ultrix-gcc","gcc:-O3 -DL_ENDIAN::(unknown):::::::",
 # K&R C is no longer supported; you need gcc on old Ultrix installations
 ##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown):::::::",
@@ -543,10 +540,13 @@ my %table=(
 "OpenBSD-hppa",         "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 ##### MacOS X (a.k.a. Rhapsody or Darwin) setup
-"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
+"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
 "darwin-ppc-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 
+##### A/UX
+"aux3-gcc","gcc:-O2 -DTERMIO::(unknown):AUX:-lbsd:RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
+
 ##### Sony NEWS-OS 4.x
 "newsos4-gcc","gcc:-O -DB_ENDIAN::(unknown):NEWS4:-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::",
 
@@ -558,11 +558,16 @@ my %table=(
 
 ##### VxWorks for various targets
 "vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::",
+"vxworks-ppc750","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h \$(DEBUG_FLAG):::VXWORKS:-r:::::",
+"vxworks-ppc750-debug","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g:::VXWORKS:-r:::::",
+
+##### Compaq Non-Stop Kernel (Tandem)
+"tandem-c89","c89:-Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN::(unknown):::THIRTY_TWO_BIT:::",
 
 );
 
-my @WinTargets=qw(VC-NT VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS BC-32
-        BC-16 Mingw32 OS2-EMX);
+my @WinTargets=qw(VC-NT VC-CE VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS
+        BC-32 BC-16 Mingw32 OS2-EMX);
 
 my $idx = 0;
 my $idx_cc = $idx++;
@@ -645,6 +650,7 @@ my $openssl_thread_defines;
 my $openssl_sys_defines="";
 my $openssl_other_defines;
 my $libs;
+my $libkrb5="";
 my $target;
 my $options;
 my $symlink;
@@ -685,6 +691,11 @@ PROCESS_ARGS:
                         $flags .= "-DOPENSSL_NO_ASM ";
                         $openssl_other_defines .= "#define OPENSSL_NO_ASM\n";
                         }
+                elsif (/^no-err$/)
+                        {
+                        $flags .= "-DOPENSSL_NO_ERR ";
+                        $openssl_other_defines .= "#define OPENSSL_NO_ERR\n";
+                        }
                 elsif (/^no-hw-(.+)$/)
                         {
                         my $hw=$1;
@@ -707,7 +718,7 @@ PROCESS_ARGS:
                         { $threads=1; }
                 elsif (/^no-shared$/)
                         { $no_shared=1; }
-                elsif (/^shared$/)
+                elsif (/^shared$/ || /^-shared$/ || /^--shared$/)
                         { $no_shared=0; }
                 elsif (/^no-zlib$/)
                         { $zlib=0; }
@@ -735,6 +746,7 @@ PROCESS_ARGS:
                         $openssl_algorithm_defines .= "#define OPENSSL_NO_$algo\n";
                         if ($algo eq "RIJNDAEL")
                                 {
+                                push @skip, "aes";
                                 $flags .= "-DOPENSSL_NO_AES ";
                                 $depflags .= "-DOPENSSL_NO_AES ";
                                 $openssl_algorithm_defines .= "#define OPENSSL_NO_AES\n";
@@ -944,6 +956,8 @@ my $shared_extension = $fields[$idx_shared_extension];
 my $ranlib = $fields[$idx_ranlib];
 my $arflags = $fields[$idx_arflags];
 
+my $no_shared_warn=0;
+
 $cflags="$flags$cflags" if ($flags ne "");
 
 # Kerberos settings.  The flavor must be provided from outside, either through
@@ -961,6 +975,17 @@ else
         my ($lresolv, $lpath, $lext);
         if ($withargs{"krb5-flavor"} =~ /^[Hh]eimdal$/)
                 {
+                die "Sorry, Heimdal is currently not supported\n";
+                }
+        ##### HACK to force use of Heimdal.
+        ##### WARNING: Since we don't really have adequate support for Heimdal,
+        #####          using this will break the build.  You'll have to make
+        #####          changes to the source, and if you do, please send
+        #####          patches to openssl-dev@openssl.org
+        if ($withargs{"krb5-flavor"} =~ /^force-[Hh]eimdal$/)
+                {
+                warn "Heimdal isn't really supported.  Your build WILL break\n";
+                warn "If you fix the problems, please send a patch to openssl-dev\@openssl.org\n";
                 $withargs{"krb5-dir"} = "/usr/heimdal"
                         if $withargs{"krb5-dir"} eq "";
                 $withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}.
@@ -993,7 +1018,7 @@ else
                         }
                 }
         $withargs{"krb5-lib"} .= " -lresolv"
-                if ("$lresolv");
+                if ("$lresolv" ne "");
         $withargs{"krb5-include"} = "-I".$withargs{"krb5-dir"}."/include"
                 if $withargs{"krb5-include"} eq "" &&
                    $withargs{"krb5-dir"} ne "";
@@ -1052,7 +1077,7 @@ else
 #               }
         }       
 
-$lflags="$libs$lflags"if ($libs ne "");
+$lflags="$libs$lflags" if ($libs ne "");
 
 if ($no_asm)
         {
@@ -1060,6 +1085,11 @@ if ($no_asm)
         $sha1_obj=$md5_obj=$rmd160_obj="";
         }
 
+if (!$no_shared)
+        {
+        $cast_obj="";   # CAST assembler is not PIC
+        }
+
 if ($threads)
         {
         $cflags=$thread_cflags;
@@ -1075,20 +1105,17 @@ if ($zlib)
 
 # You will find shlib_mark1 and shlib_mark2 explained in Makefile.org
 my $shared_mark = "";
-if ($shared_target ne "")
+if ($shared_target eq "")
+        {
+        $no_shared_warn = 1 if !$no_shared;
+        $no_shared = 1;
+        }
+if (!$no_shared)
         {
         if ($shared_cflag ne "")
                 {
                 $cflags = "$shared_cflag $cflags";
                 }
-        if (!$no_shared)
-                {
-                #$shared_mark = "\$(SHARED_LIBS)";
-                }
-        }
-else
-        {
-        $no_shared = 1;
         }
 
 if ($sys_id ne "")
@@ -1262,8 +1289,6 @@ print "ARFLAGS       =$arflags\n";
 print "PERL          =$perl\n";
 print "KRB5_INCLUDES =",$withargs{"krb5-include"},"\n"
         if $withargs{"krb5-include"} ne "";
-print "LIBKRB5       =",$withargs{"krb5-lib"},"\n"
-        if $withargs{"krb5-lib"} ne "";
 
 my $des_ptr=0;
 my $des_risc1=0;
@@ -1490,6 +1515,16 @@ applications as the compiler options required on this system are not known.
 See file INSTALL for details if you need multi-threading.
 EOF
 
+print <<\EOF if ($no_shared_warn);
+
+You gave the option 'shared'.  Normally, that would give you shared libraries.
+Unfortunately, the OpenSSL configuration doesn't include shared library support
+for this platform yet, so it will pretend you gave the option 'no-shared'.  If
+you can inform the developpers (openssl-dev\@openssl.org) how to support shared
+libraries on this platform, they will at least look at it and try their best
+(but please first make sure you have tried with a current version of OpenSSL).
+EOF
+
 exit(0);
 
 sub usage
diff --git a/src/lib/libssl/src/FAQ b/src/lib/libssl/src/FAQ
index 28027fdcac..7812ae88cb 100644
--- a/src/lib/libssl/src/FAQ
+++ b/src/lib/libssl/src/FAQ
@@ -9,6 +9,7 @@ OpenSSL  -  Frequently Asked Questions
 * Where can I get a compiled version of OpenSSL?
 * Why aren't tools like 'autoconf' and 'libtool' used?
 * What is an 'engine' version?
+* How do I check the authenticity of the OpenSSL distribution?
 
 [LEGAL] Legal questions
 
@@ -43,6 +44,8 @@ OpenSSL  -  Frequently Asked Questions
 * What is special about OpenSSL on Redhat?
 * Why does the OpenSSL compilation fail on MacOS X?
 * Why does the OpenSSL test suite fail on MacOS X?
+* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
+* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
 
 [PROG] Questions about programming with OpenSSL
 
@@ -65,7 +68,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.6g was released on August 9, 2002.
+OpenSSL 0.9.7b was released on April 10, 2003.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -136,6 +139,19 @@ hardware. This was realized in a special release '0.9.6-engine'. With
 version 0.9.7 (not yet released) the changes were merged into the main
 development line, so that the special release is no longer necessary.
 
+* How do I check the authenticity of the OpenSSL distribution?
+
+We provide MD5 digests and ASC signatures of each tarball.
+Use MD5 to check that a tarball from a mirror site is identical:
+
+   md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5
+
+You can check authenticity using pgp or gpg. You need the OpenSSL team
+member public key used to sign it (download it from a key server). Then
+just do:
+
+   pgp TARBALL.asc
+
 [LEGAL] =======================================================================
 
 * Do I need patent licenses to use OpenSSL?
@@ -173,18 +189,30 @@ for permission to use their software with OpenSSL.
 
 Cryptographic software needs a source of unpredictable data to work
 correctly.  Many open source operating systems provide a "randomness
-device" that serves this purpose.  On other systems, applications have
-to call the RAND_add() or RAND_seed() function with appropriate data
-before generating keys or performing public key encryption.
-(These functions initialize the pseudo-random number generator, PRNG.)
-
-Some broken applications do not do this.  As of version 0.9.5, the
-OpenSSL functions that need randomness report an error if the random
-number generator has not been seeded with at least 128 bits of
-randomness.  If this error occurs, please contact the author of the
-application you are using.  It is likely that it never worked
-correctly.  OpenSSL 0.9.5 and later make the error visible by refusing
-to perform potentially insecure encryption.
+device" (/dev/urandom or /dev/random) that serves this purpose.
+All OpenSSL versions try to use /dev/urandom by default; starting with
+version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not
+available.
+
+On other systems, applications have to call the RAND_add() or
+RAND_seed() function with appropriate data before generating keys or
+performing public key encryption. (These functions initialize the
+pseudo-random number generator, PRNG.)  Some broken applications do
+not do this.  As of version 0.9.5, the OpenSSL functions that need
+randomness report an error if the random number generator has not been
+seeded with at least 128 bits of randomness.  If this error occurs and
+is not discussed in the documentation of the application you are
+using, please contact the author of that application; it is likely
+that it never worked correctly.  OpenSSL 0.9.5 and later make the
+error visible by refusing to perform potentially insecure encryption.
+
+If you are using Solaris 8, you can add /dev/urandom and /dev/random
+devices by installing patch 112438 (Sparc) or 112439 (x86), which are
+available via the Patchfinder at <URL: http://sunsolve.sun.com>
+(Solaris 9 includes these devices by default). For /dev/random support
+for earlier Solaris versions, see Sun's statement at
+<URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski>
+(the SUNWski package is available in patch 105710).
 
 On systems without /dev/urandom and /dev/random, it is a good idea to
 use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for
@@ -217,16 +245,6 @@ OpenSSL command line tools. Applications using the OpenSSL library
 provide their own configuration options to specify the entropy source,
 please check out the documentation coming the with application.
 
-For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested
-installing the SUNski package from Sun patch 105710-01 (Sparc) which
-adds a /dev/random device and make sure it gets used, usually through
-$RANDFILE.  There are probably similar patches for the other Solaris
-versions.  An official statement from Sun with respect to /dev/random
-support can be found at
-  http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski
-However, be warned that /dev/random is usually a blocking device, which
-may have some effects on OpenSSL.
-
 
 * Why do I get an "unable to write 'random state'" error message?
 
@@ -472,10 +490,13 @@ and then redo the compilation.  What you should really do is make sure
 Sometimes, you may get reports from VC++ command line (cl) that it
 can't find standard include files like stdio.h and other weirdnesses.
 One possible cause is that the environment isn't correctly set up.
-To solve that problem, one should run VCVARS32.BAT which is found in
-the 'bin' subdirectory of the VC++ installation directory (somewhere
-under 'Program Files').  This needs to be done prior to running NMAKE,
-and the changes are only valid for the current DOS session.
+To solve that problem for VC++ versions up to 6, one should run
+VCVARS32.BAT which is found in the 'bin' subdirectory of the VC++
+installation directory (somewhere under 'Program Files').  For VC++
+version 7 (and up?), which is also called VS.NET, the file is called
+VSVARS32.BAT instead.
+This needs to be done prior to running NMAKE, and the changes are only
+valid for the current DOS session.
 
 
 * What is special about OpenSSL on Redhat?
@@ -536,6 +557,37 @@ libraries you just built.
 Look in the file PROBLEMS for a more detailed explanation and for possible
 solutions.
 
+* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
+
+Failure in BN_sqr test is most likely caused by a failure to configure the
+toolkit for current platform or lack of support for the platform in question.
+Run './config -t' and './apps/openssl version -p'. Do these platform
+identifiers match? If they don't, then you most likely failed to run
+./config and you're hereby advised to do so before filing a bug report.
+If ./config itself fails to run, then it's most likely problem with your
+local environment and you should turn to your system administrator (or
+similar). If identifiers match (and/or no alternative identifier is
+suggested by ./config script), then the platform is unsupported. There might
+or might not be a workaround. Most notably on SPARC64 platforms with GNU
+C compiler you should be able to produce a working build by running
+'./config -m32'. I understand that -m32 might not be what you want/need,
+but the build should be operational. For further details turn to
+<openssl-dev@openssl.org>.
+
+* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
+
+As of 0.9.7 assembler routines were overhauled for position independence
+of the machine code, which is essential for shared library support. For
+some reason OpenBSD is equipped with an out-of-date GNU assembler which
+finds the new code offensive. To work around the problem, configure with
+no-asm (and sacrifice a great deal of performance) or patch your assembler
+according to <URL: http://www.openssl.org/~appro/gas-1.92.3.OpenBSD.patch>.
+For your convenience a pre-compiled replacement binary is provided at
+<URL: http://www.openssl.org/~appro/gas-1.92.3.static.aout.bin>.
+Reportedly elder *BSD a.out platforms also suffer from this problem and
+remedy should be same. Provided binary is statically linked and should be
+working across wider range of *BSD branches, not just OpenBSD.
+
 [PROG] ========================================================================
 
 * Is OpenSSL thread-safe?
@@ -680,6 +732,7 @@ The general answer is to check the config.log file generated when running
 the OpenSSH configure script. It should contain the detailed information
 on why the OpenSSL library was not detected or considered incompatible.
 
+
 * Can I use OpenSSL's SSL library with non-blocking I/O?
 
 Yes; make sure to read the SSL_get_error(3) manual page!
diff --git a/src/lib/libssl/src/INSTALL b/src/lib/libssl/src/INSTALL
index af86485e00..1c3f3c3fe9 100644
--- a/src/lib/libssl/src/INSTALL
+++ b/src/lib/libssl/src/INSTALL
@@ -140,8 +140,8 @@
      standard headers).  If it is a problem with OpenSSL itself, please
      report the problem to <openssl-bugs@openssl.org> (note that your
      message will be recorded in the request tracker publicly readable
-     via http://www.openssl.org/rt2.html and will be forwarded to a public
-     mailing list). Include the output of "make report" in your message.
+     via http://www.openssl.org/support/rt2.html and will be forwarded to a
+     public mailing list). Include the output of "make report" in your message.
      Please check out the request tracker. Maybe the bug was already
      reported or has already been fixed.
 
@@ -158,11 +158,11 @@
      If a test fails, look at the output.  There may be reasons for
      the failure that isn't a problem in OpenSSL itself (like a missing
      or malfunctioning bc).  If it is a problem with OpenSSL itself,
-     try removing any compiler optimization flags from the CFLAGS line
+     try removing any compiler optimization flags from the CFLAG line
      in Makefile.ssl and run "make clean; make". Please send a bug
      report to <openssl-bugs@openssl.org>, including the output of
      "make report" in order to be added to the request tracker at
-     http://www.openssl.org/rt2.html.
+     http://www.openssl.org/support/rt2.html.
 
   4. If everything tests ok, install OpenSSL with
 
@@ -296,3 +296,37 @@
  targets for shared library creation, like linux-shared.  Those targets
  can currently be used on their own just as well, but this is expected
  to change in future versions of OpenSSL.
+
+ Note on random number generation
+ --------------------------------
+
+ Availability of cryptographically secure random numbers is required for
+ secret key generation. OpenSSL provides several options to seed the
+ internal PRNG. If not properly seeded, the internal PRNG will refuse
+ to deliver random bytes and a "PRNG not seeded error" will occur.
+ On systems without /dev/urandom (or similar) device, it may be necessary
+ to install additional support software to obtain random seed.
+ Please check out the manual pages for RAND_add(), RAND_bytes(), RAND_egd(),
+ and the FAQ for more information.
+
+ Note on support for multiple builds
+ -----------------------------------
+
+ OpenSSL is usually built in it's source tree.  Unfortunately, this doesn't
+ support building for multiple platforms from the same source tree very well.
+ It is however possible to build in a separate tree through the use of lots
+ of symbolic links, which should be prepared like this:
+
+        mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
+        cd objtree/"`uname -s`-`uname -r`-`uname -m`"
+        (cd $OPENSSL_SOURCE; find . -type f) | while read F; do
+                mkdir -p `dirname $F`
+                rm -f $F; ln -s $OPENSSL_SOURCE/$F $F
+                echo $F '->' $OPENSSL_SOURCE/$F
+        done
+        make -f Makefile.org clean
+
+ OPENSSL_SOURCE is an environment variable that contains the absolute (this
+ is important!) path to the OpenSSL source tree.
+
+ Also, operations like 'make update' should still be made in the source tree.
diff --git a/src/lib/libssl/src/INSTALL.W32 b/src/lib/libssl/src/INSTALL.W32
index 3de6544fc5..78d289e16a 100644
--- a/src/lib/libssl/src/INSTALL.W32
+++ b/src/lib/libssl/src/INSTALL.W32
@@ -2,19 +2,28 @@
  INSTALLATION ON THE WIN32 PLATFORM
  ----------------------------------
 
+ [Instructions for building for Windows CE can be found in INSTALL.WCE]
+
  Heres a few comments about building OpenSSL in Windows environments.  Most
  of this is tested on Win32 but it may also work in Win 3.1 with some
  modification.
 
  You need Perl for Win32.  Unless you will build on Cygwin, you will need
  ActiveState Perl, available from http://www.activestate.com/ActivePerl.
- For Cygwin users, there's more info in the Cygwin section.
 
  and one of the following C compilers:
 
   * Visual C++
   * Borland C
-  * GNU C (Mingw32 or Cygwin)
+  * GNU C (Cygwin or MinGW)
+
+ If you are compiling from a tarball or a CVS snapshot then the Win32 files
+ may well be not up to date. This may mean that some "tweaking" is required to
+ get it all to work. See the trouble shooting section later on for if (when?)
+ it goes wrong.
+
+ Visual C++
+ ----------
 
  If you want to compile in the assembly language routines with Visual C++ then
  you will need an assembler. This is worth doing because it will result in
@@ -24,26 +33,19 @@
   * Microsoft MASM (aka "ml")
   * Free Netwide Assembler NASM.
 
- MASM was at one point distributed with VC++. It is now distributed with some
- Microsoft DDKs, for example the Windows NT 4.0 DDK and the Windows 98 DDK. If
- you do not have either of these DDKs then you can just download the binaries
- for the Windows 98 DDK and extract and rename the two files XXXXXml.exe and
- XXXXXml.err, to ml.exe and ml.err and install somewhere on your PATH. Both
- DDKs can be downloaded from the Microsoft developers site www.msdn.com.
+ MASM is distributed with most versions of VC++. For the versions where it is
+ not included in VC++, it is also distributed with some Microsoft DDKs, for
+ example the Windows NT 4.0 DDK and the Windows 98 DDK. If you do not have
+ either of these DDKs then you can just download the binaries for the Windows
+ 98 DDK and extract and rename the two files XXXXXml.exe and XXXXXml.err, to
+ ml.exe and ml.err and install somewhere on your PATH. Both DDKs can be
+ downloaded from the Microsoft developers site www.msdn.com.
 
  NASM is freely available. Version 0.98 was used during testing: other versions
  may also work. It is available from many places, see for example:
  http://www.kernel.org/pub/software/devel/nasm/binaries/win32/
  The NASM binary nasmw.exe needs to be installed anywhere on your PATH.
 
- If you are compiling from a tarball or a CVS snapshot then the Win32 files
- may well be not up to date. This may mean that some "tweaking" is required to
- get it all to work. See the trouble shooting section later on for if (when?)
- it goes wrong.
-
- Visual C++
- ----------
-
  Firstly you should run Configure:
 
  > perl Configure VC-WIN32
@@ -82,7 +84,8 @@
  There are various changes you can make to the Win32 compile environment. By
  default the library is not compiled with debugging symbols. If you add 'debug'
  to the mk1mf.pl lines in the do_* batch file then debugging symbols will be
- compiled in.
+ compiled in. Note that mk1mf.pl expects the platform to be the last argument
+ on the command line, so 'debug' must appear before that, as all other options.
 
  The default Win32 environment is to leave out any Windows NT specific
  features.
@@ -116,62 +119,35 @@
  * Run make:
    > make -f bcb.mak
 
- GNU C (Mingw32)
- ---------------
-
- To build OpenSSL, you need the Mingw32 package and GNU make.
-
- * Compiler installation:
-
-   Mingw32 is available from <ftp://ftp.xraylith.wisc.edu/pub/khan/
-   gnu-win32/mingw32/gcc-2.95.2/gcc-2.95.2-msvcrt.exe>. Extract it
-   to a directory such as C:\gcc-2.95.2 and add c:\gcc-2.95.2\bin to
-   the PATH environment variable in "System Properties"; or edit and
-   run C:\gcc-2.95.2\mingw32.bat to set the PATH.
-
- * Compile OpenSSL:
-
-   > ms\mingw32
-
-   This will create the library and binaries in out. In case any problems
-   occur, try
-   > ms\mingw32 no-asm
-   instead.
-
-   libcrypto.a and libssl.a are the static libraries. To use the DLLs,
-   link with libeay32.a and libssl32.a instead.
-
-   See troubleshooting if you get error messages about functions not having
-   a number assigned.
-
- * You can now try the tests:
-
-   > cd out
-   > ..\ms\test
-
  GNU C (Cygwin)
  --------------
 
  Cygwin provides a bash shell and GNU tools environment running
  on NT 4.0, Windows 9x, Windows ME, Windows 2000, and Windows XP.
  Consequently, a make of OpenSSL with Cygwin is closer to a GNU
- bash environment such as Linux than to other W32 makes which are
- based on a single makefile approach. Cygwin implements Posix/Unix
- calls through cygwin1.dll, and is contrasted to Mingw32 which links
- dynamically to msvcrt.dll or crtdll.dll.
+ bash environment such as Linux than to other the other Win32
+ makes.
+
+ Cygwin implements a Posix/Unix runtime system (cygwin1.dll).
+ It is also possible to create Win32 binaries that only use the
+ Microsoft C runtime system (msvcrt.dll or crtdll.dll) using
+ MinGW. MinGW can be used in the Cygwin development environment
+ or in a standalone setup as described in the following section.
 
  To build OpenSSL using Cygwin:
 
  * Install Cygwin (see http://cygwin.com/)
 
- * Install Perl and ensure it is in the path (recent Cygwin perl 
-   (version 5.6.1-2 of the latter has been reported to work) or
-   ActivePerl)
+ * Install Perl and ensure it is in the path. Both Cygwin perl
+   (5.6.1-2 or newer) and ActivePerl work.
 
  * Run the Cygwin bash shell
 
  * $ tar zxvf openssl-x.x.x.tar.gz
    $ cd openssl-x.x.x
+
+   To build the Cygwin version of OpenSSL:
+
    $ ./config
    [...]
    $ make
@@ -179,7 +155,16 @@
    $ make test
    $ make install
 
- This will create a default install in /usr/local/ssl.
+   This will create a default install in /usr/local/ssl.
+
+   To build the MinGW version (native Windows) in Cygwin:
+
+   $ ./Configure mingw
+   [...]
+   $ make
+   [...]
+   $ make test
+   $ make install
 
  Cygwin Notes:
 
@@ -192,6 +177,35 @@
  non-fatal error in "make test" but is otherwise harmless.  If
  desired and needed, GNU bc can be built with Cygwin without change.
 
+ GNU C (MinGW)
+ -------------
+
+ * Compiler installation:
+
+   MinGW is available from http://www.mingw.org. Run the installer and
+   set the MinGW bin directory to the PATH in "System Properties" or
+   autoexec.bat.
+
+ * Compile OpenSSL:
+
+   > ms\mingw32
+
+   This will create the library and binaries in out. In case any problems
+   occur, try
+   > ms\mingw32 no-asm
+   instead.
+
+   libcrypto.a and libssl.a are the static libraries. To use the DLLs,
+   link with libeay32.a and libssl32.a instead.
+
+   See troubleshooting if you get error messages about functions not having
+   a number assigned.
+
+ * You can now try the tests:
+
+   > cd out
+   > ..\ms\test
+
 
  Installation
  ------------
diff --git a/src/lib/libssl/src/LICENSE b/src/lib/libssl/src/LICENSE
index 7b93e0dbce..dddb07842b 100644
--- a/src/lib/libssl/src/LICENSE
+++ b/src/lib/libssl/src/LICENSE
@@ -12,7 +12,7 @@
   ---------------
 
 /* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.cpp b/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.cpp
index aaf2a68ca9..c95d804d5d 100644
--- a/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.cpp
+++ b/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.cpp
@@ -1287,7 +1287,7 @@ EXITPOINT:
 
 //      Send some bytes
 
-int MacSocket_send(const int inSocketNum,void *inBuff,int inBuffLength)
+int MacSocket_send(const int inSocketNum,const void *inBuff,int inBuffLength)
 {
 OSErr                   errCode = noErr;
 int                             bytesSent = 0;
diff --git a/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.h b/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.h
index 6e90a5bb44..ad59dc9e4f 100644
--- a/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.h
+++ b/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.h
@@ -62,7 +62,7 @@ int MacSocket_recv(const int inSocketNum,void *outBuff,int outBuffLength,const B
 
 //      Call this to send data on a socket
 
-int MacSocket_send(const int inSocketNum,void *inBuff,int inBuffLength);
+int MacSocket_send(const int inSocketNum,const void *inBuff,int inBuffLength);
 
 
 //      If zero bytes were read in a call to MacSocket_recv(), it may be that the remote end has done a half-close
diff --git a/src/lib/libssl/src/Makefile.org b/src/lib/libssl/src/Makefile.org
index d7af0815f3..4d0627bfdd 100644
--- a/src/lib/libssl/src/Makefile.org
+++ b/src/lib/libssl/src/Makefile.org
@@ -15,6 +15,11 @@ OPTIONS=
 CONFIGURE_ARGS=
 SHLIB_TARGET=
 
+# HERE indicates where this Makefile lives.  This can be used to indicate
+# where sub-Makefiles are expected to be.  Currently has very limited usage,
+# and should probably not be bothered with at all.
+HERE=.
+
 # INSTALL_PREFIX is for package builders so that they can configure
 # for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
 # Normally it is left empty.
@@ -67,6 +72,14 @@ TAR= tar
 TARFLAGS= --no-recursion
 MAKEDEPPROG=makedepend
 
+# We let the C compiler driver to take care of .s files. This is done in
+# order to be excused from maintaining a separate set of architecture
+# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
+# gcc, then the driver will automatically translate it to -xarch=v8plus
+# and pass it down to assembler.
+AS=$(CC) -c
+ASFLAGS=$(CFLAG)
+
 # Set BN_ASM to bn_asm.o if you want to use the C version
 BN_ASM= bn_asm.o
 #BN_ASM= bn_asm.o
@@ -205,14 +218,14 @@ HEADER=         e_os.h
 # When we're prepared to use shared libraries in the programs we link here
 # we might remove 'clean-shared' from the targets to perform at this stage
 
-all: Makefile.ssl sub_all
+all: Makefile.ssl sub_all openssl.pc
 
 sub_all:
         @for i in $(DIRS); \
         do \
         if [ -d "$$i" ]; then \
                 (cd $$i && echo "making all in $$i..." && \
-                $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
+                $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAGS='${ASFLAGS}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
         else \
                 $(MAKE) $$i; \
         fi; \
@@ -242,7 +255,7 @@ clean-shared:
                 fi; \
                 ( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
                 if [ "$(PLATFORM)" = "Cygwin" ]; then \
-                        ( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
+                        ( set -x; rm -f cyg$$i-$(SHLIB_VERSION_NUMBER)$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
                 fi; \
         done
 
@@ -265,39 +278,45 @@ do_bsd-gcc-shared: do_gnu-shared
 do_linux-shared: do_gnu-shared
 do_gnu-shared:
         libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+        if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
+                libs="$(LIBKRB5) $$libs"; \
+        fi; \
         ( set -x; ${CC} ${SHARED_LDFLAGS} \
                 -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
                 -Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
                 -Wl,-Bsymbolic \
                 -Wl,--whole-archive lib$$i.a \
                 -Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \
-        libs="$$libs -l$$i"; \
+        libs="-l$$i $$libs"; \
         done
 
-DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc' >/dev/null 2>&1 && \
-        my_ld=`gcc -print-prog-name=ld 2>&1` && \
-        [ -n "$$my_ld" ] && \
-        $$my_ld -v 2>&1 | grep 'GNU ld' >/dev/null 2>&1
+DETECT_GNU_LD=(${CC} -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null
 
 # For Darwin AKA Mac OS/X (dyld)
 do_darwin-shared: 
         libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-        ( set -x ; ${CC} --verbose -dynamiclib -o lib$$i${SHLIB_EXT} \
+        if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
+                libs="$(LIBKRB5) $$libs"; \
+        fi; \
+        ( set -x; ${CC} --verbose -dynamiclib -o lib$$i${SHLIB_EXT} \
                 lib$$i.a $$libs -all_load -current_version ${SHLIB_MAJOR}.${SHLIB_MINOR} \
                 -compatibility_version ${SHLIB_MAJOR}.`echo ${SHLIB_MINOR} | cut -d. -f1` \
                 -install_name ${INSTALLTOP}/lib/lib$$i${SHLIB_EXT} ) || exit 1; \
-        libs="$$libs -l`basename $$i${SHLIB_EXT} .dylib`"; \
+        libs="-l`basename $$i${SHLIB_EXT} .dylib` $$libs"; \
         echo "" ; \
         done
 
 do_cygwin-shared:
         libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-        ( set -x; ${CC}  -shared -o cyg$$i.dll \
+        if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
+                libs="$(LIBKRB5) $$libs"; \
+        fi; \
+        ( set -x; ${CC}  -shared -o cyg$$i-$(SHLIB_VERSION_NUMBER).dll \
                 -Wl,-Bsymbolic \
                 -Wl,--whole-archive lib$$i.a \
                 -Wl,--out-implib,lib$$i.dll.a \
                 -Wl,--no-whole-archive $$libs ) || exit 1; \
-        libs="$$libs -l$$i"; \
+        libs="-l$$i $$libs"; \
         done
 
 # This assumes that GNU utilities are *not* used
@@ -306,11 +325,14 @@ do_alpha-osf1-shared:
                 $(MAKE) do_gnu-shared; \
         else \
                 libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+                if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
+                        libs="$(LIBKRB5) $$libs"; \
+                fi; \
                 ( set -x; ${CC} ${SHARED_LDFLAGS} \
                         -shared -o lib$$i.so \
                         -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
                         -all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
-                libs="$$libs -l$$i"; \
+                libs="-l$$i $$libs"; \
                 done; \
         fi
 
@@ -322,11 +344,14 @@ do_tru64-shared:
                 $(MAKE) do_gnu-shared; \
         else \
                 libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+                if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
+                        libs="$(LIBKRB5) $$libs"; \
+                fi; \
                 ( set -x; ${CC} ${SHARED_LDFLAGS} \
                         -shared -msym -o lib$$i.so \
                         -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
                         -all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
-                libs="$$libs -l$$i"; \
+                libs="-l$$i $$libs"; \
                 done; \
         fi
 
@@ -338,12 +363,15 @@ do_tru64-shared-rpath:
                 $(MAKE) do_gnu-shared; \
         else \
                 libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+                if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
+                        libs="$(LIBKRB5) $$libs"; \
+                fi; \
                 ( set -x; ${CC} ${SHARED_LDFLAGS} \
                         -shared -msym -o lib$$i.so \
                         -rpath  ${INSTALLTOP}/lib \
                         -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
                         -all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
-                libs="$$libs -l$$i"; \
+                libs="-l$$i $$libs"; \
                 done; \
         fi
 
@@ -354,12 +382,18 @@ do_solaris-shared:
                 $(MAKE) do_gnu-shared; \
         else \
                 libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+                if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
+                        libs="$(LIBKRB5) $$libs"; \
+                fi; \
                 ( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
-                  set -x; ${CC} ${SHARED_LDFLAGS} \
-                        -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+                  MINUSZ='-z '; \
+                  (${CC} -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
+                  set -x; ${CC} ${SHARED_LDFLAGS} -G -dy -z text \
+                        -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
                         -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-                        -z allextract lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
-                libs="$$libs -l$$i"; \
+                        $${MINUSZ}allextract lib$$i.a $${MINUSZ}defaultextract \
+                        $$libs ${EX_LIBS} -lc ) || exit 1; \
+                libs="-l$$i $$libs"; \
                 done; \
         fi
 
@@ -369,16 +403,20 @@ do_svr3-shared:
                 $(MAKE) do_gnu-shared; \
         else \
                 libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+                if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
+                        libs="$(LIBKRB5) $$libs"; \
+                fi; \
                 ( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
                   find . -name "*.o" -print > allobjs ; \
                   OBJS= ; export OBJS ; \
                   for obj in `ar t lib$$i.a` ; do \
                     OBJS="$${OBJS} `grep $$obj allobjs`" ; \
                   done ; \
-                  set -x; ${CC}  -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+                  set -x; ${CC} ${SHARED_LDFLAGS} \
+                        -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
                         -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
                         $${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
-                libs="$$libs -l$$i"; \
+                libs="-l$$i $$libs"; \
                 done; \
         fi
 
@@ -388,17 +426,23 @@ do_svr5-shared:
                 $(MAKE) do_gnu-shared; \
         else \
                 libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+                if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
+                        libs="$(LIBKRB5) $$libs"; \
+                fi; \
                 ( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
+                  SHARE_FLAG='-G'; \
+                  (${CC} -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
                   find . -name "*.o" -print > allobjs ; \
                   OBJS= ; export OBJS ; \
                   for obj in `ar t lib$$i.a` ; do \
                     OBJS="$${OBJS} `grep $$obj allobjs`" ; \
                   done ; \
-                  set -x; ${CC} ${SHARED_LDFLAGS} \
-                        -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+                  set -x; LD_LIBRARY_PATH=.:$$LD_LIBRARY_PATH \
+                        ${CC} ${SHARED_LDFLAGS} \
+                        $${SHARE_FLAG} -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
                         -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
                         $${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
-                libs="$$libs -l$$i"; \
+                libs="-l$$i $$libs"; \
                 done; \
         fi
 
@@ -408,11 +452,14 @@ do_irix-shared:
                 $(MAKE) do_gnu-shared; \
         else \
                 libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+                if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
+                        libs="$(LIBKRB5) $$libs"; \
+                fi; \
                 ( set -x; ${CC} ${SHARED_LDFLAGS} \
                         -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
                         -Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
                         -all lib$$i.a $$libs ${EX_LIBS} -lc) || exit 1; \
-                libs="$$libs -l$$i"; \
+                libs="-l$$i $$libs"; \
                 done; \
         fi
 
@@ -429,6 +476,9 @@ do_irix-shared:
 #
 do_hpux-shared:
         for i in ${SHLIBDIRS}; do \
+        if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
+                libs="$(LIBKRB5) $$libs"; \
+        fi; \
         ( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
                 +vnocompatwarnings \
                 -b -z +s \
@@ -449,6 +499,9 @@ do_hpux-shared:
 #
 do_hpux64-shared:
         for i in ${SHLIBDIRS}; do \
+        if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
+                libs="$(LIBKRB5) $$libs"; \
+        fi; \
         ( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
                 -b -z \
                 -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
@@ -491,17 +544,24 @@ SHAREDFLAGS=${SHARED_LDFLAGS} -G -bE:lib$$i.exp -bM:SRE
 SHAREDCMD=$(CC)
 do_aix-shared:
         libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+        if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
+                libs="$(LIBKRB5) $$libs"; \
+        fi; \
         ( set -x; \
-          ld -r -o $$i.o $(ALLSYMSFLAG) lib$$i.a && \
+          ld -r -o lib$$i.o $(ALLSYMSFLAG) lib$$i.a && \
           ( nm -Pg lib$$i.o | grep ' [BD] ' | cut -f1 -d' ' > lib$$i.exp; \
-            $(SHAREDCMD) $(SHAREDFLAG) -o lib$$i.so lib$$i.o \
+            $(SHAREDCMD) $(SHAREDFLAGS) \
+                -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} lib$$i.o \
                 $$libs ${EX_LIBS} ) ) \
         || exit 1; \
-        libs="$$libs -l$$i"; \
+        libs="-l$$i $$libs"; \
         done
 
 do_reliantunix-shared:
         libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+        if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
+                libs="$(LIBKRB5) $$libs"; \
+        fi; \
         tmpdir=/tmp/openssl.$$$$ ; rm -rf $$tmpdir ; \
         ( set -x; \
           ( Opwd=`pwd` ; mkdir $$tmpdir || exit 1; \
@@ -511,19 +571,32 @@ do_reliantunix-shared:
           cp $$tmpdir/lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} . ; \
         ) || exit 1; \
         rm -rf $$tmpdir ; \
-        libs="$$libs -l$$i"; \
+        libs="-l$$i $$libs"; \
         done
 
+openssl.pc: Makefile.ssl
+        @ ( echo 'prefix=$(INSTALLTOP)'; \
+            echo 'exec_prefix=$${prefix}'; \
+            echo 'libdir=$${exec_prefix}/lib'; \
+            echo 'includedir=$${prefix}/include'; \
+            echo ''; \
+            echo 'Name: OpenSSL'; \
+            echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
+            echo 'Version: '$(VERSION); \
+            echo 'Requires: '; \
+            echo 'Libs: -L$${libdir} -lssl -lcrypto $(LIBKRB5) $(EX_LIBS)'; \
+            echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
+
 Makefile.ssl: Makefile.org
         @echo "Makefile.ssl is older than Makefile.org."
         @echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
         @false
 
 libclean:
-        rm -f *.a */lib */*/lib
+        rm -f *.map *.so *.so.* engines/*.so *.a */lib */*/lib
 
-clean:
-        rm -f shlib/*.o *.o core a.out fluff *.map rehash.time testlog make.log cctest cctest.c
+clean:  libclean
+        rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
         @for i in $(DIRS) ;\
         do \
         if [ -d "$$i" ]; then \
@@ -532,7 +605,8 @@ clean:
                 rm -f $(LIBS); \
         fi; \
         done;
-        rm -f *.a *.o speed.* *.map *.so .pure core
+        rm -f openssl.pc
+        rm -f speed.* .pure
         rm -f $(TARFILE)
         @for i in $(ONEDIRS) ;\
         do \
@@ -582,8 +656,12 @@ rehash: rehash.time
 rehash.time: certs
         @(OPENSSL="`pwd`/apps/openssl"; OPENSSL_DEBUG_MEMORY=on; \
                 export OPENSSL OPENSSL_DEBUG_MEMORY; \
-                LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
-                export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH; \
+                LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
+                DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
+                SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
+                LIBPATH="`pwd`:$$LIBPATH"; \
+                if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
+                export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
                 $(PERL) tools/c_rehash certs)
         touch rehash.time
 
@@ -592,9 +670,13 @@ test:   tests
 tests: rehash
         @(cd test && echo "testing..." && \
         $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
-        @LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
-                export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH; \
-                apps/openssl version -a
+        @LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
+        DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
+        SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
+        LIBPATH="`pwd`:$$LIBPATH"; \
+        if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
+        export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
+        apps/openssl version -a
 
 report:
         @$(PERL) util/selftest.pl
@@ -656,6 +738,9 @@ update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_
 # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
 # tar does not support the --files-from option.
 tar:
+        find . -type d -print | xargs chmod 755
+        find . -type f -print | xargs chmod a+r
+        find . -type f -perm -0100 -print | xargs chmod a+x
         find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \
         $(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
         tardy --user_number=0  --user_name=openssl \
@@ -685,6 +770,7 @@ dist_pem_h:
 install: all install_docs
         @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
                 $(INSTALL_PREFIX)$(INSTALLTOP)/lib \
+                $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \
                 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
                 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
                 $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
@@ -706,9 +792,10 @@ install: all install_docs
         do \
                 if [ -f "$$i" ]; then \
                 (       echo installing $$i; \
-                        cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
-                        $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
-                        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
+                        cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+                        $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+                        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+                        mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
                 fi; \
         done;
         @if [ -n "$(SHARED_LIBS)" ]; then \
@@ -718,14 +805,17 @@ install: all install_docs
                         if [ -f "$$i" -o -f "$$i.a" ]; then \
                         (       echo installing $$i; \
                                 if [ "$(PLATFORM)" != "Cygwin" ]; then \
-                                        cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
-                                        chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+                                        cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+                                        chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+                                        mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
                                 else \
-                                        c=`echo $$i | sed 's/^lib/cyg/'`; \
-                                        cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-                                        chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-                                        cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
-                                        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
+                                        c=`echo $$i | sed 's/^lib\(.*\)\.dll/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
+                                        cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
+                                        chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
+                                        mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
+                                        cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
+                                        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
+                                        mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
                                 fi ); \
                         fi; \
                 done; \
@@ -733,7 +823,14 @@ install: all install_docs
                         cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
                         set $(MAKE); \
                         $$1 -f $$here/Makefile link-shared ); \
+                if [ "$(INSTALLTOP)" != "/usr" ]; then \
+                        echo 'OpenSSL shared libraries have been installed in:'; \
+                        echo '  $(INSTALLTOP)'; \
+                        echo ''; \
+                        sed -e '1,/^$$/d' doc/openssl-shared.txt; \
+                fi; \
         fi
+        cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
 
 install_docs:
         @$(PERL) $(TOP)/util/mkdir-p.pl \
@@ -742,25 +839,42 @@ install_docs:
                 $(INSTALL_PREFIX)$(MANDIR)/man5 \
                 $(INSTALL_PREFIX)$(MANDIR)/man7
         @pod2man="`cd util; ./pod2mantest $(PERL)`"; \
+        here="`pwd`"; \
+        filecase=; \
+        if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" ]; then \
+                filecase=-i; \
+        fi; \
         for i in doc/apps/*.pod; do \
                 fn=`basename $$i .pod`; \
                 if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
-                echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
+                echo "installing man$$sec/$$fn.$$sec"; \
                 (cd `$(PERL) util/dirname.pl $$i`; \
                 sh -c "$$pod2man \
                         --section=$$sec --center=OpenSSL \
                         --release=$(VERSION) `basename $$i`") \
-                        >  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
+                        >  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \
+                $(PERL) util/extract-names.pl < $$i | \
+                        grep -v $$filecase "^$$fn\$$" | \
+                        (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
+                         while read n; do \
+                                $$here/util/point.sh $$fn.$$sec $$n.$$sec; \
+                         done); \
         done; \
         for i in doc/crypto/*.pod doc/ssl/*.pod; do \
                 fn=`basename $$i .pod`; \
                 if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
-                echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
+                echo "installing man$$sec/$$fn.$$sec"; \
                 (cd `$(PERL) util/dirname.pl $$i`; \
                 sh -c "$$pod2man \
                         --section=$$sec --center=OpenSSL \
                         --release=$(VERSION) `basename $$i`") \
-                        >  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
+                        >  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \
+                $(PERL) util/extract-names.pl < $$i | \
+                        grep -v $$filecase "^$$fn\$$" | \
+                        (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
+                         while read n; do \
+                                $$here/util/point.sh $$fn.$$sec $$n.$$sec; \
+                         done); \
         done
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/src/lib/libssl/src/NEWS b/src/lib/libssl/src/NEWS
index 418b3b0505..dce63f0549 100644
--- a/src/lib/libssl/src/NEWS
+++ b/src/lib/libssl/src/NEWS
@@ -5,6 +5,28 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b:
+
+      o Security: counter the Klima-Pokorny-Rosa extension of
+        Bleichbacher's attack 
+      o Security: make RSA blinding default.
+      o Configuration: Irix fixes, AIX fixes, better mingw support.
+      o Support for new platforms: linux-ia64-ecc.
+      o Build: shared library support fixes.
+      o ASN.1: treat domainComponent correctly.
+      o Documentation: fixes and additions.
+
+  Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a:
+
+      o Security: Important security related bugfixes.
+      o Enhanced compatibility with MIT Kerberos.
+      o Can be built without the ENGINE framework.
+      o IA32 assembler enhancements.
+      o Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64.
+      o Configuration: the no-err option now works properly.
+      o SSL/TLS: now handles manual certificate chain building.
+      o SSL/TLS: certain session ID malfunctions corrected.
+
   Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7:
 
       o New library section OCSP.
@@ -17,6 +39,15 @@
         a separate distribution.
       o New elliptic curve library section.
       o New AES (Rijndael) library section.
+      o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit,
+        Linux x86_64, Linux 64-bit on Sparc v9
+      o Extended support for some platforms: VxWorks
+      o Enhanced support for shared libraries.
+      o Now only builds PIC code when shared library support is requested.
+      o Support for pkg-config.
+      o Lots of new manuals.
+      o Makes symbolic links to or copies of manuals to cover all described
+        functions.
       o Change DES API to clean up the namespace (some applications link also
         against libdes providing similar functions having the same name).
         Provide macros for backward compatibility (will be removed in the
@@ -30,16 +61,43 @@
       o Reworked parts of the BIGNUM code.
       o Support for new engines: Broadcom ubsec, Accelerated Encryption
         Processing, IBM 4758.
+      o A few new engines added in the demos area.
       o Extended and corrected OID (object identifier) table.
       o PRNG: query at more locations for a random device, automatic query for
         EGD style random sources at several locations.
       o SSL/TLS: allow optional cipher choice according to server's preference.
       o SSL/TLS: allow server to explicitly set new session ids.
       o SSL/TLS: support Kerberos cipher suites (RFC2712).
+        Only supports MIT Kerberos for now.
       o SSL/TLS: allow more precise control of renegotiations and sessions.
       o SSL/TLS: add callback to retrieve SSL/TLS messages.
       o SSL/TLS: support AES cipher suites (RFC3268).
 
+  Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j:
+
+      o Security: counter the Klima-Pokorny-Rosa extension of
+        Bleichbacher's attack 
+      o Security: make RSA blinding default.
+      o Build: shared library support fixes.
+
+  Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i:
+
+      o Important security related bugfixes.
+
+  Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h:
+
+      o New configuration targets for Tandem OSS and A/UX.
+      o New OIDs for Microsoft attributes.
+      o Better handling of SSL session caching.
+      o Better comparison of distinguished names.
+      o Better handling of shared libraries in a mixed GNU/non-GNU environment.
+      o Support assembler code with Borland C.
+      o Fixes for length problems.
+      o Fixes for uninitialised variables.
+      o Fixes for memory leaks, some unusual crashes and some race conditions.
+      o Fixes for smaller building problems.
+      o Updates of manuals, FAQ and other instructive documents.
+
   Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g:
 
       o Important building fixes on Unix.
diff --git a/src/lib/libssl/src/README b/src/lib/libssl/src/README
index 4228e145f9..3af69bfdb5 100644
--- a/src/lib/libssl/src/README
+++ b/src/lib/libssl/src/README
@@ -1,7 +1,7 @@
 
- OpenSSL 0.9.7-beta3 30 Jul 2002
+ OpenSSL 0.9.7b 10 Apr 2003
 
- Copyright (c) 1998-2002 The OpenSSL Project
+ Copyright (c) 1998-2003 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
  All rights reserved.
 
diff --git a/src/lib/libssl/src/apps/Makefile.ssl b/src/lib/libssl/src/apps/Makefile.ssl
index bb66ebbd60..7068286204 100644
--- a/src/lib/libssl/src/apps/Makefile.ssl
+++ b/src/lib/libssl/src/apps/Makefile.ssl
@@ -87,6 +87,7 @@ all:	exe
 exe:    $(PROGRAM)
 
 req: sreq.o $(A_OBJ) $(DLIBCRYPTO)
+        LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
         $(CC) -o req $(CFLAG) sreq.o $(A_OBJ) $(RAND_OBJ) $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
 
 sreq.o: req.c 
@@ -99,17 +100,20 @@ install:
         @for i in $(EXE); \
         do  \
         (echo installing $$i; \
-         cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
-         chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+         cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+         chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+         mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
          done;
         @for i in $(SCRIPTS); \
         do  \
         (echo installing $$i; \
-         cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i; \
-         chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
+         cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
+         chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
+         mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
          done
-        @cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR); \
-        chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
+        @cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+        chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+        mv -f  $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
 
 tags:
         ctags $(SRC)
@@ -123,7 +127,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(SRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -134,21 +138,26 @@ clean:
         rm -f req
 
 $(DLIBSSL):
-        (cd ../ssl; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}')
+        (cd ..; $(MAKE) DIRS=ssl all)
 
 $(DLIBCRYPTO):
-        (cd ../crypto; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}')
+        (cd ..; $(MAKE) DIRS=crypto all)
 
 $(PROGRAM): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
         $(RM) $(PROGRAM)
-        if [ "$(SHLIB_TARGET)" = "hpux-shared" ] ; then \
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
           $(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \
         else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
           $(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \
         fi
         -(cd ..; OPENSSL="`pwd`/apps/openssl"; export OPENSSL; \
-                LIBPATH="`pwd`"; LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; \
-                export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH; \
+                LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
+                DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
+                SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
+                LIBPATH="`pwd`:$$LIBPATH"; \
+                if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
+                export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
                 $(PERL) tools/c_rehash certs)
 
 progs.h: progs.pl
@@ -762,30 +771,30 @@ rand.o: ../include/openssl/sha.h ../include/openssl/stack.h
 rand.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
 rand.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h rand.c
-req.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-req.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-req.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-req.o: ../include/openssl/cast.h ../include/openssl/conf.h
-req.o: ../include/openssl/crypto.h ../include/openssl/des.h
-req.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-req.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-req.o: ../include/openssl/engine.h ../include/openssl/err.h
-req.o: ../include/openssl/evp.h ../include/openssl/idea.h
-req.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-req.o: ../include/openssl/md4.h ../include/openssl/md5.h
-req.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-req.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-req.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-req.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-req.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-req.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-req.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-req.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-req.o: ../include/openssl/sha.h ../include/openssl/stack.h
-req.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-req.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-req.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-req.o: ../include/openssl/x509v3.h apps.h req.c
+req.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h
+req.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+req.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+req.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+req.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+req.o: ../include/openssl/des.h ../include/openssl/des_old.h
+req.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+req.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+req.o: ../include/openssl/err.h ../include/openssl/evp.h
+req.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+req.o: ../include/openssl/md2.h ../include/openssl/md4.h
+req.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+req.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+req.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+req.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+req.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+req.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+req.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+req.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+req.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+req.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+req.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+req.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+req.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h req.c
 rsa.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 rsa.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 rsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
diff --git a/src/lib/libssl/src/apps/apps.c b/src/lib/libssl/src/apps/apps.c
index 1a24b1c596..c4dfafd778 100644
--- a/src/lib/libssl/src/apps/apps.c
+++ b/src/lib/libssl/src/apps/apps.c
@@ -114,9 +114,7 @@
 #include <string.h>
 #include <sys/types.h>
 #include <sys/stat.h>
-#define NON_MAIN
-#include "apps.h"
-#undef NON_MAIN
+#include <ctype.h>
 #include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -124,7 +122,9 @@
 #include <openssl/pkcs12.h>
 #include <openssl/ui.h>
 #include <openssl/safestack.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 
 #ifdef OPENSSL_SYS_WINDOWS
 #define strcasecmp _stricmp
@@ -136,9 +136,9 @@
 #  endif /* NO_STRINGS_H */
 #endif
 
-#ifdef OPENSSL_SYS_WINDOWS
-#  include "bss_file.c"
-#endif
+#define NON_MAIN
+#include "apps.h"
+#undef NON_MAIN
 
 typedef struct {
         char *name;
@@ -335,8 +335,7 @@ void program_name(char *in, char *out, int size)
                 p++;
         else
                 p=in;
-        strncpy(out,p,size-1);
-        out[size-1]='\0';
+        BUF_strlcpy(out,p,size);
         }
 #endif
 #endif
@@ -344,6 +343,7 @@ void program_name(char *in, char *out, int size)
 #ifdef OPENSSL_SYS_WIN32
 int WIN32_rename(char *from, char *to)
         {
+#ifndef OPENSSL_SYS_WINCE
         /* Windows rename gives an error if 'to' exists, so delete it
          * first and ignore file not found errror
          */
@@ -351,6 +351,46 @@ int WIN32_rename(char *from, char *to)
                 return -1;
 #undef rename
         return rename(from, to);
+#else
+        /* convert strings to UNICODE */
+        {
+        BOOL result = FALSE;
+        WCHAR* wfrom;
+        WCHAR* wto;
+        int i;
+        wfrom = malloc((strlen(from)+1)*2);
+        wto = malloc((strlen(to)+1)*2);
+        if (wfrom != NULL && wto != NULL)
+                {
+                for (i=0; i<(int)strlen(from)+1; i++)
+                        wfrom[i] = (short)from[i];
+                for (i=0; i<(int)strlen(to)+1; i++)
+                        wto[i] = (short)to[i];
+                result = MoveFile(wfrom, wto);
+                }
+        if (wfrom != NULL)
+                free(wfrom);
+        if (wto != NULL)
+                free(wto);
+        return result;
+        }
+#endif
+        }
+#endif
+
+#ifdef OPENSSL_SYS_VMS
+int VMS_strcasecmp(const char *str1, const char *str2)
+        {
+        while (*str1 && *str2)
+                {
+                int res = toupper(*str1) - toupper(*str2);
+                if (res) return res < 0 ? -1 : 1;
+                }
+        if (*str1)
+                return 1;
+        if (*str2)
+                return -1;
+        return 0;
         }
 #endif
 
@@ -429,16 +469,20 @@ int app_init(long mesgwin)
 
 int dump_cert_text (BIO *out, X509 *x)
 {
-        char buf[256];
-        X509_NAME_oneline(X509_get_subject_name(x),buf,256);
+        char *p;
+
+        p=X509_NAME_oneline(X509_get_subject_name(x),NULL,0);
         BIO_puts(out,"subject=");
-        BIO_puts(out,buf);
+        BIO_puts(out,p);
+        OPENSSL_free(p);
 
-        X509_NAME_oneline(X509_get_issuer_name(x),buf,256);
-        BIO_puts(out,"\nissuer= ");
-        BIO_puts(out,buf);
+        p=X509_NAME_oneline(X509_get_issuer_name(x),NULL,0);
+        BIO_puts(out,"\nissuer=");
+        BIO_puts(out,p);
         BIO_puts(out,"\n");
-        return 0;
+        OPENSSL_free(p);
+
+        return 0;
 }
 
 static int ui_open(UI *ui)
@@ -569,7 +613,7 @@ int password_callback(char *buf, int bufsiz, int verify,
 
                 if (buff)
                         {
-                        memset(buff,0,(unsigned int)bufsiz);
+                        OPENSSL_cleanse(buff,(unsigned int)bufsiz);
                         OPENSSL_free(buff);
                         }
 
@@ -579,13 +623,13 @@ int password_callback(char *buf, int bufsiz, int verify,
                         {
                         BIO_printf(bio_err, "User interface error\n");
                         ERR_print_errors(bio_err);
-                        memset(buf,0,(unsigned int)bufsiz);
+                        OPENSSL_cleanse(buf,(unsigned int)bufsiz);
                         res = 0;
                         }
                 if (ok == -2)
                         {
                         BIO_printf(bio_err,"aborted!\n");
-                        memset(buf,0,(unsigned int)bufsiz);
+                        OPENSSL_cleanse(buf,(unsigned int)bufsiz);
                         res = 0;
                         }
                 UI_free(ui);
@@ -813,6 +857,7 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
                 BIO_printf(err,"no keyfile specified\n");
                 goto end;
                 }
+#ifndef OPENSSL_NO_ENGINE
         if (format == FORMAT_ENGINE)
                 {
                 if (!e)
@@ -822,6 +867,7 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
                                 ui_method, &cb_data);
                 goto end;
                 }
+#endif
         key=BIO_new(BIO_s_file());
         if (key == NULL)
                 {
@@ -889,6 +935,7 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
                 BIO_printf(err,"no keyfile specified\n");
                 goto end;
                 }
+#ifndef OPENSSL_NO_ENGINE
         if (format == FORMAT_ENGINE)
                 {
                 if (!e)
@@ -898,6 +945,7 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
                                 ui_method, &cb_data);
                 goto end;
                 }
+#endif
         key=BIO_new(BIO_s_file());
         if (key == NULL)
                 {
@@ -960,7 +1008,7 @@ load_netscape_key(BIO *err, BIO *key, const char *file,
                 goto error;
         for (;;)
                 {
-                if (!BUF_MEM_grow(buf,size+1024*10))
+                if (!BUF_MEM_grow_clean(buf,size+1024*10))
                         goto error;
                 i = BIO_read(key, &(buf->data[size]), 1024*10);
                 size += i;
@@ -1235,6 +1283,7 @@ void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags)
         char *buf;
         char mline = 0;
         int indent = 0;
+
         if(title) BIO_puts(out, title);
         if((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
                 mline = 1;
@@ -1282,6 +1331,7 @@ X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath)
         return NULL;
 }
 
+#ifndef OPENSSL_NO_ENGINE
 /* Try to load an engine in a shareable library */
 static ENGINE *try_load_engine(BIO *err, const char *engine, int debug)
         {
@@ -1338,6 +1388,7 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug)
                 }
         return e;
         }
+#endif
 
 int load_config(BIO *err, CONF *cnf)
         {
@@ -1356,3 +1407,20 @@ int load_config(BIO *err, CONF *cnf)
                 }
         return 1;
         }
+
+char *make_config_name()
+        {
+        const char *t=X509_get_default_cert_area();
+        size_t len;
+        char *p;
+
+        len=strlen(t)+strlen(OPENSSL_CONF)+2;
+        p=OPENSSL_malloc(len);
+        strlcpy(p,t,len);
+#ifndef OPENSSL_SYS_VMS
+        strlcat(p,"/",len);
+#endif
+        strlcat(p,OPENSSL_CONF,len);
+
+        return p;
+        }
diff --git a/src/lib/libssl/src/apps/apps.h b/src/lib/libssl/src/apps/apps.h
index 32a79605ee..c36b9d2566 100644
--- a/src/lib/libssl/src/apps/apps.h
+++ b/src/lib/libssl/src/apps/apps.h
@@ -121,7 +121,9 @@
 #include <openssl/lhash.h>
 #include <openssl/conf.h>
 #include <openssl/txt_db.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 #include <openssl/ossl_typ.h>
 
 int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn);
@@ -139,13 +141,21 @@ long app_RAND_load_files(char *file); /* `file' is a list of files to read,
 int WIN32_rename(char *oldname,char *newname);
 #endif
 
+/* VMS below version 7.0 doesn't have strcasecmp() */
+#ifdef OPENSSL_SYS_VMS
+#define strcasecmp(str1,str2) VMS_strcasecmp((str1),(str2))
+int VMS_strcasecmp(const char *str1, const char *str2);
+#endif
+
 #ifndef MONOLITH
 
 #define MAIN(a,v)       main(a,v)
 
 #ifndef NON_MAIN
+CONF *config=NULL;
 BIO *bio_err=NULL;
 #else
+extern CONF *config;
 extern BIO *bio_err;
 #endif
 
@@ -171,30 +181,57 @@ extern BIO *bio_err;
                 do_pipe_sig()
 #  define apps_shutdown()
 #else
-#  if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \
-   defined(OPENSSL_SYS_WIN32)
-#    ifdef _O_BINARY
-#      define apps_startup() \
-                do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \
-                ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
-                ENGINE_load_builtin_engines(); setup_ui_method(); } while(0)
+#  ifndef OPENSSL_NO_ENGINE
+#    if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \
+     defined(OPENSSL_SYS_WIN32)
+#      ifdef _O_BINARY
+#        define apps_startup() \
+                        do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \
+                        ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
+                        ENGINE_load_builtin_engines(); setup_ui_method(); } while(0)
+#      else
+#        define apps_startup() \
+                        do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \
+                        ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
+                        ENGINE_load_builtin_engines(); setup_ui_method(); } while(0)
+#      endif
 #    else
 #      define apps_startup() \
-                do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \
-                ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
-                ENGINE_load_builtin_engines(); setup_ui_method(); } while(0)
+                        do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \
+                        ERR_load_crypto_strings(); ENGINE_load_builtin_engines(); \
+                        setup_ui_method(); } while(0)
 #    endif
+#    define apps_shutdown() \
+                        do { CONF_modules_unload(1); destroy_ui_method(); \
+                        EVP_cleanup(); ENGINE_cleanup(); \
+                        CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \
+                        ERR_free_strings(); } while(0)
 #  else
-#    define apps_startup() \
-                do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \
-                ERR_load_crypto_strings(); ENGINE_load_builtin_engines(); \
-                setup_ui_method(); } while(0)
+#    if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \
+     defined(OPENSSL_SYS_WIN32)
+#      ifdef _O_BINARY
+#        define apps_startup() \
+                        do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \
+                        ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
+                        setup_ui_method(); } while(0)
+#      else
+#        define apps_startup() \
+                        do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \
+                        ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
+                        setup_ui_method(); } while(0)
+#      endif
+#    else
+#      define apps_startup() \
+                        do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \
+                        ERR_load_crypto_strings(); \
+                        setup_ui_method(); } while(0)
+#    endif
+#    define apps_shutdown() \
+                        do { CONF_modules_unload(1); destroy_ui_method(); \
+                        EVP_cleanup(); \
+                        CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \
+                        ERR_free_strings(); } while(0)
 #  endif
-#  define apps_shutdown() \
-                do { CONF_modules_unload(1); destroy_ui_method(); \
-                EVP_cleanup(); ENGINE_cleanup(); \
-                CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \
-                ERR_free_strings(); } while(0)
 #endif
 
 typedef struct args_st
@@ -240,9 +277,12 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
 STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
         const char *pass, ENGINE *e, const char *cert_descrip);
 X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
+#ifndef OPENSSL_NO_ENGINE
 ENGINE *setup_engine(BIO *err, const char *engine, int debug);
+#endif
 
 int load_config(BIO *err, CONF *cnf);
+char *make_config_name(void);
 
 /* Functions defined in ca.c and also used in ocsp.c */
 int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
diff --git a/src/lib/libssl/src/apps/asn1pars.c b/src/lib/libssl/src/apps/asn1pars.c
index 8f178db851..8367415405 100644
--- a/src/lib/libssl/src/apps/asn1pars.c
+++ b/src/lib/libssl/src/apps/asn1pars.c
@@ -332,6 +332,6 @@ end:
         if (osk != NULL) sk_free(osk);
         OBJ_cleanup();
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 
diff --git a/src/lib/libssl/src/apps/ca.c b/src/lib/libssl/src/apps/ca.c
index 60bc4e5191..6c6d3f0d26 100644
--- a/src/lib/libssl/src/apps/ca.c
+++ b/src/lib/libssl/src/apps/ca.c
@@ -64,7 +64,6 @@
 #include <ctype.h>
 #include <sys/types.h>
 #include <sys/stat.h>
-#include "apps.h"
 #include <openssl/conf.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
@@ -94,11 +93,13 @@
 #    else
 #      include <unixlib.h>
 #    endif
-#  elif !defined(OPENSSL_SYS_VXWORKS)
+#  elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS)
 #    include <sys/file.h>
 #  endif
 #endif
 
+#include "apps.h"
+
 #ifndef W_OK
 #  define F_OK 0
 #  define X_OK 1
@@ -195,7 +196,9 @@ static char *ca_usage[]={
 " -extensions ..  - Extension section (override value in config file)\n",
 " -extfile file   - Configuration file with X509v3 extentions to add\n",
 " -crlexts ..     - CRL extension section (override value in config file)\n",
+#ifndef OPENSSL_NO_ENGINE
 " -engine e       - use engine e, possibly a hardware device.\n",
+#endif
 " -status serial  - Shows certificate status given the serial number\n",
 " -updatedb       - Updates db for expired certificates\n",
 NULL
@@ -332,7 +335,10 @@ int MAIN(int argc, char **argv)
 #define BSIZE 256
         MS_STATIC char buf[3][BSIZE];
         char *randfile=NULL;
+#ifndef OPENSSL_NO_ENGINE
         char *engine = NULL;
+#endif
+        char *tofree=NULL;
 
 #ifdef EFENCE
 EF_PROTECT_FREE=1;
@@ -535,11 +541,13 @@ EF_ALIGNMENT=0;
                         rev_arg = *(++argv);
                         rev_type = REV_CA_COMPROMISE;
                         }
+#ifndef OPENSSL_NO_ENGINE
                 else if (strcmp(*argv,"-engine") == 0)
                         {
                         if (--argc < 1) goto bad;
                         engine= *(++argv);
                         }
+#endif
                 else
                         {
 bad:
@@ -560,25 +568,31 @@ bad:
 
         ERR_load_crypto_strings();
 
-        e = setup_engine(bio_err, engine, 0);
+#ifndef OPENSSL_NO_ENGINE
+        e = setup_engine(bio_err, engine, 0);
+#endif
 
         /*****************************************************************/
+        tofree=NULL;
         if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
         if (configfile == NULL) configfile = getenv("SSLEAY_CONF");
         if (configfile == NULL)
                 {
-                /* We will just use 'buf[0]' as a temporary buffer.  */
+                const char *s=X509_get_default_cert_area();
+                size_t len;
+
 #ifdef OPENSSL_SYS_VMS
-                strncpy(buf[0],X509_get_default_cert_area(),
-                        sizeof(buf[0])-1-sizeof(CONFIG_FILE));
+                len = strlen(s)+sizeof(CONFIG_FILE);
+                tofree=OPENSSL_malloc(len);
+                strcpy(tofree,s);
 #else
-                strncpy(buf[0],X509_get_default_cert_area(),
-                        sizeof(buf[0])-2-sizeof(CONFIG_FILE));
-                buf[0][sizeof(buf[0])-2-sizeof(CONFIG_FILE)]='\0';
-                strlcat(buf[0],"/",sizeof(buf[0]));
+                len = strlen(s)+sizeof(CONFIG_FILE)+1;
+                tofree=OPENSSL_malloc(len);
+                strlcpy(tofree,s,len);
+                strlcat(tofree,"/",len);
 #endif
-                strlcat(buf[0],CONFIG_FILE,sizeof(buf[0]));
-                configfile=buf[0];
+                strlcat(tofree,CONFIG_FILE,len);
+                configfile=tofree;
                 }
 
         BIO_printf(bio_err,"Using configuration from %s\n",configfile);
@@ -593,6 +607,11 @@ bad:
                                 ,errorline,configfile);
                 goto err;
                 }
+        if(tofree)
+                {
+                OPENSSL_free(tofree);
+                tofree = NULL;
+                }
 
         if (!load_config(bio_err, conf))
                 goto err;
@@ -701,7 +720,7 @@ bad:
                 }
         pkey = load_key(bio_err, keyfile, keyform, 0, key, e, 
                 "CA private key");
-        if (key) memset(key,0,strlen(key));
+        if (key) OPENSSL_cleanse(key,strlen(key));
         if (pkey == NULL)
                 {
                 /* load_key() has already printed an appropriate message */
@@ -1158,9 +1177,14 @@ bad:
                         }
                 if (verbose)
                         {
-                        if ((f=BN_bn2hex(serial)) == NULL) goto err;
-                        BIO_printf(bio_err,"next serial number is %s\n",f);
-                        OPENSSL_free(f);
+                        if (BN_is_zero(serial))
+                                BIO_printf(bio_err,"next serial number is 00\n");
+                        else
+                                {
+                                if ((f=BN_bn2hex(serial)) == NULL) goto err;
+                                BIO_printf(bio_err,"next serial number is %s\n",f);
+                                OPENSSL_free(f);
+                                }
                         }
 
                 if ((attribs=NCONF_get_section(conf,policy)) == NULL)
@@ -1280,8 +1304,13 @@ bad:
 
                         BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk));
 
-                        strncpy(buf[0],serialfile,BSIZE-4);
-                        buf[0][BSIZE-4]='\0';
+                        if(strlen(serialfile) > BSIZE-5 || strlen(dbfile) > BSIZE-5)
+                                {
+                                BIO_printf(bio_err,"file name too long\n");
+                                goto err;
+                                }
+
+                        strcpy(buf[0],serialfile);
 
 #ifdef OPENSSL_SYS_VMS
                         strcat(buf[0],"-new");
@@ -1291,8 +1320,7 @@ bad:
 
                         if (!save_serial(buf[0],serial)) goto err;
 
-                        strncpy(buf[1],dbfile,BSIZE-4);
-                        buf[1][BSIZE-4]='\0';
+                        strcpy(buf[1],dbfile);
 
 #ifdef OPENSSL_SYS_VMS
                         strcat(buf[1],"-new");
@@ -1322,8 +1350,13 @@ bad:
                         j=x->cert_info->serialNumber->length;
                         p=(char *)x->cert_info->serialNumber->data;
                         
-                        strncpy(buf[2],outdir,BSIZE-(j*2)-6);
-                        buf[2][BSIZE-(j*2)-6]='\0';
+                        if(strlen(outdir) >= (size_t)(j ? BSIZE-j*2-6 : BSIZE-8))
+                                {
+                                BIO_printf(bio_err,"certificate file name too long\n");
+                                goto err;
+                                }
+
+                        strcpy(buf[2],outdir);
 
 #ifndef OPENSSL_SYS_VMS
                         strlcat(buf[2],"/",sizeof(buf[2]));
@@ -1561,8 +1594,13 @@ bad:
                         if (j <= 0) goto err;
                         X509_free(revcert);
 
-                        strncpy(buf[0],dbfile,BSIZE-4);
-                        buf[0][BSIZE-4]='\0';
+                        if(strlen(dbfile) > BSIZE-5)
+                                {
+                                BIO_printf(bio_err,"filename too long\n");
+                                goto err;
+                                }
+
+                        strcpy(buf[0],dbfile);
 #ifndef OPENSSL_SYS_VMS
                         strlcat(buf[0],".new",sizeof(buf[0]));
 #else
@@ -1606,16 +1644,19 @@ bad:
         /*****************************************************************/
         ret=0;
 err:
+        if(tofree)
+                OPENSSL_free(tofree);
         BIO_free_all(Cout);
         BIO_free_all(Sout);
         BIO_free_all(out);
         BIO_free_all(in);
 
-        sk_X509_pop_free(cert_sk,X509_free);
+        if (cert_sk)
+                sk_X509_pop_free(cert_sk,X509_free);
 
         if (ret) ERR_print_errors(bio_err);
         app_RAND_write_file(randfile, bio_err);
-        if (free_key)
+        if (free_key && key)
                 OPENSSL_free(key);
         BN_free(serial);
         TXT_DB_free(db);
@@ -1625,7 +1666,7 @@ err:
         NCONF_free(conf);
         OBJ_cleanup();
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 
 static void lookup_fail(char *name, char *tag)
@@ -1690,7 +1731,7 @@ static BIGNUM *load_serial(char *serialfile)
         ret=ASN1_INTEGER_to_BN(ai,NULL);
         if (ret == NULL)
                 {
-                BIO_printf(bio_err,"error converting number from bin to BIGNUM");
+                BIO_printf(bio_err,"error converting number from bin to BIGNUM\n");
                 goto err;
                 }
 err:
@@ -2093,7 +2134,10 @@ again2:
                         }
                 }
 
-        row[DB_serial]=BN_bn2hex(serial);
+        if (BN_is_zero(serial))
+                row[DB_serial]=BUF_strdup("00");
+        else
+                row[DB_serial]=BN_bn2hex(serial);
         if (row[DB_serial] == NULL)
                 {
                 BIO_printf(bio_err,"Memory allocation failure\n");
@@ -2156,7 +2200,7 @@ again2:
 
 #ifdef X509_V3
         /* Make it an X509 v3 certificate. */
-        if (!X509_set_version(x509,2)) goto err;
+        if (!X509_set_version(ret,2)) goto err;
 #endif
 
         if (BN_to_ASN1_INTEGER(serial,ci->serialNumber) == NULL)
@@ -2577,7 +2621,10 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value)
                 row[i]=NULL;
         row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0);
         bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL);
-        row[DB_serial]=BN_bn2hex(bn);
+        if (BN_is_zero(bn))
+                row[DB_serial]=BUF_strdup("00");
+        else
+                row[DB_serial]=BN_bn2hex(bn);
         BN_free(bn);
         if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
                 {
@@ -3046,55 +3093,59 @@ X509_NAME *do_subject(char *subject, long chtype)
         sp++; /* skip leading / */
 
         while (*sp)
-        {
+                {
                 /* collect type */
                 ne_types[ne_num] = bp;
                 while (*sp)
-                {
+                        {
                         if (*sp == '\\') /* is there anything to escape in the type...? */
+                                {
                                 if (*++sp)
                                         *bp++ = *sp++;
                                 else
-                                {
+                                        {
                                         BIO_printf(bio_err, "escape character at end of string\n");
                                         goto error;
+                                        }
                                 }
                         else if (*sp == '=')
-                        {
+                                {
                                 sp++;
                                 *bp++ = '\0';
                                 break;
-                        }
+                                }
                         else
                                 *bp++ = *sp++;
-                }
+                        }
                 if (!*sp)
-                {
+                        {
                         BIO_printf(bio_err, "end of string encountered while processing type of subject name element #%d\n", ne_num);
                         goto error;
-                }
+                        }
                 ne_values[ne_num] = bp;
                 while (*sp)
-                {
+                        {
                         if (*sp == '\\')
+                                {
                                 if (*++sp)
                                         *bp++ = *sp++;
                                 else
-                                {
+                                        {
                                         BIO_printf(bio_err, "escape character at end of string\n");
                                         goto error;
+                                        }
                                 }
                         else if (*sp == '/')
-                        {
+                                {
                                 sp++;
                                 break;
-                        }
+                                }
                         else
                                 *bp++ = *sp++;
-                }
+                        }
                 *bp++ = '\0';
                 ne_num++;
-        }
+                }
 
         if (!(n = X509_NAME_new()))
                 goto error;
diff --git a/src/lib/libssl/src/apps/ciphers.c b/src/lib/libssl/src/apps/ciphers.c
index 2d6e104790..7c62fc5dc3 100644
--- a/src/lib/libssl/src/apps/ciphers.c
+++ b/src/lib/libssl/src/apps/ciphers.c
@@ -187,7 +187,7 @@ int MAIN(int argc, char **argv)
                         {
                         BIO_puts(STDout,SSL_CIPHER_description(
                                 sk_SSL_CIPHER_value(sk,i),
-                                buf,512));
+                                buf,sizeof buf));
                         }
                 }
 
@@ -203,6 +203,6 @@ end:
         if (ssl != NULL) SSL_free(ssl);
         if (STDout != NULL) BIO_free_all(STDout);
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 
diff --git a/src/lib/libssl/src/apps/crl.c b/src/lib/libssl/src/apps/crl.c
index 00946b4d20..81d66587c1 100644
--- a/src/lib/libssl/src/apps/crl.c
+++ b/src/lib/libssl/src/apps/crl.c
@@ -81,6 +81,7 @@ static char *crl_usage[]={
 " -in arg         - input file - default stdin\n",
 " -out arg        - output file - default stdout\n",
 " -hash           - print hash value\n",
+" -fingerprint    - print the crl fingerprint\n",
 " -issuer         - print issuer DN\n",
 " -lastupdate     - lastUpdate field\n",
 " -nextupdate     - nextUpdate field\n",
@@ -377,7 +378,7 @@ end:
                 X509_STORE_free(store);
         }
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 
 static X509_CRL *load_crl(char *infile, int format)
diff --git a/src/lib/libssl/src/apps/crl2p7.c b/src/lib/libssl/src/apps/crl2p7.c
index 8729068462..b2f2d121d5 100644
--- a/src/lib/libssl/src/apps/crl2p7.c
+++ b/src/lib/libssl/src/apps/crl2p7.c
@@ -280,7 +280,7 @@ end:
         if (crl != NULL) X509_CRL_free(crl);
 
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 
 /*
diff --git a/src/lib/libssl/src/apps/dgst.c b/src/lib/libssl/src/apps/dgst.c
index 18bdd56c62..71298b7524 100644
--- a/src/lib/libssl/src/apps/dgst.c
+++ b/src/lib/libssl/src/apps/dgst.c
@@ -100,7 +100,9 @@ int MAIN(int argc, char **argv)
         EVP_PKEY *sigkey = NULL;
         unsigned char *sigbuf = NULL;
         int siglen = 0;
+#ifndef OPENSSL_NO_ENGINE
         char *engine=NULL;
+#endif
 
         apps_startup();
 
@@ -117,7 +119,7 @@ int MAIN(int argc, char **argv)
                 goto end;
 
         /* first check the program name */
-        program_name(argv[0],pname,PROG_NAME_SIZE);
+        program_name(argv[0],pname,sizeof pname);
 
         md=EVP_get_digestbyname(pname);
 
@@ -166,11 +168,13 @@ int MAIN(int argc, char **argv)
                         if (--argc < 1) break;
                         keyform=str2fmt(*(++argv));
                         }
+#ifndef OPENSSL_NO_ENGINE
                 else if (strcmp(*argv,"-engine") == 0)
                         {
                         if (--argc < 1) break;
                         engine= *(++argv);
                         }
+#endif
                 else if (strcmp(*argv,"-hex") == 0)
                         out_bin = 0;
                 else if (strcmp(*argv,"-binary") == 0)
@@ -207,7 +211,10 @@ int MAIN(int argc, char **argv)
                 BIO_printf(bio_err,"-prverify file  verify a signature using private key in file\n");
                 BIO_printf(bio_err,"-keyform arg    key file format (PEM or ENGINE)\n");
                 BIO_printf(bio_err,"-signature file signature to verify\n");
+                BIO_printf(bio_err,"-binary         output in binary form\n");
+#ifndef OPENSSL_NO_ENGINE
                 BIO_printf(bio_err,"-engine e       use engine e, possibly a hardware device.\n");
+#endif
 
                 BIO_printf(bio_err,"-%3s to use the %s message digest algorithm (default)\n",
                         LN_md5,LN_md5);
@@ -227,7 +234,9 @@ int MAIN(int argc, char **argv)
                 goto end;
                 }
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
         in=BIO_new(BIO_s_file());
         bmd=BIO_new(BIO_f_md());
@@ -356,7 +365,7 @@ int MAIN(int argc, char **argv)
 end:
         if (buf != NULL)
                 {
-                memset(buf,0,BUFSIZE);
+                OPENSSL_cleanse(buf,BUFSIZE);
                 OPENSSL_free(buf);
                 }
         if (in != NULL) BIO_free(in);
@@ -365,7 +374,7 @@ end:
         if(sigbuf) OPENSSL_free(sigbuf);
         if (bmd != NULL) BIO_free(bmd);
         apps_shutdown();
-        EXIT(err);
+        OPENSSL_EXIT(err);
         }
 
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
diff --git a/src/lib/libssl/src/apps/dh.c b/src/lib/libssl/src/apps/dh.c
index 27c3dc8df2..cd01fed139 100644
--- a/src/lib/libssl/src/apps/dh.c
+++ b/src/lib/libssl/src/apps/dh.c
@@ -87,12 +87,17 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
         {
+#ifndef OPENSSL_NO_ENGINE
         ENGINE *e = NULL;
+#endif
         DH *dh=NULL;
         int i,badops=0,text=0;
         BIO *in=NULL,*out=NULL;
         int informat,outformat,check=0,noout=0,C=0,ret=1;
-        char *infile,*outfile,*prog,*engine;
+        char *infile,*outfile,*prog;
+#ifndef OPENSSL_NO_ENGINE
+        char *engine;
+#endif
 
         apps_startup();
 
@@ -103,7 +108,9 @@ int MAIN(int argc, char **argv)
         if (!load_config(bio_err, NULL))
                 goto end;
 
+#ifndef OPENSSL_NO_ENGINE
         engine=NULL;
+#endif
         infile=NULL;
         outfile=NULL;
         informat=FORMAT_PEM;
@@ -134,11 +141,13 @@ int MAIN(int argc, char **argv)
                         if (--argc < 1) goto bad;
                         outfile= *(++argv);
                         }
+#ifndef OPENSSL_NO_ENGINE
                 else if (strcmp(*argv,"-engine") == 0)
                         {
                         if (--argc < 1) goto bad;
                         engine= *(++argv);
                         }
+#endif
                 else if (strcmp(*argv,"-check") == 0)
                         check=1;
                 else if (strcmp(*argv,"-text") == 0)
@@ -170,13 +179,17 @@ bad:
                 BIO_printf(bio_err," -text         print a text form of the DH parameters\n");
                 BIO_printf(bio_err," -C            Output C code\n");
                 BIO_printf(bio_err," -noout        no output\n");
+#ifndef OPENSSL_NO_ENGINE
                 BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
+#endif
                 goto end;
                 }
 
         ERR_load_crypto_strings();
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
         in=BIO_new(BIO_s_file());
         out=BIO_new(BIO_s_file());
@@ -333,6 +346,6 @@ end:
         if (out != NULL) BIO_free_all(out);
         if (dh != NULL) DH_free(dh);
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 #endif
diff --git a/src/lib/libssl/src/apps/dhparam.c b/src/lib/libssl/src/apps/dhparam.c
index ea15ef3236..dc00355b95 100644
--- a/src/lib/libssl/src/apps/dhparam.c
+++ b/src/lib/libssl/src/apps/dhparam.c
@@ -148,7 +148,9 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
         {
+#ifndef OPENSSL_NO_ENGINE
         ENGINE *e = NULL;
+#endif
         DH *dh=NULL;
         int i,badops=0,text=0;
 #ifndef OPENSSL_NO_DSA
@@ -157,7 +159,10 @@ int MAIN(int argc, char **argv)
         BIO *in=NULL,*out=NULL;
         int informat,outformat,check=0,noout=0,C=0,ret=1;
         char *infile,*outfile,*prog;
-        char *inrand=NULL,*engine=NULL;
+        char *inrand=NULL;
+#ifndef OPENSSL_NO_ENGINE
+        char *engine=NULL;
+#endif
         int num = 0, g = 0;
 
         apps_startup();
@@ -199,11 +204,13 @@ int MAIN(int argc, char **argv)
                         if (--argc < 1) goto bad;
                         outfile= *(++argv);
                         }
+#ifndef OPENSSL_NO_ENGINE
                 else if (strcmp(*argv,"-engine") == 0)
                         {
                         if (--argc < 1) goto bad;
                         engine= *(++argv);
                         }
+#endif
                 else if (strcmp(*argv,"-check") == 0)
                         check=1;
                 else if (strcmp(*argv,"-text") == 0)
@@ -249,7 +256,9 @@ bad:
                 BIO_printf(bio_err," -2            generate parameters using  2 as the generator value\n");
                 BIO_printf(bio_err," -5            generate parameters using  5 as the generator value\n");
                 BIO_printf(bio_err," numbits       number of bits in to generate (default 512)\n");
+#ifndef OPENSSL_NO_ENGINE
                 BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
+#endif
                 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
                 BIO_printf(bio_err,"               - load the file (or the files in the directory) into\n");
                 BIO_printf(bio_err,"               the random number generator\n");
@@ -259,7 +268,9 @@ bad:
 
         ERR_load_crypto_strings();
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
         if (g && !num)
                 num = DEFBITS;
@@ -519,7 +530,7 @@ end:
         if (out != NULL) BIO_free_all(out);
         if (dh != NULL) DH_free(dh);
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 
 /* dh_cb is identical to dsa_cb in apps/dsaparam.c */
diff --git a/src/lib/libssl/src/apps/dsa.c b/src/lib/libssl/src/apps/dsa.c
index 9da1a41645..e9de3a3bdf 100644
--- a/src/lib/libssl/src/apps/dsa.c
+++ b/src/lib/libssl/src/apps/dsa.c
@@ -90,7 +90,9 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
         {
+#ifndef OPENSSL_NO_ENGINE
         ENGINE *e = NULL;
+#endif
         int ret=1;
         DSA *dsa=NULL;
         int i,badops=0;
@@ -98,7 +100,10 @@ int MAIN(int argc, char **argv)
         BIO *in=NULL,*out=NULL;
         int informat,outformat,text=0,noout=0;
         int pubin = 0, pubout = 0;
-        char *infile,*outfile,*prog,*engine;
+        char *infile,*outfile,*prog;
+#ifndef OPENSSL_NO_ENGINE
+        char *engine;
+#endif
         char *passargin = NULL, *passargout = NULL;
         char *passin = NULL, *passout = NULL;
         int modulus=0;
@@ -112,7 +117,9 @@ int MAIN(int argc, char **argv)
         if (!load_config(bio_err, NULL))
                 goto end;
 
+#ifndef OPENSSL_NO_ENGINE
         engine=NULL;
+#endif
         infile=NULL;
         outfile=NULL;
         informat=FORMAT_PEM;
@@ -153,11 +160,13 @@ int MAIN(int argc, char **argv)
                         if (--argc < 1) goto bad;
                         passargout= *(++argv);
                         }
+#ifndef OPENSSL_NO_ENGINE
                 else if (strcmp(*argv,"-engine") == 0)
                         {
                         if (--argc < 1) goto bad;
                         engine= *(++argv);
                         }
+#endif
                 else if (strcmp(*argv,"-noout") == 0)
                         noout=1;
                 else if (strcmp(*argv,"-text") == 0)
@@ -189,7 +198,9 @@ bad:
                 BIO_printf(bio_err," -passin arg     input file pass phrase source\n");
                 BIO_printf(bio_err," -out arg        output file\n");
                 BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
+#ifndef OPENSSL_NO_ENGINE
                 BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
+#endif
                 BIO_printf(bio_err," -des            encrypt PEM output with cbc des\n");
                 BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef OPENSSL_NO_IDEA
@@ -207,7 +218,9 @@ bad:
 
         ERR_load_crypto_strings();
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
         if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
                 BIO_printf(bio_err, "Error getting passwords\n");
@@ -314,6 +327,6 @@ end:
         if(passin) OPENSSL_free(passin);
         if(passout) OPENSSL_free(passout);
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 #endif
diff --git a/src/lib/libssl/src/apps/dsaparam.c b/src/lib/libssl/src/apps/dsaparam.c
index 2f436803e3..04861e8986 100644
--- a/src/lib/libssl/src/apps/dsaparam.c
+++ b/src/lib/libssl/src/apps/dsaparam.c
@@ -90,7 +90,9 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
         {
+#ifndef OPENSSL_NO_ENGINE
         ENGINE *e = NULL;
+#endif
         DSA *dsa=NULL;
         int i,badops=0,text=0;
         BIO *in=NULL,*out=NULL;
@@ -98,7 +100,9 @@ int MAIN(int argc, char **argv)
         char *infile,*outfile,*prog,*inrand=NULL;
         int numbits= -1,num,genkey=0;
         int need_rand=0;
+#ifndef OPENSSL_NO_ENGINE
         char *engine=NULL;
+#endif
 
         apps_startup();
 
@@ -139,11 +143,13 @@ int MAIN(int argc, char **argv)
                         if (--argc < 1) goto bad;
                         outfile= *(++argv);
                         }
+#ifndef OPENSSL_NO_ENGINE
                 else if(strcmp(*argv, "-engine") == 0)
                         {
                         if (--argc < 1) goto bad;
                         engine = *(++argv);
                         }
+#endif
                 else if (strcmp(*argv,"-text") == 0)
                         text=1;
                 else if (strcmp(*argv,"-C") == 0)
@@ -191,7 +197,9 @@ bad:
                 BIO_printf(bio_err," -noout        no output\n");
                 BIO_printf(bio_err," -genkey       generate a DSA key\n");
                 BIO_printf(bio_err," -rand         files to use for random number input\n");
+#ifndef OPENSSL_NO_ENGINE
                 BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
+#endif
                 BIO_printf(bio_err," number        number of bits to use for generating private key\n");
                 goto end;
                 }
@@ -235,7 +243,9 @@ bad:
                         }
                 }
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
         if (need_rand)
                 {
@@ -372,7 +382,7 @@ end:
         if (out != NULL) BIO_free_all(out);
         if (dsa != NULL) DSA_free(dsa);
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 
 static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
diff --git a/src/lib/libssl/src/apps/enc.c b/src/lib/libssl/src/apps/enc.c
index cb2fa59db9..9299ab3e13 100644
--- a/src/lib/libssl/src/apps/enc.c
+++ b/src/lib/libssl/src/apps/enc.c
@@ -100,9 +100,11 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
         {
+#ifndef OPENSSL_NO_ENGINE
         ENGINE *e = NULL;
+#endif
         static const char magic[]="Salted__";
-        char mbuf[8];   /* should be 1 smaller than magic */
+        char mbuf[sizeof magic-1];
         char *strbuf=NULL;
         unsigned char *buff=NULL,*bufsize=NULL;
         int bsize=BSIZE,verbose=0;
@@ -119,7 +121,9 @@ int MAIN(int argc, char **argv)
         BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL;
 #define PROG_NAME_SIZE  39
         char pname[PROG_NAME_SIZE+1];
+#ifndef OPENSSL_NO_ENGINE
         char *engine = NULL;
+#endif
 
         apps_startup();
 
@@ -131,7 +135,7 @@ int MAIN(int argc, char **argv)
                 goto end;
 
         /* first check the program name */
-        program_name(argv[0],pname,PROG_NAME_SIZE);
+        program_name(argv[0],pname,sizeof pname);
         if (strcmp(pname,"base64") == 0)
                 base64=1;
 
@@ -163,11 +167,13 @@ int MAIN(int argc, char **argv)
                         if (--argc < 1) goto bad;
                         passarg= *(++argv);
                         }
+#ifndef OPENSSL_NO_ENGINE
                 else if (strcmp(*argv,"-engine") == 0)
                         {
                         if (--argc < 1) goto bad;
                         engine= *(++argv);
                         }
+#endif
                 else if (strcmp(*argv,"-d") == 0)
                         enc=0;
                 else if (strcmp(*argv,"-p") == 0)
@@ -216,7 +222,7 @@ int MAIN(int argc, char **argv)
                                 goto bad;
                                 }
                         buf[0]='\0';
-                        fgets(buf,128,infile);
+                        fgets(buf,sizeof buf,infile);
                         fclose(infile);
                         i=strlen(buf);
                         if ((i > 0) &&
@@ -270,7 +276,9 @@ bad:
                         BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv");
                         BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]");
                         BIO_printf(bio_err,"%-14s buffer size\n","-bufsize <n>");
+#ifndef OPENSSL_NO_ENGINE
                         BIO_printf(bio_err,"%-14s use engine e, possibly a hardware device.\n","-engine e");
+#endif
 
                         BIO_printf(bio_err,"Cipher Types\n");
                         OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH,
@@ -284,7 +292,9 @@ bad:
                 argv++;
                 }
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
         if (bufsize != NULL)
                 {
@@ -442,12 +452,12 @@ bad:
                         else {
                                 if(enc) {
                                         if(hsalt) {
-                                                if(!set_hex(hsalt,salt,PKCS5_SALT_LEN)) {
+                                                if(!set_hex(hsalt,salt,sizeof salt)) {
                                                         BIO_printf(bio_err,
                                                                 "invalid hex salt value\n");
                                                         goto end;
                                                 }
-                                        } else if (RAND_pseudo_bytes(salt, PKCS5_SALT_LEN) < 0)
+                                        } else if (RAND_pseudo_bytes(salt, sizeof salt) < 0)
                                                 goto end;
                                         /* If -P option then don't bother writing */
                                         if((printkey != 2)
@@ -455,14 +465,14 @@ bad:
                                                          sizeof magic-1) != sizeof magic-1
                                                || BIO_write(wbio,
                                                             (char *)salt,
-                                                            PKCS5_SALT_LEN) != PKCS5_SALT_LEN)) {
+                                                            sizeof salt) != sizeof salt)) {
                                                 BIO_printf(bio_err,"error writing output file\n");
                                                 goto end;
                                         }
                                 } else if(BIO_read(rbio,mbuf,sizeof mbuf) != sizeof mbuf
                                           || BIO_read(rbio,
                                                       (unsigned char *)salt,
-                                    PKCS5_SALT_LEN) != PKCS5_SALT_LEN) {
+                                    sizeof salt) != sizeof salt) {
                                         BIO_printf(bio_err,"error reading input file\n");
                                         goto end;
                                 } else if(memcmp(mbuf,magic,sizeof magic-1)) {
@@ -481,9 +491,9 @@ bad:
                          * bug picked up by
                          * Larry J. Hughes Jr. <hughes@indiana.edu> */
                         if (str == strbuf)
-                                memset(str,0,SIZE);
+                                OPENSSL_cleanse(str,SIZE);
                         else
-                                memset(str,0,strlen(str));
+                                OPENSSL_cleanse(str,strlen(str));
                         }
                 if ((hiv != NULL) && !set_hex(hiv,iv,sizeof iv))
                         {
@@ -524,7 +534,7 @@ bad:
                         if (!nosalt)
                                 {
                                 printf("salt=");
-                                for (i=0; i<PKCS5_SALT_LEN; i++)
+                                for (i=0; i<sizeof salt; i++)
                                         printf("%02X",salt[i]);
                                 printf("\n");
                                 }
@@ -586,7 +596,7 @@ end:
         if (b64 != NULL) BIO_free(b64);
         if(pass) OPENSSL_free(pass);
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 
 int set_hex(char *in, unsigned char *out, int size)
diff --git a/src/lib/libssl/src/apps/engine.c b/src/lib/libssl/src/apps/engine.c
index 3c94c3c4ed..0e7082abb9 100644
--- a/src/lib/libssl/src/apps/engine.c
+++ b/src/lib/libssl/src/apps/engine.c
@@ -56,6 +56,8 @@
  *
  */
 
+#ifndef OPENSSL_NO_ENGINE
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -516,5 +518,12 @@ end:
         sk_pop_free(post_cmds, identity);
         if (bio_out != NULL) BIO_free_all(bio_out);
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
+#else
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
+#endif
diff --git a/src/lib/libssl/src/apps/errstr.c b/src/lib/libssl/src/apps/errstr.c
index fedb568d68..19489b0df3 100644
--- a/src/lib/libssl/src/apps/errstr.c
+++ b/src/lib/libssl/src/apps/errstr.c
@@ -122,5 +122,5 @@ int MAIN(int argc, char **argv)
                         }
                 }
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
diff --git a/src/lib/libssl/src/apps/gendh.c b/src/lib/libssl/src/apps/gendh.c
index f2542960bf..a34a862caf 100644
--- a/src/lib/libssl/src/apps/gendh.c
+++ b/src/lib/libssl/src/apps/gendh.c
@@ -81,13 +81,17 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
         {
+#ifndef OPENSSL_NO_ENGINE
         ENGINE *e = NULL;
+#endif
         DH *dh=NULL;
         int ret=1,num=DEFBITS;
         int g=2;
         char *outfile=NULL;
         char *inrand=NULL;
+#ifndef OPENSSL_NO_ENGINE
         char *engine=NULL;
+#endif
         BIO *out=NULL;
 
         apps_startup();
@@ -115,11 +119,13 @@ int MAIN(int argc, char **argv)
                         g=3; */
                 else if (strcmp(*argv,"-5") == 0)
                         g=5;
+#ifndef OPENSSL_NO_ENGINE
                 else if (strcmp(*argv,"-engine") == 0)
                         {
                         if (--argc < 1) goto bad;
                         engine= *(++argv);
                         }
+#endif
                 else if (strcmp(*argv,"-rand") == 0)
                         {
                         if (--argc < 1) goto bad;
@@ -138,14 +144,18 @@ bad:
                 BIO_printf(bio_err," -2        - use 2 as the generator value\n");
         /*      BIO_printf(bio_err," -3        - use 3 as the generator value\n"); */
                 BIO_printf(bio_err," -5        - use 5 as the generator value\n");
+#ifndef OPENSSL_NO_ENGINE
                 BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n");
+#endif
                 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
                 BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
                 BIO_printf(bio_err,"             the random number generator\n");
                 goto end;
                 }
                 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
         out=BIO_new(BIO_s_file());
         if (out == NULL)
@@ -198,7 +208,7 @@ end:
         if (out != NULL) BIO_free_all(out);
         if (dh != NULL) DH_free(dh);
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 
 static void MS_CALLBACK dh_cb(int p, int n, void *arg)
diff --git a/src/lib/libssl/src/apps/gendsa.c b/src/lib/libssl/src/apps/gendsa.c
index 1e1e9f3e4c..6d2ed06c81 100644
--- a/src/lib/libssl/src/apps/gendsa.c
+++ b/src/lib/libssl/src/apps/gendsa.c
@@ -77,7 +77,9 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
         {
+#ifndef OPENSSL_NO_ENGINE
         ENGINE *e = NULL;
+#endif
         DSA *dsa=NULL;
         int ret=1;
         char *outfile=NULL;
@@ -85,7 +87,9 @@ int MAIN(int argc, char **argv)
         char *passargout = NULL, *passout = NULL;
         BIO *out=NULL,*in=NULL;
         const EVP_CIPHER *enc=NULL;
+#ifndef OPENSSL_NO_ENGINE
         char *engine=NULL;
+#endif
 
         apps_startup();
 
@@ -111,11 +115,13 @@ int MAIN(int argc, char **argv)
                         if (--argc < 1) goto bad;
                         passargout= *(++argv);
                         }
+#ifndef OPENSSL_NO_ENGINE
                 else if (strcmp(*argv,"-engine") == 0)
                         {
                         if (--argc < 1) goto bad;
                         engine= *(++argv);
                         }
+#endif
                 else if (strcmp(*argv,"-rand") == 0)
                         {
                         if (--argc < 1) goto bad;
@@ -167,7 +173,9 @@ bad:
                 BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
                 BIO_printf(bio_err,"                 encrypt PEM output with cbc aes\n");
 #endif
+#ifndef OPENSSL_NO_ENGINE
                 BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n");
+#endif
                 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
                 BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
                 BIO_printf(bio_err,"             the random number generator\n");
@@ -176,7 +184,9 @@ bad:
                 goto end;
                 }
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
         if(!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
                 BIO_printf(bio_err, "Error getting password\n");
@@ -246,6 +256,6 @@ end:
         if (dsa != NULL) DSA_free(dsa);
         if(passout) OPENSSL_free(passout);
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 #endif
diff --git a/src/lib/libssl/src/apps/genrsa.c b/src/lib/libssl/src/apps/genrsa.c
index 515bd7c901..63be873b7b 100644
--- a/src/lib/libssl/src/apps/genrsa.c
+++ b/src/lib/libssl/src/apps/genrsa.c
@@ -81,7 +81,9 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
         {
+#ifndef OPENSSL_NO_ENGINE
         ENGINE *e = NULL;
+#endif
         int ret=1;
         RSA *rsa=NULL;
         int i,num=DEFBITS;
@@ -90,7 +92,9 @@ int MAIN(int argc, char **argv)
         unsigned long f4=RSA_F4;
         char *outfile=NULL;
         char *passargout = NULL, *passout = NULL;
+#ifndef OPENSSL_NO_ENGINE
         char *engine=NULL;
+#endif
         char *inrand=NULL;
         BIO *out=NULL;
 
@@ -122,11 +126,13 @@ int MAIN(int argc, char **argv)
                         f4=3;
                 else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0)
                         f4=RSA_F4;
+#ifndef OPENSSL_NO_ENGINE
                 else if (strcmp(*argv,"-engine") == 0)
                         {
                         if (--argc < 1) goto bad;
                         engine= *(++argv);
                         }
+#endif
                 else if (strcmp(*argv,"-rand") == 0)
                         {
                         if (--argc < 1) goto bad;
@@ -177,7 +183,9 @@ bad:
                 BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
                 BIO_printf(bio_err," -f4             use F4 (0x10001) for the E value\n");
                 BIO_printf(bio_err," -3              use 3 for the E value\n");
+#ifndef OPENSSL_NO_ENGINE
                 BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
+#endif
                 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
                 BIO_printf(bio_err,"                 load the file (or the files in the directory) into\n");
                 BIO_printf(bio_err,"                 the random number generator\n");
@@ -191,7 +199,9 @@ bad:
                 goto err;
         }
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
         if (outfile == NULL)
                 {
@@ -258,7 +268,7 @@ err:
         if (ret != 0)
                 ERR_print_errors(bio_err);
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 
 static void MS_CALLBACK genrsa_cb(int p, int n, void *arg)
diff --git a/src/lib/libssl/src/apps/makeapps.com b/src/lib/libssl/src/apps/makeapps.com
index 148246facc..0197c8a171 100644
--- a/src/lib/libssl/src/apps/makeapps.com
+++ b/src/lib/libssl/src/apps/makeapps.com
@@ -15,22 +15,10 @@ $!
 $!  It was written so it would try to determine what "C" compiler to
 $!  use or you can specify which "C" compiler to use.
 $!
-$!  Specify RSAREF as P1 to compile with the RSAREF library instead of
-$!  the regular one.  If you specify NORSAREF it will compile with the
-$!  regular RSAREF routines.  (Note: If you are in the United States
-$!  you MUST compile with RSAREF unless you have a license from RSA).
-$!
-$!  Note: The RSAREF libraries are NOT INCLUDED and you have to
-$!        download it from "ftp://ftp.rsa.com/rsaref".  You have to
-$!        get the ".tar-Z" file as the ".zip" file dosen't have the
-$!        directory structure stored.  You have to extract the file
-$!        into the [.RSAREF] directory under the root directory as that
-$!        is where the scripts will look for the files.
-$!
-$!  Specify DEBUG or NODEBUG as P2 to compile with or without debugger
+$!  Specify DEBUG or NODEBUG as P1 to compile with or without debugger
 $!  information.
 $!
-$!  Specify which compiler at P3 to try to compile under.
+$!  Specify which compiler at P2 to try to compile under.
 $!
 $!         VAXC  For VAX C.
 $!         DECC  For DEC C.
@@ -39,16 +27,16 @@ $!
 $!  If you don't speficy a compiler, it will try to determine which
 $!  "C" compiler to use.
 $!
-$!  P4, if defined, sets a TCP/IP library to use, through one of the following
+$!  P3, if defined, sets a TCP/IP library to use, through one of the following
 $!  keywords:
 $!
 $!      UCX             for UCX
 $!      SOCKETSHR       for SOCKETSHR+NETLIB
 $!      TCPIP           for TCPIP (post UCX)
 $!
-$!  P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
+$!  P4, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
 $!
-$!  P6, if defined, sets a choice of programs to compile.
+$!  P5, if defined, sets a choice of programs to compile.
 $!
 $!
 $! Define A TCP/IP Library That We Will Need To Link To.
@@ -101,10 +89,6 @@ $! Define The CRYPTO Library.
 $!
 $ CRYPTO_LIB := SYS$DISK:[-.'ARCH'.EXE.CRYPTO]LIBCRYPTO.OLB
 $!
-$! Define The RSAREF Library.
-$!
-$ RSAREF_LIB := SYS$DISK:[-.'ARCH'.EXE.RSAREF]LIBRSAGLUE.OLB
-$!
 $! Define The SSL Library.
 $!
 $ SSL_LIB := SYS$DISK:[-.'ARCH'.EXE.SSL]LIBSSL.OLB
@@ -182,7 +166,7 @@ $!     TCPIP_PROGRAMS = ",S_SERVER,S_CLIENT,SESS_ID,CIPHERS,S_TIME,"
 $!
 $! Setup exceptional compilations
 $!
-$ COMPILEWITH_CC2 = ",S_SOCKET,S_SERVER,S_CLIENT,"
+$ COMPILEWITH_CC2 = ",S_SERVER,S_CLIENT,"
 $!
 $ PHASE := LIB
 $!
@@ -293,73 +277,31 @@ $   WRITE SYS$OUTPUT FILE_NAME," needs a TCP/IP library.  Can't link.  Skipping.
 $   GOTO NEXT_FILE
 $ ENDIF
 $!
-$! Link The Program, Check To See If We Need To Link With RSAREF Or Not.
+$! Link The Program.
+$! Check To See If We Are To Link With A Specific TCP/IP Library.
 $!
-$ IF (RSAREF.EQS."TRUE")
+$ IF (TCPIP_LIB.NES."")
 $ THEN
 $!
-$!  Check To See If We Are To Link With A Specific TCP/IP Library.
-$!
-$   IF (TCPIP_LIB.NES."")
-$   THEN
-$!
-$!    Link With The RSAREF Library And A Specific TCP/IP Library.
-$!
-$     LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
-          'OBJECT_FILE''EXTRA_OBJ', -
-          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
-          'TCPIP_LIB','OPT_FILE'/OPTION
+$! Don't Link With The RSAREF Routines And TCP/IP Library.
 $!
-$!  Else...
-$!
-$   ELSE
-$!
-$!    Link With The RSAREF Library And NO TCP/IP Library.
-$!
-$     LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
-          'OBJECT_FILE''EXTRA_OBJ', -
-          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
-          'OPT_FILE'/OPTION
-$!
-$!  End The TCP/IP Library Check.
-$!
-$   ENDIF
+$   LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
+        'OBJECT_FILE''EXTRA_OBJ', -
+        'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
+        'TCPIP_LIB','OPT_FILE'/OPTION
 $!
 $! Else...
 $!
 $ ELSE
 $!
-$!  Don't Link With The RSAREF Routines.
-$!
+$! Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
 $!
-$!  Check To See If We Are To Link With A Specific TCP/IP Library.
+$   LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
+        'OBJECT_FILE''EXTRA_OBJ', -
+        'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
+        'OPT_FILE'/OPTION
 $!
-$   IF (TCPIP_LIB.NES."")
-$   THEN
-$!
-$!    Don't Link With The RSAREF Routines And TCP/IP Library.
-$!
-$       LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
-            'OBJECT_FILE''EXTRA_OBJ', -
-            'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
-            'TCPIP_LIB','OPT_FILE'/OPTION
-$!
-$!  Else...
-$!
-$   ELSE
-$!
-$!    Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
-$!
-$       LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
-            'OBJECT_FILE''EXTRA_OBJ', -
-            'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
-            'OPT_FILE'/OPTION
-$!
-$!  End The TCP/IP Library Check.
-$!
-$   ENDIF
-$!
-$! End The RSAREF Link Check.
+$! End The TCP/IP Library Check.
 $!
 $ ENDIF
 $!
@@ -526,32 +468,6 @@ $! End The Crypto Library Check.
 $!
 $ ENDIF
 $!
-$! See If We Need The RSAREF Library.
-$!
-$ IF (RSAREF.EQS."TRUE")
-$ THEN
-$!
-$!  Look For The Library LIBRSAGLUE.OLB.
-$!
-$   IF (F$SEARCH(RSAREF_LIB).EQS."")
-$   THEN
-$!
-$!    Tell The User We Can't Find The LIBRSAGLUE.OLB Library.
-$!
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "Can't Find The Library ",RSAREF_LIB,"."
-$     WRITE SYS$OUTPUT "We Can't Link Without It."
-$     WRITE SYS$OUTPUT ""
-$!
-$!    Since We Can't Link Without It, Exit.
-$!
-$     EXIT
-$   ENDIF
-$!
-$! End The RSAREF Library Check.
-$!
-$ ENDIF
-$!
 $! Look For The Library LIBSSL.OLB.
 $!
 $ IF (F$SEARCH(SSL_LIB).EQS."")
@@ -582,87 +498,10 @@ $ CHECK_OPTIONS:
 $!
 $! Check To See If P1 Is Blank.
 $!
-$ P1 = "NORSAREF"
-$ IF (P1.EQS."NORSAREF")
+$ IF (P1.EQS."NODEBUG")
 $ THEN
 $!
-$!   P1 Is NORSAREF, So Compile With The Regular RSA Libraries.
-$!
-$    RSAREF = "FALSE"
-$!
-$! Else...
-$!
-$ ELSE
-$!
-$!  Check To See If We Are To Use The RSAREF Library.
-$!
-$   IF (P1.EQS."RSAREF")
-$   THEN
-$!
-$!    Check To Make Sure We Have The RSAREF Source Code Directory.
-$!
-$     IF (F$SEARCH("SYS$DISK:[-.RSAREF]SOURCE.DIR").EQS."")
-$     THEN
-$!
-$!      We Don't Have The RSAREF Souce Code Directory, So Tell The
-$!      User This.
-$!
-$       WRITE SYS$OUTPUT ""
-$       WRITE SYS$OUTPUT "It appears that you don't have the RSAREF Souce Code."
-$       WRITE SYS$OUTPUT "You need to go to 'ftp://ftp.rsa.com/rsaref'.  You have to"
-$       WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file dosen't have the"
-$       WRITE SYS$OUTPUT "directory structure stored.  You have to extract the file"
-$       WRITE SYS$OUTPUT "into the [.RSAREF] directory under the root directory"
-$       WRITE SYS$OUTPUT "as that is where the scripts will look for the files."
-$       WRITE SYS$OUTPUT ""
-$!
-$!      Time To Exit.
-$!
-$       EXIT
-$!
-$!    Else...
-$!
-$     ELSE
-$!
-$!      Compile Using The RSAREF Library.
-$!
-$       RSAREF = "TRUE"
-$!
-$!    End The RSAREF Soure Directory Check.
-$!
-$     ENDIF
-$!
-$!  Else...
-$!
-$   ELSE 
-$!
-$!    They Entered An Invalid Option..
-$!
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "     RSAREF   :  Compile With The RSAREF Library."
-$     WRITE SYS$OUTPUT "     NORSAREF :  Compile With The Regular RSA Library."
-$     WRITE SYS$OUTPUT ""
-$!
-$!    Time To EXIT.
-$!
-$     EXIT
-$!
-$!  End The Valid Arguement Check.
-$!
-$   ENDIF
-$!
-$! End P1 Check.
-$!
-$ ENDIF
-$!
-$! Check To See If P2 Is Blank.
-$!
-$ IF (P2.EQS."NODEBUG")
-$ THEN
-$!
-$!   P2 Is NODEBUG, So Compile Without Debugger Information.
+$!   P1 Is NODEBUG, So Compile Without Debugger Information.
 $!
 $    DEBUGGER  = "NODEBUG"
 $    TRACEBACK = "NOTRACEBACK" 
@@ -677,7 +516,7 @@ $ ELSE
 $!
 $!  Check To See If We Are To Compile With Debugger Information.
 $!
-$   IF (P2.EQS."DEBUG")
+$   IF (P1.EQS."DEBUG")
 $   THEN
 $!
 $!    Compile With Debugger Information.
@@ -693,7 +532,7 @@ $!
 $!    Tell The User Entered An Invalid Option..
 $!
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "    DEBUG    :  Compile With The Debugger Information."
 $     WRITE SYS$OUTPUT "    NODEBUG  :  Compile Without The Debugger Information."
@@ -707,13 +546,13 @@ $!  End The Valid Arguement Check.
 $!
 $   ENDIF
 $!
-$! End The P2 Check.
+$! End The P1 Check.
 $!
 $ ENDIF
 $!
-$! Check To See If P3 Is Blank.
+$! Check To See If P2 Is Blank.
 $!
-$ IF (P3.EQS."")
+$ IF (P2.EQS."")
 $ THEN
 $!
 $!  O.K., The User Didn't Specify A Compiler, Let's Try To
@@ -726,7 +565,7 @@ $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
 $!
-$     P3 = "GNUC"
+$     P2 = "GNUC"
 $!
 $!  Else...
 $!
@@ -739,7 +578,7 @@ $     THEN
 $!
 $!      Looks Like DECC, Set To Use DECC.
 $!
-$       P3 = "DECC"
+$       P2 = "DECC"
 $!
 $!    Else...
 $!
@@ -747,7 +586,7 @@ $     ELSE
 $!
 $!      Looks Like VAXC, Set To Use VAXC.
 $!
-$       P3 = "VAXC"
+$       P2 = "VAXC"
 $!
 $!    End The VAXC Compiler Check.
 $!
@@ -761,9 +600,9 @@ $!  End The Compiler Check.
 $!
 $ ENDIF
 $!
-$! Check To See If We Have A Option For P4.
+$! Check To See If We Have A Option For P3.
 $!
-$ IF (P4.EQS."")
+$ IF (P3.EQS."")
 $ THEN
 $!
 $!  Find out what socket library we have available
@@ -773,7 +612,7 @@ $   THEN
 $!
 $!    We have SOCKETSHR, and it is my opinion that it's the best to use.
 $!
-$     P4 = "SOCKETSHR"
+$     P3 = "SOCKETSHR"
 $!
 $!    Tell the user
 $!
@@ -793,7 +632,7 @@ $     THEN
 $!
 $!      Last resort: a UCX or UCX-compatible library
 $!
-$       P4 = "UCX"
+$       P3 = "UCX"
 $!
 $!      Tell the user
 $!
@@ -817,12 +656,12 @@ $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
 $!
 $!  Check To See If The User Entered A Valid Paramter.
 $!
-$ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC")
+$ IF (P2.EQS."VAXC").OR.(P2.EQS."DECC").OR.(P2.EQS."GNUC")
 $ THEN
 $!
 $!  Check To See If The User Wanted DECC.
 $!
-$   IF (P3.EQS."DECC")
+$   IF (P2.EQS."DECC")
 $   THEN
 $!
 $!    Looks Like DECC, Set To Use DECC.
@@ -852,7 +691,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use VAXC.
 $!
-$   IF (P3.EQS."VAXC")
+$   IF (P2.EQS."VAXC")
 $   THEN
 $!
 $!    Looks Like VAXC, Set To Use VAXC.
@@ -889,7 +728,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use GNU C.
 $!
-$   IF (P3.EQS."GNUC")
+$   IF (P2.EQS."GNUC")
 $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
@@ -918,31 +757,6 @@ $!  Set up default defines
 $!
 $   CCDEFS = """FLAT_INC=1""," + CCDEFS
 $!
-$!  Check To See If We Are To Compile With RSAREF Routines.
-$!
-$   IF (RSAREF.EQS."TRUE")
-$   THEN
-$!
-$!    Compile With RSAREF.
-$!
-$     CCDEFS = CCDEFS + ",""RSAref=1"""
-$!
-$!    Tell The User This.
-$!
-$     WRITE SYS$OUTPUT "Compiling With RSAREF Routines."
-$!
-$!    Else, We Don't Care.  Compile Without The RSAREF Library.
-$!
-$   ELSE
-$!
-$!    Tell The User We Are Compile Without The RSAREF Routines.
-$!
-$     WRITE SYS$OUTPUT "Compiling Without The RSAREF Routines.
-$!
-$!  End The RSAREF Check.
-$!
-$   ENDIF
-$!
 $!  Else The User Entered An Invalid Arguement.
 $!
 $ ELSE
@@ -950,7 +764,7 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    VAXC  :  To Compile With VAX C."
 $   WRITE SYS$OUTPUT "    DECC  :  To Compile With DEC C."
@@ -964,13 +778,13 @@ $ ENDIF
 $!
 $! Time to check the contents, and to make sure we get the correct library.
 $!
-$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX" -
-     .OR. P4.EQS."TCPIP" .OR. P4.EQS."NONE"
+$ IF P3.EQS."SOCKETSHR" .OR. P3.EQS."MULTINET" .OR. P3.EQS."UCX" -
+     .OR. P3.EQS."TCPIP" .OR. P3.EQS."NONE"
 $ THEN
 $!
 $!  Check to see if SOCKETSHR was chosen
 $!
-$   IF P4.EQS."SOCKETSHR"
+$   IF P3.EQS."SOCKETSHR"
 $   THEN
 $!
 $!    Set the library to use SOCKETSHR
@@ -983,12 +797,12 @@ $   ENDIF
 $!
 $!  Check to see if MULTINET was chosen
 $!
-$   IF P4.EQS."MULTINET"
+$   IF P3.EQS."MULTINET"
 $   THEN
 $!
 $!    Set the library to use UCX emulation.
 $!
-$     P4 = "UCX"
+$     P3 = "UCX"
 $!
 $!    Done with MULTINET
 $!
@@ -996,7 +810,7 @@ $   ENDIF
 $!
 $!  Check to see if UCX was chosen
 $!
-$   IF P4.EQS."UCX"
+$   IF P3.EQS."UCX"
 $   THEN
 $!
 $!    Set the library to use UCX.
@@ -1016,7 +830,7 @@ $   ENDIF
 $!
 $!  Check to see if TCPIP (post UCX) was chosen
 $!
-$   IF P4.EQS."TCPIP"
+$   IF P3.EQS."TCPIP"
 $   THEN
 $!
 $!    Set the library to use TCPIP.
@@ -1029,7 +843,7 @@ $   ENDIF
 $!
 $!  Check to see if NONE was chosen
 $!
-$   IF P4.EQS."NONE"
+$   IF P3.EQS."NONE"
 $   THEN
 $!
 $!    Do not use TCPIP.
@@ -1042,7 +856,7 @@ $   ENDIF
 $!
 $!  Add TCP/IP type to CC definitions.
 $!
-$   CCDEFS = CCDEFS + ",TCPIP_TYPE_''P4'"
+$   CCDEFS = CCDEFS + ",TCPIP_TYPE_''P3'"
 $!
 $!  Print info
 $!
@@ -1055,7 +869,7 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    SOCKETSHR  :  To link with SOCKETSHR TCP/IP library."
 $   WRITE SYS$OUTPUT "    UCX        :  To link with UCX TCP/IP library."
@@ -1094,9 +908,9 @@ $! Written By:  Richard Levitte
 $!              richard@levitte.org
 $!
 $!
-$! Check To See If We Have A Option For P5.
+$! Check To See If We Have A Option For P4.
 $!
-$ IF (P5.EQS."")
+$ IF (P4.EQS."")
 $ THEN
 $!
 $!  Get The Version Of VMS We Are Using.
@@ -1118,15 +932,15 @@ $!  End The VMS Version Check.
 $!
 $   ENDIF
 $!
-$! End The P5 Check.
+$! End The P4 Check.
 $!
 $ ENDIF
 $!
 $! Check if the user wanted to compile just a subset of all the programs.
 $!
-$ IF P6 .NES. ""
+$ IF P5 .NES. ""
 $ THEN
-$   PROGRAMS = P6
+$   PROGRAMS = P5
 $ ENDIF
 $!
 $!  Time To RETURN...
diff --git a/src/lib/libssl/src/apps/nseq.c b/src/lib/libssl/src/apps/nseq.c
index c26f62cb61..dc71d45012 100644
--- a/src/lib/libssl/src/apps/nseq.c
+++ b/src/lib/libssl/src/apps/nseq.c
@@ -102,7 +102,7 @@ int MAIN(int argc, char **argv)
                 BIO_printf (bio_err, "-in file  input file\n");
                 BIO_printf (bio_err, "-out file output file\n");
                 BIO_printf (bio_err, "-toseq    output NS Sequence file\n");
-                EXIT(1);
+                OPENSSL_EXIT(1);
         }
 
         if (infile) {
@@ -162,6 +162,6 @@ end:
         BIO_free_all(out);
         NETSCAPE_CERT_SEQUENCE_free(seq);
 
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
 }
 
diff --git a/src/lib/libssl/src/apps/ocsp.c b/src/lib/libssl/src/apps/ocsp.c
index 59b97a634b..17e84366d9 100644
--- a/src/lib/libssl/src/apps/ocsp.c
+++ b/src/lib/libssl/src/apps/ocsp.c
@@ -55,6 +55,7 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+#ifndef OPENSSL_NO_OCSP
 
 #include <stdio.h>
 #include <string.h>
@@ -523,7 +524,7 @@ int MAIN(int argc, char **argv)
                 BIO_printf (bio_err, "-serial n          serial number to check\n");
                 BIO_printf (bio_err, "-signer file       certificate to sign OCSP request with\n");
                 BIO_printf (bio_err, "-signkey file      private key to sign OCSP request with\n");
-                BIO_printf (bio_err, "-sign_certs file   additional certificates to include in signed request\n");
+                BIO_printf (bio_err, "-sign_other file   additional certificates to include in signed request\n");
                 BIO_printf (bio_err, "-no_certs          don't include any certificates in signed request\n");
                 BIO_printf (bio_err, "-req_text          print text form of request\n");
                 BIO_printf (bio_err, "-resp_text         print text form of response\n");
@@ -543,10 +544,10 @@ int MAIN(int argc, char **argv)
                 BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
                 BIO_printf (bio_err, "-status_age n      maximum status age in seconds\n");
                 BIO_printf (bio_err, "-noverify          don't verify response at all\n");
-                BIO_printf (bio_err, "-verify_certs file additional certificates to search for signer\n");
+                BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n");
                 BIO_printf (bio_err, "-trust_other       don't verify additional certificates\n");
                 BIO_printf (bio_err, "-no_intern         don't search certificates contained in response for signer\n");
-                BIO_printf (bio_err, "-no_sig_verify     don't check signature on response\n");
+                BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n");
                 BIO_printf (bio_err, "-no_cert_verify    don't check signing certificate\n");
                 BIO_printf (bio_err, "-no_chain          don't chain verify response\n");
                 BIO_printf (bio_err, "-no_cert_checks    don't do additional checks on signing certificate\n");
@@ -722,7 +723,12 @@ int MAIN(int argc, char **argv)
                 }
         else if (host)
                 {
+#ifndef OPENSSL_NO_SOCK
                 cbio = BIO_new_connect(host);
+#else
+                BIO_printf(bio_err, "Error creating connect BIO - sockets not supported.\n");
+                goto end;
+#endif
                 if (!cbio)
                         {
                         BIO_printf(bio_err, "Error creating connect BIO\n");
@@ -732,7 +738,16 @@ int MAIN(int argc, char **argv)
                 if (use_ssl == 1)
                         {
                         BIO *sbio;
+#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
                         ctx = SSL_CTX_new(SSLv23_client_method());
+#elif !defined(OPENSSL_NO_SSL3)
+                        ctx = SSL_CTX_new(SSLv3_client_method());
+#elif !defined(OPENSSL_NO_SSL2)
+                        ctx = SSL_CTX_new(SSLv2_client_method());
+#else
+                        BIO_printf(bio_err, "SSL is disabled\n");
+                        goto end;
+#endif
                         SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
                         sbio = BIO_new_ssl(ctx, 1);
                         cbio = BIO_push(sbio, cbio);
@@ -899,7 +914,7 @@ end:
                 SSL_CTX_free(ctx);
                 }
 
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
 }
 
 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
@@ -1120,7 +1135,10 @@ static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser)
         char *itmp, *row[DB_NUMBER],**rrow;
         for (i = 0; i < DB_NUMBER; i++) row[i] = NULL;
         bn = ASN1_INTEGER_to_BN(ser,NULL);
-        itmp = BN_bn2hex(bn);
+        if (BN_is_zero(bn))
+                itmp = BUF_strdup("00");
+        else
+                itmp = BN_bn2hex(bn);
         row[DB_serial] = itmp;
         BN_free(bn);
         rrow=TXT_DB_get_by_index(db,DB_serial,row);
@@ -1136,7 +1154,11 @@ static BIO *init_responder(char *port)
         bufbio = BIO_new(BIO_f_buffer());
         if (!bufbio) 
                 goto err;
+#ifndef OPENSSL_NO_SOCK
         acbio = BIO_new_accept(port);
+#else
+        BIO_printf(bio_err, "Error setting up accept BIO - sockets not supported.\n");
+#endif
         if (!acbio)
                 goto err;
         BIO_set_accept_bios(acbio, bufbio);
@@ -1176,7 +1198,7 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port
 
         for(;;)
                 {
-                len = BIO_gets(cbio, inbuf, 1024);
+                len = BIO_gets(cbio, inbuf, sizeof inbuf);
                 if (len <= 0)
                         return 1;
                 /* Look for "POST" signalling start of query */
@@ -1223,3 +1245,4 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
         return 1;
         }
 
+#endif
diff --git a/src/lib/libssl/src/apps/openssl.c b/src/lib/libssl/src/apps/openssl.c
index 811b305622..45af2ba7f9 100644
--- a/src/lib/libssl/src/apps/openssl.c
+++ b/src/lib/libssl/src/apps/openssl.c
@@ -122,7 +122,9 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/ssl.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 #define USE_SOCKETS /* needed for the _O_BINARY defs in the MS world */
 #include "progs.h"
 #include "s_apps.h"
@@ -139,11 +141,11 @@ static unsigned long MS_CALLBACK hash(const void *a_void);
 static int MS_CALLBACK cmp(const void *a_void,const void *b_void);
 static LHASH *prog_init(void );
 static int do_cmd(LHASH *prog,int argc,char *argv[]);
-CONF *config=NULL;
 char *default_config_file=NULL;
 
 /* Make sure there is only one when MONOLITH is defined */
 #ifdef MONOLITH
+CONF *config=NULL;
 BIO *bio_err=NULL;
 #endif
 
@@ -218,7 +220,8 @@ int main(int Argc, char *Argv[])
 #define PROG_NAME_SIZE  39
         char pname[PROG_NAME_SIZE+1];
         FUNCTION f,*fp;
-        MS_STATIC char *prompt,buf[1024],config_name[256];
+        MS_STATIC char *prompt,buf[1024];
+        char *to_free=NULL;
         int n,i,ret=0;
         int argc;
         char **argv,*p;
@@ -228,6 +231,10 @@ int main(int Argc, char *Argv[])
         arg.data=NULL;
         arg.count=0;
 
+        if (bio_err == NULL)
+                if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+                        BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
         if (getenv("OPENSSL_DEBUG_MEMORY") != NULL) /* if not defined, use compiled-in library defaults */
                 {
                 if (!(0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))
@@ -252,23 +259,12 @@ int main(int Argc, char *Argv[])
 
         apps_startup();
 
-        if (bio_err == NULL)
-                if ((bio_err=BIO_new(BIO_s_file())) != NULL)
-                        BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
-
         /* Lets load up our environment a little */
         p=getenv("OPENSSL_CONF");
         if (p == NULL)
                 p=getenv("SSLEAY_CONF");
         if (p == NULL)
-                {
-                strlcpy(config_name,X509_get_default_cert_area(),sizeof config_name);
-#ifndef OPENSSL_SYS_VMS
-                strlcat(config_name,"/",sizeof config_name);
-#endif
-                strlcat(config_name,OPENSSL_CONF,sizeof config_name);
-                p=config_name;
-                }
+                p=to_free=make_config_name();
 
         default_config_file=p;
 
@@ -284,7 +280,7 @@ int main(int Argc, char *Argv[])
         prog=prog_init();
 
         /* first check the program name */
-        program_name(Argv[0],pname,PROG_NAME_SIZE);
+        program_name(Argv[0],pname,sizeof pname);
 
         f.name=pname;
         fp=(FUNCTION *)lh_retrieve(prog,&f);
@@ -312,7 +308,7 @@ int main(int Argc, char *Argv[])
                 {
                 ret=0;
                 p=buf;
-                n=1024;
+                n=sizeof buf;
                 i=0;
                 for (;;)
                         {
@@ -346,6 +342,8 @@ int main(int Argc, char *Argv[])
         BIO_printf(bio_err,"bad exit\n");
         ret=1;
 end:
+        if (to_free)
+                OPENSSL_free(to_free);
         if (config != NULL)
                 {
                 NCONF_free(config);
@@ -362,7 +360,7 @@ end:
                 BIO_free(bio_err);
                 bio_err=NULL;
                 }
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 
 #define LIST_STANDARD_COMMANDS "list-standard-commands"
diff --git a/src/lib/libssl/src/apps/passwd.c b/src/lib/libssl/src/apps/passwd.c
index ad8e7b0349..3ad91d89d6 100644
--- a/src/lib/libssl/src/apps/passwd.c
+++ b/src/lib/libssl/src/apps/passwd.c
@@ -19,7 +19,6 @@
 # include <openssl/des.h>
 #endif
 #ifndef NO_MD5CRYPT_1
-# include <openssl/evp.h>
 # include <openssl/md5.h>
 #endif
 
@@ -293,7 +292,7 @@ err:
         if (out)
                 BIO_free_all(out);
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 
 
@@ -506,6 +505,6 @@ err:
 int MAIN(int argc, char **argv)
         {
         fputs("Program not available.\n", stderr)
-        EXIT(1);
+        OPENSSL_EXIT(1);
         }
 #endif
diff --git a/src/lib/libssl/src/apps/pkcs12.c b/src/lib/libssl/src/apps/pkcs12.c
index a438bc6c84..bb446d6b65 100644
--- a/src/lib/libssl/src/apps/pkcs12.c
+++ b/src/lib/libssl/src/apps/pkcs12.c
@@ -120,7 +120,9 @@ int MAIN(int argc, char **argv)
     char *passin = NULL, *passout = NULL;
     char *inrand = NULL;
     char *CApath = NULL, *CAfile = NULL;
+#ifndef OPENSSL_NO_ENGINE
     char *engine=NULL;
+#endif
 
     apps_startup();
 
@@ -252,11 +254,13 @@ int MAIN(int argc, char **argv)
                         args++; 
                         CAfile = *args;
                     } else badarg = 1;
+#ifndef OPENSSL_NO_ENGINE
                 } else if (!strcmp(*args,"-engine")) {
                     if (args[1]) {
                         args++; 
                         engine = *args;
                     } else badarg = 1;
+#endif
                 } else badarg = 1;
 
         } else badarg = 1;
@@ -304,14 +308,18 @@ int MAIN(int argc, char **argv)
         BIO_printf (bio_err, "-password p   set import/export password source\n");
         BIO_printf (bio_err, "-passin p     input file pass phrase source\n");
         BIO_printf (bio_err, "-passout p    output file pass phrase source\n");
+#ifndef OPENSSL_NO_ENGINE
         BIO_printf (bio_err, "-engine e     use engine e, possibly a hardware device.\n");
+#endif
         BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
         BIO_printf(bio_err,  "              load the file (or the files in the directory) into\n");
         BIO_printf(bio_err,  "              the random number generator\n");
         goto end;
     }
 
+#ifndef OPENSSL_NO_ENGINE
     e = setup_engine(bio_err, engine, 0);
+#endif
 
     if(passarg) {
         if(export_cert) passargout = passarg;
@@ -399,7 +407,7 @@ int MAIN(int argc, char **argv)
 #ifdef CRYPTO_MDEBUG
     CRYPTO_push_info("read MAC password");
 #endif
-        if(EVP_read_pw_string (macpass, 50, "Enter MAC Password:", export_cert))
+        if(EVP_read_pw_string (macpass, sizeof macpass, "Enter MAC Password:", export_cert))
         {
             BIO_printf (bio_err, "Can't read Password\n");
             goto end;
@@ -545,7 +553,7 @@ int MAIN(int argc, char **argv)
 #endif
 
         if(!noprompt &&
-                EVP_read_pw_string(pass, 50, "Enter Export Password:", 1)) {
+                EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:", 1)) {
             BIO_printf (bio_err, "Can't read Password\n");
             goto export_end;
         }
@@ -642,7 +650,7 @@ int MAIN(int argc, char **argv)
 #ifdef CRYPTO_MDEBUG
     CRYPTO_push_info("read import password");
 #endif
-    if(!noprompt && EVP_read_pw_string(pass, 50, "Enter Import Password:", 0)) {
+    if(!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:", 0)) {
         BIO_printf (bio_err, "Can't read Password\n");
         goto end;
     }
@@ -696,7 +704,7 @@ int MAIN(int argc, char **argv)
     if(passin) OPENSSL_free(passin);
     if(passout) OPENSSL_free(passout);
     apps_shutdown();
-    EXIT(ret);
+    OPENSSL_EXIT(ret);
 }
 
 int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
diff --git a/src/lib/libssl/src/apps/pkcs7.c b/src/lib/libssl/src/apps/pkcs7.c
index 0cced40f0f..6c58c67eb2 100644
--- a/src/lib/libssl/src/apps/pkcs7.c
+++ b/src/lib/libssl/src/apps/pkcs7.c
@@ -82,7 +82,9 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
         {
+#ifndef OPENSSL_NO_ENGINE
         ENGINE *e = NULL;
+#endif
         PKCS7 *p7=NULL;
         int i,badops=0;
         BIO *in=NULL,*out=NULL;
@@ -90,7 +92,9 @@ int MAIN(int argc, char **argv)
         char *infile,*outfile,*prog;
         int print_certs=0,text=0,noout=0;
         int ret=1;
+#ifndef OPENSSL_NO_ENGINE
         char *engine=NULL;
+#endif
 
         apps_startup();
 
@@ -134,11 +138,13 @@ int MAIN(int argc, char **argv)
                         text=1;
                 else if (strcmp(*argv,"-print_certs") == 0)
                         print_certs=1;
+#ifndef OPENSSL_NO_ENGINE
                 else if (strcmp(*argv,"-engine") == 0)
                         {
                         if (--argc < 1) goto bad;
                         engine= *(++argv);
                         }
+#endif
                 else
                         {
                         BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -161,14 +167,18 @@ bad:
                 BIO_printf(bio_err," -print_certs  print any certs or crl in the input\n");
                 BIO_printf(bio_err," -text         print full details of certificates\n");
                 BIO_printf(bio_err," -noout        don't output encoded data\n");
+#ifndef OPENSSL_NO_ENGINE
                 BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
+#endif
                 ret = 1;
                 goto end;
                 }
 
         ERR_load_crypto_strings();
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
         in=BIO_new(BIO_s_file());
         out=BIO_new(BIO_s_file());
@@ -301,5 +311,5 @@ end:
         if (in != NULL) BIO_free(in);
         if (out != NULL) BIO_free_all(out);
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
diff --git a/src/lib/libssl/src/apps/pkcs8.c b/src/lib/libssl/src/apps/pkcs8.c
index 912e32006b..6be27e7f44 100644
--- a/src/lib/libssl/src/apps/pkcs8.c
+++ b/src/lib/libssl/src/apps/pkcs8.c
@@ -63,7 +63,6 @@
 #include <openssl/evp.h>
 #include <openssl/pkcs12.h>
 
-#include "apps.h"
 #define PROG pkcs8_main
 
 int MAIN(int, char **);
@@ -86,7 +85,9 @@ int MAIN(int argc, char **argv)
         EVP_PKEY *pkey=NULL;
         char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
         int badarg = 0;
+#ifndef OPENSSL_NO_ENGINE
         char *engine=NULL;
+#endif
 
         if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
 
@@ -146,11 +147,13 @@ int MAIN(int argc, char **argv)
                         if (!args[1]) goto bad;
                         passargout= *(++args);
                         }
+#ifndef OPENSSL_NO_ENGINE
                 else if (strcmp(*args,"-engine") == 0)
                         {
                         if (!args[1]) goto bad;
                         engine= *(++args);
                         }
+#endif
                 else if (!strcmp (*args, "-in")) {
                         if (args[1]) {
                                 args++;
@@ -183,11 +186,15 @@ int MAIN(int argc, char **argv)
                 BIO_printf(bio_err, "-nocrypt        use or expect unencrypted private key\n");
                 BIO_printf(bio_err, "-v2 alg         use PKCS#5 v2.0 and cipher \"alg\"\n");
                 BIO_printf(bio_err, "-v1 obj         use PKCS#5 v1.5 and cipher \"alg\"\n");
+#ifndef OPENSSL_NO_ENGINE
                 BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
+#endif
                 return (1);
         }
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
         if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
                 BIO_printf(bio_err, "Error getting passwords\n");
@@ -245,7 +252,8 @@ int MAIN(int argc, char **argv)
                         if(passout) p8pass = passout;
                         else {
                                 p8pass = pass;
-                                EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1);
+                                if (EVP_read_pw_string(pass, sizeof pass, "Enter Encryption Password:", 1))
+                                        return (1);
                         }
                         app_RAND_load_file(NULL, bio_err, 0);
                         if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
@@ -302,7 +310,7 @@ int MAIN(int argc, char **argv)
                 if(passin) p8pass = passin;
                 else {
                         p8pass = pass;
-                        EVP_read_pw_string(pass, 50, "Enter Password:", 0);
+                        EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0);
                 }
                 p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass));
                 X509_SIG_free(p8);
diff --git a/src/lib/libssl/src/apps/progs.h b/src/lib/libssl/src/apps/progs.h
index 752385d3a7..70e4dbac07 100644
--- a/src/lib/libssl/src/apps/progs.h
+++ b/src/lib/libssl/src/apps/progs.h
@@ -35,7 +35,9 @@ extern int pkcs8_main(int argc,char *argv[]);
 extern int spkac_main(int argc,char *argv[]);
 extern int smime_main(int argc,char *argv[]);
 extern int rand_main(int argc,char *argv[]);
+#ifndef OPENSSL_NO_ENGINE
 extern int engine_main(int argc,char *argv[]);
+#endif
 extern int ocsp_main(int argc,char *argv[]);
 
 #define FUNC_TYPE_GENERAL       1
@@ -92,7 +94,9 @@ FUNCTION functions[] = {
 #if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
         {FUNC_TYPE_GENERAL,"s_client",s_client_main},
 #endif
+#ifndef OPENSSL_NO_SPEED
         {FUNC_TYPE_GENERAL,"speed",speed_main},
+#endif
 #if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
         {FUNC_TYPE_GENERAL,"s_time",s_time_main},
 #endif
@@ -111,7 +115,9 @@ FUNCTION functions[] = {
         {FUNC_TYPE_GENERAL,"spkac",spkac_main},
         {FUNC_TYPE_GENERAL,"smime",smime_main},
         {FUNC_TYPE_GENERAL,"rand",rand_main},
+#ifndef OPENSSL_NO_ENGINE
         {FUNC_TYPE_GENERAL,"engine",engine_main},
+#endif
         {FUNC_TYPE_GENERAL,"ocsp",ocsp_main},
 #ifndef OPENSSL_NO_MD2
         {FUNC_TYPE_MD,"md2",dgst_main},
diff --git a/src/lib/libssl/src/apps/rand.c b/src/lib/libssl/src/apps/rand.c
index f51f5bec35..63724bc730 100644
--- a/src/lib/libssl/src/apps/rand.c
+++ b/src/lib/libssl/src/apps/rand.c
@@ -76,7 +76,9 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
         {
+#ifndef OPENSSL_NO_ENGINE
         ENGINE *e = NULL;
+#endif
         int i, r, ret = 1;
         int badopt;
         char *outfile = NULL;
@@ -84,7 +86,9 @@ int MAIN(int argc, char **argv)
         int base64 = 0;
         BIO *out = NULL;
         int num = -1;
+#ifndef OPENSSL_NO_ENGINE
         char *engine=NULL;
+#endif
 
         apps_startup();
 
@@ -106,6 +110,7 @@ int MAIN(int argc, char **argv)
                         else
                                 badopt = 1;
                         }
+#ifndef OPENSSL_NO_ENGINE
                 else if (strcmp(argv[i], "-engine") == 0)
                         {
                         if ((argv[i+1] != NULL) && (engine == NULL))
@@ -113,6 +118,7 @@ int MAIN(int argc, char **argv)
                         else
                                 badopt = 1;
                         }
+#endif
                 else if (strcmp(argv[i], "-rand") == 0)
                         {
                         if ((argv[i+1] != NULL) && (inrand == NULL))
@@ -150,13 +156,17 @@ int MAIN(int argc, char **argv)
                 BIO_printf(bio_err, "Usage: rand [options] num\n");
                 BIO_printf(bio_err, "where options are\n");
                 BIO_printf(bio_err, "-out file             - write to file\n");
+#ifndef OPENSSL_NO_ENGINE
                 BIO_printf(bio_err, "-engine e             - use engine e, possibly a hardware device.\n");
+#endif
                 BIO_printf(bio_err, "-rand file%cfile%c... - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
                 BIO_printf(bio_err, "-base64               - encode output\n");
                 goto err;
                 }
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
         app_RAND_load_file(NULL, bio_err, (inrand != NULL));
         if (inrand != NULL)
@@ -213,5 +223,5 @@ err:
         if (out)
                 BIO_free_all(out);
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
diff --git a/src/lib/libssl/src/apps/req.c b/src/lib/libssl/src/apps/req.c
index c53752335b..c6464e9401 100644
--- a/src/lib/libssl/src/apps/req.c
+++ b/src/lib/libssl/src/apps/req.c
@@ -73,6 +73,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
+#include "../crypto/cryptlib.h"
 
 #define SECTION         "req"
 
@@ -134,7 +135,6 @@ static int req_check_len(int len,int n_min,int n_max);
 static int check_end(char *str, char *end);
 #ifndef MONOLITH
 static char *default_config_file=NULL;
-static CONF *config=NULL;
 #endif
 static CONF *req_conf=NULL;
 static int batch=0;
@@ -162,7 +162,9 @@ int MAIN(int argc, char **argv)
         int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM;
         int nodes=0,kludge=0,newhdr=0,subject=0,pubkey=0;
         char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL;
+#ifndef OPENSSL_NO_ENGINE
         char *engine=NULL;
+#endif
         char *extensions = NULL;
         char *req_exts = NULL;
         const EVP_CIPHER *cipher=NULL;
@@ -176,7 +178,7 @@ int MAIN(int argc, char **argv)
         const EVP_MD *md_alg=NULL,*digest=EVP_md5();
         unsigned long chtype = MBSTRING_ASC;
 #ifndef MONOLITH
-        MS_STATIC char config_name[256];
+        char *to_free;
         long errline;
 #endif
 
@@ -210,11 +212,13 @@ int MAIN(int argc, char **argv)
                         if (--argc < 1) goto bad;
                         outformat=str2fmt(*(++argv));
                         }
+#ifndef OPENSSL_NO_ENGINE
                 else if (strcmp(*argv,"-engine") == 0)
                         {
                         if (--argc < 1) goto bad;
                         engine= *(++argv);
                         }
+#endif
                 else if (strcmp(*argv,"-key") == 0)
                         {
                         if (--argc < 1) goto bad;
@@ -428,7 +432,9 @@ bad:
                 BIO_printf(bio_err," -verify        verify signature on REQ\n");
                 BIO_printf(bio_err," -modulus       RSA modulus\n");
                 BIO_printf(bio_err," -nodes         don't encrypt the output key\n");
+#ifndef OPENSSL_NO_ENGINE
                 BIO_printf(bio_err," -engine e      use engine e, possibly a hardware device\n");
+#endif
                 BIO_printf(bio_err," -subject       output the request's subject\n");
                 BIO_printf(bio_err," -passin        private key password source\n");
                 BIO_printf(bio_err," -key file      use the private key contained in file\n");
@@ -453,7 +459,7 @@ bad:
                 BIO_printf(bio_err," -extensions .. specify certificate extension section (override value in config file)\n");
                 BIO_printf(bio_err," -reqexts ..    specify request extension section (override value in config file)\n");
                 BIO_printf(bio_err," -utf8          input characters are UTF8 (default ASCII)\n");
-                BIO_printf(bio_err," -nameopt arg   - various certificate name options\n");
+                BIO_printf(bio_err," -nameopt arg    - various certificate name options\n");
                 BIO_printf(bio_err," -reqopt arg    - various request text options\n\n");
                 goto end;
                 }
@@ -470,14 +476,7 @@ bad:
         if (p == NULL)
                 p=getenv("SSLEAY_CONF");
         if (p == NULL)
-                {
-                strlcpy(config_name,X509_get_default_cert_area(),sizeof config_name);
-#ifndef OPENSSL_SYS_VMS
-                strlcat(config_name,"/",sizeof config_name);
-#endif
-                strlcat(config_name,OPENSSL_CONF,sizeof config_name);
-                p=config_name;
-                }
+                p=to_free=make_config_name();
         default_config_file=p;
         config=NCONF_new(NULL);
         i=NCONF_load(config, p, &errline);
@@ -485,7 +484,7 @@ bad:
 
         if (template != NULL)
                 {
-                long errline;
+                long errline = -1;
 
                 if( verbose )
                         BIO_printf(bio_err,"Using configuration from %s\n",template);
@@ -624,7 +623,9 @@ bad:
         if ((in == NULL) || (out == NULL))
                 goto end;
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
         if (keyfile != NULL)
                 {
@@ -1059,6 +1060,10 @@ loop:
                 }
         ex=0;
 end:
+#ifndef MONOLITH
+        if(to_free)
+                OPENSSL_free(to_free);
+#endif
         if (ex)
                 {
                 ERR_print_errors(bio_err);
@@ -1077,7 +1082,7 @@ end:
         if (dsa_params != NULL) DSA_free(dsa_params);
 #endif
         apps_shutdown();
-        EXIT(ex);
+        OPENSSL_EXIT(ex);
         }
 
 static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int attribs,
@@ -1218,7 +1223,13 @@ start:		for (;;)
                                 }
                         /* If OBJ not recognised ignore it */
                         if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start;
-                        snprintf(buf,sizeof buf,"%s_default",v->name);
+                        if (snprintf(buf,sizeof buf,"%s_default",v->name)
+                                >= sizeof buf)
+                           {
+                           BIO_printf(bio_err,"Name '%s' too long\n",v->name);
+                           return 0;
+                           }
+
                         if ((def=NCONF_get_string(req_conf,dn_sect,buf)) == NULL)
                                 {
                                 ERR_clear_error();
@@ -1234,11 +1245,17 @@ start:		for (;;)
 
                         snprintf(buf,sizeof buf,"%s_min",v->name);
                         if (!NCONF_get_number(req_conf,dn_sect,buf, &n_min))
+                                {
+                                ERR_clear_error();
                                 n_min = -1;
+                                }
 
                         snprintf(buf,sizeof buf,"%s_max",v->name);
                         if (!NCONF_get_number(req_conf,dn_sect,buf, &n_max))
+                                {
+                                ERR_clear_error();
                                 n_max = -1;
+                                }
 
                         if (!add_DN_object(subj,v->value,def,value,nid,
                                 n_min,n_max, chtype))
@@ -1271,7 +1288,13 @@ start2:			for (;;)
                                 if ((nid=OBJ_txt2nid(type)) == NID_undef)
                                         goto start2;
 
-                                snprintf(buf,sizeof buf,"%s_default",type);
+                                if (snprintf(buf,sizeof buf,"%s_default",type)
+                                        >= sizeof buf)
+                                   {
+                                   BIO_printf(bio_err,"Name '%s' too long\n",v->name);
+                                   return 0;
+                                   }
+
                                 if ((def=NCONF_get_string(req_conf,attr_sect,buf))
                                         == NULL)
                                         {
@@ -1383,7 +1406,7 @@ start:
                 buf[0]='\0';
                 if (!batch)
                         {
-                        fgets(buf,1024,stdin);
+                        fgets(buf,sizeof buf,stdin);
                         }
                 else
                         {
@@ -1441,7 +1464,7 @@ start:
                 buf[0]='\0';
                 if (!batch)
                         {
-                        fgets(buf,1024,stdin);
+                        fgets(buf,sizeof buf,stdin);
                         }
                 else
                         {
diff --git a/src/lib/libssl/src/apps/rsa.c b/src/lib/libssl/src/apps/rsa.c
index 4e19bc16fb..0acdb08b24 100644
--- a/src/lib/libssl/src/apps/rsa.c
+++ b/src/lib/libssl/src/apps/rsa.c
@@ -104,7 +104,9 @@ int MAIN(int argc, char **argv)
         char *infile,*outfile,*prog;
         char *passargin = NULL, *passargout = NULL;
         char *passin = NULL, *passout = NULL;
+#ifndef OPENSSL_NO_ENGINE
         char *engine=NULL;
+#endif
         int modulus=0;
 
         apps_startup();
@@ -156,11 +158,13 @@ int MAIN(int argc, char **argv)
                         if (--argc < 1) goto bad;
                         passargout= *(++argv);
                         }
+#ifndef OPENSSL_NO_ENGINE
                 else if (strcmp(*argv,"-engine") == 0)
                         {
                         if (--argc < 1) goto bad;
                         engine= *(++argv);
                         }
+#endif
                 else if (strcmp(*argv,"-sgckey") == 0)
                         sgckey=1;
                 else if (strcmp(*argv,"-pubin") == 0)
@@ -212,13 +216,17 @@ bad:
                 BIO_printf(bio_err," -check          verify key consistency\n");
                 BIO_printf(bio_err," -pubin          expect a public key in input file\n");
                 BIO_printf(bio_err," -pubout         output a public key\n");
+#ifndef OPENSSL_NO_ENGINE
                 BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
+#endif
                 goto end;
                 }
 
         ERR_load_crypto_strings();
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
         if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
                 BIO_printf(bio_err, "Error getting passwords\n");
@@ -369,7 +377,7 @@ end:
         if(passin) OPENSSL_free(passin);
         if(passout) OPENSSL_free(passout);
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 #else /* !OPENSSL_NO_RSA */
 
diff --git a/src/lib/libssl/src/apps/rsautl.c b/src/lib/libssl/src/apps/rsautl.c
index 36957e5b84..5a6fd115f4 100644
--- a/src/lib/libssl/src/apps/rsautl.c
+++ b/src/lib/libssl/src/apps/rsautl.c
@@ -85,7 +85,9 @@ int MAIN(int argc, char **argv)
         ENGINE *e = NULL;
         BIO *in = NULL, *out = NULL;
         char *infile = NULL, *outfile = NULL;
+#ifndef OPENSSL_NO_ENGINE
         char *engine = NULL;
+#endif
         char *keyfile = NULL;
         char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
         int keyform = FORMAT_PEM;
@@ -125,9 +127,11 @@ int MAIN(int argc, char **argv)
                 } else if (strcmp(*argv,"-keyform") == 0) {
                         if (--argc < 1) badarg = 1;
                         keyform=str2fmt(*(++argv));
+#ifndef OPENSSL_NO_ENGINE
                 } else if(!strcmp(*argv, "-engine")) {
                         if (--argc < 1) badarg = 1;
                         engine = *(++argv);
+#endif
                 } else if(!strcmp(*argv, "-pubin")) {
                         key_type = KEY_PUBKEY;
                 } else if(!strcmp(*argv, "-certin")) {
@@ -162,7 +166,9 @@ int MAIN(int argc, char **argv)
                 goto end;
         }
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
 /* FIXME: seed PRNG only if needed */
         app_RAND_load_file(NULL, bio_err, 0);
@@ -305,7 +311,9 @@ static void usage()
         BIO_printf(bio_err, "-encrypt        encrypt with public key\n");
         BIO_printf(bio_err, "-decrypt        decrypt with private key\n");
         BIO_printf(bio_err, "-hexdump        hex dump output\n");
+#ifndef OPENSSL_NO_ENGINE
         BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
+#endif
 
 }
 
diff --git a/src/lib/libssl/src/apps/s_cb.c b/src/lib/libssl/src/apps/s_cb.c
index ca5b24548c..675527df1f 100644
--- a/src/lib/libssl/src/apps/s_cb.c
+++ b/src/lib/libssl/src/apps/s_cb.c
@@ -134,7 +134,7 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
         err=    X509_STORE_CTX_get_error(ctx);
         depth=  X509_STORE_CTX_get_error_depth(ctx);
 
-        X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256);
+        X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof buf);
         BIO_printf(bio_err,"depth=%d %s\n",depth,buf);
         if (!ok)
                 {
@@ -154,7 +154,7 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
         switch (ctx->error)
                 {
         case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
-                X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256);
+                X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,sizeof buf);
                 BIO_printf(bio_err,"issuer= %s\n",buf);
                 break;
         case X509_V_ERR_CERT_NOT_YET_VALID:
diff --git a/src/lib/libssl/src/apps/s_client.c b/src/lib/libssl/src/apps/s_client.c
index 658a79d390..2e73f34676 100644
--- a/src/lib/libssl/src/apps/s_client.c
+++ b/src/lib/libssl/src/apps/s_client.c
@@ -140,6 +140,14 @@ typedef unsigned int u_int;
 #include <conio.h>
 #endif
 
+#ifdef OPENSSL_SYS_WINCE
+/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
+#ifdef fileno
+#undef fileno
+#endif
+#define fileno(a) (int)_fileno(a)
+#endif
+
 
 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
@@ -214,7 +222,9 @@ static void sc_usage(void)
         BIO_printf(bio_err,"                 for those protocols that support it, where\n");
         BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
         BIO_printf(bio_err,"                 only \"smtp\" is supported.\n");
+#ifndef OPENSSL_NO_ENGINE
         BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
+#endif
         BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 
         }
@@ -246,8 +256,10 @@ int MAIN(int argc, char **argv)
         SSL_METHOD *meth=NULL;
         BIO *sbio;
         char *inrand=NULL;
+#ifndef OPENSSL_NO_ENGINE
         char *engine_id=NULL;
         ENGINE *e=NULL;
+#endif
 #ifdef OPENSSL_SYS_WINDOWS
         struct timeval tv;
 #endif
@@ -407,11 +419,13 @@ int MAIN(int argc, char **argv)
                         else
                                 goto bad;
                         }
+#ifndef OPENSSL_NO_ENGINE
                 else if (strcmp(*argv,"-engine") == 0)
                         {
                         if (--argc < 1) goto bad;
                         engine_id = *(++argv);
                         }
+#endif
                 else if (strcmp(*argv,"-rand") == 0)
                         {
                         if (--argc < 1) goto bad;
@@ -436,7 +450,9 @@ bad:
         OpenSSL_add_ssl_algorithms();
         SSL_load_error_strings();
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine_id, 1);
+#endif
 
         if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
                 && !RAND_status())
@@ -662,7 +678,11 @@ re_start:
                                         tv.tv_usec = 0;
                                         i=select(width,(void *)&readfds,(void *)&writefds,
                                                  NULL,&tv);
+#ifdef OPENSSL_SYS_WINCE
+                                        if(!i && (!_kbhit() || !read_tty) ) continue;
+#else
                                         if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
+#endif
                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
                                          NULL,NULL);
                         }
@@ -746,8 +766,8 @@ re_start:
                                 goto shut;
                                 }
                         }
-#ifdef OPENSSL_SYS_WINDOWS
-                /* Assume Windows can always write */
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+                /* Assume Windows/DOS can always write */
                 else if (!ssl_pending && write_tty)
 #else
                 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
@@ -828,7 +848,11 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240
                         }
 
 #ifdef OPENSSL_SYS_WINDOWS
+#ifdef OPENSSL_SYS_WINCE
+                else if (_kbhit())
+#else
                 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
+#endif
 #else
                 else if (FD_ISSET(fileno(stdin),&readfds))
 #endif
@@ -892,16 +916,16 @@ end:
         if (con != NULL) SSL_free(con);
         if (con2 != NULL) SSL_free(con2);
         if (ctx != NULL) SSL_CTX_free(ctx);
-        if (cbuf != NULL) { memset(cbuf,0,BUFSIZZ); OPENSSL_free(cbuf); }
-        if (sbuf != NULL) { memset(sbuf,0,BUFSIZZ); OPENSSL_free(sbuf); }
-        if (mbuf != NULL) { memset(mbuf,0,BUFSIZZ); OPENSSL_free(mbuf); }
+        if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
+        if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
+        if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
         if (bio_c_out != NULL)
                 {
                 BIO_free(bio_c_out);
                 bio_c_out=NULL;
                 }
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 
 
@@ -930,10 +954,10 @@ static void print_stuff(BIO *bio, SSL *s, int full)
                         for (i=0; i<sk_X509_num(sk); i++)
                                 {
                                 X509_NAME_oneline(X509_get_subject_name(
-                                        sk_X509_value(sk,i)),buf,BUFSIZ);
+                                        sk_X509_value(sk,i)),buf,sizeof buf);
                                 BIO_printf(bio,"%2d s:%s\n",i,buf);
                                 X509_NAME_oneline(X509_get_issuer_name(
-                                        sk_X509_value(sk,i)),buf,BUFSIZ);
+                                        sk_X509_value(sk,i)),buf,sizeof buf);
                                 BIO_printf(bio,"   i:%s\n",buf);
                                 if (c_showcerts)
                                         PEM_write_bio_X509(bio,sk_X509_value(sk,i));
@@ -948,10 +972,10 @@ static void print_stuff(BIO *bio, SSL *s, int full)
                         if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
                                 PEM_write_bio_X509(bio,peer);
                         X509_NAME_oneline(X509_get_subject_name(peer),
-                                buf,BUFSIZ);
+                                buf,sizeof buf);
                         BIO_printf(bio,"subject=%s\n",buf);
                         X509_NAME_oneline(X509_get_issuer_name(peer),
-                                buf,BUFSIZ);
+                                buf,sizeof buf);
                         BIO_printf(bio,"issuer=%s\n",buf);
                         }
                 else
@@ -973,7 +997,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
                         {
                         BIO_printf(bio,"---\nNo client certificate CA names sent\n");
                         }
-                p=SSL_get_shared_ciphers(s,buf,BUFSIZ);
+                p=SSL_get_shared_ciphers(s,buf,sizeof buf);
                 if (p != NULL)
                         {
                         /* This works only for SSL 2.  In later protocol
diff --git a/src/lib/libssl/src/apps/s_server.c b/src/lib/libssl/src/apps/s_server.c
index b03231f3ba..5157aae4d1 100644
--- a/src/lib/libssl/src/apps/s_server.c
+++ b/src/lib/libssl/src/apps/s_server.c
@@ -144,6 +144,14 @@ typedef unsigned int u_int;
 #include <conio.h>
 #endif
 
+#ifdef OPENSSL_SYS_WINCE
+/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
+#ifdef fileno
+#undef fileno
+#endif
+#define fileno(a) (int)_fileno(a)
+#endif
+
 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
 #undef FIONBIO
@@ -234,7 +242,9 @@ static int s_msg=0;
 static int s_quiet=0;
 
 static int hack=0;
+#ifndef OPENSSL_NO_ENGINE
 static char *engine_id=NULL;
+#endif
 static const char *session_id_prefix=NULL;
 
 #ifdef MONOLITH
@@ -259,7 +269,9 @@ static void s_server_init(void)
         s_msg=0;
         s_quiet=0;
         hack=0;
+#ifndef OPENSSL_NO_ENGINE
         engine_id=NULL;
+#endif
         }
 #endif
 
@@ -308,7 +320,9 @@ static void sv_usage(void)
         BIO_printf(bio_err," -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
         BIO_printf(bio_err," -HTTP         - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
         BIO_printf(bio_err,"                 with the assumption it contains a complete HTTP response.\n");
+#ifndef OPENSSL_NO_ENGINE
         BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
+#endif
         BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
         BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
         }
@@ -482,7 +496,9 @@ int MAIN(int argc, char *argv[])
         int no_tmp_rsa=0,no_dhe=0,nocert=0;
         int state=0;
         SSL_METHOD *meth=NULL;
+#ifndef OPENSSL_NO_ENGINE
         ENGINE *e=NULL;
+#endif
         char *inrand=NULL;
 
 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
@@ -657,11 +673,13 @@ int MAIN(int argc, char *argv[])
                         if (--argc < 1) goto bad;
                         session_id_prefix = *(++argv);
                         }
+#ifndef OPENSSL_NO_ENGINE
                 else if (strcmp(*argv,"-engine") == 0)
                         {
                         if (--argc < 1) goto bad;
                         engine_id= *(++argv);
                         }
+#endif
                 else if (strcmp(*argv,"-rand") == 0)
                         {
                         if (--argc < 1) goto bad;
@@ -686,7 +704,9 @@ bad:
         SSL_load_error_strings();
         OpenSSL_add_ssl_algorithms();
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine_id, 1);
+#endif
 
         if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
                 && !RAND_status())
@@ -860,7 +880,7 @@ end:
                 bio_s_out=NULL;
                 }
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 
 static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
@@ -1176,7 +1196,7 @@ err:
         BIO_printf(bio_s_out,"CONNECTION CLOSED\n");
         if (buf != NULL)
                 {
-                memset(buf,0,bufsize);
+                OPENSSL_cleanse(buf,bufsize);
                 OPENSSL_free(buf);
                 }
         if (ret >= 0)
@@ -1228,14 +1248,14 @@ static int init_ssl_connection(SSL *con)
                 {
                 BIO_printf(bio_s_out,"Client certificate\n");
                 PEM_write_bio_X509(bio_s_out,peer);
-                X509_NAME_oneline(X509_get_subject_name(peer),buf,BUFSIZ);
+                X509_NAME_oneline(X509_get_subject_name(peer),buf,sizeof buf);
                 BIO_printf(bio_s_out,"subject=%s\n",buf);
-                X509_NAME_oneline(X509_get_issuer_name(peer),buf,BUFSIZ);
+                X509_NAME_oneline(X509_get_issuer_name(peer),buf,sizeof buf);
                 BIO_printf(bio_s_out,"issuer=%s\n",buf);
                 X509_free(peer);
                 }
 
-        if (SSL_get_shared_ciphers(con,buf,BUFSIZ) != NULL)
+        if (SSL_get_shared_ciphers(con,buf,sizeof buf) != NULL)
                 BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
         str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
         BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
@@ -1395,7 +1415,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
                         else
                                 {
                                 BIO_printf(bio_s_out,"read R BLOCK\n");
-#ifndef OPENSSL_SYS_MSDOS
+#if !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__)
                                 sleep(1);
 #endif
                                 continue;
diff --git a/src/lib/libssl/src/apps/s_socket.c b/src/lib/libssl/src/apps/s_socket.c
index 17e087d4da..02c3f640cf 100644
--- a/src/lib/libssl/src/apps/s_socket.c
+++ b/src/lib/libssl/src/apps/s_socket.c
@@ -83,9 +83,9 @@ typedef unsigned int u_int;
 
 static struct hostent *GetHostByName(char *name);
 #ifdef OPENSSL_SYS_WINDOWS
-static void sock_cleanup(void);
+static void ssl_sock_cleanup(void);
 #endif
-static int sock_init(void);
+static int ssl_sock_init(void);
 static int init_client_ip(int *sock,unsigned char ip[4], int port);
 static int init_server(int *sock, int port);
 static int init_server_long(int *sock, int port,char *ip);
@@ -118,7 +118,7 @@ static LONG FAR PASCAL topHookProc(HWND hwnd, UINT message, WPARAM wParam,
                 case WM_DESTROY:
                 case WM_CLOSE:
                         SetWindowLong(topWnd,GWL_WNDPROC,(LONG)lpTopWndProc);
-                        sock_cleanup();
+                        ssl_sock_cleanup();
                         break;
                         }
                 }
@@ -135,26 +135,34 @@ static BOOL CALLBACK enumproc(HWND hwnd,LPARAM lParam)
 #endif /* OPENSSL_SYS_WINDOWS */
 
 #ifdef OPENSSL_SYS_WINDOWS
-static void sock_cleanup(void)
+static void ssl_sock_cleanup(void)
         {
         if (wsa_init_done)
                 {
                 wsa_init_done=0;
+#ifndef OPENSSL_SYS_WINCE
                 WSACancelBlockingCall();
+#endif
                 WSACleanup();
                 }
         }
 #endif
 
-static int sock_init(void)
+static int ssl_sock_init(void)
         {
-#ifdef OPENSSL_SYS_WINDOWS
+#ifdef WATT32
+        extern int _watt_do_exit;
+        _watt_do_exit = 0;
+        dbug_init();
+        if (sock_init())
+                return (0);
+#elif defined(OPENSSL_SYS_WINDOWS)
         if (!wsa_init_done)
                 {
                 int err;
           
 #ifdef SIGINT
-                signal(SIGINT,(void (*)(int))sock_cleanup);
+                signal(SIGINT,(void (*)(int))ssl_sock_cleanup);
 #endif
                 wsa_init_done=1;
                 memset(&wsa_state,0,sizeof(wsa_state));
@@ -196,7 +204,7 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port)
         struct sockaddr_in them;
         int s,i;
 
-        if (!sock_init()) return(0);
+        if (!ssl_sock_init()) return(0);
 
         memset((char *)&them,0,sizeof(them));
         them.sin_family=AF_INET;
@@ -261,7 +269,7 @@ static int init_server_long(int *sock, int port, char *ip)
         struct sockaddr_in server;
         int s= -1,i;
 
-        if (!sock_init()) return(0);
+        if (!ssl_sock_init()) return(0);
 
         memset((char *)&server,0,sizeof(server));
         server.sin_family=AF_INET;
@@ -318,7 +326,7 @@ static int do_accept(int acc_sock, int *sock, char **host)
         int len;
 /*      struct linger ling; */
 
-        if (!sock_init()) return(0);
+        if (!ssl_sock_init()) return(0);
 
 #ifndef OPENSSL_SYS_WINDOWS
 redoit:
@@ -448,7 +456,7 @@ static int host_ip(char *str, unsigned char ip[4])
                 { /* do a gethostbyname */
                 struct hostent *he;
 
-                if (!sock_init()) return(0);
+                if (!ssl_sock_init()) return(0);
 
                 he=GetHostByName(str);
                 if (he == NULL)
@@ -529,9 +537,12 @@ static struct hostent *GetHostByName(char *name)
                 ret=gethostbyname(name);
                 if (ret == NULL) return(NULL);
                 /* else add to cache */
-                strncpy(ghbn_cache[lowi].name,name,128);
-                memcpy((char *)&(ghbn_cache[lowi].ent),ret,sizeof(struct hostent));
-                ghbn_cache[lowi].order=ghbn_miss+ghbn_hits;
+                if(strlen(name) < sizeof ghbn_cache[0].name)
+                        {
+                        strcpy(ghbn_cache[lowi].name,name);
+                        memcpy((char *)&(ghbn_cache[lowi].ent),ret,sizeof(struct hostent));
+                        ghbn_cache[lowi].order=ghbn_miss+ghbn_hits;
+                        }
                 return(ret);
                 }
         else
diff --git a/src/lib/libssl/src/apps/s_time.c b/src/lib/libssl/src/apps/s_time.c
index 7ba5b4293c..8a699de0ea 100644
--- a/src/lib/libssl/src/apps/s_time.c
+++ b/src/lib/libssl/src/apps/s_time.c
@@ -146,6 +146,8 @@
 #undef BUFSIZZ
 #define BUFSIZZ 1024*10
 
+#define MYBUFSIZ 1024*8
+
 #undef min
 #undef max
 #define min(a,b) (((a) < (b)) ? (a) : (b))
@@ -320,6 +322,11 @@ static int parseArgs(int argc, char **argv)
                 {
                 if (--argc < 1) goto bad;
                 s_www_path= *(++argv);
+                if(strlen(s_www_path) > MYBUFSIZ-100)
+                        {
+                        BIO_printf(bio_err,"-www option too long\n");
+                        badop=1;
+                        }
                 }
         else if(strcmp(*argv,"-bugs") == 0)
             st_bugs=1;
@@ -480,7 +487,7 @@ int MAIN(int argc, char **argv)
         tm_Time_F(START);
         for (;;)
                 {
-                if (finishtime < time(NULL)) break;
+                if (finishtime < (long)time(NULL)) break;
 #ifdef WIN32_STUFF
 
                 if( flushWinMsgs(0) == -1 )
@@ -531,9 +538,9 @@ int MAIN(int argc, char **argv)
                 }
         totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
 
-        i=(int)(time(NULL)-finishtime+maxTime);
+        i=(int)((long)time(NULL)-finishtime+maxTime);
         printf( "\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double)nConn/totalTime),bytes_read);
-        printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,time(NULL)-finishtime+maxTime,bytes_read/nConn);
+        printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,(long)time(NULL)-finishtime+maxTime,bytes_read/nConn);
 
         /* Now loop and time connections using the same session id over and over */
 
@@ -565,7 +572,7 @@ next:
         nConn = 0;
         totalTime = 0.0;
 
-        finishtime=time(NULL)+maxTime;
+        finishtime=(long)time(NULL)+maxTime;
 
         printf( "starting\n" );
         bytes_read=0;
@@ -573,7 +580,7 @@ next:
                 
         for (;;)
                 {
-                if (finishtime < time(NULL)) break;
+                if (finishtime < (long)time(NULL)) break;
 
 #ifdef WIN32_STUFF
                 if( flushWinMsgs(0) == -1 )
@@ -623,7 +630,7 @@ next:
 
 
         printf( "\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double)nConn/totalTime),bytes_read);
-        printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,time(NULL)-finishtime+maxTime,bytes_read/nConn);
+        printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,(long)time(NULL)-finishtime+maxTime,bytes_read/nConn);
 
         ret=0;
 end:
@@ -635,7 +642,7 @@ end:
                 tm_ctx=NULL;
                 }
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 
 /***********************************************************************
diff --git a/src/lib/libssl/src/apps/sess_id.c b/src/lib/libssl/src/apps/sess_id.c
index 41c3b3f4a3..d91d84d220 100644
--- a/src/lib/libssl/src/apps/sess_id.c
+++ b/src/lib/libssl/src/apps/sess_id.c
@@ -273,7 +273,7 @@ end:
         if (out != NULL) BIO_free_all(out);
         if (x != NULL) SSL_SESSION_free(x);
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 
 static SSL_SESSION *load_sess_id(char *infile, int format)
diff --git a/src/lib/libssl/src/apps/smime.c b/src/lib/libssl/src/apps/smime.c
index ef0e477464..cc248d377b 100644
--- a/src/lib/libssl/src/apps/smime.c
+++ b/src/lib/libssl/src/apps/smime.c
@@ -104,7 +104,9 @@ int MAIN(int argc, char **argv)
         int need_rand = 0;
         int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
         int keyform = FORMAT_PEM;
+#ifndef OPENSSL_NO_ENGINE
         char *engine=NULL;
+#endif
 
         args = argv + 1;
         ret = 1;
@@ -176,11 +178,13 @@ int MAIN(int argc, char **argv)
                                 inrand = *args;
                         } else badarg = 1;
                         need_rand = 1;
+#ifndef OPENSSL_NO_ENGINE
                 } else if (!strcmp(*args,"-engine")) {
                         if (args[1]) {
                                 args++;
                                 engine = *args;
                         } else badarg = 1;
+#endif
                 } else if (!strcmp(*args,"-passin")) {
                         if (args[1]) {
                                 args++;
@@ -330,7 +334,9 @@ int MAIN(int argc, char **argv)
                 BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
                 BIO_printf (bio_err, "-crl_check     check revocation status of signer's certificate using CRLs\n");
                 BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
+#ifndef OPENSSL_NO_ENGINE
                 BIO_printf (bio_err, "-engine e      use engine e, possibly a hardware device.\n");
+#endif
                 BIO_printf (bio_err, "-passin arg    input file pass phrase source\n");
                 BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
                 BIO_printf(bio_err,  "               load the file (or the files in the directory) into\n");
@@ -339,7 +345,9 @@ int MAIN(int argc, char **argv)
                 goto end;
         }
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
         if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
                 BIO_printf(bio_err, "Error getting password\n");
diff --git a/src/lib/libssl/src/apps/speed.c b/src/lib/libssl/src/apps/speed.c
index b9ab4cfcb9..ec55b4188c 100644
--- a/src/lib/libssl/src/apps/speed.c
+++ b/src/lib/libssl/src/apps/speed.c
@@ -58,6 +58,8 @@
 
 /* most of this code has been pilfered from my libdes speed.c program */
 
+#ifndef OPENSSL_NO_SPEED
+
 #undef SECONDS
 #define SECONDS         3       
 #define RSA_SECONDS     10
@@ -187,7 +189,8 @@
 
 /* The following if from times(3) man page.  It may need to be changed */
 #ifndef HZ
-# ifdef _SC_CLK_TCK
+# if defined(_SC_CLK_TCK) \
+     && (!defined(OPENSSL_SYS_VMS) || __CTRL_VER >= 70000000)
 #  define HZ ((double)sysconf(_SC_CLK_TCK))
 # else
 #  ifndef CLK_TCK
@@ -369,7 +372,9 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
         {
+#ifndef OPENSSL_NO_ENGINE
         ENGINE *e = NULL;
+#endif
         unsigned char *buf=NULL,*buf2=NULL;
         int mret=1;
         long count=0,save_count=0;
@@ -589,6 +594,7 @@ int MAIN(int argc, char **argv)
                         j--;    /* Otherwise, -elapsed gets confused with
                                    an algorithm. */
                         }
+#ifndef OPENSSL_NO_ENGINE
                 else if ((argc > 0) && (strcmp(*argv,"-engine") == 0))
                         {
                         argc--;
@@ -605,6 +611,7 @@ int MAIN(int argc, char **argv)
                            means all of them should be run) */
                         j--;
                         }
+#endif
 #ifdef HAVE_FORK
                 else if ((argc > 0) && (strcmp(*argv,"-multi") == 0))
                         {
@@ -864,7 +871,9 @@ int MAIN(int argc, char **argv)
 #if defined(TIMES) || defined(USE_TOD)
                         BIO_printf(bio_err,"-elapsed        measure time in real time instead of CPU user time.\n");
 #endif
+#ifndef OPENSSL_NO_ENGINE
                         BIO_printf(bio_err,"-engine e       use engine e, possibly a hardware device.\n");
+#endif
                         BIO_printf(bio_err,"-evp e          use EVP e.\n");
                         BIO_printf(bio_err,"-decrypt        time decryption instead of encryption (only EVP).\n");
                         BIO_printf(bio_err,"-mr             produce machine readable output.\n");
@@ -1392,6 +1401,7 @@ int MAIN(int argc, char **argv)
                                 else
                                         EVP_EncryptFinal_ex(&ctx,buf,&outl);
                                 d=Time_F(STOP);
+                                EVP_CIPHER_CTX_cleanup(&ctx);
                                 }
                         if (evp_md)
                                 {
@@ -1728,7 +1738,7 @@ end:
                         DSA_free(dsa_key[i]);
 #endif
         apps_shutdown();
-        EXIT(mret);
+        OPENSSL_EXIT(mret);
         }
 
 static void print_message(const char *s, long num, int length)
@@ -1781,7 +1791,7 @@ static char *sstrsep(char **string, const char *delim)
     if (**string == 0)
         return NULL;
 
-    memset(isdelim, 0, 256);
+    memset(isdelim, 0, sizeof isdelim);
     isdelim[0] = 1;
 
     while (*delim)
@@ -1938,3 +1948,4 @@ static int do_multi(int multi)
         return 1;
         }
 #endif
+#endif
diff --git a/src/lib/libssl/src/apps/spkac.c b/src/lib/libssl/src/apps/spkac.c
index 4ce53e36c9..47ee53f1ee 100644
--- a/src/lib/libssl/src/apps/spkac.c
+++ b/src/lib/libssl/src/apps/spkac.c
@@ -92,7 +92,9 @@ int MAIN(int argc, char **argv)
         CONF *conf = NULL;
         NETSCAPE_SPKI *spki = NULL;
         EVP_PKEY *pkey = NULL;
+#ifndef OPENSSL_NO_ENGINE
         char *engine=NULL;
+#endif
 
         apps_startup();
 
@@ -141,11 +143,13 @@ int MAIN(int argc, char **argv)
                         if (--argc < 1) goto bad;
                         spksect= *(++argv);
                         }
+#ifndef OPENSSL_NO_ENGINE
                 else if (strcmp(*argv,"-engine") == 0)
                         {
                         if (--argc < 1) goto bad;
                         engine= *(++argv);
                         }
+#endif
                 else if (strcmp(*argv,"-noout") == 0)
                         noout=1;
                 else if (strcmp(*argv,"-pubkey") == 0)
@@ -171,7 +175,9 @@ bad:
                 BIO_printf(bio_err," -noout         don't print SPKAC\n");
                 BIO_printf(bio_err," -pubkey        output public key\n");
                 BIO_printf(bio_err," -verify        verify SPKAC signature\n");
+#ifndef OPENSSL_NO_ENGINE
                 BIO_printf(bio_err," -engine e      use engine e, possibly a hardware device.\n");
+#endif
                 goto end;
                 }
 
@@ -181,7 +187,9 @@ bad:
                 goto end;
         }
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
         if(keyfile) {
                 pkey = load_key(bio_err,
@@ -295,5 +303,5 @@ end:
         EVP_PKEY_free(pkey);
         if(passin) OPENSSL_free(passin);
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
diff --git a/src/lib/libssl/src/apps/verify.c b/src/lib/libssl/src/apps/verify.c
index 215ef84fc7..6a93c018b8 100644
--- a/src/lib/libssl/src/apps/verify.c
+++ b/src/lib/libssl/src/apps/verify.c
@@ -86,7 +86,9 @@ int MAIN(int argc, char **argv)
         STACK_OF(X509) *untrusted = NULL, *trusted = NULL;
         X509_STORE *cert_ctx=NULL;
         X509_LOOKUP *lookup=NULL;
+#ifndef OPENSSL_NO_ENGINE
         char *engine=NULL;
+#endif
 
         cert_ctx=X509_STORE_new();
         if (cert_ctx == NULL) goto end;
@@ -142,11 +144,13 @@ int MAIN(int argc, char **argv)
                                 if (argc-- < 1) goto end;
                                 trustfile= *(++argv);
                                 }
+#ifndef OPENSSL_NO_ENGINE
                         else if (strcmp(*argv,"-engine") == 0)
                                 {
                                 if (--argc < 1) goto end;
                                 engine= *(++argv);
                                 }
+#endif
                         else if (strcmp(*argv,"-help") == 0)
                                 goto end;
                         else if (strcmp(*argv,"-ignore_critical") == 0)
@@ -170,7 +174,9 @@ int MAIN(int argc, char **argv)
                         break;
                 }
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
         lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file());
         if (lookup == NULL) abort();
@@ -219,7 +225,11 @@ int MAIN(int argc, char **argv)
         ret=0;
 end:
         if (ret == 1) {
-                BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...\n");
+                BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
+#ifndef OPENSSL_NO_ENGINE
+                BIO_printf(bio_err," [-engine e]");
+#endif
+                BIO_printf(bio_err," cert1 cert2 ...\n");
                 BIO_printf(bio_err,"recognized usages:\n");
                 for(i = 0; i < X509_PURPOSE_get_count(); i++) {
                         X509_PURPOSE *ptmp;
@@ -232,7 +242,7 @@ end:
         sk_X509_pop_free(untrusted, X509_free);
         sk_X509_pop_free(trusted, X509_free);
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 
 static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose, ENGINE *e)
@@ -330,7 +340,8 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
         if (!ok)
                 {
                 X509_NAME_oneline(
-                                X509_get_subject_name(ctx->current_cert),buf,256);
+                                X509_get_subject_name(ctx->current_cert),buf,
+                                sizeof buf);
                 printf("%s\n",buf);
                 printf("error %d at %d depth lookup:%s\n",ctx->error,
                         ctx->error_depth,
diff --git a/src/lib/libssl/src/apps/version.c b/src/lib/libssl/src/apps/version.c
index 0cbcb47f88..0843b67565 100644
--- a/src/lib/libssl/src/apps/version.c
+++ b/src/lib/libssl/src/apps/version.c
@@ -200,5 +200,5 @@ int MAIN(int argc, char **argv)
         if (dir)  printf("%s\n",SSLeay_version(SSLEAY_DIR));
 end:
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
diff --git a/src/lib/libssl/src/apps/winrand.c b/src/lib/libssl/src/apps/winrand.c
index d042258b50..59bede3d70 100644
--- a/src/lib/libssl/src/apps/winrand.c
+++ b/src/lib/libssl/src/apps/winrand.c
@@ -118,7 +118,6 @@ LRESULT CALLBACK WndProc(HWND hwnd, UINT iMsg, WPARAM wParam, LPARAM lParam)
         HDC hdc;
         PAINTSTRUCT ps;
         RECT rect;
-        char buffer[200];
         static int seeded = 0;
 
         switch (iMsg)
diff --git a/src/lib/libssl/src/apps/x509.c b/src/lib/libssl/src/apps/x509.c
index 7681e7e8ba..e300bb82cf 100644
--- a/src/lib/libssl/src/apps/x509.c
+++ b/src/lib/libssl/src/apps/x509.c
@@ -122,7 +122,7 @@ static char *x509_usage[]={
 " -CAkey arg      - set the CA key, must be PEM format\n",
 "                   missing, it is assumed to be in the CA file.\n",
 " -CAcreateserial - create serial number file if it does not exist\n",
-" -CAserial       - serial file\n",
+" -CAserial arg   - serial file\n",
 " -set_serial     - serial number to use\n",
 " -text           - print the certificate in text form\n",
 " -C              - print out C code forms\n",
@@ -131,7 +131,9 @@ static char *x509_usage[]={
 " -extensions     - section from config file with X509V3 extensions to add\n",
 " -clrext         - delete extensions before signing and input certificate\n",
 " -nameopt arg    - various certificate name options\n",
+#ifndef OPENSSL_NO_ENGINE
 " -engine e       - use engine e, possibly a hardware device.\n",
+#endif
 " -certopt arg    - various certificate text options\n",
 NULL
 };
@@ -183,7 +185,9 @@ int MAIN(int argc, char **argv)
         int need_rand = 0;
         int checkend=0,checkoffset=0;
         unsigned long nmflag = 0, certflag = 0;
+#ifndef OPENSSL_NO_ENGINE
         char *engine=NULL;
+#endif
 
         reqfile=0;
 
@@ -354,17 +358,13 @@ int MAIN(int argc, char **argv)
                         if (--argc < 1) goto bad;
                         if (!set_name_ex(&nmflag, *(++argv))) goto bad;
                         }
-                else if (strcmp(*argv,"-setalias") == 0)
-                        {
-                        if (--argc < 1) goto bad;
-                        alias= *(++argv);
-                        trustout = 1;
-                        }
+#ifndef OPENSSL_NO_ENGINE
                 else if (strcmp(*argv,"-engine") == 0)
                         {
                         if (--argc < 1) goto bad;
                         engine= *(++argv);
                         }
+#endif
                 else if (strcmp(*argv,"-C") == 0)
                         C= ++num;
                 else if (strcmp(*argv,"-email") == 0)
@@ -450,7 +450,9 @@ bad:
                 goto end;
                 }
 
+#ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine, 0);
+#endif
 
         if (need_rand)
                 app_RAND_load_file(NULL, bio_err, 0);
@@ -479,7 +481,7 @@ bad:
 
         if (extfile)
                 {
-                long errorline;
+                long errorline = -1;
                 X509V3_CTX ctx2;
                 extconf = NCONF_new(NULL);
                 if (!NCONF_load(extconf, extfile,&errorline))
@@ -770,10 +772,11 @@ bad:
                                 int y,z;
 
                                 X509_NAME_oneline(X509_get_subject_name(x),
-                                        buf,256);
+                                        buf,sizeof buf);
                                 BIO_printf(STDout,"/* subject:%s */\n",buf);
                                 m=X509_NAME_oneline(
-                                        X509_get_issuer_name(x),buf,256);
+                                        X509_get_issuer_name(x),buf,
+                                        sizeof buf);
                                 BIO_printf(STDout,"/* issuer :%s */\n",buf);
 
                                 z=i2d_X509(x,NULL);
@@ -1016,7 +1019,7 @@ end:
         sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
         if (passin) OPENSSL_free(passin);
         apps_shutdown();
-        EXIT(ret);
+        OPENSSL_EXIT(ret);
         }
 
 static ASN1_INTEGER *load_serial(char *CAfile, char *serialfile, int create)
@@ -1076,7 +1079,7 @@ static ASN1_INTEGER *load_serial(char *CAfile, char *serialfile, int create)
                 }
         else 
                 {
-                if (!a2i_ASN1_INTEGER(io,bs,buf2,1024))
+                if (!a2i_ASN1_INTEGER(io,bs,buf2,sizeof buf2))
                         {
                         BIO_printf(bio_err,"unable to load serial number from %s\n",buf);
                         ERR_print_errors(bio_err);
diff --git a/src/lib/libssl/src/config b/src/lib/libssl/src/config
index 3e9af7680a..b3bd96bbfc 100644
--- a/src/lib/libssl/src/config
+++ b/src/lib/libssl/src/config
@@ -74,34 +74,27 @@ if [ "x$XREL" != "x" ]; then
                 echo "whatever-whatever-sco5"; exit 0
                 ;;
             4.2MP)
-                if [ "x$VERSION" = "x2.01" ]; then
-                    echo "${MACHINE}-whatever-unixware201"; exit 0
-                elif [ "x$VERSION" = "x2.02" ]; then
-                    echo "${MACHINE}-whatever-unixware202"; exit 0
-                elif [ "x$VERSION" = "x2.03" ]; then
-                    echo "${MACHINE}-whatever-unixware203"; exit 0
-                elif [ "x$VERSION" = "x2.1.1" ]; then
-                    echo "${MACHINE}-whatever-unixware211"; exit 0
-                elif [ "x$VERSION" = "x2.1.2" ]; then
-                    echo "${MACHINE}-whatever-unixware212"; exit 0
-                elif [ "x$VERSION" = "x2.1.3" ]; then
-                    echo "${MACHINE}-whatever-unixware213"; exit 0
-                else
-                    echo "${MACHINE}-whatever-unixware2"; exit 0
-                fi
+                case "x${VERSION}" in
+                    x2.0*) echo "whatever-whatever-unixware20"; exit 0 ;;
+                    x2.1*) echo "whatever-whatever-unixware21"; exit 0 ;;
+                    x2*)   echo "whatever-whatever-unixware2";  exit 0 ;;
+                esac
                 ;;
             4.2)
-                echo "whatever-whatever-unixware1"; exit 0
-                ;;
-            OpenUNIX)
-                if [ "`echo x$VERSION | sed -e 's/\..*//'`" = "x8" ]; then
-                    echo "${MACHINE}-unknown-OpenUNIX${VERSION}"; exit 0
-                fi
+                echo "i386-whatever-unixware1"; exit 0
                 ;;
             5)
-                if [ "`echo x$VERSION | sed -e 's/\..*//'`" = "x7" ]; then
-                    echo "${MACHINE}-sco-unixware7"; exit 0
-                fi
+                case "x${VERSION}" in
+                    # We hardcode i586 in place of ${MACHINE} for the
+                    # following reason. The catch is that even though Pentium
+                    # is minimum requirement for platforms in question,
+                    # ${MACHINE} gets always assigned to i386. Now, problem
+                    # with i386 is that it makes ./config pass 386 to
+                    # ./Configure, which in turn makes make generate
+                    # inefficient SHA-1 (for this moment) code.
+                    x7*)  echo "i586-sco-unixware7";           exit 0 ;;
+                    x8*)  echo "i586-unkn-OpenUNIX${VERSION}"; exit 0 ;;
+                esac
                 ;;
         esac
     fi
@@ -196,7 +189,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
         echo "${MACHINE}-whatever-bsdi"; exit 0
         ;;
 
-    FreeBSD:*)
+    FreeBSD:*:*:*386*)
         VERS=`echo ${RELEASE} | sed -e 's/[-(].*//'`
         MACH=`sysctl -n hw.model`
         ARCH='whatever'
@@ -205,7 +198,6 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
            *486*       ) MACH="i486"     ;;
            Pentium\ II*) MACH="i686"     ;;
            Pentium*    ) MACH="i586"     ;;
-           Alpha*      ) MACH="alpha"    ;;
            *           ) MACH="$MACHINE" ;;
         esac
         case ${MACH} in
@@ -214,6 +206,10 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
         echo "${MACH}-${ARCH}-freebsd${VERS}"; exit 0
         ;;
 
+    FreeBSD:*)
+        echo "${MACHINE}-whatever-freebsd"; exit 0
+        ;;
+
     NetBSD:*:*:*386*)
         echo "`(/usr/sbin/sysctl -n hw.model || /sbin/sysctl -n hw.model) | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0
         ;;
@@ -351,6 +347,10 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
     *CRAY*)
        echo "j90-cray-unicos"; exit 0;
        ;;
+
+    NONSTOP_KERNEL*)
+       echo "nsr-tandem-nsk"; exit 0;
+       ;;
 esac
 
 #
@@ -457,6 +457,10 @@ if [ "${SYSTEM}-${MACHINE}" = "Linux-alpha" ]; then
   fi
 fi
 
+if [ "${SYSTEM}" = "AIX" ]; then        # favor vendor cc over gcc
+    (cc) 2>&1 | grep -iv "not found" > /dev/null && CC=cc
+fi
+
 CCVER=${CCVER:-0}
 
 # read the output of the embedded GuessOS 
@@ -469,7 +473,7 @@ echo Operating system: $GUESSOS
 # more time that I want to waste at the moment
 case "$GUESSOS" in
   mips2-sgi-irix)
-        CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+        CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
         CPU=${CPU:-0}
         if [ $CPU -ge 4000 ]; then
                 options="$options -mips2"
@@ -477,7 +481,7 @@ case "$GUESSOS" in
         OUT="irix-$CC"
         ;;
   mips3-sgi-irix)
-        CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+        CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
         CPU=${CPU:-0}
         if [ $CPU -ge 5000 ]; then
                 options="$options -mips4"
@@ -493,7 +497,7 @@ case "$GUESSOS" in
           echo "         You have about 5 seconds to press Ctrl-C to abort."
           (stty -icanon min 0 time 50; read waste) < /dev/tty
         fi
-        CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+        CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
         CPU=${CPU:-0}
         if [ $CPU -ge 5000 ]; then
                 options="$options -mips4"
@@ -543,12 +547,13 @@ EOF
   ppc-apple-darwin*) OUT="darwin-ppc-cc" ;;
   i386-apple-darwin*) OUT="darwin-i386-cc" ;;
   sparc64-*-linux2)
-        #Before we can uncomment following lines we have to wait at least
-        #till 64-bit glibc for SPARC is operational:-(
-        #echo "WARNING! If you wish to build 64-bit library, then you have to"
-        #echo "         invoke './Configure linux64-sparcv9' *manually*."
-        #echo "         Type return if you want to continue, Ctrl-C to abort."
-        #read waste < /dev/tty
+        echo "WARNING! If you *know* that your GNU C supports 64-bit/V9 ABI"
+        echo "         and wish to build 64-bit library, then you have to"
+        echo "         invoke './Configure linux64-sparcv9' *manually*."
+        if [ "$TEST" = "false" ]; then
+          echo "          You have about 5 seconds to press Ctrl-C to abort."
+          (stty -icanon min 0 time 50; read waste) < /dev/tty
+        fi
         OUT="linux-sparcv9" ;;
   sparc-*-linux2)
         KARCH=`awk '/^type/{print$3}' /proc/cpuinfo`
@@ -581,6 +586,7 @@ EOF
   arm*-*-linux2) OUT="linux-elf-arm" ;;
   s390-*-linux2) OUT="linux-s390" ;;
   s390x-*-linux?) OUT="linux-s390x" ;;
+  x86_64-*-linux?) OUT="linux-x86_64" ;;
   *-*-linux2) OUT="linux-elf"
         if [ "$GCCVER" -gt 28 ]; then
           if grep '^model.*Pentium' /proc/cpuinfo >/dev/null ; then
@@ -634,6 +640,8 @@ EOF
   *86*-*-solaris2) OUT="solaris-x86-$CC" ;;
   *-*-sunos4) OUT="sunos-$CC" ;;
   alpha*-*-freebsd*) OUT="FreeBSD-alpha" ;;
+  sparc64-*-freebsd*) OUT="FreeBSD-sparc64" ;;
+  ia64-*-freebsd*) OUT="FreeBSD-ia64" ;;
   *-freebsd[3-9]*) OUT="FreeBSD-elf" ;;
   *-freebsd[1-2]*) OUT="FreeBSD" ;;
   *86*-*-netbsd) OUT="NetBSD-x86" ;;
@@ -690,9 +698,11 @@ EOF
         CPU_VERSION=${CPU_VERSION:-0}
         # See <sys/unistd.h> for further info on CPU_VERSION.
         if   [ $CPU_VERSION -ge 768 ]; then     # IA-64 CPU
-             echo "NOTICE! 64-bit is the only ABI currently operational on HP-UXi."
-             echo "        Post request to openssl-dev@openssl.org for 32-bit support."
+             echo "WARNING! 64-bit ABI is the default configured ABI on HP-UXi."
+             echo "         If you wish to build 32-bit library, the you have to"
+             echo "         invoke './Configure hpux-ia32-cc' *manually*."
              if [ "$TEST" = "false" ]; then
+                echo "         You have about 5 seconds to press Ctrl-C to abort."
                 (stty -icanon min 0 time 50; read waste) < /dev/tty
              fi
              OUT="hpux64-ia64-cc"
@@ -725,6 +735,7 @@ EOF
   *-*-cygwin) OUT="Cygwin" ;;
   t3e-cray-unicosmk) OUT="cray-t3e" ;;
   j90-cray-unicos) OUT="cray-j90" ;;
+  nsr-tandem-nsk) OUT="tandem-c89" ;;
   *) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;;
 esac
 
@@ -759,7 +770,7 @@ case "$GUESSOS" in
   i386-*) options="$options 386" ;;
 esac
 
-for i in bf cast des dh dsa ec hmac idea md2 md5 mdc2 rc2 rc4 rc5 rijndael ripemd rsa sha
+for i in bf cast des dh dsa ec hmac idea md2 md5 mdc2 rc2 rc4 rc5 aes ripemd rsa sha
 do
   if [ ! -d crypto/$i ]
   then
diff --git a/src/lib/libssl/src/crypto/Makefile.ssl b/src/lib/libssl/src/crypto/Makefile.ssl
index db8baf385e..3071e3cb86 100644
--- a/src/lib/libssl/src/crypto/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/Makefile.ssl
@@ -36,8 +36,8 @@ GENERAL=Makefile README crypto-lib.com install.com
 
 LIB= $(TOP)/libcrypto.a
 SHARED_LIB= libcrypto$(SHLIB_EXT)
-LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c
-LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o
+LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c
+LIBOBJ= cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o
 
 SRC= $(LIBSRC)
 
@@ -136,12 +136,12 @@ lint:
 
 depend:
         if [ ! -f buildinf.h ]; then touch buildinf.h; fi # fake buildinf.h if it does not exist
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDE) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
         if [ ! -s buildinf.h ]; then rm buildinf.h; fi
         @for i in $(SDIRS) ;\
         do \
         (cd $$i && echo "making depend in crypto/$$i..." && \
-        $(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' PERL='${PERL}' depend ); \
+        $(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' PERL='${PERL}' depend ); \
         done;
 
 clean:
@@ -193,6 +193,10 @@ mem.o: ../include/openssl/err.h ../include/openssl/lhash.h
 mem.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 mem.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 mem.o: ../include/openssl/symhacks.h cryptlib.h mem.c
+mem_clr.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+mem_clr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+mem_clr.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+mem_clr.o: ../include/openssl/symhacks.h mem_clr.c
 mem_dbg.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 mem_dbg.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 mem_dbg.o: ../include/openssl/err.h ../include/openssl/lhash.h
diff --git a/src/lib/libssl/src/crypto/aes/Makefile.ssl b/src/lib/libssl/src/crypto/aes/Makefile.ssl
index 9358802a2e..f353aeb697 100644
--- a/src/lib/libssl/src/crypto/aes/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/aes/Makefile.ssl
@@ -75,7 +75,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/aes/aes.h b/src/lib/libssl/src/crypto/aes/aes.h
index e8da921ec5..8294a41a3a 100644
--- a/src/lib/libssl/src/crypto/aes/aes.h
+++ b/src/lib/libssl/src/crypto/aes/aes.h
@@ -56,8 +56,9 @@
 #error AES is disabled.
 #endif
 
-static const int AES_DECRYPT = 0;
-static const int AES_ENCRYPT = 1;
+#define AES_ENCRYPT     1
+#define AES_DECRYPT     0
+
 /* Because array size can't be a const in C, the following two are macros.
    Both sizes are in bytes. */
 #define AES_MAXNR 14
@@ -99,7 +100,9 @@ void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
         unsigned char *ivec, int *num);
 void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
         const unsigned long length, const AES_KEY *key,
-        unsigned char *counter, unsigned int *num);
+        unsigned char counter[AES_BLOCK_SIZE],
+        unsigned char ecount_buf[AES_BLOCK_SIZE],
+        unsigned int *num);
 
 
 #ifdef  __cplusplus
diff --git a/src/lib/libssl/src/crypto/aes/aes_cbc.c b/src/lib/libssl/src/crypto/aes/aes_cbc.c
index 3dfd7aba2a..de438306b1 100644
--- a/src/lib/libssl/src/crypto/aes/aes_cbc.c
+++ b/src/lib/libssl/src/crypto/aes/aes_cbc.c
@@ -49,7 +49,13 @@
  *
  */
 
+#ifndef AES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
 #include <assert.h>
+
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
@@ -57,33 +63,49 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
                      const unsigned long length, const AES_KEY *key,
                      unsigned char *ivec, const int enc) {
 
-        int n;
+        unsigned long n;
         unsigned long len = length;
-        unsigned char tmp[16];
+        unsigned char tmp[AES_BLOCK_SIZE];
 
         assert(in && out && key && ivec);
-        assert(length % AES_BLOCK_SIZE == 0);
         assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
 
-        if (AES_ENCRYPT == enc)
-                while (len > 0) {
-                        for(n=0; n < 16; ++n)
+        if (AES_ENCRYPT == enc) {
+                while (len >= AES_BLOCK_SIZE) {
+                        for(n=0; n < sizeof tmp; ++n)
                                 tmp[n] = in[n] ^ ivec[n];
                         AES_encrypt(tmp, out, key);
-                        memcpy(ivec, out, 16);
-                        len -= 16;
-                        in += 16;
-                        out += 16;
+                        memcpy(ivec, out, AES_BLOCK_SIZE);
+                        len -= AES_BLOCK_SIZE;
+                        in += AES_BLOCK_SIZE;
+                        out += AES_BLOCK_SIZE;
                 }
-        else
-                while (len > 0) {
-                        memcpy(tmp, in, 16);
+                if (len) {
+                        for(n=0; n < len; ++n)
+                                tmp[n] = in[n] ^ ivec[n];
+                        for(n=len; n < AES_BLOCK_SIZE; ++n)
+                                tmp[n] = ivec[n];
+                        AES_encrypt(tmp, tmp, key);
+                        memcpy(out, tmp, len);
+                        memcpy(ivec, tmp, sizeof tmp);
+                }                       
+        } else {
+                while (len >= AES_BLOCK_SIZE) {
+                        memcpy(tmp, in, sizeof tmp);
                         AES_decrypt(in, out, key);
-                        for(n=0; n < 16; ++n)
+                        for(n=0; n < AES_BLOCK_SIZE; ++n)
                                 out[n] ^= ivec[n];
-                        memcpy(ivec, tmp, 16);
-                        len -= 16;
-                        in += 16;
-                        out += 16;
+                        memcpy(ivec, tmp, AES_BLOCK_SIZE);
+                        len -= AES_BLOCK_SIZE;
+                        in += AES_BLOCK_SIZE;
+                        out += AES_BLOCK_SIZE;
                 }
+                if (len) {
+                        memcpy(tmp, in, sizeof tmp);
+                        AES_decrypt(tmp, tmp, key);
+                        for(n=0; n < len; ++n)
+                                out[n] ^= ivec[n];
+                        memcpy(ivec, tmp, sizeof tmp);
+                }                       
+        }
 }
diff --git a/src/lib/libssl/src/crypto/aes/aes_cfb.c b/src/lib/libssl/src/crypto/aes/aes_cfb.c
index 41c2a5ec3d..9b569dda90 100644
--- a/src/lib/libssl/src/crypto/aes/aes_cfb.c
+++ b/src/lib/libssl/src/crypto/aes/aes_cfb.c
@@ -105,7 +105,13 @@
  * [including the GNU Public Licence.]
  */
 
+#ifndef AES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
 #include <assert.h>
+
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
diff --git a/src/lib/libssl/src/crypto/aes/aes_core.c b/src/lib/libssl/src/crypto/aes/aes_core.c
index 937988dd8c..2f41a825f8 100644
--- a/src/lib/libssl/src/crypto/aes/aes_core.c
+++ b/src/lib/libssl/src/crypto/aes/aes_core.c
@@ -28,7 +28,13 @@
 /* Note: rewritten a little bit to provide error control and an OpenSSL-
    compatible API */
 
+#ifndef AES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
 #include <assert.h>
+
 #include <stdlib.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
@@ -744,7 +750,7 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
         rk[2] = GETU32(userKey +  8);
         rk[3] = GETU32(userKey + 12);
         if (bits == 128) {
-                for (;;) {
+                while (1) {
                         temp  = rk[3];
                         rk[4] = rk[0] ^
                                 (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
@@ -764,7 +770,7 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
         rk[4] = GETU32(userKey + 16);
         rk[5] = GETU32(userKey + 20);
         if (bits == 192) {
-                for (;;) {
+                while (1) {
                         temp = rk[ 5];
                         rk[ 6] = rk[ 0] ^
                                 (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
@@ -786,7 +792,7 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
         rk[6] = GETU32(userKey + 24);
         rk[7] = GETU32(userKey + 28);
         if (bits == 256) {
-                for (;;) {
+                while (1) {
                         temp = rk[ 7];
                         rk[ 8] = rk[ 0] ^
                                 (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
diff --git a/src/lib/libssl/src/crypto/aes/aes_ctr.c b/src/lib/libssl/src/crypto/aes/aes_ctr.c
index aea3db2092..59088499a0 100644
--- a/src/lib/libssl/src/crypto/aes/aes_ctr.c
+++ b/src/lib/libssl/src/crypto/aes/aes_ctr.c
@@ -49,7 +49,13 @@
  *
  */
 
+#ifndef AES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
 #include <assert.h>
+
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
@@ -90,26 +96,31 @@ static void AES_ctr128_inc(unsigned char *counter) {
 
 /* The input encrypted as though 128bit counter mode is being
  * used.  The extra state information to record how much of the
- * 128bit block we have used is contained in *num;
+ * 128bit block we have used is contained in *num, and the
+ * encrypted counter is kept in ecount_buf.  Both *num and
+ * ecount_buf must be initialised with zeros before the first
+ * call to AES_ctr128_encrypt().
  */
 void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
         const unsigned long length, const AES_KEY *key,
-        unsigned char *counter, unsigned int *num) {
+        unsigned char counter[AES_BLOCK_SIZE],
+        unsigned char ecount_buf[AES_BLOCK_SIZE],
+        unsigned int *num) {
 
         unsigned int n;
         unsigned long l=length;
-        unsigned char tmp[AES_BLOCK_SIZE];
 
         assert(in && out && key && counter && num);
+        assert(*num < AES_BLOCK_SIZE);
 
         n = *num;
 
         while (l--) {
                 if (n == 0) {
-                        AES_encrypt(counter, tmp, key);
+                        AES_encrypt(counter, ecount_buf, key);
                         AES_ctr128_inc(counter);
                 }
-                *(out++) = *(in++) ^ tmp[n];
+                *(out++) = *(in++) ^ ecount_buf[n];
                 n = (n+1) % AES_BLOCK_SIZE;
         }
 
diff --git a/src/lib/libssl/src/crypto/aes/aes_ecb.c b/src/lib/libssl/src/crypto/aes/aes_ecb.c
index 1cb2e07d3d..28aa561c2d 100644
--- a/src/lib/libssl/src/crypto/aes/aes_ecb.c
+++ b/src/lib/libssl/src/crypto/aes/aes_ecb.c
@@ -49,7 +49,13 @@
  *
  */
 
+#ifndef AES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
 #include <assert.h>
+
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
diff --git a/src/lib/libssl/src/crypto/aes/aes_locl.h b/src/lib/libssl/src/crypto/aes/aes_locl.h
index 18fc2d0747..f290946058 100644
--- a/src/lib/libssl/src/crypto/aes/aes_locl.h
+++ b/src/lib/libssl/src/crypto/aes/aes_locl.h
@@ -62,7 +62,7 @@
 #include <stdlib.h>
 #include <string.h>
 
-#ifdef _MSC_VER
+#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE)
 # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
 # define GETU32(p) SWAP(*((u32 *)(p)))
 # define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
diff --git a/src/lib/libssl/src/crypto/aes/aes_ofb.c b/src/lib/libssl/src/crypto/aes/aes_ofb.c
index e33bdaea28..f358bb39e2 100644
--- a/src/lib/libssl/src/crypto/aes/aes_ofb.c
+++ b/src/lib/libssl/src/crypto/aes/aes_ofb.c
@@ -105,7 +105,13 @@
  * [including the GNU Public Licence.]
  */
 
+#ifndef AES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
 #include <assert.h>
+
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
diff --git a/src/lib/libssl/src/crypto/asn1/Makefile.ssl b/src/lib/libssl/src/crypto/asn1/Makefile.ssl
index b5a186c904..cb45194d48 100644
--- a/src/lib/libssl/src/crypto/asn1/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/asn1/Makefile.ssl
@@ -98,7 +98,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -286,13 +286,14 @@ a_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 a_sign.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 a_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 a_sign.o: ../cryptlib.h a_sign.c
-a_strex.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-a_strex.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-a_strex.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_strex.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-a_strex.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-a_strex.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-a_strex.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
+a_strex.o: ../../e_os.h ../../include/openssl/aes.h
+a_strex.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_strex.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+a_strex.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+a_strex.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+a_strex.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+a_strex.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+a_strex.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 a_strex.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
 a_strex.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 a_strex.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
@@ -305,7 +306,7 @@ a_strex.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 a_strex.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 a_strex.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 a_strex.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-a_strex.o: ../../include/openssl/x509_vfy.h a_strex.c charmap.h
+a_strex.o: ../../include/openssl/x509_vfy.h ../cryptlib.h a_strex.c charmap.h
 a_strnid.o: ../../e_os.h ../../include/openssl/asn1.h
 a_strnid.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 a_strnid.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
diff --git a/src/lib/libssl/src/crypto/asn1/a_bitstr.c b/src/lib/libssl/src/crypto/asn1/a_bitstr.c
index e0265f69d2..f4ea96cd54 100644
--- a/src/lib/libssl/src/crypto/asn1/a_bitstr.c
+++ b/src/lib/libssl/src/crypto/asn1/a_bitstr.c
@@ -191,7 +191,9 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
                 if (a->data == NULL)
                         c=(unsigned char *)OPENSSL_malloc(w+1);
                 else
-                        c=(unsigned char *)OPENSSL_realloc(a->data,w+1);
+                        c=(unsigned char *)OPENSSL_realloc_clean(a->data,
+                                                                 a->length,
+                                                                 w+1);
                 if (c == NULL) return(0);
                 if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length);
                 a->data=c;
diff --git a/src/lib/libssl/src/crypto/asn1/a_bytes.c b/src/lib/libssl/src/crypto/asn1/a_bytes.c
index bb88660f58..afd27b80e1 100644
--- a/src/lib/libssl/src/crypto/asn1/a_bytes.c
+++ b/src/lib/libssl/src/crypto/asn1/a_bytes.c
@@ -285,7 +285,7 @@ static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c)
                         goto err;
                         }
 
-                if (!BUF_MEM_grow(&b,num+os->length))
+                if (!BUF_MEM_grow_clean(&b,num+os->length))
                         {
                         c->error=ERR_R_BUF_LIB;
                         goto err;
diff --git a/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c b/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c
index a80fbe9ff7..b67b75e7c2 100644
--- a/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c
+++ b/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c
@@ -149,7 +149,12 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
         ASN1_CTX c;
         int want=HEADER_SIZE;
         int eos=0;
+#if defined(__GNUC__) && defined(__ia64)
+        /* pathetic compiler bug in all known versions as of Nov. 2002 */
+        long off=0;
+#else
         int off=0;
+#endif
         int len=0;
 
         b=BUF_MEM_new();
@@ -166,7 +171,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
                         {
                         want-=(len-off);
 
-                        if (!BUF_MEM_grow(b,len+want))
+                        if (!BUF_MEM_grow_clean(b,len+want))
                                 {
                                 ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE);
                                 goto err;
@@ -221,18 +226,23 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
                         if (want > (len-off))
                                 {
                                 want-=(len-off);
-                                if (!BUF_MEM_grow(b,len+want))
+                                if (!BUF_MEM_grow_clean(b,len+want))
                                         {
                                         ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE);
                                         goto err;
                                         }
-                                i=BIO_read(in,&(b->data[len]),want);
-                                if (i <= 0)
+                                while (want > 0)
                                         {
-                                        ASN1err(ASN1_F_ASN1_D2I_BIO,ASN1_R_NOT_ENOUGH_DATA);
-                                        goto err;
+                                        i=BIO_read(in,&(b->data[len]),want);
+                                        if (i <= 0)
+                                                {
+                                                ASN1err(ASN1_F_ASN1_D2I_BIO,
+                                                    ASN1_R_NOT_ENOUGH_DATA);
+                                                goto err;
+                                                }
+                                        len+=i;
+                                        want -= i;
                                         }
-                                len+=i;
                                 }
                         off+=(int)c.slen;
                         if (eos <= 0)
diff --git a/src/lib/libssl/src/crypto/asn1/a_object.c b/src/lib/libssl/src/crypto/asn1/a_object.c
index 71ce7c3896..0a8e6c287c 100644
--- a/src/lib/libssl/src/crypto/asn1/a_object.c
+++ b/src/lib/libssl/src/crypto/asn1/a_object.c
@@ -183,8 +183,8 @@ int i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a)
 
         if ((a == NULL) || (a->data == NULL))
                 return(BIO_write(bp,"NULL",4));
-        i=i2t_ASN1_OBJECT(buf,80,a);
-        if (i > 80) i=80;
+        i=i2t_ASN1_OBJECT(buf,sizeof buf,a);
+        if (i > sizeof buf) i=sizeof buf;
         BIO_write(bp,buf,i);
         return(i);
         }
diff --git a/src/lib/libssl/src/crypto/asn1/a_sign.c b/src/lib/libssl/src/crypto/asn1/a_sign.c
index de53b44144..52ce7e3974 100644
--- a/src/lib/libssl/src/crypto/asn1/a_sign.c
+++ b/src/lib/libssl/src/crypto/asn1/a_sign.c
@@ -204,9 +204,9 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 err:
         EVP_MD_CTX_cleanup(&ctx);
         if (buf_in != NULL)
-                { memset((char *)buf_in,0,(unsigned int)inl); OPENSSL_free(buf_in); }
+                { OPENSSL_cleanse((char *)buf_in,(unsigned int)inl); OPENSSL_free(buf_in); }
         if (buf_out != NULL)
-                { memset((char *)buf_out,0,outll); OPENSSL_free(buf_out); }
+                { OPENSSL_cleanse((char *)buf_out,outll); OPENSSL_free(buf_out); }
         return(outl);
         }
 
@@ -287,8 +287,8 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 err:
         EVP_MD_CTX_cleanup(&ctx);
         if (buf_in != NULL)
-                { memset((char *)buf_in,0,(unsigned int)inl); OPENSSL_free(buf_in); }
+                { OPENSSL_cleanse((char *)buf_in,(unsigned int)inl); OPENSSL_free(buf_in); }
         if (buf_out != NULL)
-                { memset((char *)buf_out,0,outll); OPENSSL_free(buf_out); }
+                { OPENSSL_cleanse((char *)buf_out,outll); OPENSSL_free(buf_out); }
         return(outl);
         }
diff --git a/src/lib/libssl/src/crypto/asn1/a_strex.c b/src/lib/libssl/src/crypto/asn1/a_strex.c
index 7ddb7662f1..1def6c6549 100644
--- a/src/lib/libssl/src/crypto/asn1/a_strex.c
+++ b/src/lib/libssl/src/crypto/asn1/a_strex.c
@@ -63,6 +63,7 @@
 #include <openssl/asn1.h>
 
 #include "charmap.h"
+#include "cryptlib.h"
 
 /* ASN1_STRING_print_ex() and X509_NAME_print_ex().
  * Enhanced string and name printing routines handling
@@ -114,14 +115,17 @@ typedef int char_io(void *arg, const void *buf, int len);
 static int do_esc_char(unsigned long c, unsigned char flags, char *do_quotes, char_io *io_ch, void *arg)
 {
         unsigned char chflgs, chtmp;
-        char tmphex[11];
+        char tmphex[HEX_SIZE(long)+3];
+
+        if(c > 0xffffffffL)
+                return -1;
         if(c > 0xffff) {
-                BIO_snprintf(tmphex, 11, "\\W%08lX", c);
+                BIO_snprintf(tmphex, sizeof tmphex, "\\W%08lX", c);
                 if(!io_ch(arg, tmphex, 10)) return -1;
                 return 10;
         }
         if(c > 0xff) {
-                BIO_snprintf(tmphex, 11, "\\U%04lX", c);
+                BIO_snprintf(tmphex, sizeof tmphex, "\\U%04lX", c);
                 if(!io_ch(arg, tmphex, 6)) return -1;
                 return 6;
         }
@@ -195,7 +199,7 @@ static int do_buf(unsigned char *buf, int buflen,
                 if(type & BUF_TYPE_CONVUTF8) {
                         unsigned char utfbuf[6];
                         int utflen;
-                        utflen = UTF8_putc(utfbuf, 6, c);
+                        utflen = UTF8_putc(utfbuf, sizeof utfbuf, c);
                         for(i = 0; i < utflen; i++) {
                                 /* We don't need to worry about setting orflags correctly
                                  * because if utflen==1 its value will be correct anyway 
@@ -461,7 +465,7 @@ static int do_name_ex(char_io *io_ch, void *arg, X509_NAME *n,
                 if(fn_opt != XN_FLAG_FN_NONE) {
                         int objlen, fld_len;
                         if((fn_opt == XN_FLAG_FN_OID) || (fn_nid==NID_undef) ) {
-                                OBJ_obj2txt(objtmp, 80, fn, 1);
+                                OBJ_obj2txt(objtmp, sizeof objtmp, fn, 1);
                                 fld_len = 0; /* XXX: what should this be? */
                                 objbuf = objtmp;
                         } else {
diff --git a/src/lib/libssl/src/crypto/asn1/a_strnid.c b/src/lib/libssl/src/crypto/asn1/a_strnid.c
index 04789d1c63..aa49e9d7d0 100644
--- a/src/lib/libssl/src/crypto/asn1/a_strnid.c
+++ b/src/lib/libssl/src/crypto/asn1/a_strnid.c
@@ -173,6 +173,7 @@ static ASN1_STRING_TABLE tbl_standard[] = {
 {NID_friendlyName,              -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK},
 {NID_name,                      1, ub_name, DIRSTRING_TYPE, 0},
 {NID_dnQualifier,               -1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},
+{NID_domainComponent,           1, -1, B_ASN1_IA5STRING, STABLE_NO_MASK},
 {NID_ms_csp_name,               -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK}
 };
 
@@ -249,4 +250,38 @@ static void st_free(ASN1_STRING_TABLE *tbl)
         if(tbl->flags & STABLE_FLAGS_MALLOC) OPENSSL_free(tbl);
 }
 
+
 IMPLEMENT_STACK_OF(ASN1_STRING_TABLE)
+
+#ifdef STRING_TABLE_TEST
+
+main()
+{
+        ASN1_STRING_TABLE *tmp;
+        int i, last_nid = -1;
+
+        for (tmp = tbl_standard, i = 0;
+                i < sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE); i++, tmp++)
+                {
+                        if (tmp->nid < last_nid)
+                                {
+                                last_nid = 0;
+                                break;
+                                }
+                        last_nid = tmp->nid;
+                }
+
+        if (last_nid != 0)
+                {
+                printf("Table order OK\n");
+                exit(0);
+                }
+
+        for (tmp = tbl_standard, i = 0;
+                i < sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE); i++, tmp++)
+                        printf("Index %d, NID %d, Name=%s\n", i, tmp->nid,
+                                                        OBJ_nid2ln(tmp->nid));
+
+}
+
+#endif
diff --git a/src/lib/libssl/src/crypto/asn1/a_time.c b/src/lib/libssl/src/crypto/asn1/a_time.c
index 8216783aa8..b8c031fc8f 100644
--- a/src/lib/libssl/src/crypto/asn1/a_time.c
+++ b/src/lib/libssl/src/crypto/asn1/a_time.c
@@ -105,7 +105,10 @@ ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t)
 
         ts=OPENSSL_gmtime(&t,&data);
         if (ts == NULL)
+                {
+                ASN1err(ASN1_F_ASN1_TIME_SET, ASN1_R_ERROR_GETTING_TIME);
                 return NULL;
+                }
         if((ts->tm_year >= 50) && (ts->tm_year < 150))
                                         return ASN1_UTCTIME_set(s, t);
         return ASN1_GENERALIZEDTIME_set(s,t);
diff --git a/src/lib/libssl/src/crypto/asn1/a_type.c b/src/lib/libssl/src/crypto/asn1/a_type.c
index 96e111cf23..fe3fcd40b0 100644
--- a/src/lib/libssl/src/crypto/asn1/a_type.c
+++ b/src/lib/libssl/src/crypto/asn1/a_type.c
@@ -62,7 +62,7 @@
 
 int ASN1_TYPE_get(ASN1_TYPE *a)
         {
-        if (a->value.ptr != NULL)
+        if ((a->value.ptr != NULL) || (a->type == V_ASN1_NULL))
                 return(a->type);
         else
                 return(0);
diff --git a/src/lib/libssl/src/crypto/asn1/a_verify.c b/src/lib/libssl/src/crypto/asn1/a_verify.c
index bf41de5146..da2a0a6d69 100644
--- a/src/lib/libssl/src/crypto/asn1/a_verify.c
+++ b/src/lib/libssl/src/crypto/asn1/a_verify.c
@@ -103,7 +103,7 @@ int ASN1_verify(int (*i2d)(), X509_ALGOR *a, ASN1_BIT_STRING *signature,
         EVP_VerifyInit_ex(&ctx,type, NULL);
         EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
 
-        memset(buf_in,0,(unsigned int)inl);
+        OPENSSL_cleanse(buf_in,(unsigned int)inl);
         OPENSSL_free(buf_in);
 
         if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
@@ -153,7 +153,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
         EVP_VerifyInit_ex(&ctx,type, NULL);
         EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
 
-        memset(buf_in,0,(unsigned int)inl);
+        OPENSSL_cleanse(buf_in,(unsigned int)inl);
         OPENSSL_free(buf_in);
 
         if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
diff --git a/src/lib/libssl/src/crypto/asn1/asn1.h b/src/lib/libssl/src/crypto/asn1/asn1.h
index dbb30f4f22..3414509f1b 100644
--- a/src/lib/libssl/src/crypto/asn1/asn1.h
+++ b/src/lib/libssl/src/crypto/asn1/asn1.h
@@ -70,7 +70,6 @@
 
 #include <openssl/symhacks.h>
 
-#include <openssl/e_os2.h>
 #include <openssl/ossl_typ.h>
 
 #ifdef OPENSSL_BUILD_SHLIBCRYPTO
@@ -133,7 +132,7 @@ extern "C" {
 #define B_ASN1_NUMERICSTRING    0x0001
 #define B_ASN1_PRINTABLESTRING  0x0002
 #define B_ASN1_T61STRING        0x0004
-#define B_ASN1_TELETEXSTRING    0x0008
+#define B_ASN1_TELETEXSTRING    0x0004
 #define B_ASN1_VIDEOTEXSTRING   0x0008
 #define B_ASN1_IA5STRING        0x0010
 #define B_ASN1_GRAPHICSTRING    0x0020
@@ -981,6 +980,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_ASN1_TEMPLATE_D2I                         131
 #define ASN1_F_ASN1_TEMPLATE_EX_D2I                      132
 #define ASN1_F_ASN1_TEMPLATE_NEW                         133
+#define ASN1_F_ASN1_TIME_SET                             175
 #define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING             134
 #define ASN1_F_ASN1_TYPE_GET_OCTETSTRING                 135
 #define ASN1_F_ASN1_UNPACK_STRING                        136
@@ -1038,6 +1038,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_DECODE_ERROR                              110
 #define ASN1_R_DECODING_ERROR                            111
 #define ASN1_R_ENCODE_ERROR                              112
+#define ASN1_R_ERROR_GETTING_TIME                        173
 #define ASN1_R_ERROR_LOADING_SECTION                     172
 #define ASN1_R_ERROR_PARSING_SET_ELEMENT                 113
 #define ASN1_R_ERROR_SETTING_CIPHER_PARAMS               114
diff --git a/src/lib/libssl/src/crypto/asn1/asn1_err.c b/src/lib/libssl/src/crypto/asn1/asn1_err.c
index c4c3d2a91d..094ec06fda 100644
--- a/src/lib/libssl/src/crypto/asn1/asn1_err.c
+++ b/src/lib/libssl/src/crypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -100,6 +100,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_D2I,0),        "ASN1_TEMPLATE_D2I"},
 {ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_EX_D2I,0),     "ASN1_TEMPLATE_EX_D2I"},
 {ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_NEW,0),        "ASN1_TEMPLATE_NEW"},
+{ERR_PACK(0,ASN1_F_ASN1_TIME_SET,0),    "ASN1_TIME_set"},
 {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0),    "ASN1_TYPE_get_int_octetstring"},
 {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0),        "ASN1_TYPE_get_octetstring"},
 {ERR_PACK(0,ASN1_F_ASN1_UNPACK_STRING,0),       "ASN1_unpack_string"},
@@ -160,6 +161,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ASN1_R_DECODE_ERROR                     ,"decode error"},
 {ASN1_R_DECODING_ERROR                   ,"decoding error"},
 {ASN1_R_ENCODE_ERROR                     ,"encode error"},
+{ASN1_R_ERROR_GETTING_TIME               ,"error getting time"},
 {ASN1_R_ERROR_LOADING_SECTION            ,"error loading section"},
 {ASN1_R_ERROR_PARSING_SET_ELEMENT        ,"error parsing set element"},
 {ASN1_R_ERROR_SETTING_CIPHER_PARAMS      ,"error setting cipher params"},
diff --git a/src/lib/libssl/src/crypto/asn1/asn1_par.c b/src/lib/libssl/src/crypto/asn1/asn1_par.c
index 4223c9ae45..1799657141 100644
--- a/src/lib/libssl/src/crypto/asn1/asn1_par.c
+++ b/src/lib/libssl/src/crypto/asn1/asn1_par.c
@@ -79,12 +79,7 @@ static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed,
         else
                 p="prim: ";
         if (BIO_write(bp,p,6) < 6) goto err;
-        if (indent)
-                {
-                if (indent > 128) indent=128;
-                memset(str,' ',indent);
-                if (BIO_write(bp,str,indent) < indent) goto err;
-                }
+        BIO_indent(bp,indent,128);
 
         p=str;
         if ((xclass & V_ASN1_PRIVATE) == V_ASN1_PRIVATE)
diff --git a/src/lib/libssl/src/crypto/asn1/f_int.c b/src/lib/libssl/src/crypto/asn1/f_int.c
index 48cc3bfb90..9494e597ab 100644
--- a/src/lib/libssl/src/crypto/asn1/f_int.c
+++ b/src/lib/libssl/src/crypto/asn1/f_int.c
@@ -169,8 +169,7 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size)
                                 sp=(unsigned char *)OPENSSL_malloc(
                                         (unsigned int)num+i*2);
                         else
-                                sp=(unsigned char *)OPENSSL_realloc(s,
-                                        (unsigned int)num+i*2);
+                                sp=OPENSSL_realloc_clean(s,slen,num+i*2);
                         if (sp == NULL)
                                 {
                                 ASN1err(ASN1_F_A2I_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
diff --git a/src/lib/libssl/src/crypto/asn1/n_pkey.c b/src/lib/libssl/src/crypto/asn1/n_pkey.c
index 9146ee02c9..766b51c538 100644
--- a/src/lib/libssl/src/crypto/asn1/n_pkey.c
+++ b/src/lib/libssl/src/crypto/asn1/n_pkey.c
@@ -187,7 +187,7 @@ int i2d_RSA_NET(const RSA *a, unsigned char **pp, int (*cb)(), int sgckey)
         i2d_NETSCAPE_PKEY(pkey,&zz);
 
         /* Wipe the private key encoding */
-        memset(pkey->private_key->data, 0, rsalen);
+        OPENSSL_cleanse(pkey->private_key->data, rsalen);
                 
         if (cb == NULL)
                 cb=EVP_read_pw_string;
@@ -206,7 +206,7 @@ int i2d_RSA_NET(const RSA *a, unsigned char **pp, int (*cb)(), int sgckey)
         }
 
         EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL);
-        memset(buf,0,256);
+        OPENSSL_cleanse(buf,256);
 
         /* Encrypt private key in place */
         zz = enckey->enckey->digest->data;
@@ -294,7 +294,7 @@ static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
         }
                 
         EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL);
-        memset(buf,0,256);
+        OPENSSL_cleanse(buf,256);
 
         EVP_CIPHER_CTX_init(&ctx);
         EVP_DecryptInit_ex(&ctx,EVP_rc4(),NULL, key,NULL);
diff --git a/src/lib/libssl/src/crypto/asn1/p8_pkey.c b/src/lib/libssl/src/crypto/asn1/p8_pkey.c
index b634d5bc85..24b409132f 100644
--- a/src/lib/libssl/src/crypto/asn1/p8_pkey.c
+++ b/src/lib/libssl/src/crypto/asn1/p8_pkey.c
@@ -68,8 +68,8 @@ static int pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
         if(operation == ASN1_OP_FREE_PRE) {
                 PKCS8_PRIV_KEY_INFO *key = (PKCS8_PRIV_KEY_INFO *)*pval;
                 if (key->pkey->value.octet_string)
-                memset(key->pkey->value.octet_string->data,
-                                 0, key->pkey->value.octet_string->length);
+                OPENSSL_cleanse(key->pkey->value.octet_string->data,
+                        key->pkey->value.octet_string->length);
         }
         return 1;
 }
diff --git a/src/lib/libssl/src/crypto/asn1/t_crl.c b/src/lib/libssl/src/crypto/asn1/t_crl.c
index 60db305756..757c148df8 100644
--- a/src/lib/libssl/src/crypto/asn1/t_crl.c
+++ b/src/lib/libssl/src/crypto/asn1/t_crl.c
@@ -84,11 +84,11 @@ int X509_CRL_print_fp(FILE *fp, X509_CRL *x)
 
 int X509_CRL_print(BIO *out, X509_CRL *x)
 {
-        char buf[256];
         STACK_OF(X509_REVOKED) *rev;
         X509_REVOKED *r;
         long l;
         int i, n;
+        char *p;
 
         BIO_printf(out, "Certificate Revocation List (CRL):\n");
         l = X509_CRL_get_version(x);
@@ -96,8 +96,9 @@ int X509_CRL_print(BIO *out, X509_CRL *x)
         i = OBJ_obj2nid(x->sig_alg->algorithm);
         BIO_printf(out, "%8sSignature Algorithm: %s\n", "",
                                  (i == NID_undef) ? "NONE" : OBJ_nid2ln(i));
-        X509_NAME_oneline(X509_CRL_get_issuer(x),buf,256);
-        BIO_printf(out,"%8sIssuer: %s\n","",buf);
+        p=X509_NAME_oneline(X509_CRL_get_issuer(x),NULL,0);
+        BIO_printf(out,"%8sIssuer: %s\n","",p);
+        OPENSSL_free(p);
         BIO_printf(out,"%8sLast Update: ","");
         ASN1_TIME_print(out,X509_CRL_get_lastUpdate(x));
         BIO_printf(out,"\n%8sNext Update: ","");
diff --git a/src/lib/libssl/src/crypto/asn1/t_pkey.c b/src/lib/libssl/src/crypto/asn1/t_pkey.c
index b3f8364012..e1c5e5ae13 100644
--- a/src/lib/libssl/src/crypto/asn1/t_pkey.c
+++ b/src/lib/libssl/src/crypto/asn1/t_pkey.c
@@ -130,14 +130,10 @@ int RSA_print(BIO *bp, const RSA *x, int off)
                 goto err;
                 }
 
-        if (off)
-                {
-                if (off > 128) off=128;
-                memset(str,' ',off);
-                }
         if (x->d != NULL)
                 {
-                if (off && (BIO_write(bp,str,off) <= 0)) goto err;
+                if(!BIO_indent(bp,off,128))
+                   goto err;
                 if (BIO_printf(bp,"Private-Key: (%d bit)\n",BN_num_bits(x->n))
                         <= 0) goto err;
                 }
@@ -183,7 +179,6 @@ int DSA_print_fp(FILE *fp, const DSA *x, int off)
 
 int DSA_print(BIO *bp, const DSA *x, int off)
         {
-        char str[128];
         unsigned char *m=NULL;
         int ret=0;
         size_t buf_len=0,i;
@@ -210,14 +205,10 @@ int DSA_print(BIO *bp, const DSA *x, int off)
                 goto err;
                 }
 
-        if (off)
-                {
-                if (off > 128) off=128;
-                memset(str,' ',off);
-                }
         if (x->priv_key != NULL)
                 {
-                if (off && (BIO_write(bp,str,off) <= 0)) goto err;
+                if(!BIO_indent(bp,off,128))
+                   goto err;
                 if (BIO_printf(bp,"Private-Key: (%d bit)\n",BN_num_bits(x->p))
                         <= 0) goto err;
                 }
@@ -240,17 +231,12 @@ static int print(BIO *bp, const char *number, BIGNUM *num, unsigned char *buf,
              int off)
         {
         int n,i;
-        char str[128];
         const char *neg;
 
         if (num == NULL) return(1);
         neg=(num->neg)?"-":"";
-        if (off)
-                {
-                if (off > 128) off=128;
-                memset(str,' ',off);
-                if (BIO_write(bp,str,off) <= 0) return(0);
-                }
+        if(!BIO_indent(bp,off,128))
+                return 0;
 
         if (BN_num_bytes(num) <= BN_BYTES)
                 {
@@ -274,9 +260,9 @@ static int print(BIO *bp, const char *number, BIGNUM *num, unsigned char *buf,
                         {
                         if ((i%15) == 0)
                                 {
-                                str[0]='\n';
-                                memset(&(str[1]),' ',off+4);
-                                if (BIO_write(bp,str,off+1+4) <= 0) return(0);
+                                if(BIO_puts(bp,"\n") <= 0
+                                   || !BIO_indent(bp,off+4,128))
+                                    return 0;
                                 }
                         if (BIO_printf(bp,"%02x%s",buf[i],((i+1) == n)?"":":")
                                 <= 0) return(0);
diff --git a/src/lib/libssl/src/crypto/asn1/t_req.c b/src/lib/libssl/src/crypto/asn1/t_req.c
index eca97e00cb..740cee80c0 100644
--- a/src/lib/libssl/src/crypto/asn1/t_req.c
+++ b/src/lib/libssl/src/crypto/asn1/t_req.c
@@ -91,7 +91,6 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long
         EVP_PKEY *pkey;
         STACK_OF(X509_ATTRIBUTE) *sk;
         STACK_OF(X509_EXTENSION) *exts;
-        char str[128];
         char mlch = ' ';
         int nmindent = 0;
 
@@ -116,9 +115,9 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long
                 l=0;
                 for (i=0; i<ri->version->length; i++)
                         { l<<=8; l+=ri->version->data[i]; }
-                snprintf(str,sizeof str,"%8sVersion: %s%lu (%s0x%lx)\n","",neg,
-                         l,neg,l);
-                if (BIO_puts(bp,str) <= 0) goto err;
+                if(BIO_printf(bp,"%8sVersion: %s%lu (%s0x%lx)\n","",neg,l,neg,
+                              l) <= 0)
+                    goto err;
                 }
         if(!(cflag & X509_FLAG_NO_SUBJECT))
                 {
@@ -169,14 +168,14 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long
         if(!(cflag & X509_FLAG_NO_ATTRIBUTES))
                 {
                 /* may not be */
-                snprintf(str,sizeof str,"%8sAttributes:\n","");
-                if (BIO_puts(bp,str) <= 0) goto err;
+                if(BIO_printf(bp,"%8sAttributes:\n","") <= 0)
+                    goto err;
 
                 sk=x->req_info->attributes;
                 if (sk_X509_ATTRIBUTE_num(sk) == 0)
                         {
-                        snprintf(str,sizeof str,"%12sa0:00\n","");
-                        if (BIO_puts(bp,str) <= 0) goto err;
+                        if(BIO_printf(bp,"%12sa0:00\n","") <= 0)
+                            goto err;
                         }
                 else
                         {
@@ -191,8 +190,8 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long
                                 a=sk_X509_ATTRIBUTE_value(sk,i);
                                 if(X509_REQ_extension_nid(OBJ_obj2nid(a->object)))
                                                                         continue;
-                                snprintf(str,sizeof str,"%12s","");
-                                if (BIO_puts(bp,str) <= 0) goto err;
+                                if(BIO_printf(bp,"%12s","") <= 0)
+                                    goto err;
                                 if ((j=i2a_ASN1_OBJECT(bp,a->object)) > 0)
                                 {
                                 if (a->single)
diff --git a/src/lib/libssl/src/crypto/asn1/t_x509.c b/src/lib/libssl/src/crypto/asn1/t_x509.c
index 5de4833ed0..d1034c47f8 100644
--- a/src/lib/libssl/src/crypto/asn1/t_x509.c
+++ b/src/lib/libssl/src/crypto/asn1/t_x509.c
@@ -433,15 +433,17 @@ err:
 
 int X509_NAME_print(BIO *bp, X509_NAME *name, int obase)
         {
-        char *s,*c;
+        char *s,*c,*b;
         int ret=0,l,ll,i,first=1;
-        char buf[256];
 
         ll=80-2-obase;
 
-        s=X509_NAME_oneline(name,buf,256);
+        b=s=X509_NAME_oneline(name,NULL,0);
         if (!*s)
+                {
+                OPENSSL_free(b);
                 return 1;
+                }
         s++; /* skip the first slash */
 
         l=ll;
@@ -497,6 +499,7 @@ int X509_NAME_print(BIO *bp, X509_NAME *name, int obase)
 err:
                 X509err(X509_F_X509_NAME_PRINT,ERR_R_BUF_LIB);
                 }
+        OPENSSL_free(b);
         return(ret);
         }
 
diff --git a/src/lib/libssl/src/crypto/asn1/t_x509a.c b/src/lib/libssl/src/crypto/asn1/t_x509a.c
index 7d4a6e6084..ffbbfb51f4 100644
--- a/src/lib/libssl/src/crypto/asn1/t_x509a.c
+++ b/src/lib/libssl/src/crypto/asn1/t_x509a.c
@@ -77,7 +77,7 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
                 for(i = 0; i < sk_ASN1_OBJECT_num(aux->trust); i++) {
                         if(!first) BIO_puts(out, ", ");
                         else first = 0;
-                        OBJ_obj2txt(oidstr, 80,
+                        OBJ_obj2txt(oidstr, sizeof oidstr,
                                 sk_ASN1_OBJECT_value(aux->trust, i), 0);
                         BIO_puts(out, oidstr);
                 }
@@ -90,7 +90,7 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
                 for(i = 0; i < sk_ASN1_OBJECT_num(aux->reject); i++) {
                         if(!first) BIO_puts(out, ", ");
                         else first = 0;
-                        OBJ_obj2txt(oidstr, 80,
+                        OBJ_obj2txt(oidstr, sizeof oidstr,
                                 sk_ASN1_OBJECT_value(aux->reject, i), 0);
                         BIO_puts(out, oidstr);
                 }
diff --git a/src/lib/libssl/src/crypto/asn1/tasn_dec.c b/src/lib/libssl/src/crypto/asn1/tasn_dec.c
index f87c08793a..76fc023230 100644
--- a/src/lib/libssl/src/crypto/asn1/tasn_dec.c
+++ b/src/lib/libssl/src/crypto/asn1/tasn_dec.c
@@ -664,7 +664,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inl
                 if(!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL)) goto err;
                 len = buf.length;
                 /* Append a final null to string */
-                if(!BUF_MEM_grow(&buf, len + 1)) {
+                if(!BUF_MEM_grow_clean(&buf, len + 1)) {
                         ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE);
                         return 0;
                 }
@@ -857,7 +857,7 @@ static int collect_data(BUF_MEM *buf, unsigned char **p, long plen)
                 int len;
                 if(buf) {
                         len = buf->length;
-                        if(!BUF_MEM_grow(buf, len + plen)) {
+                        if(!BUF_MEM_grow_clean(buf, len + plen)) {
                                 ASN1err(ASN1_F_COLLECT_DATA, ERR_R_MALLOC_FAILURE);
                                 return 0;
                         }
diff --git a/src/lib/libssl/src/crypto/asn1/tasn_fre.c b/src/lib/libssl/src/crypto/asn1/tasn_fre.c
index c7610776f2..2dd844159e 100644
--- a/src/lib/libssl/src/crypto/asn1/tasn_fre.c
+++ b/src/lib/libssl/src/crypto/asn1/tasn_fre.c
@@ -206,7 +206,10 @@ void ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
                 break;
 
                 case V_ASN1_BOOLEAN:
-                *(ASN1_BOOLEAN *)pval = it->size;
+                if (it)
+                        *(ASN1_BOOLEAN *)pval = it->size;
+                else
+                        *(ASN1_BOOLEAN *)pval = -1;
                 return;
 
                 case V_ASN1_NULL:
diff --git a/src/lib/libssl/src/crypto/asn1/tasn_new.c b/src/lib/libssl/src/crypto/asn1/tasn_new.c
index e33861f864..a0e3db574f 100644
--- a/src/lib/libssl/src/crypto/asn1/tasn_new.c
+++ b/src/lib/libssl/src/crypto/asn1/tasn_new.c
@@ -305,7 +305,10 @@ int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
                 return 1;
 
                 case V_ASN1_BOOLEAN:
-                *(ASN1_BOOLEAN *)pval = it->size;
+                if (it)
+                        *(ASN1_BOOLEAN *)pval = it->size;
+                else
+                        *(ASN1_BOOLEAN *)pval = -1;
                 return 1;
 
                 case V_ASN1_NULL:
diff --git a/src/lib/libssl/src/crypto/asn1/tasn_prn.c b/src/lib/libssl/src/crypto/asn1/tasn_prn.c
index fab67ae5ac..719639b511 100644
--- a/src/lib/libssl/src/crypto/asn1/tasn_prn.c
+++ b/src/lib/libssl/src/crypto/asn1/tasn_prn.c
@@ -186,7 +186,7 @@ if(*bool == -1) printf("BOOL MISSING\n");
                         char objbuf[80], *ln;
                         ln = OBJ_nid2ln(OBJ_obj2nid(fld));
                         if(!ln) ln = "";
-                        OBJ_obj2txt(objbuf, 80, fld, 1);
+                        OBJ_obj2txt(objbuf, sizeof objbuf, fld, 1);
                         BIO_printf(out, "%*s%s:%s (%s)", indent, "", "OBJECT", ln, objbuf);
                 } else {
                         BIO_printf(out, "%*s%s:", indent, "", name);
diff --git a/src/lib/libssl/src/crypto/bf/Makefile.ssl b/src/lib/libssl/src/crypto/bf/Makefile.ssl
index 079f7e860c..7dfdf9d871 100644
--- a/src/lib/libssl/src/crypto/bf/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/bf/Makefile.ssl
@@ -49,14 +49,8 @@ lib:	$(LIBOBJ)
         @touch lib
 
 # elf
-asm/bx86-elf.o: asm/bx86unix.cpp
-        $(CPP) -DELF -x c asm/bx86unix.cpp | as -o asm/bx86-elf.o
-
-# solaris
-asm/bx86-sol.o: asm/bx86unix.cpp
-        $(CC) -E -DSOL asm/bx86unix.cpp | sed 's/^#.*//' > asm/bx86-sol.s
-        as -o asm/bx86-sol.o asm/bx86-sol.s
-        rm -f asm/bx86-sol.s
+asm/bx86-elf.s: asm/bf-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+        (cd asm; $(PERL) bf-586.pl elf $(CFLAGS) $(PROCESSOR) > bx86-elf.s)
 
 # a.out
 asm/bx86-out.o: asm/bx86unix.cpp
@@ -96,14 +90,14 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
         mv -f Makefile.new $(MAKEFILE)
 
 clean:
-        rm -f asm/bx86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+        rm -f asm/bx86unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
diff --git a/src/lib/libssl/src/crypto/bf/bftest.c b/src/lib/libssl/src/crypto/bf/bftest.c
index 09895f2542..24d526b14b 100644
--- a/src/lib/libssl/src/crypto/bf/bftest.c
+++ b/src/lib/libssl/src/crypto/bf/bftest.c
@@ -63,6 +63,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_BF
 int main(int argc, char *argv[])
 {
@@ -275,7 +277,7 @@ int main(int argc, char *argv[])
         else
                 ret=test();
 
-        exit(ret);
+        EXIT(ret);
         return(0);
         }
 
@@ -454,9 +456,9 @@ static int test(void)
         len=strlen(cbc_data)+1;
 
         BF_set_key(&key,16,cbc_key);
-        memset(cbc_in,0,40);
-        memset(cbc_out,0,40);
-        memcpy(iv,cbc_iv,8);
+        memset(cbc_in,0,sizeof cbc_in);
+        memset(cbc_out,0,sizeof cbc_out);
+        memcpy(iv,cbc_iv,sizeof iv);
         BF_cbc_encrypt((unsigned char *)cbc_data,cbc_out,len,
                 &key,iv,BF_ENCRYPT);
         if (memcmp(cbc_out,cbc_ok,32) != 0)
diff --git a/src/lib/libssl/src/crypto/bio/Makefile.ssl b/src/lib/libssl/src/crypto/bio/Makefile.ssl
index dfcee03448..d0b9e297b0 100644
--- a/src/lib/libssl/src/crypto/bio/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/bio/Makefile.ssl
@@ -78,7 +78,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/bio/b_print.c b/src/lib/libssl/src/crypto/bio/b_print.c
index 80c9cb69db..a9e552f245 100644
--- a/src/lib/libssl/src/crypto/bio/b_print.c
+++ b/src/lib/libssl/src/crypto/bio/b_print.c
@@ -378,7 +378,7 @@ _dopr(
             case 'p':
                 value = (long)va_arg(args, void *);
                 fmtint(sbuffer, buffer, &currlen, maxlen,
-                    value, 16, min, max, flags);
+                    value, 16, min, max, flags|DP_F_NUM);
                 break;
             case 'n': /* XXX */
                 if (cflags == DP_C_SHORT) {
@@ -482,8 +482,9 @@ fmtint(
     int flags)
 {
     int signvalue = 0;
+    char *prefix = "";
     unsigned LLONG uvalue;
-    char convert[20];
+    char convert[DECIMAL_SIZE(value)+3];
     int place = 0;
     int spadlen = 0;
     int zpadlen = 0;
@@ -501,6 +502,10 @@ fmtint(
         else if (flags & DP_F_SPACE)
             signvalue = ' ';
     }
+    if (flags & DP_F_NUM) {
+        if (base == 8) prefix = "0";
+        if (base == 16) prefix = "0x";
+    }
     if (flags & DP_F_UP)
         caps = 1;
     do {
@@ -508,13 +513,13 @@ fmtint(
             (caps ? "0123456789ABCDEF" : "0123456789abcdef")
             [uvalue % (unsigned) base];
         uvalue = (uvalue / (unsigned) base);
-    } while (uvalue && (place < 20));
-    if (place == 20)
+    } while (uvalue && (place < sizeof convert));
+    if (place == sizeof convert)
         place--;
     convert[place] = 0;
 
     zpadlen = max - place;
-    spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0);
+    spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0) - strlen(prefix);
     if (zpadlen < 0)
         zpadlen = 0;
     if (spadlen < 0)
@@ -536,6 +541,12 @@ fmtint(
     if (signvalue)
         doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
 
+    /* prefix */
+    while (*prefix) {
+        doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix);
+        prefix++;
+    }
+
     /* zeros */
     if (zpadlen > 0) {
         while (zpadlen > 0) {
@@ -641,8 +652,8 @@ fmtfp(
             (caps ? "0123456789ABCDEF"
               : "0123456789abcdef")[intpart % 10];
         intpart = (intpart / 10);
-    } while (intpart && (iplace < 20));
-    if (iplace == 20)
+    } while (intpart && (iplace < sizeof iplace));
+    if (iplace == sizeof iplace)
         iplace--;
     iconvert[iplace] = 0;
 
@@ -653,7 +664,7 @@ fmtfp(
               : "0123456789abcdef")[fracpart % 10];
         fracpart = (fracpart / 10);
     } while (fplace < max);
-    if (fplace == 20)
+    if (fplace == sizeof fplace)
         fplace--;
     fconvert[fplace] = 0;
 
@@ -692,7 +703,7 @@ fmtfp(
      * Decimal point. This should probably use locale to find the correct
      * char to print out.
      */
-    if (max > 0) {
+    if (max > 0 || (flags & DP_F_NUM)) {
         doapr_outch(sbuffer, buffer, currlen, maxlen, '.');
 
         while (fplace > 0)
diff --git a/src/lib/libssl/src/crypto/bio/b_sock.c b/src/lib/libssl/src/crypto/bio/b_sock.c
index 7632c2d85e..5282f8a8f7 100644
--- a/src/lib/libssl/src/crypto/bio/b_sock.c
+++ b/src/lib/libssl/src/crypto/bio/b_sock.c
@@ -83,6 +83,7 @@
 static int wsa_init_done=0;
 #endif
 
+#if 0
 static unsigned long BIO_ghbn_hits=0L;
 static unsigned long BIO_ghbn_miss=0L;
 
@@ -93,6 +94,7 @@ static struct ghbn_cache_st
         struct hostent *ent;
         unsigned long order;
         } ghbn_cache[GHBN_NUM];
+#endif
 
 static int get_ip(const char *str,unsigned char *ip);
 #if 0
@@ -230,6 +232,7 @@ int BIO_sock_error(int sock)
                 return(j);
         }
 
+#if 0
 long BIO_ghbn_ctrl(int cmd, int iarg, char *parg)
         {
         int i;
@@ -267,6 +270,7 @@ long BIO_ghbn_ctrl(int cmd, int iarg, char *parg)
                 }
         return(1);
         }
+#endif
 
 #if 0
 static struct hostent *ghbn_dup(struct hostent *a)
@@ -463,6 +467,12 @@ int BIO_sock_init(void)
                         }
                 }
 #endif /* OPENSSL_SYS_WINDOWS */
+#ifdef WATT32
+        extern int _watt_do_exit;
+        _watt_do_exit = 0;    /* don't make sock_init() call exit() */
+        if (sock_init())
+                return (-1);
+#endif
         return(1);
         }
 
@@ -472,7 +482,9 @@ void BIO_sock_cleanup(void)
         if (wsa_init_done)
                 {
                 wsa_init_done=0;
+#ifndef OPENSSL_SYS_WINCE
                 WSACancelBlockingCall();
+#endif
                 WSACleanup();
                 }
 #endif
@@ -480,7 +492,7 @@ void BIO_sock_cleanup(void)
 
 #if !defined(OPENSSL_SYS_VMS) || __VMS_VER >= 70000000
 
-int BIO_socket_ioctl(int fd, long type, unsigned long *arg)
+int BIO_socket_ioctl(int fd, long type, void *arg)
         {
         int i;
 
@@ -730,7 +742,7 @@ int BIO_set_tcp_ndelay(int s, int on)
 int BIO_socket_nbio(int s, int mode)
         {
         int ret= -1;
-        unsigned long l;
+        int l;
 
         l=mode;
 #ifdef FIONBIO
diff --git a/src/lib/libssl/src/crypto/bio/bf_buff.c b/src/lib/libssl/src/crypto/bio/bf_buff.c
index 6ccda06596..1cecd70579 100644
--- a/src/lib/libssl/src/crypto/bio/bf_buff.c
+++ b/src/lib/libssl/src/crypto/bio/bf_buff.c
@@ -482,7 +482,7 @@ static int buffer_gets(BIO *b, char *buf, int size)
                         size-=i;
                         ctx->ibuf_len-=i;
                         ctx->ibuf_off+=i;
-                        if ((flag) || (i == size))
+                        if (flag || size == 0)
                                 {
                                 *buf='\0';
                                 return(num);
diff --git a/src/lib/libssl/src/crypto/bio/bio.h b/src/lib/libssl/src/crypto/bio/bio.h
index c5caf253c9..fbbc16d00c 100644
--- a/src/lib/libssl/src/crypto/bio/bio.h
+++ b/src/lib/libssl/src/crypto/bio/bio.h
@@ -244,7 +244,7 @@ typedef struct bio_method_st
         long (_far *ctrl)();
         int (_far *create)();
         int (_far *destroy)();
-        long (_fat *callback_ctrl)();
+        long (_far *callback_ctrl)();
         } BIO_METHOD;
 #endif
 
@@ -522,6 +522,7 @@ int	BIO_read(BIO *b, void *data, int len);
 int     BIO_gets(BIO *bp,char *buf, int size);
 int     BIO_write(BIO *b, const void *data, int len);
 int     BIO_puts(BIO *bp,const char *buf);
+int     BIO_indent(BIO *b,int indent,int max);
 long    BIO_ctrl(BIO *bp,int cmd,long larg,void *parg);
 long BIO_callback_ctrl(BIO *b, int cmd, void (*fp)(struct bio_st *, int, const char *, int, long, long));
 char *  BIO_ptr_ctrl(BIO *bp,int cmd,long larg);
@@ -584,7 +585,7 @@ struct hostent *BIO_gethostbyname(const char *name);
  * and an appropriate error code is set).
  */
 int BIO_sock_error(int sock);
-int BIO_socket_ioctl(int fd, long type, unsigned long *arg);
+int BIO_socket_ioctl(int fd, long type, void *arg);
 int BIO_socket_nbio(int fd,int mode);
 int BIO_get_port(const char *str, unsigned short *port_ptr);
 int BIO_get_host_ip(const char *str, unsigned char *ip);
@@ -608,7 +609,7 @@ int BIO_new_bio_pair(BIO **bio1, size_t writebuf1,
 
 void BIO_copy_next_retry(BIO *b);
 
-long BIO_ghbn_ctrl(int cmd,int iarg,char *parg);
+/*long BIO_ghbn_ctrl(int cmd,int iarg,char *parg);*/
 
 int BIO_printf(BIO *bio, const char *format, ...);
 int BIO_vprintf(BIO *bio, const char *format, va_list args);
diff --git a/src/lib/libssl/src/crypto/bio/bio_lib.c b/src/lib/libssl/src/crypto/bio/bio_lib.c
index 50df2238fa..692c8fb5c6 100644
--- a/src/lib/libssl/src/crypto/bio/bio_lib.c
+++ b/src/lib/libssl/src/crypto/bio/bio_lib.c
@@ -272,6 +272,18 @@ int BIO_gets(BIO *b, char *in, int inl)
         return(i);
         }
 
+int BIO_indent(BIO *b,int indent,int max)
+        {
+        if(indent < 0)
+                indent=0;
+        if(indent > max)
+                indent=max;
+        while(indent--)
+                if(BIO_puts(b," ") != 1)
+                        return 0;
+        return 1;
+        }
+
 long BIO_int_ctrl(BIO *b, int cmd, long larg, int iarg)
         {
         int i;
@@ -383,6 +395,8 @@ BIO *BIO_pop(BIO *b)
         if (b == NULL) return(NULL);
         ret=b->next_bio;
 
+        BIO_ctrl(b,BIO_CTRL_POP,0,NULL);
+
         if (b->prev_bio != NULL)
                 b->prev_bio->next_bio=b->next_bio;
         if (b->next_bio != NULL)
@@ -390,7 +404,6 @@ BIO *BIO_pop(BIO *b)
 
         b->next_bio=NULL;
         b->prev_bio=NULL;
-        BIO_ctrl(b,BIO_CTRL_POP,0,NULL);
         return(ret);
         }
 
diff --git a/src/lib/libssl/src/crypto/bio/bss_bio.c b/src/lib/libssl/src/crypto/bio/bss_bio.c
index 1c485a4479..aa58dab046 100644
--- a/src/lib/libssl/src/crypto/bio/bss_bio.c
+++ b/src/lib/libssl/src/crypto/bio/bss_bio.c
@@ -28,13 +28,12 @@
 
 #include <openssl/bio.h>
 #include <openssl/err.h>
-#include <openssl/err.h>
 #include <openssl/crypto.h>
 
 #include "e_os.h"
 
 /* VxWorks defines SSIZE_MAX with an empty value causing compile errors */
-#if defined(OPENSSL_SYS_VSWORKS)
+#if defined(OPENSSL_SYS_VXWORKS)
 # undef SSIZE_MAX
 #endif
 #ifndef SSIZE_MAX
diff --git a/src/lib/libssl/src/crypto/bio/bss_conn.c b/src/lib/libssl/src/crypto/bio/bss_conn.c
index 81f27dba4c..8c694140ed 100644
--- a/src/lib/libssl/src/crypto/bio/bss_conn.c
+++ b/src/lib/libssl/src/crypto/bio/bss_conn.c
@@ -519,7 +519,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
                         else if (num == 2)
                                 {
                                 char buf[16];
-                                char *p = ptr;
+                                unsigned char *p = ptr;
 
                                 snprintf(buf,sizeof buf,"%d.%d.%d.%d",
                                          p[0],p[1],p[2],p[3]);
@@ -530,7 +530,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
                                 }
                         else if (num == 3)
                                 {
-                                char buf[16];
+                                char buf[DECIMAL_SIZE(int)+1];
 
                                 snprintf(buf,sizeof buf,"%d",*(int *)ptr);
                                 if (data->param_port != NULL)
diff --git a/src/lib/libssl/src/crypto/bio/bss_file.c b/src/lib/libssl/src/crypto/bio/bss_file.c
index 18e7bb86e6..e4e9df144c 100644
--- a/src/lib/libssl/src/crypto/bio/bss_file.c
+++ b/src/lib/libssl/src/crypto/bio/bss_file.c
@@ -247,7 +247,7 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
                         ret=0;
                         break;
                         }
-#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS)
+#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2)
                 if (!(num & BIO_FP_TEXT))
                         strcat(p,"b");
                 else
diff --git a/src/lib/libssl/src/crypto/bio/bss_log.c b/src/lib/libssl/src/crypto/bio/bss_log.c
index a39d95297c..1eb678cac0 100644
--- a/src/lib/libssl/src/crypto/bio/bss_log.c
+++ b/src/lib/libssl/src/crypto/bio/bss_log.c
@@ -68,7 +68,8 @@
 
 #include "cryptlib.h"
 
-#if defined(OPENSSL_SYS_WIN32)
+#if defined(OPENSSL_SYS_WINCE)
+#elif defined(OPENSSL_SYS_WIN32)
 #  include <process.h>
 #elif defined(OPENSSL_SYS_VMS)
 #  include <opcdef.h>
@@ -77,7 +78,7 @@
 #  include <starlet.h>
 #elif defined(__ultrix)
 #  include <sys/syslog.h>
-#elif !defined(MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && !defined(NO_SYSLOG) /* Unix */
+#elif (!defined(MSDOS) || defined(WATT32)) && !defined(OPENSSL_SYS_VXWORKS) && !defined(NO_SYSLOG)
 #  include <syslog.h>
 #endif
 
@@ -274,7 +275,7 @@ static void xsyslog(BIO *bp, int priority, const char *string)
         LPCSTR lpszStrings[2];
         WORD evtype= EVENTLOG_ERROR_TYPE;
         int pid = _getpid();
-        char pidbuf[20];
+        char pidbuf[DECIMAL_SIZE(pid)+4];
 
         switch (priority)
                 {
@@ -373,11 +374,15 @@ static void xcloselog(BIO* bp)
 {
 }
 
-#else /* Unix */
+#else /* Unix/Watt32 */
 
 static void xopenlog(BIO* bp, char* name, int level)
 {
+#ifdef WATT32   /* djgpp/DOS */
+        openlog(name, LOG_PID|LOG_CONS|LOG_NDELAY, level);
+#else
         openlog(name, LOG_PID|LOG_CONS, level);
+#endif
 }
 
 static void xsyslog(BIO *bp, int priority, const char *string)
diff --git a/src/lib/libssl/src/crypto/bio/bss_mem.c b/src/lib/libssl/src/crypto/bio/bss_mem.c
index 28ff7582bf..a4edb711ae 100644
--- a/src/lib/libssl/src/crypto/bio/bss_mem.c
+++ b/src/lib/libssl/src/crypto/bio/bss_mem.c
@@ -190,7 +190,7 @@ static int mem_write(BIO *b, const char *in, int inl)
 
         BIO_clear_retry_flags(b);
         blen=bm->length;
-        if (BUF_MEM_grow(bm,blen+inl) != (blen+inl))
+        if (BUF_MEM_grow_clean(bm,blen+inl) != (blen+inl))
                 goto end;
         memcpy(&(bm->data[blen]),in,inl);
         ret=inl;
@@ -284,7 +284,11 @@ static int mem_gets(BIO *bp, char *buf, int size)
 
         BIO_clear_retry_flags(bp);
         j=bm->length;
-        if (j <= 0) return(0);
+        if (j <= 0)
+                {
+                *buf='\0';
+                return 0;
+                }
         p=bm->data;
         for (i=0; i<j; i++)
                 {
diff --git a/src/lib/libssl/src/crypto/bio/bss_sock.c b/src/lib/libssl/src/crypto/bio/bss_sock.c
index fdabd16d7e..2c1c405ec7 100644
--- a/src/lib/libssl/src/crypto/bio/bss_sock.c
+++ b/src/lib/libssl/src/crypto/bio/bss_sock.c
@@ -64,6 +64,12 @@
 #include "cryptlib.h"
 #include <openssl/bio.h>
 
+#ifdef WATT32
+#define sock_write SockWrite  /* Watt-32 uses same names */
+#define sock_read  SockRead
+#define sock_puts  SockPuts
+#endif
+
 static int sock_write(BIO *h, const char *buf, int num);
 static int sock_read(BIO *h, char *buf, int size);
 static int sock_puts(BIO *h, const char *str);
diff --git a/src/lib/libssl/src/crypto/bn/Makefile.ssl b/src/lib/libssl/src/crypto/bn/Makefile.ssl
index 6a479726c4..fa17d3c7d8 100644
--- a/src/lib/libssl/src/crypto/bn/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/bn/Makefile.ssl
@@ -23,14 +23,6 @@ BN_ASM=		bn_asm.o
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 
-# We let the C compiler driver to take care of .s files. This is done in
-# order to be excused from maintaining a separate set of architecture
-# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
-# gcc, then the driver will automatically translate it to -xarch=v8plus
-# and pass it down to assembler.
-AS=$(CC) -c
-ASFLAGS=$(CFLAGS)
-
 GENERAL=Makefile
 TEST=bntest.c exptest.c
 APPS=
@@ -73,22 +65,11 @@ lib:	$(LIBOBJ)
         @touch lib
 
 # elf
-asm/bn86-elf.o: asm/bn86unix.cpp
-        $(CPP) -DELF -x c asm/bn86unix.cpp | as -o asm/bn86-elf.o
-
-asm/co86-elf.o: asm/co86unix.cpp
-        $(CPP) -DELF -x c asm/co86unix.cpp | as -o asm/co86-elf.o
+asm/bn86-elf.s: asm/bn-586.pl ../perlasm/x86asm.pl
+        (cd asm; $(PERL) bn-586.pl elf $(CFLAGS) > bn86-elf.s)
 
-# solaris
-asm/bn86-sol.o: asm/bn86unix.cpp
-        $(CC) -E -DSOL asm/bn86unix.cpp | sed 's/^#.*//' > asm/bn86-sol.s
-        as -o asm/bn86-sol.o asm/bn86-sol.s
-        rm -f asm/bn86-sol.s
-
-asm/co86-sol.o: asm/co86unix.cpp
-        $(CC) -E -DSOL asm/co86unix.cpp | sed 's/^#.*//' > asm/co86-sol.s
-        as -o asm/co86-sol.o asm/co86-sol.s
-        rm -f asm/co86-sol.s
+asm/co86-elf.s: asm/co-586.pl ../perlasm/x86asm.pl
+        (cd asm; $(PERL) co-586.pl elf $(CFLAGS) > co86-elf.s)
 
 # a.out
 asm/bn86-out.o: asm/bn86unix.cpp
@@ -136,6 +117,8 @@ asm/ia64-cpp.o:	asm/ia64.S
         $(CC) $(ASFLAGS) -c -o asm/ia64-cpp.o /tmp/ia64.$$$$.s; \
         rm -f /tmp/ia64.$$$$.s
 
+asm/x86_64-gcc.o: asm/x86_64-gcc.c
+
 files:
         $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
 
@@ -169,14 +152,14 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
         mv -f Makefile.new $(MAKEFILE)
 
 clean:
-        rm -f asm/co86unix.cpp asm/bn86unix.cpp *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff bn_asm.s
+        rm -f asm/co86unix.cpp asm/bn86unix.cpp asm/*-elf.* *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff bn_asm.s
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
diff --git a/src/lib/libssl/src/crypto/bn/asm/ia64.S b/src/lib/libssl/src/crypto/bn/asm/ia64.S
index ae56066310..7dfda85566 100644
--- a/src/lib/libssl/src/crypto/bn/asm/ia64.S
+++ b/src/lib/libssl/src/crypto/bn/asm/ia64.S
@@ -1,6 +1,6 @@
 .explicit
 .text
-.ident  "ia64.S, Version 1.1"
+.ident  "ia64.S, Version 2.0"
 .ident  "IA-64 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
 
 //
@@ -13,6 +13,35 @@
 // disclaimed.
 // ====================================================================
 //
+// Version 2.x is Itanium2 re-tune. Few words about how Itanum2 is
+// different from Itanium to this module viewpoint. Most notably, is it
+// "wider" than Itanium? Can you experience loop scalability as
+// discussed in commentary sections? Not really:-( Itanium2 has 6
+// integer ALU ports, i.e. it's 2 ports wider, but it's not enough to
+// spin twice as fast, as I need 8 IALU ports. Amount of floating point
+// ports is the same, i.e. 2, while I need 4. In other words, to this
+// module Itanium2 remains effectively as "wide" as Itanium. Yet it's
+// essentially different in respect to this module, and a re-tune was
+// required. Well, because some intruction latencies has changed. Most
+// noticeably those intensively used:
+//
+//                      Itanium Itanium2
+//      ldf8            9       6               L2 hit
+//      ld8             2       1               L1 hit
+//      getf            2       5
+//      xma[->getf]     7[+1]   4[+0]
+//      add[->st8]      1[+1]   1[+0]
+//
+// What does it mean? You might ratiocinate that the original code
+// should run just faster... Because sum of latencies is smaller...
+// Wrong! Note that getf latency increased. This means that if a loop is
+// scheduled for lower latency (and they are), then it will suffer from
+// stall condition and the code will therefore turn anti-scalable, e.g.
+// original bn_mul_words spun at 5*n or 2.5 times slower than expected
+// on Itanium2! What to do? Reschedule loops for Itanium2? But then
+// Itanium would exhibit anti-scalability. So I've chosen to reschedule
+// for worst latency for every instruction aiming for best *all-round*
+// performance.  
 
 // Q.   How much faster does it get?
 // A.   Here is the output from 'openssl speed rsa dsa' for vanilla
@@ -149,12 +178,27 @@ bn_add_words:
         brp.loop.imp    .L_bn_add_words_ctop,.L_bn_add_words_cend-16
                                         }
         .body
-{ .mib; mov             r14=r32                 // rp
+{ .mib;
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        addp4           r14=0,r32               // rp
+#else
+        mov             r14=r32                 // rp
+#endif
         mov             r9=pr           };;
-{ .mii; mov             r15=r33                 // ap
+{ .mii;
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        addp4           r15=0,r33               // ap
+#else
+        mov             r15=r33                 // ap
+#endif
         mov             ar.lc=r10
         mov             ar.ec=6         }
-{ .mib; mov             r16=r34                 // bp
+{ .mib;
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        addp4           r16=0,r34               // bp
+#else
+        mov             r16=r34                 // bp
+#endif
         mov             pr.rot=1<<16    };;
 
 .L_bn_add_words_ctop:
@@ -174,7 +218,7 @@ bn_add_words:
 
 { .mii;
 (p59)   add             r8=1,r8         // return value
-        mov             pr=r9,-1
+        mov             pr=r9,0x1ffff
         mov             ar.lc=r3        }
 { .mbb; nop.b           0x0
         br.ret.sptk.many        b0      };;
@@ -202,12 +246,27 @@ bn_sub_words:
         brp.loop.imp    .L_bn_sub_words_ctop,.L_bn_sub_words_cend-16
                                         }
         .body
-{ .mib; mov             r14=r32                 // rp
+{ .mib;
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        addp4           r14=0,r32               // rp
+#else
+        mov             r14=r32                 // rp
+#endif
         mov             r9=pr           };;
-{ .mii; mov             r15=r33                 // ap
+{ .mii;
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        addp4           r15=0,r33               // ap
+#else
+        mov             r15=r33                 // ap
+#endif
         mov             ar.lc=r10
         mov             ar.ec=6         }
-{ .mib; mov             r16=r34                 // bp
+{ .mib;
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        addp4           r16=0,r34               // bp
+#else
+        mov             r16=r34                 // bp
+#endif
         mov             pr.rot=1<<16    };;
 
 .L_bn_sub_words_ctop:
@@ -227,7 +286,7 @@ bn_sub_words:
 
 { .mii;
 (p59)   add             r8=1,r8         // return value
-        mov             pr=r9,-1
+        mov             pr=r9,0x1ffff
         mov             ar.lc=r3        }
 { .mbb; nop.b           0x0
         br.ret.sptk.many        b0      };;
@@ -253,7 +312,7 @@ bn_mul_words:
 #ifdef XMA_TEMPTATION
 { .mfi; alloc           r2=ar.pfs,4,0,0,0       };;
 #else
-{ .mfi; alloc           r2=ar.pfs,4,4,0,8       };;
+{ .mfi; alloc           r2=ar.pfs,4,12,0,16     };;
 #endif
 { .mib; mov             r8=r0                   // return value
         cmp4.le         p6,p0=r34,r0
@@ -266,24 +325,30 @@ bn_mul_words:
 
         .body
 { .mib; setf.sig        f8=r35  // w
-        mov             pr.rot=0x400001<<16
-                        // ------^----- serves as (p48) at first (p26)
+        mov             pr.rot=0x800001<<16
+                        // ------^----- serves as (p50) at first (p27)
         brp.loop.imp    .L_bn_mul_words_ctop,.L_bn_mul_words_cend-16
                                         }
 
 #ifndef XMA_TEMPTATION
 
-{ .mii; mov             r14=r32 // rp
-        mov             r15=r33 // ap
+{ .mii;
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        addp4           r14=0,r32       // rp
+        addp4           r15=0,r33       // ap
+#else
+        mov             r14=r32         // rp
+        mov             r15=r33         // ap
+#endif
         mov             ar.lc=r10       }
-{ .mii; mov             r39=0   // serves as r33 at first (p26)
-        mov             ar.ec=12        };;
+{ .mii; mov             r40=0   // serves as r35 at first (p27)
+        mov             ar.ec=13        };;
 
-// This loop spins in 2*(n+11) ticks. It's scheduled for data in L2
-// cache (i.e. 9 ticks away) as floating point load/store instructions
+// This loop spins in 2*(n+12) ticks. It's scheduled for data in Itanium
+// L2 cache (i.e. 9 ticks away) as floating point load/store instructions
 // bypass L1 cache and L2 latency is actually best-case scenario for
-// ldf8. The loop is not scalable and shall run in 2*(n+11) even on
-// "wider" IA-64 implementations. It's a trade-off here. n+22 loop
+// ldf8. The loop is not scalable and shall run in 2*(n+12) even on
+// "wider" IA-64 implementations. It's a trade-off here. n+24 loop
 // would give us ~5% in *overall* performance improvement on "wider"
 // IA-64, but would hurt Itanium for about same because of longer
 // epilogue. As it's a matter of few percents in either case I've
@@ -291,25 +356,25 @@ bn_mul_words:
 // this very instruction sequence in bn_mul_add_words loop which in
 // turn is scalable).
 .L_bn_mul_words_ctop:
-{ .mfi; (p25)   getf.sig        r36=f49                 // low
-        (p21)   xmpy.lu         f45=f37,f8
-        (p27)   cmp.ltu         p52,p48=r39,r38 }
+{ .mfi; (p25)   getf.sig        r36=f52                 // low
+        (p21)   xmpy.lu         f48=f37,f8
+        (p28)   cmp.ltu         p54,p50=r41,r39 }
 { .mfi; (p16)   ldf8            f32=[r15],8
-        (p21)   xmpy.hu         f38=f37,f8
+        (p21)   xmpy.hu         f40=f37,f8
         (p0)    nop.i           0x0             };;
-{ .mii; (p26)   getf.sig        r32=f43                 // high
-        .pred.rel       "mutex",p48,p52
-        (p48)   add             r38=r37,r33             // (p26)
-        (p52)   add             r38=r37,r33,1   }       // (p26)
-{ .mfb; (p27)   st8             [r14]=r39,8
+{ .mii; (p25)   getf.sig        r32=f44                 // high
+        .pred.rel       "mutex",p50,p54
+        (p50)   add             r40=r38,r35             // (p27)
+        (p54)   add             r40=r38,r35,1   }       // (p27)
+{ .mfb; (p28)   st8             [r14]=r41,8
         (p0)    nop.f           0x0
         br.ctop.sptk    .L_bn_mul_words_ctop    };;
 .L_bn_mul_words_cend:
 
 { .mii; nop.m           0x0
-.pred.rel       "mutex",p49,p53
-(p49)   add             r8=r34,r0
-(p53)   add             r8=r34,r0,1     }
+.pred.rel       "mutex",p51,p55
+(p51)   add             r8=r36,r0
+(p55)   add             r8=r36,r0,1     }
 { .mfb; nop.m   0x0
         nop.f   0x0
         nop.b   0x0                     }
@@ -344,7 +409,7 @@ bn_mul_words:
 #endif  // XMA_TEMPTATION
 
 { .mii; nop.m           0x0
-        mov             pr=r9,-1
+        mov             pr=r9,0x1ffff
         mov             ar.lc=r3        }
 { .mfb; rum             1<<5            // clear um.mfh
         nop.f           0x0
@@ -376,59 +441,69 @@ bn_mul_add_words:
 
         .body
 { .mib; setf.sig        f8=r35  // w
-        mov             pr.rot=0x400001<<16
-                        // ------^----- serves as (p48) at first (p26)
+        mov             pr.rot=0x800001<<16
+                        // ------^----- serves as (p50) at first (p27)
         brp.loop.imp    .L_bn_mul_add_words_ctop,.L_bn_mul_add_words_cend-16
                                         }
-{ .mii; mov             r14=r32 // rp
-        mov             r15=r33 // ap
+{ .mii;
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        addp4           r14=0,r32       // rp
+        addp4           r15=0,r33       // ap
+#else
+        mov             r14=r32         // rp
+        mov             r15=r33         // ap
+#endif
         mov             ar.lc=r10       }
-{ .mii; mov             r39=0   // serves as r33 at first (p26)
-        mov             r18=r32 // rp copy
-        mov             ar.ec=14        };;
+{ .mii; mov             r40=0   // serves as r35 at first (p27)
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        addp4           r18=0,r32       // rp copy
+#else
+        mov             r18=r32         // rp copy
+#endif
+        mov             ar.ec=15        };;
 
-// This loop spins in 3*(n+13) ticks on Itanium and should spin in
-// 2*(n+13) on "wider" IA-64 implementations (to be verified with new
+// This loop spins in 3*(n+14) ticks on Itanium and should spin in
+// 2*(n+14) on "wider" IA-64 implementations (to be verified with new
 // µ-architecture manuals as they become available). As usual it's
 // possible to compress the epilogue, down to 10 in this case, at the
 // cost of scalability. Compressed (and therefore non-scalable) loop
-// running at 3*(n+10) would buy you ~10% on Itanium but take ~35%
+// running at 3*(n+11) would buy you ~10% on Itanium but take ~35%
 // from "wider" IA-64 so let it be scalable! Special attention was
 // paid for having the loop body split at 64-byte boundary. ld8 is
 // scheduled for L1 cache as the data is more than likely there.
 // Indeed, bn_mul_words has put it there a moment ago:-)
 .L_bn_mul_add_words_ctop:
-{ .mfi; (p25)   getf.sig        r36=f49                 // low
-        (p21)   xmpy.lu         f45=f37,f8
-        (p27)   cmp.ltu         p52,p48=r39,r38 }
+{ .mfi; (p25)   getf.sig        r36=f52                 // low
+        (p21)   xmpy.lu         f48=f37,f8
+        (p28)   cmp.ltu         p54,p50=r41,r39 }
 { .mfi; (p16)   ldf8            f32=[r15],8
-        (p21)   xmpy.hu         f38=f37,f8
-        (p27)   add             r43=r43,r39     };;
-{ .mii; (p26)   getf.sig        r32=f43                 // high
-        .pred.rel       "mutex",p48,p52
-        (p48)   add             r38=r37,r33             // (p26)
-        (p52)   add             r38=r37,r33,1   }       // (p26)
-{ .mfb; (p27)   cmp.ltu.unc     p56,p0=r43,r39
+        (p21)   xmpy.hu         f40=f37,f8
+        (p28)   add             r45=r45,r41     };;
+{ .mii; (p25)   getf.sig        r32=f44                 // high
+        .pred.rel       "mutex",p50,p54
+        (p50)   add             r40=r38,r35             // (p27)
+        (p54)   add             r40=r38,r35,1   }       // (p27)
+{ .mfb; (p28)   cmp.ltu.unc     p60,p0=r45,r41
         (p0)    nop.f           0x0
         (p0)    nop.b           0x0             }
-{ .mii; (p26)   ld8             r42=[r18],8
-        (p58)   cmp.eq.or       p57,p0=-1,r44
-        (p58)   add             r44=1,r44       }
-{ .mfb; (p29)   st8             [r14]=r45,8
+{ .mii; (p27)   ld8             r44=[r18],8
+        (p62)   cmp.eq.or       p61,p0=-1,r46
+        (p62)   add             r46=1,r46       }
+{ .mfb; (p30)   st8             [r14]=r47,8
         (p0)    nop.f           0x0
         br.ctop.sptk    .L_bn_mul_add_words_ctop};;
 .L_bn_mul_add_words_cend:
 
 { .mii; nop.m           0x0
-.pred.rel       "mutex",p51,p55
-(p51)   add             r8=r36,r0
-(p55)   add             r8=r36,r0,1     }
+.pred.rel       "mutex",p53,p57
+(p53)   add             r8=r38,r0
+(p57)   add             r8=r38,r0,1     }
 { .mfb; nop.m   0x0
         nop.f   0x0
         nop.b   0x0                     };;
 { .mii;
-(p59)   add             r8=1,r8
-        mov             pr=r9,-1
+(p63)   add             r8=1,r8
+        mov             pr=r9,0x1ffff
         mov             ar.lc=r3        }
 { .mfb; rum             1<<5            // clear um.mfh
         nop.f           0x0
@@ -461,6 +536,10 @@ bn_sqr_words:
         mov     r9=pr                   };;
 
         .body
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+{ .mii; addp4           r32=0,r32
+        addp4           r33=0,r33       };;
+#endif
 { .mib;
         mov             pr.rot=1<<16
         brp.loop.imp    .L_bn_sqr_words_ctop,.L_bn_sqr_words_cend-16
@@ -492,7 +571,7 @@ bn_sqr_words:
 .L_bn_sqr_words_cend:
 
 { .mii; nop.m           0x0
-        mov             pr=r9,-1
+        mov             pr=r9,0x1ffff
         mov             ar.lc=r3        }
 { .mfb; rum             1<<5            // clear um.mfh
         nop.f           0x0
@@ -526,7 +605,14 @@ bn_sqr_comba8:
         .prologue
         .fframe 0
         .save   ar.pfs,r2
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
 { .mii; alloc   r2=ar.pfs,2,1,0,0
+        addp4   r33=0,r33
+        addp4   r32=0,r32               };;
+{ .mii;
+#else
+{ .mii; alloc   r2=ar.pfs,2,1,0,0
+#endif
         mov     r34=r33
         add     r14=8,r33               };;
         .body
@@ -587,7 +673,14 @@ bn_mul_comba8:
         .prologue
         .fframe 0
         .save   ar.pfs,r2
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
 { .mii; alloc   r2=ar.pfs,3,0,0,0
+        addp4   r33=0,r33
+        addp4   r34=0,r34               };;
+{ .mii; addp4   r32=0,r32
+#else
+{ .mii; alloc   r2=ar.pfs,3,0,0,0
+#endif
         add     r14=8,r33
         add     r17=8,r34               }
         .body
@@ -1138,7 +1231,14 @@ bn_sqr_comba4:
         .prologue
         .fframe 0
         .save   ar.pfs,r2
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+{ .mii; alloc   r2=ar.pfs,2,1,0,0
+        addp4   r32=0,r32
+        addp4   r33=0,r33               };;
+{ .mii;
+#else
 { .mii; alloc   r2=ar.pfs,2,1,0,0
+#endif
         mov     r34=r33
         add     r14=8,r33               };;
         .body
@@ -1164,7 +1264,14 @@ bn_mul_comba4:
         .prologue
         .fframe 0
         .save   ar.pfs,r2
+#if defined(_HPUX_SOURCE) && defined(_ILP32)
+{ .mii; alloc   r2=ar.pfs,3,0,0,0
+        addp4   r33=0,r33
+        addp4   r34=0,r34               };;
+{ .mii; addp4   r32=0,r32
+#else
 { .mii; alloc   r2=ar.pfs,3,0,0,0
+#endif
         add     r14=8,r33
         add     r17=8,r34               }
         .body
@@ -1464,7 +1571,7 @@ bn_div_words:
         or      r8=r8,r33
         mov     ar.pfs=r2               };;
 { .mii; shr.u   r9=H,I                  // remainder if anybody wants it
-        mov     pr=r10,-1               }
+        mov     pr=r10,0x1ffff          }
 { .mfb; br.ret.sptk.many        b0      };;
 
 // Unsigned 64 by 32 (well, by 64 for the moment) bit integer division
diff --git a/src/lib/libssl/src/crypto/bn/asm/pa-risc2.s b/src/lib/libssl/src/crypto/bn/asm/pa-risc2.s
index af9730d062..f3b16290eb 100644
--- a/src/lib/libssl/src/crypto/bn/asm/pa-risc2.s
+++ b/src/lib/libssl/src/crypto/bn/asm/pa-risc2.s
@@ -747,8 +747,8 @@ bn_div_words
         .PROC
         .EXPORT bn_div_words,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR,RTNVAL=GR,LONG_RETURN
         .IMPORT BN_num_bits_word,CODE
-        .IMPORT __iob,DATA
-        .IMPORT fprintf,CODE
+        ;--- not PIC    .IMPORT __iob,DATA
+        ;--- not PIC    .IMPORT fprintf,CODE
         .IMPORT abort,CODE
         .IMPORT $$div2U,MILLICODE
         .CALLINFO CALLER,FRAME=144,ENTRY_GR=%r9,SAVE_RP,ARGS_SAVED,ORDERING_AWARE
@@ -844,12 +844,12 @@ $0006001A
         MOVIB,TR        2,%r8,$0006001C ;offset 0xa18
         EXTRD,U %r3,63,32,%r7   ;offset 0xa1c
 $D2
-        ADDIL   LR'__iob-$global$,%r27,%r1      ;offset 0xa20
-        LDIL    LR'C$7,%r21     ;offset 0xa24
-        LDO     RR'__iob-$global$+32(%r1),%r26  ;offset 0xa28
-        .CALL   ARGW0=GR,ARGW1=GR,ARGW2=GR,RTNVAL=GR    ;in=24,25,26;out=28;
-        B,L     fprintf,%r2     ;offset 0xa2c
-        LDO     RR'C$7(%r21),%r25       ;offset 0xa30
+        ;--- not PIC    ADDIL   LR'__iob-$global$,%r27,%r1      ;offset 0xa20
+        ;--- not PIC    LDIL    LR'C$7,%r21     ;offset 0xa24
+        ;--- not PIC    LDO     RR'__iob-$global$+32(%r1),%r26  ;offset 0xa28
+        ;--- not PIC    .CALL   ARGW0=GR,ARGW1=GR,ARGW2=GR,RTNVAL=GR    ;in=24,25,26;out=28;
+        ;--- not PIC    B,L     fprintf,%r2     ;offset 0xa2c
+        ;--- not PIC    LDO     RR'C$7(%r21),%r25       ;offset 0xa30
         .CALL           ;
         B,L     abort,%r2       ;offset 0xa34
         NOP             ;offset 0xa38
@@ -1605,14 +1605,14 @@ bn_mul_comba4
         .PROCEND        
 
 
-        .SPACE  $TEXT$
-        .SUBSPA $CODE$
-        .SPACE  $PRIVATE$,SORT=16
-        .IMPORT $global$,DATA
-        .SPACE  $TEXT$
-        .SUBSPA $CODE$
-        .SUBSPA $LIT$,ACCESS=0x2c
-C$7
-        .ALIGN  8
-        .STRINGZ        "Division would overflow (%d)\n"
+;--- not PIC    .SPACE  $TEXT$
+;--- not PIC    .SUBSPA $CODE$
+;--- not PIC    .SPACE  $PRIVATE$,SORT=16
+;--- not PIC    .IMPORT $global$,DATA
+;--- not PIC    .SPACE  $TEXT$
+;--- not PIC    .SUBSPA $CODE$
+;--- not PIC    .SUBSPA $LIT$,ACCESS=0x2c
+;--- not PIC    C$7
+;--- not PIC    .ALIGN  8
+;--- not PIC    .STRINGZ        "Division would overflow (%d)\n"
         .END
diff --git a/src/lib/libssl/src/crypto/bn/asm/vms.mar b/src/lib/libssl/src/crypto/bn/asm/vms.mar
index 465f2774b6..aefab15cdb 100644
--- a/src/lib/libssl/src/crypto/bn/asm/vms.mar
+++ b/src/lib/libssl/src/crypto/bn/asm/vms.mar
@@ -1,4 +1,4 @@
-        .title  vax_bn_mul_add_word  unsigned multiply & add, 32*32+32+32=>64
+        .title  vax_bn_mul_add_words  unsigned multiply & add, 32*32+32+32=>64
 ;
 ; w.j.m. 15-jan-1999
 ;
@@ -59,7 +59,7 @@ w=16 ;(AP)	w	by value (input)
         movl    r6,r0                   ; return c
         ret
 
-        .title  vax_bn_mul_word  unsigned multiply & add, 32*32+32=>64
+        .title  vax_bn_mul_words  unsigned multiply & add, 32*32+32=>64
 ;
 ; w.j.m. 15-jan-1999
 ;
@@ -172,147 +172,175 @@ n=12 ;(AP)	n	by value (input)
 ; }
 ;
 ; Using EDIV would be very easy, if it didn't do signed calculations.
-; Therefore, som extra things have to happen around it.  The way to
-; handle that is to shift all operands right one step (basically dividing
-; them by 2) and handle the different cases depending on what the lowest
-; bit of each operand was.
+; Any time any of the input numbers are signed, there are problems,
+; usually with integer overflow, at which point it returns useless
+; data (the quotient gets the value of l, and the remainder becomes 0).
 ;
-; To start with, let's define the following:
+; If it was just for the dividend, it would be very easy, just divide
+; it by 2 (unsigned), do the division, multiply the resulting quotient
+; and remainder by 2, add the bit that was dropped when dividing by 2
+; to the remainder, and do some adjustment so the remainder doesn't
+; end up larger than the divisor.  For some cases when the divisor is
+; negative (from EDIV's point of view, i.e. when the highest bit is set),
+; dividing the dividend by 2 isn't enough, and since some operations
+; might generate integer overflows even when the dividend is divided by
+; 4 (when the high part of the shifted down dividend ends up being exactly
+; half of the divisor, the result is the quotient 0x80000000, which is
+; negative...) it needs to be divided by 8.  Furthermore, the divisor needs
+; to be divided by 2 (unsigned) as well, to avoid more problems with the sign.
+; In this case, a little extra fiddling with the remainder is required.
 ;
-; a' = l & 1
-; a2 = <h,l> >> 1       # UNSIGNED shift!
-; b' = d & 1
-; b2 = d >> 1           # UNSIGNED shift!
+; So, the simplest way to handle this is always to divide the dividend
+; by 8, and to divide the divisor by 2 if it's highest bit is set.
+; After EDIV has been used, the quotient gets multiplied by 8 if the
+; original divisor was positive, otherwise 4.  The remainder, oddly
+; enough, is *always* multiplied by 8.
+; NOTE: in the case mentioned above, where the high part of the shifted
+; down dividend ends up being exactly half the shifted down divisor, we
+; end up with a 33 bit quotient.  That's no problem however, it usually
+; means we have ended up with a too large remainder as well, and the
+; problem is fixed by the last part of the algorithm (next paragraph).
 ;
-; Now, use EDIV to calculate a quotient and a remainder:
+; The routine ends with comparing the resulting remainder with the
+; original divisor and if the remainder is larger, subtract the
+; original divisor from it, and increase the quotient by 1.  This is
+; done until the remainder is smaller than the divisor.
 ;
-; q'' = a2/b2
-; r'' = a2 - q''*b2
+; The complete algorithm looks like this:
 ;
-; If b' is 0, the quotient is already correct, we just need to adjust the
-; remainder:
+; d'    = d
+; l'    = l & 7
+; [h,l] = [h,l] >> 3
+; [q,r] = floor([h,l] / d)      # This is the EDIV operation
+; if (q < 0) q = -q             # I doubt this is necessary any more
 ;
-; if (b' == 0)
-;   {
-;     r = 2*r'' + a'
-;     q = q''
-;   }
-;
-; If b' is 1, we need to do other adjustements.  The first thought is the
-; following (note that r' will not always have the right value, but an
-; adjustement follows further down):
-;
-; if (b' == 1)
-;   {
-;     q' = q''
-;     r' = a - q'*b
-;
-; However, one can note the folowing relationship:
-;
-;                         r'' = a2 - q''*b2
-;                  =>   2*r'' = 2*a2 - 2*q''*b2
-;                             = { a = 2*a2 + a', b = 2*b2 + b' = 2*b2 + 1,
-;                                 q' = q'' }
-;                             = a - a' - q'*(b - 1)
-;                             = a - q'*b - a' + q'
-;                             = r' - a' + q'
-;                  =>     r'  = 2*r'' - q' + a'
+; r'    = r >> 29
+; if (d' >= 0)
+;   q'  = q >> 29
+;   q   = q << 3
+; else
+;   q'  = q >> 30
+;   q   = q << 2
+; r     = (r << 3) + l'
 ;
-; This enables us to use r'' instead of discarding and calculating another
-; modulo:
-;
-; if (b' == 1)
+; if (d' < 0)
 ;   {
-;     q' = q''
-;     r' = (r'' << 1) - q' + a'
-;
-; Now, all we have to do is adjust r', because it might be < 0:
-;
-;     while (r' < 0)
+;     [r',r] = [r',r] - q
+;     while ([r',r] < 0)
 ;       {
-;         r' = r' + b
-;         q' = q' - 1
+;         [r',r] = [r',r] + d
+;         [q',q] = [q',q] - 1
 ;       }
 ;   }
 ;
-; return q'
+; while ([r',r] >= d')
+;   {
+;     [r',r] = [r',r] - d'
+;     [q',q] = [q',q] + 1
+;   }
+;
+; return q
 
 h=4 ;(AP)       h       by value (input)
 l=8 ;(AP)       l       by value (input)
 d=12 ;(AP)      d       by value (input)
 
-;aprim=r5
-;a2=r6
-;a20=r6
-;a21=r7
-;bprim=r8
-;b2=r9
-;qprim=r10      ; initially used as q''
-;rprim=r11      ; initially used as r''
-
+;r2 = l, q
+;r3 = h, r
+;r4 = d
+;r5 = l'
+;r6 = r'
+;r7 = d'
+;r8 = q'
 
         .psect  code,nowrt
 
-.entry  bn_div_words,^m<r2,r3,r4,r5,r6,r7,r8,r9,r10,r11>
+.entry  bn_div_words,^m<r2,r3,r4,r5,r6,r7,r8>
         movl    l(ap),r2
         movl    h(ap),r3
         movl    d(ap),r4
 
-        movl    #0,r5
-        movl    #0,r8
-        movl    #0,r0
-;       movl    #0,r1
+        bicl3   #^XFFFFFFF8,r2,r5 ; l' = l & 7
+        bicl3   #^X00000007,r2,r2
 
-        rotl    #-1,r2,r6       ; a20 = l >> 1 (almost)
-        rotl    #-1,r3,r7       ; a21 = h >> 1 (almost)
-        rotl    #-1,r4,r9       ; b2 = d >> 1 (almost)
+        bicl3   #^XFFFFFFF8,r3,r6
+        bicl3   #^X00000007,r3,r3
+        
+        addl    r6,r2
 
-        tstl    r6
-        bgeq    1$
-        xorl2   #^X80000000,r6  ; fixup a20 so highest bit is 0
-        incl    r5              ; a' = 1
-1$:
-        tstl    r7
-        bgeq    2$
-        xorl2   #^X80000000,r6  ; fixup a20 so highest bit is 1,
-                                ; since that's what was lowest in a21
-        xorl2   #^X80000000,r7  ; fixup a21 so highest bit is 1
-2$:
-        tstl    r9
+        rotl    #-3,r2,r2       ; l = l >> 3
+        rotl    #-3,r3,r3       ; h = h >> 3
+                
+        movl    r4,r7           ; d' = d
+
+        movl    #0,r6           ; r' = 0
+        movl    #0,r8           ; q' = 0
+
+        tstl    r4
         beql    666$            ; Uh-oh, the divisor is 0...
-        bgtr    3$
-        xorl2   #^X80000000,r9  ; fixup b2 so highest bit is 0
-        incl    r8              ; b' = 1
-3$:
-        tstl    r9
-        bneq    4$              ; if b2 is 0, we know that b' is 1
-        tstl    r3
-        bneq    666$            ; if higher half isn't 0, we overflow
-        movl    r2,r10          ; otherwise, we have our result
-        brb     42$             ; This is a success, really.
-4$:
-        ediv    r9,r6,r10,r11
-
-        tstl    r8
-        bneq    5$              ; If b' != 0, go to the other part
-;       addl3   r11,r11,r1
-;       addl2   r5,r1
-        brb     42$
-5$:
-        ashl    #1,r11,r11
-        subl2   r10,r11
-        addl2   r5,r11
-        bgeq    7$
-6$:
-        decl    r10
-        addl2   r4,r11
-        blss    6$
-7$:
-;       movl    r11,r1
+        bgtr    1$
+        rotl    #-1,r4,r4       ; If d is negative, shift it right.
+        bicl2   #^X80000000,r4  ; Since d is then a large number, the
+                                ; lowest bit is insignificant
+                                ; (contradict that, and I'll fix the problem!)
+1$:     
+        ediv    r4,r2,r2,r3     ; Do the actual division
+
+        tstl    r2
+        bgeq    3$
+        mnegl   r2,r2           ; if q < 0, negate it
+3$:     
+        tstl    r7
+        blss    4$
+        rotl    #3,r2,r2        ;   q = q << 3
+        bicl3   #^XFFFFFFF8,r2,r8 ;    q' gets the high bits from q
+        bicl3   #^X00000007,r2,r2
+        bsb     41$
+4$:                             ; else
+        rotl    #2,r2,r2        ;   q = q << 2
+        bicl3   #^XFFFFFFFC,r2,r8 ;   q' gets the high bits from q
+        bicl3   #^X00000003,r2,r2
+41$:
+        rotl    #3,r3,r3        ; r = r << 3
+        bicl3   #^XFFFFFFF8,r3,r6 ; r' gets the high bits from r
+        bicl3   #^X00000007,r3,r3
+        addl    r5,r3           ; r = r + l'
+
+        tstl    r7
+        bgeq    5$
+        bitl    #1,r7
+        beql    5$              ; if d' < 0 && d' & 1
+        subl    r2,r3           ;   [r',r] = [r',r] - [q',q]
+        sbwc    r8,r6
+45$:
+        bgeq    5$              ;   while r < 0
+        decl    r2              ;     [q',q] = [q',q] - 1
+        sbwc    #0,r8
+        addl    r7,r3           ;     [r',r] = [r',r] + d'
+        adwc    #0,r6
+        brb     45$
+
+; The return points are placed in the middle to keep a short distance from
+; all the branch points
 42$:
-        movl    r10,r0
+;       movl    r3,r1
+        movl    r2,r0
+        ret
 666$:
+        movl    #^XFFFFFFFF,r0
         ret
+
+5$:
+        tstl    r6
+        bneq    6$
+        cmpl    r3,r7
+        blssu   42$             ; while [r',r] >= d'
+6$:
+        subl    r7,r3           ;   [r',r] = [r',r] - d'
+        sbwc    #0,r6
+        incl    r2              ;   [q',q] = [q',q] + 1
+        adwc    #0,r8
+        brb     5$      
 
         .title  vax_bn_add_words  unsigned add of two arrays
 ;
diff --git a/src/lib/libssl/src/crypto/bn/bn.h b/src/lib/libssl/src/crypto/bn/bn.h
index b40682f831..3da6d8ced9 100644
--- a/src/lib/libssl/src/crypto/bn/bn.h
+++ b/src/lib/libssl/src/crypto/bn/bn.h
@@ -248,6 +248,8 @@ typedef struct bn_blinding_st
         BIGNUM *A;
         BIGNUM *Ai;
         BIGNUM *mod; /* just a reference */
+        unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b;
+                                  * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
         } BN_BLINDING;
 
 /* Used for montgomery multiplication */
diff --git a/src/lib/libssl/src/crypto/bn/bn_div.c b/src/lib/libssl/src/crypto/bn/bn_div.c
index f9a095e3b3..580d1201bc 100644
--- a/src/lib/libssl/src/crypto/bn/bn_div.c
+++ b/src/lib/libssl/src/crypto/bn/bn_div.c
@@ -150,6 +150,20 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
             q;                                  \
         })
 #  define REMAINDER_IS_ALREADY_CALCULATED
+#  elif defined(__x86_64) && defined(SIXTY_FOUR_BIT_LONG)
+   /*
+    * Same story here, but it's 128-bit by 64-bit division. Wow!
+    *                                   <appro@fy.chalmers.se>
+    */
+#  define bn_div_words(n0,n1,d0)                \
+        ({  asm volatile (                      \
+                "divq   %4"                     \
+                : "=a"(q), "=d"(rem)            \
+                : "a"(n1), "d"(n0), "g"(d0)     \
+                : "cc");                        \
+            q;                                  \
+        })
+#  define REMAINDER_IS_ALREADY_CALCULATED
 #  endif /* __<cpu> */
 # endif /* __GNUC__ */
 #endif /* OPENSSL_NO_ASM */
@@ -268,6 +282,11 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
                         q=(BN_ULONG)(((((BN_ULLONG)n0)<<BN_BITS2)|n1)/d0);
 #else
                         q=bn_div_words(n0,n1,d0);
+#ifdef BN_DEBUG_LEVITTE
+                        fprintf(stderr,"DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
+X) -> 0x%08X\n",
+                                n0, n1, d0, q);
+#endif
 #endif
 
 #ifndef REMAINDER_IS_ALREADY_CALCULATED
@@ -292,11 +311,18 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
                         BN_ULONG t2l,t2h,ql,qh;
 
                         q=bn_div_words(n0,n1,d0);
+#ifdef BN_DEBUG_LEVITTE
+                        fprintf(stderr,"DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
+X) -> 0x%08X\n",
+                                n0, n1, d0, q);
+#endif
 #ifndef REMAINDER_IS_ALREADY_CALCULATED
                         rem=(n1-q*d0)&BN_MASK2;
 #endif
 
-#ifdef BN_UMULT_HIGH
+#if defined(BN_UMULT_LOHI)
+                        BN_UMULT_LOHI(t2l,t2h,d1,q);
+#elif defined(BN_UMULT_HIGH)
                         t2l = d1 * q;
                         t2h = BN_UMULT_HIGH(d1,q);
 #else
diff --git a/src/lib/libssl/src/crypto/bn/bn_lcl.h b/src/lib/libssl/src/crypto/bn/bn_lcl.h
index 8a4dba375a..5614bc6164 100644
--- a/src/lib/libssl/src/crypto/bn/bn_lcl.h
+++ b/src/lib/libssl/src/crypto/bn/bn_lcl.h
@@ -230,6 +230,21 @@ struct bignum_ctx
              : "r"(a), "r"(b));         \
         ret;                    })
 #  endif        /* compiler */
+# elif defined(__x86_64) && defined(SIXTY_FOUR_BIT_LONG)
+#  if defined(__GNUC__)
+#   define BN_UMULT_HIGH(a,b)   ({      \
+        register BN_ULONG ret,discard;  \
+        asm ("mulq      %3"             \
+             : "=a"(discard),"=d"(ret)  \
+             : "a"(a), "g"(b)           \
+             : "cc");                   \
+        ret;                    })
+#   define BN_UMULT_LOHI(low,high,a,b)  \
+        asm ("mulq      %3"             \
+                : "=a"(low),"=d"(high)  \
+                : "a"(a),"g"(b)         \
+                : "cc");
+#  endif
 # endif         /* cpu */
 #endif          /* OPENSSL_NO_ASM */
 
@@ -337,7 +352,7 @@ struct bignum_ctx
 
 #define LBITS(a)        ((a)&BN_MASK2l)
 #define HBITS(a)        (((a)>>BN_BITS4)&BN_MASK2l)
-#define L2HBITS(a)      ((BN_ULONG)((a)&BN_MASK2l)<<BN_BITS4)
+#define L2HBITS(a)      (((a)<<BN_BITS4)&BN_MASK2)
 
 #define LLBITS(a)       ((a)&BN_MASKl)
 #define LHBITS(a)       (((a)>>BN_BITS2)&BN_MASKl)
@@ -353,7 +368,7 @@ struct bignum_ctx
         lt=(bl)*(lt); \
         m1=(bl)*(ht); \
         ht =(bh)*(ht); \
-        m=(m+m1)&BN_MASK2; if (m < m1) ht+=L2HBITS(1L); \
+        m=(m+m1)&BN_MASK2; if (m < m1) ht+=L2HBITS((BN_ULONG)1); \
         ht+=HBITS(m); \
         m1=L2HBITS(m); \
         lt=(lt+m1)&BN_MASK2; if (lt < m1) ht++; \
@@ -418,20 +433,19 @@ void bn_sqr_comba4(BN_ULONG *r,const BN_ULONG *a);
 int bn_cmp_words(const BN_ULONG *a,const BN_ULONG *b,int n);
 int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b,
         int cl, int dl);
+#if 0
+/* bn_mul.c rollback <appro> */
 void bn_mul_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2,
         int dna,int dnb,BN_ULONG *t);
 void bn_mul_part_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,
         int n,int tna,int tnb,BN_ULONG *t);
+#endif
 void bn_sqr_recursive(BN_ULONG *r,const BN_ULONG *a, int n2, BN_ULONG *t);
 void bn_mul_low_normal(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, int n);
 void bn_mul_low_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2,
         BN_ULONG *t);
 void bn_mul_high(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,BN_ULONG *l,int n2,
         BN_ULONG *t);
-BN_ULONG bn_add_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
-        int cl, int dl);
-BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
-        int cl, int dl);
 
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libssl/src/crypto/bn/bn_lib.c b/src/lib/libssl/src/crypto/bn/bn_lib.c
index ce2ae78419..463463cfcb 100644
--- a/src/lib/libssl/src/crypto/bn/bn_lib.c
+++ b/src/lib/libssl/src/crypto/bn/bn_lib.c
@@ -263,12 +263,12 @@ void BN_clear_free(BIGNUM *a)
         if (a == NULL) return;
         if (a->d != NULL)
                 {
-                memset(a->d,0,a->dmax*sizeof(a->d[0]));
+                OPENSSL_cleanse(a->d,a->dmax*sizeof(a->d[0]));
                 if (!(BN_get_flags(a,BN_FLG_STATIC_DATA)))
                         OPENSSL_free(a->d);
                 }
         i=BN_get_flags(a,BN_FLG_MALLOCED);
-        memset(a,0,sizeof(BIGNUM));
+        OPENSSL_cleanse(a,sizeof(BIGNUM));
         if (i)
                 OPENSSL_free(a);
         }
diff --git a/src/lib/libssl/src/crypto/bn/bn_mul.c b/src/lib/libssl/src/crypto/bn/bn_mul.c
index b03458d002..cb93ac3356 100644
--- a/src/lib/libssl/src/crypto/bn/bn_mul.c
+++ b/src/lib/libssl/src/crypto/bn/bn_mul.c
@@ -56,325 +56,10 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef BN_DEBUG
-# undef NDEBUG /* avoid conflicting definitions */
-# define NDEBUG
-#endif
-
 #include <stdio.h>
-#include <assert.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
 
-#if defined(OPENSSL_NO_ASM) || !(defined(__i386) || defined(__i386__)) || defined(__DJGPP__) /* Assembler implementation exists only for x86 */
-/* Here follows specialised variants of bn_add_words() and
-   bn_sub_words().  They have the property performing operations on
-   arrays of different sizes.  The sizes of those arrays is expressed through
-   cl, which is the common length ( basicall, min(len(a),len(b)) ), and dl,
-   which is the delta between the two lengths, calculated as len(a)-len(b).
-   All lengths are the number of BN_ULONGs...  For the operations that require
-   a result array as parameter, it must have the length cl+abs(dl).
-   These functions should probably end up in bn_asm.c as soon as there are
-   assembler counterparts for the systems that use assembler files.  */
-
-BN_ULONG bn_sub_part_words(BN_ULONG *r,
-        const BN_ULONG *a, const BN_ULONG *b,
-        int cl, int dl)
-        {
-        BN_ULONG c, t;
-
-        assert(cl >= 0);
-        c = bn_sub_words(r, a, b, cl);
-
-        if (dl == 0)
-                return c;
-
-        r += cl;
-        a += cl;
-        b += cl;
-
-        if (dl < 0)
-                {
-#ifdef BN_COUNT
-                fprintf(stderr, "  bn_sub_part_words %d + %d (dl < 0, c = %d)\n", cl, dl, c);
-#endif
-                for (;;)
-                        {
-                        t = b[0];
-                        r[0] = (0-t-c)&BN_MASK2;
-                        if (t != 0) c=1;
-                        if (++dl >= 0) break;
-
-                        t = b[1];
-                        r[1] = (0-t-c)&BN_MASK2;
-                        if (t != 0) c=1;
-                        if (++dl >= 0) break;
-
-                        t = b[2];
-                        r[2] = (0-t-c)&BN_MASK2;
-                        if (t != 0) c=1;
-                        if (++dl >= 0) break;
-
-                        t = b[3];
-                        r[3] = (0-t-c)&BN_MASK2;
-                        if (t != 0) c=1;
-                        if (++dl >= 0) break;
-
-                        b += 4;
-                        r += 4;
-                        }
-                }
-        else
-                {
-                int save_dl = dl;
-#ifdef BN_COUNT
-                fprintf(stderr, "  bn_sub_part_words %d + %d (dl > 0, c = %d)\n", cl, dl, c);
-#endif
-                while(c)
-                        {
-                        t = a[0];
-                        r[0] = (t-c)&BN_MASK2;
-                        if (t != 0) c=0;
-                        if (--dl <= 0) break;
-
-                        t = a[1];
-                        r[1] = (t-c)&BN_MASK2;
-                        if (t != 0) c=0;
-                        if (--dl <= 0) break;
-
-                        t = a[2];
-                        r[2] = (t-c)&BN_MASK2;
-                        if (t != 0) c=0;
-                        if (--dl <= 0) break;
-
-                        t = a[3];
-                        r[3] = (t-c)&BN_MASK2;
-                        if (t != 0) c=0;
-                        if (--dl <= 0) break;
-
-                        save_dl = dl;
-                        a += 4;
-                        r += 4;
-                        }
-                if (dl > 0)
-                        {
-#ifdef BN_COUNT
-                        fprintf(stderr, "  bn_sub_part_words %d + %d (dl > 0, c == 0)\n", cl, dl);
-#endif
-                        if (save_dl > dl)
-                                {
-                                switch (save_dl - dl)
-                                        {
-                                case 1:
-                                        r[1] = a[1];
-                                        if (--dl <= 0) break;
-                                case 2:
-                                        r[2] = a[2];
-                                        if (--dl <= 0) break;
-                                case 3:
-                                        r[3] = a[3];
-                                        if (--dl <= 0) break;
-                                        }
-                                a += 4;
-                                r += 4;
-                                }
-                        }
-                if (dl > 0)
-                        {
-#ifdef BN_COUNT
-                        fprintf(stderr, "  bn_sub_part_words %d + %d (dl > 0, copy)\n", cl, dl);
-#endif
-                        for(;;)
-                                {
-                                r[0] = a[0];
-                                if (--dl <= 0) break;
-                                r[1] = a[1];
-                                if (--dl <= 0) break;
-                                r[2] = a[2];
-                                if (--dl <= 0) break;
-                                r[3] = a[3];
-                                if (--dl <= 0) break;
-
-                                a += 4;
-                                r += 4;
-                                }
-                        }
-                }
-        return c;
-        }
-#endif
-
-BN_ULONG bn_add_part_words(BN_ULONG *r,
-        const BN_ULONG *a, const BN_ULONG *b,
-        int cl, int dl)
-        {
-        BN_ULONG c, l, t;
-
-        assert(cl >= 0);
-        c = bn_add_words(r, a, b, cl);
-
-        if (dl == 0)
-                return c;
-
-        r += cl;
-        a += cl;
-        b += cl;
-
-        if (dl < 0)
-                {
-                int save_dl = dl;
-#ifdef BN_COUNT
-                fprintf(stderr, "  bn_add_part_words %d + %d (dl < 0, c = %d)\n", cl, dl, c);
-#endif
-                while (c)
-                        {
-                        l=(c+b[0])&BN_MASK2;
-                        c=(l < c);
-                        r[0]=l;
-                        if (++dl >= 0) break;
-
-                        l=(c+b[1])&BN_MASK2;
-                        c=(l < c);
-                        r[1]=l;
-                        if (++dl >= 0) break;
-
-                        l=(c+b[2])&BN_MASK2;
-                        c=(l < c);
-                        r[2]=l;
-                        if (++dl >= 0) break;
-
-                        l=(c+b[3])&BN_MASK2;
-                        c=(l < c);
-                        r[3]=l;
-                        if (++dl >= 0) break;
-
-                        save_dl = dl;
-                        b+=4;
-                        r+=4;
-                        }
-                if (dl < 0)
-                        {
-#ifdef BN_COUNT
-                        fprintf(stderr, "  bn_add_part_words %d + %d (dl < 0, c == 0)\n", cl, dl);
-#endif
-                        if (save_dl < dl)
-                                {
-                                switch (dl - save_dl)
-                                        {
-                                case 1:
-                                        r[1] = b[1];
-                                        if (++dl >= 0) break;
-                                case 2:
-                                        r[2] = b[2];
-                                        if (++dl >= 0) break;
-                                case 3:
-                                        r[3] = b[3];
-                                        if (++dl >= 0) break;
-                                        }
-                                b += 4;
-                                r += 4;
-                                }
-                        }
-                if (dl < 0)
-                        {
-#ifdef BN_COUNT
-                        fprintf(stderr, "  bn_add_part_words %d + %d (dl < 0, copy)\n", cl, dl);
-#endif
-                        for(;;)
-                                {
-                                r[0] = b[0];
-                                if (++dl >= 0) break;
-                                r[1] = b[1];
-                                if (++dl >= 0) break;
-                                r[2] = b[2];
-                                if (++dl >= 0) break;
-                                r[3] = b[3];
-                                if (++dl >= 0) break;
-
-                                b += 4;
-                                r += 4;
-                                }
-                        }
-                }
-        else
-                {
-                int save_dl = dl;
-#ifdef BN_COUNT
-                fprintf(stderr, "  bn_add_part_words %d + %d (dl > 0)\n", cl, dl);
-#endif
-                while (c)
-                        {
-                        t=(a[0]+c)&BN_MASK2;
-                        c=(t < c);
-                        r[0]=t;
-                        if (--dl <= 0) break;
-
-                        t=(a[1]+c)&BN_MASK2;
-                        c=(t < c);
-                        r[1]=t;
-                        if (--dl <= 0) break;
-
-                        t=(a[2]+c)&BN_MASK2;
-                        c=(t < c);
-                        r[2]=t;
-                        if (--dl <= 0) break;
-
-                        t=(a[3]+c)&BN_MASK2;
-                        c=(t < c);
-                        r[3]=t;
-                        if (--dl <= 0) break;
-
-                        save_dl = dl;
-                        a+=4;
-                        r+=4;
-                        }
-#ifdef BN_COUNT
-                fprintf(stderr, "  bn_add_part_words %d + %d (dl > 0, c == 0)\n", cl, dl);
-#endif
-                if (dl > 0)
-                        {
-                        if (save_dl > dl)
-                                {
-                                switch (save_dl - dl)
-                                        {
-                                case 1:
-                                        r[1] = a[1];
-                                        if (--dl <= 0) break;
-                                case 2:
-                                        r[2] = a[2];
-                                        if (--dl <= 0) break;
-                                case 3:
-                                        r[3] = a[3];
-                                        if (--dl <= 0) break;
-                                        }
-                                a += 4;
-                                r += 4;
-                                }
-                        }
-                if (dl > 0)
-                        {
-#ifdef BN_COUNT
-                        fprintf(stderr, "  bn_add_part_words %d + %d (dl > 0, copy)\n", cl, dl);
-#endif
-                        for(;;)
-                                {
-                                r[0] = a[0];
-                                if (--dl <= 0) break;
-                                r[1] = a[1];
-                                if (--dl <= 0) break;
-                                r[2] = a[2];
-                                if (--dl <= 0) break;
-                                r[3] = a[3];
-                                if (--dl <= 0) break;
-
-                                a += 4;
-                                r += 4;
-                                }
-                        }
-                }
-        return c;
-        }
-
 #ifdef BN_RECURSION
 /* Karatsuba recursive multiplication algorithm
  * (cf. Knuth, The Art of Computer Programming, Vol. 2) */
@@ -390,15 +75,14 @@ BN_ULONG bn_add_part_words(BN_ULONG *r,
  * a[1]*b[1]
  */
 void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
-        int dna, int dnb, BN_ULONG *t)
+             BN_ULONG *t)
         {
         int n=n2/2,c1,c2;
-        int tna=n+dna, tnb=n+dnb;
         unsigned int neg,zero;
         BN_ULONG ln,lo,*p;
 
 # ifdef BN_COUNT
-        fprintf(stderr," bn_mul_recursive %d * %d\n",n2,n2);
+        printf(" bn_mul_recursive %d * %d\n",n2,n2);
 # endif
 # ifdef BN_MUL_COMBA
 #  if 0
@@ -408,40 +92,34 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
                 return;
                 }
 #  endif
-        /* Only call bn_mul_comba 8 if n2 == 8 and the
-         * two arrays are complete [steve]
-         */
-        if (n2 == 8 && dna == 0 && dnb == 0)
+        if (n2 == 8)
                 {
                 bn_mul_comba8(r,a,b);
                 return; 
                 }
 # endif /* BN_MUL_COMBA */
-        /* Else do normal multiply */
         if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL)
                 {
-                bn_mul_normal(r,a,n2+dna,b,n2+dnb);
-                if ((dna + dnb) < 0)
-                        memset(&r[2*n2 + dna + dnb], 0,
-                                sizeof(BN_ULONG) * -(dna + dnb));
+                /* This should not happen */
+                bn_mul_normal(r,a,n2,b,n2);
                 return;
                 }
         /* r=(a[0]-a[1])*(b[1]-b[0]) */
-        c1=bn_cmp_part_words(a,&(a[n]),tna,n-tna);
-        c2=bn_cmp_part_words(&(b[n]),b,tnb,tnb-n);
+        c1=bn_cmp_words(a,&(a[n]),n);
+        c2=bn_cmp_words(&(b[n]),b,n);
         zero=neg=0;
         switch (c1*3+c2)
                 {
         case -4:
-                bn_sub_part_words(t,      &(a[n]),a,      tna,tna-n); /* - */
-                bn_sub_part_words(&(t[n]),b,      &(b[n]),tnb,n-tnb); /* - */
+                bn_sub_words(t,      &(a[n]),a,      n); /* - */
+                bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
                 break;
         case -3:
                 zero=1;
                 break;
         case -2:
-                bn_sub_part_words(t,      &(a[n]),a,      tna,tna-n); /* - */
-                bn_sub_part_words(&(t[n]),&(b[n]),b,      tnb,tnb-n); /* + */
+                bn_sub_words(t,      &(a[n]),a,      n); /* - */
+                bn_sub_words(&(t[n]),&(b[n]),b,      n); /* + */
                 neg=1;
                 break;
         case -1:
@@ -450,22 +128,21 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
                 zero=1;
                 break;
         case 2:
-                bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna); /* + */
-                bn_sub_part_words(&(t[n]),b,      &(b[n]),tnb,n-tnb); /* - */
+                bn_sub_words(t,      a,      &(a[n]),n); /* + */
+                bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
                 neg=1;
                 break;
         case 3:
                 zero=1;
                 break;
         case 4:
-                bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna);
-                bn_sub_part_words(&(t[n]),&(b[n]),b,      tnb,tnb-n);
+                bn_sub_words(t,      a,      &(a[n]),n);
+                bn_sub_words(&(t[n]),&(b[n]),b,      n);
                 break;
                 }
 
 # ifdef BN_MUL_COMBA
-        if (n == 4 && dna == 0 && dnb == 0) /* XXX: bn_mul_comba4 could take
-                                               extra args to do this well */
+        if (n == 4)
                 {
                 if (!zero)
                         bn_mul_comba4(&(t[n2]),t,&(t[n]));
@@ -475,9 +152,7 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
                 bn_mul_comba4(r,a,b);
                 bn_mul_comba4(&(r[n2]),&(a[n]),&(b[n]));
                 }
-        else if (n == 8 && dna == 0 && dnb == 0) /* XXX: bn_mul_comba8 could
-                                                    take extra args to do this
-                                                    well */
+        else if (n == 8)
                 {
                 if (!zero)
                         bn_mul_comba8(&(t[n2]),t,&(t[n]));
@@ -492,11 +167,11 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
                 {
                 p= &(t[n2*2]);
                 if (!zero)
-                        bn_mul_recursive(&(t[n2]),t,&(t[n]),n,0,0,p);
+                        bn_mul_recursive(&(t[n2]),t,&(t[n]),n,p);
                 else
                         memset(&(t[n2]),0,n2*sizeof(BN_ULONG));
-                bn_mul_recursive(r,a,b,n,0,0,p);
-                bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),n,dna,dnb,p);
+                bn_mul_recursive(r,a,b,n,p);
+                bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),n,p);
                 }
 
         /* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
@@ -545,39 +220,39 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 
 /* n+tn is the word length
  * t needs to be n*4 is size, as does r */
-void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
-             int tna, int tnb, BN_ULONG *t)
+void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
+             int n, BN_ULONG *t)
         {
         int i,j,n2=n*2;
         unsigned int c1,c2,neg,zero;
         BN_ULONG ln,lo,*p;
 
 # ifdef BN_COUNT
-        fprintf(stderr," bn_mul_part_recursive (%d+%d) * (%d+%d)\n",
-                tna, n, tnb, n);
+        printf(" bn_mul_part_recursive %d * %d\n",tn+n,tn+n);
 # endif
         if (n < 8)
                 {
-                bn_mul_normal(r,a,n+tna,b,n+tnb);
+                i=tn+n;
+                bn_mul_normal(r,a,i,b,i);
                 return;
                 }
 
         /* r=(a[0]-a[1])*(b[1]-b[0]) */
-        c1=bn_cmp_part_words(a,&(a[n]),tna,n-tna);
-        c2=bn_cmp_part_words(&(b[n]),b,tnb,tnb-n);
+        c1=bn_cmp_words(a,&(a[n]),n);
+        c2=bn_cmp_words(&(b[n]),b,n);
         zero=neg=0;
         switch (c1*3+c2)
                 {
         case -4:
-                bn_sub_part_words(t,      &(a[n]),a,      tna,tna-n); /* - */
-                bn_sub_part_words(&(t[n]),b,      &(b[n]),tnb,n-tnb); /* - */
+                bn_sub_words(t,      &(a[n]),a,      n); /* - */
+                bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
                 break;
         case -3:
                 zero=1;
                 /* break; */
         case -2:
-                bn_sub_part_words(t,      &(a[n]),a,      tna,tna-n); /* - */
-                bn_sub_part_words(&(t[n]),&(b[n]),b,      tnb,tnb-n); /* + */
+                bn_sub_words(t,      &(a[n]),a,      n); /* - */
+                bn_sub_words(&(t[n]),&(b[n]),b,      n); /* + */
                 neg=1;
                 break;
         case -1:
@@ -586,16 +261,16 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
                 zero=1;
                 /* break; */
         case 2:
-                bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna); /* + */
-                bn_sub_part_words(&(t[n]),b,      &(b[n]),tnb,n-tnb); /* - */
+                bn_sub_words(t,      a,      &(a[n]),n); /* + */
+                bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
                 neg=1;
                 break;
         case 3:
                 zero=1;
                 /* break; */
         case 4:
-                bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna);
-                bn_sub_part_words(&(t[n]),&(b[n]),b,      tnb,tnb-n);
+                bn_sub_words(t,      a,      &(a[n]),n);
+                bn_sub_words(&(t[n]),&(b[n]),b,      n);
                 break;
                 }
                 /* The zero case isn't yet implemented here. The speedup
@@ -614,59 +289,54 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
                 {
                 bn_mul_comba8(&(t[n2]),t,&(t[n]));
                 bn_mul_comba8(r,a,b);
-                bn_mul_normal(&(r[n2]),&(a[n]),tna,&(b[n]),tnb);
-                memset(&(r[n2+tna+tnb]),0,sizeof(BN_ULONG)*(n2-tna-tnb));
+                bn_mul_normal(&(r[n2]),&(a[n]),tn,&(b[n]),tn);
+                memset(&(r[n2+tn*2]),0,sizeof(BN_ULONG)*(n2-tn*2));
                 }
         else
                 {
                 p= &(t[n2*2]);
-                bn_mul_recursive(&(t[n2]),t,&(t[n]),n,0,0,p);
-                bn_mul_recursive(r,a,b,n,0,0,p);
+                bn_mul_recursive(&(t[n2]),t,&(t[n]),n,p);
+                bn_mul_recursive(r,a,b,n,p);
                 i=n/2;
                 /* If there is only a bottom half to the number,
                  * just do it */
-                if (tna > tnb)
-                        j = tna - i;
-                else
-                        j = tnb - i;
+                j=tn-i;
                 if (j == 0)
                         {
-                        bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),
-                                i,tna-i,tnb-i,p);
+                        bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),i,p);
                         memset(&(r[n2+i*2]),0,sizeof(BN_ULONG)*(n2-i*2));
                         }
                 else if (j > 0) /* eg, n == 16, i == 8 and tn == 11 */
                                 {
                                 bn_mul_part_recursive(&(r[n2]),&(a[n]),&(b[n]),
-                                        i,tna-i,tnb-i,p);
-                                memset(&(r[n2+tna+tnb]),0,
-                                        sizeof(BN_ULONG)*(n2-tna-tnb));
+                                        j,i,p);
+                                memset(&(r[n2+tn*2]),0,
+                                        sizeof(BN_ULONG)*(n2-tn*2));
                                 }
                 else /* (j < 0) eg, n == 16, i == 8 and tn == 5 */
                         {
                         memset(&(r[n2]),0,sizeof(BN_ULONG)*n2);
-                        if (tna < BN_MUL_RECURSIVE_SIZE_NORMAL
-                                && tnb < BN_MUL_RECURSIVE_SIZE_NORMAL)
+                        if (tn < BN_MUL_RECURSIVE_SIZE_NORMAL)
                                 {
-                                bn_mul_normal(&(r[n2]),&(a[n]),tna,&(b[n]),tnb);
+                                bn_mul_normal(&(r[n2]),&(a[n]),tn,&(b[n]),tn);
                                 }
                         else
                                 {
                                 for (;;)
                                         {
                                         i/=2;
-                                        if (i < tna && i < tnb)
+                                        if (i < tn)
                                                 {
                                                 bn_mul_part_recursive(&(r[n2]),
                                                         &(a[n]),&(b[n]),
-                                                        i,tna-i,tnb-i,p);
+                                                        tn-i,i,p);
                                                 break;
                                                 }
-                                        else if (i <= tna && i <= tnb)
+                                        else if (i == tn)
                                                 {
                                                 bn_mul_recursive(&(r[n2]),
                                                         &(a[n]),&(b[n]),
-                                                        i,tna-i,tnb-i,p);
+                                                        i,p);
                                                 break;
                                                 }
                                         }
@@ -727,10 +397,10 @@ void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
         int n=n2/2;
 
 # ifdef BN_COUNT
-        fprintf(stderr," bn_mul_low_recursive %d * %d\n",n2,n2);
+        printf(" bn_mul_low_recursive %d * %d\n",n2,n2);
 # endif
 
-        bn_mul_recursive(r,a,b,n,0,0,&(t[0]));
+        bn_mul_recursive(r,a,b,n,&(t[0]));
         if (n >= BN_MUL_LOW_RECURSIVE_SIZE_NORMAL)
                 {
                 bn_mul_low_recursive(&(t[0]),&(a[0]),&(b[n]),n,&(t[n2]));
@@ -761,7 +431,7 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
         BN_ULONG ll,lc,*lp,*mp;
 
 # ifdef BN_COUNT
-        fprintf(stderr," bn_mul_high %d * %d\n",n2,n2);
+        printf(" bn_mul_high %d * %d\n",n2,n2);
 # endif
         n=n2/2;
 
@@ -814,8 +484,8 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
         else
 # endif
                 {
-                bn_mul_recursive(&(t[0]),&(r[0]),&(r[n]),n,0,0,&(t[n2]));
-                bn_mul_recursive(r,&(a[n]),&(b[n]),n,0,0,&(t[n2]));
+                bn_mul_recursive(&(t[0]),&(r[0]),&(r[n]),n,&(t[n2]));
+                bn_mul_recursive(r,&(a[n]),&(b[n]),n,&(t[n2]));
                 }
 
         /* s0 == low(al*bl)
@@ -940,19 +610,19 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
 
 int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
         {
-        int ret=0;
         int top,al,bl;
         BIGNUM *rr;
+        int ret = 0;
 #if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
         int i;
 #endif
 #ifdef BN_RECURSION
-        BIGNUM *t=NULL;
-        int j=0,k;
+        BIGNUM *t;
+        int j,k;
 #endif
 
 #ifdef BN_COUNT
-        fprintf(stderr,"BN_mul %d * %d\n",a->top,b->top);
+        printf("BN_mul %d * %d\n",a->top,b->top);
 #endif
 
         bn_check_top(a);
@@ -1005,55 +675,21 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 #ifdef BN_RECURSION
         if ((al >= BN_MULL_SIZE_NORMAL) && (bl >= BN_MULL_SIZE_NORMAL))
                 {
-                if (i >= -1 && i <= 1)
+                if (i == 1 && !BN_get_flags(b,BN_FLG_STATIC_DATA) && bl<b->dmax)
                         {
-                        int sav_j =0;
-                        /* Find out the power of two lower or equal
-                           to the longest of the two numbers */
-                        if (i >= 0)
-                                {
-                                j = BN_num_bits_word((BN_ULONG)al);
-                                }
-                        if (i == -1)
-                                {
-                                j = BN_num_bits_word((BN_ULONG)bl);
-                                }
-                        sav_j = j;
-                        j = 1<<(j-1);
-                        assert(j <= al || j <= bl);
-                        k = j+j;
-                        t = BN_CTX_get(ctx);
-                        if (al > j || bl > j)
-                                {
-                                bn_wexpand(t,k*4);
-                                bn_wexpand(rr,k*4);
-                                bn_mul_part_recursive(rr->d,a->d,b->d,
-                                        j,al-j,bl-j,t->d);
-                                }
-                        else    /* al <= j || bl <= j */
-                                {
-                                bn_wexpand(t,k*2);
-                                bn_wexpand(rr,k*2);
-                                bn_mul_recursive(rr->d,a->d,b->d,
-                                        j,al-j,bl-j,t->d);
-                                }
-                        rr->top=top;
-                        goto end;
-                        }
-#if 0
-                if (i == 1 && !BN_get_flags(b,BN_FLG_STATIC_DATA))
-                        {
-                        BIGNUM *tmp_bn = (BIGNUM *)b;
-                        if (bn_wexpand(tmp_bn,al) == NULL) goto err;
-                        tmp_bn->d[bl]=0;
+#if 0   /* tribute to const-ification, bl<b->dmax above covers for this */
+                        if (bn_wexpand(b,al) == NULL) goto err;
+#endif
+                        b->d[bl]=0;
                         bl++;
                         i--;
                         }
-                else if (i == -1 && !BN_get_flags(a,BN_FLG_STATIC_DATA))
+                else if (i == -1 && !BN_get_flags(a,BN_FLG_STATIC_DATA) && al<a->dmax)
                         {
-                        BIGNUM *tmp_bn = (BIGNUM *)a;
-                        if (bn_wexpand(tmp_bn,bl) == NULL) goto err;
-                        tmp_bn->d[al]=0;
+#if 0   /* tribute to const-ification, al<a->dmax above covers for this */
+                        if (bn_wexpand(a,bl) == NULL) goto err;
+#endif
+                        a->d[al]=0;
                         al++;
                         i++;
                         }
@@ -1070,17 +706,26 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
                                 if (bn_wexpand(t,k*2) == NULL) goto err;
                                 if (bn_wexpand(rr,k*2) == NULL) goto err;
                                 bn_mul_recursive(rr->d,a->d,b->d,al,t->d);
+                                rr->top=top;
+                                goto end;
                                 }
+#if 0   /* tribute to const-ification, rsa/dsa performance is not affected */
                         else
                                 {
-                                if (bn_wexpand(t,k*4) == NULL) goto err;
-                                if (bn_wexpand(rr,k*4) == NULL) goto err;
+                                if (bn_wexpand(a,k) == NULL ) goto err;
+                                if (bn_wexpand(b,k) == NULL ) goto err;
+                                if (bn_wexpand(t,k*4) == NULL ) goto err;
+                                if (bn_wexpand(rr,k*4) == NULL ) goto err;
+                                for (i=a->top; i<k; i++)
+                                        a->d[i]=0;
+                                for (i=b->top; i<k; i++)
+                                        b->d[i]=0;
                                 bn_mul_part_recursive(rr->d,a->d,b->d,al-j,j,t->d);
                                 }
                         rr->top=top;
                         goto end;
-                        }
 #endif
+                        }
                 }
 #endif /* BN_RECURSION */
         if (bn_wexpand(rr,top) == NULL) goto err;
@@ -1103,7 +748,7 @@ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
         BN_ULONG *rr;
 
 #ifdef BN_COUNT
-        fprintf(stderr," bn_mul_normal %d * %d\n",na,nb);
+        printf(" bn_mul_normal %d * %d\n",na,nb);
 #endif
 
         if (na < nb)
@@ -1116,13 +761,7 @@ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
 
                 }
         rr= &(r[na]);
-        if (nb <= 0)
-                {
-                (void)bn_mul_words(r,a,na,0);
-                return;
-                }
-        else
-                rr[0]=bn_mul_words(r,a,na,b[0]);
+        rr[0]=bn_mul_words(r,a,na,b[0]);
 
         for (;;)
                 {
@@ -1143,7 +782,7 @@ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
 void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
         {
 #ifdef BN_COUNT
-        fprintf(stderr," bn_mul_low_normal %d * %d\n",n,n);
+        printf(" bn_mul_low_normal %d * %d\n",n,n);
 #endif
         bn_mul_words(r,a,n,b[0]);
 
diff --git a/src/lib/libssl/src/crypto/bn/bn_prime.c b/src/lib/libssl/src/crypto/bn/bn_prime.c
index 918b9237c6..e072d9255c 100644
--- a/src/lib/libssl/src/crypto/bn/bn_prime.c
+++ b/src/lib/libssl/src/crypto/bn/bn_prime.c
@@ -140,6 +140,7 @@ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
         BN_CTX *ctx;
         int checks = BN_prime_checks_for_size(bits);
 
+        BN_init(&t);
         ctx=BN_CTX_new();
         if (ctx == NULL) goto err;
         if (ret == NULL)
@@ -148,7 +149,6 @@ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
                 }
         else
                 rnd=ret;
-        BN_init(&t);
 loop: 
         /* make a random number and set the top and bottom bits */
         if (add == NULL)
diff --git a/src/lib/libssl/src/crypto/bn/bn_rand.c b/src/lib/libssl/src/crypto/bn/bn_rand.c
index 9e08ccd22e..893c9d2af9 100644
--- a/src/lib/libssl/src/crypto/bn/bn_rand.c
+++ b/src/lib/libssl/src/crypto/bn/bn_rand.c
@@ -201,7 +201,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
 err:
         if (buf != NULL)
                 {
-                memset(buf,0,bytes);
+                OPENSSL_cleanse(buf,bytes);
                 OPENSSL_free(buf);
                 }
         return(ret);
diff --git a/src/lib/libssl/src/crypto/bn/bn_word.c b/src/lib/libssl/src/crypto/bn/bn_word.c
index cd59baa2c4..988e0ca7b3 100644
--- a/src/lib/libssl/src/crypto/bn/bn_word.c
+++ b/src/lib/libssl/src/crypto/bn/bn_word.c
@@ -123,7 +123,10 @@ int BN_add_word(BIGNUM *a, BN_ULONG w)
         i=0;
         for (;;)
                 {
-                l=(a->d[i]+(BN_ULONG)w)&BN_MASK2;
+                if (i >= a->top)
+                        l=w;
+                else
+                        l=(a->d[i]+(BN_ULONG)w)&BN_MASK2;
                 a->d[i]=l;
                 if (w > l)
                         w=1;
diff --git a/src/lib/libssl/src/crypto/bn/bntest.c b/src/lib/libssl/src/crypto/bn/bntest.c
index 8158a67374..3c8c540387 100644
--- a/src/lib/libssl/src/crypto/bn/bntest.c
+++ b/src/lib/libssl/src/crypto/bn/bntest.c
@@ -68,10 +68,6 @@
 #include <openssl/x509.h>
 #include <openssl/err.h>
 
-#ifdef OPENSSL_SYS_WINDOWS
-#include "../bio/bss_file.c"
-#endif
-
 const int num0 = 100; /* number of tests */
 const int num1 = 50;  /* additional tests for some functions */
 const int num2 = 5;   /* number of tests for slow functions */
@@ -96,11 +92,6 @@ int test_sqrt(BIO *bp,BN_CTX *ctx);
 int rand_neg(void);
 static int results=0;
 
-#ifdef OPENSSL_NO_STDIO
-#define APPS_WIN16
-#include "bss_file.c"
-#endif
-
 static unsigned char lst[]="\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
 "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
 
@@ -141,10 +132,10 @@ int main(int argc, char *argv[])
 
 
         ctx=BN_CTX_new();
-        if (ctx == NULL) exit(1);
+        if (ctx == NULL) EXIT(1);
 
         out=BIO_new(BIO_s_file());
-        if (out == NULL) exit(1);
+        if (out == NULL) EXIT(1);
         if (outfile == NULL)
                 {
                 BIO_set_fp(out,stdout,BIO_NOCLOSE);
@@ -154,7 +145,7 @@ int main(int argc, char *argv[])
                 if (!BIO_write_filename(out,outfile))
                         {
                         perror(outfile);
-                        exit(1);
+                        EXIT(1);
                         }
                 }
 
@@ -238,14 +229,14 @@ int main(int argc, char *argv[])
         BIO_free(out);
 
 /**/
-        exit(0);
+        EXIT(0);
 err:
         BIO_puts(out,"1\n"); /* make sure the Perl script fed by bc notices
                               * the failure, see test_bn in test/Makefile.ssl*/
         BIO_flush(out);
         ERR_load_crypto_strings();
         ERR_print_errors_fp(stderr);
-        exit(1);
+        EXIT(1);
         return(1);
         }
 
@@ -488,7 +479,7 @@ int test_mul(BIO *bp)
         BN_CTX *ctx;
 
         ctx = BN_CTX_new();
-        if (ctx == NULL) exit(1);
+        if (ctx == NULL) EXIT(1);
         
         BN_init(&a);
         BN_init(&b);
@@ -726,7 +717,7 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx)
                         while ((l=ERR_get_error()))
                                 fprintf(stderr,"ERROR:%s\n",
                                         ERR_error_string(l,NULL));
-                        exit(1);
+                        EXIT(1);
                         }
                 if (bp != NULL)
                         {
diff --git a/src/lib/libssl/src/crypto/bn/divtest.c b/src/lib/libssl/src/crypto/bn/divtest.c
index 13ba86e3c4..d3fc688f33 100644
--- a/src/lib/libssl/src/crypto/bn/divtest.c
+++ b/src/lib/libssl/src/crypto/bn/divtest.c
@@ -1,7 +1,7 @@
 #include <openssl/bn.h>
 #include <openssl/rand.h>
 
-static int rand(n)
+static int Rand(n)
 {
     unsigned char x[2];
     RAND_pseudo_bytes(x,2);
@@ -26,8 +26,8 @@ main()
     BN_CTX *ctx=BN_CTX_new();
 
     for(;;) {
-        BN_pseudo_rand(a,rand(),0,0);
-        BN_pseudo_rand(b,rand(),0,0);
+        BN_pseudo_rand(a,Rand(),0,0);
+        BN_pseudo_rand(b,Rand(),0,0);
         if (BN_is_zero(b)) continue;
 
         BN_RECP_CTX_set(recp,b,ctx);
diff --git a/src/lib/libssl/src/crypto/bn/exptest.c b/src/lib/libssl/src/crypto/bn/exptest.c
index 5ca570d1a8..b09cf88705 100644
--- a/src/lib/libssl/src/crypto/bn/exptest.c
+++ b/src/lib/libssl/src/crypto/bn/exptest.c
@@ -59,13 +59,13 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+
+#include "../e_os.h"
+
 #include <openssl/bio.h>
 #include <openssl/bn.h>
 #include <openssl/rand.h>
 #include <openssl/err.h>
-#ifdef OPENSSL_SYS_WINDOWS
-#include "../bio/bss_file.c"
-#endif
 
 #define NUM_BITS        (BN_BITS*2)
 
@@ -86,7 +86,7 @@ int main(int argc, char *argv[])
         ERR_load_BN_strings();
 
         ctx=BN_CTX_new();
-        if (ctx == NULL) exit(1);
+        if (ctx == NULL) EXIT(1);
         r_mont=BN_new();
         r_recp=BN_new();
         r_simple=BN_new();
@@ -99,7 +99,7 @@ int main(int argc, char *argv[])
 
         out=BIO_new(BIO_s_file());
 
-        if (out == NULL) exit(1);
+        if (out == NULL) EXIT(1);
         BIO_set_fp(out,stdout,BIO_NOCLOSE);
 
         for (i=0; i<200; i++)
@@ -124,7 +124,7 @@ int main(int argc, char *argv[])
                         {
                         printf("BN_mod_exp_mont() problems\n");
                         ERR_print_errors(out);
-                        exit(1);
+                        EXIT(1);
                         }
 
                 ret=BN_mod_exp_recp(r_recp,a,b,m,ctx);
@@ -132,7 +132,7 @@ int main(int argc, char *argv[])
                         {
                         printf("BN_mod_exp_recp() problems\n");
                         ERR_print_errors(out);
-                        exit(1);
+                        EXIT(1);
                         }
 
                 ret=BN_mod_exp_simple(r_simple,a,b,m,ctx);
@@ -140,7 +140,7 @@ int main(int argc, char *argv[])
                         {
                         printf("BN_mod_exp_simple() problems\n");
                         ERR_print_errors(out);
-                        exit(1);
+                        EXIT(1);
                         }
 
                 if (BN_cmp(r_simple, r_mont) == 0
@@ -163,7 +163,7 @@ int main(int argc, char *argv[])
                         printf("\nrecp     ="); BN_print(out,r_recp);
                         printf("\nmont     ="); BN_print(out,r_mont);
                         printf("\n");
-                        exit(1);
+                        EXIT(1);
                         }
                 }
         BN_free(r_mont);
@@ -177,11 +177,11 @@ int main(int argc, char *argv[])
         CRYPTO_mem_leaks(out);
         BIO_free(out);
         printf(" done\n");
-        exit(0);
+        EXIT(0);
 err:
         ERR_load_crypto_strings();
         ERR_print_errors(out);
-        exit(1);
+        EXIT(1);
         return(1);
         }
 
diff --git a/src/lib/libssl/src/crypto/buffer/Makefile.ssl b/src/lib/libssl/src/crypto/buffer/Makefile.ssl
index 240a6b9a89..b131ca3078 100644
--- a/src/lib/libssl/src/crypto/buffer/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/buffer/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/buffer/buffer.c b/src/lib/libssl/src/crypto/buffer/buffer.c
index 9299baba9e..d96487e7db 100644
--- a/src/lib/libssl/src/crypto/buffer/buffer.c
+++ b/src/lib/libssl/src/crypto/buffer/buffer.c
@@ -125,6 +125,43 @@ int BUF_MEM_grow(BUF_MEM *str, int len)
         return(len);
         }
 
+int BUF_MEM_grow_clean(BUF_MEM *str, int len)
+        {
+        char *ret;
+        unsigned int n;
+
+        if (str->length >= len)
+                {
+                memset(&str->data[len],0,str->length-len);
+                str->length=len;
+                return(len);
+                }
+        if (str->max >= len)
+                {
+                memset(&str->data[str->length],0,len-str->length);
+                str->length=len;
+                return(len);
+                }
+        n=(len+3)/3*4;
+        if (str->data == NULL)
+                ret=OPENSSL_malloc(n);
+        else
+                ret=OPENSSL_realloc_clean(str->data,str->max,n);
+        if (ret == NULL)
+                {
+                BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
+                len=0;
+                }
+        else
+                {
+                str->data=ret;
+                str->max=n;
+                memset(&str->data[str->length],0,len-str->length);
+                str->length=len;
+                }
+        return(len);
+        }
+
 char *BUF_strdup(const char *str)
         {
         char *ret;
@@ -143,3 +180,23 @@ char *BUF_strdup(const char *str)
         return(ret);
         }
 
+size_t BUF_strlcpy(char *dst, const char *src, size_t size)
+        {
+        size_t l = 0;
+        for(; size > 1 && *src; size--)
+                {
+                *dst++ = *src++;
+                l++;
+                }
+        if (size)
+                *dst = '\0';
+        return l + strlen(src);
+        }
+
+size_t BUF_strlcat(char *dst, const char *src, size_t size)
+        {
+        size_t l = 0;
+        for(; size > 0 && *dst; size--, dst++)
+                l++;
+        return l + BUF_strlcpy(dst, src, size);
+        }
diff --git a/src/lib/libssl/src/crypto/buffer/buffer.h b/src/lib/libssl/src/crypto/buffer/buffer.h
index 11e2d0359a..465dc34f3f 100644
--- a/src/lib/libssl/src/crypto/buffer/buffer.h
+++ b/src/lib/libssl/src/crypto/buffer/buffer.h
@@ -63,6 +63,9 @@
 extern "C" {
 #endif
 
+#include <stddef.h>
+#include <sys/types.h>
+
 typedef struct buf_mem_st
         {
         int length;     /* current number of bytes */
@@ -73,8 +76,14 @@ typedef struct buf_mem_st
 BUF_MEM *BUF_MEM_new(void);
 void    BUF_MEM_free(BUF_MEM *a);
 int     BUF_MEM_grow(BUF_MEM *str, int len);
+int     BUF_MEM_grow_clean(BUF_MEM *str, int len);
 char *  BUF_strdup(const char *str);
 
+/* safe string functions */
+size_t BUF_strlcpy(char *dst,const char *src,size_t siz);
+size_t BUF_strlcat(char *dst,const char *src,size_t siz);
+
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
diff --git a/src/lib/libssl/src/crypto/cast/Makefile.ssl b/src/lib/libssl/src/crypto/cast/Makefile.ssl
index 2defbdd68a..2dc1c855ad 100644
--- a/src/lib/libssl/src/crypto/cast/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/cast/Makefile.ssl
@@ -52,14 +52,8 @@ lib:	$(LIBOBJ)
         @touch lib
 
 # elf
-asm/cx86-elf.o: asm/cx86unix.cpp
-        $(CPP) -DELF -x c asm/cx86unix.cpp | as -o asm/cx86-elf.o
-
-# solaris
-asm/cx86-sol.o: asm/cx86unix.cpp
-        $(CC) -E -DSOL asm/cx86unix.cpp | sed 's/^#.*//' > asm/cx86-sol.s
-        as -o asm/cx86-sol.o asm/cx86-sol.s
-        rm -f asm/cx86-sol.s
+asm/cx86-elf.s: asm/cast-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+        (cd asm; $(PERL) cast-586.pl elf $(CLAGS) $(PROCESSOR) > cx86-elf.s)
 
 # a.out
 asm/cx86-out.o: asm/cx86unix.cpp
@@ -97,14 +91,14 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
         mv -f Makefile.new $(MAKEFILE)
 
 clean:
-        rm -f asm/cx86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+        rm -f asm/cx86unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
diff --git a/src/lib/libssl/src/crypto/cast/casttest.c b/src/lib/libssl/src/crypto/cast/casttest.c
index 099e790886..83e5a16c73 100644
--- a/src/lib/libssl/src/crypto/cast/casttest.c
+++ b/src/lib/libssl/src/crypto/cast/casttest.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_CAST
 int main(int argc, char *argv[])
 {
@@ -224,7 +226,7 @@ int main(int argc, char *argv[])
       }
 #endif
 
-    exit(err);
+    EXIT(err);
     return(err);
     }
 #endif
diff --git a/src/lib/libssl/src/crypto/comp/Makefile.ssl b/src/lib/libssl/src/crypto/comp/Makefile.ssl
index 7c1ec81229..f70ba1b285 100644
--- a/src/lib/libssl/src/crypto/comp/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/comp/Makefile.ssl
@@ -71,7 +71,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/comp/c_zlib.c b/src/lib/libssl/src/crypto/comp/c_zlib.c
index cd2f8a491b..8c0876151a 100644
--- a/src/lib/libssl/src/crypto/comp/c_zlib.c
+++ b/src/lib/libssl/src/crypto/comp/c_zlib.c
@@ -208,11 +208,11 @@ COMP_METHOD *COMP_zlib(void)
                                 = (inflateInit__ft) DSO_bind_func(zlib_dso,
                                         "inflateInit_");
                         zlib_loaded++;
-                        meth = &zlib_method;
                         }
                 }
 
-#elif defined(ZLIB)
+#endif
+#if defined(ZLIB) || defined(ZLIB_SHARED)
         meth = &zlib_method;
 #endif
 
diff --git a/src/lib/libssl/src/crypto/conf/Makefile.ssl b/src/lib/libssl/src/crypto/conf/Makefile.ssl
index 133c2329e6..c5873bc6e7 100644
--- a/src/lib/libssl/src/crypto/conf/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/conf/Makefile.ssl
@@ -71,7 +71,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/conf/conf_def.c b/src/lib/libssl/src/crypto/conf/conf_def.c
index 48ff6f1120..b52ee01a3c 100644
--- a/src/lib/libssl/src/crypto/conf/conf_def.c
+++ b/src/lib/libssl/src/crypto/conf/conf_def.c
@@ -208,7 +208,8 @@ static int def_load(CONF *conf, const char *name, long *line)
 
 static int def_load_bio(CONF *conf, BIO *in, long *line)
         {
-#define BUFSIZE 512
+/* The macro BUFSIZE conflicts with a system macro in VxWorks */
+#define CONFBUFSIZE     512
         int bufnum=0,i,ii;
         BUF_MEM *buff=NULL;
         char *s,*p,*end;
@@ -252,20 +253,21 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
         section_sk=(STACK_OF(CONF_VALUE) *)sv->value;
 
         bufnum=0;
+        again=0;
         for (;;)
                 {
-                again=0;
-                if (!BUF_MEM_grow(buff,bufnum+BUFSIZE))
+                if (!BUF_MEM_grow(buff,bufnum+CONFBUFSIZE))
                         {
                         CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_BUF_LIB);
                         goto err;
                         }
                 p= &(buff->data[bufnum]);
                 *p='\0';
-                BIO_gets(in, p, BUFSIZE-1);
-                p[BUFSIZE-1]='\0';
+                BIO_gets(in, p, CONFBUFSIZE-1);
+                p[CONFBUFSIZE-1]='\0';
                 ii=i=strlen(p);
-                if (i == 0) break;
+                if (i == 0 && !again) break;
+                again=0;
                 while (i > 0)
                         {
                         if ((p[i-1] != '\r') && (p[i-1] != '\n'))
@@ -275,7 +277,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
                         }
                 /* we removed some trailing stuff so there is a new
                  * line on the end. */
-                if (i == ii)
+                if (ii && i == ii)
                         again=1; /* long line */
                 else
                         {
@@ -627,7 +629,7 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
                                 CONFerr(CONF_F_STR_COPY,CONF_R_VARIABLE_HAS_NO_VALUE);
                                 goto err;
                                 }
-                        BUF_MEM_grow(buf,(strlen(p)+len-(e-from)));
+                        BUF_MEM_grow_clean(buf,(strlen(p)+len-(e-from)));
                         while (*p)
                                 buf->data[to++]= *(p++);
                         from=e;
diff --git a/src/lib/libssl/src/crypto/conf/conf_mall.c b/src/lib/libssl/src/crypto/conf/conf_mall.c
index d702af689b..4ba40cf44c 100644
--- a/src/lib/libssl/src/crypto/conf/conf_mall.c
+++ b/src/lib/libssl/src/crypto/conf/conf_mall.c
@@ -63,7 +63,9 @@
 #include <openssl/dso.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 
 /* Load all OpenSSL builtin modules */
 
@@ -71,6 +73,8 @@ void OPENSSL_load_builtin_modules(void)
         {
         /* Add builtin modules here */
         ASN1_add_oid_module();
+#ifndef OPENSSL_NO_ENGINE
         ENGINE_add_conf_module();
+#endif
         }
 
diff --git a/src/lib/libssl/src/crypto/conf/conf_sap.c b/src/lib/libssl/src/crypto/conf/conf_sap.c
index 97fb174303..e15c2e5546 100644
--- a/src/lib/libssl/src/crypto/conf/conf_sap.c
+++ b/src/lib/libssl/src/crypto/conf/conf_sap.c
@@ -63,7 +63,9 @@
 #include <openssl/dso.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 
 /* This is the automatic configuration loader: it is called automatically by
  * OpenSSL when any of a number of standard initialisation functions are called,
@@ -78,8 +80,10 @@ void OPENSSL_config(const char *config_name)
                 return;
 
         OPENSSL_load_builtin_modules();
+#ifndef OPENSSL_NO_ENGINE
         /* Need to load ENGINEs */
         ENGINE_load_builtin_engines();
+#endif
         /* Add others here? */
 
 
diff --git a/src/lib/libssl/src/crypto/cryptlib.c b/src/lib/libssl/src/crypto/cryptlib.c
index 612b3b93b4..2924def2bb 100644
--- a/src/lib/libssl/src/crypto/cryptlib.c
+++ b/src/lib/libssl/src/crypto/cryptlib.c
@@ -89,6 +89,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
         "ssl_session",
         "ssl_sess_cert",
         "ssl",
+        "ssl_method",
         "rand",
         "rand2",
         "debug_malloc",
@@ -103,7 +104,8 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
         "dynlock",
         "engine",
         "ui",
-#if CRYPTO_NUM_LOCKS != 31
+        "hwcrhk",               /* This is a HACK which will disappear in 0.9.8 */
+#if CRYPTO_NUM_LOCKS != 33
 # error "Inconsistency between crypto.h and cryptlib.c"
 #endif
         };
@@ -206,10 +208,18 @@ int CRYPTO_get_new_dynlockid(void)
         i=sk_CRYPTO_dynlock_find(dyn_locks,NULL);
         /* If there was none, push, thereby creating a new one */
         if (i == -1)
-                i=sk_CRYPTO_dynlock_push(dyn_locks,pointer);
+                /* Since sk_push() returns the number of items on the
+                   stack, not the location of the pushed item, we need
+                   to transform the returned number into a position,
+                   by decreasing it.  */
+                i=sk_CRYPTO_dynlock_push(dyn_locks,pointer) - 1;
+        else
+                /* If we found a place with a NULL pointer, put our pointer
+                   in it.  */
+                sk_CRYPTO_dynlock_set(dyn_locks,i,pointer);
         CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
 
-        if (!i)
+        if (i == -1)
                 {
                 dynlock_destroy_callback(pointer->data,__FILE__,__LINE__);
                 OPENSSL_free(pointer);
@@ -401,15 +411,17 @@ void CRYPTO_lock(int mode, int type, const char *file, int line)
 #endif
         if (type < 0)
                 {
-                struct CRYPTO_dynlock_value *pointer
-                        = CRYPTO_get_dynlock_value(type);
-
-                if (pointer && dynlock_lock_callback)
+                if (dynlock_lock_callback != NULL)
                         {
+                        struct CRYPTO_dynlock_value *pointer
+                                = CRYPTO_get_dynlock_value(type);
+
+                        OPENSSL_assert(pointer != NULL);
+
                         dynlock_lock_callback(mode, pointer, file, line);
-                        }
 
-                CRYPTO_destroy_dynlockid(type);
+                        CRYPTO_destroy_dynlockid(type);
+                        }
                 }
         else
                 if (locking_callback != NULL)
@@ -460,7 +472,7 @@ const char *CRYPTO_get_lock_name(int type)
                 return("dynamic");
         else if (type < CRYPTO_NUM_LOCKS)
                 return(lock_names[type]);
-        else if (type-CRYPTO_NUM_LOCKS >= sk_num(app_locks))
+        else if (type-CRYPTO_NUM_LOCKS > sk_num(app_locks))
                 return("ERROR");
         else
                 return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS));
@@ -492,3 +504,11 @@ BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
 #endif
 
 #endif
+
+void OpenSSLDie(const char *file,int line,const char *assertion)
+        {
+        fprintf(stderr,
+                "%s(%d): OpenSSL internal error, assertion failed: %s\n",
+                file,line,assertion);
+        abort();
+        }
diff --git a/src/lib/libssl/src/crypto/cryptlib.h b/src/lib/libssl/src/crypto/cryptlib.h
index 88e4ae509f..0d6b9d59f0 100644
--- a/src/lib/libssl/src/crypto/cryptlib.h
+++ b/src/lib/libssl/src/crypto/cryptlib.h
@@ -89,9 +89,9 @@ extern "C" {
 #define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
 #define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
 
-/* size of string represenations */
-#define DECIMAL_SIZE(type)     ((sizeof(type)*8+2)/3+1)
-#define HEX_SIZE(type)         ((sizeof(type)*2)
+/* size of string representations */
+#define DECIMAL_SIZE(type)      ((sizeof(type)*8+2)/3+1)
+#define HEX_SIZE(type)          (sizeof(type)*2)
 
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libssl/src/crypto/crypto-lib.com b/src/lib/libssl/src/crypto/crypto-lib.com
index dfcff11860..39e78c69e5 100644
--- a/src/lib/libssl/src/crypto/crypto-lib.com
+++ b/src/lib/libssl/src/crypto/crypto-lib.com
@@ -21,22 +21,10 @@ $!    		LIBRARY    To just compile the [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library.
 $!              APPS       To just compile the [.xxx.EXE.CRYPTO]*.EXE
 $!              ALL        To do both LIBRARY and APPS
 $!
-$!  Specify RSAREF as P2 to compile with the RSAREF library instead of
-$!  the regular one.  If you specify NORSAREF it will compile with the
-$!  regular RSAREF routines.  (Note: If you are in the United States
-$!  you MUST compile with RSAREF unless you have a license from RSA).
-$!
-$!  Note: The RSAREF libraries are NOT INCLUDED and you have to
-$!        download it from "ftp://ftp.rsa.com/rsaref".  You have to
-$!        get the ".tar-Z" file as the ".zip" file dosen't have the
-$!        directory structure stored.  You have to extract the file
-$!        into the [.RSAREF] directory under the root directory as that
-$!        is where the scripts will look for the files.
-$!
-$!  Specify DEBUG or NODEBUG as P3 to compile with or without debugger
+$!  Specify DEBUG or NODEBUG as P2 to compile with or without debugger
 $!  information.
 $!
-$!  Specify which compiler at P4 to try to compile under.
+$!  Specify which compiler at P3 to try to compile under.
 $!
 $!         VAXC  For VAX C.
 $!         DECC  For DEC C.
@@ -45,16 +33,16 @@ $!
 $!  If you don't speficy a compiler, it will try to determine which
 $!  "C" compiler to use.
 $!
-$!  P5, if defined, sets a TCP/IP library to use, through one of the following
+$!  P4, if defined, sets a TCP/IP library to use, through one of the following
 $!  keywords:
 $!
 $!      UCX             for UCX
 $!      TCPIP           for TCPIP (post UCX)
 $!      SOCKETSHR       for SOCKETSHR+NETLIB
 $!
-$!  P6, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
+$!  P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
 $!
-$!  P7, if defined, sets a choice of crypto methods to compile.
+$!  P6, if defined, sets a choice of crypto methods to compile.
 $!  WARNING: this should only be done to recompile some part of an already
 $!  fully compiled library.
 $!
@@ -93,7 +81,6 @@ $ ENCRYPT_TYPES = "Basic,MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,"+ -
                   "BUFFER,BIO,STACK,LHASH,RAND,ERR,OBJECTS,"+ -
                   "EVP,EVP_2,ASN1,ASN1_2,PEM,X509,X509V3,"+ -
                   "CONF,TXT_DB,PKCS7,PKCS12,COMP,OCSP,UI,KRB5"
-$ ENCRYPT_PROGRAMS = "DES,PKCS7"
 $!
 $! Check To Make Sure We Have Valid Command Line Parameters.
 $!
@@ -149,10 +136,6 @@ $! Define The CRYPTO-LIB We Are To Use.
 $!
 $ CRYPTO_LIB := 'EXE_DIR'LIBCRYPTO.OLB
 $!
-$! Define The RSAREF-LIB We Are To Use.
-$!
-$ RSAREF_LIB := SYS$DISK:[-.'ARCH'.EXE.RSAREF]LIBRSAGLUE.OLB
-$!
 $! Check To See If We Already Have A "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" Library...
 $!
 $ IF (F$SEARCH(LIB_NAME).EQS."")
@@ -175,7 +158,7 @@ $!
 $ APPS_DES = "DES/DES,CBC3_ENC"
 $ APPS_PKCS7 = "ENC/ENC;DEC/DEC;SIGN/SIGN;VERIFY/VERIFY,EXAMPLE"
 $
-$ LIB_ = "cryptlib,mem,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time"
+$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time"
 $ LIB_MD2 = "md2_dgst,md2_one"
 $ LIB_MD4 = "md4_dgst,md4_one"
 $ LIB_MD5 = "md5_dgst,md5_one"
@@ -216,7 +199,7 @@ $ LIB_ENGINE = "eng_err,eng_lib,eng_list,eng_init,eng_ctrl,"+ -
         "tb_rsa,tb_dsa,tb_dh,tb_rand,tb_cipher,tb_digest,"+ -
         "eng_openssl,eng_dyn,eng_cnf,"+ -
         "hw_atalla,hw_cswift,hw_ncipher,hw_nuron,hw_ubsec,"+ -
-        "hw_openbsd_dev_crypto,hw_aep,hw_sureware,hw_4758_cca"
+        "hw_cryptodev,hw_aep,hw_sureware,hw_4758_cca"
 $ LIB_AES = "aes_core,aes_misc,aes_ecb,aes_cbc,aes_cfb,aes_ofb,aes_ctr"
 $ LIB_BUFFER = "buffer,buf_err"
 $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ -
@@ -287,86 +270,6 @@ $ COMPILEWITH_CC4 = ",a_utctm,bss_log,o_time,"
 $ COMPILEWITH_CC5 = ",md2_dgst,md4_dgst,md5_dgst,mdc2dgst," + -
                     "sha_dgst,sha1dgst,rmd_dgst,bf_enc,"
 $!
-$! Check To See If We Are Going To Use RSAREF.
-$!
-$ IF (RSAREF.EQS."TRUE" .AND. ENCRYPT_TYPES - "RSA".NES.ENCRYPT_TYPES -
-      .AND. (BUILDALL .EQS. "TRUE" .OR. BUILDALL .EQS. "LIBRARY"))
-$ THEN
-$!
-$!  Check To See If The File [-.RSAREF]RSAREF.C Is Actually There.
-$!
-$   IF (F$SEARCH("SYS$DISK:[-.RSAREF]RSAREF.C").EQS."")
-$   THEN
-$!
-$!    Tell The User That The File Doesn't Exist.
-$!
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The File [-.RSAREF]RSAREF.C Doesn't Exist."
-$     WRITE SYS$OUTPUT ""
-$!
-$!    Exit The Build.
-$!
-$     GOTO EXIT
-$!
-$!  End The [-.RSAREF]RSAREF.C Check.
-$!
-$   ENDIF
-$!
-$!  Tell The User We Are Compiling The [-.RSAREF]RSAREF File.
-$!
-$   WRITE SYS$OUTPUT "Compiling The [-.RSAREF]RSAREF File."
-$!
-$!  Compile [-.RSAREF]RSAREF.C
-$!
-$   CC/OBJECT='OBJ_DIR'RSAREF.OBJ SYS$DISK:[-.RSAREF]RSAREF.C
-$!
-$!  Add It To The Library.
-$!
-$   LIBRARY/REPLACE 'LIB_NAME' 'OBJ_DIR'RSAREF.OBJ
-$!
-$!  Delete The Object File.
-$!
-$   DELETE 'OBJ_DIR'RSAREF.OBJ;*
-$!
-$!  Check To See If The File [-.RSAREF]RSAR_ERR.C Is Actually There.
-$!
-$   IF (F$SEARCH("SYS$DISK:[-.RSAREF]RSAR_ERR.C").EQS."")
-$   THEN
-$!
-$!    Tell The User That The File Doesn't Exist.
-$!
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The File [-.RSAREF]RSAR_ERR.C Doesn't Exist."
-$     WRITE SYS$OUTPUT ""
-$!
-$!    Exit The Build.
-$!
-$     GOTO EXIT
-$!
-$!  End The [-.RSAREF]RSAR_ERR.C File Check.
-$!
-$   ENDIF
-$!
-$!  Tell The User We Are Compiling The [-.RSAREF]RSAR_ERR File.
-$!
-$   WRITE SYS$OUTPUT "Compiling The [-.RSAREF]RSAR_ERR File."
-$!
-$!  Compile [-.RSAREF]RSAR_ERR.C
-$!
-$   CC/OBJECT='OBJ_DIR'RSAR_ERR.OBJ SYS$DISK:[-.RSAREF]RSAR_ERR.C
-$!
-$!  Add It To The Library.
-$!
-$   LIBRARY/REPLACE 'LIB_NAME' 'OBJ_DIR'RSAR_ERR.OBJ
-$!
-$!  Delete The Object File.
-$!
-$   DELETE 'OBJ_DIR'RSAR_ERR.OBJ;*
-$!
-$! End The RSAREF Check.
-$!
-$ ENDIF
-$!
 $! Figure Out What Other Modules We Are To Build.
 $!
 $ BUILD_SET:
@@ -639,74 +542,34 @@ $! Tell the user what happens
 $!
 $   WRITE SYS$OUTPUT "  ",APPLICATION,".exe"
 $!
-$! Link The Program, Check To See If We Need To Link With RSAREF Or Not.
+$! Link The Program.
 $!
 $   ON ERROR THEN GOTO NEXT_APPLICATION
-$   IF (RSAREF.EQS."TRUE")
-$   THEN
 $!
-$!  Check To See If We Are To Link With A Specific TCP/IP Library.
+$! Check To See If We Are To Link With A Specific TCP/IP Library.
 $!
-$     IF (TCPIP_LIB.NES."")
-$     THEN
-$!
-$!    Link With The RSAREF Library And A Specific TCP/IP Library.
-$!
-$       LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
-            'OBJ_DIR''APPLICATION_OBJECTS', -
-            'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
-            'TCPIP_LIB','OPT_FILE'/OPTION
-$!
-$!    Else...
-$!
-$     ELSE
-$!
-$!      Link With The RSAREF Library And NO TCP/IP Library.
+$   IF (TCPIP_LIB.NES."")
+$   THEN
 $!
-$       LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
-            'OBJ_DIR''APPLICATION_OBJECTS', -
-            'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
-            'OPT_FILE'/OPTION
+$!    Link With A TCP/IP Library.
 $!
-$!    End The TCP/IP Library Check.
+$     LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
+          'OBJ_DIR''APPLICATION_OBJECTS', -
+          'CRYPTO_LIB'/LIBRARY, -
+          'TCPIP_LIB','OPT_FILE'/OPTION
 $!
-$     ENDIF
-$!
-$!   Else...
+$! Else...
 $!
 $   ELSE
 $!
-$!    Don't Link With The RSAREF Routines.
-$!
-$!
-$!    Check To See If We Are To Link With A Specific TCP/IP Library.
-$!
-$     IF (TCPIP_LIB.NES."")
-$     THEN
-$!
-$!      Don't Link With The RSAREF Routines And TCP/IP Library.
-$!
-$       LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
-            'OBJ_DIR''APPLICATION_OBJECTS', -
-            'CRYPTO_LIB'/LIBRARY, -
-            'TCPIP_LIB','OPT_FILE'/OPTION
-$!
-$!    Else...
-$!
-$     ELSE
-$!
-$!      Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
-$!
-$       LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
-            'OBJ_DIR''APPLICATION_OBJECTS',-
-            'CRYPTO_LIB'/LIBRARY, -
-            'OPT_FILE'/OPTION
+$!    Don't Link With A TCP/IP Library.
 $!
-$!    End The TCP/IP Library Check.
+$     LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR''APPLICATION'.EXE -
+          'OBJ_DIR''APPLICATION_OBJECTS',-
+          'CRYPTO_LIB'/LIBRARY, -
+          'OPT_FILE'/OPTION
 $!
-$     ENDIF
-$!
-$!   End The RSAREF Link Check.
+$! End The TCP/IP Library Check.
 $!
 $   ENDIF
 $   GOTO NEXT_APPLICATION
@@ -912,75 +775,10 @@ $ ENDIF
 $!
 $! Check To See If P2 Is Blank.
 $!
-$ P2 = "NORSAREF"
-$ IF (P2.EQS."NORSAREF")
+$ IF (P2.EQS."NODEBUG")
 $ THEN
 $!
-$!   P2 Is NORSAREF, So Compile With The Regular RSA Libraries.
-$!
-$    RSAREF = "FALSE"
-$ ELSE
-$!
-$!  Check To See If We Are To Use The RSAREF Library.
-$!
-$   IF (P2.EQS."RSAREF")
-$   THEN
-$!
-$!    Check To Make Sure We Have The RSAREF Source Code Directory.
-$!
-$     IF (F$SEARCH("SYS$DISK:[-.RSAREF]SOURCE.DIR").EQS."")
-$     THEN
-$!
-$!      We Don't Have The RSAREF Souce Code Directory, So Tell The
-$!      User This.
-$!
-$       WRITE SYS$OUTPUT ""
-$       WRITE SYS$OUTPUT "It appears that you don't have the RSAREF Souce Code."
-$       WRITE SYS$OUTPUT "You need to go to 'ftp://ftp.rsa.com/rsaref'.  You have to"
-$       WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file doesn't have the"
-$       WRITE SYS$OUTPUT "directory structure stored.  You have to extract the file"
-$       WRITE SYS$OUTPUT "into the [.RSAREF] directory under the root directory"
-$       WRITE SYS$OUTPUT "as that is where the scripts will look for the files."
-$       WRITE SYS$OUTPUT ""
-$!
-$!      Time To Exit.
-$!
-$       EXIT
-$!
-$!    Else, Compile Using The RSAREF Library.
-$!
-$     ELSE
-$       RSAREF = "TRUE"
-$     ENDIF
-$   ELSE 
-$!
-$!    They Entered An Invalid Option..
-$!
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "     RSAREF   :  Compile With The RSAREF Library."
-$     WRITE SYS$OUTPUT "     NORSAREF :  Compile With The Regular RSA Library."
-$     WRITE SYS$OUTPUT ""
-$!
-$!    Time To EXIT.
-$!
-$     EXIT
-$!
-$!  End The Valid Arguement Check.
-$!
-$   ENDIF
-$!
-$! End The P2 Check.
-$!
-$ ENDIF
-$!
-$! Check To See If P3 Is Blank.
-$!
-$ IF (P3.EQS."NODEBUG")
-$ THEN
-$!
-$!   P3 Is NODEBUG, So Compile Without The Debugger Information.
+$!   P2 Is NODEBUG, So Compile Without The Debugger Information.
 $!
 $    DEBUGGER = "NODEBUG"
 $    TRACEBACK = "NOTRACEBACK" 
@@ -993,7 +791,7 @@ $ ELSE
 $!
 $!  Check To See If We Are To Compile With Debugger Information.
 $!
-$   IF (P3.EQS."DEBUG")
+$   IF (P2.EQS."DEBUG")
 $   THEN
 $!
 $!    Compile With Debugger Information.
@@ -1010,7 +808,7 @@ $!
 $!    They Entered An Invalid Option..
 $!
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "     DEBUG   :  Compile With The Debugger Information."
 $     WRITE SYS$OUTPUT "     NODEBUG :  Compile Without The Debugger Information."
@@ -1024,7 +822,7 @@ $!  End The Valid Arguement Check.
 $!
 $   ENDIF
 $!
-$! End The P3 Check.
+$! End The P2 Check.
 $!
 $ ENDIF
 $!
@@ -1034,9 +832,9 @@ $! Written By:  Richard Levitte
 $!              richard@levitte.org
 $!
 $!
-$! Check To See If We Have A Option For P6.
+$! Check To See If We Have A Option For P5.
 $!
-$ IF (P6.EQS."")
+$ IF (P5.EQS."")
 $ THEN
 $!
 $!  Get The Version Of VMS We Are Using.
@@ -1058,13 +856,13 @@ $!  End The VMS Version Check.
 $!
 $   ENDIF
 $!
-$! End The P6 Check.
+$! End The P5 Check.
 $!
 $ ENDIF
 $!
-$! Check To See If P4 Is Blank.
+$! Check To See If P3 Is Blank.
 $!
-$ IF (P4.EQS."")
+$ IF (P3.EQS."")
 $ THEN
 $!
 $!  O.K., The User Didn't Specify A Compiler, Let's Try To
@@ -1077,7 +875,7 @@ $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
 $!
-$     P4 = "GNUC"
+$     P3 = "GNUC"
 $!
 $!  Else...
 $!
@@ -1090,7 +888,7 @@ $     THEN
 $!
 $!      Looks Like DECC, Set To Use DECC.
 $!
-$       P4 = "DECC"
+$       P3 = "DECC"
 $!
 $!    Else...
 $!
@@ -1098,7 +896,7 @@ $     ELSE
 $!
 $!      Looks Like VAXC, Set To Use VAXC.
 $!
-$       P4 = "VAXC"
+$       P3 = "VAXC"
 $!
 $!    End The VAXC Compiler Check.
 $!
@@ -1112,9 +910,9 @@ $!  End The Compiler Check.
 $!
 $ ENDIF
 $!
-$! Check To See If We Have A Option For P5.
+$! Check To See If We Have A Option For P4.
 $!
-$ IF (P5.EQS."")
+$ IF (P4.EQS."")
 $ THEN
 $!
 $!  Find out what socket library we have available
@@ -1124,7 +922,7 @@ $   THEN
 $!
 $!    We have SOCKETSHR, and it is my opinion that it's the best to use.
 $!
-$     P5 = "SOCKETSHR"
+$     P4 = "SOCKETSHR"
 $!
 $!    Tell the user
 $!
@@ -1144,7 +942,7 @@ $     THEN
 $!
 $!      Last resort: a UCX or UCX-compatible library
 $!
-$       P5 = "UCX"
+$       P4 = "UCX"
 $!
 $!      Tell the user
 $!
@@ -1158,7 +956,7 @@ $ ENDIF
 $!
 $! Set Up Initial CC Definitions, Possibly With User Ones
 $!
-$ CCDEFS = "TCPIP_TYPE_''P5',DSO_VMS"
+$ CCDEFS = "TCPIP_TYPE_''P4',DSO_VMS"
 $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
@@ -1168,12 +966,12 @@ $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
 $!
 $!  Check To See If The User Entered A Valid Paramter.
 $!
-$ IF (P4.EQS."VAXC").OR.(P4.EQS."DECC").OR.(P4.EQS."GNUC")
+$ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC")
 $ THEN
 $!
 $!    Check To See If The User Wanted DECC.
 $!
-$   IF (P4.EQS."DECC")
+$   IF (P3.EQS."DECC")
 $   THEN
 $!
 $!    Looks Like DECC, Set To Use DECC.
@@ -1204,7 +1002,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use VAXC.
 $!
-$   IF (P4.EQS."VAXC")
+$   IF (P3.EQS."VAXC")
 $   THEN
 $!
 $!    Looks Like VAXC, Set To Use VAXC.
@@ -1243,7 +1041,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use GNU C.
 $!
-$   IF (P4.EQS."GNUC")
+$   IF (P3.EQS."GNUC")
 $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
@@ -1272,31 +1070,6 @@ $!  Set up default defines
 $!
 $   CCDEFS = """FLAT_INC=1""," + CCDEFS
 $!
-$!  Check To See If We Are To Compile With RSAREF Routines.
-$!
-$   IF (RSAREF.EQS."TRUE")
-$   THEN
-$!
-$!    Compile With RSAREF.
-$!
-$     CCDEFS = CCDEFS + ",""RSAref=1"""
-$!
-$!    Tell The User This.
-$!
-$     WRITE SYS$OUTPUT "Compiling With RSAREF Routines."
-$!
-$!    Else, We Don't Care.  Compile Without The RSAREF Library.
-$!
-$   ELSE
-$!
-$!    Tell The User We Are Compile Without The RSAREF Routines.
-$!
-$     WRITE SYS$OUTPUT "Compiling Without The RSAREF Routines.
-$!
-$!  End The RSAREF Check.
-$!
-$   ENDIF
-$!
 $!  Finish up the definition of CC.
 $!
 $   IF COMPILER .EQS. "DECC"
@@ -1315,7 +1088,7 @@ $     CC4DISABLEWARNINGS = ""
 $   ENDIF
 $   CC3 = CC + "/DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS
 $   CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
-$   IF ARCH .EQS. "VAX" .AND. COMPILER .EQS. "DECC" .AND. P3 .NES. "DEBUG"
+$   IF ARCH .EQS. "VAX" .AND. COMPILER .EQS. "DECC" .AND. P2 .NES. "DEBUG"
 $   THEN
 $     CC5 = CC + "/OPTIMIZE=NODISJOINT"
 $   ELSE
@@ -1334,7 +1107,7 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    VAXC  :  To Compile With VAX C."
 $   WRITE SYS$OUTPUT "    DECC  :  To Compile With DEC C."
@@ -1360,13 +1133,13 @@ $   WRITE/SYMBOL SYS$OUTPUT "Main MACRO Compiling Command: ",MACRO
 $!
 $! Time to check the contents, and to make sure we get the correct library.
 $!
-$ IF P5.EQS."SOCKETSHR" .OR. P5.EQS."MULTINET" .OR. P5.EQS."UCX" -
-     .OR. P5.EQS."TCPIP" .OR. P5.EQS."NONE"
+$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX" -
+     .OR. P4.EQS."TCPIP" .OR. P4.EQS."NONE"
 $ THEN
 $!
 $!  Check to see if SOCKETSHR was chosen
 $!
-$   IF P5.EQS."SOCKETSHR"
+$   IF P4.EQS."SOCKETSHR"
 $   THEN
 $!
 $!    Set the library to use SOCKETSHR
@@ -1379,12 +1152,12 @@ $   ENDIF
 $!
 $!  Check to see if MULTINET was chosen
 $!
-$   IF P5.EQS."MULTINET"
+$   IF P4.EQS."MULTINET"
 $   THEN
 $!
 $!    Set the library to use UCX emulation.
 $!
-$     P5 = "UCX"
+$     P4 = "UCX"
 $!
 $!    Done with MULTINET
 $!
@@ -1392,7 +1165,7 @@ $   ENDIF
 $!
 $!  Check to see if UCX was chosen
 $!
-$   IF P5.EQS."UCX"
+$   IF P4.EQS."UCX"
 $   THEN
 $!
 $!    Set the library to use UCX.
@@ -1412,7 +1185,7 @@ $   ENDIF
 $!
 $!  Check to see if TCPIP was chosen
 $!
-$   IF P5.EQS."TCPIP"
+$   IF P4.EQS."TCPIP"
 $   THEN
 $!
 $!    Set the library to use TCPIP (post UCX).
@@ -1425,7 +1198,7 @@ $   ENDIF
 $!
 $!  Check to see if NONE was chosen
 $!
-$   IF P5.EQS."NONE"
+$   IF P4.EQS."NONE"
 $   THEN
 $!
 $!    Do not use a TCPIP library.
@@ -1447,7 +1220,7 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P5," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    SOCKETSHR  :  To link with SOCKETSHR TCP/IP library."
 $   WRITE SYS$OUTPUT "    UCX        :  To link with UCX TCP/IP library."
@@ -1465,10 +1238,9 @@ $!
 $! Check if the user wanted to compile just a subset of all the encryption
 $! methods.
 $!
-$ IF P7 .NES. ""
+$ IF P6 .NES. ""
 $ THEN
-$   ENCRYPT_TYPES = P7
-$! NYI:   ENCRYPT_PROGRAMS = P7
+$   ENCRYPT_TYPES = P6
 $ ENDIF
 $!
 $!  Time To RETURN...
diff --git a/src/lib/libssl/src/crypto/crypto.h b/src/lib/libssl/src/crypto/crypto.h
index fc6ff860af..273bc5e3f8 100644
--- a/src/lib/libssl/src/crypto/crypto.h
+++ b/src/lib/libssl/src/crypto/crypto.h
@@ -96,37 +96,39 @@ extern "C" {
  * names in cryptlib.c
  */
 
-#define CRYPTO_LOCK_ERR                 1
-#define CRYPTO_LOCK_EX_DATA             2
-#define CRYPTO_LOCK_X509                3
-#define CRYPTO_LOCK_X509_INFO           4
-#define CRYPTO_LOCK_X509_PKEY           5
+#define CRYPTO_LOCK_ERR                 1
+#define CRYPTO_LOCK_EX_DATA             2
+#define CRYPTO_LOCK_X509                3
+#define CRYPTO_LOCK_X509_INFO           4
+#define CRYPTO_LOCK_X509_PKEY           5
 #define CRYPTO_LOCK_X509_CRL            6
 #define CRYPTO_LOCK_X509_REQ            7
 #define CRYPTO_LOCK_DSA                 8
 #define CRYPTO_LOCK_RSA                 9
 #define CRYPTO_LOCK_EVP_PKEY            10
-#define CRYPTO_LOCK_X509_STORE          11
-#define CRYPTO_LOCK_SSL_CTX             12
-#define CRYPTO_LOCK_SSL_CERT            13
-#define CRYPTO_LOCK_SSL_SESSION         14
-#define CRYPTO_LOCK_SSL_SESS_CERT       15
-#define CRYPTO_LOCK_SSL                 16
-#define CRYPTO_LOCK_RAND                17
-#define CRYPTO_LOCK_RAND2               18
-#define CRYPTO_LOCK_MALLOC              19
-#define CRYPTO_LOCK_BIO                 20
-#define CRYPTO_LOCK_GETHOSTBYNAME       21
-#define CRYPTO_LOCK_GETSERVBYNAME       22
-#define CRYPTO_LOCK_READDIR             23
-#define CRYPTO_LOCK_RSA_BLINDING        24
-#define CRYPTO_LOCK_DH                  25
-#define CRYPTO_LOCK_MALLOC2             26
-#define CRYPTO_LOCK_DSO                 27
-#define CRYPTO_LOCK_DYNLOCK             28
-#define CRYPTO_LOCK_ENGINE              29
-#define CRYPTO_LOCK_UI                  30
-#define CRYPTO_NUM_LOCKS                31
+#define CRYPTO_LOCK_X509_STORE          11
+#define CRYPTO_LOCK_SSL_CTX             12
+#define CRYPTO_LOCK_SSL_CERT            13
+#define CRYPTO_LOCK_SSL_SESSION         14
+#define CRYPTO_LOCK_SSL_SESS_CERT       15
+#define CRYPTO_LOCK_SSL                 16
+#define CRYPTO_LOCK_SSL_METHOD          17
+#define CRYPTO_LOCK_RAND                18
+#define CRYPTO_LOCK_RAND2               19
+#define CRYPTO_LOCK_MALLOC              20
+#define CRYPTO_LOCK_BIO                 21
+#define CRYPTO_LOCK_GETHOSTBYNAME       22
+#define CRYPTO_LOCK_GETSERVBYNAME       23
+#define CRYPTO_LOCK_READDIR             24
+#define CRYPTO_LOCK_RSA_BLINDING        25
+#define CRYPTO_LOCK_DH                  26
+#define CRYPTO_LOCK_MALLOC2             27
+#define CRYPTO_LOCK_DSO                 28
+#define CRYPTO_LOCK_DYNLOCK             29
+#define CRYPTO_LOCK_ENGINE              30
+#define CRYPTO_LOCK_UI                  31
+#define CRYPTO_LOCK_HWCRHK              32 /* This is a HACK which will disappear in 0.9.8 */
+#define CRYPTO_NUM_LOCKS                33
 
 #define CRYPTO_LOCK             1
 #define CRYPTO_UNLOCK           2
@@ -148,7 +150,7 @@ extern "C" {
 #endif
 #else
 #define CRYPTO_w_lock(a)
-#define CRYPTO_w_unlock(a)
+#define CRYPTO_w_unlock(a)
 #define CRYPTO_r_lock(a)
 #define CRYPTO_r_unlock(a)
 #define CRYPTO_add(a,b,c)       ((*(a))+=(b))
@@ -278,6 +280,8 @@ int CRYPTO_is_mem_check_on(void);
 #define OPENSSL_malloc(num)     CRYPTO_malloc((int)num,__FILE__,__LINE__)
 #define OPENSSL_realloc(addr,num) \
         CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__)
+#define OPENSSL_realloc_clean(addr,old_num,num) \
+        CRYPTO_realloc_clean(addr,old_num,num,__FILE__,__LINE__)
 #define OPENSSL_remalloc(addr,num) \
         CRYPTO_remalloc((char **)addr,(int)num,__FILE__,__LINE__)
 #define OPENSSL_freeFunc        CRYPTO_free
@@ -380,8 +384,12 @@ void CRYPTO_free_locked(void *);
 void *CRYPTO_malloc(int num, const char *file, int line);
 void CRYPTO_free(void *);
 void *CRYPTO_realloc(void *addr,int num, const char *file, int line);
+void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file,
+                           int line);
 void *CRYPTO_remalloc(void *addr,int num, const char *file, int line);
 
+void OPENSSL_cleanse(void *ptr, size_t len);
+
 void CRYPTO_set_mem_debug_options(long bits);
 long CRYPTO_get_mem_debug_options(void);
 
@@ -422,6 +430,9 @@ void CRYPTO_mem_leaks(struct bio_st *bio);
 typedef void *CRYPTO_MEM_LEAK_CB(unsigned long, const char *, int, int, void *);
 void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb);
 
+/* die if we have to */
+void OpenSSLDie(const char *file,int line,const char *assertion);
+#define OPENSSL_assert(e)       ((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
diff --git a/src/lib/libssl/src/crypto/des/Makefile.ssl b/src/lib/libssl/src/crypto/des/Makefile.ssl
index 826ffcc58c..45eba0b3c9 100644
--- a/src/lib/libssl/src/crypto/des/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/des/Makefile.ssl
@@ -66,22 +66,11 @@ des: des.o cbc3_enc.o lib
         $(CC) $(CFLAGS) -o des des.o cbc3_enc.o $(LIB)
 
 # elf
-asm/dx86-elf.o: asm/dx86unix.cpp
-        $(CPP) -DELF -x c asm/dx86unix.cpp | as -o asm/dx86-elf.o
+asm/dx86-elf.s: asm/des-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+        (cd asm; $(PERL) des-586.pl elf $(CFLAGS) > dx86-elf.s)
 
-asm/yx86-elf.o: asm/yx86unix.cpp
-        $(CPP) -DELF -x c asm/yx86unix.cpp | as -o asm/yx86-elf.o
-
-# solaris
-asm/dx86-sol.o: asm/dx86unix.cpp
-        $(CC) -E -DSOL asm/dx86unix.cpp | sed 's/^#.*//' > asm/dx86-sol.s
-        as -o asm/dx86-sol.o asm/dx86-sol.s
-        rm -f asm/dx86-sol.s
-
-asm/yx86-sol.o: asm/yx86unix.cpp
-        $(CC) -E -DSOL asm/yx86unix.cpp | sed 's/^#.*//' > asm/yx86-sol.s
-        as -o asm/yx86-sol.o asm/yx86-sol.s
-        rm -f asm/yx86-sol.s
+asm/yx86-elf.s: asm/crypt586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+        (cd asm; $(PERL) crypt586.pl elf $(CFLAGS) > yx86-elf.s)
 
 # a.out
 asm/dx86-out.o: asm/dx86unix.cpp
@@ -130,14 +119,14 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
         mv -f Makefile.new $(MAKEFILE)
 
 clean:
-        rm -f asm/dx86unix.cpp asm/yx86unix.cpp *.o asm/*.o *.obj des lib tags core .pure .nfs* *.old *.bak fluff
+        rm -f asm/dx86unix.cpp asm/yx86unix.cpp asm/*-elf.* *.o asm/*.o *.obj des lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
diff --git a/src/lib/libssl/src/crypto/des/asm/crypt586.pl b/src/lib/libssl/src/crypto/des/asm/crypt586.pl
index 3d41d82f69..1d04ed6def 100644
--- a/src/lib/libssl/src/crypto/des/asm/crypt586.pl
+++ b/src/lib/libssl/src/crypto/des/asm/crypt586.pl
@@ -26,11 +26,18 @@ sub fcrypt_body
 
         &comment("");
         &comment("Load the 2 words");
-        $ks="ebp";
+        $trans="ebp";
 
         &xor(   $L,     $L);
         &xor(   $R,     $R);
-        &mov($ks,&wparam(1));
+
+        # PIC-ification:-)
+        &picmeup("edx","DES_SPtrans");
+        #if ($cpp)      { &picmeup("edx","DES_SPtrans");   }
+        #else           { &lea("edx",&DWP("DES_SPtrans")); }
+        &push("edx");   # becomes &swtmp(1)
+        #
+        &mov($trans,&wparam(1)); # reloaded with DES_SPtrans in D_ENCRYPT
 
         &push(&DWC(25)); # add a variable
 
@@ -39,11 +46,11 @@ sub fcrypt_body
                 {
                 &comment("");
                 &comment("Round $i");
-                &D_ENCRYPT($i,$L,$R,$i*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
+                &D_ENCRYPT($i,$L,$R,$i*2,$trans,"eax","ebx","ecx","edx");
 
                 &comment("");
                 &comment("Round ".sprintf("%d",$i+1));
-                &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
+                &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$trans,"eax","ebx","ecx","edx");
                 }
          &mov("ebx",    &swtmp(0));
         &mov("eax",     $L);
@@ -61,14 +68,14 @@ sub fcrypt_body
         &mov(&DWP(0,"edx","",0),"eax");
         &mov(&DWP(4,"edx","",0),$L);
 
-        &pop("ecx");    # remove variable
+        &add("esp",8);  # remove variables
 
         &function_end($name);
         }
 
 sub D_ENCRYPT
         {
-        local($r,$L,$R,$S,$ks,$desSP,$u,$tmp1,$tmp2,$t)=@_;
+        local($r,$L,$R,$S,$trans,$u,$tmp1,$tmp2,$t)=@_;
 
         &mov(   $u,             &wparam(2));                    # 2
         &mov(   $t,             $R);
@@ -85,9 +92,9 @@ sub D_ENCRYPT
         &shl(   $tmp2,          16);                            # 1
         &xor(   $u,             $tmp1);                         # 2
         &xor(   $t,             $tmp2);                         # 2
-        &mov(   $tmp1,          &DWP(&n2a($S*4),$ks,"",0));     # 2
+        &mov(   $tmp1,          &DWP(&n2a($S*4),$trans,"",0));  # 2
         &xor(   $u,             $tmp1);
-        &mov(   $tmp2,          &DWP(&n2a(($S+1)*4),$ks,"",0)); # 2
+        &mov(   $tmp2,          &DWP(&n2a(($S+1)*4),$trans,"",0));      # 2
         &xor(   $u,             $R);
         &xor(   $t,             $R);
         &xor(   $t,             $tmp2);
@@ -99,31 +106,28 @@ sub D_ENCRYPT
         &movb(  &LB($tmp1),     &LB($u) );
         &movb(  &LB($tmp2),     &HB($u) );
         &rotr(  $t,             4               );
-        &mov(   $ks,            &DWP("      $desSP",$tmp1,"",0));
+        &mov(   $trans,         &swtmp(1));
+        &xor(   $L,             &DWP("     ",$trans,$tmp1,0));
         &movb(  &LB($tmp1),     &LB($t) );
-        &xor(   $L,             $ks);
-        &mov(   $ks,            &DWP("0x200+$desSP",$tmp2,"",0));
-        &xor(   $L,             $ks);
+        &xor(   $L,             &DWP("0x200",$trans,$tmp2,0));
         &movb(  &LB($tmp2),     &HB($t) );
         &shr(   $u,             16);
-        &mov(   $ks,            &DWP("0x100+$desSP",$tmp1,"",0));
-        &xor(   $L,             $ks); 
+        &xor(   $L,             &DWP("0x100",$trans,$tmp1,0));
         &movb(  &LB($tmp1),     &HB($u) );
         &shr(   $t,             16);
-        &mov(   $ks,            &DWP("0x300+$desSP",$tmp2,"",0));
-        &xor(   $L,             $ks);
-        &mov(   $ks,            &wparam(1));
+        &xor(   $L,             &DWP("0x300",$trans,$tmp2,0));
         &movb(  &LB($tmp2),     &HB($t) );
         &and(   $u,             "0xff"  );
         &and(   $t,             "0xff"  );
-        &mov(   $tmp1,          &DWP("0x600+$desSP",$tmp1,"",0));
+        &mov(   $tmp1,          &DWP("0x600",$trans,$tmp1,0));
         &xor(   $L,             $tmp1);
-        &mov(   $tmp1,          &DWP("0x700+$desSP",$tmp2,"",0));
+        &mov(   $tmp1,          &DWP("0x700",$trans,$tmp2,0));
         &xor(   $L,             $tmp1);
-        &mov(   $tmp1,          &DWP("0x400+$desSP",$u,"",0));
+        &mov(   $tmp1,          &DWP("0x400",$trans,$u,0));
         &xor(   $L,             $tmp1);
-        &mov(   $tmp1,          &DWP("0x500+$desSP",$t,"",0));
+        &mov(   $tmp1,          &DWP("0x500",$trans,$t,0));
         &xor(   $L,             $tmp1);
+        &mov(   $trans,         &wparam(1));
         }
 
 sub n2a
diff --git a/src/lib/libssl/src/crypto/des/asm/des-586.pl b/src/lib/libssl/src/crypto/des/asm/des-586.pl
index 0d08e8a3a9..b75d3c6b3a 100644
--- a/src/lib/libssl/src/crypto/des/asm/des-586.pl
+++ b/src/lib/libssl/src/crypto/des/asm/des-586.pl
@@ -40,7 +40,7 @@ sub DES_encrypt
 
         &comment("");
         &comment("Load the 2 words");
-        $ks="ebp";
+        $trans="ebp";
 
         if ($do_ip)
                 {
@@ -72,7 +72,12 @@ sub DES_encrypt
                 &rotl($L,3);
                 }
 
-        &mov(   $ks,            &wparam(1)      );
+        # PIC-ification:-)
+        &picmeup($trans,"DES_SPtrans");
+        #if ($cpp)      { &picmeup($trans,"DES_SPtrans");   }
+        #else           { &lea($trans,&DWP("DES_SPtrans")); }
+
+        &mov(   "ecx",  &wparam(1)      );
         &cmp("ebx","0");
         &je(&label("start_decrypt"));
 
@@ -80,11 +85,11 @@ sub DES_encrypt
                 {
                 &comment("");
                 &comment("Round $i");
-                &D_ENCRYPT($i,$L,$R,$i*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
+                &D_ENCRYPT($i,$L,$R,$i*2,$trans,"eax","ebx","ecx","edx");
 
                 &comment("");
                 &comment("Round ".sprintf("%d",$i+1));
-                &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
+                &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$trans,"eax","ebx","ecx","edx");
                 }
         &jmp(&label("end"));
 
@@ -94,10 +99,10 @@ sub DES_encrypt
                 {
                 &comment("");
                 &comment("Round $i");
-                &D_ENCRYPT(15-$i,$L,$R,$i*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
+                &D_ENCRYPT(15-$i,$L,$R,$i*2,$trans,"eax","ebx","ecx","edx");
                 &comment("");
                 &comment("Round ".sprintf("%d",$i-1));
-                &D_ENCRYPT(15-$i+1,$R,$L,($i-1)*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
+                &D_ENCRYPT(15-$i+1,$R,$L,($i-1)*2,$trans,"eax","ebx","ecx","edx");
                 }
 
         &set_label("end");
@@ -134,43 +139,36 @@ sub DES_encrypt
 
 sub D_ENCRYPT
         {
-        local($r,$L,$R,$S,$ks,$desSP,$u,$tmp1,$tmp2,$t)=@_;
+        local($r,$L,$R,$S,$trans,$u,$tmp1,$tmp2,$t)=@_;
 
-         &mov(  $u,             &DWP(&n2a($S*4),$ks,"",0));
+         &mov(  $u,             &DWP(&n2a($S*4),$tmp2,"",0));
         &xor(   $tmp1,          $tmp1);
-         &mov(  $t,             &DWP(&n2a(($S+1)*4),$ks,"",0));
+         &mov(  $t,             &DWP(&n2a(($S+1)*4),$tmp2,"",0));
         &xor(   $u,             $R);
+        &xor(   $tmp2,          $tmp2);
          &xor(  $t,             $R);
         &and(   $u,             "0xfcfcfcfc"    );
          &and(  $t,             "0xcfcfcfcf"    );
         &movb(  &LB($tmp1),     &LB($u) );
          &movb( &LB($tmp2),     &HB($u) );
         &rotr(  $t,             4               );
-        &mov(   $ks,            &DWP("      $desSP",$tmp1,"",0));
+        &xor(   $L,             &DWP("     ",$trans,$tmp1,0));
          &movb( &LB($tmp1),     &LB($t) );
-        &xor(   $L,             $ks);
-         &mov(  $ks,            &DWP("0x200+$desSP",$tmp2,"",0));
-        &xor(   $L,             $ks); ######
+         &xor(  $L,             &DWP("0x200",$trans,$tmp2,0));
          &movb( &LB($tmp2),     &HB($t) );
         &shr(   $u,             16);
-         &mov(  $ks,            &DWP("0x100+$desSP",$tmp1,"",0));
-        &xor(   $L,             $ks); ######
+         &xor(  $L,             &DWP("0x100",$trans,$tmp1,0));
          &movb( &LB($tmp1),     &HB($u) );
         &shr(   $t,             16);
-         &mov(  $ks,            &DWP("0x300+$desSP",$tmp2,"",0));
-        &xor(   $L,             $ks);
-         &mov(  $ks,            &wparam(1)      );
+         &xor(  $L,             &DWP("0x300",$trans,$tmp2,0));
         &movb(  &LB($tmp2),     &HB($t) );
          &and(  $u,             "0xff"  );
         &and(   $t,             "0xff"  );
-         &mov(  $tmp1,          &DWP("0x600+$desSP",$tmp1,"",0));
-        &xor(   $L,             $tmp1);
-         &mov(  $tmp1,          &DWP("0x700+$desSP",$tmp2,"",0));
-        &xor(   $L,             $tmp1);
-         &mov(  $tmp1,          &DWP("0x400+$desSP",$u,"",0));
-        &xor(   $L,             $tmp1);
-         &mov(  $tmp1,          &DWP("0x500+$desSP",$t,"",0));
-        &xor(   $L,             $tmp1);
+         &xor(  $L,             &DWP("0x600",$trans,$tmp1,0));
+         &xor(  $L,             &DWP("0x700",$trans,$tmp2,0));
+        &mov(   $tmp2,          &wparam(1)      );
+         &xor(  $L,             &DWP("0x400",$trans,$u,0));
+         &xor(  $L,             &DWP("0x500",$trans,$t,0));
         }
 
 sub n2a
diff --git a/src/lib/libssl/src/crypto/des/cbc_cksm.c b/src/lib/libssl/src/crypto/des/cbc_cksm.c
index 6c5305b99d..09a7ba56aa 100644
--- a/src/lib/libssl/src/crypto/des/cbc_cksm.c
+++ b/src/lib/libssl/src/crypto/des/cbc_cksm.c
@@ -93,5 +93,14 @@ DES_LONG DES_cbc_cksum(const unsigned char *in, DES_cblock *output,
                 l2c(tout1,out);
                 }
         tout0=tin0=tin1=tin[0]=tin[1]=0;
+        /*
+          Transform the data in tout1 so that it will
+          match the return value that the MIT Kerberos
+          mit_des_cbc_cksum API returns.
+        */
+        tout1 = ((tout1 >> 24L) & 0x000000FF)
+              | ((tout1 >> 8L)  & 0x0000FF00)
+              | ((tout1 << 8L)  & 0x00FF0000)
+              | ((tout1 << 24L) & 0xFF000000);
         return(tout1);
         }
diff --git a/src/lib/libssl/src/crypto/des/des.c b/src/lib/libssl/src/crypto/des/des.c
index d8c846b23d..343135ff9e 100644
--- a/src/lib/libssl/src/crypto/des/des.c
+++ b/src/lib/libssl/src/crypto/des/des.c
@@ -427,7 +427,7 @@ void doencryption(void)
                                 k2[i-8]=k;
                         }
                 DES_set_key_unchecked(&k2,&ks2);
-                memset(k2,0,sizeof(k2));
+                OPENSSL_cleanse(k2,sizeof(k2));
                 }
         else if (longk || flag3)
                 {
@@ -435,7 +435,7 @@ void doencryption(void)
                         {
                         DES_string_to_2keys(key,&kk,&k2);
                         DES_set_key_unchecked(&k2,&ks2);
-                        memset(k2,0,sizeof(k2));
+                        OPENSSL_cleanse(k2,sizeof(k2));
                         }
                 else
                         DES_string_to_key(key,&kk);
@@ -457,8 +457,8 @@ void doencryption(void)
                         }
 
         DES_set_key_unchecked(&kk,&ks);
-        memset(key,0,sizeof(key));
-        memset(kk,0,sizeof(kk));
+        OPENSSL_cleanse(key,sizeof(key));
+        OPENSSL_cleanse(kk,sizeof(kk));
         /* woops - A bug that does not showup under unix :-( */
         memset(iv,0,sizeof(iv));
         memset(iv2,0,sizeof(iv2));
@@ -666,18 +666,18 @@ void doencryption(void)
                 if (l) fclose(CKSUM_OUT);
                 }
 problems:
-        memset(buf,0,sizeof(buf));
-        memset(obuf,0,sizeof(obuf));
-        memset(&ks,0,sizeof(ks));
-        memset(&ks2,0,sizeof(ks2));
-        memset(iv,0,sizeof(iv));
-        memset(iv2,0,sizeof(iv2));
-        memset(kk,0,sizeof(kk));
-        memset(k2,0,sizeof(k2));
-        memset(uubuf,0,sizeof(uubuf));
-        memset(b,0,sizeof(b));
-        memset(bb,0,sizeof(bb));
-        memset(cksum,0,sizeof(cksum));
+        OPENSSL_cleanse(buf,sizeof(buf));
+        OPENSSL_cleanse(obuf,sizeof(obuf));
+        OPENSSL_cleanse(&ks,sizeof(ks));
+        OPENSSL_cleanse(&ks2,sizeof(ks2));
+        OPENSSL_cleanse(iv,sizeof(iv));
+        OPENSSL_cleanse(iv2,sizeof(iv2));
+        OPENSSL_cleanse(kk,sizeof(kk));
+        OPENSSL_cleanse(k2,sizeof(k2));
+        OPENSSL_cleanse(uubuf,sizeof(uubuf));
+        OPENSSL_cleanse(b,sizeof(b));
+        OPENSSL_cleanse(bb,sizeof(bb));
+        OPENSSL_cleanse(cksum,sizeof(cksum));
         if (Exit) EXIT(Exit);
         }
 
diff --git a/src/lib/libssl/src/crypto/des/des_locl.h b/src/lib/libssl/src/crypto/des/des_locl.h
index 70e833be3f..e44e8e98b2 100644
--- a/src/lib/libssl/src/crypto/des/des_locl.h
+++ b/src/lib/libssl/src/crypto/des/des_locl.h
@@ -162,7 +162,18 @@
 
 #if defined(OPENSSL_SYS_WIN32) && defined(_MSC_VER)
 #define ROTATE(a,n)     (_lrotr(a,n))
-#else
+#elif defined(__GNUC__) && __GNUC__>=2 && !defined(__STRICT_ANSI__) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) && !defined(PEDANTIC)
+# if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
+#  define ROTATE(a,n)   ({ register unsigned int ret;   \
+                                asm ("rorl %1,%0"       \
+                                        : "=r"(ret)     \
+                                        : "I"(n),"0"(a) \
+                                        : "cc");        \
+                           ret;                         \
+                        })
+# endif
+#endif
+#ifndef ROTATE
 #define ROTATE(a,n)     (((a)>>(n))+((a)<<(32-(n))))
 #endif
 
diff --git a/src/lib/libssl/src/crypto/des/des_old.h b/src/lib/libssl/src/crypto/des/des_old.h
index fe32f21f61..1d8bf65101 100644
--- a/src/lib/libssl/src/crypto/des/des_old.h
+++ b/src/lib/libssl/src/crypto/des/des_old.h
@@ -173,10 +173,12 @@ typedef struct _ossl_old_des_ks_struct
         DES_fcrypt((b),(s),(r))
 #define des_crypt(b,s)\
         DES_crypt((b),(s))
+#if 0
 #if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT) && !defined(__OpenBSD__)
 #define crypt(b,s)\
         DES_crypt((b),(s))
 #endif
+#endif
 #define des_ofb_encrypt(i,o,n,l,k,iv)\
         DES_ofb_encrypt((i),(o),(n),(l),&(k),(iv))
 #define des_pcbc_encrypt(i,o,l,k,iv,e)\
diff --git a/src/lib/libssl/src/crypto/des/des_ver.h b/src/lib/libssl/src/crypto/des/des_ver.h
index ec9cc736e3..379bbadda2 100644
--- a/src/lib/libssl/src/crypto/des/des_ver.h
+++ b/src/lib/libssl/src/crypto/des/des_ver.h
@@ -63,5 +63,9 @@
 # define OPENSSL_EXTERN OPENSSL_EXPORT
 #endif
 
-OPENSSL_EXTERN const char *DES_version; /* SSLeay version string */
-OPENSSL_EXTERN const char *libdes_version;      /* old libdes version string */
+/* The following macros make sure the names are different from libdes names */
+#define DES_version OSSL_DES_version
+#define libdes_version OSSL_libdes_version
+
+OPENSSL_EXTERN const char *OSSL_DES_version;    /* SSLeay version string */
+OPENSSL_EXTERN const char *OSSL_libdes_version; /* old libdes version string */
diff --git a/src/lib/libssl/src/crypto/des/destest.c b/src/lib/libssl/src/crypto/des/destest.c
index 58e8c35dcb..687c00c792 100644
--- a/src/lib/libssl/src/crypto/des/destest.c
+++ b/src/lib/libssl/src/crypto/des/destest.c
@@ -84,9 +84,7 @@ int main(int argc, char *argv[])
 #else
 #include <openssl/des.h>
 
-#if defined(PERL5) || defined(__FreeBSD__) || defined(NeXT)
 #define crypt(c,s) (des_crypt((c),(s)))
-#endif
 
 /* tisk tisk - the test keys don't all have odd parity :-( */
 /* test data */
@@ -322,7 +320,11 @@ static unsigned char ofb_cipher[24]=
         0x3d,0x6d,0x5b,0xe3,0x25,0x5a,0xf8,0xc3
         };
 
+#if 0
 static DES_LONG cbc_cksum_ret=0xB462FEF7L;
+#else
+static DES_LONG cbc_cksum_ret=0xF7FE62B4L;
+#endif
 static unsigned char cbc_cksum_data[8]={0x1D,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4};
 
 static char *pt(unsigned char *p);
diff --git a/src/lib/libssl/src/crypto/des/read2pwd.c b/src/lib/libssl/src/crypto/des/read2pwd.c
index b4720c3a98..3a63c4016c 100644
--- a/src/lib/libssl/src/crypto/des/read2pwd.c
+++ b/src/lib/libssl/src/crypto/des/read2pwd.c
@@ -120,8 +120,8 @@ int DES_read_password(DES_cblock *key, const char *prompt, int verify)
 
         if ((ok=UI_UTIL_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0)
                 DES_string_to_key(buf,key);
-        memset(buf,0,BUFSIZ);
-        memset(buff,0,BUFSIZ);
+        OPENSSL_cleanse(buf,BUFSIZ);
+        OPENSSL_cleanse(buff,BUFSIZ);
         return(ok);
         }
 
@@ -133,7 +133,7 @@ int DES_read_2passwords(DES_cblock *key1, DES_cblock *key2, const char *prompt,
 
         if ((ok=UI_UTIL_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0)
                 DES_string_to_2keys(buf,key1,key2);
-        memset(buf,0,BUFSIZ);
-        memset(buff,0,BUFSIZ);
+        OPENSSL_cleanse(buf,BUFSIZ);
+        OPENSSL_cleanse(buff,BUFSIZ);
         return(ok);
         }
diff --git a/src/lib/libssl/src/crypto/des/read_pwd.c b/src/lib/libssl/src/crypto/des/read_pwd.c
index 9061935f21..ce5fa00a37 100644
--- a/src/lib/libssl/src/crypto/des/read_pwd.c
+++ b/src/lib/libssl/src/crypto/des/read_pwd.c
@@ -101,8 +101,10 @@
 
 #ifdef WIN_CONSOLE_BUG
 #include <windows.h>
+#ifndef OPENSSL_SYS_WINCE
 #include <wincon.h>
 #endif
+#endif
 
 
 /* There are 5 types of terminal interface supported,
@@ -133,7 +135,7 @@
 #define SGTTY
 #endif
 
-#if defined(OPENSSL_SYS_VSWORKS)
+#if defined(OPENSSL_SYS_VXWORKS)
 #undef TERMIOS
 #undef TERMIO
 #undef SGTTY
@@ -167,7 +169,7 @@
 #include <sys/ioctl.h>
 #endif
 
-#if defined(OPENSSL_SYS_MSDOS) && !defined(__CYGWIN32__)
+#if defined(OPENSSL_SYS_MSDOS) && !defined(__CYGWIN32__) && !defined(OPENSSL_SYS_WINCE)
 #include <conio.h>
 #define fgets(a,b,c) noecho_fgets(a,b,c)
 #endif
@@ -218,11 +220,29 @@ int des_read_pw_string(char *buf, int length, const char *prompt,
         int ret;
 
         ret=des_read_pw(buf,buff,(length>BUFSIZ)?BUFSIZ:length,prompt,verify);
-        memset(buff,0,BUFSIZ);
+        OPENSSL_cleanse(buff,BUFSIZ);
         return(ret);
         }
 
-#ifndef OPENSSL_SYS_WIN16
+#ifdef OPENSSL_SYS_WINCE
+
+int des_read_pw(char *buf, char *buff, int size, const char *prompt, int verify)
+        { 
+        memset(buf,0,size);
+        memset(buff,0,size);
+        return(0);
+        }
+
+#elif defined(OPENSSL_SYS_WIN16)
+
+int des_read_pw(char *buf, char *buff, int size, char *prompt, int verify)
+        { 
+        memset(buf,0,size);
+        memset(buff,0,size);
+        return(0);
+        }
+
+#else /* !OPENSSL_SYS_WINCE && !OPENSSL_SYS_WIN16 */
 
 static void read_till_nl(FILE *in)
         {
@@ -274,7 +294,7 @@ int des_read_pw(char *buf, char *buff, int size, const char *prompt,
 #ifdef OPENSSL_SYS_MSDOS
         if ((tty=fopen("con","r")) == NULL)
                 tty=stdin;
-#elif defined(MAC_OS_pre_X) || defined(OPENSSL_SYS_VSWORKS)
+#elif defined(MAC_OS_pre_X) || defined(OPENSSL_SYS_VXWORKS)
         tty=stdin;
 #else
 #ifndef OPENSSL_SYS_MPE
@@ -393,17 +413,6 @@ error:
         return(!ok);
         }
 
-#else /* OPENSSL_SYS_WIN16 */
-
-int des_read_pw(char *buf, char *buff, int size, char *prompt, int verify)
-        { 
-        memset(buf,0,size);
-        memset(buff,0,size);
-        return(0);
-        }
-
-#endif
-
 static void pushsig(void)
         {
         int i;
@@ -466,7 +475,7 @@ static void recsig(int i)
 #endif
         }
 
-#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16)
+#ifdef OPENSSL_SYS_MSDOS
 static int noecho_fgets(char *buf, int size, FILE *tty)
         {
         int i;
@@ -509,3 +518,4 @@ static int noecho_fgets(char *buf, int size, FILE *tty)
         return(strlen(buf));
         }
 #endif
+#endif /* !OPENSSL_SYS_WINCE && !WIN16 */
diff --git a/src/lib/libssl/src/crypto/des/str2key.c b/src/lib/libssl/src/crypto/des/str2key.c
index 36c3f81d99..0373db469c 100644
--- a/src/lib/libssl/src/crypto/des/str2key.c
+++ b/src/lib/libssl/src/crypto/des/str2key.c
@@ -94,7 +94,7 @@ void DES_string_to_key(const char *str, DES_cblock *key)
         DES_set_key_unchecked(key,&ks);
 #endif
         DES_cbc_cksum((const unsigned char*)str,key,length,&ks,key);
-        memset(&ks,0,sizeof(ks));
+        OPENSSL_cleanse(&ks,sizeof(ks));
         DES_set_odd_parity(key);
         }
 
@@ -167,7 +167,7 @@ void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2)
         DES_set_key_unchecked(key2,&ks);
 #endif
         DES_cbc_cksum((const unsigned char*)str,key2,length,&ks,key2);
-        memset(&ks,0,sizeof(ks));
+        OPENSSL_cleanse(&ks,sizeof(ks));
         DES_set_odd_parity(key1);
         DES_set_odd_parity(key2);
         }
diff --git a/src/lib/libssl/src/crypto/dh/Makefile.ssl b/src/lib/libssl/src/crypto/dh/Makefile.ssl
index 5e1aaae160..e05fc01a12 100644
--- a/src/lib/libssl/src/crypto/dh/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/dh/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -112,17 +112,14 @@ dh_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 dh_gen.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 dh_gen.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 dh_gen.o: ../cryptlib.h dh_gen.c
-dh_key.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
-dh_key.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-dh_key.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
-dh_key.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-dh_key.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-dh_key.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-dh_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dh_key.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+dh_key.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
+dh_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dh_key.o: ../../include/openssl/dh.h ../../include/openssl/e_os2.h
+dh_key.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dh_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dh_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
 dh_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dh_key.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-dh_key.o: ../cryptlib.h dh_key.c
+dh_key.o: ../../include/openssl/symhacks.h ../cryptlib.h dh_key.c
 dh_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 dh_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 dh_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
diff --git a/src/lib/libssl/src/crypto/dh/dh_key.c b/src/lib/libssl/src/crypto/dh/dh_key.c
index 1a0efca2c4..77f2f50b51 100644
--- a/src/lib/libssl/src/crypto/dh/dh_key.c
+++ b/src/lib/libssl/src/crypto/dh/dh_key.c
@@ -61,7 +61,6 @@
 #include <openssl/bn.h>
 #include <openssl/rand.h>
 #include <openssl/dh.h>
-#include <openssl/engine.h>
 
 static int generate_key(DH *dh);
 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
diff --git a/src/lib/libssl/src/crypto/dh/dh_lib.c b/src/lib/libssl/src/crypto/dh/dh_lib.c
index ba5fd41057..09965ee2ea 100644
--- a/src/lib/libssl/src/crypto/dh/dh_lib.c
+++ b/src/lib/libssl/src/crypto/dh/dh_lib.c
@@ -60,7 +60,9 @@
 #include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/dh.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 
 const char *DH_version="Diffie-Hellman" OPENSSL_VERSION_PTEXT;
 
@@ -85,11 +87,13 @@ int DH_set_method(DH *dh, const DH_METHOD *meth)
         const DH_METHOD *mtmp;
         mtmp = dh->meth;
         if (mtmp->finish) mtmp->finish(dh);
+#ifndef OPENSSL_NO_ENGINE
         if (dh->engine)
                 {
                 ENGINE_finish(dh->engine);
                 dh->engine = NULL;
                 }
+#endif
         dh->meth = meth;
         if (meth->init) meth->init(dh);
         return 1;
@@ -112,6 +116,7 @@ DH *DH_new_method(ENGINE *engine)
                 }
 
         ret->meth = DH_get_default_method();
+#ifndef OPENSSL_NO_ENGINE
         if (engine)
                 {
                 if (!ENGINE_init(engine))
@@ -135,6 +140,7 @@ DH *DH_new_method(ENGINE *engine)
                         return NULL;
                         }
                 }
+#endif
 
         ret->pad=0;
         ret->version=0;
@@ -154,8 +160,10 @@ DH *DH_new_method(ENGINE *engine)
         CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data);
         if ((ret->meth->init != NULL) && !ret->meth->init(ret))
                 {
+#ifndef OPENSSL_NO_ENGINE
                 if (ret->engine)
                         ENGINE_finish(ret->engine);
+#endif
                 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data);
                 OPENSSL_free(ret);
                 ret=NULL;
@@ -182,8 +190,10 @@ void DH_free(DH *r)
 
         if (r->meth->finish)
                 r->meth->finish(r);
+#ifndef OPENSSL_NO_ENGINE
         if (r->engine)
                 ENGINE_finish(r->engine);
+#endif
 
         CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, r, &r->ex_data);
 
diff --git a/src/lib/libssl/src/crypto/dh/dhtest.c b/src/lib/libssl/src/crypto/dh/dhtest.c
index 34894ced73..d75077f9fa 100644
--- a/src/lib/libssl/src/crypto/dh/dhtest.c
+++ b/src/lib/libssl/src/crypto/dh/dhtest.c
@@ -59,9 +59,9 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#ifdef OPENSSL_SYS_WINDOWS
-#include "../bio/bss_file.c" 
-#endif
+
+#include "../e_os.h"
+
 #include <openssl/crypto.h>
 #include <openssl/bio.h>
 #include <openssl/bn.h>
@@ -84,10 +84,6 @@ int main(int argc, char *argv[])
 #endif
 
 static void MS_CALLBACK cb(int p, int n, void *arg);
-#ifdef OPENSSL_NO_STDIO
-#define APPS_WIN16
-#include "bss_file.c"
-#endif
 
 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
 
@@ -111,7 +107,7 @@ int main(int argc, char *argv[])
         RAND_seed(rnd_seed, sizeof rnd_seed);
 
         out=BIO_new(BIO_s_file());
-        if (out == NULL) exit(1);
+        if (out == NULL) EXIT(1);
         BIO_set_fp(out,stdout,BIO_NOCLOSE);
 
         a=DH_generate_parameters(64,DH_GENERATOR_5,cb,out);
@@ -195,7 +191,7 @@ err:
         CRYPTO_cleanup_all_ex_data();
         ERR_remove_state(0);
         CRYPTO_mem_leaks_fp(stderr);
-        exit(ret);
+        EXIT(ret);
         return(ret);
         }
 
diff --git a/src/lib/libssl/src/crypto/dsa/Makefile.ssl b/src/lib/libssl/src/crypto/dsa/Makefile.ssl
index d308caafca..e5f8a8cf51 100644
--- a/src/lib/libssl/src/crypto/dsa/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/dsa/Makefile.ssl
@@ -70,7 +70,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -143,35 +143,29 @@ dsa_ossl.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_ossl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_ossl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_ossl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-dsa_ossl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-dsa_ossl.o: ../../include/openssl/opensslconf.h
+dsa_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_ossl.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 dsa_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dsa_ossl.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-dsa_ossl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dsa_ossl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+dsa_ossl.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+dsa_ossl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 dsa_ossl.o: ../cryptlib.h dsa_ossl.c
 dsa_sign.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_sign.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-dsa_sign.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-dsa_sign.o: ../../include/openssl/opensslconf.h
+dsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 dsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dsa_sign.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-dsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dsa_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+dsa_sign.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+dsa_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 dsa_sign.o: ../cryptlib.h dsa_sign.c
 dsa_vrf.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_vrf.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
 dsa_vrf.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 dsa_vrf.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
 dsa_vrf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-dsa_vrf.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-dsa_vrf.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-dsa_vrf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dsa_vrf.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+dsa_vrf.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dsa_vrf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dsa_vrf.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
 dsa_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dsa_vrf.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-dsa_vrf.o: ../cryptlib.h dsa_vrf.c
+dsa_vrf.o: ../../include/openssl/symhacks.h ../cryptlib.h dsa_vrf.c
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_lib.c b/src/lib/libssl/src/crypto/dsa/dsa_lib.c
index da2cdfa3d6..4171af24c6 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_lib.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_lib.c
@@ -63,7 +63,9 @@
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
 #include <openssl/asn1.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 
 const char *DSA_version="DSA" OPENSSL_VERSION_PTEXT;
 
@@ -93,11 +95,13 @@ int DSA_set_method(DSA *dsa, const DSA_METHOD *meth)
         const DSA_METHOD *mtmp;
         mtmp = dsa->meth;
         if (mtmp->finish) mtmp->finish(dsa);
+#ifndef OPENSSL_NO_ENGINE
         if (dsa->engine)
                 {
                 ENGINE_finish(dsa->engine);
                 dsa->engine = NULL;
                 }
+#endif
         dsa->meth = meth;
         if (meth->init) meth->init(dsa);
         return 1;
@@ -114,6 +118,7 @@ DSA *DSA_new_method(ENGINE *engine)
                 return(NULL);
                 }
         ret->meth = DSA_get_default_method();
+#ifndef OPENSSL_NO_ENGINE
         if (engine)
                 {
                 if (!ENGINE_init(engine))
@@ -138,6 +143,7 @@ DSA *DSA_new_method(ENGINE *engine)
                         return NULL;
                         }
                 }
+#endif
 
         ret->pad=0;
         ret->version=0;
@@ -158,8 +164,10 @@ DSA *DSA_new_method(ENGINE *engine)
         CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
         if ((ret->meth->init != NULL) && !ret->meth->init(ret))
                 {
+#ifndef OPENSSL_NO_ENGINE
                 if (ret->engine)
                         ENGINE_finish(ret->engine);
+#endif
                 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
                 OPENSSL_free(ret);
                 ret=NULL;
@@ -189,8 +197,10 @@ void DSA_free(DSA *r)
 
         if(r->meth->finish)
                 r->meth->finish(r);
+#ifndef OPENSSL_NO_ENGINE
         if(r->engine)
                 ENGINE_finish(r->engine);
+#endif
 
         CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, r, &r->ex_data);
 
@@ -224,7 +234,10 @@ int DSA_size(const DSA *r)
         {
         int ret,i;
         ASN1_INTEGER bs;
-        unsigned char buf[4];
+        unsigned char buf[4];   /* 4 bytes looks really small.
+                                   However, i2d_ASN1_INTEGER() will not look
+                                   beyond the first byte, as long as the second
+                                   parameter is NULL. */
 
         i=BN_num_bits(r->q);
         bs.length=(i+7)/8;
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
index 37dd5fc994..b9e7f3ea5c 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
@@ -64,7 +64,6 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
-#include <openssl/engine.h>
 
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
@@ -106,13 +105,15 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
         int i,reason=ERR_R_BN_LIB;
         DSA_SIG *ret=NULL;
 
+        BN_init(&m);
+        BN_init(&xr);
+
         if (!dsa->p || !dsa->q || !dsa->g)
                 {
                 reason=DSA_R_MISSING_PARAMETERS;
                 goto err;
                 }
-        BN_init(&m);
-        BN_init(&xr);
+
         s=BN_new();
         if (s == NULL) goto err;
 
@@ -178,6 +179,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
                 DSAerr(DSA_F_DSA_SIGN_SETUP,DSA_R_MISSING_PARAMETERS);
                 return 0;
                 }
+
+        BN_init(&k);
+
         if (ctx_in == NULL)
                 {
                 if ((ctx=BN_CTX_new()) == NULL) goto err;
@@ -185,7 +189,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
         else
                 ctx=ctx_in;
 
-        BN_init(&k);
         if ((r=BN_new()) == NULL) goto err;
         kinv=NULL;
 
@@ -241,11 +244,12 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                 return -1;
                 }
 
-        if ((ctx=BN_CTX_new()) == NULL) goto err;
         BN_init(&u1);
         BN_init(&u2);
         BN_init(&t1);
 
+        if ((ctx=BN_CTX_new()) == NULL) goto err;
+
         if (BN_is_zero(sig->r) || sig->r->neg || BN_ucmp(sig->r, dsa->q) >= 0)
                 {
                 ret = 0;
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_sign.c b/src/lib/libssl/src/crypto/dsa/dsa_sign.c
index e9469ca62f..89205026f0 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_sign.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_sign.c
@@ -64,7 +64,6 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
-#include <openssl/engine.h>
 
 DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
         {
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_vrf.c b/src/lib/libssl/src/crypto/dsa/dsa_vrf.c
index 066c6b5b28..c4aeddd056 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_vrf.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_vrf.c
@@ -65,7 +65,6 @@
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1_mac.h>
-#include <openssl/engine.h>
 
 int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                   DSA *dsa)
diff --git a/src/lib/libssl/src/crypto/dsa/dsagen.c b/src/lib/libssl/src/crypto/dsa/dsagen.c
index a0b0976640..1b6a1cca0f 100644
--- a/src/lib/libssl/src/crypto/dsa/dsagen.c
+++ b/src/lib/libssl/src/crypto/dsa/dsagen.c
@@ -103,7 +103,7 @@ main()
                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 
         memcpy(seed_buf,seed,20);
-        dsa=DSA_generate_parameters(1024,seed,20,&counter,&h,cb);
+        dsa=DSA_generate_parameters(1024,seed,20,&counter,&h,cb,bio_err);
 
         if (dsa == NULL)
                 DSA_print(bio_err,dsa,0);
diff --git a/src/lib/libssl/src/crypto/dsa/dsatest.c b/src/lib/libssl/src/crypto/dsa/dsatest.c
index 12da64f9f4..4734ce4af8 100644
--- a/src/lib/libssl/src/crypto/dsa/dsatest.c
+++ b/src/lib/libssl/src/crypto/dsa/dsatest.c
@@ -61,14 +61,13 @@
 #include <string.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+
+#include "../e_os.h"
+
 #include <openssl/crypto.h>
 #include <openssl/rand.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
-#include <openssl/engine.h>
-#ifdef OPENSSL_SYS_WINDOWS
-#include "../bio/bss_file.c"
-#endif
 
 #ifdef OPENSSL_NO_DSA
 int main(int argc, char *argv[])
@@ -212,10 +211,16 @@ end:
                 BIO_free(bio_err);
                 bio_err = NULL;
                 }
-        exit(!ret);
+        EXIT(!ret);
         return(0);
         }
 
+static int cb_exit(int ec)
+        {
+        EXIT(ec);
+        return(0);              /* To keep some compilers quiet */
+        }
+
 static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
         {
         char c='*';
@@ -231,7 +236,7 @@ static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
         if (!ok && (p == 0) && (num > 1))
                 {
                 BIO_printf((BIO *)arg,"error in dsatest\n");
-                exit(1);
+                cb_exit(1);
                 }
         }
 #endif
diff --git a/src/lib/libssl/src/crypto/dso/Makefile.ssl b/src/lib/libssl/src/crypto/dso/Makefile.ssl
index 5a55125824..c0449d184e 100644
--- a/src/lib/libssl/src/crypto/dso/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/dso/Makefile.ssl
@@ -70,7 +70,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/dso/dso_dl.c b/src/lib/libssl/src/crypto/dso/dso_dl.c
index 195717e993..79d2cb4d8c 100644
--- a/src/lib/libssl/src/crypto/dso/dso_dl.c
+++ b/src/lib/libssl/src/crypto/dso/dso_dl.c
@@ -126,7 +126,7 @@ static int dl_load(DSO *dso)
                 DSOerr(DSO_F_DL_LOAD,DSO_R_NO_FILENAME);
                 goto err;
                 }
-        ptr = shl_load(filename, BIND_IMMEDIATE|DYNAMIC_PATH, NULL);
+        ptr = shl_load(filename, BIND_IMMEDIATE|DYNAMIC_PATH, 0L);
         if(ptr == NULL)
                 {
                 DSOerr(DSO_F_DL_LOAD,DSO_R_LOAD_FAILED);
diff --git a/src/lib/libssl/src/crypto/dso/dso_win32.c b/src/lib/libssl/src/crypto/dso/dso_win32.c
index af8586d754..6c30deb250 100644
--- a/src/lib/libssl/src/crypto/dso/dso_win32.c
+++ b/src/lib/libssl/src/crypto/dso/dso_win32.c
@@ -61,7 +61,7 @@
 #include "cryptlib.h"
 #include <openssl/dso.h>
 
-#ifndef OPENSSL_SYS_WIN32
+#if !defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE)
 DSO_METHOD *DSO_METHOD_win32(void)
         {
         return NULL;
diff --git a/src/lib/libssl/src/crypto/ec/Makefile.ssl b/src/lib/libssl/src/crypto/ec/Makefile.ssl
index ed602b4a7f..a2805c47a2 100644
--- a/src/lib/libssl/src/crypto/ec/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/ec/Makefile.ssl
@@ -71,7 +71,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/ec/ec.h b/src/lib/libssl/src/crypto/ec/ec.h
index a52d4edf14..6d6a9b7127 100644
--- a/src/lib/libssl/src/crypto/ec/ec.h
+++ b/src/lib/libssl/src/crypto/ec/ec.h
@@ -195,7 +195,6 @@ void ERR_load_EC_strings(void);
 #define EC_F_EC_GROUP_GET0_GENERATOR                     139
 #define EC_F_EC_GROUP_GET_COFACTOR                       140
 #define EC_F_EC_GROUP_GET_CURVE_GFP                      130
-#define EC_F_EC_GROUP_GET_EXTRA_DATA                     107
 #define EC_F_EC_GROUP_GET_ORDER                          141
 #define EC_F_EC_GROUP_NEW                                108
 #define EC_F_EC_GROUP_PRECOMPUTE_MULT                    142
@@ -232,7 +231,6 @@ void ERR_load_EC_strings(void);
 #define EC_R_INVALID_FIELD                               103
 #define EC_R_INVALID_FORM                                104
 #define EC_R_NOT_INITIALIZED                             111
-#define EC_R_NO_SUCH_EXTRA_DATA                          105
 #define EC_R_POINT_AT_INFINITY                           106
 #define EC_R_POINT_IS_NOT_ON_CURVE                       107
 #define EC_R_SLOT_FULL                                   108
diff --git a/src/lib/libssl/src/crypto/ec/ec_err.c b/src/lib/libssl/src/crypto/ec/ec_err.c
index 394cdc021f..d37b6aba87 100644
--- a/src/lib/libssl/src/crypto/ec/ec_err.c
+++ b/src/lib/libssl/src/crypto/ec/ec_err.c
@@ -84,7 +84,6 @@ static ERR_STRING_DATA EC_str_functs[]=
 {ERR_PACK(0,EC_F_EC_GROUP_GET0_GENERATOR,0),    "EC_GROUP_get0_generator"},
 {ERR_PACK(0,EC_F_EC_GROUP_GET_COFACTOR,0),      "EC_GROUP_get_cofactor"},
 {ERR_PACK(0,EC_F_EC_GROUP_GET_CURVE_GFP,0),     "EC_GROUP_get_curve_GFp"},
-{ERR_PACK(0,EC_F_EC_GROUP_GET_EXTRA_DATA,0),    "EC_GROUP_get_extra_data"},
 {ERR_PACK(0,EC_F_EC_GROUP_GET_ORDER,0), "EC_GROUP_get_order"},
 {ERR_PACK(0,EC_F_EC_GROUP_NEW,0),       "EC_GROUP_new"},
 {ERR_PACK(0,EC_F_EC_GROUP_PRECOMPUTE_MULT,0),   "EC_GROUP_precompute_mult"},
@@ -124,7 +123,6 @@ static ERR_STRING_DATA EC_str_reasons[]=
 {EC_R_INVALID_FIELD                      ,"invalid field"},
 {EC_R_INVALID_FORM                       ,"invalid form"},
 {EC_R_NOT_INITIALIZED                    ,"not initialized"},
-{EC_R_NO_SUCH_EXTRA_DATA                 ,"no such extra data"},
 {EC_R_POINT_AT_INFINITY                  ,"point at infinity"},
 {EC_R_POINT_IS_NOT_ON_CURVE              ,"point is not on curve"},
 {EC_R_SLOT_FULL                          ,"slot full"},
diff --git a/src/lib/libssl/src/crypto/ec/ec_lib.c b/src/lib/libssl/src/crypto/ec/ec_lib.c
index 0cf485de60..deb522060f 100644
--- a/src/lib/libssl/src/crypto/ec/ec_lib.c
+++ b/src/lib/libssl/src/crypto/ec/ec_lib.c
@@ -128,7 +128,7 @@ void EC_GROUP_clear_free(EC_GROUP *group)
 
         EC_GROUP_clear_free_extra_data(group);
 
-        memset(group, 0, sizeof *group);
+        OPENSSL_cleanse(group, sizeof *group);
         OPENSSL_free(group);
         }
 
@@ -268,7 +268,9 @@ void *EC_GROUP_get_extra_data(const EC_GROUP *group, void *(*extra_data_dup_func
                 || (group->extra_data_free_func != extra_data_free_func)
                 || (group->extra_data_clear_free_func != extra_data_clear_free_func))
                 {
-                ECerr(EC_F_EC_GROUP_GET_EXTRA_DATA, EC_R_NO_SUCH_EXTRA_DATA);
+#if 0 /* this was an error in 0.9.7, but that does not make a lot of sense */
+                ECerr(..._F_EC_GROUP_GET_EXTRA_DATA, ..._R_NO_SUCH_EXTRA_DATA);
+#endif
                 return NULL;
                 }
 
@@ -357,7 +359,7 @@ void EC_POINT_clear_free(EC_POINT *point)
                 point->meth->point_clear_finish(point);
         else if (point->meth != NULL && point->meth->point_finish != 0)
                 point->meth->point_finish(point);
-        memset(point, 0, sizeof *point);
+        OPENSSL_cleanse(point, sizeof *point);
         OPENSSL_free(point);
         }
 
diff --git a/src/lib/libssl/src/crypto/ec/ec_mult.c b/src/lib/libssl/src/crypto/ec/ec_mult.c
index 603ba31b81..4dbc931120 100644
--- a/src/lib/libssl/src/crypto/ec/ec_mult.c
+++ b/src/lib/libssl/src/crypto/ec/ec_mult.c
@@ -209,6 +209,17 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
         EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' */
         int ret = 0;
         
+        if (group->meth != r->meth)
+                {
+                ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+
+        if ((scalar == NULL) && (num == 0))
+                {
+                return EC_POINT_set_to_infinity(group, r);
+                }
+
         if (scalar != NULL)
                 {
                 generator = EC_GROUP_get0_generator(group);
diff --git a/src/lib/libssl/src/crypto/ec/ectest.c b/src/lib/libssl/src/crypto/ec/ectest.c
index eab46cc080..345d3e4289 100644
--- a/src/lib/libssl/src/crypto/ec/ectest.c
+++ b/src/lib/libssl/src/crypto/ec/ectest.c
@@ -55,6 +55,11 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#ifdef FLAT_INC
+#include "e_os.h"
+#else
+#include "../e_os.h"
+#endif
 #include <string.h>
 #include <time.h>
 
@@ -65,14 +70,16 @@ int main(int argc, char * argv[]) { puts("Elliptic curves are disabled."); retur
 
 
 #include <openssl/ec.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 #include <openssl/err.h>
 
 #define ABORT do { \
         fflush(stdout); \
         fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \
         ERR_print_errors_fp(stderr); \
-        exit(1); \
+        EXIT(1); \
 } while (0)
 
 #if 0
@@ -623,7 +630,9 @@ int main(int argc, char *argv[])
         if (P_384) EC_GROUP_free(P_384);
         if (P_521) EC_GROUP_free(P_521);
 
+#ifndef OPENSSL_NO_ENGINE
         ENGINE_cleanup();
+#endif
         CRYPTO_cleanup_all_ex_data();
         ERR_free_strings();
         ERR_remove_state(0);
diff --git a/src/lib/libssl/src/crypto/engine/Makefile.ssl b/src/lib/libssl/src/crypto/engine/Makefile.ssl
index 8bc8985e02..30a4446ff9 100644
--- a/src/lib/libssl/src/crypto/engine/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/engine/Makefile.ssl
@@ -50,7 +50,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -82,7 +82,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -304,6 +304,27 @@ hw_atalla.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 hw_atalla.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 hw_atalla.o: ../cryptlib.h hw_atalla.c hw_atalla_err.c hw_atalla_err.h
 hw_atalla.o: vendor_defns/atalla.h
+hw_cryptodev.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
+hw_cryptodev.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+hw_cryptodev.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
+hw_cryptodev.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+hw_cryptodev.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+hw_cryptodev.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+hw_cryptodev.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+hw_cryptodev.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+hw_cryptodev.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+hw_cryptodev.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+hw_cryptodev.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+hw_cryptodev.o: ../../include/openssl/objects.h
+hw_cryptodev.o: ../../include/openssl/opensslconf.h
+hw_cryptodev.o: ../../include/openssl/opensslv.h
+hw_cryptodev.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+hw_cryptodev.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+hw_cryptodev.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+hw_cryptodev.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+hw_cryptodev.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+hw_cryptodev.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+hw_cryptodev.o: ../../include/openssl/ui_compat.h hw_cryptodev.c
 hw_cswift.o: ../../e_os.h ../../include/openssl/asn1.h
 hw_cswift.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 hw_cswift.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -354,45 +375,6 @@ hw_nuron.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 hw_nuron.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 hw_nuron.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 hw_nuron.o: ../cryptlib.h hw_nuron.c hw_nuron_err.c hw_nuron_err.h
-hw_cryptodev.o: ../../include/openssl/aes.h
-hw_cryptodev.o: ../../include/openssl/asn1.h
-hw_cryptodev.o: ../../include/openssl/bio.h
-hw_cryptodev.o: ../../include/openssl/blowfish.h
-hw_cryptodev.o: ../../include/openssl/bn.h
-hw_cryptodev.o: ../../include/openssl/cast.h
-hw_cryptodev.o: ../../include/openssl/conf.h
-hw_cryptodev.o: ../../include/openssl/crypto.h
-hw_cryptodev.o: ../../include/openssl/des.h
-hw_cryptodev.o: ../../include/openssl/des_old.h
-hw_cryptodev.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-hw_cryptodev.o: ../../include/openssl/e_os2.h
-hw_cryptodev.o: ../../include/openssl/engine.h
-hw_cryptodev.o: ../../include/openssl/err.h
-hw_cryptodev.o: ../../include/openssl/evp.h
-hw_cryptodev.o: ../../include/openssl/idea.h
-hw_cryptodev.o: ../../include/openssl/lhash.h
-hw_cryptodev.o: ../../include/openssl/md2.h
-hw_cryptodev.o: ../../include/openssl/md4.h
-hw_cryptodev.o: ../../include/openssl/md5.h
-hw_cryptodev.o: ../../include/openssl/mdc2.h
-hw_cryptodev.o: ../../include/openssl/obj_mac.h
-hw_cryptodev.o: ../../include/openssl/objects.h
-hw_cryptodev.o: ../../include/openssl/opensslconf.h
-hw_cryptodev.o: ../../include/openssl/opensslv.h
-hw_cryptodev.o: ../../include/openssl/ossl_typ.h
-hw_cryptodev.o: ../../include/openssl/rand.h
-hw_cryptodev.o: ../../include/openssl/rc2.h
-hw_cryptodev.o: ../../include/openssl/rc4.h
-hw_cryptodev.o: ../../include/openssl/rc5.h
-hw_cryptodev.o: ../../include/openssl/ripemd.h
-hw_cryptodev.o: ../../include/openssl/rsa.h
-hw_cryptodev.o: ../../include/openssl/safestack.h
-hw_cryptodev.o: ../../include/openssl/sha.h
-hw_cryptodev.o: ../../include/openssl/stack.h
-hw_cryptodev.o: ../../include/openssl/symhacks.h
-hw_cryptodev.o: ../../include/openssl/ui.h
-hw_cryptodev.o: ../../include/openssl/ui_compat.h ../evp/evp_locl.h
-hw_cryptodev.o: eng_int.h hw_cryptodev.c
 hw_sureware.o: ../../e_os.h ../../include/openssl/aes.h
 hw_sureware.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 hw_sureware.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
diff --git a/src/lib/libssl/src/crypto/engine/eng_all.c b/src/lib/libssl/src/crypto/engine/eng_all.c
index bc50465422..0f6992a40d 100644
--- a/src/lib/libssl/src/crypto/engine/eng_all.c
+++ b/src/lib/libssl/src/crypto/engine/eng_all.c
@@ -60,10 +60,6 @@
 #include <openssl/engine.h>
 #include "eng_int.h"
 
-#ifdef __OpenBSD__
-static int openbsd_default_loaded = 0;
-#endif
-
 void ENGINE_load_builtin_engines(void)
         {
         /* There's no longer any need for an "openssl" ENGINE unless, one day,
@@ -99,21 +95,19 @@ void ENGINE_load_builtin_engines(void)
 #ifndef OPENSSL_NO_HW_4758_CCA
         ENGINE_load_4758cca();
 #endif
-#ifdef OPENSSL_OPENBSD_DEV_CRYPTO
-        ENGINE_load_openbsd_dev_crypto();
-#endif
-#ifdef __OpenBSD__
+#if defined(__OpenBSD__) || defined(__FreeBSD__)
         ENGINE_load_cryptodev();
 #endif
 #endif
         }
 
-#ifdef __OpenBSD__
-void ENGINE_setup_openbsd(void) {
-        if (!openbsd_default_loaded) {
+#if defined(__OpenBSD__) || defined(__FreeBSD__)
+void ENGINE_setup_bsd_cryptodev(void) {
+        static int bsd_cryptodev_default_loaded = 0;
+        if (!bsd_cryptodev_default_loaded) {
                 ENGINE_load_cryptodev();
                 ENGINE_register_all_complete();
         }
-        openbsd_default_loaded=1;
+        bsd_cryptodev_default_loaded=1;
 }
 #endif
diff --git a/src/lib/libssl/src/crypto/engine/eng_err.c b/src/lib/libssl/src/crypto/engine/eng_err.c
index f6c5630395..814d95ee32 100644
--- a/src/lib/libssl/src/crypto/engine/eng_err.c
+++ b/src/lib/libssl/src/crypto/engine/eng_err.c
@@ -1,6 +1,6 @@
 /* crypto/engine/eng_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -96,6 +96,7 @@ static ERR_STRING_DATA ENGINE_str_functs[]=
 {ERR_PACK(0,ENGINE_F_ENGINE_SET_NAME,0),        "ENGINE_set_name"},
 {ERR_PACK(0,ENGINE_F_ENGINE_TABLE_REGISTER,0),  "ENGINE_TABLE_REGISTER"},
 {ERR_PACK(0,ENGINE_F_ENGINE_UNLOAD_KEY,0),      "ENGINE_UNLOAD_KEY"},
+{ERR_PACK(0,ENGINE_F_ENGINE_UP_REF,0),  "ENGINE_up_ref"},
 {ERR_PACK(0,ENGINE_F_INT_CTRL_HELPER,0),        "INT_CTRL_HELPER"},
 {ERR_PACK(0,ENGINE_F_INT_ENGINE_CONFIGURE,0),   "INT_ENGINE_CONFIGURE"},
 {ERR_PACK(0,ENGINE_F_LOG_MESSAGE,0),    "LOG_MESSAGE"},
diff --git a/src/lib/libssl/src/crypto/engine/eng_fat.c b/src/lib/libssl/src/crypto/engine/eng_fat.c
index f7edb5ad32..0d7dae00b2 100644
--- a/src/lib/libssl/src/crypto/engine/eng_fat.c
+++ b/src/lib/libssl/src/crypto/engine/eng_fat.c
@@ -66,18 +66,18 @@ int ENGINE_set_default(ENGINE *e, unsigned int flags)
         if((flags & ENGINE_METHOD_DIGESTS) && !ENGINE_set_default_digests(e))
                 return 0;
 #ifndef OPENSSL_NO_RSA
-        if((flags & ENGINE_METHOD_RSA) & !ENGINE_set_default_RSA(e))
+        if((flags & ENGINE_METHOD_RSA) && !ENGINE_set_default_RSA(e))
                 return 0;
 #endif
 #ifndef OPENSSL_NO_DSA
-        if((flags & ENGINE_METHOD_DSA) & !ENGINE_set_default_DSA(e))
+        if((flags & ENGINE_METHOD_DSA) && !ENGINE_set_default_DSA(e))
                 return 0;
 #endif
 #ifndef OPENSSL_NO_DH
-        if((flags & ENGINE_METHOD_DH) & !ENGINE_set_default_DH(e))
+        if((flags & ENGINE_METHOD_DH) && !ENGINE_set_default_DH(e))
                 return 0;
 #endif
-        if((flags & ENGINE_METHOD_RAND) & !ENGINE_set_default_RAND(e))
+        if((flags & ENGINE_METHOD_RAND) && !ENGINE_set_default_RAND(e))
                 return 0;
         return 1;
         }
diff --git a/src/lib/libssl/src/crypto/engine/eng_list.c b/src/lib/libssl/src/crypto/engine/eng_list.c
index 0c220558e7..1cc3217f4c 100644
--- a/src/lib/libssl/src/crypto/engine/eng_list.c
+++ b/src/lib/libssl/src/crypto/engine/eng_list.c
@@ -191,14 +191,14 @@ ENGINE *ENGINE_get_first(void)
         {
         ENGINE *ret;
 
-        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
         ret = engine_list_head;
         if(ret)
                 {
                 ret->struct_ref++;
                 engine_ref_debug(ret, 0, 1)
                 }
-        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
         return ret;
         }
 
@@ -206,14 +206,14 @@ ENGINE *ENGINE_get_last(void)
         {
         ENGINE *ret;
 
-        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
-                ret = engine_list_tail;
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        ret = engine_list_tail;
         if(ret)
                 {
                 ret->struct_ref++;
                 engine_ref_debug(ret, 0, 1)
                 }
-        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
         return ret;
         }
 
@@ -227,7 +227,7 @@ ENGINE *ENGINE_get_next(ENGINE *e)
                         ERR_R_PASSED_NULL_PARAMETER);
                 return 0;
                 }
-        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
         ret = e->next;
         if(ret)
                 {
@@ -235,7 +235,7 @@ ENGINE *ENGINE_get_next(ENGINE *e)
                 ret->struct_ref++;
                 engine_ref_debug(ret, 0, 1)
                 }
-        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
         /* Release the structural reference to the previous ENGINE */
         ENGINE_free(e);
         return ret;
@@ -250,7 +250,7 @@ ENGINE *ENGINE_get_prev(ENGINE *e)
                         ERR_R_PASSED_NULL_PARAMETER);
                 return 0;
                 }
-        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
         ret = e->prev;
         if(ret)
                 {
@@ -258,7 +258,7 @@ ENGINE *ENGINE_get_prev(ENGINE *e)
                 ret->struct_ref++;
                 engine_ref_debug(ret, 0, 1)
                 }
-        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
         /* Release the structural reference to the previous ENGINE */
         ENGINE_free(e);
         return ret;
@@ -346,7 +346,7 @@ ENGINE *ENGINE_by_id(const char *id)
                         ERR_R_PASSED_NULL_PARAMETER);
                 return NULL;
                 }
-        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
         iterator = engine_list_head;
         while(iterator && (strcmp(id, iterator->id) != 0))
                 iterator = iterator->next;
@@ -372,7 +372,7 @@ ENGINE *ENGINE_by_id(const char *id)
                         engine_ref_debug(iterator, 0, 1)
                         }
                 }
-        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
         if(iterator == NULL)
                 {
                 ENGINEerr(ENGINE_F_ENGINE_BY_ID,
@@ -381,3 +381,14 @@ ENGINE *ENGINE_by_id(const char *id)
                 }
         return iterator;
         }
+
+int ENGINE_up_ref(ENGINE *e)
+        {
+        if (e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_UP_REF,ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_add(&e->struct_ref,1,CRYPTO_LOCK_ENGINE);
+        return 1;
+        }
diff --git a/src/lib/libssl/src/crypto/engine/eng_openssl.c b/src/lib/libssl/src/crypto/engine/eng_openssl.c
index e9d976f46b..54579eea2e 100644
--- a/src/lib/libssl/src/crypto/engine/eng_openssl.c
+++ b/src/lib/libssl/src/crypto/engine/eng_openssl.c
@@ -63,6 +63,7 @@
 #include <openssl/engine.h>
 #include <openssl/dso.h>
 #include <openssl/pem.h>
+#include <openssl/evp.h>
 
 /* This testing gunk is implemented (and explained) lower down. It also assumes
  * the application explicitly calls "ENGINE_load_openssl()" because this is no
@@ -78,6 +79,21 @@
 /* #define TEST_ENG_OPENSSL_SHA_P_UPDATE */
 /* #define TEST_ENG_OPENSSL_SHA_P_FINAL */
 
+/* Now check what of those algorithms are actually enabled */
+#ifdef OPENSSL_NO_RC4
+#undef TEST_ENG_OPENSSL_RC4
+#undef TEST_ENG_OPENSSL_RC4_OTHERS
+#undef TEST_ENG_OPENSSL_RC4_P_INIT
+#undef TEST_ENG_OPENSSL_RC4_P_CIPHER
+#endif
+#if defined(OPENSSL_NO_SHA) || defined(OPENSSL_NO_SHA0) || defined(OPENSSL_NO_SHA1)
+#undef TEST_ENG_OPENSSL_SHA
+#undef TEST_ENG_OPENSSL_SHA_OTHERS
+#undef TEST_ENG_OPENSSL_SHA_P_INIT
+#undef TEST_ENG_OPENSSL_SHA_P_UPDATE
+#undef TEST_ENG_OPENSSL_SHA_P_FINAL 
+#endif
+
 #ifdef TEST_ENG_OPENSSL_RC4
 static int openssl_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
                                 const int **nids, int nid);
@@ -180,7 +196,6 @@ IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
  *        the "init_key" handler is called.
  *    TEST_ENG_OPENSSL_RC4_P_CIPHER - ditto for the "cipher" handler.
  */
-#include <openssl/evp.h>
 #include <openssl/rc4.h>
 #define TEST_RC4_KEY_SIZE               16
 static int test_cipher_nids[] = {NID_rc4,NID_rc4_40};
@@ -265,7 +280,6 @@ static int openssl_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
 
 #ifdef TEST_ENG_OPENSSL_SHA
 /* Much the same sort of comment as for TEST_ENG_OPENSSL_RC4 */
-#include <openssl/evp.h>
 #include <openssl/sha.h>
 static int test_digest_nids[] = {NID_sha1};
 static int test_digest_nids_number = 1;
diff --git a/src/lib/libssl/src/crypto/engine/engine.h b/src/lib/libssl/src/crypto/engine/engine.h
index fd17ff616d..8686879e1a 100644
--- a/src/lib/libssl/src/crypto/engine/engine.h
+++ b/src/lib/libssl/src/crypto/engine/engine.h
@@ -59,6 +59,12 @@
 #ifndef HEADER_ENGINE_H
 #define HEADER_ENGINE_H
 
+#include <openssl/opensslconf.h>
+
+#ifdef OPENSSL_NO_ENGINE
+#error ENGINE is disabled.
+#endif
+
 #include <openssl/ossl_typ.h>
 #include <openssl/bn.h>
 #ifndef OPENSSL_NO_RSA
@@ -307,11 +313,8 @@ void ENGINE_load_ubsec(void);
 void ENGINE_load_aep(void);
 void ENGINE_load_sureware(void);
 void ENGINE_load_4758cca(void);
-void ENGINE_load_openbsd_dev_crypto(void);
-void ENGINE_load_builtin_engines(void);
-#ifdef __OpenBSD__
 void ENGINE_load_cryptodev(void);
-#endif  
+void ENGINE_load_builtin_engines(void);
 
 /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
  * "registry" handling. */
@@ -409,6 +412,7 @@ int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
  * compatibility! */
 ENGINE *ENGINE_new(void);
 int ENGINE_free(ENGINE *e);
+int ENGINE_up_ref(ENGINE *e);
 int ENGINE_set_id(ENGINE *e, const char *id);
 int ENGINE_set_name(ENGINE *e, const char *name);
 int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth);
@@ -665,6 +669,7 @@ void ERR_load_ENGINE_strings(void);
 #define ENGINE_F_ENGINE_SET_NAME                         130
 #define ENGINE_F_ENGINE_TABLE_REGISTER                   184
 #define ENGINE_F_ENGINE_UNLOAD_KEY                       152
+#define ENGINE_F_ENGINE_UP_REF                           190
 #define ENGINE_F_INT_CTRL_HELPER                         172
 #define ENGINE_F_INT_ENGINE_CONFIGURE                    188
 #define ENGINE_F_LOG_MESSAGE                             141
diff --git a/src/lib/libssl/src/crypto/engine/enginetest.c b/src/lib/libssl/src/crypto/engine/enginetest.c
index 87fa8c57b7..c2d0297392 100644
--- a/src/lib/libssl/src/crypto/engine/enginetest.c
+++ b/src/lib/libssl/src/crypto/engine/enginetest.c
@@ -56,9 +56,17 @@
  *
  */
 
-#include <openssl/e_os2.h>
 #include <stdio.h>
 #include <string.h>
+
+#ifdef OPENSSL_NO_ENGINE
+int main(int argc, char *argv[])
+{
+    printf("No ENGINE support\n");
+    return(0);
+}
+#else
+#include <openssl/e_os2.h>
 #include <openssl/buffer.h>
 #include <openssl/crypto.h>
 #include <openssl/engine.h>
@@ -272,3 +280,4 @@ end:
         CRYPTO_mem_leaks_fp(stderr);
         return to_return;
         }
+#endif
diff --git a/src/lib/libssl/src/crypto/engine/hw_4758_cca.c b/src/lib/libssl/src/crypto/engine/hw_4758_cca.c
index 6d41b9ed2a..4f5ae8a46d 100644
--- a/src/lib/libssl/src/crypto/engine/hw_4758_cca.c
+++ b/src/lib/libssl/src/crypto/engine/hw_4758_cca.c
@@ -223,6 +223,7 @@ static int bind_helper(ENGINE *e)
         return 1;
         }
 
+#ifndef ENGINE_DYNAMIC_SUPPORT
 static ENGINE *engine_4758_cca(void)
         {
         ENGINE *ret = ENGINE_new();
@@ -244,6 +245,7 @@ void ENGINE_load_4758cca(void)
         ENGINE_free(e_4758);
         ERR_clear_error();   
         }
+#endif
 
 static int ibm_4758_cca_destroy(ENGINE *e)
         {
@@ -715,7 +717,7 @@ static int cca_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
 
         if (type == NID_sha1 || type == NID_md5)
                 {
-                memset(hashBuffer, 0, keyLength+1);
+                OPENSSL_cleanse(hashBuffer, keyLength+1);
                 OPENSSL_free(hashBuffer);
                 }
 
@@ -838,7 +840,7 @@ static int cca_rsa_sign(int type, const unsigned char *m, unsigned int m_len,
 
         if (type == NID_sha1 || type == NID_md5)
                 {
-                memset(hashBuffer, 0, keyLength+1);
+                OPENSSL_cleanse(hashBuffer, keyLength+1);
                 OPENSSL_free(hashBuffer);
                 }
 
diff --git a/src/lib/libssl/src/crypto/engine/hw_atalla.c b/src/lib/libssl/src/crypto/engine/hw_atalla.c
index 6151c46902..e9eff9fad1 100644
--- a/src/lib/libssl/src/crypto/engine/hw_atalla.c
+++ b/src/lib/libssl/src/crypto/engine/hw_atalla.c
@@ -242,6 +242,7 @@ static int bind_helper(ENGINE *e)
         return 1;
         }
 
+#ifndef ENGINE_DYNAMIC_SUPPORT
 static ENGINE *engine_atalla(void)
         {
         ENGINE *ret = ENGINE_new();
@@ -264,6 +265,7 @@ void ENGINE_load_atalla(void)
         ENGINE_free(toadd);
         ERR_clear_error();
         }
+#endif
 
 /* This is a process-global DSO handle used for loading and unloading
  * the Atalla library. NB: This is only set (or unset) during an
diff --git a/src/lib/libssl/src/crypto/engine/hw_cryptodev.c b/src/lib/libssl/src/crypto/engine/hw_cryptodev.c
index 034c7ca213..139119b80c 100644
--- a/src/lib/libssl/src/crypto/engine/hw_cryptodev.c
+++ b/src/lib/libssl/src/crypto/engine/hw_cryptodev.c
@@ -29,8 +29,32 @@
  *
  */
 
-#include <sys/types.h>
+#include <openssl/objects.h>
+#include <openssl/engine.h>
+#include <openssl/evp.h>
+
+#if (defined(__unix__) || defined(unix)) && !defined(USG)
 #include <sys/param.h>
+# if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041)
+# define HAVE_CRYPTODEV
+# endif
+# if (OpenBSD >= 200110)
+# define HAVE_SYSLOG_R
+# endif
+#endif
+
+#ifndef HAVE_CRYPTODEV
+
+void
+ENGINE_load_cryptodev(void)
+{
+        /* This is a NOP on platforms without /dev/crypto */
+        return;
+}
+
+#else 
+
+#include <sys/types.h>
 #include <crypto/cryptodev.h>
 #include <sys/ioctl.h>
 #include <errno.h>
@@ -39,9 +63,6 @@
 #include <fcntl.h>
 #include <stdarg.h>
 #include <syslog.h>
-#include <ssl/objects.h>
-#include <ssl/engine.h>
-#include <ssl/evp.h>
 #include <errno.h>
 #include <string.h>
 
@@ -101,10 +122,6 @@ static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p,
 void ENGINE_load_cryptodev(void);
 
 static const ENGINE_CMD_DEFN cryptodev_defns[] = {
-        {ENGINE_CMD_BASE,
-                "SO_PATH",
-                "Specifies the path to the some stupid shared library",
-                ENGINE_CMD_FLAG_STRING},
         { 0, NULL, NULL, 0 }
 };
 
@@ -1011,12 +1028,18 @@ static DH_METHOD cryptodev_dh = {
 static int
 cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
 {
+#ifdef HAVE_SYSLOG_R
         struct syslog_data sd = SYSLOG_DATA_INIT;
+#endif
 
         switch (cmd) {
         default:
+#ifdef HAVE_SYSLOG_R
                 syslog_r(LOG_ERR, &sd,
                     "cryptodev_ctrl: unknown command %d", cmd);
+#else
+                syslog(LOG_ERR, "cryptodev_ctrl: unknown command %d", cmd);
+#endif
                 break;
         }
         return (1);
@@ -1043,7 +1066,7 @@ ENGINE_load_cryptodev(void)
         close(fd);
 
         if (!ENGINE_set_id(engine, "cryptodev") ||
-            !ENGINE_set_name(engine, "OpenBSD cryptodev engine") ||
+            !ENGINE_set_name(engine, "BSD cryptodev engine") ||
             !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) ||
             !ENGINE_set_digests(engine, cryptodev_engine_digests) ||
             !ENGINE_set_ctrl_function(engine, cryptodev_ctrl) ||
@@ -1104,3 +1127,5 @@ ENGINE_load_cryptodev(void)
         ENGINE_free(engine);
         ERR_clear_error();
 }
+
+#endif /* HAVE_CRYPTODEV */
diff --git a/src/lib/libssl/src/crypto/engine/hw_cswift.c b/src/lib/libssl/src/crypto/engine/hw_cswift.c
index f5c897bdbb..f128ee5a68 100644
--- a/src/lib/libssl/src/crypto/engine/hw_cswift.c
+++ b/src/lib/libssl/src/crypto/engine/hw_cswift.c
@@ -121,6 +121,10 @@ static int cswift_mod_exp_dh(const DH *dh, BIGNUM *r,
                 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 #endif
 
+/* RAND stuff */
+static int cswift_rand_bytes(unsigned char *buf, int num);
+static int cswift_rand_status(void);
+
 /* The definitions for control commands specific to this engine */
 #define CSWIFT_CMD_SO_PATH              ENGINE_CMD_BASE
 static const ENGINE_CMD_DEFN cswift_cmd_defns[] = {
@@ -183,6 +187,18 @@ static DH_METHOD cswift_dh =
         };
 #endif
 
+static RAND_METHOD cswift_random =
+    {
+    /* "CryptoSwift RAND method", */
+    NULL,
+    cswift_rand_bytes,
+    NULL,
+    NULL,
+    cswift_rand_bytes,
+    cswift_rand_status,
+    };
+
+
 /* Constants used when creating the ENGINE */
 static const char *engine_cswift_id = "cswift";
 static const char *engine_cswift_name = "CryptoSwift hardware engine support";
@@ -208,6 +224,7 @@ static int bind_helper(ENGINE *e)
 #ifndef OPENSSL_NO_DH
                         !ENGINE_set_DH(e, &cswift_dh) ||
 #endif
+                        !ENGINE_set_RAND(e, &cswift_random) ||
                         !ENGINE_set_destroy_function(e, cswift_destroy) ||
                         !ENGINE_set_init_function(e, cswift_init) ||
                         !ENGINE_set_finish_function(e, cswift_finish) ||
@@ -242,6 +259,7 @@ static int bind_helper(ENGINE *e)
         return 1;
         }
 
+#ifndef ENGINE_DYNAMIC_SUPPORT
 static ENGINE *engine_cswift(void)
         {
         ENGINE *ret = ENGINE_new();
@@ -264,6 +282,7 @@ void ENGINE_load_cswift(void)
         ENGINE_free(toadd);
         ERR_clear_error();
         }
+#endif
 
 /* This is a process-global DSO handle used for loading and unloading
  * the CryptoSwift library. NB: This is only set (or unset) during an
@@ -905,6 +924,60 @@ static int cswift_mod_exp_dh(const DH *dh, BIGNUM *r,
         }
 #endif
 
+/* Random bytes are good */
+static int cswift_rand_bytes(unsigned char *buf, int num)
+{
+        SW_CONTEXT_HANDLE hac;
+        SW_STATUS swrc;
+        SW_LARGENUMBER largenum;
+        size_t nbytes = 0;
+        int acquired = 0;
+        int to_return = 0; /* assume failure */
+
+        if (!get_context(&hac))
+        {
+                CSWIFTerr(CSWIFT_F_CSWIFT_CTRL, CSWIFT_R_UNIT_FAILURE);
+                goto err;
+        }
+        acquired = 1;
+
+        while (nbytes < (size_t)num)
+        {
+                /* tell CryptoSwift how many bytes we want and where we want it.
+                 * Note: - CryptoSwift cannot do more than 4096 bytes at a time.
+                 *       - CryptoSwift can only do multiple of 32-bits. */
+                largenum.value = (SW_BYTE *) buf + nbytes;
+                if (4096 > num - nbytes)
+                        largenum.nbytes = num - nbytes;
+                else
+                        largenum.nbytes = 4096;
+
+                swrc = p_CSwift_SimpleRequest(hac, SW_CMD_RAND, NULL, 0, &largenum, 1);
+                if (swrc != SW_OK)
+                {
+                        char tmpbuf[20];
+                        CSWIFTerr(CSWIFT_F_CSWIFT_CTRL, CSWIFT_R_REQUEST_FAILED);
+                        sprintf(tmpbuf, "%ld", swrc);
+                        ERR_add_error_data(2, "CryptoSwift error number is ", tmpbuf);
+                        goto err;
+                }
+
+                nbytes += largenum.nbytes;
+        }
+        to_return = 1;  /* success */
+
+err:
+        if (acquired)
+                release_context(hac);
+        return to_return;
+}
+
+static int cswift_rand_status(void)
+{
+        return 1;
+}
+
+
 /* This stuff is needed if this ENGINE is being compiled into a self-contained
  * shared-library. */
 #ifdef ENGINE_DYNAMIC_SUPPORT
diff --git a/src/lib/libssl/src/crypto/engine/hw_ncipher.c b/src/lib/libssl/src/crypto/engine/hw_ncipher.c
index a43d4360f2..0d1c6b8df0 100644
--- a/src/lib/libssl/src/crypto/engine/hw_ncipher.c
+++ b/src/lib/libssl/src/crypto/engine/hw_ncipher.c
@@ -91,11 +91,19 @@ static int hwcrhk_init(ENGINE *e);
 static int hwcrhk_finish(ENGINE *e);
 static int hwcrhk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()); 
 
-/* Functions to handle mutexes */
+/* Functions to handle mutexes if have dynamic locks */
 static int hwcrhk_mutex_init(HWCryptoHook_Mutex*, HWCryptoHook_CallerContext*);
 static int hwcrhk_mutex_lock(HWCryptoHook_Mutex*);
 static void hwcrhk_mutex_unlock(HWCryptoHook_Mutex*);
 static void hwcrhk_mutex_destroy(HWCryptoHook_Mutex*);
+#if 1 /* This is a HACK which will disappear in 0.9.8 */
+/* Functions to handle mutexes if only have static locks */
+static int hwcrhk_static_mutex_init(HWCryptoHook_Mutex *m,
+                                    HWCryptoHook_CallerContext *c);
+static int hwcrhk_static_mutex_lock(HWCryptoHook_Mutex *m);
+static void hwcrhk_static_mutex_unlock(HWCryptoHook_Mutex *m);
+static void hwcrhk_static_mutex_destroy(HWCryptoHook_Mutex *m);
+#endif
 
 /* BIGNUM stuff */
 static int hwcrhk_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
@@ -373,6 +381,7 @@ static int bind_helper(ENGINE *e)
         return 1;
         }
 
+#ifndef ENGINE_DYNAMIC_SUPPORT
 static ENGINE *engine_ncipher(void)
         {
         ENGINE *ret = ENGINE_new();
@@ -395,6 +404,7 @@ void ENGINE_load_chil(void)
         ENGINE_free(toadd);
         ERR_clear_error();
         }
+#endif
 
 /* This is a process-global DSO handle used for loading and unloading
  * the HWCryptoHook library. NB: This is only set (or unset) during an
@@ -558,15 +568,31 @@ static int hwcrhk_init(ENGINE *e)
 
         /* Check if the application decided to support dynamic locks,
            and if it does, use them. */
-        if (disable_mutex_callbacks == 0 &&
-                CRYPTO_get_dynlock_create_callback() != NULL &&
-                CRYPTO_get_dynlock_lock_callback() != NULL &&
-                CRYPTO_get_dynlock_destroy_callback() != NULL)
+        if (disable_mutex_callbacks == 0)
                 {
-                hwcrhk_globals.mutex_init = hwcrhk_mutex_init;
-                hwcrhk_globals.mutex_acquire = hwcrhk_mutex_lock;
-                hwcrhk_globals.mutex_release = hwcrhk_mutex_unlock;
-                hwcrhk_globals.mutex_destroy = hwcrhk_mutex_destroy;
+                if (CRYPTO_get_dynlock_create_callback() != NULL &&
+                        CRYPTO_get_dynlock_lock_callback() != NULL &&
+                        CRYPTO_get_dynlock_destroy_callback() != NULL)
+                        {
+                        hwcrhk_globals.mutex_init = hwcrhk_mutex_init;
+                        hwcrhk_globals.mutex_acquire = hwcrhk_mutex_lock;
+                        hwcrhk_globals.mutex_release = hwcrhk_mutex_unlock;
+                        hwcrhk_globals.mutex_destroy = hwcrhk_mutex_destroy;
+                        }
+                else if (CRYPTO_get_locking_callback() != NULL)
+                        {
+                        HWCRHKerr(HWCRHK_F_HWCRHK_INIT,HWCRHK_R_DYNAMIC_LOCKING_MISSING);
+                        ERR_add_error_data(1,"You HAVE to add dynamic locking callbacks via CRYPTO_set_dynlock_{create,lock,destroy}_callback()");
+#if 1 /* This is a HACK which will disappear in 0.9.8 */
+                        hwcrhk_globals.maxmutexes    = 1; /* Only have one lock */
+                        hwcrhk_globals.mutex_init    = hwcrhk_static_mutex_init;
+                        hwcrhk_globals.mutex_acquire = hwcrhk_static_mutex_lock;
+                        hwcrhk_globals.mutex_release = hwcrhk_static_mutex_unlock;
+                        hwcrhk_globals.mutex_destroy = hwcrhk_static_mutex_destroy;
+#else
+                        goto err;
+#endif
+                        }
                 }
 
         /* Try and get a context - if not, we may have a DSO but no
@@ -1020,7 +1046,7 @@ static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa)
 
                 /* Perform the operation */
                 ret = p_hwcrhk_ModExpCRT(hwcrhk_context, m_a, m_p, m_q,
-                        m_dmp1, m_dmq1, m_iqmp, &m_r, NULL);
+                        m_dmp1, m_dmq1, m_iqmp, &m_r, &rmsg);
 
                 /* Convert the response */
                 r->top = m_r.size / sizeof(BN_ULONG);
@@ -1171,6 +1197,26 @@ static void hwcrhk_mutex_destroy(HWCryptoHook_Mutex *mt)
         CRYPTO_destroy_dynlockid(mt->lockid);
         }
 
+/* Mutex upcalls to use if the application does not support dynamic locks */
+
+static int hwcrhk_static_mutex_init(HWCryptoHook_Mutex *m,
+        HWCryptoHook_CallerContext *c)
+        {
+        return 0;
+        }
+static int hwcrhk_static_mutex_lock(HWCryptoHook_Mutex *m)
+        {
+        CRYPTO_w_lock(CRYPTO_LOCK_HWCRHK);
+        return 0;
+        }
+static void hwcrhk_static_mutex_unlock(HWCryptoHook_Mutex *m)
+        {
+        CRYPTO_w_unlock(CRYPTO_LOCK_HWCRHK);
+        }
+static void hwcrhk_static_mutex_destroy(HWCryptoHook_Mutex *m)
+        {
+        }
+
 static int hwcrhk_get_pass(const char *prompt_info,
         int *len_io, char *buf,
         HWCryptoHook_PassphraseContext *ppctx,
@@ -1318,7 +1364,7 @@ static void hwcrhk_log_message(void *logstr, const char *message)
                 lstream=*(BIO **)logstr;
         if (lstream)
                 {
-                BIO_write(lstream, message, strlen(message));
+                BIO_printf(lstream, "%s\n", message);
                 }
         CRYPTO_w_unlock(CRYPTO_LOCK_BIO);
         }
diff --git a/src/lib/libssl/src/crypto/engine/hw_ncipher_err.c b/src/lib/libssl/src/crypto/engine/hw_ncipher_err.c
index 24024cfc6f..5bc94581b7 100644
--- a/src/lib/libssl/src/crypto/engine/hw_ncipher_err.c
+++ b/src/lib/libssl/src/crypto/engine/hw_ncipher_err.c
@@ -1,6 +1,6 @@
 /* hw_ncipher_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -86,6 +86,7 @@ static ERR_STRING_DATA HWCRHK_str_reasons[]=
 {HWCRHK_R_CHIL_ERROR                     ,"chil error"},
 {HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED   ,"ctrl command not implemented"},
 {HWCRHK_R_DSO_FAILURE                    ,"dso failure"},
+{HWCRHK_R_DYNAMIC_LOCKING_MISSING        ,"dynamic locking missing"},
 {HWCRHK_R_MISSING_KEY_COMPONENTS         ,"missing key components"},
 {HWCRHK_R_NOT_INITIALISED                ,"not initialised"},
 {HWCRHK_R_NOT_LOADED                     ,"not loaded"},
diff --git a/src/lib/libssl/src/crypto/engine/hw_ncipher_err.h b/src/lib/libssl/src/crypto/engine/hw_ncipher_err.h
index 4d65b1d470..d232d02319 100644
--- a/src/lib/libssl/src/crypto/engine/hw_ncipher_err.h
+++ b/src/lib/libssl/src/crypto/engine/hw_ncipher_err.h
@@ -84,6 +84,7 @@ static void ERR_HWCRHK_error(int function, int reason, char *file, int line);
 #define HWCRHK_R_CHIL_ERROR                              102
 #define HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED            103
 #define HWCRHK_R_DSO_FAILURE                             104
+#define HWCRHK_R_DYNAMIC_LOCKING_MISSING                 114
 #define HWCRHK_R_MISSING_KEY_COMPONENTS                  105
 #define HWCRHK_R_NOT_INITIALISED                         106
 #define HWCRHK_R_NOT_LOADED                              107
diff --git a/src/lib/libssl/src/crypto/engine/hw_nuron.c b/src/lib/libssl/src/crypto/engine/hw_nuron.c
index 130b6d8b40..fb9188bfe5 100644
--- a/src/lib/libssl/src/crypto/engine/hw_nuron.c
+++ b/src/lib/libssl/src/crypto/engine/hw_nuron.c
@@ -374,6 +374,7 @@ static int bind_helper(ENGINE *e)
         return 1;
         }
 
+#ifndef ENGINE_DYNAMIC_SUPPORT
 static ENGINE *engine_nuron(void)
         {
         ENGINE *ret = ENGINE_new();
@@ -396,6 +397,7 @@ void ENGINE_load_nuron(void)
         ENGINE_free(toadd);
         ERR_clear_error();
         }
+#endif
 
 /* This stuff is needed if this ENGINE is being compiled into a self-contained
  * shared-library. */      
diff --git a/src/lib/libssl/src/crypto/engine/hw_ubsec.c b/src/lib/libssl/src/crypto/engine/hw_ubsec.c
index ed8401ec16..6286dd851c 100644
--- a/src/lib/libssl/src/crypto/engine/hw_ubsec.c
+++ b/src/lib/libssl/src/crypto/engine/hw_ubsec.c
@@ -242,6 +242,7 @@ static int bind_helper(ENGINE *e)
         return 1;
         }
 
+#ifndef ENGINE_DYNAMIC_SUPPORT
 static ENGINE *engine_ubsec(void)
         {
         ENGINE *ret = ENGINE_new();
@@ -264,6 +265,7 @@ void ENGINE_load_ubsec(void)
         ENGINE_free(toadd);
         ERR_clear_error();
         }
+#endif
 
 /* This is a process-global DSO handle used for loading and unloading
  * the UBSEC library. NB: This is only set (or unset) during an
diff --git a/src/lib/libssl/src/crypto/engine/tb_cipher.c b/src/lib/libssl/src/crypto/engine/tb_cipher.c
index c5a50fc910..50b3cec1fa 100644
--- a/src/lib/libssl/src/crypto/engine/tb_cipher.c
+++ b/src/lib/libssl/src/crypto/engine/tb_cipher.c
@@ -81,7 +81,7 @@ int ENGINE_register_ciphers(ENGINE *e)
                 int num_nids = e->ciphers(e, NULL, &nids, 0);
                 if(num_nids > 0)
                         return engine_table_register(&cipher_table,
-                                        &engine_unregister_all_ciphers, e, nids,
+                                        engine_unregister_all_ciphers, e, nids,
                                         num_nids, 0);
                 }
         return 1;
@@ -103,7 +103,7 @@ int ENGINE_set_default_ciphers(ENGINE *e)
                 int num_nids = e->ciphers(e, NULL, &nids, 0);
                 if(num_nids > 0)
                         return engine_table_register(&cipher_table,
-                                        &engine_unregister_all_ciphers, e, nids,
+                                        engine_unregister_all_ciphers, e, nids,
                                         num_nids, 1);
                 }
         return 1;
diff --git a/src/lib/libssl/src/crypto/engine/tb_dh.c b/src/lib/libssl/src/crypto/engine/tb_dh.c
index c9347235ea..e290e1702b 100644
--- a/src/lib/libssl/src/crypto/engine/tb_dh.c
+++ b/src/lib/libssl/src/crypto/engine/tb_dh.c
@@ -78,7 +78,7 @@ int ENGINE_register_DH(ENGINE *e)
         {
         if(e->dh_meth)
                 return engine_table_register(&dh_table,
-                                &engine_unregister_all_DH, e, &dummy_nid, 1, 0);
+                                engine_unregister_all_DH, e, &dummy_nid, 1, 0);
         return 1;
         }
 
@@ -94,7 +94,7 @@ int ENGINE_set_default_DH(ENGINE *e)
         {
         if(e->dh_meth)
                 return engine_table_register(&dh_table,
-                                &engine_unregister_all_DH, e, &dummy_nid, 1, 1);
+                                engine_unregister_all_DH, e, &dummy_nid, 1, 1);
         return 1;
         }
 
diff --git a/src/lib/libssl/src/crypto/engine/tb_digest.c b/src/lib/libssl/src/crypto/engine/tb_digest.c
index 2c4dd6f796..e82d2a17c9 100644
--- a/src/lib/libssl/src/crypto/engine/tb_digest.c
+++ b/src/lib/libssl/src/crypto/engine/tb_digest.c
@@ -81,7 +81,7 @@ int ENGINE_register_digests(ENGINE *e)
                 int num_nids = e->digests(e, NULL, &nids, 0);
                 if(num_nids > 0)
                         return engine_table_register(&digest_table,
-                                        &engine_unregister_all_digests, e, nids,
+                                        engine_unregister_all_digests, e, nids,
                                         num_nids, 0);
                 }
         return 1;
@@ -103,7 +103,7 @@ int ENGINE_set_default_digests(ENGINE *e)
                 int num_nids = e->digests(e, NULL, &nids, 0);
                 if(num_nids > 0)
                         return engine_table_register(&digest_table,
-                                        &engine_unregister_all_digests, e, nids,
+                                        engine_unregister_all_digests, e, nids,
                                         num_nids, 1);
                 }
         return 1;
diff --git a/src/lib/libssl/src/crypto/engine/tb_dsa.c b/src/lib/libssl/src/crypto/engine/tb_dsa.c
index e9209476b8..80170591f2 100644
--- a/src/lib/libssl/src/crypto/engine/tb_dsa.c
+++ b/src/lib/libssl/src/crypto/engine/tb_dsa.c
@@ -78,7 +78,7 @@ int ENGINE_register_DSA(ENGINE *e)
         {
         if(e->dsa_meth)
                 return engine_table_register(&dsa_table,
-                                &engine_unregister_all_DSA, e, &dummy_nid, 1, 0);
+                                engine_unregister_all_DSA, e, &dummy_nid, 1, 0);
         return 1;
         }
 
@@ -94,7 +94,7 @@ int ENGINE_set_default_DSA(ENGINE *e)
         {
         if(e->dsa_meth)
                 return engine_table_register(&dsa_table,
-                                &engine_unregister_all_DSA, e, &dummy_nid, 1, 0);
+                                engine_unregister_all_DSA, e, &dummy_nid, 1, 0);
         return 1;
         }
 
diff --git a/src/lib/libssl/src/crypto/engine/tb_rand.c b/src/lib/libssl/src/crypto/engine/tb_rand.c
index 0b1d031f1e..69b67111bc 100644
--- a/src/lib/libssl/src/crypto/engine/tb_rand.c
+++ b/src/lib/libssl/src/crypto/engine/tb_rand.c
@@ -78,7 +78,7 @@ int ENGINE_register_RAND(ENGINE *e)
         {
         if(e->rand_meth)
                 return engine_table_register(&rand_table,
-                                &engine_unregister_all_RAND, e, &dummy_nid, 1, 0);
+                                engine_unregister_all_RAND, e, &dummy_nid, 1, 0);
         return 1;
         }
 
@@ -94,7 +94,7 @@ int ENGINE_set_default_RAND(ENGINE *e)
         {
         if(e->rand_meth)
                 return engine_table_register(&rand_table,
-                                &engine_unregister_all_RAND, e, &dummy_nid, 1, 1);
+                                engine_unregister_all_RAND, e, &dummy_nid, 1, 1);
         return 1;
         }
 
diff --git a/src/lib/libssl/src/crypto/engine/tb_rsa.c b/src/lib/libssl/src/crypto/engine/tb_rsa.c
index f84fea3968..fee4867f52 100644
--- a/src/lib/libssl/src/crypto/engine/tb_rsa.c
+++ b/src/lib/libssl/src/crypto/engine/tb_rsa.c
@@ -78,7 +78,7 @@ int ENGINE_register_RSA(ENGINE *e)
         {
         if(e->rsa_meth)
                 return engine_table_register(&rsa_table,
-                                &engine_unregister_all_RSA, e, &dummy_nid, 1, 0);
+                                engine_unregister_all_RSA, e, &dummy_nid, 1, 0);
         return 1;
         }
 
@@ -94,7 +94,7 @@ int ENGINE_set_default_RSA(ENGINE *e)
         {
         if(e->rsa_meth)
                 return engine_table_register(&rsa_table,
-                                &engine_unregister_all_RSA, e, &dummy_nid, 1, 1);
+                                engine_unregister_all_RSA, e, &dummy_nid, 1, 1);
         return 1;
         }
 
diff --git a/src/lib/libssl/src/crypto/err/Makefile.ssl b/src/lib/libssl/src/crypto/err/Makefile.ssl
index f0c95e2ef2..b253061d07 100644
--- a/src/lib/libssl/src/crypto/err/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/err/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/err/err.c b/src/lib/libssl/src/crypto/err/err.c
index 9b532d1f4c..a4f4a260af 100644
--- a/src/lib/libssl/src/crypto/err/err.c
+++ b/src/lib/libssl/src/crypto/err/err.c
@@ -211,6 +211,7 @@ static ERR_STRING_DATA ERR_str_reasons[]=
 
 {0,NULL},
         };
+#endif
 
 
 /* Define the predeclared (but externally opaque) "ERR_FNS" type */
@@ -491,6 +492,7 @@ static int int_err_get_next_lib(void)
         }
 
 
+#ifndef OPENSSL_NO_ERR
 #define NUM_SYS_STR_REASONS 127
 #define LEN_SYS_STR_REASON 32
 
diff --git a/src/lib/libssl/src/crypto/err/err_all.c b/src/lib/libssl/src/crypto/err/err_all.c
index 90029fd159..dc505d9d9d 100644
--- a/src/lib/libssl/src/crypto/err/err_all.c
+++ b/src/lib/libssl/src/crypto/err/err_all.c
@@ -82,7 +82,9 @@
 #include <openssl/pkcs12.h>
 #include <openssl/rand.h>
 #include <openssl/dso.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
 
@@ -122,7 +124,9 @@ void ERR_load_crypto_strings(void)
         ERR_load_PKCS12_strings();
         ERR_load_RAND_strings();
         ERR_load_DSO_strings();
+#ifndef OPENSSL_NO_ENGINE
         ERR_load_ENGINE_strings();
+#endif
         ERR_load_OCSP_strings();
         ERR_load_UI_strings();
 #endif
diff --git a/src/lib/libssl/src/crypto/err/err_prn.c b/src/lib/libssl/src/crypto/err/err_prn.c
index c156663f0e..81e34bd6ce 100644
--- a/src/lib/libssl/src/crypto/err/err_prn.c
+++ b/src/lib/libssl/src/crypto/err/err_prn.c
@@ -62,7 +62,6 @@
 #include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/err.h>
-#include <openssl/crypto.h>
 
 void ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u),
                          void *u)
diff --git a/src/lib/libssl/src/crypto/evp/Makefile.ssl b/src/lib/libssl/src/crypto/evp/Makefile.ssl
index 58843f61a9..b4172406ae 100644
--- a/src/lib/libssl/src/crypto/evp/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/evp/Makefile.ssl
@@ -70,7 +70,7 @@ links:
         @sh $(TOP)/util/point.sh Makefile.ssl Makefile
         @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
         @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
-        @$(PERL) $(TOP)/util/mklink.pl ../../test $(TESTDATA)
+        cp $(TESTDATA) ../../test
         @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
@@ -89,7 +89,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -496,21 +496,19 @@ evp_acnf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 evp_acnf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 evp_acnf.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 evp_acnf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-evp_acnf.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-evp_acnf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-evp_acnf.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-evp_acnf.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-evp_acnf.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-evp_acnf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-evp_acnf.o: ../../include/openssl/opensslconf.h
+evp_acnf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+evp_acnf.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+evp_acnf.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+evp_acnf.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+evp_acnf.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+evp_acnf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 evp_acnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-evp_acnf.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-evp_acnf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-evp_acnf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-evp_acnf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-evp_acnf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-evp_acnf.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-evp_acnf.o: ../cryptlib.h evp_acnf.c
+evp_acnf.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+evp_acnf.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+evp_acnf.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+evp_acnf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+evp_acnf.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+evp_acnf.o: ../../include/openssl/ui_compat.h ../cryptlib.h evp_acnf.c
 evp_enc.o: ../../e_os.h ../../include/openssl/aes.h
 evp_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 evp_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
diff --git a/src/lib/libssl/src/crypto/evp/bio_b64.c b/src/lib/libssl/src/crypto/evp/bio_b64.c
index f12eac1b55..6e550f6a43 100644
--- a/src/lib/libssl/src/crypto/evp/bio_b64.c
+++ b/src/lib/libssl/src/crypto/evp/bio_b64.c
@@ -165,6 +165,7 @@ static int b64_read(BIO *b, char *out, int outl)
                 {
                 i=ctx->buf_len-ctx->buf_off;
                 if (i > outl) i=outl;
+                OPENSSL_assert(ctx->buf_off+i < sizeof ctx->buf);
                 memcpy(out,&(ctx->buf[ctx->buf_off]),i);
                 ret=i;
                 out+=i;
diff --git a/src/lib/libssl/src/crypto/evp/bio_enc.c b/src/lib/libssl/src/crypto/evp/bio_enc.c
index 64fb2353af..ab81851503 100644
--- a/src/lib/libssl/src/crypto/evp/bio_enc.c
+++ b/src/lib/libssl/src/crypto/evp/bio_enc.c
@@ -132,7 +132,7 @@ static int enc_free(BIO *a)
         if (a == NULL) return(0);
         b=(BIO_ENC_CTX *)a->ptr;
         EVP_CIPHER_CTX_cleanup(&(b->cipher));
-        memset(a->ptr,0,sizeof(BIO_ENC_CTX));
+        OPENSSL_cleanse(a->ptr,sizeof(BIO_ENC_CTX));
         OPENSSL_free(a->ptr);
         a->ptr=NULL;
         a->init=0;
@@ -271,7 +271,7 @@ static int enc_write(BIO *b, const char *in, int inl)
                         if (i <= 0)
                                 {
                                 BIO_copy_next_retry(b);
-                                return(i);
+                                return (ret == inl) ? i : ret - inl;
                                 }
                         n-=i;
                         ctx->buf_off+=i;
@@ -325,10 +325,7 @@ again:
                         {
                         i=enc_write(b,NULL,0);
                         if (i < 0)
-                                {
-                                ret=i;
-                                break;
-                                }
+                                return i;
                         }
 
                 if (!ctx->finished)
diff --git a/src/lib/libssl/src/crypto/evp/bio_ok.c b/src/lib/libssl/src/crypto/evp/bio_ok.c
index d2be03be82..4e3f10141b 100644
--- a/src/lib/libssl/src/crypto/evp/bio_ok.c
+++ b/src/lib/libssl/src/crypto/evp/bio_ok.c
@@ -211,7 +211,7 @@ static int ok_free(BIO *a)
         {
         if (a == NULL) return(0);
         EVP_MD_CTX_cleanup(&((BIO_OK_CTX *)a->ptr)->md);
-        memset(a->ptr,0,sizeof(BIO_OK_CTX));
+        OPENSSL_cleanse(a->ptr,sizeof(BIO_OK_CTX));
         OPENSSL_free(a->ptr);
         a->ptr=NULL;
         a->init=0;
diff --git a/src/lib/libssl/src/crypto/evp/c_all.c b/src/lib/libssl/src/crypto/evp/c_all.c
index 3d59812e20..1b31a14e37 100644
--- a/src/lib/libssl/src/crypto/evp/c_all.c
+++ b/src/lib/libssl/src/crypto/evp/c_all.c
@@ -73,5 +73,9 @@ void OPENSSL_add_all_algorithms_noconf(void)
         {
         OpenSSL_add_all_ciphers();
         OpenSSL_add_all_digests();
-        ENGINE_setup_openbsd();
+#ifndef OPENSSL_NO_ENGINE
+# if defined(__OpenBSD__) || defined(__FreeBSD__)
+        ENGINE_setup_bsd_cryptodev();
+# endif
+#endif
         }
diff --git a/src/lib/libssl/src/crypto/evp/digest.c b/src/lib/libssl/src/crypto/evp/digest.c
index a969ac69ed..b22eed4421 100644
--- a/src/lib/libssl/src/crypto/evp/digest.c
+++ b/src/lib/libssl/src/crypto/evp/digest.c
@@ -113,7 +113,9 @@
 #include "cryptlib.h"
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 
 void EVP_MD_CTX_init(EVP_MD_CTX *ctx)
         {
@@ -138,6 +140,7 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
 int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
         {
         EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
+#ifndef OPENSSL_NO_ENGINE
         /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
          * so this context may already have an ENGINE! Try to avoid releasing
          * the previous handle, re-querying for an ENGINE, and having a
@@ -183,11 +186,13 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
                 else
                         ctx->engine = NULL;
                 }
-        else if(!ctx->digest)
+        else
+        if(!ctx->digest)
                 {
                 EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_NO_DIGEST_SET);
                 return 0;
                 }
+#endif
         if (ctx->digest != type)
                 {
                 if (ctx->digest && ctx->digest->ctx_size)
@@ -196,7 +201,9 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
                 if (type->ctx_size)
                         ctx->md_data=OPENSSL_malloc(type->ctx_size);
                 }
+#ifndef OPENSSL_NO_ENGINE
 skip_to_init:
+#endif
         return ctx->digest->init(ctx);
         }
 
@@ -219,6 +226,8 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
 int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
         {
         int ret;
+
+        OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
         ret=ctx->digest->final(ctx,md);
         if (size != NULL)
                 *size=ctx->digest->md_size;
@@ -244,12 +253,14 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
                 EVPerr(EVP_F_EVP_MD_CTX_COPY,EVP_R_INPUT_NOT_INITIALIZED);
                 return 0;
                 }
+#ifndef OPENSSL_NO_ENGINE
         /* Make sure it's safe to copy a digest context using an ENGINE */
         if (in->engine && !ENGINE_init(in->engine))
                 {
                 EVPerr(EVP_F_EVP_MD_CTX_COPY,ERR_R_ENGINE_LIB);
                 return 0;
                 }
+#endif
 
         EVP_MD_CTX_cleanup(out);
         memcpy(out,in,sizeof *out);
@@ -299,13 +310,15 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
                 ctx->digest->cleanup(ctx);
         if (ctx->digest && ctx->digest->ctx_size && ctx->md_data)
                 {
-                memset(ctx->md_data,0,ctx->digest->ctx_size);
+                OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size);
                 OPENSSL_free(ctx->md_data);
                 }
+#ifndef OPENSSL_NO_ENGINE
         if(ctx->engine)
                 /* The EVP_MD we used belongs to an ENGINE, release the
                  * functional reference we held for this reason. */
                 ENGINE_finish(ctx->engine);
+#endif
         memset(ctx,'\0',sizeof *ctx);
 
         return 1;
diff --git a/src/lib/libssl/src/crypto/evp/e_aes.c b/src/lib/libssl/src/crypto/evp/e_aes.c
index c323fa2892..fe8bcda631 100644
--- a/src/lib/libssl/src/crypto/evp/e_aes.c
+++ b/src/lib/libssl/src/crypto/evp/e_aes.c
@@ -52,7 +52,6 @@
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #include <string.h>
-#include <assert.h>
 #include <openssl/aes.h>
 #include "evp_locl.h"
 
diff --git a/src/lib/libssl/src/crypto/evp/e_idea.c b/src/lib/libssl/src/crypto/evp/e_idea.c
index ed838d3e62..b9efa75ae7 100644
--- a/src/lib/libssl/src/crypto/evp/e_idea.c
+++ b/src/lib/libssl/src/crypto/evp/e_idea.c
@@ -109,7 +109,7 @@ static int idea_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 
                 idea_set_encrypt_key(key,&tmp);
                 idea_set_decrypt_key(&tmp,ctx->cipher_data);
-                memset((unsigned char *)&tmp,0,
+                OPENSSL_cleanse((unsigned char *)&tmp,
                                 sizeof(IDEA_KEY_SCHEDULE));
                 }
         return 1;
diff --git a/src/lib/libssl/src/crypto/evp/e_rc2.c b/src/lib/libssl/src/crypto/evp/e_rc2.c
index 4685198e2e..d42cbfd17e 100644
--- a/src/lib/libssl/src/crypto/evp/e_rc2.c
+++ b/src/lib/libssl/src/crypto/evp/e_rc2.c
@@ -174,6 +174,7 @@ static int rc2_get_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
         if (type != NULL)
                 {
                 l=EVP_CIPHER_CTX_iv_length(c);
+                OPENSSL_assert(l <= sizeof iv);
                 i=ASN1_TYPE_get_int_octetstring(type,&num,iv,l);
                 if (i != l)
                         return(-1);
diff --git a/src/lib/libssl/src/crypto/evp/e_rc4.c b/src/lib/libssl/src/crypto/evp/e_rc4.c
index 4064cc5fa0..d58f507837 100644
--- a/src/lib/libssl/src/crypto/evp/e_rc4.c
+++ b/src/lib/libssl/src/crypto/evp/e_rc4.c
@@ -69,8 +69,6 @@
 
 typedef struct
     {
-    /* FIXME: what is the key for? */
-    unsigned char key[EVP_RC4_KEY_SIZE];
     RC4_KEY ks; /* working key */
     } EVP_RC4_KEY;
 
@@ -121,9 +119,8 @@ const EVP_CIPHER *EVP_rc4_40(void)
 static int rc4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                         const unsigned char *iv, int enc)
         {
-        memcpy(&data(ctx)->key[0],key,EVP_CIPHER_CTX_key_length(ctx));
         RC4_set_key(&data(ctx)->ks,EVP_CIPHER_CTX_key_length(ctx),
-                data(ctx)->key);
+                    key);
         return 1;
         }
 
diff --git a/src/lib/libssl/src/crypto/evp/encode.c b/src/lib/libssl/src/crypto/evp/encode.c
index 12c6379df1..08209357ce 100644
--- a/src/lib/libssl/src/crypto/evp/encode.c
+++ b/src/lib/libssl/src/crypto/evp/encode.c
@@ -136,6 +136,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
 
         *outl=0;
         if (inl == 0) return;
+        OPENSSL_assert(ctx->length <= sizeof ctx->enc_data);
         if ((ctx->num+inl) < ctx->length)
                 {
                 memcpy(&(ctx->enc_data[ctx->num]),in,inl);
@@ -258,6 +259,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
                 /* only save the good data :-) */
                 if (!B64_NOT_BASE64(v))
                         {
+                        OPENSSL_assert(n < sizeof ctx->enc_data);
                         d[n++]=tmp;
                         ln++;
                         }
diff --git a/src/lib/libssl/src/crypto/evp/evp_acnf.c b/src/lib/libssl/src/crypto/evp/evp_acnf.c
index a68b979bdb..ff3e311cc5 100644
--- a/src/lib/libssl/src/crypto/evp/evp_acnf.c
+++ b/src/lib/libssl/src/crypto/evp/evp_acnf.c
@@ -59,7 +59,6 @@
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/conf.h>
-#include <openssl/engine.h>
 
 
 /* Load all algorithms and configure OpenSSL.
diff --git a/src/lib/libssl/src/crypto/evp/evp_enc.c b/src/lib/libssl/src/crypto/evp/evp_enc.c
index 32a1c7a2e9..be0758a879 100644
--- a/src/lib/libssl/src/crypto/evp/evp_enc.c
+++ b/src/lib/libssl/src/crypto/evp/evp_enc.c
@@ -60,11 +60,11 @@
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/err.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 #include "evp_locl.h"
 
-#include <assert.h>
-
 const char *EVP_version="EVP" OPENSSL_VERSION_PTEXT;
 
 void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
@@ -93,6 +93,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
                         enc = 1;
                 ctx->encrypt = enc;
                 }
+#ifndef OPENSSL_NO_ENGINE
         /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
          * so this context may already have an ENGINE! Try to avoid releasing
          * the previous handle, re-querying for an ENGINE, and having a
@@ -100,6 +101,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
         if (ctx->engine && ctx->cipher && (!cipher ||
                         (cipher && (cipher->nid == ctx->cipher->nid))))
                 goto skip_to_init;
+#endif
         if (cipher)
                 {
                 /* Ensure a context left lying around from last time is cleared
@@ -109,6 +111,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
 
                 /* Restore encrypt field: it is zeroed by cleanup */
                 ctx->encrypt = enc;
+#ifndef OPENSSL_NO_ENGINE
                 if(impl)
                         {
                         if (!ENGINE_init(impl))
@@ -142,6 +145,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
                         }
                 else
                         ctx->engine = NULL;
+#endif
 
                 ctx->cipher=cipher;
                 ctx->cipher_data=OPENSSL_malloc(ctx->cipher->ctx_size);
@@ -161,11 +165,13 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
                 EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_NO_CIPHER_SET);
                 return 0;
                 }
+#ifndef OPENSSL_NO_ENGINE
 skip_to_init:
+#endif
         /* we assume block size is a power of 2 in *cryptUpdate */
-        assert(ctx->cipher->block_size == 1
-               || ctx->cipher->block_size == 8
-               || ctx->cipher->block_size == 16);
+        OPENSSL_assert(ctx->cipher->block_size == 1
+            || ctx->cipher->block_size == 8
+            || ctx->cipher->block_size == 16);
 
         if(!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) {
                 switch(EVP_CIPHER_CTX_mode(ctx)) {
@@ -181,6 +187,7 @@ skip_to_init:
 
                         case EVP_CIPH_CBC_MODE:
 
+                        OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) <= sizeof ctx->iv);
                         if(iv) memcpy(ctx->oiv, iv, EVP_CIPHER_CTX_iv_length(ctx));
                         memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx));
                         break;
@@ -237,7 +244,7 @@ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *imp
 int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
              const unsigned char *key, const unsigned char *iv)
         {
-        return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0);
+        return EVP_CipherInit(ctx, cipher, key, iv, 0);
         }
 
 int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl,
@@ -251,6 +258,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
         {
         int i,j,bl;
 
+        OPENSSL_assert(inl > 0);
         if(ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0)
                 {
                 if(ctx->cipher->do_cipher(ctx,out,in,inl))
@@ -266,6 +274,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
                 }
         i=ctx->buf_len;
         bl=ctx->cipher->block_size;
+        OPENSSL_assert(bl <= sizeof ctx->buf);
         if (i != 0)
                 {
                 if (i+inl < bl)
@@ -314,6 +323,7 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
         int i,n,b,bl,ret;
 
         b=ctx->cipher->block_size;
+        OPENSSL_assert(b <= sizeof ctx->buf);
         if (b == 1)
                 {
                 *outl=0;
@@ -358,6 +368,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
                 return EVP_EncryptUpdate(ctx, out, outl, in, inl);
 
         b=ctx->cipher->block_size;
+        OPENSSL_assert(b <= sizeof ctx->final);
 
         if(ctx->final_used)
                 {
@@ -420,6 +431,7 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
                         EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_WRONG_FINAL_BLOCK_LENGTH);
                         return(0);
                         }
+                OPENSSL_assert(b <= sizeof ctx->final);
                 n=ctx->final[b-1];
                 if (n > b)
                         {
@@ -450,16 +462,18 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
                 {
                 if(c->cipher->cleanup && !c->cipher->cleanup(c))
                         return 0;
-                /* Zero cipher context data */
+                /* Cleanse cipher context data */
                 if (c->cipher_data)
-                        memset(c->cipher_data, 0, c->cipher->ctx_size);
+                        OPENSSL_cleanse(c->cipher_data, c->cipher->ctx_size);
                 }
         if (c->cipher_data)
                 OPENSSL_free(c->cipher_data);
+#ifndef OPENSSL_NO_ENGINE
         if (c->engine)
                 /* The EVP_CIPHER we used belongs to an ENGINE, release the
                  * functional reference we held for this reason. */
                 ENGINE_finish(c->engine);
+#endif
         memset(c,0,sizeof(EVP_CIPHER_CTX));
         return 1;
         }
diff --git a/src/lib/libssl/src/crypto/evp/evp_key.c b/src/lib/libssl/src/crypto/evp/evp_key.c
index 4271393069..5f387a94d3 100644
--- a/src/lib/libssl/src/crypto/evp/evp_key.c
+++ b/src/lib/libssl/src/crypto/evp/evp_key.c
@@ -103,7 +103,7 @@ int EVP_read_pw_string(char *buf, int len, const char *prompt, int verify)
                         buff,0,(len>=BUFSIZ)?BUFSIZ-1:len,buf);
         ret = UI_process(ui);
         UI_free(ui);
-        memset(buff,0,BUFSIZ);
+        OPENSSL_cleanse(buff,BUFSIZ);
         return ret;
         }
 
@@ -118,6 +118,8 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
 
         nkey=type->key_len;
         niv=type->iv_len;
+        OPENSSL_assert(nkey <= EVP_MAX_KEY_LENGTH);
+        OPENSSL_assert(niv <= EVP_MAX_IV_LENGTH);
 
         if (data == NULL) return(nkey);
 
@@ -166,7 +168,7 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
                 if ((nkey == 0) && (niv == 0)) break;
                 }
         EVP_MD_CTX_cleanup(&c);
-        memset(&(md_buf[0]),0,EVP_MAX_MD_SIZE);
+        OPENSSL_cleanse(&(md_buf[0]),EVP_MAX_MD_SIZE);
         return(type->key_len);
         }
 
diff --git a/src/lib/libssl/src/crypto/evp/evp_lib.c b/src/lib/libssl/src/crypto/evp/evp_lib.c
index a431945ef5..52a3b287be 100644
--- a/src/lib/libssl/src/crypto/evp/evp_lib.c
+++ b/src/lib/libssl/src/crypto/evp/evp_lib.c
@@ -90,6 +90,7 @@ int EVP_CIPHER_get_asn1_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
         if (type != NULL) 
                 {
                 l=EVP_CIPHER_CTX_iv_length(c);
+                OPENSSL_assert(l <= sizeof c->iv);
                 i=ASN1_TYPE_get_octetstring(type,c->oiv,l);
                 if (i != l)
                         return(-1);
@@ -106,6 +107,7 @@ int EVP_CIPHER_set_asn1_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
         if (type != NULL)
                 {
                 j=EVP_CIPHER_CTX_iv_length(c);
+                OPENSSL_assert(j <= sizeof c->iv);
                 i=ASN1_TYPE_set_octetstring(type,c->oiv,j);
                 }
         return(i);
diff --git a/src/lib/libssl/src/crypto/evp/evp_pbe.c b/src/lib/libssl/src/crypto/evp/evp_pbe.c
index 4234cd7684..bc98e63363 100644
--- a/src/lib/libssl/src/crypto/evp/evp_pbe.c
+++ b/src/lib/libssl/src/crypto/evp/evp_pbe.c
@@ -88,7 +88,7 @@ int EVP_PBE_CipherInit (ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
                 char obj_tmp[80];
                 EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_PBE_ALGORITHM);
                 if (!pbe_obj) strlcpy (obj_tmp, "NULL", sizeof obj_tmp);
-                else i2t_ASN1_OBJECT(obj_tmp, 80, pbe_obj);
+                else i2t_ASN1_OBJECT(obj_tmp, sizeof obj_tmp, pbe_obj);
                 ERR_add_error_data(2, "TYPE=", obj_tmp);
                 return 0;
         }
diff --git a/src/lib/libssl/src/crypto/evp/evp_test.c b/src/lib/libssl/src/crypto/evp/evp_test.c
index 90294ef686..28460173f7 100644
--- a/src/lib/libssl/src/crypto/evp/evp_test.c
+++ b/src/lib/libssl/src/crypto/evp/evp_test.c
@@ -49,8 +49,14 @@
 
 #include <stdio.h>
 #include <string.h>
+
+#include "../e_os.h"
+
 #include <openssl/evp.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
+#include <openssl/err.h>
 #include <openssl/conf.h>
 
 static void hexdump(FILE *f,const char *title,const unsigned char *s,int l)
@@ -78,7 +84,7 @@ static int convert(unsigned char *s)
         if(!s[1])
             {
             fprintf(stderr,"Odd number of hex digits!");
-            exit(4);
+            EXIT(4);
             }
         sscanf((char *)s,"%2x",&n);
         *d=(unsigned char)n;
@@ -120,6 +126,12 @@ static char *sstrsep(char **string, const char *delim)
 static unsigned char *ustrsep(char **p,const char *sep)
     { return (unsigned char *)sstrsep(p,sep); }
 
+static int test1_exit(int ec)
+        {
+        EXIT(ec);
+        return(0);              /* To keep some compilers quiet */
+        }
+
 static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
                   const unsigned char *iv,int in,
                   const unsigned char *plaintext,int pn,
@@ -142,7 +154,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
         {
         fprintf(stderr,"Key length doesn't match, got %d expected %d\n",kn,
                 c->key_len);
-        exit(5);
+        test1_exit(5);
         }
     EVP_CIPHER_CTX_init(&ctx);
     if (encdec != 0)
@@ -150,26 +162,26 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
         if(!EVP_EncryptInit_ex(&ctx,c,NULL,key,iv))
             {
             fprintf(stderr,"EncryptInit failed\n");
-            exit(10);
+            test1_exit(10);
             }
         EVP_CIPHER_CTX_set_padding(&ctx,0);
 
         if(!EVP_EncryptUpdate(&ctx,out,&outl,plaintext,pn))
             {
             fprintf(stderr,"Encrypt failed\n");
-            exit(6);
+            test1_exit(6);
             }
         if(!EVP_EncryptFinal_ex(&ctx,out+outl,&outl2))
             {
             fprintf(stderr,"EncryptFinal failed\n");
-            exit(7);
+            test1_exit(7);
             }
 
         if(outl+outl2 != cn)
             {
             fprintf(stderr,"Ciphertext length mismatch got %d expected %d\n",
                     outl+outl2,cn);
-            exit(8);
+            test1_exit(8);
             }
 
         if(memcmp(out,ciphertext,cn))
@@ -177,7 +189,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
             fprintf(stderr,"Ciphertext mismatch\n");
             hexdump(stderr,"Got",out,cn);
             hexdump(stderr,"Expected",ciphertext,cn);
-            exit(9);
+            test1_exit(9);
             }
         }
 
@@ -186,26 +198,26 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
         if(!EVP_DecryptInit_ex(&ctx,c,NULL,key,iv))
             {
             fprintf(stderr,"DecryptInit failed\n");
-            exit(11);
+            test1_exit(11);
             }
         EVP_CIPHER_CTX_set_padding(&ctx,0);
 
         if(!EVP_DecryptUpdate(&ctx,out,&outl,ciphertext,cn))
             {
             fprintf(stderr,"Decrypt failed\n");
-            exit(6);
+            test1_exit(6);
             }
         if(!EVP_DecryptFinal_ex(&ctx,out+outl,&outl2))
             {
             fprintf(stderr,"DecryptFinal failed\n");
-            exit(7);
+            test1_exit(7);
             }
 
         if(outl+outl2 != cn)
             {
             fprintf(stderr,"Plaintext length mismatch got %d expected %d\n",
                     outl+outl2,cn);
-            exit(8);
+            test1_exit(8);
             }
 
         if(memcmp(out,plaintext,cn))
@@ -213,7 +225,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
             fprintf(stderr,"Plaintext mismatch\n");
             hexdump(stderr,"Got",out,cn);
             hexdump(stderr,"Expected",plaintext,cn);
-            exit(9);
+            test1_exit(9);
             }
         }
 
@@ -260,24 +272,24 @@ static int test_digest(const char *digest,
     if(!EVP_DigestInit_ex(&ctx,d, NULL))
         {
         fprintf(stderr,"DigestInit failed\n");
-        exit(100);
+        EXIT(100);
         }
     if(!EVP_DigestUpdate(&ctx,plaintext,pn))
         {
         fprintf(stderr,"DigestUpdate failed\n");
-        exit(101);
+        EXIT(101);
         }
     if(!EVP_DigestFinal_ex(&ctx,md,&mdn))
         {
         fprintf(stderr,"DigestFinal failed\n");
-        exit(101);
+        EXIT(101);
         }
     EVP_MD_CTX_cleanup(&ctx);
 
     if(mdn != cn)
         {
         fprintf(stderr,"Digest length mismatch, got %d expected %d\n",mdn,cn);
-        exit(102);
+        EXIT(102);
         }
 
     if(memcmp(md,ciphertext,cn))
@@ -285,7 +297,7 @@ static int test_digest(const char *digest,
         fprintf(stderr,"Digest mismatch\n");
         hexdump(stderr,"Got",md,cn);
         hexdump(stderr,"Expected",ciphertext,cn);
-        exit(103);
+        EXIT(103);
         }
 
     printf("\n");
@@ -303,7 +315,7 @@ int main(int argc,char **argv)
     if(argc != 2)
         {
         fprintf(stderr,"%s <test file>\n",argv[0]);
-        exit(1);
+        EXIT(1);
         }
     CRYPTO_malloc_debug_init();
     CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
@@ -315,17 +327,20 @@ int main(int argc,char **argv)
     if(!f)
         {
         perror(szTestFile);
-        exit(2);
+        EXIT(2);
         }
 
     /* Load up the software EVP_CIPHER and EVP_MD definitions */
     OpenSSL_add_all_ciphers();
     OpenSSL_add_all_digests();
+#ifndef OPENSSL_NO_ENGINE
     /* Load all compiled-in ENGINEs */
     ENGINE_load_builtin_engines();
+#endif
 #if 0
     OPENSSL_config();
 #endif
+#ifndef OPENSSL_NO_ENGINE
     /* Register all available ENGINE implementations of ciphers and digests.
      * This could perhaps be changed to "ENGINE_register_all_complete()"? */
     ENGINE_register_all_ciphers();
@@ -334,6 +349,7 @@ int main(int argc,char **argv)
      * It'll prevent ENGINEs being ENGINE_init()ialised for cipher/digest use if
      * they weren't already initialised. */
     /* ENGINE_set_cipher_flags(ENGINE_CIPHER_FLAG_NOINIT); */
+#endif
 
     for( ; ; )
         {
@@ -371,11 +387,13 @@ int main(int argc,char **argv)
            && !test_digest(cipher,plaintext,pn,ciphertext,cn))
             {
             fprintf(stderr,"Can't find %s\n",cipher);
-            exit(3);
+            EXIT(3);
             }
         }
 
+#ifndef OPENSSL_NO_ENGINE
     ENGINE_cleanup();
+#endif
     EVP_cleanup();
     CRYPTO_cleanup_all_ex_data();
     ERR_remove_state(0);
diff --git a/src/lib/libssl/src/crypto/evp/p5_crpt.c b/src/lib/libssl/src/crypto/evp/p5_crpt.c
index 27a8286489..a1874e83b2 100644
--- a/src/lib/libssl/src/crypto/evp/p5_crpt.c
+++ b/src/lib/libssl/src/crypto/evp/p5_crpt.c
@@ -140,12 +140,14 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
                 EVP_DigestFinal_ex (&ctx, md_tmp, NULL);
         }
         EVP_MD_CTX_cleanup(&ctx);
+        OPENSSL_assert(EVP_CIPHER_key_length(cipher) <= sizeof md_tmp);
         memcpy(key, md_tmp, EVP_CIPHER_key_length(cipher));
+        OPENSSL_assert(EVP_CIPHER_iv_length(cipher) <= 16);
         memcpy(iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)),
                                                  EVP_CIPHER_iv_length(cipher));
         EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de);
-        memset(md_tmp, 0, EVP_MAX_MD_SIZE);
-        memset(key, 0, EVP_MAX_KEY_LENGTH);
-        memset(iv, 0, EVP_MAX_IV_LENGTH);
+        OPENSSL_cleanse(md_tmp, EVP_MAX_MD_SIZE);
+        OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
+        OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
         return 1;
 }
diff --git a/src/lib/libssl/src/crypto/evp/p5_crpt2.c b/src/lib/libssl/src/crypto/evp/p5_crpt2.c
index 7485d6a278..1f94e1ef88 100644
--- a/src/lib/libssl/src/crypto/evp/p5_crpt2.c
+++ b/src/lib/libssl/src/crypto/evp/p5_crpt2.c
@@ -190,6 +190,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
                 goto err;
         }
         keylen = EVP_CIPHER_CTX_key_length(ctx);
+        OPENSSL_assert(keylen <= sizeof key);
 
         /* Now decode key derivation function */
 
@@ -230,7 +231,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
         iter = ASN1_INTEGER_get(kdf->iter);
         PKCS5_PBKDF2_HMAC_SHA1(pass, passlen, salt, saltlen, iter, keylen, key);
         EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
-        memset(key, 0, keylen);
+        OPENSSL_cleanse(key, keylen);
         PBKDF2PARAM_free(kdf);
         return 1;
 
diff --git a/src/lib/libssl/src/crypto/evp/p_open.c b/src/lib/libssl/src/crypto/evp/p_open.c
index 6976f2a867..5a933d1cda 100644
--- a/src/lib/libssl/src/crypto/evp/p_open.c
+++ b/src/lib/libssl/src/crypto/evp/p_open.c
@@ -101,7 +101,7 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char *ek,
 
         ret=1;
 err:
-        if (key != NULL) memset(key,0,size);
+        if (key != NULL) OPENSSL_cleanse(key,size);
         OPENSSL_free(key);
         return(ret);
         }
diff --git a/src/lib/libssl/src/crypto/hmac/Makefile.ssl b/src/lib/libssl/src/crypto/hmac/Makefile.ssl
index 2bb3264f0e..f1c07322c4 100644
--- a/src/lib/libssl/src/crypto/hmac/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/hmac/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -79,21 +79,23 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-hmac.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
+hmac.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
 hmac.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-hmac.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
-hmac.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-hmac.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-hmac.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+hmac.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+hmac.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+hmac.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+hmac.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+hmac.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 hmac.o: ../../include/openssl/evp.h ../../include/openssl/hmac.h
-hmac.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
-hmac.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-hmac.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-hmac.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-hmac.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-hmac.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-hmac.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-hmac.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-hmac.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-hmac.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-hmac.o: ../../include/openssl/ui_compat.h hmac.c
+hmac.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+hmac.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+hmac.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+hmac.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+hmac.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+hmac.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
+hmac.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+hmac.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+hmac.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+hmac.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+hmac.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+hmac.o: ../cryptlib.h hmac.c
diff --git a/src/lib/libssl/src/crypto/hmac/hmac.c b/src/lib/libssl/src/crypto/hmac/hmac.c
index da363b7950..4c91f919d5 100644
--- a/src/lib/libssl/src/crypto/hmac/hmac.c
+++ b/src/lib/libssl/src/crypto/hmac/hmac.c
@@ -59,6 +59,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <openssl/hmac.h>
+#include "cryptlib.h"
 
 void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
                   const EVP_MD *md, ENGINE *impl)
@@ -78,6 +79,7 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
                 {
                 reset=1;
                 j=EVP_MD_block_size(md);
+                OPENSSL_assert(j <= sizeof ctx->key);
                 if (j < len)
                         {
                         EVP_DigestInit_ex(&ctx->md_ctx,md, impl);
@@ -87,6 +89,7 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
                         }
                 else
                         {
+                        OPENSSL_assert(len <= sizeof ctx->key);
                         memcpy(ctx->key,key,len);
                         ctx->key_length=len;
                         }
diff --git a/src/lib/libssl/src/crypto/hmac/hmactest.c b/src/lib/libssl/src/crypto/hmac/hmactest.c
index 96d3beb8e6..1b906b81af 100644
--- a/src/lib/libssl/src/crypto/hmac/hmactest.c
+++ b/src/lib/libssl/src/crypto/hmac/hmactest.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_HMAC
 int main(int argc, char *argv[])
 {
@@ -68,12 +70,15 @@ int main(int argc, char *argv[])
 }
 #else
 #include <openssl/hmac.h>
+#ifndef OPENSSL_NO_MD5
 #include <openssl/md5.h>
+#endif
 
 #ifdef CHARSET_EBCDIC
 #include <openssl/ebcdic.h>
 #endif
 
+#ifndef OPENSSL_NO_MD5
 static struct test_st
         {
         unsigned char key[16];
@@ -113,13 +118,20 @@ static struct test_st
                 (unsigned char *)"56be34521d144c88dbb8c733f0e8b3f6",
         },
         };
-
+#endif
 
 static char *pt(unsigned char *md);
 int main(int argc, char *argv[])
         {
-        int i,err=0;
+#ifndef OPENSSL_NO_MD5
+        int i;
         char *p;
+#endif
+        int err=0;
+
+#ifdef OPENSSL_NO_MD5
+        printf("test skipped: MD5 disabled\n");
+#else
 
 #ifdef CHARSET_EBCDIC
         ebcdic2ascii(test[0].data, test[0].data, test[0].data_len);
@@ -144,10 +156,12 @@ int main(int argc, char *argv[])
                 else
                         printf("test %d ok\n",i);
                 }
-        exit(err);
+#endif /* OPENSSL_NO_MD5 */
+        EXIT(err);
         return(0);
         }
 
+#ifndef OPENSSL_NO_MD5
 static char *pt(unsigned char *md)
         {
         int i;
@@ -158,3 +172,4 @@ static char *pt(unsigned char *md)
         return(buf);
         }
 #endif
+#endif
diff --git a/src/lib/libssl/src/crypto/idea/Makefile.ssl b/src/lib/libssl/src/crypto/idea/Makefile.ssl
index 87c9aa484b..fa016ea399 100644
--- a/src/lib/libssl/src/crypto/idea/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/idea/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/krb5/Makefile.ssl b/src/lib/libssl/src/crypto/krb5/Makefile.ssl
index 7ad0cbb0bc..d9224c0f09 100644
--- a/src/lib/libssl/src/crypto/krb5/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/krb5/Makefile.ssl
@@ -41,7 +41,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -69,7 +69,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/lhash/Makefile.ssl b/src/lib/libssl/src/crypto/lhash/Makefile.ssl
index b3ad272cf7..60e7ee3393 100644
--- a/src/lib/libssl/src/crypto/lhash/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/lhash/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/lhash/lh_stats.c b/src/lib/libssl/src/crypto/lhash/lh_stats.c
index 8e6f57c741..5aa7766aa6 100644
--- a/src/lib/libssl/src/crypto/lhash/lh_stats.c
+++ b/src/lib/libssl/src/crypto/lhash/lh_stats.c
@@ -179,63 +179,29 @@ end:;
 
 void lh_stats_bio(const LHASH *lh, BIO *out)
         {
-        char buf[128];
-
-        snprintf(buf,sizeof buf,"num_items             = %lu\n",lh->num_items);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_nodes             = %u\n",lh->num_nodes);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_alloc_nodes       = %u\n",
-                 lh->num_alloc_nodes);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_expands           = %lu\n",
-                 lh->num_expands);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_expand_reallocs   = %lu\n",
-                 lh->num_expand_reallocs);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_contracts         = %lu\n",
-                 lh->num_contracts);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_contract_reallocs = %lu\n",
-                 lh->num_contract_reallocs);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_hash_calls        = %lu\n",
-                 lh->num_hash_calls);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_comp_calls        = %lu\n",
-                 lh->num_comp_calls);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_insert            = %lu\n",
-                 lh->num_insert);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_replace           = %lu\n",
-                 lh->num_replace);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_delete            = %lu\n",
-                 lh->num_delete);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_no_delete         = %lu\n",
-                 lh->num_no_delete);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_retrieve          = %lu\n",
-                 lh->num_retrieve);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_retrieve_miss     = %lu\n",
-                 lh->num_retrieve_miss);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"num_hash_comps        = %lu\n",
-                 lh->num_hash_comps);
-        BIO_puts(out,buf);
+        BIO_printf(out,"num_items             = %lu\n",lh->num_items);
+        BIO_printf(out,"num_nodes             = %u\n",lh->num_nodes);
+        BIO_printf(out,"num_alloc_nodes       = %u\n",lh->num_alloc_nodes);
+        BIO_printf(out,"num_expands           = %lu\n",lh->num_expands);
+        BIO_printf(out,"num_expand_reallocs   = %lu\n",
+                   lh->num_expand_reallocs);
+        BIO_printf(out,"num_contracts         = %lu\n",lh->num_contracts);
+        BIO_printf(out,"num_contract_reallocs = %lu\n",
+                   lh->num_contract_reallocs);
+        BIO_printf(out,"num_hash_calls        = %lu\n",lh->num_hash_calls);
+        BIO_printf(out,"num_comp_calls        = %lu\n",lh->num_comp_calls);
+        BIO_printf(out,"num_insert            = %lu\n",lh->num_insert);
+        BIO_printf(out,"num_replace           = %lu\n",lh->num_replace);
+        BIO_printf(out,"num_delete            = %lu\n",lh->num_delete);
+        BIO_printf(out,"num_no_delete         = %lu\n",lh->num_no_delete);
+        BIO_printf(out,"num_retrieve          = %lu\n",lh->num_retrieve);
+        BIO_printf(out,"num_retrieve_miss     = %lu\n",lh->num_retrieve_miss);
+        BIO_printf(out,"num_hash_comps        = %lu\n",lh->num_hash_comps);
 #if 0
-        snprintf(buf,sizeof buf,"p                     = %u\n",lh->p);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"pmax                  = %u\n",lh->pmax);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"up_load               = %lu\n",lh->up_load);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"down_load             = %lu\n",lh->down_load);
-        BIO_puts(out,buf);
+        BIO_printf(out,"p                     = %u\n",lh->p);
+        BIO_printf(out,"pmax                  = %u\n",lh->pmax);
+        BIO_printf(out,"up_load               = %lu\n",lh->up_load);
+        BIO_printf(out,"down_load             = %lu\n",lh->down_load);
 #endif
         }
 
@@ -243,14 +209,12 @@ void lh_node_stats_bio(const LHASH *lh, BIO *out)
         {
         LHASH_NODE *n;
         unsigned int i,num;
-        char buf[128];
 
         for (i=0; i<lh->num_nodes; i++)
                 {
                 for (n=lh->b[i],num=0; n != NULL; n=n->next)
                         num++;
-                snprintf(buf,sizeof buf,"node %6u -> %3u\n",i,num);
-                BIO_puts(out,buf);
+                BIO_printf(out,"node %6u -> %3u\n",i,num);
                 }
         }
 
@@ -260,7 +224,6 @@ void lh_node_usage_stats_bio(const LHASH *lh, BIO *out)
         unsigned long num;
         unsigned int i;
         unsigned long total=0,n_used=0;
-        char buf[128];
 
         for (i=0; i<lh->num_nodes; i++)
                 {
@@ -272,18 +235,14 @@ void lh_node_usage_stats_bio(const LHASH *lh, BIO *out)
                         total+=num;
                         }
                 }
-        snprintf(buf,sizeof buf,"%lu nodes used out of %u\n",n_used,
-                 lh->num_nodes);
-        BIO_puts(out,buf);
-        snprintf(buf,sizeof buf,"%lu items\n",total);
-        BIO_puts(out,buf);
+        BIO_printf(out,"%lu nodes used out of %u\n",n_used,lh->num_nodes);
+        BIO_printf(out,"%lu items\n",total);
         if (n_used == 0) return;
-        snprintf(buf,sizeof buf,"load %d.%02d  actual load %d.%02d\n",
-                (int)(total/lh->num_nodes),
-                (int)((total%lh->num_nodes)*100/lh->num_nodes),
-                (int)(total/n_used),
-                (int)((total%n_used)*100/n_used));
-        BIO_puts(out,buf);
+        BIO_printf(out,"load %d.%02d  actual load %d.%02d\n",
+                   (int)(total/lh->num_nodes),
+                   (int)((total%lh->num_nodes)*100/lh->num_nodes),
+                   (int)(total/n_used),
+                   (int)((total%n_used)*100/n_used));
         }
 
 #endif
diff --git a/src/lib/libssl/src/crypto/md2/Makefile.ssl b/src/lib/libssl/src/crypto/md2/Makefile.ssl
index e89a17f3a4..3206924c90 100644
--- a/src/lib/libssl/src/crypto/md2/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/md2/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -79,8 +79,11 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
+md2_dgst.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 md2_dgst.o: ../../include/openssl/md2.h ../../include/openssl/opensslconf.h
-md2_dgst.o: ../../include/openssl/opensslv.h md2_dgst.c
+md2_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+md2_dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+md2_dgst.o: md2_dgst.c
 md2_one.o: ../../e_os.h ../../include/openssl/bio.h
 md2_one.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 md2_one.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
diff --git a/src/lib/libssl/src/crypto/md2/md2_dgst.c b/src/lib/libssl/src/crypto/md2/md2_dgst.c
index e25dd00e02..ecb64f0ec4 100644
--- a/src/lib/libssl/src/crypto/md2/md2_dgst.c
+++ b/src/lib/libssl/src/crypto/md2/md2_dgst.c
@@ -61,6 +61,7 @@
 #include <string.h>
 #include <openssl/md2.h>
 #include <openssl/opensslv.h>
+#include <openssl/crypto.h>
 
 const char *MD2_version="MD2" OPENSSL_VERSION_PTEXT;
 
@@ -118,9 +119,9 @@ const char *MD2_options(void)
 int MD2_Init(MD2_CTX *c)
         {
         c->num=0;
-        memset(c->state,0,MD2_BLOCK*sizeof(MD2_INT));
-        memset(c->cksm,0,MD2_BLOCK*sizeof(MD2_INT));
-        memset(c->data,0,MD2_BLOCK);
+        memset(c->state,0,sizeof c->state);
+        memset(c->cksm,0,sizeof c->cksm);
+        memset(c->data,0,sizeof c->data);
         return 1;
         }
 
@@ -196,7 +197,7 @@ static void md2_block(MD2_CTX *c, const unsigned char *d)
                 t=(t+i)&0xff;
                 }
         memcpy(sp1,state,16*sizeof(MD2_INT));
-        memset(state,0,48*sizeof(MD2_INT));
+        OPENSSL_cleanse(state,48*sizeof(MD2_INT));
         }
 
 int MD2_Final(unsigned char *md, MD2_CTX *c)
diff --git a/src/lib/libssl/src/crypto/md2/md2_one.c b/src/lib/libssl/src/crypto/md2/md2_one.c
index b12c37ce4d..835160ef56 100644
--- a/src/lib/libssl/src/crypto/md2/md2_one.c
+++ b/src/lib/libssl/src/crypto/md2/md2_one.c
@@ -88,6 +88,6 @@ unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md)
         }
 #endif
         MD2_Final(md,&c);
-        memset(&c,0,sizeof(c)); /* Security consideration */
+        OPENSSL_cleanse(&c,sizeof(c));  /* Security consideration */
         return(md);
         }
diff --git a/src/lib/libssl/src/crypto/md2/md2test.c b/src/lib/libssl/src/crypto/md2/md2test.c
index 7d3664faf5..901d0a7d8e 100644
--- a/src/lib/libssl/src/crypto/md2/md2test.c
+++ b/src/lib/libssl/src/crypto/md2/md2test.c
@@ -61,6 +61,8 @@
 #include <string.h>
 #include <openssl/md2.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_MD2
 int main(int argc, char *argv[])
 {
@@ -122,8 +124,7 @@ int main(int argc, char *argv[])
                 R++;
                 P++;
                 }
-        exit(err);
-        return(0);
+        EXIT(err);
         }
 
 static char *pt(unsigned char *md)
diff --git a/src/lib/libssl/src/crypto/md32_common.h b/src/lib/libssl/src/crypto/md32_common.h
index 353d2b96ad..573850b122 100644
--- a/src/lib/libssl/src/crypto/md32_common.h
+++ b/src/lib/libssl/src/crypto/md32_common.h
@@ -1,6 +1,6 @@
 /* crypto/md32_common.h */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -198,7 +198,7 @@
    *
    *                                    <appro@fy.chalmers.se>
    */
-#  if defined(__i386) || defined(__i386__)
+#  if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
 #   define ROTATE(a,n)  ({ register unsigned int ret;   \
                                 asm (                   \
                                 "roll %1,%0"            \
@@ -224,7 +224,7 @@
  */
 # if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
   /* some GNU C inline assembler templates by <appro@fy.chalmers.se> */
-#  if (defined(__i386) || defined(__i386__)) && !defined(I386_ONLY)
+#  if (defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)) && !defined(I386_ONLY)
 #   define BE_FETCH32(a)        ({ register unsigned int l=(a);\
                                 asm (                   \
                                 "bswapl %0"             \
@@ -456,7 +456,10 @@ int HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len)
                                 {
                                 ew=(c->num>>2);
                                 ec=(c->num&0x03);
-                                l=p[sw]; HOST_p_c2l(data,l,sc); p[sw++]=l;
+                                if (sc)
+                                        l=p[sw];
+                                HOST_p_c2l(data,l,sc);
+                                p[sw++]=l;
                                 for (; sw < ew; sw++)
                                         {
                                         HOST_c2l(data,l); p[sw]=l;
@@ -603,7 +606,32 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c)
         c->num=0;
         /* clear stuff, HASH_BLOCK may be leaving some stuff on the stack
          * but I'm not worried :-)
-        memset((void *)c,0,sizeof(HASH_CTX));
+        OPENSSL_cleanse((void *)c,sizeof(HASH_CTX));
          */
         return 1;
         }
+
+#ifndef MD32_REG_T
+#define MD32_REG_T long
+/*
+ * This comment was originaly written for MD5, which is why it
+ * discusses A-D. But it basically applies to all 32-bit digests,
+ * which is why it was moved to common header file.
+ *
+ * In case you wonder why A-D are declared as long and not
+ * as MD5_LONG. Doing so results in slight performance
+ * boost on LP64 architectures. The catch is we don't
+ * really care if 32 MSBs of a 64-bit register get polluted
+ * with eventual overflows as we *save* only 32 LSBs in
+ * *either* case. Now declaring 'em long excuses the compiler
+ * from keeping 32 MSBs zeroed resulting in 13% performance
+ * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
+ * Well, to be honest it should say that this *prevents* 
+ * performance degradation.
+ *                              <appro@fy.chalmers.se>
+ * Apparently there're LP64 compilers that generate better
+ * code if A-D are declared int. Most notably GCC-x86_64
+ * generates better code.
+ *                              <appro@fy.chalmers.se>
+ */
+#endif
diff --git a/src/lib/libssl/src/crypto/md4/Makefile.ssl b/src/lib/libssl/src/crypto/md4/Makefile.ssl
index 1de72571d8..7d2e8d8d3b 100644
--- a/src/lib/libssl/src/crypto/md4/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/md4/Makefile.ssl
@@ -69,7 +69,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -84,5 +84,8 @@ md4_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/md4.h
 md4_dgst.o: ../../include/openssl/opensslconf.h
 md4_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md4_dgst.c
 md4_dgst.o: md4_locl.h
-md4_one.o: ../../include/openssl/e_os2.h ../../include/openssl/md4.h
-md4_one.o: ../../include/openssl/opensslconf.h md4_one.c
+md4_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+md4_one.o: ../../include/openssl/md4.h ../../include/openssl/opensslconf.h
+md4_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+md4_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+md4_one.o: md4_one.c
diff --git a/src/lib/libssl/src/crypto/md4/md4.c b/src/lib/libssl/src/crypto/md4/md4.c
index e4b0aac011..141415ad4d 100644
--- a/src/lib/libssl/src/crypto/md4/md4.c
+++ b/src/lib/libssl/src/crypto/md4/md4.c
@@ -64,7 +64,7 @@
 
 void do_fp(FILE *f);
 void pt(unsigned char *md);
-#ifndef _OSD_POSIX
+#if !defined(_OSD_POSIX) && !defined(__DJGPP__)
 int read(int, void *, unsigned int);
 #endif
 
@@ -108,7 +108,7 @@ void do_fp(FILE *f)
         MD4_Init(&c);
         for (;;)
                 {
-                i=read(fd,buf,BUFSIZE);
+                i=read(fd,buf,sizeof buf);
                 if (i <= 0) break;
                 MD4_Update(&c,buf,(unsigned long)i);
                 }
diff --git a/src/lib/libssl/src/crypto/md4/md4_dgst.c b/src/lib/libssl/src/crypto/md4/md4_dgst.c
index 6446f5f5e7..7afb7185b6 100644
--- a/src/lib/libssl/src/crypto/md4/md4_dgst.c
+++ b/src/lib/libssl/src/crypto/md4/md4_dgst.c
@@ -86,21 +86,7 @@ int MD4_Init(MD4_CTX *c)
 void md4_block_host_order (MD4_CTX *c, const void *data, int num)
         {
         const MD4_LONG *X=data;
-        register unsigned long A,B,C,D;
-        /*
-         * In case you wonder why A-D are declared as long and not
-         * as MD4_LONG. Doing so results in slight performance
-         * boost on LP64 architectures. The catch is we don't
-         * really care if 32 MSBs of a 64-bit register get polluted
-         * with eventual overflows as we *save* only 32 LSBs in
-         * *either* case. Now declaring 'em long excuses the compiler
-         * from keeping 32 MSBs zeroed resulting in 13% performance
-         * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
-         * Well, to be honest it should say that this *prevents* 
-         * performance degradation.
-         *
-         *                              <appro@fy.chalmers.se>
-         */
+        register unsigned MD32_REG_T A,B,C,D;
 
         A=c->A;
         B=c->B;
@@ -176,25 +162,11 @@ void md4_block_host_order (MD4_CTX *c, const void *data, int num)
 void md4_block_data_order (MD4_CTX *c, const void *data_, int num)
         {
         const unsigned char *data=data_;
-        register unsigned long A,B,C,D,l;
-        /*
-         * In case you wonder why A-D are declared as long and not
-         * as MD4_LONG. Doing so results in slight performance
-         * boost on LP64 architectures. The catch is we don't
-         * really care if 32 MSBs of a 64-bit register get polluted
-         * with eventual overflows as we *save* only 32 LSBs in
-         * *either* case. Now declaring 'em long excuses the compiler
-         * from keeping 32 MSBs zeroed resulting in 13% performance
-         * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
-         * Well, to be honest it should say that this *prevents* 
-         * performance degradation.
-         *
-         *                              <appro@fy.chalmers.se>
-         */
+        register unsigned MD32_REG_T A,B,C,D,l;
 #ifndef MD32_XARRAY
         /* See comment in crypto/sha/sha_locl.h for details. */
-        unsigned long   XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
-                        XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+        unsigned MD32_REG_T     XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+                                XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
 # define X(i)   XX##i
 #else
         MD4_LONG XX[MD4_LBLOCK];
diff --git a/src/lib/libssl/src/crypto/md4/md4_one.c b/src/lib/libssl/src/crypto/md4/md4_one.c
index 87a995d38d..00565507e4 100644
--- a/src/lib/libssl/src/crypto/md4/md4_one.c
+++ b/src/lib/libssl/src/crypto/md4/md4_one.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <openssl/md4.h>
+#include <openssl/crypto.h>
 
 #ifdef CHARSET_EBCDIC
 #include <openssl/ebcdic.h>
@@ -89,7 +90,7 @@ unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md)
         }
 #endif
         MD4_Final(md,&c);
-        memset(&c,0,sizeof(c)); /* security consideration */
+        OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */
         return(md);
         }
 
diff --git a/src/lib/libssl/src/crypto/md4/md4test.c b/src/lib/libssl/src/crypto/md4/md4test.c
index e0fdc42282..21a77d96f7 100644
--- a/src/lib/libssl/src/crypto/md4/md4test.c
+++ b/src/lib/libssl/src/crypto/md4/md4test.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_MD4
 int main(int argc, char *argv[])
 {
@@ -118,7 +120,7 @@ int main(int argc, char *argv[])
                 R++;
                 P++;
                 }
-        exit(err);
+        EXIT(err);
         return(0);
         }
 
diff --git a/src/lib/libssl/src/crypto/md5/Makefile.ssl b/src/lib/libssl/src/crypto/md5/Makefile.ssl
index 5f1bbfb8ff..b11ab476d6 100644
--- a/src/lib/libssl/src/crypto/md5/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/md5/Makefile.ssl
@@ -21,14 +21,6 @@ MD5_ASM_OBJ=
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 
-# We let the C compiler driver to take care of .s files. This is done in
-# order to be excused from maintaining a separate set of architecture
-# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
-# gcc, then the driver will automatically translate it to -xarch=v8plus
-# and pass it down to assembler.
-AS=$(CC) -c
-ASFLAGS=$(CFLAGS)
-
 GENERAL=Makefile
 TEST=md5test.c
 APPS=
@@ -55,14 +47,8 @@ lib:    $(LIBOBJ)
         @touch lib
 
 # elf
-asm/mx86-elf.o: asm/mx86unix.cpp
-        $(CPP) -DELF -x c asm/mx86unix.cpp | as -o asm/mx86-elf.o
-
-# solaris
-asm/mx86-sol.o: asm/mx86unix.cpp
-        $(CC) -E -DSOL asm/mx86unix.cpp | sed 's/^#.*//' > asm/mx86-sol.s
-        as -o asm/mx86-sol.o asm/mx86-sol.s
-        rm -f asm/mx86-sol.s
+asm/mx86-elf.s: asm/md5-586.pl ../perlasm/x86asm.pl
+        (cd asm; $(PERL) md5-586.pl elf $(CFLAGS) > mx86-elf.s)
 
 # a.out
 asm/mx86-out.o: asm/mx86unix.cpp
@@ -118,18 +104,23 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
         mv -f Makefile.new $(MAKEFILE)
 
 clean:
-        rm -f asm/mx86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+        rm -f asm/mx86unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-md5_dgst.o: ../../include/openssl/md5.h ../../include/openssl/opensslconf.h
+md5_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/md5.h
+md5_dgst.o: ../../include/openssl/opensslconf.h
 md5_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md5_dgst.c
 md5_dgst.o: md5_locl.h
-md5_one.o: ../../include/openssl/md5.h md5_one.c
+md5_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+md5_one.o: ../../include/openssl/md5.h ../../include/openssl/opensslconf.h
+md5_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+md5_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+md5_one.o: md5_one.c
diff --git a/src/lib/libssl/src/crypto/md5/md5.c b/src/lib/libssl/src/crypto/md5/md5.c
index 7ed0024ae1..563733abc5 100644
--- a/src/lib/libssl/src/crypto/md5/md5.c
+++ b/src/lib/libssl/src/crypto/md5/md5.c
@@ -64,7 +64,7 @@
 
 void do_fp(FILE *f);
 void pt(unsigned char *md);
-#ifndef _OSD_POSIX
+#if !defined(_OSD_POSIX) && !defined(__DJGPP__)
 int read(int, void *, unsigned int);
 #endif
 
diff --git a/src/lib/libssl/src/crypto/md5/md5.h b/src/lib/libssl/src/crypto/md5/md5.h
index 52cb753e6a..a252e02115 100644
--- a/src/lib/libssl/src/crypto/md5/md5.h
+++ b/src/lib/libssl/src/crypto/md5/md5.h
@@ -59,6 +59,8 @@
 #ifndef HEADER_MD5_H
 #define HEADER_MD5_H
 
+#include <openssl/e_os2.h>
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
@@ -76,7 +78,7 @@ extern "C" {
 
 #if defined(OPENSSL_SYS_WIN16) || defined(__LP32__)
 #define MD5_LONG unsigned long
-#elif defined(OENSSL_SYS_CRAY) || defined(__ILP64__)
+#elif defined(OPENSSL_SYS_CRAY) || defined(__ILP64__)
 #define MD5_LONG unsigned long
 #define MD5_LONG_LOG2 3
 /*
diff --git a/src/lib/libssl/src/crypto/md5/md5_dgst.c b/src/lib/libssl/src/crypto/md5/md5_dgst.c
index c38a3f021e..9c7abc3697 100644
--- a/src/lib/libssl/src/crypto/md5/md5_dgst.c
+++ b/src/lib/libssl/src/crypto/md5/md5_dgst.c
@@ -86,21 +86,7 @@ int MD5_Init(MD5_CTX *c)
 void md5_block_host_order (MD5_CTX *c, const void *data, int num)
         {
         const MD5_LONG *X=data;
-        register unsigned long A,B,C,D;
-        /*
-         * In case you wonder why A-D are declared as long and not
-         * as MD5_LONG. Doing so results in slight performance
-         * boost on LP64 architectures. The catch is we don't
-         * really care if 32 MSBs of a 64-bit register get polluted
-         * with eventual overflows as we *save* only 32 LSBs in
-         * *either* case. Now declaring 'em long excuses the compiler
-         * from keeping 32 MSBs zeroed resulting in 13% performance
-         * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
-         * Well, to be honest it should say that this *prevents* 
-         * performance degradation.
-         *
-         *                              <appro@fy.chalmers.se>
-         */
+        register unsigned MD32_REG_T A,B,C,D;
 
         A=c->A;
         B=c->B;
@@ -193,25 +179,11 @@ void md5_block_host_order (MD5_CTX *c, const void *data, int num)
 void md5_block_data_order (MD5_CTX *c, const void *data_, int num)
         {
         const unsigned char *data=data_;
-        register unsigned long A,B,C,D,l;
-        /*
-         * In case you wonder why A-D are declared as long and not
-         * as MD5_LONG. Doing so results in slight performance
-         * boost on LP64 architectures. The catch is we don't
-         * really care if 32 MSBs of a 64-bit register get polluted
-         * with eventual overflows as we *save* only 32 LSBs in
-         * *either* case. Now declaring 'em long excuses the compiler
-         * from keeping 32 MSBs zeroed resulting in 13% performance
-         * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
-         * Well, to be honest it should say that this *prevents* 
-         * performance degradation.
-         *
-         *                              <appro@fy.chalmers.se>
-         */
+        register unsigned MD32_REG_T A,B,C,D,l;
 #ifndef MD32_XARRAY
         /* See comment in crypto/sha/sha_locl.h for details. */
-        unsigned long   XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
-                        XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+        unsigned MD32_REG_T     XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+                                XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
 # define X(i)   XX##i
 #else
         MD5_LONG XX[MD5_LBLOCK];
diff --git a/src/lib/libssl/src/crypto/md5/md5_locl.h b/src/lib/libssl/src/crypto/md5/md5_locl.h
index 34c5257306..9e360da732 100644
--- a/src/lib/libssl/src/crypto/md5/md5_locl.h
+++ b/src/lib/libssl/src/crypto/md5/md5_locl.h
@@ -58,7 +58,7 @@
 
 #include <stdlib.h>
 #include <string.h>
-#include <openssl/opensslconf.h>
+#include <openssl/e_os2.h>
 #include <openssl/md5.h>
 
 #ifndef MD5_LONG_LOG2
diff --git a/src/lib/libssl/src/crypto/md5/md5_one.c b/src/lib/libssl/src/crypto/md5/md5_one.c
index b89dec850d..c5dd2d81db 100644
--- a/src/lib/libssl/src/crypto/md5/md5_one.c
+++ b/src/lib/libssl/src/crypto/md5/md5_one.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <openssl/md5.h>
+#include <openssl/crypto.h>
 
 #ifdef CHARSET_EBCDIC
 #include <openssl/ebcdic.h>
@@ -89,7 +90,7 @@ unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md)
         }
 #endif
         MD5_Final(md,&c);
-        memset(&c,0,sizeof(c)); /* security consideration */
+        OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */
         return(md);
         }
 
diff --git a/src/lib/libssl/src/crypto/md5/md5test.c b/src/lib/libssl/src/crypto/md5/md5test.c
index 862b89658a..bfd62629ed 100644
--- a/src/lib/libssl/src/crypto/md5/md5test.c
+++ b/src/lib/libssl/src/crypto/md5/md5test.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_MD5
 int main(int argc, char *argv[])
 {
@@ -118,7 +120,7 @@ int main(int argc, char *argv[])
                 R++;
                 P++;
                 }
-        exit(err);
+        EXIT(err);
         return(0);
         }
 
diff --git a/src/lib/libssl/src/crypto/mdc2/Makefile.ssl b/src/lib/libssl/src/crypto/mdc2/Makefile.ssl
index 087b8eb9ee..33f366fb08 100644
--- a/src/lib/libssl/src/crypto/mdc2/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/mdc2/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/mem.c b/src/lib/libssl/src/crypto/mem.c
index 87d0ebc714..29df7d35b2 100644
--- a/src/lib/libssl/src/crypto/mem.c
+++ b/src/lib/libssl/src/crypto/mem.c
@@ -250,6 +250,7 @@ void CRYPTO_get_mem_debug_functions(void (**m)(void *,int,const char *,int,int),
 void *CRYPTO_malloc_locked(int num, const char *file, int line)
         {
         void *ret = NULL;
+        extern unsigned char cleanse_ctr;
 
         if (num < 0) return NULL;
 
@@ -266,6 +267,12 @@ void *CRYPTO_malloc_locked(int num, const char *file, int line)
         if (malloc_debug_func != NULL)
                 malloc_debug_func(ret, num, file, line, 1);
 
+        /* Create a dependency on the value of 'cleanse_ctr' so our memory
+         * sanitisation function can't be optimised out. NB: We only do
+         * this for >2Kb so the overhead doesn't bother us. */
+        if(ret && (num > 2048))
+                ((unsigned char *)ret)[0] = cleanse_ctr;
+
         return ret;
         }
 
@@ -284,6 +291,7 @@ void CRYPTO_free_locked(void *str)
 void *CRYPTO_malloc(int num, const char *file, int line)
         {
         void *ret = NULL;
+        extern unsigned char cleanse_ctr;
 
         if (num < 0) return NULL;
 
@@ -300,6 +308,12 @@ void *CRYPTO_malloc(int num, const char *file, int line)
         if (malloc_debug_func != NULL)
                 malloc_debug_func(ret, num, file, line, 1);
 
+        /* Create a dependency on the value of 'cleanse_ctr' so our memory
+         * sanitisation function can't be optimised out. NB: We only do
+         * this for >2Kb so the overhead doesn't bother us. */
+        if(ret && (num > 2048))
+                ((unsigned char *)ret)[0] = cleanse_ctr;
+
         return ret;
         }
 
@@ -310,8 +324,8 @@ void *CRYPTO_realloc(void *str, int num, const char *file, int line)
         if (str == NULL)
                 return CRYPTO_malloc(num, file, line);
 
-        if (num < 0) return NULL;
-
+        if (num < 0) return NULL;
+ 
         if (realloc_debug_func != NULL)
                 realloc_debug_func(str, NULL, num, file, line, 0);
         ret = realloc_ex_func(str,num,file,line);
@@ -324,6 +338,32 @@ void *CRYPTO_realloc(void *str, int num, const char *file, int line)
         return ret;
         }
 
+void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file,
+                           int line)
+        {
+        void *ret = NULL;
+
+        if (str == NULL)
+                return CRYPTO_malloc(num, file, line);
+ 
+        if (num < 0) return NULL;
+ 
+        if (realloc_debug_func != NULL)
+                realloc_debug_func(str, NULL, num, file, line, 0);
+        ret=malloc_ex_func(num,file,line);
+        if(ret)
+                memcpy(ret,str,old_len);
+        OPENSSL_cleanse(str,old_len);
+        free_func(str);
+#ifdef LEVITTE_DEBUG_MEM
+        fprintf(stderr, "LEVITTE_DEBUG_MEM:         | 0x%p -> 0x%p (%d)\n", str, ret, num);
+#endif
+        if (realloc_debug_func != NULL)
+                realloc_debug_func(str, ret, num, file, line, 1);
+
+        return ret;
+        }
+
 void CRYPTO_free(void *str)
         {
         if (free_debug_func != NULL)
@@ -343,7 +383,6 @@ void *CRYPTO_remalloc(void *a, int num, const char *file, int line)
         return(a);
         }
 
-
 void CRYPTO_set_mem_debug_options(long bits)
         {
         if (set_debug_options_func != NULL)
diff --git a/src/lib/libssl/src/crypto/mem_dbg.c b/src/lib/libssl/src/crypto/mem_dbg.c
index ea94eee6f4..9221df00bd 100644
--- a/src/lib/libssl/src/crypto/mem_dbg.c
+++ b/src/lib/libssl/src/crypto/mem_dbg.c
@@ -102,6 +102,8 @@ typedef struct app_mem_info_st
         int references;
         } APP_INFO;
 
+static void app_info_free(APP_INFO *);
+
 static LHASH *amih=NULL; /* hash-table with those app_mem_info_st's
                           * that are at the top of their thread's stack
                           * (with `thread' as key);
@@ -140,6 +142,18 @@ static unsigned long disabling_thread = 0; /* Valid iff num_disable > 0.
                                             * thread named in disabling_thread).
                                             */
 
+static void app_info_free(APP_INFO *inf)
+        {
+        if (--(inf->references) <= 0)
+                {
+                if (inf->next != NULL)
+                        {
+                        app_info_free(inf->next);
+                        }
+                OPENSSL_free(inf);
+                }
+        }
+
 int CRYPTO_mem_ctrl(int mode)
         {
         int ret=mh_mode;
@@ -502,9 +516,7 @@ void CRYPTO_dbg_free(void *addr, int before_p)
                                 mp->order, mp->addr, mp->num);
 #endif
                                 if (mp->app_info != NULL)
-                                        {
-                                        mp->app_info->references--;
-                                        }
+                                        app_info_free(mp->app_info);
                                 OPENSSL_free(mp);
                                 }
 
@@ -669,7 +681,6 @@ static IMPLEMENT_LHASH_DOALL_ARG_FN(print_leak, const MEM *, MEM_LEAK *)
 void CRYPTO_mem_leaks(BIO *b)
         {
         MEM_LEAK ml;
-        char buf[80];
 
         if (mh == NULL && amih == NULL)
                 return;
@@ -684,9 +695,8 @@ void CRYPTO_mem_leaks(BIO *b)
                                 (char *)&ml);
         if (ml.chunks != 0)
                 {
-                snprintf(buf,sizeof buf,"%ld bytes leaked in %d chunks\n",
-                        ml.bytes,ml.chunks);
-                BIO_puts(b,buf);
+                BIO_printf(b,"%ld bytes leaked in %d chunks\n",
+                           ml.bytes,ml.chunks);
                 }
         else
                 {
diff --git a/src/lib/libssl/src/crypto/o_time.c b/src/lib/libssl/src/crypto/o_time.c
index 1bc0297b36..723eb1b5af 100644
--- a/src/lib/libssl/src/crypto/o_time.c
+++ b/src/lib/libssl/src/crypto/o_time.c
@@ -80,6 +80,9 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
         ts = result;
 #elif !defined(OPENSSL_SYS_VMS)
         ts = gmtime(timer);
+        if (ts == NULL)
+                return NULL;
+
         memcpy(result, ts, sizeof(struct tm));
         ts = result;
 #endif
diff --git a/src/lib/libssl/src/crypto/objects/Makefile.ssl b/src/lib/libssl/src/crypto/objects/Makefile.ssl
index cd5cbc95ce..3e7a194cf9 100644
--- a/src/lib/libssl/src/crypto/objects/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/objects/Makefile.ssl
@@ -76,7 +76,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/objects/obj_dat.c b/src/lib/libssl/src/crypto/objects/obj_dat.c
index 202bd168ac..ae97108e93 100644
--- a/src/lib/libssl/src/crypto/objects/obj_dat.c
+++ b/src/lib/libssl/src/crypto/objects/obj_dat.c
@@ -464,7 +464,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
 
                 snprintf(tbuf,sizeof tbuf,"%d.%lu",i,l);
                 i=strlen(tbuf);
-                strncpy(buf,tbuf,buf_len);
+                BUF_strlcpy(buf,tbuf,buf_len);
                 buf_len-=i;
                 buf+=i;
                 n+=i;
@@ -476,7 +476,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
                                 snprintf(tbuf,sizeof tbuf,".%lu",l);
                                 i=strlen(tbuf);
                                 if (buf_len > 0)
-                                        strncpy(buf,tbuf,buf_len);
+                                        BUF_strlcpy(buf,tbuf,buf_len);
                                 buf_len-=i;
                                 buf+=i;
                                 n+=i;
@@ -488,10 +488,9 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
                 s=OBJ_nid2ln(nid);
                 if (s == NULL)
                         s=OBJ_nid2sn(nid);
-                strncpy(buf,s,buf_len);
+                BUF_strlcpy(buf,s,buf_len);
                 n=strlen(s);
         }
-        buf[buf_len-1]='\0';
         return(n);
 }
 
diff --git a/src/lib/libssl/src/crypto/objects/obj_mac.num b/src/lib/libssl/src/crypto/objects/obj_mac.num
index 1486199661..9838072b65 100644
--- a/src/lib/libssl/src/crypto/objects/obj_mac.num
+++ b/src/lib/libssl/src/crypto/objects/obj_mac.num
@@ -645,3 +645,5 @@ rsaOAEPEncryptionSET		644
 itu_t           645
 joint_iso_itu_t         646
 international_organizations             647
+ms_smartcard_login              648
+ms_upn          649
diff --git a/src/lib/libssl/src/crypto/objects/objects.txt b/src/lib/libssl/src/crypto/objects/objects.txt
index 71a4908485..3ba11f65cc 100644
--- a/src/lib/libssl/src/crypto/objects/objects.txt
+++ b/src/lib/libssl/src/crypto/objects/objects.txt
@@ -276,6 +276,10 @@ rsadsi 3 8		: RC5-CBC		: rc5-cbc
 1 3 6 1 4 1 311 10 3 3  : msSGC                 : Microsoft Server Gated Crypto
 !Cname ms-efs
 1 3 6 1 4 1 311 10 3 4  : msEFS                 : Microsoft Encrypted File System
+!Cname ms-smartcard-login
+1 3 6 1 4 1 311 20 2 2  : msSmartcardLogin      : Microsoft Smartcardlogin
+!Cname ms-upn
+1 3 6 1 4 1 311 20 2 3  : msUPN                 : Microsoft Universal Principal Name
 
 1 3 6 1 4 1 188 7 1 1 2 : IDEA-CBC              : idea-cbc
                         : IDEA-ECB              : idea-ecb
@@ -537,7 +541,7 @@ X509 11			: OU			: organizationalUnitName
 X509 12                 :                       : title
 X509 13                 :                       : description
 X509 41                 : name                  : name
-X509 42                 : gn                    : givenName
+X509 42                 : GN                    : givenName
 X509 43                 :                       : initials
 X509 44                 :                       : generationQualifier
 X509 45                 :                       : x500UniqueIdentifier
diff --git a/src/lib/libssl/src/crypto/ocsp/Makefile.ssl b/src/lib/libssl/src/crypto/ocsp/Makefile.ssl
index 2be98179ae..02477be538 100644
--- a/src/lib/libssl/src/crypto/ocsp/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/ocsp/Makefile.ssl
@@ -43,7 +43,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -71,7 +71,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_asn.c b/src/lib/libssl/src/crypto/ocsp/ocsp_asn.c
index 8c148cda6a..6a3a360d54 100644
--- a/src/lib/libssl/src/crypto/ocsp/ocsp_asn.c
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_asn.c
@@ -117,7 +117,7 @@ IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPONSE)
 
 ASN1_CHOICE(OCSP_RESPID) = {
            ASN1_EXP(OCSP_RESPID, value.byName, X509_NAME, 1),
-           ASN1_IMP(OCSP_RESPID, value.byKey, ASN1_OCTET_STRING, 2)
+           ASN1_EXP(OCSP_RESPID, value.byKey, ASN1_OCTET_STRING, 2)
 } ASN1_CHOICE_END(OCSP_RESPID)
 
 IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPID)
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_ht.c b/src/lib/libssl/src/crypto/ocsp/ocsp_ht.c
index b78cd37092..9213e58ae4 100644
--- a/src/lib/libssl/src/crypto/ocsp/ocsp_ht.c
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_ht.c
@@ -64,6 +64,9 @@
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
 #include <openssl/buffer.h>
+#ifdef OPENSSL_SYS_SUNOS
+#define strtoul (unsigned long)strtol
+#endif /* OPENSSL_SYS_SUNOS */
 
 /* Quick and dirty HTTP OCSP request handler.
  * Could make this a bit cleverer by adding
@@ -94,7 +97,7 @@ Content-Length: %d\r\n\r\n";
         }
         if(!(mem = BIO_new(BIO_s_mem()))) goto err;
         /* Copy response to a memory BIO: socket bios can't do gets! */
-        while ((len = BIO_read(b, tmpbuf, 1024))) {
+        while ((len = BIO_read(b, tmpbuf, sizeof tmpbuf))) {
                 if(len < 0) {
                         OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_READ_ERROR);
                         goto err;
@@ -107,7 +110,7 @@ Content-Length: %d\r\n\r\n";
         }
         /* Parse the HTTP response. This will look like this:
          * "HTTP/1.0 200 OK". We need to obtain the numeric code and
-         * informational message.
+         * (optional) informational message.
          */
 
         /* Skip to first white space (passed protocol info) */
@@ -135,13 +138,19 @@ Content-Length: %d\r\n\r\n";
         if(*r) goto err;
         /* Skip over any leading white space in message */
         while(*q && isspace((unsigned char)*q))  q++;
-        if(!*q) goto err;
+        if(*q) {
         /* Finally zap any trailing white space in message (include CRLF) */
         /* We know q has a non white space character so this is OK */
-        for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) *r = 0;
+                for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) *r = 0;
+        }
         if(retcode != 200) {
                 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_ERROR);
-                ERR_add_error_data(4, "Code=", p, ",Reason=", q);
+                if(!*q) { 
+                        ERR_add_error_data(2, "Code=", p);
+                }
+                else {
+                        ERR_add_error_data(4, "Code=", p, ",Reason=", q);
+                }
                 goto err;
         }
         /* Find blank line marking beginning of content */      
diff --git a/src/lib/libssl/src/crypto/opensslconf.h.in b/src/lib/libssl/src/crypto/opensslconf.h.in
index 9082a16c46..685e83b7a3 100644
--- a/src/lib/libssl/src/crypto/opensslconf.h.in
+++ b/src/lib/libssl/src/crypto/opensslconf.h.in
@@ -47,7 +47,7 @@
 #endif
 #endif
 
-#if (defined(HEADER_DES_H) || defined(HEADER_DES_OLD_H)) && !defined(DES_LONG)
+#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
 /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
  * %20 speed up (longs are 8 bytes, int's are 4). */
 #ifndef DES_LONG
diff --git a/src/lib/libssl/src/crypto/opensslv.h b/src/lib/libssl/src/crypto/opensslv.h
index 9689b49c5b..08cb1d5018 100644
--- a/src/lib/libssl/src/crypto/opensslv.h
+++ b/src/lib/libssl/src/crypto/opensslv.h
@@ -25,8 +25,8 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER  0x00907003L
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7-beta3 30 Jul 2002"
+#define OPENSSL_VERSION_NUMBER  0x0090702fL
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7b 10 Apr 2003"
 #define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
 
diff --git a/src/lib/libssl/src/crypto/ossl_typ.h b/src/lib/libssl/src/crypto/ossl_typ.h
index 6bd42aee4d..285fd0b1d9 100644
--- a/src/lib/libssl/src/crypto/ossl_typ.h
+++ b/src/lib/libssl/src/crypto/ossl_typ.h
@@ -55,6 +55,8 @@
 #ifndef HEADER_OPENSSL_TYPES_H
 #define HEADER_OPENSSL_TYPES_H
 
+#include <openssl/e_os2.h>
+
 #ifdef NO_ASN1_TYPEDEFS
 #define ASN1_INTEGER            ASN1_STRING
 #define ASN1_ENUMERATED         ASN1_STRING
diff --git a/src/lib/libssl/src/crypto/pem/Makefile.ssl b/src/lib/libssl/src/crypto/pem/Makefile.ssl
index 5075d9107b..d3043eb401 100644
--- a/src/lib/libssl/src/crypto/pem/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/pem/Makefile.ssl
@@ -71,7 +71,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/pem/pem.h b/src/lib/libssl/src/crypto/pem/pem.h
index 3785fca77d..d330cbf9a3 100644
--- a/src/lib/libssl/src/crypto/pem/pem.h
+++ b/src/lib/libssl/src/crypto/pem/pem.h
@@ -149,7 +149,7 @@ typedef struct pem_recip_st
 
         int cipher;
         int key_enc;
-        char iv[8];
+        /*      char iv[8]; unused and wrong size */
         } PEM_USER;
 
 typedef struct pem_ctx_st
@@ -165,7 +165,8 @@ typedef struct pem_ctx_st
 
         struct  {
                 int cipher;
-                unsigned char iv[8];
+        /* unused, and wrong size
+           unsigned char iv[8]; */
                 } DEK_info;
                 
         PEM_USER *originator;
@@ -187,7 +188,8 @@ typedef struct pem_ctx_st
         EVP_CIPHER *dec;        /* date encryption cipher */
         int key_len;            /* key length */
         unsigned char *key;     /* key */
-        unsigned char iv[8];    /* the iv */
+        /* unused, and wrong size
+           unsigned char iv[8]; */
 
         
         int  data_enc;          /* is the data encrypted */
diff --git a/src/lib/libssl/src/crypto/pem/pem_info.c b/src/lib/libssl/src/crypto/pem/pem_info.c
index 9a6dffb45c..9e4af29c95 100644
--- a/src/lib/libssl/src/crypto/pem/pem_info.c
+++ b/src/lib/libssl/src/crypto/pem/pem_info.c
@@ -324,6 +324,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
                                 }
 
                         /* create the right magic header stuff */
+                        OPENSSL_assert(strlen(objstr)+23+2*enc->iv_len+13 <= sizeof buf);
                         buf[0]='\0';
                         PEM_proc_type(buf,PEM_TYPE_ENCRYPTED);
                         PEM_dek_info(buf,objstr,enc->iv_len,(char *)iv);
@@ -358,7 +359,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
         ret=1;
 
 err:
-        memset((char *)&ctx,0,sizeof(ctx));
-        memset(buf,0,PEM_BUFSIZE);
+        OPENSSL_cleanse((char *)&ctx,sizeof(ctx));
+        OPENSSL_cleanse(buf,PEM_BUFSIZE);
         return(ret);
         }
diff --git a/src/lib/libssl/src/crypto/pem/pem_lib.c b/src/lib/libssl/src/crypto/pem/pem_lib.c
index 50f5733654..3bec2d7e9f 100644
--- a/src/lib/libssl/src/crypto/pem/pem_lib.c
+++ b/src/lib/libssl/src/crypto/pem/pem_lib.c
@@ -138,7 +138,7 @@ void PEM_proc_type(char *buf, int type)
 
 void PEM_dek_info(char *buf, const char *type, int len, char *str)
         {
-        static unsigned char map[17]="0123456789ABCDEF";
+        static const unsigned char map[17]="0123456789ABCDEF";
         long i;
         int j;
 
@@ -251,7 +251,7 @@ int PEM_bytes_read_bio(unsigned char **pdata, long *plen, char **pnm, const char
         ret = 1;
 
 err:
-        if (!pnm) OPENSSL_free(nm);
+        if (!ret || !pnm) OPENSSL_free(nm);
         OPENSSL_free(header);
         if (!ret) OPENSSL_free(data);
         return ret;
@@ -306,6 +306,7 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
                 goto err;
                 }
         /* dzise + 8 bytes are needed */
+        /* actually it needs the cipher block size extra... */
         data=(unsigned char *)OPENSSL_malloc((unsigned int)dsize+20);
         if (data == NULL)
                 {
@@ -335,13 +336,16 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
                         kstr=(unsigned char *)buf;
                         }
                 RAND_add(data,i,0);/* put in the RSA key. */
+                OPENSSL_assert(enc->iv_len <= sizeof iv);
                 if (RAND_pseudo_bytes(iv,enc->iv_len) < 0) /* Generate a salt */
                         goto err;
                 /* The 'iv' is used as the iv and as a salt.  It is
                  * NOT taken from the BytesToKey function */
                 EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL);
 
-                if (kstr == (unsigned char *)buf) memset(buf,0,PEM_BUFSIZE);
+                if (kstr == (unsigned char *)buf) OPENSSL_cleanse(buf,PEM_BUFSIZE);
+
+                OPENSSL_assert(strlen(objstr)+23+2*enc->iv_len+13 <= sizeof buf);
 
                 buf[0]='\0';
                 PEM_proc_type(buf,PEM_TYPE_ENCRYPTED);
@@ -364,13 +368,13 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
         i=PEM_write_bio(bp,name,buf,data,i);
         if (i <= 0) ret=0;
 err:
-        memset(key,0,sizeof(key));
-        memset(iv,0,sizeof(iv));
-        memset((char *)&ctx,0,sizeof(ctx));
-        memset(buf,0,PEM_BUFSIZE);
+        OPENSSL_cleanse(key,sizeof(key));
+        OPENSSL_cleanse(iv,sizeof(iv));
+        OPENSSL_cleanse((char *)&ctx,sizeof(ctx));
+        OPENSSL_cleanse(buf,PEM_BUFSIZE);
         if (data != NULL)
                 {
-                memset(data,0,(unsigned int)dsize);
+                OPENSSL_cleanse(data,(unsigned int)dsize);
                 OPENSSL_free(data);
                 }
         return(ret);
@@ -411,8 +415,8 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
         EVP_DecryptUpdate(&ctx,data,&i,data,j);
         o=EVP_DecryptFinal_ex(&ctx,&(data[i]),&j);
         EVP_CIPHER_CTX_cleanup(&ctx);
-        memset((char *)buf,0,sizeof(buf));
-        memset((char *)key,0,sizeof(key));
+        OPENSSL_cleanse((char *)buf,sizeof(buf));
+        OPENSSL_cleanse((char *)key,sizeof(key));
         j+=i;
         if (!o)
                 {
@@ -693,7 +697,7 @@ int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data,
                         if (strncmp(buf,"-----END ",9) == 0)
                                 break;
                         if (i > 65) break;
-                        if (!BUF_MEM_grow(dataB,i+bl+9))
+                        if (!BUF_MEM_grow_clean(dataB,i+bl+9))
                                 {
                                 PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE);
                                 goto err;
diff --git a/src/lib/libssl/src/crypto/pem/pem_pk8.c b/src/lib/libssl/src/crypto/pem/pem_pk8.c
index f44182ffb5..db38a2a79d 100644
--- a/src/lib/libssl/src/crypto/pem/pem_pk8.c
+++ b/src/lib/libssl/src/crypto/pem/pem_pk8.c
@@ -136,7 +136,7 @@ static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER
                         kstr = buf;
                 }
                 p8 = PKCS8_encrypt(nid, enc, kstr, klen, NULL, 0, 0, p8inf);
-                if(kstr == buf) memset(buf, 0, klen);
+                if(kstr == buf) OPENSSL_cleanse(buf, klen);
                 PKCS8_PRIV_KEY_INFO_free(p8inf);
                 if(isder) ret = i2d_PKCS8_bio(bp, p8);
                 else ret = PEM_write_bio_PKCS8(bp, p8);
diff --git a/src/lib/libssl/src/crypto/pem/pem_seal.c b/src/lib/libssl/src/crypto/pem/pem_seal.c
index ae463a301d..56e08abd70 100644
--- a/src/lib/libssl/src/crypto/pem/pem_seal.c
+++ b/src/lib/libssl/src/crypto/pem/pem_seal.c
@@ -112,7 +112,7 @@ int PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type, EVP_MD *md_type,
         ret=npubk;
 err:
         if (s != NULL) OPENSSL_free(s);
-        memset(key,0,EVP_MAX_KEY_LENGTH);
+        OPENSSL_cleanse(key,EVP_MAX_KEY_LENGTH);
         return(ret);
         }
 
diff --git a/src/lib/libssl/src/crypto/perlasm/cbc.pl b/src/lib/libssl/src/crypto/perlasm/cbc.pl
index 0145c4f0cc..22149c680e 100644
--- a/src/lib/libssl/src/crypto/perlasm/cbc.pl
+++ b/src/lib/libssl/src/crypto/perlasm/cbc.pl
@@ -146,9 +146,15 @@ sub cbc
         &mov($count,    &wparam(2));    # length
         &and($count,    7);
         &jz(&label("finish"));
+        &call(&label("PIC_point"));
+&set_label("PIC_point");
+        &blindpop("edx");
+        &lea("ecx",&DWP(&label("cbc_enc_jmp_table")."-".&label("PIC_point"),"edx"));
+        &mov($count,&DWP(0,"ecx",$count,4))
+        &add($count,"edx");
         &xor("ecx","ecx");
         &xor("edx","edx");
-        &mov($count,&DWP(&label("cbc_enc_jmp_table"),"",$count,4));
+        #&mov($count,&DWP(&label("cbc_enc_jmp_table"),"",$count,4));
         &jmp_ptr($count);
 
 &set_label("ej7");
@@ -318,22 +324,23 @@ sub cbc
 
         &set_label("cbc_enc_jmp_table",1);
         &data_word("0");
-        &data_word(&label("ej1"));
-        &data_word(&label("ej2"));
-        &data_word(&label("ej3"));
-        &data_word(&label("ej4"));
-        &data_word(&label("ej5"));
-        &data_word(&label("ej6"));
-        &data_word(&label("ej7"));
-        &set_label("cbc_dec_jmp_table",1);
-        &data_word("0");
-        &data_word(&label("dj1"));
-        &data_word(&label("dj2"));
-        &data_word(&label("dj3"));
-        &data_word(&label("dj4"));
-        &data_word(&label("dj5"));
-        &data_word(&label("dj6"));
-        &data_word(&label("dj7"));
+        &data_word(&label("ej1")."-".&label("PIC_point"));
+        &data_word(&label("ej2")."-".&label("PIC_point"));
+        &data_word(&label("ej3")."-".&label("PIC_point"));
+        &data_word(&label("ej4")."-".&label("PIC_point"));
+        &data_word(&label("ej5")."-".&label("PIC_point"));
+        &data_word(&label("ej6")."-".&label("PIC_point"));
+        &data_word(&label("ej7")."-".&label("PIC_point"));
+        # not used
+        #&set_label("cbc_dec_jmp_table",1);
+        #&data_word("0");
+        #&data_word(&label("dj1")."-".&label("PIC_point"));
+        #&data_word(&label("dj2")."-".&label("PIC_point"));
+        #&data_word(&label("dj3")."-".&label("PIC_point"));
+        #&data_word(&label("dj4")."-".&label("PIC_point"));
+        #&data_word(&label("dj5")."-".&label("PIC_point"));
+        #&data_word(&label("dj6")."-".&label("PIC_point"));
+        #&data_word(&label("dj7")."-".&label("PIC_point"));
 
         &function_end_B($name);
         
diff --git a/src/lib/libssl/src/crypto/perlasm/x86asm.pl b/src/lib/libssl/src/crypto/perlasm/x86asm.pl
index 9a3d85b098..1cb96e914a 100644
--- a/src/lib/libssl/src/crypto/perlasm/x86asm.pl
+++ b/src/lib/libssl/src/crypto/perlasm/x86asm.pl
@@ -18,9 +18,9 @@ sub main'asm_init
         ($type,$fn,$i386)=@_;
         $filename=$fn;
 
-        $cpp=$sol=$aout=$win32=$gaswin=0;
+        $elf=$cpp=$sol=$aout=$win32=$gaswin=0;
         if (    ($type eq "elf"))
-                { require "x86unix.pl"; }
+                { $elf=1; require "x86unix.pl"; }
         elsif ( ($type eq "a.out"))
                 { $aout=1; require "x86unix.pl"; }
         elsif ( ($type eq "gaswin"))
@@ -47,6 +47,9 @@ EOF
                 exit(1);
                 }
 
+        $pic=0;
+        for (@ARGV) {   $pic=1 if (/\-[fK]PIC/i);       }
+
         &asm_init_output();
 
 &comment("Don't even think of reading this code");
@@ -91,7 +94,7 @@ $tmp
 #undef SIZE
 #undef TYPE
 #define SIZE(a,b)
-#define TYPE(a,b)
+#define TYPE(a,b)       .def a; .scl 2; .type 32; .endef
 #endif /* __CYGWIN || __DJGPP */
 #endif
 
diff --git a/src/lib/libssl/src/crypto/perlasm/x86ms.pl b/src/lib/libssl/src/crypto/perlasm/x86ms.pl
index 206452341d..35f1a4ddb9 100644
--- a/src/lib/libssl/src/crypto/perlasm/x86ms.pl
+++ b/src/lib/libssl/src/crypto/perlasm/x86ms.pl
@@ -92,6 +92,8 @@ sub get_mem
                 $addr="_$addr";
                 }
 
+        if ($addr =~ /^.+\-.+$/) { $addr="($addr)"; }
+
         $reg1="$regs{$reg1}" if defined($regs{$reg1});
         $reg2="$regs{$reg2}" if defined($regs{$reg2});
         if (($addr ne "") && ($addr ne 0))
@@ -111,6 +113,7 @@ sub get_mem
                 {
                 $ret.="[$reg1$post]"
                 }
+        $ret =~ s/\[\]//;       # in case $addr was the only argument
         return($ret);
         }
 
@@ -151,7 +154,7 @@ sub main'push	{ &out1("push",@_); $stack+=4; }
 sub main'pop    { &out1("pop",@_); $stack-=4; }
 sub main'bswap  { &out1("bswap",@_); &using486(); }
 sub main'not    { &out1("not",@_); }
-sub main'call   { &out1("call",'_'.$_[0]); }
+sub main'call   { &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); }
 sub main'ret    { &out0("ret"); }
 sub main'nop    { &out0("nop"); }
 
@@ -338,7 +341,7 @@ sub main'set_label
         {
         if (!defined($label{$_[0]}))
                 {
-                $label{$_[0]}="${label}${_[0]}";
+                $label{$_[0]}="\$${label}${_[0]}";
                 $label++;
                 }
         if((defined $_[2]) && ($_[2] == 1))
@@ -363,3 +366,11 @@ sub out1p
 
         push(@out,"\t$name\t ".&conv($p1)."\n");
         }
+
+sub main'picmeup
+        {
+        local($dst,$sym)=@_;
+        &main'lea($dst,&main'DWP($sym));
+        }
+
+sub main'blindpop { &out1("pop",@_); }
diff --git a/src/lib/libssl/src/crypto/perlasm/x86nasm.pl b/src/lib/libssl/src/crypto/perlasm/x86nasm.pl
index 519d8a5867..f30b7466d4 100644
--- a/src/lib/libssl/src/crypto/perlasm/x86nasm.pl
+++ b/src/lib/libssl/src/crypto/perlasm/x86nasm.pl
@@ -98,6 +98,8 @@ sub get_mem
                 $addr="_$addr";
                 }
 
+        if ($addr =~ /^.+\-.+$/) { $addr="($addr)"; }
+
         $reg1="$regs{$reg1}" if defined($regs{$reg1});
         $reg2="$regs{$reg2}" if defined($regs{$reg2});
         if (($addr ne "") && ($addr ne 0))
@@ -117,6 +119,7 @@ sub get_mem
                 {
                 $ret.="$reg1$post]"
                 }
+        $ret =~ s/\+\]/]/; # in case $addr was the only argument
         return($ret);
         }
 
@@ -160,7 +163,7 @@ sub main'push	{ &out1("push",@_); $stack+=4; }
 sub main'pop    { &out1("pop",@_); $stack-=4; }
 sub main'bswap  { &out1("bswap",@_); &using486(); }
 sub main'not    { &out1("not",@_); }
-sub main'call   { &out1("call",'_'.$_[0]); }
+sub main'call   { &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); }
 sub main'ret    { &out0("ret"); }
 sub main'nop    { &out0("nop"); }
 
@@ -322,7 +325,7 @@ sub main'set_label
         {
         if (!defined($label{$_[0]}))
                 {
-                $label{$_[0]}="${label}${_[0]}";
+                $label{$_[0]}="\$${label}${_[0]}";
                 $label++;
                 }
         push(@out,"$label{$_[0]}:\n");
@@ -340,3 +343,11 @@ sub out1p
 
         push(@out,"\t$name\t ".&conv($p1)."\n");
         }
+
+sub main'picmeup
+        {
+        local($dst,$sym)=@_;
+        &main'lea($dst,&main'DWP($sym));
+        }
+
+sub main'blindpop { &out1("pop",@_); }
diff --git a/src/lib/libssl/src/crypto/perlasm/x86unix.pl b/src/lib/libssl/src/crypto/perlasm/x86unix.pl
index 9ceabf0705..72bde061c5 100644
--- a/src/lib/libssl/src/crypto/perlasm/x86unix.pl
+++ b/src/lib/libssl/src/crypto/perlasm/x86unix.pl
@@ -87,12 +87,12 @@ sub main'DWP
         $ret.=$addr if ($addr ne "") && ($addr ne 0);
         if ($reg2 ne "")
                 {
-                if($idx ne "")
+                if($idx ne "" && $idx != 0)
                     { $ret.="($reg1,$reg2,$idx)"; }
                 else
                     { $ret.="($reg1,$reg2)"; }
                 }
-        else
+        elsif ($reg1 ne "")
                 { $ret.="($reg1)" }
         return($ret);
         }
@@ -167,7 +167,7 @@ sub main'pop	{ &out1("popl",@_); $stack-=4; }
 sub main'pushf  { &out0("pushf"); $stack+=4; }
 sub main'popf   { &out0("popf"); $stack-=4; }
 sub main'not    { &out1("notl",@_); }
-sub main'call   { &out1("call",$under.$_[0]); }
+sub main'call   { &out1("call",($_[0]=~/^\.L/?'':$under).$_[0]); }
 sub main'ret    { &out0("ret"); }
 sub main'nop    { &out0("nop"); }
 
@@ -345,15 +345,15 @@ sub main'function_end
         popl    %ebx
         popl    %ebp
         ret
-.${func}_end:
+.L_${func}_end:
 EOF
         push(@out,$tmp);
 
         if ($main'cpp)
-                { push(@out,"\tSIZE($func,.${func}_end-$func)\n"); }
+                { push(@out,"\tSIZE($func,.L_${func}_end-$func)\n"); }
         elsif ($main'gaswin)
                 { $tmp=push(@out,"\t.align 4\n"); }
-        else    { push(@out,"\t.size\t$func,.${func}_end-$func\n"); }
+        else    { push(@out,"\t.size\t$func,.L_${func}_end-$func\n"); }
         push(@out,".ident       \"$func\"\n");
         $stack=0;
         %label=();
@@ -426,6 +426,11 @@ sub main'swtmp
 
 sub main'comment
         {
+        if ($main'elf)  # GNU and SVR4 as'es use different comment delimiters,
+                {       # so we just skip comments...
+                push(@out,"\n");
+                return;
+                }
         foreach (@_)
                 {
                 if (/^\s*$/)
@@ -542,3 +547,39 @@ sub popvars
         &main'pop("edx");
         &main'popf();
         }
+
+sub main'picmeup
+        {
+        local($dst,$sym)=@_;
+        if ($main'cpp)
+                {
+                local($tmp)=<<___;
+#if (defined(ELF) || defined(SOL)) && defined(PIC)
+        .align  8
+        call    1f
+1:      popl    $regs{$dst}
+        addl    \$_GLOBAL_OFFSET_TABLE_+[.-1b],$regs{$dst}
+        movl    $sym\@GOT($regs{$dst}),$regs{$dst}
+#else
+        leal    $sym,$regs{$dst}
+#endif
+___
+                push(@out,$tmp);
+                }
+        elsif ($main'pic && ($main'elf || $main'aout))
+                {
+                push(@out,"\t.align\t8\n");
+                &main'call(&main'label("PIC_me_up"));
+                &main'set_label("PIC_me_up");
+                &main'blindpop($dst);
+                &main'add($dst,"\$$under"."_GLOBAL_OFFSET_TABLE_+[.-".
+                                &main'label("PIC_me_up") . "]");
+                &main'mov($dst,&main'DWP($sym."\@GOT",$dst));
+                }
+        else
+                {
+                &main'lea($dst,&main'DWP($sym));
+                }
+        }
+
+sub main'blindpop { &out1("popl",@_); }
diff --git a/src/lib/libssl/src/crypto/pkcs12/Makefile.ssl b/src/lib/libssl/src/crypto/pkcs12/Makefile.ssl
index 2b1d175157..a6e47b4085 100644
--- a/src/lib/libssl/src/crypto/pkcs12/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/pkcs12/Makefile.ssl
@@ -74,7 +74,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c b/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c
index 97be6a5fb5..5e8958612b 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c
@@ -118,7 +118,7 @@ int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
         }
         PBEPARAM_free(pbe);
         EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
-        memset(key, 0, EVP_MAX_KEY_LENGTH);
-        memset(iv, 0, EVP_MAX_IV_LENGTH);
+        OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
+        OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
         return 1;
 }
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_decr.c b/src/lib/libssl/src/crypto/pkcs12/p12_decr.c
index 394af368f4..b5684a83ba 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_decr.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_decr.c
@@ -136,7 +136,7 @@ void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
         }
 #endif
         ret = ASN1_item_d2i(NULL, &p, outlen, it);
-        if (zbuf) memset(out, 0, outlen);
+        if (zbuf) OPENSSL_cleanse(out, outlen);
         if(!ret) PKCS12err(PKCS12_F_PKCS12_DECRYPT_D2I,PKCS12_R_DECODE_ERROR);
         OPENSSL_free(out);
         return ret;
@@ -168,7 +168,7 @@ ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, const ASN1_ITEM *i
                 OPENSSL_free(in);
                 return NULL;
         }
-        if (zbuf) memset(in, 0, inlen);
+        if (zbuf) OPENSSL_cleanse(in, inlen);
         OPENSSL_free(in);
         return oct;
 }
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_key.c b/src/lib/libssl/src/crypto/pkcs12/p12_key.c
index 0d39ebde8c..9196a34b4a 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_key.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_key.c
@@ -91,7 +91,7 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
         ret = PKCS12_key_gen_uni(unipass, uniplen, salt, saltlen,
                                                  id, iter, n, out, md_type);
         if(unipass) {
-                memset(unipass, 0, uniplen);    /* Clear password from memory */
+                OPENSSL_cleanse(unipass, uniplen);      /* Clear password from memory */
                 OPENSSL_free(unipass);
         }
         return ret;
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_npas.c b/src/lib/libssl/src/crypto/pkcs12/p12_npas.c
index a549433eeb..af708a2743 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_npas.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_npas.c
@@ -107,7 +107,7 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
 {
         STACK_OF(PKCS7) *asafes, *newsafes;
         STACK_OF(PKCS12_SAFEBAG) *bags;
-        int i, bagnid, pbe_nid, pbe_iter, pbe_saltlen;
+        int i, bagnid, pbe_nid = 0, pbe_iter = 0, pbe_saltlen = 0;
         PKCS7 *p7, *p7new;
         ASN1_OCTET_STRING *p12_data_tmp = NULL, *macnew = NULL;
         unsigned char mac[EVP_MAX_MD_SIZE];
diff --git a/src/lib/libssl/src/crypto/pkcs7/Makefile.ssl b/src/lib/libssl/src/crypto/pkcs7/Makefile.ssl
index 1302469def..c3bfc7d560 100644
--- a/src/lib/libssl/src/crypto/pkcs7/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/pkcs7/Makefile.ssl
@@ -89,7 +89,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/pkcs7/bio_ber.c b/src/lib/libssl/src/crypto/pkcs7/bio_ber.c
index 42331f7ab0..895a91177b 100644
--- a/src/lib/libssl/src/crypto/pkcs7/bio_ber.c
+++ b/src/lib/libssl/src/crypto/pkcs7/bio_ber.c
@@ -145,7 +145,7 @@ static int ber_free(BIO *a)
 
         if (a == NULL) return(0);
         b=(BIO_BER_CTX *)a->ptr;
-        memset(a->ptr,0,sizeof(BIO_BER_CTX));
+        OPENSSL_cleanse(a->ptr,sizeof(BIO_BER_CTX));
         OPENSSL_free(a->ptr);
         a->ptr=NULL;
         a->init=0;
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
index 4a4ff340ce..0060a2ea3d 100644
--- a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
@@ -241,7 +241,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
                         M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj);
                         }
                 OPENSSL_free(tmp);
-                memset(key, 0, keylen);
+                OPENSSL_cleanse(key, keylen);
 
                 if (out == NULL)
                         out=btmp;
@@ -448,7 +448,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                 } 
                 EVP_CipherInit_ex(evp_ctx,NULL,NULL,tmp,NULL,0);
 
-                memset(tmp,0,jj);
+                OPENSSL_cleanse(tmp,jj);
 
                 if (out == NULL)
                         out=etmp;
@@ -578,7 +578,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                         /* We now have the EVP_MD_CTX, lets do the
                          * signing. */
                         EVP_MD_CTX_copy_ex(&ctx_tmp,mdc);
-                        if (!BUF_MEM_grow(buf,EVP_PKEY_size(si->pkey)))
+                        if (!BUF_MEM_grow_clean(buf,EVP_PKEY_size(si->pkey)))
                                 {
                                 PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_BIO_LIB);
                                 goto err;
diff --git a/src/lib/libssl/src/crypto/rand/Makefile.ssl b/src/lib/libssl/src/crypto/rand/Makefile.ssl
index 73b5f568e8..df80702373 100644
--- a/src/lib/libssl/src/crypto/rand/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/rand/Makefile.ssl
@@ -70,7 +70,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/rand/md_rand.c b/src/lib/libssl/src/crypto/rand/md_rand.c
index a00ed70718..eeffc0df4c 100644
--- a/src/lib/libssl/src/crypto/rand/md_rand.c
+++ b/src/lib/libssl/src/crypto/rand/md_rand.c
@@ -177,10 +177,10 @@ RAND_METHOD *RAND_SSLeay(void)
 
 static void ssleay_rand_cleanup(void)
         {
-        memset(state,0,sizeof(state));
+        OPENSSL_cleanse(state,sizeof(state));
         state_num=0;
         state_index=0;
-        memset(md,0,MD_DIGEST_LENGTH);
+        OPENSSL_cleanse(md,MD_DIGEST_LENGTH);
         md_count[0]=0;
         md_count[1]=0;
         entropy=0;
diff --git a/src/lib/libssl/src/crypto/rand/rand.h b/src/lib/libssl/src/crypto/rand/rand.h
index 66e39991ec..606382dd21 100644
--- a/src/lib/libssl/src/crypto/rand/rand.h
+++ b/src/lib/libssl/src/crypto/rand/rand.h
@@ -87,7 +87,9 @@ extern int rand_predictable;
 
 int RAND_set_rand_method(const RAND_METHOD *meth);
 const RAND_METHOD *RAND_get_rand_method(void);
+#ifndef OPENSSL_NO_ENGINE
 int RAND_set_rand_engine(ENGINE *engine);
+#endif
 RAND_METHOD *RAND_SSLeay(void);
 void RAND_cleanup(void );
 int  RAND_bytes(unsigned char *buf,int num);
diff --git a/src/lib/libssl/src/crypto/rand/rand_egd.c b/src/lib/libssl/src/crypto/rand/rand_egd.c
index 96019c07a6..895967476e 100644
--- a/src/lib/libssl/src/crypto/rand/rand_egd.c
+++ b/src/lib/libssl/src/crypto/rand/rand_egd.c
@@ -94,7 +94,7 @@
  *   RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255.
  */
 
-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(__DJGPP__)
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS)
 int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
         {
         return(-1);
@@ -114,7 +114,7 @@ int RAND_egd_bytes(const char *path,int bytes)
 #include <sys/types.h>
 #include <sys/socket.h>
 #ifndef NO_SYS_UN_H
-# ifdef OPENSSL_SYS_VSWORKS
+# ifdef OPENSSL_SYS_VXWORKS
 #   include <streams/un.h>
 # else
 #   include <sys/un.h>
@@ -143,7 +143,7 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
 
         memset(&addr, 0, sizeof(addr));
         addr.sun_family = AF_UNIX;
-        if (strlen(path) > sizeof(addr.sun_path))
+        if (strlen(path) >= sizeof(addr.sun_path))
                 return (-1);
         strlcpy(addr.sun_path,path,sizeof addr.sun_path);
         len = offsetof(struct sockaddr_un, sun_path) + strlen(path);
diff --git a/src/lib/libssl/src/crypto/rand/rand_lib.c b/src/lib/libssl/src/crypto/rand/rand_lib.c
index 5cf5dc1188..513e338985 100644
--- a/src/lib/libssl/src/crypto/rand/rand_lib.c
+++ b/src/lib/libssl/src/crypto/rand/rand_lib.c
@@ -60,19 +60,25 @@
 #include <time.h>
 #include "cryptlib.h"
 #include <openssl/rand.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 
+#ifndef OPENSSL_NO_ENGINE
 /* non-NULL if default_RAND_meth is ENGINE-provided */
 static ENGINE *funct_ref =NULL;
+#endif
 static const RAND_METHOD *default_RAND_meth = NULL;
 
 int RAND_set_rand_method(const RAND_METHOD *meth)
         {
+#ifndef OPENSSL_NO_ENGINE
         if(funct_ref)
                 {
                 ENGINE_finish(funct_ref);
                 funct_ref = NULL;
                 }
+#endif
         default_RAND_meth = meth;
         return 1;
         }
@@ -81,6 +87,7 @@ const RAND_METHOD *RAND_get_rand_method(void)
         {
         if (!default_RAND_meth)
                 {
+#ifndef OPENSSL_NO_ENGINE
                 ENGINE *e = ENGINE_get_default_RAND();
                 if(e)
                         {
@@ -94,11 +101,13 @@ const RAND_METHOD *RAND_get_rand_method(void)
                 if(e)
                         funct_ref = e;
                 else
+#endif
                         default_RAND_meth = RAND_SSLeay();
                 }
         return default_RAND_meth;
         }
 
+#ifndef OPENSSL_NO_ENGINE
 int RAND_set_rand_engine(ENGINE *engine)
         {
         const RAND_METHOD *tmp_meth = NULL;
@@ -118,6 +127,7 @@ int RAND_set_rand_engine(ENGINE *engine)
         funct_ref = engine;
         return 1;
         }
+#endif
 
 void RAND_cleanup(void)
         {
diff --git a/src/lib/libssl/src/crypto/rand/rand_unix.c b/src/lib/libssl/src/crypto/rand/rand_unix.c
index fa2bab57c6..0599719dd1 100644
--- a/src/lib/libssl/src/crypto/rand/rand_unix.c
+++ b/src/lib/libssl/src/crypto/rand/rand_unix.c
@@ -115,7 +115,7 @@
 #include <openssl/rand.h>
 #include "rand_lcl.h"
 
-#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2))
+#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS))
 
 #include <sys/types.h>
 #include <sys/time.h>
@@ -233,7 +233,7 @@ int RAND_poll(void)
         if (n > 0)
                 {
                 RAND_add(tmpbuf,sizeof tmpbuf,n);
-                memset(tmpbuf,0,n);
+                OPENSSL_cleanse(tmpbuf,n);
                 }
 #endif
 
@@ -255,3 +255,10 @@ int RAND_poll(void)
 
 #endif
 #endif
+
+#if defined(OPENSSL_SYS_VXWORKS)
+int RAND_poll(void)
+{
+    return 0;
+}
+#endif
diff --git a/src/lib/libssl/src/crypto/rand/rand_win.c b/src/lib/libssl/src/crypto/rand/rand_win.c
index c1b955b06f..113b58678f 100644
--- a/src/lib/libssl/src/crypto/rand/rand_win.c
+++ b/src/lib/libssl/src/crypto/rand/rand_win.c
@@ -125,7 +125,7 @@
  * http://developer.intel.com/design/security/rng/redist_license.htm
  */
 #define PROV_INTEL_SEC 22
-#define INTEL_DEF_PROV "Intel Hardware Cryptographic Service Provider"
+#define INTEL_DEF_PROV TEXT("Intel Hardware Cryptographic Service Provider")
 
 static void readtimer(void);
 static void readscreen(void);
@@ -170,7 +170,9 @@ typedef BOOL (WINAPI *THREAD32)(HANDLE, LPTHREADENTRY32);
 typedef BOOL (WINAPI *MODULE32)(HANDLE, LPMODULEENTRY32);
 
 #include <lmcons.h>
+#ifndef OPENSSL_SYS_WINCE
 #include <lmstats.h>
+#endif
 #if 1 /* The NET API is Unicode only.  It requires the use of the UNICODE
        * macro.  When UNICODE is defined LPTSTR becomes LPWSTR.  LMSTR was
        * was added to the Platform SDK to allow the NET API to be used in
@@ -209,20 +211,32 @@ int RAND_poll(void)
         osverinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO) ;
         GetVersionEx( &osverinfo ) ;
 
+#if defined(OPENSSL_SYS_WINCE) && WCEPLATFORM!=MS_HPC_PRO
+        /* poll the CryptoAPI PRNG */
+        /* The CryptoAPI returns sizeof(buf) bytes of randomness */
+        if (CryptAcquireContext(&hProvider, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
+                {
+                if (CryptGenRandom(hProvider, sizeof(buf), buf))
+                        RAND_add(buf, sizeof(buf), sizeof(buf));
+                CryptReleaseContext(hProvider, 0); 
+                }
+#endif
+
         /* load functions dynamically - not available on all systems */
-        advapi = LoadLibrary("ADVAPI32.DLL");
-        kernel = LoadLibrary("KERNEL32.DLL");
-        user = LoadLibrary("USER32.DLL");
-        netapi = LoadLibrary("NETAPI32.DLL");
+        advapi = LoadLibrary(TEXT("ADVAPI32.DLL"));
+        kernel = LoadLibrary(TEXT("KERNEL32.DLL"));
+        user = LoadLibrary(TEXT("USER32.DLL"));
+        netapi = LoadLibrary(TEXT("NETAPI32.DLL"));
 
+#ifndef OPENSSL_SYS_WINCE
 #if 1 /* There was previously a problem with NETSTATGET.  Currently, this
        * section is still experimental, but if all goes well, this conditional
        * will be removed
        */
         if (netapi)
                 {
-                netstatget = (NETSTATGET) GetProcAddress(netapi,"NetStatisticsGet");
-                netfree = (NETFREE) GetProcAddress(netapi,"NetApiBufferFree");
+                netstatget = (NETSTATGET) GetProcAddress(netapi,TEXT("NetStatisticsGet"));
+                netfree = (NETFREE) GetProcAddress(netapi,TEXT("NetApiBufferFree"));
                 }
 
         if (netstatget && netfree)
@@ -249,7 +263,9 @@ int RAND_poll(void)
         if (netapi)
                 FreeLibrary(netapi);
 #endif /* 1 */
+#endif /* !OPENSSL_SYS_WINCE */
  
+#ifndef OPENSSL_SYS_WINCE
         /* It appears like this can cause an exception deep within ADVAPI32.DLL
          * at random times on Windows 2000.  Reported by Jeffrey Altman.  
          * Only use it on NT.
@@ -280,30 +296,40 @@ int RAND_poll(void)
                         bufsz += 8192;
 
                         length = bufsz;
-                        rc = RegQueryValueEx(HKEY_PERFORMANCE_DATA, "Global",
+                        rc = RegQueryValueEx(HKEY_PERFORMANCE_DATA, TEXT("Global"),
                                 NULL, NULL, buf, &length);
                         }
                 if (rc == ERROR_SUCCESS)
                         {
                         /* For entropy count assume only least significant
                          * byte of each DWORD is random.
-                         */
+                         */
                         RAND_add(&length, sizeof(length), 0);
                         RAND_add(buf, length, length / 4.0);
+
+                        /* Close the Registry Key to allow Windows to cleanup/close
+                         * the open handle
+                         * Note: The 'HKEY_PERFORMANCE_DATA' key is implicitly opened
+                         *       when the RegQueryValueEx above is done.  However, if
+                         *       it is not explicitly closed, it can cause disk
+                         *       partition manipulation problems.
+                         */
+                        RegCloseKey(HKEY_PERFORMANCE_DATA);
                         }
                 if (buf)
                         free(buf);
                 }
 #endif
+#endif /* !OPENSSL_SYS_WINCE */
 
         if (advapi)
                 {
                 acquire = (CRYPTACQUIRECONTEXT) GetProcAddress(advapi,
-                        "CryptAcquireContextA");
+                        TEXT("CryptAcquireContextA"));
                 gen = (CRYPTGENRANDOM) GetProcAddress(advapi,
-                        "CryptGenRandom");
+                        TEXT("CryptGenRandom"));
                 release = (CRYPTRELEASECONTEXT) GetProcAddress(advapi,
-                        "CryptReleaseContext");
+                        TEXT("CryptReleaseContext"));
                 }
 
         if (acquire && gen && release)
@@ -357,9 +383,9 @@ int RAND_poll(void)
                 GETFOREGROUNDWINDOW win;
                 GETQUEUESTATUS queue;
 
-                win = (GETFOREGROUNDWINDOW) GetProcAddress(user, "GetForegroundWindow");
-                cursor = (GETCURSORINFO) GetProcAddress(user, "GetCursorInfo");
-                queue = (GETQUEUESTATUS) GetProcAddress(user, "GetQueueStatus");
+                win = (GETFOREGROUNDWINDOW) GetProcAddress(user, TEXT("GetForegroundWindow"));
+                cursor = (GETCURSORINFO) GetProcAddress(user, TEXT("GetCursorInfo"));
+                queue = (GETQUEUESTATUS) GetProcAddress(user, TEXT("GetQueueStatus"));
 
                 if (win)
                         {
@@ -430,17 +456,17 @@ int RAND_poll(void)
                 MODULEENTRY32 m;
 
                 snap = (CREATETOOLHELP32SNAPSHOT)
-                        GetProcAddress(kernel, "CreateToolhelp32Snapshot");
-                heap_first = (HEAP32FIRST) GetProcAddress(kernel, "Heap32First");
-                heap_next = (HEAP32NEXT) GetProcAddress(kernel, "Heap32Next");
-                heaplist_first = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListFirst");
-                heaplist_next = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListNext");
-                process_first = (PROCESS32) GetProcAddress(kernel, "Process32First");
-                process_next = (PROCESS32) GetProcAddress(kernel, "Process32Next");
-                thread_first = (THREAD32) GetProcAddress(kernel, "Thread32First");
-                thread_next = (THREAD32) GetProcAddress(kernel, "Thread32Next");
-                module_first = (MODULE32) GetProcAddress(kernel, "Module32First");
-                module_next = (MODULE32) GetProcAddress(kernel, "Module32Next");
+                        GetProcAddress(kernel, TEXT("CreateToolhelp32Snapshot"));
+                heap_first = (HEAP32FIRST) GetProcAddress(kernel, TEXT("Heap32First"));
+                heap_next = (HEAP32NEXT) GetProcAddress(kernel, TEXT("Heap32Next"));
+                heaplist_first = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListFirst"));
+                heaplist_next = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListNext"));
+                process_first = (PROCESS32) GetProcAddress(kernel, TEXT("Process32First"));
+                process_next = (PROCESS32) GetProcAddress(kernel, TEXT("Process32Next"));
+                thread_first = (THREAD32) GetProcAddress(kernel, TEXT("Thread32First"));
+                thread_next = (THREAD32) GetProcAddress(kernel, TEXT("Thread32Next"));
+                module_first = (MODULE32) GetProcAddress(kernel, TEXT("Module32First"));
+                module_next = (MODULE32) GetProcAddress(kernel, TEXT("Module32Next"));
 
                 if (snap && heap_first && heap_next && heaplist_first &&
                         heaplist_next && process_first && process_next &&
@@ -575,7 +601,7 @@ static void readtimer(void)
         DWORD w;
         LARGE_INTEGER l;
         static int have_perfc = 1;
-#ifdef _MSC_VER
+#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE)
         static int have_tsc = 1;
         DWORD cyclecount;
 
@@ -628,6 +654,7 @@ static void readtimer(void)
 
 static void readscreen(void)
 {
+#ifndef OPENSSL_SYS_WINCE
   HDC           hScrDC;         /* screen DC */
   HDC           hMemDC;         /* memory DC */
   HBITMAP       hBitmap;        /* handle for our bitmap */
@@ -641,7 +668,7 @@ static void readscreen(void)
   int           n = 16;         /* number of screen lines to grab at a time */
 
   /* Create a screen DC and a memory DC compatible to screen DC */
-  hScrDC = CreateDC("DISPLAY", NULL, NULL, NULL);
+  hScrDC = CreateDC(TEXT("DISPLAY"), NULL, NULL, NULL);
   hMemDC = CreateCompatibleDC(hScrDC);
 
   /* Get screen resolution */
@@ -688,6 +715,7 @@ static void readscreen(void)
   DeleteObject(hBitmap);
   DeleteDC(hMemDC);
   DeleteDC(hScrDC);
+#endif /* !OPENSSL_SYS_WINCE */
 }
 
 #endif
diff --git a/src/lib/libssl/src/crypto/rand/randfile.c b/src/lib/libssl/src/crypto/rand/randfile.c
index 311dd27a7b..cfbec2ac1f 100644
--- a/src/lib/libssl/src/crypto/rand/randfile.c
+++ b/src/lib/libssl/src/crypto/rand/randfile.c
@@ -132,7 +132,7 @@ int RAND_load_file(const char *file, long bytes)
                         }
                 }
         fclose(in);
-        memset(buf,0,BUFSIZE);
+        OPENSSL_cleanse(buf,BUFSIZE);
 err:
         return(ret);
         }
@@ -210,7 +210,7 @@ int RAND_write_file(const char *file)
 #endif /* OPENSSL_SYS_VMS */
 
         fclose(out);
-        memset(buf,0,BUFSIZE);
+        OPENSSL_cleanse(buf,BUFSIZE);
 err:
         return (rand_err ? -1 : ret);
         }
@@ -225,8 +225,8 @@ const char *RAND_file_name(char *buf, size_t size)
                 s=getenv("RANDFILE");
         if (s != NULL && *s && strlen(s) + 1 < size)
                 {
-                strlcpy(buf,s,size);
-                ok = 1;
+                if (strlcpy(buf,s,size) >= size)
+                        return NULL;
                 }
         else
                 {
diff --git a/src/lib/libssl/src/crypto/rand/randtest.c b/src/lib/libssl/src/crypto/rand/randtest.c
index b64de616db..701932e6ee 100644
--- a/src/lib/libssl/src/crypto/rand/randtest.c
+++ b/src/lib/libssl/src/crypto/rand/randtest.c
@@ -60,6 +60,8 @@
 #include <stdlib.h>
 #include <openssl/rand.h>
 
+#include "../e_os.h"
+
 /* some FIPS 140-1 random number test */
 /* some simple tests */
 
@@ -209,6 +211,6 @@ int main()
         printf("test 4 done\n");
  err:
         err=((err)?1:0);
-        exit(err);
+        EXIT(err);
         return(err);
         }
diff --git a/src/lib/libssl/src/crypto/rc2/Makefile.ssl b/src/lib/libssl/src/crypto/rc2/Makefile.ssl
index 88e41bb98e..98d5960d5d 100644
--- a/src/lib/libssl/src/crypto/rc2/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/rc2/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/rc2/rc2test.c b/src/lib/libssl/src/crypto/rc2/rc2test.c
index d9a2a0a1cb..b67bafb49f 100644
--- a/src/lib/libssl/src/crypto/rc2/rc2test.c
+++ b/src/lib/libssl/src/crypto/rc2/rc2test.c
@@ -63,6 +63,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_RC2
 int main(int argc, char *argv[])
 {
@@ -203,7 +205,7 @@ int main(int argc, char *argv[])
                 printf("ok\n");
 #endif
 
-        exit(err);
+        EXIT(err);
         return(err);
         }
 
diff --git a/src/lib/libssl/src/crypto/rc4/Makefile.ssl b/src/lib/libssl/src/crypto/rc4/Makefile.ssl
index 6e5bbf9894..9f9e16068f 100644
--- a/src/lib/libssl/src/crypto/rc4/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/rc4/Makefile.ssl
@@ -52,14 +52,8 @@ lib:	$(LIBOBJ)
         @touch lib
 
 # elf
-asm/rx86-elf.o: asm/rx86unix.cpp
-        $(CPP) -DELF -x c asm/rx86unix.cpp | as -o asm/rx86-elf.o
-
-# solaris
-asm/rx86-sol.o: asm/rx86unix.cpp
-        $(CC) -E -DSOL asm/rx86unix.cpp | sed 's/^#.*//' > asm/rx86-sol.s
-        as -o asm/rx86-sol.o asm/rx86-sol.s
-        rm -f asm/rx86-sol.s
+asm/rx86-elf.s: asm/rc4-586.pl ../perlasm/x86asm.pl
+        (cd asm; $(PERL) rc4-586.pl elf $(CFLAGS) > rx86-elf.s)
 
 # a.out
 asm/rx86-out.o: asm/rx86unix.cpp
@@ -97,14 +91,14 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
         mv -f Makefile.new $(MAKEFILE)
 
 clean:
-        rm -f asm/rx86unix.cpp *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff asm/*.o
+        rm -f asm/rx86unix.cpp asm/*-elf.* *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff asm/*.o
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
diff --git a/src/lib/libssl/src/crypto/rc4/rc4.c b/src/lib/libssl/src/crypto/rc4/rc4.c
index c2165b0b75..b39c070292 100644
--- a/src/lib/libssl/src/crypto/rc4/rc4.c
+++ b/src/lib/libssl/src/crypto/rc4/rc4.c
@@ -155,7 +155,7 @@ bad:
                 i=EVP_read_pw_string(buf,BUFSIZ,"Enter RC4 password:",0);
                 if (i != 0)
                         {
-                        memset(buf,0,BUFSIZ);
+                        OPENSSL_cleanse(buf,BUFSIZ);
                         fprintf(stderr,"bad password read\n");
                         exit(1);
                         }
@@ -163,7 +163,7 @@ bad:
                 }
 
         EVP_Digest((unsigned char *)keystr,(unsigned long)strlen(keystr),md,NULL,EVP_md5());
-        memset(keystr,0,strlen(keystr));
+        OPENSSL_cleanse(keystr,strlen(keystr));
         RC4_set_key(&key,MD5_DIGEST_LENGTH,md);
         
         for(;;)
diff --git a/src/lib/libssl/src/crypto/rc4/rc4test.c b/src/lib/libssl/src/crypto/rc4/rc4test.c
index a28d457c8d..b9d8f20975 100644
--- a/src/lib/libssl/src/crypto/rc4/rc4test.c
+++ b/src/lib/libssl/src/crypto/rc4/rc4test.c
@@ -60,6 +60,8 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_RC4
 int main(int argc, char *argv[])
 {
@@ -195,7 +197,7 @@ int main(int argc, char *argv[])
                         }
                 }
         printf("done\n");
-        exit(err);
+        EXIT(err);
         return(0);
         }
 #endif
diff --git a/src/lib/libssl/src/crypto/rc5/Makefile.ssl b/src/lib/libssl/src/crypto/rc5/Makefile.ssl
index ff31ab47a9..a86f202f7b 100644
--- a/src/lib/libssl/src/crypto/rc5/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/rc5/Makefile.ssl
@@ -49,14 +49,8 @@ lib:	$(LIBOBJ)
         @touch lib
 
 # elf
-asm/r586-elf.o: asm/r586unix.cpp
-        $(CPP) -DELF -x c asm/r586unix.cpp | as -o asm/r586-elf.o
-
-# solaris
-asm/r586-sol.o: asm/r586unix.cpp
-        $(CC) -E -DSOL asm/r586unix.cpp | sed 's/^#.*//' > asm/r586-sol.s
-        as -o asm/r586-sol.o asm/r586-sol.s
-        rm -f asm/r586-sol.s
+asm/r586-elf.s: asm/rc5-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
+        (cd asm; $(PERL) rc5-586.pl elf $(CFLAGS) > r586-elf.s)
 
 # a.out
 asm/r586-out.o: asm/r586unix.cpp
@@ -94,14 +88,14 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
         mv -f Makefile.new $(MAKEFILE)
 
 clean:
-        rm -f asm/r586unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+        rm -f asm/r586unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
diff --git a/src/lib/libssl/src/crypto/ripemd/Makefile.ssl b/src/lib/libssl/src/crypto/ripemd/Makefile.ssl
index 7ab5d2fc9e..d85515353b 100644
--- a/src/lib/libssl/src/crypto/ripemd/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/ripemd/Makefile.ssl
@@ -47,14 +47,8 @@ lib:    $(LIBOBJ)
         @touch lib
 
 # elf
-asm/rm86-elf.o: asm/rm86unix.cpp
-        $(CPP) -DELF -x c asm/rm86unix.cpp | as -o asm/rm86-elf.o
-
-# solaris
-asm/rm86-sol.o: asm/rm86unix.cpp
-        $(CC) -E -DSOL asm/rm86unix.cpp | sed 's/^#.*//' > asm/rm86-sol.s
-        as -o asm/rm86-sol.o asm/rm86-sol.s
-        rm -f asm/rm86-sol.s
+asm/rm86-elf.s: asm/rmd-586.pl ../perlasm/x86asm.pl
+        (cd asm; $(PERL) rmd-586.pl elf $(CFLAGS) > rm86-elf.s)
 
 # a.out
 asm/rm86-out.o: asm/rm86unix.cpp
@@ -92,19 +86,22 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
         mv -f Makefile.new $(MAKEFILE)
 
 clean:
-        rm -f asm/rm86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+        rm -f asm/rm86unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 rmd_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
 rmd_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ripemd.h
 rmd_dgst.o: ../md32_common.h rmd_dgst.c rmd_locl.h rmdconst.h
-rmd_one.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-rmd_one.o: ../../include/openssl/ripemd.h rmd_one.c
+rmd_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+rmd_one.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+rmd_one.o: ../../include/openssl/ripemd.h ../../include/openssl/safestack.h
+rmd_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rmd_one.o: rmd_one.c
diff --git a/src/lib/libssl/src/crypto/ripemd/rmd160.c b/src/lib/libssl/src/crypto/ripemd/rmd160.c
index 4f8b88a18a..b0ec574498 100644
--- a/src/lib/libssl/src/crypto/ripemd/rmd160.c
+++ b/src/lib/libssl/src/crypto/ripemd/rmd160.c
@@ -64,7 +64,7 @@
 
 void do_fp(FILE *f);
 void pt(unsigned char *md);
-#ifndef _OSD_POSIX
+#if !defined(_OSD_POSIX) && !defined(__DJGPP__)
 int read(int, void *, unsigned int);
 #endif
 
diff --git a/src/lib/libssl/src/crypto/ripemd/rmd_dgst.c b/src/lib/libssl/src/crypto/ripemd/rmd_dgst.c
index a3170f7c8a..f351f00eea 100644
--- a/src/lib/libssl/src/crypto/ripemd/rmd_dgst.c
+++ b/src/lib/libssl/src/crypto/ripemd/rmd_dgst.c
@@ -90,8 +90,8 @@ int RIPEMD160_Init(RIPEMD160_CTX *c)
 void ripemd160_block_host_order (RIPEMD160_CTX *ctx, const void *p, int num)
         {
         const RIPEMD160_LONG *XX=p;
-        register unsigned long A,B,C,D,E;
-        register unsigned long a,b,c,d,e;
+        register unsigned MD32_REG_T A,B,C,D,E;
+        register unsigned MD32_REG_T a,b,c,d,e;
 
         for (;num--;XX+=HASH_LBLOCK)
                 {
@@ -290,12 +290,12 @@ void ripemd160_block_host_order (RIPEMD160_CTX *ctx, const void *p, int num)
 void ripemd160_block_data_order (RIPEMD160_CTX *ctx, const void *p, int num)
         {
         const unsigned char *data=p;
-        register unsigned long A,B,C,D,E;
-        unsigned long a,b,c,d,e,l;
+        register unsigned MD32_REG_T A,B,C,D,E;
+        unsigned MD32_REG_T a,b,c,d,e,l;
 #ifndef MD32_XARRAY
         /* See comment in crypto/sha/sha_locl.h for details. */
-        unsigned long   XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
-                        XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+        unsigned MD32_REG_T     XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+                                XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
 # define X(i)   XX##i
 #else
         RIPEMD160_LONG  XX[16];
diff --git a/src/lib/libssl/src/crypto/ripemd/rmd_one.c b/src/lib/libssl/src/crypto/ripemd/rmd_one.c
index efdf2dd6ef..f8b580c33a 100644
--- a/src/lib/libssl/src/crypto/ripemd/rmd_one.c
+++ b/src/lib/libssl/src/crypto/ripemd/rmd_one.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <openssl/ripemd.h>
+#include <openssl/crypto.h>
 
 unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
              unsigned char *md)
@@ -70,7 +71,7 @@ unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
         RIPEMD160_Init(&c);
         RIPEMD160_Update(&c,d,n);
         RIPEMD160_Final(md,&c);
-        memset(&c,0,sizeof(c)); /* security consideration */
+        OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */
         return(md);
         }
 
diff --git a/src/lib/libssl/src/crypto/ripemd/rmdtest.c b/src/lib/libssl/src/crypto/ripemd/rmdtest.c
index be1fb8b1f6..d4c709e646 100644
--- a/src/lib/libssl/src/crypto/ripemd/rmdtest.c
+++ b/src/lib/libssl/src/crypto/ripemd/rmdtest.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_RIPEMD
 int main(int argc, char *argv[])
 {
@@ -127,7 +129,7 @@ int main(int argc, char *argv[])
                 R++;
                 P++;
                 }
-        exit(err);
+        EXIT(err);
         return(0);
         }
 
diff --git a/src/lib/libssl/src/crypto/rsa/Makefile.ssl b/src/lib/libssl/src/crypto/rsa/Makefile.ssl
index 8c44b7f142..8089344a04 100644
--- a/src/lib/libssl/src/crypto/rsa/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/rsa/Makefile.ssl
@@ -72,7 +72,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -104,14 +104,12 @@ rsa_chk.o: rsa_chk.c
 rsa_eay.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_eay.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_eay.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-rsa_eay.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-rsa_eay.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-rsa_eay.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-rsa_eay.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-rsa_eay.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-rsa_eay.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-rsa_eay.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-rsa_eay.o: ../../include/openssl/ui.h ../cryptlib.h rsa_eay.c
+rsa_eay.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rsa_eay.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+rsa_eay.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rsa_eay.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+rsa_eay.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rsa_eay.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_eay.c
 rsa_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 rsa_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
 rsa_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@@ -217,21 +215,21 @@ rsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 rsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 rsa_sign.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
 rsa_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-rsa_sign.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-rsa_sign.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-rsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-rsa_sign.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-rsa_sign.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-rsa_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+rsa_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+rsa_sign.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+rsa_sign.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+rsa_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+rsa_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+rsa_sign.o: ../../include/openssl/opensslconf.h
 rsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-rsa_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-rsa_sign.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-rsa_sign.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-rsa_sign.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-rsa_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-rsa_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-rsa_sign.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-rsa_sign.o: ../../include/openssl/x509_vfy.h ../cryptlib.h rsa_sign.c
+rsa_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+rsa_sign.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+rsa_sign.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+rsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+rsa_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rsa_sign.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+rsa_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+rsa_sign.o: ../cryptlib.h rsa_sign.c
 rsa_ssl.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_ssl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_ssl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
diff --git a/src/lib/libssl/src/crypto/rsa/rsa.h b/src/lib/libssl/src/crypto/rsa/rsa.h
index 98b3bd7cc5..e26a68b482 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa.h
+++ b/src/lib/libssl/src/crypto/rsa/rsa.h
@@ -158,6 +158,11 @@ struct rsa_st
 #define RSA_FLAG_CACHE_PUBLIC           0x02
 #define RSA_FLAG_CACHE_PRIVATE          0x04
 #define RSA_FLAG_BLINDING               0x08
+#define RSA_FLAG_NO_BLINDING            0x80 /* new with 0.9.6j and 0.9.7b; the built-in
+                                              * RSA implementation now uses blinding by
+                                              * default (ignoring RSA_FLAG_BLINDING),
+                                              * but other engines might not need it
+                                              */
 #define RSA_FLAG_THREAD_SAFE            0x10
 /* This flag means the private key operations will be handled by rsa_mod_exp
  * and that they do not depend on the private key components being present:
@@ -170,11 +175,15 @@ struct rsa_st
  */
 #define RSA_FLAG_SIGN_VER               0x40
 
+#define RSA_FLAG_NO_BLINDING            0x80
+
 #define RSA_PKCS1_PADDING       1
 #define RSA_SSLV23_PADDING      2
 #define RSA_NO_PADDING          3
 #define RSA_PKCS1_OAEP_PADDING  4
 
+#define RSA_PKCS1_PADDING_SIZE  11
+
 #define RSA_set_app_data(s,arg)         RSA_set_ex_data(s,0,arg)
 #define RSA_get_app_data(s)             RSA_get_ex_data(s,0)
 
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_eay.c b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
index a3f549d8e6..027b4dc754 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_eay.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
@@ -61,7 +61,6 @@
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
-#include <openssl/engine.h>
 
 #ifndef RSA_NULL
 
@@ -187,7 +186,7 @@ err:
         BN_clear_free(&ret);
         if (buf != NULL) 
                 {
-                memset(buf,0,num);
+                OPENSSL_cleanse(buf,num);
                 OPENSSL_free(buf);
                 }
         return(r);
@@ -206,12 +205,46 @@ static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
 
 #define BLINDING_HELPER(rsa, ctx, err_instr) \
         do { \
-                if(((rsa)->flags & RSA_FLAG_BLINDING) && \
-                                ((rsa)->blinding == NULL) && \
-                                !rsa_eay_blinding(rsa, ctx)) \
-                        err_instr \
+                if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \
+                    ((rsa)->blinding == NULL) && \
+                    !rsa_eay_blinding(rsa, ctx)) \
+                    err_instr \
         } while(0)
 
+static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx)
+        {
+        BIGNUM *A, *Ai;
+        BN_BLINDING *ret = NULL;
+
+        /* added in OpenSSL 0.9.6j and 0.9.7b */
+
+        /* NB: similar code appears in RSA_blinding_on (rsa_lib.c);
+         * this should be placed in a new function of its own, but for reasons
+         * of binary compatibility can't */
+
+        BN_CTX_start(ctx);
+        A = BN_CTX_get(ctx);
+        if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
+                {
+                /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
+                RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
+                if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
+                }
+        else
+                {
+                if (!BN_rand_range(A,rsa->n)) goto err;
+                }
+        if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
+
+        if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
+                goto err;
+        ret = BN_BLINDING_new(A,Ai,rsa->n);
+        BN_free(Ai);
+err:
+        BN_CTX_end(ctx);
+        return ret;
+        }
+
 /* signing */
 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
              unsigned char *to, RSA *rsa, int padding)
@@ -220,6 +253,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
         int i,j,k,num=0,r= -1;
         unsigned char *buf=NULL;
         BN_CTX *ctx=NULL;
+        int local_blinding = 0;
+        BN_BLINDING *blinding = NULL;
 
         BN_init(&f);
         BN_init(&ret);
@@ -257,9 +292,38 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                 }
 
         BLINDING_HELPER(rsa, ctx, goto err;);
+        blinding = rsa->blinding;
+        
+        /* Now unless blinding is disabled, 'blinding' is non-NULL.
+         * But the BN_BLINDING object may be owned by some other thread
+         * (we don't want to keep it constant and we don't want to use
+         * lots of locking to avoid race conditions, so only a single
+         * thread can use it; other threads have to use local blinding
+         * factors) */
+        if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
+                {
+                if (blinding == NULL)
+                        {
+                        RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+                }
+        
+        if (blinding != NULL)
+                {
+                if (blinding->thread_id != CRYPTO_thread_id())
+                        {
+                        /* we need a local one-time blinding factor */
+
+                        blinding = setup_blinding(rsa, ctx);
+                        if (blinding == NULL)
+                                goto err;
+                        local_blinding = 1;
+                        }
+                }
 
-        if (rsa->flags & RSA_FLAG_BLINDING)
-                if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
+        if (blinding)
+                if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
 
         if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
                 ((rsa->p != NULL) &&
@@ -273,8 +337,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
                 }
 
-        if (rsa->flags & RSA_FLAG_BLINDING)
-                if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
+        if (blinding)
+                if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
 
         /* put in leading 0 bytes if the number is less than the
          * length of the modulus */
@@ -288,9 +352,11 @@ err:
         if (ctx != NULL) BN_CTX_free(ctx);
         BN_clear_free(&ret);
         BN_clear_free(&f);
+        if (local_blinding)
+                BN_BLINDING_free(blinding);
         if (buf != NULL)
                 {
-                memset(buf,0,num);
+                OPENSSL_cleanse(buf,num);
                 OPENSSL_free(buf);
                 }
         return(r);
@@ -304,6 +370,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
         unsigned char *p;
         unsigned char *buf=NULL;
         BN_CTX *ctx=NULL;
+        int local_blinding = 0;
+        BN_BLINDING *blinding = NULL;
 
         BN_init(&f);
         BN_init(&ret);
@@ -336,9 +404,38 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                 }
 
         BLINDING_HELPER(rsa, ctx, goto err;);
+        blinding = rsa->blinding;
+        
+        /* Now unless blinding is disabled, 'blinding' is non-NULL.
+         * But the BN_BLINDING object may be owned by some other thread
+         * (we don't want to keep it constant and we don't want to use
+         * lots of locking to avoid race conditions, so only a single
+         * thread can use it; other threads have to use local blinding
+         * factors) */
+        if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
+                {
+                if (blinding == NULL)
+                        {
+                        RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+                }
+        
+        if (blinding != NULL)
+                {
+                if (blinding->thread_id != CRYPTO_thread_id())
+                        {
+                        /* we need a local one-time blinding factor */
+
+                        blinding = setup_blinding(rsa, ctx);
+                        if (blinding == NULL)
+                                goto err;
+                        local_blinding = 1;
+                        }
+                }
 
-        if (rsa->flags & RSA_FLAG_BLINDING)
-                if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
+        if (blinding)
+                if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
 
         /* do the decrypt */
         if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -354,8 +451,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                         goto err;
                 }
 
-        if (rsa->flags & RSA_FLAG_BLINDING)
-                if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
+        if (blinding)
+                if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
 
         p=buf;
         j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
@@ -389,7 +486,7 @@ err:
         BN_clear_free(&ret);
         if (buf != NULL)
                 {
-                memset(buf,0,num);
+                OPENSSL_cleanse(buf,num);
                 OPENSSL_free(buf);
                 }
         return(r);
@@ -486,7 +583,7 @@ err:
         BN_clear_free(&ret);
         if (buf != NULL)
                 {
-                memset(buf,0,num);
+                OPENSSL_cleanse(buf,num);
                 OPENSSL_free(buf);
                 }
         return(r);
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_lib.c b/src/lib/libssl/src/crypto/rsa/rsa_lib.c
index 37fff8bce3..53c5092014 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_lib.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_lib.c
@@ -62,7 +62,10 @@
 #include <openssl/lhash.h>
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
+#include <openssl/rand.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 
 const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT;
 
@@ -72,10 +75,6 @@ RSA *RSA_new(void)
         {
         RSA *r=RSA_new_method(NULL);
 
-#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
-        r->flags|=RSA_FLAG_BLINDING;
-#endif
-
         return r;
         }
 
@@ -114,11 +113,13 @@ int RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
         const RSA_METHOD *mtmp;
         mtmp = rsa->meth;
         if (mtmp->finish) mtmp->finish(rsa);
+#ifndef OPENSSL_NO_ENGINE
         if (rsa->engine)
                 {
                 ENGINE_finish(rsa->engine);
                 rsa->engine = NULL;
                 }
+#endif
         rsa->meth = meth;
         if (meth->init) meth->init(rsa);
         return 1;
@@ -136,6 +137,7 @@ RSA *RSA_new_method(ENGINE *engine)
                 }
 
         ret->meth = RSA_get_default_method();
+#ifndef OPENSSL_NO_ENGINE
         if (engine)
                 {
                 if (!ENGINE_init(engine))
@@ -160,6 +162,7 @@ RSA *RSA_new_method(ENGINE *engine)
                         return NULL;
                         }
                 }
+#endif
 
         ret->pad=0;
         ret->version=0;
@@ -181,8 +184,10 @@ RSA *RSA_new_method(ENGINE *engine)
         CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
         if ((ret->meth->init != NULL) && !ret->meth->init(ret))
                 {
+#ifndef OPENSSL_NO_ENGINE
                 if (ret->engine)
                         ENGINE_finish(ret->engine);
+#endif
                 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
                 OPENSSL_free(ret);
                 ret=NULL;
@@ -211,8 +216,10 @@ void RSA_free(RSA *r)
 
         if (r->meth->finish)
                 r->meth->finish(r);
+#ifndef OPENSSL_NO_ENGINE
         if (r->engine)
                 ENGINE_finish(r->engine);
+#endif
 
         CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
 
@@ -303,7 +310,8 @@ void RSA_blinding_off(RSA *rsa)
                 BN_BLINDING_free(rsa->blinding);
                 rsa->blinding=NULL;
                 }
-        rsa->flags&= ~RSA_FLAG_BLINDING;
+        rsa->flags &= ~RSA_FLAG_BLINDING;
+        rsa->flags |= RSA_FLAG_NO_BLINDING;
         }
 
 int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
@@ -322,15 +330,32 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
         if (rsa->blinding != NULL)
                 BN_BLINDING_free(rsa->blinding);
 
+        /* NB: similar code appears in setup_blinding (rsa_eay.c);
+         * this should be placed in a new function of its own, but for reasons
+         * of binary compatibility can't */
+
         BN_CTX_start(ctx);
         A = BN_CTX_get(ctx);
-        if (!BN_rand_range(A,rsa->n)) goto err;
+        if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
+                {
+                /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
+                RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
+                if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
+                }
+        else
+                {
+                if (!BN_rand_range(A,rsa->n)) goto err;
+                }
         if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
 
         if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
-            goto err;
-        rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n);
-        rsa->flags|=RSA_FLAG_BLINDING;
+                goto err;
+        if ((rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n)) == NULL) goto err;
+        /* to make things thread-safe without excessive locking,
+         * rsa->blinding will be used just by the current thread: */
+        rsa->blinding->thread_id = CRYPTO_thread_id();
+        rsa->flags |= RSA_FLAG_BLINDING;
+        rsa->flags &= ~RSA_FLAG_NO_BLINDING;
         BN_free(Ai);
         ret=1;
 err:
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_pk1.c b/src/lib/libssl/src/crypto/rsa/rsa_pk1.c
index c1edd6764f..8560755f1d 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_pk1.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_pk1.c
@@ -68,7 +68,7 @@ int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
         int j;
         unsigned char *p;
 
-        if (flen > (tlen-11))
+        if (flen > (tlen-RSA_PKCS1_PADDING_SIZE))
                 {
                 RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
                 return(0);
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_saos.c b/src/lib/libssl/src/crypto/rsa/rsa_saos.c
index 85adacc08f..f462716a57 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_saos.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_saos.c
@@ -77,7 +77,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type,
 
         i=i2d_ASN1_OCTET_STRING(&sig,NULL);
         j=RSA_size(rsa);
-        if ((i-RSA_PKCS1_PADDING) > j)
+        if (i > (j-RSA_PKCS1_PADDING_SIZE))
                 {
                 RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
                 return(0);
@@ -96,7 +96,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type,
         else
                 *siglen=i;
 
-        memset(s,0,(unsigned int)j+1);
+        OPENSSL_cleanse(s,(unsigned int)j+1);
         OPENSSL_free(s);
         return(ret);
         }
@@ -139,7 +139,7 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype,
                 ret=1;
 err:
         if (sig != NULL) M_ASN1_OCTET_STRING_free(sig);
-        memset(s,0,(unsigned int)siglen);
+        OPENSSL_cleanse(s,(unsigned int)siglen);
         OPENSSL_free(s);
         return(ret);
         }
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_sign.c b/src/lib/libssl/src/crypto/rsa/rsa_sign.c
index 2a440901de..8a1e642183 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_sign.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_sign.c
@@ -62,7 +62,6 @@
 #include <openssl/rsa.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
-#include <openssl/engine.h>
 
 /* Size of an SSL signature: MD5+SHA1 */
 #define SSL_SIG_LENGTH  36
@@ -77,10 +76,11 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
         const unsigned char *s = NULL;
         X509_ALGOR algor;
         ASN1_OCTET_STRING digest;
-        if((rsa->flags & RSA_FLAG_SIGN_VER)
-              && ENGINE_get_RSA(rsa->engine)->rsa_sign)
-              return ENGINE_get_RSA(rsa->engine)->rsa_sign(type,
-                        m, m_len, sigret, siglen, rsa);
+        if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
+                {
+                return rsa->meth->rsa_sign(type, m, m_len,
+                        sigret, siglen, rsa);
+                }
         /* Special case: SSL signature, just check the length */
         if(type == NID_md5_sha1) {
                 if(m_len != SSL_SIG_LENGTH) {
@@ -113,7 +113,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
                 i=i2d_X509_SIG(&sig,NULL);
         }
         j=RSA_size(rsa);
-        if ((i-RSA_PKCS1_PADDING) > j)
+        if (i > (j-RSA_PKCS1_PADDING_SIZE))
                 {
                 RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
                 return(0);
@@ -136,7 +136,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
                 *siglen=i;
 
         if(type != NID_md5_sha1) {
-                memset(tmps,0,(unsigned int)j+1);
+                OPENSSL_cleanse(tmps,(unsigned int)j+1);
                 OPENSSL_free(tmps);
         }
         return(ret);
@@ -155,10 +155,11 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
                 return(0);
                 }
 
-        if((rsa->flags & RSA_FLAG_SIGN_VER)
-            && ENGINE_get_RSA(rsa->engine)->rsa_verify)
-            return ENGINE_get_RSA(rsa->engine)->rsa_verify(dtype,
-                        m, m_len, sigbuf, siglen, rsa);
+        if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)
+                {
+                return rsa->meth->rsa_verify(dtype, m, m_len,
+                        sigbuf, siglen, rsa);
+                }
 
         s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen);
         if (s == NULL)
@@ -221,7 +222,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
         }
 err:
         if (sig != NULL) X509_SIG_free(sig);
-        memset(s,0,(unsigned int)siglen);
+        OPENSSL_cleanse(s,(unsigned int)siglen);
         OPENSSL_free(s);
         return(ret);
         }
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_test.c b/src/lib/libssl/src/crypto/rsa/rsa_test.c
index b8b462d33b..924e9ad1f6 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_test.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_test.c
@@ -16,7 +16,6 @@ int main(int argc, char *argv[])
 }
 #else
 #include <openssl/rsa.h>
-#include <openssl/engine.h>
 
 #define SetKey \
   key->n = BN_bin2bn(n, sizeof(n)-1, key->n); \
diff --git a/src/lib/libssl/src/crypto/sha/Makefile.ssl b/src/lib/libssl/src/crypto/sha/Makefile.ssl
index 0aa678d6f4..d52fb62b4f 100644
--- a/src/lib/libssl/src/crypto/sha/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/sha/Makefile.ssl
@@ -47,14 +47,8 @@ lib:    $(LIBOBJ)
         @touch lib
 
 # elf
-asm/sx86-elf.o: asm/sx86unix.cpp
-        $(CPP) -DELF -x c asm/sx86unix.cpp | as -o asm/sx86-elf.o
-
-# solaris
-asm/sx86-sol.o: asm/sx86unix.cpp
-        $(CC) -E -DSOL asm/sx86unix.cpp | sed 's/^#.*//' > asm/sx86-sol.s
-        as -o asm/sx86-sol.o asm/sx86-sol.s
-        rm -f asm/sx86-sol.s
+asm/sx86-elf.s: asm/sha1-586.pl ../perlasm/x86asm.pl
+        (cd asm; $(PERL) sha1-586.pl elf $(CFLAGS) $(PROCESSOR) > sx86-elf.s)
 
 # a.out
 asm/sx86-out.o: asm/sx86unix.cpp
@@ -92,24 +86,30 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
         mv -f Makefile.new $(MAKEFILE)
 
 clean:
-        rm -f asm/sx86unix.cpp *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff asm/*.o
+        rm -f asm/sx86unix.cpp asm/*-elf.* *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff asm/*.o
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-sha1_one.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-sha1_one.o: ../../include/openssl/sha.h sha1_one.c
+sha1_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+sha1_one.o: ../../include/openssl/opensslconf.h
+sha1_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+sha1_one.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+sha1_one.o: ../../include/openssl/symhacks.h sha1_one.c
 sha1dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
 sha1dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h
 sha1dgst.o: ../md32_common.h sha1dgst.c sha_locl.h
 sha_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
 sha_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h
 sha_dgst.o: ../md32_common.h sha_dgst.c sha_locl.h
-sha_one.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-sha_one.o: ../../include/openssl/sha.h sha_one.c
+sha_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+sha_one.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+sha_one.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+sha_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+sha_one.o: sha_one.c
diff --git a/src/lib/libssl/src/crypto/sha/sha1_one.c b/src/lib/libssl/src/crypto/sha/sha1_one.c
index e6a24888ed..20e660c71d 100644
--- a/src/lib/libssl/src/crypto/sha/sha1_one.c
+++ b/src/lib/libssl/src/crypto/sha/sha1_one.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <openssl/sha.h>
+#include <openssl/crypto.h>
 
 #ifndef OPENSSL_NO_SHA1
 unsigned char *SHA1(const unsigned char *d, unsigned long n, unsigned char *md)
@@ -70,7 +71,7 @@ unsigned char *SHA1(const unsigned char *d, unsigned long n, unsigned char *md)
         SHA1_Init(&c);
         SHA1_Update(&c,d,n);
         SHA1_Final(md,&c);
-        memset(&c,0,sizeof(c));
+        OPENSSL_cleanse(&c,sizeof(c));
         return(md);
         }
 #endif
diff --git a/src/lib/libssl/src/crypto/sha/sha1test.c b/src/lib/libssl/src/crypto/sha/sha1test.c
index 499a1cf5af..4f2e4ada2d 100644
--- a/src/lib/libssl/src/crypto/sha/sha1test.c
+++ b/src/lib/libssl/src/crypto/sha/sha1test.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_SHA
 int main(int argc, char *argv[])
 {
@@ -155,7 +157,7 @@ int main(int argc, char *argv[])
                 }
         else
                 printf("test 3 ok\n");
-        exit(err);
+        EXIT(err);
         EVP_MD_CTX_cleanup(&c);
         return(0);
         }
diff --git a/src/lib/libssl/src/crypto/sha/sha_locl.h b/src/lib/libssl/src/crypto/sha/sha_locl.h
index 471dfb9f8f..2dd63a62a6 100644
--- a/src/lib/libssl/src/crypto/sha/sha_locl.h
+++ b/src/lib/libssl/src/crypto/sha/sha_locl.h
@@ -224,10 +224,10 @@ int HASH_INIT (SHA_CTX *c)
 void HASH_BLOCK_HOST_ORDER (SHA_CTX *c, const void *d, int num)
         {
         const SHA_LONG *W=d;
-        register unsigned long A,B,C,D,E,T;
+        register unsigned MD32_REG_T A,B,C,D,E,T;
 #ifndef MD32_XARRAY
-        unsigned long   XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
-                        XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+        unsigned MD32_REG_T     XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+                                XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
 #else
         SHA_LONG        XX[16];
 #endif
@@ -349,10 +349,10 @@ void HASH_BLOCK_HOST_ORDER (SHA_CTX *c, const void *d, int num)
 void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, const void *p, int num)
         {
         const unsigned char *data=p;
-        register unsigned long A,B,C,D,E,T,l;
+        register unsigned MD32_REG_T A,B,C,D,E,T,l;
 #ifndef MD32_XARRAY
-        unsigned long   XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
-                        XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+        unsigned MD32_REG_T     XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+                                XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
 #else
         SHA_LONG        XX[16];
 #endif
diff --git a/src/lib/libssl/src/crypto/sha/sha_one.c b/src/lib/libssl/src/crypto/sha/sha_one.c
index 5426faae4a..e61c63f3e9 100644
--- a/src/lib/libssl/src/crypto/sha/sha_one.c
+++ b/src/lib/libssl/src/crypto/sha/sha_one.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <openssl/sha.h>
+#include <openssl/crypto.h>
 
 #ifndef OPENSSL_NO_SHA0
 unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md)
@@ -70,7 +71,7 @@ unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md)
         SHA_Init(&c);
         SHA_Update(&c,d,n);
         SHA_Final(md,&c);
-        memset(&c,0,sizeof(c));
+        OPENSSL_cleanse(&c,sizeof(c));
         return(md);
         }
 #endif
diff --git a/src/lib/libssl/src/crypto/sha/shatest.c b/src/lib/libssl/src/crypto/sha/shatest.c
index 331294a74f..5d2b1d3b1a 100644
--- a/src/lib/libssl/src/crypto/sha/shatest.c
+++ b/src/lib/libssl/src/crypto/sha/shatest.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "../e_os.h"
+
 #ifdef OPENSSL_NO_SHA
 int main(int argc, char *argv[])
 {
@@ -156,7 +158,7 @@ int main(int argc, char *argv[])
         else
                 printf("test 3 ok\n");
         EVP_MD_CTX_cleanup(&c);
-        exit(err);
+        EXIT(err);
         return(0);
         }
 
diff --git a/src/lib/libssl/src/crypto/stack/Makefile.ssl b/src/lib/libssl/src/crypto/stack/Makefile.ssl
index 8574739c76..7120fb804a 100644
--- a/src/lib/libssl/src/crypto/stack/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/stack/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/threads/mttest.c b/src/lib/libssl/src/crypto/threads/mttest.c
index c474a63c74..8973921778 100644
--- a/src/lib/libssl/src/crypto/threads/mttest.c
+++ b/src/lib/libssl/src/crypto/threads/mttest.c
@@ -86,11 +86,6 @@
 #include <openssl/err.h>
 #include <openssl/rand.h>
 
-#ifdef OPENSSL_NO_FP_API
-#define APPS_WIN16
-#include "../buffer/bss_file.c"
-#endif
-
 #define TEST_SERVER_CERT "../../apps/server.pem"
 #define TEST_CLIENT_CERT "../../apps/client.pem"
 
diff --git a/src/lib/libssl/src/crypto/tmdiff.c b/src/lib/libssl/src/crypto/tmdiff.c
index 7ebf2b202a..307523ebba 100644
--- a/src/lib/libssl/src/crypto/tmdiff.c
+++ b/src/lib/libssl/src/crypto/tmdiff.c
@@ -59,13 +59,16 @@
 #include <stdlib.h>
 #include "cryptlib.h"
 #include <openssl/tmdiff.h>
+#if !defined(OPENSSL_SYS_MSDOS)
+#include OPENSSL_UNISTD
+#endif
 
 #ifdef TIMEB
 #undef OPENSSL_SYS_WIN32
 #undef TIMES
 #endif
 
-#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_VMS) || defined(__DECC) && !defined(OPENSSL_SYS_MACOSX) && !defined(OPENSSL_SYS_VXWORKS)
+#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32) && !(defined(OPENSSL_SYS_VMS) || defined(__DECC)) && !defined(OPENSSL_SYS_MACOSX_RHAPSODY) && !defined(OPENSSL_SYS_VXWORKS)
 # define TIMES
 #endif
 
@@ -101,14 +104,19 @@
 
 /* The following if from times(3) man page.  It may need to be changed */
 #ifndef HZ
-# ifndef CLK_TCK
-#  ifndef _BSD_CLK_TCK_ /* FreeBSD hack */
-#   define HZ  100.0
-#  else /* _BSD_CLK_TCK_ */
-#   define HZ ((double)_BSD_CLK_TCK_)
+# if defined(_SC_CLK_TCK) \
+     && (!defined(OPENSSL_SYS_VMS) || __CTRL_VER >= 70000000)
+#  define HZ ((double)sysconf(_SC_CLK_TCK))
+# else
+#  ifndef CLK_TCK
+#   ifndef _BSD_CLK_TCK_ /* FreeBSD hack */
+#    define HZ  100.0
+#   else /* _BSD_CLK_TCK_ */
+#    define HZ ((double)_BSD_CLK_TCK_)
+#   endif
+#  else /* CLK_TCK */
+#   define HZ ((double)CLK_TCK)
 #  endif
-# else /* CLK_TCK */
-#  define HZ ((double)CLK_TCK)
 # endif
 #endif
 
@@ -121,7 +129,7 @@ typedef struct ms_tm
         HANDLE thread_id;
         FILETIME ms_win32;
 #  else
-#    ifdef OPENSSL_SYS_VSWORKS
+#    ifdef OPENSSL_SYS_VXWORKS
           unsigned long ticks;
 #    else
         struct timeb ms_timeb;
@@ -163,7 +171,7 @@ void ms_time_get(char *a)
 #  ifdef OPENSSL_SYS_WIN32
         GetThreadTimes(tm->thread_id,&tmpa,&tmpb,&tmpc,&(tm->ms_win32));
 #  else
-#    ifdef OPENSSL_SYS_VSWORKS
+#    ifdef OPENSSL_SYS_VXWORKS
         tm->ticks = tickGet();
 #    else
         ftime(&tm->ms_timeb);
@@ -197,7 +205,7 @@ double ms_time_diff(char *ap, char *bp)
         ret=((double)(lb-la))/1e7;
         }
 # else
-#  ifdef OPENSSL_SYS_VSWORKS
+#  ifdef OPENSSL_SYS_VXWORKS
         ret = (double)(b->ticks - a->ticks) / (double)sysClkRateGet();
 #  else
         ret=     (double)(b->ms_timeb.time-a->ms_timeb.time)+
@@ -222,7 +230,7 @@ int ms_time_cmp(char *ap, char *bp)
         d =(b->ms_win32.dwHighDateTime&0x000fffff)*10+b->ms_win32.dwLowDateTime/1e7;
         d-=(a->ms_win32.dwHighDateTime&0x000fffff)*10+a->ms_win32.dwLowDateTime/1e7;
 # else
-#  ifdef OPENSSL_SYS_VSWORKS
+#  ifdef OPENSSL_SYS_VXWORKS
         d = (b->ticks - a->ticks);
 #  else
         d=       (double)(b->ms_timeb.time-a->ms_timeb.time)+
diff --git a/src/lib/libssl/src/crypto/txt_db/Makefile.ssl b/src/lib/libssl/src/crypto/txt_db/Makefile.ssl
index 61ff361348..6221dfae4d 100644
--- a/src/lib/libssl/src/crypto/txt_db/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/txt_db/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/txt_db/txt_db.c b/src/lib/libssl/src/crypto/txt_db/txt_db.c
index 9b186f2da5..58b300b00b 100644
--- a/src/lib/libssl/src/crypto/txt_db/txt_db.c
+++ b/src/lib/libssl/src/crypto/txt_db/txt_db.c
@@ -108,7 +108,7 @@ TXT_DB *TXT_DB_read(BIO *in, int num)
                 if (offset != 0)
                         {
                         size+=BUFSIZE;
-                        if (!BUF_MEM_grow(buf,size)) goto err;
+                        if (!BUF_MEM_grow_clean(buf,size)) goto err;
                         }
                 buf->data[offset]='\0';
                 BIO_gets(in,&(buf->data[offset]),size-offset);
@@ -268,7 +268,7 @@ long TXT_DB_write(BIO *out, TXT_DB *db)
                         if (pp[j] != NULL)
                                 l+=strlen(pp[j]);
                         }
-                if (!BUF_MEM_grow(buf,(int)(l*2+nn))) goto err;
+                if (!BUF_MEM_grow_clean(buf,(int)(l*2+nn))) goto err;
 
                 p=buf->data;
                 for (j=0; j<nn; j++)
diff --git a/src/lib/libssl/src/crypto/ui/Makefile.ssl b/src/lib/libssl/src/crypto/ui/Makefile.ssl
index 57b2e38335..ba46951d1c 100644
--- a/src/lib/libssl/src/crypto/ui/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/ui/Makefile.ssl
@@ -44,7 +44,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -72,7 +72,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -95,13 +95,13 @@ ui_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 ui_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 ui_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 ui_err.o: ../../include/openssl/ui.h ui_err.c
-ui_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-ui_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-ui_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-ui_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-ui_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-ui_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h ui_lib.c
-ui_lib.o: ui_locl.h
+ui_lib.o: ../../e_os.h ../../include/openssl/bio.h
+ui_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ui_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+ui_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+ui_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+ui_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ui_lib.o: ../../include/openssl/ui.h ../cryptlib.h ui_lib.c ui_locl.h
 ui_openssl.o: ../../e_os.h ../../include/openssl/bio.h
 ui_openssl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 ui_openssl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
diff --git a/src/lib/libssl/src/crypto/ui/ui_lib.c b/src/lib/libssl/src/crypto/ui/ui_lib.c
index cce9075ac1..33c86d76ef 100644
--- a/src/lib/libssl/src/crypto/ui/ui_lib.c
+++ b/src/lib/libssl/src/crypto/ui/ui_lib.c
@@ -62,6 +62,7 @@
 #include <openssl/ui.h>
 #include <openssl/err.h>
 #include "ui_locl.h"
+#include "cryptlib.h"
 
 IMPLEMENT_STACK_OF(UI_STRING_ST)
 
@@ -144,7 +145,8 @@ static UI_STRING *general_allocate_prompt(UI *ui, const char *prompt,
                 {
                 UIerr(UI_F_GENERAL_ALLOCATE_PROMPT,ERR_R_PASSED_NULL_PARAMETER);
                 }
-        else if (result_buf == NULL)
+        else if ((type == UIT_PROMPT || type == UIT_VERIFY
+                         || type == UIT_BOOLEAN) && result_buf == NULL)
                 {
                 UIerr(UI_F_GENERAL_ALLOCATE_PROMPT,UI_R_NO_RESULT_BUFFER);
                 }
@@ -235,7 +237,7 @@ static int general_allocate_boolean(UI *ui,
         return ret;
         }
 
-/* Returns the index to the place in the stack or 0 for error.  Uses a
+/* Returns the index to the place in the stack or -1 for error.  Uses a
    direct reference to the prompt.  */
 int UI_add_input_string(UI *ui, const char *prompt, int flags,
         char *result_buf, int minsize, int maxsize)
@@ -831,8 +833,8 @@ int UI_set_result(UI *ui, UI_STRING *uis, const char *result)
         case UIT_PROMPT:
         case UIT_VERIFY:
                 {
-                char number1[20];
-                char number2[20];
+                char number1[DECIMAL_SIZE(uis->_.string_data.result_minsize)+1];
+                char number2[DECIMAL_SIZE(uis->_.string_data.result_maxsize)+1];
 
                 BIO_snprintf(number1, sizeof(number1), "%d",
                         uis->_.string_data.result_minsize);
diff --git a/src/lib/libssl/src/crypto/ui/ui_openssl.c b/src/lib/libssl/src/crypto/ui/ui_openssl.c
index f47ed31cb0..75318d48a1 100644
--- a/src/lib/libssl/src/crypto/ui/ui_openssl.c
+++ b/src/lib/libssl/src/crypto/ui/ui_openssl.c
@@ -159,8 +159,10 @@
 
 #ifdef WIN_CONSOLE_BUG
 # include <windows.h>
+#ifndef OPENSSL_SYS_WINCE
 # include <wincon.h>
 #endif
+#endif
 
 
 /* There are 5 types of terminal interface supported,
@@ -191,7 +193,7 @@
 # define SGTTY
 #endif
 
-#if defined(OPENSSL_SYS_VSWORKS)
+#if defined(OPENSSL_SYS_VXWORKS)
 #undef TERMIOS
 #undef TERMIO
 #undef SGTTY
@@ -221,7 +223,7 @@
 # define TTY_set(tty,data)      ioctl(tty,TIOCSETP,data)
 #endif
 
-#if !defined(_LIBC) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC)
+#if !defined(_LIBC) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC) && !defined(OPENSSL_SYS_SUNOS)
 # include <sys/ioctl.h>
 #endif
 
@@ -241,6 +243,10 @@ struct IOSB {
         };
 #endif
 
+#ifdef OPENSSL_SYS_SUNOS
+        typedef int sig_atomic_t;
+#endif
+
 #if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(MAC_OS_GUSI_SOURCE)
 /*
  * This one needs work. As a matter of fact the code is unoperational
@@ -277,10 +283,12 @@ static FILE *tty_in, *tty_out;
 static int is_a_tty;
 
 /* Declare static functions */
+#if !defined(OPENSSL_SYS_WIN16) && !defined(OPENSSL_SYS_WINCE)
 static void read_till_nl(FILE *);
 static void recsig(int);
 static void pushsig(void);
 static void popsig(void);
+#endif
 #if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16)
 static int noecho_fgets(char *buf, int size, FILE *tty);
 #endif
@@ -367,6 +375,7 @@ static int read_string(UI *ui, UI_STRING *uis)
         }
 
 
+#if !defined(OPENSSL_SYS_WIN16) && !defined(OPENSSL_SYS_WINCE)
 /* Internal functions to read a string without echoing */
 static void read_till_nl(FILE *in)
         {
@@ -379,6 +388,7 @@ static void read_till_nl(FILE *in)
         }
 
 static volatile sig_atomic_t intr_signal;
+#endif
 
 static int read_string_inner(UI *ui, UI_STRING *uis, int echo, int strip_nl)
         {
@@ -386,9 +396,9 @@ static int read_string_inner(UI *ui, UI_STRING *uis, int echo, int strip_nl)
         int ok;
         char result[BUFSIZ];
         int maxsize = BUFSIZ-1;
+#if !defined(OPENSSL_SYS_WIN16) && !defined(OPENSSL_SYS_WINCE)
         char *p;
 
-#ifndef OPENSSL_SYS_WIN16
         intr_signal=0;
         ok=0;
         ps=0;
@@ -439,7 +449,7 @@ error:
         ok=1;
 #endif
 
-        memset(result,0,BUFSIZ);
+        OPENSSL_cleanse(result,BUFSIZ);
         return ok;
         }
 
@@ -450,7 +460,7 @@ static int open_console(UI *ui)
         CRYPTO_w_lock(CRYPTO_LOCK_UI);
         is_a_tty = 1;
 
-#if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_VSWORKS)
+#if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_VXWORKS)
         tty_in=stdin;
         tty_out=stderr;
 #else
@@ -540,7 +550,7 @@ static int echo_console(UI *ui)
 
 static int close_console(UI *ui)
         {
-        if (tty_in != stderr) fclose(tty_in);
+        if (tty_in != stdin) fclose(tty_in);
         if (tty_out != stderr) fclose(tty_out);
 #ifdef OPENSSL_SYS_VMS
         status = sys$dassgn(channel);
@@ -551,6 +561,7 @@ static int close_console(UI *ui)
         }
 
 
+#if !defined(OPENSSL_SYS_WIN16) && !defined(OPENSSL_SYS_WINCE)
 /* Internal functions to handle signals and act on them */
 static void pushsig(void)
         {
@@ -614,9 +625,10 @@ static void recsig(int i)
         {
         intr_signal=i;
         }
+#endif
 
 /* Internal functions specific for Windows */
-#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16)
+#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16) && !defined(OPENSSL_SYS_WINCE)
 static int noecho_fgets(char *buf, int size, FILE *tty)
         {
         int i;
diff --git a/src/lib/libssl/src/crypto/ui/ui_util.c b/src/lib/libssl/src/crypto/ui/ui_util.c
index f05573df33..46bc8c1a9a 100644
--- a/src/lib/libssl/src/crypto/ui/ui_util.c
+++ b/src/lib/libssl/src/crypto/ui/ui_util.c
@@ -62,7 +62,7 @@ int UI_UTIL_read_pw_string(char *buf,int length,const char *prompt,int verify)
         int ret;
 
         ret=UI_UTIL_read_pw(buf,buff,(length>BUFSIZ)?BUFSIZ:length,prompt,verify);
-        memset(buff,0,BUFSIZ);
+        OPENSSL_cleanse(buff,BUFSIZ);
         return(ret);
         }
 
@@ -78,12 +78,14 @@ int UI_UTIL_read_pw(char *buf,char *buff,int size,const char *prompt,int verify)
         if (ui)
                 {
                 ok = UI_add_input_string(ui,prompt,0,buf,0,size-1);
-                if (ok == 0 && verify)
+                if (ok >= 0 && verify)
                         ok = UI_add_verify_string(ui,prompt,0,buff,0,size-1,
                                 buf);
-                if (ok == 0)
+                if (ok >= 0)
                         ok=UI_process(ui);
                 UI_free(ui);
                 }
+        if (ok > 0)
+                ok = 0;
         return(ok);
         }
diff --git a/src/lib/libssl/src/crypto/uid.c b/src/lib/libssl/src/crypto/uid.c
index d3d249c36f..73205a4baa 100644
--- a/src/lib/libssl/src/crypto/uid.c
+++ b/src/lib/libssl/src/crypto/uid.c
@@ -65,7 +65,7 @@ int OPENSSL_issetugid(void)
         return issetugid();
         }
 
-#elif defined(OPENSSL_SYS_WIN32)
+#elif defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS)
 
 int OPENSSL_issetugid(void)
         {
diff --git a/src/lib/libssl/src/crypto/x509/Makefile.ssl b/src/lib/libssl/src/crypto/x509/Makefile.ssl
index ee53294699..3a3452536c 100644
--- a/src/lib/libssl/src/crypto/x509/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/x509/Makefile.ssl
@@ -78,7 +78,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/x509/by_file.c b/src/lib/libssl/src/crypto/x509/by_file.c
index 92e00d2d73..b4b04183d0 100644
--- a/src/lib/libssl/src/crypto/x509/by_file.c
+++ b/src/lib/libssl/src/crypto/x509/by_file.c
@@ -100,18 +100,19 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
         case X509_L_FILE_LOAD:
                 if (argl == X509_FILETYPE_DEFAULT)
                         {
-                        ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(),
-                                X509_FILETYPE_PEM) != 0);
+                        file = (char *)Getenv(X509_get_default_cert_file_env());
+                        if (file)
+                                ok = (X509_load_cert_crl_file(ctx,file,
+                                              X509_FILETYPE_PEM) != 0);
+
+                        else
+                                ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(),
+                                              X509_FILETYPE_PEM) != 0);
+
                         if (!ok)
                                 {
                                 X509err(X509_F_BY_FILE_CTRL,X509_R_LOADING_DEFAULTS);
                                 }
-                        else
-                                {
-                                file=(char *)Getenv(X509_get_default_cert_file_env());
-                                ok = (X509_load_cert_crl_file(ctx,file,
-                                        X509_FILETYPE_PEM) != 0);
-                                }
                         }
                 else
                         {
@@ -284,7 +285,8 @@ int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type)
                 if(itmp->x509) {
                         X509_STORE_add_cert(ctx->store_ctx, itmp->x509);
                         count++;
-                } else if(itmp->crl) {
+                }
+                if(itmp->crl) {
                         X509_STORE_add_crl(ctx->store_ctx, itmp->crl);
                         count++;
                 }
diff --git a/src/lib/libssl/src/crypto/x509/x509.h b/src/lib/libssl/src/crypto/x509/x509.h
index 7095440d36..eaad5685a8 100644
--- a/src/lib/libssl/src/crypto/x509/x509.h
+++ b/src/lib/libssl/src/crypto/x509/x509.h
@@ -87,7 +87,6 @@
 #ifndef OPENSSL_NO_SHA
 #include <openssl/sha.h>
 #endif
-#include <openssl/evp.h>
 #include <openssl/e_os2.h>
 #include <openssl/ossl_typ.h>
 
@@ -487,10 +486,12 @@ typedef struct Netscape_certificate_sequence
         STACK_OF(X509) *certs;
         } NETSCAPE_CERT_SEQUENCE;
 
+/* Unused (and iv length is wrong)
 typedef struct CBCParameter_st
         {
         unsigned char iv[8];
         } CBC_PARAM;
+*/
 
 /* Password based encryption structure */
 
diff --git a/src/lib/libssl/src/crypto/x509/x509_cmp.c b/src/lib/libssl/src/crypto/x509/x509_cmp.c
index cd20b6d66f..f460102f49 100644
--- a/src/lib/libssl/src/crypto/x509/x509_cmp.c
+++ b/src/lib/libssl/src/crypto/x509/x509_cmp.c
@@ -57,6 +57,7 @@
  */
 
 #include <stdio.h>
+#include <ctype.h>
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/objects.h>
@@ -81,13 +82,14 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
         unsigned long ret=0;
         EVP_MD_CTX ctx;
         unsigned char md[16];
-        char str[256];
+        char *f;
 
         EVP_MD_CTX_init(&ctx);
-        X509_NAME_oneline(a->cert_info->issuer,str,256);
-        ret=strlen(str);
+        f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
+        ret=strlen(f);
         EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
-        EVP_DigestUpdate(&ctx,(unsigned char *)str,ret);
+        EVP_DigestUpdate(&ctx,(unsigned char *)f,ret);
+        OPENSSL_free(f);
         EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
                 (unsigned long)a->cert_info->serialNumber->length);
         EVP_DigestFinal_ex(&ctx,&(md[0]),NULL);
@@ -159,6 +161,99 @@ int X509_cmp(const X509 *a, const X509 *b)
 }
 #endif
 
+
+/* Case insensitive string comparision */
+static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
+{
+        int i;
+
+        if (a->length != b->length)
+                return (a->length - b->length);
+
+        for (i=0; i<a->length; i++)
+        {
+                int ca, cb;
+
+                ca = tolower(a->data[i]);
+                cb = tolower(b->data[i]);
+
+                if (ca != cb)
+                        return(ca-cb);
+        }
+        return 0;
+}
+
+/* Case insensitive string comparision with space normalization 
+ * Space normalization - ignore leading, trailing spaces, 
+ *       multiple spaces between characters are replaced by single space  
+ */
+static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
+{
+        unsigned char *pa = NULL, *pb = NULL;
+        int la, lb;
+        
+        la = a->length;
+        lb = b->length;
+        pa = a->data;
+        pb = b->data;
+
+        /* skip leading spaces */
+        while (la > 0 && isspace(*pa))
+        {
+                la--;
+                pa++;
+        }
+        while (lb > 0 && isspace(*pb))
+        {
+                lb--;
+                pb++;
+        }
+
+        /* skip trailing spaces */
+        while (la > 0 && isspace(pa[la-1]))
+                la--;
+        while (lb > 0 && isspace(pb[lb-1]))
+                lb--;
+
+        /* compare strings with space normalization */
+        while (la > 0 && lb > 0)
+        {
+                int ca, cb;
+
+                /* compare character */
+                ca = tolower(*pa);
+                cb = tolower(*pb);
+                if (ca != cb)
+                        return (ca - cb);
+
+                pa++; pb++;
+                la--; lb--;
+
+                if (la <= 0 || lb <= 0)
+                        break;
+
+                /* is white space next character ? */
+                if (isspace(*pa) && isspace(*pb))
+                {
+                        /* skip remaining white spaces */
+                        while (la > 0 && isspace(*pa))
+                        {
+                                la--;
+                                pa++;
+                        }
+                        while (lb > 0 && isspace(*pb))
+                        {
+                                lb--;
+                                pb++;
+                        }
+                }
+        }
+        if (la > 0 || lb > 0)
+                return la - lb;
+
+        return 0;
+}
+
 int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
         {
         int i,j;
@@ -172,10 +267,20 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
                 {
                 na=sk_X509_NAME_ENTRY_value(a->entries,i);
                 nb=sk_X509_NAME_ENTRY_value(b->entries,i);
-                j=na->value->length-nb->value->length;
+                j=na->value->type-nb->value->type;
                 if (j) return(j);
-                j=memcmp(na->value->data,nb->value->data,
-                        na->value->length);
+                if (na->value->type == V_ASN1_PRINTABLESTRING)
+                        j=nocase_spacenorm_cmp(na->value, nb->value);
+                else if (na->value->type == V_ASN1_IA5STRING
+                        && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress)
+                        j=nocase_cmp(na->value, nb->value);
+                else
+                        {
+                        j=na->value->length-nb->value->length;
+                        if (j) return(j);
+                        j=memcmp(na->value->data,nb->value->data,
+                                na->value->length);
+                        }
                 if (j) return(j);
                 j=na->set-nb->set;
                 if (j) return(j);
diff --git a/src/lib/libssl/src/crypto/x509/x509_v3.c b/src/lib/libssl/src/crypto/x509/x509_v3.c
index b5f7daa2e5..67b1796a92 100644
--- a/src/lib/libssl/src/crypto/x509/x509_v3.c
+++ b/src/lib/libssl/src/crypto/x509/x509_v3.c
@@ -116,7 +116,7 @@ int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
                 {
                 ex=sk_X509_EXTENSION_value(sk,lastpos);
                 if (    ((ex->critical > 0) && crit) ||
-                        (!(ex->critical <= 0) && !crit))
+                        ((ex->critical <= 0) && !crit))
                         return(lastpos);
                 }
         return(-1);
diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c
index db12f7bd35..552d1e7251 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -756,7 +756,7 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
         {
         char *str;
         ASN1_TIME atm;
-        time_t offset;
+        long offset;
         char buff1[24],buff2[24],*p;
         int i,j;
 
diff --git a/src/lib/libssl/src/crypto/x509v3/Makefile.ssl b/src/lib/libssl/src/crypto/x509v3/Makefile.ssl
index 3534e8b236..66df90c346 100644
--- a/src/lib/libssl/src/crypto/x509v3/Makefile.ssl
+++ b/src/lib/libssl/src/crypto/x509v3/Makefile.ssl
@@ -74,7 +74,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/src/lib/libssl/src/crypto/x509v3/ext_dat.h b/src/lib/libssl/src/crypto/x509v3/ext_dat.h
index 2fb97d8925..5442480595 100644
--- a/src/lib/libssl/src/crypto/x509v3/ext_dat.h
+++ b/src/lib/libssl/src/crypto/x509v3/ext_dat.h
@@ -90,17 +90,23 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 &v3_crld,
 &v3_ext_ku,
 &v3_crl_reason,
+#ifndef OPENSSL_NO_OCSP
 &v3_crl_invdate,
+#endif
 &v3_sxnet,
 &v3_info,
+#ifndef OPENSSL_NO_OCSP
 &v3_ocsp_nonce,
 &v3_ocsp_crlid,
 &v3_ocsp_accresp,
 &v3_ocsp_nocheck,
 &v3_ocsp_acutoff,
 &v3_ocsp_serviceloc,
+#endif
 &v3_sinfo,
+#ifndef OPENSSL_NO_OCSP
 &v3_crl_hold
+#endif
 };
 
 /* Number of standard extensions */
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_info.c b/src/lib/libssl/src/crypto/x509v3/v3_info.c
index 92b9316b02..28cc00686a 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_info.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_info.c
@@ -113,8 +113,8 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method
                 ret = i2v_GENERAL_NAME(method, desc->location, ret);
                 if(!ret) break;
                 vtmp = sk_CONF_VALUE_value(ret, i);
-                i2t_ASN1_OBJECT(objtmp, 80, desc->method);
-                nlen = strlen(objtmp) + strlen(vtmp->name) + 4;
+                i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method);
+                nlen = strlen(objtmp) + strlen(vtmp->name) + 5;
                 ntmp = OPENSSL_malloc(nlen);
                 if(!ntmp) {
                         X509V3err(X509V3_F_I2V_AUTHORITY_INFO_ACCESS,
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_ocsp.c b/src/lib/libssl/src/crypto/x509v3/v3_ocsp.c
index 083112314e..21badc13f9 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_ocsp.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_ocsp.c
@@ -56,6 +56,8 @@
  *
  */
 
+#ifndef OPENSSL_NO_OCSP
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/conf.h>
@@ -270,3 +272,4 @@ static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int
 err:
         return 0;
         }
+#endif
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_prn.c b/src/lib/libssl/src/crypto/x509v3/v3_prn.c
index aeaf6170fe..754808b625 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_prn.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_prn.c
@@ -178,7 +178,7 @@ int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts
                 ASN1_OBJECT *obj;
                 X509_EXTENSION *ex;
                 ex=sk_X509_EXTENSION_value(exts, i);
-                if (BIO_printf(bp,"%*s",indent, "") <= 0) return 0;
+                if (indent && BIO_printf(bp,"%*s",indent, "") <= 0) return 0;
                 obj=X509_EXTENSION_get_object(ex);
                 i2a_ASN1_OBJECT(bp,obj);
                 j=X509_EXTENSION_get_critical(ex);
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_purp.c b/src/lib/libssl/src/crypto/x509v3/v3_purp.c
index b739e4fd83..4d145f71fd 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_purp.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_purp.c
@@ -378,6 +378,10 @@ static void x509v3_cache_extensions(X509 *x)
                                 case NID_time_stamp:
                                 x->ex_xkusage |= XKU_TIMESTAMP;
                                 break;
+
+                                case NID_dvcs:
+                                x->ex_xkusage |= XKU_DVCS;
+                                break;
                         }
                 }
                 sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_utl.c b/src/lib/libssl/src/crypto/x509v3/v3_utl.c
index 283e943e46..34ac2998de 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_utl.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_utl.c
@@ -491,7 +491,7 @@ static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens)
         i = -1;
         /* First supplied X509_NAME */
         while((i = X509_NAME_get_index_by_NID(name,
-                                         NID_pkcs9_emailAddress, i)) > 0) {
+                                         NID_pkcs9_emailAddress, i)) >= 0) {
                 ne = X509_NAME_get_entry(name, i);
                 email = X509_NAME_ENTRY_get_data(ne);
                 if(!append_ia5(&ret, email)) return NULL;
diff --git a/src/lib/libssl/src/crypto/x509v3/v3conf.c b/src/lib/libssl/src/crypto/x509v3/v3conf.c
index 67ee14f334..00cf5b4a5b 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3conf.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3conf.c
@@ -118,7 +118,7 @@ int main(int argc, char **argv)
                 printf("%s", OBJ_nid2ln(OBJ_obj2nid(ext->object)));
                 if(ext->critical) printf(",critical:\n");
                 else printf(":\n");
-                X509V3_EXT_print_fp(stdout, ext, 0);
+                X509V3_EXT_print_fp(stdout, ext, 0, 0);
                 printf("\n");
                 
         }
diff --git a/src/lib/libssl/src/crypto/x509v3/x509v3.h b/src/lib/libssl/src/crypto/x509v3/x509v3.h
index daecc55271..fb07a19016 100644
--- a/src/lib/libssl/src/crypto/x509v3/x509v3.h
+++ b/src/lib/libssl/src/crypto/x509v3/x509v3.h
@@ -352,6 +352,7 @@ DECLARE_ASN1_SET_OF(POLICYINFO)
 #define XKU_SGC                 0x10
 #define XKU_OCSP_SIGN           0x20
 #define XKU_TIMESTAMP           0x40
+#define XKU_DVCS                0x80
 
 #define X509_PURPOSE_DYNAMIC    0x1
 #define X509_PURPOSE_DYNAMIC_NAME       0x2
diff --git a/src/lib/libssl/src/demos/b64.c b/src/lib/libssl/src/demos/b64.c
index 113da89baf..efdd44457d 100644
--- a/src/lib/libssl/src/demos/b64.c
+++ b/src/lib/libssl/src/demos/b64.c
@@ -83,7 +83,6 @@ char **argv;
         unsigned char *buff=NULL,*bufsize=NULL;
         int bsize=BSIZE,verbose=0;
         int ret=1,inl;
-        unsigned char key[24],iv[MD5_DIGEST_LENGTH];
         char *str=NULL;
         char *hkey=NULL,*hiv=NULL;
         int enc=1,printkey=0,i,base64=0;
@@ -92,7 +91,6 @@ char **argv;
         char *inf=NULL,*outf=NULL;
         BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL;
 #define PROG_NAME_SIZE  39
-        char pname[PROG_NAME_SIZE+1];
 
 
         apps_startup();
diff --git a/src/lib/libssl/src/demos/bio/saccept.c b/src/lib/libssl/src/demos/bio/saccept.c
index 933d6699ee..40cd4daad2 100644
--- a/src/lib/libssl/src/demos/bio/saccept.c
+++ b/src/lib/libssl/src/demos/bio/saccept.c
@@ -45,6 +45,11 @@ char *argv[];
 
         SSL_load_error_strings();
 
+#ifdef WATT32
+        dbug_init();
+        sock_init();
+#endif
+
         /* Add ciphers and message digests */
         OpenSSL_add_ssl_algorithms();
 
diff --git a/src/lib/libssl/src/demos/bio/sconnect.c b/src/lib/libssl/src/demos/bio/sconnect.c
index 87b380b258..880344eb78 100644
--- a/src/lib/libssl/src/demos/bio/sconnect.c
+++ b/src/lib/libssl/src/demos/bio/sconnect.c
@@ -32,6 +32,11 @@ char *argv[];
         else
                 host=argv[1];
 
+#ifdef WATT32
+        dbug_init();
+        sock_init();
+#endif
+
         /* Lets get nice error messages */
         SSL_load_error_strings();
 
diff --git a/src/lib/libssl/src/demos/spkigen.c b/src/lib/libssl/src/demos/spkigen.c
index d87881197c..2cd5dfea97 100644
--- a/src/lib/libssl/src/demos/spkigen.c
+++ b/src/lib/libssl/src/demos/spkigen.c
@@ -65,7 +65,8 @@ char *argv[];
 
         fprintf(stderr,"please enter challenge string:");
         fflush(stderr);
-        fgets(buf,120,stdin);
+        buf[0]='\0';
+        fgets(buf,sizeof buf,stdin);
         i=strlen(buf);
         if (i > 0) buf[--i]='\0';
         if (!ASN1_STRING_set((ASN1_STRING *)spki->spkac->challenge,
diff --git a/src/lib/libssl/src/demos/x509/mkcert.c b/src/lib/libssl/src/demos/x509/mkcert.c
index 4709e18e7c..c5e67b8e28 100644
--- a/src/lib/libssl/src/demos/x509/mkcert.c
+++ b/src/lib/libssl/src/demos/x509/mkcert.c
@@ -9,7 +9,9 @@
 #include <openssl/pem.h>
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 
 int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days);
 int add_ext(X509 *cert, int nid, char *value);
@@ -35,7 +37,9 @@ int main(int argc, char **argv)
         X509_free(x509);
         EVP_PKEY_free(pkey);
 
+#ifndef OPENSSL_NO_ENGINE
         ENGINE_cleanup();
+#endif
         CRYPTO_cleanup_all_ex_data();
 
         CRYPTO_mem_leaks(bio_err);
@@ -88,7 +92,7 @@ int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days)
                 }
         rsa=NULL;
 
-        X509_set_version(x,3);
+        X509_set_version(x,2);
         ASN1_INTEGER_set(X509_get_serialNumber(x),serial);
         X509_gmtime_adj(X509_get_notBefore(x),0);
         X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);
diff --git a/src/lib/libssl/src/demos/x509/mkreq.c b/src/lib/libssl/src/demos/x509/mkreq.c
index d69dcc392b..3dfc65f164 100644
--- a/src/lib/libssl/src/demos/x509/mkreq.c
+++ b/src/lib/libssl/src/demos/x509/mkreq.c
@@ -8,7 +8,9 @@
 #include <openssl/pem.h>
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 
 int mkreq(X509_REQ **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days);
 int add_ext(STACK_OF(X509_REQUEST) *sk, int nid, char *value);
@@ -33,7 +35,9 @@ int main(int argc, char **argv)
         X509_REQ_free(req);
         EVP_PKEY_free(pkey);
 
+#ifndef OPENSSL_NO_ENGINE
         ENGINE_cleanup();
+#endif
         CRYPTO_cleanup_all_ex_data();
 
         CRYPTO_mem_leaks(bio_err);
diff --git a/src/lib/libssl/src/doc/HOWTO/certificates.txt b/src/lib/libssl/src/doc/HOWTO/certificates.txt
index 88048645db..d3a62545ad 100644
--- a/src/lib/libssl/src/doc/HOWTO/certificates.txt
+++ b/src/lib/libssl/src/doc/HOWTO/certificates.txt
@@ -1,6 +1,8 @@
 <DRAFT!>
                         HOWTO certificates
 
+1. Introduction
+
 How you handle certificates depend a great deal on what your role is.
 Your role can be one or several of:
 
@@ -13,12 +15,14 @@ Certificate authorities should read ca.txt.
 
 In all the cases shown below, the standard configuration file, as
 compiled into openssl, will be used.  You may find it in /etc/,
-/usr/local/ssr/ or somewhere else.  The name is openssl.cnf, and
+/usr/local/ssl/ or somewhere else.  The name is openssl.cnf, and
 is better described in another HOWTO <config.txt?>.  If you want to
 use a different configuration file, use the argument '-config {file}'
 with the command shown below.
 
 
+2. Relationship with keys
+
 Certificates are related to public key cryptography by containing a
 public key.  To be useful, there must be a corresponding private key
 somewhere.  With OpenSSL, public keys are easily derived from private
@@ -26,22 +30,25 @@ keys, so before you create a certificate or a certificate request, you
 need to create a private key.
 
 Private keys are generated with 'openssl genrsa' if you want a RSA
-private key, or 'openssl gendsa' if you want a DSA private key.  More
-info on how to handle these commands are found in the manual pages for
-those commands or by running them with the argument '-h'.  For the
-sake of the description in this file, let's assume that the private
-key ended up in the file privkey.pem (which is the default in some
-cases).
-
-
-Let's start with the most normal way of getting a certificate.  Most
-often, you want or need to get a certificate from a certificate
-authority.  To handle that, the certificate authority needs a
-certificate request (or, as some certificate authorities like to put
+private key, or 'openssl gendsa' if you want a DSA private key.
+Further information on how to create private keys can be found in
+another HOWTO <keys.txt?>.  The rest of this text assumes you have
+a private key in the file privkey.pem.
+
+
+3. Creating a certificate request
+
+To create a certificate, you need to start with a certificate
+request (or, as some certificate authorities like to put
 it, "certificate signing request", since that's exactly what they do,
 they sign it and give you the result back, thus making it authentic
-according to their policies) from you.  To generate a request, use the
-command 'openssl req' like this:
+according to their policies).  A certificate request can then be sent
+to a certificate authority to get it signed into a certificate, or if
+you have your own certificate authority, you may sign it yourself, or
+if you need a self-signed certificate (because you just want a test
+certificate or because you are setting up your own CA).
+
+The certificate request is created like this:
 
   openssl req -new -key privkey.pem -out cert.csr
 
@@ -55,9 +62,23 @@ When the certificate authority has then done the checks the need to
 do (and probably gotten payment from you), they will hand over your
 new certificate to you.
 
+Section 5 will tell you more on how to handle the certificate you
+received.
+
+
+4. Creating a self-signed certificate
+
+If you don't want to deal with another certificate authority, or just
+want to create a test certificate for yourself, or are setting up a
+certificate authority of your own, you may want to make the requested
+certificate a self-signed one.  This is similar to creating a
+certificate request, but creates a certificate instead of a
+certificate request (1095 is 3 years):
+
+  openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
 
-[fill in on how to create a self-signed certificate]
 
+5. What to do with the certificate
 
 If you created everything yourself, or if the certificate authority
 was kind enough, your certificate is a raw DER thing in PEM format.
diff --git a/src/lib/libssl/src/doc/apps/ca.pod b/src/lib/libssl/src/doc/apps/ca.pod
index c2ca8f2400..de66c534b5 100644
--- a/src/lib/libssl/src/doc/apps/ca.pod
+++ b/src/lib/libssl/src/doc/apps/ca.pod
@@ -13,6 +13,10 @@ B<openssl> B<ca>
 [B<-name section>]
 [B<-gencrl>]
 [B<-revoke file>]
+[B<-crl_reason reason>]
+[B<-crl_hold instruction>]
+[B<-crl_compromise time>]
+[B<-crl_CA_compromise time>]
 [B<-subj arg>]
 [B<-crldays days>]
 [B<-crlhours hours>]
@@ -39,6 +43,7 @@ B<openssl> B<ca>
 [B<-msie_hack>]
 [B<-extensions section>]
 [B<-extfile section>]
+[B<-engine id>]
 
 =head1 DESCRIPTION
 
@@ -74,7 +79,7 @@ a single self signed certificate to be signed by the CA.
 =item B<-spkac filename>
 
 a file containing a single Netscape signed public key and challenge
-and additional field values to be signed by the CA. See the B<NOTES>
+and additional field values to be signed by the CA. See the B<SPKAC FORMAT>
 section for information on the required format.
 
 =item B<-infiles>
@@ -191,6 +196,13 @@ an additional configuration file to read certificate extensions from
 (using the default section unless the B<-extensions> option is also
 used).
 
+=item B<-engine id>
+
+specifying an engine (by it's unique B<id> string) will cause B<req>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
 =back
 
 =head1 CRL OPTIONS
@@ -214,6 +226,33 @@ the number of hours before the next CRL is due.
 
 a filename containing a certificate to revoke.
 
+=item B<-crl_reason reason>
+
+revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
+B<CACompromise>, B<affiliationChanged>, B<superseded>, B<cessationOfOperation>,
+B<certificateHold> or B<removeFromCRL>. The matching of B<reason> is case
+insensitive. Setting any revocation reason will make the CRL v2.
+
+In practive B<removeFromCRL> is not particularly useful because it is only used
+in delta CRLs which are not currently implemented.
+
+=item B<-crl_hold instruction>
+
+This sets the CRL revocation reason code to B<certificateHold> and the hold
+instruction to B<instruction> which must be an OID. Although any OID can be
+used only B<holdInstructionNone> (the use of which is discouraged by RFC2459)
+B<holdInstructionCallIssuer> or B<holdInstructionReject> will normally be used.
+
+=item B<-crl_compromise time>
+
+This sets the revocation reason to B<keyCompromise> and the compromise time to
+B<time>. B<time> should be in GeneralizedTime format that is B<YYYYMMDDHHMMSSZ>.
+
+=item B<-crl_CA_compromise time>
+
+This is the same as B<crl_compromise> except the revocation reason is set to
+B<CACompromise>.
+
 =item B<-subj arg>
 
 supersedes subject name given in the request.
@@ -486,18 +525,6 @@ A sample configuration file with the relevant sections for B<ca>:
  commonName             = supplied
  emailAddress           = optional
 
-=head1 WARNINGS
-
-The B<ca> command is quirky and at times downright unfriendly.
-
-The B<ca> utility was originally meant as an example of how to do things
-in a CA. It was not supposed to be used as a full blown CA itself:
-nevertheless some people are using it for this purpose.
-
-The B<ca> command is effectively a single user command: no locking is
-done on the various files and attempts to run more than one B<ca> command
-on the same database can have unpredictable results.
-
 =head1 FILES
 
 Note: the location of all files can change either by compile time options,
@@ -527,9 +554,6 @@ if corrupted it can be difficult to fix. It is theoretically possible
 to rebuild the index file from all the issued certificates and a current
 CRL: however there is no option to do this.
 
-CRL entry extensions cannot currently be created: only CRL extensions
-can be added.
-
 V2 CRL features like delta CRL support and CRL numbers are not currently
 supported.
 
@@ -565,6 +589,16 @@ create an empty file.
 
 =head1 WARNINGS
 
+The B<ca> command is quirky and at times downright unfriendly.
+
+The B<ca> utility was originally meant as an example of how to do things
+in a CA. It was not supposed to be used as a full blown CA itself:
+nevertheless some people are using it for this purpose.
+
+The B<ca> command is effectively a single user command: no locking is
+done on the various files and attempts to run more than one B<ca> command
+on the same database can have unpredictable results.
+
 The B<copy_extensions> option should be used with caution. If care is
 not taken then it can be a security risk. For example if a certificate
 request contains a basicConstraints extension with CA:TRUE and the
diff --git a/src/lib/libssl/src/doc/apps/ciphers.pod b/src/lib/libssl/src/doc/apps/ciphers.pod
index b7e577b24f..81a2c43893 100644
--- a/src/lib/libssl/src/doc/apps/ciphers.pod
+++ b/src/lib/libssl/src/doc/apps/ciphers.pod
@@ -203,6 +203,10 @@ cipher suites using DH, including anonymous DH.
 
 anonymous DH cipher suites.
 
+=item B<AES>
+
+cipher suites using AES.
+
 =item B<3DES>
 
 cipher suites using triple DES.
@@ -236,7 +240,9 @@ cipher suites using SHA1.
 =head1 CIPHER SUITE NAMES
 
 The following lists give the SSL or TLS cipher suites names from the
-relevant specification and their OpenSSL equivalents.
+relevant specification and their OpenSSL equivalents. It should be noted,
+that several cipher suite names do not include the authentication used,
+e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
 
 =head2 SSL v3.0 cipher suites.
 
@@ -306,6 +312,24 @@ relevant specification and their OpenSSL equivalents.
  TLS_DH_anon_WITH_DES_CBC_SHA            ADH-DES-CBC-SHA
  TLS_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA
 
+=head2 AES ciphersuites from RFC3268, extending TLS v1.0
+
+ TLS_RSA_WITH_AES_128_CBC_SHA            AES128-SHA
+ TLS_RSA_WITH_AES_256_CBC_SHA            AES256-SHA
+
+ TLS_DH_DSS_WITH_AES_128_CBC_SHA         DH-DSS-AES128-SHA
+ TLS_DH_DSS_WITH_AES_256_CBC_SHA         DH-DSS-AES256-SHA
+ TLS_DH_RSA_WITH_AES_128_CBC_SHA         DH-RSA-AES128-SHA
+ TLS_DH_RSA_WITH_AES_256_CBC_SHA         DH-RSA-AES256-SHA
+
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA        DHE-DSS-AES128-SHA
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA        DHE-DSS-AES256-SHA
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA        DHE-RSA-AES128-SHA
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA        DHE-RSA-AES256-SHA
+
+ TLS_DH_anon_WITH_AES_128_CBC_SHA        ADH-AES128-SHA
+ TLS_DH_anon_WITH_AES_256_CBC_SHA        ADH-AES256-SHA
+
 =head2 Additional Export 1024 and other cipher suites
 
 Note: these ciphers can also be used in SSL v3.
diff --git a/src/lib/libssl/src/doc/apps/dhparam.pod b/src/lib/libssl/src/doc/apps/dhparam.pod
index ff8a6e5e5b..c31db95a47 100644
--- a/src/lib/libssl/src/doc/apps/dhparam.pod
+++ b/src/lib/libssl/src/doc/apps/dhparam.pod
@@ -18,6 +18,7 @@ B<openssl dhparam>
 [B<-2>]
 [B<-5>]
 [B<-rand> I<file(s)>]
+[B<-engine id>]
 [I<numbits>]
 
 =head1 DESCRIPTION
@@ -96,6 +97,13 @@ this option prints out the DH parameters in human readable form.
 this option converts the parameters into C code. The parameters can then
 be loaded by calling the B<get_dh>I<numbits>B<()> function.
 
+=item B<-engine id>
+
+specifying an engine (by it's unique B<id> string) will cause B<req>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
 =back
 
 =head1 WARNINGS
diff --git a/src/lib/libssl/src/doc/apps/dsa.pod b/src/lib/libssl/src/doc/apps/dsa.pod
index 28e534bb95..ed06b8806d 100644
--- a/src/lib/libssl/src/doc/apps/dsa.pod
+++ b/src/lib/libssl/src/doc/apps/dsa.pod
@@ -21,6 +21,7 @@ B<openssl> B<dsa>
 [B<-modulus>]
 [B<-pubin>]
 [B<-pubout>]
+[B<-engine id>]
 
 =head1 DESCRIPTION
 
@@ -106,6 +107,13 @@ by default a private key is output. With this option a public
 key will be output instead. This option is automatically set if the input is
 a public key.
 
+=item B<-engine id>
+
+specifying an engine (by it's unique B<id> string) will cause B<req>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
 =back
 
 =head1 NOTES
diff --git a/src/lib/libssl/src/doc/apps/dsaparam.pod b/src/lib/libssl/src/doc/apps/dsaparam.pod
index 50c2f61242..b9b1b93b42 100644
--- a/src/lib/libssl/src/doc/apps/dsaparam.pod
+++ b/src/lib/libssl/src/doc/apps/dsaparam.pod
@@ -16,6 +16,7 @@ B<openssl dsaparam>
 [B<-C>]
 [B<-rand file(s)>]
 [B<-genkey>]
+[B<-engine id>]
 [B<numbits>]
 
 =head1 DESCRIPTION
@@ -82,6 +83,13 @@ this option specifies that a parameter set should be generated of size
 B<numbits>. It must be the last option. If this option is included then
 the input file (if any) is ignored.
 
+=item B<-engine id>
+
+specifying an engine (by it's unique B<id> string) will cause B<req>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
 =back
 
 =head1 NOTES
diff --git a/src/lib/libssl/src/doc/apps/gendsa.pod b/src/lib/libssl/src/doc/apps/gendsa.pod
index 74318fe7fb..2c56cc7888 100644
--- a/src/lib/libssl/src/doc/apps/gendsa.pod
+++ b/src/lib/libssl/src/doc/apps/gendsa.pod
@@ -12,6 +12,7 @@ B<openssl> B<gendsa>
 [B<-des3>]
 [B<-idea>]
 [B<-rand file(s)>]
+[B<-engine id>]
 [B<paramfile>]
 
 =head1 DESCRIPTION
@@ -37,6 +38,13 @@ Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
 all others.
 
+=item B<-engine id>
+
+specifying an engine (by it's unique B<id> string) will cause B<req>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
 =item B<paramfile>
 
 This option specifies the DSA parameter file to use. The parameters in this
diff --git a/src/lib/libssl/src/doc/apps/genrsa.pod b/src/lib/libssl/src/doc/apps/genrsa.pod
index cdcc03c123..25af4d1475 100644
--- a/src/lib/libssl/src/doc/apps/genrsa.pod
+++ b/src/lib/libssl/src/doc/apps/genrsa.pod
@@ -15,6 +15,7 @@ B<openssl> B<genrsa>
 [B<-f4>]
 [B<-3>]
 [B<-rand file(s)>]
+[B<-engine id>]
 [B<numbits>]
 
 =head1 DESCRIPTION
@@ -54,6 +55,13 @@ Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
 all others.
 
+=item B<-engine id>
+
+specifying an engine (by it's unique B<id> string) will cause B<req>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
 =item B<numbits>
 
 the size of the private key to generate in bits. This must be the last option
diff --git a/src/lib/libssl/src/doc/apps/ocsp.pod b/src/lib/libssl/src/doc/apps/ocsp.pod
index da201b95e6..4f266058e5 100644
--- a/src/lib/libssl/src/doc/apps/ocsp.pod
+++ b/src/lib/libssl/src/doc/apps/ocsp.pod
@@ -11,6 +11,10 @@ B<openssl> B<ocsp>
 [B<-issuer file>]
 [B<-cert file>]
 [B<-serial n>]
+[B<-signer file>]
+[B<-signkey file>]
+[B<-sign_other file>]
+[B<-no_certs>]
 [B<-req_text>]
 [B<-resp_text>]
 [B<-text>]
@@ -20,27 +24,36 @@ B<openssl> B<ocsp>
 [B<-respin file>]
 [B<-nonce>]
 [B<-no_nonce>]
-[B<-url responder_url>]
+[B<-url URL>]
 [B<-host host:n>]
 [B<-path>]
-[B<-CApath file>]
+[B<-CApath dir>]
 [B<-CAfile file>]
 [B<-VAfile file>]
-[B<-verify_certs file>]
+[B<-validity_period n>]
+[B<-status_age n>]
 [B<-noverify>]
+[B<-verify_other file>]
 [B<-trust_other>]
 [B<-no_intern>]
-[B<-no_sig_verify>]
+[B<-no_signature_verify>]
 [B<-no_cert_verify>]
 [B<-no_chain>]
 [B<-no_cert_checks>]
-[B<-validity_period nsec>]
-[B<-status_age nsec>]
+[B<-port num>]
+[B<-index file>]
+[B<-CA file>]
+[B<-rsigner file>]
+[B<-rkey file>]
+[B<-rother file>]
+[B<-resp_no_certs>]
+[B<-nmin n>]
+[B<-ndays n>]
+[B<-resp_key_id>]
+[B<-nrequest n>]
 
 =head1 DESCRIPTION
 
-B<WARNING: this documentation is preliminary and subject to change.>
-
 The Online Certificate Status Protocol (OCSP) enables applications to
 determine the (revocation) state of an identified certificate (RFC 2560).
 
@@ -83,6 +96,10 @@ the B<signkey> option is not present then the private key is read
 from the same file as the certificate. If neither option is specified then
 the OCSP request is not signed.
 
+=item B<-sign_other filename>
+
+Additional certificates to include in the signed request.
+
 =item B<-nonce>, B<-no_nonce>
 
 Add an OCSP nonce extension to a request or disable OCSP nonce addition.
@@ -120,7 +137,7 @@ or "/" by default.
 file or pathname containing trusted CA certificates. These are used to verify
 the signature on the OCSP response.
 
-=item B<-verify_certs file>
+=item B<-verify_other file>
 
 file containing additional certificates to search when attempting to locate
 the OCSP response signing certificate. Some responders omit the actual signer's
@@ -151,7 +168,7 @@ ignore certificates contained in the OCSP response when searching for the
 signers certificate. With this option the signers certificate must be specified
 with either the B<-verify_certs> or B<-VAfile> options.
 
-=item B<-no_sig_verify>
+=item B<-no_signature_verify>
 
 don't check the signature on the OCSP response. Since this option tolerates invalid
 signatures on OCSP responses it will normally only be used for testing purposes.
diff --git a/src/lib/libssl/src/doc/apps/passwd.pod b/src/lib/libssl/src/doc/apps/passwd.pod
index 07d849c824..f44982549b 100644
--- a/src/lib/libssl/src/doc/apps/passwd.pod
+++ b/src/lib/libssl/src/doc/apps/passwd.pod
@@ -75,7 +75,7 @@ to each password hash.
 
 B<openssl passwd -crypt -salt xx password> prints B<xxj31ZMTZzkVA>.
 
-B<openssl passwd -1 -salt xxxxxxxx password> prints B<$1$xxxxxxxx$8XJIcl6ZXqBMCK0qFevqT1>.
+B<openssl passwd -1 -salt xxxxxxxx password> prints B<$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.>.
 
 B<openssl passwd -apr1 -salt xxxxxxxx password> prints B<$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0>.
 
diff --git a/src/lib/libssl/src/doc/apps/pkcs7.pod b/src/lib/libssl/src/doc/apps/pkcs7.pod
index 9871c0e0cd..a0a636328b 100644
--- a/src/lib/libssl/src/doc/apps/pkcs7.pod
+++ b/src/lib/libssl/src/doc/apps/pkcs7.pod
@@ -14,6 +14,7 @@ B<openssl> B<pkcs7>
 [B<-print_certs>]
 [B<-text>]
 [B<-noout>]
+[B<-engine id>]
 
 =head1 DESCRIPTION
 
@@ -59,6 +60,13 @@ issuer names.
 don't output the encoded version of the PKCS#7 structure (or certificates
 is B<-print_certs> is set).
 
+=item B<-engine id>
+
+specifying an engine (by it's unique B<id> string) will cause B<req>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
 =back
 
 =head1 EXAMPLES
diff --git a/src/lib/libssl/src/doc/apps/pkcs8.pod b/src/lib/libssl/src/doc/apps/pkcs8.pod
index a56b2dd002..68ecd65b10 100644
--- a/src/lib/libssl/src/doc/apps/pkcs8.pod
+++ b/src/lib/libssl/src/doc/apps/pkcs8.pod
@@ -21,6 +21,7 @@ B<openssl> B<pkcs8>
 [B<-nsdb>]
 [B<-v2 alg>]
 [B<-v1 alg>]
+[B<-engine id>]
 
 =head1 DESCRIPTION
 
@@ -122,6 +123,13 @@ B<des>, B<des3> and B<rc2>. It is recommended that B<des3> is used.
 This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete
 list of possible algorithms is included below.
 
+=item B<-engine id>
+
+specifying an engine (by it's unique B<id> string) will cause B<req>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
 =back
 
 =head1 NOTES
diff --git a/src/lib/libssl/src/doc/apps/req.pod b/src/lib/libssl/src/doc/apps/req.pod
index 10e4e12a5c..e2b5d0d8ec 100644
--- a/src/lib/libssl/src/doc/apps/req.pod
+++ b/src/lib/libssl/src/doc/apps/req.pod
@@ -41,6 +41,7 @@ B<openssl> B<req>
 [B<-nameopt>]
 [B<-batch>]
 [B<-verbose>]
+[B<-engine id>]
 
 =head1 DESCRIPTION
 
@@ -244,6 +245,13 @@ non-interactive mode.
 
 print extra details about the operations being performed.
 
+=item B<-engine id>
+
+specifying an engine (by it's unique B<id> string) will cause B<req>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
 =back
 
 =head1 CONFIGURATION FILE FORMAT
@@ -406,7 +414,7 @@ be input by calling it "1.organizationName".
 The actual permitted field names are any object identifier short or
 long names. These are compiled into OpenSSL and include the usual
 values such as commonName, countryName, localityName, organizationName,
-organizationUnitName, stateOrPrivinceName. Additionally emailAddress
+organizationUnitName, stateOrProvinceName. Additionally emailAddress
 is include as well as name, surname, givenName initials and dnQualifier.
 
 Additional object identifiers can be defined with the B<oid_file> or
@@ -512,13 +520,13 @@ Sample configuration containing all field values:
 
 The header and footer lines in the B<PEM> format are normally:
 
- -----BEGIN CERTIFICATE REQUEST----
- -----END CERTIFICATE REQUEST----
+ -----BEGIN CERTIFICATE REQUEST-----
+ -----END CERTIFICATE REQUEST-----
 
 some software (some versions of Netscape certificate server) instead needs:
 
- -----BEGIN NEW CERTIFICATE REQUEST----
- -----END NEW CERTIFICATE REQUEST----
+ -----BEGIN NEW CERTIFICATE REQUEST-----
+ -----END NEW CERTIFICATE REQUEST-----
 
 which is produced with the B<-newhdr> option but is otherwise compatible.
 Either form is accepted transparently on input.
diff --git a/src/lib/libssl/src/doc/apps/rsa.pod b/src/lib/libssl/src/doc/apps/rsa.pod
index ef74f1adff..4d7640995e 100644
--- a/src/lib/libssl/src/doc/apps/rsa.pod
+++ b/src/lib/libssl/src/doc/apps/rsa.pod
@@ -24,6 +24,7 @@ B<openssl> B<rsa>
 [B<-check>]
 [B<-pubin>]
 [B<-pubout>]
+[B<-engine id>]
 
 =head1 DESCRIPTION
 
@@ -117,6 +118,13 @@ by default a private key is output: with this option a public
 key will be output instead. This option is automatically set if
 the input is a public key.
 
+=item B<-engine id>
+
+specifying an engine (by it's unique B<id> string) will cause B<req>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
 =back
 
 =head1 NOTES
diff --git a/src/lib/libssl/src/doc/apps/s_client.pod b/src/lib/libssl/src/doc/apps/s_client.pod
index 7fca9cbdbd..47dc93cb3f 100644
--- a/src/lib/libssl/src/doc/apps/s_client.pod
+++ b/src/lib/libssl/src/doc/apps/s_client.pod
@@ -33,6 +33,7 @@ B<openssl> B<s_client>
 [B<-no_tls1>]
 [B<-bugs>]
 [B<-cipher cipherlist>]
+[B<-starttls protocol>]
 [B<-engine id>]
 [B<-rand file(s)>]
 
@@ -163,6 +164,12 @@ the server determines which cipher suite is used it should take the first
 supported cipher in the list sent by the client. See the B<ciphers>
 command for more information.
 
+=item B<-starttls protocol>
+
+send the protocol-specific message(s) to switch to TLS for communication.
+B<protocol> is a keyword for the intended protocol.  Currently, the only
+supported keyword is "smtp".
+
 =item B<-engine id>
 
 specifying an engine (by it's unique B<id> string) will cause B<s_client>
diff --git a/src/lib/libssl/src/doc/apps/s_server.pod b/src/lib/libssl/src/doc/apps/s_server.pod
index 4b1e4260ef..1d21921e47 100644
--- a/src/lib/libssl/src/doc/apps/s_server.pod
+++ b/src/lib/libssl/src/doc/apps/s_server.pod
@@ -42,6 +42,7 @@ B<openssl> B<s_server>
 [B<-WWW>]
 [B<-HTTP>]
 [B<-engine id>]
+[B<-id_prefix arg>]
 [B<-rand file(s)>]
 
 =head1 DESCRIPTION
@@ -209,6 +210,13 @@ to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
 
+=item B<-id_prefix arg>
+
+generate SSL/TLS session IDs prefixed by B<arg>. This is mostly useful
+for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple
+servers, when each of which might be generating a unique range of session
+IDs (eg. with a certain prefix).
+
 =item B<-rand file(s)>
 
 a file or files containing random data used to seed the random number
diff --git a/src/lib/libssl/src/doc/apps/smime.pod b/src/lib/libssl/src/doc/apps/smime.pod
index fa5d23e8dc..2453dd2738 100644
--- a/src/lib/libssl/src/doc/apps/smime.pod
+++ b/src/lib/libssl/src/doc/apps/smime.pod
@@ -340,8 +340,8 @@ detached signature format. You can use this program to verify the
 signature by line wrapping the base64 encoded structure and surrounding
 it with:
 
- -----BEGIN PKCS7----
- -----END PKCS7----
+ -----BEGIN PKCS7-----
+ -----END PKCS7-----
 
 and using the command, 
 
diff --git a/src/lib/libssl/src/doc/apps/speed.pod b/src/lib/libssl/src/doc/apps/speed.pod
index 8101851ec6..0dcdba873e 100644
--- a/src/lib/libssl/src/doc/apps/speed.pod
+++ b/src/lib/libssl/src/doc/apps/speed.pod
@@ -54,4 +54,6 @@ for all available algorithms.
 If any options are given, B<speed> tests those algorithms, otherwise all of
 the above are tested.
 
+=back
+
 =cut
diff --git a/src/lib/libssl/src/doc/apps/spkac.pod b/src/lib/libssl/src/doc/apps/spkac.pod
index bb84dfbe33..c3f1ff9c64 100644
--- a/src/lib/libssl/src/doc/apps/spkac.pod
+++ b/src/lib/libssl/src/doc/apps/spkac.pod
@@ -17,7 +17,7 @@ B<openssl> B<spkac>
 [B<-spksect section>]
 [B<-noout>]
 [B<-verify>]
-
+[B<-engine id>]
 
 =head1 DESCRIPTION
 
@@ -79,6 +79,12 @@ being created).
 
 verifies the digital signature on the supplied SPKAC.
 
+=item B<-engine id>
+
+specifying an engine (by it's unique B<id> string) will cause B<req>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
 
 =back
 
diff --git a/src/lib/libssl/src/doc/apps/x509.pod b/src/lib/libssl/src/doc/apps/x509.pod
index 4a17e338dd..50343cd685 100644
--- a/src/lib/libssl/src/doc/apps/x509.pod
+++ b/src/lib/libssl/src/doc/apps/x509.pod
@@ -50,6 +50,7 @@ B<openssl> B<x509>
 [B<-clrext>]
 [B<-extfile filename>]
 [B<-extensions section>]
+[B<-engine id>]
 
 =head1 DESCRIPTION
 
@@ -61,8 +62,9 @@ certificate trust settings.
 Since there are a large number of options they will split up into
 various sections.
 
+=head1 OPTIONS
 
-=head1 INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS
+=head2 INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS
 
 =over 4
 
@@ -97,13 +99,19 @@ digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
 specified then MD5 is used. If the key being used to sign with is a DSA key then
 this option has no effect: SHA1 is always used with DSA keys.
 
+=item B<-engine id>
+
+specifying an engine (by it's unique B<id> string) will cause B<req>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
 
 =back
 
-=head1 DISPLAY OPTIONS
+=head2 DISPLAY OPTIONS
 
 Note: the B<-alias> and B<-purpose> options are also display options
-but are described in the B<TRUST OPTIONS> section.
+but are described in the B<TRUST SETTINGS> section.
 
 =over 4
 
@@ -181,7 +189,7 @@ this outputs the certificate in the form of a C source file.
 
 =back
 
-=head1 TRUST SETTINGS
+=head2 TRUST SETTINGS
 
 Please note these options are currently experimental and may well change.
 
@@ -252,7 +260,7 @@ EXTENSIONS> section.
 
 =back
 
-=head1 SIGNING OPTIONS
+=head2 SIGNING OPTIONS
 
 The B<x509> utility can be used to sign certificates and requests: it
 can thus behave like a "mini CA".
@@ -341,7 +349,7 @@ The default filename consists of the CA certificate file base name with
 ".srl" appended. For example if the CA certificate file is called 
 "mycacert.pem" it expects to find a serial number file called "mycacert.srl".
 
-=item B<-CAcreateserial filename>
+=item B<-CAcreateserial>
 
 with this option the CA serial number file is created if it does not exist:
 it will contain the serial number "02" and the certificate being signed will
@@ -362,7 +370,7 @@ specified then the extensions should either be contained in the unnamed
 
 =back
 
-=head1 NAME OPTIONS
+=head2 NAME OPTIONS
 
 The B<nameopt> command line switch determines how the subject and issuer
 names are displayed. If no B<nameopt> switch is present the default "oneline"
@@ -499,7 +507,7 @@ name.
 
 =back
 
-=head1 TEXT OPTIONS
+=head2 TEXT OPTIONS
 
 As well as customising the name output format, it is also possible to
 customise the actual fields printed using the B<certopt> options when
@@ -636,25 +644,25 @@ certificate extensions:
 Set a certificate to be trusted for SSL client use and change set its alias to
 "Steve's Class 1 CA"
 
- openssl x509 -in cert.pem -addtrust sslclient \
-        -alias "Steve's Class 1 CA" -out trust.pem
+ openssl x509 -in cert.pem -addtrust clientAuth \
+        -setalias "Steve's Class 1 CA" -out trust.pem
 
 =head1 NOTES
 
 The PEM format uses the header and footer lines:
 
- -----BEGIN CERTIFICATE----
- -----END CERTIFICATE----
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
 
 it will also handle files containing:
 
- -----BEGIN X509 CERTIFICATE----
- -----END X509 CERTIFICATE----
+ -----BEGIN X509 CERTIFICATE-----
+ -----END X509 CERTIFICATE-----
 
 Trusted certificates have the lines
 
- -----BEGIN TRUSTED CERTIFICATE----
- -----END TRUSTED CERTIFICATE----
+ -----BEGIN TRUSTED CERTIFICATE-----
+ -----END TRUSTED CERTIFICATE-----
 
 The conversion to UTF8 format used with the name options assumes that
 T61Strings use the ISO8859-1 character set. This is wrong but Netscape
diff --git a/src/lib/libssl/src/doc/c-indentation.el b/src/lib/libssl/src/doc/c-indentation.el
index 48ca3cf69b..cbf01cb172 100644
--- a/src/lib/libssl/src/doc/c-indentation.el
+++ b/src/lib/libssl/src/doc/c-indentation.el
@@ -13,12 +13,10 @@
 ;
 ; Apparently statement blocks that are not introduced by a statement
 ; such as "if" and that are not the body of a function cannot
-; be handled too well by CC mode with this indentation style.
-; The style defined below does not indent them at all.
-; To insert tabs manually, prefix them with ^Q (the "quoted-insert"
-; command of Emacs).  If you know a solution to this problem
-; or find other problems with this indentation style definition,
-; please send e-mail to bodo@openssl.org.
+; be handled too well by CC mode with this indentation style,
+; so you have to indent them manually (you can use C-q tab).
+; 
+; For suggesting improvements, please send e-mail to bodo@openssl.org.
 
 (c-add-style "eay"
              '((c-basic-offset . 8)
diff --git a/src/lib/libssl/src/doc/crypto/BIO_f_cipher.pod b/src/lib/libssl/src/doc/crypto/BIO_f_cipher.pod
index 4182f2c309..02439cea94 100644
--- a/src/lib/libssl/src/doc/crypto/BIO_f_cipher.pod
+++ b/src/lib/libssl/src/doc/crypto/BIO_f_cipher.pod
@@ -28,7 +28,7 @@ BIO_flush() on an encryption BIO that is being written through is
 used to signal that no more data is to be encrypted: this is used
 to flush and possibly pad the final block through the BIO.
 
-BIO_set_cipher() sets the cipher of BIO <b> to B<cipher> using key B<key>
+BIO_set_cipher() sets the cipher of BIO B<b> to B<cipher> using key B<key>
 and IV B<iv>. B<enc> should be set to 1 for encryption and zero for
 decryption.
 
diff --git a/src/lib/libssl/src/doc/crypto/BIO_s_accept.pod b/src/lib/libssl/src/doc/crypto/BIO_s_accept.pod
index 55e4b730b9..7b63e4621b 100644
--- a/src/lib/libssl/src/doc/crypto/BIO_s_accept.pod
+++ b/src/lib/libssl/src/doc/crypto/BIO_s_accept.pod
@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-BIO_s_accept, BIO_set_nbio, BIO_set_accept_port, BIO_get_accept_port,
+BIO_s_accept, BIO_set_accept_port, BIO_get_accept_port,
 BIO_set_nbio_accept, BIO_set_accept_bios, BIO_set_bind_mode,
 BIO_get_bind_mode, BIO_do_accept - accept BIO
 
diff --git a/src/lib/libssl/src/doc/crypto/BIO_s_bio.pod b/src/lib/libssl/src/doc/crypto/BIO_s_bio.pod
index 95ae802e47..8d0a55a025 100644
--- a/src/lib/libssl/src/doc/crypto/BIO_s_bio.pod
+++ b/src/lib/libssl/src/doc/crypto/BIO_s_bio.pod
@@ -76,7 +76,9 @@ BIO_get_write_buf_size() returns the size of the write buffer.
 BIO_new_bio_pair() combines the calls to BIO_new(), BIO_make_bio_pair() and
 BIO_set_write_buf_size() to create a connected pair of BIOs B<bio1>, B<bio2>
 with write buffer sizes B<writebuf1> and B<writebuf2>. If either size is
-zero then the default size is used.
+zero then the default size is used.  BIO_new_bio_pair() does not check whether
+B<bio1> or B<bio2> do point to some other BIO, the values are overwritten,
+BIO_free() is not called.
 
 BIO_get_write_guarantee() and BIO_ctrl_get_write_guarantee() return the maximum
 length of data that can be currently written to the BIO. Writes larger than this
@@ -118,9 +120,59 @@ the application then waits for data to be available on the underlying transport
 before flushing the write buffer it will never succeed because the request was
 never sent!
 
+=head1 RETURN VALUES
+
+BIO_new_bio_pair() returns 1 on success, with the new BIOs available in
+B<bio1> and B<bio2>, or 0 on failure, with NULL pointers stored into the
+locations for B<bio1> and B<bio2>. Check the error stack for more information.
+
+[XXXXX: More return values need to be added here]
+
 =head1 EXAMPLE
 
-TBA
+The BIO pair can be used to have full control over the network access of an
+application. The application can call select() on the socket as required
+without having to go through the SSL-interface.
+
+ BIO *internal_bio, *network_bio;
+ ...
+ BIO_new_bio_pair(internal_bio, 0, network_bio, 0);
+ SSL_set_bio(ssl, internal_bio, internal_bio);
+ SSL_operations();
+ ...
+
+ application |   TLS-engine
+    |        |
+    +----------> SSL_operations()
+             |     /\    ||
+             |     ||    \/
+             |   BIO-pair (internal_bio)
+    +----------< BIO-pair (network_bio)
+    |        |
+  socket     |
+
+  ...
+  SSL_free(ssl);                /* implicitly frees internal_bio */
+  BIO_free(network_bio);
+  ...
+
+As the BIO pair will only buffer the data and never directly access the
+connection, it behaves non-blocking and will return as soon as the write
+buffer is full or the read buffer is drained. Then the application has to
+flush the write buffer and/or fill the read buffer.
+
+Use the BIO_ctrl_pending(), to find out whether data is buffered in the BIO
+and must be transfered to the network. Use BIO_ctrl_get_read_request() to
+find out, how many bytes must be written into the buffer before the
+SSL_operation() can successfully be continued.
+
+=head1 WARNING
+
+As the data is buffered, SSL_operation() may return with a ERROR_SSL_WANT_READ
+condition, but there is still data in the write buffer. An application must
+not rely on the error value of SSL_operation() but must assure that the
+write buffer is always flushed first. Otherwise a deadlock may occur as
+the peer might be waiting for the data before being able to continue.
 
 =head1 SEE ALSO
 
diff --git a/src/lib/libssl/src/doc/crypto/BN_generate_prime.pod b/src/lib/libssl/src/doc/crypto/BN_generate_prime.pod
index 6ea23791d1..7dccacbc1e 100644
--- a/src/lib/libssl/src/doc/crypto/BN_generate_prime.pod
+++ b/src/lib/libssl/src/doc/crypto/BN_generate_prime.pod
@@ -70,7 +70,7 @@ If B<do_trial_division == 0>, this test is skipped.
 
 Both BN_is_prime() and BN_is_prime_fasttest() perform a Miller-Rabin
 probabilistic primality test with B<checks> iterations. If
-B<checks == BN_prime_check>, a number of iterations is used that
+B<checks == BN_prime_checks>, a number of iterations is used that
 yields a false positive rate of at most 2^-80 for random input.
 
 If B<callback> is not B<NULL>, B<callback(1, j, cb_arg)> is called
diff --git a/src/lib/libssl/src/doc/crypto/DH_generate_parameters.pod b/src/lib/libssl/src/doc/crypto/DH_generate_parameters.pod
index 4a2d653758..9081e9ea7c 100644
--- a/src/lib/libssl/src/doc/crypto/DH_generate_parameters.pod
+++ b/src/lib/libssl/src/doc/crypto/DH_generate_parameters.pod
@@ -59,7 +59,8 @@ a usable generator.
 
 =head1 SEE ALSO
 
-L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<DH_free(3)|DH_free(3)>
+L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
+L<DH_free(3)|DH_free(3)>
 
 =head1 HISTORY
 
diff --git a/src/lib/libssl/src/doc/crypto/DSA_SIG_new.pod b/src/lib/libssl/src/doc/crypto/DSA_SIG_new.pod
index 45df4c0661..3ac6140038 100644
--- a/src/lib/libssl/src/doc/crypto/DSA_SIG_new.pod
+++ b/src/lib/libssl/src/doc/crypto/DSA_SIG_new.pod
@@ -30,7 +30,8 @@ DSA_SIG_free() returns no value.
 
 =head1 SEE ALSO
 
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<DSA_do_sign(3)|DSA_do_sign(3)>
+L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
+L<DSA_do_sign(3)|DSA_do_sign(3)>
 
 =head1 HISTORY
 
diff --git a/src/lib/libssl/src/doc/crypto/DSA_generate_key.pod b/src/lib/libssl/src/doc/crypto/DSA_generate_key.pod
index 9906a2d7e0..af83ccfaa1 100644
--- a/src/lib/libssl/src/doc/crypto/DSA_generate_key.pod
+++ b/src/lib/libssl/src/doc/crypto/DSA_generate_key.pod
@@ -24,7 +24,8 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>
+L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
+L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>
 
 =head1 HISTORY
 
diff --git a/src/lib/libssl/src/doc/crypto/ERR_get_error.pod b/src/lib/libssl/src/doc/crypto/ERR_get_error.pod
index 9fdedbcb91..34443045fc 100644
--- a/src/lib/libssl/src/doc/crypto/ERR_get_error.pod
+++ b/src/lib/libssl/src/doc/crypto/ERR_get_error.pod
@@ -5,7 +5,7 @@
 ERR_get_error, ERR_peek_error, ERR_peek_last_error,
 ERR_get_error_line, ERR_peek_error_line, ERR_peek_last_error_line,
 ERR_get_error_line_data, ERR_peek_error_line_data,
-ERR_peek_error_line_data - obtain error code and data
+ERR_peek_last_error_line_data - obtain error code and data
 
 =head1 SYNOPSIS
 
diff --git a/src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod b/src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod
index 75cceb1ca2..daf57e5895 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod
@@ -419,7 +419,7 @@ Encrypt a string using blowfish:
         EVP_CIPHER_CTX ctx;
         FILE *out;
         EVP_CIPHER_CTX_init(&ctx);
-        EVP_EncryptInit_ex(&ctx, NULL, EVP_bf_cbc(), key, iv);
+        EVP_EncryptInit_ex(&ctx, EVP_bf_cbc(), NULL, key, iv);
 
         if(!EVP_EncryptUpdate(&ctx, outbuf, &outlen, intext, strlen(intext)))
                 {
diff --git a/src/lib/libssl/src/doc/crypto/EVP_SealInit.pod b/src/lib/libssl/src/doc/crypto/EVP_SealInit.pod
index 25ef07f7c7..b5e477e294 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_SealInit.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_SealInit.pod
@@ -18,22 +18,28 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption
 =head1 DESCRIPTION
 
 The EVP envelope routines are a high level interface to envelope
-encryption. They generate a random key and then "envelope" it by
-using public key encryption. Data can then be encrypted using this
-key.
+encryption. They generate a random key and IV (if required) then
+"envelope" it by using public key encryption. Data can then be
+encrypted using this key.
 
 EVP_SealInit() initializes a cipher context B<ctx> for encryption
-with cipher B<type> using a random secret key and IV supplied in
-the B<iv> parameter. B<type> is normally supplied by a function such
-as EVP_des_cbc(). The secret key is encrypted using one or more public
-keys, this allows the same encrypted data to be decrypted using any
-of the corresponding private keys. B<ek> is an array of buffers where
-the public key encrypted secret key will be written, each buffer must
-contain enough room for the corresponding encrypted key: that is
+with cipher B<type> using a random secret key and IV. B<type> is normally
+supplied by a function such as EVP_des_cbc(). The secret key is encrypted
+using one or more public keys, this allows the same encrypted data to be
+decrypted using any of the corresponding private keys. B<ek> is an array of
+buffers where the public key encrypted secret key will be written, each buffer
+must contain enough room for the corresponding encrypted key: that is
 B<ek[i]> must have room for B<EVP_PKEY_size(pubk[i])> bytes. The actual
 size of each encrypted secret key is written to the array B<ekl>. B<pubk> is
 an array of B<npubk> public keys.
 
+The B<iv> parameter is a buffer where the generated IV is written to. It must
+contain enough room for the corresponding cipher's IV, as determined by (for
+example) EVP_CIPHER_iv_length(type).
+
+If the cipher does not require an IV then the B<iv> parameter is ignored
+and can be B<NULL>.
+
 EVP_SealUpdate() and EVP_SealFinal() have exactly the same properties
 as the EVP_EncryptUpdate() and EVP_EncryptFinal() routines, as 
 documented on the L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> manual
diff --git a/src/lib/libssl/src/doc/crypto/RAND_bytes.pod b/src/lib/libssl/src/doc/crypto/RAND_bytes.pod
index b03748b918..ce6329ce54 100644
--- a/src/lib/libssl/src/doc/crypto/RAND_bytes.pod
+++ b/src/lib/libssl/src/doc/crypto/RAND_bytes.pod
@@ -35,7 +35,8 @@ method.
 
 =head1 SEE ALSO
 
-L<rand(3)|rand(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<RAND_add(3)|RAND_add(3)>
+L<rand(3)|rand(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
+L<RAND_add(3)|RAND_add(3)>
 
 =head1 HISTORY
 
diff --git a/src/lib/libssl/src/doc/crypto/RSA_generate_key.pod b/src/lib/libssl/src/doc/crypto/RSA_generate_key.pod
index 11bc0b3459..52dbb14a53 100644
--- a/src/lib/libssl/src/doc/crypto/RSA_generate_key.pod
+++ b/src/lib/libssl/src/doc/crypto/RSA_generate_key.pod
@@ -59,7 +59,8 @@ RSA_generate_key() goes into an infinite loop for illegal input values.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_free(3)|RSA_free(3)>
+L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
+L<RSA_free(3)|RSA_free(3)>
 
 =head1 HISTORY
 
diff --git a/src/lib/libssl/src/doc/crypto/RSA_print.pod b/src/lib/libssl/src/doc/crypto/RSA_print.pod
index ff2d353d1a..c971e91f4d 100644
--- a/src/lib/libssl/src/doc/crypto/RSA_print.pod
+++ b/src/lib/libssl/src/doc/crypto/RSA_print.pod
@@ -2,9 +2,9 @@
 
 =head1 NAME
 
-RSA_print, RSA_print_fp, DHparams_print, DHparams_print_fp, DSA_print,
-DSA_print_fp, DHparams_print, DHparams_print_fp - print cryptographic
-parameters
+RSA_print, RSA_print_fp,
+DSAparams_print, DSAparams_print_fp, DSA_print, DSA_print_fp,
+DHparams_print, DHparams_print_fp - print cryptographic parameters
 
 =head1 SYNOPSIS
 
diff --git a/src/lib/libssl/src/doc/crypto/RSA_private_encrypt.pod b/src/lib/libssl/src/doc/crypto/RSA_private_encrypt.pod
index 0d1b2bd541..746a80c79e 100644
--- a/src/lib/libssl/src/doc/crypto/RSA_private_encrypt.pod
+++ b/src/lib/libssl/src/doc/crypto/RSA_private_encrypt.pod
@@ -59,8 +59,8 @@ obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>,
-L<RSA_verify(3)|RSA_verify(3)>
+L<ERR_get_error(3)|ERR_get_error(3)>, L<rsa(3)|rsa(3)>,
+L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)>
 
 =head1 HISTORY
 
diff --git a/src/lib/libssl/src/doc/crypto/RSA_public_encrypt.pod b/src/lib/libssl/src/doc/crypto/RSA_public_encrypt.pod
index 8022a23f99..d53e19d2b7 100644
--- a/src/lib/libssl/src/doc/crypto/RSA_public_encrypt.pod
+++ b/src/lib/libssl/src/doc/crypto/RSA_public_encrypt.pod
@@ -72,7 +72,8 @@ SSL, PKCS #1 v2.0
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_size(3)|RSA_size(3)>
+L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
+L<RSA_size(3)|RSA_size(3)>
 
 =head1 HISTORY
 
diff --git a/src/lib/libssl/src/doc/crypto/RSA_set_method.pod b/src/lib/libssl/src/doc/crypto/RSA_set_method.pod
index 0687c2242a..0a305f6b14 100644
--- a/src/lib/libssl/src/doc/crypto/RSA_set_method.pod
+++ b/src/lib/libssl/src/doc/crypto/RSA_set_method.pod
@@ -3,13 +3,12 @@
 =head1 NAME
 
 RSA_set_default_method, RSA_get_default_method, RSA_set_method,
-RSA_get_method, RSA_PKCS1_SSLeay,
-RSA_null_method, RSA_flags, RSA_new_method - select RSA method
+RSA_get_method, RSA_PKCS1_SSLeay, RSA_null_method, RSA_flags,
+RSA_new_method - select RSA method
 
 =head1 SYNOPSIS
 
  #include <openssl/rsa.h>
- #include <openssl/engine.h>
 
  void RSA_set_default_method(const RSA_METHOD *meth);
 
@@ -25,7 +24,7 @@ RSA_null_method, RSA_flags, RSA_new_method - select RSA method
 
  int RSA_flags(const RSA *rsa);
 
- RSA *RSA_new_method(ENGINE *engine);
+ RSA *RSA_new_method(RSA_METHOD *method);
 
 =head1 DESCRIPTION
 
@@ -70,6 +69,12 @@ B<engine> will be used for the RSA operations. If B<engine> is NULL, the
 default ENGINE for RSA operations is used, and if no default ENGINE is set,
 the RSA_METHOD controlled by RSA_set_default_method() is used.
 
+RSA_flags() returns the B<flags> that are set for B<rsa>'s current method.
+
+RSA_new_method() allocates and initializes an B<RSA> structure so that
+B<method> will be used for the RSA operations. If B<method> is B<NULL>,
+the default method is used.
+
 =head1 THE RSA_METHOD STRUCTURE
 
  typedef struct rsa_meth_st
diff --git a/src/lib/libssl/src/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod b/src/lib/libssl/src/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
index b8c7bbb7e3..e70380bbfc 100644
--- a/src/lib/libssl/src/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
+++ b/src/lib/libssl/src/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
@@ -47,8 +47,8 @@ These functions serve no recognizable purpose.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<objects(3)|objects(3)>, L<rand(3)|rand(3)>,
-L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>,
+L<ERR_get_error(3)|ERR_get_error(3)>, L<objects(3)|objects(3)>,
+L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>,
 L<RSA_verify(3)|RSA_verify(3)>
 
 =head1 HISTORY
diff --git a/src/lib/libssl/src/doc/crypto/crypto.pod b/src/lib/libssl/src/doc/crypto/crypto.pod
index c12eec1409..7a527992bb 100644
--- a/src/lib/libssl/src/doc/crypto/crypto.pod
+++ b/src/lib/libssl/src/doc/crypto/crypto.pod
@@ -62,6 +62,22 @@ L<txt_db(3)|txt_db(3)>
 
 =back
 
+=head1 NOTES
+
+Some of the newer functions follow a naming convention using the numbers
+B<0> and B<1>. For example the functions:
+
+ int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
+ int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj);
+
+The B<0> version uses the supplied structure pointer directly
+in the parent and it will be freed up when the parent is freed.
+In the above example B<crl> would be freed but B<rev> would not.
+
+The B<1> function uses a copy of the supplied structure pointer
+(or in some cases increases its link count) in the parent and
+so both (B<x> and B<obj> above) should be freed up.
+
 =head1 SEE ALSO
 
 L<openssl(1)|openssl(1)>, L<ssl(3)|ssl(3)>
diff --git a/src/lib/libssl/src/doc/crypto/d2i_DHparams.pod b/src/lib/libssl/src/doc/crypto/d2i_DHparams.pod
index a6d1743d39..1e98aebeca 100644
--- a/src/lib/libssl/src/doc/crypto/d2i_DHparams.pod
+++ b/src/lib/libssl/src/doc/crypto/d2i_DHparams.pod
@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-d2i_DHparams, i2d_DHparams - ...
+d2i_DHparams, i2d_DHparams - PKCS#3 DH parameter functions.
 
 =head1 SYNOPSIS
 
@@ -13,18 +13,18 @@ d2i_DHparams, i2d_DHparams - ...
 
 =head1 DESCRIPTION
 
-...
+These functions decode and encode PKCS#3 DH parameters using the
+DHparameter structure described in PKCS#3.
 
-=head1 RETURN VALUES
-
-...
+Othewise these behave in a similar way to d2i_X509() and i2d_X509()
+described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
 
 =head1 SEE ALSO
 
-...
+L<d2i_X509(3)|d2i_X509(3)>
 
 =head1 HISTORY
 
-...
+TBA
 
 =cut
diff --git a/src/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod b/src/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod
index ff4d0d57db..7c71bcbf3d 100644
--- a/src/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod
+++ b/src/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod
@@ -2,7 +2,9 @@
 
 =head1 NAME
 
-d2i_RSAPublicKey, i2d_RSAPublicKey, d2i_RSAPrivateKey, i2d_RSAPrivateKey, i2d_Netscape_RSA, d2i_Netscape_RSA - ...
+d2i_RSAPublicKey, i2d_RSAPublicKey, d2i_RSAPrivateKey, i2d_RSAPrivateKey,
+d2i_RSA_PUBKEY, i2d_RSA_PUBKEY, i2d_Netscape_RSA,
+d2i_Netscape_RSA - RSA public and private key encoding functions.
 
 =head1 SYNOPSIS
 
@@ -12,6 +14,10 @@ d2i_RSAPublicKey, i2d_RSAPublicKey, d2i_RSAPrivateKey, i2d_RSAPrivateKey, i2d_Ne
 
  int i2d_RSAPublicKey(RSA *a, unsigned char **pp);
 
+ RSA * d2i_RSA_PUBKEY(RSA **a, unsigned char **pp, long length);
+
+ int i2d_RSA_PUBKEY(RSA *a, unsigned char **pp);
+
  RSA * d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length);
 
  int i2d_RSAPrivateKey(RSA *a, unsigned char **pp);
@@ -22,18 +28,39 @@ d2i_RSAPublicKey, i2d_RSAPublicKey, d2i_RSAPrivateKey, i2d_RSAPrivateKey, i2d_Ne
 
 =head1 DESCRIPTION
 
-...
+d2i_RSAPublicKey() and i2d_RSAPublicKey() decode and encode a PKCS#1 RSAPublicKey
+structure.
+
+d2i_RSA_PUKEY() and i2d_RSA_PUKEY() decode and encode an RSA public key using a
+SubjectPublicKeyInfo (certificate public key) structure.
+
+d2i_RSAPrivateKey(), i2d_RSAPrivateKey() decode and encode a PKCS#1 RSAPrivateKey
+structure.
+
+d2i_Netscape_RSA(), i2d_Netscape_RSA() decode and encode an RSA private key in
+NET format.
+
+The usage of all of these functions is similar to the d2i_X509() and
+i2d_X509() described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
+
+=head1 NOTES
+
+The B<RSA> structure passed to the private key encoding functions should have
+all the PKCS#1 private key components present.
 
-=head1 RETURN VALUES
+The data encoded by the private key functions is unencrypted and therefore 
+offers no private key security. 
 
-...
+The NET format functions are present to provide compatibility with certain very
+old software. This format has some severe security weaknesses and should be
+avoided if possible.
 
 =head1 SEE ALSO
 
-...
+L<d2i_X509(3)|d2i_X509(3)>
 
 =head1 HISTORY
 
-...
+TBA
 
 =cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_add_session.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_add_session.pod
index af326c2f73..82676b26b2 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_add_session.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_add_session.pod
@@ -37,6 +37,14 @@ removed and replaced by the new session. If the session is actually
 identical (the SSL_SESSION object is identical), SSL_CTX_add_session()
 is a no-op, and the return value is 0.
 
+If a server SSL_CTX is configured with the SSL_SESS_CACHE_NO_INTERNAL_STORE
+flag then the internal cache will not be populated automatically by new
+sessions negotiated by the SSL/TLS implementation, even though the internal
+cache will be searched automatically for session-resume requests (the
+latter can be surpressed by SSL_SESS_CACHE_NO_INTERNAL_LOOKUP). So the
+application can use SSL_CTX_add_session() directly to have full control
+over the sessions that can be resumed if desired.
+
 
 =head1 RETURN VALUES
 
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_free.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_free.pod
index 55e592f5f8..51d8676968 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_free.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_free.pod
@@ -20,12 +20,22 @@ It also calls the free()ing procedures for indirectly affected items, if
 applicable: the session cache, the list of ciphers, the list of Client CAs,
 the certificates and keys.
 
+=head1 WARNINGS
+
+If a session-remove callback is set (SSL_CTX_sess_set_remove_cb()), this
+callback will be called for each session being freed from B<ctx>'s
+session cache. This implies, that all corresponding sessions from an
+external session cache are removed as well. If this is not desired, the user
+should explicitly unset the callback by calling
+SSL_CTX_sess_set_remove_cb(B<ctx>, NULL) prior to calling SSL_CTX_free().
+
 =head1 RETURN VALUES
 
 SSL_CTX_free() does not provide diagnostic information.
 
 =head1 SEE ALSO
 
-L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<ssl(3)|ssl(3)>
+L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<ssl(3)|ssl(3)>,
+L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>
 
 =cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_set_get_cb.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_set_get_cb.pod
index 7c0b2baf6c..b9d54a40a1 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_set_get_cb.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_set_get_cb.pod
@@ -60,10 +60,11 @@ B<sess>. If the callback returns B<0>, the session will be immediately
 removed again.
 
 The remove_session_cb() is called, whenever the SSL engine removes a session
-from the internal cache. This happens if the session is removed because
-it is expired or when a connection was not shutdown cleanly. The
-remove_session_cb() is passed the B<ctx> and the ssl session B<sess>.
-It does not provide any feedback.
+from the internal cache. This happens when the session is removed because
+it is expired or when a connection was not shutdown cleanly. It also happens
+for all sessions in the internal session cache when
+L<SSL_CTX_free(3)|SSL_CTX_free(3)> is called. The remove_session_cb() is passed
+the B<ctx> and the ssl session B<sess>. It does not provide any feedback.
 
 The get_session_cb() is only called on SSL/TLS servers with the session id
 proposed by the client. The get_session_cb() is always called, also when
@@ -80,6 +81,7 @@ L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>.
 L<ssl(3)|ssl(3)>, L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>,
 L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
 L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>,
-L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
+L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
+L<SSL_CTX_free(3)|SSL_CTX_free(3)>
 
 =cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
index f5e2ec3555..766f0c9200 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
@@ -176,7 +176,7 @@ will send his list of preferences to the client and the client chooses.
 =item SSL_OP_NETSCAPE_CA_DN_BUG
 
 If we accept a netscape connection, demand a client cert, have a
-non-self-sighed CA which does not have it's CA in netscape, and the
+non-self-signed CA which does not have its CA in netscape, and the
 browser has a cert, it will crash/hang.  Works for 3.x and 4.xbeta 
 
 =item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_cache_mode.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_cache_mode.pod
index 9aa6c6b2e3..c5d2f43dff 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_cache_mode.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_cache_mode.pod
@@ -26,12 +26,14 @@ SSL_CTX object is being maintained, the sessions are unique for each SSL_CTX
 object.
 
 In order to reuse a session, a client must send the session's id to the
-server. It can only send exactly one id.  The server then decides whether it
-agrees in reusing the session or starts the handshake for a new session.
+server. It can only send exactly one id.  The server then either 
+agrees to reuse the session or it starts a full handshake (to create a new
+session).
 
-A server will lookup up the session in its internal session storage. If
-the session is not found in internal storage or internal storage is
-deactivated, the server will try the external storage if available.
+A server will lookup up the session in its internal session storage. If the
+session is not found in internal storage or lookups for the internal storage
+have been deactivated (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP), the server will try
+the external storage if available.
 
 Since a client may try to reuse a session intended for use in a different
 context, the session id context must be set by the server (see
@@ -57,9 +59,10 @@ function. This option is not activated by default.
 =item SSL_SESS_CACHE_SERVER
 
 Server sessions are added to the session cache. When a client proposes a
-session to be reused, the session is looked up in the internal session cache.
-If the session is found, the server will try to reuse the session.
-This is the default.
+session to be reused, the server looks for the corresponding session in (first)
+the internal session cache (unless SSL_SESS_CACHE_NO_INTERNAL_LOOKUP is set),
+then (second) in the external cache if available. If the session is found, the
+server will try to reuse the session.  This is the default.
 
 =item SSL_SESS_CACHE_BOTH
 
@@ -77,12 +80,32 @@ explicitly by the application.
 
 =item SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
 
-By setting this flag sessions are cached in the internal storage but
-they are not looked up automatically. If an external session cache
-is enabled, sessions are looked up in the external cache. As automatic
-lookup only applies for SSL/TLS servers, the flag has no effect on
+By setting this flag, session-resume operations in an SSL/TLS server will not
+automatically look up sessions in the internal cache, even if sessions are
+automatically stored there. If external session caching callbacks are in use,
+this flag guarantees that all lookups are directed to the external cache.
+As automatic lookup only applies for SSL/TLS servers, the flag has no effect on
 clients.
 
+=item SSL_SESS_CACHE_NO_INTERNAL_STORE
+
+Depending on the presence of SSL_SESS_CACHE_CLIENT and/or SSL_SESS_CACHE_SERVER,
+sessions negotiated in an SSL/TLS handshake may be cached for possible reuse.
+Normally a new session is added to the internal cache as well as any external
+session caching (callback) that is configured for the SSL_CTX. This flag will
+prevent sessions being stored in the internal cache (though the application can
+add them manually using L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>). Note:
+in any SSL/TLS servers where external caching is configured, any successful
+session lookups in the external cache (ie. for session-resume requests) would
+normally be copied into the local cache before processing continues - this flag
+prevents these additions to the internal cache as well.
+
+=item SSL_SESS_CACHE_NO_INTERNAL
+
+Enable both SSL_SESS_CACHE_NO_INTERNAL_LOOKUP and
+SSL_SESS_CACHE_NO_INTERNAL_STORE at the same time.
+
+
 =back
 
 The default mode is SSL_SESS_CACHE_SERVER.
@@ -98,6 +121,7 @@ SSL_CTX_get_session_cache_mode() returns the currently set cache mode.
 
 L<ssl(3)|ssl(3)>, L<SSL_set_session(3)|SSL_set_session(3)>,
 L<SSL_session_reused(3)|SSL_session_reused(3)>,
+L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>,
 L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>,
 L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>,
 L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>,
@@ -105,4 +129,9 @@ L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>,
 L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>,
 L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>
 
+=head1 HISTORY
+
+SSL_SESS_CACHE_NO_INTERNAL_STORE and SSL_SESS_CACHE_NO_INTERNAL
+were introduced in OpenSSL 0.9.6h.
+
 =cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod
index 5bb21ca535..d15b2a3a1a 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod
@@ -235,7 +235,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
      * At this point, err contains the last verification error. We can use
      * it for something special
      */
-    if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)
+    if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT))
     {
       X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
       printf("issuer= %s\n", buf);
diff --git a/src/lib/libssl/src/doc/ssl/ssl.pod b/src/lib/libssl/src/doc/ssl/ssl.pod
index ac4b573a7a..4d7a6b7e2b 100644
--- a/src/lib/libssl/src/doc/ssl/ssl.pod
+++ b/src/lib/libssl/src/doc/ssl/ssl.pod
@@ -351,7 +351,7 @@ appropriate size (using ???) and return it.
 
 long B<SSL_set_tmp_rsa_callback>(SSL *ssl, RSA *(*cb)(SSL *ssl, int export, int keylength));
 
-The same as L<"SSL_CTX_set_tmp_rsa_callback">, except it operates on an SSL
+The same as B<SSL_CTX_set_tmp_rsa_callback>, except it operates on an SSL
 session instead of a context.
 
 =item void B<SSL_CTX_set_verify>(SSL_CTX *ctx, int mode, int (*cb);(void))
diff --git a/src/lib/libssl/src/doc/standards.txt b/src/lib/libssl/src/doc/standards.txt
index 596d9001e6..edbe2f3a57 100644
--- a/src/lib/libssl/src/doc/standards.txt
+++ b/src/lib/libssl/src/doc/standards.txt
@@ -42,20 +42,9 @@ whole or at least great parts) in OpenSSL.
 2268 A Description of the RC2(r) Encryption Algorithm. R. Rivest.
      January 1998. (Format: TXT=19048 bytes) (Status: INFORMATIONAL)
 
-2314 PKCS 10: Certification Request Syntax Version 1.5. B. Kaliski.
-     March 1998. (Format: TXT=15814 bytes) (Status: INFORMATIONAL)
-
 2315 PKCS 7: Cryptographic Message Syntax Version 1.5. B. Kaliski.
      March 1998. (Format: TXT=69679 bytes) (Status: INFORMATIONAL)
 
-2437 PKCS #1: RSA Cryptography Specifications Version 2.0. B. Kaliski,
-     J. Staddon. October 1998. (Format: TXT=73529 bytes) (Obsoletes
-     RFC2313) (Status: INFORMATIONAL)
-
-2459 Internet X.509 Public Key Infrastructure Certificate and CRL
-     Profile. R. Housley, W. Ford, W. Polk, D. Solo. January 1999.
-     (Format: TXT=278438 bytes) (Status: PROPOSED STANDARD)
-
 PKCS#8: Private-Key Information Syntax Standard
 
 PKCS#12: Personal Information Exchange Syntax Standard, version 1.0.
@@ -65,6 +54,40 @@ PKCS#12: Personal Information Exchange Syntax Standard, version 1.0.
      C. Adams. June 1999. (Format: TXT=43243 bytes) (Status: PROPOSED
      STANDARD)
 
+2712 Addition of Kerberos Cipher Suites to Transport Layer Security
+     (TLS). A. Medvinsky, M. Hur. October 1999. (Format: TXT=13763 bytes)
+     (Status: PROPOSED STANDARD)
+
+2898 PKCS #5: Password-Based Cryptography Specification Version 2.0.
+     B. Kaliski. September 2000. (Format: TXT=68692 bytes) (Status:
+     INFORMATIONAL)
+
+2986 PKCS #10: Certification Request Syntax Specification Version 1.7.
+     M. Nystrom, B. Kaliski. November 2000. (Format: TXT=27794 bytes)
+     (Obsoletes RFC2314) (Status: INFORMATIONAL)
+
+3174 US Secure Hash Algorithm 1 (SHA1). D. Eastlake 3rd, P. Jones.
+     September 2001. (Format: TXT=35525 bytes) (Status: INFORMATIONAL)
+
+3268 Advanced Encryption Standard (AES) Ciphersuites for Transport
+     Layer Security (TLS). P. Chown. June 2002. (Format: TXT=13530 bytes)
+     (Status: PROPOSED STANDARD)
+
+3279 Algorithms and Identifiers for the Internet X.509 Public Key
+     Infrastructure Certificate and Certificate Revocation List (CRL)
+     Profile. L. Bassham, W. Polk, R. Housley. April 2002. (Format:
+     TXT=53833 bytes) (Status: PROPOSED STANDARD)
+
+3280 Internet X.509 Public Key Infrastructure Certificate and
+     Certificate Revocation List (CRL) Profile. R. Housley, W. Polk, W.
+     Ford, D. Solo. April 2002. (Format: TXT=295556 bytes) (Obsoletes
+     RFC2459) (Status: PROPOSED STANDARD)
+
+3447 Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography
+     Specifications Version 2.1. J. Jonsson, B. Kaliski. February 2003.
+     (Format: TXT=143173 bytes) (Obsoletes RFC2437) (Status:           
+     INFORMATIONAL)                                         
+
 
 Related:
 --------
@@ -90,23 +113,60 @@ STARTTLS documents.
      Certification and Related Services. B. Kaliski. February 1993.
      (Format: TXT=17537 bytes) (Status: PROPOSED STANDARD)
 
-2256 A Summary of the X.500(96) User Schema for use with LDAPv3. M.
-     Wahl. December 1997. (Format: TXT=32377 bytes) (Status: PROPOSED
-     STANDARD)
+2025 The Simple Public-Key GSS-API Mechanism (SPKM). C. Adams. October
+     1996. (Format: TXT=101692 bytes) (Status: PROPOSED STANDARD)
+
+2510 Internet X.509 Public Key Infrastructure Certificate Management
+     Protocols. C. Adams, S. Farrell. March 1999. (Format: TXT=158178
+     bytes) (Status: PROPOSED STANDARD)
+
+2511 Internet X.509 Certificate Request Message Format. M. Myers, C.
+     Adams, D. Solo, D. Kemp. March 1999. (Format: TXT=48278 bytes)
+     (Status: PROPOSED STANDARD)
+
+2527 Internet X.509 Public Key Infrastructure Certificate Policy and
+     Certification Practices Framework. S. Chokhani, W. Ford. March 1999.
+     (Format: TXT=91860 bytes) (Status: INFORMATIONAL)
 
-2487 SMTP Service Extension for Secure SMTP over TLS. P. Hoffman.
-     January 1999. (Format: TXT=15120 bytes) (Status: PROPOSED STANDARD)
+2538 Storing Certificates in the Domain Name System (DNS). D. Eastlake
+     3rd, O. Gudmundsson. March 1999. (Format: TXT=19857 bytes) (Status:
+     PROPOSED STANDARD)
+
+2539 Storage of Diffie-Hellman Keys in the Domain Name System (DNS).
+     D. Eastlake 3rd. March 1999. (Format: TXT=21049 bytes) (Status:
+     PROPOSED STANDARD)
+
+2559 Internet X.509 Public Key Infrastructure Operational Protocols -
+     LDAPv2. S. Boeyen, T. Howes, P. Richard. April 1999. (Format:
+     TXT=22889 bytes) (Updates RFC1778) (Status: PROPOSED STANDARD)
 
 2585 Internet X.509 Public Key Infrastructure Operational Protocols:
      FTP and HTTP. R. Housley, P. Hoffman. May 1999. (Format: TXT=14813
      bytes) (Status: PROPOSED STANDARD)
 
+2587 Internet X.509 Public Key Infrastructure LDAPv2 Schema. S.
+     Boeyen, T. Howes, P. Richard. June 1999. (Format: TXT=15102 bytes)
+     (Status: PROPOSED STANDARD)
+
 2595 Using TLS with IMAP, POP3 and ACAP. C. Newman. June 1999.
      (Format: TXT=32440 bytes) (Status: PROPOSED STANDARD)
 
-2712 Addition of Kerberos Cipher Suites to Transport Layer Security
-     (TLS). A. Medvinsky, M. Hur. October 1999. (Format: TXT=13763 bytes)
-     (Status: PROPOSED STANDARD)
+2631 Diffie-Hellman Key Agreement Method. E. Rescorla. June 1999.
+     (Format: TXT=25932 bytes) (Status: PROPOSED STANDARD)
+
+2632 S/MIME Version 3 Certificate Handling. B. Ramsdell, Ed.. June
+     1999. (Format: TXT=27925 bytes) (Status: PROPOSED STANDARD)
+
+2716 PPP EAP TLS Authentication Protocol. B. Aboba, D. Simon. October
+     1999. (Format: TXT=50108 bytes) (Status: EXPERIMENTAL)
+
+2773 Encryption using KEA and SKIPJACK. R. Housley, P. Yee, W. Nace.
+     February 2000. (Format: TXT=20008 bytes) (Updates RFC0959) (Status:
+     EXPERIMENTAL)
+
+2797 Certificate Management Messages over CMS. M. Myers, X. Liu, J.
+     Schaad, J. Weinstein. April 2000. (Format: TXT=103357 bytes) (Status:
+     PROPOSED STANDARD)
 
 2817 Upgrading to TLS Within HTTP/1.1. R. Khare, S. Lawrence. May
      2000. (Format: TXT=27598 bytes) (Updates RFC2616) (Status: PROPOSED
@@ -115,6 +175,77 @@ STARTTLS documents.
 2818 HTTP Over TLS. E. Rescorla. May 2000. (Format: TXT=15170 bytes)
      (Status: INFORMATIONAL)
 
+2876 Use of the KEA and SKIPJACK Algorithms in CMS. J. Pawling. July
+     2000. (Format: TXT=29265 bytes) (Status: INFORMATIONAL)
+
+2984 Use of the CAST-128 Encryption Algorithm in CMS. C. Adams.
+     October 2000. (Format: TXT=11591 bytes) (Status: PROPOSED STANDARD)
+
+2985 PKCS #9: Selected Object Classes and Attribute Types Version 2.0.
+     M. Nystrom, B. Kaliski. November 2000. (Format: TXT=70703 bytes)
+     (Status: INFORMATIONAL)
+
+3029 Internet X.509 Public Key Infrastructure Data Validation and
+     Certification Server Protocols. C. Adams, P. Sylvester, M. Zolotarev,
+     R. Zuccherato. February 2001. (Format: TXT=107347 bytes) (Status:
+     EXPERIMENTAL)
+
+3039 Internet X.509 Public Key Infrastructure Qualified Certificates
+     Profile. S. Santesson, W. Polk, P. Barzin, M. Nystrom. January 2001.
+     (Format: TXT=67619 bytes) (Status: PROPOSED STANDARD)
+
+3058 Use of the IDEA Encryption Algorithm in CMS. S. Teiwes, P.
+     Hartmann, D. Kuenzi. February 2001. (Format: TXT=17257 bytes)
+     (Status: INFORMATIONAL)
+
+3161 Internet X.509 Public Key Infrastructure Time-Stamp Protocol
+     (TSP). C. Adams, P. Cain, D. Pinkas, R. Zuccherato. August 2001.
+     (Format: TXT=54585 bytes) (Status: PROPOSED STANDARD)
+
+3185 Reuse of CMS Content Encryption Keys. S. Farrell, S. Turner.
+     October 2001. (Format: TXT=20404 bytes) (Status: PROPOSED STANDARD)
+
+3207 SMTP Service Extension for Secure SMTP over Transport Layer
+     Security. P. Hoffman. February 2002. (Format: TXT=18679 bytes)
+     (Obsoletes RFC2487) (Status: PROPOSED STANDARD)
+
+3217 Triple-DES and RC2 Key Wrapping. R. Housley. December 2001.
+     (Format: TXT=19855 bytes) (Status: INFORMATIONAL)
+
+3274 Compressed Data Content Type for Cryptographic Message Syntax
+     (CMS). P. Gutmann. June 2002. (Format: TXT=11276 bytes) (Status:
+     PROPOSED STANDARD)
+
+3278 Use of Elliptic Curve Cryptography (ECC) Algorithms in
+     Cryptographic Message Syntax (CMS). S. Blake-Wilson, D. Brown, P.
+     Lambert. April 2002. (Format: TXT=33779 bytes) (Status:
+     INFORMATIONAL)
+
+3281 An Internet Attribute Certificate Profile for Authorization. S.
+     Farrell, R. Housley. April 2002. (Format: TXT=90580 bytes) (Status:
+     PROPOSED STANDARD)
+
+3369 Cryptographic Message Syntax (CMS). R. Housley. August 2002.
+     (Format: TXT=113975 bytes) (Obsoletes RFC2630, RFC3211) (Status:
+     PROPOSED STANDARD)
+
+3370 Cryptographic Message Syntax (CMS) Algorithms. R. Housley. August
+     2002. (Format: TXT=51001 bytes) (Obsoletes RFC2630, RFC3211) (Status:
+     PROPOSED STANDARD)
+
+3377 Lightweight Directory Access Protocol (v3): Technical
+     Specification. J. Hodges, R. Morgan. September 2002. (Format:
+     TXT=9981 bytes) (Updates RFC2251, RFC2252, RFC2253, RFC2254, RFC2255,
+     RFC2256, RFC2829, RFC2830) (Status: PROPOSED STANDARD)
+
+3394 Advanced Encryption Standard (AES) Key Wrap Algorithm. J. Schaad,
+     R. Housley. September 2002. (Format: TXT=73072 bytes) (Status:
+     INFORMATIONAL)
+
+3436 Transport Layer Security over Stream Control Transmission
+     Protocol. A. Jungmaier, E. Rescorla, M. Tuexen. December 2002.
+     (Format: TXT=16333 bytes) (Status: PROPOSED STANDARD)
+
   "Securing FTP with TLS", 01/27/2000, <draft-murray-auth-ftp-ssl-05.txt>  
  
 
@@ -124,7 +255,3 @@ To be implemented:
 These are documents that describe things that are planed to be
 implemented in the hopefully short future.
 
-2712 Addition of Kerberos Cipher Suites to Transport Layer Security
-     (TLS). A. Medvinsky, M. Hur. October 1999. (Format: TXT=13763 bytes)
-     (Status: PROPOSED STANDARD)
-
diff --git a/src/lib/libssl/src/e_os.h b/src/lib/libssl/src/e_os.h
index 00edebe6d4..f7d09c5295 100644
--- a/src/lib/libssl/src/e_os.h
+++ b/src/lib/libssl/src/e_os.h
@@ -154,6 +154,13 @@ extern "C" {
 #define readsocket(s,b,n)       recv((s),(b),(n),0)
 #define writesocket(s,b,n)      send((s),(b),(n),0)
 #define EADDRINUSE              WSAEADDRINUSE
+#elif defined(__DJGPP__)
+#define WATT32
+#define get_last_socket_error() errno
+#define clear_socket_error()    errno=0
+#define closesocket(s)          close_s(s)
+#define readsocket(s,b,n)       read_s(s,b,n)
+#define writesocket(s,b,n)      send(s,b,n,0)
 #elif defined(MAC_OS_pre_X)
 #define get_last_socket_error() errno
 #define clear_socket_error()    errno=0
@@ -194,6 +201,9 @@ extern "C" {
 #  ifdef __DJGPP__
 #    include <unistd.h>
 #    include <sys/stat.h>
+#    include <sys/socket.h>
+#    include <tcp.h>
+#    include <netdb.h>
 #    define _setmode setmode
 #    define _O_TEXT O_TEXT
 #    define _O_BINARY O_BINARY
@@ -207,7 +217,7 @@ extern "C" {
 #    define S_IFMT      _S_IFMT
 #  endif
 
-#  if !defined(WINNT)
+#  if !defined(WINNT) && !defined(__DJGPP__)
 #    define NO_SYSLOG
 #  endif
 #  define NO_DIRENT
@@ -222,6 +232,10 @@ extern "C" {
 #  include <io.h>
 #  include <fcntl.h>
 
+#  ifdef OPENSSL_SYS_WINCE
+#    include <winsock_extras.h>
+#  endif
+
 #  define ssize_t long
 
 #  if defined (__BORLANDC__)
@@ -232,10 +246,11 @@ extern "C" {
 #    define _kbhit kbhit
 #  endif
 
-#  if defined(WIN16) && !defined(MONOLITH) && defined(SSLEAY) && defined(_WINEXITNOPERSIST)
-#    define EXIT(n) { if (n == 0) _wsetexit(_WINEXITNOPERSIST); return(n); }
+#  if defined(WIN16) && defined(SSLEAY) && defined(_WINEXITNOPERSIST)
+#    define EXIT(n) _wsetexit(_WINEXITNOPERSIST)
+#    define OPENSSL_EXIT(n) do { if (n == 0) EXIT(n); return(n); } while(0)
 #  else
-#    define EXIT(n)             return(n);
+#    define EXIT(n) return(n)
 #  endif
 #  define LIST_SEPARATOR_CHAR ';'
 #  ifndef X_OK
@@ -251,7 +266,11 @@ extern "C" {
 #  define SSLEAY_CONF   OPENSSL_CONF
 #  define NUL_DEV       "nul"
 #  define RFILE         ".rnd"
-#  define DEFAULT_HOME  "C:"
+#  ifdef OPENSSL_SYS_WINCE
+#    define DEFAULT_HOME  ""
+#  else
+#    define DEFAULT_HOME  "C:"
+#  endif
 
 #else /* The non-microsoft world world */
 
@@ -287,18 +306,13 @@ extern "C" {
      the status is tagged as an error, which I believe is what is wanted here.
      -- Richard Levitte
   */
-#    if !defined(MONOLITH) || defined(OPENSSL_C)
-#      define EXIT(n)           do { int __VMS_EXIT = n; \
+#    define EXIT(n)             do { int __VMS_EXIT = n; \
                                      if (__VMS_EXIT == 0) \
                                        __VMS_EXIT = 1; \
                                      else \
                                        __VMS_EXIT = (n << 3) | 2; \
                                      __VMS_EXIT |= 0x10000000; \
-                                     exit(__VMS_EXIT); \
-                                     return(__VMS_EXIT); } while(0)
-#    else
-#      define EXIT(n)           return(n)
-#    endif
+                                     exit(__VMS_EXIT); } while(0)
 #    define NO_SYS_PARAM_H
 #  else
      /* !defined VMS */
@@ -329,11 +343,7 @@ extern "C" {
 #    define RFILE               ".rnd"
 #    define LIST_SEPARATOR_CHAR ':'
 #    define NUL_DEV             "/dev/null"
-#    ifndef MONOLITH
-#      define EXIT(n)           exit(n); return(n)
-#    else
-#      define EXIT(n)           return(n)
-#    endif
+#    define EXIT(n)             exit(n)
 #  endif
 
 #  define SSLeay_getpid()       getpid()
@@ -344,7 +354,7 @@ extern "C" {
 /*************/
 
 #ifdef USE_SOCKETS
-#  if (defined(WINDOWS) || defined(MSDOS)) && !defined(__DJGPP__)
+#  if defined(WINDOWS) || defined(MSDOS)
       /* windows world */
 
 #    ifdef OPENSSL_NO_SOCK
@@ -352,13 +362,18 @@ extern "C" {
 #      define SSLeay_Read(a,b,c)        (-1)
 #      define SHUTDOWN(fd)              close(fd)
 #      define SHUTDOWN2(fd)             close(fd)
-#    else
+#    elif !defined(__DJGPP__)
 #      include <winsock.h>
 extern HINSTANCE _hInstance;
 #      define SSLeay_Write(a,b,c)       send((a),(b),(c),0)
 #      define SSLeay_Read(a,b,c)        recv((a),(b),(c),0)
 #      define SHUTDOWN(fd)              { shutdown((fd),0); closesocket(fd); }
 #      define SHUTDOWN2(fd)             { shutdown((fd),2); closesocket(fd); }
+#    else
+#      define SSLeay_Write(a,b,c)       write_s(a,b,c,0)
+#      define SSLeay_Read(a,b,c)        read_s(a,b,c)
+#      define SHUTDOWN(fd)              close_s(fd)
+#      define SHUTDOWN2(fd)             close_s(fd)
 #    endif
 
 #  elif defined(MAC_OS_pre_X)
@@ -455,6 +470,14 @@ extern char *sys_errlist[]; extern int sys_nerr;
         (((errnum)<0 || (errnum)>=sys_nerr) ? NULL : sys_errlist[errnum])
 #endif
 
+#ifndef OPENSSL_EXIT
+# if defined(MONOLITH) && !defined(OPENSSL_C)
+#  define OPENSSL_EXIT(n) return(n)
+# else
+#  define OPENSSL_EXIT(n) do { EXIT(n); return(n); } while(0)
+# endif
+#endif
+
 /***********************************************/
 
 /* do we need to do this for getenv.
@@ -485,6 +508,36 @@ extern char *sys_errlist[]; extern int sys_nerr;
 # define strcasecmp stricmp
 #endif
 
+/* vxworks */
+#if defined(OPENSSL_SYS_VXWORKS)
+#include <ioLib.h>
+#include <tickLib.h>
+#include <sysLib.h>
+
+#define TTY_STRUCT int
+
+#define sleep(a) taskDelay((a) * sysClkRateGet())
+#if defined(ioctlsocket)
+#undef ioctlsocket
+#endif
+#define ioctlsocket(a,b,c) ioctl((a),(b),*(c))
+
+#include <vxWorks.h>
+#include <sockLib.h>
+#include <taskLib.h>
+
+#define getpid taskIdSelf
+
+/* NOTE: these are implemented by helpers in database app!
+ * if the database is not linked, we need to implement them
+ * elswhere */
+struct hostent *gethostbyname(const char *name);
+struct hostent *gethostbyaddr(const char *addr, int length, int type);
+struct servent *getservbyname(const char *name, const char *proto);
+
+#endif
+/* end vxworks */
+
 #ifdef  __cplusplus
 }
 #endif
diff --git a/src/lib/libssl/src/e_os2.h b/src/lib/libssl/src/e_os2.h
index ff68d5b94a..81be3025f6 100644
--- a/src/lib/libssl/src/e_os2.h
+++ b/src/lib/libssl/src/e_os2.h
@@ -106,11 +106,15 @@ extern "C" {
 #   undef OPENSSL_SYS_UNIX
 #   define OPENSSL_SYS_WINNT
 #  endif
+#  if defined(OPENSSL_SYSNAME_WINCE)
+#   undef OPENSSL_SYS_UNIX
+#   define OPENSSL_SYS_WINCE
+#  endif
 # endif
 #endif
 
 /* Anything that tries to look like Microsoft is "Windows" */
-#if defined(OPENSSL_SYS_WIN16) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINNT)
+#if defined(OPENSSL_SYS_WIN16) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINNT) || defined(OPENSSL_SYS_WINCE)
 # undef OPENSSL_SYS_UNIX
 # define OPENSSL_SYS_WINDOWS
 # ifndef OPENSSL_SYS_MSDOS
@@ -170,6 +174,13 @@ extern "C" {
 # ifdef OPENSSL_SYSNAME_MACOSX
 #  define OPENSSL_SYS_MACOSX
 # endif
+# ifdef OPENSSL_SYSNAME_MACOSX_RHAPSODY
+#  define OPENSSL_SYS_MACOSX_RHAPSODY
+#  define OPENSSL_SYS_MACOSX
+# endif
+# ifdef OPENSSL_SYSNAME_SUNOS
+#  define OPENSSL_SYS_SUNOS
+#endif
 # if defined(_CRAY) || defined(OPENSSL_SYSNAME_CRAY)
 #  define OPENSSL_SYS_CRAY
 # endif
@@ -178,6 +189,11 @@ extern "C" {
 # endif
 #endif
 
+/* ------------------------------- VxWorks --------------------------------- */
+#ifdef OPENSSL_SYSNAME_VXWORKS
+# define OPENSSL_SYS_VXWORKS
+#endif
+
 /**
  * That's it for OS-specific stuff
  *****************************************************************************/
diff --git a/src/lib/libssl/src/makevms.com b/src/lib/libssl/src/makevms.com
index e5c1edbe0e..443f3c15c5 100644
--- a/src/lib/libssl/src/makevms.com
+++ b/src/lib/libssl/src/makevms.com
@@ -9,7 +9,7 @@ $!
 $! Changes by Richard Levitte <richard@levitte.org>
 $!
 $! This procedure creates the SSL libraries of "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB"
-$! "[.xxx.EXE.SSL]LIBSSL.OLB" and if specified "[.xxx.EXE.RSAREF]LIBRSAGLUE.OLB".
+$! "[.xxx.EXE.SSL]LIBSSL.OLB"
 $! The "xxx" denotes the machine architecture of AXP or VAX.
 $!
 $! This procedures accepts two command line options listed below.
@@ -21,7 +21,6 @@ $!      CONFIG    Just build the "[.CRYPTO]OPENSSLCONF.H" file.
 $!      BUILDINF  Just build the "[.CRYPTO]BUILDINF.H" file.
 $!      SOFTLINKS Just fix the Unix soft links.
 $!      BUILDALL  Same as ALL, except CONFIG, BUILDINF and SOFTILNKS aren't done.
-$!      RSAREF    Just build the "[.xxx.EXE.RSAREF]LIBRSAGLUE.OLB" library.
 $!      CRYPTO    Just build the "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" library.
 $!      CRYPTO/x  Just build the x part of the
 $!                "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" library.
@@ -31,16 +30,8 @@ $!      TEST      Just build the "[.xxx.EXE.TEST]" test programs for OpenSSL.
 $!      APPS      Just build the "[.xxx.EXE.APPS]" application programs for OpenSSL.
 $!
 $!
-$! Specify RSAREF as P2 to compile using the RSAREF Library.
-$! If you specify NORSAREF, it will compile without using RSAREF.
-$! (If in the United States, You Must Compile Using RSAREF).
-$!
-$! Note: The RSAREF libraries are NOT INCLUDED and you have to
-$!       download it from "ftp://ftp.rsa.com/rsaref".  You have to
-$!       get the ".tar-Z" file as the ".zip" file dosen't have the
-$!       directory structure stored.  You have to extract the file
-$!       into the [.RSAREF] directory as that is where the scripts
-$!       will look for the files.
+$! P2 is ignored (it was used to denote if RSAref should be used or not,
+$! and is simply kept so surrounding scripts don't get confused)
 $!
 $! Speficy DEBUG or NODEBUG as P3 to compile with or without debugging
 $! information.
@@ -127,20 +118,6 @@ $!
 $ IF (BUILDCOMMAND.EQS."ALL".OR.BUILDCOMMAND.EQS."BUILDALL")
 $ THEN
 $!
-$!  Check To See If We Are Going To Be Building The 
-$!  [.xxx.EXE.RSAREF]LIBRSAGLUE.OLB Library.
-$!
-$   IF (RSAREF.EQS."RSAREF")
-$   THEN
-$!
-$!    Build The [.xxx.EXE.RSAREF]LIBRSAGLUE.OLB Library.
-$!
-$     GOSUB RSAREF
-$!
-$!  End The RSAREF Check.
-$!
-$   ENDIF
-$!
 $!  Build The [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library.
 $!
 $   GOSUB CRYPTO
@@ -498,11 +475,6 @@ $ ENDIF
 $ GOTO LOOP_SDIRS
 $ LOOP_SDIRS_END:
 $!
-$! Copy All The ".H" Files From The [.RSAREF] Directory.
-$!
-$! EXHEADER := rsaref.h
-$! COPY SYS$DISK:[.RSAREF]'EXHEADER' SYS$DISK:[.INCLUDE.OPENSSL]
-$!
 $! Copy All The ".H" Files From The [.SSL] Directory.
 $!
 $ EXHEADER := ssl.h,ssl2.h,ssl3.h,ssl23.h,tls1.h,kssl.h
@@ -531,11 +503,11 @@ $ SET DEFAULT SYS$DISK:[.CRYPTO]
 $!
 $! Build The [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library.
 $!  
-$ @CRYPTO-LIB LIBRARY 'RSAREF' 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" "''ISSEVEN'" "''BUILDPART'"
+$ @CRYPTO-LIB LIBRARY 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" "''ISSEVEN'" "''BUILDPART'"
 $!
 $! Build The [.xxx.EXE.CRYPTO]*.EXE Test Applications.
 $!  
-$ @CRYPTO-LIB APPS 'RSAREF' 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN'
+$ @CRYPTO-LIB APPS 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN'
 $!
 $! Go Back To The Main Directory.
 $!
@@ -545,34 +517,6 @@ $! Time To RETURN.
 $!
 $ RETURN
 $!
-$! Build The [.xxx.EXE.RSAREF]LIBRSAGLUE Library.
-$!
-$ RSAREF:
-$ WRITE SYS$OUTPUT ""
-$ WRITE SYS$OUTPUT "RSAref glue library not built, since it's no longer needed"
-$ RETURN
-$!
-$! Tell The User What We Are Doing.
-$!
-$ WRITE SYS$OUTPUT ""
-$ WRITE SYS$OUTPUT "Building The [.",ARCH,".EXE.RSAREF]LIBRSAGLUE.OLB Library."
-$!
-$! Go To The [.RSAREF] Directory.
-$!
-$ SET DEFAULT SYS$DISK:[.RSAREF]
-$!
-$! Build The [.xxx.EXE.RSAREF]LIBRSAGLUE.OLB Library.
-$!
-$ @RSAREF-LIB LIBRARY 'DEBUGGER' "''COMPILER'" 'ISSEVEN'
-$!
-$! Go Back To The Main Directory.
-$!
-$ SET DEFAULT [-]
-$!
-$! Time To Return.
-$!
-$ RETURN
-$!
 $! Build The "[.xxx.EXE.SSL]LIBSSL.OLB" Library.
 $!
 $ SSL:
@@ -588,7 +532,7 @@ $ SET DEFAULT SYS$DISK:[.SSL]
 $!
 $! Build The [.xxx.EXE.SSL]LIBSSL.OLB Library.
 $!
-$ @SSL-LIB LIBRARY 'RSAREF' 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN'
+$ @SSL-LIB LIBRARY 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN'
 $!
 $! Go Back To The Main Directory.
 $!
@@ -613,7 +557,7 @@ $ SET DEFAULT SYS$DISK:[.SSL]
 $!
 $! Build The [.xxx.EXE.SSL]SSL_TASK.EXE
 $!
-$ @SSL-LIB SSL_TASK 'RSAREF' 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN'
+$ @SSL-LIB SSL_TASK 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN'
 $!
 $! Go Back To The Main Directory.
 $!
@@ -638,7 +582,7 @@ $ SET DEFAULT SYS$DISK:[.TEST]
 $!
 $! Build The Test Programs.
 $!
-$ @MAKETESTS 'RSAREF' 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN'
+$ @MAKETESTS 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN'
 $!
 $! Go Back To The Main Directory.
 $!
@@ -663,7 +607,7 @@ $ SET DEFAULT SYS$DISK:[.APPS]
 $!
 $! Build The Application Programs.
 $!
-$ @MAKEAPPS 'RSAREF' 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN'
+$ @MAKEAPPS 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN'
 $!
 $! Go Back To The Main Directory.
 $!
@@ -704,7 +648,7 @@ $!  Else, Check To See If P1 Has A Valid Arguement.
 $!
 $   IF (P1.EQS."CONFIG").OR.(P1.EQS."BUILDINF").OR.(P1.EQS."SOFTLINKS") -
        .OR.(P1.EQS."BUILDALL") -
-       .OR.(P1.EQS."CRYPTO").OR.(P1.EQS."SSL").OR.(P1.EQS."RSAREF") -
+       .OR.(P1.EQS."CRYPTO").OR.(P1.EQS."SSL") -
        .OR.(P1.EQS."SSL_TASK").OR.(P1.EQS."TEST").OR.(P1.EQS."APPS")
 $   THEN
 $!
@@ -752,54 +696,6 @@ $! End The P1 Check.
 $!
 $ ENDIF
 $!
-$! Check To See If P2 Is Blank.
-$!
-$ P2 = "NORSAREF"
-$ IF (P2.EQS."NORSAREF")
-$ THEN
-$!
-$!   P2 Is NORSAREF, So Compile Without RSAREF.
-$!
-$    RSAREF = "NORSAREF"
-$!
-$! Else...
-$!
-$ ELSE
-$!
-$!  Check To See If We Are To Compile Using The RSAREF Library.
-$!
-$   IF (P2.EQS."RSAREF")
-$   THEN
-$!
-$!    Compile With RSAREF Library.
-$!
-$     RSAREF = "RSAREF"
-$!
-$!  Else...
-$!
-$   ELSE
-$!
-$!    Tell The User Entered An Invalid Option..
-$!
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "    RSAREF   :  To Compile With The RSAREF Library."
-$     WRITE SYS$OUTPUT "    NORSAREF :  To Compile With The Regular RSA Library."
-$     WRITE SYS$OUTPUT ""
-$!
-$!    Time To EXIT.
-$!
-$     EXIT
-$!
-$!  End The Valid Arguemnt Check.
-$!
-$   ENDIF
-$!
-$! End The P2 Check.
-$!
-$ ENDIF
-$!
 $! Check To See If P3 Is Blank.
 $!
 $ IF (P3.EQS."NODEBUG")
diff --git a/src/lib/libssl/src/ms/do_ms.bat b/src/lib/libssl/src/ms/do_ms.bat
index 5cbc6f7d5f..a8cf515bac 100644
--- a/src/lib/libssl/src/ms/do_ms.bat
+++ b/src/lib/libssl/src/ms/do_ms.bat
@@ -5,6 +5,8 @@ rem perl util\mk1mf.pl VC-W31-32 >ms\w31.mak
 perl util\mk1mf.pl dll VC-W31-32 >ms\w31dll.mak

 perl util\mk1mf.pl no-asm VC-WIN32 >ms\nt.mak

 perl util\mk1mf.pl dll no-asm VC-WIN32 >ms\ntdll.mak

+perl util\mk1mf.pl no-asm VC-CE >ms\ce.mak

+perl util\mk1mf.pl dll no-asm VC-CE >ms\cedll.mak

 

 perl util\mkdef.pl 16 libeay > ms\libeay16.def

 perl util\mkdef.pl 32 libeay > ms\libeay32.def

diff --git a/src/lib/libssl/src/ms/mingw32.bat b/src/lib/libssl/src/ms/mingw32.bat
index 1968f4150b..8c7c63e0f2 100644
--- a/src/lib/libssl/src/ms/mingw32.bat
+++ b/src/lib/libssl/src/ms/mingw32.bat
@@ -1,7 +1,7 @@
 @rem OpenSSL with Mingw32+GNU as

 @rem ---------------------------

 

-perl Configure Mingw32 %1 %2 %3 %4 %5 %6 %7 %8

+perl Configure mingw %1 %2 %3 %4 %5 %6 %7 %8

 

 @echo off

 

@@ -66,21 +66,16 @@ cd ..\..\..
 echo Generating makefile

 perl util\mkfiles.pl >MINFO

 perl util\mk1mf.pl gaswin Mingw32 >ms\mingw32a.mak

-perl util\mk1mf.pl gaswin Mingw32-files >ms\mingw32f.mak

 echo Generating DLL definition files

 perl util\mkdef.pl 32 libeay >ms\libeay32.def

 if errorlevel 1 goto end

 perl util\mkdef.pl 32 ssleay >ms\ssleay32.def

 if errorlevel 1 goto end

 

-rem Create files -- this can be skipped if using the GNU file utilities

-make -f ms/mingw32f.mak

-echo You can ignore the error messages above

-

-copy ms\tlhelp32.h outinc

+rem copy ms\tlhelp32.h outinc

 

 echo Building the libraries

-make -f ms/mingw32a.mak

+mingw32-make -f ms/mingw32a.mak

 if errorlevel 1 goto end

 

 echo Generating the DLLs and input libraries

diff --git a/src/lib/libssl/src/ms/mw.bat b/src/lib/libssl/src/ms/mw.bat
index dc37913b71..c5ccd693e3 100644
--- a/src/lib/libssl/src/ms/mw.bat
+++ b/src/lib/libssl/src/ms/mw.bat
@@ -4,17 +4,12 @@
 @rem Makefile

 perl util\mkfiles.pl >MINFO

 perl util\mk1mf.pl Mingw32 >ms\mingw32.mak

-perl util\mk1mf.pl Mingw32-files >ms\mingw32f.mak

 @rem DLL definition files

 perl util\mkdef.pl 32 libeay >ms\libeay32.def

 if errorlevel 1 goto end

 perl util\mkdef.pl 32 ssleay >ms\ssleay32.def

 if errorlevel 1 goto end

 

-@rem Create files -- this can be skipped if using the GNU file utilities

-make -f ms/mingw32f.mak

-echo You can ignore the error messages above

-

 @rem Build the libraries

 make -f ms/mingw32.mak

 if errorlevel 1 goto end

diff --git a/src/lib/libssl/src/ms/test.bat b/src/lib/libssl/src/ms/test.bat
index 8f69194283..c3a1b0c28d 100644
--- a/src/lib/libssl/src/ms/test.bat
+++ b/src/lib/libssl/src/ms/test.bat
@@ -67,6 +67,10 @@ echo dsatest
 dsatest

 if errorlevel 1 goto done

 

+echo ectest

+ectest

+if errorlevel 1 goto done

+

 echo testenc

 call %test%\testenc openssl

 if errorlevel 1 goto done

diff --git a/src/lib/libssl/src/ms/testenc.bat b/src/lib/libssl/src/ms/testenc.bat
index e8917eeee2..4b99bd5895 100644
--- a/src/lib/libssl/src/ms/testenc.bat
+++ b/src/lib/libssl/src/ms/testenc.bat
@@ -1,6 +1,6 @@
-

+@echo off

 echo start testenc

-echo=off

+

 path=..\ms;%path%

 set ssleay=%1%

 set input=..\ms\testenc.bat

diff --git a/src/lib/libssl/src/ms/testpem.bat b/src/lib/libssl/src/ms/testpem.bat
index 81e566b69b..005f13b67e 100644
--- a/src/lib/libssl/src/ms/testpem.bat
+++ b/src/lib/libssl/src/ms/testpem.bat
@@ -1,4 +1,4 @@
-echo=off

+@echo off

 set ssleay=%1%

 set tmp1=pem.out

 set cmp=fc.exe

diff --git a/src/lib/libssl/src/ms/testss.bat b/src/lib/libssl/src/ms/testss.bat
index d9ae625439..f7e58e2756 100644
--- a/src/lib/libssl/src/ms/testss.bat
+++ b/src/lib/libssl/src/ms/testss.bat
@@ -1,4 +1,4 @@
-echo on

+@echo off

 

 rem set ssleay=..\out\ssleay

 set ssleay=%1

diff --git a/src/lib/libssl/src/openssl.spec b/src/lib/libssl/src/openssl.spec
index 4d68d705ae..9bd9c8375e 100644
--- a/src/lib/libssl/src/openssl.spec
+++ b/src/lib/libssl/src/openssl.spec
@@ -1,15 +1,15 @@
 %define libmaj 0
 %define libmin 9
 %define librel 7
-#%define librev a
+%define librev b
 Release: 1
 
 %define openssldir /var/ssl
 
 Summary: Secure Sockets Layer and cryptography libraries and tools
 Name: openssl
-Version: %{libmaj}.%{libmin}.%{librel}
-#Version: %{libmaj}.%{libmin}.%{librel}%{librev}
+#Version: %{libmaj}.%{libmin}.%{librel}
+Version: %{libmaj}.%{libmin}.%{librel}%{librev}
 Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
 Copyright: Freely distributable
 Group: System Environment/Libraries
diff --git a/src/lib/libssl/src/shlib/svr5-shared-gcc.sh b/src/lib/libssl/src/shlib/svr5-shared-gcc.sh
index 76957df947..c5d0cc56ac 100644
--- a/src/lib/libssl/src/shlib/svr5-shared-gcc.sh
+++ b/src/lib/libssl/src/shlib/svr5-shared-gcc.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/sh
 
 major="0"
-minor="9.7"
+minor="9.7b"
 
 slib=libssl
 sh_slib=$slib.so.$major.$minor
diff --git a/src/lib/libssl/src/shlib/svr5-shared-installed b/src/lib/libssl/src/shlib/svr5-shared-installed
index 544f5a9417..b1def35d5c 100644
--- a/src/lib/libssl/src/shlib/svr5-shared-installed
+++ b/src/lib/libssl/src/shlib/svr5-shared-installed
@@ -1,7 +1,7 @@
 #!/usr/bin/sh
 
 major="0"
-minor="9.7"
+minor="9.7b"
 
 slib=libssl
 sh_slib=$slib.so.$major.$minor
@@ -25,4 +25,3 @@ rm -f $INSTALLTOP/$slib.so
 ln -s $INSTALLTOP/$sh_slib $slib.so
 
 cd $PWD
-
diff --git a/src/lib/libssl/src/shlib/svr5-shared.sh b/src/lib/libssl/src/shlib/svr5-shared.sh
index a70bb65baa..9edf26e9a7 100644
--- a/src/lib/libssl/src/shlib/svr5-shared.sh
+++ b/src/lib/libssl/src/shlib/svr5-shared.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/sh
 
 major="0"
-minor="9.7"
+minor="9.7b"
 
 slib=libssl
 sh_slib=$slib.so.$major.$minor
diff --git a/src/lib/libssl/src/ssl/Makefile.ssl b/src/lib/libssl/src/ssl/Makefile.ssl
index 23fcab1a3a..e48b5cedfb 100644
--- a/src/lib/libssl/src/ssl/Makefile.ssl
+++ b/src/lib/libssl/src/ssl/Makefile.ssl
@@ -17,7 +17,6 @@ MAKEFILE=	Makefile.ssl
 AR=             ar r
 # KRB5 stuff
 KRB5_INCLUDES=
-LIBKRB5=
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 
@@ -93,7 +92,7 @@ lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -307,31 +306,32 @@ s2_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 s2_clnt.o: ../include/openssl/tls1.h ../include/openssl/ui.h
 s2_clnt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
 s2_clnt.o: ../include/openssl/x509_vfy.h s2_clnt.c ssl_locl.h
-s2_enc.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s2_enc.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-s2_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s2_enc.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s2_enc.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s2_enc.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s2_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-s2_enc.o: ../include/openssl/err.h ../include/openssl/evp.h
-s2_enc.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s2_enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s2_enc.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s2_enc.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s2_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s2_enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s2_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s2_enc.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-s2_enc.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s2_enc.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-s2_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s2_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s2_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s2_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s2_enc.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-s2_enc.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-s2_enc.o: ../include/openssl/x509_vfy.h s2_enc.c ssl_locl.h
+s2_enc.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h
+s2_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_enc.o: ../include/openssl/des.h ../include/openssl/des_old.h
+s2_enc.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+s2_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_enc.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_enc.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s2_enc.o: ../include/openssl/md2.h ../include/openssl/md4.h
+s2_enc.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s2_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s2_enc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s2_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s2_enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s2_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s2_enc.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+s2_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_enc.c
+s2_enc.o: ssl_locl.h
 s2_lib.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h
 s2_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 s2_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
@@ -383,31 +383,32 @@ s2_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 s2_meth.o: ../include/openssl/tls1.h ../include/openssl/ui.h
 s2_meth.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
 s2_meth.o: ../include/openssl/x509_vfy.h s2_meth.c ssl_locl.h
-s2_pkt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-s2_pkt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-s2_pkt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s2_pkt.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s2_pkt.o: ../include/openssl/crypto.h ../include/openssl/des.h
-s2_pkt.o: ../include/openssl/des_old.h ../include/openssl/dh.h
-s2_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-s2_pkt.o: ../include/openssl/err.h ../include/openssl/evp.h
-s2_pkt.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-s2_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s2_pkt.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s2_pkt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s2_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s2_pkt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s2_pkt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s2_pkt.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-s2_pkt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s2_pkt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-s2_pkt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s2_pkt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s2_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s2_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s2_pkt.o: ../include/openssl/tls1.h ../include/openssl/ui.h
-s2_pkt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-s2_pkt.o: ../include/openssl/x509_vfy.h s2_pkt.c ssl_locl.h
+s2_pkt.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h
+s2_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_pkt.o: ../include/openssl/des.h ../include/openssl/des_old.h
+s2_pkt.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+s2_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_pkt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s2_pkt.o: ../include/openssl/md2.h ../include/openssl/md4.h
+s2_pkt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_pkt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s2_pkt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s2_pkt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s2_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s2_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s2_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s2_pkt.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+s2_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_pkt.c
+s2_pkt.o: ssl_locl.h
 s2_srvr.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h
 s2_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 s2_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
@@ -765,32 +766,33 @@ ssl_err2.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 ssl_err2.o: ../include/openssl/tls1.h ../include/openssl/ui.h
 ssl_err2.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
 ssl_err2.o: ../include/openssl/x509_vfy.h ssl_err2.c
-ssl_lib.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-ssl_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-ssl_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ssl_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h
-ssl_lib.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-ssl_lib.o: ../include/openssl/des.h ../include/openssl/des_old.h
-ssl_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-ssl_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-ssl_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
-ssl_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-ssl_lib.o: ../include/openssl/md2.h ../include/openssl/md4.h
-ssl_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-ssl_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ssl_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ssl_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-ssl_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ssl_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-ssl_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-ssl_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ssl_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_lib.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-ssl_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ssl_lib.o: ../include/openssl/x509v3.h kssl_lcl.h ssl_lib.c ssl_locl.h
+ssl_lib.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h
+ssl_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_lib.o: ../include/openssl/comp.h ../include/openssl/conf.h
+ssl_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+ssl_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+ssl_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h
+ssl_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h
+ssl_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+ssl_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ssl_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ssl_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ssl_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ssl_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+ssl_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+ssl_lib.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h kssl_lcl.h
+ssl_lib.o: ssl_lib.c ssl_locl.h
 ssl_rsa.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 ssl_rsa.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 ssl_rsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
diff --git a/src/lib/libssl/src/ssl/bio_ssl.c b/src/lib/libssl/src/ssl/bio_ssl.c
index 467e149947..d683ee43e1 100644
--- a/src/lib/libssl/src/ssl/bio_ssl.c
+++ b/src/lib/libssl/src/ssl/bio_ssl.c
@@ -403,6 +403,10 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
                         {
                         BIO_free_all(ssl->wbio);
                         }
+                if (b->next_bio != NULL)
+                        {
+                        CRYPTO_add(&b->next_bio->references,1,CRYPTO_LOCK_BIO);
+                        }
                 ssl->wbio=NULL;
                 ssl->rbio=NULL;
                 break;
@@ -509,6 +513,7 @@ static int ssl_puts(BIO *bp, const char *str)
 
 BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx)
         {
+#ifndef OPENSSL_NO_SOCK
         BIO *ret=NULL,*buf=NULL,*ssl=NULL;
 
         if ((buf=BIO_new(BIO_f_buffer())) == NULL)
@@ -521,6 +526,7 @@ BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx)
 err:
         if (buf != NULL) BIO_free(buf);
         if (ssl != NULL) BIO_free(ssl);
+#endif
         return(NULL);
         }
 
diff --git a/src/lib/libssl/src/ssl/kssl.c b/src/lib/libssl/src/ssl/kssl.c
index d3c7be7581..a80f5b2f74 100644
--- a/src/lib/libssl/src/ssl/kssl.c
+++ b/src/lib/libssl/src/ssl/kssl.c
@@ -70,6 +70,7 @@
 
 #define _XOPEN_SOURCE /* glibc2 needs this to declare strptime() */
 #include <time.h>
+#undef _XOPEN_SOURCE /* To avoid clashes with anything else... */
 #include <string.h>
 
 #include <openssl/ssl.h>
@@ -783,24 +784,6 @@ char
         return ((string == NULL)? null: string);
         }
 
-#define MAXKNUM 255
-char
-*knumber(int len, krb5_octet *contents)
-        {
-        static char     buf[MAXKNUM+1];
-        int             i;
-
-        BIO_snprintf(buf, MAXKNUM, "[%d] ", len);
-
-        for (i=0; i < len  &&  MAXKNUM > strlen(buf)+3; i++)
-                {
-                BIO_snprintf(&buf[strlen(buf)], 3, "%02x", contents[i]);
-                }
-
-        return (buf);
-        }
-
-
 /*      Given KRB5 enctype (basically DES or 3DES),
 **      return closest match openssl EVP_ encryption algorithm.
 **      Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes.
@@ -1568,7 +1551,7 @@ kssl_ctx_free(KSSL_CTX *kssl_ctx)
         {
         if (kssl_ctx == NULL)  return kssl_ctx;
 
-        if (kssl_ctx->key)              memset(kssl_ctx->key, 0,
+        if (kssl_ctx->key)              OPENSSL_cleanse(kssl_ctx->key,
                                                               kssl_ctx->length);
         if (kssl_ctx->key)              free(kssl_ctx->key);
         if (kssl_ctx->client_princ)     free(kssl_ctx->client_princ);
@@ -1672,7 +1655,7 @@ kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session)
 
         if (kssl_ctx->key)
                 {
-                memset(kssl_ctx->key, 0, kssl_ctx->length);
+                OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length);
                 free(kssl_ctx->key);
                 }
 
@@ -1979,7 +1962,7 @@ krb5_error_code  kssl_check_authent(
         const EVP_CIPHER        *enc = NULL;
         unsigned char           iv[EVP_MAX_IV_LENGTH];
         unsigned char           *p, *unenc_authent;
-        int                     padl, outl, unencbufsize;
+        int                     outl, unencbufsize;
         struct tm               tm_time, *tm_l, *tm_g;
         time_t                  now, tl, tg, tr, tz_offset;
 
@@ -2037,7 +2020,7 @@ krb5_error_code  kssl_check_authent(
             }
 #endif
         enc = kssl_map_enc(enctype);
-        memset(iv, 0, EVP_MAX_IV_LENGTH);       /* per RFC 1510 */
+        memset(iv, 0, sizeof iv);       /* per RFC 1510 */
 
         if (enc == NULL)
                 {
@@ -2047,44 +2030,23 @@ krb5_error_code  kssl_check_authent(
                 */
                 goto err;
                 }
-        if (!EVP_DecryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv))
-                {
-                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                        "EVP_DecryptInit_ex error decrypting authenticator.\n");
-                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-                goto err;
-                }
-        if (!EVP_DecryptUpdate(&ciph_ctx, unenc_authent, &outl,
-                        dec_authent->cipher->data, dec_authent->cipher->length))
-                {
-                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                        "EVP_DecryptUpdate error decrypting authenticator.\n");
-                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-                goto err;
-                }
-        if (outl > unencbufsize)
-                {
-                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                        "Buffer overflow decrypting authenticator.\n");
-                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-                goto err;
-                }
-        if (!EVP_DecryptFinal_ex(&ciph_ctx, &(unenc_authent[outl]), &padl))
-                {
-                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                        "EVP_DecryptFinal_ex error decrypting authenticator.\n");
-                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-                goto err;
-                }
-        outl += padl;
-        if (outl > unencbufsize)
-                {
-                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                        "Buffer overflow decrypting authenticator.\n");
-                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-                goto err;
-                }
-        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+        if (!EVP_CipherInit(&ciph_ctx,enc,kssl_ctx->key,iv,0))
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "EVP_CipherInit error decrypting authenticator.\n");
+                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+                goto err;
+                }
+        outl = dec_authent->cipher->length;
+        if (!EVP_Cipher(&ciph_ctx,unenc_authent,dec_authent->cipher->data,outl))
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "EVP_Cipher error decrypting authenticator.\n");
+                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+                goto err;
+                }
+        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
 #ifdef KSSL_DEBUG
         printf("kssl_check_authent: decrypted authenticator[%d] =\n", outl);
@@ -2133,6 +2095,7 @@ krb5_error_code  kssl_check_authent(
         if (auth)               KRB5_AUTHENT_free((KRB5_AUTHENT *) auth);
         if (dec_authent)        KRB5_ENCDATA_free(dec_authent);
         if (unenc_authent)      free(unenc_authent);
+        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
         return krb5rc;
         }
 
diff --git a/src/lib/libssl/src/ssl/s23_clnt.c b/src/lib/libssl/src/ssl/s23_clnt.c
index 019e9aecee..64ee4269ec 100644
--- a/src/lib/libssl/src/ssl/s23_clnt.c
+++ b/src/lib/libssl/src/ssl/s23_clnt.c
@@ -87,18 +87,25 @@ SSL_METHOD *SSLv23_client_method(void)
 
         if (init)
                 {
-                memcpy((char *)&SSLv23_client_data,
-                        (char *)sslv23_base_method(),sizeof(SSL_METHOD));
-                SSLv23_client_data.ssl_connect=ssl23_connect;
-                SSLv23_client_data.get_ssl_method=ssl23_get_client_method;
-                init=0;
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+                if (init)
+                        {
+                        memcpy((char *)&SSLv23_client_data,
+                                (char *)sslv23_base_method(),sizeof(SSL_METHOD));
+                        SSLv23_client_data.ssl_connect=ssl23_connect;
+                        SSLv23_client_data.get_ssl_method=ssl23_get_client_method;
+                        init=0;
+                        }
+
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                 }
         return(&SSLv23_client_data);
         }
 
 int ssl23_connect(SSL *s)
         {
-        BUF_MEM *buf;
+        BUF_MEM *buf=NULL;
         unsigned long Time=time(NULL);
         void (*cb)(const SSL *ssl,int type,int val)=NULL;
         int ret= -1;
@@ -152,6 +159,7 @@ int ssl23_connect(SSL *s)
                                         goto end;
                                         }
                                 s->init_buf=buf;
+                                buf=NULL;
                                 }
 
                         if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
@@ -200,6 +208,8 @@ int ssl23_connect(SSL *s)
                 }
 end:
         s->in_handshake--;
+        if (buf != NULL)
+                BUF_MEM_free(buf);
         if (cb != NULL)
                 cb(s,SSL_CB_CONNECT_EXIT,ret);
         return(ret);
@@ -363,7 +373,7 @@ static int ssl23_get_server_hello(SSL *s)
 
                 if (s->s3 != NULL) ssl3_free(s);
 
-                if (!BUF_MEM_grow(s->init_buf,
+                if (!BUF_MEM_grow_clean(s->init_buf,
                         SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
                         {
                         SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,ERR_R_BUF_LIB);
diff --git a/src/lib/libssl/src/ssl/s23_meth.c b/src/lib/libssl/src/ssl/s23_meth.c
index 40684311db..f207140835 100644
--- a/src/lib/libssl/src/ssl/s23_meth.c
+++ b/src/lib/libssl/src/ssl/s23_meth.c
@@ -80,12 +80,19 @@ SSL_METHOD *SSLv23_method(void)
 
         if (init)
                 {
-                memcpy((char *)&SSLv23_data,(char *)sslv23_base_method(),
-                        sizeof(SSL_METHOD));
-                SSLv23_data.ssl_connect=ssl23_connect;
-                SSLv23_data.ssl_accept=ssl23_accept;
-                SSLv23_data.get_ssl_method=ssl23_get_method;
-                init=0;
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+                
+                if (init)
+                        {
+                        memcpy((char *)&SSLv23_data,(char *)sslv23_base_method(),
+                                sizeof(SSL_METHOD));
+                        SSLv23_data.ssl_connect=ssl23_connect;
+                        SSLv23_data.ssl_accept=ssl23_accept;
+                        SSLv23_data.get_ssl_method=ssl23_get_method;
+                        init=0;
+                        }
+                
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                 }
         return(&SSLv23_data);
         }
diff --git a/src/lib/libssl/src/ssl/s23_srvr.c b/src/lib/libssl/src/ssl/s23_srvr.c
index 8743b61cbb..c5404ca0bc 100644
--- a/src/lib/libssl/src/ssl/s23_srvr.c
+++ b/src/lib/libssl/src/ssl/s23_srvr.c
@@ -139,11 +139,18 @@ SSL_METHOD *SSLv23_server_method(void)
 
         if (init)
                 {
-                memcpy((char *)&SSLv23_server_data,
-                        (char *)sslv23_base_method(),sizeof(SSL_METHOD));
-                SSLv23_server_data.ssl_accept=ssl23_accept;
-                SSLv23_server_data.get_ssl_method=ssl23_get_server_method;
-                init=0;
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+                if (init)
+                        {
+                        memcpy((char *)&SSLv23_server_data,
+                                (char *)sslv23_base_method(),sizeof(SSL_METHOD));
+                        SSLv23_server_data.ssl_accept=ssl23_accept;
+                        SSLv23_server_data.get_ssl_method=ssl23_get_server_method;
+                        init=0;
+                        }
+
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                 }
         return(&SSLv23_server_data);
         }
@@ -505,7 +512,7 @@ int ssl23_get_client_hello(SSL *s)
 
                 if (s->s3 != NULL) ssl3_free(s);
 
-                if (!BUF_MEM_grow(s->init_buf,
+                if (!BUF_MEM_grow_clean(s->init_buf,
                         SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
                         {
                         goto err;
diff --git a/src/lib/libssl/src/ssl/s2_clnt.c b/src/lib/libssl/src/ssl/s2_clnt.c
index b4ee0bfc31..43b32eb415 100644
--- a/src/lib/libssl/src/ssl/s2_clnt.c
+++ b/src/lib/libssl/src/ssl/s2_clnt.c
@@ -144,11 +144,18 @@ SSL_METHOD *SSLv2_client_method(void)
 
         if (init)
                 {
-                memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(),
-                        sizeof(SSL_METHOD));
-                SSLv2_client_data.ssl_connect=ssl2_connect;
-                SSLv2_client_data.get_ssl_method=ssl2_get_client_method;
-                init=0;
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+                if (init)
+                        {
+                        memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(),
+                                sizeof(SSL_METHOD));
+                        SSLv2_client_data.ssl_connect=ssl2_connect;
+                        SSLv2_client_data.get_ssl_method=ssl2_get_client_method;
+                        init=0;
+                        }
+
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                 }
         return(&SSLv2_client_data);
         }
@@ -200,10 +207,13 @@ int ssl2_connect(SSL *s)
                         if (!BUF_MEM_grow(buf,
                                 SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
                                 {
+                                if (buf == s->init_buf)
+                                        buf=NULL;
                                 ret= -1;
                                 goto end;
                                 }
                         s->init_buf=buf;
+                        buf=NULL;
                         s->init_num=0;
                         s->state=SSL2_ST_SEND_CLIENT_HELLO_A;
                         s->ctx->stats.sess_connect++;
@@ -330,6 +340,8 @@ int ssl2_connect(SSL *s)
                 }
 end:
         s->in_handshake--;
+        if (buf != NULL)
+                BUF_MEM_free(buf);
         if (cb != NULL) 
                 cb(s,SSL_CB_CONNECT_EXIT,ret);
         return(ret);
@@ -762,8 +774,8 @@ static int client_certificate(SSL *s)
         if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_A)
                 {
                 i=ssl2_read(s,(char *)&(buf[s->init_num]),
-                        SSL2_MAX_CERT_CHALLENGE_LENGTH+1-s->init_num);
-                if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+1-s->init_num))
+                        SSL2_MAX_CERT_CHALLENGE_LENGTH+2-s->init_num);
+                if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+2-s->init_num))
                         return(ssl2_part_read(s,SSL_F_CLIENT_CERTIFICATE,i));
                 s->init_num += i;
                 if (s->msg_callback)
@@ -863,7 +875,7 @@ static int client_certificate(SSL *s)
                 EVP_MD_CTX_init(&ctx);
                 EVP_SignInit_ex(&ctx,s->ctx->rsa_md5, NULL);
                 EVP_SignUpdate(&ctx,s->s2->key_material,
-                        (unsigned int)s->s2->key_material_length);
+                               s->s2->key_material_length);
                 EVP_SignUpdate(&ctx,cert_ch,(unsigned int)cert_ch_len);
                 n=i2d_X509(s->session->sess_cert->peer_key->x509,&p);
                 EVP_SignUpdate(&ctx,buf,(unsigned int)n);
@@ -937,7 +949,7 @@ static int get_server_verify(SSL *s)
                 s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */
         p += 1;
 
-        if (memcmp(p,s->s2->challenge,(unsigned int)s->s2->challenge_length) != 0)
+        if (memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0)
                 {
                 ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
                 SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT);
@@ -1001,14 +1013,14 @@ static int get_server_finished(SSL *s)
                  * or bad things can happen */
                 /* ZZZZZZZZZZZZZ */
                 s->session->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
-                memcpy(s->session->session_id,p,SSL2_SSL_SESSION_ID_LENGTH);
+                memcpy(s->session->session_id,p+1,SSL2_SSL_SESSION_ID_LENGTH);
                 }
         else
                 {
                 if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG))
                         {
                         if ((s->session->session_id_length > sizeof s->session->session_id)
-                            || (0 != memcmp(buf, s->session->session_id,
+                            || (0 != memcmp(buf + 1, s->session->session_id,
                                             (unsigned int)s->session->session_id_length)))
                                 {
                                 ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
diff --git a/src/lib/libssl/src/ssl/s2_enc.c b/src/lib/libssl/src/ssl/s2_enc.c
index 690252e3d3..21a06f76cb 100644
--- a/src/lib/libssl/src/ssl/s2_enc.c
+++ b/src/lib/libssl/src/ssl/s2_enc.c
@@ -95,10 +95,12 @@ int ssl2_enc_init(SSL *s, int client)
 
         num=c->key_len;
         s->s2->key_material_length=num*2;
+        OPENSSL_assert(s->s2->key_material_length <= sizeof s->s2->key_material);
 
         if (ssl2_generate_key_material(s) <= 0)
                 return 0;
 
+        OPENSSL_assert(c->iv_len <= sizeof s->session->key_arg);
         EVP_EncryptInit_ex(ws,c,NULL,&(s->s2->key_material[(client)?num:0]),
                 s->session->key_arg);
         EVP_DecryptInit_ex(rs,c,NULL,&(s->s2->key_material[(client)?0:num]),
diff --git a/src/lib/libssl/src/ssl/s2_lib.c b/src/lib/libssl/src/ssl/s2_lib.c
index df2ea875de..edcef4dda2 100644
--- a/src/lib/libssl/src/ssl/s2_lib.c
+++ b/src/lib/libssl/src/ssl/s2_lib.c
@@ -309,7 +309,7 @@ void ssl2_free(SSL *s)
         s2=s->s2;
         if (s2->rbuf != NULL) OPENSSL_free(s2->rbuf);
         if (s2->wbuf != NULL) OPENSSL_free(s2->wbuf);
-        memset(s2,0,sizeof *s2);
+        OPENSSL_cleanse(s2,sizeof *s2);
         OPENSSL_free(s2);
         s->s2=NULL;
         }
@@ -378,15 +378,19 @@ SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p)
                 {
                 CRYPTO_w_lock(CRYPTO_LOCK_SSL);
 
-                for (i=0; i<SSL2_NUM_CIPHERS; i++)
-                        sorted[i]= &(ssl2_ciphers[i]);
+                if (init)
+                        {
+                        for (i=0; i<SSL2_NUM_CIPHERS; i++)
+                                sorted[i]= &(ssl2_ciphers[i]);
 
-                qsort(  (char *)sorted,
-                        SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *),
-                        FP_ICC ssl_cipher_ptr_id_cmp);
+                        qsort((char *)sorted,
+                                SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *),
+                                FP_ICC ssl_cipher_ptr_id_cmp);
 
+                        init=0;
+                        }
+                        
                 CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
-                init=0;
                 }
 
         id=0x02000000L|((unsigned long)p[0]<<16L)|
@@ -451,6 +455,9 @@ int ssl2_generate_key_material(SSL *s)
 
                 EVP_DigestInit_ex(&ctx, md5, NULL);
 
+                OPENSSL_assert(s->session->master_key_length >= 0
+                    && s->session->master_key_length
+                    < sizeof s->session->master_key);
                 EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
                 EVP_DigestUpdate(&ctx,&c,1);
                 c++;
@@ -489,9 +496,7 @@ void ssl2_write_error(SSL *s)
 
         error=s->error; /* number of bytes left to write */
         s->error=0;
-        if (error < 0 || error > sizeof buf) /* can't happen */
-                return;
-  
+        OPENSSL_assert(error >= 0 && error <= sizeof buf);
         i=ssl2_write(s,&(buf[3-error]),error);
 
 /*      if (i == error) s->rwstate=state; */
diff --git a/src/lib/libssl/src/ssl/s2_meth.c b/src/lib/libssl/src/ssl/s2_meth.c
index d30b7179f7..8b6cbd086e 100644
--- a/src/lib/libssl/src/ssl/s2_meth.c
+++ b/src/lib/libssl/src/ssl/s2_meth.c
@@ -77,12 +77,19 @@ SSL_METHOD *SSLv2_method(void)
 
         if (init)
                 {
-                memcpy((char *)&SSLv2_data,(char *)sslv2_base_method(),
-                        sizeof(SSL_METHOD));
-                SSLv2_data.ssl_connect=ssl2_connect;
-                SSLv2_data.ssl_accept=ssl2_accept;
-                SSLv2_data.get_ssl_method=ssl2_get_method;
-                init=0;
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+                
+                if (init)
+                        {
+                        memcpy((char *)&SSLv2_data,(char *)sslv2_base_method(),
+                                sizeof(SSL_METHOD));
+                        SSLv2_data.ssl_connect=ssl2_connect;
+                        SSLv2_data.ssl_accept=ssl2_accept;
+                        SSLv2_data.get_ssl_method=ssl2_get_method;
+                        init=0;
+                        }
+                
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                 }
         return(&SSLv2_data);
         }
diff --git a/src/lib/libssl/src/ssl/s2_pkt.c b/src/lib/libssl/src/ssl/s2_pkt.c
index cf0aee2bd6..a10929a757 100644
--- a/src/lib/libssl/src/ssl/s2_pkt.c
+++ b/src/lib/libssl/src/ssl/s2_pkt.c
@@ -247,6 +247,7 @@ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek)
                 else
                         {
                         mac_size=EVP_MD_size(s->read_hash);
+                        OPENSSL_assert(mac_size <= MAX_MAC_SIZE);
                         s->s2->mac_data=p;
                         s->s2->ract_data= &p[mac_size];
                         if (s->s2->padding + mac_size > s->s2->rlength)
diff --git a/src/lib/libssl/src/ssl/s2_srvr.c b/src/lib/libssl/src/ssl/s2_srvr.c
index f79c9a1651..5da2a54af3 100644
--- a/src/lib/libssl/src/ssl/s2_srvr.c
+++ b/src/lib/libssl/src/ssl/s2_srvr.c
@@ -144,11 +144,18 @@ SSL_METHOD *SSLv2_server_method(void)
 
         if (init)
                 {
-                memcpy((char *)&SSLv2_server_data,(char *)sslv2_base_method(),
-                        sizeof(SSL_METHOD));
-                SSLv2_server_data.ssl_accept=ssl2_accept;
-                SSLv2_server_data.get_ssl_method=ssl2_get_server_method;
-                init=0;
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+                if (init)
+                        {
+                        memcpy((char *)&SSLv2_server_data,(char *)sslv2_base_method(),
+                                sizeof(SSL_METHOD));
+                        SSLv2_server_data.ssl_accept=ssl2_accept;
+                        SSLv2_server_data.get_ssl_method=ssl2_get_server_method;
+                        init=0;
+                        }
+
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                 }
         return(&SSLv2_server_data);
         }
@@ -868,7 +875,7 @@ static int get_client_finished(SSL *s)
         if (s->msg_callback)
                 s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-FINISHED */
         p += 1;
-        if (memcmp(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length) != 0)
+        if (memcmp(p,s->s2->conn_id,s->s2->conn_id_length) != 0)
                 {
                 ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
                 SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_CONNECTION_ID_IS_DIFFERENT);
@@ -1068,7 +1075,7 @@ static int request_certificate(SSL *s)
                 EVP_MD_CTX_init(&ctx);
                 EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL);
                 EVP_VerifyUpdate(&ctx,s->s2->key_material,
-                        (unsigned int)s->s2->key_material_length);
+                                 s->s2->key_material_length);
                 EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
 
                 i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
diff --git a/src/lib/libssl/src/ssl/s3_both.c b/src/lib/libssl/src/ssl/s3_both.c
index 8864366f59..64d317b7ac 100644
--- a/src/lib/libssl/src/ssl/s3_both.c
+++ b/src/lib/libssl/src/ssl/s3_both.c
@@ -268,16 +268,23 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
         X509_STORE_CTX xs_ctx;
         X509_OBJECT obj;
 
+        int no_chain;
+
+        if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs)
+                no_chain = 1;
+        else
+                no_chain = 0;
+
         /* TLSv1 sends a chain with nothing in it, instead of an alert */
         buf=s->init_buf;
-        if (!BUF_MEM_grow(buf,(int)(10)))
+        if (!BUF_MEM_grow_clean(buf,10))
                 {
                 SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
                 return(0);
                 }
         if (x != NULL)
                 {
-                if(!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL))
+                if(!no_chain && !X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL))
                         {
                         SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
                         return(0);
@@ -286,7 +293,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
                 for (;;)
                         {
                         n=i2d_X509(x,NULL);
-                        if (!BUF_MEM_grow(buf,(int)(n+l+3)))
+                        if (!BUF_MEM_grow_clean(buf,(int)(n+l+3)))
                                 {
                                 SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
                                 return(0);
@@ -295,6 +302,10 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
                         l2n3(n,p);
                         i2d_X509(x,&p);
                         l+=n+3;
+
+                        if (no_chain)
+                                break;
+
                         if (X509_NAME_cmp(X509_get_subject_name(x),
                                 X509_get_issuer_name(x)) == 0) break;
 
@@ -306,8 +317,8 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
                          * ref count */
                         X509_free(x);
                         }
-
-                X509_STORE_CTX_cleanup(&xs_ctx);
+                if (!no_chain)
+                        X509_STORE_CTX_cleanup(&xs_ctx);
                 }
 
         /* Thawte special :-) */
@@ -316,7 +327,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
                 {
                 x=sk_X509_value(s->ctx->extra_certs,i);
                 n=i2d_X509(x,NULL);
-                if (!BUF_MEM_grow(buf,(int)(n+l+3)))
+                if (!BUF_MEM_grow_clean(buf,(int)(n+l+3)))
                         {
                         SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
                         return(0);
@@ -439,7 +450,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
                         SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
                         goto f_err;
                         }
-                if (l && !BUF_MEM_grow(s->init_buf,(int)l+4))
+                if (l && !BUF_MEM_grow_clean(s->init_buf,(int)l+4))
                         {
                         SSLerr(SSL_F_SSL3_GET_MESSAGE,ERR_R_BUF_LIB);
                         goto err;
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 7da9363ef5..d32bb1cb9c 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -145,18 +145,25 @@ SSL_METHOD *SSLv3_client_method(void)
 
         if (init)
                 {
-                init=0;
-                memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(),
-                        sizeof(SSL_METHOD));
-                SSLv3_client_data.ssl_connect=ssl3_connect;
-                SSLv3_client_data.get_ssl_method=ssl3_get_client_method;
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+                if (init)
+                        {
+                        memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(),
+                                sizeof(SSL_METHOD));
+                        SSLv3_client_data.ssl_connect=ssl3_connect;
+                        SSLv3_client_data.get_ssl_method=ssl3_get_client_method;
+                        init=0;
+                        }
+
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                 }
         return(&SSLv3_client_data);
         }
 
 int ssl3_connect(SSL *s)
         {
-        BUF_MEM *buf;
+        BUF_MEM *buf=NULL;
         unsigned long Time=time(NULL),l;
         long num1;
         void (*cb)(const SSL *ssl,int type,int val)=NULL;
@@ -217,6 +224,7 @@ int ssl3_connect(SSL *s)
                                         goto end;
                                         }
                                 s->init_buf=buf;
+                                buf=NULL;
                                 }
 
                         if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
@@ -495,6 +503,8 @@ int ssl3_connect(SSL *s)
                 }
 end:
         s->in_handshake--;
+        if (buf != NULL)
+                BUF_MEM_free(buf);
         if (cb != NULL)
                 cb(s,SSL_CB_CONNECT_EXIT,ret);
         return(ret);
@@ -637,6 +647,7 @@ static int ssl3_get_server_hello(SSL *s)
                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
                 goto f_err;
                 }
+
         if (j != 0 && j == s->session->session_id_length
             && memcmp(p,s->session->session_id,j) == 0)
             {
@@ -687,7 +698,12 @@ static int ssl3_get_server_hello(SSL *s)
                 goto f_err;
                 }
 
-        if (s->hit && (s->session->cipher != c))
+        /* Depending on the session caching (internal/external), the cipher
+           and/or cipher_id values may not be set. Make sure that
+           cipher_id is set and use it for comparison. */
+        if (s->session->cipher)
+                s->session->cipher_id = s->session->cipher->id;
+        if (s->hit && (s->session->cipher_id != c->id))
                 {
                 if (!(s->options &
                         SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
@@ -1445,16 +1461,16 @@ static int ssl3_send_client_key_exchange(SSL *s)
                                 
                         tmp_buf[0]=s->client_version>>8;
                         tmp_buf[1]=s->client_version&0xff;
-                        if (RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2) <= 0)
+                        if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
                                         goto err;
 
-                        s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
+                        s->session->master_key_length=sizeof tmp_buf;
 
                         q=p;
                         /* Fix buf for TLS and beyond */
                         if (s->version > SSL3_VERSION)
                                 p+=2;
-                        n=RSA_public_encrypt(SSL_MAX_MASTER_KEY_LENGTH,
+                        n=RSA_public_encrypt(sizeof tmp_buf,
                                 tmp_buf,p,rsa,RSA_PKCS1_PADDING);
 #ifdef PKCS1_CHECK
                         if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
@@ -1476,8 +1492,8 @@ static int ssl3_send_client_key_exchange(SSL *s)
                         s->session->master_key_length=
                                 s->method->ssl3_enc->generate_master_secret(s,
                                         s->session->master_key,
-                                        tmp_buf,SSL_MAX_MASTER_KEY_LENGTH);
-                        memset(tmp_buf,0,SSL_MAX_MASTER_KEY_LENGTH);
+                                        tmp_buf,sizeof tmp_buf);
+                        OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
                         }
 #endif
 #ifndef OPENSSL_NO_KRB5
@@ -1573,7 +1589,7 @@ static int ssl3_send_client_key_exchange(SSL *s)
                                 n+=2;
                                 }
  
-                        if (RAND_bytes(tmp_buf,SSL_MAX_MASTER_KEY_LENGTH) <= 0)
+                        if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0)
                             goto err;
 
                         /*  20010420 VRS.  Tried it this way; failed.
@@ -1583,11 +1599,11 @@ static int ssl3_send_client_key_exchange(SSL *s)
                         **      EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
                         */
 
-                        memset(iv, 0, EVP_MAX_IV_LENGTH);  /* per RFC 1510 */
+                        memset(iv, 0, sizeof iv);  /* per RFC 1510 */
                         EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
                                 kssl_ctx->key,iv);
                         EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
-                                SSL_MAX_MASTER_KEY_LENGTH);
+                                sizeof tmp_buf);
                         EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
                         outl += padl;
                         if (outl > sizeof epms)
@@ -1606,10 +1622,10 @@ static int ssl3_send_client_key_exchange(SSL *s)
                         s->session->master_key_length=
                                 s->method->ssl3_enc->generate_master_secret(s,
                                         s->session->master_key,
-                                        tmp_buf, SSL_MAX_MASTER_KEY_LENGTH);
+                                        tmp_buf, sizeof tmp_buf);
 
-                        memset(tmp_buf, 0, SSL_MAX_MASTER_KEY_LENGTH);
-                        memset(epms, 0, outl);
+                        OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
+                        OPENSSL_cleanse(epms, outl);
                         }
 #endif
 #ifndef OPENSSL_NO_DH
diff --git a/src/lib/libssl/src/ssl/s3_enc.c b/src/lib/libssl/src/ssl/s3_enc.c
index 888a9a2868..559924d368 100644
--- a/src/lib/libssl/src/ssl/s3_enc.c
+++ b/src/lib/libssl/src/ssl/s3_enc.c
@@ -182,7 +182,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
 
                 km+=MD5_DIGEST_LENGTH;
                 }
-        memset(smd,0,SHA_DIGEST_LENGTH);
+        OPENSSL_cleanse(smd,SHA_DIGEST_LENGTH);
         EVP_MD_CTX_cleanup(&m5);
         EVP_MD_CTX_cleanup(&s1);
         return 1;
@@ -192,7 +192,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
         {
         unsigned char *p,*key_block,*mac_secret;
         unsigned char exp_key[EVP_MAX_KEY_LENGTH];
-        unsigned char exp_iv[EVP_MAX_KEY_LENGTH];
+        unsigned char exp_iv[EVP_MAX_IV_LENGTH];
         unsigned char *ms,*key,*iv,*er1,*er2;
         EVP_CIPHER_CTX *dd;
         const EVP_CIPHER *c;
@@ -333,8 +333,8 @@ int ssl3_change_cipher_state(SSL *s, int which)
 
         EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
 
-        memset(&(exp_key[0]),0,sizeof(exp_key));
-        memset(&(exp_iv[0]),0,sizeof(exp_iv));
+        OPENSSL_cleanse(&(exp_key[0]),sizeof(exp_key));
+        OPENSSL_cleanse(&(exp_iv[0]),sizeof(exp_iv));
         EVP_MD_CTX_cleanup(&md);
         return(1);
 err:
@@ -408,7 +408,7 @@ void ssl3_cleanup_key_block(SSL *s)
         {
         if (s->s3->tmp.key_block != NULL)
                 {
-                memset(s->s3->tmp.key_block,0,
+                OPENSSL_cleanse(s->s3->tmp.key_block,
                         s->s3->tmp.key_block_length);
                 OPENSSL_free(s->s3->tmp.key_block);
                 s->s3->tmp.key_block=NULL;
@@ -474,6 +474,7 @@ int ssl3_enc(SSL *s, int send)
                                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
                                 return 0;
                                 }
+                        /* otherwise, rec->length >= bs */
                         }
                 
                 EVP_Cipher(ds,rec->data,rec->input,l);
@@ -482,7 +483,7 @@ int ssl3_enc(SSL *s, int send)
                         {
                         i=rec->data[l-1]+1;
                         /* SSL 3.0 bounds the number of padding bytes by the block size;
-                         * padding bytes (except that last) are arbitrary */
+                         * padding bytes (except the last one) are arbitrary */
                         if (i > bs)
                                 {
                                 /* Incorrect padding. SSLerr() and ssl3_alert are done
@@ -491,6 +492,7 @@ int ssl3_enc(SSL *s, int send)
                                  * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
                                 return -1;
                                 }
+                        /* now i <= bs <= rec->length */
                         rec->length-=i;
                         }
                 }
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index cc0aeef511..d04096016c 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -514,6 +514,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_ALL_STRENGTHS,
         },
 
+#if 0
 /* Cipher 1E */
         {
         0,
@@ -527,55 +528,70 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_ALL_CIPHERS,
         SSL_ALL_STRENGTHS,
         },
+#endif
 
 #ifndef OPENSSL_NO_KRB5
 /* The Kerberos ciphers
 ** 20000107 VRS: And the first shall be last,
 ** in hopes of avoiding the lynx ssl renegotiation problem.
 */
-/* Cipher 21 VRS */
+/* Cipher 1E VRS */
         {
         1,
-        SSL3_TXT_KRB5_DES_40_CBC_SHA,
-        SSL3_CK_KRB5_DES_40_CBC_SHA,
+        SSL3_TXT_KRB5_DES_64_CBC_SHA,
+        SSL3_CK_KRB5_DES_64_CBC_SHA,
         SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
+        SSL_NOT_EXP|SSL_LOW,
         0,
-        40,
+        56,
         56,
         SSL_ALL_CIPHERS,
         SSL_ALL_STRENGTHS,
         },
 
-/* Cipher 22 VRS */
+/* Cipher 1F VRS */
         {
         1,
-        SSL3_TXT_KRB5_DES_40_CBC_MD5,
-        SSL3_CK_KRB5_DES_40_CBC_MD5,
-        SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_MD5    |SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
+        SSL3_TXT_KRB5_DES_192_CBC3_SHA,
+        SSL3_CK_KRB5_DES_192_CBC3_SHA,
+        SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_SHA1  |SSL_SSLV3,
+        SSL_NOT_EXP|SSL_HIGH,
         0,
-        40,
-        56,
+        112,
+        168,
         SSL_ALL_CIPHERS,
         SSL_ALL_STRENGTHS,
         },
 
-/* Cipher 23 VRS */
+/* Cipher 20 VRS */
         {
         1,
-        SSL3_TXT_KRB5_DES_64_CBC_SHA,
-        SSL3_CK_KRB5_DES_64_CBC_SHA,
-        SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW,
+        SSL3_TXT_KRB5_RC4_128_SHA,
+        SSL3_CK_KRB5_RC4_128_SHA,
+        SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_SHA1  |SSL_SSLV3,
+        SSL_NOT_EXP|SSL_MEDIUM,
         0,
-        56,
-        56,
+        128,
+        128,
         SSL_ALL_CIPHERS,
         SSL_ALL_STRENGTHS,
         },
 
-/* Cipher 24 VRS */
+/* Cipher 21 VRS */
+        {
+        1,
+        SSL3_TXT_KRB5_IDEA_128_CBC_SHA,
+        SSL3_CK_KRB5_IDEA_128_CBC_SHA,
+        SSL_kKRB5|SSL_aKRB5|  SSL_IDEA|SSL_SHA1  |SSL_SSLV3,
+        SSL_NOT_EXP|SSL_MEDIUM,
+        0,
+        128,
+        128,
+        SSL_ALL_CIPHERS,
+        SSL_ALL_STRENGTHS,
+        },
+
+/* Cipher 22 VRS */
         {
         1,
         SSL3_TXT_KRB5_DES_64_CBC_MD5,
@@ -589,12 +605,12 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_ALL_STRENGTHS,
         },
 
-/* Cipher 25 VRS */
+/* Cipher 23 VRS */
         {
         1,
-        SSL3_TXT_KRB5_DES_192_CBC3_SHA,
-        SSL3_CK_KRB5_DES_192_CBC3_SHA,
-        SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_SHA1  |SSL_SSLV3,
+        SSL3_TXT_KRB5_DES_192_CBC3_MD5,
+        SSL3_CK_KRB5_DES_192_CBC3_MD5,
+        SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_MD5   |SSL_SSLV3,
         SSL_NOT_EXP|SSL_HIGH,
         0,
         112,
@@ -603,16 +619,114 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
         SSL_ALL_STRENGTHS,
         },
 
+/* Cipher 24 VRS */
+        {
+        1,
+        SSL3_TXT_KRB5_RC4_128_MD5,
+        SSL3_CK_KRB5_RC4_128_MD5,
+        SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_MD5  |SSL_SSLV3,
+        SSL_NOT_EXP|SSL_MEDIUM,
+        0,
+        128,
+        128,
+        SSL_ALL_CIPHERS,
+        SSL_ALL_STRENGTHS,
+        },
+
+/* Cipher 25 VRS */
+        {
+        1,
+        SSL3_TXT_KRB5_IDEA_128_CBC_MD5,
+        SSL3_CK_KRB5_IDEA_128_CBC_MD5,
+        SSL_kKRB5|SSL_aKRB5|  SSL_IDEA|SSL_MD5  |SSL_SSLV3,
+        SSL_NOT_EXP|SSL_MEDIUM,
+        0,
+        128,
+        128,
+        SSL_ALL_CIPHERS,
+        SSL_ALL_STRENGTHS,
+        },
+
 /* Cipher 26 VRS */
         {
         1,
-        SSL3_TXT_KRB5_DES_192_CBC3_MD5,
-        SSL3_CK_KRB5_DES_192_CBC3_MD5,
-        SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_MD5   |SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL3_TXT_KRB5_DES_40_CBC_SHA,
+        SSL3_CK_KRB5_DES_40_CBC_SHA,
+        SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
+        SSL_EXPORT|SSL_EXP40,
         0,
-        112,
-        168,
+        40,
+        56,
+        SSL_ALL_CIPHERS,
+        SSL_ALL_STRENGTHS,
+        },
+
+/* Cipher 27 VRS */
+        {
+        1,
+        SSL3_TXT_KRB5_RC2_40_CBC_SHA,
+        SSL3_CK_KRB5_RC2_40_CBC_SHA,
+        SSL_kKRB5|SSL_aKRB5|  SSL_RC2|SSL_SHA1   |SSL_SSLV3,
+        SSL_EXPORT|SSL_EXP40,
+        0,
+        40,
+        128,
+        SSL_ALL_CIPHERS,
+        SSL_ALL_STRENGTHS,
+        },
+
+/* Cipher 28 VRS */
+        {
+        1,
+        SSL3_TXT_KRB5_RC4_40_SHA,
+        SSL3_CK_KRB5_RC4_40_SHA,
+        SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_SHA1   |SSL_SSLV3,
+        SSL_EXPORT|SSL_EXP40,
+        0,
+        128,
+        128,
+        SSL_ALL_CIPHERS,
+        SSL_ALL_STRENGTHS,
+        },
+
+/* Cipher 29 VRS */
+        {
+        1,
+        SSL3_TXT_KRB5_DES_40_CBC_MD5,
+        SSL3_CK_KRB5_DES_40_CBC_MD5,
+        SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_MD5    |SSL_SSLV3,
+        SSL_EXPORT|SSL_EXP40,
+        0,
+        40,
+        56,
+        SSL_ALL_CIPHERS,
+        SSL_ALL_STRENGTHS,
+        },
+
+/* Cipher 2A VRS */
+        {
+        1,
+        SSL3_TXT_KRB5_RC2_40_CBC_MD5,
+        SSL3_CK_KRB5_RC2_40_CBC_MD5,
+        SSL_kKRB5|SSL_aKRB5|  SSL_RC2|SSL_MD5    |SSL_SSLV3,
+        SSL_EXPORT|SSL_EXP40,
+        0,
+        40,
+        128,
+        SSL_ALL_CIPHERS,
+        SSL_ALL_STRENGTHS,
+        },
+
+/* Cipher 2B VRS */
+        {
+        1,
+        SSL3_TXT_KRB5_RC4_40_MD5,
+        SSL3_CK_KRB5_RC4_40_MD5,
+        SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_MD5    |SSL_SSLV3,
+        SSL_EXPORT|SSL_EXP40,
+        0,
+        128,
+        128,
         SSL_ALL_CIPHERS,
         SSL_ALL_STRENGTHS,
         },
@@ -988,7 +1102,7 @@ void ssl3_free(SSL *s)
                 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
         EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
         EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
-        memset(s->s3,0,sizeof *s->s3);
+        OPENSSL_cleanse(s->s3,sizeof *s->s3);
         OPENSSL_free(s->s3);
         s->s3=NULL;
         }
@@ -1343,16 +1457,19 @@ SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
                 {
                 CRYPTO_w_lock(CRYPTO_LOCK_SSL);
 
-                for (i=0; i<SSL3_NUM_CIPHERS; i++)
-                        sorted[i]= &(ssl3_ciphers[i]);
+                if (init)
+                        {
+                        for (i=0; i<SSL3_NUM_CIPHERS; i++)
+                                sorted[i]= &(ssl3_ciphers[i]);
 
-                qsort(  (char *)sorted,
-                        SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
-                        FP_ICC ssl_cipher_ptr_id_cmp);
+                        qsort(sorted,
+                                SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
+                                FP_ICC ssl_cipher_ptr_id_cmp);
 
+                        init=0;
+                        }
+                
                 CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
-
-                init=0;
                 }
 
         id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1];
diff --git a/src/lib/libssl/src/ssl/s3_meth.c b/src/lib/libssl/src/ssl/s3_meth.c
index 81bcad89c5..1fd7a96f87 100644
--- a/src/lib/libssl/src/ssl/s3_meth.c
+++ b/src/lib/libssl/src/ssl/s3_meth.c
@@ -76,12 +76,19 @@ SSL_METHOD *SSLv3_method(void)
 
         if (init)
                 {
-                memcpy((char *)&SSLv3_data,(char *)sslv3_base_method(),
-                        sizeof(SSL_METHOD));
-                SSLv3_data.ssl_connect=ssl3_connect;
-                SSLv3_data.ssl_accept=ssl3_accept;
-                SSLv3_data.get_ssl_method=ssl3_get_method;
-                init=0;
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+                
+                if (init)
+                        {
+                        memcpy((char *)&SSLv3_data,(char *)sslv3_base_method(),
+                                sizeof(SSL_METHOD));
+                        SSLv3_data.ssl_connect=ssl3_connect;
+                        SSLv3_data.ssl_accept=ssl3_accept;
+                        SSLv3_data.get_ssl_method=ssl3_get_method;
+                        init=0;
+                        }
+
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                 }
         return(&SSLv3_data);
         }
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index a2c17f2950..cd7b88eeb5 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -153,11 +153,18 @@ SSL_METHOD *SSLv3_server_method(void)
 
         if (init)
                 {
-                memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
-                        sizeof(SSL_METHOD));
-                SSLv3_server_data.ssl_accept=ssl3_accept;
-                SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
-                init=0;
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+                if (init)
+                        {
+                        memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
+                                sizeof(SSL_METHOD));
+                        SSLv3_server_data.ssl_accept=ssl3_accept;
+                        SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
+                        init=0;
+                        }
+                        
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                 }
         return(&SSLv3_server_data);
         }
@@ -1172,7 +1179,7 @@ static int ssl3_send_server_key_exchange(SSL *s)
                         kn=0;
                         }
 
-                if (!BUF_MEM_grow(buf,n+4+kn))
+                if (!BUF_MEM_grow_clean(buf,n+4+kn))
                         {
                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
                         goto err;
@@ -1299,7 +1306,7 @@ static int ssl3_send_certificate_request(SSL *s)
                                 {
                                 name=sk_X509_NAME_value(sk,i);
                                 j=i2d_X509_NAME(name,NULL);
-                                if (!BUF_MEM_grow(buf,4+n+j+2))
+                                if (!BUF_MEM_grow_clean(buf,4+n+j+2))
                                         {
                                         SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
                                         goto err;
@@ -1466,7 +1473,6 @@ static int ssl3_get_client_key_exchange(SSL *s)
                                  * made up by the adversary is properly formatted except
                                  * that the version number is wrong.  To avoid such attacks,
                                  * we should treat this just like any other decryption error. */
-                                p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-20";
                                 }
                         }
 
@@ -1486,7 +1492,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
                         s->method->ssl3_enc->generate_master_secret(s,
                                 s->session->master_key,
                                 p,i);
-                memset(p,0,i);
+                OPENSSL_cleanse(p,i);
                 }
         else
 #endif
@@ -1549,7 +1555,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
                 s->session->master_key_length=
                         s->method->ssl3_enc->generate_master_secret(s,
                                 s->session->master_key,p,i);
-                memset(p,0,i);
+                OPENSSL_cleanse(p,i);
                 }
         else
 #endif
@@ -1652,7 +1658,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
                 if (enc == NULL)
                     goto err;
 
-                memset(iv, 0, EVP_MAX_IV_LENGTH);       /* per RFC 1510 */
+                memset(iv, 0, sizeof iv);       /* per RFC 1510 */
 
                 if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv))
                         {
@@ -1740,7 +1746,7 @@ static int ssl3_get_cert_verify(SSL *s)
                 SSL3_ST_SR_CERT_VRFY_A,
                 SSL3_ST_SR_CERT_VRFY_B,
                 -1,
-                512, /* 512? */
+                514, /* 514? */
                 &ok);
 
         if (!ok) return((int)n);
diff --git a/src/lib/libssl/src/ssl/ssl-lib.com b/src/lib/libssl/src/ssl/ssl-lib.com
index d6829a8d64..163ade9f7a 100644
--- a/src/lib/libssl/src/ssl/ssl-lib.com
+++ b/src/lib/libssl/src/ssl/ssl-lib.com
@@ -21,22 +21,10 @@ $!
 $!              LIBRARY    To just compile the [.xxx.EXE.SSL]LIBSSL.OLB Library.
 $!              SSL_TASK   To just compile the [.xxx.EXE.SSL]SSL_TASK.EXE
 $!
-$!  Specify RSAREF as P2 to compile with the RSAREF library instead of
-$!  the regular one.  If you specify NORSAREF it will compile with the
-$!  regular RSAREF routines.  (Note: If you are in the United States
-$!  you MUST compile with RSAREF unless you have a license from RSA).
-$!
-$!  Note: The RSAREF libraries are NOT INCLUDED and you have to
-$!        download it from "ftp://ftp.rsa.com/rsaref".  You have to
-$!        get the ".tar-Z" file as the ".zip" file dosen't have the
-$!        directory structure stored.  You have to extract the file
-$!        into the [.RSAREF] directory under the root directory as that
-$!        is where the scripts will look for the files.
-$!
-$!  Specify DEBUG or NODEBUG as P3 to compile with or without debugger
+$!  Specify DEBUG or NODEBUG as P2 to compile with or without debugger
 $!  information.
 $!
-$!  Specify which compiler at P4 to try to compile under.
+$!  Specify which compiler at P3 to try to compile under.
 $!
 $!         VAXC  For VAX C.
 $!         DECC  For DEC C.
@@ -45,14 +33,14 @@ $!
 $!  If you don't speficy a compiler, it will try to determine which
 $!  "C" compiler to use.
 $!
-$!  P5, if defined, sets a TCP/IP library to use, through one of the following
+$!  P4, if defined, sets a TCP/IP library to use, through one of the following
 $!  keywords:
 $!
 $!      UCX             for UCX
 $!      TCPIP           for TCPIP (post UCX)
 $!      SOCKETSHR       for SOCKETSHR+NETLIB
 $!
-$!  P6, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
+$!  P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
 $!
 $!
 $! Define A TCP/IP Library That We Will Need To Link To.
@@ -135,10 +123,6 @@ $! Define The CRYPTO-LIB We Are To Use.
 $!
 $ CRYPTO_LIB := SYS$DISK:[-.'ARCH'.EXE.CRYPTO]LIBCRYPTO.OLB
 $!
-$! Define The RSAREF-LIB We Are To Use.
-$!
-$ RSAREF_LIB := SYS$DISK:[-.'ARCH'.EXE.RSAREF]LIBRSAGLUE.OLB
-$!
 $! Check To See What We Are To Do.
 $!
 $ IF (BUILDALL.EQS."TRUE")
@@ -317,73 +301,31 @@ $!
 $ ON ERROR THEN GOTO SSL_TASK_END
 $ CC5/OBJECT='OBJ_DIR'SSL_TASK.OBJ SYS$DISK:[]SSL_TASK.C
 $!
-$! Link The Program, Check To See If We Need To Link With RSAREF Or Not.
+$! Link The Program.
+$! Check To See If We Are To Link With A Specific TCP/IP Library.
 $!
-$ IF (RSAREF.EQS."TRUE")
+$ IF (TCPIP_LIB.NES."")
 $ THEN
 $!
-$!  Check To See If We Are To Link With A Specific TCP/IP Library.
-$!
-$   IF (TCPIP_LIB.NES."")
-$   THEN
-$!
-$!    Link With The RSAREF Library And A Specific TCP/IP Library.
-$!
-$     LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE -
-          'OBJ_DIR'SSL_TASK.OBJ, -
-          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
-          'TCPIP_LIB','OPT_FILE'/OPTION
+$!  Link With TCP/IP Library.
 $!
-$!  Else...
-$!
-$   ELSE
-$!
-$!    Link With The RSAREF Library And NO TCP/IP Library.
-$!
-$     LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE -
-          'OBJ_DIR'SSL_TASK.OBJ, -
-          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
-          'OPT_FILE'/OPTION
-$!
-$!  End The TCP/IP Library Check.
-$!
-$   ENDIF
+$   LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE -
+        'OBJ_DIR'SSL_TASK.OBJ, -
+        'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
+        'TCPIP_LIB','OPT_FILE'/OPTION
 $!
 $! Else...
 $!
 $ ELSE
 $!
-$!  Don't Link With The RSAREF Routines.
+$!  Don't Link With TCP/IP Library.
 $!
+$   LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE -
+        'OBJ_DIR'SSL_TASK.OBJ,-
+        'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
+        'OPT_FILE'/OPTION
 $!
-$!  Check To See If We Are To Link With A Specific TCP/IP Library.
-$!
-$   IF (TCPIP_LIB.NES."")
-$   THEN
-$!
-$!    Don't Link With The RSAREF Routines And TCP/IP Library.
-$!
-$     LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE -
-          'OBJ_DIR'SSL_TASK.OBJ, -
-          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
-          'TCPIP_LIB','OPT_FILE'/OPTION
-$!
-$!  Else...
-$!
-$   ELSE
-$!
-$!    Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
-$!
-$     LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE -
-          'OBJ_DIR'SSL_TASK.OBJ,-
-          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
-          'OPT_FILE'/OPTION
-$!
-$!  End The TCP/IP Library Check.
-$!
-$   ENDIF
-$!
-$! End The RSAREF Link Check.
+$! End The TCP/IP Library Check.
 $!
 $ ENDIF
 $!
@@ -558,35 +500,6 @@ $! End The LIBCRYPTO.OLB Library Check.
 $!
 $ ENDIF
 $!
-$! Check To See If We Need The RSAREF Library.
-$!
-$ IF (RSAREF.EQS."TRUE")
-$ THEN
-$!
-$!  Look For The Library LIBRSAGLUE.OLB.
-$!
-$   IF (F$SEARCH(RSAREF_LIB).EQS."")
-$   THEN
-$!
-$!    Tell The User We Can't Find The LIBRSAGLUE.OLB Library.
-$!
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "Can't Find The Library ",RSAREF_LIB,"."
-$     WRITE SYS$OUTPUT "We Can't Link Without It."
-$     WRITE SYS$OUTPUT ""
-$!
-$!    Since We Can't Link Without It, Exit.
-$!
-$     EXIT
-$!
-$!   End The LIBRSAGLUE.OLB Library Check.
-$!
-$   ENDIF
-$!
-$! End The RSAREF Library Check.
-$!
-$ ENDIF
-$!
 $! Time To Return.
 $!
 $ RETURN
@@ -650,78 +563,10 @@ $ ENDIF
 $!
 $! Check To See If P2 Is Blank.
 $!
-$ p2 = "NORSAREF"
-$ IF (P2.EQS."NORSAREF")
+$ IF (P2.EQS."NODEBUG")
 $ THEN
 $!
-$!   P2 Is NORSAREF, So Compile With The Regular RSA Libraries.
-$!
-$    RSAREF = "FALSE"
-$!
-$! Else...
-$!
-$ ELSE
-$!
-$!  Check To See If We Are To Use The RSAREF Library.
-$!
-$   IF (P2.EQS."RSAREF")
-$   THEN
-$!
-$!    Check To Make Sure We Have The RSAREF Source Code Directory.
-$!
-$     IF (F$SEARCH("SYS$DISK:[-.RSAREF]SOURCE.DIR").EQS."")
-$     THEN
-$!
-$!      We Don't Have The RSAREF Souce Code Directory, So Tell The
-$!      User This.
-$!
-$       WRITE SYS$OUTPUT ""
-$       WRITE SYS$OUTPUT "It appears that you don't have the RSAREF Souce Code."
-$       WRITE SYS$OUTPUT "You need to go to 'ftp://ftp.rsa.com/rsaref'.  You have to"
-$       WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file dosen't have the"
-$       WRITE SYS$OUTPUT "directory structure stored.  You have to extract the file"
-$       WRITE SYS$OUTPUT "into the [.RSAREF] directory under the root directory"
-$       WRITE SYS$OUTPUT "as that is where the scripts will look for the files."
-$       WRITE SYS$OUTPUT ""
-$!
-$!      Time To Exit.
-$!
-$       EXIT
-$!
-$!    Else, Compile Using The RSAREF Library.
-$!
-$     ELSE
-$       RSAREF = "TRUE"
-$     ENDIF
-$   ELSE 
-$!
-$!    They Entered An Invalid Option..
-$!
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "     RSAREF   :  Compile With The RSAREF Library."
-$     WRITE SYS$OUTPUT "     NORSAREF :  Compile With The Regular RSA Library."
-$     WRITE SYS$OUTPUT ""
-$!
-$!    Time To EXIT.
-$!
-$     EXIT
-$!
-$!  End The Valid Arguement Check.
-$!
-$   ENDIF
-$!
-$! End The P2 Check.
-$!
-$ ENDIF
-$!
-$! Check To See If P3 Is Blank.
-$!
-$ IF (P3.EQS."NODEBUG")
-$ THEN
-$!
-$!   P3 Is NODEBUG, So Compile Without Debugger Information.
+$!   P2 Is NODEBUG, So Compile Without Debugger Information.
 $!
 $    DEBUGGER  = "NODEBUG"
 $    TRACEBACK = "NOTRACEBACK" 
@@ -736,7 +581,7 @@ $ ELSE
 $!
 $!  Check To See If We Are To Compile With Debugger Information.
 $!
-$   IF (P3.EQS."DEBUG")
+$   IF (P2.EQS."DEBUG")
 $   THEN
 $!
 $!    Compile With Debugger Information.
@@ -752,7 +597,7 @@ $!
 $!    Tell The User Entered An Invalid Option..
 $!
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "    DEBUG    :  Compile With The Debugger Information."
 $     WRITE SYS$OUTPUT "    NODEBUG  :  Compile Without The Debugger Information."
@@ -766,7 +611,7 @@ $!  End The Valid Arguement Check.
 $!
 $   ENDIF
 $!
-$! End The P3 Check.
+$! End The P2 Check.
 $!
 $ ENDIF
 $!
@@ -776,9 +621,9 @@ $! Written By:  Richard Levitte
 $!              richard@levitte.org
 $!
 $!
-$! Check To See If We Have A Option For P6.
+$! Check To See If We Have A Option For P5.
 $!
-$ IF (P6.EQS."")
+$ IF (P5.EQS."")
 $ THEN
 $!
 $!  Get The Version Of VMS We Are Using.
@@ -800,13 +645,13 @@ $!  End The VMS Version Check.
 $!
 $   ENDIF
 $!
-$! End The P6 Check.
+$! End The P5 Check.
 $!
 $ ENDIF
 $!
-$! Check To See If P4 Is Blank.
+$! Check To See If P3 Is Blank.
 $!
-$ IF (P4.EQS."")
+$ IF (P3.EQS."")
 $ THEN
 $!
 $!  O.K., The User Didn't Specify A Compiler, Let's Try To
@@ -819,7 +664,7 @@ $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
 $!
-$     P4 = "GNUC"
+$     P3 = "GNUC"
 $!
 $!  End The GNU C Compiler Check.
 $!
@@ -832,7 +677,7 @@ $     THEN
 $!
 $!      Looks Like DECC, Set To Use DECC.
 $!
-$       P4 = "DECC"
+$       P3 = "DECC"
 $!
 $!      Else...
 $!
@@ -840,7 +685,7 @@ $     ELSE
 $!
 $!      Looks Like VAXC, Set To Use VAXC.
 $!
-$       P4 = "VAXC"
+$       P3 = "VAXC"
 $!
 $!    End The VAXC Compiler Check.
 $!
@@ -854,9 +699,9 @@ $!  End The Compiler Check.
 $!
 $ ENDIF
 $!
-$! Check To See If We Have A Option For P5.
+$! Check To See If We Have A Option For P4.
 $!
-$ IF (P5.EQS."")
+$ IF (P4.EQS."")
 $ THEN
 $!
 $!  Find out what socket library we have available
@@ -866,7 +711,7 @@ $   THEN
 $!
 $!    We have SOCKETSHR, and it is my opinion that it's the best to use.
 $!
-$     P5 = "SOCKETSHR"
+$     P4 = "SOCKETSHR"
 $!
 $!    Tell the user
 $!
@@ -886,7 +731,7 @@ $     THEN
 $!
 $!      Last resort: a UCX or UCX-compatible library
 $!
-$       P5 = "UCX"
+$       P4 = "UCX"
 $!
 $!      Tell the user
 $!
@@ -900,7 +745,7 @@ $ ENDIF
 $!
 $! Set Up Initial CC Definitions, Possibly With User Ones
 $!
-$ CCDEFS = "TCPIP_TYPE_''P5'"
+$ CCDEFS = "TCPIP_TYPE_''P4'"
 $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
@@ -910,12 +755,12 @@ $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
 $!
 $!  Check To See If The User Entered A Valid Paramter.
 $!
-$ IF (P4.EQS."VAXC").OR.(P4.EQS."DECC").OR.(P4.EQS."GNUC")
+$ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC")
 $ THEN
 $!
 $!  Check To See If The User Wanted DECC.
 $!
-$   IF (P4.EQS."DECC")
+$   IF (P3.EQS."DECC")
 $   THEN
 $!
 $!    Looks Like DECC, Set To Use DECC.
@@ -945,7 +790,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use VAXC.
 $!
-$   IF (P4.EQS."VAXC")
+$   IF (P3.EQS."VAXC")
 $   THEN
 $!
 $!    Looks Like VAXC, Set To Use VAXC.
@@ -983,7 +828,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use GNU C.
 $!
-$   IF (P4.EQS."GNUC")
+$   IF (P3.EQS."GNUC")
 $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
@@ -1012,31 +857,6 @@ $!  Set up default defines
 $!
 $   CCDEFS = """FLAT_INC=1""," + CCDEFS
 $!
-$!  Check To See If We Are To Compile With RSAREF Routines.
-$!
-$   IF (RSAREF.EQS."TRUE")
-$   THEN
-$!
-$!    Compile With RSAREF.
-$!
-$     CCDEFS = CCDEFS + ",""RSAref=1"""
-$!
-$!    Tell The User This.
-$!
-$     WRITE SYS$OUTPUT "Compiling With RSAREF Routines."
-$!
-$!    Else, We Don't Care.  Compile Without The RSAREF Library.
-$!
-$   ELSE
-$!
-$!    Tell The User We Are Compile Without The RSAREF Routines.
-$!
-$     WRITE SYS$OUTPUT "Compiling Without The RSAREF Routines.
-$!
-$!  End The RSAREF Check.
-$!
-$   ENDIF
-$!
 $!  Finish up the definition of CC.
 $!
 $   IF COMPILER .EQS. "DECC"
@@ -1076,7 +896,7 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    VAXC  :  To Compile With VAX C."
 $   WRITE SYS$OUTPUT "    DECC  :  To Compile With DEC C."
@@ -1090,13 +910,13 @@ $ ENDIF
 $!
 $! Time to check the contents, and to make sure we get the correct library.
 $!
-$ IF P5.EQS."SOCKETSHR" .OR. P5.EQS."MULTINET" .OR. P5.EQS."UCX" -
-     .OR. P5.EQS."TCPIP" .OR. P5.EQS."NONE"
+$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX" -
+     .OR. P4.EQS."TCPIP" .OR. P4.EQS."NONE"
 $ THEN
 $!
 $!  Check to see if SOCKETSHR was chosen
 $!
-$   IF P5.EQS."SOCKETSHR"
+$   IF P4.EQS."SOCKETSHR"
 $   THEN
 $!
 $!    Set the library to use SOCKETSHR
@@ -1109,12 +929,12 @@ $   ENDIF
 $!
 $!  Check to see if MULTINET was chosen
 $!
-$   IF P5.EQS."MULTINET"
+$   IF P4.EQS."MULTINET"
 $   THEN
 $!
 $!    Set the library to use UCX emulation.
 $!
-$     P5 = "UCX"
+$     P4 = "UCX"
 $!
 $!    Done with MULTINET
 $!
@@ -1122,7 +942,7 @@ $   ENDIF
 $!
 $!  Check to see if UCX was chosen
 $!
-$   IF P5.EQS."UCX"
+$   IF P4.EQS."UCX"
 $   THEN
 $!
 $!    Set the library to use UCX.
@@ -1142,7 +962,7 @@ $   ENDIF
 $!
 $!  Check to see if TCPIP was chosen
 $!
-$   IF P5.EQS."TCPIP"
+$   IF P4.EQS."TCPIP"
 $   THEN
 $!
 $!    Set the library to use TCPIP (post UCX).
@@ -1155,7 +975,7 @@ $   ENDIF
 $!
 $!  Check to see if NONE was chosen
 $!
-$   IF P5.EQS."NONE"
+$   IF P4.EQS."NONE"
 $   THEN
 $!
 $!    Do not use a TCPIP library.
@@ -1177,7 +997,7 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P5," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    SOCKETSHR  :  To link with SOCKETSHR TCP/IP library."
 $   WRITE SYS$OUTPUT "    UCX        :  To link with UCX TCP/IP library."
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h
index e9d1e896d7..4ae8458259 100644
--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -204,6 +204,22 @@ extern "C" {
 
 /*    VRS Additional Kerberos5 entries
  */
+#define SSL_TXT_KRB5_DES_64_CBC_SHA   SSL3_TXT_KRB5_DES_64_CBC_SHA
+#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
+#define SSL_TXT_KRB5_RC4_128_SHA      SSL3_TXT_KRB5_RC4_128_SHA
+#define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA
+#define SSL_TXT_KRB5_DES_64_CBC_MD5   SSL3_TXT_KRB5_DES_64_CBC_MD5       
+#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5       
+#define SSL_TXT_KRB5_RC4_128_MD5      SSL3_TXT_KRB5_RC4_128_MD5
+#define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5 
+
+#define SSL_TXT_KRB5_DES_40_CBC_SHA   SSL3_TXT_KRB5_DES_40_CBC_SHA 
+#define SSL_TXT_KRB5_RC2_40_CBC_SHA   SSL3_TXT_KRB5_RC2_40_CBC_SHA 
+#define SSL_TXT_KRB5_RC4_40_SHA       SSL3_TXT_KRB5_RC4_40_SHA
+#define SSL_TXT_KRB5_DES_40_CBC_MD5   SSL3_TXT_KRB5_DES_40_CBC_MD5 
+#define SSL_TXT_KRB5_RC2_40_CBC_MD5   SSL3_TXT_KRB5_RC2_40_CBC_MD5 
+#define SSL_TXT_KRB5_RC4_40_MD5       SSL3_TXT_KRB5_RC4_40_MD5
+
 #define SSL_TXT_KRB5_DES_40_CBC_SHA   SSL3_TXT_KRB5_DES_40_CBC_SHA
 #define SSL_TXT_KRB5_DES_40_CBC_MD5   SSL3_TXT_KRB5_DES_40_CBC_MD5
 #define SSL_TXT_KRB5_DES_64_CBC_SHA   SSL3_TXT_KRB5_DES_64_CBC_SHA
@@ -299,9 +315,7 @@ extern "C" {
 #include <openssl/crypto.h>
 #include <openssl/lhash.h>
 #include <openssl/buffer.h>
-#include <openssl/bio.h>
 #include <openssl/pem.h>
-#include <openssl/x509.h>
 
 #ifdef  __cplusplus
 extern "C" {
@@ -507,6 +521,8 @@ typedef struct ssl_session_st
 /* Never bother the application with retries if the transport
  * is blocking: */
 #define SSL_MODE_AUTO_RETRY 0x00000004L
+/* Don't attempt to automatically build certificate chain */
+#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
 
 
 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
@@ -704,10 +720,11 @@ struct ssl_ctx_st
 #define SSL_SESS_CACHE_SERVER                   0x0002
 #define SSL_SESS_CACHE_BOTH     (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
 #define SSL_SESS_CACHE_NO_AUTO_CLEAR            0x0080
-/* This one, when set, makes the server session-id lookup not look
- * in the cache.  If there is an application get_session callback
- * defined, this will still get called. */
+/* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */
 #define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP       0x0100
+#define SSL_SESS_CACHE_NO_INTERNAL_STORE        0x0200
+#define SSL_SESS_CACHE_NO_INTERNAL \
+        (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE)
 
   struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx);
 #define SSL_CTX_sess_number(ctx) \
@@ -1212,14 +1229,12 @@ int	SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); /* PEM t
 STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
 int     SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
                                             const char *file);
-#ifndef OPENSSL_SYS_WIN32
 #ifndef OPENSSL_SYS_VMS
 #ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! [was: #ifndef MAC_OS_pre_X] */
 int     SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
                                            const char *dir);
 #endif
 #endif
-#endif
 
 #endif
 
@@ -1688,6 +1703,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_LENGTH_TOO_SHORT                           160
 #define SSL_R_LIBRARY_BUG                                274
 #define SSL_R_LIBRARY_HAS_NO_CIPHERS                     161
+#define SSL_R_MASTER_KEY_TOO_LONG                        1112
 #define SSL_R_MESSAGE_TOO_LONG                           1111
 #define SSL_R_MISSING_DH_DSA_CERT                        162
 #define SSL_R_MISSING_DH_KEY                             163
diff --git a/src/lib/libssl/src/ssl/ssl3.h b/src/lib/libssl/src/ssl/ssl3.h
index 8fd6951d77..1153aeda74 100644
--- a/src/lib/libssl/src/ssl/ssl3.h
+++ b/src/lib/libssl/src/ssl/ssl3.h
@@ -156,23 +156,29 @@ extern "C" {
 
 #define SSL3_CK_FZA_DMS_NULL_SHA                0x0300001C
 #define SSL3_CK_FZA_DMS_FZA_SHA                 0x0300001D
+#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
+         to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
+         of the ietf-tls list */
 #define SSL3_CK_FZA_DMS_RC4_SHA                 0x0300001E
+#endif
 
 /*    VRS Additional Kerberos5 entries
  */
-#define SSL3_CK_KRB5_DES_40_CBC_SHA             0x03000021
-#define SSL3_CK_KRB5_DES_40_CBC_MD5             0x03000022
-#define SSL3_CK_KRB5_DES_64_CBC_SHA             0x03000023
-#define SSL3_CK_KRB5_DES_64_CBC_MD5             0x03000024
-#define SSL3_CK_KRB5_DES_192_CBC3_SHA           0x03000025
-#define SSL3_CK_KRB5_DES_192_CBC3_MD5           0x03000026
-
-#define SSL3_TXT_KRB5_DES_40_CBC_SHA            "EXP-KRB5-DES-CBC-SHA"
-#define SSL3_TXT_KRB5_DES_40_CBC_MD5            "EXP-KRB5-DES-CBC-MD5"
-#define SSL3_TXT_KRB5_DES_64_CBC_SHA            "KRB5-DES-CBC-SHA"
-#define SSL3_TXT_KRB5_DES_64_CBC_MD5            "KRB5-DES-CBC-MD5"
-#define SSL3_TXT_KRB5_DES_192_CBC3_SHA          "KRB5-DES-CBC3-SHA"
-#define SSL3_TXT_KRB5_DES_192_CBC3_MD5          "KRB5-DES-CBC3-MD5"
+#define SSL3_CK_KRB5_DES_64_CBC_SHA             0x0300001E
+#define SSL3_CK_KRB5_DES_192_CBC3_SHA           0x0300001F
+#define SSL3_CK_KRB5_RC4_128_SHA                0x03000020
+#define SSL3_CK_KRB5_IDEA_128_CBC_SHA           0x03000021
+#define SSL3_CK_KRB5_DES_64_CBC_MD5             0x03000022
+#define SSL3_CK_KRB5_DES_192_CBC3_MD5           0x03000023
+#define SSL3_CK_KRB5_RC4_128_MD5                0x03000024
+#define SSL3_CK_KRB5_IDEA_128_CBC_MD5           0x03000025
+
+#define SSL3_CK_KRB5_DES_40_CBC_SHA             0x03000026
+#define SSL3_CK_KRB5_RC2_40_CBC_SHA             0x03000027
+#define SSL3_CK_KRB5_RC4_40_SHA                 0x03000028
+#define SSL3_CK_KRB5_DES_40_CBC_MD5             0x03000029
+#define SSL3_CK_KRB5_RC2_40_CBC_MD5             0x0300002A
+#define SSL3_CK_KRB5_RC4_40_MD5                 0x0300002B
 
 #define SSL3_TXT_RSA_NULL_MD5                   "NULL-MD5"
 #define SSL3_TXT_RSA_NULL_SHA                   "NULL-SHA"
@@ -209,6 +215,22 @@ extern "C" {
 #define SSL3_TXT_FZA_DMS_FZA_SHA                "FZA-FZA-CBC-SHA"
 #define SSL3_TXT_FZA_DMS_RC4_SHA                "FZA-RC4-SHA"
 
+#define SSL3_TXT_KRB5_DES_64_CBC_SHA            "KRB5-DES-CBC-SHA"
+#define SSL3_TXT_KRB5_DES_192_CBC3_SHA          "KRB5-DES-CBC3-SHA"
+#define SSL3_TXT_KRB5_RC4_128_SHA               "KRB5-RC4-SHA"
+#define SSL3_TXT_KRB5_IDEA_128_CBC_SHA          "KRB5-IDEA-CBC-SHA"
+#define SSL3_TXT_KRB5_DES_64_CBC_MD5            "KRB5-DES-CBC-MD5"
+#define SSL3_TXT_KRB5_DES_192_CBC3_MD5          "KRB5-DES-CBC3-MD5"
+#define SSL3_TXT_KRB5_RC4_128_MD5               "KRB5-RC4-MD5"
+#define SSL3_TXT_KRB5_IDEA_128_CBC_MD5          "KRB5-IDEA-CBC-MD5"
+
+#define SSL3_TXT_KRB5_DES_40_CBC_SHA            "EXP-KRB5-DES-CBC-SHA"
+#define SSL3_TXT_KRB5_RC2_40_CBC_SHA            "EXP-KRB5-RC2-CBC-SHA"
+#define SSL3_TXT_KRB5_RC4_40_SHA                "EXP-KRB5-RC4-SHA"
+#define SSL3_TXT_KRB5_DES_40_CBC_MD5            "EXP-KRB5-DES-CBC-MD5"
+#define SSL3_TXT_KRB5_RC2_40_CBC_MD5            "EXP-KRB5-RC2-CBC-MD5"
+#define SSL3_TXT_KRB5_RC4_40_MD5                "EXP-KRB5-RC4-MD5"
+
 #define SSL3_SSL_SESSION_ID_LENGTH              32
 #define SSL3_MAX_SSL_SESSION_ID_LENGTH          32
 
diff --git a/src/lib/libssl/src/ssl/ssl_asn1.c b/src/lib/libssl/src/ssl/ssl_asn1.c
index 23bfe44e21..d8ff8fc4a3 100644
--- a/src/lib/libssl/src/ssl/ssl_asn1.c
+++ b/src/lib/libssl/src/ssl/ssl_asn1.c
@@ -298,6 +298,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
                 os.length = sizeof ret->session_id;
 
         ret->session_id_length=os.length;
+        OPENSSL_assert(os.length <= sizeof ret->session_id);
         memcpy(ret->session_id,os.data,os.length);
 
         M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
@@ -369,9 +370,15 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
         if(os.data != NULL)
             {
             if (os.length > SSL_MAX_SID_CTX_LENGTH)
+                {
+                ret->sid_ctx_length=os.length;
                 SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_BAD_LENGTH);
-            ret->sid_ctx_length=os.length;
-            memcpy(ret->sid_ctx,os.data,os.length);
+                }
+            else
+                {
+                ret->sid_ctx_length=os.length;
+                memcpy(ret->sid_ctx,os.data,os.length);
+                }
             OPENSSL_free(os.data); os.data=NULL; os.length=0;
             }
         else
diff --git a/src/lib/libssl/src/ssl/ssl_cert.c b/src/lib/libssl/src/ssl/ssl_cert.c
index 3d31bbf05f..da90078a37 100644
--- a/src/lib/libssl/src/ssl/ssl_cert.c
+++ b/src/lib/libssl/src/ssl/ssl_cert.c
@@ -781,7 +781,7 @@ err:
 #endif
 #endif
 
-#else
+#else /* OPENSSL_SYS_WIN32 */
 
 int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
                                        const char *dir)
@@ -789,10 +789,30 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
         WIN32_FIND_DATA FindFileData;
         HANDLE hFind;
         int ret = 0;
+#ifdef OPENSSL_SYS_WINCE
+        WCHAR* wdir = NULL;
+#endif
 
         CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
         
+#ifdef OPENSSL_SYS_WINCE
+        /* convert strings to UNICODE */
+        {
+                BOOL result = FALSE;
+                int i;
+                wdir = malloc((strlen(dir)+1)*2);
+                if (wdir == NULL)
+                        goto err_noclose;
+                for (i=0; i<(int)strlen(dir)+1; i++)
+                        wdir[i] = (short)dir[i];
+        }
+#endif
+
+#ifdef OPENSSL_SYS_WINCE
+        hFind = FindFirstFile(wdir, &FindFileData);
+#else
         hFind = FindFirstFile(dir, &FindFileData);
+#endif
         /* Note that a side effect is that the CAs will be sorted by name */
         if(hFind == INVALID_HANDLE_VALUE)
                 {
@@ -807,7 +827,11 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
                 char buf[1024];
                 int r;
                 
+#ifdef OPENSSL_SYS_WINCE
+                if(strlen(dir)+_tcslen(FindFileData.cFileName)+2 > sizeof buf)
+#else
                 if(strlen(dir)+strlen(FindFileData.cFileName)+2 > sizeof buf)
+#endif
                         {
                         SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
                         goto err;
@@ -825,6 +849,10 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
 err:    
         FindClose(hFind);
 err_noclose:
+#ifdef OPENSSL_SYS_WINCE
+        if (wdir != NULL)
+                free(wdir);
+#endif
         CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
         return ret;
         }
diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c
index df48245b2c..438d9eacbb 100644
--- a/src/lib/libssl/src/ssl/ssl_ciph.c
+++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -674,13 +674,14 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                          * So additionally check whether the cipher name found
                          * has the correct length. We can save a strlen() call:
                          * just checking for the '\0' at the right place is
-                         * sufficient, we have to strncmp() anyway.
+                         * sufficient, we have to strncmp() anyway. (We cannot
+                         * use strcmp(), because buf is not '\0' terminated.)
                          */
                          j = found = 0;
                          while (ca_list[j])
                                 {
-                                if ((ca_list[j]->name[buflen] == '\0') &&
-                                    !strncmp(buf, ca_list[j]->name, buflen))
+                                if (!strncmp(buf, ca_list[j]->name, buflen) &&
+                                    (ca_list[j]->name[buflen] == '\0'))
                                         {
                                         found = 1;
                                         break;
@@ -757,7 +758,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
          */
         if (rule_str == NULL) return(NULL);
 
-        if (init_ciphers) load_ciphers();
+        if (init_ciphers)
+                {
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL);
+                if (init_ciphers) load_ciphers();
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
+                }
 
         /*
          * To reduce the work to do we only want to process the compiled
diff --git a/src/lib/libssl/src/ssl/ssl_err.c b/src/lib/libssl/src/ssl/ssl_err.c
index 7067a745f3..d2cb181503 100644
--- a/src/lib/libssl/src/ssl/ssl_err.c
+++ b/src/lib/libssl/src/ssl/ssl_err.c
@@ -296,6 +296,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_LENGTH_TOO_SHORT                  ,"length too short"},
 {SSL_R_LIBRARY_BUG                       ,"library bug"},
 {SSL_R_LIBRARY_HAS_NO_CIPHERS            ,"library has no ciphers"},
+{SSL_R_MASTER_KEY_TOO_LONG               ,"master key too long"},
 {SSL_R_MESSAGE_TOO_LONG                  ,"message too long"},
 {SSL_R_MISSING_DH_DSA_CERT               ,"missing dh dsa cert"},
 {SSL_R_MISSING_DH_KEY                    ,"missing dh key"},
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 4bc4ce5b3a..8701fb33ca 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -273,6 +273,7 @@ SSL *SSL_new(SSL_CTX *ctx)
         s->verify_mode=ctx->verify_mode;
         s->verify_depth=ctx->verify_depth;
         s->sid_ctx_length=ctx->sid_ctx_length;
+        OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
         memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
         s->verify_callback=ctx->default_verify_callback;
         s->generate_session_id=ctx->generate_session_id;
@@ -314,7 +315,7 @@ err:
 int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
                                    unsigned int sid_ctx_len)
     {
-    if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
+    if(sid_ctx_len > sizeof ctx->sid_ctx)
         {
         SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
         return 0;
@@ -364,6 +365,10 @@ int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
          * any new session built out of this id/id_len and the ssl_version in
          * use by this SSL. */
         SSL_SESSION r, *p;
+
+        if(id_len > sizeof r.session_id)
+                return 0;
+
         r.ssl_version = ssl->version;
         r.session_id_length = id_len;
         memcpy(r.session_id, id, id_len);
@@ -1063,14 +1068,17 @@ int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
  * preference */
 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s)
         {
-        if ((s != NULL) && (s->cipher_list != NULL))
-                {
-                return(s->cipher_list);
-                }
-        else if ((s->ctx != NULL) &&
-                (s->ctx->cipher_list != NULL))
+        if (s != NULL)
                 {
-                return(s->ctx->cipher_list);
+                if (s->cipher_list != NULL)
+                        {
+                        return(s->cipher_list);
+                        }
+                else if ((s->ctx != NULL) &&
+                        (s->ctx->cipher_list != NULL))
+                        {
+                        return(s->ctx->cipher_list);
+                        }
                 }
         return(NULL);
         }
@@ -1079,14 +1087,17 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s)
  * algorithm id */
 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
         {
-        if ((s != NULL) && (s->cipher_list_by_id != NULL))
-                {
-                return(s->cipher_list_by_id);
-                }
-        else if ((s != NULL) && (s->ctx != NULL) &&
-                (s->ctx->cipher_list_by_id != NULL))
+        if (s != NULL)
                 {
-                return(s->ctx->cipher_list_by_id);
+                if (s->cipher_list_by_id != NULL)
+                        {
+                        return(s->cipher_list_by_id);
+                        }
+                else if ((s->ctx != NULL) &&
+                        (s->ctx->cipher_list_by_id != NULL))
+                        {
+                        return(s->ctx->cipher_list_by_id);
+                        }
                 }
         return(NULL);
         }
@@ -1652,7 +1663,7 @@ void ssl_update_cache(SSL *s,int mode)
 
         i=s->ctx->session_cache_mode;
         if ((i & mode) && (!s->hit)
-                && ((i & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)
+                && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
                     || SSL_CTX_add_session(s->ctx,s->session))
                 && (s->ctx->new_session_cb != NULL))
                 {
@@ -1884,6 +1895,7 @@ SSL *SSL_dup(SSL *s)
                  * they should not both point to the same object,
                  * and thus we can't use SSL_copy_session_id. */
 
+                ret->method->ssl_free(ret);
                 ret->method = s->method;
                 ret->method->ssl_new(ret);
 
diff --git a/src/lib/libssl/src/ssl/ssl_sess.c b/src/lib/libssl/src/ssl/ssl_sess.c
index 664f8c2230..a505e388fb 100644
--- a/src/lib/libssl/src/ssl/ssl_sess.c
+++ b/src/lib/libssl/src/ssl/ssl_sess.c
@@ -308,9 +308,12 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
                         if (copy)
                                 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
 
-                        /* The following should not return 1, otherwise,
-                         * things are very strange */
-                        SSL_CTX_add_session(s->ctx,ret);
+                        /* Add the externally cached session to the internal
+                         * cache as well if and only if we are supposed to. */
+                        if(!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
+                                /* The following should not return 1, otherwise,
+                                 * things are very strange */
+                                SSL_CTX_add_session(s->ctx,ret);
                         }
                 if (ret == NULL)
                         goto err;
@@ -524,13 +527,13 @@ void SSL_SESSION_free(SSL_SESSION *ss)
 
         CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
 
-        memset(ss->key_arg,0,SSL_MAX_KEY_ARG_LENGTH);
-        memset(ss->master_key,0,SSL_MAX_MASTER_KEY_LENGTH);
-        memset(ss->session_id,0,SSL_MAX_SSL_SESSION_ID_LENGTH);
+        OPENSSL_cleanse(ss->key_arg,sizeof ss->key_arg);
+        OPENSSL_cleanse(ss->master_key,sizeof ss->master_key);
+        OPENSSL_cleanse(ss->session_id,sizeof ss->session_id);
         if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
         if (ss->peer != NULL) X509_free(ss->peer);
         if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
-        memset(ss,0,sizeof(*ss));
+        OPENSSL_cleanse(ss,sizeof(*ss));
         OPENSSL_free(ss);
         }
 
diff --git a/src/lib/libssl/src/ssl/ssl_task.c b/src/lib/libssl/src/ssl/ssl_task.c
index e36af0eb94..b5ce44b47c 100644
--- a/src/lib/libssl/src/ssl/ssl_task.c
+++ b/src/lib/libssl/src/ssl/ssl_task.c
@@ -258,7 +258,7 @@ int doit(io_channel chan, SSL_CTX *s_ctx )
 {
     int status, length, link_state;
      struct rpc_msg msg;
-        static char cbuf[200],sbuf[200];
+
         SSL *s_ssl=NULL;
         BIO *c_to_s=NULL;
         BIO *s_to_c=NULL;
diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c
index 342c59e659..5fccc48b71 100644
--- a/src/lib/libssl/src/ssl/ssltest.c
+++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -109,11 +109,8 @@
  *
  */
 
-#define _XOPEN_SOURCE 600       /* Or gethostname won't be declared properly
+#define _BSD_SOURCE 1           /* Or gethostname won't be declared properly
                                    on Linux and GNU platforms. */
-#define _XOPEN_SOURCE_EXTENDED  1 /* Or gethostname won't be declared properly
-                                   on Compaq platforms (at least with DEC C).
-                                */
 
 #include <assert.h>
 #include <errno.h>
@@ -124,6 +121,7 @@
 #include <time.h>
 #include <inttypes.h>
 
+#define USE_SOCKETS
 #include "e_os.h"
 
 #include <openssl/bio.h>
@@ -131,12 +129,20 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/ssl.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 #include <openssl/err.h>
 #include <openssl/rand.h>
+
+#define _XOPEN_SOURCE_EXTENDED  1 /* Or gethostname won't be declared properly
+                                     on Compaq platforms (at least with DEC C).
+                                     Do not try to put it earlier, or IPv6 includes
+                                     get screwed...
+                                  */
+
 #ifdef OPENSSL_SYS_WINDOWS
 #include <winsock.h>
-#include "../crypto/bio/bss_file.c"
 #else
 #include OPENSSL_UNISTD
 #endif
@@ -144,6 +150,9 @@
 #ifdef OPENSSL_SYS_VMS
 #  define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
 #  define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
+#elif defined(OPENSSL_SYS_WINCE)
+#  define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
+#  define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
 #else
 #  define TEST_SERVER_CERT "../apps/server.pem"
 #  define TEST_CLIENT_CERT "../apps/client.pem"
@@ -365,7 +374,9 @@ int main(int argc, char *argv[])
         verbose = 0;
         debug = 0;
         cipher = 0;
-        
+
+        bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); 
+
         CRYPTO_set_locking_callback(lock_dbg_cb);
 
         /* enable memory leak checking unless explicitly disabled */
@@ -383,7 +394,6 @@ int main(int argc, char *argv[])
 
         RAND_seed(rnd_seed, sizeof rnd_seed);
 
-        bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
         bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
 
         argc--;
@@ -406,7 +416,7 @@ int main(int argc, char *argv[])
 #ifndef OPENSSL_NO_DH
                         dhe1024=1;
 #else
-                        fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n";
+                        fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
 #endif
                         }
                 else if (strcmp(*argv,"-dhe1024dsa") == 0)
@@ -414,7 +424,7 @@ int main(int argc, char *argv[])
 #ifndef OPENSSL_NO_DH
                         dhe1024dsa=1;
 #else
-                        fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n";
+                        fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
 #endif
                         }
                 else if (strcmp(*argv,"-no_dhe") == 0)
@@ -531,7 +541,7 @@ bad:
                         "the test anyway (and\n-d to see what happens), "
                         "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
                         "to avoid protocol mismatch.\n");
-                exit(1);
+                EXIT(1);
                 }
 
         if (print_time)
@@ -687,10 +697,16 @@ bad:
 #ifndef OPENSSL_NO_KRB5
         if (c_ssl  &&  c_ssl->kssl_ctx)
                 {
-                char    localhost[257];
+                char    localhost[MAXHOSTNAMELEN+2];
 
-                if (gethostname(localhost, 256) == 0)
+                if (gethostname(localhost, sizeof localhost-1) == 0)
                         {
+                        localhost[sizeof localhost-1]='\0';
+                        if(strlen(localhost) == sizeof localhost-1)
+                                {
+                                BIO_printf(bio_err,"localhost name too long\n");
+                                goto end;
+                                }
                         kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
                                 localhost);
                         }
@@ -746,7 +762,9 @@ end:
 #ifndef OPENSSL_NO_RSA
         free_tmp_rsa();
 #endif
+#ifndef OPENSSL_NO_ENGINE
         ENGINE_cleanup();
+#endif
         CRYPTO_cleanup_all_ex_data();
         ERR_free_strings();
         ERR_remove_state(0);
@@ -836,6 +854,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
                         int i, r;
                         clock_t c_clock = clock();
 
+                        memset(cbuf, 0, sizeof(cbuf));
+
                         if (debug)
                                 if (SSL_in_init(c_ssl))
                                         printf("client waiting in SSL_connect - %s\n",
@@ -920,6 +940,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
                         int i, r;
                         clock_t s_clock = clock();
 
+                        memset(sbuf, 0, sizeof(sbuf));
+
                         if (debug)
                                 if (SSL_in_init(s_ssl))
                                         printf("server waiting in SSL_accept - %s\n",
@@ -1163,6 +1185,9 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
         int c_write,s_write;
         int do_server=0,do_client=0;
 
+        memset(cbuf,0,sizeof(cbuf));
+        memset(sbuf,0,sizeof(sbuf));
+
         c_to_s=BIO_new(BIO_s_mem());
         s_to_c=BIO_new(BIO_s_mem());
         if ((s_to_c == NULL) || (c_to_s == NULL))
@@ -1444,7 +1469,8 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
         {
         char *s,buf[256];
 
-        s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,256);
+        s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
+                            sizeof buf);
         if (s != NULL)
                 {
                 if (ok)
diff --git a/src/lib/libssl/src/ssl/t1_clnt.c b/src/lib/libssl/src/ssl/t1_clnt.c
index 9ad518f9f4..57205fb429 100644
--- a/src/lib/libssl/src/ssl/t1_clnt.c
+++ b/src/lib/libssl/src/ssl/t1_clnt.c
@@ -79,11 +79,18 @@ SSL_METHOD *TLSv1_client_method(void)
 
         if (init)
                 {
-                memcpy((char *)&TLSv1_client_data,(char *)tlsv1_base_method(),
-                        sizeof(SSL_METHOD));
-                TLSv1_client_data.ssl_connect=ssl3_connect;
-                TLSv1_client_data.get_ssl_method=tls1_get_client_method;
-                init=0;
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+                if (init)
+                        {
+                        memcpy((char *)&TLSv1_client_data,(char *)tlsv1_base_method(),
+                                sizeof(SSL_METHOD));
+                        TLSv1_client_data.ssl_connect=ssl3_connect;
+                        TLSv1_client_data.get_ssl_method=tls1_get_client_method;
+                        init=0;
+                        }
+                
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                 }
         return(&TLSv1_client_data);
         }
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c
index 5290bf6665..271e247eea 100644
--- a/src/lib/libssl/src/ssl/t1_enc.c
+++ b/src/lib/libssl/src/ssl/t1_enc.c
@@ -124,7 +124,7 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
         unsigned int j;
         HMAC_CTX ctx;
         HMAC_CTX ctx_tmp;
-        unsigned char A1[HMAC_MAX_MD_CBLOCK];
+        unsigned char A1[EVP_MAX_MD_SIZE];
         unsigned int A1_len;
         
         chunk=EVP_MD_size(md);
@@ -161,7 +161,7 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
                 }
         HMAC_CTX_cleanup(&ctx);
         HMAC_CTX_cleanup(&ctx_tmp);
-        memset(A1,0,sizeof(A1));
+        OPENSSL_cleanse(A1,sizeof(A1));
         }
 
 static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
@@ -418,10 +418,10 @@ printf("\niv=");
 printf("\n");
 #endif
 
-        memset(tmp1,0,sizeof(tmp1));
-        memset(tmp2,0,sizeof(tmp1));
-        memset(iv1,0,sizeof(iv1));
-        memset(iv2,0,sizeof(iv2));
+        OPENSSL_cleanse(tmp1,sizeof(tmp1));
+        OPENSSL_cleanse(tmp2,sizeof(tmp1));
+        OPENSSL_cleanse(iv1,sizeof(iv1));
+        OPENSSL_cleanse(iv2,sizeof(iv2));
         return(1);
 err:
         SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
@@ -476,7 +476,7 @@ printf("pre-master\n");
 { int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); }
 #endif
         tls1_generate_key_block(s,p1,p2,num);
-        memset(p2,0,num);
+        OPENSSL_cleanse(p2,num);
         OPENSSL_free(p2);
 #ifdef TLS_DEBUG
 printf("\nkey block\n");
@@ -683,10 +683,10 @@ int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
 
         tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf),
                 s->session->master_key,s->session->master_key_length,
-                out,buf2,12);
+                out,buf2,sizeof buf2);
         EVP_MD_CTX_cleanup(&ctx);
 
-        return((int)12);
+        return sizeof buf2;
         }
 
 int tls1_mac(SSL *ssl, unsigned char *md, int send)
@@ -773,7 +773,7 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
                 s->s3->server_random,SSL3_RANDOM_SIZE);
         tls1_PRF(s->ctx->md5,s->ctx->sha1,
                 buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len,
-                s->session->master_key,buff,SSL3_MASTER_SECRET_SIZE);
+                s->session->master_key,buff,sizeof buff);
 #ifdef KSSL_DEBUG
         printf ("tls1_generate_master_secret() complete\n");
 #endif  /* KSSL_DEBUG */
diff --git a/src/lib/libssl/src/ssl/t1_meth.c b/src/lib/libssl/src/ssl/t1_meth.c
index 9bb36a7d1c..fcc243f782 100644
--- a/src/lib/libssl/src/ssl/t1_meth.c
+++ b/src/lib/libssl/src/ssl/t1_meth.c
@@ -76,13 +76,21 @@ SSL_METHOD *TLSv1_method(void)
 
         if (init)
                 {
-                memcpy((char *)&TLSv1_data,(char *)tlsv1_base_method(),
-                        sizeof(SSL_METHOD));
-                TLSv1_data.ssl_connect=ssl3_connect;
-                TLSv1_data.ssl_accept=ssl3_accept;
-                TLSv1_data.get_ssl_method=tls1_get_method;
-                init=0;
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+                
+                if (init)
+                        {
+                        memcpy((char *)&TLSv1_data,(char *)tlsv1_base_method(),
+                                sizeof(SSL_METHOD));
+                        TLSv1_data.ssl_connect=ssl3_connect;
+                        TLSv1_data.ssl_accept=ssl3_accept;
+                        TLSv1_data.get_ssl_method=tls1_get_method;
+                        init=0;
+                        }
+
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                 }
+        
         return(&TLSv1_data);
         }
 
diff --git a/src/lib/libssl/src/ssl/t1_srvr.c b/src/lib/libssl/src/ssl/t1_srvr.c
index 6e765e587f..1c1149e49f 100644
--- a/src/lib/libssl/src/ssl/t1_srvr.c
+++ b/src/lib/libssl/src/ssl/t1_srvr.c
@@ -80,11 +80,18 @@ SSL_METHOD *TLSv1_server_method(void)
 
         if (init)
                 {
-                memcpy((char *)&TLSv1_server_data,(char *)tlsv1_base_method(),
-                        sizeof(SSL_METHOD));
-                TLSv1_server_data.ssl_accept=ssl3_accept;
-                TLSv1_server_data.get_ssl_method=tls1_get_server_method;
-                init=0;
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+                if (init)
+                        {
+                        memcpy((char *)&TLSv1_server_data,(char *)tlsv1_base_method(),
+                                sizeof(SSL_METHOD));
+                        TLSv1_server_data.ssl_accept=ssl3_accept;
+                        TLSv1_server_data.get_ssl_method=tls1_get_server_method;
+                        init=0;
+                        }
+                        
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                 }
         return(&TLSv1_server_data);
         }
diff --git a/src/lib/libssl/src/test/Makefile.ssl b/src/lib/libssl/src/test/Makefile.ssl
index f489332a65..373f17a929 100644
--- a/src/lib/libssl/src/test/Makefile.ssl
+++ b/src/lib/libssl/src/test/Makefile.ssl
@@ -15,6 +15,9 @@ MAKE=		make -f $(MAKEFILE)
 MAKEDEPPROG=    makedepend
 MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 PERL=           perl
+# KRB5 stuff
+KRB5_INCLUDES=
+LIBKRB5=
 
 PEX_LIBS=
 EX_LIBS= #-lnsl -lsocket
@@ -116,158 +119,162 @@ tags:
 tests:  exe apps $(TESTS)
 
 apps:
-        @(cd ../apps; $(MAKE)  CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all)
+        @(cd ..; $(MAKE) DIRS=apps all)
 
-alltests:
-        (LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH=$$LIBPATH; DYLD_LIBRARY_PATH=$$LIBPATH; SHLIB_PATH=$$LIBPATH; \
-                export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH; \
-                $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' alltests.chooser)
-alltests.chooser: \
+SET_SO_PATHS=OSSL_LIBPATH="`cd ..; pwd`"; \
+                LD_LIBRARY_PATH="$$OSSL_LIBPATH:$$LD_LIBRARY_PATH"; \
+                DYLD_LIBRARY_PATH="$$OSSL_LIBPATH:$$DYLD_LIBRARY_PATH"; \
+                SHLIB_PATH="$$OSSL_LIBPATH:$$SHLIB_PATH"; \
+                LIBPATH="$$OSSL_LIBPATH:$$LIBPATH"; \
+                if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="$${LIBPATH}:$$PATH"; fi; \
+                export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH
+
+alltests: \
         test_des test_idea test_sha test_md4 test_md5 test_hmac \
         test_md2 test_mdc2 \
-        test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast test_rd \
+        test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast test_aes \
         test_rand test_bn test_ec test_enc test_x509 test_rsa test_crl test_sid \
         test_gen test_req test_pkcs7 test_verify test_dh test_dsa \
         test_ss test_ca test_engine test_evp test_ssl
 
 test_evp:
-        ./$(EVPTEST) evptests.txt
+        $(SET_SO_PATHS); ./$(EVPTEST) evptests.txt
 
 test_des:
-        ./$(DESTEST)
+        $(SET_SO_PATHS); ./$(DESTEST)
 
 test_idea:
-        ./$(IDEATEST)
+        $(SET_SO_PATHS); ./$(IDEATEST)
 
 test_sha:
-        ./$(SHATEST)
-        ./$(SHA1TEST)
+        $(SET_SO_PATHS); ./$(SHATEST)
+        $(SET_SO_PATHS); ./$(SHA1TEST)
 
 test_mdc2:
-        ./$(MDC2TEST)
+        $(SET_SO_PATHS); ./$(MDC2TEST)
 
 test_md5:
-        ./$(MD5TEST)
+        $(SET_SO_PATHS); ./$(MD5TEST)
 
 test_md4:
-        ./$(MD4TEST)
+        $(SET_SO_PATHS); ./$(MD4TEST)
 
 test_hmac:
-        ./$(HMACTEST)
+        $(SET_SO_PATHS); ./$(HMACTEST)
 
 test_md2:
-        ./$(MD2TEST)
+        $(SET_SO_PATHS); ./$(MD2TEST)
 
 test_rmd:
-        ./$(RMDTEST)
+        $(SET_SO_PATHS); ./$(RMDTEST)
 
 test_bf:
-        ./$(BFTEST)
+        $(SET_SO_PATHS); ./$(BFTEST)
 
 test_cast:
-        ./$(CASTTEST)
+        $(SET_SO_PATHS); ./$(CASTTEST)
 
 test_rc2:
-        ./$(RC2TEST)
+        $(SET_SO_PATHS); ./$(RC2TEST)
 
 test_rc4:
-        ./$(RC4TEST)
+        $(SET_SO_PATHS); ./$(RC4TEST)
 
 test_rc5:
-        ./$(RC5TEST)
+        $(SET_SO_PATHS); ./$(RC5TEST)
 
 test_rand:
-        ./$(RANDTEST)
+        $(SET_SO_PATHS); ./$(RANDTEST)
 
 test_enc:
-        @sh ./testenc
+        @$(SET_SO_PATHS); sh ./testenc
 
 test_x509:
         echo test normal x509v1 certificate
-        sh ./tx509 2>/dev/null
+        $(SET_SO_PATHS); sh ./tx509 2>/dev/null
         echo test first x509v3 certificate
-        sh ./tx509 v3-cert1.pem 2>/dev/null
+        $(SET_SO_PATHS); sh ./tx509 v3-cert1.pem 2>/dev/null
         echo test second x509v3 certificate
-        sh ./tx509 v3-cert2.pem 2>/dev/null
+        $(SET_SO_PATHS); sh ./tx509 v3-cert2.pem 2>/dev/null
 
 test_rsa:
-        @sh ./trsa 2>/dev/null
-        ./$(RSATEST)
+        @$(SET_SO_PATHS); sh ./trsa 2>/dev/null
+        $(SET_SO_PATHS); ./$(RSATEST)
 
 test_crl:
-        @sh ./tcrl 2>/dev/null
+        @$(SET_SO_PATHS); sh ./tcrl 2>/dev/null
 
 test_sid:
-        @sh ./tsid 2>/dev/null
+        @$(SET_SO_PATHS); sh ./tsid 2>/dev/null
 
 test_req:
-        @sh ./treq 2>/dev/null
-        @sh ./treq testreq2.pem 2>/dev/null
+        @$(SET_SO_PATHS); sh ./treq 2>/dev/null
+        @$(SET_SO_PATHS); sh ./treq testreq2.pem 2>/dev/null
 
 test_pkcs7:
-        @sh ./tpkcs7 2>/dev/null
-        @sh ./tpkcs7d 2>/dev/null
+        @$(SET_SO_PATHS); sh ./tpkcs7 2>/dev/null
+        @$(SET_SO_PATHS); sh ./tpkcs7d 2>/dev/null
 
 test_bn:
         @echo starting big number library test, could take a while...
-        @./$(BNTEST) >tmp.bntest
+        @$(SET_SO_PATHS); ./$(BNTEST) >tmp.bntest
         @echo quit >>tmp.bntest
         @echo "running bc"
         @<tmp.bntest sh -c "`sh ./bctest ignore`" | $(PERL) -e '$$i=0; while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"'
         @echo 'test a^b%c implementations'
-        ./$(EXPTEST)
+        $(SET_SO_PATHS); ./$(EXPTEST)
 
 test_ec:
         @echo 'test elliptic curves'
-        ./$(ECTEST)
+        $(SET_SO_PATHS); ./$(ECTEST)
 
 test_verify:
         @echo "The following command should have some OK's and some failures"
         @echo "There are definitly a few expired certificates"
-        -../apps/openssl verify -CApath ../certs ../certs/*.pem
+        -$(SET_SO_PATHS); ../apps/openssl verify -CApath ../certs ../certs/*.pem
 
 test_dh:
         @echo "Generate a set of DH parameters"
-        ./$(DHTEST)
+        $(SET_SO_PATHS); ./$(DHTEST)
 
 test_dsa:
         @echo "Generate a set of DSA parameters"
-        ./$(DSATEST)
-        ./$(DSATEST) -app2_1
+        $(SET_SO_PATHS); ./$(DSATEST)
+        $(SET_SO_PATHS); ./$(DSATEST) -app2_1
 
 test_gen:
         @echo "Generate and verify a certificate request"
-        @sh ./testgen
+        @$(SET_SO_PATHS); sh ./testgen
 
 test_ss keyU.ss certU.ss certCA.ss: testss
         @echo "Generate and certify a test certificate"
-        @sh ./testss
+        @$(SET_SO_PATHS); sh ./testss
 
 test_engine: 
         @echo "Manipulate the ENGINE structures"
-        ./$(ENGINETEST)
+        $(SET_SO_PATHS); ./$(ENGINETEST)
 
 test_ssl: keyU.ss certU.ss certCA.ss
         @echo "test SSL protocol"
-        @sh ./testssl keyU.ss certU.ss certCA.ss
+        @$(SET_SO_PATHS); sh ./testssl keyU.ss certU.ss certCA.ss
 
 test_ca:
-        @if ../apps/openssl no-rsa; then \
+        @$(SET_SO_PATHS); if ../apps/openssl no-rsa; then \
           echo "skipping CA.sh test -- requires RSA"; \
         else \
           echo "Generate and certify a test certificate via the 'ca' program"; \
           sh ./testca; \
         fi
 
-test_rd: #$(RDTEST)
+test_aes: #$(AESTEST)
 #       @echo "test Rijndael"
-#       ./$(RDTEST)
+#       $(SET_SO_PATHS); ./$(AESTEST)
 
 lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(SRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -277,101 +284,241 @@ clean:
         rm -f .rnd tmp.bntest tmp.bctest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss *.srl log
 
 $(DLIBSSL):
-        (cd ../ssl; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}')
+        (cd ..; $(MAKE) DIRS=ssl all)
 
 $(DLIBCRYPTO):
-        (cd ../crypto; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}')
+        (cd ..; $(MAKE) DIRS=crypto all)
 
 $(RSATEST): $(RSATEST).o $(DLIBCRYPTO)
-        $(CC) -o $(RSATEST) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(RSATEST) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(RSATEST) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(BNTEST): $(BNTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(BNTEST) $(CFLAGS) $(BNTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(BNTEST) $(CFLAGS) $(BNTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(BNTEST) $(CFLAGS) $(BNTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(ECTEST): $(ECTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(ECTEST) $(CFLAGS) $(ECTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(ECTEST) $(CFLAGS) $(ECTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(ECTEST) $(CFLAGS) $(ECTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(EXPTEST): $(EXPTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(EXPTEST) $(CFLAGS) $(EXPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(EXPTEST) $(CFLAGS) $(EXPTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(EXPTEST) $(CFLAGS) $(EXPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(IDEATEST): $(IDEATEST).o $(DLIBCRYPTO)
-        $(CC) -o $(IDEATEST) $(CFLAGS) $(IDEATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(IDEATEST) $(CFLAGS) $(IDEATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(IDEATEST) $(CFLAGS) $(IDEATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(MD2TEST): $(MD2TEST).o $(DLIBCRYPTO)
-        $(CC) -o $(MD2TEST) $(CFLAGS) $(MD2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(MD2TEST) $(CFLAGS) $(MD2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(MD2TEST) $(CFLAGS) $(MD2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(SHATEST): $(SHATEST).o $(DLIBCRYPTO)
-        $(CC) -o $(SHATEST) $(CFLAGS) $(SHATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(SHATEST) $(CFLAGS) $(SHATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(SHATEST) $(CFLAGS) $(SHATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(SHA1TEST): $(SHA1TEST).o $(DLIBCRYPTO)
-        $(CC) -o $(SHA1TEST) $(CFLAGS) $(SHA1TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(SHA1TEST) $(CFLAGS) $(SHA1TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(SHA1TEST) $(CFLAGS) $(SHA1TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(RMDTEST): $(RMDTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(RMDTEST) $(CFLAGS) $(RMDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(RMDTEST) $(CFLAGS) $(RMDTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(RMDTEST) $(CFLAGS) $(RMDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(MDC2TEST): $(MDC2TEST).o $(DLIBCRYPTO)
-        $(CC) -o $(MDC2TEST) $(CFLAGS) $(MDC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(MDC2TEST) $(CFLAGS) $(MDC2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(MDC2TEST) $(CFLAGS) $(MDC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(MD4TEST): $(MD4TEST).o $(DLIBCRYPTO)
-        $(CC) -o $(MD4TEST) $(CFLAGS) $(MD4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(MD4TEST) $(CFLAGS) $(MD4TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(MD4TEST) $(CFLAGS) $(MD4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(MD5TEST): $(MD5TEST).o $(DLIBCRYPTO)
-        $(CC) -o $(MD5TEST) $(CFLAGS) $(MD5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(MD5TEST) $(CFLAGS) $(MD5TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(MD5TEST) $(CFLAGS) $(MD5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(HMACTEST): $(HMACTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(HMACTEST) $(CFLAGS) $(HMACTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(HMACTEST) $(CFLAGS) $(HMACTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(HMACTEST) $(CFLAGS) $(HMACTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(RC2TEST): $(RC2TEST).o $(DLIBCRYPTO)
-        $(CC) -o $(RC2TEST) $(CFLAGS) $(RC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(RC2TEST) $(CFLAGS) $(RC2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(RC2TEST) $(CFLAGS) $(RC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(BFTEST): $(BFTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(BFTEST) $(CFLAGS) $(BFTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(BFTEST) $(CFLAGS) $(BFTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(BFTEST) $(CFLAGS) $(BFTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(CASTTEST): $(CASTTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(CASTTEST) $(CFLAGS) $(CASTTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(CASTTEST) $(CFLAGS) $(CASTTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(CASTTEST) $(CFLAGS) $(CASTTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(RC4TEST): $(RC4TEST).o $(DLIBCRYPTO)
-        $(CC) -o $(RC4TEST) $(CFLAGS) $(RC4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(RC4TEST) $(CFLAGS) $(RC4TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(RC4TEST) $(CFLAGS) $(RC4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(RC5TEST): $(RC5TEST).o $(DLIBCRYPTO)
-        $(CC) -o $(RC5TEST) $(CFLAGS) $(RC5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(RC5TEST) $(CFLAGS) $(RC5TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(RC5TEST) $(CFLAGS) $(RC5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(DESTEST): $(DESTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(DESTEST) $(CFLAGS) $(DESTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(DESTEST) $(CFLAGS) $(DESTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(DESTEST) $(CFLAGS) $(DESTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(RANDTEST): $(RANDTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(RANDTEST) $(CFLAGS) $(RANDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(RANDTEST) $(CFLAGS) $(RANDTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(RANDTEST) $(CFLAGS) $(RANDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(DHTEST): $(DHTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(DHTEST) $(CFLAGS) $(DHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(DHTEST) $(CFLAGS) $(DHTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(DHTEST) $(CFLAGS) $(DHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(DSATEST): $(DSATEST).o $(DLIBCRYPTO)
-        $(CC) -o $(DSATEST) $(CFLAGS) $(DSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(DSATEST) $(CFLAGS) $(DSATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(DSATEST) $(CFLAGS) $(DSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(METHTEST): $(METHTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(METHTEST) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(METHTEST) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(METHTEST) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(SSLTEST): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
-        $(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(ENGINETEST): $(ENGINETEST).o $(DLIBCRYPTO)
-        $(CC) -o $(ENGINETEST) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(ENGINETEST) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(ENGINETEST) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(EVPTEST): $(EVPTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(EVPTEST) $(CFLAGS) $(EVPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(EVPTEST) $(CFLAGS) $(EVPTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(EVPTEST) $(CFLAGS) $(EVPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
         
-#$(RDTEST).o: $(RDTEST).c
-#       $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(RDTEST).c
+#$(AESTEST).o: $(AESTEST).c
+#       $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
 
-#$(RDTEST): $(RDTEST).o $(DLIBCRYPTO)
-#       $(CC) -o $(RDTEST) $(CFLAGS) $(RDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+#$(AESTEST): $(AESTEST).o $(DLIBCRYPTO)
+#       if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+#         $(CC) -o $(AESTEST) $(CFLAGS) $(AESTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+#       else \
+#         LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+#         $(CC) -o $(AESTEST) $(CFLAGS) $(AESTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+#       fi
 
 dummytest: dummytest.o $(DLIBCRYPTO)
-        $(CC) -o dummytest $(CFLAGS) dummytest.o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o dummytest $(CFLAGS) dummytest.o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o dummytest $(CFLAGS) dummytest.o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-bftest.o: ../include/openssl/blowfish.h ../include/openssl/e_os2.h
+bftest.o: ../e_os.h ../include/openssl/blowfish.h ../include/openssl/e_os2.h
 bftest.o: ../include/openssl/opensslconf.h bftest.c
 bntest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 bntest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
@@ -394,31 +541,30 @@ bntest.o: ../include/openssl/sha.h ../include/openssl/stack.h
 bntest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
 bntest.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
 bntest.o: ../include/openssl/x509_vfy.h bntest.c
-casttest.o: ../include/openssl/cast.h casttest.c
+casttest.o: ../e_os.h ../include/openssl/cast.h ../include/openssl/e_os2.h
+casttest.o: ../include/openssl/opensslconf.h casttest.c
 destest.o: ../include/openssl/crypto.h ../include/openssl/des.h
 destest.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h
 destest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 destest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 destest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
 destest.o: ../include/openssl/ui_compat.h destest.c
-dhtest.o: ../include/openssl/bio.h ../include/openssl/bn.h
+dhtest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h
 dhtest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
 dhtest.o: ../include/openssl/e_os2.h ../include/openssl/err.h
 dhtest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
 dhtest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 dhtest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
 dhtest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h dhtest.c
-dsatest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-dsatest.o: ../include/openssl/bn.h ../include/openssl/crypto.h
-dsatest.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-dsatest.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+dsatest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h
+dsatest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+dsatest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
 dsatest.o: ../include/openssl/err.h ../include/openssl/lhash.h
 dsatest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 dsatest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
-dsatest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-dsatest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-dsatest.o: ../include/openssl/ui.h dsatest.c
-ectest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+dsatest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+dsatest.o: ../include/openssl/symhacks.h dsatest.c
+ectest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ectest.o: ../include/openssl/bn.h ../include/openssl/crypto.h
 ectest.o: ../include/openssl/dh.h ../include/openssl/dsa.h
 ectest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
@@ -439,7 +585,7 @@ enginetest.o: ../include/openssl/rand.h ../include/openssl/rsa.h
 enginetest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 enginetest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
 enginetest.o: enginetest.c
-evp_test.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+evp_test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 evp_test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 evp_test.o: ../include/openssl/bn.h ../include/openssl/cast.h
 evp_test.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -459,14 +605,14 @@ evp_test.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 evp_test.o: ../include/openssl/sha.h ../include/openssl/stack.h
 evp_test.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
 evp_test.o: ../include/openssl/ui_compat.h evp_test.c
-exptest.o: ../include/openssl/bio.h ../include/openssl/bn.h
+exptest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h
 exptest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 exptest.o: ../include/openssl/err.h ../include/openssl/lhash.h
 exptest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 exptest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
 exptest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 exptest.o: ../include/openssl/symhacks.h exptest.c
-hmactest.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+hmactest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 hmactest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 hmactest.o: ../include/openssl/bn.h ../include/openssl/cast.h
 hmactest.o: ../include/openssl/crypto.h ../include/openssl/des.h
@@ -484,9 +630,9 @@ hmactest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 hmactest.o: ../include/openssl/sha.h ../include/openssl/stack.h
 hmactest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
 hmactest.o: ../include/openssl/ui_compat.h hmactest.c
-ideatest.o: ../include/openssl/idea.h ../include/openssl/opensslconf.h
-ideatest.o: ideatest.c
-md2test.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+ideatest.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/idea.h
+ideatest.o: ../include/openssl/opensslconf.h ideatest.c
+md2test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 md2test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 md2test.o: ../include/openssl/bn.h ../include/openssl/cast.h
 md2test.o: ../include/openssl/crypto.h ../include/openssl/des.h
@@ -503,7 +649,7 @@ md2test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 md2test.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 md2test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 md2test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h md2test.c
-md4test.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+md4test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 md4test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 md4test.o: ../include/openssl/bn.h ../include/openssl/cast.h
 md4test.o: ../include/openssl/crypto.h ../include/openssl/des.h
@@ -520,7 +666,7 @@ md4test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 md4test.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 md4test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 md4test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h md4test.c
-md5test.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+md5test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 md5test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 md5test.o: ../include/openssl/bn.h ../include/openssl/cast.h
 md5test.o: ../include/openssl/crypto.h ../include/openssl/des.h
@@ -537,7 +683,7 @@ md5test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 md5test.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 md5test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 md5test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h md5test.c
-mdc2test.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+mdc2test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 mdc2test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 mdc2test.o: ../include/openssl/bn.h ../include/openssl/cast.h
 mdc2test.o: ../include/openssl/crypto.h ../include/openssl/des.h
@@ -554,12 +700,16 @@ mdc2test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 mdc2test.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 mdc2test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 mdc2test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h mdc2test.c
-randtest.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
-randtest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h randtest.c
+randtest.o: ../e_os.h ../include/openssl/e_os2.h
+randtest.o: ../include/openssl/opensslconf.h ../include/openssl/ossl_typ.h
+randtest.o: ../include/openssl/rand.h randtest.c
+rc2test.o: ../e_os.h ../include/openssl/e_os2.h
 rc2test.o: ../include/openssl/opensslconf.h ../include/openssl/rc2.h rc2test.c
+rc4test.o: ../e_os.h ../include/openssl/e_os2.h
 rc4test.o: ../include/openssl/opensslconf.h ../include/openssl/rc4.h rc4test.c
-rc5test.o: ../include/openssl/rc5.h rc5test.c
-rmdtest.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+rc5test.o: ../e_os.h ../include/openssl/e_os2.h
+rc5test.o: ../include/openssl/opensslconf.h ../include/openssl/rc5.h rc5test.c
+rmdtest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 rmdtest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 rmdtest.o: ../include/openssl/bn.h ../include/openssl/cast.h
 rmdtest.o: ../include/openssl/crypto.h ../include/openssl/des.h
@@ -578,15 +728,13 @@ rmdtest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 rmdtest.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h rmdtest.c
 rsa_test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 rsa_test.o: ../include/openssl/bn.h ../include/openssl/crypto.h
-rsa_test.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-rsa_test.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-rsa_test.o: ../include/openssl/err.h ../include/openssl/lhash.h
-rsa_test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-rsa_test.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
-rsa_test.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-rsa_test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-rsa_test.o: ../include/openssl/ui.h rsa_test.c
-sha1test.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+rsa_test.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+rsa_test.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+rsa_test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+rsa_test.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+rsa_test.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+rsa_test.o: ../include/openssl/symhacks.h rsa_test.c
+sha1test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 sha1test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 sha1test.o: ../include/openssl/bn.h ../include/openssl/cast.h
 sha1test.o: ../include/openssl/crypto.h ../include/openssl/des.h
@@ -603,7 +751,7 @@ sha1test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 sha1test.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 sha1test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 sha1test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h sha1test.c
-shatest.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+shatest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 shatest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 shatest.o: ../include/openssl/bn.h ../include/openssl/cast.h
 shatest.o: ../include/openssl/crypto.h ../include/openssl/des.h
diff --git a/src/lib/libssl/src/test/maketests.com b/src/lib/libssl/src/test/maketests.com
index 91e859deab..7c44e4545a 100644
--- a/src/lib/libssl/src/test/maketests.com
+++ b/src/lib/libssl/src/test/maketests.com
@@ -16,22 +16,10 @@ $!  The test "executeables" will be placed in a directory called
 $!  [.xxx.EXE.TEST] where "xxx" denotes AXP or VAX depending on your machines
 $!  architecture.
 $!
-$!  Specify RSAREF as P1 to compile with the RSAREF library instead of
-$!  the regular one.  If you specify NORSAREF it will compile with the
-$!  regular RSAREF routines.  (Note: If you are in the United States
-$!  you MUST compile with RSAREF unless you have a license from RSA).
-$!
-$!  Note: The RSAREF libraries are NOT INCLUDED and you have to
-$!        download it from "ftp://ftp.rsa.com/rsaref".  You have to
-$!        get the ".tar-Z" file as the ".zip" file dosen't have the
-$!        directory structure stored.  You have to extract the file
-$!        into the [.RSAREF] directory under the root directory as that
-$!        is where the scripts will look for the files.
-$!
-$!  Specify DEBUG or NODEBUG P2 to compile with or without debugger
+$!  Specify DEBUG or NODEBUG P1 to compile with or without debugger
 $!  information.
 $!
-$!  Specify which compiler at P3 to try to compile under.
+$!  Specify which compiler at P2 to try to compile under.
 $!
 $!         VAXC  For VAX C.
 $!         DECC  For DEC C.
@@ -40,13 +28,13 @@ $!
 $!  If you don't speficy a compiler, it will try to determine which
 $!  "C" compiler to use.
 $!
-$!  P4, if defined, sets a TCP/IP library to use, through one of the following
+$!  P3, if defined, sets a TCP/IP library to use, through one of the following
 $!  keywords:
 $!
 $!      UCX             for UCX
 $!      SOCKETSHR       for SOCKETSHR+NETLIB
 $!
-$!  P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
+$!  P4, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
 $!
 $!
 $! Define A TCP/IP Library That We Will Need To Link To.
@@ -91,10 +79,6 @@ $! Define The CRYPTO-LIB We Are To Use.
 $!
 $ CRYPTO_LIB := SYS$DISK:[-.'ARCH'.EXE.CRYPTO]LIBCRYPTO.OLB
 $!
-$! Define The RSAREF-LIB We Are To Use.
-$!
-$ RSAREF_LIB := SYS$DISK:[-.'ARCH'.EXE.RSAREF]LIBRSAGLUE.OLB
-$!
 $! Define The SSL We Are To Use.
 $!
 $ SSL_LIB := SYS$DISK:[-.'ARCH'.EXE.SSL]LIBSSL.OLB
@@ -227,74 +211,32 @@ $!
 $ ENDIF
 $!
 $! Link The Program, Check To See If We Need To Link With RSAREF Or Not.
+$! Check To See If We Are To Link With A Specific TCP/IP Library.
 $!
-$ IF (RSAREF.EQS."TRUE")
+$ IF (TCPIP_LIB.NES."")
 $ THEN
 $!
-$!  Check To See If We Are To Link With A Specific TCP/IP Library.
-$!
-$   IF (TCPIP_LIB.NES."")
-$   THEN
-$!
-$!    Link With The RSAREF Library And A Specific TCP/IP Library.
-$!
-$     LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
-          'OBJECT_FILE',-
-          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
-          'TCPIP_LIB','OPT_FILE'/OPTION
-$!
-$!  Else...
-$!
-$   ELSE
-$!
-$!    Link With The RSAREF Library And NO TCP/IP Library.
-$!
-$     LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
-          'OBJECT_FILE', -
-          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
-          'OPT_FILE'/OPTION
-$!
-$!  End The TCP/IP Library Check.
-$!
-$   ENDIF
-$!
-$! Else...
-$!
-$ ELSE
-$!
-$!  Don't Link With The RSAREF Routines.
-$!
-$!
-$!  Check To See If We Are To Link With A Specific TCP/IP Library.
-$!
-$   IF (TCPIP_LIB.NES."")
-$   THEN
-$!
-$!    Don't Link With The RSAREF Routines And TCP/IP Library.
+$!  Don't Link With The RSAREF Routines And TCP/IP Library.
 $!
 $   LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
         'OBJECT_FILE', -
         'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
         'TCPIP_LIB','OPT_FILE'/OPTION
 $!
-$!  Else...
+$! Else...
 $!
-$   ELSE
+$ ELSE
 $!
-$!    Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
+$!  Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
 $!
 $   LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
         'OBJECT_FILE', -
         'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
         'OPT_FILE'/OPTION
 $!
-$!  End The TCP/IP Library Check.
-$!
-$   ENDIF
-$!
-$! End The RSAREF Link Check.
+$! End The TCP/IP Library Check.
 $!
-$ ENDIF 
+$ ENDIF
 $!
 $! Go Back And Do It Again.
 $!
@@ -459,32 +401,6 @@ $! End The Crypto Library Check.
 $!
 $ ENDIF
 $!
-$! See If We Need The RSAREF Library...
-$!
-$ IF (RSAREF.EQS."TRUE")
-$ THEN
-$!
-$!  Look For The Library LIBRSAGLUE.OLB.
-$!
-$   IF (F$SEARCH(RSAREF_LIB).EQS."")
-$   THEN
-$!
-$!    Tell The User We Can't Find The LIBRSAGLUE.OLB Library.
-$!
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "Can't Find The Library ",RSAREF_LIB,"."
-$     WRITE SYS$OUTPUT "We Can't Link Without It."
-$     WRITE SYS$OUTPUT ""
-$!
-$!    Since We Can't Link Without It, Exit.
-$!
-$     EXIT
-$   ENDIF
-$!
-$! End The RSAREF Library Check.
-$!
-$ ENDIF
-$!
 $! Look For The Library LIBSSL.OLB.
 $!
 $ IF (F$SEARCH(SSL_LIB).EQS."")
@@ -515,75 +431,10 @@ $ CHECK_OPTIONS:
 $!
 $! Check To See If P1 Is Blank.
 $!
-$ P1 = "NORSAREF"
-$ IF (P1.EQS."NORSAREF")
-$ THEN
-$!
-$!   P1 Is NORSAREF, So Compile With The Regular RSA Libraries.
-$!
-$    RSAREF = "FALSE"
-$ ELSE
-$!
-$!  Check To See If We Are To Use The RSAREF Library.
-$!
-$   IF (P1.EQS."RSAREF")
-$   THEN
-$!
-$!    Check To Make Sure We Have The RSAREF Source Code Directory.
-$!
-$     IF (F$SEARCH("SYS$DISK:[-.RSAREF]SOURCE.DIR").EQS."")
-$     THEN
-$!
-$!      We Don't Have The RSAREF Souce Code Directory, So Tell The
-$!      User This.
-$!
-$       WRITE SYS$OUTPUT ""
-$       WRITE SYS$OUTPUT "It appears that you don't have the RSAREF Souce Code."
-$       WRITE SYS$OUTPUT "You need to go to 'ftp://ftp.rsa.com/rsaref'.  You have to"
-$       WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file dosen't have the"
-$       WRITE SYS$OUTPUT "directory structure stored.  You have to extract the file"
-$       WRITE SYS$OUTPUT "into the [.RSAREF] directory under the root directory"
-$       WRITE SYS$OUTPUT "as that is where the scripts will look for the files."
-$       WRITE SYS$OUTPUT ""
-$!
-$!      Time To Exit.
-$!
-$       EXIT
-$!
-$!    Else, Compile Using The RSAREF Library.
-$!
-$     ELSE
-$       RSAREF = "TRUE"
-$     ENDIF
-$   ELSE 
-$!
-$!    They Entered An Invalid Option..
-$!
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "     RSAREF   :  Compile With The RSAREF Library."
-$     WRITE SYS$OUTPUT "     NORSAREF :  Compile With The Regular RSA Library."
-$     WRITE SYS$OUTPUT ""
-$!
-$!    Time To EXIT.
-$!
-$     EXIT
-$!
-$!  End The Valid Arguement Check.
-$!
-$   ENDIF
-$!
-$! End The P1 Check.
-$!
-$ ENDIF
-$!
-$! Check To See If P2 Is Blank.
-$!
-$ IF (P2.EQS."NODEBUG")
+$ IF (P1.EQS."NODEBUG")
 $ THEN
 $!
-$!   P2 Is NODEBUG, So Compile Without Debugger Information.
+$!   P1 Is NODEBUG, So Compile Without Debugger Information.
 $!
 $    DEBUGGER  = "NODEBUG"
 $    TRACEBACK = "NOTRACEBACK" 
@@ -598,7 +449,7 @@ $ ELSE
 $!
 $!  Check To See If We Are To Compile With Debugger Information.
 $!
-$   IF (P2.EQS."DEBUG")
+$   IF (P1.EQS."DEBUG")
 $   THEN
 $!
 $!    Compile With Debugger Information.
@@ -617,7 +468,7 @@ $!
 $!    Tell The User Entered An Invalid Option..
 $!
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "    DEBUG    :  Compile With The Debugger Information."
 $     WRITE SYS$OUTPUT "    NODEBUG  :  Compile Without The Debugger Information."
@@ -631,13 +482,13 @@ $!  End The Valid Arguement Check.
 $!
 $   ENDIF
 $!
-$! End The P3 Check.
+$! End The P2 Check.
 $!
 $ ENDIF
 $!
-$! Check To See If P3 Is Blank.
+$! Check To See If P2 Is Blank.
 $!
-$ IF (P3.EQS."")
+$ IF (P2.EQS."")
 $ THEN
 $!
 $!  O.K., The User Didn't Specify A Compiler, Let's Try To
@@ -650,7 +501,7 @@ $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
 $!
-$     P3 = "GNUC"
+$     P2 = "GNUC"
 $!
 $!  End The GNU C Compiler Check.
 $!
@@ -663,7 +514,7 @@ $     THEN
 $!
 $!      Looks Like DECC, Set To Use DECC.
 $!
-$       P3 = "DECC"
+$       P2 = "DECC"
 $!
 $!      Else...
 $!
@@ -671,7 +522,7 @@ $     ELSE
 $!
 $!      Looks Like VAXC, Set To Use VAXC.
 $!
-$       P3 = "VAXC"
+$       P2 = "VAXC"
 $!
 $!    End The VAXC Compiler Check.
 $!
@@ -685,9 +536,9 @@ $!  End The Compiler Check.
 $!
 $ ENDIF
 $!
-$! Check To See If We Have A Option For P4.
+$! Check To See If We Have A Option For P3.
 $!
-$ IF (P4.EQS."")
+$ IF (P3.EQS."")
 $ THEN
 $!
 $!  Find out what socket library we have available
@@ -697,7 +548,7 @@ $   THEN
 $!
 $!    We have SOCKETSHR, and it is my opinion that it's the best to use.
 $!
-$     P4 = "SOCKETSHR"
+$     P3 = "SOCKETSHR"
 $!
 $!    Tell the user
 $!
@@ -717,7 +568,7 @@ $     THEN
 $!
 $!      Last resort: a UCX or UCX-compatible library
 $!
-$       P4 = "UCX"
+$       P3 = "UCX"
 $!
 $!      Tell the user
 $!
@@ -731,7 +582,7 @@ $ ENDIF
 $!
 $! Set Up Initial CC Definitions, Possibly With User Ones
 $!
-$ CCDEFS = "TCPIP_TYPE_''P4'"
+$ CCDEFS = "TCPIP_TYPE_''P3'"
 $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
@@ -741,12 +592,12 @@ $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
 $!
 $!  Check To See If The User Entered A Valid Paramter.
 $!
-$ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC")
+$ IF (P2.EQS."VAXC").OR.(P2.EQS."DECC").OR.(P2.EQS."GNUC")
 $ THEN
 $!
 $!  Check To See If The User Wanted DECC.
 $!
-$   IF (P3.EQS."DECC")
+$   IF (P2.EQS."DECC")
 $   THEN
 $!
 $!    Looks Like DECC, Set To Use DECC.
@@ -776,7 +627,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use VAXC.
 $!
-$   IF (P3.EQS."VAXC")
+$   IF (P2.EQS."VAXC")
 $   THEN
 $!
 $!    Looks Like VAXC, Set To Use VAXC.
@@ -814,7 +665,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use GNU C.
 $!
-$   IF (P3.EQS."GNUC")
+$   IF (P2.EQS."GNUC")
 $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
@@ -842,31 +693,6 @@ $!  Set up default defines
 $!
 $   CCDEFS = """FLAT_INC=1""," + CCDEFS
 $!
-$!  Check To See If We Are To Compile With RSAREF Routines.
-$!
-$   IF (RSAREF.EQS."TRUE")
-$   THEN
-$!
-$!    Compile With RSAREF.
-$!
-$     CCDEFS = CCDEFS + ",""RSAref=1"""
-$!
-$!    Tell The User This.
-$!
-$     WRITE SYS$OUTPUT "Compiling With RSAREF Routines."
-$!
-$!    Else, We Don't Care.  Compile Without The RSAREF Library.
-$!
-$   ELSE
-$!
-$!    Tell The User We Are Compile Without The RSAREF Routines.
-$!
-$     WRITE SYS$OUTPUT "Compiling Without The RSAREF Routines.
-$!
-$!  End The RSAREF Check.
-$!
-$   ENDIF
-$!
 $!  Finish up the definition of CC.
 $!
 $   IF COMPILER .EQS. "DECC"
@@ -896,7 +722,7 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    VAXC  :  To Compile With VAX C."
 $   WRITE SYS$OUTPUT "    DECC  :  To Compile With DEC C."
@@ -910,13 +736,13 @@ $ ENDIF
 $!
 $! Time to check the contents, and to make sure we get the correct library.
 $!
-$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX" -
-     .OR. P4.EQS."TCPIP" .OR. P4.EQS."NONE"
+$ IF P3.EQS."SOCKETSHR" .OR. P3.EQS."MULTINET" .OR. P3.EQS."UCX" -
+     .OR. P3.EQS."TCPIP" .OR. P3.EQS."NONE"
 $ THEN
 $!
 $!  Check to see if SOCKETSHR was chosen
 $!
-$   IF P4.EQS."SOCKETSHR"
+$   IF P3.EQS."SOCKETSHR"
 $   THEN
 $!
 $!    Set the library to use SOCKETSHR
@@ -929,12 +755,12 @@ $   ENDIF
 $!
 $!  Check to see if MULTINET was chosen
 $!
-$   IF P4.EQS."MULTINET"
+$   IF P3.EQS."MULTINET"
 $   THEN
 $!
 $!    Set the library to use UXC emulation.
 $!
-$     P4 = "UCX"
+$     P3 = "UCX"
 $!
 $!    Done with MULTINET
 $!
@@ -942,7 +768,7 @@ $   ENDIF
 $!
 $!  Check to see if UCX was chosen
 $!
-$   IF P4.EQS."UCX"
+$   IF P3.EQS."UCX"
 $   THEN
 $!
 $!    Set the library to use UCX.
@@ -962,7 +788,7 @@ $   ENDIF
 $!
 $!  Check to see if TCPIP was chosen
 $!
-$   IF P4.EQS."TCPIP"
+$   IF P3.EQS."TCPIP"
 $   THEN
 $!
 $!    Set the library to use TCPIP (post UCX).
@@ -975,7 +801,7 @@ $   ENDIF
 $!
 $!  Check to see if NONE was chosen
 $!
-$   IF P4.EQS."NONE"
+$   IF P3.EQS."NONE"
 $   THEN
 $!
 $!    Do not use a TCPIP library.
@@ -997,7 +823,7 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    SOCKETSHR  :  To link with SOCKETSHR TCP/IP library."
 $   WRITE SYS$OUTPUT "    UCX        :  To link with UCX TCP/IP library."
@@ -1018,9 +844,9 @@ $! Written By:  Richard Levitte
 $!              richard@levitte.org
 $!
 $!
-$! Check To See If We Have A Option For P5.
+$! Check To See If We Have A Option For P4.
 $!
-$ IF (P5.EQS."")
+$ IF (P4.EQS."")
 $ THEN
 $!
 $!  Get The Version Of VMS We Are Using.
@@ -1042,7 +868,7 @@ $!  End The VMS Version Check.
 $!
 $   ENDIF
 $!
-$! End The P5 Check.
+$! End The P4 Check.
 $!
 $ ENDIF
 $!
diff --git a/src/lib/libssl/src/test/methtest.c b/src/lib/libssl/src/test/methtest.c
index 06ccb3b310..005c2f4822 100644
--- a/src/lib/libssl/src/test/methtest.c
+++ b/src/lib/libssl/src/test/methtest.c
@@ -96,10 +96,10 @@ char *argv[];
         METH_init(top);
         METH_control(tmp1,METH_CONTROL_DUMP,stdout);
         METH_control(tmp2,METH_CONTROL_DUMP,stdout);
-        exit(0);
+        EXIT(0);
 err:
         ERR_load_crypto_strings();
         ERR_print_errors_fp(stderr);
-        exit(1);
+        EXIT(1);
         return(0);
         }
diff --git a/src/lib/libssl/src/test/testgen b/src/lib/libssl/src/test/testgen
index 55c496f4bc..3798543e04 100644
--- a/src/lib/libssl/src/test/testgen
+++ b/src/lib/libssl/src/test/testgen
@@ -27,6 +27,8 @@ fi
 
 echo "This could take some time."
 
+rm -f testkey.pem testreq.pem
+
 ../apps/openssl req -config test.cnf $req_new -out testreq.pem
 if [ $? != 0 ]; then
 echo problems creating request
diff --git a/src/lib/libssl/src/test/testssl b/src/lib/libssl/src/test/testssl
index ba5e41c861..ca8e718022 100644
--- a/src/lib/libssl/src/test/testssl
+++ b/src/lib/libssl/src/test/testssl
@@ -121,8 +121,12 @@ $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
 
 #############################################################################
 
-echo test tls1 with 1024bit anonymous DH, multiple handshakes
-$ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
+if ../apps/openssl no-dh; then
+  echo skipping anonymous DH tests
+else
+  echo test tls1 with 1024bit anonymous DH, multiple handshakes
+  $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
+fi
 
 if ../apps/openssl no-rsa; then
   echo skipping RSA tests
@@ -130,8 +134,12 @@ else
   echo test tls1 with 1024bit RSA, no DHE, multiple handshakes
   ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
 
-  echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
-  ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
+  if ../apps/openssl no-dh; then
+    echo skipping RSA+DHE tests
+  else
+    echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
+    ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
+  fi
 fi
 
 exit 0
diff --git a/src/lib/libssl/src/test/testssl.com b/src/lib/libssl/src/test/testssl.com
index 785f262f5a..26308f7715 100644
--- a/src/lib/libssl/src/test/testssl.com
+++ b/src/lib/libssl/src/test/testssl.com
@@ -159,16 +159,25 @@ $	if $severity .ne. 1 then goto exit3
 $
 $!###########################################################################
 $
-$       write sys$output "test tls1 with 1024bit anonymous DH, multiple handshakes"
-$       'ssltest' -v -bio_pair -tls1 -cipher "ADH" -dhe1024dsa -num 10 -f -time
-$       if $severity .ne. 1 then goto exit3
-$
 $       set noon
 $       define/user sys$output nla0:
 $       mcr 'exe_dir'openssl no-rsa
-$       save_severity=$SEVERITY
+$       no_rsa=$SEVERITY
+$       define/user sys$output nla0:
+$       mcr 'exe_dir'openssl no-dh
+$       no_dh=$SEVERITY
 $       set on
-$       if save_severity
+$
+$       if no_dh
+$       then
+$           write sys$output "skipping anonymous DH tests"
+$       else
+$           write sys$output "test tls1 with 1024bit anonymous DH, multiple handshakes"
+$           'ssltest' -v -bio_pair -tls1 -cipher "ADH" -dhe1024dsa -num 10 -f -time
+$           if $severity .ne. 1 then goto exit3
+$       endif
+$
+$       if no_rsa
 $       then
 $           write sys$output "skipping RSA tests"
 $       else
@@ -176,9 +185,14 @@ $	    write sys$output "test tls1 with 1024bit RSA, no DHE, multiple handshakes"
 $           mcr 'texe_dir'ssltest -v -bio_pair -tls1 -cert [-.apps]server2.pem -no_dhe -num 10 -f -time
 $           if $severity .ne. 1 then goto exit3
 $
-$           write sys$output "test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes"
-$           mcr 'texe_dir'ssltest -v -bio_pair -tls1 -cert [-.apps]server2.pem -dhe1024dsa -num 10 -f -time
-$           if $severity .ne. 1 then goto exit3
+$           if no_dh
+$           then
+$               write sys$output "skipping RSA+DHE tests"
+$           else
+$               write sys$output "test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes"
+$               mcr 'texe_dir'ssltest -v -bio_pair -tls1 -cert [-.apps]server2.pem -dhe1024dsa -num 10 -f -time
+$               if $severity .ne. 1 then goto exit3
+$           endif
 $       endif
 $
 $       RET = 1
diff --git a/src/lib/libssl/src/tools/Makefile.ssl b/src/lib/libssl/src/tools/Makefile.ssl
index 32d0b516ba..cb33d4a41e 100644
--- a/src/lib/libssl/src/tools/Makefile.ssl
+++ b/src/lib/libssl/src/tools/Makefile.ssl
@@ -27,13 +27,15 @@ all:
 install:
         @for i in $(APPS) ; \
         do  \
-        (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
-        chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+        (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+        chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+        mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
         done;
         @for i in $(MISC_APPS) ; \
         do  \
-        (cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i; \
-        chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
+        (cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
+        chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
+        mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
         done;
 
 files:
diff --git a/src/lib/libssl/src/tools/c_rehash.in b/src/lib/libssl/src/tools/c_rehash.in
index 5b053406c2..4497cbd9f1 100644
--- a/src/lib/libssl/src/tools/c_rehash.in
+++ b/src/lib/libssl/src/tools/c_rehash.in
@@ -100,7 +100,8 @@ sub check_file {
 
 sub link_hash_cert {
                 my $fname = $_[0];
-                my ($hash, $fprint) = `$openssl x509 -hash -fingerprint -noout -in "$fname"`;
+                $fname =~ s/'/'\\''/g;
+                my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in '$fname'`;
                 chomp $hash;
                 chomp $fprint;
                 $fprint =~ s/^.*=//;
@@ -130,7 +131,8 @@ sub link_hash_cert {
 
 sub link_hash_crl {
                 my $fname = $_[0];
-                my ($hash, $fprint) = `$openssl crl -hash -fingerprint -noout -in "$fname"`;
+                $fname =~ s/'/'\\''/g;
+                my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`;
                 chomp $hash;
                 chomp $fprint;
                 $fprint =~ s/^.*=//;
diff --git a/src/lib/libssl/src/util/cygwin.sh b/src/lib/libssl/src/util/cygwin.sh
index b607399b02..930f766b4f 100644
--- a/src/lib/libssl/src/util/cygwin.sh
+++ b/src/lib/libssl/src/util/cygwin.sh
@@ -96,6 +96,8 @@ fi
 
 get_openssl_version
 
+make depend || exit 1
+
 make || exit 1
 
 base_install
diff --git a/src/lib/libssl/src/util/domd b/src/lib/libssl/src/util/domd
index 8cbe383c16..49310bbdd1 100644
--- a/src/lib/libssl/src/util/domd
+++ b/src/lib/libssl/src/util/domd
@@ -15,9 +15,14 @@ cp Makefile.ssl Makefile.save
 # fake the presence of Kerberos
 touch $TOP/krb5.h
 if [ "$MAKEDEPEND" = "gcc" ]; then
+    args=""
+    while [ $# -gt 0 ]; do
+        if [ "$1" != "--" ]; then args="$args $1"; fi
+        shift
+    done
     sed -e '/^# DO NOT DELETE.*/,$d' < Makefile.ssl > Makefile.tmp
     echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp
-    gcc -D OPENSSL_DOING_MAKEDEPEND -M $@ >> Makefile.tmp
+    gcc -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp
     ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new
     rm -f Makefile.tmp
 else
diff --git a/src/lib/libssl/src/util/libeay.num b/src/lib/libssl/src/util/libeay.num
index 7e5728495f..f5c8c0be8a 100644
--- a/src/lib/libssl/src/util/libeay.num
+++ b/src/lib/libssl/src/util/libeay.num
@@ -980,7 +980,7 @@ BN_mul_word                             999	EXIST::FUNCTION:
 BN_sub_word                             1000    EXIST::FUNCTION:
 BN_dec2bn                               1001    EXIST::FUNCTION:
 BN_bn2dec                               1002    EXIST::FUNCTION:
-BIO_ghbn_ctrl                           1003    EXIST::FUNCTION:
+BIO_ghbn_ctrl                           1003    NOEXIST::FUNCTION:
 CRYPTO_free_ex_data                     1004    EXIST::FUNCTION:
 CRYPTO_get_ex_data                      1005    EXIST::FUNCTION:
 CRYPTO_set_ex_data                      1007    EXIST::FUNCTION:
@@ -1881,72 +1881,72 @@ BIO_f_linebuffer                        2463	EXIST:VMS:FUNCTION:
 BN_bntest_rand                          2464    EXIST::FUNCTION:
 OPENSSL_issetugid                       2465    EXIST::FUNCTION:
 BN_rand_range                           2466    EXIST::FUNCTION:
-ERR_load_ENGINE_strings                 2467    EXIST::FUNCTION:
-ENGINE_set_DSA                          2468    EXIST::FUNCTION:
-ENGINE_get_finish_function              2469    EXIST::FUNCTION:
-ENGINE_get_default_RSA                  2470    EXIST::FUNCTION:
+ERR_load_ENGINE_strings                 2467    EXIST::FUNCTION:ENGINE
+ENGINE_set_DSA                          2468    EXIST::FUNCTION:ENGINE
+ENGINE_get_finish_function              2469    EXIST::FUNCTION:ENGINE
+ENGINE_get_default_RSA                  2470    EXIST::FUNCTION:ENGINE
 ENGINE_get_BN_mod_exp                   2471    NOEXIST::FUNCTION:
 DSA_get_default_openssl_method          2472    NOEXIST::FUNCTION:
-ENGINE_set_DH                           2473    EXIST::FUNCTION:
+ENGINE_set_DH                           2473    EXIST::FUNCTION:ENGINE
 ENGINE_set_def_BN_mod_exp_crt           2474    NOEXIST::FUNCTION:
 ENGINE_set_default_BN_mod_exp_crt       2474    NOEXIST::FUNCTION:
-ENGINE_init                             2475    EXIST::FUNCTION:
+ENGINE_init                             2475    EXIST::FUNCTION:ENGINE
 DH_get_default_openssl_method           2476    NOEXIST::FUNCTION:
 RSA_set_default_openssl_method          2477    NOEXIST::FUNCTION:
-ENGINE_finish                           2478    EXIST::FUNCTION:
-ENGINE_load_public_key                  2479    EXIST::FUNCTION:
-ENGINE_get_DH                           2480    EXIST::FUNCTION:
-ENGINE_ctrl                             2481    EXIST::FUNCTION:
-ENGINE_get_init_function                2482    EXIST::FUNCTION:
-ENGINE_set_init_function                2483    EXIST::FUNCTION:
-ENGINE_set_default_DSA                  2484    EXIST::FUNCTION:
-ENGINE_get_name                         2485    EXIST::FUNCTION:
-ENGINE_get_last                         2486    EXIST::FUNCTION:
-ENGINE_get_prev                         2487    EXIST::FUNCTION:
-ENGINE_get_default_DH                   2488    EXIST::FUNCTION:
-ENGINE_get_RSA                          2489    EXIST::FUNCTION:
-ENGINE_set_default                      2490    EXIST::FUNCTION:
-ENGINE_get_RAND                         2491    EXIST::FUNCTION:
-ENGINE_get_first                        2492    EXIST::FUNCTION:
-ENGINE_by_id                            2493    EXIST::FUNCTION:
-ENGINE_set_finish_function              2494    EXIST::FUNCTION:
+ENGINE_finish                           2478    EXIST::FUNCTION:ENGINE
+ENGINE_load_public_key                  2479    EXIST::FUNCTION:ENGINE
+ENGINE_get_DH                           2480    EXIST::FUNCTION:ENGINE
+ENGINE_ctrl                             2481    EXIST::FUNCTION:ENGINE
+ENGINE_get_init_function                2482    EXIST::FUNCTION:ENGINE
+ENGINE_set_init_function                2483    EXIST::FUNCTION:ENGINE
+ENGINE_set_default_DSA                  2484    EXIST::FUNCTION:ENGINE
+ENGINE_get_name                         2485    EXIST::FUNCTION:ENGINE
+ENGINE_get_last                         2486    EXIST::FUNCTION:ENGINE
+ENGINE_get_prev                         2487    EXIST::FUNCTION:ENGINE
+ENGINE_get_default_DH                   2488    EXIST::FUNCTION:ENGINE
+ENGINE_get_RSA                          2489    EXIST::FUNCTION:ENGINE
+ENGINE_set_default                      2490    EXIST::FUNCTION:ENGINE
+ENGINE_get_RAND                         2491    EXIST::FUNCTION:ENGINE
+ENGINE_get_first                        2492    EXIST::FUNCTION:ENGINE
+ENGINE_by_id                            2493    EXIST::FUNCTION:ENGINE
+ENGINE_set_finish_function              2494    EXIST::FUNCTION:ENGINE
 ENGINE_get_def_BN_mod_exp_crt           2495    NOEXIST::FUNCTION:
 ENGINE_get_default_BN_mod_exp_crt       2495    NOEXIST::FUNCTION:
 RSA_get_default_openssl_method          2496    NOEXIST::FUNCTION:
-ENGINE_set_RSA                          2497    EXIST::FUNCTION:
-ENGINE_load_private_key                 2498    EXIST::FUNCTION:
-ENGINE_set_default_RAND                 2499    EXIST::FUNCTION:
+ENGINE_set_RSA                          2497    EXIST::FUNCTION:ENGINE
+ENGINE_load_private_key                 2498    EXIST::FUNCTION:ENGINE
+ENGINE_set_default_RAND                 2499    EXIST::FUNCTION:ENGINE
 ENGINE_set_BN_mod_exp                   2500    NOEXIST::FUNCTION:
-ENGINE_remove                           2501    EXIST::FUNCTION:
-ENGINE_free                             2502    EXIST::FUNCTION:
+ENGINE_remove                           2501    EXIST::FUNCTION:ENGINE
+ENGINE_free                             2502    EXIST::FUNCTION:ENGINE
 ENGINE_get_BN_mod_exp_crt               2503    NOEXIST::FUNCTION:
-ENGINE_get_next                         2504    EXIST::FUNCTION:
-ENGINE_set_name                         2505    EXIST::FUNCTION:
-ENGINE_get_default_DSA                  2506    EXIST::FUNCTION:
+ENGINE_get_next                         2504    EXIST::FUNCTION:ENGINE
+ENGINE_set_name                         2505    EXIST::FUNCTION:ENGINE
+ENGINE_get_default_DSA                  2506    EXIST::FUNCTION:ENGINE
 ENGINE_set_default_BN_mod_exp           2507    NOEXIST::FUNCTION:
-ENGINE_set_default_RSA                  2508    EXIST::FUNCTION:
-ENGINE_get_default_RAND                 2509    EXIST::FUNCTION:
+ENGINE_set_default_RSA                  2508    EXIST::FUNCTION:ENGINE
+ENGINE_get_default_RAND                 2509    EXIST::FUNCTION:ENGINE
 ENGINE_get_default_BN_mod_exp           2510    NOEXIST::FUNCTION:
-ENGINE_set_RAND                         2511    EXIST::FUNCTION:
-ENGINE_set_id                           2512    EXIST::FUNCTION:
+ENGINE_set_RAND                         2511    EXIST::FUNCTION:ENGINE
+ENGINE_set_id                           2512    EXIST::FUNCTION:ENGINE
 ENGINE_set_BN_mod_exp_crt               2513    NOEXIST::FUNCTION:
-ENGINE_set_default_DH                   2514    EXIST::FUNCTION:
-ENGINE_new                              2515    EXIST::FUNCTION:
-ENGINE_get_id                           2516    EXIST::FUNCTION:
+ENGINE_set_default_DH                   2514    EXIST::FUNCTION:ENGINE
+ENGINE_new                              2515    EXIST::FUNCTION:ENGINE
+ENGINE_get_id                           2516    EXIST::FUNCTION:ENGINE
 DSA_set_default_openssl_method          2517    NOEXIST::FUNCTION:
-ENGINE_add                              2518    EXIST::FUNCTION:
+ENGINE_add                              2518    EXIST::FUNCTION:ENGINE
 DH_set_default_openssl_method           2519    NOEXIST::FUNCTION:
-ENGINE_get_DSA                          2520    EXIST::FUNCTION:
-ENGINE_get_ctrl_function                2521    EXIST::FUNCTION:
-ENGINE_set_ctrl_function                2522    EXIST::FUNCTION:
+ENGINE_get_DSA                          2520    EXIST::FUNCTION:ENGINE
+ENGINE_get_ctrl_function                2521    EXIST::FUNCTION:ENGINE
+ENGINE_set_ctrl_function                2522    EXIST::FUNCTION:ENGINE
 BN_pseudo_rand_range                    2523    EXIST::FUNCTION:
 X509_STORE_CTX_set_verify_cb            2524    EXIST::FUNCTION:
 ERR_load_COMP_strings                   2525    EXIST::FUNCTION:
 PKCS12_item_decrypt_d2i                 2526    EXIST::FUNCTION:
 ASN1_UTF8STRING_it                      2527    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 ASN1_UTF8STRING_it                      2527    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_unregister_ciphers               2528    EXIST::FUNCTION:
-ENGINE_get_ciphers                      2529    EXIST::FUNCTION:
+ENGINE_unregister_ciphers               2528    EXIST::FUNCTION:ENGINE
+ENGINE_get_ciphers                      2529    EXIST::FUNCTION:ENGINE
 d2i_OCSP_BASICRESP                      2530    EXIST::FUNCTION:
 KRB5_CHECKSUM_it                        2531    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 KRB5_CHECKSUM_it                        2531    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -1959,15 +1959,15 @@ X509V3_add1_i2d                         2536	EXIST::FUNCTION:
 PKCS7_ENVELOPE_it                       2537    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PKCS7_ENVELOPE_it                       2537    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 UI_add_input_boolean                    2538    EXIST::FUNCTION:
-ENGINE_unregister_RSA                   2539    EXIST::FUNCTION:
+ENGINE_unregister_RSA                   2539    EXIST::FUNCTION:ENGINE
 X509V3_EXT_nconf                        2540    EXIST::FUNCTION:
 ASN1_GENERALSTRING_free                 2541    EXIST::FUNCTION:
 d2i_OCSP_CERTSTATUS                     2542    EXIST::FUNCTION:
 X509_REVOKED_set_serialNumber           2543    EXIST::FUNCTION:
 X509_print_ex                           2544    EXIST::FUNCTION:BIO
 OCSP_ONEREQ_get1_ext_d2i                2545    EXIST::FUNCTION:
-ENGINE_register_all_RAND                2546    EXIST::FUNCTION:
-ENGINE_load_dynamic                     2547    EXIST::FUNCTION:
+ENGINE_register_all_RAND                2546    EXIST::FUNCTION:ENGINE
+ENGINE_load_dynamic                     2547    EXIST::FUNCTION:ENGINE
 PBKDF2PARAM_it                          2548    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PBKDF2PARAM_it                          2548    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 EXTENDED_KEY_USAGE_new                  2549    EXIST::FUNCTION:
@@ -1987,7 +1987,7 @@ X509_STORE_set_purpose                  2559	EXIST::FUNCTION:
 i2d_ASN1_GENERALSTRING                  2560    EXIST::FUNCTION:
 OCSP_response_status                    2561    EXIST::FUNCTION:
 i2d_OCSP_SERVICELOC                     2562    EXIST::FUNCTION:
-ENGINE_get_digest_engine                2563    EXIST::FUNCTION:
+ENGINE_get_digest_engine                2563    EXIST::FUNCTION:ENGINE
 EC_GROUP_set_curve_GFp                  2564    EXIST::FUNCTION:EC
 OCSP_REQUEST_get_ext_by_OBJ             2565    EXIST::FUNCTION:
 _ossl_old_des_random_key                2566    EXIST::FUNCTION:DES
@@ -2011,7 +2011,7 @@ _shadow_DES_rw_mode                     2581	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 _shadow_DES_rw_mode                     2581    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:DES
 asn1_do_adb                             2582    EXIST::FUNCTION:
 ASN1_template_i2d                       2583    EXIST::FUNCTION:
-ENGINE_register_DH                      2584    EXIST::FUNCTION:
+ENGINE_register_DH                      2584    EXIST::FUNCTION:ENGINE
 UI_construct_prompt                     2585    EXIST::FUNCTION:
 X509_STORE_set_trust                    2586    EXIST::FUNCTION:
 UI_dup_input_string                     2587    EXIST::FUNCTION:
@@ -2039,7 +2039,7 @@ OCSP_resp_find                          2605	EXIST::FUNCTION:
 BN_nnmod                                2606    EXIST::FUNCTION:
 X509_CRL_sort                           2607    EXIST::FUNCTION:
 X509_REVOKED_set_revocationDate         2608    EXIST::FUNCTION:
-ENGINE_register_RAND                    2609    EXIST::FUNCTION:
+ENGINE_register_RAND                    2609    EXIST::FUNCTION:ENGINE
 OCSP_SERVICELOC_new                     2610    EXIST::FUNCTION:
 EC_POINT_set_affine_coordinates_GFp     2611    EXIST:!VMS:FUNCTION:EC
 EC_POINT_set_affine_coords_GFp          2611    EXIST:VMS:FUNCTION:EC
@@ -2049,11 +2049,11 @@ SXNET_it                                2613	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 UI_dup_input_boolean                    2614    EXIST::FUNCTION:
 PKCS12_add_CSPName_asc                  2615    EXIST::FUNCTION:
 EC_POINT_is_at_infinity                 2616    EXIST::FUNCTION:EC
-ENGINE_load_openbsd_dev_crypto          2617    EXIST::FUNCTION:
+ENGINE_load_cryptodev                   2617    EXIST::FUNCTION:ENGINE
 DSO_convert_filename                    2618    EXIST::FUNCTION:
 POLICYQUALINFO_it                       2619    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 POLICYQUALINFO_it                       2619    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_register_ciphers                 2620    EXIST::FUNCTION:
+ENGINE_register_ciphers                 2620    EXIST::FUNCTION:ENGINE
 BN_mod_lshift_quick                     2621    EXIST::FUNCTION:
 DSO_set_filename                        2622    EXIST::FUNCTION:
 ASN1_item_free                          2623    EXIST::FUNCTION:
@@ -2062,7 +2062,7 @@ AUTHORITY_KEYID_it                      2625	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 AUTHORITY_KEYID_it                      2625    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 KRB5_APREQBODY_new                      2626    EXIST::FUNCTION:
 X509V3_EXT_REQ_add_nconf                2627    EXIST::FUNCTION:
-ENGINE_ctrl_cmd_string                  2628    EXIST::FUNCTION:
+ENGINE_ctrl_cmd_string                  2628    EXIST::FUNCTION:ENGINE
 i2d_OCSP_RESPDATA                       2629    EXIST::FUNCTION:
 EVP_MD_CTX_init                         2630    EXIST::FUNCTION:
 EXTENDED_KEY_USAGE_free                 2631    EXIST::FUNCTION:
@@ -2071,8 +2071,8 @@ PKCS7_ATTR_SIGN_it                      2632	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 UI_add_error_string                     2633    EXIST::FUNCTION:
 KRB5_CHECKSUM_free                      2634    EXIST::FUNCTION:
 OCSP_REQUEST_get_ext                    2635    EXIST::FUNCTION:
-ENGINE_load_ubsec                       2636    EXIST::FUNCTION:
-ENGINE_register_all_digests             2637    EXIST::FUNCTION:
+ENGINE_load_ubsec                       2636    EXIST::FUNCTION:ENGINE
+ENGINE_register_all_digests             2637    EXIST::FUNCTION:ENGINE
 PKEY_USAGE_PERIOD_it                    2638    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PKEY_USAGE_PERIOD_it                    2638    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 PKCS12_unpack_authsafes                 2639    EXIST::FUNCTION:
@@ -2098,16 +2098,16 @@ OCSP_CERTSTATUS_free                    2653	EXIST::FUNCTION:
 _ossl_old_des_crypt                     2654    EXIST::FUNCTION:DES
 ASN1_item_i2d                           2655    EXIST::FUNCTION:
 EVP_DecryptFinal_ex                     2656    EXIST::FUNCTION:
-ENGINE_load_openssl                     2657    EXIST::FUNCTION:
-ENGINE_get_cmd_defns                    2658    EXIST::FUNCTION:
-ENGINE_set_load_privkey_function        2659    EXIST:!VMS:FUNCTION:
-ENGINE_set_load_privkey_fn              2659    EXIST:VMS:FUNCTION:
+ENGINE_load_openssl                     2657    EXIST::FUNCTION:ENGINE
+ENGINE_get_cmd_defns                    2658    EXIST::FUNCTION:ENGINE
+ENGINE_set_load_privkey_function        2659    EXIST:!VMS:FUNCTION:ENGINE
+ENGINE_set_load_privkey_fn              2659    EXIST:VMS:FUNCTION:ENGINE
 EVP_EncryptFinal_ex                     2660    EXIST::FUNCTION:
-ENGINE_set_default_digests              2661    EXIST::FUNCTION:
+ENGINE_set_default_digests              2661    EXIST::FUNCTION:ENGINE
 X509_get0_pubkey_bitstr                 2662    EXIST::FUNCTION:
 asn1_ex_i2c                             2663    EXIST::FUNCTION:
-ENGINE_register_RSA                     2664    EXIST::FUNCTION:
-ENGINE_unregister_DSA                   2665    EXIST::FUNCTION:
+ENGINE_register_RSA                     2664    EXIST::FUNCTION:ENGINE
+ENGINE_unregister_DSA                   2665    EXIST::FUNCTION:ENGINE
 _ossl_old_des_key_sched                 2666    EXIST::FUNCTION:DES
 X509_EXTENSION_it                       2667    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 X509_EXTENSION_it                       2667    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2120,7 +2120,7 @@ PKCS12_certbag2x509                     2672	EXIST::FUNCTION:
 _ossl_old_des_ofb64_encrypt             2673    EXIST::FUNCTION:DES
 d2i_EXTENDED_KEY_USAGE                  2674    EXIST::FUNCTION:
 ERR_print_errors_cb                     2675    EXIST::FUNCTION:
-ENGINE_set_ciphers                      2676    EXIST::FUNCTION:
+ENGINE_set_ciphers                      2676    EXIST::FUNCTION:ENGINE
 d2i_KRB5_APREQBODY                      2677    EXIST::FUNCTION:
 UI_method_get_flusher                   2678    EXIST::FUNCTION:
 X509_PUBKEY_it                          2679    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2156,7 +2156,7 @@ NCONF_get_number_e                      2704	EXIST::FUNCTION:
 _ossl_old_des_decrypt3                  2705    EXIST::FUNCTION:DES
 X509_signature_print                    2706    EXIST::FUNCTION:EVP
 OCSP_SINGLERESP_free                    2707    EXIST::FUNCTION:
-ENGINE_load_builtin_engines             2708    EXIST::FUNCTION:
+ENGINE_load_builtin_engines             2708    EXIST::FUNCTION:ENGINE
 i2d_OCSP_ONEREQ                         2709    EXIST::FUNCTION:
 OCSP_REQUEST_add_ext                    2710    EXIST::FUNCTION:
 OCSP_RESPBYTES_new                      2711    EXIST::FUNCTION:
@@ -2184,7 +2184,7 @@ X509_CERT_AUX_it                        2727	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 CERTIFICATEPOLICIES_it                  2728    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 CERTIFICATEPOLICIES_it                  2728    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 _ossl_old_des_ede3_cbc_encrypt          2729    EXIST::FUNCTION:DES
-RAND_set_rand_engine                    2730    EXIST::FUNCTION:
+RAND_set_rand_engine                    2730    EXIST::FUNCTION:ENGINE
 DSO_get_loaded_filename                 2731    EXIST::FUNCTION:
 X509_ATTRIBUTE_it                       2732    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 X509_ATTRIBUTE_it                       2732    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2206,7 +2206,7 @@ i2d_OCSP_BASICRESP                      2744	EXIST::FUNCTION:
 i2d_OCSP_RESPBYTES                      2745    EXIST::FUNCTION:
 PKCS12_unpack_p7encdata                 2746    EXIST::FUNCTION:
 HMAC_CTX_init                           2747    EXIST::FUNCTION:HMAC
-ENGINE_get_digest                       2748    EXIST::FUNCTION:
+ENGINE_get_digest                       2748    EXIST::FUNCTION:ENGINE
 OCSP_RESPONSE_print                     2749    EXIST::FUNCTION:
 KRB5_TKTBODY_it                         2750    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 KRB5_TKTBODY_it                         2750    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2219,16 +2219,16 @@ PBE2PARAM_it                            2753	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 PKCS12_certbag2x509crl                  2754    EXIST::FUNCTION:
 PKCS7_SIGNED_it                         2755    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PKCS7_SIGNED_it                         2755    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_get_cipher                       2756    EXIST::FUNCTION:
+ENGINE_get_cipher                       2756    EXIST::FUNCTION:ENGINE
 i2d_OCSP_CRLID                          2757    EXIST::FUNCTION:
 OCSP_SINGLERESP_new                     2758    EXIST::FUNCTION:
-ENGINE_cmd_is_executable                2759    EXIST::FUNCTION:
+ENGINE_cmd_is_executable                2759    EXIST::FUNCTION:ENGINE
 RSA_up_ref                              2760    EXIST::FUNCTION:RSA
 ASN1_GENERALSTRING_it                   2761    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 ASN1_GENERALSTRING_it                   2761    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_register_DSA                     2762    EXIST::FUNCTION:
+ENGINE_register_DSA                     2762    EXIST::FUNCTION:ENGINE
 X509V3_EXT_add_nconf_sk                 2763    EXIST::FUNCTION:
-ENGINE_set_load_pubkey_function         2764    EXIST::FUNCTION:
+ENGINE_set_load_pubkey_function         2764    EXIST::FUNCTION:ENGINE
 PKCS8_decrypt                           2765    EXIST::FUNCTION:
 PEM_bytes_read_bio                      2766    EXIST::FUNCTION:BIO
 DIRECTORYSTRING_it                      2767    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2265,7 +2265,7 @@ UI_method_set_flusher                   2789	EXIST::FUNCTION:
 X509_ocspid_print                       2790    EXIST::FUNCTION:BIO
 KRB5_ENCDATA_it                         2791    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 KRB5_ENCDATA_it                         2791    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_get_load_pubkey_function         2792    EXIST::FUNCTION:
+ENGINE_get_load_pubkey_function         2792    EXIST::FUNCTION:ENGINE
 UI_add_user_data                        2793    EXIST::FUNCTION:
 OCSP_REQUEST_delete_ext                 2794    EXIST::FUNCTION:
 UI_get_method                           2795    EXIST::FUNCTION:
@@ -2289,16 +2289,16 @@ ASN1_FBOOLEAN_it                        2806	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 ASN1_FBOOLEAN_it                        2806    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 UI_set_ex_data                          2807    EXIST::FUNCTION:
 _ossl_old_des_string_to_key             2808    EXIST::FUNCTION:DES
-ENGINE_register_all_RSA                 2809    EXIST::FUNCTION:
+ENGINE_register_all_RSA                 2809    EXIST::FUNCTION:ENGINE
 d2i_KRB5_PRINCNAME                      2810    EXIST::FUNCTION:
 OCSP_RESPBYTES_it                       2811    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 OCSP_RESPBYTES_it                       2811    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 X509_CINF_it                            2812    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 X509_CINF_it                            2812    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_unregister_digests               2813    EXIST::FUNCTION:
+ENGINE_unregister_digests               2813    EXIST::FUNCTION:ENGINE
 d2i_EDIPARTYNAME                        2814    EXIST::FUNCTION:
 d2i_OCSP_SERVICELOC                     2815    EXIST::FUNCTION:
-ENGINE_get_digests                      2816    EXIST::FUNCTION:
+ENGINE_get_digests                      2816    EXIST::FUNCTION:ENGINE
 _ossl_old_des_set_odd_parity            2817    EXIST::FUNCTION:DES
 OCSP_RESPDATA_free                      2818    EXIST::FUNCTION:
 d2i_KRB5_TICKET                         2819    EXIST::FUNCTION:
@@ -2309,7 +2309,7 @@ d2i_ASN1_GENERALSTRING                  2822	EXIST::FUNCTION:
 X509_CRL_set_version                    2823    EXIST::FUNCTION:
 BN_mod_sub                              2824    EXIST::FUNCTION:
 OCSP_SINGLERESP_get_ext_by_NID          2825    EXIST::FUNCTION:
-ENGINE_get_ex_new_index                 2826    EXIST::FUNCTION:
+ENGINE_get_ex_new_index                 2826    EXIST::FUNCTION:ENGINE
 OCSP_REQUEST_free                       2827    EXIST::FUNCTION:
 OCSP_REQUEST_add1_ext_i2d               2828    EXIST::FUNCTION:
 X509_VAL_it                             2829    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2343,7 +2343,7 @@ EC_POINT_method_of                      2852	EXIST::FUNCTION:EC
 i2d_KRB5_APREQBODY                      2853    EXIST::FUNCTION:
 _ossl_old_des_ecb3_encrypt              2854    EXIST::FUNCTION:DES
 CRYPTO_get_mem_ex_functions             2855    EXIST::FUNCTION:
-ENGINE_get_ex_data                      2856    EXIST::FUNCTION:
+ENGINE_get_ex_data                      2856    EXIST::FUNCTION:ENGINE
 UI_destroy_method                       2857    EXIST::FUNCTION:
 ASN1_item_i2d_bio                       2858    EXIST::FUNCTION:BIO
 OCSP_ONEREQ_get_ext_by_OBJ              2859    EXIST::FUNCTION:
@@ -2367,7 +2367,7 @@ PKCS12_SAFEBAGS_it                      2872	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 PKCS12_SAFEBAGS_it                      2872    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 d2i_OCSP_SIGNATURE                      2873    EXIST::FUNCTION:
 OCSP_request_add1_nonce                 2874    EXIST::FUNCTION:
-ENGINE_set_cmd_defns                    2875    EXIST::FUNCTION:
+ENGINE_set_cmd_defns                    2875    EXIST::FUNCTION:ENGINE
 OCSP_SERVICELOC_free                    2876    EXIST::FUNCTION:
 EC_GROUP_free                           2877    EXIST::FUNCTION:EC
 ASN1_BIT_STRING_it                      2878    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2384,7 +2384,7 @@ EC_GROUP_new_curve_GFp                  2885	EXIST::FUNCTION:EC
 OCSP_REQUEST_get1_ext_d2i               2886    EXIST::FUNCTION:
 PKCS12_item_pack_safebag                2887    EXIST::FUNCTION:
 asn1_ex_c2i                             2888    EXIST::FUNCTION:
-ENGINE_register_digests                 2889    EXIST::FUNCTION:
+ENGINE_register_digests                 2889    EXIST::FUNCTION:ENGINE
 i2d_OCSP_REVOKEDINFO                    2890    EXIST::FUNCTION:
 asn1_enc_restore                        2891    EXIST::FUNCTION:
 UI_free                                 2892    EXIST::FUNCTION:
@@ -2395,7 +2395,7 @@ EC_POINT_invert                         2896	EXIST::FUNCTION:EC
 OCSP_basic_sign                         2897    EXIST::FUNCTION:
 i2d_OCSP_RESPID                         2898    EXIST::FUNCTION:
 OCSP_check_nonce                        2899    EXIST::FUNCTION:
-ENGINE_ctrl_cmd                         2900    EXIST::FUNCTION:
+ENGINE_ctrl_cmd                         2900    EXIST::FUNCTION:ENGINE
 d2i_KRB5_ENCKEY                         2901    EXIST::FUNCTION:
 OCSP_parse_url                          2902    EXIST::FUNCTION:
 OCSP_SINGLERESP_get_ext                 2903    EXIST::FUNCTION:
@@ -2403,12 +2403,12 @@ OCSP_CRLID_free                         2904	EXIST::FUNCTION:
 OCSP_BASICRESP_get1_ext_d2i             2905    EXIST::FUNCTION:
 RSAPrivateKey_it                        2906    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RSA
 RSAPrivateKey_it                        2906    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RSA
-ENGINE_register_all_DH                  2907    EXIST::FUNCTION:
+ENGINE_register_all_DH                  2907    EXIST::FUNCTION:ENGINE
 i2d_EDIPARTYNAME                        2908    EXIST::FUNCTION:
 EC_POINT_get_affine_coordinates_GFp     2909    EXIST:!VMS:FUNCTION:EC
 EC_POINT_get_affine_coords_GFp          2909    EXIST:VMS:FUNCTION:EC
 OCSP_CRLID_new                          2910    EXIST::FUNCTION:
-ENGINE_get_flags                        2911    EXIST::FUNCTION:
+ENGINE_get_flags                        2911    EXIST::FUNCTION:ENGINE
 OCSP_ONEREQ_it                          2912    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 OCSP_ONEREQ_it                          2912    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 UI_process                              2913    EXIST::FUNCTION:
@@ -2416,8 +2416,8 @@ ASN1_INTEGER_it                         2914	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 ASN1_INTEGER_it                         2914    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 EVP_CipherInit_ex                       2915    EXIST::FUNCTION:
 UI_get_string_type                      2916    EXIST::FUNCTION:
-ENGINE_unregister_DH                    2917    EXIST::FUNCTION:
-ENGINE_register_all_DSA                 2918    EXIST::FUNCTION:
+ENGINE_unregister_DH                    2917    EXIST::FUNCTION:ENGINE
+ENGINE_register_all_DSA                 2918    EXIST::FUNCTION:ENGINE
 OCSP_ONEREQ_get_ext_by_critical         2919    EXIST::FUNCTION:
 bn_dup_expand                           2920    EXIST::FUNCTION:
 OCSP_cert_id_new                        2921    EXIST::FUNCTION:
@@ -2438,11 +2438,11 @@ BN_mod_sub_quick                        2933	EXIST::FUNCTION:
 OCSP_ONEREQ_add_ext                     2934    EXIST::FUNCTION:
 OCSP_request_sign                       2935    EXIST::FUNCTION:
 EVP_DigestFinal_ex                      2936    EXIST::FUNCTION:
-ENGINE_set_digests                      2937    EXIST::FUNCTION:
+ENGINE_set_digests                      2937    EXIST::FUNCTION:ENGINE
 OCSP_id_issuer_cmp                      2938    EXIST::FUNCTION:
 OBJ_NAME_do_all                         2939    EXIST::FUNCTION:
 EC_POINTs_mul                           2940    EXIST::FUNCTION:EC
-ENGINE_register_complete                2941    EXIST::FUNCTION:
+ENGINE_register_complete                2941    EXIST::FUNCTION:ENGINE
 X509V3_EXT_nconf_nid                    2942    EXIST::FUNCTION:
 ASN1_SEQUENCE_it                        2943    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 ASN1_SEQUENCE_it                        2943    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2451,7 +2451,7 @@ RAND_query_egd_bytes                    2945	EXIST::FUNCTION:
 UI_method_get_writer                    2946    EXIST::FUNCTION:
 UI_OpenSSL                              2947    EXIST::FUNCTION:
 PEM_def_callback                        2948    EXIST::FUNCTION:
-ENGINE_cleanup                          2949    EXIST::FUNCTION:
+ENGINE_cleanup                          2949    EXIST::FUNCTION:ENGINE
 DIST_POINT_it                           2950    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 DIST_POINT_it                           2950    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 OCSP_SINGLERESP_it                      2951    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2475,7 +2475,7 @@ OCSP_RESPID_new                         2967	EXIST::FUNCTION:
 OCSP_RESPDATA_it                        2968    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 OCSP_RESPDATA_it                        2968    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 d2i_OCSP_RESPDATA                       2969    EXIST::FUNCTION:
-ENGINE_register_all_complete            2970    EXIST::FUNCTION:
+ENGINE_register_all_complete            2970    EXIST::FUNCTION:ENGINE
 OCSP_check_validity                     2971    EXIST::FUNCTION:
 PKCS12_BAGS_it                          2972    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PKCS12_BAGS_it                          2972    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2487,7 +2487,7 @@ KRB5_AUTHENTBODY_it                     2976	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 X509_supported_extension                2977    EXIST::FUNCTION:
 i2d_KRB5_AUTHDATA                       2978    EXIST::FUNCTION:
 UI_method_get_opener                    2979    EXIST::FUNCTION:
-ENGINE_set_ex_data                      2980    EXIST::FUNCTION:
+ENGINE_set_ex_data                      2980    EXIST::FUNCTION:ENGINE
 OCSP_REQUEST_print                      2981    EXIST::FUNCTION:
 CBIGNUM_it                              2982    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 CBIGNUM_it                              2982    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2501,7 +2501,7 @@ OCSP_single_get0_status                 2989	EXIST::FUNCTION:
 BN_swap                                 2990    EXIST::FUNCTION:
 POLICYINFO_it                           2991    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 POLICYINFO_it                           2991    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_set_destroy_function             2992    EXIST::FUNCTION:
+ENGINE_set_destroy_function             2992    EXIST::FUNCTION:ENGINE
 asn1_enc_free                           2993    EXIST::FUNCTION:
 OCSP_RESPID_it                          2994    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 OCSP_RESPID_it                          2994    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2523,8 +2523,8 @@ EDIPARTYNAME_it                         3005	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 NETSCAPE_SPKI_it                        3006    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 NETSCAPE_SPKI_it                        3006    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 UI_get0_test_string                     3007    EXIST::FUNCTION:
-ENGINE_get_cipher_engine                3008    EXIST::FUNCTION:
-ENGINE_register_all_ciphers             3009    EXIST::FUNCTION:
+ENGINE_get_cipher_engine                3008    EXIST::FUNCTION:ENGINE
+ENGINE_register_all_ciphers             3009    EXIST::FUNCTION:ENGINE
 EC_POINT_copy                           3010    EXIST::FUNCTION:EC
 BN_kronecker                            3011    EXIST::FUNCTION:
 _ossl_old_des_ede3_ofb64_encrypt        3012    EXIST:!VMS:FUNCTION:DES
@@ -2545,9 +2545,9 @@ OCSP_RESPONSE_new                       3023	EXIST::FUNCTION:
 AES_set_encrypt_key                     3024    EXIST::FUNCTION:AES
 OCSP_resp_count                         3025    EXIST::FUNCTION:
 KRB5_CHECKSUM_new                       3026    EXIST::FUNCTION:
-ENGINE_load_cswift                      3027    EXIST::FUNCTION:
+ENGINE_load_cswift                      3027    EXIST::FUNCTION:ENGINE
 OCSP_onereq_get0_id                     3028    EXIST::FUNCTION:
-ENGINE_set_default_ciphers              3029    EXIST::FUNCTION:
+ENGINE_set_default_ciphers              3029    EXIST::FUNCTION:ENGINE
 NOTICEREF_it                            3030    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 NOTICEREF_it                            3030    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 X509V3_EXT_CRL_add_nconf                3031    EXIST::FUNCTION:
@@ -2565,7 +2565,7 @@ AES_decrypt                             3040	EXIST::FUNCTION:AES
 asn1_enc_init                           3041    EXIST::FUNCTION:
 UI_get_result_maxsize                   3042    EXIST::FUNCTION:
 OCSP_CERTID_new                         3043    EXIST::FUNCTION:
-ENGINE_unregister_RAND                  3044    EXIST::FUNCTION:
+ENGINE_unregister_RAND                  3044    EXIST::FUNCTION:ENGINE
 UI_method_get_closer                    3045    EXIST::FUNCTION:
 d2i_KRB5_ENCDATA                        3046    EXIST::FUNCTION:
 OCSP_request_onereq_count               3047    EXIST::FUNCTION:
@@ -2576,7 +2576,7 @@ ASN1_primitive_free                     3051	EXIST::FUNCTION:
 i2d_EXTENDED_KEY_USAGE                  3052    EXIST::FUNCTION:
 i2d_OCSP_SIGNATURE                      3053    EXIST::FUNCTION:
 asn1_enc_save                           3054    EXIST::FUNCTION:
-ENGINE_load_nuron                       3055    EXIST::FUNCTION:
+ENGINE_load_nuron                       3055    EXIST::FUNCTION:ENGINE
 _ossl_old_des_pcbc_encrypt              3056    EXIST::FUNCTION:DES
 PKCS12_MAC_DATA_it                      3057    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PKCS12_MAC_DATA_it                      3057    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2598,15 +2598,15 @@ ASN1_item_d2i_bio                       3069	EXIST::FUNCTION:BIO
 EC_POINT_dbl                            3070    EXIST::FUNCTION:EC
 asn1_get_choice_selector                3071    EXIST::FUNCTION:
 i2d_KRB5_CHECKSUM                       3072    EXIST::FUNCTION:
-ENGINE_set_table_flags                  3073    EXIST::FUNCTION:
+ENGINE_set_table_flags                  3073    EXIST::FUNCTION:ENGINE
 AES_options                             3074    EXIST::FUNCTION:AES
-ENGINE_load_chil                        3075    EXIST::FUNCTION:
+ENGINE_load_chil                        3075    EXIST::FUNCTION:ENGINE
 OCSP_id_cmp                             3076    EXIST::FUNCTION:
 OCSP_BASICRESP_new                      3077    EXIST::FUNCTION:
 OCSP_REQUEST_get_ext_by_NID             3078    EXIST::FUNCTION:
 KRB5_APREQ_it                           3079    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 KRB5_APREQ_it                           3079    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_get_destroy_function             3080    EXIST::FUNCTION:
+ENGINE_get_destroy_function             3080    EXIST::FUNCTION:ENGINE
 CONF_set_nconf                          3081    EXIST::FUNCTION:
 ASN1_PRINTABLE_free                     3082    EXIST::FUNCTION:
 OCSP_BASICRESP_get_ext_by_NID           3083    EXIST::FUNCTION:
@@ -2667,7 +2667,7 @@ OCSP_CRLID_it                           3127	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 OCSP_CRLID_it                           3127    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 i2d_KRB5_AUTHENTBODY                    3128    EXIST::FUNCTION:
 OCSP_REQUEST_get_ext_count              3129    EXIST::FUNCTION:
-ENGINE_load_atalla                      3130    EXIST::FUNCTION:
+ENGINE_load_atalla                      3130    EXIST::FUNCTION:ENGINE
 X509_NAME_it                            3131    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 X509_NAME_it                            3131    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 USERNOTICE_it                           3132    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2685,7 +2685,7 @@ UI_method_set_opener                    3140	EXIST::FUNCTION:
 ASN1_item_ex_free                       3141    EXIST::FUNCTION:
 ASN1_BOOLEAN_it                         3142    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 ASN1_BOOLEAN_it                         3142    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ENGINE_get_table_flags                  3143    EXIST::FUNCTION:
+ENGINE_get_table_flags                  3143    EXIST::FUNCTION:ENGINE
 UI_create_method                        3144    EXIST::FUNCTION:
 OCSP_ONEREQ_add1_ext_i2d                3145    EXIST::FUNCTION:
 _shadow_DES_check_key                   3146    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:DES
@@ -2709,7 +2709,7 @@ PKCS7_it                                3160	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 PKCS7_it                                3160    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 OCSP_REQUEST_get_ext_by_critical        3161    EXIST:!VMS:FUNCTION:
 OCSP_REQUEST_get_ext_by_crit            3161    EXIST:VMS:FUNCTION:
-ENGINE_set_flags                        3162    EXIST::FUNCTION:
+ENGINE_set_flags                        3162    EXIST::FUNCTION:ENGINE
 _ossl_old_des_ecb_encrypt               3163    EXIST::FUNCTION:DES
 OCSP_response_get1_basic                3164    EXIST::FUNCTION:
 EVP_Digest                              3165    EXIST::FUNCTION:
@@ -2721,8 +2721,8 @@ ASN1_TIME_to_generalizedtime            3169	EXIST::FUNCTION:
 BIGNUM_it                               3170    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 BIGNUM_it                               3170    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 AES_cbc_encrypt                         3171    EXIST::FUNCTION:AES
-ENGINE_get_load_privkey_function        3172    EXIST:!VMS:FUNCTION:
-ENGINE_get_load_privkey_fn              3172    EXIST:VMS:FUNCTION:
+ENGINE_get_load_privkey_function        3172    EXIST:!VMS:FUNCTION:ENGINE
+ENGINE_get_load_privkey_fn              3172    EXIST:VMS:FUNCTION:ENGINE
 OCSP_RESPONSE_free                      3173    EXIST::FUNCTION:
 UI_method_set_reader                    3174    EXIST::FUNCTION:
 i2d_ASN1_T61STRING                      3175    EXIST::FUNCTION:
@@ -2736,7 +2736,7 @@ OCSP_crlID_new                          3181	EXIST:!OS2,!VMS,!WIN16:FUNCTION:
 OCSP_crlID2_new                         3181    EXIST:OS2,VMS,WIN16:FUNCTION:
 CONF_modules_load_file                  3182    EXIST::FUNCTION:
 CONF_imodule_set_usr_data               3183    EXIST::FUNCTION:
-ENGINE_set_default_string               3184    EXIST::FUNCTION:
+ENGINE_set_default_string               3184    EXIST::FUNCTION:ENGINE
 CONF_module_get_usr_data                3185    EXIST::FUNCTION:
 ASN1_add_oid_module                     3186    EXIST::FUNCTION:
 CONF_modules_finish                     3187    EXIST::FUNCTION:
@@ -2754,7 +2754,7 @@ CONF_imodule_get_name                   3198	EXIST::FUNCTION:
 ERR_peek_top_error                      3199    NOEXIST::FUNCTION:
 CONF_imodule_get_usr_data               3200    EXIST::FUNCTION:
 CONF_imodule_set_flags                  3201    EXIST::FUNCTION:
-ENGINE_add_conf_module                  3202    EXIST::FUNCTION:
+ENGINE_add_conf_module                  3202    EXIST::FUNCTION:ENGINE
 ERR_peek_last_error_line                3203    EXIST::FUNCTION:
 ERR_peek_last_error_line_data           3204    EXIST::FUNCTION:
 ERR_peek_last_error                     3205    EXIST::FUNCTION:
@@ -2762,8 +2762,8 @@ DES_read_2passwords                     3206	EXIST::FUNCTION:DES
 DES_read_password                       3207    EXIST::FUNCTION:DES
 UI_UTIL_read_pw                         3208    EXIST::FUNCTION:
 UI_UTIL_read_pw_string                  3209    EXIST::FUNCTION:
-ENGINE_load_aep                         3210    EXIST::FUNCTION:
-ENGINE_load_sureware                    3211    EXIST::FUNCTION:
+ENGINE_load_aep                         3210    EXIST::FUNCTION:ENGINE
+ENGINE_load_sureware                    3211    EXIST::FUNCTION:ENGINE
 OPENSSL_add_all_algorithms_noconf       3212    EXIST:!VMS:FUNCTION:
 OPENSSL_add_all_algo_noconf             3212    EXIST:VMS:FUNCTION:
 OPENSSL_add_all_algorithms_conf         3213    EXIST:!VMS:FUNCTION:
@@ -2772,7 +2772,7 @@ OPENSSL_load_builtin_modules            3214	EXIST::FUNCTION:
 AES_ofb128_encrypt                      3215    EXIST::FUNCTION:AES
 AES_ctr128_encrypt                      3216    EXIST::FUNCTION:AES
 AES_cfb128_encrypt                      3217    EXIST::FUNCTION:AES
-ENGINE_load_4758cca                     3218    EXIST::FUNCTION:
+ENGINE_load_4758cca                     3218    EXIST::FUNCTION:ENGINE
 _ossl_096_des_random_seed               3219    EXIST::FUNCTION:DES
 EVP_aes_256_ofb                         3220    EXIST::FUNCTION:AES
 EVP_aes_192_ofb                         3221    EXIST::FUNCTION:AES
@@ -2793,3 +2793,11 @@ ASN1_UNIVERSALSTRING_it                 3234	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 d2i_ASN1_UNIVERSALSTRING                3235    EXIST::FUNCTION:
 EVP_des_ede3_ecb                        3236    EXIST::FUNCTION:DES
 X509_REQ_print_ex                       3237    EXIST::FUNCTION:BIO
+ENGINE_up_ref                           3238    EXIST::FUNCTION:ENGINE
+BUF_MEM_grow_clean                      3239    EXIST::FUNCTION:
+CRYPTO_realloc_clean                    3240    EXIST::FUNCTION:
+BUF_strlcat                             3241    EXIST::FUNCTION:
+BIO_indent                              3242    EXIST::FUNCTION:
+BUF_strlcpy                             3243    EXIST::FUNCTION:
+OpenSSLDie                              3244    EXIST::FUNCTION:
+OPENSSL_cleanse                         3245    EXIST::FUNCTION:
diff --git a/src/lib/libssl/src/util/mk1mf.pl b/src/lib/libssl/src/util/mk1mf.pl
index c9271bbffe..c538f9dffb 100644
--- a/src/lib/libssl/src/util/mk1mf.pl
+++ b/src/lib/libssl/src/util/mk1mf.pl
@@ -24,6 +24,7 @@ $infile="MINFO";
 
 %ops=(
         "VC-WIN32",   "Microsoft Visual C++ [4-6] - Windows NT or 9X",
+        "VC-CE",   "Microsoft eMbedded Visual C++ 3.0 - Windows CE ONLY",
         "VC-NT",   "Microsoft Visual C++ [4-6] - Windows NT ONLY",
         "VC-W31-16",  "Microsoft Visual C++ 1.52 - Windows 3.1 - 286",
         "VC-WIN16",   "Alias for VC-W31-32",
@@ -63,6 +64,8 @@ and [options] can be one of
         no-asm                                  - No x86 asm
         no-krb5                                 - No KRB5
         no-ec                                   - No EC
+        no-engine                               - No engine
+        no-hw                                   - No hw
         nasm                                    - Use NASM for x86 asm
         gaswin                                  - Use GNU as with Mingw32
         no-socks                                - No socket code
@@ -137,6 +140,10 @@ elsif (($platform eq "VC-WIN32") || ($platform eq "VC-NT"))
         $NT = 1 if $platform eq "VC-NT";
         require 'VC-32.pl';
         }
+elsif ($platform eq "VC-CE")
+        {
+        require 'VC-CE.pl';
+        }
 elsif ($platform eq "Mingw32")
         {
         require 'Mingw32.pl';
@@ -213,7 +220,7 @@ $cflags.=" -DOPENSSL_NO_MD4"  if $no_md4;
 $cflags.=" -DOPENSSL_NO_MD5"  if $no_md5;
 $cflags.=" -DOPENSSL_NO_SHA"  if $no_sha;
 $cflags.=" -DOPENSSL_NO_SHA1" if $no_sha1;
-$cflags.=" -DOPENSSL_NO_RIPEMD" if $no_rmd160;
+$cflags.=" -DOPENSSL_NO_RIPEMD" if $no_ripemd;
 $cflags.=" -DOPENSSL_NO_MDC2" if $no_mdc2;
 $cflags.=" -DOPENSSL_NO_BF"  if $no_bf;
 $cflags.=" -DOPENSSL_NO_CAST" if $no_cast;
@@ -227,6 +234,8 @@ $cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3;
 $cflags.=" -DOPENSSL_NO_ERR"  if $no_err;
 $cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5;
 $cflags.=" -DOPENSSL_NO_EC"   if $no_ec;
+$cflags.=" -DOPENSSL_NO_ENGINE"   if $no_engine;
+$cflags.=" -DOPENSSL_NO_HW"   if $no_hw;
 #$cflags.=" -DRSAref"  if $rsaref ne "";
 
 ## if ($unix)
@@ -266,6 +275,17 @@ $defs= <<"EOF";
 # The one monster makefile better suits building in non-unix
 # environments.
 
+EOF
+
+if ($platform eq "VC-CE")
+        {
+        $defs.= <<"EOF";
+!INCLUDE <\$(WCECOMPAT)/wcedefs.mak>
+
+EOF
+        }
+
+$defs.= <<"EOF";
 INSTALLTOP=$INSTALLTOP
 
 # Set your compiler options
@@ -632,6 +652,8 @@ sub var_add
         local($dir,$val)=@_;
         local(@a,$_,$ret);
 
+        return("") if $no_engine && $dir =~ /\/engine/;
+        return("") if $no_hw   && $dir =~ /\/hw/;
         return("") if $no_idea && $dir =~ /\/idea/;
         return("") if $no_aes  && $dir =~ /\/aes/;
         return("") if $no_rc2  && $dir =~ /\/rc2/;
@@ -641,6 +663,7 @@ sub var_add
         return("") if $no_rsa  && $dir =~ /^rsaref/;
         return("") if $no_dsa  && $dir =~ /\/dsa/;
         return("") if $no_dh   && $dir =~ /\/dh/;
+        return("") if $no_ec   && $dir =~ /\/ec/;
         if ($no_des && $dir =~ /\/des/)
                 {
                 if ($val =~ /read_pwd/)
@@ -675,7 +698,7 @@ sub var_add
         @a=grep(!/(^md2)|(_md2$)/,@a) if $no_md2;
         @a=grep(!/(^md4)|(_md4$)/,@a) if $no_md4;
         @a=grep(!/(^md5)|(_md5$)/,@a) if $no_md5;
-        @a=grep(!/(rmd)|(ripemd)/,@a) if $no_rmd160;
+        @a=grep(!/(rmd)|(ripemd)/,@a) if $no_ripemd;
 
         @a=grep(!/(^d2i_r_)|(^i2d_r_)/,@a) if $no_rsa;
         @a=grep(!/(^p_open$)|(^p_seal$)/,@a) if $no_rsa;
@@ -692,6 +715,8 @@ sub var_add
         @a=grep(!/(^sha1)|(_sha1$)|(m_dss1$)/,@a) if $no_sha1;
         @a=grep(!/_mdc2$/,@a) if $no_mdc2;
 
+        @a=grep(!/^engine$/,@a) if $no_engine;
+        @a=grep(!/^hw$/,@a) if $no_hw;
         @a=grep(!/(^rsa$)|(^genrsa$)/,@a) if $no_rsa;
         @a=grep(!/(^dsa$)|(^gendsa$)|(^dsaparam$)/,@a) if $no_dsa;
         @a=grep(!/^gendsa$/,@a) if $no_sha1;
@@ -885,10 +910,12 @@ sub read_options
         elsif (/^no-sock$/)     { $no_sock=1; }
         elsif (/^no-krb5$/)     { $no_krb5=1; }
         elsif (/^no-ec$/)       { $no_ec=1; }
+        elsif (/^no-engine$/)   { $no_engine=1; }
+        elsif (/^no-hw$/)       { $no_hw=1; }
 
         elsif (/^just-ssl$/)    { $no_rc2=$no_idea=$no_des=$no_bf=$no_cast=1;
                                   $no_md2=$no_sha=$no_mdc2=$no_dsa=$no_dh=1;
-                                  $no_ssl2=$no_err=$no_rmd160=$no_rc5=1;
+                                  $no_ssl2=$no_err=$no_ripemd=$no_rc5=1;
                                   $no_aes=1; }
 
         elsif (/^rsaref$/)      { }
diff --git a/src/lib/libssl/src/util/mkdef.pl b/src/lib/libssl/src/util/mkdef.pl
index adfd447dd3..cdd2164c4e 100644
--- a/src/lib/libssl/src/util/mkdef.pl
+++ b/src/lib/libssl/src/util/mkdef.pl
@@ -91,7 +91,7 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
                          "BIO", "COMP", "BUFFER", "LHASH", "STACK", "ERR",
                          "LOCKING",
                          # External "algorithms"
-                         "FP_API", "STDIO", "SOCK", "KRB5" );
+                         "FP_API", "STDIO", "SOCK", "KRB5", "ENGINE", "HW" );
 
 my $options="";
 open(IN,"<Makefile.ssl") || die "unable to open Makefile.ssl!\n";
@@ -107,7 +107,7 @@ my $no_rc2; my $no_rc4; my $no_rc5; my $no_idea; my $no_des; my $no_bf;
 my $no_cast;
 my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
 my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5;
-my $no_ec;
+my $no_ec; my $no_engine; my $no_hw;
 my $no_fp_api;
 
 foreach (@ARGV, split(/ /, $options))
@@ -176,6 +176,8 @@ foreach (@ARGV, split(/ /, $options))
         elsif (/^no-comp$/)     { $no_comp=1; }
         elsif (/^no-dso$/)      { $no_dso=1; }
         elsif (/^no-krb5$/)     { $no_krb5=1; }
+        elsif (/^no-engine$/)   { $no_engine=1; }
+        elsif (/^no-hw$/)       { $no_hw=1; }
         }
 
 
@@ -235,7 +237,7 @@ $crypto.=" crypto/dh/dh.h" ; # unless $no_dh;
 $crypto.=" crypto/ec/ec.h" ; # unless $no_ec;
 $crypto.=" crypto/hmac/hmac.h" ; # unless $no_hmac;
 
-$crypto.=" crypto/engine/engine.h";
+$crypto.=" crypto/engine/engine.h"; # unless $no_engine;
 $crypto.=" crypto/stack/stack.h" ; # unless $no_stack;
 $crypto.=" crypto/buffer/buffer.h" ; # unless $no_buffer;
 $crypto.=" crypto/bio/bio.h" ; # unless $no_bio;
@@ -438,7 +440,12 @@ sub do_defs
                         }
 
                         s/\/\*.*?\*\///gs;                   # ignore comments
+                        if (/\/\*/) {                        # if we have part
+                                $line = $_;                  # of a comment,
+                                next;                        # continue reading
+                        }
                         s/{[^{}]*}//gs;                      # ignore {} blocks
+                        print STDERR "DEBUG: \$def=\"$def\"\n" if $debug && $def ne "";
                         print STDERR "DEBUG: \$_=\"$_\"\n" if $debug;
                         if (/^\#\s*ifndef\s+(.*)/) {
                                 push(@tag,"-");
@@ -812,14 +819,14 @@ sub do_defs
                         } elsif (/\(\*(\w*(\{[0-9]+\})?)\([^\)]+/) {
                                 $s = $1;
                                 print STDERR "DEBUG: found ANSI C function $s\n" if $debug;
-                        } elsif (/\w+\W+(\w+)\W*\(\s*\)$/s) {
+                        } elsif (/\w+\W+(\w+)\W*\(\s*\)(\s*__attribute__\(.*\)\s*)?$/s) {
                                 # K&R C
                                 print STDERR "DEBUG: found K&R C function $s\n" if $debug;
                                 next;
-                        } elsif (/\w+\W+\w+(\{[0-9]+\})?\W*\(.*\)$/s) {
-                                while (not /\(\)$/s) {
-                                        s/[^\(\)]*\)$/\)/s;
-                                        s/\([^\(\)]*\)\)$/\)/s;
+                        } elsif (/\w+\W+\w+(\{[0-9]+\})?\W*\(.*\)(\s*__attribute__\(.*\)\s*)?$/s) {
+                                while (not /\(\)(\s*__attribute__\(.*\)\s*)?$/s) {
+                                        s/[^\(\)]*\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
+                                        s/\([^\(\)]*\)\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
                                 }
                                 s/\(void\)//;
                                 /(\w+(\{[0-9]+\})?)\W*\(\)/s;
@@ -1052,6 +1059,8 @@ sub is_valid
                         if ($keyword eq "COMP" && $no_comp) { return 0; }
                         if ($keyword eq "DSO" && $no_dso) { return 0; }
                         if ($keyword eq "KRB5" && $no_krb5) { return 0; }
+                        if ($keyword eq "ENGINE" && $no_engine) { return 0; }
+                        if ($keyword eq "HW" && $no_hw) { return 0; }
                         if ($keyword eq "FP_API" && $no_fp_api) { return 0; }
 
                         # Nothing recognise as true
diff --git a/src/lib/libssl/src/util/mkerr.pl b/src/lib/libssl/src/util/mkerr.pl
index 4105047b21..1b2915c767 100644
--- a/src/lib/libssl/src/util/mkerr.pl
+++ b/src/lib/libssl/src/util/mkerr.pl
@@ -132,16 +132,16 @@ while (($hdr, $lib) = each %libinc)
                 my $name = $1;
                 $name =~ tr/[a-z]/[A-Z]/;
                 $ftrans{$name} = $1;
-            } elsif (/\w+\W+(\w+)\W*\(\s*\)$/s){
+            } elsif (/\w+\W+(\w+)\W*\(\s*\)(\s*__attribute__\(.*\)\s*)?$/s){
                 # K&R C
                 next ;
-            } elsif (/\w+\W+\w+\W*\(.*\)$/s) {
-                while (not /\(\)$/s) {
-                    s/[^\(\)]*\)$/\)/s;
-                    s/\([^\(\)]*\)\)$/\)/s;
+            } elsif (/\w+\W+\w+\W*\(.*\)(\s*__attribute__\(.*\)\s*)?$/s) {
+                while (not /\(\)(\s*__attribute__\(.*\)\s*)?$/s) {
+                    s/[^\(\)]*\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
+                    s/\([^\(\)]*\)\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
                 }
                 s/\(void\)//;
-                /(\w+)\W*\(\)/s;
+                /(\w+(\{[0-9]+\})?)\W*\(\)/s;
                 my $name = $1;
                 $name =~ tr/[a-z]/[A-Z]/;
                 $ftrans{$name} = $1;
@@ -262,7 +262,7 @@ foreach $lib (keys %csrc)
         } else {
             push @out,
 "/* ====================================================================\n",
-" * Copyright (c) 2001-2002 The OpenSSL Project.  All rights reserved.\n",
+" * Copyright (c) 2001-2003 The OpenSSL Project.  All rights reserved.\n",
 " *\n",
 " * Redistribution and use in source and binary forms, with or without\n",
 " * modification, are permitted provided that the following conditions\n",
@@ -404,7 +404,7 @@ EOF
         print OUT <<"EOF";
 /* $cfile */
 /* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/src/lib/libssl/src/util/pl/BC-32.pl b/src/lib/libssl/src/util/pl/BC-32.pl
index bd7a9d9301..e83b336190 100644
--- a/src/lib/libssl/src/util/pl/BC-32.pl
+++ b/src/lib/libssl/src/util/pl/BC-32.pl
@@ -51,9 +51,9 @@ $lfile='';
 $shlib_ex_obj="";
 $app_ex_obj="c0x32.obj"; 
 
-$asm='nasmw';
+$asm='nasmw -f obj';
 $asm.=" /Zi" if $debug;
-$afile='-f obj -o';
+$afile='-o';
 
 $bn_mulw_obj='';
 $bn_mulw_src='';
diff --git a/src/lib/libssl/src/util/pl/Mingw32.pl b/src/lib/libssl/src/util/pl/Mingw32.pl
index 45ab685974..043a3a53ee 100644
--- a/src/lib/libssl/src/util/pl/Mingw32.pl
+++ b/src/lib/libssl/src/util/pl/Mingw32.pl
@@ -1,17 +1,17 @@
 #!/usr/local/bin/perl
 #
-# Mingw32.pl -- Mingw32 with GNU cp (Mingw32f.pl uses DOS tools) 
+# Mingw32.pl -- Mingw
 #
 
 $o='/';
 $cp='cp';
-$rm='rem'; # use 'rm -f' if using GNU file utilities
+$rm='rm -f';
 $mkdir='gmkdir';
 
-# gcc wouldn't accept backslashes in paths
-#$o='\\';
-#$cp='copy';
-#$rm='del';
+$o='\\';
+$cp='copy';
+$rm='del';
+$mkdir='mkdir';
 
 # C compiler stuff
 
@@ -19,29 +19,29 @@ $cc='gcc';
 if ($debug)
         { $cflags="-DL_ENDIAN -DDSO_WIN32 -g2 -ggdb"; }
 else
-        { $cflags="-DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -m486 -Wall"; }
+        { $cflags="-DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -mcpu=i486 -Wall"; }
 
 if ($gaswin and !$no_asm)
         {
-        $bn_asm_obj='$(OBJ_D)/bn-win32.o';
+        $bn_asm_obj='$(OBJ_D)\bn-win32.o';
         $bn_asm_src='crypto/bn/asm/bn-win32.s';
-        $bnco_asm_obj='$(OBJ_D)/co-win32.o';
+        $bnco_asm_obj='$(OBJ_D)\co-win32.o';
         $bnco_asm_src='crypto/bn/asm/co-win32.s';
-        $des_enc_obj='$(OBJ_D)/d-win32.o $(OBJ_D)/y-win32.o';
+        $des_enc_obj='$(OBJ_D)\d-win32.o $(OBJ_D)\y-win32.o';
         $des_enc_src='crypto/des/asm/d-win32.s crypto/des/asm/y-win32.s';
-        $bf_enc_obj='$(OBJ_D)/b-win32.o';
+        $bf_enc_obj='$(OBJ_D)\b-win32.o';
         $bf_enc_src='crypto/bf/asm/b-win32.s';
-#       $cast_enc_obj='$(OBJ_D)/c-win32.o';
+#       $cast_enc_obj='$(OBJ_D)\c-win32.o';
 #       $cast_enc_src='crypto/cast/asm/c-win32.s';
-        $rc4_enc_obj='$(OBJ_D)/r4-win32.o';
+        $rc4_enc_obj='$(OBJ_D)\r4-win32.o';
         $rc4_enc_src='crypto/rc4/asm/r4-win32.s';
-        $rc5_enc_obj='$(OBJ_D)/r5-win32.o';
+        $rc5_enc_obj='$(OBJ_D)\r5-win32.o';
         $rc5_enc_src='crypto/rc5/asm/r5-win32.s';
-        $md5_asm_obj='$(OBJ_D)/m5-win32.o';
+        $md5_asm_obj='$(OBJ_D)\m5-win32.o';
         $md5_asm_src='crypto/md5/asm/m5-win32.s';
-        $rmd160_asm_obj='$(OBJ_D)/rm-win32.o';
+        $rmd160_asm_obj='$(OBJ_D)\rm-win32.o';
         $rmd160_asm_src='crypto/ripemd/asm/rm-win32.s';
-        $sha1_asm_obj='$(OBJ_D)/s1-win32.o';
+        $sha1_asm_obj='$(OBJ_D)\s1-win32.o';
         $sha1_asm_src='crypto/sha/asm/s1-win32.s';
         $cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM";
         }
diff --git a/src/lib/libssl/src/util/pl/VC-32.pl b/src/lib/libssl/src/util/pl/VC-32.pl
index d6e3a11530..285990c589 100644
--- a/src/lib/libssl/src/util/pl/VC-32.pl
+++ b/src/lib/libssl/src/util/pl/VC-32.pl
@@ -91,7 +91,7 @@ if ($shlib)
         {
         $mlflags.=" $lflags /dll";
 #       $cflags =~ s| /MD| /MT|;
-        $lib_cflag=" -D_WINDLL -D_DLL";
+        $lib_cflag=" -D_WINDLL";
         $out_def="out32dll";
         $tmp_def="tmp32dll";
         }
diff --git a/src/lib/libssl/src/util/ssleay.num b/src/lib/libssl/src/util/ssleay.num
index fdea47205d..46e38a131f 100644
--- a/src/lib/libssl/src/util/ssleay.num
+++ b/src/lib/libssl/src/util/ssleay.num
@@ -169,7 +169,7 @@ SSL_add_file_cert_subjects_to_stack     185	EXIST:!VMS:FUNCTION:STDIO
 SSL_add_file_cert_subjs_to_stk          185     EXIST:VMS:FUNCTION:STDIO
 SSL_set_tmp_rsa_callback                186     EXIST::FUNCTION:RSA
 SSL_set_tmp_dh_callback                 187     EXIST::FUNCTION:DH
-SSL_add_dir_cert_subjects_to_stack      188     EXIST:!VMS,!WIN32:FUNCTION:STDIO
+SSL_add_dir_cert_subjects_to_stack      188     EXIST:!VMS:FUNCTION:STDIO
 SSL_add_dir_cert_subjs_to_stk           188     NOEXIST::FUNCTION:
 SSL_set_session_id_context              189     EXIST::FUNCTION:
 SSL_CTX_use_certificate_chain_file      222     EXIST:!VMS:FUNCTION:STDIO
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index e9d1e896d7..4ae8458259 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -204,6 +204,22 @@ extern "C" {
 
 /*    VRS Additional Kerberos5 entries
  */
+#define SSL_TXT_KRB5_DES_64_CBC_SHA   SSL3_TXT_KRB5_DES_64_CBC_SHA
+#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
+#define SSL_TXT_KRB5_RC4_128_SHA      SSL3_TXT_KRB5_RC4_128_SHA
+#define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA
+#define SSL_TXT_KRB5_DES_64_CBC_MD5   SSL3_TXT_KRB5_DES_64_CBC_MD5       
+#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5       
+#define SSL_TXT_KRB5_RC4_128_MD5      SSL3_TXT_KRB5_RC4_128_MD5
+#define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5 
+
+#define SSL_TXT_KRB5_DES_40_CBC_SHA   SSL3_TXT_KRB5_DES_40_CBC_SHA 
+#define SSL_TXT_KRB5_RC2_40_CBC_SHA   SSL3_TXT_KRB5_RC2_40_CBC_SHA 
+#define SSL_TXT_KRB5_RC4_40_SHA       SSL3_TXT_KRB5_RC4_40_SHA
+#define SSL_TXT_KRB5_DES_40_CBC_MD5   SSL3_TXT_KRB5_DES_40_CBC_MD5 
+#define SSL_TXT_KRB5_RC2_40_CBC_MD5   SSL3_TXT_KRB5_RC2_40_CBC_MD5 
+#define SSL_TXT_KRB5_RC4_40_MD5       SSL3_TXT_KRB5_RC4_40_MD5
+
 #define SSL_TXT_KRB5_DES_40_CBC_SHA   SSL3_TXT_KRB5_DES_40_CBC_SHA
 #define SSL_TXT_KRB5_DES_40_CBC_MD5   SSL3_TXT_KRB5_DES_40_CBC_MD5
 #define SSL_TXT_KRB5_DES_64_CBC_SHA   SSL3_TXT_KRB5_DES_64_CBC_SHA
@@ -299,9 +315,7 @@ extern "C" {
 #include <openssl/crypto.h>
 #include <openssl/lhash.h>
 #include <openssl/buffer.h>
-#include <openssl/bio.h>
 #include <openssl/pem.h>
-#include <openssl/x509.h>
 
 #ifdef  __cplusplus
 extern "C" {
@@ -507,6 +521,8 @@ typedef struct ssl_session_st
 /* Never bother the application with retries if the transport
  * is blocking: */
 #define SSL_MODE_AUTO_RETRY 0x00000004L
+/* Don't attempt to automatically build certificate chain */
+#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
 
 
 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
@@ -704,10 +720,11 @@ struct ssl_ctx_st
 #define SSL_SESS_CACHE_SERVER                   0x0002
 #define SSL_SESS_CACHE_BOTH     (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
 #define SSL_SESS_CACHE_NO_AUTO_CLEAR            0x0080
-/* This one, when set, makes the server session-id lookup not look
- * in the cache.  If there is an application get_session callback
- * defined, this will still get called. */
+/* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */
 #define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP       0x0100
+#define SSL_SESS_CACHE_NO_INTERNAL_STORE        0x0200
+#define SSL_SESS_CACHE_NO_INTERNAL \
+        (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE)
 
   struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx);
 #define SSL_CTX_sess_number(ctx) \
@@ -1212,14 +1229,12 @@ int	SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); /* PEM t
 STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
 int     SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
                                             const char *file);
-#ifndef OPENSSL_SYS_WIN32
 #ifndef OPENSSL_SYS_VMS
 #ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! [was: #ifndef MAC_OS_pre_X] */
 int     SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
                                            const char *dir);
 #endif
 #endif
-#endif
 
 #endif
 
@@ -1688,6 +1703,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_LENGTH_TOO_SHORT                           160
 #define SSL_R_LIBRARY_BUG                                274
 #define SSL_R_LIBRARY_HAS_NO_CIPHERS                     161
+#define SSL_R_MASTER_KEY_TOO_LONG                        1112
 #define SSL_R_MESSAGE_TOO_LONG                           1111
 #define SSL_R_MISSING_DH_DSA_CERT                        162
 #define SSL_R_MISSING_DH_KEY                             163
diff --git a/src/lib/libssl/ssl/shlib_version b/src/lib/libssl/ssl/shlib_version
index 5b844bbf42..d0f0988b41 100644
--- a/src/lib/libssl/ssl/shlib_version
+++ b/src/lib/libssl/ssl/shlib_version
@@ -1,2 +1,2 @@
-major=7
+major=8
 minor=0
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
index 8fd6951d77..1153aeda74 100644
--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -156,23 +156,29 @@ extern "C" {
 
 #define SSL3_CK_FZA_DMS_NULL_SHA                0x0300001C
 #define SSL3_CK_FZA_DMS_FZA_SHA                 0x0300001D
+#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
+         to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
+         of the ietf-tls list */
 #define SSL3_CK_FZA_DMS_RC4_SHA                 0x0300001E
+#endif
 
 /*    VRS Additional Kerberos5 entries
  */
-#define SSL3_CK_KRB5_DES_40_CBC_SHA             0x03000021
-#define SSL3_CK_KRB5_DES_40_CBC_MD5             0x03000022
-#define SSL3_CK_KRB5_DES_64_CBC_SHA             0x03000023
-#define SSL3_CK_KRB5_DES_64_CBC_MD5             0x03000024
-#define SSL3_CK_KRB5_DES_192_CBC3_SHA           0x03000025
-#define SSL3_CK_KRB5_DES_192_CBC3_MD5           0x03000026
-
-#define SSL3_TXT_KRB5_DES_40_CBC_SHA            "EXP-KRB5-DES-CBC-SHA"
-#define SSL3_TXT_KRB5_DES_40_CBC_MD5            "EXP-KRB5-DES-CBC-MD5"
-#define SSL3_TXT_KRB5_DES_64_CBC_SHA            "KRB5-DES-CBC-SHA"
-#define SSL3_TXT_KRB5_DES_64_CBC_MD5            "KRB5-DES-CBC-MD5"
-#define SSL3_TXT_KRB5_DES_192_CBC3_SHA          "KRB5-DES-CBC3-SHA"
-#define SSL3_TXT_KRB5_DES_192_CBC3_MD5          "KRB5-DES-CBC3-MD5"
+#define SSL3_CK_KRB5_DES_64_CBC_SHA             0x0300001E
+#define SSL3_CK_KRB5_DES_192_CBC3_SHA           0x0300001F
+#define SSL3_CK_KRB5_RC4_128_SHA                0x03000020
+#define SSL3_CK_KRB5_IDEA_128_CBC_SHA           0x03000021
+#define SSL3_CK_KRB5_DES_64_CBC_MD5             0x03000022
+#define SSL3_CK_KRB5_DES_192_CBC3_MD5           0x03000023
+#define SSL3_CK_KRB5_RC4_128_MD5                0x03000024
+#define SSL3_CK_KRB5_IDEA_128_CBC_MD5           0x03000025
+
+#define SSL3_CK_KRB5_DES_40_CBC_SHA             0x03000026
+#define SSL3_CK_KRB5_RC2_40_CBC_SHA             0x03000027
+#define SSL3_CK_KRB5_RC4_40_SHA                 0x03000028
+#define SSL3_CK_KRB5_DES_40_CBC_MD5             0x03000029
+#define SSL3_CK_KRB5_RC2_40_CBC_MD5             0x0300002A
+#define SSL3_CK_KRB5_RC4_40_MD5                 0x0300002B
 
 #define SSL3_TXT_RSA_NULL_MD5                   "NULL-MD5"
 #define SSL3_TXT_RSA_NULL_SHA                   "NULL-SHA"
@@ -209,6 +215,22 @@ extern "C" {
 #define SSL3_TXT_FZA_DMS_FZA_SHA                "FZA-FZA-CBC-SHA"
 #define SSL3_TXT_FZA_DMS_RC4_SHA                "FZA-RC4-SHA"
 
+#define SSL3_TXT_KRB5_DES_64_CBC_SHA            "KRB5-DES-CBC-SHA"
+#define SSL3_TXT_KRB5_DES_192_CBC3_SHA          "KRB5-DES-CBC3-SHA"
+#define SSL3_TXT_KRB5_RC4_128_SHA               "KRB5-RC4-SHA"
+#define SSL3_TXT_KRB5_IDEA_128_CBC_SHA          "KRB5-IDEA-CBC-SHA"
+#define SSL3_TXT_KRB5_DES_64_CBC_MD5            "KRB5-DES-CBC-MD5"
+#define SSL3_TXT_KRB5_DES_192_CBC3_MD5          "KRB5-DES-CBC3-MD5"
+#define SSL3_TXT_KRB5_RC4_128_MD5               "KRB5-RC4-MD5"
+#define SSL3_TXT_KRB5_IDEA_128_CBC_MD5          "KRB5-IDEA-CBC-MD5"
+
+#define SSL3_TXT_KRB5_DES_40_CBC_SHA            "EXP-KRB5-DES-CBC-SHA"
+#define SSL3_TXT_KRB5_RC2_40_CBC_SHA            "EXP-KRB5-RC2-CBC-SHA"
+#define SSL3_TXT_KRB5_RC4_40_SHA                "EXP-KRB5-RC4-SHA"
+#define SSL3_TXT_KRB5_DES_40_CBC_MD5            "EXP-KRB5-DES-CBC-MD5"
+#define SSL3_TXT_KRB5_RC2_40_CBC_MD5            "EXP-KRB5-RC2-CBC-MD5"
+#define SSL3_TXT_KRB5_RC4_40_MD5                "EXP-KRB5-RC4-MD5"
+
 #define SSL3_SSL_SESSION_ID_LENGTH              32
 #define SSL3_MAX_SSL_SESSION_ID_LENGTH          32
 
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
index 23bfe44e21..d8ff8fc4a3 100644
--- a/src/lib/libssl/ssl_asn1.c
+++ b/src/lib/libssl/ssl_asn1.c
@@ -298,6 +298,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
                 os.length = sizeof ret->session_id;
 
         ret->session_id_length=os.length;
+        OPENSSL_assert(os.length <= sizeof ret->session_id);
         memcpy(ret->session_id,os.data,os.length);
 
         M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
@@ -369,9 +370,15 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
         if(os.data != NULL)
             {
             if (os.length > SSL_MAX_SID_CTX_LENGTH)
+                {
+                ret->sid_ctx_length=os.length;
                 SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_BAD_LENGTH);
-            ret->sid_ctx_length=os.length;
-            memcpy(ret->sid_ctx,os.data,os.length);
+                }
+            else
+                {
+                ret->sid_ctx_length=os.length;
+                memcpy(ret->sid_ctx,os.data,os.length);
+                }
             OPENSSL_free(os.data); os.data=NULL; os.length=0;
             }
         else
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 3d31bbf05f..da90078a37 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -781,7 +781,7 @@ err:
 #endif
 #endif
 
-#else
+#else /* OPENSSL_SYS_WIN32 */
 
 int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
                                        const char *dir)
@@ -789,10 +789,30 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
         WIN32_FIND_DATA FindFileData;
         HANDLE hFind;
         int ret = 0;
+#ifdef OPENSSL_SYS_WINCE
+        WCHAR* wdir = NULL;
+#endif
 
         CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
         
+#ifdef OPENSSL_SYS_WINCE
+        /* convert strings to UNICODE */
+        {
+                BOOL result = FALSE;
+                int i;
+                wdir = malloc((strlen(dir)+1)*2);
+                if (wdir == NULL)
+                        goto err_noclose;
+                for (i=0; i<(int)strlen(dir)+1; i++)
+                        wdir[i] = (short)dir[i];
+        }
+#endif
+
+#ifdef OPENSSL_SYS_WINCE
+        hFind = FindFirstFile(wdir, &FindFileData);
+#else
         hFind = FindFirstFile(dir, &FindFileData);
+#endif
         /* Note that a side effect is that the CAs will be sorted by name */
         if(hFind == INVALID_HANDLE_VALUE)
                 {
@@ -807,7 +827,11 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
                 char buf[1024];
                 int r;
                 
+#ifdef OPENSSL_SYS_WINCE
+                if(strlen(dir)+_tcslen(FindFileData.cFileName)+2 > sizeof buf)
+#else
                 if(strlen(dir)+strlen(FindFileData.cFileName)+2 > sizeof buf)
+#endif
                         {
                         SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
                         goto err;
@@ -825,6 +849,10 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
 err:    
         FindClose(hFind);
 err_noclose:
+#ifdef OPENSSL_SYS_WINCE
+        if (wdir != NULL)
+                free(wdir);
+#endif
         CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
         return ret;
         }
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index df48245b2c..438d9eacbb 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -674,13 +674,14 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                          * So additionally check whether the cipher name found
                          * has the correct length. We can save a strlen() call:
                          * just checking for the '\0' at the right place is
-                         * sufficient, we have to strncmp() anyway.
+                         * sufficient, we have to strncmp() anyway. (We cannot
+                         * use strcmp(), because buf is not '\0' terminated.)
                          */
                          j = found = 0;
                          while (ca_list[j])
                                 {
-                                if ((ca_list[j]->name[buflen] == '\0') &&
-                                    !strncmp(buf, ca_list[j]->name, buflen))
+                                if (!strncmp(buf, ca_list[j]->name, buflen) &&
+                                    (ca_list[j]->name[buflen] == '\0'))
                                         {
                                         found = 1;
                                         break;
@@ -757,7 +758,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
          */
         if (rule_str == NULL) return(NULL);
 
-        if (init_ciphers) load_ciphers();
+        if (init_ciphers)
+                {
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL);
+                if (init_ciphers) load_ciphers();
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
+                }
 
         /*
          * To reduce the work to do we only want to process the compiled
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index 7067a745f3..d2cb181503 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -296,6 +296,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_LENGTH_TOO_SHORT                  ,"length too short"},
 {SSL_R_LIBRARY_BUG                       ,"library bug"},
 {SSL_R_LIBRARY_HAS_NO_CIPHERS            ,"library has no ciphers"},
+{SSL_R_MASTER_KEY_TOO_LONG               ,"master key too long"},
 {SSL_R_MESSAGE_TOO_LONG                  ,"message too long"},
 {SSL_R_MISSING_DH_DSA_CERT               ,"missing dh dsa cert"},
 {SSL_R_MISSING_DH_KEY                    ,"missing dh key"},
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 4bc4ce5b3a..8701fb33ca 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -273,6 +273,7 @@ SSL *SSL_new(SSL_CTX *ctx)
         s->verify_mode=ctx->verify_mode;
         s->verify_depth=ctx->verify_depth;
         s->sid_ctx_length=ctx->sid_ctx_length;
+        OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
         memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
         s->verify_callback=ctx->default_verify_callback;
         s->generate_session_id=ctx->generate_session_id;
@@ -314,7 +315,7 @@ err:
 int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
                                    unsigned int sid_ctx_len)
     {
-    if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
+    if(sid_ctx_len > sizeof ctx->sid_ctx)
         {
         SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
         return 0;
@@ -364,6 +365,10 @@ int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
          * any new session built out of this id/id_len and the ssl_version in
          * use by this SSL. */
         SSL_SESSION r, *p;
+
+        if(id_len > sizeof r.session_id)
+                return 0;
+
         r.ssl_version = ssl->version;
         r.session_id_length = id_len;
         memcpy(r.session_id, id, id_len);
@@ -1063,14 +1068,17 @@ int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
  * preference */
 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s)
         {
-        if ((s != NULL) && (s->cipher_list != NULL))
-                {
-                return(s->cipher_list);
-                }
-        else if ((s->ctx != NULL) &&
-                (s->ctx->cipher_list != NULL))
+        if (s != NULL)
                 {
-                return(s->ctx->cipher_list);
+                if (s->cipher_list != NULL)
+                        {
+                        return(s->cipher_list);
+                        }
+                else if ((s->ctx != NULL) &&
+                        (s->ctx->cipher_list != NULL))
+                        {
+                        return(s->ctx->cipher_list);
+                        }
                 }
         return(NULL);
         }
@@ -1079,14 +1087,17 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s)
  * algorithm id */
 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
         {
-        if ((s != NULL) && (s->cipher_list_by_id != NULL))
-                {
-                return(s->cipher_list_by_id);
-                }
-        else if ((s != NULL) && (s->ctx != NULL) &&
-                (s->ctx->cipher_list_by_id != NULL))
+        if (s != NULL)
                 {
-                return(s->ctx->cipher_list_by_id);
+                if (s->cipher_list_by_id != NULL)
+                        {
+                        return(s->cipher_list_by_id);
+                        }
+                else if ((s->ctx != NULL) &&
+                        (s->ctx->cipher_list_by_id != NULL))
+                        {
+                        return(s->ctx->cipher_list_by_id);
+                        }
                 }
         return(NULL);
         }
@@ -1652,7 +1663,7 @@ void ssl_update_cache(SSL *s,int mode)
 
         i=s->ctx->session_cache_mode;
         if ((i & mode) && (!s->hit)
-                && ((i & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)
+                && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
                     || SSL_CTX_add_session(s->ctx,s->session))
                 && (s->ctx->new_session_cb != NULL))
                 {
@@ -1884,6 +1895,7 @@ SSL *SSL_dup(SSL *s)
                  * they should not both point to the same object,
                  * and thus we can't use SSL_copy_session_id. */
 
+                ret->method->ssl_free(ret);
                 ret->method = s->method;
                 ret->method->ssl_new(ret);
 
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 664f8c2230..a505e388fb 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -308,9 +308,12 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
                         if (copy)
                                 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
 
-                        /* The following should not return 1, otherwise,
-                         * things are very strange */
-                        SSL_CTX_add_session(s->ctx,ret);
+                        /* Add the externally cached session to the internal
+                         * cache as well if and only if we are supposed to. */
+                        if(!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
+                                /* The following should not return 1, otherwise,
+                                 * things are very strange */
+                                SSL_CTX_add_session(s->ctx,ret);
                         }
                 if (ret == NULL)
                         goto err;
@@ -524,13 +527,13 @@ void SSL_SESSION_free(SSL_SESSION *ss)
 
         CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
 
-        memset(ss->key_arg,0,SSL_MAX_KEY_ARG_LENGTH);
-        memset(ss->master_key,0,SSL_MAX_MASTER_KEY_LENGTH);
-        memset(ss->session_id,0,SSL_MAX_SSL_SESSION_ID_LENGTH);
+        OPENSSL_cleanse(ss->key_arg,sizeof ss->key_arg);
+        OPENSSL_cleanse(ss->master_key,sizeof ss->master_key);
+        OPENSSL_cleanse(ss->session_id,sizeof ss->session_id);
         if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
         if (ss->peer != NULL) X509_free(ss->peer);
         if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
-        memset(ss,0,sizeof(*ss));
+        OPENSSL_cleanse(ss,sizeof(*ss));
         OPENSSL_free(ss);
         }
 
diff --git a/src/lib/libssl/t1_clnt.c b/src/lib/libssl/t1_clnt.c
index 9ad518f9f4..57205fb429 100644
--- a/src/lib/libssl/t1_clnt.c
+++ b/src/lib/libssl/t1_clnt.c
@@ -79,11 +79,18 @@ SSL_METHOD *TLSv1_client_method(void)
 
         if (init)
                 {
-                memcpy((char *)&TLSv1_client_data,(char *)tlsv1_base_method(),
-                        sizeof(SSL_METHOD));
-                TLSv1_client_data.ssl_connect=ssl3_connect;
-                TLSv1_client_data.get_ssl_method=tls1_get_client_method;
-                init=0;
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+                if (init)
+                        {
+                        memcpy((char *)&TLSv1_client_data,(char *)tlsv1_base_method(),
+                                sizeof(SSL_METHOD));
+                        TLSv1_client_data.ssl_connect=ssl3_connect;
+                        TLSv1_client_data.get_ssl_method=tls1_get_client_method;
+                        init=0;
+                        }
+                
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                 }
         return(&TLSv1_client_data);
         }
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 5290bf6665..271e247eea 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -124,7 +124,7 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
         unsigned int j;
         HMAC_CTX ctx;
         HMAC_CTX ctx_tmp;
-        unsigned char A1[HMAC_MAX_MD_CBLOCK];
+        unsigned char A1[EVP_MAX_MD_SIZE];
         unsigned int A1_len;
         
         chunk=EVP_MD_size(md);
@@ -161,7 +161,7 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
                 }
         HMAC_CTX_cleanup(&ctx);
         HMAC_CTX_cleanup(&ctx_tmp);
-        memset(A1,0,sizeof(A1));
+        OPENSSL_cleanse(A1,sizeof(A1));
         }
 
 static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
@@ -418,10 +418,10 @@ printf("\niv=");
 printf("\n");
 #endif
 
-        memset(tmp1,0,sizeof(tmp1));
-        memset(tmp2,0,sizeof(tmp1));
-        memset(iv1,0,sizeof(iv1));
-        memset(iv2,0,sizeof(iv2));
+        OPENSSL_cleanse(tmp1,sizeof(tmp1));
+        OPENSSL_cleanse(tmp2,sizeof(tmp1));
+        OPENSSL_cleanse(iv1,sizeof(iv1));
+        OPENSSL_cleanse(iv2,sizeof(iv2));
         return(1);
 err:
         SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
@@ -476,7 +476,7 @@ printf("pre-master\n");
 { int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); }
 #endif
         tls1_generate_key_block(s,p1,p2,num);
-        memset(p2,0,num);
+        OPENSSL_cleanse(p2,num);
         OPENSSL_free(p2);
 #ifdef TLS_DEBUG
 printf("\nkey block\n");
@@ -683,10 +683,10 @@ int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
 
         tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf),
                 s->session->master_key,s->session->master_key_length,
-                out,buf2,12);
+                out,buf2,sizeof buf2);
         EVP_MD_CTX_cleanup(&ctx);
 
-        return((int)12);
+        return sizeof buf2;
         }
 
 int tls1_mac(SSL *ssl, unsigned char *md, int send)
@@ -773,7 +773,7 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
                 s->s3->server_random,SSL3_RANDOM_SIZE);
         tls1_PRF(s->ctx->md5,s->ctx->sha1,
                 buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len,
-                s->session->master_key,buff,SSL3_MASTER_SECRET_SIZE);
+                s->session->master_key,buff,sizeof buff);
 #ifdef KSSL_DEBUG
         printf ("tls1_generate_master_secret() complete\n");
 #endif  /* KSSL_DEBUG */
diff --git a/src/lib/libssl/t1_meth.c b/src/lib/libssl/t1_meth.c
index 9bb36a7d1c..fcc243f782 100644
--- a/src/lib/libssl/t1_meth.c
+++ b/src/lib/libssl/t1_meth.c
@@ -76,13 +76,21 @@ SSL_METHOD *TLSv1_method(void)
 
         if (init)
                 {
-                memcpy((char *)&TLSv1_data,(char *)tlsv1_base_method(),
-                        sizeof(SSL_METHOD));
-                TLSv1_data.ssl_connect=ssl3_connect;
-                TLSv1_data.ssl_accept=ssl3_accept;
-                TLSv1_data.get_ssl_method=tls1_get_method;
-                init=0;
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+                
+                if (init)
+                        {
+                        memcpy((char *)&TLSv1_data,(char *)tlsv1_base_method(),
+                                sizeof(SSL_METHOD));
+                        TLSv1_data.ssl_connect=ssl3_connect;
+                        TLSv1_data.ssl_accept=ssl3_accept;
+                        TLSv1_data.get_ssl_method=tls1_get_method;
+                        init=0;
+                        }
+
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                 }
+        
         return(&TLSv1_data);
         }
 
diff --git a/src/lib/libssl/t1_srvr.c b/src/lib/libssl/t1_srvr.c
index 6e765e587f..1c1149e49f 100644
--- a/src/lib/libssl/t1_srvr.c
+++ b/src/lib/libssl/t1_srvr.c
@@ -80,11 +80,18 @@ SSL_METHOD *TLSv1_server_method(void)
 
         if (init)
                 {
-                memcpy((char *)&TLSv1_server_data,(char *)tlsv1_base_method(),
-                        sizeof(SSL_METHOD));
-                TLSv1_server_data.ssl_accept=ssl3_accept;
-                TLSv1_server_data.get_ssl_method=tls1_get_server_method;
-                init=0;
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+                if (init)
+                        {
+                        memcpy((char *)&TLSv1_server_data,(char *)tlsv1_base_method(),
+                                sizeof(SSL_METHOD));
+                        TLSv1_server_data.ssl_accept=ssl3_accept;
+                        TLSv1_server_data.get_ssl_method=tls1_get_server_method;
+                        init=0;
+                        }
+                        
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                 }
         return(&TLSv1_server_data);
         }
diff --git a/src/lib/libssl/test/Makefile.ssl b/src/lib/libssl/test/Makefile.ssl
index f489332a65..373f17a929 100644
--- a/src/lib/libssl/test/Makefile.ssl
+++ b/src/lib/libssl/test/Makefile.ssl
@@ -15,6 +15,9 @@ MAKE=		make -f $(MAKEFILE)
 MAKEDEPPROG=    makedepend
 MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 PERL=           perl
+# KRB5 stuff
+KRB5_INCLUDES=
+LIBKRB5=
 
 PEX_LIBS=
 EX_LIBS= #-lnsl -lsocket
@@ -116,158 +119,162 @@ tags:
 tests:  exe apps $(TESTS)
 
 apps:
-        @(cd ../apps; $(MAKE)  CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all)
+        @(cd ..; $(MAKE) DIRS=apps all)
 
-alltests:
-        (LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH=$$LIBPATH; DYLD_LIBRARY_PATH=$$LIBPATH; SHLIB_PATH=$$LIBPATH; \
-                export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH; \
-                $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' alltests.chooser)
-alltests.chooser: \
+SET_SO_PATHS=OSSL_LIBPATH="`cd ..; pwd`"; \
+                LD_LIBRARY_PATH="$$OSSL_LIBPATH:$$LD_LIBRARY_PATH"; \
+                DYLD_LIBRARY_PATH="$$OSSL_LIBPATH:$$DYLD_LIBRARY_PATH"; \
+                SHLIB_PATH="$$OSSL_LIBPATH:$$SHLIB_PATH"; \
+                LIBPATH="$$OSSL_LIBPATH:$$LIBPATH"; \
+                if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="$${LIBPATH}:$$PATH"; fi; \
+                export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH
+
+alltests: \
         test_des test_idea test_sha test_md4 test_md5 test_hmac \
         test_md2 test_mdc2 \
-        test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast test_rd \
+        test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast test_aes \
         test_rand test_bn test_ec test_enc test_x509 test_rsa test_crl test_sid \
         test_gen test_req test_pkcs7 test_verify test_dh test_dsa \
         test_ss test_ca test_engine test_evp test_ssl
 
 test_evp:
-        ./$(EVPTEST) evptests.txt
+        $(SET_SO_PATHS); ./$(EVPTEST) evptests.txt
 
 test_des:
-        ./$(DESTEST)
+        $(SET_SO_PATHS); ./$(DESTEST)
 
 test_idea:
-        ./$(IDEATEST)
+        $(SET_SO_PATHS); ./$(IDEATEST)
 
 test_sha:
-        ./$(SHATEST)
-        ./$(SHA1TEST)
+        $(SET_SO_PATHS); ./$(SHATEST)
+        $(SET_SO_PATHS); ./$(SHA1TEST)
 
 test_mdc2:
-        ./$(MDC2TEST)
+        $(SET_SO_PATHS); ./$(MDC2TEST)
 
 test_md5:
-        ./$(MD5TEST)
+        $(SET_SO_PATHS); ./$(MD5TEST)
 
 test_md4:
-        ./$(MD4TEST)
+        $(SET_SO_PATHS); ./$(MD4TEST)
 
 test_hmac:
-        ./$(HMACTEST)
+        $(SET_SO_PATHS); ./$(HMACTEST)
 
 test_md2:
-        ./$(MD2TEST)
+        $(SET_SO_PATHS); ./$(MD2TEST)
 
 test_rmd:
-        ./$(RMDTEST)
+        $(SET_SO_PATHS); ./$(RMDTEST)
 
 test_bf:
-        ./$(BFTEST)
+        $(SET_SO_PATHS); ./$(BFTEST)
 
 test_cast:
-        ./$(CASTTEST)
+        $(SET_SO_PATHS); ./$(CASTTEST)
 
 test_rc2:
-        ./$(RC2TEST)
+        $(SET_SO_PATHS); ./$(RC2TEST)
 
 test_rc4:
-        ./$(RC4TEST)
+        $(SET_SO_PATHS); ./$(RC4TEST)
 
 test_rc5:
-        ./$(RC5TEST)
+        $(SET_SO_PATHS); ./$(RC5TEST)
 
 test_rand:
-        ./$(RANDTEST)
+        $(SET_SO_PATHS); ./$(RANDTEST)
 
 test_enc:
-        @sh ./testenc
+        @$(SET_SO_PATHS); sh ./testenc
 
 test_x509:
         echo test normal x509v1 certificate
-        sh ./tx509 2>/dev/null
+        $(SET_SO_PATHS); sh ./tx509 2>/dev/null
         echo test first x509v3 certificate
-        sh ./tx509 v3-cert1.pem 2>/dev/null
+        $(SET_SO_PATHS); sh ./tx509 v3-cert1.pem 2>/dev/null
         echo test second x509v3 certificate
-        sh ./tx509 v3-cert2.pem 2>/dev/null
+        $(SET_SO_PATHS); sh ./tx509 v3-cert2.pem 2>/dev/null
 
 test_rsa:
-        @sh ./trsa 2>/dev/null
-        ./$(RSATEST)
+        @$(SET_SO_PATHS); sh ./trsa 2>/dev/null
+        $(SET_SO_PATHS); ./$(RSATEST)
 
 test_crl:
-        @sh ./tcrl 2>/dev/null
+        @$(SET_SO_PATHS); sh ./tcrl 2>/dev/null
 
 test_sid:
-        @sh ./tsid 2>/dev/null
+        @$(SET_SO_PATHS); sh ./tsid 2>/dev/null
 
 test_req:
-        @sh ./treq 2>/dev/null
-        @sh ./treq testreq2.pem 2>/dev/null
+        @$(SET_SO_PATHS); sh ./treq 2>/dev/null
+        @$(SET_SO_PATHS); sh ./treq testreq2.pem 2>/dev/null
 
 test_pkcs7:
-        @sh ./tpkcs7 2>/dev/null
-        @sh ./tpkcs7d 2>/dev/null
+        @$(SET_SO_PATHS); sh ./tpkcs7 2>/dev/null
+        @$(SET_SO_PATHS); sh ./tpkcs7d 2>/dev/null
 
 test_bn:
         @echo starting big number library test, could take a while...
-        @./$(BNTEST) >tmp.bntest
+        @$(SET_SO_PATHS); ./$(BNTEST) >tmp.bntest
         @echo quit >>tmp.bntest
         @echo "running bc"
         @<tmp.bntest sh -c "`sh ./bctest ignore`" | $(PERL) -e '$$i=0; while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"'
         @echo 'test a^b%c implementations'
-        ./$(EXPTEST)
+        $(SET_SO_PATHS); ./$(EXPTEST)
 
 test_ec:
         @echo 'test elliptic curves'
-        ./$(ECTEST)
+        $(SET_SO_PATHS); ./$(ECTEST)
 
 test_verify:
         @echo "The following command should have some OK's and some failures"
         @echo "There are definitly a few expired certificates"
-        -../apps/openssl verify -CApath ../certs ../certs/*.pem
+        -$(SET_SO_PATHS); ../apps/openssl verify -CApath ../certs ../certs/*.pem
 
 test_dh:
         @echo "Generate a set of DH parameters"
-        ./$(DHTEST)
+        $(SET_SO_PATHS); ./$(DHTEST)
 
 test_dsa:
         @echo "Generate a set of DSA parameters"
-        ./$(DSATEST)
-        ./$(DSATEST) -app2_1
+        $(SET_SO_PATHS); ./$(DSATEST)
+        $(SET_SO_PATHS); ./$(DSATEST) -app2_1
 
 test_gen:
         @echo "Generate and verify a certificate request"
-        @sh ./testgen
+        @$(SET_SO_PATHS); sh ./testgen
 
 test_ss keyU.ss certU.ss certCA.ss: testss
         @echo "Generate and certify a test certificate"
-        @sh ./testss
+        @$(SET_SO_PATHS); sh ./testss
 
 test_engine: 
         @echo "Manipulate the ENGINE structures"
-        ./$(ENGINETEST)
+        $(SET_SO_PATHS); ./$(ENGINETEST)
 
 test_ssl: keyU.ss certU.ss certCA.ss
         @echo "test SSL protocol"
-        @sh ./testssl keyU.ss certU.ss certCA.ss
+        @$(SET_SO_PATHS); sh ./testssl keyU.ss certU.ss certCA.ss
 
 test_ca:
-        @if ../apps/openssl no-rsa; then \
+        @$(SET_SO_PATHS); if ../apps/openssl no-rsa; then \
           echo "skipping CA.sh test -- requires RSA"; \
         else \
           echo "Generate and certify a test certificate via the 'ca' program"; \
           sh ./testca; \
         fi
 
-test_rd: #$(RDTEST)
+test_aes: #$(AESTEST)
 #       @echo "test Rijndael"
-#       ./$(RDTEST)
+#       $(SET_SO_PATHS); ./$(AESTEST)
 
 lint:
         lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-        $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(SRC)
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC)
 
 dclean:
         $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -277,101 +284,241 @@ clean:
         rm -f .rnd tmp.bntest tmp.bctest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss *.srl log
 
 $(DLIBSSL):
-        (cd ../ssl; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}')
+        (cd ..; $(MAKE) DIRS=ssl all)
 
 $(DLIBCRYPTO):
-        (cd ../crypto; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}')
+        (cd ..; $(MAKE) DIRS=crypto all)
 
 $(RSATEST): $(RSATEST).o $(DLIBCRYPTO)
-        $(CC) -o $(RSATEST) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(RSATEST) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(RSATEST) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(BNTEST): $(BNTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(BNTEST) $(CFLAGS) $(BNTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(BNTEST) $(CFLAGS) $(BNTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(BNTEST) $(CFLAGS) $(BNTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(ECTEST): $(ECTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(ECTEST) $(CFLAGS) $(ECTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(ECTEST) $(CFLAGS) $(ECTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(ECTEST) $(CFLAGS) $(ECTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(EXPTEST): $(EXPTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(EXPTEST) $(CFLAGS) $(EXPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(EXPTEST) $(CFLAGS) $(EXPTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(EXPTEST) $(CFLAGS) $(EXPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(IDEATEST): $(IDEATEST).o $(DLIBCRYPTO)
-        $(CC) -o $(IDEATEST) $(CFLAGS) $(IDEATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(IDEATEST) $(CFLAGS) $(IDEATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(IDEATEST) $(CFLAGS) $(IDEATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(MD2TEST): $(MD2TEST).o $(DLIBCRYPTO)
-        $(CC) -o $(MD2TEST) $(CFLAGS) $(MD2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(MD2TEST) $(CFLAGS) $(MD2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(MD2TEST) $(CFLAGS) $(MD2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(SHATEST): $(SHATEST).o $(DLIBCRYPTO)
-        $(CC) -o $(SHATEST) $(CFLAGS) $(SHATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(SHATEST) $(CFLAGS) $(SHATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(SHATEST) $(CFLAGS) $(SHATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(SHA1TEST): $(SHA1TEST).o $(DLIBCRYPTO)
-        $(CC) -o $(SHA1TEST) $(CFLAGS) $(SHA1TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(SHA1TEST) $(CFLAGS) $(SHA1TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(SHA1TEST) $(CFLAGS) $(SHA1TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(RMDTEST): $(RMDTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(RMDTEST) $(CFLAGS) $(RMDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(RMDTEST) $(CFLAGS) $(RMDTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(RMDTEST) $(CFLAGS) $(RMDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(MDC2TEST): $(MDC2TEST).o $(DLIBCRYPTO)
-        $(CC) -o $(MDC2TEST) $(CFLAGS) $(MDC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(MDC2TEST) $(CFLAGS) $(MDC2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(MDC2TEST) $(CFLAGS) $(MDC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(MD4TEST): $(MD4TEST).o $(DLIBCRYPTO)
-        $(CC) -o $(MD4TEST) $(CFLAGS) $(MD4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(MD4TEST) $(CFLAGS) $(MD4TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(MD4TEST) $(CFLAGS) $(MD4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(MD5TEST): $(MD5TEST).o $(DLIBCRYPTO)
-        $(CC) -o $(MD5TEST) $(CFLAGS) $(MD5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(MD5TEST) $(CFLAGS) $(MD5TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(MD5TEST) $(CFLAGS) $(MD5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(HMACTEST): $(HMACTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(HMACTEST) $(CFLAGS) $(HMACTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(HMACTEST) $(CFLAGS) $(HMACTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(HMACTEST) $(CFLAGS) $(HMACTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(RC2TEST): $(RC2TEST).o $(DLIBCRYPTO)
-        $(CC) -o $(RC2TEST) $(CFLAGS) $(RC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(RC2TEST) $(CFLAGS) $(RC2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(RC2TEST) $(CFLAGS) $(RC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(BFTEST): $(BFTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(BFTEST) $(CFLAGS) $(BFTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(BFTEST) $(CFLAGS) $(BFTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(BFTEST) $(CFLAGS) $(BFTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(CASTTEST): $(CASTTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(CASTTEST) $(CFLAGS) $(CASTTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(CASTTEST) $(CFLAGS) $(CASTTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(CASTTEST) $(CFLAGS) $(CASTTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(RC4TEST): $(RC4TEST).o $(DLIBCRYPTO)
-        $(CC) -o $(RC4TEST) $(CFLAGS) $(RC4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(RC4TEST) $(CFLAGS) $(RC4TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(RC4TEST) $(CFLAGS) $(RC4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(RC5TEST): $(RC5TEST).o $(DLIBCRYPTO)
-        $(CC) -o $(RC5TEST) $(CFLAGS) $(RC5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(RC5TEST) $(CFLAGS) $(RC5TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(RC5TEST) $(CFLAGS) $(RC5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(DESTEST): $(DESTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(DESTEST) $(CFLAGS) $(DESTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(DESTEST) $(CFLAGS) $(DESTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(DESTEST) $(CFLAGS) $(DESTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(RANDTEST): $(RANDTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(RANDTEST) $(CFLAGS) $(RANDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(RANDTEST) $(CFLAGS) $(RANDTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(RANDTEST) $(CFLAGS) $(RANDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(DHTEST): $(DHTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(DHTEST) $(CFLAGS) $(DHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(DHTEST) $(CFLAGS) $(DHTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(DHTEST) $(CFLAGS) $(DHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(DSATEST): $(DSATEST).o $(DLIBCRYPTO)
-        $(CC) -o $(DSATEST) $(CFLAGS) $(DSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(DSATEST) $(CFLAGS) $(DSATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(DSATEST) $(CFLAGS) $(DSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(METHTEST): $(METHTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(METHTEST) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(METHTEST) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(METHTEST) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(SSLTEST): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
-        $(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(ENGINETEST): $(ENGINETEST).o $(DLIBCRYPTO)
-        $(CC) -o $(ENGINETEST) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(ENGINETEST) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(ENGINETEST) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 $(EVPTEST): $(EVPTEST).o $(DLIBCRYPTO)
-        $(CC) -o $(EVPTEST) $(CFLAGS) $(EVPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o $(EVPTEST) $(CFLAGS) $(EVPTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o $(EVPTEST) $(CFLAGS) $(EVPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
         
-#$(RDTEST).o: $(RDTEST).c
-#       $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(RDTEST).c
+#$(AESTEST).o: $(AESTEST).c
+#       $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
 
-#$(RDTEST): $(RDTEST).o $(DLIBCRYPTO)
-#       $(CC) -o $(RDTEST) $(CFLAGS) $(RDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+#$(AESTEST): $(AESTEST).o $(DLIBCRYPTO)
+#       if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+#         $(CC) -o $(AESTEST) $(CFLAGS) $(AESTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+#       else \
+#         LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+#         $(CC) -o $(AESTEST) $(CFLAGS) $(AESTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+#       fi
 
 dummytest: dummytest.o $(DLIBCRYPTO)
-        $(CC) -o dummytest $(CFLAGS) dummytest.o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+        if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+          $(CC) -o dummytest $(CFLAGS) dummytest.o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
+        else \
+          LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+          $(CC) -o dummytest $(CFLAGS) dummytest.o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
+        fi
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-bftest.o: ../include/openssl/blowfish.h ../include/openssl/e_os2.h
+bftest.o: ../e_os.h ../include/openssl/blowfish.h ../include/openssl/e_os2.h
 bftest.o: ../include/openssl/opensslconf.h bftest.c
 bntest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 bntest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
@@ -394,31 +541,30 @@ bntest.o: ../include/openssl/sha.h ../include/openssl/stack.h
 bntest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
 bntest.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
 bntest.o: ../include/openssl/x509_vfy.h bntest.c
-casttest.o: ../include/openssl/cast.h casttest.c
+casttest.o: ../e_os.h ../include/openssl/cast.h ../include/openssl/e_os2.h
+casttest.o: ../include/openssl/opensslconf.h casttest.c
 destest.o: ../include/openssl/crypto.h ../include/openssl/des.h
 destest.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h
 destest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 destest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 destest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
 destest.o: ../include/openssl/ui_compat.h destest.c
-dhtest.o: ../include/openssl/bio.h ../include/openssl/bn.h
+dhtest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h
 dhtest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
 dhtest.o: ../include/openssl/e_os2.h ../include/openssl/err.h
 dhtest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
 dhtest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 dhtest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
 dhtest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h dhtest.c
-dsatest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-dsatest.o: ../include/openssl/bn.h ../include/openssl/crypto.h
-dsatest.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-dsatest.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+dsatest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h
+dsatest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+dsatest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
 dsatest.o: ../include/openssl/err.h ../include/openssl/lhash.h
 dsatest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 dsatest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
-dsatest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-dsatest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-dsatest.o: ../include/openssl/ui.h dsatest.c
-ectest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+dsatest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+dsatest.o: ../include/openssl/symhacks.h dsatest.c
+ectest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ectest.o: ../include/openssl/bn.h ../include/openssl/crypto.h
 ectest.o: ../include/openssl/dh.h ../include/openssl/dsa.h
 ectest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
@@ -439,7 +585,7 @@ enginetest.o: ../include/openssl/rand.h ../include/openssl/rsa.h
 enginetest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 enginetest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
 enginetest.o: enginetest.c
-evp_test.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+evp_test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 evp_test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 evp_test.o: ../include/openssl/bn.h ../include/openssl/cast.h
 evp_test.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -459,14 +605,14 @@ evp_test.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 evp_test.o: ../include/openssl/sha.h ../include/openssl/stack.h
 evp_test.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
 evp_test.o: ../include/openssl/ui_compat.h evp_test.c
-exptest.o: ../include/openssl/bio.h ../include/openssl/bn.h
+exptest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h
 exptest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 exptest.o: ../include/openssl/err.h ../include/openssl/lhash.h
 exptest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 exptest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
 exptest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 exptest.o: ../include/openssl/symhacks.h exptest.c
-hmactest.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+hmactest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 hmactest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 hmactest.o: ../include/openssl/bn.h ../include/openssl/cast.h
 hmactest.o: ../include/openssl/crypto.h ../include/openssl/des.h
@@ -484,9 +630,9 @@ hmactest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 hmactest.o: ../include/openssl/sha.h ../include/openssl/stack.h
 hmactest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
 hmactest.o: ../include/openssl/ui_compat.h hmactest.c
-ideatest.o: ../include/openssl/idea.h ../include/openssl/opensslconf.h
-ideatest.o: ideatest.c
-md2test.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+ideatest.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/idea.h
+ideatest.o: ../include/openssl/opensslconf.h ideatest.c
+md2test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 md2test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 md2test.o: ../include/openssl/bn.h ../include/openssl/cast.h
 md2test.o: ../include/openssl/crypto.h ../include/openssl/des.h
@@ -503,7 +649,7 @@ md2test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 md2test.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 md2test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 md2test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h md2test.c
-md4test.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+md4test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 md4test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 md4test.o: ../include/openssl/bn.h ../include/openssl/cast.h
 md4test.o: ../include/openssl/crypto.h ../include/openssl/des.h
@@ -520,7 +666,7 @@ md4test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 md4test.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 md4test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 md4test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h md4test.c
-md5test.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+md5test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 md5test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 md5test.o: ../include/openssl/bn.h ../include/openssl/cast.h
 md5test.o: ../include/openssl/crypto.h ../include/openssl/des.h
@@ -537,7 +683,7 @@ md5test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 md5test.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 md5test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 md5test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h md5test.c
-mdc2test.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+mdc2test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 mdc2test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 mdc2test.o: ../include/openssl/bn.h ../include/openssl/cast.h
 mdc2test.o: ../include/openssl/crypto.h ../include/openssl/des.h
@@ -554,12 +700,16 @@ mdc2test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 mdc2test.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 mdc2test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 mdc2test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h mdc2test.c
-randtest.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
-randtest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h randtest.c
+randtest.o: ../e_os.h ../include/openssl/e_os2.h
+randtest.o: ../include/openssl/opensslconf.h ../include/openssl/ossl_typ.h
+randtest.o: ../include/openssl/rand.h randtest.c
+rc2test.o: ../e_os.h ../include/openssl/e_os2.h
 rc2test.o: ../include/openssl/opensslconf.h ../include/openssl/rc2.h rc2test.c
+rc4test.o: ../e_os.h ../include/openssl/e_os2.h
 rc4test.o: ../include/openssl/opensslconf.h ../include/openssl/rc4.h rc4test.c
-rc5test.o: ../include/openssl/rc5.h rc5test.c
-rmdtest.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+rc5test.o: ../e_os.h ../include/openssl/e_os2.h
+rc5test.o: ../include/openssl/opensslconf.h ../include/openssl/rc5.h rc5test.c
+rmdtest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 rmdtest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 rmdtest.o: ../include/openssl/bn.h ../include/openssl/cast.h
 rmdtest.o: ../include/openssl/crypto.h ../include/openssl/des.h
@@ -578,15 +728,13 @@ rmdtest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 rmdtest.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h rmdtest.c
 rsa_test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 rsa_test.o: ../include/openssl/bn.h ../include/openssl/crypto.h
-rsa_test.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-rsa_test.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-rsa_test.o: ../include/openssl/err.h ../include/openssl/lhash.h
-rsa_test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-rsa_test.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
-rsa_test.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-rsa_test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-rsa_test.o: ../include/openssl/ui.h rsa_test.c
-sha1test.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+rsa_test.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+rsa_test.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+rsa_test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+rsa_test.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+rsa_test.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+rsa_test.o: ../include/openssl/symhacks.h rsa_test.c
+sha1test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 sha1test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 sha1test.o: ../include/openssl/bn.h ../include/openssl/cast.h
 sha1test.o: ../include/openssl/crypto.h ../include/openssl/des.h
@@ -603,7 +751,7 @@ sha1test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 sha1test.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 sha1test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 sha1test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h sha1test.c
-shatest.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+shatest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 shatest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 shatest.o: ../include/openssl/bn.h ../include/openssl/cast.h
 shatest.o: ../include/openssl/crypto.h ../include/openssl/des.h
diff --git a/src/lib/libssl/test/maketests.com b/src/lib/libssl/test/maketests.com
index 91e859deab..7c44e4545a 100644
--- a/src/lib/libssl/test/maketests.com
+++ b/src/lib/libssl/test/maketests.com
@@ -16,22 +16,10 @@ $!  The test "executeables" will be placed in a directory called
 $!  [.xxx.EXE.TEST] where "xxx" denotes AXP or VAX depending on your machines
 $!  architecture.
 $!
-$!  Specify RSAREF as P1 to compile with the RSAREF library instead of
-$!  the regular one.  If you specify NORSAREF it will compile with the
-$!  regular RSAREF routines.  (Note: If you are in the United States
-$!  you MUST compile with RSAREF unless you have a license from RSA).
-$!
-$!  Note: The RSAREF libraries are NOT INCLUDED and you have to
-$!        download it from "ftp://ftp.rsa.com/rsaref".  You have to
-$!        get the ".tar-Z" file as the ".zip" file dosen't have the
-$!        directory structure stored.  You have to extract the file
-$!        into the [.RSAREF] directory under the root directory as that
-$!        is where the scripts will look for the files.
-$!
-$!  Specify DEBUG or NODEBUG P2 to compile with or without debugger
+$!  Specify DEBUG or NODEBUG P1 to compile with or without debugger
 $!  information.
 $!
-$!  Specify which compiler at P3 to try to compile under.
+$!  Specify which compiler at P2 to try to compile under.
 $!
 $!         VAXC  For VAX C.
 $!         DECC  For DEC C.
@@ -40,13 +28,13 @@ $!
 $!  If you don't speficy a compiler, it will try to determine which
 $!  "C" compiler to use.
 $!
-$!  P4, if defined, sets a TCP/IP library to use, through one of the following
+$!  P3, if defined, sets a TCP/IP library to use, through one of the following
 $!  keywords:
 $!
 $!      UCX             for UCX
 $!      SOCKETSHR       for SOCKETSHR+NETLIB
 $!
-$!  P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
+$!  P4, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
 $!
 $!
 $! Define A TCP/IP Library That We Will Need To Link To.
@@ -91,10 +79,6 @@ $! Define The CRYPTO-LIB We Are To Use.
 $!
 $ CRYPTO_LIB := SYS$DISK:[-.'ARCH'.EXE.CRYPTO]LIBCRYPTO.OLB
 $!
-$! Define The RSAREF-LIB We Are To Use.
-$!
-$ RSAREF_LIB := SYS$DISK:[-.'ARCH'.EXE.RSAREF]LIBRSAGLUE.OLB
-$!
 $! Define The SSL We Are To Use.
 $!
 $ SSL_LIB := SYS$DISK:[-.'ARCH'.EXE.SSL]LIBSSL.OLB
@@ -227,74 +211,32 @@ $!
 $ ENDIF
 $!
 $! Link The Program, Check To See If We Need To Link With RSAREF Or Not.
+$! Check To See If We Are To Link With A Specific TCP/IP Library.
 $!
-$ IF (RSAREF.EQS."TRUE")
+$ IF (TCPIP_LIB.NES."")
 $ THEN
 $!
-$!  Check To See If We Are To Link With A Specific TCP/IP Library.
-$!
-$   IF (TCPIP_LIB.NES."")
-$   THEN
-$!
-$!    Link With The RSAREF Library And A Specific TCP/IP Library.
-$!
-$     LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
-          'OBJECT_FILE',-
-          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
-          'TCPIP_LIB','OPT_FILE'/OPTION
-$!
-$!  Else...
-$!
-$   ELSE
-$!
-$!    Link With The RSAREF Library And NO TCP/IP Library.
-$!
-$     LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
-          'OBJECT_FILE', -
-          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
-          'OPT_FILE'/OPTION
-$!
-$!  End The TCP/IP Library Check.
-$!
-$   ENDIF
-$!
-$! Else...
-$!
-$ ELSE
-$!
-$!  Don't Link With The RSAREF Routines.
-$!
-$!
-$!  Check To See If We Are To Link With A Specific TCP/IP Library.
-$!
-$   IF (TCPIP_LIB.NES."")
-$   THEN
-$!
-$!    Don't Link With The RSAREF Routines And TCP/IP Library.
+$!  Don't Link With The RSAREF Routines And TCP/IP Library.
 $!
 $   LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
         'OBJECT_FILE', -
         'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
         'TCPIP_LIB','OPT_FILE'/OPTION
 $!
-$!  Else...
+$! Else...
 $!
-$   ELSE
+$ ELSE
 $!
-$!    Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
+$!  Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
 $!
 $   LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
         'OBJECT_FILE', -
         'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
         'OPT_FILE'/OPTION
 $!
-$!  End The TCP/IP Library Check.
-$!
-$   ENDIF
-$!
-$! End The RSAREF Link Check.
+$! End The TCP/IP Library Check.
 $!
-$ ENDIF 
+$ ENDIF
 $!
 $! Go Back And Do It Again.
 $!
@@ -459,32 +401,6 @@ $! End The Crypto Library Check.
 $!
 $ ENDIF
 $!
-$! See If We Need The RSAREF Library...
-$!
-$ IF (RSAREF.EQS."TRUE")
-$ THEN
-$!
-$!  Look For The Library LIBRSAGLUE.OLB.
-$!
-$   IF (F$SEARCH(RSAREF_LIB).EQS."")
-$   THEN
-$!
-$!    Tell The User We Can't Find The LIBRSAGLUE.OLB Library.
-$!
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "Can't Find The Library ",RSAREF_LIB,"."
-$     WRITE SYS$OUTPUT "We Can't Link Without It."
-$     WRITE SYS$OUTPUT ""
-$!
-$!    Since We Can't Link Without It, Exit.
-$!
-$     EXIT
-$   ENDIF
-$!
-$! End The RSAREF Library Check.
-$!
-$ ENDIF
-$!
 $! Look For The Library LIBSSL.OLB.
 $!
 $ IF (F$SEARCH(SSL_LIB).EQS."")
@@ -515,75 +431,10 @@ $ CHECK_OPTIONS:
 $!
 $! Check To See If P1 Is Blank.
 $!
-$ P1 = "NORSAREF"
-$ IF (P1.EQS."NORSAREF")
-$ THEN
-$!
-$!   P1 Is NORSAREF, So Compile With The Regular RSA Libraries.
-$!
-$    RSAREF = "FALSE"
-$ ELSE
-$!
-$!  Check To See If We Are To Use The RSAREF Library.
-$!
-$   IF (P1.EQS."RSAREF")
-$   THEN
-$!
-$!    Check To Make Sure We Have The RSAREF Source Code Directory.
-$!
-$     IF (F$SEARCH("SYS$DISK:[-.RSAREF]SOURCE.DIR").EQS."")
-$     THEN
-$!
-$!      We Don't Have The RSAREF Souce Code Directory, So Tell The
-$!      User This.
-$!
-$       WRITE SYS$OUTPUT ""
-$       WRITE SYS$OUTPUT "It appears that you don't have the RSAREF Souce Code."
-$       WRITE SYS$OUTPUT "You need to go to 'ftp://ftp.rsa.com/rsaref'.  You have to"
-$       WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file dosen't have the"
-$       WRITE SYS$OUTPUT "directory structure stored.  You have to extract the file"
-$       WRITE SYS$OUTPUT "into the [.RSAREF] directory under the root directory"
-$       WRITE SYS$OUTPUT "as that is where the scripts will look for the files."
-$       WRITE SYS$OUTPUT ""
-$!
-$!      Time To Exit.
-$!
-$       EXIT
-$!
-$!    Else, Compile Using The RSAREF Library.
-$!
-$     ELSE
-$       RSAREF = "TRUE"
-$     ENDIF
-$   ELSE 
-$!
-$!    They Entered An Invalid Option..
-$!
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
-$     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "     RSAREF   :  Compile With The RSAREF Library."
-$     WRITE SYS$OUTPUT "     NORSAREF :  Compile With The Regular RSA Library."
-$     WRITE SYS$OUTPUT ""
-$!
-$!    Time To EXIT.
-$!
-$     EXIT
-$!
-$!  End The Valid Arguement Check.
-$!
-$   ENDIF
-$!
-$! End The P1 Check.
-$!
-$ ENDIF
-$!
-$! Check To See If P2 Is Blank.
-$!
-$ IF (P2.EQS."NODEBUG")
+$ IF (P1.EQS."NODEBUG")
 $ THEN
 $!
-$!   P2 Is NODEBUG, So Compile Without Debugger Information.
+$!   P1 Is NODEBUG, So Compile Without Debugger Information.
 $!
 $    DEBUGGER  = "NODEBUG"
 $    TRACEBACK = "NOTRACEBACK" 
@@ -598,7 +449,7 @@ $ ELSE
 $!
 $!  Check To See If We Are To Compile With Debugger Information.
 $!
-$   IF (P2.EQS."DEBUG")
+$   IF (P1.EQS."DEBUG")
 $   THEN
 $!
 $!    Compile With Debugger Information.
@@ -617,7 +468,7 @@ $!
 $!    Tell The User Entered An Invalid Option..
 $!
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "    DEBUG    :  Compile With The Debugger Information."
 $     WRITE SYS$OUTPUT "    NODEBUG  :  Compile Without The Debugger Information."
@@ -631,13 +482,13 @@ $!  End The Valid Arguement Check.
 $!
 $   ENDIF
 $!
-$! End The P3 Check.
+$! End The P2 Check.
 $!
 $ ENDIF
 $!
-$! Check To See If P3 Is Blank.
+$! Check To See If P2 Is Blank.
 $!
-$ IF (P3.EQS."")
+$ IF (P2.EQS."")
 $ THEN
 $!
 $!  O.K., The User Didn't Specify A Compiler, Let's Try To
@@ -650,7 +501,7 @@ $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
 $!
-$     P3 = "GNUC"
+$     P2 = "GNUC"
 $!
 $!  End The GNU C Compiler Check.
 $!
@@ -663,7 +514,7 @@ $     THEN
 $!
 $!      Looks Like DECC, Set To Use DECC.
 $!
-$       P3 = "DECC"
+$       P2 = "DECC"
 $!
 $!      Else...
 $!
@@ -671,7 +522,7 @@ $     ELSE
 $!
 $!      Looks Like VAXC, Set To Use VAXC.
 $!
-$       P3 = "VAXC"
+$       P2 = "VAXC"
 $!
 $!    End The VAXC Compiler Check.
 $!
@@ -685,9 +536,9 @@ $!  End The Compiler Check.
 $!
 $ ENDIF
 $!
-$! Check To See If We Have A Option For P4.
+$! Check To See If We Have A Option For P3.
 $!
-$ IF (P4.EQS."")
+$ IF (P3.EQS."")
 $ THEN
 $!
 $!  Find out what socket library we have available
@@ -697,7 +548,7 @@ $   THEN
 $!
 $!    We have SOCKETSHR, and it is my opinion that it's the best to use.
 $!
-$     P4 = "SOCKETSHR"
+$     P3 = "SOCKETSHR"
 $!
 $!    Tell the user
 $!
@@ -717,7 +568,7 @@ $     THEN
 $!
 $!      Last resort: a UCX or UCX-compatible library
 $!
-$       P4 = "UCX"
+$       P3 = "UCX"
 $!
 $!      Tell the user
 $!
@@ -731,7 +582,7 @@ $ ENDIF
 $!
 $! Set Up Initial CC Definitions, Possibly With User Ones
 $!
-$ CCDEFS = "TCPIP_TYPE_''P4'"
+$ CCDEFS = "TCPIP_TYPE_''P3'"
 $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
@@ -741,12 +592,12 @@ $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
 $!
 $!  Check To See If The User Entered A Valid Paramter.
 $!
-$ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC")
+$ IF (P2.EQS."VAXC").OR.(P2.EQS."DECC").OR.(P2.EQS."GNUC")
 $ THEN
 $!
 $!  Check To See If The User Wanted DECC.
 $!
-$   IF (P3.EQS."DECC")
+$   IF (P2.EQS."DECC")
 $   THEN
 $!
 $!    Looks Like DECC, Set To Use DECC.
@@ -776,7 +627,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use VAXC.
 $!
-$   IF (P3.EQS."VAXC")
+$   IF (P2.EQS."VAXC")
 $   THEN
 $!
 $!    Looks Like VAXC, Set To Use VAXC.
@@ -814,7 +665,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use GNU C.
 $!
-$   IF (P3.EQS."GNUC")
+$   IF (P2.EQS."GNUC")
 $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
@@ -842,31 +693,6 @@ $!  Set up default defines
 $!
 $   CCDEFS = """FLAT_INC=1""," + CCDEFS
 $!
-$!  Check To See If We Are To Compile With RSAREF Routines.
-$!
-$   IF (RSAREF.EQS."TRUE")
-$   THEN
-$!
-$!    Compile With RSAREF.
-$!
-$     CCDEFS = CCDEFS + ",""RSAref=1"""
-$!
-$!    Tell The User This.
-$!
-$     WRITE SYS$OUTPUT "Compiling With RSAREF Routines."
-$!
-$!    Else, We Don't Care.  Compile Without The RSAREF Library.
-$!
-$   ELSE
-$!
-$!    Tell The User We Are Compile Without The RSAREF Routines.
-$!
-$     WRITE SYS$OUTPUT "Compiling Without The RSAREF Routines.
-$!
-$!  End The RSAREF Check.
-$!
-$   ENDIF
-$!
 $!  Finish up the definition of CC.
 $!
 $   IF COMPILER .EQS. "DECC"
@@ -896,7 +722,7 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    VAXC  :  To Compile With VAX C."
 $   WRITE SYS$OUTPUT "    DECC  :  To Compile With DEC C."
@@ -910,13 +736,13 @@ $ ENDIF
 $!
 $! Time to check the contents, and to make sure we get the correct library.
 $!
-$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX" -
-     .OR. P4.EQS."TCPIP" .OR. P4.EQS."NONE"
+$ IF P3.EQS."SOCKETSHR" .OR. P3.EQS."MULTINET" .OR. P3.EQS."UCX" -
+     .OR. P3.EQS."TCPIP" .OR. P3.EQS."NONE"
 $ THEN
 $!
 $!  Check to see if SOCKETSHR was chosen
 $!
-$   IF P4.EQS."SOCKETSHR"
+$   IF P3.EQS."SOCKETSHR"
 $   THEN
 $!
 $!    Set the library to use SOCKETSHR
@@ -929,12 +755,12 @@ $   ENDIF
 $!
 $!  Check to see if MULTINET was chosen
 $!
-$   IF P4.EQS."MULTINET"
+$   IF P3.EQS."MULTINET"
 $   THEN
 $!
 $!    Set the library to use UXC emulation.
 $!
-$     P4 = "UCX"
+$     P3 = "UCX"
 $!
 $!    Done with MULTINET
 $!
@@ -942,7 +768,7 @@ $   ENDIF
 $!
 $!  Check to see if UCX was chosen
 $!
-$   IF P4.EQS."UCX"
+$   IF P3.EQS."UCX"
 $   THEN
 $!
 $!    Set the library to use UCX.
@@ -962,7 +788,7 @@ $   ENDIF
 $!
 $!  Check to see if TCPIP was chosen
 $!
-$   IF P4.EQS."TCPIP"
+$   IF P3.EQS."TCPIP"
 $   THEN
 $!
 $!    Set the library to use TCPIP (post UCX).
@@ -975,7 +801,7 @@ $   ENDIF
 $!
 $!  Check to see if NONE was chosen
 $!
-$   IF P4.EQS."NONE"
+$   IF P3.EQS."NONE"
 $   THEN
 $!
 $!    Do not use a TCPIP library.
@@ -997,7 +823,7 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    SOCKETSHR  :  To link with SOCKETSHR TCP/IP library."
 $   WRITE SYS$OUTPUT "    UCX        :  To link with UCX TCP/IP library."
@@ -1018,9 +844,9 @@ $! Written By:  Richard Levitte
 $!              richard@levitte.org
 $!
 $!
-$! Check To See If We Have A Option For P5.
+$! Check To See If We Have A Option For P4.
 $!
-$ IF (P5.EQS."")
+$ IF (P4.EQS."")
 $ THEN
 $!
 $!  Get The Version Of VMS We Are Using.
@@ -1042,7 +868,7 @@ $!  End The VMS Version Check.
 $!
 $   ENDIF
 $!
-$! End The P5 Check.
+$! End The P4 Check.
 $!
 $ ENDIF
 $!
diff --git a/src/lib/libssl/test/methtest.c b/src/lib/libssl/test/methtest.c
index 06ccb3b310..005c2f4822 100644
--- a/src/lib/libssl/test/methtest.c
+++ b/src/lib/libssl/test/methtest.c
@@ -96,10 +96,10 @@ char *argv[];
         METH_init(top);
         METH_control(tmp1,METH_CONTROL_DUMP,stdout);
         METH_control(tmp2,METH_CONTROL_DUMP,stdout);
-        exit(0);
+        EXIT(0);
 err:
         ERR_load_crypto_strings();
         ERR_print_errors_fp(stderr);
-        exit(1);
+        EXIT(1);
         return(0);
         }
diff --git a/src/lib/libssl/test/testgen b/src/lib/libssl/test/testgen
index 55c496f4bc..3798543e04 100644
--- a/src/lib/libssl/test/testgen
+++ b/src/lib/libssl/test/testgen
@@ -27,6 +27,8 @@ fi
 
 echo "This could take some time."
 
+rm -f testkey.pem testreq.pem
+
 ../apps/openssl req -config test.cnf $req_new -out testreq.pem
 if [ $? != 0 ]; then
 echo problems creating request
diff --git a/src/lib/libssl/test/testssl b/src/lib/libssl/test/testssl
index ba5e41c861..ca8e718022 100644
--- a/src/lib/libssl/test/testssl
+++ b/src/lib/libssl/test/testssl
@@ -121,8 +121,12 @@ $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
 
 #############################################################################
 
-echo test tls1 with 1024bit anonymous DH, multiple handshakes
-$ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
+if ../apps/openssl no-dh; then
+  echo skipping anonymous DH tests
+else
+  echo test tls1 with 1024bit anonymous DH, multiple handshakes
+  $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
+fi
 
 if ../apps/openssl no-rsa; then
   echo skipping RSA tests
@@ -130,8 +134,12 @@ else
   echo test tls1 with 1024bit RSA, no DHE, multiple handshakes
   ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
 
-  echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
-  ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
+  if ../apps/openssl no-dh; then
+    echo skipping RSA+DHE tests
+  else
+    echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
+    ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
+  fi
 fi
 
 exit 0
diff --git a/src/lib/libssl/test/testssl.com b/src/lib/libssl/test/testssl.com
index 785f262f5a..26308f7715 100644
--- a/src/lib/libssl/test/testssl.com
+++ b/src/lib/libssl/test/testssl.com
@@ -159,16 +159,25 @@ $	if $severity .ne. 1 then goto exit3
 $
 $!###########################################################################
 $
-$       write sys$output "test tls1 with 1024bit anonymous DH, multiple handshakes"
-$       'ssltest' -v -bio_pair -tls1 -cipher "ADH" -dhe1024dsa -num 10 -f -time
-$       if $severity .ne. 1 then goto exit3
-$
 $       set noon
 $       define/user sys$output nla0:
 $       mcr 'exe_dir'openssl no-rsa
-$       save_severity=$SEVERITY
+$       no_rsa=$SEVERITY
+$       define/user sys$output nla0:
+$       mcr 'exe_dir'openssl no-dh
+$       no_dh=$SEVERITY
 $       set on
-$       if save_severity
+$
+$       if no_dh
+$       then
+$           write sys$output "skipping anonymous DH tests"
+$       else
+$           write sys$output "test tls1 with 1024bit anonymous DH, multiple handshakes"
+$           'ssltest' -v -bio_pair -tls1 -cipher "ADH" -dhe1024dsa -num 10 -f -time
+$           if $severity .ne. 1 then goto exit3
+$       endif
+$
+$       if no_rsa
 $       then
 $           write sys$output "skipping RSA tests"
 $       else
@@ -176,9 +185,14 @@ $	    write sys$output "test tls1 with 1024bit RSA, no DHE, multiple handshakes"
 $           mcr 'texe_dir'ssltest -v -bio_pair -tls1 -cert [-.apps]server2.pem -no_dhe -num 10 -f -time
 $           if $severity .ne. 1 then goto exit3
 $
-$           write sys$output "test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes"
-$           mcr 'texe_dir'ssltest -v -bio_pair -tls1 -cert [-.apps]server2.pem -dhe1024dsa -num 10 -f -time
-$           if $severity .ne. 1 then goto exit3
+$           if no_dh
+$           then
+$               write sys$output "skipping RSA+DHE tests"
+$           else
+$               write sys$output "test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes"
+$               mcr 'texe_dir'ssltest -v -bio_pair -tls1 -cert [-.apps]server2.pem -dhe1024dsa -num 10 -f -time
+$               if $severity .ne. 1 then goto exit3
+$           endif
 $       endif
 $
 $       RET = 1