558 files changed, 8825 insertions, 2743 deletions
diff --git a/src/lib/libcrypto/aes/aes.h b/src/lib/libcrypto/aes/aes.h
index da067f4a8f..8a3ea0b883 100644
--- a/src/lib/libcrypto/aes/aes.h
+++ b/src/lib/libcrypto/aes/aes.h
@@ -52,6 +52,8 @@
 #ifndef HEADER_AES_H
 #define HEADER_AES_H
+#include <openssl/e_os2.h>
 #ifdef OPENSSL_NO_AES
 #error AES is disabled.
 #endif
@@ -64,6 +66,10 @@
 #define AES_MAXNR 14
 #define AES_BLOCK_SIZE 16
+#if defined(OPENSSL_FIPS)
+#define FIPS_AES_SIZE_T int
+#endif
 #ifdef  __cplusplus
 extern "C" {
 #endif
@@ -95,6 +101,15 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
 void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
        const unsigned long length, const AES_KEY *key,
        unsigned char *ivec, int *num, const int enc);
+void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *ivec, int *num, const int enc);
+void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *ivec, int *num, const int enc);
+void AES_cfbr_encrypt_block(const unsigned char *in,unsigned char *out,
+                            const int nbits,const AES_KEY *key,
+                            unsigned char *ivec,const int enc);
 void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
        const unsigned long length, const AES_KEY *key,
        unsigned char *ivec, int *num);
diff --git a/src/lib/libcrypto/aes/aes_cbc.c b/src/lib/libcrypto/aes/aes_cbc.c
index 1222a21002..d2ba6bcdb4 100644
--- a/src/lib/libcrypto/aes/aes_cbc.c
+++ b/src/lib/libcrypto/aes/aes_cbc.c
@@ -66,6 +66,7 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
        unsigned long n;
        unsigned long len = length;
        unsigned char tmp[AES_BLOCK_SIZE];
+        const unsigned char *iv = ivec;
        assert(in && out && key && ivec);
        assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
@@ -73,22 +74,39 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
        if (AES_ENCRYPT == enc) {
                while (len >= AES_BLOCK_SIZE) {
                        for(n=0; n < AES_BLOCK_SIZE; ++n)
-                                tmp[n] = in[n] ^ ivec[n];
+                                out[n] = in[n] ^ iv[n];
-                        AES_encrypt(tmp, out, key);
+                        AES_encrypt(out, out, key);
-                        memcpy(ivec, out, AES_BLOCK_SIZE);
+                        iv = out;
                        len -= AES_BLOCK_SIZE;
                        in += AES_BLOCK_SIZE;
                        out += AES_BLOCK_SIZE;
                }
                if (len) {
                        for(n=0; n < len; ++n)
-                                tmp[n] = in[n] ^ ivec[n];
+                                out[n] = in[n] ^ iv[n];
                        for(n=len; n < AES_BLOCK_SIZE; ++n)
-                                tmp[n] = ivec[n];
+                                out[n] = iv[n];
-                        AES_encrypt(tmp, tmp, key);
+                        AES_encrypt(out, out, key);
-                        memcpy(out, tmp, AES_BLOCK_SIZE);
+                        iv = out;
-                        memcpy(ivec, tmp, AES_BLOCK_SIZE);
+                }
-                }                       
+                memcpy(ivec,iv,AES_BLOCK_SIZE);
+        } else if (in != out) {
+                while (len >= AES_BLOCK_SIZE) {
+                        AES_decrypt(in, out, key);
+                        for(n=0; n < AES_BLOCK_SIZE; ++n)
+                                out[n] ^= iv[n];
+                        iv = in;
+                        len -= AES_BLOCK_SIZE;
+                        in  += AES_BLOCK_SIZE;
+                        out += AES_BLOCK_SIZE;
+                }
+                if (len) {
+                        AES_decrypt(in,tmp,key);
+                        for(n=0; n < len; ++n)
+                                out[n] = tmp[n] ^ iv[n];
+                        iv = in;
+                }
+                memcpy(ivec,iv,AES_BLOCK_SIZE);
        } else {
                while (len >= AES_BLOCK_SIZE) {
                        memcpy(tmp, in, AES_BLOCK_SIZE);
@@ -102,10 +120,12 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
                }
                if (len) {
                        memcpy(tmp, in, AES_BLOCK_SIZE);
-                        AES_decrypt(tmp, tmp, key);
+                        AES_decrypt(tmp, out, key);
                        for(n=0; n < len; ++n)
-                                out[n] = tmp[n] ^ ivec[n];
+                                out[n] ^= ivec[n];
+                        for(n=len; n < AES_BLOCK_SIZE; ++n)
+                                out[n] = tmp[n];
                        memcpy(ivec, tmp, AES_BLOCK_SIZE);
-                }                       
+                }
        }
 }
diff --git a/src/lib/libcrypto/aes/aes_cfb.c b/src/lib/libcrypto/aes/aes_cfb.c
index 9b569dda90..49f0411010 100644
--- a/src/lib/libcrypto/aes/aes_cfb.c
+++ b/src/lib/libcrypto/aes/aes_cfb.c
@@ -114,6 +114,7 @@
 #include <openssl/aes.h>
 #include "aes_locl.h"
+#include "e_os.h"
 /* The input and output encrypted as though 128bit cfb mode is being
 * used.  The extra state information to record how much of the
@@ -155,3 +156,70 @@ void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
        *num=n;
 }
+/* This expects a single block of size nbits for both in and out. Note that
+   it corrupts any extra bits in the last byte of out */
+void AES_cfbr_encrypt_block(const unsigned char *in,unsigned char *out,
+                            const int nbits,const AES_KEY *key,
+                            unsigned char *ivec,const int enc)
+    {
+    int n,rem,num;
+    unsigned char ovec[AES_BLOCK_SIZE*2];
+    if (nbits<=0 || nbits>128) return;
+        /* fill in the first half of the new IV with the current IV */
+        memcpy(ovec,ivec,AES_BLOCK_SIZE);
+        /* construct the new IV */
+        AES_encrypt(ivec,ivec,key);
+        num = (nbits+7)/8;
+        if (enc)        /* encrypt the input */
+            for(n=0 ; n < num ; ++n)
+                out[n] = (ovec[AES_BLOCK_SIZE+n] = in[n] ^ ivec[n]);
+        else            /* decrypt the input */
+            for(n=0 ; n < num ; ++n)
+                out[n] = (ovec[AES_BLOCK_SIZE+n] = in[n]) ^ ivec[n];
+        /* shift ovec left... */
+        rem = nbits%8;
+        num = nbits/8;
+        if(rem==0)
+            memcpy(ivec,ovec+num,AES_BLOCK_SIZE);
+        else
+            for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
+                ivec[n] = ovec[n+num]<<rem | ovec[n+num+1]>>(8-rem);
+    /* it is not necessary to cleanse ovec, since the IV is not secret */
+    }
+/* N.B. This expects the input to be packed, MS bit first */
+void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out,
+                      const unsigned long length, const AES_KEY *key,
+                      unsigned char *ivec, int *num, const int enc)
+    {
+    unsigned int n;
+    unsigned char c[1],d[1];
+    assert(in && out && key && ivec && num);
+    assert(*num == 0);
+    memset(out,0,(length+7)/8);
+    for(n=0 ; n < length ; ++n)
+        {
+        c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
+        AES_cfbr_encrypt_block(c,d,1,key,ivec,enc);
+        out[n/8]=(out[n/8]&~(1 << (7-n%8)))|((d[0]&0x80) >> (n%8));
+        }
+    }
+void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out,
+                      const unsigned long length, const AES_KEY *key,
+                      unsigned char *ivec, int *num, const int enc)
+    {
+    unsigned int n;
+    assert(in && out && key && ivec && num);
+    assert(*num == 0);
+    for(n=0 ; n < length ; ++n)
+        AES_cfbr_encrypt_block(&in[n],&out[n],8,key,ivec,enc);
+    }
diff --git a/src/lib/libcrypto/aes/aes_core.c b/src/lib/libcrypto/aes/aes_core.c
index 2f41a825f8..ed566a8123 100644
--- a/src/lib/libcrypto/aes/aes_core.c
+++ b/src/lib/libcrypto/aes/aes_core.c
@@ -37,8 +37,11 @@
 #include <stdlib.h>
 #include <openssl/aes.h>
+#include <openssl/fips.h>
 #include "aes_locl.h"
+#ifndef OPENSSL_FIPS
 /*
 Te0[x] = S [x].[02, 01, 01, 03];
 Te1[x] = S [x].[03, 02, 01, 01];
@@ -1255,3 +1258,4 @@ void AES_decrypt(const unsigned char *in, unsigned char *out,
        PUTU32(out + 12, s3);
 }
+#endif /* ndef OPENSSL_FIPS */
diff --git a/src/lib/libcrypto/aes/aes_ctr.c b/src/lib/libcrypto/aes/aes_ctr.c
index 79e1c18f19..f36982be1e 100644
--- a/src/lib/libcrypto/aes/aes_ctr.c
+++ b/src/lib/libcrypto/aes/aes_ctr.c
@@ -59,7 +59,7 @@
 #include <openssl/aes.h>
 #include "aes_locl.h"
-/* NOTE: CTR mode is big-endian.  The rest of the AES code
+/* NOTE: the IV/counter CTR mode is big-endian.  The rest of the AES code
 * is endian-neutral. */
 /* increment counter (128-bit int) by 1 */
@@ -67,61 +67,36 @@ static void AES_ctr128_inc(unsigned char *counter) {
        unsigned long c;
        /* Grab bottom dword of counter and increment */
-#ifdef L_ENDIAN
-        c = GETU32(counter +  0);
-        c++;
-        PUTU32(counter +  0, c);
-#else
        c = GETU32(counter + 12);
-        c++;
+        c++;    c &= 0xFFFFFFFF;
        PUTU32(counter + 12, c);
-#endif
        /* if no overflow, we're done */
        if (c)
                return;
        /* Grab 1st dword of counter and increment */
-#ifdef L_ENDIAN
-        c = GETU32(counter +  4);
-        c++;
-        PUTU32(counter +  4, c);
-#else
        c = GETU32(counter +  8);
-        c++;
+        c++;    c &= 0xFFFFFFFF;
        PUTU32(counter +  8, c);
-#endif
        /* if no overflow, we're done */
        if (c)
                return;
        /* Grab 2nd dword of counter and increment */
-#ifdef L_ENDIAN
-        c = GETU32(counter +  8);
-        c++;
-        PUTU32(counter +  8, c);
-#else
        c = GETU32(counter +  4);
-        c++;
+        c++;    c &= 0xFFFFFFFF;
        PUTU32(counter +  4, c);
-#endif
        /* if no overflow, we're done */
        if (c)
                return;
        /* Grab top dword of counter and increment */
-#ifdef L_ENDIAN
-        c = GETU32(counter + 12);
-        c++;
-        PUTU32(counter + 12, c);
-#else
        c = GETU32(counter +  0);
-        c++;
+        c++;    c &= 0xFFFFFFFF;
        PUTU32(counter +  0, c);
-#endif
 }
 /* The input encrypted as though 128bit counter mode is being
diff --git a/src/lib/libcrypto/aes/aes_locl.h b/src/lib/libcrypto/aes/aes_locl.h
index f290946058..4184729e34 100644
--- a/src/lib/libcrypto/aes/aes_locl.h
+++ b/src/lib/libcrypto/aes/aes_locl.h
@@ -62,7 +62,7 @@
 #include <stdlib.h>
 #include <string.h>
-#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE)
+#if defined(_MSC_VER) && !defined(_M_IA64) && !defined(OPENSSL_SYS_WINCE)
 # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
 # define GETU32(p) SWAP(*((u32 *)(p)))
 # define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
diff --git a/src/lib/libcrypto/asn1/a_bitstr.c b/src/lib/libcrypto/asn1/a_bitstr.c
index f4ea96cd54..b81bf4fc81 100644
--- a/src/lib/libcrypto/asn1/a_bitstr.c
+++ b/src/lib/libcrypto/asn1/a_bitstr.c
@@ -194,8 +194,12 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
                        c=(unsigned char *)OPENSSL_realloc_clean(a->data,
                                                                 a->length,
                                                                 w+1);
-                if (c == NULL) return(0);
+                if (c == NULL)
-                if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length);
+                        {
+                        ASN1err(ASN1_F_ASN1_BIT_STRING_SET_BIT,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                        }
+                if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length);
                a->data=c;
                a->length=w+1;
        }
diff --git a/src/lib/libcrypto/asn1/a_digest.c b/src/lib/libcrypto/asn1/a_digest.c
index 4931e222a0..7182e9fa5d 100644
--- a/src/lib/libcrypto/asn1/a_digest.c
+++ b/src/lib/libcrypto/asn1/a_digest.c
@@ -65,6 +65,7 @@
 # include <sys/types.h>
 #endif
+#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
 #include <openssl/x509.h>
@@ -78,7 +79,11 @@ int ASN1_digest(int (*i2d)(), const EVP_MD *type, char *data,
        unsigned char *str,*p;
        i=i2d(data,NULL);
-        if ((str=(unsigned char *)OPENSSL_malloc(i)) == NULL) return(0);
+        if ((str=(unsigned char *)OPENSSL_malloc(i)) == NULL)
+                {
+                ASN1err(ASN1_F_ASN1_DIGEST,ERR_R_MALLOC_FAILURE);
+                return(0);
+                }
        p=str;
        i2d(data,&p);
diff --git a/src/lib/libcrypto/asn1/a_enum.c b/src/lib/libcrypto/asn1/a_enum.c
index ad8f0ffd1a..03ede68d1c 100644
--- a/src/lib/libcrypto/asn1/a_enum.c
+++ b/src/lib/libcrypto/asn1/a_enum.c
@@ -156,7 +156,7 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
                unsigned char *new_data=OPENSSL_realloc(ret->data, len+4);
                if (!new_data)
                        {
-                        ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
+                        ASN1err(ASN1_F_BN_TO_ASN1_ENUMERATED,ERR_R_MALLOC_FAILURE);
                        goto err;
                        }
                ret->data=new_data;
diff --git a/src/lib/libcrypto/asn1/a_gentm.c b/src/lib/libcrypto/asn1/a_gentm.c
index 8581007868..0dfd576211 100644
--- a/src/lib/libcrypto/asn1/a_gentm.c
+++ b/src/lib/libcrypto/asn1/a_gentm.c
@@ -192,8 +192,9 @@ int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, char *str)
                {
                if (s != NULL)
                        {
-                        ASN1_STRING_set((ASN1_STRING *)s,
+                        if (!ASN1_STRING_set((ASN1_STRING *)s,
-                                (unsigned char *)str,t.length);
+                                (unsigned char *)str,t.length))
+                                return 0;
                        s->type=V_ASN1_GENERALIZEDTIME;
                        }
                return(1);
@@ -223,7 +224,12 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,
        if ((p == NULL) || ((size_t)s->length < len))
                {
                p=OPENSSL_malloc(len);
-                if (p == NULL) return(NULL);
+                if (p == NULL)
+                        {
+                        ASN1err(ASN1_F_ASN1_GENERALIZEDTIME_SET,
+                                ERR_R_MALLOC_FAILURE);
+                        return(NULL);
+                        }
                if (s->data != NULL)
                        OPENSSL_free(s->data);
                s->data=(unsigned char *)p;
diff --git a/src/lib/libcrypto/asn1/a_int.c b/src/lib/libcrypto/asn1/a_int.c
index edb243c021..21cc64bb23 100644
--- a/src/lib/libcrypto/asn1/a_int.c
+++ b/src/lib/libcrypto/asn1/a_int.c
@@ -64,7 +64,26 @@ ASN1_INTEGER *ASN1_INTEGER_dup(ASN1_INTEGER *x)
 { return M_ASN1_INTEGER_dup(x);}
 int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y)
-{ return M_ASN1_INTEGER_cmp(x,y);}
+        { 
+        int neg, ret;
+        /* Compare signs */
+        neg = x->type & V_ASN1_NEG;
+        if (neg != (y->type & V_ASN1_NEG))
+                {
+                if (neg)
+                        return -1;
+                else
+                        return 1;
+                }
+        ret = ASN1_STRING_cmp(x, y);
+        if (neg)
+                return -ret;
+        else
+                return ret;
+        }
+        
 /* 
 * This converts an ASN1 INTEGER into its content encoding.
diff --git a/src/lib/libcrypto/asn1/a_print.c b/src/lib/libcrypto/asn1/a_print.c
index 8035513f04..d18e772320 100644
--- a/src/lib/libcrypto/asn1/a_print.c
+++ b/src/lib/libcrypto/asn1/a_print.c
@@ -60,7 +60,7 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
-int ASN1_PRINTABLE_type(unsigned char *s, int len)
+int ASN1_PRINTABLE_type(const unsigned char *s, int len)
        {
        int c;
        int ia5=0;
diff --git a/src/lib/libcrypto/asn1/a_set.c b/src/lib/libcrypto/asn1/a_set.c
index 0f839822ff..e24061c545 100644
--- a/src/lib/libcrypto/asn1/a_set.c
+++ b/src/lib/libcrypto/asn1/a_set.c
@@ -118,8 +118,13 @@ int i2d_ASN1_SET(STACK *a, unsigned char **pp, int (*func)(), int ex_tag,
                }
        pStart  = p; /* Catch the beg of Setblobs*/
-        if (!(rgSetBlob = (MYBLOB *)OPENSSL_malloc( sk_num(a) * sizeof(MYBLOB)))) return 0; /* In this array
+                /* In this array we will store the SET blobs */
-we will store the SET blobs */
+                rgSetBlob = (MYBLOB *)OPENSSL_malloc(sk_num(a) * sizeof(MYBLOB));
+                if (rgSetBlob == NULL)
+                        {
+                        ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
+                        return(0);
+                        }
        for (i=0; i<sk_num(a); i++)
                {
@@ -135,7 +140,11 @@ SetBlob
 /* Now we have to sort the blobs. I am using a simple algo.
    *Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/
        qsort( rgSetBlob, sk_num(a), sizeof(MYBLOB), SetBlobCmp);
-        if (!(pTempMem = OPENSSL_malloc(totSize))) return 0;
+                if (!(pTempMem = OPENSSL_malloc(totSize)))
+                        {
+                        ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
+                        return(0);
+                        }
 /* Copy to temp mem */
        p = pTempMem;
@@ -160,7 +169,13 @@ STACK *d2i_ASN1_SET(STACK **a, unsigned char **pp, long length,
        STACK *ret=NULL;
        if ((a == NULL) || ((*a) == NULL))
-                { if ((ret=sk_new_null()) == NULL) goto err; }
+                {
+                if ((ret=sk_new_null()) == NULL)
+                        {
+                        ASN1err(ASN1_F_D2I_ASN1_SET,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                }
        else
                ret=(*a);
diff --git a/src/lib/libcrypto/asn1/a_strex.c b/src/lib/libcrypto/asn1/a_strex.c
index bde666a6ff..a07122ba47 100644
--- a/src/lib/libcrypto/asn1/a_strex.c
+++ b/src/lib/libcrypto/asn1/a_strex.c
@@ -3,7 +3,7 @@
 * project 2000.
 */
 /* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2000-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -553,7 +553,12 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
        if((type < 0) || (type > 30)) return -1;
        mbflag = tag2nbyte[type];
        if(mbflag == -1) return -1;
-        mbflag |= MBSTRING_FLAG;
+        if (mbflag == 0)
+                mbflag = MBSTRING_UTF8;
+        else if (mbflag == 4)
+                mbflag = MBSTRING_UNIV;
+        else            
+                mbflag |= MBSTRING_FLAG;
        stmp.data = NULL;
        ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
        if(ret < 0) return ret;
diff --git a/src/lib/libcrypto/asn1/a_type.c b/src/lib/libcrypto/asn1/a_type.c
index fe3fcd40b0..2292d49b93 100644
--- a/src/lib/libcrypto/asn1/a_type.c
+++ b/src/lib/libcrypto/asn1/a_type.c
@@ -71,7 +71,10 @@ int ASN1_TYPE_get(ASN1_TYPE *a)
 void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value)
        {
        if (a->value.ptr != NULL)
-                ASN1_primitive_free((ASN1_VALUE **)&a, NULL);
+                {
+                ASN1_TYPE **tmp_a = &a;
+                ASN1_primitive_free((ASN1_VALUE **)tmp_a, NULL);
+                }
        a->type=type;
        a->value.ptr=value;
        }
diff --git a/src/lib/libcrypto/asn1/a_utctm.c b/src/lib/libcrypto/asn1/a_utctm.c
index 999852dae5..7b25fed331 100644
--- a/src/lib/libcrypto/asn1/a_utctm.c
+++ b/src/lib/libcrypto/asn1/a_utctm.c
@@ -173,8 +173,9 @@ int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str)
                {
                if (s != NULL)
                        {
-                        ASN1_STRING_set((ASN1_STRING *)s,
+                        if (!ASN1_STRING_set((ASN1_STRING *)s,
-                                (unsigned char *)str,t.length);
+                                (unsigned char *)str,t.length))
+                                return 0;
                        s->type = V_ASN1_UTCTIME;
                        }
                return(1);
@@ -203,7 +204,11 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
        if ((p == NULL) || ((size_t)s->length < len))
                {
                p=OPENSSL_malloc(len);
-                if (p == NULL) return(NULL);
+                if (p == NULL)
+                        {
+                        ASN1err(ASN1_F_ASN1_UTCTIME_SET,ERR_R_MALLOC_FAILURE);
+                        return(NULL);
+                        }
                if (s->data != NULL)
                        OPENSSL_free(s->data);
                s->data=(unsigned char *)p;
diff --git a/src/lib/libcrypto/asn1/a_verify.c b/src/lib/libcrypto/asn1/a_verify.c
index da2a0a6d69..18ef0acf00 100644
--- a/src/lib/libcrypto/asn1/a_verify.c
+++ b/src/lib/libcrypto/asn1/a_verify.c
@@ -142,6 +142,13 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
                goto err;
                }
+        if (!EVP_VerifyInit_ex(&ctx,type, NULL))
+                {
+                ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
+                ret=0;
+                goto err;
+                }
        inl = ASN1_item_i2d(asn, &buf_in, it);
        
        if (buf_in == NULL)
@@ -150,7 +157,6 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
                goto err;
                }
-        EVP_VerifyInit_ex(&ctx,type, NULL);
        EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
        OPENSSL_cleanse(buf_in,(unsigned int)inl);
diff --git a/src/lib/libcrypto/asn1/asn1.h b/src/lib/libcrypto/asn1/asn1.h
index 3414509f1b..ceaeb4cbe3 100644
--- a/src/lib/libcrypto/asn1/asn1.h
+++ b/src/lib/libcrypto/asn1/asn1.h
@@ -829,7 +829,7 @@ BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai,BIGNUM *bn);
 /* General */
 /* given a string, return the correct type, max is the maximum length */
-int ASN1_PRINTABLE_type(unsigned char *s, int max);
+int ASN1_PRINTABLE_type(const unsigned char *s, int max);
 int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass);
 ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp,
@@ -950,16 +950,19 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_A2I_ASN1_ENUMERATED                       101
 #define ASN1_F_A2I_ASN1_INTEGER                          102
 #define ASN1_F_A2I_ASN1_STRING                           103
+#define ASN1_F_ASN1_BIT_STRING_SET_BIT                   176
 #define ASN1_F_ASN1_CHECK_TLEN                           104
 #define ASN1_F_ASN1_COLLATE_PRIMITIVE                    105
 #define ASN1_F_ASN1_COLLECT                              106
 #define ASN1_F_ASN1_D2I_BIO                              107
 #define ASN1_F_ASN1_D2I_EX_PRIMITIVE                     108
 #define ASN1_F_ASN1_D2I_FP                               109
+#define ASN1_F_ASN1_DIGEST                               177
 #define ASN1_F_ASN1_DO_ADB                               110
 #define ASN1_F_ASN1_DUP                                  111
 #define ASN1_F_ASN1_ENUMERATED_SET                       112
 #define ASN1_F_ASN1_ENUMERATED_TO_BN                     113
+#define ASN1_F_ASN1_GENERALIZEDTIME_SET                  178
 #define ASN1_F_ASN1_GET_OBJECT                           114
 #define ASN1_F_ASN1_HEADER_NEW                           115
 #define ASN1_F_ASN1_I2D_BIO                              116
@@ -975,6 +978,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_ASN1_SEQ_PACK                             126
 #define ASN1_F_ASN1_SEQ_UNPACK                           127
 #define ASN1_F_ASN1_SIGN                                 128
+#define ASN1_F_ASN1_STRING_SET                           179
 #define ASN1_F_ASN1_STRING_TABLE_ADD                     129
 #define ASN1_F_ASN1_STRING_TYPE_NEW                      130
 #define ASN1_F_ASN1_TEMPLATE_D2I                         131
@@ -984,6 +988,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING             134
 #define ASN1_F_ASN1_TYPE_GET_OCTETSTRING                 135
 #define ASN1_F_ASN1_UNPACK_STRING                        136
+#define ASN1_F_ASN1_UTCTIME_SET                          180
 #define ASN1_F_ASN1_VERIFY                               137
 #define ASN1_F_BN_TO_ASN1_ENUMERATED                     138
 #define ASN1_F_BN_TO_ASN1_INTEGER                        139
@@ -1007,6 +1012,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_D2I_X509_CINF                             157
 #define ASN1_F_D2I_X509_NAME                             158
 #define ASN1_F_D2I_X509_PKEY                             159
+#define ASN1_F_I2D_ASN1_SET                              181
 #define ASN1_F_I2D_ASN1_TIME                             160
 #define ASN1_F_I2D_DSA_PUBKEY                            161
 #define ASN1_F_I2D_NETSCAPE_RSA                          162
diff --git a/src/lib/libcrypto/asn1/asn1_err.c b/src/lib/libcrypto/asn1/asn1_err.c
index 094ec06fda..3b57c8fbae 100644
--- a/src/lib/libcrypto/asn1/asn1_err.c
+++ b/src/lib/libcrypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -70,16 +70,19 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_A2I_ASN1_ENUMERATED,0),      "a2i_ASN1_ENUMERATED"},
 {ERR_PACK(0,ASN1_F_A2I_ASN1_INTEGER,0), "a2i_ASN1_INTEGER"},
 {ERR_PACK(0,ASN1_F_A2I_ASN1_STRING,0),  "a2i_ASN1_STRING"},
+{ERR_PACK(0,ASN1_F_ASN1_BIT_STRING_SET_BIT,0),  "ASN1_BIT_STRING_set_bit"},
 {ERR_PACK(0,ASN1_F_ASN1_CHECK_TLEN,0),  "ASN1_CHECK_TLEN"},
 {ERR_PACK(0,ASN1_F_ASN1_COLLATE_PRIMITIVE,0),   "ASN1_COLLATE_PRIMITIVE"},
 {ERR_PACK(0,ASN1_F_ASN1_COLLECT,0),     "ASN1_COLLECT"},
 {ERR_PACK(0,ASN1_F_ASN1_D2I_BIO,0),     "ASN1_d2i_bio"},
 {ERR_PACK(0,ASN1_F_ASN1_D2I_EX_PRIMITIVE,0),    "ASN1_D2I_EX_PRIMITIVE"},
 {ERR_PACK(0,ASN1_F_ASN1_D2I_FP,0),      "ASN1_d2i_fp"},
+{ERR_PACK(0,ASN1_F_ASN1_DIGEST,0),      "ASN1_digest"},
 {ERR_PACK(0,ASN1_F_ASN1_DO_ADB,0),      "ASN1_DO_ADB"},
 {ERR_PACK(0,ASN1_F_ASN1_DUP,0), "ASN1_dup"},
 {ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_SET,0),      "ASN1_ENUMERATED_set"},
 {ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_TO_BN,0),    "ASN1_ENUMERATED_to_BN"},
+{ERR_PACK(0,ASN1_F_ASN1_GENERALIZEDTIME_SET,0), "ASN1_GENERALIZEDTIME_set"},
 {ERR_PACK(0,ASN1_F_ASN1_GET_OBJECT,0),  "ASN1_get_object"},
 {ERR_PACK(0,ASN1_F_ASN1_HEADER_NEW,0),  "ASN1_HEADER_new"},
 {ERR_PACK(0,ASN1_F_ASN1_I2D_BIO,0),     "ASN1_i2d_bio"},
@@ -95,6 +98,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_ASN1_SEQ_PACK,0),    "ASN1_seq_pack"},
 {ERR_PACK(0,ASN1_F_ASN1_SEQ_UNPACK,0),  "ASN1_seq_unpack"},
 {ERR_PACK(0,ASN1_F_ASN1_SIGN,0),        "ASN1_sign"},
+{ERR_PACK(0,ASN1_F_ASN1_STRING_SET,0),  "ASN1_STRING_set"},
 {ERR_PACK(0,ASN1_F_ASN1_STRING_TABLE_ADD,0),    "ASN1_STRING_TABLE_add"},
 {ERR_PACK(0,ASN1_F_ASN1_STRING_TYPE_NEW,0),     "ASN1_STRING_type_new"},
 {ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_D2I,0),        "ASN1_TEMPLATE_D2I"},
@@ -104,6 +108,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0),    "ASN1_TYPE_get_int_octetstring"},
 {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0),        "ASN1_TYPE_get_octetstring"},
 {ERR_PACK(0,ASN1_F_ASN1_UNPACK_STRING,0),       "ASN1_unpack_string"},
+{ERR_PACK(0,ASN1_F_ASN1_UTCTIME_SET,0), "ASN1_UTCTIME_set"},
 {ERR_PACK(0,ASN1_F_ASN1_VERIFY,0),      "ASN1_verify"},
 {ERR_PACK(0,ASN1_F_BN_TO_ASN1_ENUMERATED,0),    "BN_to_ASN1_ENUMERATED"},
 {ERR_PACK(0,ASN1_F_BN_TO_ASN1_INTEGER,0),       "BN_to_ASN1_INTEGER"},
@@ -127,6 +132,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_D2I_X509_CINF,0),    "D2I_X509_CINF"},
 {ERR_PACK(0,ASN1_F_D2I_X509_NAME,0),    "D2I_X509_NAME"},
 {ERR_PACK(0,ASN1_F_D2I_X509_PKEY,0),    "d2i_X509_PKEY"},
+{ERR_PACK(0,ASN1_F_I2D_ASN1_SET,0),     "i2d_ASN1_SET"},
 {ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0),    "I2D_ASN1_TIME"},
 {ERR_PACK(0,ASN1_F_I2D_DSA_PUBKEY,0),   "i2d_DSA_PUBKEY"},
 {ERR_PACK(0,ASN1_F_I2D_NETSCAPE_RSA,0), "i2d_Netscape_RSA"},
diff --git a/src/lib/libcrypto/asn1/asn1_lib.c b/src/lib/libcrypto/asn1/asn1_lib.c
index a74f1368d3..97b9b35f4b 100644
--- a/src/lib/libcrypto/asn1/asn1_lib.c
+++ b/src/lib/libcrypto/asn1/asn1_lib.c
@@ -349,6 +349,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len)
                if (str->data == NULL)
                        {
+                        ASN1err(ASN1_F_ASN1_STRING_SET,ERR_R_MALLOC_FAILURE);
                        str->data=c;
                        return(0);
                        }
diff --git a/src/lib/libcrypto/asn1/evp_asn1.c b/src/lib/libcrypto/asn1/evp_asn1.c
index 3506005a71..f92ce6cb5d 100644
--- a/src/lib/libcrypto/asn1/evp_asn1.c
+++ b/src/lib/libcrypto/asn1/evp_asn1.c
@@ -115,7 +115,11 @@ int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data,
        if ((osp=ASN1_STRING_new()) == NULL) return(0);
        /* Grow the 'string' */
-        ASN1_STRING_set(osp,NULL,size);
+        if (!ASN1_STRING_set(osp,NULL,size))
+                {
+                ASN1_STRING_free(osp);
+                return(0);
+                }
        M_ASN1_STRING_length_set(osp, size);
        p=M_ASN1_STRING_data(osp);
diff --git a/src/lib/libcrypto/asn1/p5_pbe.c b/src/lib/libcrypto/asn1/p5_pbe.c
index 891150638e..ec788267e0 100644
--- a/src/lib/libcrypto/asn1/p5_pbe.c
+++ b/src/lib/libcrypto/asn1/p5_pbe.c
@@ -76,47 +76,55 @@ IMPLEMENT_ASN1_FUNCTIONS(PBEPARAM)
 X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt,
             int saltlen)
 {
-        PBEPARAM *pbe;
+        PBEPARAM *pbe=NULL;
        ASN1_OBJECT *al;
        X509_ALGOR *algor;
-        ASN1_TYPE *astype;
+        ASN1_TYPE *astype=NULL;
        if (!(pbe = PBEPARAM_new ())) {
                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-                return NULL;
+                goto err;
        }
        if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
-        ASN1_INTEGER_set (pbe->iter, iter);
+        if (!ASN1_INTEGER_set(pbe->iter, iter)) {
+                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
        if (!saltlen) saltlen = PKCS5_SALT_LEN;
        if (!(pbe->salt->data = OPENSSL_malloc (saltlen))) {
                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-                return NULL;
+                goto err;
        }
        pbe->salt->length = saltlen;
        if (salt) memcpy (pbe->salt->data, salt, saltlen);
        else if (RAND_pseudo_bytes (pbe->salt->data, saltlen) < 0)
-                return NULL;
+                goto err;
        if (!(astype = ASN1_TYPE_new())) {
                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-                return NULL;
+                goto err;
        }
        astype->type = V_ASN1_SEQUENCE;
        if(!ASN1_pack_string(pbe, i2d_PBEPARAM, &astype->value.sequence)) {
                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-                return NULL;
+                goto err;
        }
        PBEPARAM_free (pbe);
+        pbe = NULL;
        
        al = OBJ_nid2obj(alg); /* never need to free al */
        if (!(algor = X509_ALGOR_new())) {
                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-                return NULL;
+                goto err;
        }
        ASN1_OBJECT_free(algor->algorithm);
        algor->algorithm = al;
        algor->parameter = astype;
        return (algor);
+err:
+        if (pbe != NULL) PBEPARAM_free(pbe);
+        if (astype != NULL) ASN1_TYPE_free(astype);
+        return NULL;
 }
diff --git a/src/lib/libcrypto/asn1/p5_pbev2.c b/src/lib/libcrypto/asn1/p5_pbev2.c
index 91e1c8987d..e0dc0ec4ee 100644
--- a/src/lib/libcrypto/asn1/p5_pbev2.c
+++ b/src/lib/libcrypto/asn1/p5_pbev2.c
@@ -1,6 +1,6 @@
 /* p5_pbev2.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project 1999-2004.
 */
 /* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
@@ -113,7 +113,8 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
        if(!(scheme->parameter = ASN1_TYPE_new())) goto merr;
        /* Create random IV */
-        if (RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
+        if (EVP_CIPHER_iv_length(cipher) &&
+                RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
                goto err;
        EVP_CIPHER_CTX_init(&ctx);
@@ -123,6 +124,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
        if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
                ASN1err(ASN1_F_PKCS5_PBE2_SET,
                                        ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
+                EVP_CIPHER_CTX_cleanup(&ctx);
                goto err;
        }
        EVP_CIPHER_CTX_cleanup(&ctx);
diff --git a/src/lib/libcrypto/asn1/t_bitst.c b/src/lib/libcrypto/asn1/t_bitst.c
index 8ee789f082..397332d9b8 100644
--- a/src/lib/libcrypto/asn1/t_bitst.c
+++ b/src/lib/libcrypto/asn1/t_bitst.c
@@ -84,7 +84,10 @@ int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
        int bitnum;
        bitnum = ASN1_BIT_STRING_num_asc(name, tbl);
        if(bitnum < 0) return 0;
-        if(bs) ASN1_BIT_STRING_set_bit(bs, bitnum, value);
+        if(bs) {
+                if(!ASN1_BIT_STRING_set_bit(bs, bitnum, value))
+                        return 0;
+        }
        return 1;
 }
diff --git a/src/lib/libcrypto/asn1/x_crl.c b/src/lib/libcrypto/asn1/x_crl.c
index 11fce96825..b99f8fc522 100644
--- a/src/lib/libcrypto/asn1/x_crl.c
+++ b/src/lib/libcrypto/asn1/x_crl.c
@@ -63,8 +63,6 @@
 static int X509_REVOKED_cmp(const X509_REVOKED * const *a,
                                const X509_REVOKED * const *b);
-static int X509_REVOKED_seq_cmp(const X509_REVOKED * const *a,
-                                const X509_REVOKED * const *b);
 ASN1_SEQUENCE(X509_REVOKED) = {
        ASN1_SIMPLE(X509_REVOKED,serialNumber, ASN1_INTEGER),
@@ -72,43 +70,28 @@ ASN1_SEQUENCE(X509_REVOKED) = {
        ASN1_SEQUENCE_OF_OPT(X509_REVOKED,extensions, X509_EXTENSION)
 } ASN1_SEQUENCE_END(X509_REVOKED)
-/* The X509_CRL_INFO structure needs a bit of customisation. This is actually
+/* The X509_CRL_INFO structure needs a bit of customisation.
- * mirroring the old behaviour: its purpose is to allow the use of
+ * Since we cache the original encoding the signature wont be affected by
- * sk_X509_REVOKED_find to lookup revoked certificates. Unfortunately
+ * reordering of the revoked field.
- * this will zap the original order and the signature so we keep a copy
- * of the original positions and reorder appropriately before encoding.
- *
- * Might want to see if there's a better way of doing this later...
 */
 static int crl_inf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
        X509_CRL_INFO *a = (X509_CRL_INFO *)*pval;
-        int i;
-        int (*old_cmp)(const X509_REVOKED * const *,
-                        const X509_REVOKED * const *);
        if(!a || !a->revoked) return 1;
        switch(operation) {
+                /* Just set cmp function here. We don't sort because that
-                /* Save original order */
+                 * would affect the output of X509_CRL_print().
+                 */
                case ASN1_OP_D2I_POST:
-                for (i=0; i<sk_X509_REVOKED_num(a->revoked); i++)
-                        sk_X509_REVOKED_value(a->revoked,i)->sequence=i;
                sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_cmp);
                break;
-                /* Restore original order */
-                case ASN1_OP_I2D_PRE:
-                old_cmp=sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_seq_cmp);
-                sk_X509_REVOKED_sort(a->revoked);
-                sk_X509_REVOKED_set_cmp_func(a->revoked,old_cmp);
-                break;
        }
        return 1;
 }
-ASN1_SEQUENCE_cb(X509_CRL_INFO, crl_inf_cb) = {
+ASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = {
        ASN1_OPT(X509_CRL_INFO, version, ASN1_INTEGER),
        ASN1_SIMPLE(X509_CRL_INFO, sig_alg, X509_ALGOR),
        ASN1_SIMPLE(X509_CRL_INFO, issuer, X509_NAME),
@@ -116,7 +99,7 @@ ASN1_SEQUENCE_cb(X509_CRL_INFO, crl_inf_cb) = {
        ASN1_OPT(X509_CRL_INFO, nextUpdate, ASN1_TIME),
        ASN1_SEQUENCE_OF_OPT(X509_CRL_INFO, revoked, X509_REVOKED),
        ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0)
-} ASN1_SEQUENCE_END_cb(X509_CRL_INFO, X509_CRL_INFO)
+} ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO)
 ASN1_SEQUENCE_ref(X509_CRL, 0, CRYPTO_LOCK_X509_CRL) = {
        ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO),
@@ -137,12 +120,6 @@ static int X509_REVOKED_cmp(const X509_REVOKED * const *a,
                (ASN1_STRING *)(*b)->serialNumber));
        }
-static int X509_REVOKED_seq_cmp(const X509_REVOKED * const *a,
-                                const X509_REVOKED * const *b)
-        {
-        return((*a)->sequence-(*b)->sequence);
-        }
 int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
 {
        X509_CRL_INFO *inf;
@@ -153,6 +130,7 @@ int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
                ASN1err(ASN1_F_X509_CRL_ADD0_REVOKED, ERR_R_MALLOC_FAILURE);
                return 0;
        }
+        inf->enc.modified = 1;
        return 1;
 }
diff --git a/src/lib/libcrypto/asn1/x_name.c b/src/lib/libcrypto/asn1/x_name.c
index caece0f158..31f3377b64 100644
--- a/src/lib/libcrypto/asn1/x_name.c
+++ b/src/lib/libcrypto/asn1/x_name.c
@@ -160,21 +160,22 @@ static int x509_name_ex_d2i(ASN1_VALUE **val, unsigned char **in, long len, cons
                                        int tag, int aclass, char opt, ASN1_TLC *ctx)
 {
        unsigned char *p = *in, *q;
-        STACK *intname = NULL;
+        STACK *intname = NULL, **intname_pp = &intname;
        int i, j, ret;
-        X509_NAME *nm = NULL;
+        X509_NAME *nm = NULL, **nm_pp = &nm;
        STACK_OF(X509_NAME_ENTRY) *entries;
        X509_NAME_ENTRY *entry;
        q = p;
        /* Get internal representation of Name */
-        ret = ASN1_item_ex_d2i((ASN1_VALUE **)&intname, &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL),
+        ret = ASN1_item_ex_d2i((ASN1_VALUE **)intname_pp,
-                                                                tag, aclass, opt, ctx);
+                               &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL),
+                               tag, aclass, opt, ctx);
        
        if(ret <= 0) return ret;
        if(*val) x509_name_ex_free(val, NULL);
-        if(!x509_name_ex_new((ASN1_VALUE **)&nm, NULL)) goto err;
+        if(!x509_name_ex_new((ASN1_VALUE **)nm_pp, NULL)) goto err;
        /* We've decoded it: now cache encoding */
        if(!BUF_MEM_grow(nm->bytes, p - q)) goto err;
        memcpy(nm->bytes->data, q, p - q);
@@ -218,7 +219,7 @@ static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out, const ASN1_IT
 static int x509_name_encode(X509_NAME *a)
 {
-        STACK *intname = NULL;
+        STACK *intname = NULL, **intname_pp = &intname;
        int len;
        unsigned char *p;
        STACK_OF(X509_NAME_ENTRY) *entries = NULL;
@@ -236,10 +237,12 @@ static int x509_name_encode(X509_NAME *a)
                }
                if(!sk_X509_NAME_ENTRY_push(entries, entry)) goto memerr;
        }
-        len = ASN1_item_ex_i2d((ASN1_VALUE **)&intname, NULL, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
+        len = ASN1_item_ex_i2d((ASN1_VALUE **)intname_pp, NULL,
+                               ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
        if (!BUF_MEM_grow(a->bytes,len)) goto memerr;
        p=(unsigned char *)a->bytes->data;
-        ASN1_item_ex_i2d((ASN1_VALUE **)&intname, &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
+        ASN1_item_ex_i2d((ASN1_VALUE **)intname_pp,
+                         &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
        sk_pop_free(intname, sk_internal_free);
        a->modified = 0;
        return len;
diff --git a/src/lib/libcrypto/asn1/x_pubkey.c b/src/lib/libcrypto/asn1/x_pubkey.c
index d958540120..7d6d71af88 100644
--- a/src/lib/libcrypto/asn1/x_pubkey.c
+++ b/src/lib/libcrypto/asn1/x_pubkey.c
@@ -80,8 +80,7 @@ IMPLEMENT_ASN1_FUNCTIONS(X509_PUBKEY)
 int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
        {
-        int ok=0;
+        X509_PUBKEY *pk=NULL;
-        X509_PUBKEY *pk;
        X509_ALGOR *a;
        ASN1_OBJECT *o;
        unsigned char *s,*p = NULL;
@@ -104,7 +103,11 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
                        (a->parameter->type != V_ASN1_NULL))
                        {
                        ASN1_TYPE_free(a->parameter);
-                        a->parameter=ASN1_TYPE_new();
+                        if (!(a->parameter=ASN1_TYPE_new()))
+                                {
+                                X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+                                goto err;
+                                }
                        a->parameter->type=V_ASN1_NULL;
                        }
                }
@@ -118,14 +121,34 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
                dsa=pkey->pkey.dsa;
                dsa->write_params=0;
                ASN1_TYPE_free(a->parameter);
-                i=i2d_DSAparams(dsa,NULL);
+                if ((i=i2d_DSAparams(dsa,NULL)) <= 0)
-                if ((p=(unsigned char *)OPENSSL_malloc(i)) == NULL) goto err;
+                        goto err;
+                if (!(p=(unsigned char *)OPENSSL_malloc(i)))
+                        {
+                        X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
                pp=p;
                i2d_DSAparams(dsa,&pp);
-                a->parameter=ASN1_TYPE_new();
+                if (!(a->parameter=ASN1_TYPE_new()))
+                        {
+                        OPENSSL_free(p);
+                        X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
                a->parameter->type=V_ASN1_SEQUENCE;
-                a->parameter->value.sequence=ASN1_STRING_new();
+                if (!(a->parameter->value.sequence=ASN1_STRING_new()))
-                ASN1_STRING_set(a->parameter->value.sequence,p,i);
+                        {
+                        OPENSSL_free(p);
+                        X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                if (!ASN1_STRING_set(a->parameter->value.sequence,p,i))
+                        {
+                        OPENSSL_free(p);
+                        X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
                OPENSSL_free(p);
                }
        else
@@ -143,7 +166,11 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
                }
        p=s;
        i2d_PublicKey(pkey,&p);
-        if (!M_ASN1_BIT_STRING_set(pk->public_key,s,i)) goto err;
+        if (!M_ASN1_BIT_STRING_set(pk->public_key,s,i))
+                {
+                X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
        /* Set number of unused bits to zero */
        pk->public_key->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
        pk->public_key->flags|=ASN1_STRING_FLAG_BITS_LEFT;
@@ -159,12 +186,11 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
                X509_PUBKEY_free(*x);
        *x=pk;
-        pk=NULL;
-        ok=1;
+        return 1;
 err:
        if (pk != NULL) X509_PUBKEY_free(pk);
-        return(ok);
+        return 0;
        }
 EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
diff --git a/src/lib/libcrypto/bf/bf_skey.c b/src/lib/libcrypto/bf/bf_skey.c
index 3673cdee6e..fc5bebefce 100644
--- a/src/lib/libcrypto/bf/bf_skey.c
+++ b/src/lib/libcrypto/bf/bf_skey.c
@@ -58,11 +58,12 @@
 #include <stdio.h>
 #include <string.h>
+#include <openssl/crypto.h>
 #include <openssl/blowfish.h>
 #include "bf_locl.h"
 #include "bf_pi.h"
-void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
+FIPS_NON_FIPS_VCIPHER_Init(BF)
        {
        int i;
        BF_LONG *p,ri,in[2];
diff --git a/src/lib/libcrypto/bf/blowfish.h b/src/lib/libcrypto/bf/blowfish.h
index cd49e85ab2..b4d8774961 100644
--- a/src/lib/libcrypto/bf/blowfish.h
+++ b/src/lib/libcrypto/bf/blowfish.h
@@ -104,7 +104,10 @@ typedef struct bf_key_st
        BF_LONG S[4*256];
        } BF_KEY;
- 
+#ifdef OPENSSL_FIPS 
+void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data);
+#endif
 void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
 void BF_encrypt(BF_LONG *data,const BF_KEY *key);
diff --git a/src/lib/libcrypto/bio/b_print.c b/src/lib/libcrypto/bio/b_print.c
index 880dc69303..8b753e7ca0 100644
--- a/src/lib/libcrypto/bio/b_print.c
+++ b/src/lib/libcrypto/bio/b_print.c
@@ -641,7 +641,7 @@ fmtfp(
       multiplying by a factor of 10 */
    fracpart = roundv((pow10(max)) * (ufvalue - intpart));
-    if (fracpart >= pow10(max)) {
+    if (fracpart >= (long)pow10(max)) {
        intpart++;
        fracpart -= (long)pow10(max);
    }
diff --git a/src/lib/libcrypto/bio/bio.h b/src/lib/libcrypto/bio/bio.h
index fbbc16d00c..2eb703830f 100644
--- a/src/lib/libcrypto/bio/bio.h
+++ b/src/lib/libcrypto/bio/bio.h
@@ -347,6 +347,7 @@ typedef struct bio_f_buffer_ctx_struct
 #define BIO_C_NWRITE0                           145
 #define BIO_C_NWRITE                            146
 #define BIO_C_RESET_READ_REQUEST                147
+#define BIO_C_SET_MD_CTX                        148
 #define BIO_set_app_data(s,arg)         BIO_set_ex_data(s,0,arg)
diff --git a/src/lib/libcrypto/bio/bss_file.c b/src/lib/libcrypto/bio/bss_file.c
index 9cdf159f82..8034ac93f9 100644
--- a/src/lib/libcrypto/bio/bss_file.c
+++ b/src/lib/libcrypto/bio/bss_file.c
@@ -213,13 +213,14 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
                b->shutdown=(int)num&BIO_CLOSE;
                b->ptr=(char *)ptr;
                b->init=1;
+                {
 #if defined(OPENSSL_SYS_WINDOWS)
+                int fd = fileno((FILE*)ptr);
                if (num & BIO_FP_TEXT)
-                        _setmode(fileno((FILE *)ptr),_O_TEXT);
+                        _setmode(fd,_O_TEXT);
                else
-                        _setmode(fileno((FILE *)ptr),_O_BINARY);
+                        _setmode(fd,_O_BINARY);
 #elif defined(OPENSSL_SYS_MSDOS)
-                {
                int fd = fileno((FILE*)ptr);
                /* Set correct text/binary mode */
                if (num & BIO_FP_TEXT)
@@ -235,13 +236,14 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
                        else
                                _setmode(fd,_O_BINARY);
                        }
-                }
 #elif defined(OPENSSL_SYS_OS2)
+                int fd = fileno((FILE*)ptr);
                if (num & BIO_FP_TEXT)
-                        setmode(fileno((FILE *)ptr), O_TEXT);
+                        setmode(fd, O_TEXT);
                else
-                        setmode(fileno((FILE *)ptr), O_BINARY);
+                        setmode(fd, O_BINARY);
 #endif
+                }
                break;
        case BIO_C_SET_FILENAME:
                file_free(b);
@@ -264,7 +266,7 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
                        ret=0;
                        break;
                        }
-#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2)
+#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN)
                if (!(num & BIO_FP_TEXT))
                        strcat(p,"b");
                else
diff --git a/src/lib/libcrypto/bn/asm/ia64.S b/src/lib/libcrypto/bn/asm/ia64.S
index 7dfda85566..7b82b820e6 100644
--- a/src/lib/libcrypto/bn/asm/ia64.S
+++ b/src/lib/libcrypto/bn/asm/ia64.S
@@ -1,6 +1,6 @@
 .explicit
 .text
-.ident  "ia64.S, Version 2.0"
+.ident  "ia64.S, Version 2.1"
 .ident  "IA-64 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
 //
@@ -35,7 +35,7 @@
 // What does it mean? You might ratiocinate that the original code
 // should run just faster... Because sum of latencies is smaller...
 // Wrong! Note that getf latency increased. This means that if a loop is
-// scheduled for lower latency (and they are), then it will suffer from
+// scheduled for lower latency (as they were), then it will suffer from
 // stall condition and the code will therefore turn anti-scalable, e.g.
 // original bn_mul_words spun at 5*n or 2.5 times slower than expected
 // on Itanium2! What to do? Reschedule loops for Itanium2? But then
@@ -145,6 +145,12 @@
 //      -Drum=nop.m in command line.
 //
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
+#define ADDP    addp4
+#else
+#define ADDP    add
+#endif
 #if 1
 //
 // bn_[add|sub]_words routines.
@@ -178,27 +184,12 @@ bn_add_words:
        brp.loop.imp    .L_bn_add_words_ctop,.L_bn_add_words_cend-16
                                        }
        .body
-{ .mib;
+{ .mib; ADDP            r14=0,r32               // rp
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-        addp4           r14=0,r32               // rp
-#else
-        mov             r14=r32                 // rp
-#endif
        mov             r9=pr           };;
-{ .mii;
+{ .mii; ADDP            r15=0,r33               // ap
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-        addp4           r15=0,r33               // ap
-#else
-        mov             r15=r33                 // ap
-#endif
        mov             ar.lc=r10
        mov             ar.ec=6         }
-{ .mib;
+{ .mib; ADDP            r16=0,r34               // bp
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-        addp4           r16=0,r34               // bp
-#else
-        mov             r16=r34                 // bp
-#endif
        mov             pr.rot=1<<16    };;
 .L_bn_add_words_ctop:
@@ -246,27 +237,12 @@ bn_sub_words:
        brp.loop.imp    .L_bn_sub_words_ctop,.L_bn_sub_words_cend-16
                                        }
        .body
-{ .mib;
+{ .mib; ADDP            r14=0,r32               // rp
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-        addp4           r14=0,r32               // rp
-#else
-        mov             r14=r32                 // rp
-#endif
        mov             r9=pr           };;
-{ .mii;
+{ .mii; ADDP            r15=0,r33               // ap
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-        addp4           r15=0,r33               // ap
-#else
-        mov             r15=r33                 // ap
-#endif
        mov             ar.lc=r10
        mov             ar.ec=6         }
-{ .mib;
+{ .mib; ADDP            r16=0,r34               // bp
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-        addp4           r16=0,r34               // bp
-#else
-        mov             r16=r34                 // bp
-#endif
        mov             pr.rot=1<<16    };;
 .L_bn_sub_words_ctop:
@@ -332,16 +308,10 @@ bn_mul_words:
 #ifndef XMA_TEMPTATION
-{ .mii;
+{ .mmi; ADDP            r14=0,r32       // rp
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        ADDP            r15=0,r33       // ap
-        addp4           r14=0,r32       // rp
-        addp4           r15=0,r33       // ap
-#else
-        mov             r14=r32         // rp
-        mov             r15=r33         // ap
-#endif
        mov             ar.lc=r10       }
-{ .mii; mov             r40=0   // serves as r35 at first (p27)
+{ .mmi; mov             r40=0           // serves as r35 at first (p27)
        mov             ar.ec=13        };;
 // This loop spins in 2*(n+12) ticks. It's scheduled for data in Itanium
@@ -424,89 +394,64 @@ bn_mul_words:
 .global bn_mul_add_words#
 .proc   bn_mul_add_words#
 .align  64
-//.skip 0       // makes the loop split at 64-byte boundary
+.skip   48      // makes the loop body aligned at 64-byte boundary
 bn_mul_add_words:
        .prologue
        .fframe 0
        .save   ar.pfs,r2
-{ .mii; alloc           r2=ar.pfs,4,12,0,16
-        cmp4.le         p6,p0=r34,r0    };;
-{ .mfb; mov             r8=r0                   // return value
-(p6)    br.ret.spnt.many        b0      };;
        .save   ar.lc,r3
-{ .mii; sub     r10=r34,r0,1
+        .save   pr,r9
-        mov     r3=ar.lc
+{ .mmi; alloc           r2=ar.pfs,4,4,0,8
-        mov     r9=pr                   };;
+        cmp4.le         p6,p0=r34,r0
+        mov             r3=ar.lc        };;
+{ .mib; mov             r8=r0           // return value
+        sub             r10=r34,r0,1
+(p6)    br.ret.spnt.many        b0      };;
        .body
-{ .mib; setf.sig        f8=r35  // w
+{ .mib; setf.sig        f8=r35          // w
-        mov             pr.rot=0x800001<<16
+        mov             r9=pr
-                        // ------^----- serves as (p50) at first (p27)
        brp.loop.imp    .L_bn_mul_add_words_ctop,.L_bn_mul_add_words_cend-16
                                        }
-{ .mii;
+{ .mmi; ADDP            r14=0,r32       // rp
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        ADDP            r15=0,r33       // ap
-        addp4           r14=0,r32       // rp
-        addp4           r15=0,r33       // ap
-#else
-        mov             r14=r32         // rp
-        mov             r15=r33         // ap
-#endif
        mov             ar.lc=r10       }
-{ .mii; mov             r40=0   // serves as r35 at first (p27)
+{ .mii; ADDP            r16=0,r32       // rp copy
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        mov             pr.rot=0x2001<<16
-        addp4           r18=0,r32       // rp copy
+                        // ------^----- serves as (p40) at first (p27)
-#else
+        mov             ar.ec=11        };;
-        mov             r18=r32         // rp copy
-#endif
+// This loop spins in 3*(n+10) ticks on Itanium and in 2*(n+10) on
-        mov             ar.ec=15        };;
+// Itanium 2. Yes, unlike previous versions it scales:-) Previous
+// version was peforming *all* additions in IALU and was starving
-// This loop spins in 3*(n+14) ticks on Itanium and should spin in
+// for those even on Itanium 2. In this version one addition is
-// 2*(n+14) on "wider" IA-64 implementations (to be verified with new
+// moved to FPU and is folded with multiplication. This is at cost
-// �-architecture manuals as they become available). As usual it's
+// of propogating the result from previous call to this subroutine
-// possible to compress the epilogue, down to 10 in this case, at the
+// to L2 cache... In other words negligible even for shorter keys.
-// cost of scalability. Compressed (and therefore non-scalable) loop
+// *Overall* performance improvement [over previous version] varies
-// running at 3*(n+11) would buy you ~10% on Itanium but take ~35%
+// from 11 to 22 percent depending on key length.
-// from "wider" IA-64 so let it be scalable! Special attention was
-// paid for having the loop body split at 64-byte boundary. ld8 is
-// scheduled for L1 cache as the data is more than likely there.
-// Indeed, bn_mul_words has put it there a moment ago:-)
 .L_bn_mul_add_words_ctop:
-{ .mfi; (p25)   getf.sig        r36=f52                 // low
+.pred.rel       "mutex",p40,p42
-        (p21)   xmpy.lu         f48=f37,f8
+{ .mfi; (p23)   getf.sig        r36=f45                 // low
-        (p28)   cmp.ltu         p54,p50=r41,r39 }
+        (p20)   xma.lu          f42=f36,f8,f50          // low
-{ .mfi; (p16)   ldf8            f32=[r15],8
+        (p40)   add             r39=r39,r35     }       // (p27)
-        (p21)   xmpy.hu         f40=f37,f8
+{ .mfi; (p16)   ldf8            f32=[r15],8             // *(ap++)
-        (p28)   add             r45=r45,r41     };;
+        (p20)   xma.hu          f36=f36,f8,f50          // high
-{ .mii; (p25)   getf.sig        r32=f44                 // high
+        (p42)   add             r39=r39,r35,1   };;     // (p27)
-        .pred.rel       "mutex",p50,p54
+{ .mmi; (p24)   getf.sig        r32=f40                 // high
-        (p50)   add             r40=r38,r35             // (p27)
+        (p16)   ldf8            f46=[r16],8             // *(rp1++)
-        (p54)   add             r40=r38,r35,1   }       // (p27)
+        (p40)   cmp.ltu         p41,p39=r39,r35 }       // (p27)
-{ .mfb; (p28)   cmp.ltu.unc     p60,p0=r45,r41
+{ .mib; (p26)   st8             [r14]=r39,8             // *(rp2++)
-        (p0)    nop.f           0x0
+        (p42)   cmp.leu         p41,p39=r39,r35         // (p27)
-        (p0)    nop.b           0x0             }
-{ .mii; (p27)   ld8             r44=[r18],8
-        (p62)   cmp.eq.or       p61,p0=-1,r46
-        (p62)   add             r46=1,r46       }
-{ .mfb; (p30)   st8             [r14]=r47,8
-        (p0)    nop.f           0x0
        br.ctop.sptk    .L_bn_mul_add_words_ctop};;
 .L_bn_mul_add_words_cend:
-{ .mii; nop.m           0x0
+{ .mmi; .pred.rel       "mutex",p40,p42
-.pred.rel       "mutex",p53,p57
+(p40)   add             r8=r35,r0
-(p53)   add             r8=r38,r0
+(p42)   add             r8=r35,r0,1
-(p57)   add             r8=r38,r0,1     }
+        mov             pr=r9,0x1ffff   }
-{ .mfb; nop.m   0x0
+{ .mib; rum             1<<5            // clear um.mfh
-        nop.f   0x0
+        mov             ar.lc=r3
-        nop.b   0x0                     };;
-{ .mii;
-(p63)   add             r8=1,r8
-        mov             pr=r9,0x1ffff
-        mov             ar.lc=r3        }
-{ .mfb; rum             1<<5            // clear um.mfh
-        nop.f           0x0
        br.ret.sptk.many        b0      };;
 .endp   bn_mul_add_words#
 #endif
@@ -527,7 +472,8 @@ bn_sqr_words:
        sxt4            r34=r34         };;
 { .mii; cmp.le          p6,p0=r34,r0
        mov             r8=r0           }       // return value
-{ .mfb; nop.f           0x0
+{ .mfb; ADDP            r32=0,r32
+        nop.f           0x0
 (p6)    br.ret.spnt.many        b0      };;
        .save   ar.lc,r3
@@ -536,11 +482,7 @@ bn_sqr_words:
        mov     r9=pr                   };;
        .body
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+{ .mib; ADDP            r33=0,r33
-{ .mii; addp4           r32=0,r32
-        addp4           r33=0,r33       };;
-#endif
-{ .mib;
        mov             pr.rot=1<<16
        brp.loop.imp    .L_bn_sqr_words_ctop,.L_bn_sqr_words_cend-16
                                        }
@@ -605,7 +547,7 @@ bn_sqr_comba8:
        .prologue
        .fframe 0
        .save   ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
 { .mii; alloc   r2=ar.pfs,2,1,0,0
        addp4   r33=0,r33
        addp4   r32=0,r32               };;
@@ -631,6 +573,10 @@ bn_sqr_comba8:
 // clause in Itanium �-architecture manual? Comments are welcomed and
 // highly appreciated.
 //
+// On Itanium 2 it takes ~190 ticks. This is because of stalls on
+// result from getf.sig. I do nothing about it at this point for
+// reasons depicted below.
+//
 // However! It should be noted that even 160 ticks is darn good result
 // as it's over 10 (yes, ten, spelled as t-e-n) times faster than the
 // C version (compiled with gcc with inline assembler). I really
@@ -673,7 +619,7 @@ bn_mul_comba8:
        .prologue
        .fframe 0
        .save   ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
 { .mii; alloc   r2=ar.pfs,3,0,0,0
        addp4   r33=0,r33
        addp4   r34=0,r34               };;
@@ -1231,7 +1177,7 @@ bn_sqr_comba4:
        .prologue
        .fframe 0
        .save   ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
 { .mii; alloc   r2=ar.pfs,2,1,0,0
        addp4   r32=0,r32
        addp4   r33=0,r33               };;
@@ -1264,7 +1210,7 @@ bn_mul_comba4:
        .prologue
        .fframe 0
        .save   ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
 { .mii; alloc   r2=ar.pfs,3,0,0,0
        addp4   r33=0,r33
        addp4   r34=0,r34               };;
@@ -1448,8 +1394,8 @@ bn_mul_comba4:
 #define I       r21
 #if 0
-// Some preprocessors (most notably HP-UX) apper to be allergic to
+// Some preprocessors (most notably HP-UX) appear to be allergic to
-// macros enclosed to parenthesis as these three will be.
+// macros enclosed to parenthesis [as these three were].
 #define cont    p16
 #define break   p0      // p20
 #define equ     p24
@@ -1581,9 +1527,18 @@ bn_div_words:
 // output:      f8 = (int)(a/b)
 // clobbered:   f8,f9,f10,f11,pred
 pred=p15
-// This procedure is essentially Intel code and therefore is
+// One can argue that this snippet is copyrighted to Intel
-// copyrighted to Intel Corporation (I suppose...). It's sligtly
+// Corporation, as it's essentially identical to one of those
-// modified for specific needs.
+// found in "Divide, Square Root and Remainder" section at
+// http://www.intel.com/software/products/opensource/libraries/num.htm.
+// Yes, I admit that the referred code was used as template,
+// but after I realized that there hardly is any other instruction
+// sequence which would perform this operation. I mean I figure that
+// any independent attempt to implement high-performance division
+// will result in code virtually identical to the Intel code. It
+// should be noted though that below division kernel is 1 cycle
+// faster than Intel one (note commented splits:-), not to mention
+// original prologue (rather lack of one) and epilogue.
 .align  32
 .skip   16
 .L_udiv64_32_b6:
diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c
index c9ebdbaabe..b79b1b60da 100644
--- a/src/lib/libcrypto/bn/bn_mont.c
+++ b/src/lib/libcrypto/bn/bn_mont.c
@@ -273,7 +273,7 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
        BN_init(&Ri);
        R= &(mont->RR);                                 /* grab RR as a temp */
-        BN_copy(&(mont->N),mod);                        /* Set N */
+        if (!BN_copy(&(mont->N),mod)) goto err;         /* Set N */
        mont->N.neg = 0;
 #ifdef MONT_WORD
diff --git a/src/lib/libcrypto/bn/bntest.c b/src/lib/libcrypto/bn/bntest.c
index 8ef733013d..79d813d85e 100644
--- a/src/lib/libcrypto/bn/bntest.c
+++ b/src/lib/libcrypto/bn/bntest.c
@@ -232,7 +232,7 @@ int main(int argc, char *argv[])
        EXIT(0);
 err:
        BIO_puts(out,"1\n"); /* make sure the Perl script fed by bc notices
-                              * the failure, see test_bn in test/Makefile.ssl*/
+                              * the failure, see test_bn in test/Makefile */
        BIO_flush(out);
        ERR_load_crypto_strings();
        ERR_print_errors_fp(stderr);
diff --git a/src/lib/libcrypto/cast/c_skey.c b/src/lib/libcrypto/cast/c_skey.c
index 76e40005c9..dc4791a8cf 100644
--- a/src/lib/libcrypto/cast/c_skey.c
+++ b/src/lib/libcrypto/cast/c_skey.c
@@ -56,7 +56,9 @@
 * [including the GNU Public Licence.]
 */
+#include <openssl/crypto.h>
 #include <openssl/cast.h>
 #include "cast_lcl.h"
 #include "cast_s.h"
@@ -72,7 +74,7 @@
 #define S6 CAST_S_table6
 #define S7 CAST_S_table7
-void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data)
+FIPS_NON_FIPS_VCIPHER_Init(CAST)
        {
        CAST_LONG x[16];
        CAST_LONG z[16];
diff --git a/src/lib/libcrypto/cast/cast.h b/src/lib/libcrypto/cast/cast.h
index b28e4e4f3b..9e300178d9 100644
--- a/src/lib/libcrypto/cast/cast.h
+++ b/src/lib/libcrypto/cast/cast.h
@@ -81,7 +81,10 @@ typedef struct cast_key_st
        int short_key;  /* Use reduced rounds for short key */
        } CAST_KEY;
- 
+#ifdef OPENSSL_FIPS 
+void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
+#endif
 void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
 void CAST_ecb_encrypt(const unsigned char *in,unsigned char *out,CAST_KEY *key,
                      int enc);
diff --git a/src/lib/libcrypto/comp/c_zlib.c b/src/lib/libcrypto/comp/c_zlib.c
index 8c0876151a..1bd2850d15 100644
--- a/src/lib/libcrypto/comp/c_zlib.c
+++ b/src/lib/libcrypto/comp/c_zlib.c
@@ -3,6 +3,7 @@
 #include <string.h>
 #include <openssl/objects.h>
 #include <openssl/comp.h>
+#include <openssl/err.h>
 COMP_METHOD *COMP_zlib(void );
@@ -189,7 +190,17 @@ COMP_METHOD *COMP_zlib(void)
        if (!zlib_loaded)
                {
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
-                zlib_dso = DSO_load(NULL, "ZLIB", NULL, 0);
+                zlib_dso = DSO_load(NULL, "ZLIB1", NULL, 0);
+                if (!zlib_dso)
+                        {
+                        zlib_dso = DSO_load(NULL, "ZLIB", NULL, 0);
+                        if (zlib_dso)
+                                {
+                                /* Clear the errors from the first failed
+                                   DSO_load() */
+                                ERR_clear_error();
+                                }
+                        }
 #else
                zlib_dso = DSO_load(NULL, "z", NULL, 0);
 #endif
diff --git a/src/lib/libcrypto/conf/conf_def.c b/src/lib/libcrypto/conf/conf_def.c
index 2e9f52f1fd..b5a876ae68 100644
--- a/src/lib/libcrypto/conf/conf_def.c
+++ b/src/lib/libcrypto/conf/conf_def.c
@@ -632,6 +632,11 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
                        BUF_MEM_grow_clean(buf,(strlen(p)+len-(e-from)));
                        while (*p)
                                buf->data[to++]= *(p++);
+                        /* Since we change the pointer 'from', we also have
+                           to change the perceived length of the string it
+                           points at.  /RL */
+                        len -= e-from;
                        from=e;
                        }
                else
diff --git a/src/lib/libcrypto/cryptlib.c b/src/lib/libcrypto/cryptlib.c
index 2924def2bb..fef0afb29f 100644
--- a/src/lib/libcrypto/cryptlib.c
+++ b/src/lib/libcrypto/cryptlib.c
@@ -105,7 +105,9 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
        "engine",
        "ui",
        "hwcrhk",               /* This is a HACK which will disappear in 0.9.8 */
-#if CRYPTO_NUM_LOCKS != 33
+        "fips",
+        "fips2",
+#if CRYPTO_NUM_LOCKS != 35
 # error "Inconsistency between crypto.h and cryptlib.c"
 #endif
        };
@@ -478,13 +480,12 @@ const char *CRYPTO_get_lock_name(int type)
                return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS));
        }
-#ifdef _DLL
+#if defined(_WIN32) && defined(_WINDLL)
-#ifdef OPENSSL_SYS_WIN32
 /* All we really need to do is remove the 'error' state when a thread
 * detaches */
-BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason,
             LPVOID lpvReserved)
        {
        switch(fdwReason)
@@ -503,8 +504,6 @@ BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
        }
 #endif
-#endif
 void OpenSSLDie(const char *file,int line,const char *assertion)
        {
        fprintf(stderr,
@@ -512,3 +511,122 @@ void OpenSSLDie(const char *file,int line,const char *assertion)
                file,line,assertion);
        abort();
        }
+#ifdef OPENSSL_FIPS
+static int fips_started = 0;
+static int fips_mode = 0;
+static void *fips_rand_check = 0;
+static unsigned long fips_thread = 0;
+void fips_set_started(void)
+        {
+        fips_started = 1;
+        }
+int fips_is_started(void)
+        {
+        return fips_started;
+        }
+int fips_is_owning_thread(void)
+        {
+        int ret = 0;
+        if (fips_is_started())
+                {
+                CRYPTO_r_lock(CRYPTO_LOCK_FIPS2);
+                if (fips_thread != 0 && fips_thread == CRYPTO_thread_id())
+                        ret = 1;
+                CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2);
+                }
+        return ret;
+        }
+int fips_set_owning_thread(void)
+        {
+        int ret = 0;
+        if (fips_is_started())
+                {
+                CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
+                if (fips_thread == 0)
+                        {
+                        fips_thread = CRYPTO_thread_id();
+                        ret = 1;
+                        }
+                CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
+                }
+        return ret;
+        }
+int fips_clear_owning_thread(void)
+        {
+        int ret = 0;
+        if (fips_is_started())
+                {
+                CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
+                if (fips_thread == CRYPTO_thread_id())
+                        {
+                        fips_thread = 0;
+                        ret = 1;
+                        }
+                CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
+                }
+        return ret;
+        }
+void fips_set_mode(int onoff)
+        {
+        int owning_thread = fips_is_owning_thread();
+        if (fips_is_started())
+                {
+                if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS);
+                fips_mode = onoff;
+                if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS);
+                }
+        }
+void fips_set_rand_check(void *rand_check)
+        {
+        int owning_thread = fips_is_owning_thread();
+        if (fips_is_started())
+                {
+                if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS);
+                fips_rand_check = rand_check;
+                if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS);
+                }
+        }
+int FIPS_mode(void)
+        {
+        int ret = 0;
+        int owning_thread = fips_is_owning_thread();
+        if (fips_is_started())
+                {
+                if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS);
+                ret = fips_mode;
+                if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS);
+                }
+        return ret;
+        }
+void *FIPS_rand_check(void)
+        {
+        void *ret = 0;
+        int owning_thread = fips_is_owning_thread();
+        if (fips_is_started())
+                {
+                if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS);
+                ret = fips_rand_check;
+                if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS);
+                }
+        return ret;
+        }
+#endif /* OPENSSL_FIPS */
diff --git a/src/lib/libcrypto/crypto-lib.com b/src/lib/libcrypto/crypto-lib.com
index 39e78c69e5..c044ce0099 100644
--- a/src/lib/libcrypto/crypto-lib.com
+++ b/src/lib/libcrypto/crypto-lib.com
@@ -158,7 +158,7 @@ $!
 $ APPS_DES = "DES/DES,CBC3_ENC"
 $ APPS_PKCS7 = "ENC/ENC;DEC/DEC;SIGN/SIGN;VERIFY/VERIFY,EXAMPLE"
 $
-$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time"
+$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time,o_str"
 $ LIB_MD2 = "md2_dgst,md2_one"
 $ LIB_MD4 = "md4_dgst,md4_one"
 $ LIB_MD5 = "md5_dgst,md5_one"
@@ -247,7 +247,7 @@ $ LIB_X509 = "x509_def,x509_d2,x509_r2x,x509_cmp,"+ -
 $ LIB_X509V3 = "v3_bcons,v3_bitst,v3_conf,v3_extku,v3_ia5,v3_lib,"+ -
        "v3_prn,v3_utl,v3err,v3_genn,v3_alt,v3_skey,v3_akey,v3_pku,"+ -
        "v3_int,v3_enum,v3_sxnet,v3_cpols,v3_crld,v3_purp,v3_info,"+ -
-        "v3_ocsp,v3_akeya"
+        "v3_ocsp,v3_akeya,v3_pcia,v3_pci"
 $ LIB_CONF = "conf_err,conf_lib,conf_api,conf_def,conf_mod,conf_mall,conf_sap"
 $ LIB_TXT_DB = "txt_db"
 $ LIB_PKCS7 = "pk7_asn1,pk7_lib,pkcs7err,pk7_doit,pk7_smime,pk7_attr,"+ -
@@ -752,8 +752,8 @@ $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "    ALL      :  Just Build Everything."
-$     WRITE SYS$OUTPUT "    LIBRARY  :  To Compile Just The [.xxx.EXE.SSL]LIBCRYPTO.OLB Library."
+$     WRITE SYS$OUTPUT "    LIBRARY  :  To Compile Just The [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library."
-$     WRITE SYS$OUTPUT "    APPS     :  To Compile Just The [.xxx.EXE.SSL]*.EXE Programs."
+$     WRITE SYS$OUTPUT "    APPS     :  To Compile Just The [.xxx.EXE.CRYPTO]*.EXE Programs."
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT " Where 'xxx' Stands For:"
 $     WRITE SYS$OUTPUT ""
diff --git a/src/lib/libcrypto/crypto.h b/src/lib/libcrypto/crypto.h
index 273bc5e3f8..4d1dfac7f1 100644
--- a/src/lib/libcrypto/crypto.h
+++ b/src/lib/libcrypto/crypto.h
@@ -128,7 +128,9 @@ extern "C" {
 #define CRYPTO_LOCK_ENGINE              30
 #define CRYPTO_LOCK_UI                  31
 #define CRYPTO_LOCK_HWCRHK              32 /* This is a HACK which will disappear in 0.9.8 */
-#define CRYPTO_NUM_LOCKS                33
+#define CRYPTO_LOCK_FIPS                33
+#define CRYPTO_LOCK_FIPS2               34
+#define CRYPTO_NUM_LOCKS                35
 #define CRYPTO_LOCK             1
 #define CRYPTO_UNLOCK           2
@@ -434,6 +436,63 @@ void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb);
 void OpenSSLDie(const char *file,int line,const char *assertion);
 #define OPENSSL_assert(e)       ((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
+#ifdef OPENSSL_FIPS
+int FIPS_mode(void);
+void *FIPS_rand_check(void);
+#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
+                alg " previous FIPS forbidden algorithm error ignored");
+#define FIPS_BAD_ABORT(alg) OpenSSLDie(__FILE__, __LINE__, \
+                #alg " Algorithm forbidden in FIPS mode");
+#ifdef OPENSSL_FIPS_STRICT
+#define FIPS_BAD_ALGORITHM(alg) FIPS_BAD_ABORT(alg)
+#else
+#define FIPS_BAD_ALGORITHM(alg) \
+        { \
+        FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD); \
+        ERR_add_error_data(2, "Algorithm=", #alg); \
+        return 0; \
+        }
+#endif
+/* Low level digest API blocking macro */
+#define FIPS_NON_FIPS_MD_Init(alg) \
+        int alg##_Init(alg##_CTX *c) \
+                { \
+                if (FIPS_mode()) \
+                        FIPS_BAD_ALGORITHM(alg) \
+                return private_##alg##_Init(c); \
+                } \
+        int private_##alg##_Init(alg##_CTX *c)
+/* For ciphers the API often varies from cipher to cipher and each needs to
+ * be treated as a special case. Variable key length ciphers (Blowfish, RC4,
+ * CAST) however are very similar and can use a blocking macro.
+ */
+#define FIPS_NON_FIPS_VCIPHER_Init(alg) \
+        void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data) \
+                { \
+                if (FIPS_mode()) \
+                        FIPS_BAD_ABORT(alg) \
+                private_##alg##_set_key(key, len, data); \
+                } \
+        void private_##alg##_set_key(alg##_KEY *key, int len, \
+                                        const unsigned char *data)
+#else
+#define FIPS_NON_FIPS_VCIPHER_Init(alg) \
+        void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data)
+#define FIPS_NON_FIPS_MD_Init(alg) \
+        int alg##_Init(alg##_CTX *c) 
+#endif /* def OPENSSL_FIPS */
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.
diff --git a/src/lib/libcrypto/des/cfb64ede.c b/src/lib/libcrypto/des/cfb64ede.c
index 60c1aa08db..f3c6018528 100644
--- a/src/lib/libcrypto/des/cfb64ede.c
+++ b/src/lib/libcrypto/des/cfb64ede.c
@@ -57,6 +57,7 @@
 */
 #include "des_locl.h"
+#include "e_os.h"
 /* The input and output encrypted as though 64bit cfb mode is being
 * used.  The extra state information to record how much of the
@@ -140,3 +141,114 @@ void DES_ede2_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
        DES_ede3_cfb64_encrypt(in,out,length,ks1,ks2,ks1,ivec,num,enc);
        }
 #endif
+/* This is compatible with the single key CFB-r for DES, even thought that's
+ * not what EVP needs.
+ */
+void DES_ede3_cfb_encrypt(const unsigned char *in,unsigned char *out,
+                          int numbits,long length,DES_key_schedule *ks1,
+                          DES_key_schedule *ks2,DES_key_schedule *ks3,
+                          DES_cblock *ivec,int enc)
+        {
+        register DES_LONG d0,d1,v0,v1;
+        register long l=length;
+        register int num=numbits,n=(numbits+7)/8,i;
+        DES_LONG ti[2];
+        unsigned char *iv;
+        unsigned char ovec[16];
+        if (num > 64) return;
+        iv = &(*ivec)[0];
+        c2l(iv,v0);
+        c2l(iv,v1);
+        if (enc)
+                {
+                while (l >= n)
+                        {
+                        l-=n;
+                        ti[0]=v0;
+                        ti[1]=v1;
+                        DES_encrypt3(ti,ks1,ks2,ks3);
+                        c2ln(in,d0,d1,n);
+                        in+=n;
+                        d0^=ti[0];
+                        d1^=ti[1];
+                        l2cn(d0,d1,out,n);
+                        out+=n;
+                        /* 30-08-94 - eay - changed because l>>32 and
+                         * l<<32 are bad under gcc :-( */
+                        if (num == 32)
+                                { v0=v1; v1=d0; }
+                        else if (num == 64)
+                                { v0=d0; v1=d1; }
+                        else
+                                {
+                                iv=&ovec[0];
+                                l2c(v0,iv);
+                                l2c(v1,iv);
+                                l2c(d0,iv);
+                                l2c(d1,iv);
+                                /* shift ovec left most of the bits... */
+                                memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
+                                /* now the remaining bits */
+                                if(num%8 != 0)
+                                        for(i=0 ; i < 8 ; ++i)
+                                                {
+                                                ovec[i]<<=num%8;
+                                                ovec[i]|=ovec[i+1]>>(8-num%8);
+                                                }
+                                iv=&ovec[0];
+                                c2l(iv,v0);
+                                c2l(iv,v1);
+                                }
+                        }
+                }
+        else
+                {
+                while (l >= n)
+                        {
+                        l-=n;
+                        ti[0]=v0;
+                        ti[1]=v1;
+                        DES_encrypt3(ti,ks1,ks2,ks3);
+                        c2ln(in,d0,d1,n);
+                        in+=n;
+                        /* 30-08-94 - eay - changed because l>>32 and
+                         * l<<32 are bad under gcc :-( */
+                        if (num == 32)
+                                { v0=v1; v1=d0; }
+                        else if (num == 64)
+                                { v0=d0; v1=d1; }
+                        else
+                                {
+                                iv=&ovec[0];
+                                l2c(v0,iv);
+                                l2c(v1,iv);
+                                l2c(d0,iv);
+                                l2c(d1,iv);
+                                /* shift ovec left most of the bits... */
+                                memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
+                                /* now the remaining bits */
+                                if(num%8 != 0)
+                                        for(i=0 ; i < 8 ; ++i)
+                                                {
+                                                ovec[i]<<=num%8;
+                                                ovec[i]|=ovec[i+1]>>(8-num%8);
+                                                }
+                                iv=&ovec[0];
+                                c2l(iv,v0);
+                                c2l(iv,v1);
+                                }
+                        d0^=ti[0];
+                        d1^=ti[1];
+                        l2cn(d0,d1,out,n);
+                        out+=n;
+                        }
+                }
+        iv = &(*ivec)[0];
+        l2c(v0,iv);
+        l2c(v1,iv);
+        v0=v1=d0=d1=ti[0]=ti[1]=0;
+        }
diff --git a/src/lib/libcrypto/des/des.h b/src/lib/libcrypto/des/des.h
index dfe5ff64e4..81bd874edd 100644
--- a/src/lib/libcrypto/des/des.h
+++ b/src/lib/libcrypto/des/des.h
@@ -130,7 +130,7 @@ OPENSSL_DECLARE_GLOBAL(int,DES_rw_mode);	/* defaults to DES_PCBC_MODE */
 #define DES_rw_mode OPENSSL_GLOBAL_REF(DES_rw_mode)
 const char *DES_options(void);
-void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output,
+void DES_ecb3_encrypt(const unsigned char *input, unsigned char *output,
                      DES_key_schedule *ks1,DES_key_schedule *ks2,
                      DES_key_schedule *ks3, int enc);
 DES_LONG DES_cbc_cksum(const unsigned char *input,DES_cblock *output,
@@ -189,6 +189,10 @@ void DES_ede3_cfb64_encrypt(const unsigned char *in,unsigned char *out,
                            long length,DES_key_schedule *ks1,
                            DES_key_schedule *ks2,DES_key_schedule *ks3,
                            DES_cblock *ivec,int *num,int enc);
+void DES_ede3_cfb_encrypt(const unsigned char *in,unsigned char *out,
+                          int numbits,long length,DES_key_schedule *ks1,
+                          DES_key_schedule *ks2,DES_key_schedule *ks3,
+                          DES_cblock *ivec,int enc);
 void DES_ede3_ofb64_encrypt(const unsigned char *in,unsigned char *out,
                            long length,DES_key_schedule *ks1,
                            DES_key_schedule *ks2,DES_key_schedule *ks3,
diff --git a/src/lib/libcrypto/des/des_enc.c b/src/lib/libcrypto/des/des_enc.c
index 4f09804c44..6a49ec4a55 100644
--- a/src/lib/libcrypto/des/des_enc.c
+++ b/src/lib/libcrypto/des/des_enc.c
@@ -58,7 +58,9 @@
 #include "des_locl.h"
+#ifndef OPENSSL_FIPS
 #ifndef OPENBSD_DES_ASM
 void DES_encrypt1(DES_LONG *data, DES_key_schedule *ks, int enc)
        {
        register DES_LONG l,r,t,u;
@@ -289,8 +291,12 @@ void DES_decrypt3(DES_LONG *data, DES_key_schedule *ks1,
        data[1]=r;
        }
+#endif /* ndef OPENSSL_FIPS */
 #ifndef DES_DEFAULT_OPTIONS
+#if !defined(OPENSSL_FIPS_DES_ASM)
 #undef CBC_ENC_C__DONT_UPDATE_IV
 #include "ncbc_enc.c" /* DES_ncbc_encrypt */
@@ -406,4 +412,6 @@ void DES_ede3_cbc_encrypt(const unsigned char *input, unsigned char *output,
        tin[0]=tin[1]=0;
        }
+#endif /* !defined(OPENSSL_FIPS_DES_ASM) */
 #endif /* DES_DEFAULT_OPTIONS */
diff --git a/src/lib/libcrypto/des/des_old.c b/src/lib/libcrypto/des/des_old.c
index 7e4cd7180d..88e9802aad 100644
--- a/src/lib/libcrypto/des/des_old.c
+++ b/src/lib/libcrypto/des/des_old.c
@@ -84,7 +84,7 @@ void _ossl_old_des_ecb3_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock
        des_key_schedule ks1,des_key_schedule ks2,
        des_key_schedule ks3, int enc)
        {
-        DES_ecb3_encrypt((const_DES_cblock *)input, output,
+        DES_ecb3_encrypt((const unsigned char *)input, (unsigned char *)output,
                (DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
                (DES_key_schedule *)ks3, enc);
        }
diff --git a/src/lib/libcrypto/des/destest.c b/src/lib/libcrypto/des/destest.c
index 3983ac8e5f..e3e9d77f14 100644
--- a/src/lib/libcrypto/des/destest.c
+++ b/src/lib/libcrypto/des/destest.c
@@ -439,8 +439,8 @@ int main(int argc, char *argv[])
                memcpy(in,plain_data[i],8);
                memset(out,0,8);
                memset(outin,0,8);
-                des_ecb2_encrypt(&in,&out,ks,ks2,DES_ENCRYPT);
+                des_ecb2_encrypt(in,out,ks,ks2,DES_ENCRYPT);
-                des_ecb2_encrypt(&out,&outin,ks,ks2,DES_DECRYPT);
+                des_ecb2_encrypt(out,outin,ks,ks2,DES_DECRYPT);
                if (memcmp(out,cipher_ecb2[i],8) != 0)
                        {
diff --git a/src/lib/libcrypto/des/ecb3_enc.c b/src/lib/libcrypto/des/ecb3_enc.c
index c3437bc606..fa0c9c4d4f 100644
--- a/src/lib/libcrypto/des/ecb3_enc.c
+++ b/src/lib/libcrypto/des/ecb3_enc.c
@@ -58,15 +58,13 @@
 #include "des_locl.h"
-void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output,
+void DES_ecb3_encrypt(const unsigned char *in, unsigned char *out,
                      DES_key_schedule *ks1, DES_key_schedule *ks2,
                      DES_key_schedule *ks3,
             int enc)
        {
        register DES_LONG l0,l1;
        DES_LONG ll[2];
-        const unsigned char *in = &(*input)[0];
-        unsigned char *out = &(*output)[0];
        c2l(in,l0);
        c2l(in,l1);
diff --git a/src/lib/libcrypto/des/set_key.c b/src/lib/libcrypto/des/set_key.c
index 143008ed9c..8881d46a7a 100644
--- a/src/lib/libcrypto/des/set_key.c
+++ b/src/lib/libcrypto/des/set_key.c
@@ -65,6 +65,8 @@
 */
 #include "des_locl.h"
+#ifndef OPENSSL_FIPS
 OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key);    /* defaults to false */
 static const unsigned char odd_parity[256]={
@@ -405,3 +407,5 @@ void des_fixup_key_parity(des_cblock *key)
        des_set_odd_parity(key);
        }
 */
+#endif /* ndef OPENSSL_FIPS */
diff --git a/src/lib/libcrypto/dh/dh_check.c b/src/lib/libcrypto/dh/dh_check.c
index f0373f7d68..a7e9920efb 100644
--- a/src/lib/libcrypto/dh/dh_check.c
+++ b/src/lib/libcrypto/dh/dh_check.c
@@ -70,6 +70,8 @@
 * should hold.
 */
+#ifndef OPENSSL_FIPS
 int DH_check(const DH *dh, int *ret)
        {
        int ok=0;
@@ -118,3 +120,5 @@ err:
        if (q != NULL) BN_free(q);
        return(ok);
        }
+#endif
diff --git a/src/lib/libcrypto/dh/dh_err.c b/src/lib/libcrypto/dh/dh_err.c
index d837950aec..c2715044c9 100644
--- a/src/lib/libcrypto/dh/dh_err.c
+++ b/src/lib/libcrypto/dh/dh_err.c
@@ -1,6 +1,6 @@
 /* crypto/dh/dh_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
diff --git a/src/lib/libcrypto/dh/dh_gen.c b/src/lib/libcrypto/dh/dh_gen.c
index 06f78b35ab..23777f5a16 100644
--- a/src/lib/libcrypto/dh/dh_gen.c
+++ b/src/lib/libcrypto/dh/dh_gen.c
@@ -86,6 +86,9 @@
 * It's just as OK (and in some sense better) to use a generator of the
 * order-q subgroup.
 */
+#ifndef OPENSSL_FIPS
 DH *DH_generate_parameters(int prime_len, int generator,
             void (*callback)(int,int,void *), void *cb_arg)
        {
@@ -146,6 +149,7 @@ DH *DH_generate_parameters(int prime_len, int generator,
        if (callback != NULL) callback(3,0,cb_arg);
        ret->p=p;
        ret->g=BN_new();
+        if (ret->g == NULL) goto err;
        if (!BN_set_word(ret->g,g)) goto err;
        ok=1;
 err:
@@ -167,3 +171,5 @@ err:
                }
        return(ret);
        }
+#endif
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index 77f2f50b51..ff125c2296 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -62,6 +62,8 @@
 #include <openssl/rand.h>
 #include <openssl/dh.h>
+#ifndef OPENSSL_FIPS
 static int generate_key(DH *dh);
 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
@@ -220,3 +222,5 @@ static int dh_finish(DH *dh)
                BN_MONT_CTX_free((BN_MONT_CTX *)dh->method_mont_p);
        return(1);
        }
+#endif
diff --git a/src/lib/libcrypto/doc/ERR_error_string.pod b/src/lib/libcrypto/doc/ERR_error_string.pod
index e01beb817a..cdfa7fe1fe 100644
--- a/src/lib/libcrypto/doc/ERR_error_string.pod
+++ b/src/lib/libcrypto/doc/ERR_error_string.pod
@@ -11,7 +11,7 @@ error message
 #include <openssl/err.h>
 char *ERR_error_string(unsigned long e, char *buf);
- char *ERR_error_string_n(unsigned long e, char *buf, size_t len);
+ void ERR_error_string_n(unsigned long e, char *buf, size_t len);
 const char *ERR_lib_error_string(unsigned long e);
 const char *ERR_func_error_string(unsigned long e);
diff --git a/src/lib/libcrypto/doc/EVP_EncryptInit.pod b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
index daf57e5895..40e525dd56 100644
--- a/src/lib/libcrypto/doc/EVP_EncryptInit.pod
+++ b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
@@ -479,6 +479,7 @@ General encryption, decryption function example using FILE I/O and RC2 with an
                if(!EVP_CipherUpdate(&ctx, outbuf, &outlen, inbuf, inlen))
                        {
                        /* Error */
+                        EVP_CIPHER_CTX_cleanup(&ctx);
                        return 0;
                        }
                fwrite(outbuf, 1, outlen, out);
@@ -486,6 +487,7 @@ General encryption, decryption function example using FILE I/O and RC2 with an
        if(!EVP_CipherFinal_ex(&ctx, outbuf, &outlen))
                {
                /* Error */
+                EVP_CIPHER_CTX_cleanup(&ctx);
                return 0;
                }
        fwrite(outbuf, 1, outlen, out);
diff --git a/src/lib/libcrypto/doc/EVP_SealInit.pod b/src/lib/libcrypto/doc/EVP_SealInit.pod
index b5e477e294..48a0e29954 100644
--- a/src/lib/libcrypto/doc/EVP_SealInit.pod
+++ b/src/lib/libcrypto/doc/EVP_SealInit.pod
@@ -8,8 +8,9 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption
 #include <openssl/evp.h>
- int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
+ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, 
-                int *ekl, unsigned char *iv,EVP_PKEY **pubk, int npubk);
+                unsigned char **ek, int *ekl, unsigned char *iv,
+                EVP_PKEY **pubk, int npubk);
 int EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
         int *outl, unsigned char *in, int inl);
 int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
diff --git a/src/lib/libcrypto/doc/EVP_SignInit.pod b/src/lib/libcrypto/doc/EVP_SignInit.pod
index e65e54ce52..0bace24938 100644
--- a/src/lib/libcrypto/doc/EVP_SignInit.pod
+++ b/src/lib/libcrypto/doc/EVP_SignInit.pod
@@ -29,11 +29,10 @@ EVP_SignUpdate() hashes B<cnt> bytes of data at B<d> into the
 signature context B<ctx>. This function can be called several times on the
 same B<ctx> to include additional data.
-EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey>
+EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey> and
-and places the signature in B<sig>. If the B<s> parameter is not NULL
+places the signature in B<sig>. The number of bytes of data written (i.e. the
-then the number of bytes of data written (i.e. the length of the signature)
+length of the signature) will be written to the integer at B<s>, at most
-will be written to the integer at B<s>, at most EVP_PKEY_size(pkey) bytes
+EVP_PKEY_size(pkey) bytes will be written. 
-will be written. 
 EVP_SignInit() initializes a signing context B<ctx> to use the default
 implementation of digest B<type>.
diff --git a/src/lib/libcrypto/doc/RSA_public_encrypt.pod b/src/lib/libcrypto/doc/RSA_public_encrypt.pod
index d53e19d2b7..ab0fe3b2cd 100644
--- a/src/lib/libcrypto/doc/RSA_public_encrypt.pod
+++ b/src/lib/libcrypto/doc/RSA_public_encrypt.pod
@@ -47,9 +47,10 @@ Encrypting user data directly with RSA is insecure.
 =back
 B<flen> must be less than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
-based padding modes, and less than RSA_size(B<rsa>) - 41 for
+based padding modes, less than RSA_size(B<rsa>) - 41 for
-RSA_PKCS1_OAEP_PADDING. The random number generator must be seeded
+RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B<rsa>) for RSA_NO_PADDING.
-prior to calling RSA_public_encrypt().
+The random number generator must be seeded prior to calling
+RSA_public_encrypt().
 RSA_private_decrypt() decrypts the B<flen> bytes at B<from> using the
 private key B<rsa> and stores the plaintext in B<to>. B<to> must point
diff --git a/src/lib/libcrypto/dsa/dsa.h b/src/lib/libcrypto/dsa/dsa.h
index 9b3baadf2c..225ff391f9 100644
--- a/src/lib/libcrypto/dsa/dsa.h
+++ b/src/lib/libcrypto/dsa/dsa.h
@@ -81,6 +81,10 @@
 #define DSA_FLAG_CACHE_MONT_P   0x01
+#if defined(OPENSSL_FIPS)
+#define FIPS_DSA_SIZE_T int
+#endif
 #ifdef  __cplusplus
 extern "C" {
 #endif
diff --git a/src/lib/libcrypto/dsa/dsa_gen.c b/src/lib/libcrypto/dsa/dsa_gen.c
index dc9c249310..e40afeea51 100644
--- a/src/lib/libcrypto/dsa/dsa_gen.c
+++ b/src/lib/libcrypto/dsa/dsa_gen.c
@@ -80,6 +80,7 @@
 #include <openssl/rand.h>
 #include <openssl/sha.h>
+#ifndef OPENSSL_FIPS
 DSA *DSA_generate_parameters(int bits,
                unsigned char *seed_in, int seed_len,
                int *counter_ret, unsigned long *h_ret,
@@ -127,8 +128,9 @@ DSA *DSA_generate_parameters(int bits,
        c = BN_CTX_get(ctx2);
        p = BN_CTX_get(ctx2);
        test = BN_CTX_get(ctx2);
+        if (test == NULL) goto err;
-        BN_lshift(test,BN_value_one(),bits-1);
+        if (!BN_lshift(test,BN_value_one(),bits-1)) goto err;
        for (;;)
                {
@@ -196,7 +198,7 @@ DSA *DSA_generate_parameters(int bits,
                                callback(0,counter,cb_arg);
                        /* step 7 */
-                        BN_zero(W);
+                        if (!BN_zero(W)) goto err;
                        /* now 'buf' contains "SEED + offset - 1" */
                        for (k=0; k<=n; k++)
                                {
@@ -212,20 +214,20 @@ DSA *DSA_generate_parameters(int bits,
                                /* step 8 */
                                if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0))
                                        goto err;
-                                BN_lshift(r0,r0,160*k);
+                                if (!BN_lshift(r0,r0,160*k)) goto err;
-                                BN_add(W,W,r0);
+                                if (!BN_add(W,W,r0)) goto err;
                                }
                        /* more of step 8 */
-                        BN_mask_bits(W,bits-1);
+                        if (!BN_mask_bits(W,bits-1)) goto err;
-                        BN_copy(X,W); /* this should be ok */
+                        if (!BN_copy(X,W)) goto err;
-                        BN_add(X,X,test); /* this should be ok */
+                        if (!BN_add(X,X,test)) goto err;
                        /* step 9 */
-                        BN_lshift1(r0,q);
+                        if (!BN_lshift1(r0,q)) goto err;
-                        BN_mod(c,X,r0,ctx);
+                        if (!BN_mod(c,X,r0,ctx)) goto err;
-                        BN_sub(r0,c,BN_value_one());
+                        if (!BN_sub(r0,c,BN_value_one())) goto err;
-                        BN_sub(p,X,r0);
+                        if (!BN_sub(p,X,r0)) goto err;
                        /* step 10 */
                        if (BN_cmp(p,test) >= 0)
@@ -251,18 +253,18 @@ end:
        /* We now need to generate g */
        /* Set r0=(p-1)/q */
-        BN_sub(test,p,BN_value_one());
+        if (!BN_sub(test,p,BN_value_one())) goto err;
-        BN_div(r0,NULL,test,q,ctx);
+        if (!BN_div(r0,NULL,test,q,ctx)) goto err;
-        BN_set_word(test,h);
+        if (!BN_set_word(test,h)) goto err;
-        BN_MONT_CTX_set(mont,p,ctx);
+        if (!BN_MONT_CTX_set(mont,p,ctx)) goto err;
        for (;;)
                {
                /* g=test^r0%p */
-                BN_mod_exp_mont(g,test,r0,p,ctx,mont);
+                if (!BN_mod_exp_mont(g,test,r0,p,ctx,mont)) goto err;
                if (!BN_is_one(g)) break;
-                BN_add(test,test,BN_value_one());
+                if (!BN_add(test,test,BN_value_one())) goto err;
                h++;
                }
@@ -279,6 +281,11 @@ err:
                ret->p=BN_dup(p);
                ret->q=BN_dup(q);
                ret->g=BN_dup(g);
+                if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
+                        {
+                        ok=0;
+                        goto err;
+                        }
                if ((m > 1) && (seed_in != NULL)) memcpy(seed_in,seed,20);
                if (counter_ret != NULL) *counter_ret=counter;
                if (h_ret != NULL) *h_ret=h;
@@ -293,4 +300,6 @@ err:
        if (mont != NULL) BN_MONT_CTX_free(mont);
        return(ok?ret:NULL);
        }
-#endif
+#endif /* ndef OPENSSL_FIPS */
+#endif /* ndef OPENSSL_NO_SHA */
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index ef87c3e637..30607ca579 100644
--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -64,6 +64,7 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
+#ifndef OPENSSL_FIPS
 int DSA_generate_key(DSA *dsa)
        {
        int ok=0;
@@ -103,3 +104,4 @@ err:
        return(ok);
        }
 #endif
+#endif
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index b9e7f3ea5c..f1a85afcde 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -65,6 +65,7 @@
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
+#ifndef OPENSSL_FIPS
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
 static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
@@ -346,3 +347,4 @@ static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
 {
        return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
 }
+#endif
diff --git a/src/lib/libcrypto/dsa/dsa_sign.c b/src/lib/libcrypto/dsa/dsa_sign.c
index 89205026f0..3c9753bac3 100644
--- a/src/lib/libcrypto/dsa/dsa_sign.c
+++ b/src/lib/libcrypto/dsa/dsa_sign.c
@@ -64,9 +64,17 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+#include <openssl/fips.h>
 DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
        {
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode() && !FIPS_dsa_check(dsa))
+                return NULL;
+#endif
        return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
        }
@@ -87,6 +95,10 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
        {
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode() && !FIPS_dsa_check(dsa))
+                return 0;
+#endif
        return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
        }
diff --git a/src/lib/libcrypto/dsa/dsa_vrf.c b/src/lib/libcrypto/dsa/dsa_vrf.c
index c4aeddd056..8ef0c45025 100644
--- a/src/lib/libcrypto/dsa/dsa_vrf.c
+++ b/src/lib/libcrypto/dsa/dsa_vrf.c
@@ -65,10 +65,18 @@
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1_mac.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+#include <openssl/fips.h>
 int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                  DSA *dsa)
        {
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode() && !FIPS_dsa_check(dsa))
+                return -1;
+#endif
        return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
        }
diff --git a/src/lib/libcrypto/dso/dso_win32.c b/src/lib/libcrypto/dso/dso_win32.c
index 6c30deb250..3fa90eb27c 100644
--- a/src/lib/libcrypto/dso/dso_win32.c
+++ b/src/lib/libcrypto/dso/dso_win32.c
@@ -61,7 +61,7 @@
 #include "cryptlib.h"
 #include <openssl/dso.h>
-#if !defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE)
+#if !defined(DSO_WIN32)
 DSO_METHOD *DSO_METHOD_win32(void)
        {
        return NULL;
diff --git a/src/lib/libcrypto/engine/hw_cryptodev.c b/src/lib/libcrypto/engine/hw_cryptodev.c
index 0ca442af8a..41184b6786 100644
--- a/src/lib/libcrypto/engine/hw_cryptodev.c
+++ b/src/lib/libcrypto/engine/hw_cryptodev.c
@@ -93,7 +93,7 @@ static int open_dev_crypto(void);
 static int get_dev_crypto(void);
 static struct dev_crypto_cipher *cipher_nid_to_cryptodev(int nid);
 static int get_cryptodev_ciphers(const int **cnids);
-static int get_cryptodev_digests(const int **cnids);
+/*static int get_cryptodev_digests(const int **cnids);*/
 static int cryptodev_usable_ciphers(const int **nids);
 static int cryptodev_usable_digests(const int **nids);
 static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
@@ -150,6 +150,7 @@ static struct dev_crypto_cipher ciphers[] = {
        { 0,                            NID_undef,              0,       0, },
 };
+#if 0 /* UNUSED */
 static struct {
        int     id;
        int     nid;
@@ -162,6 +163,7 @@ static struct {
        { CRYPTO_SHA1,                  NID_undef,              },
        { 0,                            NID_undef,              },
 };
+#endif
 /*
 * Return a fd if /dev/crypto seems usable, -1 otherwise.
@@ -297,6 +299,7 @@ get_cryptodev_ciphers(const int **cnids)
 * returning them here is harmless, as long as we return NULL
 * when asked for a handler in the cryptodev_engine_digests routine
 */
+#if 0 /* UNUSED */
 static int
 get_cryptodev_digests(const int **cnids)
 {
@@ -326,6 +329,7 @@ get_cryptodev_digests(const int **cnids)
                *cnids = NULL;
        return (count);
 }
+#endif
 /*
 * Find the useable ciphers|digests from dev/crypto - this is the first
@@ -832,7 +836,7 @@ static int
 bn2crparam(const BIGNUM *a, struct crparam *crp)
 {
        int i, j, k;
-        ssize_t words, bytes, bits;
+        ssize_t bytes, bits;
        u_char *b;
        crp->crp_p = NULL;
diff --git a/src/lib/libcrypto/err/err.c b/src/lib/libcrypto/err/err.c
index 792f329600..c78790a54c 100644
--- a/src/lib/libcrypto/err/err.c
+++ b/src/lib/libcrypto/err/err.c
@@ -149,6 +149,7 @@ static ERR_STRING_DATA ERR_str_libraries[]=
 {ERR_PACK(ERR_LIB_DSO,0,0)              ,"DSO support routines"},
 {ERR_PACK(ERR_LIB_ENGINE,0,0)           ,"engine routines"},
 {ERR_PACK(ERR_LIB_OCSP,0,0)             ,"OCSP routines"},
+{ERR_PACK(ERR_LIB_FIPS,0,0)             ,"FIPS routines"},
 {0,NULL},
        };
@@ -167,6 +168,7 @@ static ERR_STRING_DATA ERR_str_functs[]=
 #endif
        {ERR_PACK(0,SYS_F_OPENDIR,0),           "opendir"},
        {ERR_PACK(0,SYS_F_FREAD,0),             "fread"},
+        {ERR_PACK(0,SYS_F_GETADDRINFO,0),       "getaddrinfo"},
        {0,NULL},
        };
diff --git a/src/lib/libcrypto/err/err.h b/src/lib/libcrypto/err/err.h
index 8faa3a7b4f..2efa18866a 100644
--- a/src/lib/libcrypto/err/err.h
+++ b/src/lib/libcrypto/err/err.h
@@ -131,6 +131,7 @@ typedef struct err_state_st
 #define ERR_LIB_OCSP            39
 #define ERR_LIB_UI              40
 #define ERR_LIB_COMP            41
+#define ERR_LIB_FIPS            42
 #define ERR_LIB_USER            128
@@ -159,6 +160,7 @@ typedef struct err_state_st
 #define OCSPerr(f,r) ERR_PUT_error(ERR_LIB_OCSP,(f),(r),__FILE__,__LINE__)
 #define UIerr(f,r) ERR_PUT_error(ERR_LIB_UI,(f),(r),__FILE__,__LINE__)
 #define COMPerr(f,r) ERR_PUT_error(ERR_LIB_COMP,(f),(r),__FILE__,__LINE__)
+#define FIPSerr(f,r) ERR_PUT_error(ERR_LIB_FIPS,(f),(r),__FILE__,__LINE__)
 /* Borland C seems too stupid to be able to shift and do longs in
 * the pre-processor :-( */
@@ -183,6 +185,7 @@ typedef struct err_state_st
 #define SYS_F_WSASTARTUP        9 /* Winsock stuff */
 #define SYS_F_OPENDIR           10
 #define SYS_F_FREAD             11
+#define SYS_F_GETADDRINFO       12
 /* reasons */
diff --git a/src/lib/libcrypto/err/err_all.c b/src/lib/libcrypto/err/err_all.c
index dc505d9d9d..4dc9300892 100644
--- a/src/lib/libcrypto/err/err_all.c
+++ b/src/lib/libcrypto/err/err_all.c
@@ -87,6 +87,7 @@
 #endif
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
+#include <openssl/fips.h>
 void ERR_load_crypto_strings(void)
        {
@@ -130,4 +131,7 @@ void ERR_load_crypto_strings(void)
        ERR_load_OCSP_strings();
        ERR_load_UI_strings();
 #endif
+#ifdef OPENSSL_FIPS
+        ERR_load_FIPS_strings();
+#endif
        }
diff --git a/src/lib/libcrypto/err/openssl.ec b/src/lib/libcrypto/err/openssl.ec
index 29a69dfdd4..447a7f87ed 100644
--- a/src/lib/libcrypto/err/openssl.ec
+++ b/src/lib/libcrypto/err/openssl.ec
@@ -27,6 +27,7 @@ L DSO		crypto/dso/dso.h		crypto/dso/dso_err.c
 L ENGINE        crypto/engine/engine.h          crypto/engine/eng_err.c
 L OCSP          crypto/ocsp/ocsp.h              crypto/ocsp/ocsp_err.c
 L UI            crypto/ui/ui.h                  crypto/ui/ui_err.c
+L FIPS          fips/fips.h                     fips/fips_err.h
 # additional header files to be scanned for function names
 L NONE          crypto/x509/x509_vfy.h          NONE
diff --git a/src/lib/libcrypto/evp/bio_md.c b/src/lib/libcrypto/evp/bio_md.c
index c632dfb202..f4aa41ac4b 100644
--- a/src/lib/libcrypto/evp/bio_md.c
+++ b/src/lib/libcrypto/evp/bio_md.c
@@ -176,10 +176,11 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
                {
        case BIO_CTRL_RESET:
                if (b->init)
-                        EVP_DigestInit_ex(ctx,ctx->digest, NULL);
+                        ret = EVP_DigestInit_ex(ctx,ctx->digest, NULL);
                else
                        ret=0;
-                ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                if (ret > 0)
+                        ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
                break;
        case BIO_C_GET_MD:
                if (b->init)
@@ -191,11 +192,12 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
                        ret=0;
                break;
        case BIO_C_GET_MD_CTX:
+                pctx=ptr;
+                *pctx=ctx;
+                break;
+        case BIO_C_SET_MD_CTX:
                if (b->init)
-                        {
+                        b->ptr=ptr;
-                        pctx=ptr;
-                        *pctx=ctx;
-                        }
                else
                        ret=0;
                break;
@@ -207,8 +209,9 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
        case BIO_C_SET_MD:
                md=ptr;
-                EVP_DigestInit_ex(ctx,md, NULL);
+                ret = EVP_DigestInit_ex(ctx,md, NULL);
-                b->init=1;
+                if (ret > 0)
+                        b->init=1;
                break;
        case BIO_CTRL_DUP:
                dbio=ptr;
diff --git a/src/lib/libcrypto/evp/c_allc.c b/src/lib/libcrypto/evp/c_allc.c
index 341a958fd4..fc96812365 100644
--- a/src/lib/libcrypto/evp/c_allc.c
+++ b/src/lib/libcrypto/evp/c_allc.c
@@ -67,6 +67,8 @@ void OpenSSL_add_all_ciphers(void)
 #ifndef OPENSSL_NO_DES
        EVP_add_cipher(EVP_des_cfb());
+        EVP_add_cipher(EVP_des_cfb1());
+        EVP_add_cipher(EVP_des_cfb8());
        EVP_add_cipher(EVP_des_ede_cfb());
        EVP_add_cipher(EVP_des_ede3_cfb());
@@ -150,6 +152,8 @@ void OpenSSL_add_all_ciphers(void)
        EVP_add_cipher(EVP_aes_128_ecb());
        EVP_add_cipher(EVP_aes_128_cbc());
        EVP_add_cipher(EVP_aes_128_cfb());
+        EVP_add_cipher(EVP_aes_128_cfb1());
+        EVP_add_cipher(EVP_aes_128_cfb8());
        EVP_add_cipher(EVP_aes_128_ofb());
 #if 0
        EVP_add_cipher(EVP_aes_128_ctr());
@@ -159,6 +163,8 @@ void OpenSSL_add_all_ciphers(void)
        EVP_add_cipher(EVP_aes_192_ecb());
        EVP_add_cipher(EVP_aes_192_cbc());
        EVP_add_cipher(EVP_aes_192_cfb());
+        EVP_add_cipher(EVP_aes_192_cfb1());
+        EVP_add_cipher(EVP_aes_192_cfb8());
        EVP_add_cipher(EVP_aes_192_ofb());
 #if 0
        EVP_add_cipher(EVP_aes_192_ctr());
@@ -168,6 +174,8 @@ void OpenSSL_add_all_ciphers(void)
        EVP_add_cipher(EVP_aes_256_ecb());
        EVP_add_cipher(EVP_aes_256_cbc());
        EVP_add_cipher(EVP_aes_256_cfb());
+        EVP_add_cipher(EVP_aes_256_cfb1());
+        EVP_add_cipher(EVP_aes_256_cfb8());
        EVP_add_cipher(EVP_aes_256_ofb());
 #if 0
        EVP_add_cipher(EVP_aes_256_ctr());
diff --git a/src/lib/libcrypto/evp/c_alld.c b/src/lib/libcrypto/evp/c_alld.c
index be91cdb037..aae7bf7482 100644
--- a/src/lib/libcrypto/evp/c_alld.c
+++ b/src/lib/libcrypto/evp/c_alld.c
@@ -75,7 +75,7 @@ void OpenSSL_add_all_digests(void)
        EVP_add_digest_alias(SN_md5,"ssl2-md5");
        EVP_add_digest_alias(SN_md5,"ssl3-md5");
 #endif
-#ifndef OPENSSL_NO_SHA
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0)
        EVP_add_digest(EVP_sha());
 #ifndef OPENSSL_NO_DSA
        EVP_add_digest(EVP_dss());
diff --git a/src/lib/libcrypto/evp/digest.c b/src/lib/libcrypto/evp/digest.c
index 0623ddf1f0..f21c63842c 100644
--- a/src/lib/libcrypto/evp/digest.c
+++ b/src/lib/libcrypto/evp/digest.c
@@ -137,6 +137,39 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
        return EVP_DigestInit_ex(ctx, type, NULL);
        }
+#ifdef OPENSSL_FIPS
+/* The purpose of these is to trap programs that attempt to use non FIPS
+ * algorithms in FIPS mode and ignore the errors.
+ */
+static int bad_init(EVP_MD_CTX *ctx)
+        { FIPS_ERROR_IGNORED("Digest init"); return 0;}
+static int bad_update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+        { FIPS_ERROR_IGNORED("Digest update"); return 0;}
+static int bad_final(EVP_MD_CTX *ctx,unsigned char *md)
+        { FIPS_ERROR_IGNORED("Digest Final"); return 0;}
+static const EVP_MD bad_md =
+        {
+        0,
+        0,
+        0,
+        0,
+        bad_init,
+        bad_update,
+        bad_final,
+        NULL,
+        NULL,
+        NULL,
+        0,
+        {0,0,0,0},
+        };
+#endif
 int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
        {
        EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
@@ -195,6 +228,18 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
 #endif
        if (ctx->digest != type)
                {
+#ifdef OPENSSL_FIPS
+                if (FIPS_mode())
+                        {
+                        if (!(type->flags & EVP_MD_FLAG_FIPS) 
+                         && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
+                                {
+                                EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_DISABLED_FOR_FIPS);
+                                ctx->digest = &bad_md;
+                                return 0;
+                                }
+                        }
+#endif
                if (ctx->digest && ctx->digest->ctx_size)
                        OPENSSL_free(ctx->md_data);
                ctx->digest=type;
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index fe8bcda631..f35036c9d7 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -67,34 +67,52 @@ typedef struct
 IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY,
                       NID_aes_128, 16, 16, 16, 128,
-                       0, aes_init_key, NULL, 
+                       EVP_CIPH_FLAG_FIPS, aes_init_key, NULL, 
                       EVP_CIPHER_set_asn1_iv,
                       EVP_CIPHER_get_asn1_iv,
                       NULL)
 IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY,
                       NID_aes_192, 16, 24, 16, 128,
-                       0, aes_init_key, NULL, 
+                       EVP_CIPH_FLAG_FIPS, aes_init_key, NULL, 
                       EVP_CIPHER_set_asn1_iv,
                       EVP_CIPHER_get_asn1_iv,
                       NULL)
 IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY,
                       NID_aes_256, 16, 32, 16, 128,
-                       0, aes_init_key, NULL, 
+                       EVP_CIPH_FLAG_FIPS, aes_init_key, NULL, 
                       EVP_CIPHER_set_asn1_iv,
                       EVP_CIPHER_get_asn1_iv,
                       NULL)
+#define IMPLEMENT_AES_CFBR(ksize,cbits,flags)   IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16,flags)
+IMPLEMENT_AES_CFBR(128,1,0)
+IMPLEMENT_AES_CFBR(192,1,0)
+IMPLEMENT_AES_CFBR(256,1,0)
+IMPLEMENT_AES_CFBR(128,8,EVP_CIPH_FLAG_FIPS)
+IMPLEMENT_AES_CFBR(192,8,EVP_CIPH_FLAG_FIPS)
+IMPLEMENT_AES_CFBR(256,8,EVP_CIPH_FLAG_FIPS)
 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-                   const unsigned char *iv, int enc) {
+                   const unsigned char *iv, int enc)
+        {
+        int ret;
        if ((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CFB_MODE
            || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_OFB_MODE
            || enc) 
-                AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
+                ret=AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
        else
-                AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
+                ret=AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
+        if(ret < 0)
+                {
+                EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
+                return 0;
+                }
        return 1;
-}
+        }
 #endif
diff --git a/src/lib/libcrypto/evp/e_des.c b/src/lib/libcrypto/evp/e_des.c
index 105266a4b3..46e2899825 100644
--- a/src/lib/libcrypto/evp/e_des.c
+++ b/src/lib/libcrypto/evp/e_des.c
@@ -56,9 +56,9 @@
 * [including the GNU Public Licence.]
 */
-#ifndef OPENSSL_NO_DES
 #include <stdio.h>
 #include "cryptlib.h"
+#ifndef OPENSSL_NO_DES
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "evp_locl.h"
@@ -92,20 +92,55 @@ static int des_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
        return 1;
 }
-static int des_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+static int des_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                          const unsigned char *in, unsigned int inl)
+                            const unsigned char *in, unsigned int inl)
 {
        DES_cfb64_encrypt(in, out, (long)inl, ctx->cipher_data,
                          (DES_cblock *)ctx->iv, &ctx->num, ctx->encrypt);
        return 1;
 }
+/* Although we have a CFB-r implementation for DES, it doesn't pack the right
+   way, so wrap it here */
+static int des_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                           const unsigned char *in, unsigned int inl)
+    {
+    unsigned int n;
+    unsigned char c[1],d[1];
+    for(n=0 ; n < inl ; ++n)
+        {
+        c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
+        DES_cfb_encrypt(c,d,1,1,ctx->cipher_data,(DES_cblock *)ctx->iv,
+                        ctx->encrypt);
+        out[n/8]=(out[n/8]&~(0x80 >> (n%8)))|((d[0]&0x80) >> (n%8));
+        }
+    return 1;
+    }
+static int des_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                           const unsigned char *in, unsigned int inl)
+    {
+    DES_cfb_encrypt(in,out,8,inl,ctx->cipher_data,(DES_cblock *)ctx->iv,
+                    ctx->encrypt);
+    return 1;
+    }
 BLOCK_CIPHER_defs(des, DES_key_schedule, NID_des, 8, 8, 8, 64,
-                        0, des_init_key, NULL,
+                        EVP_CIPH_FLAG_FIPS, des_init_key, NULL,
                        EVP_CIPHER_set_asn1_iv,
                        EVP_CIPHER_get_asn1_iv,
                        NULL)
+BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,1,
+                     EVP_CIPH_FLAG_FIPS,des_init_key,NULL,
+                     EVP_CIPHER_set_asn1_iv,
+                     EVP_CIPHER_get_asn1_iv,NULL)
+BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,8,
+                     EVP_CIPH_FLAG_FIPS,des_init_key,NULL,
+                     EVP_CIPHER_set_asn1_iv,
+                     EVP_CIPHER_get_asn1_iv,NULL)
 static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                        const unsigned char *iv, int enc)
diff --git a/src/lib/libcrypto/evp/e_des3.c b/src/lib/libcrypto/evp/e_des3.c
index 077860e7b6..677322bf02 100644
--- a/src/lib/libcrypto/evp/e_des3.c
+++ b/src/lib/libcrypto/evp/e_des3.c
@@ -56,9 +56,9 @@
 * [including the GNU Public Licence.]
 */
-#ifndef OPENSSL_NO_DES
 #include <stdio.h>
 #include "cryptlib.h"
+#ifndef OPENSSL_NO_DES
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "evp_locl.h"
@@ -85,7 +85,7 @@ static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, unsigned int inl)
 {
        BLOCK_CIPHER_ecb_loop()
-                DES_ecb3_encrypt((DES_cblock *)(in + i), (DES_cblock *)(out + i), 
+                DES_ecb3_encrypt(in + i,out + i, 
                                 &data(ctx)->ks1, &data(ctx)->ks2,
                                 &data(ctx)->ks3,
                                 ctx->encrypt);
@@ -121,7 +121,7 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
        return 1;
 }
-static int des_ede_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+static int des_ede_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, unsigned int inl)
 {
        DES_ede3_cfb64_encrypt(in, out, (long)inl, 
@@ -130,23 +130,62 @@ static int des_ede_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
        return 1;
 }
+/* Although we have a CFB-r implementation for 3-DES, it doesn't pack the right
+   way, so wrap it here */
+static int des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                                const unsigned char *in, unsigned int inl)
+    {
+    unsigned int n;
+    unsigned char c[1],d[1];
+    for(n=0 ; n < inl ; ++n)
+        {
+        c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
+        DES_ede3_cfb_encrypt(c,d,1,1,
+                             &data(ctx)->ks1,&data(ctx)->ks2,&data(ctx)->ks3,
+                             (DES_cblock *)ctx->iv,ctx->encrypt);
+        out[n/8]=(out[n/8]&~(0x80 >> (n%8)))|((d[0]&0x80) >> (n%8));
+        }
+    return 1;
+    }
+static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                                const unsigned char *in, unsigned int inl)
+    {
+    DES_ede3_cfb_encrypt(in,out,8,inl,
+                         &data(ctx)->ks1,&data(ctx)->ks2,&data(ctx)->ks3,
+                         (DES_cblock *)ctx->iv,ctx->encrypt);
+    return 1;
+    }
 BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
-                        0, des_ede_init_key, NULL, 
+                        EVP_CIPH_FLAG_FIPS, des_ede_init_key, NULL, 
                        EVP_CIPHER_set_asn1_iv,
                        EVP_CIPHER_get_asn1_iv,
                        NULL)
-#define des_ede3_cfb_cipher des_ede_cfb_cipher
+#define des_ede3_cfb64_cipher des_ede_cfb64_cipher
 #define des_ede3_ofb_cipher des_ede_ofb_cipher
 #define des_ede3_cbc_cipher des_ede_cbc_cipher
 #define des_ede3_ecb_cipher des_ede_ecb_cipher
 BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
-                        0, des_ede3_init_key, NULL, 
+                        EVP_CIPH_FLAG_FIPS, des_ede3_init_key, NULL, 
                        EVP_CIPHER_set_asn1_iv,
                        EVP_CIPHER_get_asn1_iv,
                        NULL)
+BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,
+                     EVP_CIPH_FLAG_FIPS, des_ede3_init_key,NULL,
+                     EVP_CIPHER_set_asn1_iv,
+                     EVP_CIPHER_get_asn1_iv,NULL)
+BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,
+                     EVP_CIPH_FLAG_FIPS, des_ede3_init_key,NULL,
+                     EVP_CIPHER_set_asn1_iv,
+                     EVP_CIPHER_get_asn1_iv,NULL)
 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                            const unsigned char *iv, int enc)
        {
diff --git a/src/lib/libcrypto/evp/e_null.c b/src/lib/libcrypto/evp/e_null.c
index 2420d7e5af..a84b0f14b1 100644
--- a/src/lib/libcrypto/evp/e_null.c
+++ b/src/lib/libcrypto/evp/e_null.c
@@ -69,7 +69,7 @@ static const EVP_CIPHER n_cipher=
        {
        NID_undef,
        1,0,0,
-        0,
+        EVP_CIPH_FLAG_FIPS,
        null_init_key,
        null_cipher,
        NULL,
diff --git a/src/lib/libcrypto/evp/e_rc4.c b/src/lib/libcrypto/evp/e_rc4.c
index d58f507837..8aa70585b9 100644
--- a/src/lib/libcrypto/evp/e_rc4.c
+++ b/src/lib/libcrypto/evp/e_rc4.c
@@ -62,6 +62,7 @@
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
+#include "evp_locl.h"
 #include <openssl/rc4.h>
 /* FIXME: surely this is available elsewhere? */
diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h
index f9b48792ce..62d95354ef 100644
--- a/src/lib/libcrypto/evp/evp.h
+++ b/src/lib/libcrypto/evp/evp.h
@@ -75,6 +75,10 @@
 #include <openssl/bio.h>
 #endif
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
 /*
 #define EVP_RC2_KEY_SIZE                16
 #define EVP_RC4_KEY_SIZE                16
@@ -236,6 +240,7 @@ struct env_md_st
 #define EVP_MD_FLAG_ONESHOT     0x0001 /* digest can only handle a single
                                        * block */
+#define EVP_MD_FLAG_FIPS        0x0400 /* Note if suitable for use in FIPS mode */
 #define EVP_PKEY_NULL_method    NULL,NULL,{0,0,0,0}
@@ -278,6 +283,9 @@ struct env_md_ctx_st
 #define EVP_MD_CTX_FLAG_REUSE           0x0004 /* Don't free up ctx->md_data
                                                * in EVP_MD_CTX_cleanup */
+#define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW  0x0008  /* Allow use of non FIPS digest
+                                                 * in FIPS mode */
 struct evp_cipher_st
        {
        int nid;
@@ -319,6 +327,10 @@ struct evp_cipher_st
 #define         EVP_CIPH_CUSTOM_KEY_LENGTH      0x80
 /* Don't use standard block padding */
 #define         EVP_CIPH_NO_PADDING             0x100
+/* Note if suitable for use in FIPS mode */
+#define         EVP_CIPH_FLAG_FIPS              0x400
+/* Allow non FIPS cipher in FIPS mode */
+#define         EVP_CIPH_FLAG_NON_FIPS_ALLOW    0x800
 /* ctrl() values */
@@ -425,6 +437,9 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 #define EVP_CIPHER_CTX_set_app_data(e,d) ((e)->app_data=(char *)(d))
 #define EVP_CIPHER_CTX_type(c)         EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c))
 #define EVP_CIPHER_CTX_flags(e)         ((e)->cipher->flags)
+#define EVP_CIPHER_CTX_set_flags(ctx,flgs) ((ctx)->flags|=(flgs))
+#define EVP_CIPHER_CTX_clear_flags(ctx,flgs) ((ctx)->flags&=~(flgs))
+#define EVP_CIPHER_CTX_test_flags(ctx,flgs) ((ctx)->flags&(flgs))
 #define EVP_CIPHER_CTX_mode(e)          ((e)->cipher->flags & EVP_CIPH_MODE)
 #define EVP_ENCODE_LENGTH(l)    (((l+2)/3*4)+(l/48+1)*2+80)
@@ -446,6 +461,7 @@ void BIO_set_md(BIO *,const EVP_MD *md);
 #endif
 #define BIO_get_md(b,mdp)               BIO_ctrl(b,BIO_C_GET_MD,0,(char *)mdp)
 #define BIO_get_md_ctx(b,mdcp)     BIO_ctrl(b,BIO_C_GET_MD_CTX,0,(char *)mdcp)
+#define BIO_set_md_ctx(b,mdcp)     BIO_ctrl(b,BIO_C_SET_MD_CTX,0,(char *)mdcp)
 #define BIO_get_cipher_status(b)        BIO_ctrl(b,BIO_C_GET_CIPHER_STATUS,0,NULL)
 #define BIO_get_cipher_ctx(b,c_pp)      BIO_ctrl(b,BIO_C_GET_CIPHER_CTX,0,(char *)c_pp)
@@ -587,9 +603,20 @@ const EVP_CIPHER *EVP_des_ede(void);
 const EVP_CIPHER *EVP_des_ede3(void);
 const EVP_CIPHER *EVP_des_ede_ecb(void);
 const EVP_CIPHER *EVP_des_ede3_ecb(void);
-const EVP_CIPHER *EVP_des_cfb(void);
+const EVP_CIPHER *EVP_des_cfb64(void);
-const EVP_CIPHER *EVP_des_ede_cfb(void);
+# define EVP_des_cfb EVP_des_cfb64
-const EVP_CIPHER *EVP_des_ede3_cfb(void);
+const EVP_CIPHER *EVP_des_cfb1(void);
+const EVP_CIPHER *EVP_des_cfb8(void);
+const EVP_CIPHER *EVP_des_ede_cfb64(void);
+# define EVP_des_ede_cfb EVP_des_ede_cfb64
+#if 0
+const EVP_CIPHER *EVP_des_ede_cfb1(void);
+const EVP_CIPHER *EVP_des_ede_cfb8(void);
+#endif
+const EVP_CIPHER *EVP_des_ede3_cfb64(void);
+# define EVP_des_ede3_cfb EVP_des_ede3_cfb64
+const EVP_CIPHER *EVP_des_ede3_cfb1(void);
+const EVP_CIPHER *EVP_des_ede3_cfb8(void);
 const EVP_CIPHER *EVP_des_ofb(void);
 const EVP_CIPHER *EVP_des_ede_ofb(void);
 const EVP_CIPHER *EVP_des_ede3_ofb(void);
@@ -613,7 +640,8 @@ const EVP_CIPHER *EVP_rc4_40(void);
 #endif
 #ifndef OPENSSL_NO_IDEA
 const EVP_CIPHER *EVP_idea_ecb(void);
-const EVP_CIPHER *EVP_idea_cfb(void);
+const EVP_CIPHER *EVP_idea_cfb64(void);
+# define EVP_idea_cfb EVP_idea_cfb64
 const EVP_CIPHER *EVP_idea_ofb(void);
 const EVP_CIPHER *EVP_idea_cbc(void);
 #endif
@@ -622,45 +650,58 @@ const EVP_CIPHER *EVP_rc2_ecb(void);
 const EVP_CIPHER *EVP_rc2_cbc(void);
 const EVP_CIPHER *EVP_rc2_40_cbc(void);
 const EVP_CIPHER *EVP_rc2_64_cbc(void);
-const EVP_CIPHER *EVP_rc2_cfb(void);
+const EVP_CIPHER *EVP_rc2_cfb64(void);
+# define EVP_rc2_cfb EVP_rc2_cfb64
 const EVP_CIPHER *EVP_rc2_ofb(void);
 #endif
 #ifndef OPENSSL_NO_BF
 const EVP_CIPHER *EVP_bf_ecb(void);
 const EVP_CIPHER *EVP_bf_cbc(void);
-const EVP_CIPHER *EVP_bf_cfb(void);
+const EVP_CIPHER *EVP_bf_cfb64(void);
+# define EVP_bf_cfb EVP_bf_cfb64
 const EVP_CIPHER *EVP_bf_ofb(void);
 #endif
 #ifndef OPENSSL_NO_CAST
 const EVP_CIPHER *EVP_cast5_ecb(void);
 const EVP_CIPHER *EVP_cast5_cbc(void);
-const EVP_CIPHER *EVP_cast5_cfb(void);
+const EVP_CIPHER *EVP_cast5_cfb64(void);
+# define EVP_cast5_cfb EVP_cast5_cfb64
 const EVP_CIPHER *EVP_cast5_ofb(void);
 #endif
 #ifndef OPENSSL_NO_RC5
 const EVP_CIPHER *EVP_rc5_32_12_16_cbc(void);
 const EVP_CIPHER *EVP_rc5_32_12_16_ecb(void);
-const EVP_CIPHER *EVP_rc5_32_12_16_cfb(void);
+const EVP_CIPHER *EVP_rc5_32_12_16_cfb64(void);
+# define EVP_rc5_32_12_16_cfb EVP_rc5_32_12_16_cfb64
 const EVP_CIPHER *EVP_rc5_32_12_16_ofb(void);
 #endif
 #ifndef OPENSSL_NO_AES
 const EVP_CIPHER *EVP_aes_128_ecb(void);
 const EVP_CIPHER *EVP_aes_128_cbc(void);
-const EVP_CIPHER *EVP_aes_128_cfb(void);
+const EVP_CIPHER *EVP_aes_128_cfb1(void);
+const EVP_CIPHER *EVP_aes_128_cfb8(void);
+const EVP_CIPHER *EVP_aes_128_cfb128(void);
+# define EVP_aes_128_cfb EVP_aes_128_cfb128
 const EVP_CIPHER *EVP_aes_128_ofb(void);
 #if 0
 const EVP_CIPHER *EVP_aes_128_ctr(void);
 #endif
 const EVP_CIPHER *EVP_aes_192_ecb(void);
 const EVP_CIPHER *EVP_aes_192_cbc(void);
-const EVP_CIPHER *EVP_aes_192_cfb(void);
+const EVP_CIPHER *EVP_aes_192_cfb1(void);
+const EVP_CIPHER *EVP_aes_192_cfb8(void);
+const EVP_CIPHER *EVP_aes_192_cfb128(void);
+# define EVP_aes_192_cfb EVP_aes_192_cfb128
 const EVP_CIPHER *EVP_aes_192_ofb(void);
 #if 0
 const EVP_CIPHER *EVP_aes_192_ctr(void);
 #endif
 const EVP_CIPHER *EVP_aes_256_ecb(void);
 const EVP_CIPHER *EVP_aes_256_cbc(void);
-const EVP_CIPHER *EVP_aes_256_cfb(void);
+const EVP_CIPHER *EVP_aes_256_cfb1(void);
+const EVP_CIPHER *EVP_aes_256_cfb8(void);
+const EVP_CIPHER *EVP_aes_256_cfb128(void);
+# define EVP_aes_256_cfb EVP_aes_256_cfb128
 const EVP_CIPHER *EVP_aes_256_ofb(void);
 #if 0
 const EVP_CIPHER *EVP_aes_256_ctr(void);
@@ -775,13 +816,18 @@ void ERR_load_EVP_strings(void);
 /* Error codes for the EVP functions. */
 /* Function codes. */
+#define EVP_F_AES_INIT_KEY                               129
 #define EVP_F_D2I_PKEY                                   100
+#define EVP_F_EVP_ADD_CIPHER                             130
+#define EVP_F_EVP_ADD_DIGEST                             131
 #define EVP_F_EVP_CIPHERINIT                             123
 #define EVP_F_EVP_CIPHER_CTX_CTRL                        124
 #define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH              122
 #define EVP_F_EVP_DECRYPTFINAL                           101
 #define EVP_F_EVP_DIGESTINIT                             128
 #define EVP_F_EVP_ENCRYPTFINAL                           127
+#define EVP_F_EVP_GET_CIPHERBYNAME                       132
+#define EVP_F_EVP_GET_DIGESTBYNAME                       133
 #define EVP_F_EVP_MD_CTX_COPY                            110
 #define EVP_F_EVP_OPENINIT                               102
 #define EVP_F_EVP_PBE_ALG_ADD                            115
@@ -805,6 +851,7 @@ void ERR_load_EVP_strings(void);
 #define EVP_F_RC5_CTRL                                   125
 /* Reason codes. */
+#define EVP_R_AES_KEY_SETUP_FAILED                       140
 #define EVP_R_BAD_BLOCK_LENGTH                           136
 #define EVP_R_BAD_DECRYPT                                100
 #define EVP_R_BAD_KEY_LENGTH                             137
@@ -816,6 +863,7 @@ void ERR_load_EVP_strings(void);
 #define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH          138
 #define EVP_R_DECODE_ERROR                               114
 #define EVP_R_DIFFERENT_KEY_TYPES                        101
+#define EVP_R_DISABLED_FOR_FIPS                          141
 #define EVP_R_ENCODE_ERROR                               115
 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR                   119
 #define EVP_R_EXPECTING_AN_RSA_KEY                       127
diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c
index 8ea5aa935d..f549eeb437 100644
--- a/src/lib/libcrypto/evp/evp_enc.c
+++ b/src/lib/libcrypto/evp/evp_enc.c
@@ -82,6 +82,48 @@ int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
        return EVP_CipherInit_ex(ctx,cipher,NULL,key,iv,enc);
        }
+#ifdef OPENSSL_FIPS
+/* The purpose of these is to trap programs that attempt to use non FIPS
+ * algorithms in FIPS mode and ignore the errors.
+ */
+int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+            const unsigned char *iv, int enc)
+        { FIPS_ERROR_IGNORED("Cipher init"); return 0;}
+int bad_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                 const unsigned char *in, unsigned int inl)
+        { FIPS_ERROR_IGNORED("Cipher update"); return 0;}
+/* NB: no cleanup because it is allowed after failed init */
+int bad_set_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
+        { FIPS_ERROR_IGNORED("Cipher set_asn1"); return 0;}
+int bad_get_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
+        { FIPS_ERROR_IGNORED("Cipher get_asn1"); return 0;}
+int bad_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
+        { FIPS_ERROR_IGNORED("Cipher ctrl"); return 0;}
+static const EVP_CIPHER bad_cipher =
+        {
+        0,
+        0,
+        0,
+        0,
+        0,
+        bad_init,
+        bad_do_cipher,
+        NULL,
+        0,
+        bad_set_asn1,
+        bad_get_asn1,
+        bad_ctrl,
+        NULL
+        };
+#endif
 int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl,
             const unsigned char *key, const unsigned char *iv, int enc)
        {
@@ -146,7 +188,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
                else
                        ctx->engine = NULL;
 #endif
                ctx->cipher=cipher;
                if (ctx->cipher->ctx_size)
                        {
@@ -210,6 +251,24 @@ skip_to_init:
                }
        }
+#ifdef OPENSSL_FIPS
+        /* After 'key' is set no further parameters changes are permissible.
+         * So only check for non FIPS enabling at this point.
+         */
+        if (key && FIPS_mode())
+                {
+                if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
+                        & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
+                        {
+                        EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_DISABLED_FOR_FIPS);
+                        ERR_add_error_data(2, "cipher=",
+                                                EVP_CIPHER_name(ctx->cipher));
+                        ctx->cipher = &bad_cipher;
+                        return 0;
+                        }
+                }
+#endif
        if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
                if(!ctx->cipher->init(ctx,key,iv,enc)) return 0;
        }
diff --git a/src/lib/libcrypto/evp/evp_err.c b/src/lib/libcrypto/evp/evp_err.c
index 3a23d21c21..40135d0729 100644
--- a/src/lib/libcrypto/evp/evp_err.c
+++ b/src/lib/libcrypto/evp/evp_err.c
@@ -1,6 +1,6 @@
 /* crypto/evp/evp_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -66,13 +66,18 @@
 #ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA EVP_str_functs[]=
        {
+{ERR_PACK(0,EVP_F_AES_INIT_KEY,0),      "AES_INIT_KEY"},
 {ERR_PACK(0,EVP_F_D2I_PKEY,0),  "D2I_PKEY"},
+{ERR_PACK(0,EVP_F_EVP_ADD_CIPHER,0),    "EVP_add_cipher"},
+{ERR_PACK(0,EVP_F_EVP_ADD_DIGEST,0),    "EVP_add_digest"},
 {ERR_PACK(0,EVP_F_EVP_CIPHERINIT,0),    "EVP_CipherInit"},
 {ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_CTRL,0),       "EVP_CIPHER_CTX_ctrl"},
 {ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH,0),     "EVP_CIPHER_CTX_set_key_length"},
 {ERR_PACK(0,EVP_F_EVP_DECRYPTFINAL,0),  "EVP_DecryptFinal"},
 {ERR_PACK(0,EVP_F_EVP_DIGESTINIT,0),    "EVP_DigestInit"},
 {ERR_PACK(0,EVP_F_EVP_ENCRYPTFINAL,0),  "EVP_EncryptFinal"},
+{ERR_PACK(0,EVP_F_EVP_GET_CIPHERBYNAME,0),      "EVP_get_cipherbyname"},
+{ERR_PACK(0,EVP_F_EVP_GET_DIGESTBYNAME,0),      "EVP_get_digestbyname"},
 {ERR_PACK(0,EVP_F_EVP_MD_CTX_COPY,0),   "EVP_MD_CTX_copy"},
 {ERR_PACK(0,EVP_F_EVP_OPENINIT,0),      "EVP_OpenInit"},
 {ERR_PACK(0,EVP_F_EVP_PBE_ALG_ADD,0),   "EVP_PBE_alg_add"},
@@ -99,6 +104,7 @@ static ERR_STRING_DATA EVP_str_functs[]=
 static ERR_STRING_DATA EVP_str_reasons[]=
        {
+{EVP_R_AES_KEY_SETUP_FAILED              ,"aes key setup failed"},
 {EVP_R_BAD_BLOCK_LENGTH                  ,"bad block length"},
 {EVP_R_BAD_DECRYPT                       ,"bad decrypt"},
 {EVP_R_BAD_KEY_LENGTH                    ,"bad key length"},
@@ -110,6 +116,7 @@ static ERR_STRING_DATA EVP_str_reasons[]=
 {EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH ,"data not multiple of block length"},
 {EVP_R_DECODE_ERROR                      ,"decode error"},
 {EVP_R_DIFFERENT_KEY_TYPES               ,"different key types"},
+{EVP_R_DISABLED_FOR_FIPS                 ,"disabled for fips"},
 {EVP_R_ENCODE_ERROR                      ,"encode error"},
 {EVP_R_EVP_PBE_CIPHERINIT_ERROR          ,"evp pbe cipherinit error"},
 {EVP_R_EXPECTING_AN_RSA_KEY              ,"expecting an rsa key"},
diff --git a/src/lib/libcrypto/evp/evp_lib.c b/src/lib/libcrypto/evp/evp_lib.c
index 52a3b287be..a63ba19317 100644
--- a/src/lib/libcrypto/evp/evp_lib.c
+++ b/src/lib/libcrypto/evp/evp_lib.c
@@ -68,7 +68,7 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
        if (c->cipher->set_asn1_parameters != NULL)
                ret=c->cipher->set_asn1_parameters(c,type);
        else
-                ret=1;
+                return -1;
        return(ret);
        }
@@ -79,7 +79,7 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
        if (c->cipher->get_asn1_parameters != NULL)
                ret=c->cipher->get_asn1_parameters(c,type);
        else
-                ret=1;
+                return -1;
        return(ret);
        }
@@ -133,6 +133,30 @@ int EVP_CIPHER_type(const EVP_CIPHER *ctx)
                return NID_rc4;
+                case NID_aes_128_cfb128:
+                case NID_aes_128_cfb8:
+                case NID_aes_128_cfb1:
+                return NID_aes_128_cfb128;
+                case NID_aes_192_cfb128:
+                case NID_aes_192_cfb8:
+                case NID_aes_192_cfb1:
+                return NID_aes_192_cfb128;
+                case NID_aes_256_cfb128:
+                case NID_aes_256_cfb8:
+                case NID_aes_256_cfb1:
+                return NID_aes_256_cfb128;
+                case NID_des_cfb64:
+                case NID_des_cfb8:
+                case NID_des_cfb1:
+                return NID_des_cfb64;
                default:
                /* Check it has an OID and it is valid */
                otmp = OBJ_nid2obj(nid);
diff --git a/src/lib/libcrypto/evp/evp_locl.h b/src/lib/libcrypto/evp/evp_locl.h
index 4d81a3bf4c..f8c5343620 100644
--- a/src/lib/libcrypto/evp/evp_locl.h
+++ b/src/lib/libcrypto/evp/evp_locl.h
@@ -90,7 +90,7 @@ static int cname##_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const uns
 }
 #define BLOCK_CIPHER_func_cfb(cname, cprefix, cbits, kstruct, ksched) \
-static int cname##_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
+static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
 {\
        cprefix##_cfb##cbits##_encrypt(in, out, (long)inl, &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num, ctx->encrypt);\
        return 1;\
@@ -127,7 +127,7 @@ BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \
 #define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \
                             iv_len, cbits, flags, init_key, cleanup, \
                             set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def1(cname, cfb##cbits, cfb, CFB, kstruct, nid, 1, \
+BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, 1, \
                  key_len, iv_len, flags, init_key, cleanup, set_asn1, \
                  get_asn1, ctrl)
@@ -225,3 +225,28 @@ const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
                          get_asn1, ctrl)
 #define EVP_C_DATA(kstruct, ctx)        ((kstruct *)(ctx)->cipher_data)
+#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len,flags) \
+        BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
+        BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
+                             NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
+                             flags, cipher##_init_key, NULL, \
+                             EVP_CIPHER_set_asn1_iv, \
+                             EVP_CIPHER_get_asn1_iv, \
+                             NULL)
+#ifdef OPENSSL_FIPS
+#define RC2_set_key     private_RC2_set_key
+#define RC4_set_key     private_RC4_set_key
+#define CAST_set_key    private_CAST_set_key
+#define RC5_32_set_key  private_RC5_32_set_key
+#define BF_set_key      private_BF_set_key
+#define idea_set_encrypt_key private_idea_set_encrypt_key
+#define MD5_Init        private_MD5_Init
+#define MD4_Init        private_MD4_Init
+#define MD2_Init        private_MD2_Init
+#define MDC2_Init       private_MDC2_Init
+#define SHA_Init        private_SHA_Init
+#endif
diff --git a/src/lib/libcrypto/evp/evp_pkey.c b/src/lib/libcrypto/evp/evp_pkey.c
index eb481ec661..47a69932a5 100644
--- a/src/lib/libcrypto/evp/evp_pkey.c
+++ b/src/lib/libcrypto/evp/evp_pkey.c
@@ -235,7 +235,11 @@ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken)
                return NULL;
        }
        p8->broken = broken;
-        ASN1_INTEGER_set (p8->version, 0);
+        if (!ASN1_INTEGER_set(p8->version, 0)) {
+                EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                PKCS8_PRIV_KEY_INFO_free (p8);
+                return NULL;
+        }
        if (!(p8->pkeyalg->parameter = ASN1_TYPE_new ())) {
                EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
                PKCS8_PRIV_KEY_INFO_free (p8);
@@ -303,29 +307,35 @@ PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken)
 #ifndef OPENSSL_NO_DSA
 static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
 {
-        ASN1_STRING *params;
+        ASN1_STRING *params = NULL;
-        ASN1_INTEGER *prkey;
+        ASN1_INTEGER *prkey = NULL;
-        ASN1_TYPE *ttmp;
+        ASN1_TYPE *ttmp = NULL;
-        STACK_OF(ASN1_TYPE) *ndsa;
+        STACK_OF(ASN1_TYPE) *ndsa = NULL;
-        unsigned char *p, *q;
+        unsigned char *p = NULL, *q;
        int len;
        p8->pkeyalg->algorithm = OBJ_nid2obj(NID_dsa);
        len = i2d_DSAparams (pkey->pkey.dsa, NULL);
        if (!(p = OPENSSL_malloc(len))) {
                EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
-                PKCS8_PRIV_KEY_INFO_free (p8);
+                goto err;
-                return 0;
        }
        q = p;
        i2d_DSAparams (pkey->pkey.dsa, &q);
-        params = ASN1_STRING_new();
+        if (!(params = ASN1_STRING_new())) {
-        ASN1_STRING_set(params, p, len);
+                EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
+        if (!ASN1_STRING_set(params, p, len)) {
+                EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
        OPENSSL_free(p);
+        p = NULL;
        /* Get private key into integer */
        if (!(prkey = BN_to_ASN1_INTEGER (pkey->pkey.dsa->priv_key, NULL))) {
                EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
-                return 0;
+                goto err;
        }
        switch(p8->broken) {
@@ -336,12 +346,13 @@ static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
                if (!ASN1_pack_string((char *)prkey, i2d_ASN1_INTEGER,
                                         &p8->pkey->value.octet_string)) {
                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
-                        M_ASN1_INTEGER_free (prkey);
+                        goto err;
-                        return 0;
                }
                M_ASN1_INTEGER_free (prkey);
+                prkey = NULL;
                p8->pkeyalg->parameter->value.sequence = params;
+                params = NULL;
                p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE;
                break;
@@ -349,32 +360,51 @@ static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
                case PKCS8_NS_DB:
                p8->pkeyalg->parameter->value.sequence = params;
+                params = NULL;
                p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE;
-                ndsa = sk_ASN1_TYPE_new_null();
+                if (!(ndsa = sk_ASN1_TYPE_new_null())) {
-                ttmp = ASN1_TYPE_new();
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
-                if (!(ttmp->value.integer = BN_to_ASN1_INTEGER (pkey->pkey.dsa->pub_key, NULL))) {
+                        goto err;
+                }
+                if (!(ttmp = ASN1_TYPE_new())) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                if (!(ttmp->value.integer =
+                        BN_to_ASN1_INTEGER(pkey->pkey.dsa->pub_key, NULL))) {
                        EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
-                        PKCS8_PRIV_KEY_INFO_free(p8);
+                        goto err;
-                        return 0;
                }
                ttmp->type = V_ASN1_INTEGER;
-                sk_ASN1_TYPE_push(ndsa, ttmp);
+                if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
-                ttmp = ASN1_TYPE_new();
+                if (!(ttmp = ASN1_TYPE_new())) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
                ttmp->value.integer = prkey;
+                prkey = NULL;
                ttmp->type = V_ASN1_INTEGER;
-                sk_ASN1_TYPE_push(ndsa, ttmp);
+                if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                ttmp = NULL;
-                p8->pkey->value.octet_string = ASN1_OCTET_STRING_new();
+                if (!(p8->pkey->value.octet_string = ASN1_OCTET_STRING_new())) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
                if (!ASN1_seq_pack_ASN1_TYPE(ndsa, i2d_ASN1_TYPE,
                                         &p8->pkey->value.octet_string->data,
                                         &p8->pkey->value.octet_string->length)) {
                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
-                        sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
+                        goto err;
-                        M_ASN1_INTEGER_free(prkey);
-                        return 0;
                }
                sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
                break;
@@ -382,31 +412,57 @@ static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
                case PKCS8_EMBEDDED_PARAM:
                p8->pkeyalg->parameter->type = V_ASN1_NULL;
-                ndsa = sk_ASN1_TYPE_new_null();
+                if (!(ndsa = sk_ASN1_TYPE_new_null())) {
-                ttmp = ASN1_TYPE_new();
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                if (!(ttmp = ASN1_TYPE_new())) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
                ttmp->value.sequence = params;
+                params = NULL;
                ttmp->type = V_ASN1_SEQUENCE;
-                sk_ASN1_TYPE_push(ndsa, ttmp);
+                if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
-                ttmp = ASN1_TYPE_new();
+                if (!(ttmp = ASN1_TYPE_new())) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
                ttmp->value.integer = prkey;
+                prkey = NULL;
                ttmp->type = V_ASN1_INTEGER;
-                sk_ASN1_TYPE_push(ndsa, ttmp);
+                if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                ttmp = NULL;
-                p8->pkey->value.octet_string = ASN1_OCTET_STRING_new();
+                if (!(p8->pkey->value.octet_string = ASN1_OCTET_STRING_new())) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
                if (!ASN1_seq_pack_ASN1_TYPE(ndsa, i2d_ASN1_TYPE,
                                         &p8->pkey->value.octet_string->data,
                                         &p8->pkey->value.octet_string->length)) {
                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
-                        sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
+                        goto err;
-                        M_ASN1_INTEGER_free (prkey);
-                        return 0;
                }
                sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
                break;
        }
        return 1;
+err:
+        if (p != NULL) OPENSSL_free(p);
+        if (params != NULL) ASN1_STRING_free(params);
+        if (prkey != NULL) M_ASN1_INTEGER_free(prkey);
+        if (ttmp != NULL) ASN1_TYPE_free(ttmp);
+        if (ndsa != NULL) sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
+        return 0;
 }
 #endif
diff --git a/src/lib/libcrypto/evp/evp_test.c b/src/lib/libcrypto/evp/evp_test.c
index 28460173f7..a624cfd248 100644
--- a/src/lib/libcrypto/evp/evp_test.c
+++ b/src/lib/libcrypto/evp/evp_test.c
@@ -136,7 +136,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
                  const unsigned char *iv,int in,
                  const unsigned char *plaintext,int pn,
                  const unsigned char *ciphertext,int cn,
-                  int encdec)
+                  int encdec,int multiplier)
    {
    EVP_CIPHER_CTX ctx;
    unsigned char out[4096];
@@ -162,22 +162,25 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
        if(!EVP_EncryptInit_ex(&ctx,c,NULL,key,iv))
            {
            fprintf(stderr,"EncryptInit failed\n");
+            ERR_print_errors_fp(stderr);
            test1_exit(10);
            }
        EVP_CIPHER_CTX_set_padding(&ctx,0);
-        if(!EVP_EncryptUpdate(&ctx,out,&outl,plaintext,pn))
+        if(!EVP_EncryptUpdate(&ctx,out,&outl,plaintext,pn*multiplier))
            {
            fprintf(stderr,"Encrypt failed\n");
+            ERR_print_errors_fp(stderr);
            test1_exit(6);
            }
        if(!EVP_EncryptFinal_ex(&ctx,out+outl,&outl2))
            {
            fprintf(stderr,"EncryptFinal failed\n");
+            ERR_print_errors_fp(stderr);
            test1_exit(7);
            }
-        if(outl+outl2 != cn)
+        if(outl+outl2 != cn*multiplier)
            {
            fprintf(stderr,"Ciphertext length mismatch got %d expected %d\n",
                    outl+outl2,cn);
@@ -198,22 +201,25 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
        if(!EVP_DecryptInit_ex(&ctx,c,NULL,key,iv))
            {
            fprintf(stderr,"DecryptInit failed\n");
+            ERR_print_errors_fp(stderr);
            test1_exit(11);
            }
        EVP_CIPHER_CTX_set_padding(&ctx,0);
-        if(!EVP_DecryptUpdate(&ctx,out,&outl,ciphertext,cn))
+        if(!EVP_DecryptUpdate(&ctx,out,&outl,ciphertext,cn*multiplier))
            {
            fprintf(stderr,"Decrypt failed\n");
+            ERR_print_errors_fp(stderr);
            test1_exit(6);
            }
        if(!EVP_DecryptFinal_ex(&ctx,out+outl,&outl2))
            {
            fprintf(stderr,"DecryptFinal failed\n");
+            ERR_print_errors_fp(stderr);
            test1_exit(7);
            }
-        if(outl+outl2 != cn)
+        if(outl+outl2 != cn*multiplier)
            {
            fprintf(stderr,"Plaintext length mismatch got %d expected %d\n",
                    outl+outl2,cn);
@@ -238,7 +244,7 @@ static int test_cipher(const char *cipher,const unsigned char *key,int kn,
                       const unsigned char *iv,int in,
                       const unsigned char *plaintext,int pn,
                       const unsigned char *ciphertext,int cn,
-                       int encdec)
+                       int encdec,int multiplier)
    {
    const EVP_CIPHER *c;
@@ -246,7 +252,7 @@ static int test_cipher(const char *cipher,const unsigned char *key,int kn,
    if(!c)
        return 0;
-    test1(c,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec);
+    test1(c,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec,multiplier);
    return 1;
    }
@@ -272,16 +278,19 @@ static int test_digest(const char *digest,
    if(!EVP_DigestInit_ex(&ctx,d, NULL))
        {
        fprintf(stderr,"DigestInit failed\n");
+        ERR_print_errors_fp(stderr);
        EXIT(100);
        }
    if(!EVP_DigestUpdate(&ctx,plaintext,pn))
        {
        fprintf(stderr,"DigestUpdate failed\n");
+        ERR_print_errors_fp(stderr);
        EXIT(101);
        }
    if(!EVP_DigestFinal_ex(&ctx,md,&mdn))
        {
        fprintf(stderr,"DigestFinal failed\n");
+        ERR_print_errors_fp(stderr);
        EXIT(101);
        }
    EVP_MD_CTX_cleanup(&ctx);
@@ -359,6 +368,7 @@ int main(int argc,char **argv)
        unsigned char *iv,*key,*plaintext,*ciphertext;
        int encdec;
        int kn,in,pn,cn;
+        int multiplier=1;
        if(!fgets((char *)line,sizeof line,f))
            break;
@@ -383,7 +393,15 @@ int main(int argc,char **argv)
        pn=convert(plaintext);
        cn=convert(ciphertext);
-        if(!test_cipher(cipher,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec)
+        if(strchr(cipher,'*'))
+            {
+            p=cipher;
+            sstrsep(&p,"*");
+            multiplier=atoi(sstrsep(&p,"*"));
+            }
+        if(!test_cipher(cipher,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec,
+                        multiplier)
           && !test_digest(cipher,plaintext,pn,ciphertext,cn))
            {
            fprintf(stderr,"Can't find %s\n",cipher);
diff --git a/src/lib/libcrypto/evp/evptests.txt b/src/lib/libcrypto/evp/evptests.txt
index 80bd9c7765..dfe91a5bc0 100644
--- a/src/lib/libcrypto/evp/evptests.txt
+++ b/src/lib/libcrypto/evp/evptests.txt
@@ -92,7 +92,102 @@ AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000
 AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:F58C4C04D6E5F1BA779EABFB5F7BFBD6:AE2D8A571E03AC9C9EB76FAC45AF8E51:9CFC4E967EDB808D679F777BC6702C7D
 AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:9CFC4E967EDB808D679F777BC6702C7D:30C81C46A35CE411E5FBC1191A0A52EF:39F23369A9D9BACFA530E26304231461
 AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:39F23369A9D9BACFA530E26304231461:F69F2445DF4F9B17AD2B417BE66C3710:B2EB05E2C39BE9FCDA6C19078C6A9D1B
-# We don't support CFB{1,8}-AESxxx.{En,De}crypt
+# CFB1-AES128.Encrypt
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00020406080a0c0e10121416181a1c1e:80:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0004080c1014181c2024282c3034383d:80:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0008101820283038404850586068707b:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00102030405060708090a0b0c0d0e0f6:80:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0020406080a0c0e10121416181a1c1ed:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:004080c1014181c2024282c3034383da:80:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:008101820283038404850586068707b4:80:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f68:80:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:020406080a0c0e10121416181a1c1ed1:80:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:04080c1014181c2024282c3034383da2:00:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:08101820283038404850586068707b45:00:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:102030405060708090a0b0c0d0e0f68b:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:20406080a0c0e10121416181a1c1ed16:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:4080c1014181c2024282c3034383da2c:00:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:8101820283038404850586068707b459:80:80:1
+# all of the above packed into one...
+# in: 0110 1011 1100 0001 = 6bc1
+# out: 0110 1000 1011 0011 = 68b3
+AES-128-CFB1*8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1:68b3:1
+# CFB1-AES128.Decrypt
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00020406080a0c0e10121416181a1c1e:80:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0004080c1014181c2024282c3034383d:80:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0008101820283038404850586068707b:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00102030405060708090a0b0c0d0e0f6:80:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0020406080a0c0e10121416181a1c1ed:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:004080c1014181c2024282c3034383da:80:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:008101820283038404850586068707b4:80:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f68:80:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:020406080a0c0e10121416181a1c1ed1:80:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:04080c1014181c2024282c3034383da2:00:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:08101820283038404850586068707b45:00:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:102030405060708090a0b0c0d0e0f68b:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:20406080a0c0e10121416181a1c1ed16:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:4080c1014181c2024282c3034383da2c:00:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:8101820283038404850586068707b459:80:80:0
+# all of the above packed into one...
+# in: 0110 1000 1011 0011 = 68b3
+# out: 0110 1011 1100 0001 = 6bc1
+AES-128-CFB1*8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1:68b3:0
+# TODO: CFB1-AES192 and 256
+# CFB8-AES128.Encrypt
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6b:3b:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f3b:c1:79:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:02030405060708090a0b0c0d0e0f3b79:be:42:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:030405060708090a0b0c0d0e0f3b7942:e2:4c:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0405060708090a0b0c0d0e0f3b79424c:2e:9c:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:05060708090a0b0c0d0e0f3b79424c9c:40:0d:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:060708090a0b0c0d0e0f3b79424c9c0d:9f:d4:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0708090a0b0c0d0e0f3b79424c9c0dd4:96:36:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:08090a0b0c0d0e0f3b79424c9c0dd436:e9:ba:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:090a0b0c0d0e0f3b79424c9c0dd436ba:3d:ce:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0a0b0c0d0e0f3b79424c9c0dd436bace:7e:9e:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0b0c0d0e0f3b79424c9c0dd436bace9e:11:0e:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0c0d0e0f3b79424c9c0dd436bace9e0e:73:d4:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0d0e0f3b79424c9c0dd436bace9e0ed4:93:58:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0e0f3b79424c9c0dd436bace9e0ed458:17:6a:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0f3b79424c9c0dd436bace9e0ed4586a:2a:4f:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:3b79424c9c0dd436bace9e0ed4586a4f:ae:32:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:79424c9c0dd436bace9e0ed4586a4f32:2d:b9:1
+# all of the above packed into one
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1bee22e409f96e93d7e117393172aae2d:3b79424c9c0dd436bace9e0ed4586a4f32b9:1
+# CFB8-AES128.Decrypt
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6b:3b:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f3b:c1:79:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:02030405060708090a0b0c0d0e0f3b79:be:42:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:030405060708090a0b0c0d0e0f3b7942:e2:4c:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0405060708090a0b0c0d0e0f3b79424c:2e:9c:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:05060708090a0b0c0d0e0f3b79424c9c:40:0d:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:060708090a0b0c0d0e0f3b79424c9c0d:9f:d4:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0708090a0b0c0d0e0f3b79424c9c0dd4:96:36:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:08090a0b0c0d0e0f3b79424c9c0dd436:e9:ba:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:090a0b0c0d0e0f3b79424c9c0dd436ba:3d:ce:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0a0b0c0d0e0f3b79424c9c0dd436bace:7e:9e:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0b0c0d0e0f3b79424c9c0dd436bace9e:11:0e:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0c0d0e0f3b79424c9c0dd436bace9e0e:73:d4:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0d0e0f3b79424c9c0dd436bace9e0ed4:93:58:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0e0f3b79424c9c0dd436bace9e0ed458:17:6a:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0f3b79424c9c0dd436bace9e0ed4586a:2a:4f:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:3b79424c9c0dd436bace9e0ed4586a4f:ae:32:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:79424c9c0dd436bace9e0ed4586a4f32:2d:b9:0
+# all of the above packed into one
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1bee22e409f96e93d7e117393172aae2d:3b79424c9c0dd436bace9e0ed4586a4f32b9:0
+# TODO: 192 and 256 bit keys
 # For all CFB128 encrypts and decrypts, the transformed sequence is
 #   AES-bits-CFB:key:IV/ciphertext':plaintext:ciphertext:encdec
 # CFB128-AES128.Encrypt 
@@ -174,6 +269,16 @@ DESX-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363
 # DES EDE3 CBC tests (from destest)
 DES-EDE3-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363534333231204E6F77206973207468652074696D6520666F722000000000:3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
+# DES CFB1 from FIPS 81
+# plaintext: 0100 1110 0110 1111 0111 0111 = 4e6f77
+# ciphertext: 1100 1101 0001 1110 1100 1001 = cd1ec9
+DES-CFB1*8:0123456789abcdef:1234567890abcdef:4e6f77:cd1ec9
+# DES CFB8 from FIPS 81
+DES-CFB8:0123456789abcdef:1234567890abcdef:4e6f7720697320746865:f31fda07011462ee187f
 # RC4 tests (from rc4test)
 RC4:0123456789abcdef0123456789abcdef::0123456789abcdef:75b7878099e0c596
 RC4:0123456789abcdef0123456789abcdef::0000000000000000:7494c2e7104b0879
diff --git a/src/lib/libcrypto/evp/m_dss.c b/src/lib/libcrypto/evp/m_dss.c
index beb8d7fc5c..d393eb3400 100644
--- a/src/lib/libcrypto/evp/m_dss.c
+++ b/src/lib/libcrypto/evp/m_dss.c
@@ -77,7 +77,7 @@ static const EVP_MD dsa_md=
        NID_dsaWithSHA,
        NID_dsaWithSHA,
        SHA_DIGEST_LENGTH,
-        0,
+        EVP_MD_FLAG_FIPS,
        init,
        update,
        final,
diff --git a/src/lib/libcrypto/evp/m_md2.c b/src/lib/libcrypto/evp/m_md2.c
index 50914c83b3..0df48e5199 100644
--- a/src/lib/libcrypto/evp/m_md2.c
+++ b/src/lib/libcrypto/evp/m_md2.c
@@ -60,6 +60,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
+#include "evp_locl.h"
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/md2.h>
diff --git a/src/lib/libcrypto/evp/m_md4.c b/src/lib/libcrypto/evp/m_md4.c
index e19b663754..0605e4b707 100644
--- a/src/lib/libcrypto/evp/m_md4.c
+++ b/src/lib/libcrypto/evp/m_md4.c
@@ -60,6 +60,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
+#include "evp_locl.h"
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/md4.h>
diff --git a/src/lib/libcrypto/evp/m_md5.c b/src/lib/libcrypto/evp/m_md5.c
index b00a03e048..752615d473 100644
--- a/src/lib/libcrypto/evp/m_md5.c
+++ b/src/lib/libcrypto/evp/m_md5.c
@@ -60,6 +60,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
+#include "evp_locl.h"
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/md5.h>
diff --git a/src/lib/libcrypto/evp/m_mdc2.c b/src/lib/libcrypto/evp/m_mdc2.c
index 9f6467c931..62de1336b8 100644
--- a/src/lib/libcrypto/evp/m_mdc2.c
+++ b/src/lib/libcrypto/evp/m_mdc2.c
@@ -60,6 +60,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
+#include "evp_locl.h"
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/mdc2.h>
diff --git a/src/lib/libcrypto/evp/m_sha.c b/src/lib/libcrypto/evp/m_sha.c
index 10697c7ed3..d1785e5f74 100644
--- a/src/lib/libcrypto/evp/m_sha.c
+++ b/src/lib/libcrypto/evp/m_sha.c
@@ -56,10 +56,11 @@
 * [including the GNU Public Licence.]
 */
-#ifndef OPENSSL_NO_SHA
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0)
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
+#include "evp_locl.h"
 #include <openssl/objects.h>
 #include <openssl/x509.h>
diff --git a/src/lib/libcrypto/evp/m_sha1.c b/src/lib/libcrypto/evp/m_sha1.c
index d6be3502f0..fe4402389a 100644
--- a/src/lib/libcrypto/evp/m_sha1.c
+++ b/src/lib/libcrypto/evp/m_sha1.c
@@ -77,7 +77,7 @@ static const EVP_MD sha1_md=
        NID_sha1,
        NID_sha1WithRSAEncryption,
        SHA_DIGEST_LENGTH,
-        0,
+        EVP_MD_FLAG_FIPS,
        init,
        update,
        final,
diff --git a/src/lib/libcrypto/evp/names.c b/src/lib/libcrypto/evp/names.c
index eb9f4329cd..7712453046 100644
--- a/src/lib/libcrypto/evp/names.c
+++ b/src/lib/libcrypto/evp/names.c
@@ -61,6 +61,9 @@
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
 int EVP_add_cipher(const EVP_CIPHER *c)
        {
diff --git a/src/lib/libcrypto/hmac/hmac.c b/src/lib/libcrypto/hmac/hmac.c
index 4c91f919d5..06ee80761f 100644
--- a/src/lib/libcrypto/hmac/hmac.c
+++ b/src/lib/libcrypto/hmac/hmac.c
@@ -77,6 +77,15 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
        if (key != NULL)
                {
+#ifdef OPENSSL_FIPS
+                if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS)
+                && (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
+                 || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
+                 || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
+                OpenSSLDie(__FILE__,__LINE__,
+                        "HMAC: digest not allowed in FIPS mode");
+#endif
+                
                reset=1;
                j=EVP_MD_block_size(md);
                OPENSSL_assert(j <= sizeof ctx->key);
@@ -171,3 +180,10 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
        return(md);
        }
+void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
+        {
+        EVP_MD_CTX_set_flags(&ctx->i_ctx, flags);
+        EVP_MD_CTX_set_flags(&ctx->o_ctx, flags);
+        EVP_MD_CTX_set_flags(&ctx->md_ctx, flags);
+        }
diff --git a/src/lib/libcrypto/hmac/hmac.h b/src/lib/libcrypto/hmac/hmac.h
index 0364a1fcbd..294ab3b36a 100644
--- a/src/lib/libcrypto/hmac/hmac.h
+++ b/src/lib/libcrypto/hmac/hmac.h
@@ -98,6 +98,7 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
                    const unsigned char *d, int n, unsigned char *md,
                    unsigned int *md_len);
+void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags);
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/idea/idea.h b/src/lib/libcrypto/idea/idea.h
index 67132414ee..bf41844fd7 100644
--- a/src/lib/libcrypto/idea/idea.h
+++ b/src/lib/libcrypto/idea/idea.h
@@ -82,6 +82,10 @@ typedef struct idea_key_st
 const char *idea_options(void);
 void idea_ecb_encrypt(const unsigned char *in, unsigned char *out,
        IDEA_KEY_SCHEDULE *ks);
+#ifdef OPENSSL_FIPS
+void private_idea_set_encrypt_key(const unsigned char *key,
+                                                IDEA_KEY_SCHEDULE *ks);
+#endif
 void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
 void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk);
 void idea_cbc_encrypt(const unsigned char *in, unsigned char *out,
diff --git a/src/lib/libcrypto/md2/md2.h b/src/lib/libcrypto/md2/md2.h
index ad9241455c..d0ef9da08e 100644
--- a/src/lib/libcrypto/md2/md2.h
+++ b/src/lib/libcrypto/md2/md2.h
@@ -80,6 +80,9 @@ typedef struct MD2state_st
        } MD2_CTX;
 const char *MD2_options(void);
+#ifdef OPENSSL_FIPS
+int private_MD2_Init(MD2_CTX *c);
+#endif
 int MD2_Init(MD2_CTX *c);
 int MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len);
 int MD2_Final(unsigned char *md, MD2_CTX *c);
diff --git a/src/lib/libcrypto/md2/md2_dgst.c b/src/lib/libcrypto/md2/md2_dgst.c
index ecb64f0ec4..8124acd687 100644
--- a/src/lib/libcrypto/md2/md2_dgst.c
+++ b/src/lib/libcrypto/md2/md2_dgst.c
@@ -62,6 +62,8 @@
 #include <openssl/md2.h>
 #include <openssl/opensslv.h>
 #include <openssl/crypto.h>
+#include <openssl/fips.h>
+#include <openssl/err.h>
 const char *MD2_version="MD2" OPENSSL_VERSION_PTEXT;
@@ -116,7 +118,7 @@ const char *MD2_options(void)
                return("md2(int)");
        }
-int MD2_Init(MD2_CTX *c)
+FIPS_NON_FIPS_MD_Init(MD2)
        {
        c->num=0;
        memset(c->state,0,sizeof c->state);
diff --git a/src/lib/libcrypto/md32_common.h b/src/lib/libcrypto/md32_common.h
index 573850b122..733da6acaf 100644
--- a/src/lib/libcrypto/md32_common.h
+++ b/src/lib/libcrypto/md32_common.h
@@ -128,6 +128,10 @@
 *                                      <appro@fy.chalmers.se>
 */
+#include <openssl/crypto.h>
+#include <openssl/fips.h>
+#include <openssl/err.h>
 #if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
 #error "DATA_ORDER must be defined!"
 #endif
@@ -207,7 +211,7 @@
                                : "cc");                \
                           ret;                         \
                        })
-#  elif defined(__powerpc) || defined(__ppc)
+#  elif defined(__powerpc) || defined(__ppc__) || defined(__powerpc64__)
 #   define ROTATE(a,n)  ({ register unsigned int ret;   \
                                asm (                   \
                                "rlwinm %0,%1,%2,0,31"  \
@@ -555,6 +559,14 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c)
        static const unsigned char end[4]={0x80,0x00,0x00,0x00};
        const unsigned char *cp=end;
+#if 0
+        if(FIPS_mode() && !FIPS_md5_allowed())
+            {
+            FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD);
+            return 0;
+            }
+#endif
        /* c->num should definitly have room for at least one more byte. */
        p=c->data;
        i=c->num>>2;
diff --git a/src/lib/libcrypto/md4/md4.h b/src/lib/libcrypto/md4/md4.h
index 7a7b23682f..7e761efb62 100644
--- a/src/lib/libcrypto/md4/md4.h
+++ b/src/lib/libcrypto/md4/md4.h
@@ -104,6 +104,9 @@ typedef struct MD4state_st
        int num;
        } MD4_CTX;
+#ifdef OPENSSL_FIPS
+int private_MD4_Init(MD4_CTX *c);
+#endif
 int MD4_Init(MD4_CTX *c);
 int MD4_Update(MD4_CTX *c, const void *data, unsigned long len);
 int MD4_Final(unsigned char *md, MD4_CTX *c);
diff --git a/src/lib/libcrypto/md4/md4_dgst.c b/src/lib/libcrypto/md4/md4_dgst.c
index 7afb7185b6..ee7cc72262 100644
--- a/src/lib/libcrypto/md4/md4_dgst.c
+++ b/src/lib/libcrypto/md4/md4_dgst.c
@@ -70,7 +70,7 @@ const char *MD4_version="MD4" OPENSSL_VERSION_PTEXT;
 #define INIT_DATA_C (unsigned long)0x98badcfeL
 #define INIT_DATA_D (unsigned long)0x10325476L
-int MD4_Init(MD4_CTX *c)
+FIPS_NON_FIPS_MD_Init(MD4)
        {
        c->A=INIT_DATA_A;
        c->B=INIT_DATA_B;
diff --git a/src/lib/libcrypto/md5/md5.h b/src/lib/libcrypto/md5/md5.h
index a252e02115..c663dd1816 100644
--- a/src/lib/libcrypto/md5/md5.h
+++ b/src/lib/libcrypto/md5/md5.h
@@ -104,6 +104,9 @@ typedef struct MD5state_st
        int num;
        } MD5_CTX;
+#ifdef OPENSSL_FIPS
+int private_MD5_Init(MD5_CTX *c);
+#endif
 int MD5_Init(MD5_CTX *c);
 int MD5_Update(MD5_CTX *c, const void *data, unsigned long len);
 int MD5_Final(unsigned char *md, MD5_CTX *c);
diff --git a/src/lib/libcrypto/md5/md5_dgst.c b/src/lib/libcrypto/md5/md5_dgst.c
index 9c7abc3697..54b33c6509 100644
--- a/src/lib/libcrypto/md5/md5_dgst.c
+++ b/src/lib/libcrypto/md5/md5_dgst.c
@@ -70,7 +70,7 @@ const char *MD5_version="MD5" OPENSSL_VERSION_PTEXT;
 #define INIT_DATA_C (unsigned long)0x98badcfeL
 #define INIT_DATA_D (unsigned long)0x10325476L
-int MD5_Init(MD5_CTX *c)
+FIPS_NON_FIPS_MD_Init(MD5)
        {
        c->A=INIT_DATA_A;
        c->B=INIT_DATA_B;
diff --git a/src/lib/libcrypto/mdc2/Makefile b/src/lib/libcrypto/mdc2/Makefile
new file mode 100644
index 0000000000..38c785bf95
--- /dev/null
+++ b/src/lib/libcrypto/mdc2/Makefile
@@ -0,0 +1,98 @@
+#
+# SSLeay/crypto/mdc2/Makefile
+#
+DIR=    mdc2
+TOP=    ../..
+CC=     cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
+MAKEFILE=       Makefile
+AR=             ar r
+CFLAGS= $(INCLUDES) $(CFLAG)
+GENERAL=Makefile
+TEST= mdc2test.c
+APPS=
+LIB=$(TOP)/libcrypto.a
+LIBSRC=mdc2dgst.c mdc2_one.c
+LIBOBJ=mdc2dgst.o mdc2_one.o
+SRC= $(LIBSRC)
+EXHEADER= mdc2.h
+HEADER= $(EXHEADER)
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+top:
+        (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+all:    lib
+lib:    $(LIBOBJ)
+        $(AR) $(LIB) $(LIBOBJ)
+        $(RANLIB) $(LIB) || echo Never mind.
+        @touch lib
+files:
+        $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+links:
+        @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+        @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+        @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+install:
+        @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
+        do  \
+        (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+        done;
+tags:
+        ctags $(SRC)
+tests:
+lint:
+        lint -DLINT $(INCLUDES) $(SRC)>fluff
+depend:
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+dclean:
+        $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+        mv -f Makefile.new $(MAKEFILE)
+clean:
+        rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+mdc2_one.o: ../../e_os.h ../../include/openssl/bio.h
+mdc2_one.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+mdc2_one.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+mdc2_one.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+mdc2_one.o: ../../include/openssl/lhash.h ../../include/openssl/mdc2.h
+mdc2_one.o: ../../include/openssl/opensslconf.h
+mdc2_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+mdc2_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+mdc2_one.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+mdc2_one.o: ../cryptlib.h mdc2_one.c
+mdc2dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+mdc2dgst.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+mdc2dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+mdc2dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+mdc2dgst.o: ../../include/openssl/mdc2.h ../../include/openssl/opensslconf.h
+mdc2dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+mdc2dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+mdc2dgst.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+mdc2dgst.o: mdc2dgst.c
diff --git a/src/lib/libcrypto/mdc2/mdc2.h b/src/lib/libcrypto/mdc2/mdc2.h
index 793a8a0f13..4cba101f37 100644
--- a/src/lib/libcrypto/mdc2/mdc2.h
+++ b/src/lib/libcrypto/mdc2/mdc2.h
@@ -80,7 +80,9 @@ typedef struct mdc2_ctx_st
        int pad_type; /* either 1 or 2, default 1 */
        } MDC2_CTX;
+#ifdef OPENSSL_FIPS
+int private_MDC2_Init(MDC2_CTX *c);
+#endif
 int MDC2_Init(MDC2_CTX *c);
 int MDC2_Update(MDC2_CTX *c, const unsigned char *data, unsigned long len);
 int MDC2_Final(unsigned char *md, MDC2_CTX *c);
diff --git a/src/lib/libcrypto/o_time.c b/src/lib/libcrypto/o_time.c
index 785468131e..e29091d650 100644
--- a/src/lib/libcrypto/o_time.c
+++ b/src/lib/libcrypto/o_time.c
@@ -114,16 +114,28 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
                        return NULL;
                logvalue[reslen] = '\0';
+                t = *timer;
+/* The following is extracted from the DEC C header time.h */
+/*
+**  Beginning in OpenVMS Version 7.0 mktime, time, ctime, strftime
+**  have two implementations.  One implementation is provided
+**  for compatibility and deals with time in terms of local time,
+**  the other __utc_* deals with time in terms of UTC.
+*/
+/* We use the same conditions as in said time.h to check if we should
+   assume that t contains local time (and should therefore be adjusted)
+   or UTC (and should therefore be left untouched). */
+#if __CRTL_VER < 70000000 || defined _VMS_V6_SOURCE
                /* Get the numerical value of the equivalence string */
                status = atoi(logvalue);
                /* and use it to move time to GMT */
-                t = *timer - status;
+                t -= status;
+#endif
                /* then convert the result to the time structure */
-#ifndef OPENSSL_THREADS
-                ts=(struct tm *)localtime(&t);
-#else
                /* Since there was no gmtime_r() to do this stuff for us,
                   we have to do it the hard way. */
                {
@@ -198,7 +210,6 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
                result->tm_isdst = 0; /* There's no way to know... */
                ts = result;
-#endif
                }
                }
 #endif
diff --git a/src/lib/libcrypto/objects/o_names.c b/src/lib/libcrypto/objects/o_names.c
index b4453b4a98..28c9370ca3 100644
--- a/src/lib/libcrypto/objects/o_names.c
+++ b/src/lib/libcrypto/objects/o_names.c
@@ -2,6 +2,7 @@
 #include <stdlib.h>
 #include <string.h>
+#include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/objects.h>
 #include <openssl/safestack.h>
@@ -80,7 +81,11 @@ int OBJ_NAME_new_index(unsigned long (*hash_func)(const char *),
                MemCheck_off();
                name_funcs = OPENSSL_malloc(sizeof(NAME_FUNCS));
                MemCheck_on();
-                if (!name_funcs) return(0);
+                if (!name_funcs)
+                        {
+                        OBJerr(OBJ_F_OBJ_NAME_NEW_INDEX,ERR_R_MALLOC_FAILURE);
+                        return(0);
+                        }
                name_funcs->hash_func = lh_strhash;
                name_funcs->cmp_func = OPENSSL_strcmp;
                name_funcs->free_func = 0; /* NULL is often declared to
diff --git a/src/lib/libcrypto/objects/obj_dat.c b/src/lib/libcrypto/objects/obj_dat.c
index 4534dc0985..f549d078ef 100644
--- a/src/lib/libcrypto/objects/obj_dat.c
+++ b/src/lib/libcrypto/objects/obj_dat.c
@@ -236,13 +236,13 @@ int OBJ_add_object(const ASN1_OBJECT *obj)
        if (added == NULL)
                if (!init_added()) return(0);
        if ((o=OBJ_dup(obj)) == NULL) goto err;
-        if (!(ao[ADDED_NID]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err;
+        if (!(ao[ADDED_NID]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
        if ((o->length != 0) && (obj->data != NULL))
-                ao[ADDED_DATA]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ));
+                if (!(ao[ADDED_DATA]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
        if (o->sn != NULL)
-                ao[ADDED_SNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ));
+                if (!(ao[ADDED_SNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
        if (o->ln != NULL)
-                ao[ADDED_LNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ));
+                if (!(ao[ADDED_LNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
        for (i=ADDED_DATA; i<=ADDED_NID; i++)
                {
@@ -260,6 +260,8 @@ int OBJ_add_object(const ASN1_OBJECT *obj)
                        ASN1_OBJECT_FLAG_DYNAMIC_DATA);
        return(o->nid);
+err2:
+        OBJerr(OBJ_F_OBJ_ADD_OBJECT,ERR_R_MALLOC_FAILURE);
 err:
        for (i=ADDED_DATA; i<=ADDED_NID; i++)
                if (ao[i] != NULL) OPENSSL_free(ao[i]);
@@ -648,7 +650,7 @@ int OBJ_create(const char *oid, const char *sn, const char *ln)
        if ((buf=(unsigned char *)OPENSSL_malloc(i)) == NULL)
                {
-                OBJerr(OBJ_F_OBJ_CREATE,OBJ_R_MALLOC_FAILURE);
+                OBJerr(OBJ_F_OBJ_CREATE,ERR_R_MALLOC_FAILURE);
                return(0);
                }
        i=a2d_ASN1_OBJECT(buf,i,oid,-1);
diff --git a/src/lib/libcrypto/objects/obj_err.c b/src/lib/libcrypto/objects/obj_err.c
index 80ab6855af..2b5f43e3cc 100644
--- a/src/lib/libcrypto/objects/obj_err.c
+++ b/src/lib/libcrypto/objects/obj_err.c
@@ -1,6 +1,6 @@
 /* crypto/objects/obj_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -66,8 +66,10 @@
 #ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA OBJ_str_functs[]=
        {
+{ERR_PACK(0,OBJ_F_OBJ_ADD_OBJECT,0),    "OBJ_add_object"},
 {ERR_PACK(0,OBJ_F_OBJ_CREATE,0),        "OBJ_create"},
 {ERR_PACK(0,OBJ_F_OBJ_DUP,0),   "OBJ_dup"},
+{ERR_PACK(0,OBJ_F_OBJ_NAME_NEW_INDEX,0),        "OBJ_NAME_new_index"},
 {ERR_PACK(0,OBJ_F_OBJ_NID2LN,0),        "OBJ_nid2ln"},
 {ERR_PACK(0,OBJ_F_OBJ_NID2OBJ,0),       "OBJ_nid2obj"},
 {ERR_PACK(0,OBJ_F_OBJ_NID2SN,0),        "OBJ_nid2sn"},
diff --git a/src/lib/libcrypto/objects/obj_mac.num b/src/lib/libcrypto/objects/obj_mac.num
index 9838072b65..0e64a929ba 100644
--- a/src/lib/libcrypto/objects/obj_mac.num
+++ b/src/lib/libcrypto/objects/obj_mac.num
@@ -647,3 +647,21 @@ joint_iso_itu_t		646
 international_organizations             647
 ms_smartcard_login              648
 ms_upn          649
+aes_128_cfb1            650
+aes_192_cfb1            651
+aes_256_cfb1            652
+aes_128_cfb8            653
+aes_192_cfb8            654
+aes_256_cfb8            655
+des_cfb1                656
+des_cfb8                657
+des_ede3_cfb1           658
+des_ede3_cfb8           659
+streetAddress           660
+postalCode              661
+id_ppl          662
+proxyCertInfo           663
+id_ppl_anyLanguage              664
+id_ppl_inheritAll               665
+id_ppl_independent              666
+Independent             667
diff --git a/src/lib/libcrypto/objects/objects.h b/src/lib/libcrypto/objects/objects.h
index de10532813..f859d859b8 100644
--- a/src/lib/libcrypto/objects/objects.h
+++ b/src/lib/libcrypto/objects/objects.h
@@ -1026,8 +1026,10 @@ void ERR_load_OBJ_strings(void);
 /* Error codes for the OBJ functions. */
 /* Function codes. */
+#define OBJ_F_OBJ_ADD_OBJECT                             105
 #define OBJ_F_OBJ_CREATE                                 100
 #define OBJ_F_OBJ_DUP                                    101
+#define OBJ_F_OBJ_NAME_NEW_INDEX                         106
 #define OBJ_F_OBJ_NID2LN                                 102
 #define OBJ_F_OBJ_NID2OBJ                                103
 #define OBJ_F_OBJ_NID2SN                                 104
diff --git a/src/lib/libcrypto/objects/objects.txt b/src/lib/libcrypto/objects/objects.txt
index 3ba11f65cc..50e9031e61 100644
--- a/src/lib/libcrypto/objects/objects.txt
+++ b/src/lib/libcrypto/objects/objects.txt
@@ -312,6 +312,7 @@ id-pkix 9		: id-pda
 id-pkix 10              : id-aca
 id-pkix 11              : id-qcs
 id-pkix 12              : id-cct
+id-pkix 21              : id-ppl
 id-pkix 48              : id-ad
 # PKIX Modules
@@ -346,6 +347,7 @@ id-pe 9			: sbqp-routerIdentifier
 id-pe 10                : ac-proxying
 !Cname sinfo-access
 id-pe 11                : subjectInfoAccess     : Subject Information Access
+id-pe 14                : proxyCertInfo         : Proxy Certificate Information
 # PKIX policyQualifiers for Internet policy qualifiers
 id-qt 1                 : id-qt-cps             : Policy Qualifier CPS
@@ -461,6 +463,11 @@ id-cct 1		: id-cct-crs
 id-cct 2                : id-cct-PKIData
 id-cct 3                : id-cct-PKIResponse
+# Predefined Proxy Certificate policy languages
+id-ppl 0                : id-ppl-anyLanguage    : Any language
+id-ppl 1                : id-ppl-inheritAll     : Inherit all
+id-ppl 2                : id-ppl-independent    : Independent
 # access descriptors for authority info access extension
 !Cname ad-OCSP
 id-ad 1                 : OCSP                  : OCSP
@@ -536,10 +543,12 @@ X509 5			: 			: serialNumber
 X509 6                  : C                     : countryName
 X509 7                  : L                     : localityName
 X509 8                  : ST                    : stateOrProvinceName
+X509 9                  :                       : streetAddress
 X509 10                 : O                     : organizationName
 X509 11                 : OU                    : organizationalUnitName
 X509 12                 :                       : title
 X509 13                 :                       : description
+X509 17                 :                       : postalCode
 X509 41                 : name                  : name
 X509 42                 : GN                    : givenName
 X509 43                 :                       : initials
@@ -681,6 +690,19 @@ aes 43			: AES-256-OFB		: aes-256-ofb
 !Cname aes-256-cfb128
 aes 44                  : AES-256-CFB           : aes-256-cfb
+# There are no OIDs for these modes...
+                        : AES-128-CFB1          : aes-128-cfb1
+                        : AES-192-CFB1          : aes-192-cfb1
+                        : AES-256-CFB1          : aes-256-cfb1
+                        : AES-128-CFB8          : aes-128-cfb8
+                        : AES-192-CFB8          : aes-192-cfb8
+                        : AES-256-CFB8          : aes-256-cfb8
+                        : DES-CFB1              : des-cfb1
+                        : DES-CFB8              : des-cfb8
+                        : DES-EDE3-CFB1         : des-ede3-cfb1
+                        : DES-EDE3-CFB8         : des-ede3-cfb8
 # Hold instruction CRL entry extension
 !Cname hold-instruction-code
 id-ce 23                : holdInstructionCode   : Hold Instruction Code
diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h
index 02f1710fb3..5d5f688edd 100644
--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -25,8 +25,12 @@
 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
 *  major minor fix final patch/beta)
 */
-#define OPENSSL_VERSION_NUMBER  0x0090704fL
+#define OPENSSL_VERSION_NUMBER  0x0090707fL
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7d 17 Mar 2004"
+#ifdef OPENSSL_FIPS
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7g-fips 11 Apr 2005"
+#else
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7g 11 Apr 2005"
+#endif
 #define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
diff --git a/src/lib/libcrypto/pem/pem_all.c b/src/lib/libcrypto/pem/pem_all.c
index e72b7134ce..07963314c9 100644
--- a/src/lib/libcrypto/pem/pem_all.c
+++ b/src/lib/libcrypto/pem/pem_all.c
@@ -64,6 +64,7 @@
 #include <openssl/x509.h>
 #include <openssl/pkcs7.h>
 #include <openssl/pem.h>
+#include <openssl/fips.h>
 #ifndef OPENSSL_NO_RSA
 static RSA *pkey_get_rsa(EVP_PKEY *key, RSA **rsa);
@@ -128,7 +129,49 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb,
 #endif
+#ifdef OPENSSL_FIPS
+int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+                return 0;
+        EVP_PKEY_set1_RSA(k, x);
+        ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+}
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+                return 0;
+        EVP_PKEY_set1_RSA(k, x);
+        ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+}
+#endif
+#else
 IMPLEMENT_PEM_write_cb(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
+#endif
 IMPLEMENT_PEM_rw(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
 IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
@@ -158,7 +201,48 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb,
        return pkey_get_dsa(pktmp, dsa);
 }
+#ifdef OPENSSL_FIPS
+int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+                return 0;
+        EVP_PKEY_set1_DSA(k, x);
+        ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+}
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+                return 0;
+        EVP_PKEY_set1_DSA(k, x);
+        ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+}
+#endif
+#else
 IMPLEMENT_PEM_write_cb(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
+#endif
 IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
 #ifndef OPENSSL_NO_FP_API
@@ -190,7 +274,42 @@ IMPLEMENT_PEM_rw(DHparams, DH, PEM_STRING_DHPARAMS, DHparams)
 * (When reading, parameter PEM_STRING_EVP_PKEY is a wildcard for anything
 * appropriate.)
 */
+#ifdef OPENSSL_FIPS
+int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+        {
+                if (FIPS_mode())
+                        return PEM_write_bio_PKCS8PrivateKey(bp, x, enc,
+                                                (char *)kstr, klen, cb, u);
+                else
+                        return PEM_ASN1_write_bio((int (*)())i2d_PrivateKey,
+                (((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA),
+                        bp,(char *)x,enc,kstr,klen,cb,u);
+        }
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+        {
+                if (FIPS_mode())
+                        return PEM_write_PKCS8PrivateKey(fp, x, enc,
+                                                (char *)kstr, klen, cb, u);
+                else
+                        return PEM_ASN1_write((int (*)())i2d_PrivateKey,
+                (((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA),
+                        fp,(char *)x,enc,kstr,klen,cb,u);
+        }
+#endif
+#else
 IMPLEMENT_PEM_write_cb(PrivateKey, EVP_PKEY, ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA), PrivateKey)
+#endif
 IMPLEMENT_PEM_rw(PUBKEY, EVP_PKEY, PEM_STRING_PUBLIC, PUBKEY)
diff --git a/src/lib/libcrypto/pem/pem_lib.c b/src/lib/libcrypto/pem/pem_lib.c
index 7785039b99..82815067b3 100644
--- a/src/lib/libcrypto/pem/pem_lib.c
+++ b/src/lib/libcrypto/pem/pem_lib.c
@@ -73,7 +73,7 @@ const char *PEM_version="PEM" OPENSSL_VERSION_PTEXT;
 #define MIN_LENGTH      4
-static int load_iv(unsigned char **fromp,unsigned char *to, int num);
+static int load_iv(char **fromp,unsigned char *to, int num);
 static int check_pem(const char *nm, const char *name);
 int PEM_def_callback(char *buf, int num, int w, void *key)
@@ -301,7 +301,7 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
        if ((dsize=i2d(x,NULL)) < 0)
                {
-                PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_MALLOC_FAILURE);
+                PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_ASN1_LIB);
                dsize=0;
                goto err;
                }
@@ -432,6 +432,7 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
        int o;
        const EVP_CIPHER *enc=NULL;
        char *p,c;
+        char **header_pp = &header;
        cipher->cipher=NULL;
        if ((header == NULL) || (*header == '\0') || (*header == '\n'))
@@ -478,15 +479,16 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
                PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO,PEM_R_UNSUPPORTED_ENCRYPTION);
                return(0);
                }
-        if (!load_iv((unsigned char **)&header,&(cipher->iv[0]),enc->iv_len)) return(0);
+        if (!load_iv(header_pp,&(cipher->iv[0]),enc->iv_len))
+                return(0);
        return(1);
        }
-static int load_iv(unsigned char **fromp, unsigned char *to, int num)
+static int load_iv(char **fromp, unsigned char *to, int num)
        {
        int v,i;
-        unsigned char *from;
+        char *from;
        from= *fromp;
        for (i=0; i<num; i++) to[i]=0;
@@ -623,6 +625,9 @@ int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data,
        dataB=BUF_MEM_new();
        if ((nameB == NULL) || (headerB == NULL) || (dataB == NULL))
                {
+                BUF_MEM_free(nameB);
+                BUF_MEM_free(headerB);
+                BUF_MEM_free(dataB);
                PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE);
                return(0);
                }
diff --git a/src/lib/libcrypto/pem/pem_pkey.c b/src/lib/libcrypto/pem/pem_pkey.c
index f77c949e87..9ecdbd5419 100644
--- a/src/lib/libcrypto/pem/pem_pkey.c
+++ b/src/lib/libcrypto/pem/pem_pkey.c
@@ -104,6 +104,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, vo
                if (klen <= 0) {
                        PEMerr(PEM_F_PEM_ASN1_READ_BIO,
                                        PEM_R_BAD_PASSWORD_READ);
+                        X509_SIG_free(p8);
                        goto err;
                }
                p8inf = PKCS8_decrypt(p8, psbuf, klen);
diff --git a/src/lib/libcrypto/perlasm/x86asm.pl b/src/lib/libcrypto/perlasm/x86asm.pl
index 7c675e3ced..60233f80e8 100644
--- a/src/lib/libcrypto/perlasm/x86asm.pl
+++ b/src/lib/libcrypto/perlasm/x86asm.pl
@@ -130,4 +130,6 @@ BSDI - a.out with a very primative version of as.
 EOF
        }
+sub main'align() {} # swallow align statements in 0.9.7 context
 1;
diff --git a/src/lib/libcrypto/perlasm/x86ms.pl b/src/lib/libcrypto/perlasm/x86ms.pl
index fbb4afb9bd..b6bd744057 100644
--- a/src/lib/libcrypto/perlasm/x86ms.pl
+++ b/src/lib/libcrypto/perlasm/x86ms.pl
@@ -160,6 +160,7 @@ sub main'not	{ &out1("not",@_); }
 sub main'call   { &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); }
 sub main'ret    { &out0("ret"); }
 sub main'nop    { &out0("nop"); }
+sub main'movz   { &out2("movzx",@_); }
 sub out2
        {
diff --git a/src/lib/libcrypto/perlasm/x86nasm.pl b/src/lib/libcrypto/perlasm/x86nasm.pl
index 30346af4ea..5009acb4b3 100644
--- a/src/lib/libcrypto/perlasm/x86nasm.pl
+++ b/src/lib/libcrypto/perlasm/x86nasm.pl
@@ -86,7 +86,7 @@ sub get_mem
        {
        my($size,$addr,$reg1,$reg2,$idx)=@_;
        my($t,$post);
-        my($ret)="[";
+        my($ret)="$size [";
        $addr =~ s/^\s+//;
        if ($addr =~ /^(.+)\+(.+)$/)
                {
@@ -169,6 +169,7 @@ sub main'not	{ &out1("not",@_); }
 sub main'call   { &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); }
 sub main'ret    { &out0("ret"); }
 sub main'nop    { &out0("nop"); }
+sub main'movz   { &out2("movzx",@_); }
 sub out2
        {
@@ -176,6 +177,11 @@ sub out2
        my($l,$t);
        push(@out,"\t$name\t");
+        if ($name eq "lea")
+                {
+                $p1 =~ s/^[^\[]*\[/\[/;
+                $p2 =~ s/^[^\[]*\[/\[/;
+                }
        $t=&conv($p1).",";
        $l=length($t);
        push(@out,$t);
diff --git a/src/lib/libcrypto/perlasm/x86unix.pl b/src/lib/libcrypto/perlasm/x86unix.pl
index 53ad5f4927..9717d18557 100644
--- a/src/lib/libcrypto/perlasm/x86unix.pl
+++ b/src/lib/libcrypto/perlasm/x86unix.pl
@@ -143,12 +143,12 @@ sub main'shl	{ &out2("sall",@_); }
 sub main'shr    { &out2("shrl",@_); }
 sub main'xor    { &out2("xorl",@_); }
 sub main'xorb   { &out2("xorb",@_); }
-sub main'add    { &out2("addl",@_); }
+sub main'add    { &out2($_[0]=~/%[a-d][lh]/?"addb":"addl",@_); }
 sub main'adc    { &out2("adcl",@_); }
 sub main'sub    { &out2("subl",@_); }
 sub main'rotl   { &out2("roll",@_); }
 sub main'rotr   { &out2("rorl",@_); }
-sub main'exch   { &out2("xchg",@_); }
+sub main'exch   { &out2($_[0]=~/%[a-d][lh]/?"xchgb":"xchgl",@_); }
 sub main'cmp    { &out2("cmpl",@_); }
 sub main'lea    { &out2("leal",@_); }
 sub main'mul    { &out1("mull",@_); }
@@ -170,7 +170,7 @@ sub main'jc	{ &out1("jc",@_); }
 sub main'jnc    { &out1("jnc",@_); }
 sub main'jno    { &out1("jno",@_); }
 sub main'dec    { &out1("decl",@_); }
-sub main'inc    { &out1("incl",@_); }
+sub main'inc    { &out1($_[0]=~/%[a-d][hl]/?"incb":"incl",@_); }
 sub main'push   { &out1("pushl",@_); $stack+=4; }
 sub main'pop    { &out1("popl",@_); $stack-=4; }
 sub main'pushf  { &out0("pushf"); $stack+=4; }
@@ -179,6 +179,7 @@ sub main'not	{ &out1("notl",@_); }
 sub main'call   { &out1("call",($_[0]=~/^\.L/?'':$under).$_[0]); }
 sub main'ret    { &out0("ret"); }
 sub main'nop    { &out0("nop"); }
+sub main'movz   { &out2("movzbl",@_); }
 # The bswapl instruction is new for the 486. Emulate if i386.
 sub main'bswap
diff --git a/src/lib/libcrypto/pkcs12/p12_crpt.c b/src/lib/libcrypto/pkcs12/p12_crpt.c
index 5e8958612b..003ec7a33e 100644
--- a/src/lib/libcrypto/pkcs12/p12_crpt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crpt.c
@@ -88,7 +88,7 @@ int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
                ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de)
 {
        PBEPARAM *pbe;
-        int saltlen, iter;
+        int saltlen, iter, ret;
        unsigned char *salt, *pbuf;
        unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
@@ -117,8 +117,8 @@ int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
                return 0;
        }
        PBEPARAM_free(pbe);
-        EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
+        ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
        OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
        OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
-        return 1;
+        return ret;
 }
diff --git a/src/lib/libcrypto/pkcs12/p12_init.c b/src/lib/libcrypto/pkcs12/p12_init.c
index eb837a78cf..5276b12669 100644
--- a/src/lib/libcrypto/pkcs12/p12_init.c
+++ b/src/lib/libcrypto/pkcs12/p12_init.c
@@ -76,15 +76,17 @@ PKCS12 *PKCS12_init (int mode)
                        if (!(pkcs12->authsafes->d.data =
                                 M_ASN1_OCTET_STRING_new())) {
                        PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
-                        return NULL;
+                        goto err;
                }
                break;
                default:
-                        PKCS12err(PKCS12_F_PKCS12_INIT,PKCS12_R_UNSUPPORTED_PKCS12_MODE);
+                        PKCS12err(PKCS12_F_PKCS12_INIT,
-                        PKCS12_free(pkcs12);
+                                PKCS12_R_UNSUPPORTED_PKCS12_MODE);
-                        return NULL;
+                        goto err;
-                break;
        }
                
        return pkcs12;
+err:
+        if (pkcs12 != NULL) PKCS12_free(pkcs12);
+        return NULL;
 }
diff --git a/src/lib/libcrypto/pkcs12/p12_kiss.c b/src/lib/libcrypto/pkcs12/p12_kiss.c
index 885087ad00..2b31999e11 100644
--- a/src/lib/libcrypto/pkcs12/p12_kiss.c
+++ b/src/lib/libcrypto/pkcs12/p12_kiss.c
@@ -249,14 +249,26 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
                if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
                                                                 return 1;
                if (!(x509 = PKCS12_certbag2x509(bag))) return 0;
-                if(ckid) X509_keyid_set1(x509, ckid->data, ckid->length);
+                if(ckid)
+                        {
+                        if (!X509_keyid_set1(x509, ckid->data, ckid->length))
+                                {
+                                X509_free(x509);
+                                return 0;
+                                }
+                        }
                if(fname) {
-                        int len;
+                        int len, r;
                        unsigned char *data;
                        len = ASN1_STRING_to_UTF8(&data, fname);
                        if(len > 0) {
-                                X509_alias_set1(x509, data, len);
+                                r = X509_alias_set1(x509, data, len);
                                OPENSSL_free(data);
+                                if (!r)
+                                        {
+                                        X509_free(x509);
+                                        return 0;
+                                        }
                        }
                }
diff --git a/src/lib/libcrypto/pkcs12/p12_mutl.c b/src/lib/libcrypto/pkcs12/p12_mutl.c
index 0fb67f74b8..4886b9b289 100644
--- a/src/lib/libcrypto/pkcs12/p12_mutl.c
+++ b/src/lib/libcrypto/pkcs12/p12_mutl.c
@@ -148,7 +148,10 @@ int PKCS12_setup_mac (PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
                        PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
                        return 0;
                }
-                ASN1_INTEGER_set(p12->mac->iter, iter);
+                if (!ASN1_INTEGER_set(p12->mac->iter, iter)) {
+                        PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
        }
        if (!saltlen) saltlen = PKCS12_SALT_LEN;
        p12->mac->salt->length = saltlen;
diff --git a/src/lib/libcrypto/pkcs7/pk7_attr.c b/src/lib/libcrypto/pkcs7/pk7_attr.c
index 5ff5a88b5c..039141027a 100644
--- a/src/lib/libcrypto/pkcs7/pk7_attr.c
+++ b/src/lib/libcrypto/pkcs7/pk7_attr.c
@@ -3,7 +3,7 @@
 * project 2001.
 */
 /* ====================================================================
- * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2001-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -94,17 +94,18 @@ int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK_OF(X509_ALGOR) *cap)
 }
 STACK_OF(X509_ALGOR) *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si)
-{
+        {
        ASN1_TYPE *cap;
        unsigned char *p;
        cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities);
-        if (!cap) return NULL;
+        if (!cap || (cap->type != V_ASN1_SEQUENCE))
+                return NULL;
        p = cap->value.sequence->data;
        return d2i_ASN1_SET_OF_X509_ALGOR(NULL, &p,
                                          cap->value.sequence->length,
                                          d2i_X509_ALGOR, X509_ALGOR_free,
                                          V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-}
+        }
 /* Basic smime-capabilities OID and optional integer arg */
 int PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int arg)
diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c
index b78e22819c..4ac29ae14d 100644
--- a/src/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/src/lib/libcrypto/pkcs7/pk7_doit.c
@@ -239,7 +239,13 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
                                OPENSSL_free(tmp);
                                goto err;
                                }
-                        M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj);
+                        if (!M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj))
+                                {
+                                PKCS7err(PKCS7_F_PKCS7_DATAINIT,
+                                        ERR_R_MALLOC_FAILURE);
+                                OPENSSL_free(tmp);
+                                goto err;
+                                }
                        }
                OPENSSL_free(tmp);
                OPENSSL_cleanse(key, keylen);
@@ -520,12 +526,20 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
        case NID_pkcs7_signedAndEnveloped:
                /* XXXXXXXXXXXXXXXX */
                si_sk=p7->d.signed_and_enveloped->signer_info;
-                os=M_ASN1_OCTET_STRING_new();
+                if (!(os=M_ASN1_OCTET_STRING_new()))
+                        {
+                        PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
                p7->d.signed_and_enveloped->enc_data->enc_data=os;
                break;
        case NID_pkcs7_enveloped:
                /* XXXXXXXXXXXXXXXX */
-                os=M_ASN1_OCTET_STRING_new();
+                if (!(os=M_ASN1_OCTET_STRING_new()))
+                        {
+                        PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
                p7->d.enveloped->enc_data->enc_data=os;
                break;
        case NID_pkcs7_signed:
@@ -599,7 +613,12 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                                if (!PKCS7_get_signed_attribute(si,
                                                        NID_pkcs9_signingTime))
                                        {
-                                        sign_time=X509_gmtime_adj(NULL,0);
+                                        if (!(sign_time=X509_gmtime_adj(NULL,0)))
+                                                {
+                                                PKCS7err(PKCS7_F_PKCS7_DATASIGN,
+                                                        ERR_R_MALLOC_FAILURE);
+                                                goto err;
+                                                }
                                        PKCS7_add_signed_attribute(si,
                                                NID_pkcs9_signingTime,
                                                V_ASN1_UTCTIME,sign_time);
@@ -608,8 +627,19 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                                /* Add digest */
                                md_tmp=EVP_MD_CTX_md(&ctx_tmp);
                                EVP_DigestFinal_ex(&ctx_tmp,md_data,&md_len);
-                                digest=M_ASN1_OCTET_STRING_new();
+                                if (!(digest=M_ASN1_OCTET_STRING_new()))
-                                M_ASN1_OCTET_STRING_set(digest,md_data,md_len);
+                                        {
+                                        PKCS7err(PKCS7_F_PKCS7_DATASIGN,
+                                                ERR_R_MALLOC_FAILURE);
+                                        goto err;
+                                        }
+                                if (!M_ASN1_OCTET_STRING_set(digest,md_data,
+                                                                md_len))
+                                        {
+                                        PKCS7err(PKCS7_F_PKCS7_DATASIGN,
+                                                ERR_R_MALLOC_FAILURE);
+                                        goto err;
+                                        }
                                PKCS7_add_signed_attribute(si,
                                        NID_pkcs9_messageDigest,
                                        V_ASN1_OCTET_STRING,digest);
diff --git a/src/lib/libcrypto/pkcs7/pk7_lib.c b/src/lib/libcrypto/pkcs7/pk7_lib.c
index 985b07245c..ee1817c7af 100644
--- a/src/lib/libcrypto/pkcs7/pk7_lib.c
+++ b/src/lib/libcrypto/pkcs7/pk7_lib.c
@@ -164,7 +164,12 @@ int PKCS7_set_type(PKCS7 *p7, int type)
                p7->type=obj;
                if ((p7->d.sign=PKCS7_SIGNED_new()) == NULL)
                        goto err;
-                ASN1_INTEGER_set(p7->d.sign->version,1);
+                if (!ASN1_INTEGER_set(p7->d.sign->version,1))
+                        {
+                        PKCS7_SIGNED_free(p7->d.sign);
+                        p7->d.sign=NULL;
+                        goto err;
+                        }
                break;
        case NID_pkcs7_data:
                p7->type=obj;
@@ -176,6 +181,8 @@ int PKCS7_set_type(PKCS7 *p7, int type)
                if ((p7->d.signed_and_enveloped=PKCS7_SIGN_ENVELOPE_new())
                        == NULL) goto err;
                ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1);
+                if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1))
+                        goto err;
                p7->d.signed_and_enveloped->enc_data->content_type
                                                = OBJ_nid2obj(NID_pkcs7_data);
                break;
@@ -183,7 +190,8 @@ int PKCS7_set_type(PKCS7 *p7, int type)
                p7->type=obj;
                if ((p7->d.enveloped=PKCS7_ENVELOPE_new())
                        == NULL) goto err;
-                ASN1_INTEGER_set(p7->d.enveloped->version,0);
+                if (!ASN1_INTEGER_set(p7->d.enveloped->version,0))
+                        goto err;
                p7->d.enveloped->enc_data->content_type
                                                = OBJ_nid2obj(NID_pkcs7_data);
                break;
@@ -191,7 +199,8 @@ int PKCS7_set_type(PKCS7 *p7, int type)
                p7->type=obj;
                if ((p7->d.encrypted=PKCS7_ENCRYPT_new())
                        == NULL) goto err;
-                ASN1_INTEGER_set(p7->d.encrypted->version,0);
+                if (!ASN1_INTEGER_set(p7->d.encrypted->version,0))
+                        goto err;
                p7->d.encrypted->enc_data->content_type
                                                = OBJ_nid2obj(NID_pkcs7_data);
                break;
@@ -318,15 +327,18 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
        if (pkey->type == EVP_PKEY_DSA) is_dsa = 1;
        else is_dsa = 0;
        /* We now need to add another PKCS7_SIGNER_INFO entry */
-        ASN1_INTEGER_set(p7i->version,1);
+        if (!ASN1_INTEGER_set(p7i->version,1))
-        X509_NAME_set(&p7i->issuer_and_serial->issuer,
+                goto err;
-                X509_get_issuer_name(x509));
+        if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
+                        X509_get_issuer_name(x509)))
+                goto err;
        /* because ASN1_INTEGER_set is used to set a 'long' we will do
         * things the ugly way. */
        M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
-        p7i->issuer_and_serial->serial=
+        if (!(p7i->issuer_and_serial->serial=
-                M_ASN1_INTEGER_dup(X509_get_serialNumber(x509));
+                        M_ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
+                goto err;
        /* lets keep the pkey around for a while */
        CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
@@ -423,16 +435,20 @@ int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri)
 int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
        {
-        ASN1_INTEGER_set(p7i->version,0);
+        if (!ASN1_INTEGER_set(p7i->version,0))
-        X509_NAME_set(&p7i->issuer_and_serial->issuer,
+                return 0;
-                X509_get_issuer_name(x509));
+        if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
+                X509_get_issuer_name(x509)))
+                return 0;
        M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
-        p7i->issuer_and_serial->serial=
+        if (!(p7i->issuer_and_serial->serial=
-                M_ASN1_INTEGER_dup(X509_get_serialNumber(x509));
+                M_ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
+                return 0;
        X509_ALGOR_free(p7i->key_enc_algor);
-        p7i->key_enc_algor= X509_ALGOR_dup(x509->cert_info->key->algor);
+        if (!(p7i->key_enc_algor= X509_ALGOR_dup(x509->cert_info->key->algor)))
+                return 0;
        CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
        p7i->cert=x509;
diff --git a/src/lib/libcrypto/pkcs7/pk7_smime.c b/src/lib/libcrypto/pkcs7/pk7_smime.c
index 6e5735de11..a852b49235 100644
--- a/src/lib/libcrypto/pkcs7/pk7_smime.c
+++ b/src/lib/libcrypto/pkcs7/pk7_smime.c
@@ -155,7 +155,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
        char buf[4096];
        int i, j=0, k, ret = 0;
        BIO *p7bio;
-        BIO *tmpout;
+        BIO *tmpin, *tmpout;
        if(!p7) {
                PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_INVALID_NULL_POINTER);
@@ -228,7 +228,30 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
                /* Check for revocation status here */
        }
-        p7bio=PKCS7_dataInit(p7,indata);
+        /* Performance optimization: if the content is a memory BIO then
+         * store its contents in a temporary read only memory BIO. This
+         * avoids potentially large numbers of slow copies of data which will
+         * occur when reading from a read write memory BIO when signatures
+         * are calculated.
+         */
+        if (indata && (BIO_method_type(indata) == BIO_TYPE_MEM))
+                {
+                char *ptr;
+                long len;
+                len = BIO_get_mem_data(indata, &ptr);
+                tmpin = BIO_new_mem_buf(ptr, len);
+                if (tmpin == NULL)
+                        {
+                        PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                        }
+                }
+        else
+                tmpin = indata;
+                
+        p7bio=PKCS7_dataInit(p7,tmpin);
        if(flags & PKCS7_TEXT) {
                if(!(tmpout = BIO_new(BIO_s_mem()))) {
@@ -270,9 +293,15 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
        ret = 1;
        err:
+        
+        if (tmpin == indata)
+                {
+                if(indata) BIO_pop(p7bio);
+                BIO_free_all(p7bio);
+                }
+        else
+                BIO_free_all(tmpin);
-        if(indata) BIO_pop(p7bio);
-        BIO_free_all(p7bio);
        sk_X509_free(signers);
        return ret;
@@ -296,10 +325,6 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)
                PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_WRONG_CONTENT_TYPE);
                return NULL;
        }
-        if(!(signers = sk_X509_new_null())) {
-                PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,ERR_R_MALLOC_FAILURE);
-                return NULL;
-        }
        /* Collect all the signers together */
@@ -310,6 +335,11 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)
                return 0;
        }
+        if(!(signers = sk_X509_new_null())) {
+                PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
        for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++)
        {
            si = sk_PKCS7_SIGNER_INFO_value(sinfos, i);
diff --git a/src/lib/libcrypto/rand/md_rand.c b/src/lib/libcrypto/rand/md_rand.c
index eeffc0df4c..c84968df88 100644
--- a/src/lib/libcrypto/rand/md_rand.c
+++ b/src/lib/libcrypto/rand/md_rand.c
@@ -126,6 +126,7 @@
 #include <openssl/crypto.h>
 #include <openssl/err.h>
+#include <openssl/fips.h>
 #ifdef BN_DEBUG
 # define PREDICT
@@ -332,6 +333,14 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 #endif
        int do_stir_pool = 0;
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode())
+            {
+            FIPSerr(FIPS_F_SSLEAY_RAND_BYTES,FIPS_R_NON_FIPS_METHOD);
+            return 0;
+            }
+#endif
 #ifdef PREDICT
        if (rand_predictable)
                {
diff --git a/src/lib/libcrypto/rand/rand.h b/src/lib/libcrypto/rand/rand.h
index 606382dd21..604df9be6c 100644
--- a/src/lib/libcrypto/rand/rand.h
+++ b/src/lib/libcrypto/rand/rand.h
@@ -71,6 +71,10 @@
 extern "C" {
 #endif
+#if defined(OPENSSL_FIPS)
+#define FIPS_RAND_SIZE_T int
+#endif
 typedef struct rand_meth_st
        {
        void (*seed)(const void *buf, int num);
@@ -121,11 +125,17 @@ void ERR_load_RAND_strings(void);
 /* Error codes for the RAND functions. */
 /* Function codes. */
+#define RAND_F_FIPS_RAND_BYTES                           102
 #define RAND_F_RAND_GET_RAND_METHOD                      101
 #define RAND_F_SSLEAY_RAND_BYTES                         100
 /* Reason codes. */
+#define RAND_R_NON_FIPS_METHOD                           101
+#define RAND_R_PRNG_ASKING_FOR_TOO_MUCH                  105
+#define RAND_R_PRNG_NOT_REKEYED                          103
+#define RAND_R_PRNG_NOT_RESEEDED                         104
 #define RAND_R_PRNG_NOT_SEEDED                           100
+#define RAND_R_PRNG_STUCK                                102
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/rand/rand_egd.c b/src/lib/libcrypto/rand/rand_egd.c
index 6f742900a0..cd666abfcb 100644
--- a/src/lib/libcrypto/rand/rand_egd.c
+++ b/src/lib/libcrypto/rand/rand_egd.c
@@ -95,7 +95,7 @@
 *   RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255.
 */
-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS)
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_VOS)
 int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
        {
        return(-1);
@@ -216,7 +216,9 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
            while (numbytes != 1)
                {
                num = read(fd, egdbuf, 1);
-                if (num >= 0)
+                if (num == 0)
+                        goto err;       /* descriptor closed */
+                else if (num > 0)
                    numbytes += num;
                else
                    {
@@ -246,7 +248,9 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
            while (numbytes != egdbuf[0])
                {
                num = read(fd, retrievebuf + numbytes, egdbuf[0] - numbytes);
-                if (num >= 0)
+                if (num == 0)
+                        goto err;       /* descriptor closed */
+                else if (num > 0)
                    numbytes += num;
                else
                    {
diff --git a/src/lib/libcrypto/rand/rand_err.c b/src/lib/libcrypto/rand/rand_err.c
index b77267e213..95574659ac 100644
--- a/src/lib/libcrypto/rand/rand_err.c
+++ b/src/lib/libcrypto/rand/rand_err.c
@@ -1,6 +1,6 @@
 /* crypto/rand/rand_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -66,6 +66,7 @@
 #ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA RAND_str_functs[]=
        {
+{ERR_PACK(0,RAND_F_FIPS_RAND_BYTES,0),  "FIPS_RAND_BYTES"},
 {ERR_PACK(0,RAND_F_RAND_GET_RAND_METHOD,0),     "RAND_get_rand_method"},
 {ERR_PACK(0,RAND_F_SSLEAY_RAND_BYTES,0),        "SSLEAY_RAND_BYTES"},
 {0,NULL}
@@ -73,7 +74,12 @@ static ERR_STRING_DATA RAND_str_functs[]=
 static ERR_STRING_DATA RAND_str_reasons[]=
        {
+{RAND_R_NON_FIPS_METHOD                  ,"non fips method"},
+{RAND_R_PRNG_ASKING_FOR_TOO_MUCH         ,"prng asking for too much"},
+{RAND_R_PRNG_NOT_REKEYED                 ,"prng not rekeyed"},
+{RAND_R_PRNG_NOT_RESEEDED                ,"prng not reseeded"},
 {RAND_R_PRNG_NOT_SEEDED                  ,"PRNG not seeded"},
+{RAND_R_PRNG_STUCK                       ,"prng stuck"},
 {0,NULL}
        };
diff --git a/src/lib/libcrypto/rand/rand_lib.c b/src/lib/libcrypto/rand/rand_lib.c
index 513e338985..88f1b56d91 100644
--- a/src/lib/libcrypto/rand/rand_lib.c
+++ b/src/lib/libcrypto/rand/rand_lib.c
@@ -63,6 +63,8 @@
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
+#include <openssl/fips.h>
+#include <openssl/fips_rand.h>
 #ifndef OPENSSL_NO_ENGINE
 /* non-NULL if default_RAND_meth is ENGINE-provided */
@@ -85,6 +87,16 @@ int RAND_set_rand_method(const RAND_METHOD *meth)
 const RAND_METHOD *RAND_get_rand_method(void)
        {
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode()
+                && default_RAND_meth != FIPS_rand_check())
+            {
+            RANDerr(RAND_F_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD);
+            return 0;
+            }
+#endif
        if (!default_RAND_meth)
                {
 #ifndef OPENSSL_NO_ENGINE
diff --git a/src/lib/libcrypto/rand/rand_unix.c b/src/lib/libcrypto/rand/rand_unix.c
index 0599719dd1..9376554fae 100644
--- a/src/lib/libcrypto/rand/rand_unix.c
+++ b/src/lib/libcrypto/rand/rand_unix.c
@@ -120,6 +120,7 @@
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/times.h>
+#include <sys/stat.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <time.h>
@@ -151,9 +152,9 @@ int RAND_poll(void)
        int n = 0;
 #endif
 #ifdef DEVRANDOM
-        static const char *randomfiles[] = { DEVRANDOM, NULL };
+        static const char *randomfiles[] = { DEVRANDOM };
-        const char **randomfile = NULL;
+        struct stat randomstats[sizeof(randomfiles)/sizeof(randomfiles[0])];
-        int fd;
+        int fd,i;
 #endif
 #ifdef DEVRANDOM_EGD
        static const char *egdsockets[] = { DEVRANDOM_EGD, NULL };
@@ -161,26 +162,42 @@ int RAND_poll(void)
 #endif
 #ifdef DEVRANDOM
+        memset(randomstats,0,sizeof(randomstats));
        /* Use a random entropy pool device. Linux, FreeBSD and OpenBSD
         * have this. Use /dev/urandom if you can as /dev/random may block
         * if it runs out of random entries.  */
-        for (randomfile = randomfiles; *randomfile && n < ENTROPY_NEEDED; randomfile++)
+        for (i=0; i<sizeof(randomfiles)/sizeof(randomfiles[0]) && n < ENTROPY_NEEDED; i++)
                {
-                if ((fd = open(*randomfile, O_RDONLY|O_NONBLOCK
+                if ((fd = open(randomfiles[i], O_RDONLY
+#ifdef O_NONBLOCK
+                        |O_NONBLOCK
+#endif
+#ifdef O_BINARY
+                        |O_BINARY
+#endif
 #ifdef O_NOCTTY /* If it happens to be a TTY (god forbid), do not make it
                   our controlling tty */
                        |O_NOCTTY
 #endif
-#ifdef O_NOFOLLOW /* Fail if the file is a symbolic link */
-                        |O_NOFOLLOW
-#endif
                        )) >= 0)
                        {
                        struct timeval t = { 0, 10*1000 }; /* Spend 10ms on
                                                              each file. */
-                        int r;
+                        int r,j;
                        fd_set fset;
+                        struct stat *st=&randomstats[i];
+                        /* Avoid using same input... Used to be O_NOFOLLOW
+                         * above, but it's not universally appropriate... */
+                        if (fstat(fd,st) != 0)  { close(fd); continue; }
+                        for (j=0;j<i;j++)
+                                {
+                                if (randomstats[j].st_ino==st->st_ino &&
+                                    randomstats[j].st_dev==st->st_dev)
+                                        break;
+                                }
+                        if (j<i)                { close(fd); continue; }
                        do
                                {
diff --git a/src/lib/libcrypto/rand/rand_vms.c b/src/lib/libcrypto/rand/rand_vms.c
index 29b2d7af0b..1267a3acae 100644
--- a/src/lib/libcrypto/rand/rand_vms.c
+++ b/src/lib/libcrypto/rand/rand_vms.c
@@ -101,11 +101,12 @@ int RAND_poll(void)
        pitem = item;
        /* Setup */
-        while (pitems_data->length)
+        while (pitems_data->length
+                && (total_length + pitems_data->length <= 256))
                {
                pitem->length = pitems_data->length;
                pitem->code = pitems_data->code;
-                pitem->buffer = (long *)data_buffer[total_length];
+                pitem->buffer = (long *)&data_buffer[total_length];
                pitem->retlen = 0;
                total_length += pitems_data->length;
                pitems_data++;
diff --git a/src/lib/libcrypto/rand/rand_win.c b/src/lib/libcrypto/rand/rand_win.c
index 3584842224..30c69161ef 100644
--- a/src/lib/libcrypto/rand/rand_win.c
+++ b/src/lib/libcrypto/rand/rand_win.c
@@ -125,7 +125,7 @@
 * http://developer.intel.com/design/security/rng/redist_license.htm
 */
 #define PROV_INTEL_SEC 22
-#define INTEL_DEF_PROV TEXT("Intel Hardware Cryptographic Service Provider")
+#define INTEL_DEF_PROV L"Intel Hardware Cryptographic Service Provider"
 static void readtimer(void);
 static void readscreen(void);
@@ -152,7 +152,7 @@ typedef struct tagCURSORINFO
 #define CURSOR_SHOWING     0x00000001
 #endif /* CURSOR_SHOWING */
-typedef BOOL (WINAPI *CRYPTACQUIRECONTEXT)(HCRYPTPROV *, LPCTSTR, LPCTSTR,
+typedef BOOL (WINAPI *CRYPTACQUIRECONTEXTW)(HCRYPTPROV *, LPCWSTR, LPCWSTR,
                                    DWORD, DWORD);
 typedef BOOL (WINAPI *CRYPTGENRANDOM)(HCRYPTPROV, DWORD, BYTE *);
 typedef BOOL (WINAPI *CRYPTRELEASECONTEXT)(HCRYPTPROV, DWORD);
@@ -194,7 +194,7 @@ int RAND_poll(void)
        HWND h;
        HMODULE advapi, kernel, user, netapi;
-        CRYPTACQUIRECONTEXT acquire = 0;
+        CRYPTACQUIRECONTEXTW acquire = 0;
        CRYPTGENRANDOM gen = 0;
        CRYPTRELEASECONTEXT release = 0;
 #if 1 /* There was previously a problem with NETSTATGET.  Currently, this
@@ -213,6 +213,9 @@ int RAND_poll(void)
        GetVersionEx( &osverinfo ) ;
 #if defined(OPENSSL_SYS_WINCE) && WCEPLATFORM!=MS_HPC_PRO
+#ifndef CryptAcquireContext
+#define CryptAcquireContext CryptAcquireContextW
+#endif
        /* poll the CryptoAPI PRNG */
        /* The CryptoAPI returns sizeof(buf) bytes of randomness */
        if (CryptAcquireContext(&hProvider, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
@@ -223,21 +226,35 @@ int RAND_poll(void)
                }
 #endif
+#ifndef OPENSSL_SYS_WINCE
+        /*
+         * None of below libraries are present on Windows CE, which is
+         * why we #ifndef the whole section. This also excuses us from
+         * handling the GetProcAddress issue. The trouble is that in
+         * real Win32 API GetProcAddress is available in ANSI flavor
+         * only. In WinCE on the other hand GetProcAddress is a macro
+         * most commonly defined as GetProcAddressW, which accepts
+         * Unicode argument. If we were to call GetProcAddress under
+         * WinCE, I'd recommend to either redefine GetProcAddress as
+         * GetProcAddressA (there seem to be one in common CE spec) or
+         * implement own shim routine, which would accept ANSI argument
+         * and expand it to Unicode.
+         */
        /* load functions dynamically - not available on all systems */
        advapi = LoadLibrary(TEXT("ADVAPI32.DLL"));
        kernel = LoadLibrary(TEXT("KERNEL32.DLL"));
        user = LoadLibrary(TEXT("USER32.DLL"));
        netapi = LoadLibrary(TEXT("NETAPI32.DLL"));
-#ifndef OPENSSL_SYS_WINCE
 #if 1 /* There was previously a problem with NETSTATGET.  Currently, this
       * section is still experimental, but if all goes well, this conditional
       * will be removed
       */
        if (netapi)
                {
-                netstatget = (NETSTATGET) GetProcAddress(netapi,TEXT("NetStatisticsGet"));
+                netstatget = (NETSTATGET) GetProcAddress(netapi,"NetStatisticsGet");
-                netfree = (NETFREE) GetProcAddress(netapi,TEXT("NetApiBufferFree"));
+                netfree = (NETFREE) GetProcAddress(netapi,"NetApiBufferFree");
                }
        if (netstatget && netfree)
@@ -264,9 +281,7 @@ int RAND_poll(void)
        if (netapi)
                FreeLibrary(netapi);
 #endif /* 1 */
-#endif /* !OPENSSL_SYS_WINCE */
- 
-#ifndef OPENSSL_SYS_WINCE
        /* It appears like this can cause an exception deep within ADVAPI32.DLL
         * at random times on Windows 2000.  Reported by Jeffrey Altman.  
         * Only use it on NT.
@@ -321,16 +336,20 @@ int RAND_poll(void)
                        free(buf);
                }
 #endif
-#endif /* !OPENSSL_SYS_WINCE */
        if (advapi)
                {
-                acquire = (CRYPTACQUIRECONTEXT) GetProcAddress(advapi,
+                /*
-                        TEXT("CryptAcquireContextA"));
+                 * If it's available, then it's available in both ANSI
+                 * and UNICODE flavors even in Win9x, documentation says.
+                 * We favor Unicode...
+                 */
+                acquire = (CRYPTACQUIRECONTEXTW) GetProcAddress(advapi,
+                        "CryptAcquireContextW");
                gen = (CRYPTGENRANDOM) GetProcAddress(advapi,
-                        TEXT("CryptGenRandom"));
+                        "CryptGenRandom");
                release = (CRYPTRELEASECONTEXT) GetProcAddress(advapi,
-                        TEXT("CryptReleaseContext"));
+                        "CryptReleaseContext");
                }
        if (acquire && gen && release)
@@ -367,26 +386,15 @@ int RAND_poll(void)
        if (advapi)
                FreeLibrary(advapi);
-        /* timer data */
-        readtimer();
-        
-        /* memory usage statistics */
-        GlobalMemoryStatus(&m);
-        RAND_add(&m, sizeof(m), 1);
-        /* process ID */
-        w = GetCurrentProcessId();
-        RAND_add(&w, sizeof(w), 1);
        if (user)
                {
                GETCURSORINFO cursor;
                GETFOREGROUNDWINDOW win;
                GETQUEUESTATUS queue;
-                win = (GETFOREGROUNDWINDOW) GetProcAddress(user, TEXT("GetForegroundWindow"));
+                win = (GETFOREGROUNDWINDOW) GetProcAddress(user, "GetForegroundWindow");
-                cursor = (GETCURSORINFO) GetProcAddress(user, TEXT("GetCursorInfo"));
+                cursor = (GETCURSORINFO) GetProcAddress(user, "GetCursorInfo");
-                queue = (GETQUEUESTATUS) GetProcAddress(user, TEXT("GetQueueStatus"));
+                queue = (GETQUEUESTATUS) GetProcAddress(user, "GetQueueStatus");
                if (win)
                        {
@@ -458,19 +466,19 @@ int RAND_poll(void)
                MODULEENTRY32 m;
                snap = (CREATETOOLHELP32SNAPSHOT)
-                        GetProcAddress(kernel, TEXT("CreateToolhelp32Snapshot"));
+                        GetProcAddress(kernel, "CreateToolhelp32Snapshot");
                close_snap = (CLOSETOOLHELP32SNAPSHOT)
-                        GetProcAddress(kernel, TEXT("CloseToolhelp32Snapshot"));
+                        GetProcAddress(kernel, "CloseToolhelp32Snapshot");
-                heap_first = (HEAP32FIRST) GetProcAddress(kernel, TEXT("Heap32First"));
+                heap_first = (HEAP32FIRST) GetProcAddress(kernel, "Heap32First");
-                heap_next = (HEAP32NEXT) GetProcAddress(kernel, TEXT("Heap32Next"));
+                heap_next = (HEAP32NEXT) GetProcAddress(kernel, "Heap32Next");
-                heaplist_first = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListFirst"));
+                heaplist_first = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListFirst");
-                heaplist_next = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListNext"));
+                heaplist_next = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListNext");
-                process_first = (PROCESS32) GetProcAddress(kernel, TEXT("Process32First"));
+                process_first = (PROCESS32) GetProcAddress(kernel, "Process32First");
-                process_next = (PROCESS32) GetProcAddress(kernel, TEXT("Process32Next"));
+                process_next = (PROCESS32) GetProcAddress(kernel, "Process32Next");
-                thread_first = (THREAD32) GetProcAddress(kernel, TEXT("Thread32First"));
+                thread_first = (THREAD32) GetProcAddress(kernel, "Thread32First");
-                thread_next = (THREAD32) GetProcAddress(kernel, TEXT("Thread32Next"));
+                thread_next = (THREAD32) GetProcAddress(kernel, "Thread32Next");
-                module_first = (MODULE32) GetProcAddress(kernel, TEXT("Module32First"));
+                module_first = (MODULE32) GetProcAddress(kernel, "Module32First");
-                module_next = (MODULE32) GetProcAddress(kernel, TEXT("Module32Next"));
+                module_next = (MODULE32) GetProcAddress(kernel, "Module32Next");
                if (snap && heap_first && heap_next && heaplist_first &&
                        heaplist_next && process_first && process_next &&
@@ -546,6 +554,18 @@ int RAND_poll(void)
                FreeLibrary(kernel);
                }
+#endif /* !OPENSSL_SYS_WINCE */
+        /* timer data */
+        readtimer();
+        
+        /* memory usage statistics */
+        GlobalMemoryStatus(&m);
+        RAND_add(&m, sizeof(m), 1);
+        /* process ID */
+        w = GetCurrentProcessId();
+        RAND_add(&w, sizeof(w), 1);
 #if 0
        printf("Exiting RAND_poll\n");
@@ -607,7 +627,7 @@ static void readtimer(void)
        DWORD w;
        LARGE_INTEGER l;
        static int have_perfc = 1;
-#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE)
+#if defined(_MSC_VER) && defined(_M_X86)
        static int have_tsc = 1;
        DWORD cyclecount;
@@ -660,7 +680,7 @@ static void readtimer(void)
 static void readscreen(void)
 {
-#ifndef OPENSSL_SYS_WINCE
+#if !defined(OPENSSL_SYS_WINCE) && !defined(OPENSSL_SYS_WIN32_CYGWIN)
  HDC           hScrDC;         /* screen DC */
  HDC           hMemDC;         /* memory DC */
  HBITMAP       hBitmap;        /* handle for our bitmap */
diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c
index d88ee0d780..9bd89ba495 100644
--- a/src/lib/libcrypto/rand/randfile.c
+++ b/src/lib/libcrypto/rand/randfile.c
@@ -166,6 +166,7 @@ int RAND_write_file(const char *file)
        }
 #if defined(O_CREAT) && !defined(OPENSSL_SYS_WIN32)
+        {
        /* For some reason Win32 can't write to files created this way */
        
        /* chmod(..., 0600) is too late to protect the file,
@@ -173,6 +174,7 @@ int RAND_write_file(const char *file)
        int fd = open(file, O_CREAT, 0600);
        if (fd != -1)
                out = fdopen(fd, "wb");
+        }
 #endif
        if (out == NULL)
                out = fopen(file,"wb");
diff --git a/src/lib/libcrypto/rc2/rc2.h b/src/lib/libcrypto/rc2/rc2.h
index 7816b454dc..71788158d8 100644
--- a/src/lib/libcrypto/rc2/rc2.h
+++ b/src/lib/libcrypto/rc2/rc2.h
@@ -79,7 +79,10 @@ typedef struct rc2_key_st
        RC2_INT data[64];
        } RC2_KEY;
- 
+#ifdef OPENSSL_FIPS 
+void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,
+                                                                int bits);
+#endif
 void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
 void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key,
                     int enc);
diff --git a/src/lib/libcrypto/rc2/rc2_skey.c b/src/lib/libcrypto/rc2/rc2_skey.c
index cab3080c73..22f372f85c 100644
--- a/src/lib/libcrypto/rc2/rc2_skey.c
+++ b/src/lib/libcrypto/rc2/rc2_skey.c
@@ -57,6 +57,7 @@
 */
 #include <openssl/rc2.h>
+#include <openssl/crypto.h>
 #include "rc2_locl.h"
 static unsigned char key_table[256]={
@@ -90,7 +91,19 @@ static unsigned char key_table[256]={
 * BSAFE uses the 'retarded' version.  What I previously shipped is
 * the same as specifying 1024 for the 'bits' parameter.  Bsafe uses
 * a version where the bits parameter is the same as len*8 */
+#ifdef OPENSSL_FIPS
+void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
+        {
+        if (FIPS_mode())
+                FIPS_BAD_ABORT(RC2)
+        private_RC2_set_key(key, len, data, bits);
+        }
+void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,
+                                                                int bits)
+#else
 void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
+#endif
        {
        int i,j;
        unsigned char *k;
diff --git a/src/lib/libcrypto/rc4/asm/rc4-586.pl b/src/lib/libcrypto/rc4/asm/rc4-586.pl
index 7ef889e5a1..d6e98f0811 100644
--- a/src/lib/libcrypto/rc4/asm/rc4-586.pl
+++ b/src/lib/libcrypto/rc4/asm/rc4-586.pl
@@ -1,16 +1,37 @@
 #!/usr/local/bin/perl
-# define for pentium pro friendly version
+# At some point it became apparent that the original SSLeay RC4
+# assembler implementation performs suboptimaly on latest IA-32
+# microarchitectures. After re-tuning performance has changed as
+# following:
+#
+# Pentium       +0%
+# Pentium III   +17%
+# AMD           +52%(*)
+# P4            +180%(**)
+#
+# (*)   This number is actually a trade-off:-) It's possible to
+#       achieve +72%, but at the cost of -48% off PIII performance.
+#       In other words code performing further 13% faster on AMD
+#       would perform almost 2 times slower on Intel PIII...
+#       For reference! This code delivers ~80% of rc4-amd64.pl
+#       performance on the same Opteron machine.
+# (**)  This number requires compressed key schedule set up by
+#       RC4_set_key and therefore doesn't apply to 0.9.7 [option for
+#       compressed key schedule is implemented in 0.9.8 and later,
+#       see commentary section in rc4_skey.c for further details].
+#
+#                                       <appro@fy.chalmers.se>
 push(@INC,"perlasm","../../perlasm");
 require "x86asm.pl";
 &asm_init($ARGV[0],"rc4-586.pl");
-$tx="eax";
+$x="eax";
-$ty="ebx";
+$y="ebx";
-$x="ecx";
+$tx="ecx";
-$y="edx";
+$ty="edx";
 $in="esi";
 $out="edi";
 $d="ebp";
@@ -31,7 +52,7 @@ sub RC4_loop
                        {
                         &mov($ty,      &swtmp(2));
                        &cmp($ty,       $in);
-                         &jle(&label("finished"));
+                         &jbe(&label("finished"));
                        &inc($in);
                        }
                else
@@ -39,27 +60,23 @@ sub RC4_loop
                        &add($ty,       8);
                         &inc($in);
                        &cmp($ty,       $in);
-                         &jl(&label("finished"));
+                         &jb(&label("finished"));
                        &mov(&swtmp(2), $ty);
                        }
                }
        # Moved out
        # &mov( $tx,            &DWP(0,$d,$x,4)) if $p < 0;
-         &add(  $y,             $tx);
+        &add(   &LB($y),        &LB($tx));
-        &and(   $y,             0xff);
-         &inc(  $x);                    # NEXT ROUND 
        &mov(   $ty,            &DWP(0,$d,$y,4));
         # XXX
-        &mov(   &DWP(-4,$d,$x,4),$ty);                  # AGI
+        &mov(   &DWP(0,$d,$x,4),$ty);
         &add(  $ty,            $tx);
-        &and(   $x,             0xff);  # NEXT ROUND
-         &and(  $ty,            0xff);
        &mov(   &DWP(0,$d,$y,4),$tx);
-         &nop();
+         &and(  $ty,            0xff);
-        &mov(   $ty,            &DWP(0,$d,$ty,4));
+         &inc(  &LB($x));                       # NEXT ROUND
-         &mov(  $tx,            &DWP(0,$d,$x,4)) if $p < 1; # NEXT ROUND
+        &mov(   $tx,            &DWP(0,$d,$x,4)) if $p < 1; # NEXT ROUND
-         # XXX
+         &mov(  $ty,            &DWP(0,$d,$ty,4));
        if (!$char)
                {
@@ -88,35 +105,47 @@ sub RC4
        &function_begin_B($name,"");
+        &mov($ty,&wparam(1));           # len
+        &cmp($ty,0);
+        &jne(&label("proceed"));
+        &ret();
+        &set_label("proceed");
        &comment("");
        &push("ebp");
         &push("ebx");
-        &mov(   $d,     &wparam(0));    # key
-         &mov(  $ty,    &wparam(1));    # num
        &push("esi");
-         &push("edi");
+         &xor(  $x,     $x);            # avoid partial register stalls
+        &push("edi");
+         &xor(  $y,     $y);            # avoid partial register stalls
+        &mov(   $d,     &wparam(0));    # key
+         &mov(  $in,    &wparam(2));
-        &mov(   $x,     &DWP(0,$d,"",1));
+        &movb(  &LB($x),        &BP(0,$d,"",1));
-         &mov(  $y,     &DWP(4,$d,"",1));
+         &movb( &LB($y),        &BP(4,$d,"",1));
-        &mov(   $in,    &wparam(2));
+        &mov(   $out,   &wparam(3));
-         &inc(  $x);
+         &inc(  &LB($x));
        &stack_push(3); # 3 temp variables
         &add(  $d,     8);
-        &and(   $x,             0xff);
+        # detect compressed schedule, see commentary section in rc4_skey.c...
+        # in 0.9.7 context ~50 bytes below RC4_CHAR label remain redundant,
+        # as compressed key schedule is set up in 0.9.8 and later.
+        &cmp(&DWP(256,$d),-1);
+        &je(&label("RC4_CHAR"));
         &lea(  $ty,    &DWP(-8,$ty,$in));
        # check for 0 length input
-        &mov(   $out,   &wparam(3));
         &mov(  &swtmp(2),      $ty);   # this is now address to exit at
        &mov(   $tx,    &DWP(0,$d,$x,4));
         &cmp(  $ty,    $in);
-        &jl(    &label("end")); # less than 8 bytes
+        &jb(    &label("end")); # less than 8 bytes
        &set_label("start");
@@ -148,7 +177,7 @@ sub RC4
        &mov(   &DWP(-4,$out,"",0),     $tx);
         &mov(  $tx,            &DWP(0,$d,$x,4));
        &cmp($in,       $ty);
-         &jle(&label("start"));
+         &jbe(&label("start"));
        &set_label("end");
@@ -162,10 +191,37 @@ sub RC4
        &RC4_loop(5,0,1);
        &RC4_loop(6,1,1);
+        &jmp(&label("finished"));
+        &align(16);
+        # this is essentially Intel P4 specific codepath, see rc4_skey.c,
+        # and is engaged in 0.9.8 and later context...
+        &set_label("RC4_CHAR");
+        &lea    ($ty,&DWP(0,$in,$ty));
+        &mov    (&swtmp(2),$ty);
+        # strangely enough unrolled loop performs over 20% slower...
+        &set_label("RC4_CHAR_loop");
+                &movz   ($tx,&BP(0,$d,$x));
+                &add    (&LB($y),&LB($tx));
+                &movz   ($ty,&BP(0,$d,$y));
+                &movb   (&BP(0,$d,$y),&LB($tx));
+                &movb   (&BP(0,$d,$x),&LB($ty));
+                &add    (&LB($ty),&LB($tx));
+                &movz   ($ty,&BP(0,$d,$ty));
+                &xorb   (&LB($ty),&BP(0,$in));
+                &movb   (&BP(0,$out),&LB($ty));
+                &inc    (&LB($x));
+                &inc    ($in);
+                &inc    ($out);
+                &cmp    ($in,&swtmp(2));
+        &jb     (&label("RC4_CHAR_loop"));
        &set_label("finished");
        &dec(   $x);
         &stack_pop(3);
-        &mov(   &DWP(-4,$d,"",0),$y);
+        &movb(  &BP(-4,$d,"",0),&LB($y));
         &movb( &BP(-8,$d,"",0),&LB($x));
        &function_end($name);
diff --git a/src/lib/libcrypto/rc4/rc4.h b/src/lib/libcrypto/rc4/rc4.h
index 8722091f2e..dd90d9fde0 100644
--- a/src/lib/libcrypto/rc4/rc4.h
+++ b/src/lib/libcrypto/rc4/rc4.h
@@ -73,10 +73,17 @@ typedef struct rc4_key_st
        {
        RC4_INT x,y;
        RC4_INT data[256];
+#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
+        /* see crypto/rc4/asm/rc4-ia64.S for further details... */
+        RC4_INT pad[512-256-2];
+#endif
        } RC4_KEY;
 
 const char *RC4_options(void);
+#ifdef OPENSSL_FIPS
+void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
+#endif
 void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
 void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
                unsigned char *outdata);
diff --git a/src/lib/libcrypto/rc4/rc4_enc.c b/src/lib/libcrypto/rc4/rc4_enc.c
index d5f18a3a70..81a97ea3b7 100644
--- a/src/lib/libcrypto/rc4/rc4_enc.c
+++ b/src/lib/libcrypto/rc4/rc4_enc.c
@@ -77,6 +77,10 @@ void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
        x=key->x;     
        y=key->y;     
        d=key->data; 
+#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
+        /* see crypto/rc4/asm/rc4-ia64.S for further details... */
+        d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1));
+#endif
 #if defined(RC4_CHUNK)
        /*
diff --git a/src/lib/libcrypto/rc4/rc4_locl.h b/src/lib/libcrypto/rc4/rc4_locl.h
index 3bb80b6ce9..c712e1632e 100644
--- a/src/lib/libcrypto/rc4/rc4_locl.h
+++ b/src/lib/libcrypto/rc4/rc4_locl.h
@@ -1,4 +1,5 @@
 #ifndef HEADER_RC4_LOCL_H
 #define HEADER_RC4_LOCL_H
 #include <openssl/opensslconf.h>
+#include <cryptlib.h>
 #endif
diff --git a/src/lib/libcrypto/rc4/rc4_skey.c b/src/lib/libcrypto/rc4/rc4_skey.c
index bb10c1ebe2..07234f061a 100644
--- a/src/lib/libcrypto/rc4/rc4_skey.c
+++ b/src/lib/libcrypto/rc4/rc4_skey.c
@@ -57,6 +57,7 @@
 */
 #include <openssl/rc4.h>
+#include <openssl/crypto.h>
 #include "rc4_locl.h"
 #include <openssl/opensslv.h>
@@ -85,7 +86,7 @@ const char *RC4_options(void)
 * Date: Wed, 14 Sep 1994 06:35:31 GMT
 */
-void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
+FIPS_NON_FIPS_VCIPHER_Init(RC4)
        {
        register RC4_INT tmp;
        register int id1,id2;
@@ -93,6 +94,11 @@ void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
        unsigned int i;
        
        d= &(key->data[0]);
+#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
+        /* see crypto/rc4/asm/rc4-ia64.S for further details... */
+        d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1));
+#endif
        for (i=0; i<256; i++)
                d[i]=i;
        key->x = 0;     
diff --git a/src/lib/libcrypto/rc5/rc5.h b/src/lib/libcrypto/rc5/rc5.h
index 4adfd2db5a..aa3f26920b 100644
--- a/src/lib/libcrypto/rc5/rc5.h
+++ b/src/lib/libcrypto/rc5/rc5.h
@@ -92,7 +92,10 @@ typedef struct rc5_key_st
        RC5_32_INT data[2*(RC5_16_ROUNDS+1)];
        } RC5_32_KEY;
- 
+#ifdef OPENSSL_FIPS 
+void private_RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data,
+        int rounds);
+#endif
 void RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data,
        int rounds);
 void RC5_32_ecb_encrypt(const unsigned char *in,unsigned char *out,RC5_32_KEY *key,
diff --git a/src/lib/libcrypto/ripemd/ripemd.h b/src/lib/libcrypto/ripemd/ripemd.h
index 78d5f36560..7d0d998189 100644
--- a/src/lib/libcrypto/ripemd/ripemd.h
+++ b/src/lib/libcrypto/ripemd/ripemd.h
@@ -90,6 +90,9 @@ typedef struct RIPEMD160state_st
        int num;
        } RIPEMD160_CTX;
+#ifdef OPENSSL_FIPS
+int private_RIPEMD160_Init(RIPEMD160_CTX *c);
+#endif
 int RIPEMD160_Init(RIPEMD160_CTX *c);
 int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, unsigned long len);
 int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
diff --git a/src/lib/libcrypto/ripemd/rmd_dgst.c b/src/lib/libcrypto/ripemd/rmd_dgst.c
index 28896512e7..58ff010d11 100644
--- a/src/lib/libcrypto/ripemd/rmd_dgst.c
+++ b/src/lib/libcrypto/ripemd/rmd_dgst.c
@@ -58,6 +58,7 @@
 #include <stdio.h>
 #include "rmd_locl.h"
+#include <openssl/fips.h>
 #include <openssl/opensslv.h>
 const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT;
@@ -69,7 +70,7 @@ const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT;
     void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,int num);
 #  endif
-int RIPEMD160_Init(RIPEMD160_CTX *c)
+FIPS_NON_FIPS_MD_Init(RIPEMD160)
        {
        c->A=RIPEMD160_A;
        c->B=RIPEMD160_B;
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index 62fa745f79..fc3bb5f86d 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -72,6 +72,10 @@
 #error RSA is disabled.
 #endif
+#if defined(OPENSSL_FIPS)
+#define FIPS_RSA_SIZE_T int
+#endif
 #ifdef  __cplusplus
 extern "C" {
 #endif
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index e0d286266e..d4caab3f95 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -62,7 +62,7 @@
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
-#ifndef RSA_NULL
+#if !defined(RSA_NULL) && !defined(OPENSSL_FIPS)
 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
                unsigned char *to, RSA *rsa,int padding);
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index 00c25adbc5..adb5e34da5 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -62,6 +62,8 @@
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
+#ifndef OPENSSL_FIPS
 RSA *RSA_generate_key(int bits, unsigned long e_value,
             void (*callback)(int,int,void *), void *cb_arg)
        {
@@ -195,3 +197,4 @@ err:
                return(rsa);
        }
+#endif
diff --git a/src/lib/libcrypto/rsa/rsa_saos.c b/src/lib/libcrypto/rsa/rsa_saos.c
index f462716a57..24fc94835e 100644
--- a/src/lib/libcrypto/rsa/rsa_saos.c
+++ b/src/lib/libcrypto/rsa/rsa_saos.c
@@ -139,8 +139,11 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype,
                ret=1;
 err:
        if (sig != NULL) M_ASN1_OCTET_STRING_free(sig);
-        OPENSSL_cleanse(s,(unsigned int)siglen);
+        if (s != NULL)
-        OPENSSL_free(s);
+                {
+                OPENSSL_cleanse(s,(unsigned int)siglen);
+                OPENSSL_free(s);
+                }
        return(ret);
        }
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index 8a1e642183..cee09eccb1 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -169,7 +169,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
                }
        if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) {
                        RSAerr(RSA_F_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
-                        return(0);
+                        goto err;
        }
        i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
@@ -222,8 +222,11 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
        }
 err:
        if (sig != NULL) X509_SIG_free(sig);
-        OPENSSL_cleanse(s,(unsigned int)siglen);
+        if (s != NULL)
-        OPENSSL_free(s);
+                {
+                OPENSSL_cleanse(s,(unsigned int)siglen);
+                OPENSSL_free(s);
+                }
        return(ret);
        }
diff --git a/src/lib/libcrypto/sha/asm/sha1-586.pl b/src/lib/libcrypto/sha/asm/sha1-586.pl
index e00f709553..041acc0348 100644
--- a/src/lib/libcrypto/sha/asm/sha1-586.pl
+++ b/src/lib/libcrypto/sha/asm/sha1-586.pl
@@ -405,7 +405,7 @@ sub sha1_block_data
        &mov(&DWP(16,$tmp1,"",0),$E);
         &cmp("esi","eax");
        &mov(&DWP( 4,$tmp1,"",0),$B);
-         &jl(&label("start"));
+         &jb(&label("start"));
        &stack_pop(18+9);
         &pop("edi");
diff --git a/src/lib/libcrypto/sha/sha.h b/src/lib/libcrypto/sha/sha.h
index 3fd54a10cc..79c07b0fd1 100644
--- a/src/lib/libcrypto/sha/sha.h
+++ b/src/lib/libcrypto/sha/sha.h
@@ -69,6 +69,10 @@ extern "C" {
 #error SHA is disabled.
 #endif
+#if defined(OPENSSL_FIPS)
+#define FIPS_SHA_SIZE_T unsigned long
+#endif
 /*
 * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 * ! SHA_LONG has to be at least 32 bits wide. If it's wider, then !
@@ -101,6 +105,9 @@ typedef struct SHAstate_st
        } SHA_CTX;
 #ifndef OPENSSL_NO_SHA0
+#ifdef OPENSSL_FIPS
+int private_SHA_Init(SHA_CTX *c);
+#endif
 int SHA_Init(SHA_CTX *c);
 int SHA_Update(SHA_CTX *c, const void *data, unsigned long len);
 int SHA_Final(unsigned char *md, SHA_CTX *c);
diff --git a/src/lib/libcrypto/sha/sha1dgst.c b/src/lib/libcrypto/sha/sha1dgst.c
index 182f65982a..1e2009b760 100644
--- a/src/lib/libcrypto/sha/sha1dgst.c
+++ b/src/lib/libcrypto/sha/sha1dgst.c
@@ -62,12 +62,20 @@
 #define SHA_1
 #include <openssl/opensslv.h>
+#include <openssl/opensslconf.h>
+#ifndef OPENSSL_FIPS
 const char *SHA1_version="SHA1" OPENSSL_VERSION_PTEXT;
 /* The implementation is in ../md32_common.h */
 #include "sha_locl.h"
+#else /* ndef OPENSSL_FIPS */
+static void *dummy=&dummy;
+#endif /* ndef OPENSSL_FIPS */
 #endif
diff --git a/src/lib/libcrypto/sha/sha_locl.h b/src/lib/libcrypto/sha/sha_locl.h
index 2dd63a62a6..a3623f72da 100644
--- a/src/lib/libcrypto/sha/sha_locl.h
+++ b/src/lib/libcrypto/sha/sha_locl.h
@@ -121,6 +121,11 @@
 #   define sha1_block_data_order                sha1_block_asm_data_order
 #   define DONT_IMPLEMENT_BLOCK_DATA_ORDER
 #   define HASH_BLOCK_DATA_ORDER_ALIGNED        sha1_block_asm_data_order
+#  elif defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
+#   define sha1_block_host_order                sha1_block_asm_host_order
+#   define DONT_IMPLEMENT_BLOCK_HOST_ORDER
+#   define sha1_block_data_order                sha1_block_asm_data_order
+#   define DONT_IMPLEMENT_BLOCK_DATA_ORDER
 #  endif
 # endif
  void sha1_block_host_order (SHA_CTX *c, const void *p,int num);
@@ -138,7 +143,11 @@
 #define INIT_DATA_h3 0x10325476UL
 #define INIT_DATA_h4 0xc3d2e1f0UL
+#if defined(SHA_0) && defined(OPENSSL_FIPS)
+FIPS_NON_FIPS_MD_Init(SHA)
+#else
 int HASH_INIT (SHA_CTX *c)
+#endif
        {
        c->h0=INIT_DATA_h0;
        c->h1=INIT_DATA_h1;
diff --git a/src/lib/libcrypto/sha/shatest.c b/src/lib/libcrypto/sha/shatest.c
index 5d2b1d3b1a..ff702aa53e 100644
--- a/src/lib/libcrypto/sha/shatest.c
+++ b/src/lib/libcrypto/sha/shatest.c
@@ -62,10 +62,10 @@
 #include "../e_os.h"
-#ifdef OPENSSL_NO_SHA
+#if defined(OPENSSL_NO_SHA) || defined(OPENSSL_NO_SHA0)
 int main(int argc, char *argv[])
 {
-    printf("No SHA support\n");
+    printf("No SHA0 support\n");
    return(0);
 }
 #else
diff --git a/src/lib/libcrypto/stack/safestack.h b/src/lib/libcrypto/stack/safestack.h
index ed9ed2c23a..bd1121c279 100644
--- a/src/lib/libcrypto/stack/safestack.h
+++ b/src/lib/libcrypto/stack/safestack.h
@@ -113,6 +113,8 @@ STACK_OF(type) \
        ((type * (*)(STACK_OF(type) *))sk_pop)(st)
 #define SKM_sk_sort(type, st) \
        ((void (*)(STACK_OF(type) *))sk_sort)(st)
+#define SKM_sk_is_sorted(type, st) \
+        ((int (*)(const STACK_OF(type) *))sk_is_sorted)(st)
 #define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
        ((STACK_OF(type) * (*) (STACK_OF(type) **,unsigned char **, long , \
@@ -187,6 +189,8 @@ STACK_OF(type) \
        ((type *)sk_pop(st))
 #define SKM_sk_sort(type, st) \
        sk_sort(st)
+#define SKM_sk_is_sorted(type, st) \
+        sk_is_sorted(st)
 #define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
        d2i_ASN1_SET(st,pp,length, (char *(*)())d2i_func, (void (*)(void *))free_func, ex_tag,ex_class)
@@ -223,6 +227,7 @@ STACK_OF(type) \
 #define sk_ACCESS_DESCRIPTION_shift(st) SKM_sk_shift(ACCESS_DESCRIPTION, (st))
 #define sk_ACCESS_DESCRIPTION_pop(st) SKM_sk_pop(ACCESS_DESCRIPTION, (st))
 #define sk_ACCESS_DESCRIPTION_sort(st) SKM_sk_sort(ACCESS_DESCRIPTION, (st))
+#define sk_ACCESS_DESCRIPTION_is_sorted(st) SKM_sk_is_sorted(ACCESS_DESCRIPTION, (st))
 #define sk_ASN1_GENERALSTRING_new(st) SKM_sk_new(ASN1_GENERALSTRING, (st))
 #define sk_ASN1_GENERALSTRING_new_null() SKM_sk_new_null(ASN1_GENERALSTRING)
@@ -243,6 +248,7 @@ STACK_OF(type) \
 #define sk_ASN1_GENERALSTRING_shift(st) SKM_sk_shift(ASN1_GENERALSTRING, (st))
 #define sk_ASN1_GENERALSTRING_pop(st) SKM_sk_pop(ASN1_GENERALSTRING, (st))
 #define sk_ASN1_GENERALSTRING_sort(st) SKM_sk_sort(ASN1_GENERALSTRING, (st))
+#define sk_ASN1_GENERALSTRING_is_sorted(st) SKM_sk_is_sorted(ASN1_GENERALSTRING, (st))
 #define sk_ASN1_INTEGER_new(st) SKM_sk_new(ASN1_INTEGER, (st))
 #define sk_ASN1_INTEGER_new_null() SKM_sk_new_null(ASN1_INTEGER)
@@ -263,6 +269,7 @@ STACK_OF(type) \
 #define sk_ASN1_INTEGER_shift(st) SKM_sk_shift(ASN1_INTEGER, (st))
 #define sk_ASN1_INTEGER_pop(st) SKM_sk_pop(ASN1_INTEGER, (st))
 #define sk_ASN1_INTEGER_sort(st) SKM_sk_sort(ASN1_INTEGER, (st))
+#define sk_ASN1_INTEGER_is_sorted(st) SKM_sk_is_sorted(ASN1_INTEGER, (st))
 #define sk_ASN1_OBJECT_new(st) SKM_sk_new(ASN1_OBJECT, (st))
 #define sk_ASN1_OBJECT_new_null() SKM_sk_new_null(ASN1_OBJECT)
@@ -283,6 +290,7 @@ STACK_OF(type) \
 #define sk_ASN1_OBJECT_shift(st) SKM_sk_shift(ASN1_OBJECT, (st))
 #define sk_ASN1_OBJECT_pop(st) SKM_sk_pop(ASN1_OBJECT, (st))
 #define sk_ASN1_OBJECT_sort(st) SKM_sk_sort(ASN1_OBJECT, (st))
+#define sk_ASN1_OBJECT_is_sorted(st) SKM_sk_is_sorted(ASN1_OBJECT, (st))
 #define sk_ASN1_STRING_TABLE_new(st) SKM_sk_new(ASN1_STRING_TABLE, (st))
 #define sk_ASN1_STRING_TABLE_new_null() SKM_sk_new_null(ASN1_STRING_TABLE)
@@ -303,6 +311,7 @@ STACK_OF(type) \
 #define sk_ASN1_STRING_TABLE_shift(st) SKM_sk_shift(ASN1_STRING_TABLE, (st))
 #define sk_ASN1_STRING_TABLE_pop(st) SKM_sk_pop(ASN1_STRING_TABLE, (st))
 #define sk_ASN1_STRING_TABLE_sort(st) SKM_sk_sort(ASN1_STRING_TABLE, (st))
+#define sk_ASN1_STRING_TABLE_is_sorted(st) SKM_sk_is_sorted(ASN1_STRING_TABLE, (st))
 #define sk_ASN1_TYPE_new(st) SKM_sk_new(ASN1_TYPE, (st))
 #define sk_ASN1_TYPE_new_null() SKM_sk_new_null(ASN1_TYPE)
@@ -323,6 +332,7 @@ STACK_OF(type) \
 #define sk_ASN1_TYPE_shift(st) SKM_sk_shift(ASN1_TYPE, (st))
 #define sk_ASN1_TYPE_pop(st) SKM_sk_pop(ASN1_TYPE, (st))
 #define sk_ASN1_TYPE_sort(st) SKM_sk_sort(ASN1_TYPE, (st))
+#define sk_ASN1_TYPE_is_sorted(st) SKM_sk_is_sorted(ASN1_TYPE, (st))
 #define sk_ASN1_VALUE_new(st) SKM_sk_new(ASN1_VALUE, (st))
 #define sk_ASN1_VALUE_new_null() SKM_sk_new_null(ASN1_VALUE)
@@ -343,6 +353,7 @@ STACK_OF(type) \
 #define sk_ASN1_VALUE_shift(st) SKM_sk_shift(ASN1_VALUE, (st))
 #define sk_ASN1_VALUE_pop(st) SKM_sk_pop(ASN1_VALUE, (st))
 #define sk_ASN1_VALUE_sort(st) SKM_sk_sort(ASN1_VALUE, (st))
+#define sk_ASN1_VALUE_is_sorted(st) SKM_sk_is_sorted(ASN1_VALUE, (st))
 #define sk_BIO_new(st) SKM_sk_new(BIO, (st))
 #define sk_BIO_new_null() SKM_sk_new_null(BIO)
@@ -363,6 +374,7 @@ STACK_OF(type) \
 #define sk_BIO_shift(st) SKM_sk_shift(BIO, (st))
 #define sk_BIO_pop(st) SKM_sk_pop(BIO, (st))
 #define sk_BIO_sort(st) SKM_sk_sort(BIO, (st))
+#define sk_BIO_is_sorted(st) SKM_sk_is_sorted(BIO, (st))
 #define sk_CONF_IMODULE_new(st) SKM_sk_new(CONF_IMODULE, (st))
 #define sk_CONF_IMODULE_new_null() SKM_sk_new_null(CONF_IMODULE)
@@ -383,6 +395,7 @@ STACK_OF(type) \
 #define sk_CONF_IMODULE_shift(st) SKM_sk_shift(CONF_IMODULE, (st))
 #define sk_CONF_IMODULE_pop(st) SKM_sk_pop(CONF_IMODULE, (st))
 #define sk_CONF_IMODULE_sort(st) SKM_sk_sort(CONF_IMODULE, (st))
+#define sk_CONF_IMODULE_is_sorted(st) SKM_sk_is_sorted(CONF_IMODULE, (st))
 #define sk_CONF_MODULE_new(st) SKM_sk_new(CONF_MODULE, (st))
 #define sk_CONF_MODULE_new_null() SKM_sk_new_null(CONF_MODULE)
@@ -403,6 +416,7 @@ STACK_OF(type) \
 #define sk_CONF_MODULE_shift(st) SKM_sk_shift(CONF_MODULE, (st))
 #define sk_CONF_MODULE_pop(st) SKM_sk_pop(CONF_MODULE, (st))
 #define sk_CONF_MODULE_sort(st) SKM_sk_sort(CONF_MODULE, (st))
+#define sk_CONF_MODULE_is_sorted(st) SKM_sk_is_sorted(CONF_MODULE, (st))
 #define sk_CONF_VALUE_new(st) SKM_sk_new(CONF_VALUE, (st))
 #define sk_CONF_VALUE_new_null() SKM_sk_new_null(CONF_VALUE)
@@ -423,6 +437,7 @@ STACK_OF(type) \
 #define sk_CONF_VALUE_shift(st) SKM_sk_shift(CONF_VALUE, (st))
 #define sk_CONF_VALUE_pop(st) SKM_sk_pop(CONF_VALUE, (st))
 #define sk_CONF_VALUE_sort(st) SKM_sk_sort(CONF_VALUE, (st))
+#define sk_CONF_VALUE_is_sorted(st) SKM_sk_is_sorted(CONF_VALUE, (st))
 #define sk_CRYPTO_EX_DATA_FUNCS_new(st) SKM_sk_new(CRYPTO_EX_DATA_FUNCS, (st))
 #define sk_CRYPTO_EX_DATA_FUNCS_new_null() SKM_sk_new_null(CRYPTO_EX_DATA_FUNCS)
@@ -443,6 +458,7 @@ STACK_OF(type) \
 #define sk_CRYPTO_EX_DATA_FUNCS_shift(st) SKM_sk_shift(CRYPTO_EX_DATA_FUNCS, (st))
 #define sk_CRYPTO_EX_DATA_FUNCS_pop(st) SKM_sk_pop(CRYPTO_EX_DATA_FUNCS, (st))
 #define sk_CRYPTO_EX_DATA_FUNCS_sort(st) SKM_sk_sort(CRYPTO_EX_DATA_FUNCS, (st))
+#define sk_CRYPTO_EX_DATA_FUNCS_is_sorted(st) SKM_sk_is_sorted(CRYPTO_EX_DATA_FUNCS, (st))
 #define sk_CRYPTO_dynlock_new(st) SKM_sk_new(CRYPTO_dynlock, (st))
 #define sk_CRYPTO_dynlock_new_null() SKM_sk_new_null(CRYPTO_dynlock)
@@ -463,6 +479,7 @@ STACK_OF(type) \
 #define sk_CRYPTO_dynlock_shift(st) SKM_sk_shift(CRYPTO_dynlock, (st))
 #define sk_CRYPTO_dynlock_pop(st) SKM_sk_pop(CRYPTO_dynlock, (st))
 #define sk_CRYPTO_dynlock_sort(st) SKM_sk_sort(CRYPTO_dynlock, (st))
+#define sk_CRYPTO_dynlock_is_sorted(st) SKM_sk_is_sorted(CRYPTO_dynlock, (st))
 #define sk_DIST_POINT_new(st) SKM_sk_new(DIST_POINT, (st))
 #define sk_DIST_POINT_new_null() SKM_sk_new_null(DIST_POINT)
@@ -483,6 +500,7 @@ STACK_OF(type) \
 #define sk_DIST_POINT_shift(st) SKM_sk_shift(DIST_POINT, (st))
 #define sk_DIST_POINT_pop(st) SKM_sk_pop(DIST_POINT, (st))
 #define sk_DIST_POINT_sort(st) SKM_sk_sort(DIST_POINT, (st))
+#define sk_DIST_POINT_is_sorted(st) SKM_sk_is_sorted(DIST_POINT, (st))
 #define sk_ENGINE_new(st) SKM_sk_new(ENGINE, (st))
 #define sk_ENGINE_new_null() SKM_sk_new_null(ENGINE)
@@ -503,6 +521,7 @@ STACK_OF(type) \
 #define sk_ENGINE_shift(st) SKM_sk_shift(ENGINE, (st))
 #define sk_ENGINE_pop(st) SKM_sk_pop(ENGINE, (st))
 #define sk_ENGINE_sort(st) SKM_sk_sort(ENGINE, (st))
+#define sk_ENGINE_is_sorted(st) SKM_sk_is_sorted(ENGINE, (st))
 #define sk_ENGINE_CLEANUP_ITEM_new(st) SKM_sk_new(ENGINE_CLEANUP_ITEM, (st))
 #define sk_ENGINE_CLEANUP_ITEM_new_null() SKM_sk_new_null(ENGINE_CLEANUP_ITEM)
@@ -523,6 +542,7 @@ STACK_OF(type) \
 #define sk_ENGINE_CLEANUP_ITEM_shift(st) SKM_sk_shift(ENGINE_CLEANUP_ITEM, (st))
 #define sk_ENGINE_CLEANUP_ITEM_pop(st) SKM_sk_pop(ENGINE_CLEANUP_ITEM, (st))
 #define sk_ENGINE_CLEANUP_ITEM_sort(st) SKM_sk_sort(ENGINE_CLEANUP_ITEM, (st))
+#define sk_ENGINE_CLEANUP_ITEM_is_sorted(st) SKM_sk_is_sorted(ENGINE_CLEANUP_ITEM, (st))
 #define sk_GENERAL_NAME_new(st) SKM_sk_new(GENERAL_NAME, (st))
 #define sk_GENERAL_NAME_new_null() SKM_sk_new_null(GENERAL_NAME)
@@ -543,6 +563,7 @@ STACK_OF(type) \
 #define sk_GENERAL_NAME_shift(st) SKM_sk_shift(GENERAL_NAME, (st))
 #define sk_GENERAL_NAME_pop(st) SKM_sk_pop(GENERAL_NAME, (st))
 #define sk_GENERAL_NAME_sort(st) SKM_sk_sort(GENERAL_NAME, (st))
+#define sk_GENERAL_NAME_is_sorted(st) SKM_sk_is_sorted(GENERAL_NAME, (st))
 #define sk_KRB5_APREQBODY_new(st) SKM_sk_new(KRB5_APREQBODY, (st))
 #define sk_KRB5_APREQBODY_new_null() SKM_sk_new_null(KRB5_APREQBODY)
@@ -563,6 +584,7 @@ STACK_OF(type) \
 #define sk_KRB5_APREQBODY_shift(st) SKM_sk_shift(KRB5_APREQBODY, (st))
 #define sk_KRB5_APREQBODY_pop(st) SKM_sk_pop(KRB5_APREQBODY, (st))
 #define sk_KRB5_APREQBODY_sort(st) SKM_sk_sort(KRB5_APREQBODY, (st))
+#define sk_KRB5_APREQBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_APREQBODY, (st))
 #define sk_KRB5_AUTHDATA_new(st) SKM_sk_new(KRB5_AUTHDATA, (st))
 #define sk_KRB5_AUTHDATA_new_null() SKM_sk_new_null(KRB5_AUTHDATA)
@@ -583,6 +605,7 @@ STACK_OF(type) \
 #define sk_KRB5_AUTHDATA_shift(st) SKM_sk_shift(KRB5_AUTHDATA, (st))
 #define sk_KRB5_AUTHDATA_pop(st) SKM_sk_pop(KRB5_AUTHDATA, (st))
 #define sk_KRB5_AUTHDATA_sort(st) SKM_sk_sort(KRB5_AUTHDATA, (st))
+#define sk_KRB5_AUTHDATA_is_sorted(st) SKM_sk_is_sorted(KRB5_AUTHDATA, (st))
 #define sk_KRB5_AUTHENTBODY_new(st) SKM_sk_new(KRB5_AUTHENTBODY, (st))
 #define sk_KRB5_AUTHENTBODY_new_null() SKM_sk_new_null(KRB5_AUTHENTBODY)
@@ -603,6 +626,7 @@ STACK_OF(type) \
 #define sk_KRB5_AUTHENTBODY_shift(st) SKM_sk_shift(KRB5_AUTHENTBODY, (st))
 #define sk_KRB5_AUTHENTBODY_pop(st) SKM_sk_pop(KRB5_AUTHENTBODY, (st))
 #define sk_KRB5_AUTHENTBODY_sort(st) SKM_sk_sort(KRB5_AUTHENTBODY, (st))
+#define sk_KRB5_AUTHENTBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_AUTHENTBODY, (st))
 #define sk_KRB5_CHECKSUM_new(st) SKM_sk_new(KRB5_CHECKSUM, (st))
 #define sk_KRB5_CHECKSUM_new_null() SKM_sk_new_null(KRB5_CHECKSUM)
@@ -623,6 +647,7 @@ STACK_OF(type) \
 #define sk_KRB5_CHECKSUM_shift(st) SKM_sk_shift(KRB5_CHECKSUM, (st))
 #define sk_KRB5_CHECKSUM_pop(st) SKM_sk_pop(KRB5_CHECKSUM, (st))
 #define sk_KRB5_CHECKSUM_sort(st) SKM_sk_sort(KRB5_CHECKSUM, (st))
+#define sk_KRB5_CHECKSUM_is_sorted(st) SKM_sk_is_sorted(KRB5_CHECKSUM, (st))
 #define sk_KRB5_ENCDATA_new(st) SKM_sk_new(KRB5_ENCDATA, (st))
 #define sk_KRB5_ENCDATA_new_null() SKM_sk_new_null(KRB5_ENCDATA)
@@ -643,6 +668,7 @@ STACK_OF(type) \
 #define sk_KRB5_ENCDATA_shift(st) SKM_sk_shift(KRB5_ENCDATA, (st))
 #define sk_KRB5_ENCDATA_pop(st) SKM_sk_pop(KRB5_ENCDATA, (st))
 #define sk_KRB5_ENCDATA_sort(st) SKM_sk_sort(KRB5_ENCDATA, (st))
+#define sk_KRB5_ENCDATA_is_sorted(st) SKM_sk_is_sorted(KRB5_ENCDATA, (st))
 #define sk_KRB5_ENCKEY_new(st) SKM_sk_new(KRB5_ENCKEY, (st))
 #define sk_KRB5_ENCKEY_new_null() SKM_sk_new_null(KRB5_ENCKEY)
@@ -663,6 +689,7 @@ STACK_OF(type) \
 #define sk_KRB5_ENCKEY_shift(st) SKM_sk_shift(KRB5_ENCKEY, (st))
 #define sk_KRB5_ENCKEY_pop(st) SKM_sk_pop(KRB5_ENCKEY, (st))
 #define sk_KRB5_ENCKEY_sort(st) SKM_sk_sort(KRB5_ENCKEY, (st))
+#define sk_KRB5_ENCKEY_is_sorted(st) SKM_sk_is_sorted(KRB5_ENCKEY, (st))
 #define sk_KRB5_PRINCNAME_new(st) SKM_sk_new(KRB5_PRINCNAME, (st))
 #define sk_KRB5_PRINCNAME_new_null() SKM_sk_new_null(KRB5_PRINCNAME)
@@ -683,6 +710,7 @@ STACK_OF(type) \
 #define sk_KRB5_PRINCNAME_shift(st) SKM_sk_shift(KRB5_PRINCNAME, (st))
 #define sk_KRB5_PRINCNAME_pop(st) SKM_sk_pop(KRB5_PRINCNAME, (st))
 #define sk_KRB5_PRINCNAME_sort(st) SKM_sk_sort(KRB5_PRINCNAME, (st))
+#define sk_KRB5_PRINCNAME_is_sorted(st) SKM_sk_is_sorted(KRB5_PRINCNAME, (st))
 #define sk_KRB5_TKTBODY_new(st) SKM_sk_new(KRB5_TKTBODY, (st))
 #define sk_KRB5_TKTBODY_new_null() SKM_sk_new_null(KRB5_TKTBODY)
@@ -703,6 +731,7 @@ STACK_OF(type) \
 #define sk_KRB5_TKTBODY_shift(st) SKM_sk_shift(KRB5_TKTBODY, (st))
 #define sk_KRB5_TKTBODY_pop(st) SKM_sk_pop(KRB5_TKTBODY, (st))
 #define sk_KRB5_TKTBODY_sort(st) SKM_sk_sort(KRB5_TKTBODY, (st))
+#define sk_KRB5_TKTBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_TKTBODY, (st))
 #define sk_MIME_HEADER_new(st) SKM_sk_new(MIME_HEADER, (st))
 #define sk_MIME_HEADER_new_null() SKM_sk_new_null(MIME_HEADER)
@@ -723,6 +752,7 @@ STACK_OF(type) \
 #define sk_MIME_HEADER_shift(st) SKM_sk_shift(MIME_HEADER, (st))
 #define sk_MIME_HEADER_pop(st) SKM_sk_pop(MIME_HEADER, (st))
 #define sk_MIME_HEADER_sort(st) SKM_sk_sort(MIME_HEADER, (st))
+#define sk_MIME_HEADER_is_sorted(st) SKM_sk_is_sorted(MIME_HEADER, (st))
 #define sk_MIME_PARAM_new(st) SKM_sk_new(MIME_PARAM, (st))
 #define sk_MIME_PARAM_new_null() SKM_sk_new_null(MIME_PARAM)
@@ -743,6 +773,7 @@ STACK_OF(type) \
 #define sk_MIME_PARAM_shift(st) SKM_sk_shift(MIME_PARAM, (st))
 #define sk_MIME_PARAM_pop(st) SKM_sk_pop(MIME_PARAM, (st))
 #define sk_MIME_PARAM_sort(st) SKM_sk_sort(MIME_PARAM, (st))
+#define sk_MIME_PARAM_is_sorted(st) SKM_sk_is_sorted(MIME_PARAM, (st))
 #define sk_NAME_FUNCS_new(st) SKM_sk_new(NAME_FUNCS, (st))
 #define sk_NAME_FUNCS_new_null() SKM_sk_new_null(NAME_FUNCS)
@@ -763,6 +794,7 @@ STACK_OF(type) \
 #define sk_NAME_FUNCS_shift(st) SKM_sk_shift(NAME_FUNCS, (st))
 #define sk_NAME_FUNCS_pop(st) SKM_sk_pop(NAME_FUNCS, (st))
 #define sk_NAME_FUNCS_sort(st) SKM_sk_sort(NAME_FUNCS, (st))
+#define sk_NAME_FUNCS_is_sorted(st) SKM_sk_is_sorted(NAME_FUNCS, (st))
 #define sk_OCSP_CERTID_new(st) SKM_sk_new(OCSP_CERTID, (st))
 #define sk_OCSP_CERTID_new_null() SKM_sk_new_null(OCSP_CERTID)
@@ -783,6 +815,7 @@ STACK_OF(type) \
 #define sk_OCSP_CERTID_shift(st) SKM_sk_shift(OCSP_CERTID, (st))
 #define sk_OCSP_CERTID_pop(st) SKM_sk_pop(OCSP_CERTID, (st))
 #define sk_OCSP_CERTID_sort(st) SKM_sk_sort(OCSP_CERTID, (st))
+#define sk_OCSP_CERTID_is_sorted(st) SKM_sk_is_sorted(OCSP_CERTID, (st))
 #define sk_OCSP_ONEREQ_new(st) SKM_sk_new(OCSP_ONEREQ, (st))
 #define sk_OCSP_ONEREQ_new_null() SKM_sk_new_null(OCSP_ONEREQ)
@@ -803,6 +836,7 @@ STACK_OF(type) \
 #define sk_OCSP_ONEREQ_shift(st) SKM_sk_shift(OCSP_ONEREQ, (st))
 #define sk_OCSP_ONEREQ_pop(st) SKM_sk_pop(OCSP_ONEREQ, (st))
 #define sk_OCSP_ONEREQ_sort(st) SKM_sk_sort(OCSP_ONEREQ, (st))
+#define sk_OCSP_ONEREQ_is_sorted(st) SKM_sk_is_sorted(OCSP_ONEREQ, (st))
 #define sk_OCSP_SINGLERESP_new(st) SKM_sk_new(OCSP_SINGLERESP, (st))
 #define sk_OCSP_SINGLERESP_new_null() SKM_sk_new_null(OCSP_SINGLERESP)
@@ -823,6 +857,7 @@ STACK_OF(type) \
 #define sk_OCSP_SINGLERESP_shift(st) SKM_sk_shift(OCSP_SINGLERESP, (st))
 #define sk_OCSP_SINGLERESP_pop(st) SKM_sk_pop(OCSP_SINGLERESP, (st))
 #define sk_OCSP_SINGLERESP_sort(st) SKM_sk_sort(OCSP_SINGLERESP, (st))
+#define sk_OCSP_SINGLERESP_is_sorted(st) SKM_sk_is_sorted(OCSP_SINGLERESP, (st))
 #define sk_PKCS12_SAFEBAG_new(st) SKM_sk_new(PKCS12_SAFEBAG, (st))
 #define sk_PKCS12_SAFEBAG_new_null() SKM_sk_new_null(PKCS12_SAFEBAG)
@@ -843,6 +878,7 @@ STACK_OF(type) \
 #define sk_PKCS12_SAFEBAG_shift(st) SKM_sk_shift(PKCS12_SAFEBAG, (st))
 #define sk_PKCS12_SAFEBAG_pop(st) SKM_sk_pop(PKCS12_SAFEBAG, (st))
 #define sk_PKCS12_SAFEBAG_sort(st) SKM_sk_sort(PKCS12_SAFEBAG, (st))
+#define sk_PKCS12_SAFEBAG_is_sorted(st) SKM_sk_is_sorted(PKCS12_SAFEBAG, (st))
 #define sk_PKCS7_new(st) SKM_sk_new(PKCS7, (st))
 #define sk_PKCS7_new_null() SKM_sk_new_null(PKCS7)
@@ -863,6 +899,7 @@ STACK_OF(type) \
 #define sk_PKCS7_shift(st) SKM_sk_shift(PKCS7, (st))
 #define sk_PKCS7_pop(st) SKM_sk_pop(PKCS7, (st))
 #define sk_PKCS7_sort(st) SKM_sk_sort(PKCS7, (st))
+#define sk_PKCS7_is_sorted(st) SKM_sk_is_sorted(PKCS7, (st))
 #define sk_PKCS7_RECIP_INFO_new(st) SKM_sk_new(PKCS7_RECIP_INFO, (st))
 #define sk_PKCS7_RECIP_INFO_new_null() SKM_sk_new_null(PKCS7_RECIP_INFO)
@@ -883,6 +920,7 @@ STACK_OF(type) \
 #define sk_PKCS7_RECIP_INFO_shift(st) SKM_sk_shift(PKCS7_RECIP_INFO, (st))
 #define sk_PKCS7_RECIP_INFO_pop(st) SKM_sk_pop(PKCS7_RECIP_INFO, (st))
 #define sk_PKCS7_RECIP_INFO_sort(st) SKM_sk_sort(PKCS7_RECIP_INFO, (st))
+#define sk_PKCS7_RECIP_INFO_is_sorted(st) SKM_sk_is_sorted(PKCS7_RECIP_INFO, (st))
 #define sk_PKCS7_SIGNER_INFO_new(st) SKM_sk_new(PKCS7_SIGNER_INFO, (st))
 #define sk_PKCS7_SIGNER_INFO_new_null() SKM_sk_new_null(PKCS7_SIGNER_INFO)
@@ -903,6 +941,7 @@ STACK_OF(type) \
 #define sk_PKCS7_SIGNER_INFO_shift(st) SKM_sk_shift(PKCS7_SIGNER_INFO, (st))
 #define sk_PKCS7_SIGNER_INFO_pop(st) SKM_sk_pop(PKCS7_SIGNER_INFO, (st))
 #define sk_PKCS7_SIGNER_INFO_sort(st) SKM_sk_sort(PKCS7_SIGNER_INFO, (st))
+#define sk_PKCS7_SIGNER_INFO_is_sorted(st) SKM_sk_is_sorted(PKCS7_SIGNER_INFO, (st))
 #define sk_POLICYINFO_new(st) SKM_sk_new(POLICYINFO, (st))
 #define sk_POLICYINFO_new_null() SKM_sk_new_null(POLICYINFO)
@@ -923,6 +962,7 @@ STACK_OF(type) \
 #define sk_POLICYINFO_shift(st) SKM_sk_shift(POLICYINFO, (st))
 #define sk_POLICYINFO_pop(st) SKM_sk_pop(POLICYINFO, (st))
 #define sk_POLICYINFO_sort(st) SKM_sk_sort(POLICYINFO, (st))
+#define sk_POLICYINFO_is_sorted(st) SKM_sk_is_sorted(POLICYINFO, (st))
 #define sk_POLICYQUALINFO_new(st) SKM_sk_new(POLICYQUALINFO, (st))
 #define sk_POLICYQUALINFO_new_null() SKM_sk_new_null(POLICYQUALINFO)
@@ -943,6 +983,7 @@ STACK_OF(type) \
 #define sk_POLICYQUALINFO_shift(st) SKM_sk_shift(POLICYQUALINFO, (st))
 #define sk_POLICYQUALINFO_pop(st) SKM_sk_pop(POLICYQUALINFO, (st))
 #define sk_POLICYQUALINFO_sort(st) SKM_sk_sort(POLICYQUALINFO, (st))
+#define sk_POLICYQUALINFO_is_sorted(st) SKM_sk_is_sorted(POLICYQUALINFO, (st))
 #define sk_SSL_CIPHER_new(st) SKM_sk_new(SSL_CIPHER, (st))
 #define sk_SSL_CIPHER_new_null() SKM_sk_new_null(SSL_CIPHER)
@@ -963,6 +1004,7 @@ STACK_OF(type) \
 #define sk_SSL_CIPHER_shift(st) SKM_sk_shift(SSL_CIPHER, (st))
 #define sk_SSL_CIPHER_pop(st) SKM_sk_pop(SSL_CIPHER, (st))
 #define sk_SSL_CIPHER_sort(st) SKM_sk_sort(SSL_CIPHER, (st))
+#define sk_SSL_CIPHER_is_sorted(st) SKM_sk_is_sorted(SSL_CIPHER, (st))
 #define sk_SSL_COMP_new(st) SKM_sk_new(SSL_COMP, (st))
 #define sk_SSL_COMP_new_null() SKM_sk_new_null(SSL_COMP)
@@ -983,6 +1025,7 @@ STACK_OF(type) \
 #define sk_SSL_COMP_shift(st) SKM_sk_shift(SSL_COMP, (st))
 #define sk_SSL_COMP_pop(st) SKM_sk_pop(SSL_COMP, (st))
 #define sk_SSL_COMP_sort(st) SKM_sk_sort(SSL_COMP, (st))
+#define sk_SSL_COMP_is_sorted(st) SKM_sk_is_sorted(SSL_COMP, (st))
 #define sk_SXNETID_new(st) SKM_sk_new(SXNETID, (st))
 #define sk_SXNETID_new_null() SKM_sk_new_null(SXNETID)
@@ -1003,6 +1046,7 @@ STACK_OF(type) \
 #define sk_SXNETID_shift(st) SKM_sk_shift(SXNETID, (st))
 #define sk_SXNETID_pop(st) SKM_sk_pop(SXNETID, (st))
 #define sk_SXNETID_sort(st) SKM_sk_sort(SXNETID, (st))
+#define sk_SXNETID_is_sorted(st) SKM_sk_is_sorted(SXNETID, (st))
 #define sk_UI_STRING_new(st) SKM_sk_new(UI_STRING, (st))
 #define sk_UI_STRING_new_null() SKM_sk_new_null(UI_STRING)
@@ -1023,6 +1067,7 @@ STACK_OF(type) \
 #define sk_UI_STRING_shift(st) SKM_sk_shift(UI_STRING, (st))
 #define sk_UI_STRING_pop(st) SKM_sk_pop(UI_STRING, (st))
 #define sk_UI_STRING_sort(st) SKM_sk_sort(UI_STRING, (st))
+#define sk_UI_STRING_is_sorted(st) SKM_sk_is_sorted(UI_STRING, (st))
 #define sk_X509_new(st) SKM_sk_new(X509, (st))
 #define sk_X509_new_null() SKM_sk_new_null(X509)
@@ -1043,6 +1088,7 @@ STACK_OF(type) \
 #define sk_X509_shift(st) SKM_sk_shift(X509, (st))
 #define sk_X509_pop(st) SKM_sk_pop(X509, (st))
 #define sk_X509_sort(st) SKM_sk_sort(X509, (st))
+#define sk_X509_is_sorted(st) SKM_sk_is_sorted(X509, (st))
 #define sk_X509V3_EXT_METHOD_new(st) SKM_sk_new(X509V3_EXT_METHOD, (st))
 #define sk_X509V3_EXT_METHOD_new_null() SKM_sk_new_null(X509V3_EXT_METHOD)
@@ -1063,6 +1109,7 @@ STACK_OF(type) \
 #define sk_X509V3_EXT_METHOD_shift(st) SKM_sk_shift(X509V3_EXT_METHOD, (st))
 #define sk_X509V3_EXT_METHOD_pop(st) SKM_sk_pop(X509V3_EXT_METHOD, (st))
 #define sk_X509V3_EXT_METHOD_sort(st) SKM_sk_sort(X509V3_EXT_METHOD, (st))
+#define sk_X509V3_EXT_METHOD_is_sorted(st) SKM_sk_is_sorted(X509V3_EXT_METHOD, (st))
 #define sk_X509_ALGOR_new(st) SKM_sk_new(X509_ALGOR, (st))
 #define sk_X509_ALGOR_new_null() SKM_sk_new_null(X509_ALGOR)
@@ -1083,6 +1130,7 @@ STACK_OF(type) \
 #define sk_X509_ALGOR_shift(st) SKM_sk_shift(X509_ALGOR, (st))
 #define sk_X509_ALGOR_pop(st) SKM_sk_pop(X509_ALGOR, (st))
 #define sk_X509_ALGOR_sort(st) SKM_sk_sort(X509_ALGOR, (st))
+#define sk_X509_ALGOR_is_sorted(st) SKM_sk_is_sorted(X509_ALGOR, (st))
 #define sk_X509_ATTRIBUTE_new(st) SKM_sk_new(X509_ATTRIBUTE, (st))
 #define sk_X509_ATTRIBUTE_new_null() SKM_sk_new_null(X509_ATTRIBUTE)
@@ -1103,6 +1151,7 @@ STACK_OF(type) \
 #define sk_X509_ATTRIBUTE_shift(st) SKM_sk_shift(X509_ATTRIBUTE, (st))
 #define sk_X509_ATTRIBUTE_pop(st) SKM_sk_pop(X509_ATTRIBUTE, (st))
 #define sk_X509_ATTRIBUTE_sort(st) SKM_sk_sort(X509_ATTRIBUTE, (st))
+#define sk_X509_ATTRIBUTE_is_sorted(st) SKM_sk_is_sorted(X509_ATTRIBUTE, (st))
 #define sk_X509_CRL_new(st) SKM_sk_new(X509_CRL, (st))
 #define sk_X509_CRL_new_null() SKM_sk_new_null(X509_CRL)
@@ -1123,6 +1172,7 @@ STACK_OF(type) \
 #define sk_X509_CRL_shift(st) SKM_sk_shift(X509_CRL, (st))
 #define sk_X509_CRL_pop(st) SKM_sk_pop(X509_CRL, (st))
 #define sk_X509_CRL_sort(st) SKM_sk_sort(X509_CRL, (st))
+#define sk_X509_CRL_is_sorted(st) SKM_sk_is_sorted(X509_CRL, (st))
 #define sk_X509_EXTENSION_new(st) SKM_sk_new(X509_EXTENSION, (st))
 #define sk_X509_EXTENSION_new_null() SKM_sk_new_null(X509_EXTENSION)
@@ -1143,6 +1193,7 @@ STACK_OF(type) \
 #define sk_X509_EXTENSION_shift(st) SKM_sk_shift(X509_EXTENSION, (st))
 #define sk_X509_EXTENSION_pop(st) SKM_sk_pop(X509_EXTENSION, (st))
 #define sk_X509_EXTENSION_sort(st) SKM_sk_sort(X509_EXTENSION, (st))
+#define sk_X509_EXTENSION_is_sorted(st) SKM_sk_is_sorted(X509_EXTENSION, (st))
 #define sk_X509_INFO_new(st) SKM_sk_new(X509_INFO, (st))
 #define sk_X509_INFO_new_null() SKM_sk_new_null(X509_INFO)
@@ -1163,6 +1214,7 @@ STACK_OF(type) \
 #define sk_X509_INFO_shift(st) SKM_sk_shift(X509_INFO, (st))
 #define sk_X509_INFO_pop(st) SKM_sk_pop(X509_INFO, (st))
 #define sk_X509_INFO_sort(st) SKM_sk_sort(X509_INFO, (st))
+#define sk_X509_INFO_is_sorted(st) SKM_sk_is_sorted(X509_INFO, (st))
 #define sk_X509_LOOKUP_new(st) SKM_sk_new(X509_LOOKUP, (st))
 #define sk_X509_LOOKUP_new_null() SKM_sk_new_null(X509_LOOKUP)
@@ -1183,6 +1235,7 @@ STACK_OF(type) \
 #define sk_X509_LOOKUP_shift(st) SKM_sk_shift(X509_LOOKUP, (st))
 #define sk_X509_LOOKUP_pop(st) SKM_sk_pop(X509_LOOKUP, (st))
 #define sk_X509_LOOKUP_sort(st) SKM_sk_sort(X509_LOOKUP, (st))
+#define sk_X509_LOOKUP_is_sorted(st) SKM_sk_is_sorted(X509_LOOKUP, (st))
 #define sk_X509_NAME_new(st) SKM_sk_new(X509_NAME, (st))
 #define sk_X509_NAME_new_null() SKM_sk_new_null(X509_NAME)
@@ -1203,6 +1256,7 @@ STACK_OF(type) \
 #define sk_X509_NAME_shift(st) SKM_sk_shift(X509_NAME, (st))
 #define sk_X509_NAME_pop(st) SKM_sk_pop(X509_NAME, (st))
 #define sk_X509_NAME_sort(st) SKM_sk_sort(X509_NAME, (st))
+#define sk_X509_NAME_is_sorted(st) SKM_sk_is_sorted(X509_NAME, (st))
 #define sk_X509_NAME_ENTRY_new(st) SKM_sk_new(X509_NAME_ENTRY, (st))
 #define sk_X509_NAME_ENTRY_new_null() SKM_sk_new_null(X509_NAME_ENTRY)
@@ -1223,6 +1277,7 @@ STACK_OF(type) \
 #define sk_X509_NAME_ENTRY_shift(st) SKM_sk_shift(X509_NAME_ENTRY, (st))
 #define sk_X509_NAME_ENTRY_pop(st) SKM_sk_pop(X509_NAME_ENTRY, (st))
 #define sk_X509_NAME_ENTRY_sort(st) SKM_sk_sort(X509_NAME_ENTRY, (st))
+#define sk_X509_NAME_ENTRY_is_sorted(st) SKM_sk_is_sorted(X509_NAME_ENTRY, (st))
 #define sk_X509_OBJECT_new(st) SKM_sk_new(X509_OBJECT, (st))
 #define sk_X509_OBJECT_new_null() SKM_sk_new_null(X509_OBJECT)
@@ -1243,6 +1298,7 @@ STACK_OF(type) \
 #define sk_X509_OBJECT_shift(st) SKM_sk_shift(X509_OBJECT, (st))
 #define sk_X509_OBJECT_pop(st) SKM_sk_pop(X509_OBJECT, (st))
 #define sk_X509_OBJECT_sort(st) SKM_sk_sort(X509_OBJECT, (st))
+#define sk_X509_OBJECT_is_sorted(st) SKM_sk_is_sorted(X509_OBJECT, (st))
 #define sk_X509_PURPOSE_new(st) SKM_sk_new(X509_PURPOSE, (st))
 #define sk_X509_PURPOSE_new_null() SKM_sk_new_null(X509_PURPOSE)
@@ -1263,6 +1319,7 @@ STACK_OF(type) \
 #define sk_X509_PURPOSE_shift(st) SKM_sk_shift(X509_PURPOSE, (st))
 #define sk_X509_PURPOSE_pop(st) SKM_sk_pop(X509_PURPOSE, (st))
 #define sk_X509_PURPOSE_sort(st) SKM_sk_sort(X509_PURPOSE, (st))
+#define sk_X509_PURPOSE_is_sorted(st) SKM_sk_is_sorted(X509_PURPOSE, (st))
 #define sk_X509_REVOKED_new(st) SKM_sk_new(X509_REVOKED, (st))
 #define sk_X509_REVOKED_new_null() SKM_sk_new_null(X509_REVOKED)
@@ -1283,6 +1340,7 @@ STACK_OF(type) \
 #define sk_X509_REVOKED_shift(st) SKM_sk_shift(X509_REVOKED, (st))
 #define sk_X509_REVOKED_pop(st) SKM_sk_pop(X509_REVOKED, (st))
 #define sk_X509_REVOKED_sort(st) SKM_sk_sort(X509_REVOKED, (st))
+#define sk_X509_REVOKED_is_sorted(st) SKM_sk_is_sorted(X509_REVOKED, (st))
 #define sk_X509_TRUST_new(st) SKM_sk_new(X509_TRUST, (st))
 #define sk_X509_TRUST_new_null() SKM_sk_new_null(X509_TRUST)
@@ -1303,6 +1361,7 @@ STACK_OF(type) \
 #define sk_X509_TRUST_shift(st) SKM_sk_shift(X509_TRUST, (st))
 #define sk_X509_TRUST_pop(st) SKM_sk_pop(X509_TRUST, (st))
 #define sk_X509_TRUST_sort(st) SKM_sk_sort(X509_TRUST, (st))
+#define sk_X509_TRUST_is_sorted(st) SKM_sk_is_sorted(X509_TRUST, (st))
 #define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
        SKM_ASN1_SET_OF_d2i(ACCESS_DESCRIPTION, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) 
diff --git a/src/lib/libcrypto/stack/stack.c b/src/lib/libcrypto/stack/stack.c
index 2496f28a8c..c7173eb6ab 100644
--- a/src/lib/libcrypto/stack/stack.c
+++ b/src/lib/libcrypto/stack/stack.c
@@ -191,8 +191,7 @@ char *sk_delete(STACK *st, int loc)
        char *ret;
        int i,j;
-        if ((st == NULL) || (st->num == 0) || (loc < 0)
+        if(!st || (loc < 0) || (loc >= st->num)) return NULL;
-                                         || (loc >= st->num)) return(NULL);
        ret=st->data[loc];
        if (loc != st->num-1)
@@ -306,13 +305,13 @@ int sk_num(const STACK *st)
 char *sk_value(const STACK *st, int i)
 {
-        if(st == NULL) return NULL;
+        if(!st || (i < 0) || (i >= st->num)) return NULL;
        return st->data[i];
 }
 char *sk_set(STACK *st, int i, char *value)
 {
-        if(st == NULL) return NULL;
+        if(!st || (i < 0) || (i >= st->num)) return NULL;
        return (st->data[i] = value);
 }
@@ -332,3 +331,10 @@ void sk_sort(STACK *st)
                st->sorted=1;
                }
        }
+int sk_is_sorted(const STACK *st)
+        {
+        if (!st)
+                return 1;
+        return st->sorted;
+        }
diff --git a/src/lib/libcrypto/stack/stack.h b/src/lib/libcrypto/stack/stack.h
index 8b436ca4b9..7570b85fe8 100644
--- a/src/lib/libcrypto/stack/stack.h
+++ b/src/lib/libcrypto/stack/stack.h
@@ -99,6 +99,7 @@ int (*sk_set_cmp_func(STACK *sk, int (*c)(const char * const *,
                        (const char * const *, const char * const *);
 STACK *sk_dup(STACK *st);
 void sk_sort(STACK *st);
+int sk_is_sorted(const STACK *st);
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/util/cygwin.sh b/src/lib/libcrypto/util/cygwin.sh
index 930f766b4f..7f791d47f4 100644
--- a/src/lib/libcrypto/util/cygwin.sh
+++ b/src/lib/libcrypto/util/cygwin.sh
@@ -21,11 +21,11 @@ function cleanup()
 function get_openssl_version()
 {
-  eval `grep '^VERSION=' Makefile.ssl`
+  eval `grep '^VERSION=' Makefile`
  if [ -z "${VERSION}" ]
  then
-    echo "Error: Couldn't retrieve OpenSSL version from Makefile.ssl."
+    echo "Error: Couldn't retrieve OpenSSL version from Makefile."
-    echo "       Check value of variable VERSION in Makefile.ssl."
+    echo "       Check value of variable VERSION in Makefile."
    exit 1
  fi
 }
@@ -39,7 +39,7 @@ function base_install()
 function doc_install()
 {
-  DOC_DIR=${INSTALL_PREFIX}/usr/doc/openssl
+  DOC_DIR=${INSTALL_PREFIX}/usr/share/doc/openssl
  mkdir -p ${DOC_DIR}
  cp CHANGES CHANGES.SSLeay INSTALL LICENSE NEWS README ${DOC_DIR}
@@ -49,7 +49,7 @@ function doc_install()
 function create_cygwin_readme()
 {
-  README_DIR=${INSTALL_PREFIX}/usr/doc/Cygwin
+  README_DIR=${INSTALL_PREFIX}/usr/share/doc/Cygwin
  README_FILE=${README_DIR}/openssl-${VERSION}.README
  mkdir -p ${README_DIR}
@@ -112,8 +112,8 @@ cd ${INSTALL_PREFIX}
 strip usr/bin/*.exe usr/bin/*.dll
 # Runtime package
-find etc usr/bin usr/doc usr/ssl/certs usr/ssl/man/man[157] usr/ssl/misc \
+find etc usr/bin usr/share/doc usr/ssl/certs usr/ssl/man/man[157] \
-     usr/ssl/openssl.cnf usr/ssl/private -empty -o \! -type d |
+     usr/ssl/misc usr/ssl/openssl.cnf usr/ssl/private -empty -o \! -type d |
 tar cjfT openssl-${VERSION}-${SUBVERSION}.tar.bz2 -
 # Development package
 find usr/include usr/lib usr/ssl/man/man3 -empty -o \! -type d |
diff --git a/src/lib/libcrypto/util/domd b/src/lib/libcrypto/util/domd
index 49310bbdd1..5610521f0b 100644
--- a/src/lib/libcrypto/util/domd
+++ b/src/lib/libcrypto/util/domd
@@ -11,7 +11,7 @@ if [ "$1" = "-MD" ]; then
 fi
 if [ "$MAKEDEPEND" = "" ]; then MAKEDEPEND=makedepend; fi
-cp Makefile.ssl Makefile.save
+cp Makefile Makefile.save
 # fake the presence of Kerberos
 touch $TOP/krb5.h
 if [ "$MAKEDEPEND" = "gcc" ]; then
@@ -20,15 +20,15 @@ if [ "$MAKEDEPEND" = "gcc" ]; then
        if [ "$1" != "--" ]; then args="$args $1"; fi
        shift
    done
-    sed -e '/^# DO NOT DELETE.*/,$d' < Makefile.ssl > Makefile.tmp
+    sed -e '/^# DO NOT DELETE.*/,$d' < Makefile > Makefile.tmp
    echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp
    gcc -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp
    ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new
    rm -f Makefile.tmp
 else
-    ${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND -f Makefile.ssl $@
+    ${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND -f Makefile $@
-    ${PERL} $TOP/util/clean-depend.pl < Makefile.ssl > Makefile.new
+    ${PERL} $TOP/util/clean-depend.pl < Makefile > Makefile.new
 fi
-mv Makefile.new Makefile.ssl
+mv Makefile.new Makefile
 # unfake the presence of Kerberos
 rm $TOP/krb5.h
diff --git a/src/lib/libcrypto/util/libeay.num b/src/lib/libcrypto/util/libeay.num
index 203c7713e7..56fb7446e0 100644
--- a/src/lib/libcrypto/util/libeay.num
+++ b/src/lib/libcrypto/util/libeay.num
@@ -284,20 +284,20 @@ EVP_add_alias                           291	NOEXIST::FUNCTION:
 EVP_add_cipher                          292     EXIST::FUNCTION:
 EVP_add_digest                          293     EXIST::FUNCTION:
 EVP_bf_cbc                              294     EXIST::FUNCTION:BF
-EVP_bf_cfb                              295     EXIST::FUNCTION:BF
+EVP_bf_cfb64                            295     EXIST::FUNCTION:BF
 EVP_bf_ecb                              296     EXIST::FUNCTION:BF
 EVP_bf_ofb                              297     EXIST::FUNCTION:BF
 EVP_cleanup                             298     EXIST::FUNCTION:
 EVP_des_cbc                             299     EXIST::FUNCTION:DES
-EVP_des_cfb                             300     EXIST::FUNCTION:DES
+EVP_des_cfb64                           300     EXIST::FUNCTION:DES
 EVP_des_ecb                             301     EXIST::FUNCTION:DES
 EVP_des_ede                             302     EXIST::FUNCTION:DES
 EVP_des_ede3                            303     EXIST::FUNCTION:DES
 EVP_des_ede3_cbc                        304     EXIST::FUNCTION:DES
-EVP_des_ede3_cfb                        305     EXIST::FUNCTION:DES
+EVP_des_ede3_cfb64                      305     EXIST::FUNCTION:DES
 EVP_des_ede3_ofb                        306     EXIST::FUNCTION:DES
 EVP_des_ede_cbc                         307     EXIST::FUNCTION:DES
-EVP_des_ede_cfb                         308     EXIST::FUNCTION:DES
+EVP_des_ede_cfb64                       308     EXIST::FUNCTION:DES
 EVP_des_ede_ofb                         309     EXIST::FUNCTION:DES
 EVP_des_ofb                             310     EXIST::FUNCTION:DES
 EVP_desx_cbc                            311     EXIST::FUNCTION:DES
@@ -308,14 +308,14 @@ EVP_get_cipherbyname                    315	EXIST::FUNCTION:
 EVP_get_digestbyname                    316     EXIST::FUNCTION:
 EVP_get_pw_prompt                       317     EXIST::FUNCTION:
 EVP_idea_cbc                            318     EXIST::FUNCTION:IDEA
-EVP_idea_cfb                            319     EXIST::FUNCTION:IDEA
+EVP_idea_cfb64                          319     EXIST::FUNCTION:IDEA
 EVP_idea_ecb                            320     EXIST::FUNCTION:IDEA
 EVP_idea_ofb                            321     EXIST::FUNCTION:IDEA
 EVP_md2                                 322     EXIST::FUNCTION:MD2
 EVP_md5                                 323     EXIST::FUNCTION:MD5
 EVP_md_null                             324     EXIST::FUNCTION:
 EVP_rc2_cbc                             325     EXIST::FUNCTION:RC2
-EVP_rc2_cfb                             326     EXIST::FUNCTION:RC2
+EVP_rc2_cfb64                           326     EXIST::FUNCTION:RC2
 EVP_rc2_ecb                             327     EXIST::FUNCTION:RC2
 EVP_rc2_ofb                             328     EXIST::FUNCTION:RC2
 EVP_rc4                                 329     EXIST::FUNCTION:RC4
@@ -962,7 +962,7 @@ i2t_ASN1_OBJECT                         979	EXIST::FUNCTION:
 BN_BLINDING_new                         980     EXIST::FUNCTION:
 BN_BLINDING_free                        981     EXIST::FUNCTION:
 EVP_cast5_cbc                           983     EXIST::FUNCTION:CAST
-EVP_cast5_cfb                           984     EXIST::FUNCTION:CAST
+EVP_cast5_cfb64                         984     EXIST::FUNCTION:CAST
 EVP_cast5_ecb                           985     EXIST::FUNCTION:CAST
 EVP_cast5_ofb                           986     EXIST::FUNCTION:CAST
 BF_decrypt                              987     EXIST::FUNCTION:BF
@@ -1057,7 +1057,7 @@ EVP_CIPHER_param_to_asn1                1084	EXIST::FUNCTION:
 EVP_CIPHER_get_asn1_iv                  1085    EXIST::FUNCTION:
 EVP_CIPHER_set_asn1_iv                  1086    EXIST::FUNCTION:
 EVP_rc5_32_12_16_cbc                    1087    EXIST::FUNCTION:RC5
-EVP_rc5_32_12_16_cfb                    1088    EXIST::FUNCTION:RC5
+EVP_rc5_32_12_16_cfb64                  1088    EXIST::FUNCTION:RC5
 EVP_rc5_32_12_16_ecb                    1089    EXIST::FUNCTION:RC5
 EVP_rc5_32_12_16_ofb                    1090    EXIST::FUNCTION:RC5
 asn1_add_error                          1091    EXIST::FUNCTION:
@@ -2776,10 +2776,10 @@ ENGINE_load_4758cca                     3218	EXIST::FUNCTION:ENGINE
 _ossl_096_des_random_seed               3219    EXIST::FUNCTION:DES
 EVP_aes_256_ofb                         3220    EXIST::FUNCTION:AES
 EVP_aes_192_ofb                         3221    EXIST::FUNCTION:AES
-EVP_aes_128_cfb                         3222    EXIST::FUNCTION:AES
+EVP_aes_128_cfb128                      3222    EXIST::FUNCTION:AES
-EVP_aes_256_cfb                         3223    EXIST::FUNCTION:AES
+EVP_aes_256_cfb128                      3223    EXIST::FUNCTION:AES
 EVP_aes_128_ofb                         3224    EXIST::FUNCTION:AES
-EVP_aes_192_cfb                         3225    EXIST::FUNCTION:AES
+EVP_aes_192_cfb128                      3225    EXIST::FUNCTION:AES
 CONF_modules_free                       3226    EXIST::FUNCTION:
 NCONF_default                           3227    EXIST::FUNCTION:
 OPENSSL_no_config                       3228    EXIST::FUNCTION:
@@ -2803,3 +2803,67 @@ OpenSSLDie                              3244	EXIST::FUNCTION:
 OPENSSL_cleanse                         3245    EXIST::FUNCTION:
 ENGINE_setup_bsd_cryptodev              3246    EXIST:__FreeBSD__:FUNCTION:ENGINE
 ERR_release_err_state_table             3247    EXIST::FUNCTION:LHASH
+EVP_aes_128_cfb8                        3248    EXIST::FUNCTION:AES
+FIPS_corrupt_rsa                        3249    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_des                       3250    EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_aes_128_cfb1                        3251    EXIST::FUNCTION:AES
+EVP_aes_192_cfb8                        3252    EXIST::FUNCTION:AES
+FIPS_mode_set                           3253    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_dsa                       3254    EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_aes_256_cfb8                        3255    EXIST::FUNCTION:AES
+FIPS_allow_md5                          3256    EXIST:OPENSSL_FIPS:FUNCTION:
+DES_ede3_cfb_encrypt                    3257    EXIST::FUNCTION:DES
+EVP_des_ede3_cfb8                       3258    EXIST::FUNCTION:DES
+FIPS_rand_seeded                        3259    EXIST:OPENSSL_FIPS:FUNCTION:
+AES_cfbr_encrypt_block                  3260    EXIST::FUNCTION:AES
+AES_cfb8_encrypt                        3261    EXIST::FUNCTION:AES
+FIPS_rand_seed                          3262    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_corrupt_des                        3263    EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_aes_192_cfb1                        3264    EXIST::FUNCTION:AES
+FIPS_selftest_aes                       3265    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_set_prng_key                       3266    EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_des_cfb8                            3267    EXIST::FUNCTION:DES
+FIPS_corrupt_dsa                        3268    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_test_mode                          3269    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_rand_method                        3270    EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_aes_256_cfb1                        3271    EXIST::FUNCTION:AES
+ERR_load_FIPS_strings                   3272    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_corrupt_aes                        3273    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_sha1                      3274    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_rsa                       3275    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_corrupt_sha1                       3276    EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_des_cfb1                            3277    EXIST::FUNCTION:DES
+FIPS_dsa_check                          3278    EXIST:OPENSSL_FIPS:FUNCTION:
+AES_cfb1_encrypt                        3279    EXIST::FUNCTION:AES
+EVP_des_ede3_cfb1                       3280    EXIST::FUNCTION:DES
+FIPS_rand_check                         3281    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_md5_allowed                        3282    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_mode                               3283    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_failed                    3284    EXIST:OPENSSL_FIPS:FUNCTION:
+sk_is_sorted                            3285    EXIST::FUNCTION:
+X509_check_ca                           3286    EXIST::FUNCTION:
+private_idea_set_encrypt_key            3287    EXIST:OPENSSL_FIPS:FUNCTION:IDEA
+HMAC_CTX_set_flags                      3288    EXIST::FUNCTION:HMAC
+private_SHA_Init                        3289    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA0
+private_CAST_set_key                    3290    EXIST:OPENSSL_FIPS:FUNCTION:CAST
+private_RIPEMD160_Init                  3291    EXIST:OPENSSL_FIPS:FUNCTION:RIPEMD
+private_RC5_32_set_key                  3292    EXIST:OPENSSL_FIPS:FUNCTION:RC5
+private_MD5_Init                        3293    EXIST:OPENSSL_FIPS:FUNCTION:MD5
+private_RC4_set_key                     3294    EXIST:OPENSSL_FIPS:FUNCTION:RC4
+private_MDC2_Init                       3295    EXIST:OPENSSL_FIPS:FUNCTION:MDC2
+private_RC2_set_key                     3296    EXIST:OPENSSL_FIPS:FUNCTION:RC2
+private_MD4_Init                        3297    EXIST:OPENSSL_FIPS:FUNCTION:MD4
+private_BF_set_key                      3298    EXIST:OPENSSL_FIPS:FUNCTION:BF
+private_MD2_Init                        3299    EXIST:OPENSSL_FIPS:FUNCTION:MD2
+d2i_PROXY_CERT_INFO_EXTENSION           3300    EXIST::FUNCTION:
+PROXY_POLICY_it                         3301    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PROXY_POLICY_it                         3301    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+i2d_PROXY_POLICY                        3302    EXIST::FUNCTION:
+i2d_PROXY_CERT_INFO_EXTENSION           3303    EXIST::FUNCTION:
+d2i_PROXY_POLICY                        3304    EXIST::FUNCTION:
+PROXY_CERT_INFO_EXTENSION_new           3305    EXIST::FUNCTION:
+PROXY_CERT_INFO_EXTENSION_free          3306    EXIST::FUNCTION:
+PROXY_CERT_INFO_EXTENSION_it            3307    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PROXY_CERT_INFO_EXTENSION_it            3307    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+PROXY_POLICY_free                       3308    EXIST::FUNCTION:
+PROXY_POLICY_new                        3309    EXIST::FUNCTION:
diff --git a/src/lib/libcrypto/util/mk1mf.pl b/src/lib/libcrypto/util/mk1mf.pl
index b4bc0457e5..957264c6b5 100644
--- a/src/lib/libcrypto/util/mk1mf.pl
+++ b/src/lib/libcrypto/util/mk1mf.pl
@@ -10,7 +10,7 @@ $OPTIONS="";
 $ssl_version="";
 $banner="\t\@echo Building OpenSSL";
-open(IN,"<Makefile.ssl") || die "unable to open Makefile.ssl!\n";
+open(IN,"<Makefile") || die "unable to open Makefile!\n";
 while(<IN>) {
    $ssl_version=$1 if (/^VERSION=(.*)$/);
    $OPTIONS=$1 if (/^OPTIONS=(.*)$/);
@@ -18,7 +18,7 @@ while(<IN>) {
 }
 close(IN);
-die "Makefile.ssl is not the toplevel Makefile!\n" if $ssl_version eq "";
+die "Makefile is not the toplevel Makefile!\n" if $ssl_version eq "";
 $infile="MINFO";
@@ -222,7 +222,7 @@ $cflags.=" -DOPENSSL_NO_SHA"  if $no_sha;
 $cflags.=" -DOPENSSL_NO_SHA1" if $no_sha1;
 $cflags.=" -DOPENSSL_NO_RIPEMD" if $no_ripemd;
 $cflags.=" -DOPENSSL_NO_MDC2" if $no_mdc2;
-$cflags.=" -DOPENSSL_NO_BF"  if $no_bf;
+$cflags.=" -DOPENSSL_NO_BF"   if $no_bf;
 $cflags.=" -DOPENSSL_NO_CAST" if $no_cast;
 $cflags.=" -DOPENSSL_NO_DES"  if $no_des;
 $cflags.=" -DOPENSSL_NO_RSA"  if $no_rsa;
@@ -236,6 +236,7 @@ $cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5;
 $cflags.=" -DOPENSSL_NO_EC"   if $no_ec;
 $cflags.=" -DOPENSSL_NO_ENGINE"   if $no_engine;
 $cflags.=" -DOPENSSL_NO_HW"   if $no_hw;
+$cflags.=" -DOPENSSL_FIPS"    if $fips;
 #$cflags.=" -DRSAref"  if $rsaref ne "";
 ## if ($unix)
@@ -631,15 +632,21 @@ foreach (split(/\s+/,$test))
 $rules.= &do_lib_rule("\$(SSLOBJ)","\$(O_SSL)",$ssl,$shlib,"\$(SO_SSL)");
 $rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)");
-$rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
+if ($fips)
+        {
+        $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)","\$(BIN_D)$o.sha1","\$(BIN_D)$o\$(E_EXE)$exep");
+        }
+else
+        {
+        $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
+        }
 print $defs;
 if ($platform eq "linux-elf") {
    print <<"EOF";
 # Generate perlasm output files
 %.cpp:
-        (cd \$(\@D)/..; PERL=perl make -f Makefile.ssl asm/\$(\@F))
+        (cd \$(\@D)/..; PERL=perl make -f Makefile asm/\$(\@F))
 EOF
 }
 print "###################################################################\n";
@@ -921,6 +928,7 @@ sub read_options
                                  $no_aes=1; }
        elsif (/^rsaref$/)      { }
+        elsif (/^fips$/)        { $fips=1; }
        elsif (/^gcc$/)         { $gcc=1; }
        elsif (/^debug$/)       { $debug=1; }
        elsif (/^profile$/)     { $profile=1; }
diff --git a/src/lib/libcrypto/util/mkdef.pl b/src/lib/libcrypto/util/mkdef.pl
index 01a1bfda19..9918c3d549 100644
--- a/src/lib/libcrypto/util/mkdef.pl
+++ b/src/lib/libcrypto/util/mkdef.pl
@@ -79,7 +79,7 @@ my $OS2=0;
 my $safe_stack_def = 0;
 my @known_platforms = ( "__FreeBSD__", "PERL5", "NeXT",
-                        "EXPORT_VAR_AS_FUNCTION" );
+                        "EXPORT_VAR_AS_FUNCTION", "OPENSSL_FIPS" );
 my @known_ossl_platforms = ( "VMS", "WIN16", "WIN32", "WINNT", "OS2" );
 my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
                         "CAST", "MD2", "MD4", "MD5", "SHA", "SHA0", "SHA1",
@@ -94,7 +94,7 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
                         "FP_API", "STDIO", "SOCK", "KRB5", "ENGINE", "HW" );
 my $options="";
-open(IN,"<Makefile.ssl") || die "unable to open Makefile.ssl!\n";
+open(IN,"<Makefile") || die "unable to open Makefile!\n";
 while(<IN>) {
    $options=$1 if (/^OPTIONS=(.*)$/);
 }
@@ -109,6 +109,7 @@ my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
 my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5;
 my $no_ec; my $no_engine; my $no_hw;
 my $no_fp_api;
+my $fips;
 foreach (@ARGV, split(/ /, $options))
        {
@@ -129,6 +130,7 @@ foreach (@ARGV, split(/ /, $options))
        }
        $VMS=1 if $_ eq "VMS";
        $OS2=1 if $_ eq "OS2";
+        $fips=1 if $_ eq "fips";
        $do_ssl=1 if $_ eq "ssleay";
        if ($_ eq "ssl") {
@@ -265,6 +267,7 @@ $crypto.=" crypto/ocsp/ocsp.h";
 $crypto.=" crypto/ui/ui.h crypto/ui/ui_compat.h";
 $crypto.=" crypto/krb5/krb5_asn.h";
 $crypto.=" crypto/tmdiff.h";
+$crypto.=" fips/fips.h fips/rand/fips_rand.h";
 my $symhacks="crypto/symhacks.h";
@@ -469,7 +472,7 @@ sub do_defs
                                        push(@tag,$1);
                                        $tag{$1}=-1;
                                }
-                        } elsif (/^\#\s*ifdef\s+(.*)/) {
+                        } elsif (/^\#\s*ifdef\s+(\S*)/) {
                                push(@tag,"-");
                                push(@tag,$1);
                                $tag{$1}=1;
@@ -794,7 +797,7 @@ sub do_defs
                }
                close(IN);
-                my $algs;
+                my $algs = '';
                my $plays;
                print STDERR "DEBUG: postprocessing ----------\n" if $debug;
@@ -864,6 +867,7 @@ sub do_defs
                        $platform{$s} =
                            &reduce_platforms((defined($platform{$s})?$platform{$s}.',':"").$p);
+                        $algorithm{$s} = '' if !defined $algorithm{$s};
                        $algorithm{$s} .= ','.$a;
                        if (defined($variant{$s})) {
@@ -1028,6 +1032,9 @@ sub is_valid
                        if ($keyword eq "EXPORT_VAR_AS_FUNCTION" && ($VMSVAX || $W32 || $W16)) {
                                return 1;
                        }
+                        if ($keyword eq "OPENSSL_FIPS" && $fips) {
+                                return 1;
+                        }
                        return 0;
                } else {
                        # algorithms
@@ -1119,7 +1126,7 @@ sub print_test_file
 sub get_version {
   local *MF;
   my $v = '?';
-   open MF, 'Makefile.ssl' or return $v;
+   open MF, 'Makefile' or return $v;
   while (<MF>) {
     $v = $1, last if /^VERSION=(.*?)\s*$/;
   }
diff --git a/src/lib/libcrypto/util/mkerr.pl b/src/lib/libcrypto/util/mkerr.pl
index 1b2915c767..60e534807e 100644
--- a/src/lib/libcrypto/util/mkerr.pl
+++ b/src/lib/libcrypto/util/mkerr.pl
@@ -41,7 +41,8 @@ while (@ARGV) {
 }
 if($recurse) {
-        @source = (<crypto/*.c>, <crypto/*/*.c>, <ssl/*.c>);
+        @source = (<crypto/*.c>, <crypto/*/*.c>, <ssl/*.c>, <fips/*.c>,
+                   <fips/*/*.c>);
 } else {
        @source = @ARGV;
 }
@@ -262,7 +263,7 @@ foreach $lib (keys %csrc)
        } else {
            push @out,
 "/* ====================================================================\n",
-" * Copyright (c) 2001-2003 The OpenSSL Project.  All rights reserved.\n",
+" * Copyright (c) 2001-2005 The OpenSSL Project.  All rights reserved.\n",
 " *\n",
 " * Redistribution and use in source and binary forms, with or without\n",
 " * modification, are permitted provided that the following conditions\n",
@@ -404,7 +405,7 @@ EOF
        print OUT <<"EOF";
 /* $cfile */
 /* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
diff --git a/src/lib/libcrypto/util/mkfiles.pl b/src/lib/libcrypto/util/mkfiles.pl
index 29e1404c69..928a274303 100644
--- a/src/lib/libcrypto/util/mkfiles.pl
+++ b/src/lib/libcrypto/util/mkfiles.pl
@@ -51,6 +51,14 @@ my @dirs = (
 "crypto/ocsp",
 "crypto/ui",
 "crypto/krb5",
+"fips",
+"fips/aes",
+"fips/des",
+"fips/dsa",
+"fips/dh",
+"fips/rand",
+"fips/rsa",
+"fips/sha1",
 "ssl",
 "apps",
 "test",
@@ -58,7 +66,7 @@ my @dirs = (
 );
 foreach (@dirs) {
-        &files_dir ($_, "Makefile.ssl");
+        &files_dir ($_, "Makefile");
 }
 exit(0);
diff --git a/src/lib/libcrypto/util/mklink.pl b/src/lib/libcrypto/util/mklink.pl
index 9386da7aa4..c8653cecc3 100644
--- a/src/lib/libcrypto/util/mklink.pl
+++ b/src/lib/libcrypto/util/mklink.pl
@@ -52,6 +52,7 @@ $symlink_exists=eval {symlink("",""); 1};
 foreach $file (@files) {
    my $err = "";
    if ($symlink_exists) {
+        unlink "$from/$file";
        symlink("$to/$file", "$from/$file") or $err = " [$!]";
    } else {
        unlink "$from/$file"; 
diff --git a/src/lib/libcrypto/util/mkstack.pl b/src/lib/libcrypto/util/mkstack.pl
index 085c50f790..0ca9eb6a76 100644
--- a/src/lib/libcrypto/util/mkstack.pl
+++ b/src/lib/libcrypto/util/mkstack.pl
@@ -84,6 +84,7 @@ while(<IN>) {
 #define sk_${type_thing}_shift(st) SKM_sk_shift($type_thing, (st))
 #define sk_${type_thing}_pop(st) SKM_sk_pop($type_thing, (st))
 #define sk_${type_thing}_sort(st) SKM_sk_sort($type_thing, (st))
+#define sk_${type_thing}_is_sorted(st) SKM_sk_is_sorted($type_thing, (st))
 EOF
        }
        foreach $type_thing (sort @asn1setlst) {
diff --git a/src/lib/libcrypto/util/pl/BC-16.pl b/src/lib/libcrypto/util/pl/BC-16.pl
index 2033f524ca..8030653daa 100644
--- a/src/lib/libcrypto/util/pl/BC-16.pl
+++ b/src/lib/libcrypto/util/pl/BC-16.pl
@@ -64,7 +64,7 @@ $lfile='';
 $asm='bcc -c -B -Tml';
 $afile='/o';
-if ($no_asm)
+if ($no_asm || $fips)
        {
        $bn_asm_obj='';
        $bn_asm_src='';
@@ -119,11 +119,11 @@ sub do_lib_rule
 sub do_link_rule
        {
-        local($target,$files,$dep_libs,$libs)=@_;
+        local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
        local($ret,$f,$_,@f);
-        
        $file =~ s/\//$o/g if $o ne '/';
-        $n=&bname($targer);
+        $n=&bname($target);
        $ret.="$target: $files $dep_libs\n";
        $ret.="  \$(LINK) @&&|";
        
@@ -139,7 +139,12 @@ sub do_link_rule
                }
        else
                { $ret.="\n $r \$(APP_EX_OBJ) $files\n"; }
-        $ret.="  $target\n\n  $libs\n\n|\n\n";
+        $ret.="  $target\n\n  $libs\n\n|\n";
+        if (defined $sha1file)
+                {
+                $ret.="  $openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+                }
+        $ret.="\n";
        return($ret);
        }
diff --git a/src/lib/libcrypto/util/pl/BC-32.pl b/src/lib/libcrypto/util/pl/BC-32.pl
index e83b336190..897ae9d824 100644
--- a/src/lib/libcrypto/util/pl/BC-32.pl
+++ b/src/lib/libcrypto/util/pl/BC-32.pl
@@ -62,7 +62,7 @@ $des_enc_src='';
 $bf_enc_obj='';
 $bf_enc_src='';
-if (!$no_asm)
+if (!$no_asm && !$fips)
        {
        $bn_mulw_obj='crypto\bn\asm\bn_win32.obj';
        $bn_mulw_src='crypto\bn\asm\bn_win32.asm';
@@ -122,13 +122,18 @@ sub do_lib_rule
 sub do_link_rule
        {
-        local($target,$files,$dep_libs,$libs)=@_;
+        local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
        local($ret,$_);
-        
        $file =~ s/\//$o/g if $o ne '/';
        $n=&bname($targer);
        $ret.="$target: $files $dep_libs\n";
-        $ret.="\t\$(LINK) \$(LFLAGS) $files \$(APP_EX_OBJ), $target,, $libs\n\n";
+        $ret.="\t\$(LINK) \$(LFLAGS) $files \$(APP_EX_OBJ), $target,, $libs\n";
+        if (defined $sha1file)
+                {
+                $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+                }
+        $ret.="\n";
        return($ret);
        }
diff --git a/src/lib/libcrypto/util/pl/Mingw32.pl b/src/lib/libcrypto/util/pl/Mingw32.pl
index 4bee638c4a..b9bb24d21d 100644
--- a/src/lib/libcrypto/util/pl/Mingw32.pl
+++ b/src/lib/libcrypto/util/pl/Mingw32.pl
@@ -21,7 +21,7 @@ if ($debug)
 else
        { $cflags="-DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -mcpu=i486 -Wall"; }
-if ($gaswin and !$no_asm)
+if ($gaswin and !$no_asm and !$fips)
        {
        $bn_asm_obj='$(OBJ_D)\bn-win32.o';
        $bn_asm_src='crypto/bn/asm/bn-win32.s';
@@ -92,13 +92,18 @@ sub do_lib_rule
 sub do_link_rule
        {
-        local($target,$files,$dep_libs,$libs)=@_;
+        local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
        local($ret,$_);
        
        $file =~ s/\//$o/g if $o ne '/';
        $n=&bname($target);
        $ret.="$target: $files $dep_libs\n";
-        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n";
+        if (defined $sha1file)
+                {
+                $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+                }
+        $ret.="\n";
        return($ret);
        }
 1;
diff --git a/src/lib/libcrypto/util/pl/OS2-EMX.pl b/src/lib/libcrypto/util/pl/OS2-EMX.pl
index ddb3524210..75d72ebbcb 100644
--- a/src/lib/libcrypto/util/pl/OS2-EMX.pl
+++ b/src/lib/libcrypto/util/pl/OS2-EMX.pl
@@ -48,7 +48,7 @@ $des_enc_src="";
 $bf_enc_obj="";
 $bf_enc_src="";
-if (!$no_asm)
+if (!$no_asm && !$fips)
        {
        $bn_asm_obj="crypto/bn/asm/bn-os2$obj crypto/bn/asm/co-os2$obj";
        $bn_asm_src="crypto/bn/asm/bn-os2.asm crypto/bn/asm/co-os2.asm";
@@ -106,13 +106,18 @@ sub do_lib_rule
 sub do_link_rule
        {
-        local($target,$files,$dep_libs,$libs)=@_;
+        local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
        local($ret,$_);
        
        $file =~ s/\//$o/g if $o ne '/';
        $n=&bname($target);
        $ret.="$target: $files $dep_libs\n";
-        $ret.="\t\$(LINK) ${efile}$target \$(CFLAG) \$(LFLAGS) $files $libs\n\n";
+        $ret.="\t\$(LINK) ${efile}$target \$(CFLAG) \$(LFLAGS) $files $libs\n";
+        if (defined $sha1file)
+                {
+                $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+                }
+        $ret.="\n";
        return($ret);
        }
diff --git a/src/lib/libcrypto/util/pl/VC-16.pl b/src/lib/libcrypto/util/pl/VC-16.pl
index 7cda5e67a9..564ba3fd08 100644
--- a/src/lib/libcrypto/util/pl/VC-16.pl
+++ b/src/lib/libcrypto/util/pl/VC-16.pl
@@ -61,7 +61,7 @@ if ($shlib)
 else
        { $mlflags=''; }
-$app_ex_obj="setargv.obj";
+$app_ex_obj="";
 $obj='.obj';
 $ofile="/Fo";
@@ -90,7 +90,7 @@ $des_enc_src='';
 $bf_enc_obj='';
 $bf_enc_src='';
-if (!$no_asm)
+if (!$no_asm && !$fips)
        {
        if ($asmbits == 32)
                {
@@ -147,7 +147,7 @@ sub do_lib_rule
 sub do_link_rule
        {
-        local($target,$files,$dep_libs,$libs)=@_;
+        local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
        local($ret,$f,$_,@f);
        
        $file =~ s/\//$o/g if $o ne '/';
@@ -165,7 +165,12 @@ sub do_link_rule
                }
        else
                { $ret.="  \$(APP_EX_OBJ) $files"; }
-        $ret.="\n  $target\n\n  $libs\n\n<<\n\n";
+        $ret.="\n  $target\n\n  $libs\n\n<<\n";
+        if (defined $sha1file)
+                {
+                $ret.="  $openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+                }
+        $ret.="\n";
        return($ret);
        }
diff --git a/src/lib/libcrypto/util/pl/VC-32.pl b/src/lib/libcrypto/util/pl/VC-32.pl
index 285990c589..cf689b9feb 100644
--- a/src/lib/libcrypto/util/pl/VC-32.pl
+++ b/src/lib/libcrypto/util/pl/VC-32.pl
@@ -64,7 +64,7 @@ $des_enc_src='';
 $bf_enc_obj='';
 $bf_enc_src='';
-if (!$no_asm)
+if (!$no_asm && !$fips)
        {
        $bn_asm_obj='crypto\bn\asm\bn_win32.obj';
        $bn_asm_src='crypto\bn\asm\bn_win32.asm';
@@ -126,14 +126,19 @@ sub do_lib_rule
 sub do_link_rule
        {
-        local($target,$files,$dep_libs,$libs)=@_;
+        local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
        local($ret,$_);
        
        $file =~ s/\//$o/g if $o ne '/';
        $n=&bname($targer);
        $ret.="$target: $files $dep_libs\n";
        $ret.="  \$(LINK) \$(LFLAGS) $efile$target @<<\n";
-        $ret.="  \$(APP_EX_OBJ) $files $libs\n<<\n\n";
+        $ret.="  \$(APP_EX_OBJ) $files $libs\n<<\n";
+        if (defined $sha1file)
+                {
+                $ret.="  $openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+                }
+        $ret.="\n";
        return($ret);
        }
diff --git a/src/lib/libcrypto/util/pl/linux.pl b/src/lib/libcrypto/util/pl/linux.pl
index 8924ed5480..df05c40526 100644
--- a/src/lib/libcrypto/util/pl/linux.pl
+++ b/src/lib/libcrypto/util/pl/linux.pl
@@ -72,13 +72,18 @@ sub do_shlib_rule
 sub do_link_rule
        {
-        local($target,$files,$dep_libs,$libs)=@_;
+        local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
        local($ret,$_);
        
        $file =~ s/\//$o/g if $o ne '/';
        $n=&bname($target);
        $ret.="$target: $files $dep_libs\n";
-        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n";
+        if (defined $sha1file)
+                {
+                $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+                }
+        $ret.="\n";
        return($ret);
        }
diff --git a/src/lib/libcrypto/util/pl/ultrix.pl b/src/lib/libcrypto/util/pl/ultrix.pl
index ea370c71f9..447b854708 100644
--- a/src/lib/libcrypto/util/pl/ultrix.pl
+++ b/src/lib/libcrypto/util/pl/ultrix.pl
@@ -17,7 +17,7 @@ else
 $cflags.=" -std1 -DL_ENDIAN";
-if (!$no_asm)
+if (!$no_asm && !$fips)
        {
        $bn_asm_obj='$(OBJ_D)/mips1.o';
        $bn_asm_src='crypto/bn/asm/mips1.s';
@@ -25,13 +25,18 @@ if (!$no_asm)
 sub do_link_rule
        {
-        local($target,$files,$dep_libs,$libs)=@_;
+        local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
        local($ret,$_);
        
        $file =~ s/\//$o/g if $o ne '/';
        $n=&bname($target);
        $ret.="$target: $files $dep_libs\n";
-        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n";
+        if (defined $sha1file)
+                {
+                $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+                }
+        $ret.="\n";
        return($ret);
        }
diff --git a/src/lib/libcrypto/util/pl/unix.pl b/src/lib/libcrypto/util/pl/unix.pl
index 146611ad99..bbd1798a2e 100644
--- a/src/lib/libcrypto/util/pl/unix.pl
+++ b/src/lib/libcrypto/util/pl/unix.pl
@@ -70,13 +70,18 @@ sub do_lib_rule
 sub do_link_rule
        {
-        local($target,$files,$dep_libs,$libs)=@_;
+        local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
        local($ret,$_);
        
        $file =~ s/\//$o/g if $o ne '/';
        $n=&bname($target);
        $ret.="$target: $files $dep_libs\n";
-        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n";
+        if (defined $sha1file)
+                {
+                $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+                }
+        $ret.="\n";
        return($ret);
        }
diff --git a/src/lib/libcrypto/util/selftest.pl b/src/lib/libcrypto/util/selftest.pl
index 276b81183d..e9d5aa8938 100644
--- a/src/lib/libcrypto/util/selftest.pl
+++ b/src/lib/libcrypto/util/selftest.pl
@@ -34,9 +34,9 @@ foreach $_ (split("\n",$c)) {
    $platform0=$1 if (/Configuring for (.*)$/);
 }
-system "sh config" if (! -f "Makefile.ssl");
+system "sh config" if (! -f "Makefile");
-if (open(IN,"<Makefile.ssl")) {
+if (open(IN,"<Makefile")) {
    while (<IN>) {
        $version=$1 if (/^VERSION=(.*)$/);
        $platform=$1 if (/^PLATFORM=(.*)$/);
diff --git a/src/lib/libcrypto/x509/by_file.c b/src/lib/libcrypto/x509/by_file.c
index b4b04183d0..a5e0d4aefa 100644
--- a/src/lib/libcrypto/x509/by_file.c
+++ b/src/lib/libcrypto/x509/by_file.c
@@ -150,7 +150,7 @@ int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type)
                        x=PEM_read_bio_X509_AUX(in,NULL,NULL,NULL);
                        if (x == NULL)
                                {
-                                if ((ERR_GET_REASON(ERR_peek_error()) ==
+                                if ((ERR_GET_REASON(ERR_peek_last_error()) ==
                                        PEM_R_NO_START_LINE) && (count > 0))
                                        {
                                        ERR_clear_error();
@@ -217,7 +217,7 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
                        x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
                        if (x == NULL)
                                {
-                                if ((ERR_GET_REASON(ERR_peek_error()) ==
+                                if ((ERR_GET_REASON(ERR_peek_last_error()) ==
                                        PEM_R_NO_START_LINE) && (count > 0))
                                        {
                                        ERR_clear_error();
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index 8d0c7e2e17..e8c1a59cf2 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -410,6 +410,7 @@ typedef struct X509_crl_info_st
        ASN1_TIME *nextUpdate;
        STACK_OF(X509_REVOKED) *revoked;
        STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
+        ASN1_ENCODING enc;
        } X509_CRL_INFO;
 struct X509_crl_st
@@ -1037,18 +1038,18 @@ int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
 int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
                        unsigned char *bytes, int len, int loc, int set);
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
-                char *field, int type, unsigned char *bytes, int len);
+                const char *field, int type, const unsigned char *bytes, int len);
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
                        int type,unsigned char *bytes, int len);
-int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type,
+int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
-                        unsigned char *bytes, int len, int loc, int set);
+                        const unsigned char *bytes, int len, int loc, int set);
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
-                        ASN1_OBJECT *obj, int type,unsigned char *bytes,
+                        ASN1_OBJECT *obj, int type,const unsigned char *bytes,
                        int len);
 int             X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne,
                        ASN1_OBJECT *obj);
 int             X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
-                        unsigned char *bytes, int len);
+                        const unsigned char *bytes, int len);
 ASN1_OBJECT *   X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne);
 ASN1_STRING *   X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne);
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index f460102f49..030d0966fc 100644
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -254,33 +254,49 @@ static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
        return 0;
 }
+static int asn1_string_memcmp(ASN1_STRING *a, ASN1_STRING *b)
+        {
+        int j;
+        j = a->length - b->length;
+        if (j)
+                return j;
+        return memcmp(a->data, b->data, a->length);
+        }
+#define STR_TYPE_CMP (B_ASN1_PRINTABLESTRING|B_ASN1_T61STRING|B_ASN1_UTF8STRING)
 int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
        {
        int i,j;
        X509_NAME_ENTRY *na,*nb;
-        if (sk_X509_NAME_ENTRY_num(a->entries)
+        unsigned long nabit, nbbit;
-            != sk_X509_NAME_ENTRY_num(b->entries))
-                return sk_X509_NAME_ENTRY_num(a->entries)
+        j = sk_X509_NAME_ENTRY_num(a->entries)
-                  -sk_X509_NAME_ENTRY_num(b->entries);
+                  - sk_X509_NAME_ENTRY_num(b->entries);
+        if (j)
+                return j;
        for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
                {
                na=sk_X509_NAME_ENTRY_value(a->entries,i);
                nb=sk_X509_NAME_ENTRY_value(b->entries,i);
                j=na->value->type-nb->value->type;
-                if (j) return(j);
+                if (j)
-                if (na->value->type == V_ASN1_PRINTABLESTRING)
+                        {
+                        nabit = ASN1_tag2bit(na->value->type);
+                        nbbit = ASN1_tag2bit(nb->value->type);
+                        if (!(nabit & STR_TYPE_CMP) ||
+                                !(nbbit & STR_TYPE_CMP))
+                                return j;
+                        j = asn1_string_memcmp(na->value, nb->value);
+                        }
+                else if (na->value->type == V_ASN1_PRINTABLESTRING)
                        j=nocase_spacenorm_cmp(na->value, nb->value);
                else if (na->value->type == V_ASN1_IA5STRING
                        && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress)
                        j=nocase_cmp(na->value, nb->value);
                else
-                        {
+                        j = asn1_string_memcmp(na->value, nb->value);
-                        j=na->value->length-nb->value->length;
-                        if (j) return(j);
-                        j=memcmp(na->value->data,nb->value->data,
-                                na->value->length);
-                        }
                if (j) return(j);
                j=na->set-nb->set;
                if (j) return(j);
@@ -306,10 +322,16 @@ unsigned long X509_NAME_hash(X509_NAME *x)
        {
        unsigned long ret=0;
        unsigned char md[16];
+        EVP_MD_CTX md_ctx;
        /* Make sure X509_NAME structure contains valid cached encoding */
        i2d_X509_NAME(x,NULL);
-        EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
+        EVP_MD_CTX_init(&md_ctx);
+        EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+        EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL);
+        EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length);
+        EVP_DigestFinal_ex(&md_ctx,md,NULL);
+        EVP_MD_CTX_cleanup(&md_ctx);
        ret=(   ((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
                ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
diff --git a/src/lib/libcrypto/x509/x509_r2x.c b/src/lib/libcrypto/x509/x509_r2x.c
index db051033d9..fb8a78dabe 100644
--- a/src/lib/libcrypto/x509/x509_r2x.c
+++ b/src/lib/libcrypto/x509/x509_r2x.c
@@ -92,8 +92,10 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
        X509_set_subject_name(ret,X509_NAME_dup(xn));
        X509_set_issuer_name(ret,X509_NAME_dup(xn));
-        X509_gmtime_adj(xi->validity->notBefore,0);
+        if (X509_gmtime_adj(xi->validity->notBefore,0) == NULL)
-        X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days);
+                goto err;
+        if (X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days) == NULL)
+                goto err;
        X509_set_pubkey(ret,X509_REQ_get_pubkey(r));
diff --git a/src/lib/libcrypto/x509/x509_req.c b/src/lib/libcrypto/x509/x509_req.c
index 0affa3bf30..59fc6ca548 100644
--- a/src/lib/libcrypto/x509/x509_req.c
+++ b/src/lib/libcrypto/x509/x509_req.c
@@ -118,7 +118,7 @@ EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
 * used and there may be more: so the list is configurable.
 */
-static int ext_nid_list[] = { NID_ms_ext_req, NID_ext_req, NID_undef};
+static int ext_nid_list[] = { NID_ext_req, NID_ms_ext_req, NID_undef};
 static int *ext_nids = ext_nid_list;
@@ -143,32 +143,33 @@ void X509_REQ_set_extension_nids(int *nids)
 }
 STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
-{
+        {
        X509_ATTRIBUTE *attr;
-        STACK_OF(X509_ATTRIBUTE) *sk;
        ASN1_TYPE *ext = NULL;
-        int i;
+        int idx, *pnid;
        unsigned char *p;
-        if ((req == NULL) || (req->req_info == NULL))
+        if ((req == NULL) || (req->req_info == NULL) || !ext_nids)
                return(NULL);
-        sk=req->req_info->attributes;
+        for (pnid = ext_nids; *pnid != NID_undef; pnid++)
-        if (!sk) return NULL;
+                {
-        for(i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
+                idx = X509_REQ_get_attr_by_NID(req, *pnid, -1);
-                attr = sk_X509_ATTRIBUTE_value(sk, i);
+                if (idx == -1)
-                if(X509_REQ_extension_nid(OBJ_obj2nid(attr->object))) {
+                        continue;
-                        if(attr->single) ext = attr->value.single;
+                attr = X509_REQ_get_attr(req, idx);
-                        else if(sk_ASN1_TYPE_num(attr->value.set))
+                if(attr->single) ext = attr->value.single;
-                                ext = sk_ASN1_TYPE_value(attr->value.set, 0);
+                else if(sk_ASN1_TYPE_num(attr->value.set))
-                        break;
+                        ext = sk_ASN1_TYPE_value(attr->value.set, 0);
+                break;
                }
-        }
+        if(!ext || (ext->type != V_ASN1_SEQUENCE))
-        if(!ext || (ext->type != V_ASN1_SEQUENCE)) return NULL;
+                return NULL;
        p = ext->value.sequence->data;
        return d2i_ASN1_SET_OF_X509_EXTENSION(NULL, &p,
                        ext->value.sequence->length,
                        d2i_X509_EXTENSION, X509_EXTENSION_free,
                        V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-}
+        }
 /* Add a STACK_OF extensions to a certificate request: allow alternative OIDs
 * in case we want to create a non standard one.
diff --git a/src/lib/libcrypto/x509/x509_txt.c b/src/lib/libcrypto/x509/x509_txt.c
index e31ebc6741..f19e66a238 100644
--- a/src/lib/libcrypto/x509/x509_txt.c
+++ b/src/lib/libcrypto/x509/x509_txt.c
@@ -122,8 +122,14 @@ const char *X509_verify_cert_error_string(long n)
                return("certificate revoked");
        case X509_V_ERR_INVALID_CA:
                return ("invalid CA certificate");
+        case X509_V_ERR_INVALID_NON_CA:
+                return ("invalid non-CA certificate (has CA markings)");
        case X509_V_ERR_PATH_LENGTH_EXCEEDED:
                return ("path length constraint exceeded");
+        case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
+                return("proxy path length constraint exceeded");
+        case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
+                return("proxy cerificates not allowed, please set the appropriate flag");
        case X509_V_ERR_INVALID_PURPOSE:
                return ("unsupported certificate purpose");
        case X509_V_ERR_CERT_UNTRUSTED:
@@ -140,19 +146,16 @@ const char *X509_verify_cert_error_string(long n)
                return("authority and issuer serial number mismatch");
        case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
                return("key usage does not include certificate signing");
        case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
                return("unable to get CRL issuer certificate");
        case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
                return("unhandled critical extension");
        case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
                return("key usage does not include CRL signing");
+        case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
+                return("key usage does not include digital signature");
        case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
                return("unhandled critical CRL extension");
        default:
                BIO_snprintf(buf,sizeof buf,"error number %ld",n);
                return(buf);
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 2e4d0b823a..e43c861ee7 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -73,7 +73,7 @@
 static int null_callback(int ok,X509_STORE_CTX *e);
 static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
-static int check_chain_purpose(X509_STORE_CTX *ctx);
+static int check_chain_extensions(X509_STORE_CTX *ctx);
 static int check_trust(X509_STORE_CTX *ctx);
 static int check_revocation(X509_STORE_CTX *ctx);
 static int check_cert(X509_STORE_CTX *ctx);
@@ -281,7 +281,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                }
        /* We have the chain complete: now we need to check its purpose */
-        if (ctx->purpose > 0) ok = check_chain_purpose(ctx);
+        ok = check_chain_extensions(ctx);
        if (!ok) goto end;
@@ -365,21 +365,39 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
        else
                return 0;
 }
-        
 /* Check a certificate chains extensions for consistency
 * with the supplied purpose
 */
-static int check_chain_purpose(X509_STORE_CTX *ctx)
+static int check_chain_extensions(X509_STORE_CTX *ctx)
 {
 #ifdef OPENSSL_NO_CHAIN_VERIFY
        return 1;
 #else
-        int i, ok=0;
+        int i, ok=0, must_be_ca;
        X509 *x;
        int (*cb)();
+        int proxy_path_length = 0;
+        int allow_proxy_certs = !!(ctx->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
        cb=ctx->verify_cb;
+        /* must_be_ca can have 1 of 3 values:
+           -1: we accept both CA and non-CA certificates, to allow direct
+               use of self-signed certificates (which are marked as CA).
+           0:  we only accept non-CA certificates.  This is currently not
+               used, but the possibility is present for future extensions.
+           1:  we only accept CA certificates.  This is currently used for
+               all certificates in the chain except the leaf certificate.
+        */
+        must_be_ca = -1;
+        /* A hack to keep people who don't want to modify their software
+           happy */
+        if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+                allow_proxy_certs = 1;
        /* Check all untrusted certificates */
        for (i = 0; i < ctx->last_untrusted; i++)
                {
@@ -394,23 +412,73 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
                        ok=cb(0,ctx);
                        if (!ok) goto end;
                        }
-                ret = X509_check_purpose(x, ctx->purpose, i);
+                if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
-                if ((ret == 0)
-                         || ((ctx->flags & X509_V_FLAG_X509_STRICT)
-                                && (ret != 1)))
                        {
-                        if (i)
+                        ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
+                        ctx->error_depth = i;
+                        ctx->current_cert = x;
+                        ok=cb(0,ctx);
+                        if (!ok) goto end;
+                        }
+                ret = X509_check_ca(x);
+                switch(must_be_ca)
+                        {
+                case -1:
+                        if ((ctx->flags & X509_V_FLAG_X509_STRICT)
+                                && (ret != 1) && (ret != 0))
+                                {
+                                ret = 0;
                                ctx->error = X509_V_ERR_INVALID_CA;
+                                }
                        else
-                                ctx->error = X509_V_ERR_INVALID_PURPOSE;
+                                ret = 1;
+                        break;
+                case 0:
+                        if (ret != 0)
+                                {
+                                ret = 0;
+                                ctx->error = X509_V_ERR_INVALID_NON_CA;
+                                }
+                        else
+                                ret = 1;
+                        break;
+                default:
+                        if ((ret == 0)
+                                || ((ctx->flags & X509_V_FLAG_X509_STRICT)
+                                        && (ret != 1)))
+                                {
+                                ret = 0;
+                                ctx->error = X509_V_ERR_INVALID_CA;
+                                }
+                        else
+                                ret = 1;
+                        break;
+                        }
+                if (ret == 0)
+                        {
                        ctx->error_depth = i;
                        ctx->current_cert = x;
                        ok=cb(0,ctx);
                        if (!ok) goto end;
                        }
+                if (ctx->purpose > 0)
+                        {
+                        ret = X509_check_purpose(x, ctx->purpose,
+                                must_be_ca > 0);
+                        if ((ret == 0)
+                                || ((ctx->flags & X509_V_FLAG_X509_STRICT)
+                                        && (ret != 1)))
+                                {
+                                ctx->error = X509_V_ERR_INVALID_PURPOSE;
+                                ctx->error_depth = i;
+                                ctx->current_cert = x;
+                                ok=cb(0,ctx);
+                                if (!ok) goto end;
+                                }
+                        }
                /* Check pathlen */
                if ((i > 1) && (x->ex_pathlen != -1)
-                           && (i > (x->ex_pathlen + 1)))
+                           && (i > (x->ex_pathlen + proxy_path_length + 1)))
                        {
                        ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
                        ctx->error_depth = i;
@@ -418,6 +486,32 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
                        ok=cb(0,ctx);
                        if (!ok) goto end;
                        }
+                /* If this certificate is a proxy certificate, the next
+                   certificate must be another proxy certificate or a EE
+                   certificate.  If not, the next certificate must be a
+                   CA certificate.  */
+                if (x->ex_flags & EXFLAG_PROXY)
+                        {
+                        PROXY_CERT_INFO_EXTENSION *pci =
+                                X509_get_ext_d2i(x, NID_proxyCertInfo,
+                                        NULL, NULL);
+                        if (pci->pcPathLengthConstraint &&
+                                ASN1_INTEGER_get(pci->pcPathLengthConstraint)
+                                < i)
+                                {
+                                PROXY_CERT_INFO_EXTENSION_free(pci);
+                                ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
+                                ctx->error_depth = i;
+                                ctx->current_cert = x;
+                                ok=cb(0,ctx);
+                                if (!ok) goto end;
+                                }
+                        PROXY_CERT_INFO_EXTENSION_free(pci);
+                        proxy_path_length++;
+                        must_be_ca = 0;
+                        }
+                else
+                        must_be_ca = 1;
                }
        ok = 1;
 end:
@@ -627,6 +721,15 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
        X509_EXTENSION *ext;
        /* Look for serial number of certificate in CRL */
        rtmp.serialNumber = X509_get_serialNumber(x);
+        /* Sort revoked into serial number order if not already sorted.
+         * Do this under a lock to avoid race condition.
+         */
+        if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked))
+                {
+                CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL);
+                sk_X509_REVOKED_sort(crl->crl->revoked);
+                CRYPTO_w_unlock(CRYPTO_LOCK_X509_CRL);
+                }
        idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
        /* If found assume revoked: want something cleverer than
         * this to handle entry extensions in V2 CRLs.
@@ -772,6 +875,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
                        }
                /* The last error (if any) is still in the error value */
+                ctx->current_issuer=xi;
                ctx->current_cert=xs;
                ok=(*cb)(1,ctx);
                if (!ok) goto end;
@@ -851,7 +955,8 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
        atm.length=sizeof(buff2);
        atm.data=(unsigned char *)buff2;
-        X509_time_adj(&atm,-offset*60, cmp_time);
+        if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
+                return 0;
        if (ctm->type == V_ASN1_UTCTIME)
                {
diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
index 198495884c..7fd1f0bc4d 100644
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -276,7 +276,7 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 #define         X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY   6
 #define         X509_V_ERR_CERT_SIGNATURE_FAILURE               7
 #define         X509_V_ERR_CRL_SIGNATURE_FAILURE                8
-#define         X509_V_ERR_CERT_NOT_YET_VALID                   9       
+#define         X509_V_ERR_CERT_NOT_YET_VALID                   9
 #define         X509_V_ERR_CERT_HAS_EXPIRED                     10
 #define         X509_V_ERR_CRL_NOT_YET_VALID                    11
 #define         X509_V_ERR_CRL_HAS_EXPIRED                      12
@@ -306,6 +306,10 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 #define         X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION         34
 #define         X509_V_ERR_KEYUSAGE_NO_CRL_SIGN                 35
 #define         X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION     36
+#define         X509_V_ERR_INVALID_NON_CA                       37
+#define         X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED           38
+#define         X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE        39
+#define         X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED       40
 /* The application is not happy */
 #define         X509_V_ERR_APPLICATION_VERIFICATION             50
@@ -324,6 +328,8 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 #define X509_V_FLAG_IGNORE_CRITICAL             0x10
 /* Disable workarounds for broken certificates */
 #define X509_V_FLAG_X509_STRICT                 0x20
+/* Enable proxy certificate validation */
+#define X509_V_FLAG_ALLOW_PROXY_CERTS           0x40
 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
             X509_NAME *name);
diff --git a/src/lib/libcrypto/x509/x509cset.c b/src/lib/libcrypto/x509/x509cset.c
index 6cac440ea9..9d1646d5c8 100644
--- a/src/lib/libcrypto/x509/x509cset.c
+++ b/src/lib/libcrypto/x509/x509cset.c
@@ -129,6 +129,7 @@ int X509_CRL_sort(X509_CRL *c)
                r=sk_X509_REVOKED_value(c->crl->revoked,i);
                r->sequence=i;
                }
+        c->crl->enc.modified = 1;
        return 1;
        }
diff --git a/src/lib/libcrypto/x509/x509name.c b/src/lib/libcrypto/x509/x509name.c
index 4c20e03ece..068abfe5f0 100644
--- a/src/lib/libcrypto/x509/x509name.c
+++ b/src/lib/libcrypto/x509/x509name.c
@@ -195,8 +195,8 @@ int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
        return ret;
 }
-int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type,
+int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
-                        unsigned char *bytes, int len, int loc, int set)
+                        const unsigned char *bytes, int len, int loc, int set)
 {
        X509_NAME_ENTRY *ne;
        int ret;
@@ -273,7 +273,7 @@ err:
        }
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
-                char *field, int type, unsigned char *bytes, int len)
+                const char *field, int type, const unsigned char *bytes, int len)
        {
        ASN1_OBJECT *obj;
        X509_NAME_ENTRY *nentry;
@@ -309,7 +309,7 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
        }
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
-             ASN1_OBJECT *obj, int type, unsigned char *bytes, int len)
+             ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len)
        {
        X509_NAME_ENTRY *ret;
@@ -347,7 +347,7 @@ int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj)
        }
 int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
-             unsigned char *bytes, int len)
+             const unsigned char *bytes, int len)
        {
        int i;
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index fb5015cd4d..ac6dea493a 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -103,6 +103,7 @@ int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
        {
+        x->crl->enc.modified = 1;
        return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO),x->crl->sig_alg,
                x->sig_alg, x->signature, x->crl,pkey,md));
        }
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
index 5442480595..d8328ac468 100644
--- a/src/lib/libcrypto/x509v3/ext_dat.h
+++ b/src/lib/libcrypto/x509v3/ext_dat.h
@@ -3,7 +3,7 @@
 * project 1999.
 */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -60,10 +60,11 @@
 extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
 extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
 extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
-extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate, v3_cpols, v3_crld;
+extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
+extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld;
 extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
 extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
-extern X509V3_EXT_METHOD v3_crl_hold;
+extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
 /* This table will be searched using OBJ_bsearch so it *must* kept in
 * order of the ext_nid values.
@@ -89,6 +90,7 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 &v3_akey_id,
 &v3_crld,
 &v3_ext_ku,
+&v3_delta_crl,
 &v3_crl_reason,
 #ifndef OPENSSL_NO_OCSP
 &v3_crl_invdate,
@@ -105,8 +107,9 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 #endif
 &v3_sinfo,
 #ifndef OPENSSL_NO_OCSP
-&v3_crl_hold
+&v3_crl_hold,
 #endif
+&v3_pci,
 };
 /* Number of standard extensions */
diff --git a/src/lib/libcrypto/x509v3/v3_bitst.c b/src/lib/libcrypto/x509v3/v3_bitst.c
index 16cf125562..274965306d 100644
--- a/src/lib/libcrypto/x509v3/v3_bitst.c
+++ b/src/lib/libcrypto/x509v3/v3_bitst.c
@@ -124,7 +124,12 @@ static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
                for(bnam = method->usr_data; bnam->lname; bnam++) {
                        if(!strcmp(bnam->sname, val->name) ||
                                !strcmp(bnam->lname, val->name) ) {
-                                ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1);
+                                if(!ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1)) {
+                                        X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
+                                                ERR_R_MALLOC_FAILURE);
+                                        M_ASN1_BIT_STRING_free(bs);
+                                        return NULL;
+                                }
                                break;
                        }
                }
diff --git a/src/lib/libcrypto/x509v3/v3_ia5.c b/src/lib/libcrypto/x509v3/v3_ia5.c
index f9414456de..9683afa47c 100644
--- a/src/lib/libcrypto/x509v3/v3_ia5.c
+++ b/src/lib/libcrypto/x509v3/v3_ia5.c
@@ -82,7 +82,10 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
 {
        char *tmp;
        if(!ia5 || !ia5->length) return NULL;
-        if (!(tmp = OPENSSL_malloc(ia5->length + 1))) return NULL;
+        if(!(tmp = OPENSSL_malloc(ia5->length + 1))) {
+                X509V3err(X509V3_F_I2S_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
        memcpy(tmp, ia5->data, ia5->length);
        tmp[ia5->length] = 0;
        return tmp;
diff --git a/src/lib/libcrypto/x509v3/v3_int.c b/src/lib/libcrypto/x509v3/v3_int.c
index f34cbfb731..7a43b4717b 100644
--- a/src/lib/libcrypto/x509v3/v3_int.c
+++ b/src/lib/libcrypto/x509v3/v3_int.c
@@ -3,7 +3,7 @@
 * project 1999.
 */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -61,9 +61,16 @@
 #include <openssl/x509v3.h>
 X509V3_EXT_METHOD v3_crl_num = { 
-NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
+        NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
-0,0,0,0,
+        0,0,0,0,
-(X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+        (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
-0,
+        0,
-0,0,0,0, NULL};
+        0,0,0,0, NULL};
+X509V3_EXT_METHOD v3_delta_crl = { 
+        NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER),
+        0,0,0,0,
+        (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+        0,
+        0,0,0,0, NULL};
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
index b3d1ae5d1c..bbdf6da493 100644
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -63,7 +63,6 @@
 static void x509v3_cache_extensions(X509 *x);
-static int ca_check(const X509 *x);
 static int check_ssl_ca(const X509 *x);
 static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca);
 static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
@@ -286,7 +285,8 @@ int X509_supported_extension(X509_EXTENSION *ex)
                NID_key_usage,          /* 83 */
                NID_subject_alt_name,   /* 85 */
                NID_basic_constraints,  /* 87 */
-                NID_ext_key_usage       /* 126 */
+                NID_ext_key_usage,      /* 126 */
+                NID_proxyCertInfo       /* 661 */
        };
        int ex_nid;
@@ -307,6 +307,7 @@ int X509_supported_extension(X509_EXTENSION *ex)
 static void x509v3_cache_extensions(X509 *x)
 {
        BASIC_CONSTRAINTS *bs;
+        PROXY_CERT_INFO_EXTENSION *pci;
        ASN1_BIT_STRING *usage;
        ASN1_BIT_STRING *ns;
        EXTENDED_KEY_USAGE *extusage;
@@ -335,6 +336,16 @@ static void x509v3_cache_extensions(X509 *x)
                BASIC_CONSTRAINTS_free(bs);
                x->ex_flags |= EXFLAG_BCONS;
        }
+        /* Handle proxy certificates */
+        if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
+                if (x->ex_flags & EXFLAG_CA
+                    || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
+                    || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
+                        x->ex_flags |= EXFLAG_INVALID;
+                }
+                PROXY_CERT_INFO_EXTENSION_free(pci);
+                x->ex_flags |= EXFLAG_PROXY;
+        }
        /* Handle key usage */
        if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
                if(usage->length > 0) {
@@ -426,7 +437,7 @@ static void x509v3_cache_extensions(X509 *x)
 #define ns_reject(x, usage) \
        (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
-static int ca_check(const X509 *x)
+static int check_ca(const X509 *x)
 {
        /* keyUsage if present should allow cert signing */
        if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
@@ -435,25 +446,37 @@ static int ca_check(const X509 *x)
                /* If basicConstraints says not a CA then say so */
                else return 0;
        } else {
+                /* we support V1 roots for...  uh, I don't really know why. */
                if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
                /* If key usage present it must have certSign so tolerate it */
                else if (x->ex_flags & EXFLAG_KUSAGE) return 4;
-                else return 2;
+                /* Older certificates could have Netscape-specific CA types */
+                else if (x->ex_flags & EXFLAG_NSCERT
+                         && x->ex_nscert & NS_ANY_CA) return 5;
+                /* can this still be regarded a CA certificate?  I doubt it */
+                return 0;
        }
 }
+int X509_check_ca(X509 *x)
+{
+        if(!(x->ex_flags & EXFLAG_SET)) {
+                CRYPTO_w_lock(CRYPTO_LOCK_X509);
+                x509v3_cache_extensions(x);
+                CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+        }
+        return check_ca(x);
+}
 /* Check SSL CA: common checks for SSL client and server */
 static int check_ssl_ca(const X509 *x)
 {
        int ca_ret;
-        ca_ret = ca_check(x);
+        ca_ret = check_ca(x);
        if(!ca_ret) return 0;
        /* check nsCertType if present */
-        if(x->ex_flags & EXFLAG_NSCERT) {
+        if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret;
-                if(x->ex_nscert & NS_SSL_CA) return ca_ret;
-                return 0;
-        }
-        if(ca_ret != 2) return ca_ret;
        else return 0;
 }
@@ -498,14 +521,10 @@ static int purpose_smime(const X509 *x, int ca)
        if(xku_reject(x,XKU_SMIME)) return 0;
        if(ca) {
                int ca_ret;
-                ca_ret = ca_check(x);
+                ca_ret = check_ca(x);
                if(!ca_ret) return 0;
                /* check nsCertType if present */
-                if(x->ex_flags & EXFLAG_NSCERT) {
+                if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret;
-                        if(x->ex_nscert & NS_SMIME_CA) return ca_ret;
-                        return 0;
-                }
-                if(ca_ret != 2) return ca_ret;
                else return 0;
        }
        if(x->ex_flags & EXFLAG_NSCERT) {
@@ -539,7 +558,7 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
        if(ca) {
                int ca_ret;
-                if((ca_ret = ca_check(x)) != 2) return ca_ret;
+                if((ca_ret = check_ca(x)) != 2) return ca_ret;
                else return 0;
        }
        if(ku_reject(x, KU_CRL_SIGN)) return 0;
@@ -552,17 +571,9 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
 static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
-        /* Must be a valid CA */
+        /* Must be a valid CA.  Should we really support the "I don't know"
-        if(ca) {
+           value (2)? */
-                int ca_ret;
+        if(ca) return check_ca(x);
-                ca_ret = ca_check(x);
-                if(ca_ret != 2) return ca_ret;
-                if(x->ex_flags & EXFLAG_NSCERT) {
-                        if(x->ex_nscert & NS_ANY_CA) return ca_ret;
-                        return 0;
-                }
-                return 0;
-        }
        /* leaf certificate is checked in OCSP_verify() */
        return 1;
 }
@@ -624,7 +635,13 @@ int X509_check_issued(X509 *issuer, X509 *subject)
                                return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
                }
        }
-        if(ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
+        if(subject->ex_flags & EXFLAG_PROXY)
+                {
+                if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
+                        return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
+                }
+        else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
+                return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
        return X509_V_OK;
 }
diff --git a/src/lib/libcrypto/x509v3/v3err.c b/src/lib/libcrypto/x509v3/v3err.c
index 6458e95bb9..2df0c3ef01 100644
--- a/src/lib/libcrypto/x509v3/v3err.c
+++ b/src/lib/libcrypto/x509v3/v3err.c
@@ -1,6 +1,6 @@
 /* crypto/x509v3/v3err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -72,12 +72,14 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_PACK(0,X509V3_F_DO_EXT_I2D,0),     "DO_EXT_I2D"},
 {ERR_PACK(0,X509V3_F_HEX_TO_STRING,0),  "hex_to_string"},
 {ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0),    "i2s_ASN1_ENUMERATED"},
+{ERR_PACK(0,X509V3_F_I2S_ASN1_IA5STRING,0),     "I2S_ASN1_IA5STRING"},
 {ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0),       "i2s_ASN1_INTEGER"},
 {ERR_PACK(0,X509V3_F_I2V_AUTHORITY_INFO_ACCESS,0),      "I2V_AUTHORITY_INFO_ACCESS"},
 {ERR_PACK(0,X509V3_F_NOTICE_SECTION,0), "NOTICE_SECTION"},
 {ERR_PACK(0,X509V3_F_NREF_NOS,0),       "NREF_NOS"},
 {ERR_PACK(0,X509V3_F_POLICY_SECTION,0), "POLICY_SECTION"},
 {ERR_PACK(0,X509V3_F_R2I_CERTPOL,0),    "R2I_CERTPOL"},
+{ERR_PACK(0,X509V3_F_R2I_PCI,0),        "R2I_PCI"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0),     "S2I_ASN1_IA5STRING"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0),       "s2i_ASN1_INTEGER"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0),  "s2i_ASN1_OCTET_STRING"},
@@ -128,6 +130,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"},
 {X509V3_R_EXTENSION_VALUE_ERROR          ,"extension value error"},
 {X509V3_R_ILLEGAL_HEX_DIGIT              ,"illegal hex digit"},
+{X509V3_R_INCORRECT_POLICY_SYNTAX_TAG    ,"incorrect policy syntax tag"},
 {X509V3_R_INVALID_BOOLEAN_STRING         ,"invalid boolean string"},
 {X509V3_R_INVALID_EXTENSION_STRING       ,"invalid extension string"},
 {X509V3_R_INVALID_NAME                   ,"invalid name"},
@@ -139,6 +142,8 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_INVALID_OBJECT_IDENTIFIER      ,"invalid object identifier"},
 {X509V3_R_INVALID_OPTION                 ,"invalid option"},
 {X509V3_R_INVALID_POLICY_IDENTIFIER      ,"invalid policy identifier"},
+{X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER,"invalid proxy policy identifier"},
+{X509V3_R_INVALID_PROXY_POLICY_SETTING   ,"invalid proxy policy setting"},
 {X509V3_R_INVALID_PURPOSE                ,"invalid purpose"},
 {X509V3_R_INVALID_SECTION                ,"invalid section"},
 {X509V3_R_INVALID_SYNTAX                 ,"invalid syntax"},
@@ -149,9 +154,16 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_NO_ISSUER_CERTIFICATE          ,"no issuer certificate"},
 {X509V3_R_NO_ISSUER_DETAILS              ,"no issuer details"},
 {X509V3_R_NO_POLICY_IDENTIFIER           ,"no policy identifier"},
+{X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED,"no proxy cert policy language defined"},
 {X509V3_R_NO_PUBLIC_KEY                  ,"no public key"},
 {X509V3_R_NO_SUBJECT_DETAILS             ,"no subject details"},
 {X509V3_R_ODD_NUMBER_OF_DIGITS           ,"odd number of digits"},
+{X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED,"policy language alreadty defined"},
+{X509V3_R_POLICY_PATH_LENGTH             ,"policy path length"},
+{X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED,"policy path length alreadty defined"},
+{X509V3_R_POLICY_SYNTAX_NOT              ,"policy syntax not"},
+{X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED,"policy syntax not currently supported"},
+{X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY,"policy when proxy language requires no policy"},
 {X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS   ,"unable to get issuer details"},
 {X509V3_R_UNABLE_TO_GET_ISSUER_KEYID     ,"unable to get issuer keyid"},
 {X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT    ,"unknown bit string argument"},
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
index fb07a19016..e6d91251c2 100644
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -287,6 +287,23 @@ typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
 DECLARE_STACK_OF(POLICYINFO)
 DECLARE_ASN1_SET_OF(POLICYINFO)
+/* Proxy certificate structures, see RFC 3820 */
+typedef struct PROXY_POLICY_st
+        {
+        ASN1_OBJECT *policyLanguage;
+        ASN1_OCTET_STRING *policy;
+        } PROXY_POLICY;
+typedef struct PROXY_CERT_INFO_EXTENSION_st
+        {
+        ASN1_INTEGER *pcPathLengthConstraint;
+        PROXY_POLICY *proxyPolicy;
+        } PROXY_CERT_INFO_EXTENSION;
+DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
+DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
 #define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
 ",name:", val->name, ",value:", val->value);
@@ -325,6 +342,7 @@ DECLARE_ASN1_SET_OF(POLICYINFO)
 #define EXFLAG_INVALID          0x80
 #define EXFLAG_SET              0x100
 #define EXFLAG_CRITICAL         0x200
+#define EXFLAG_PROXY            0x400
 #define KU_DIGITAL_SIGNATURE    0x0080
 #define KU_NON_REPUDIATION      0x0040
@@ -527,6 +545,7 @@ int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
 int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent);
+int X509_check_ca(X509 *x);
 int X509_check_purpose(X509 *x, int id, int ca);
 int X509_supported_extension(X509_EXTENSION *ex);
 int X509_PURPOSE_set(int *p, int purpose);
@@ -564,12 +583,14 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_F_DO_EXT_I2D                              135
 #define X509V3_F_HEX_TO_STRING                           111
 #define X509V3_F_I2S_ASN1_ENUMERATED                     121
+#define X509V3_F_I2S_ASN1_IA5STRING                      142
 #define X509V3_F_I2S_ASN1_INTEGER                        120
 #define X509V3_F_I2V_AUTHORITY_INFO_ACCESS               138
 #define X509V3_F_NOTICE_SECTION                          132
 #define X509V3_F_NREF_NOS                                133
 #define X509V3_F_POLICY_SECTION                          131
 #define X509V3_F_R2I_CERTPOL                             130
+#define X509V3_F_R2I_PCI                                 142
 #define X509V3_F_S2I_ASN1_IA5STRING                      100
 #define X509V3_F_S2I_ASN1_INTEGER                        108
 #define X509V3_F_S2I_ASN1_OCTET_STRING                   112
@@ -617,6 +638,7 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED         103
 #define X509V3_R_EXTENSION_VALUE_ERROR                   116
 #define X509V3_R_ILLEGAL_HEX_DIGIT                       113
+#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG             153
 #define X509V3_R_INVALID_BOOLEAN_STRING                  104
 #define X509V3_R_INVALID_EXTENSION_STRING                105
 #define X509V3_R_INVALID_NAME                            106
@@ -628,6 +650,8 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_INVALID_OBJECT_IDENTIFIER               110
 #define X509V3_R_INVALID_OPTION                          138
 #define X509V3_R_INVALID_POLICY_IDENTIFIER               134
+#define X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER         147
+#define X509V3_R_INVALID_PROXY_POLICY_SETTING            151
 #define X509V3_R_INVALID_PURPOSE                         146
 #define X509V3_R_INVALID_SECTION                         135
 #define X509V3_R_INVALID_SYNTAX                          143
@@ -638,9 +662,16 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_NO_ISSUER_CERTIFICATE                   121
 #define X509V3_R_NO_ISSUER_DETAILS                       127
 #define X509V3_R_NO_POLICY_IDENTIFIER                    139
+#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED   148
 #define X509V3_R_NO_PUBLIC_KEY                           114
 #define X509V3_R_NO_SUBJECT_DETAILS                      125
 #define X509V3_R_ODD_NUMBER_OF_DIGITS                    112
+#define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED        149
+#define X509V3_R_POLICY_PATH_LENGTH                      152
+#define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED     150
+#define X509V3_R_POLICY_SYNTAX_NOT                       154
+#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED   155
+#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 156
 #define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS            122
 #define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID              123
 #define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT             111
diff --git a/src/lib/libssl/doc/openssl.cnf b/src/lib/libssl/doc/openssl.cnf
index 854d1f164e..4c1d595b0a 100644
--- a/src/lib/libssl/doc/openssl.cnf
+++ b/src/lib/libssl/doc/openssl.cnf
@@ -44,8 +44,8 @@ new_certs_dir	= $dir/newcerts		# default place for new certs.
 certificate     = $dir/cacert.pem       # The CA certificate
 serial          = $dir/serial           # The current serial number
-#crlnumber      = $dir/crlnumber        # the current crl number
+#crlnumber      = $dir/crlnumber        # the current crl number must be
-                                        # must be commented out to leave a V1 CRL
+                                        # commented out to leave a V1 CRL
 crl             = $dir/crl.pem          # The current CRL
 private_key     = $dir/private/cakey.pem# The private key
 RANDFILE        = $dir/private/.rand    # private random number file
@@ -258,3 +258,56 @@ basicConstraints = CA:true
 # issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always,issuer:always
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+basicConstraints=CA:FALSE
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+# This is OK for an SSL server.
+# nsCertType                    = server
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+# For normal client use this is typical
+# nsCertType = client, email
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# This will be displayed in Netscape's comment listbox.
+nsComment                       = "OpenSSL Generated Certificate"
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+# Copy subject details
+# issuerAltName=issuer:copy
+#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/src/lib/libssl/doc/standards.txt b/src/lib/libssl/doc/standards.txt
index edbe2f3a57..f6675b574b 100644
--- a/src/lib/libssl/doc/standards.txt
+++ b/src/lib/libssl/doc/standards.txt
@@ -88,6 +88,10 @@ PKCS#12: Personal Information Exchange Syntax Standard, version 1.0.
     (Format: TXT=143173 bytes) (Obsoletes RFC2437) (Status:           
     INFORMATIONAL)                                         
+3820 Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate
+     Profile. S. Tuecke, V. Welch, D. Engert, L. Pearlman, M. Thompson.
+     June 2004. (Format: TXT=86374 bytes) (Status: PROPOSED STANDARD)
 Related:
 --------
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index 64ee4269ec..779e94a35c 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -235,7 +235,8 @@ static int ssl23_client_hello(SSL *s)
 #endif
                p=s->s3->client_random;
-                RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE);
+                if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE) <= 0)
+                    return -1;
                /* Do the message type and length last */
                d= &(buf[2]);
@@ -248,6 +249,14 @@ static int ssl23_client_hello(SSL *s)
                        *(d++)=TLS1_VERSION_MINOR;
                        s->client_version=TLS1_VERSION;
                        }
+#ifdef OPENSSL_FIPS
+                else if(FIPS_mode())
+                        {
+                        SSLerr(SSL_F_SSL23_CLIENT_HELLO,
+                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                        return -1;
+                        }
+#endif
                else if (!(s->options & SSL_OP_NO_SSLv3))
                        {
                        *(d++)=SSL3_VERSION_MAJOR;
@@ -296,7 +305,9 @@ static int ssl23_client_hello(SSL *s)
                        i=ch_len;
                s2n(i,d);
                memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
-                RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
+                if(RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i) <= 0)
+                        return -1;
                memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
                p+=i;
@@ -426,6 +437,14 @@ static int ssl23_get_server_hello(SSL *s)
                if ((p[2] == SSL3_VERSION_MINOR) &&
                        !(s->options & SSL_OP_NO_SSLv3))
                        {
+#ifdef OPENSSL_FIPS
+                        if(FIPS_mode())
+                                {
+                                SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
+                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                                goto err;
+                                }
+#endif
                        s->version=SSL3_VERSION;
                        s->method=SSLv3_client_method();
                        }
diff --git a/src/lib/libssl/s23_lib.c b/src/lib/libssl/s23_lib.c
index b70002a647..8d7dbcf569 100644
--- a/src/lib/libssl/s23_lib.c
+++ b/src/lib/libssl/s23_lib.c
@@ -87,7 +87,7 @@ static SSL_METHOD SSLv23_data= {
        ssl3_ctx_ctrl,
        ssl23_get_cipher_by_char,
        ssl23_put_cipher_by_char,
-        ssl_undefined_function,
+        ssl_undefined_const_function,
        ssl23_num_ciphers,
        ssl23_get_cipher,
        ssl_bad_method,
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index c5404ca0bc..92f3391f60 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -407,6 +407,15 @@ int ssl23_get_client_hello(SSL *s)
                        }
                }
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && (s->version < TLS1_VERSION))
+                {
+                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
+                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                goto err;
+                }
+#endif
        if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
                {
                /* we have SSLv3/TLSv1 in an SSLv2 header
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 36f4a8b4c3..ebf83b0322 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -117,6 +117,7 @@
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/md5.h>
+#include <openssl/fips.h>
 static SSL_METHOD *ssl3_get_client_method(int ver);
 static int ssl3_client_hello(SSL *s);
@@ -534,7 +535,8 @@ static int ssl3_client_hello(SSL *s)
                p=s->s3->client_random;
                Time=time(NULL);                        /* Time */
                l2n(Time,p);
-                RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+                if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+                    goto err;
                /* Do the message type and length last */
                d=p= &(buf[4]);
@@ -1160,11 +1162,14 @@ static int ssl3_get_key_exchange(SSL *s)
                        q=md_buf;
                        for (num=2; num > 0; num--)
                                {
+                                EVP_MD_CTX_set_flags(&md_ctx,
+                                        EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
                                EVP_DigestInit_ex(&md_ctx,(num == 2)
                                        ?s->ctx->md5:s->ctx->sha1, NULL);
                                EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
                                EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
                                EVP_DigestUpdate(&md_ctx,param,param_len);
+                                
                                EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
                                q+=i;
                                j+=i;
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index d04096016c..9bf1dbec06 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -142,7 +142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_RSA_NULL_SHA,
        SSL3_CK_RSA_NULL_SHA,
        SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_STRONG_NONE,
+        SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
        0,
        0,
        0,
@@ -183,7 +183,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_ADH_DES_40_CBC_SHA,
        SSL3_CK_ADH_DES_40_CBC_SHA,
        SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
+        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
        0,
        40,
        128,
@@ -196,7 +196,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_ADH_DES_64_CBC_SHA,
        SSL3_CK_ADH_DES_64_CBC_SHA,
        SSL_kEDH |SSL_aNULL|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW,
+        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
        0,
        56,
        56,
@@ -209,7 +209,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_ADH_DES_192_CBC_SHA,
        SSL3_CK_ADH_DES_192_CBC_SHA,
        SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        168,
        168,
@@ -291,7 +291,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_RSA_DES_40_CBC_SHA,
        SSL3_CK_RSA_DES_40_CBC_SHA,
        SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
+        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
        0,
        40,
        56,
@@ -304,7 +304,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_RSA_DES_64_CBC_SHA,
        SSL3_CK_RSA_DES_64_CBC_SHA,
        SSL_kRSA|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW,
+        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
        0,
        56,
        56,
@@ -317,7 +317,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_RSA_DES_192_CBC3_SHA,
        SSL3_CK_RSA_DES_192_CBC3_SHA,
        SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        168,
        168,
@@ -332,7 +332,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
        SSL3_CK_DH_DSS_DES_40_CBC_SHA,
        SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
+        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
        0,
        40,
        56,
@@ -345,7 +345,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
        SSL3_CK_DH_DSS_DES_64_CBC_SHA,
        SSL_kDHd |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW,
+        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
        0,
        56,
        56,
@@ -358,7 +358,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
        SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
        SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        168,
        168,
@@ -371,7 +371,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
        SSL3_CK_DH_RSA_DES_40_CBC_SHA,
        SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
+        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
        0,
        40,
        56,
@@ -384,7 +384,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
        SSL3_CK_DH_RSA_DES_64_CBC_SHA,
        SSL_kDHr |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW,
+        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
        0,
        56,
        56,
@@ -397,7 +397,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
        SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
        SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        168,
        168,
@@ -412,7 +412,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
        SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
        SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
+        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
        0,
        40,
        56,
@@ -425,7 +425,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
        SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
        SSL_kEDH|SSL_aDSS|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW,
+        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
        0,
        56,
        56,
@@ -438,7 +438,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
        SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
        SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        168,
        168,
@@ -451,7 +451,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
        SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
        SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
+        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
        0,
        40,
        56,
@@ -464,7 +464,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
        SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
        SSL_kEDH|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW,
+        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
        0,
        56,
        56,
@@ -477,7 +477,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
        SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
        SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        168,
        168,
@@ -541,7 +541,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_KRB5_DES_64_CBC_SHA,
        SSL3_CK_KRB5_DES_64_CBC_SHA,
        SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW,
+        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
        0,
        56,
        56,
@@ -555,7 +555,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_KRB5_DES_192_CBC3_SHA,
        SSL3_CK_KRB5_DES_192_CBC3_SHA,
        SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_SHA1  |SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        112,
        168,
@@ -653,7 +653,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_KRB5_DES_40_CBC_SHA,
        SSL3_CK_KRB5_DES_40_CBC_SHA,
        SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
+        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
        0,
        40,
        56,
@@ -767,7 +767,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
            TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
            SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
-            SSL_EXPORT|SSL_EXP56,
+            SSL_EXPORT|SSL_EXP56|SSL_FIPS,
            0,
            56,
            56,
@@ -780,7 +780,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
            TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
            SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,
-            SSL_EXPORT|SSL_EXP56,
+            SSL_EXPORT|SSL_EXP56|SSL_FIPS,
            0,
            56,
            56,
@@ -835,7 +835,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_RSA_WITH_AES_128_SHA,
            TLS1_CK_RSA_WITH_AES_128_SHA,
            SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
-            SSL_NOT_EXP|SSL_MEDIUM,
+            SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
            0,
            128,
            128,
@@ -848,7 +848,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
            TLS1_CK_DH_DSS_WITH_AES_128_SHA,
            SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_MEDIUM,
+            SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
            0,
            128,
            128,
@@ -861,7 +861,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
            TLS1_CK_DH_RSA_WITH_AES_128_SHA,
            SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_MEDIUM,
+            SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
            0,
            128,
            128,
@@ -874,7 +874,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
            TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
            SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_MEDIUM,
+            SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
            0,
            128,
            128,
@@ -887,7 +887,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
            TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
            SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_MEDIUM,
+            SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
            0,
            128,
            128,
@@ -900,7 +900,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_ADH_WITH_AES_128_SHA,
            TLS1_CK_ADH_WITH_AES_128_SHA,
            SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_MEDIUM,
+            SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
            0,
            128,
            128,
@@ -914,7 +914,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_RSA_WITH_AES_256_SHA,
            TLS1_CK_RSA_WITH_AES_256_SHA,
            SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
+            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
            0,
            256,
            256,
@@ -927,7 +927,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
            TLS1_CK_DH_DSS_WITH_AES_256_SHA,
            SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
+            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
            0,
            256,
            256,
@@ -940,7 +940,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
            TLS1_CK_DH_RSA_WITH_AES_256_SHA,
            SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
+            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
            0,
            256,
            256,
@@ -953,7 +953,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
            TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
            SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
+            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
            0,
            256,
            256,
@@ -966,7 +966,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
            TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
            SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
+            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
            0,
            256,
            256,
@@ -979,7 +979,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_ADH_WITH_AES_256_SHA,
            TLS1_CK_ADH_WITH_AES_256_SHA,
            SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
+            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
            0,
            256,
            256,
@@ -1057,7 +1057,7 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u)
                return(NULL);
        }
-int ssl3_pending(SSL *s)
+int ssl3_pending(const SSL *s)
        {
        if (s->rstate == SSL_ST_READ_BODY)
                return 0;
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index 9f3e5139ad..cb0b12b400 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -862,7 +862,7 @@ start:
                {
                al=SSL_AD_UNEXPECTED_MESSAGE;
                SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
-                goto err;
+                goto f_err;
                }
        /* If the other end has shut down, throw anything we read away
@@ -969,7 +969,7 @@ start:
                        {
                        al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
-                        goto err;
+                        goto f_err;
                        }
                if (s->msg_callback)
@@ -1080,17 +1080,17 @@ start:
                if (    (rr->length != 1) || (rr->off != 0) ||
                        (rr->data[0] != SSL3_MT_CCS))
                        {
-                        i=SSL_AD_ILLEGAL_PARAMETER;
+                        al=SSL_AD_ILLEGAL_PARAMETER;
                        SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
-                        goto err;
+                        goto f_err;
                        }
                /* Check we have a cipher to change to */
                if (s->s3->tmp.new_cipher == NULL)
                        {
-                        i=SSL_AD_UNEXPECTED_MESSAGE;
+                        al=SSL_AD_UNEXPECTED_MESSAGE;
                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
-                        goto err;
+                        goto f_err;
                        }
                rr->length=0;
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index deb3cffabe..c4a1a71523 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -125,6 +125,7 @@
 #include <openssl/krb5_asn.h>
 #endif
 #include <openssl/md5.h>
+#include <openssl/fips.h>
 static SSL_METHOD *ssl3_get_server_method(int ver);
 static int ssl3_get_client_hello(SSL *s);
@@ -955,7 +956,8 @@ static int ssl3_send_server_hello(SSL *s)
                p=s->s3->server_random;
                Time=time(NULL);                        /* Time */
                l2n(Time,p);
-                RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+                if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+                        return -1;
                /* Do the message type and length last */
                d=p= &(buf[4]);
@@ -1211,6 +1213,8 @@ static int ssl3_send_server_key_exchange(SSL *s)
                                j=0;
                                for (num=2; num > 0; num--)
                                        {
+                                        EVP_MD_CTX_set_flags(&md_ctx,
+                                                EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
                                        EVP_DigestInit_ex(&md_ctx,(num == 2)
                                                ?s->ctx->md5:s->ctx->sha1, NULL);
                                        EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
@@ -1491,7 +1495,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
                        i = SSL_MAX_MASTER_KEY_LENGTH;
                        p[0] = s->client_version >> 8;
                        p[1] = s->client_version & 0xff;
-                        RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
+                        if(RAND_pseudo_bytes(p+2, i-2) <= 0)  /* should be RAND_bytes, but we cannot work around a failure */
+                                goto err;
                        }
        
                s->session->master_key_length=
@@ -1589,7 +1594,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
                n2s(p,i);
                enc_ticket.length = i;
-                if (n < enc_ticket.length + 6)
+                if (n < (long)enc_ticket.length + 6)
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                                SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1602,7 +1607,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
                n2s(p,i);
                authenticator.length = i;
-                if (n < enc_ticket.length + authenticator.length + 6)
+                if (n < (long)(enc_ticket.length + authenticator.length + 6))
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                                SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1627,8 +1632,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
                        goto err;
                        }
-                if (n != enc_ticket.length + authenticator.length +
+                if (n != (long)(enc_ticket.length + authenticator.length +
-                                                enc_pms.length + 6)
+                                                enc_pms.length + 6))
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                                SSL_R_DATA_LENGTH_TOO_LONG);
diff --git a/src/lib/libssl/src/CHANGES b/src/lib/libssl/src/CHANGES
index 4a0363a1c2..cccc4f812f 100644
--- a/src/lib/libssl/src/CHANGES
+++ b/src/lib/libssl/src/CHANGES
@@ -2,6 +2,112 @@
 OpenSSL CHANGES
 _______________
+ Changes between 0.9.7f and 0.9.7g  [11 Apr 2005]
+  *) Fixes for newer kerberos headers. NB: the casts are needed because
+     the 'length' field is signed on one version and unsigned on another
+     with no (?) obvious way to tell the difference, without these VC++
+     complains. Also the "definition" of FAR (blank) is no longer included
+     nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
+     some needed definitions.
+     [Steve Henson]
+  *) Undo Cygwin change.
+     [Ulf M�ller]
+  *) Added support for proxy certificates according to RFC 3820.
+     Because they may be a security thread to unaware applications,
+     they must be explicitely allowed in run-time.  See
+     docs/HOWTO/proxy_certificates.txt for further information.
+     [Richard Levitte]
+ Changes between 0.9.7e and 0.9.7f  [22 Mar 2005]
+  *) Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
+     server and client random values. Previously
+     (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
+     less random data when sizeof(time_t) > 4 (some 64 bit platforms).
+     This change has negligible security impact because:
+     1. Server and client random values still have 24 bytes of pseudo random
+        data.
+     2. Server and client random values are sent in the clear in the initial
+        handshake.
+     3. The master secret is derived using the premaster secret (48 bytes in
+        size for static RSA ciphersuites) as well as client server and random
+        values.
+     The OpenSSL team would like to thank the UK NISCC for bringing this issue
+     to our attention. 
+     [Stephen Henson, reported by UK NISCC]
+  *) Use Windows randomness collection on Cygwin.
+     [Ulf M�ller]
+  *) Fix hang in EGD/PRNGD query when communication socket is closed
+     prematurely by EGD/PRNGD.
+     [Darren Tucker <dtucker@zip.com.au> via Lutz J�nicke, resolves #1014]
+  *) Prompt for pass phrases when appropriate for PKCS12 input format.
+     [Steve Henson]
+  *) Back-port of selected performance improvements from development
+     branch, as well as improved support for PowerPC platforms.
+     [Andy Polyakov]
+  *) Add lots of checks for memory allocation failure, error codes to indicate
+     failure and freeing up memory if a failure occurs.
+     [Nauticus Networks SSL Team <openssl@nauticusnet.com>, Steve Henson]
+  *) Add new -passin argument to dgst.
+     [Steve Henson]
+  *) Perform some character comparisons of different types in X509_NAME_cmp:
+     this is needed for some certificates that reencode DNs into UTF8Strings
+     (in violation of RFC3280) and can't or wont issue name rollover
+     certificates.
+     [Steve Henson]
+  *) Make an explicit check during certificate validation to see that
+     the CA setting in each certificate on the chain is correct.  As a
+     side effect always do the following basic checks on extensions,
+     not just when there's an associated purpose to the check:
+      - if there is an unhandled critical extension (unless the user
+        has chosen to ignore this fault)
+      - if the path length has been exceeded (if one is set at all)
+      - that certain extensions fit the associated purpose (if one has
+        been given)
+     [Richard Levitte]
+ Changes between 0.9.7d and 0.9.7e  [25 Oct 2004]
+  *) Avoid a race condition when CRLs are checked in a multi threaded 
+     environment. This would happen due to the reordering of the revoked
+     entries during signature checking and serial number lookup. Now the
+     encoding is cached and the serial number sort performed under a lock.
+     Add new STACK function sk_is_sorted().
+     [Steve Henson]
+  *) Add Delta CRL to the extension code.
+     [Steve Henson]
+  *) Various fixes to s3_pkt.c so alerts are sent properly.
+     [David Holmes <d.holmes@f5.com>]
+  *) Reduce the chances of duplicate issuer name and serial numbers (in
+     violation of RFC3280) using the OpenSSL certificate creation utilities.
+     This is done by creating a random 64 bit value for the initial serial
+     number when a serial number file is created or when a self signed
+     certificate is created using 'openssl req -x509'. The initial serial
+     number file is created using 'openssl x509 -next_serial' in CA.pl
+     rather than being initialized to 1.
+     [Steve Henson]
 Changes between 0.9.7c and 0.9.7d  [17 Mar 2004]
  *) Fix null-pointer assignment in do_change_cipher_spec() revealed           
@@ -2037,6 +2143,20 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) Clean old EAY MD5 hack from e_os.h.
     [Richard Levitte]
+ Changes between 0.9.6l and 0.9.6m  [17 Mar 2004]
+  *) Fix null-pointer assignment in do_change_cipher_spec() revealed
+     by using the Codenomicon TLS Test Tool (CAN-2004-0079)
+     [Joe Orton, Steve Henson]
+ Changes between 0.9.6k and 0.9.6l  [04 Nov 2003]
+  *) Fix additional bug revealed by the NISCC test suite:
+     Stop bug triggering large recursion when presented with
+     certain ASN.1 tags (CAN-2003-0851)
+     [Steve Henson]
 Changes between 0.9.6j and 0.9.6k  [30 Sep 2003]
  *) Fix various bugs revealed by running the NISCC test suite:
diff --git a/src/lib/libssl/src/Configure b/src/lib/libssl/src/Configure
index 4e7883c17a..e0e732c445 100644
--- a/src/lib/libssl/src/Configure
+++ b/src/lib/libssl/src/Configure
@@ -10,7 +10,7 @@ use strict;
 # see INSTALL for instructions.
-my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-engine] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-engine] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [[no-]fips] [debug] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
 # Options:
 #
@@ -135,15 +135,16 @@ my %table=(
 # Our development configs
 "purify",       "purify gcc:-g -DPURIFY -Wall::(unknown)::-lsocket -lnsl::::",
 "debug",        "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown)::-lefence::::",
-"debug-ben",    "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
+"debug-ben",    "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
 "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
 "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
-"debug-ben-debug",      "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::::",
+"debug-ben-debug",      "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -Wall -Wshadow -Werror -pipe::(unknown)::::::",
 "debug-ben-strict",     "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
+"debug-ben-fips-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_FIPS -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
 "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-bodo",   "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-ulf",    "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT:::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-steve",  "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
+"debug-steve",  "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-steve-linux-pseudo64",   "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn",
 "debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -155,6 +156,12 @@ my %table=(
 "gcc",          "gcc:-O3::(unknown):::BN_LLONG:::",
 "cc",           "cc:-O::(unknown)::::::",
+####VOS Configurations
+"vos-gcc","gcc:-b hppa1.1-stratus-vos -O3 -Wall -Wuninitialized -D_POSIX_C_SOURCE=200112L -D_BSD::(unknown):VOS:-Wl,-map:BN_LLONG:::::::::::::.so:",
+"debug-vos-gcc","gcc:-b hppa1.1-stratus-vos -O0 -g -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map:BN_LLONG:::::::::::::.so:",
+"vos-vcc","vcc:-b i386-stratus-vos -O3 -D_POSIX_C_SOURCE=200112L -D_BSD::(unknown):VOS:-Wl,-map::::::::::::::.so:",
+"debug-vos-vcc","vcc:-b i386-stratus-vos -O0 -g -D_POSIX_C_SOURCE=200112L -D_BSD -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map::::::::::::::.so:",
 #### Solaris x86 with GNU C setups
 # -DOPENSSL_NO_INLINE_ASM switches off inline assembler. We have to do it
 # here because whenever GNU C instantiates an assembler template it
@@ -162,9 +169,19 @@ my %table=(
 # 7_x86) /usr/ccs/bin/as fails to assemble with "Illegal mnemonic"
 # error message.
 "solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# -shared -static-libgcc might appear controversial, but modules taken
+# from static libgcc do not have relocations and linking them into our
+# shared objects doesn't have any negative side-effects. On the contrary,
+# doing so makes it possible to use gcc shared build with Sun C. Given
+# that gcc generates faster code [thanks to inline assembler], I would
+# actually recommend to consider using gcc shared build even with vendor
+# compiler:-)
+#                                               <appro@fy.chalmers.se>
+"solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o::::::asm/rc4-amd64.o:::dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### Solaris x86 with Sun C setups
 "solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL::::::::::dlfcn:solaris-shared:-KPIC:-xarch=amd64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### SPARC Solaris with GNU C setups
 "solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -263,10 +280,10 @@ my %table=(
 "hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # IA-64 targets
-"hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:hpux-shared:+Z::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # Frank Geurts <frank.geurts@nl.abnamro.com> has patiently assisted with
 # with debugging of the following config.
-"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:hpux64-shared:+Z::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # More attempts at unified 10.X and 11.X targets for HP C compiler.
 #
@@ -382,17 +399,20 @@ my %table=(
 "debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
+"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-aout",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
 "linux-mipsel",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-mips",   "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ppc",    "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ppc",    "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/linux_ppc32.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# -bpowerpc64-linux is transient option, -m64 should be the one to use...
+"linux-ppc64",  "gcc:-bpowerpc64-linux -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/linux_ppc64.o:::::::::dlfcn:linux-shared:-fPIC:-bpowerpc64-linux:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-m68k",   "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::",
 "linux-s390",   "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-s390x",  "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/ia64.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ia64-ecc",   "ecc:-DL_ENDIAN -DTERMIO -O2 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia64-ecc",   "ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/ia64.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o::::::asm/rc4-amd64.o:::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-em64t", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-m68",   "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-x86",   "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -415,7 +435,9 @@ my %table=(
 "qnx6", "cc:-DL_ENDIAN -DTERMIOS::(unknown)::-lsocket:${x86_gcc_des} ${x86_gcc_opts}:",
 # Linux on ARM
-"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# ARM comes in both little- and big-endian flavors. The following line is
+# endian neutral, but ./config is free to throw in -D[BL]_ENDIAN...
+"linux-elf-arm","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # SCO/Caldera targets.
 #
@@ -442,11 +464,10 @@ my %table=(
 # IBM's AIX.
-"aix-cc",   "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
+"aix3-cc",    "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
-"aix-gcc",  "gcc:-O3 -DB_ENDIAN::(unknown):AIX::BN_LLONG RC4_CHAR:::",
+"aix-gcc",    "gcc:-O3 -DB_ENDIAN::-D_THREAD_SAFE:AIX::BN_LLONG RC4_CHAR:asm/aix_ppc32.o:::::::::dlfcn:",
-"aix43-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:aix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::",
+"aix-cc",     "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384::-qthreaded:AIX::BN_LLONG RC4_CHAR:asm/aix_ppc32.o:::::::::dlfcn:aix-shared::-q32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
-"aix43-gcc",  "gcc:-O1 -DAIX -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:",
+"aix64-cc",   "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384::-qthreaded:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:asm/aix_ppc64.o:::::::::dlfcn:aix-shared::-q64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
-"aix64-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384 -q64::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHAR::::::::::dlfcn:aix-shared::-q64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
 #
 # Cray T90 and similar (SDSC)
@@ -509,17 +530,17 @@ my %table=(
 "BC-16","bcc:::(unknown):WIN16::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::",
 # MinGW
-"mingw", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall:::MINGW32:-mno-cygwin -lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32::::.dll",
+"mingw", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:-D_WINDLL:-mno-cygwin:.dll",
 # UWIN 
 "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
 # Cygwin
 "Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
-"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:::.dll",
+"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:cygwin-shared:-D_WINDLL::.dll",
 # DJGPP
-"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::",
+"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall -DDEVRANDOM=\"/dev/urandom\\x24\":::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::",
 # Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
 "ultrix-cc","cc:-std1 -O -Olimit 2500 -DL_ENDIAN::(unknown):::::::",
@@ -542,7 +563,7 @@ my %table=(
 ##### MacOS X (a.k.a. Rhapsody or Darwin) setup
 "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
-"darwin-ppc-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-ppc-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/osx_ppc32.o::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 ##### A/UX
@@ -609,7 +630,7 @@ my $threads=0;
 my $no_asm=0;
 my $no_dso=0;
 my @skip=();
-my $Makefile="Makefile.ssl";
+my $Makefile="Makefile";
 my $des_locl="crypto/des/des_locl.h";
 my $des ="crypto/des/des.h";
 my $bn  ="crypto/bn/bn.h";
@@ -621,6 +642,7 @@ my $rc2	="crypto/rc2/rc2.h";
 my $bf  ="crypto/bf/bf_locl.h";
 my $bn_asm      ="bn_asm.o";
 my $des_enc="des_enc.o fcrypt_b.o";
+my $fips_des_enc="fips_des_enc.o";
 my $bf_enc      ="bf_enc.o";
 my $cast_enc="c_enc.o";
 my $rc4_enc="rc4_enc.o";
@@ -631,6 +653,8 @@ my $rmd160_obj="";
 my $processor="";
 my $default_ranlib;
 my $perl;
+my $fips=0;
+my $debug=0;
 my $no_ssl2=0;
 my $no_ssl3=0;
@@ -640,10 +664,6 @@ my $no_sha=0;
 my $no_rsa=0;
 my $no_dh=0;
-$default_ranlib= &which("ranlib") or $default_ranlib="true";
-$perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl")
-  or $perl="perl";
 &usage if ($#ARGV < 0);
 my $flags;
@@ -739,6 +759,8 @@ PROCESS_ARGS:
                        { $no_ssl3 = 1; }
                elsif (/^no-tls1?$/)
                        { $no_tls1 = 1; }
+                elsif (/^no-fips$/)
+                        { $fips = 0; }
                elsif (/^no-(.+)$/)
                        {
                        my $algo=$1;
@@ -804,6 +826,14 @@ PROCESS_ARGS:
                        }
                elsif (/^386$/)
                        { $processor=386; }
+                elsif (/^fips$/)
+                        {
+                        $fips=1;
+                        }
+                elsif (/^debug$/)
+                        {
+                        $debug=1;
+                        }
                elsif (/^rsaref$/)
                        {
                        # No RSAref support any more since it's not needed.
@@ -920,11 +950,15 @@ print "Configuring for $target\n";
 my $IsWindows=scalar grep /^$target$/,@WinTargets;
-$exe_ext=".exe" if ($target eq "Cygwin");
+$exe_ext=".exe" if ($target eq "Cygwin" || $target eq "DJGPP" || $target eq "mingw");
-$exe_ext=".exe" if ($target eq "DJGPP");
+$exe_ext=".pm" if ($target eq "vos-gcc" or $target eq "debug-vos-gcc" or $target eq "vos-vcc" or $target eq "debug-vos-vcc");
 $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq "");
 $prefix=$openssldir if $prefix eq "";
+$default_ranlib= &which("ranlib") or $default_ranlib="true";
+$perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl")
+  or $perl="perl";
 chop $openssldir if $openssldir =~ /\/$/;
 chop $prefix if $prefix =~ /\/$/;
@@ -1139,12 +1173,26 @@ if ($ranlib eq "")
 $bn_obj = $bn_asm unless $bn_obj ne "";
+my $fips_des_obj;
+my $fips_sha1_obj;
+if ($fips)
+        {
+        if ($des_obj =~ /\-elf\.o$/ && $no_shared) # FIPS DES module is not PIC
+                {
+                $fips_des_obj='asm/fips-dx86-elf.o';
+                $openssl_other_defines.="#define OPENSSL_FIPS_DES_ASM\n";
+                }
+        else {  $fips_des_obj=$fips_des_enc;  }
+        $fips_sha1_obj='asm/sx86-elf.o' if ($sha1_obj =~ /\-elf\.o$/);
+        $des_obj=$sha1_obj="";
+        $openssl_other_defines.="#define OPENSSL_FIPS\n";
+        }
 $des_obj=$des_enc       unless ($des_obj =~ /\.o$/);
 $bf_obj=$bf_enc         unless ($bf_obj =~ /\.o$/);
 $cast_obj=$cast_enc     unless ($cast_obj =~ /\.o$/);
 $rc4_obj=$rc4_enc       unless ($rc4_obj =~ /\.o$/);
 $rc5_obj=$rc5_enc       unless ($rc5_obj =~ /\.o$/);
-if ($sha1_obj =~ /\.o$/)
+if ($sha1_obj =~ /\.o$/ || $fips_sha1_obj =~ /\.o$/)
        {
 #       $sha1_obj=$sha1_enc;
        $cflags.=" -DSHA1_ASM";
@@ -1160,6 +1208,12 @@ if ($rmd160_obj =~ /\.o$/)
        $cflags.=" -DRMD160_ASM";
        }
+if ($debug)
+        {
+        $cflags.=" -g";
+        $cflags=~s/-fomit-frame-pointer//;
+        }
 # "Stringify" the C flags string.  This permits it to be made part of a string
 # and works as well on command lines.
 $cflags =~ s/([\\\"])/\\\1/g;
@@ -1232,12 +1286,14 @@ while (<IN>)
        s/^EXE_EXT=.*$/EXE_EXT= $exe_ext/;
        s/^BN_ASM=.*$/BN_ASM= $bn_obj/;
        s/^DES_ENC=.*$/DES_ENC= $des_obj/;
+        s/^FIPS_DES_ENC=.*$/FIPS_DES_ENC= $fips_des_obj/;
        s/^BF_ENC=.*$/BF_ENC= $bf_obj/;
        s/^CAST_ENC=.*$/CAST_ENC= $cast_obj/;
        s/^RC4_ENC=.*$/RC4_ENC= $rc4_obj/;
        s/^RC5_ENC=.*$/RC5_ENC= $rc5_obj/;
        s/^MD5_ASM_OBJ=.*$/MD5_ASM_OBJ= $md5_obj/;
        s/^SHA1_ASM_OBJ=.*$/SHA1_ASM_OBJ= $sha1_obj/;
+        s/^FIPS_SHA1_ASM_OBJ=.*$/FIPS_SHA1_ASM_OBJ= $fips_sha1_obj/;
        s/^RMD160_ASM_OBJ=.*$/RMD160_ASM_OBJ= $rmd160_obj/;
        s/^PROCESSOR=.*/PROCESSOR= $processor/;
        s/^RANLIB=.*/RANLIB= $ranlib/;
@@ -1470,7 +1526,7 @@ if($IsWindows) {
        printf OUT <<EOF;
 #ifndef MK1MF_BUILD
  /* auto-generated by Configure for crypto/cversion.c:
-   * for Unix builds, crypto/Makefile.ssl generates functional definitions;
+   * for Unix builds, crypto/Makefile generates functional definitions;
   * Windows builds (and other mk1mf builds) compile cversion.c with
   * -DMK1MF_BUILD and use definitions added to this file by util/mk1mf.pl. */
  #error "Windows builds (PLATFORM=$target) use mk1mf.pl-created Makefiles"
@@ -1478,7 +1534,7 @@ if($IsWindows) {
 EOF
        close(OUT);
 } else {
-        my $make_command = "make -f Makefile.ssl PERL=\'$perl\'";
+        my $make_command = "make PERL=\'$perl\'";
        my $make_targets = "";
        $make_targets .= " links" if $symlink;
        $make_targets .= " depend" if $depflags ne "" && $make_depend;
@@ -1487,12 +1543,10 @@ EOF
                if $make_targets ne "";
        if ( $perl =~ m@^/@) {
            &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
-            &dofile("apps/der_chop",$perl,'^#!/', '#!%s');
            &dofile("apps/CA.pl",$perl,'^#!/', '#!%s');
        } else {
            # No path for Perl known ...
            &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
-            &dofile("apps/der_chop",'/usr/local/bin/perl','^#!/', '#!%s');
            &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
        }
        if ($depflags ne "" && !$make_depend) {
@@ -1569,10 +1623,10 @@ sub which
        my $path;
        foreach $path (split /:/, $ENV{PATH})
                {
-                if (-f "$path/$name" and -x _)
+                if (-f "$path/$name$exe_ext" and -x _)
                        {
-                        return "$path/$name" unless ($name eq "perl" and
+                        return "$path/$name$exe_ext" unless ($name eq "perl" and
-                         system("$path/$name -e " . '\'exit($]<5.0);\''));
+                         system("$path/$name$exe_ext -e " . '\'exit($]<5.0);\''));
                        }
                }
        }
diff --git a/src/lib/libssl/src/FAQ b/src/lib/libssl/src/FAQ
index 0b40039ef8..943fc9d4a3 100644
--- a/src/lib/libssl/src/FAQ
+++ b/src/lib/libssl/src/FAQ
@@ -52,6 +52,7 @@ OpenSSL  -  Frequently Asked Questions
 * Is OpenSSL thread-safe?
 * I've compiled a program under Windows and it crashes: why?
 * How do I read or write a DER encoded buffer using the ASN1 functions?
+* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
 * I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
 * I've called <some function> and it fails, why?
 * I just get a load of numbers for the error output, what do they mean?
@@ -60,6 +61,7 @@ OpenSSL  -  Frequently Asked Questions
 * Can I use OpenSSL's SSL library with non-blocking I/O?
 * Why doesn't my server application receive a client certificate?
 * Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
+* I think I've detected a memory leak, is this a bug?
 ===============================================================================
@@ -68,7 +70,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.7d was released on March 17, 2004.
+OpenSSL 0.9.7g was released on April 11, 2005.
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -460,7 +462,7 @@ get the best result from OpenSSL.  A bit more complicated solution is the
 following:
 ----- snip:start -----
-  make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \
+  make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile | \
       sed -e 's/ -O[0-9] / -O0 /'`"
  rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'`
  make
@@ -470,6 +472,10 @@ This will only compile sha_dgst.c with -O0, the rest with the optimization
 level chosen by the configuration process.  When the above is done, do the
 test and installation and you're set.
+3. Reconfigure the toolkit with no-sha0 option to leave out SHA0. It
+should not be used and is not used in SSL/TLS nor any other recognized
+protocol in either case.
 * Why does the OpenSSL compilation fail with "ar: command not found"?
@@ -683,6 +689,20 @@ and attempts to free the buffer will have unpredictable results
 because it no longer points to the same address.
+* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
+The short answer is yes, because DER is a special case of BER and OpenSSL
+ASN1 decoders can process BER.
+The longer answer is that ASN1 structures can be encoded in a number of
+different ways. One set of ways is the Basic Encoding Rules (BER) with various
+permissible encodings. A restriction of BER is the Distinguished Encoding
+Rules (DER): these uniquely specify how a given structure is encoded.
+Therefore, because DER is a special case of BER, DER is an acceptable encoding
+for BER.
 * I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
 This usually happens when you try compiling something using the PKCS#12
@@ -765,5 +785,28 @@ The correct name according to RFC2256 (LDAP) is x500UniqueIdentifier.
 Change your code to use the new name when compiling against OpenSSL 0.9.7.
+* I think I've detected a memory leak, is this a bug?
+In most cases the cause of an apparent memory leak is an OpenSSL internal table
+that is allocated when an application starts up. Since such tables do not grow
+in size over time they are harmless.
+These internal tables can be freed up when an application closes using various
+functions.  Currently these include following:
+Thread-local cleanup functions:
+  ERR_remove_state()
+Application-global cleanup functions that are aware of usage (and therefore
+thread-safe):
+  ENGINE_cleanup() and CONF_modules_unload()
+"Brutal" (thread-unsafe) Application-global cleanup functions:
+  ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data().
 ===============================================================================
diff --git a/src/lib/libssl/src/INSTALL b/src/lib/libssl/src/INSTALL
index 1c3f3c3fe9..503474f2e4 100644
--- a/src/lib/libssl/src/INSTALL
+++ b/src/lib/libssl/src/INSTALL
@@ -123,7 +123,7 @@
     generic configurations "cc" or "gcc" should usually work on 32 bit
     systems.
-     Configure creates the file Makefile.ssl from Makefile.org and
+     Configure creates the file Makefile from Makefile.org and
     defines various macros in crypto/opensslconf.h (generated from
     crypto/opensslconf.h.in).
@@ -159,7 +159,7 @@
     the failure that isn't a problem in OpenSSL itself (like a missing
     or malfunctioning bc).  If it is a problem with OpenSSL itself,
     try removing any compiler optimization flags from the CFLAG line
-     in Makefile.ssl and run "make clean; make". Please send a bug
+     in Makefile and run "make clean; make". Please send a bug
     report to <openssl-bugs@openssl.org>, including the output of
     "make report" in order to be added to the request tracker at
     http://www.openssl.org/support/rt2.html.
diff --git a/src/lib/libssl/src/INSTALL.W32 b/src/lib/libssl/src/INSTALL.W32
index 0f6c302f0d..c277efa18b 100644
--- a/src/lib/libssl/src/INSTALL.W32
+++ b/src/lib/libssl/src/INSTALL.W32
@@ -46,12 +46,13 @@
 http://www.kernel.org/pub/software/devel/nasm/binaries/win32/
 The NASM binary nasmw.exe needs to be installed anywhere on your PATH.
- Firstly you should run Configure:
+ Firstly you should run Configure (to build a FIPS-certified variant of
+ OpenSSL, add the option "fips"):
 > perl Configure VC-WIN32
 Next you need to build the Makefiles and optionally the assembly language
- files:
+ files (to build a FIPS-certified variant of OpenSSL, add the argument "fips"):
 - If you are using MASM then run:
@@ -100,10 +101,12 @@
 Borland C++ builder 5
 ---------------------
- * Configure for building with Borland Builder:
+ * Configure for building with Borland Builder (to build a FIPS-certified
+   variant of OpenSSL, add the option "fips"):
   > perl Configure BC-32
- * Create the appropriate makefile
+ * Create the appropriate makefile (to build a FIPS-certified variant of
+   OpenSSL, add the argument "fips")
   > ms\do_nasm
 * Build
@@ -194,6 +197,8 @@
   occur, try
   > ms\mingw32 no-asm
   instead.
+   If you want to build a FIPS-certified variant of OpenSSL, add the argument
+   "fips"
   libcrypto.a and libssl.a are the static libraries. To use the DLLs,
   link with libeay32.a and libssl32.a instead.
diff --git a/src/lib/libssl/src/Makefile.org b/src/lib/libssl/src/Makefile.org
index a987a0298b..cc4000b148 100644
--- a/src/lib/libssl/src/Makefile.org
+++ b/src/lib/libssl/src/Makefile.org
@@ -101,6 +101,7 @@ PROCESSOR=
 # Set DES_ENC to des_enc.o if you want to use the C version
 #There are 4 x86 assember options.
+FIPS_DES_ENC= des_enc.o fcrypt_b.o
 DES_ENC= asm/dx86-out.o asm/yx86-out.o
 #DES_ENC= des_enc.o fcrypt_b.o          # C
 #DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # elf
@@ -153,6 +154,7 @@ MD5_ASM_OBJ= asm/mx86-out.o
 # Also need SHA1_ASM defined
 SHA1_ASM_OBJ= asm/sx86-out.o
+FIPS_SHA1_ASM_OBJ= asm/sx86-out.o
 #SHA1_ASM_OBJ= asm/sx86-elf.o       # elf
 #SHA1_ASM_OBJ= asm/sx86-sol.o       # solaris
 #SHA1_ASM_OBJ= asm/sx86-out.o       # a.out, FreeBSD
@@ -173,23 +175,24 @@ LIBKRB5=
 # we might set SHLIB_MARK to '$(SHARED_LIBS)'.
 SHLIB_MARK=
-DIRS=   crypto ssl $(SHLIB_MARK) apps test tools
+DIRS=   crypto fips ssl $(SHLIB_MARK) sigs apps test tools
 SHLIBDIRS= crypto ssl
 # dirs in crypto to build
-SDIRS=  \
+SDIRS=  objects \
        md2 md4 md5 sha mdc2 hmac ripemd \
        des rc2 rc4 rc5 idea bf cast \
        bn ec rsa dsa dh dso engine aes \
-        buffer bio stack lhash rand err objects \
+        buffer bio stack lhash rand err \
        evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5
+FDIRS=  sha1 rand des aes dsa rsa dh
 # tests to perform.  "alltests" is a special word indicating that all tests
 # should be performed.
 TESTS = alltests
-MAKEFILE= Makefile.ssl
+MAKEFILE= Makefile
-MAKE=     make -f Makefile.ssl
 MANDIR=$(OPENSSLDIR)/man
 MAN1=1
@@ -202,6 +205,7 @@ ONEDIRS=out tmp
 EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
 WDIRS=  windows
 LIBS=   libcrypto.a libssl.a
+SIGS=   libcrypto.a.sha1
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
 SHARED_LIBS=
@@ -219,14 +223,32 @@ HEADER=         e_os.h
 # When we're prepared to use shared libraries in the programs we link here
 # we might remove 'clean-shared' from the targets to perform at this stage
-all: Makefile.ssl sub_all openssl.pc
+all: Makefile sub_all openssl.pc
+sigs:   $(SIGS)
+libcrypto.a.sha1: libcrypto.a
+        @if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
+                $(RANLIB) libcrypto.a; \
+                fips/sha1/fips_standalone_sha1 libcrypto.a > libcrypto.a.sha1; \
+        fi
 sub_all:
        @for i in $(DIRS); \
        do \
        if [ -d "$$i" ]; then \
                (cd $$i && echo "making all in $$i..." && \
-                $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
+                $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
+        else \
+                $(MAKE) $$i; \
+        fi; \
+        done;
+sub_target:
+        @for i in $(DIRS); \
+        do \
+        if [ -d "$$i" ]; then \
+                (cd $$i && echo "making $(TARGET) in $$i..." && \
+                $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TARGET='$(TARGET)' sub_target ) || exit 1; \
        else \
                $(MAKE) $$i; \
        fi; \
@@ -312,11 +334,18 @@ do_cygwin-shared:
        if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
                libs="$(LIBKRB5) $$libs"; \
        fi; \
-        ( set -x; ${CC}  -shared -o cyg$$i-$(SHLIB_VERSION_NUMBER).dll \
+        shlib=cyg$${i}-$(SHLIB_VERSION_NUMBER).dll; \
+        [ "$(PLATFORM)" = "mingw" ] && shlib=$${i}eay32.dll; \
+        [ -f apps/$$shlib ] && rm apps/$$shlib; \
+        [ -f test/$$shlib ] && rm test/$$shlib; \
+        base=;  [ $$i = "crypto" ] && base=-Wl,--image-base,0xFE00000; \
+        ( set -x; ${CC} ${SHARED_LDFLAGS} \
+                -shared $$base -o $$shlib \
                -Wl,-Bsymbolic \
                -Wl,--whole-archive lib$$i.a \
                -Wl,--out-implib,lib$$i.dll.a \
-                -Wl,--no-whole-archive $$libs ) || exit 1; \
+                -Wl,--no-whole-archive $$libs ${EX_LIBS} ) || exit 1; \
+        cp -p $$shlib apps/; cp -p $$shlib test/; \
        libs="-l$$i $$libs"; \
        done
@@ -392,6 +421,7 @@ do_solaris-shared:
                  set -x; ${CC} ${SHARED_LDFLAGS} -G -dy -z text \
                        -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
                        -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+                        -Wl,-Bsymbolic \
                        $${MINUSZ}allextract lib$$i.a $${MINUSZ}defaultextract \
                        $$libs ${EX_LIBS} -lc ) || exit 1; \
                libs="-l$$i $$libs"; \
@@ -456,8 +486,8 @@ do_irix-shared:
                if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
                        libs="$(LIBKRB5) $$libs"; \
                fi; \
-                ( WHOLELIB="-all lib$$i.a -notall"; \
+                ( WHOLELIB="-all lib$$i.a -none"; \
-                  (${CC} -v 2>&1 | grep gcc) > /dev/null && WHOLELIB="-Wl,-all,lib$$i.a,-notall"; \
+                  (${CC} -v 2>&1 | grep gcc) > /dev/null && WHOLELIB="-Wl,-all,lib$$i.a,-none"; \
                  set -x; ${CC} ${SHARED_LDFLAGS} \
                        -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
                        -Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
@@ -482,13 +512,18 @@ do_hpux-shared:
        if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
                libs="$(LIBKRB5) $$libs"; \
        fi; \
+        if expr $(PLATFORM) : '.*ia64' > /dev/null; then \
+                shlib=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+        else \
+                shlib=lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+        fi; \
+        [ -f $$shlib ] && rm -f $$shlib; \
        ( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
-                +vnocompatwarnings \
+                +vnocompatwarnings \
                -b -z +s \
-                -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+                -o $$shlib +h $$shlib \
-                +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
                -Fl lib$$i.a -ldld -lc ) || exit 1; \
-        chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+        chmod a=rx $$shlib; \
        done
 # This assumes that GNU utilities are *not* used
@@ -505,12 +540,17 @@ do_hpux64-shared:
        if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
                libs="$(LIBKRB5) $$libs"; \
        fi; \
+        if expr $(PLATFORM) : '.*ia64' > /dev/null; then \
+                shlib=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+        else \
+                shlib=lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+        fi; \
+        [ -f $$shlib ] && rm -f $$shlib; \
        ( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
-                -b -z \
+                -b -z \
-                -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+                -o $$shlib +h $$shlib \
-                +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
                +forceload lib$$i.a -ldl -lc ) || exit 1; \
-        chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+        chmod a=rx $$shlib; \
        done
 # The following method is said to work on all platforms.  Tests will
@@ -551,6 +591,8 @@ do_aix-shared:
                libs="$(LIBKRB5) $$libs"; \
        fi; \
        ( set -x; \
+          OBJECT_MODE=`expr x${SHARED_LDFLAGS} : 'x\-[a-z]\([0-9]*\)'`; \
+          OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
          ld -r -o lib$$i.o $(ALLSYMSFLAG) lib$$i.a && \
          ( nm -Pg lib$$i.o | grep ' [BD] ' | cut -f1 -d' ' > lib$$i.exp; \
            $(SHAREDCMD) $(SHAREDFLAGS) \
@@ -577,7 +619,7 @@ do_reliantunix-shared:
        libs="-l$$i $$libs"; \
        done
-openssl.pc: Makefile.ssl
+openssl.pc: Makefile
        @ ( echo 'prefix=$(INSTALLTOP)'; \
            echo 'exec_prefix=$${prefix}'; \
            echo 'libdir=$${exec_prefix}/lib'; \
@@ -590,8 +632,8 @@ openssl.pc: Makefile.ssl
            echo 'Libs: -L$${libdir} -lssl -lcrypto $(LIBKRB5) $(EX_LIBS)'; \
            echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
-Makefile.ssl: Makefile.org
+Makefile: Makefile.org
-        @echo "Makefile.ssl is older than Makefile.org."
+        @echo "Makefile is older than Makefile.org."
        @echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
        @false
@@ -604,7 +646,7 @@ clean:	libclean
        do \
        if [ -d "$$i" ]; then \
                (cd $$i && echo "making clean in $$i..." && \
-                $(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \
+                $(MAKE) EXE_EXT='${EXE_EXT}' SDIRS='${SDIRS}' clean ) || exit 1; \
                rm -f $(LIBS); \
        fi; \
        done;
@@ -621,7 +663,7 @@ makefile.one: files
        sh util/do_ms.sh
 files:
-        $(PERL) $(TOP)/util/files.pl Makefile.ssl > $(TOP)/MINFO
+        $(PERL) $(TOP)/util/files.pl Makefile > $(TOP)/MINFO
        @for i in $(DIRS) ;\
        do \
        if [ -d "$$i" ]; then \
@@ -631,19 +673,18 @@ files:
        done;
 links:
-        @$(TOP)/util/point.sh Makefile.ssl Makefile
        @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
        @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
        @for i in $(DIRS); do \
        if [ -d "$$i" ]; then \
                (cd $$i && echo "making links in $$i..." && \
-                $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' links ) || exit 1; \
+                $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' links ) || exit 1; \
        fi; \
        done;
 gentests:
        @(cd test && echo "generating dummy tests (if needed)..." && \
-        $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );
+        $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );
 dclean:
        rm -f *.bak
@@ -657,29 +698,18 @@ dclean:
 rehash: rehash.time
 rehash.time: certs
-        @(OPENSSL="`pwd`/apps/openssl"; OPENSSL_DEBUG_MEMORY=on; \
+        @(OPENSSL="`pwd`/util/opensslwrap.sh"; \
-                export OPENSSL OPENSSL_DEBUG_MEMORY; \
+          OPENSSL_DEBUG_MEMORY=on; \
-                LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
+          export OPENSSL OPENSSL_DEBUG_MEMORY; \
-                DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
+          $(PERL) tools/c_rehash certs)
-                SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
-                LIBPATH="`pwd`:$$LIBPATH"; \
-                if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
-                export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
-                $(PERL) tools/c_rehash certs)
        touch rehash.time
 test:   tests
 tests: rehash
        @(cd test && echo "testing..." && \
-        $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
+        $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
-        @LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
+        util/shlib_wrap.sh apps/openssl version -a
-        DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
-        SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
-        LIBPATH="`pwd`:$$LIBPATH"; \
-        if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
-        export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
-        apps/openssl version -a
 report:
        @$(PERL) util/selftest.pl
@@ -703,13 +733,8 @@ lint:
        done;
 tags:
-        @for i in $(DIRS) ;\
+        rm -f TAGS
-        do \
+        find . -name '[^.]*.[ch]' | xargs etags -a
-        if [ -d "$$i" ]; then \
-                (cd $$i && echo "making tags $$i..." && \
-                $(MAKE) SDIRS='${SDIRS}' tags ) || exit 1; \
-        fi; \
-        done;
 errors:
        $(PERL) util/mkerr.pl -recurse -write
@@ -729,11 +754,14 @@ crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h
 crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num
        $(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h
+apps/openssl-vms.cnf: apps/openssl.cnf
+        $(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf
 TABLE: Configure
        (echo 'Output of `Configure TABLE'"':"; \
        $(PERL) Configure TABLE) > TABLE
-update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE
+update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h apps/openssl-vms.cnf TABLE
 # Build distribution tar-file. As the list of files returned by "find" is
 # pretty long, on several platforms a "too many arguments" error or similar
@@ -770,16 +798,17 @@ dist:
 dist_pem_h:
        (cd crypto/pem; $(MAKE) CC='${CC}' SDIRS='${SDIRS}' CFLAG='${CFLAG}' pem.h; $(MAKE) clean)
-install: all install_docs
+install: all install_docs install_sw
+install_sw:
        @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
                $(INSTALL_PREFIX)$(INSTALLTOP)/lib \
                $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \
                $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
                $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
                $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
-                $(INSTALL_PREFIX)$(OPENSSLDIR)/private \
+                $(INSTALL_PREFIX)$(OPENSSLDIR)/private
-                $(INSTALL_PREFIX)$(OPENSSLDIR)/lib
+        @headerlist="$(EXHEADER)"; for i in $$headerlist ;\
-        @for i in $(EXHEADER) ;\
        do \
        (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -796,7 +825,11 @@ install: all install_docs
                if [ -f "$$i" ]; then \
                (       echo installing $$i; \
                        cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-                        $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+                        if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
+                                : ; \
+                        else \
+                                $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+                        fi; \
                        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
                        mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
                fi; \
@@ -833,6 +866,15 @@ install: all install_docs
                        sed -e '1,/^$$/d' doc/openssl-shared.txt; \
                fi; \
        fi
+        @for i in $(SIGS) ;\
+        do \
+                if [ -f "$$i" ]; then \
+                (       echo installing $$i; \
+                        cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+                        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+                        mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
+                fi; \
+        done;
        cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/openssl.pc
@@ -845,7 +887,7 @@ install_docs:
        @pod2man="`cd util; ./pod2mantest $(PERL)`"; \
        here="`pwd`"; \
        filecase=; \
-        if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" ]; then \
+        if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" -o "$(PLATFORM)" = "mingw" ]; then \
                filecase=-i; \
        fi; \
        for i in doc/apps/*.pod; do \
diff --git a/src/lib/libssl/src/NEWS b/src/lib/libssl/src/NEWS
index 4c1ba0a241..8e1ce65a5f 100644
--- a/src/lib/libssl/src/NEWS
+++ b/src/lib/libssl/src/NEWS
@@ -5,12 +5,34 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.
+  Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g:
+      o More compilation issues fixed.
+      o Adaptation to more modern Kerberos API.
+      o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin.
+      o Enhanced x86_64 assembler BIGNUM module.
+      o More constification.
+      o Added processing of proxy certificates (RFC 3820).
+  Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f:
+      o Several compilation issues fixed.
+      o Many memory allocation failure checks added.
+      o Improved comparison of X509 Name type.
+      o Mandatory basic checks on certificates.
+      o Performance improvements.
+  Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e:
+      o Fix race condition in CRL checking code.
+      o Fixes to PKCS#7 (S/MIME) code.
  Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d:
      o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
      o Security: Fix null-pointer assignment in do_change_cipher_spec()
      o Allow multiple active certificates with same subject in CA index
-      o Multiple X590 verification fixes
+      o Multiple X509 verification fixes
      o Speed up HMAC and other operations
  Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c:
diff --git a/src/lib/libssl/src/README b/src/lib/libssl/src/README
index f72a21036f..c52c2d94bd 100644
--- a/src/lib/libssl/src/README
+++ b/src/lib/libssl/src/README
@@ -1,7 +1,7 @@
- OpenSSL 0.9.7d 17 Mar 2004
+ OpenSSL 0.9.7g 11 April 2005
- Copyright (c) 1998-2004 The OpenSSL Project
+ Copyright (c) 1998-2005 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
 All rights reserved.
@@ -173,11 +173,17 @@
 textual explanation of what your patch does.
 Note: For legal reasons, contributions from the US can be accepted only
- if a TSA notification and a copy of the patch is sent to crypt@bis.doc.gov;
+ if a TSU notification and a copy of the patch are sent to crypt@bis.doc.gov
- see http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
+ (formerly BXA) with a copy to the ENC Encryption Request Coordinator;
- and http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e)).
+ please take some time to look at
+    http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
- The preferred format for changes is "diff -u" output. You might
+ and
+    http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e))
+ for the details. If "your encryption source code is too large to serve as
+ an email attachment", they are glad to receive it by fax instead; hope you
+ have a cheap long-distance plan.
+ Our preferred format for changes is "diff -u" output. You might
 generate it like this:
 # cd openssl-work
diff --git a/src/lib/libssl/src/VMS/mkshared.com b/src/lib/libssl/src/VMS/mkshared.com
index afdc85bbe0..19f3821bc6 100644
--- a/src/lib/libssl/src/VMS/mkshared.com
+++ b/src/lib/libssl/src/VMS/mkshared.com
@@ -266,6 +266,14 @@ $             falsesum = falsesum + 1
 $         endif
 $         if plat_entry .eqs. "VMS" then truesum = truesum + 1
 $         if plat_entry .eqs. "!VMS" then falsesum = falsesum + 1
+$         if f$trnlnm("OPENSSL_FIPS") .nes. ""
+$         then
+$           if plat_entry .eqs. "OPENSSL_FIPS" then truesum = truesum + 1
+$           if plat_entry .eqs. "!OPENSSL_FIPS" then falsesum = falsesum + 1
+$         else
+$           if plat_entry .eqs. "OPENSSL_FIPS" then falsesum = falsesum + 1
+$           if plat_entry .eqs. "!OPENSSL_FIPS" then truesum = truesum + 1
+$         endif
 $         goto loop1
 $       endif
 $     endloop1:
diff --git a/src/lib/libssl/src/apps/CA.pl.in b/src/lib/libssl/src/apps/CA.pl.in
index 8b2ce7ea42..39f267d313 100644
--- a/src/lib/libssl/src/apps/CA.pl.in
+++ b/src/lib/libssl/src/apps/CA.pl.in
@@ -36,13 +36,21 @@
 # default openssl.cnf file has setup as per the following
 # demoCA ... where everything is stored
+my $openssl;
+if(defined $ENV{OPENSSL}) {
+        $openssl = $ENV{OPENSSL};
+} else {
+        $openssl = "openssl";
+        $ENV{OPENSSL} = $openssl;
+}
 $SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
 $DAYS="-days 365";
-$REQ="openssl req $SSLEAY_CONFIG";
+$REQ="$openssl req $SSLEAY_CONFIG";
-$CA="openssl ca $SSLEAY_CONFIG";
+$CA="$openssl ca $SSLEAY_CONFIG";
-$VERIFY="openssl verify";
+$VERIFY="$openssl verify";
-$X509="openssl x509";
+$X509="$openssl x509";
-$PKCS12="openssl pkcs12";
+$PKCS12="$openssl pkcs12";
 $CATOP="./demoCA";
 $CAKEY="cakey.pem";
@@ -82,9 +90,6 @@ foreach (@ARGV) {
                mkdir "${CATOP}/crl", $DIRMODE ;
                mkdir "${CATOP}/newcerts", $DIRMODE;
                mkdir "${CATOP}/private", $DIRMODE;
-                open OUT, ">${CATOP}/serial";
-                print OUT "01\n";
-                close OUT;
                open OUT, ">${CATOP}/index.txt";
                close OUT;
            }
@@ -106,6 +111,10 @@ foreach (@ARGV) {
                    $RET=$?;
                }
            }
+            if (! -f "${CATOP}/serial" ) {
+                system ("$X509 -in ${CATOP}/$CACERT -noout "
+                        . "-next_serial -out ${CATOP}/serial");
+            }
        } elsif (/^-pkcs12$/) {
            my $cname = $ARGV[1];
            $cname = "My Certificate" unless defined $cname;
diff --git a/src/lib/libssl/src/apps/CA.sh b/src/lib/libssl/src/apps/CA.sh
index d9f3069fb2..030a11fc25 100644
--- a/src/lib/libssl/src/apps/CA.sh
+++ b/src/lib/libssl/src/apps/CA.sh
@@ -30,11 +30,13 @@
 # default openssl.cnf file has setup as per the following
 # demoCA ... where everything is stored
+if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
 DAYS="-days 365"
-REQ="openssl req $SSLEAY_CONFIG"
+REQ="$OPENSSL req $SSLEAY_CONFIG"
-CA="openssl ca $SSLEAY_CONFIG"
+CA="$OPENSSL ca $SSLEAY_CONFIG"
-VERIFY="openssl verify"
+VERIFY="$OPENSSL verify"
-X509="openssl x509"
+X509="$OPENSSL x509"
 CATOP=./demoCA
 CAKEY=./cakey.pem
diff --git a/src/lib/libssl/src/apps/apps.c b/src/lib/libssl/src/apps/apps.c
index 1d37c4defb..9157cdfcdc 100644
--- a/src/lib/libssl/src/apps/apps.c
+++ b/src/lib/libssl/src/apps/apps.c
@@ -126,16 +126,6 @@
 #include <openssl/engine.h>
 #endif
-#ifdef OPENSSL_SYS_WINDOWS
-#define strcasecmp _stricmp
-#else
-#  ifdef NO_STRINGS_H
-    int strcasecmp();
-#  else
-#    include <strings.h>
-#  endif /* NO_STRINGS_H */
-#endif
 #define NON_MAIN
 #include "apps.h"
 #undef NON_MAIN
@@ -340,60 +330,6 @@ void program_name(char *in, char *out, int size)
 #endif
 #endif
-#ifdef OPENSSL_SYS_WIN32
-int WIN32_rename(char *from, char *to)
-        {
-#ifndef OPENSSL_SYS_WINCE
-        /* Windows rename gives an error if 'to' exists, so delete it
-         * first and ignore file not found errror
-         */
-        if((remove(to) != 0) && (errno != ENOENT))
-                return -1;
-#undef rename
-        return rename(from, to);
-#else
-        /* convert strings to UNICODE */
-        {
-        BOOL result = FALSE;
-        WCHAR* wfrom;
-        WCHAR* wto;
-        int i;
-        wfrom = malloc((strlen(from)+1)*2);
-        wto = malloc((strlen(to)+1)*2);
-        if (wfrom != NULL && wto != NULL)
-                {
-                for (i=0; i<(int)strlen(from)+1; i++)
-                        wfrom[i] = (short)from[i];
-                for (i=0; i<(int)strlen(to)+1; i++)
-                        wto[i] = (short)to[i];
-                result = MoveFile(wfrom, wto);
-                }
-        if (wfrom != NULL)
-                free(wfrom);
-        if (wto != NULL)
-                free(wto);
-        return result;
-        }
-#endif
-        }
-#endif
-#ifdef OPENSSL_SYS_VMS
-int VMS_strcasecmp(const char *str1, const char *str2)
-        {
-        while (*str1 && *str2)
-                {
-                int res = toupper(*str1) - toupper(*str2);
-                if (res) return res < 0 ? -1 : 1;
-                }
-        if (*str1)
-                return 1;
-        if (*str2)
-                return -1;
-        return 0;
-        }
-#endif
 int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
        {
        int num,len,i;
@@ -590,7 +526,7 @@ int password_callback(char *buf, int bufsiz, int verify,
                char *prompt = NULL;
                prompt = UI_construct_prompt(ui, "pass phrase",
-                        cb_data->prompt_info);
+                        prompt_info);
                ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
                UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
@@ -739,6 +675,51 @@ int add_oid_section(BIO *err, CONF *conf)
        return 1;
 }
+static int load_pkcs12(BIO *err, BIO *in, const char *desc,
+                pem_password_cb *pem_cb,  void *cb_data,
+                EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
+        {
+        const char *pass;
+        char tpass[PEM_BUFSIZE];
+        int len, ret = 0;
+        PKCS12 *p12;
+        p12 = d2i_PKCS12_bio(in, NULL);
+        if (p12 == NULL)
+                {
+                BIO_printf(err, "Error loading PKCS12 file for %s\n", desc);    
+                goto die;
+                }
+        /* See if an empty password will do */
+        if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0))
+                pass = "";
+        else
+                {
+                if (!pem_cb)
+                        pem_cb = (pem_password_cb *)password_callback;
+                len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data);
+                if (len < 0) 
+                        {
+                        BIO_printf(err, "Passpharse callback error for %s\n",
+                                        desc);
+                        goto die;
+                        }
+                if (len < PEM_BUFSIZE)
+                        tpass[len] = 0;
+                if (!PKCS12_verify_mac(p12, tpass, len))
+                        {
+                        BIO_printf(err,
+        "Mac verify error (wrong password?) in PKCS12 file for %s\n", desc);    
+                        goto die;
+                        }
+                pass = tpass;
+                }
+        ret = PKCS12_parse(p12, pass, pkey, cert, ca);
+        die:
+        if (p12)
+                PKCS12_free(p12);
+        return ret;
+        }
 X509 *load_cert(BIO *err, const char *file, int format,
        const char *pass, ENGINE *e, const char *cert_descrip)
        {
@@ -819,11 +800,9 @@ X509 *load_cert(BIO *err, const char *file, int format,
                        (pem_password_cb *)password_callback, NULL);
        else if (format == FORMAT_PKCS12)
                {
-                PKCS12 *p12 = d2i_PKCS12_bio(cert, NULL);
+                if (!load_pkcs12(err, cert,cert_descrip, NULL, NULL,
+                                        NULL, &x, NULL))
-                PKCS12_parse(p12, NULL, NULL, &x, NULL);
+                        goto end;
-                PKCS12_free(p12);
-                p12 = NULL;
                }
        else    {
                BIO_printf(err,"bad input format specified for %s\n",
@@ -902,11 +881,10 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
 #endif
        else if (format == FORMAT_PKCS12)
                {
-                PKCS12 *p12 = d2i_PKCS12_bio(key, NULL);
+                if (!load_pkcs12(err, key, key_descrip,
+                                (pem_password_cb *)password_callback, &cb_data,
-                PKCS12_parse(p12, pass, &pkey, NULL, NULL);
+                                &pkey, NULL, NULL))
-                PKCS12_free(p12);
+                        goto end;
-                p12 = NULL;
                }
        else
                {
@@ -1486,12 +1464,9 @@ BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai)
                        }
                else
                        {
-                        ASN1_INTEGER_set(ai,1);
                        ret=BN_new();
-                        if (ret == NULL)
+                        if (ret == NULL || !rand_serial(ret, ai))
                                BIO_printf(bio_err, "Out of memory\n");
-                        else
-                                BN_one(ret);
                        }
                }
        else
@@ -1653,6 +1628,33 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
        return 0;
        }
+int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
+        {
+        BIGNUM *btmp;
+        int ret = 0;
+        if (b)
+                btmp = b;
+        else
+                btmp = BN_new();
+        if (!btmp)
+                return 0;
+        if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
+                goto error;
+        if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
+                goto error;
+        ret = 1;
+        
+        error:
+        if (!b)
+                BN_free(btmp);
+        
+        return ret;
+        }
 CA_DB *load_index(char *dbfile, DB_ATTR *db_attr)
        {
        CA_DB *retdb = NULL;
@@ -1970,9 +1972,48 @@ int rotate_index(char *dbfile, char *new_suffix, char *old_suffix)
 void free_index(CA_DB *db)
        {
-        if (db != NULL)
+        if (db)
                {
-                TXT_DB_free(db->db);
+                if (db->db) TXT_DB_free(db->db);
                OPENSSL_free(db);
                }
        }
+/* This code MUST COME AFTER anything that uses rename() */
+#ifdef OPENSSL_SYS_WIN32
+int WIN32_rename(char *from, char *to)
+        {
+#ifndef OPENSSL_SYS_WINCE
+        /* Windows rename gives an error if 'to' exists, so delete it
+         * first and ignore file not found errror
+         */
+        if((remove(to) != 0) && (errno != ENOENT))
+                return -1;
+#undef rename
+        return rename(from, to);
+#else
+        /* convert strings to UNICODE */
+        {
+        BOOL result = FALSE;
+        WCHAR* wfrom;
+        WCHAR* wto;
+        int i;
+        wfrom = malloc((strlen(from)+1)*2);
+        wto = malloc((strlen(to)+1)*2);
+        if (wfrom != NULL && wto != NULL)
+                {
+                for (i=0; i<(int)strlen(from)+1; i++)
+                        wfrom[i] = (short)from[i];
+                for (i=0; i<(int)strlen(to)+1; i++)
+                        wto[i] = (short)to[i];
+                result = MoveFile(wfrom, wto);
+                }
+        if (wfrom != NULL)
+                free(wfrom);
+        if (wto != NULL)
+                free(wto);
+        return result;
+        }
+#endif
+        }
+#endif
diff --git a/src/lib/libssl/src/apps/apps.h b/src/lib/libssl/src/apps/apps.h
index 8a9c4ab0a0..4320410dad 100644
--- a/src/lib/libssl/src/apps/apps.h
+++ b/src/lib/libssl/src/apps/apps.h
@@ -141,12 +141,6 @@ long app_RAND_load_files(char *file); /* `file' is a list of files to read,
 int WIN32_rename(char *oldname,char *newname);
 #endif
-/* VMS below version 7.0 doesn't have strcasecmp() */
-#ifdef OPENSSL_SYS_VMS
-#define strcasecmp(str1,str2) VMS_strcasecmp((str1),(str2))
-int VMS_strcasecmp(const char *str1, const char *str2);
-#endif
 #ifndef MONOLITH
 #define MAIN(a,v)       main(a,v)
@@ -154,9 +148,11 @@ int VMS_strcasecmp(const char *str1, const char *str2);
 #ifndef NON_MAIN
 CONF *config=NULL;
 BIO *bio_err=NULL;
+int in_FIPS_mode=0;
 #else
 extern CONF *config;
 extern BIO *bio_err;
+extern int in_FIPS_mode;
 #endif
 #else
@@ -165,6 +161,7 @@ extern BIO *bio_err;
 extern CONF *config;
 extern char *default_config_file;
 extern BIO *bio_err;
+extern int in_FIPS_mode;
 #endif
@@ -313,6 +310,7 @@ typedef struct ca_db_st
 BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai);
 int save_serial(char *serialfile, char *suffix, BIGNUM *serial, ASN1_INTEGER **retai);
 int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix);
+int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
 CA_DB *load_index(char *dbfile, DB_ATTR *dbattr);
 int index_index(CA_DB *db);
 int save_index(char *dbfile, char *suffix, CA_DB *db);
@@ -341,4 +339,6 @@ X509_NAME *do_subject(char *str, long chtype);
 #define APP_PASS_LEN    1024
+#define SERIAL_RAND_BITS        64
 #endif
diff --git a/src/lib/libssl/src/apps/asn1pars.c b/src/lib/libssl/src/apps/asn1pars.c
index 7db40adf04..c89b358b23 100644
--- a/src/lib/libssl/src/apps/asn1pars.c
+++ b/src/lib/libssl/src/apps/asn1pars.c
@@ -278,6 +278,7 @@ bad:
                tmplen=num;
                for (i=0; i<sk_num(osk); i++)
                        {
+                        int typ;
                        ASN1_TYPE *atmp;
                        j=atoi(sk_value(osk,i));
                        if (j == 0)
@@ -296,6 +297,15 @@ bad:
                                ERR_print_errors(bio_err);
                                goto end;
                                }
+                        typ = ASN1_TYPE_get(at);
+                        if ((typ == V_ASN1_OBJECT)
+                                || (typ == V_ASN1_NULL))
+                                {
+                                BIO_printf(bio_err, "Can't parse %s type\n",
+                                        typ == V_ASN1_NULL ? "NULL" : "OBJECT");
+                                ERR_print_errors(bio_err);
+                                goto end;
+                                }
                        /* hmm... this is a little evil but it works */
                        tmpbuf=at->value.asn1_string->data;
                        tmplen=at->value.asn1_string->length;
diff --git a/src/lib/libssl/src/apps/ca.c b/src/lib/libssl/src/apps/ca.c
index 33362389cc..b934b52cc5 100644
--- a/src/lib/libssl/src/apps/ca.c
+++ b/src/lib/libssl/src/apps/ca.c
@@ -76,16 +76,6 @@
 #include <openssl/ocsp.h>
 #include <openssl/pem.h>
-#ifdef OPENSSL_SYS_WINDOWS
-#define strcasecmp _stricmp
-#else
-#  ifdef NO_STRINGS_H
-    int strcasecmp();
-#  else
-#    include <strings.h>
-#  endif /* NO_STRINGS_H */
-#endif
 #ifndef W_OK
 #  ifdef OPENSSL_SYS_VMS
 #    if defined(__DECC)
@@ -248,6 +238,7 @@ int MAIN(int argc, char **argv)
        {
        ENGINE *e = NULL;
        char *key=NULL,*passargin=NULL;
+        int create_ser = 0;
        int free_key = 0;
        int total=0;
        int total_done=0;
@@ -547,10 +538,6 @@ bad:
        ERR_load_crypto_strings();
-#ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
-#endif
        /*****************************************************************/
        tofree=NULL;
        if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
@@ -595,6 +582,10 @@ bad:
        if (!load_config(bio_err, conf))
                goto err;
+#ifndef OPENSSL_NO_ENGINE
+        e = setup_engine(bio_err, engine, 0);
+#endif
        /* Lets get the config section we are using */
        if (section == NULL)
                {
@@ -666,8 +657,10 @@ bad:
                        break;
                        }
                }
-#ifdef RL_DEBUG
        else
+                ERR_clear_error();
+#ifdef RL_DEBUG
+        if (!p)
                BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p);
 #endif
 #ifdef RL_DEBUG
@@ -1001,25 +994,27 @@ bad:
                        }
                }
+        if ((md == NULL) && ((md=NCONF_get_string(conf,
+                section,ENV_DEFAULT_MD)) == NULL))
+                {
+                lookup_fail(section,ENV_DEFAULT_MD);
+                goto err;
+                }
+        if ((dgst=EVP_get_digestbyname(md)) == NULL)
+                {
+                BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
+                goto err;
+                }
        if (req)
                {
-                if ((md == NULL) && ((md=NCONF_get_string(conf,
-                        section,ENV_DEFAULT_MD)) == NULL))
-                        {
-                        lookup_fail(section,ENV_DEFAULT_MD);
-                        goto err;
-                        }
                if ((email_dn == 1) && ((tmp_email_dn=NCONF_get_string(conf,
                        section,ENV_DEFAULT_EMAIL_DN)) != NULL ))
                        {
                        if(strcmp(tmp_email_dn,"no") == 0)
                                email_dn=0;
                        }
-                if ((dgst=EVP_get_digestbyname(md)) == NULL)
-                        {
-                        BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
-                        goto err;
-                        }
                if (verbose)
                        BIO_printf(bio_err,"message digest is %s\n",
                                OBJ_nid2ln(dgst->type));
@@ -1106,7 +1101,7 @@ bad:
                        goto err;
                        }
-                if ((serial=load_serial(serialfile, 0, NULL)) == NULL)
+                if ((serial=load_serial(serialfile, create_ser, NULL)) == NULL)
                        {
                        BIO_printf(bio_err,"error while loading serial number\n");
                        goto err;
@@ -1402,23 +1397,10 @@ bad:
                /* we now have a CRL */
                if (verbose) BIO_printf(bio_err,"signing CRL\n");
-                if (md != NULL)
-                        {
-                        if ((dgst=EVP_get_digestbyname(md)) == NULL)
-                                {
-                                BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
-                                goto err;
-                                }
-                        }
-                else
-                        {
 #ifndef OPENSSL_NO_DSA
-                        if (pkey->type == EVP_PKEY_DSA) 
+                if (pkey->type == EVP_PKEY_DSA) 
-                                dgst=EVP_dss1();
+                        dgst=EVP_dss1();
-                        else
 #endif
-                                dgst=EVP_md5();
-                        }
                /* Add any extensions asked for */
diff --git a/src/lib/libssl/src/apps/crl.c b/src/lib/libssl/src/apps/crl.c
index 81d66587c1..878f65468e 100644
--- a/src/lib/libssl/src/apps/crl.c
+++ b/src/lib/libssl/src/apps/crl.c
@@ -355,7 +355,11 @@ bad:
        if (text) X509_CRL_print(out, x);
-        if (noout) goto end;
+        if (noout) 
+                {
+                ret = 0;
+                goto end;
+                }
        if      (outformat == FORMAT_ASN1)
                i=(int)i2d_X509_CRL_bio(out,x);
diff --git a/src/lib/libssl/src/apps/dgst.c b/src/lib/libssl/src/apps/dgst.c
index be25dafef7..17fb87b77c 100644
--- a/src/lib/libssl/src/apps/dgst.c
+++ b/src/lib/libssl/src/apps/dgst.c
@@ -66,6 +66,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/hmac.h>
 #undef BUFSIZE
 #define BUFSIZE 1024*8
@@ -73,9 +74,11 @@
 #undef PROG
 #define PROG    dgst_main
+static HMAC_CTX hmac_ctx;
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
          EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
-          const char *file);
+          const char *file,BIO *bmd,const char *hmac_key, int non_fips_allow);
 int MAIN(int, char **);
@@ -100,9 +103,12 @@ int MAIN(int argc, char **argv)
        EVP_PKEY *sigkey = NULL;
        unsigned char *sigbuf = NULL;
        int siglen = 0;
+        char *passargin = NULL, *passin = NULL;
 #ifndef OPENSSL_NO_ENGINE
        char *engine=NULL;
 #endif
+        char *hmac_key=NULL;
+        int non_fips_allow = 0;
        apps_startup();
@@ -145,6 +151,12 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) break;
                        keyfile=*(++argv);
                        }
+                else if (!strcmp(*argv,"-passin"))
+                        {
+                        if (--argc < 1)
+                                break;
+                        passargin=*++argv;
+                        }
                else if (strcmp(*argv,"-verify") == 0)
                        {
                        if (--argc < 1) break;
@@ -181,6 +193,14 @@ int MAIN(int argc, char **argv)
                        out_bin = 1;
                else if (strcmp(*argv,"-d") == 0)
                        debug=1;
+                else if (strcmp(*argv,"-non-fips-allow") == 0)
+                        non_fips_allow=1;
+                else if (!strcmp(*argv,"-hmac"))
+                        {
+                        if (--argc < 1)
+                                break;
+                        hmac_key=*++argv;
+                        }
                else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
                        md=m;
                else
@@ -235,7 +255,7 @@ int MAIN(int argc, char **argv)
                }
 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+        e = setup_engine(bio_err, engine, 0);
 #endif
        in=BIO_new(BIO_s_file());
@@ -247,6 +267,12 @@ int MAIN(int argc, char **argv)
                BIO_set_callback_arg(in,bio_err);
                }
+        if(!app_passwd(bio_err, passargin, NULL, &passin, NULL))
+                {
+                BIO_printf(bio_err, "Error getting password\n");
+                goto end;
+                }
        if ((in == NULL) || (bmd == NULL))
                {
                ERR_print_errors(bio_err);
@@ -288,7 +314,7 @@ int MAIN(int argc, char **argv)
                        sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL,
                                e, "key file");
                else
-                        sigkey = load_key(bio_err, keyfile, keyform, 0, NULL,
+                        sigkey = load_key(bio_err, keyfile, keyform, 0, passin,
                                e, "key file");
                if (!sigkey)
                        {
@@ -318,18 +344,30 @@ int MAIN(int argc, char **argv)
                        goto end;
                }
        }
-                
+        if (non_fips_allow)
+                {
+                EVP_MD_CTX *md_ctx;
+                BIO_get_md_ctx(bmd,&md_ctx);
+                EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+                }
        /* we use md as a filter, reading from 'in' */
-        BIO_set_md(bmd,md);
+        if (!BIO_set_md(bmd,md))
+                {
+                BIO_printf(bio_err, "Error setting digest %s\n",
+                                                        EVP_MD_name(md));
+                ERR_print_errors(bio_err);
+                goto end;
+                }
+                
        inp=BIO_push(bmd,in);
        if (argc == 0)
                {
                BIO_set_fp(in,stdin,BIO_NOCLOSE);
                err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf,
-                          siglen,"","(stdin)");
+                          siglen,"","(stdin)",bmd,hmac_key, non_fips_allow);
                }
        else
                {
@@ -347,14 +385,15 @@ int MAIN(int argc, char **argv)
                                }
                        if(!out_bin)
                                {
-                                size_t len = strlen(name)+strlen(argv[i])+5;
+                                size_t len = strlen(name)+strlen(argv[i])+(hmac_key ? 5 : 0)+5;
                                tmp=tofree=OPENSSL_malloc(len);
-                                BIO_snprintf(tmp,len,"%s(%s)= ",name,argv[i]);
+                                BIO_snprintf(tmp,len,"%s%s(%s)= ",
+                                                         hmac_key ? "HMAC-" : "",name,argv[i]);
                                }
                        else
                                tmp="";
                        r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf,
-                                siglen,tmp,argv[i]);
+                                siglen,tmp,argv[i],bmd,hmac_key,non_fips_allow);
                        if(r)
                            err=r;
                        if(tofree)
@@ -369,6 +408,8 @@ end:
                OPENSSL_free(buf);
                }
        if (in != NULL) BIO_free(in);
+        if (passin)
+                OPENSSL_free(passin);
        BIO_free_all(out);
        EVP_PKEY_free(sigkey);
        if(sigbuf) OPENSSL_free(sigbuf);
@@ -379,11 +420,25 @@ end:
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
          EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
-          const char *file)
+          const char *file,BIO *bmd,const char *hmac_key, int non_fips_allow)
        {
-        int len;
+        unsigned int len;
        int i;
+        EVP_MD_CTX *md_ctx;
+        if (hmac_key)
+                {
+                EVP_MD *md;
+                BIO_get_md(bmd,&md);
+                HMAC_CTX_init(&hmac_ctx);
+                if (non_fips_allow)
+                        HMAC_CTX_set_flags(&hmac_ctx,
+                                        EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+                HMAC_Init_ex(&hmac_ctx,hmac_key,strlen(hmac_key),md, NULL);
+                BIO_get_md_ctx(bmd,&md_ctx);
+                BIO_set_md_ctx(bmd,&hmac_ctx.md_ctx);
+                }
        for (;;)
                {
                i=BIO_read(bp,(char *)buf,BUFSIZE);
@@ -426,6 +481,11 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
                        return 1;
                        }
                }
+        else if(hmac_key)
+                {
+                HMAC_Final(&hmac_ctx,buf,&len);
+                HMAC_CTX_cleanup(&hmac_ctx);
+                }
        else
                len=BIO_gets(bp,(char *)buf,BUFSIZE);
@@ -433,7 +493,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
        else 
                {
                BIO_write(out,title,strlen(title));
-                for (i=0; i<len; i++)
+                for (i=0; (unsigned int)i<len; i++)
                        {
                        if (sep && (i != 0))
                                BIO_printf(out, ":");
@@ -441,6 +501,10 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
                        }
                BIO_printf(out, "\n");
                }
+        if (hmac_key)
+                {
+                BIO_set_md_ctx(bmd,md_ctx);
+                }
        return 0;
        }
diff --git a/src/lib/libssl/src/apps/enc.c b/src/lib/libssl/src/apps/enc.c
index 30378a9542..6f3161395e 100644
--- a/src/lib/libssl/src/apps/enc.c
+++ b/src/lib/libssl/src/apps/enc.c
@@ -114,9 +114,11 @@ int MAIN(int argc, char **argv)
        unsigned char salt[PKCS5_SALT_LEN];
        char *str=NULL, *passarg = NULL, *pass = NULL;
        char *hkey=NULL,*hiv=NULL,*hsalt = NULL;
+        char *md=NULL;
        int enc=1,printkey=0,i,base64=0;
        int debug=0,olb64=0,nosalt=0;
        const EVP_CIPHER *cipher=NULL,*c;
+        EVP_CIPHER_CTX *ctx = NULL;
        char *inf=NULL,*outf=NULL;
        BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL;
 #define PROG_NAME_SIZE  39
@@ -124,6 +126,8 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_ENGINE
        char *engine = NULL;
 #endif
+        const EVP_MD *dgst=NULL;
+        int non_fips_allow = 0;
        apps_startup();
@@ -253,6 +257,13 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        hiv= *(++argv);
                        }
+                else if (strcmp(*argv,"-md") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        md= *(++argv);
+                        }
+                else if (strcmp(*argv,"-non-fips-allow") == 0)
+                        non_fips_allow = 1;
                else if ((argv[0][0] == '-') &&
                        ((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))
                        {
@@ -271,8 +282,10 @@ bad:
                        BIO_printf(bio_err,"%-14s encrypt\n","-e");
                        BIO_printf(bio_err,"%-14s decrypt\n","-d");
                        BIO_printf(bio_err,"%-14s base64 encode/decode, depending on encryption flag\n","-a/-base64");
-                        BIO_printf(bio_err,"%-14s key is the next argument\n","-k");
+                        BIO_printf(bio_err,"%-14s passphrase is the next argument\n","-k");
-                        BIO_printf(bio_err,"%-14s key is the first line of the file argument\n","-kfile");
+                        BIO_printf(bio_err,"%-14s passphrase is the first line of the file argument\n","-kfile");
+                        BIO_printf(bio_err,"%-14s the next argument is the md to use to create a key\n","-md");
+                        BIO_printf(bio_err,"%-14s   from a passphrase.  One of md2, md5, sha or sha1\n","");
                        BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv");
                        BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]");
                        BIO_printf(bio_err,"%-14s buffer size\n","-bufsize <n>");
@@ -296,6 +309,20 @@ bad:
        e = setup_engine(bio_err, engine, 0);
 #endif
+        if (md && (dgst=EVP_get_digestbyname(md)) == NULL)
+                {
+                BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
+                goto end;
+                }
+        if (dgst == NULL)
+                {
+                if (in_FIPS_mode)
+                        dgst = EVP_sha1();
+                else
+                        dgst = EVP_md5();
+                }
        if (bufsize != NULL)
                {
                unsigned long n;
@@ -483,7 +510,7 @@ bad:
                                sptr = salt;
                        }
-                        EVP_BytesToKey(cipher,EVP_md5(),sptr,
+                        EVP_BytesToKey(cipher,dgst,sptr,
                                (unsigned char *)str,
                                strlen(str),1,key,iv);
                        /* zero the complete buffer or the string
@@ -516,13 +543,43 @@ bad:
                if ((benc=BIO_new(BIO_f_cipher())) == NULL)
                        goto end;
-                BIO_set_cipher(benc,cipher,key,iv,enc);
-                if (nopad)
+                /* Since we may be changing parameters work on the encryption
+                 * context rather than calling BIO_set_cipher().
+                 */
+                BIO_get_cipher_ctx(benc, &ctx);
+                if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc))
                        {
-                        EVP_CIPHER_CTX *ctx;
+                        BIO_printf(bio_err, "Error setting cipher %s\n",
-                        BIO_get_cipher_ctx(benc, &ctx);
+                                        EVP_CIPHER_name(cipher));
+                        ERR_print_errors(bio_err);
+                        goto end;
+                        }
+                if (non_fips_allow)
+                        EVP_CIPHER_CTX_set_flags(ctx,
+                                EVP_CIPH_FLAG_NON_FIPS_ALLOW);
+                if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc))
+                        {
+                        BIO_printf(bio_err, "Error setting cipher %s\n",
+                                        EVP_CIPHER_name(cipher));
+                        ERR_print_errors(bio_err);
+                        goto end;
+                        }
+                if (nopad)
                        EVP_CIPHER_CTX_set_padding(ctx, 0);
+                if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc))
+                        {
+                        BIO_printf(bio_err, "Error setting cipher %s\n",
+                                        EVP_CIPHER_name(cipher));
+                        ERR_print_errors(bio_err);
+                        goto end;
                        }
                if (debug)
                        {
                        BIO_set_callback(benc,BIO_debug_callback);
diff --git a/src/lib/libssl/src/apps/makeapps.com b/src/lib/libssl/src/apps/makeapps.com
index 0197c8a171..2f1af9ec94 100644
--- a/src/lib/libssl/src/apps/makeapps.com
+++ b/src/lib/libssl/src/apps/makeapps.com
@@ -142,13 +142,13 @@ $ LIB_FILES = "VERIFY;ASN1PARS;REQ;DGST;DH;DHPARAM;ENC;PASSWD;GENDH;ERRSTR;"+-
              "RSA;RSAUTL;DSA;DSAPARAM;"+-
              "X509;GENRSA;GENDSA;S_SERVER;S_CLIENT;SPEED;"+-
              "S_TIME;APPS;S_CB;S_SOCKET;APP_RAND;VERSION;SESS_ID;"+-
-              "CIPHERS;NSEQ;PKCS12;PKCS8;SPKAC;SMIME;RAND;ENGINE;OCSP"
+              "CIPHERS;NSEQ;PKCS12;PKCS8;SPKAC;SMIME;RAND;ENGINE;OCSP;PRIME"
 $ APP_FILES := OPENSSL,'OBJ_DIR'VERIFY.OBJ,ASN1PARS.OBJ,REQ.OBJ,DGST.OBJ,DH.OBJ,DHPARAM.OBJ,ENC.OBJ,PASSWD.OBJ,GENDH.OBJ,ERRSTR.OBJ,-
               CA.OBJ,PKCS7.OBJ,CRL2P7.OBJ,CRL.OBJ,-
               RSA.OBJ,RSAUTL.OBJ,DSA.OBJ,DSAPARAM.OBJ,-
               X509.OBJ,GENRSA.OBJ,GENDSA.OBJ,S_SERVER.OBJ,S_CLIENT.OBJ,SPEED.OBJ,-
               S_TIME.OBJ,APPS.OBJ,S_CB.OBJ,S_SOCKET.OBJ,APP_RAND.OBJ,VERSION.OBJ,SESS_ID.OBJ,-
-               CIPHERS.OBJ,NSEQ.OBJ,PKCS12.OBJ,PKCS8.OBJ,SPKAC.OBJ,SMIME.OBJ,RAND.OBJ,ENGINE.OBJ,OCSP.OBJ
+               CIPHERS.OBJ,NSEQ.OBJ,PKCS12.OBJ,PKCS8.OBJ,SPKAC.OBJ,SMIME.OBJ,RAND.OBJ,ENGINE.OBJ,OCSP.OBJ,PRIME.OBJ
 $ TCPIP_PROGRAMS = ",,"
 $ IF COMPILER .EQS. "VAXC" THEN -
     TCPIP_PROGRAMS = ",OPENSSL,"
@@ -679,7 +679,7 @@ $     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
         THEN CC = "CC/DECC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
           "/NOLIST/PREFIX=ALL" + -
-           "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+           "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
@@ -711,7 +711,7 @@ $	EXIT
 $     ENDIF
 $     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-           "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+           "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
 $     CCDEFS = CCDEFS + ",""VAXC"""
 $!
 $!    Define <sys> As SYS$COMMON:[SYSLIB]
@@ -743,7 +743,7 @@ $!    Use GNU C...
 $!
 $     IF F$TYPE(GCC) .EQS. "" THEN GCC := GCC
 $     CC = GCC+"/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-           "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+           "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
diff --git a/src/lib/libssl/src/apps/openssl-vms.cnf b/src/lib/libssl/src/apps/openssl-vms.cnf
index d4498713fa..878467ce98 100644
--- a/src/lib/libssl/src/apps/openssl-vms.cnf
+++ b/src/lib/libssl/src/apps/openssl-vms.cnf
@@ -3,8 +3,13 @@
 # This is mostly being used for generation of certificate requests.
 #
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME                    = .
 RANDFILE                = $ENV::HOME/.rnd
-oid_file                = $ENV::HOME/.oid
+# Extra OBJECT IDENTIFIER info:
+#oid_file               = $ENV::HOME/.oid
 oid_section             = new_oids
 # To use this configuration file with the "-extfile" option of the
@@ -29,22 +34,35 @@ default_ca	= CA_default		# The default ca section
 ####################################################################
 [ CA_default ]
-dir             = sys\$disk:[.demoCA    # Where everything is kept
+dir             = sys\$disk:[.demoCA            # Where everything is kept
 certs           = $dir.certs]           # Where the issued certs are kept
 crl_dir         = $dir.crl]             # Where the issued crl are kept
 database        = $dir]index.txt        # database index file.
-new_certs_dir   = $dir.newcerts]        # default place for new certs.
+#unique_subject = no                    # Set to 'no' to allow creation of
+                                        # several ctificates with same subject.
+new_certs_dir   = $dir.newcerts]                # default place for new certs.
 certificate     = $dir]cacert.pem       # The CA certificate
-serial          = $dir]serial.          # The current serial number
+serial          = $dir]serial.          # The current serial number
+#crlnumber      = $dir]crlnumber.       # the current crl number must be
+                                        # commented out to leave a V1 CRL
 crl             = $dir]crl.pem          # The current CRL
 private_key     = $dir.private]cakey.pem# The private key
 RANDFILE        = $dir.private].rand    # private random number file
 x509_extensions = usr_cert              # The extentions to add to the cert
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt        = ca_default            # Subject Name options
+cert_opt        = ca_default            # Certificate field options
+# Extension copying option: use with caution.
+# copy_extensions = copy
 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 # so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions        = crl_ext
 default_days    = 365                   # how long to certify for
@@ -86,16 +104,19 @@ distinguished_name	= req_distinguished_name
 attributes              = req_attributes
 x509_extensions = v3_ca # The extentions to add to the self signed cert
-# This sets the permitted types in a DirectoryString. There are several
+# Passwords for private keys if not present they will be prompted for
-# options. 
+# input_password = secret
+# output_password = secret
+# This sets a mask for permitted string types. There are several options. 
 # default: PrintableString, T61String, BMPString.
 # pkix   : PrintableString, BMPString.
 # utf8only: only UTF8Strings.
-# nobmp : PrintableString, T61String (no BMPStrings).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
 # MASK:XXXX a literal mask value.
 # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
 # so use this option with caution!
-dirstring_type = nobmp
+string_mask = nombstr
 # req_extensions = v3_req # The extensions to add to a certificate request
@@ -124,7 +145,7 @@ commonName			= Common Name (eg, YOUR name)
 commonName_max                  = 64
 emailAddress                    = Email Address
-emailAddress_max                = 40
+emailAddress_max                = 64
 # SET-ex3                       = SET extension number 3
@@ -172,6 +193,9 @@ authorityKeyIdentifier=keyid,issuer:always
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
 # subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
 # Copy subject details
 # issuerAltName=issuer:copy
@@ -234,3 +258,56 @@ basicConstraints = CA:true
 # issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always,issuer:always
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+basicConstraints=CA:FALSE
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+# This is OK for an SSL server.
+# nsCertType                    = server
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+# For normal client use this is typical
+# nsCertType = client, email
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# This will be displayed in Netscape's comment listbox.
+nsComment                       = "OpenSSL Generated Certificate"
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+# Copy subject details
+# issuerAltName=issuer:copy
+#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/src/lib/libssl/src/apps/openssl.c b/src/lib/libssl/src/apps/openssl.c
index e0d89d4ab4..65a9ee8a66 100644
--- a/src/lib/libssl/src/apps/openssl.c
+++ b/src/lib/libssl/src/apps/openssl.c
@@ -129,6 +129,7 @@
 #include "progs.h"
 #include "s_apps.h"
 #include <openssl/err.h>
+#include <openssl/fips.h>
 /* The LHASH callbacks ("hash" & "cmp") have been replaced by functions with the
 * base prototypes (we cast each variable inside the function to the required
@@ -147,6 +148,7 @@ char *default_config_file=NULL;
 #ifdef MONOLITH
 CONF *config=NULL;
 BIO *bio_err=NULL;
+int in_FIPS_mode=0;
 #endif
@@ -227,10 +229,31 @@ int main(int Argc, char *Argv[])
        char **argv,*p;
        LHASH *prog=NULL;
        long errline;
- 
        arg.data=NULL;
        arg.count=0;
+        in_FIPS_mode = 0;
+#ifdef OPENSSL_FIPS
+        if(getenv("OPENSSL_FIPS")) {
+#if defined(_WIN32)
+                char filename[MAX_PATH] = "";
+                GetModuleFileNameA( NULL, filename, MAX_PATH) ;
+                p = filename;
+#else
+                p = Argv[0];
+#endif
+                if (!FIPS_mode_set(1,p)) {
+                        ERR_load_crypto_strings();
+                        ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+                        EXIT(1);
+                }
+                in_FIPS_mode = 1;
+                if (getenv("OPENSSL_FIPS_MD5"))
+                        FIPS_allow_md5(1);
+                }
+#endif
        if (bio_err == NULL)
                if ((bio_err=BIO_new(BIO_s_file())) != NULL)
                        BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
diff --git a/src/lib/libssl/src/apps/openssl.cnf b/src/lib/libssl/src/apps/openssl.cnf
index 854d1f164e..4c1d595b0a 100644
--- a/src/lib/libssl/src/apps/openssl.cnf
+++ b/src/lib/libssl/src/apps/openssl.cnf
@@ -44,8 +44,8 @@ new_certs_dir	= $dir/newcerts		# default place for new certs.
 certificate     = $dir/cacert.pem       # The CA certificate
 serial          = $dir/serial           # The current serial number
-#crlnumber      = $dir/crlnumber        # the current crl number
+#crlnumber      = $dir/crlnumber        # the current crl number must be
-                                        # must be commented out to leave a V1 CRL
+                                        # commented out to leave a V1 CRL
 crl             = $dir/crl.pem          # The current CRL
 private_key     = $dir/private/cakey.pem# The private key
 RANDFILE        = $dir/private/.rand    # private random number file
@@ -258,3 +258,56 @@ basicConstraints = CA:true
 # issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always,issuer:always
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+basicConstraints=CA:FALSE
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+# This is OK for an SSL server.
+# nsCertType                    = server
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+# For normal client use this is typical
+# nsCertType = client, email
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# This will be displayed in Netscape's comment listbox.
+nsComment                       = "OpenSSL Generated Certificate"
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+# Copy subject details
+# issuerAltName=issuer:copy
+#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/src/lib/libssl/src/apps/pkcs12.c b/src/lib/libssl/src/apps/pkcs12.c
index 71192bdf74..c961e6b57b 100644
--- a/src/lib/libssl/src/apps/pkcs12.c
+++ b/src/lib/libssl/src/apps/pkcs12.c
@@ -109,7 +109,7 @@ int MAIN(int argc, char **argv)
    int maciter = PKCS12_DEFAULT_ITER;
    int twopass = 0;
    int keytype = 0;
-    int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+    int cert_pbe;
    int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
    int ret = 1;
    int macver = 1;
@@ -126,6 +126,13 @@ int MAIN(int argc, char **argv)
    apps_startup();
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode())
+        cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+    else
+#endif
+    cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
    enc = EVP_des_ede3_cbc();
    if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
@@ -666,7 +673,7 @@ int MAIN(int argc, char **argv)
    CRYPTO_push_info("verify MAC");
 #endif
        /* If we enter empty password try no password first */
-        if(!macpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
+        if(!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
                /* If mac and crypto pass the same set it to NULL too */
                if(!twopass) cpass = NULL;
        } else if (!PKCS12_verify_mac(p12, mpass, -1)) {
@@ -710,9 +717,10 @@ int MAIN(int argc, char **argv)
 int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
             int passlen, int options, char *pempass)
 {
-        STACK_OF(PKCS7) *asafes;
+        STACK_OF(PKCS7) *asafes = NULL;
        STACK_OF(PKCS12_SAFEBAG) *bags;
        int i, bagnid;
+        int ret = 0;
        PKCS7 *p7;
        if (!( asafes = PKCS12_unpack_authsafes(p12))) return 0;
@@ -730,16 +738,22 @@ int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
                        }
                        bags = PKCS12_unpack_p7encdata(p7, pass, passlen);
                } else continue;
-                if (!bags) return 0;
+                if (!bags) goto err;
                if (!dump_certs_pkeys_bags (out, bags, pass, passlen, 
                                                 options, pempass)) {
                        sk_PKCS12_SAFEBAG_pop_free (bags, PKCS12_SAFEBAG_free);
-                        return 0;
+                        goto err;
                }
                sk_PKCS12_SAFEBAG_pop_free (bags, PKCS12_SAFEBAG_free);
+                bags = NULL;
        }
-        sk_PKCS7_pop_free (asafes, PKCS7_free);
+        ret = 1;
-        return 1;
+        err:
+        if (asafes)
+                sk_PKCS7_pop_free (asafes, PKCS7_free);
+        return ret;
 }
 int dump_certs_pkeys_bags (BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
diff --git a/src/lib/libssl/src/apps/pkcs8.c b/src/lib/libssl/src/apps/pkcs8.c
index ee8cf02813..d5085444e2 100644
--- a/src/lib/libssl/src/apps/pkcs8.c
+++ b/src/lib/libssl/src/apps/pkcs8.c
@@ -1,6 +1,6 @@
 /* pkcs8.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project 1999-2004.
 */
 /* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
@@ -68,7 +68,7 @@
 int MAIN(int, char **);
 int MAIN(int argc, char **argv)
-{
+        {
        ENGINE *e = NULL;
        char **args, *infile = NULL, *outfile = NULL;
        char *passargin = NULL, *passargout = NULL;
@@ -100,43 +100,70 @@ int MAIN(int argc, char **argv)
        ERR_load_crypto_strings();
        OpenSSL_add_all_algorithms();
        args = argv + 1;
-        while (!badarg && *args && *args[0] == '-') {
+        while (!badarg && *args && *args[0] == '-')
-                if (!strcmp(*args,"-v2")) {
+                {
-                        if (args[1]) {
+                if (!strcmp(*args,"-v2"))
+                        {
+                        if (args[1])
+                                {
                                args++;
                                cipher=EVP_get_cipherbyname(*args);
-                                if(!cipher) {
+                                if (!cipher)
+                                        {
                                        BIO_printf(bio_err,
                                                 "Unknown cipher %s\n", *args);
                                        badarg = 1;
+                                        }
                                }
-                        } else badarg = 1;
+                        else
-                } else if (!strcmp(*args,"-v1")) {
+                                badarg = 1;
-                        if (args[1]) {
+                        }
+                else if (!strcmp(*args,"-v1"))
+                        {
+                        if (args[1])
+                                {
                                args++;
                                pbe_nid=OBJ_txt2nid(*args);
-                                if(pbe_nid == NID_undef) {
+                                if (pbe_nid == NID_undef)
+                                        {
                                        BIO_printf(bio_err,
                                                 "Unknown PBE algorithm %s\n", *args);
                                        badarg = 1;
+                                        }
                                }
-                        } else badarg = 1;
+                        else
-                } else if (!strcmp(*args,"-inform")) {
+                                badarg = 1;
-                        if (args[1]) {
+                        }
+                else if (!strcmp(*args,"-inform"))
+                        {
+                        if (args[1])
+                                {
                                args++;
                                informat=str2fmt(*args);
-                        } else badarg = 1;
+                                }
-                } else if (!strcmp(*args,"-outform")) {
+                        else badarg = 1;
-                        if (args[1]) {
+                        }
+                else if (!strcmp(*args,"-outform"))
+                        {
+                        if (args[1])
+                                {
                                args++;
                                outformat=str2fmt(*args);
-                        } else badarg = 1;
+                                }
-                } else if (!strcmp (*args, "-topk8")) topk8 = 1;
+                        else badarg = 1;
-                else if (!strcmp (*args, "-noiter")) iter = 1;
+                        }
-                else if (!strcmp (*args, "-nocrypt")) nocrypt = 1;
+                else if (!strcmp (*args, "-topk8"))
-                else if (!strcmp (*args, "-nooct")) p8_broken = PKCS8_NO_OCTET;
+                        topk8 = 1;
-                else if (!strcmp (*args, "-nsdb")) p8_broken = PKCS8_NS_DB;
+                else if (!strcmp (*args, "-noiter"))
-                else if (!strcmp (*args, "-embed")) p8_broken = PKCS8_EMBEDDED_PARAM;
+                        iter = 1;
+                else if (!strcmp (*args, "-nocrypt"))
+                        nocrypt = 1;
+                else if (!strcmp (*args, "-nooct"))
+                        p8_broken = PKCS8_NO_OCTET;
+                else if (!strcmp (*args, "-nsdb"))
+                        p8_broken = PKCS8_NS_DB;
+                else if (!strcmp (*args, "-embed"))
+                        p8_broken = PKCS8_EMBEDDED_PARAM;
                else if (!strcmp(*args,"-passin"))
                        {
                        if (!args[1]) goto bad;
@@ -154,21 +181,30 @@ int MAIN(int argc, char **argv)
                        engine= *(++args);
                        }
 #endif
-                else if (!strcmp (*args, "-in")) {
+                else if (!strcmp (*args, "-in"))
-                        if (args[1]) {
+                        {
+                        if (args[1])
+                                {
                                args++;
                                infile = *args;
-                        } else badarg = 1;
+                                }
-                } else if (!strcmp (*args, "-out")) {
+                        else badarg = 1;
-                        if (args[1]) {
+                        }
+                else if (!strcmp (*args, "-out"))
+                        {
+                        if (args[1])
+                                {
                                args++;
                                outfile = *args;
-                        } else badarg = 1;
+                                }
-                } else badarg = 1;
+                        else badarg = 1;
+                        }
+                else badarg = 1;
                args++;
-        }
+                }
-        if (badarg) {
+        if (badarg)
+                {
                bad:
                BIO_printf(bio_err, "Usage pkcs8 [options]\n");
                BIO_printf(bio_err, "where options are\n");
@@ -189,147 +225,199 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_ENGINE
                BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 #endif
-                return (1);
+                return 1;
-        }
+                }
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
-        if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+        if (!app_passwd(bio_err, passargin, passargout, &passin, &passout))
+                {
                BIO_printf(bio_err, "Error getting passwords\n");
-                return (1);
+                return 1;
-        }
+                }
-        if ((pbe_nid == -1) && !cipher) pbe_nid = NID_pbeWithMD5AndDES_CBC;
+        if ((pbe_nid == -1) && !cipher)
+                pbe_nid = NID_pbeWithMD5AndDES_CBC;
-        if (infile) {
+        if (infile)
-                if (!(in = BIO_new_file(infile, "rb"))) {
+                {
+                if (!(in = BIO_new_file(infile, "rb")))
+                        {
                        BIO_printf(bio_err,
                                 "Can't open input file %s\n", infile);
                        return (1);
+                        }
                }
-        } else in = BIO_new_fp (stdin, BIO_NOCLOSE);
+        else
+                in = BIO_new_fp (stdin, BIO_NOCLOSE);
-        if (outfile) {
+        if (outfile)
-                if (!(out = BIO_new_file (outfile, "wb"))) {
+                {
+                if (!(out = BIO_new_file (outfile, "wb")))
+                        {
                        BIO_printf(bio_err,
                                 "Can't open output file %s\n", outfile);
                        return (1);
+                        }
                }
-        } else {
+        else
+                {
                out = BIO_new_fp (stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
-                {
+                        {
                        BIO *tmpbio = BIO_new(BIO_f_linebuffer());
                        out = BIO_push(tmpbio, out);
-                }
+                        }
 #endif
-        }
+                }
        if (topk8)
                {
                BIO_free(in); /* Not needed in this section */
                pkey = load_key(bio_err, infile, informat, 1,
                        passin, e, "key");
-                if (!pkey) {
+                if (!pkey)
-                        return (1);
+                        {
-                }
+                        BIO_free_all(out);
-                if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) {
+                        return 1;
+                        }
+                if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken)))
+                        {
                        BIO_printf(bio_err, "Error converting key\n");
                        ERR_print_errors(bio_err);
-                        return (1);
+                        EVP_PKEY_free(pkey);
-                }
+                        BIO_free_all(out);
-                if(nocrypt) {
+                        return 1;
-                        if(outformat == FORMAT_PEM) 
+                        }
+                if (nocrypt)
+                        {
+                        if (outformat == FORMAT_PEM) 
                                PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
-                        else if(outformat == FORMAT_ASN1)
+                        else if (outformat == FORMAT_ASN1)
                                i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8inf);
-                        else {
+                        else
+                                {
                                BIO_printf(bio_err, "Bad format specified for key\n");
+                                PKCS8_PRIV_KEY_INFO_free(p8inf);
+                                EVP_PKEY_free(pkey);
+                                BIO_free_all(out);
                                return (1);
+                                }
                        }
-                } else {
+                else
-                        if(passout) p8pass = passout;
+                        {
-                        else {
+                        if (passout)
+                                p8pass = passout;
+                        else
+                                {
                                p8pass = pass;
                                if (EVP_read_pw_string(pass, sizeof pass, "Enter Encryption Password:", 1))
+                                        {
+                                        PKCS8_PRIV_KEY_INFO_free(p8inf);
+                                        EVP_PKEY_free(pkey);
+                                        BIO_free_all(out);
                                        return (1);
-                        }
+                                        }
+                                }
                        app_RAND_load_file(NULL, bio_err, 0);
                        if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
                                        p8pass, strlen(p8pass),
-                                        NULL, 0, iter, p8inf))) {
+                                        NULL, 0, iter, p8inf)))
+                                {
                                BIO_printf(bio_err, "Error encrypting key\n");
                                ERR_print_errors(bio_err);
+                                PKCS8_PRIV_KEY_INFO_free(p8inf);
+                                EVP_PKEY_free(pkey);
+                                BIO_free_all(out);
                                return (1);
-                        }
+                                }
                        app_RAND_write_file(NULL, bio_err);
-                        if(outformat == FORMAT_PEM) 
+                        if (outformat == FORMAT_PEM) 
                                PEM_write_bio_PKCS8(out, p8);
-                        else if(outformat == FORMAT_ASN1)
+                        else if (outformat == FORMAT_ASN1)
                                i2d_PKCS8_bio(out, p8);
-                        else {
+                        else
+                                {
                                BIO_printf(bio_err, "Bad format specified for key\n");
+                                PKCS8_PRIV_KEY_INFO_free(p8inf);
+                                EVP_PKEY_free(pkey);
+                                BIO_free_all(out);
                                return (1);
-                        }
+                                }
                        X509_SIG_free(p8);
-                }
+                        }
                PKCS8_PRIV_KEY_INFO_free (p8inf);
                EVP_PKEY_free(pkey);
                BIO_free_all(out);
-                if(passin) OPENSSL_free(passin);
+                if (passin)
-                if(passout) OPENSSL_free(passout);
+                        OPENSSL_free(passin);
+                if (passout)
+                        OPENSSL_free(passout);
                return (0);
-        }
+                }
-        if(nocrypt) {
+        if (nocrypt)
-                if(informat == FORMAT_PEM) 
+                {
+                if (informat == FORMAT_PEM) 
                        p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in,NULL,NULL, NULL);
-                else if(informat == FORMAT_ASN1)
+                else if (informat == FORMAT_ASN1)
                        p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL);
-                else {
+                else
+                        {
                        BIO_printf(bio_err, "Bad format specified for key\n");
                        return (1);
+                        }
                }
-        } else {
+        else
-                if(informat == FORMAT_PEM) 
+                {
+                if (informat == FORMAT_PEM) 
                        p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL);
-                else if(informat == FORMAT_ASN1)
+                else if (informat == FORMAT_ASN1)
                        p8 = d2i_PKCS8_bio(in, NULL);
-                else {
+                else
+                        {
                        BIO_printf(bio_err, "Bad format specified for key\n");
                        return (1);
-                }
+                        }
-                if (!p8) {
+                if (!p8)
+                        {
                        BIO_printf (bio_err, "Error reading key\n");
                        ERR_print_errors(bio_err);
                        return (1);
-                }
+                        }
-                if(passin) p8pass = passin;
+                if (passin)
-                else {
+                        p8pass = passin;
+                else
+                        {
                        p8pass = pass;
                        EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0);
-                }
+                        }
                p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass));
                X509_SIG_free(p8);
-        }
+                }
-        if (!p8inf) {
+        if (!p8inf)
+                {
                BIO_printf(bio_err, "Error decrypting key\n");
                ERR_print_errors(bio_err);
                return (1);
-        }
+                }
-        if (!(pkey = EVP_PKCS82PKEY(p8inf))) {
+        if (!(pkey = EVP_PKCS82PKEY(p8inf)))
+                {
                BIO_printf(bio_err, "Error converting key\n");
                ERR_print_errors(bio_err);
                return (1);
-        }
+                }
        
-        if (p8inf->broken) {
+        if (p8inf->broken)
+                {
                BIO_printf(bio_err, "Warning: broken key encoding: ");
-                switch (p8inf->broken) {
+                switch (p8inf->broken)
+                        {
                        case PKCS8_NO_OCTET:
                        BIO_printf(bio_err, "No Octet String in PrivateKey\n");
                        break;
@@ -349,21 +437,24 @@ int MAIN(int argc, char **argv)
        }
        
        PKCS8_PRIV_KEY_INFO_free(p8inf);
-        if(outformat == FORMAT_PEM) 
+        if (outformat == FORMAT_PEM) 
                PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);
-        else if(outformat == FORMAT_ASN1)
+        else if (outformat == FORMAT_ASN1)
                i2d_PrivateKey_bio(out, pkey);
-        else {
+        else
+                {
                BIO_printf(bio_err, "Bad format specified for key\n");
                        return (1);
-        }
+                }
        end:
        EVP_PKEY_free(pkey);
        BIO_free_all(out);
        BIO_free(in);
-        if(passin) OPENSSL_free(passin);
+        if (passin)
-        if(passout) OPENSSL_free(passout);
+                OPENSSL_free(passin);
+        if (passout)
+                OPENSSL_free(passout);
        return (0);
-}
+        }
diff --git a/src/lib/libssl/src/apps/progs.h b/src/lib/libssl/src/apps/progs.h
index 70e4dbac07..0493257bde 100644
--- a/src/lib/libssl/src/apps/progs.h
+++ b/src/lib/libssl/src/apps/progs.h
@@ -35,6 +35,7 @@ extern int pkcs8_main(int argc,char *argv[]);
 extern int spkac_main(int argc,char *argv[]);
 extern int smime_main(int argc,char *argv[]);
 extern int rand_main(int argc,char *argv[]);
+extern int prime_main(int argc,char *argv[]);
 #ifndef OPENSSL_NO_ENGINE
 extern int engine_main(int argc,char *argv[]);
 #endif
@@ -115,6 +116,7 @@ FUNCTION functions[] = {
        {FUNC_TYPE_GENERAL,"spkac",spkac_main},
        {FUNC_TYPE_GENERAL,"smime",smime_main},
        {FUNC_TYPE_GENERAL,"rand",rand_main},
+        {FUNC_TYPE_GENERAL,"prime",prime_main},
 #ifndef OPENSSL_NO_ENGINE
        {FUNC_TYPE_GENERAL,"engine",engine_main},
 #endif
diff --git a/src/lib/libssl/src/apps/req.c b/src/lib/libssl/src/apps/req.c
index 1a3d1d0dfa..eebe71b15e 100644
--- a/src/lib/libssl/src/apps/req.c
+++ b/src/lib/libssl/src/apps/req.c
@@ -175,7 +175,7 @@ int MAIN(int argc, char **argv)
        char *passin = NULL, *passout = NULL;
        char *p;
        char *subj = NULL;
-        const EVP_MD *md_alg=NULL,*digest=EVP_md5();
+        const EVP_MD *md_alg=NULL,*digest;
        unsigned long chtype = MBSTRING_ASC;
 #ifndef MONOLITH
        char *to_free;
@@ -197,6 +197,13 @@ int MAIN(int argc, char **argv)
        informat=FORMAT_PEM;
        outformat=FORMAT_PEM;
+#ifdef  OPENSSL_FIPS
+        if (FIPS_mode())
+                digest = EVP_sha1();
+        else
+#endif
+                digest = EVP_md5();
        prog=argv[0];
        argc--;
        argv++;
@@ -499,13 +506,16 @@ bad:
        else
                {
                req_conf=config;
-                if( verbose )
-                        BIO_printf(bio_err,"Using configuration from %s\n",
-                        default_config_file);
                if (req_conf == NULL)
                        {
-                        BIO_printf(bio_err,"Unable to load config info\n");
+                        BIO_printf(bio_err,"Unable to load config info from %s\n", default_config_file);
+                        if (newreq)
+                                goto end;
                        }
+                else if( verbose )
+                        BIO_printf(bio_err,"Using configuration from %s\n",
+                        default_config_file);
                }
        if (req_conf != NULL)
@@ -831,7 +841,9 @@ loop:
                                }
                        else
                                {
-                                if (!ASN1_INTEGER_set(X509_get_serialNumber(x509ss),0L)) goto end;
+                                if (!rand_serial(NULL,
+                                        X509_get_serialNumber(x509ss)))
+                                                goto end;
                                }
                        if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
diff --git a/src/lib/libssl/src/apps/s_client.c b/src/lib/libssl/src/apps/s_client.c
index ae7c9f9ede..a70735b9dc 100644
--- a/src/lib/libssl/src/apps/s_client.c
+++ b/src/lib/libssl/src/apps/s_client.c
@@ -201,6 +201,9 @@ static void sc_usage(void)
        BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
        BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
        BIO_printf(bio_err," -debug        - extra output\n");
+#ifdef WATT32
+        BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
+#endif
        BIO_printf(bio_err," -msg          - Show protocol messages\n");
        BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
        BIO_printf(bio_err," -state        - print the 'ssl' states\n");
@@ -352,6 +355,10 @@ int MAIN(int argc, char **argv)
                        c_Pause=1;
                else if (strcmp(*argv,"-debug") == 0)
                        c_debug=1;
+#ifdef WATT32
+                else if (strcmp(*argv,"-wdebug") == 0)
+                        dbug_init();
+#endif
                else if (strcmp(*argv,"-msg") == 0)
                        c_msg=1;
                else if (strcmp(*argv,"-showcerts") == 0)
@@ -594,6 +601,8 @@ re_start:
        if (starttls_proto == 1)
                {
                BIO_read(sbio,mbuf,BUFSIZZ);
+                BIO_printf(sbio,"EHLO some.host.name\r\n");
+                BIO_read(sbio,mbuf,BUFSIZZ);
                BIO_printf(sbio,"STARTTLS\r\n");
                BIO_read(sbio,sbuf,BUFSIZZ);
                }
diff --git a/src/lib/libssl/src/apps/s_socket.c b/src/lib/libssl/src/apps/s_socket.c
index 9f92bcb3ae..2cb5fce192 100644
--- a/src/lib/libssl/src/apps/s_socket.c
+++ b/src/lib/libssl/src/apps/s_socket.c
@@ -151,7 +151,6 @@ static int ssl_sock_init(void)
 #ifdef WATT32
        extern int _watt_do_exit;
        _watt_do_exit = 0;
-        dbug_init();
        if (sock_init())
                return (0);
 #elif defined(OPENSSL_SYS_WINDOWS)
diff --git a/src/lib/libssl/src/apps/speed.c b/src/lib/libssl/src/apps/speed.c
index 2412200009..5ed510ced6 100644
--- a/src/lib/libssl/src/apps/speed.c
+++ b/src/lib/libssl/src/apps/speed.c
@@ -1395,6 +1395,7 @@ int MAIN(int argc, char **argv)
                                        EVP_DecryptInit_ex(&ctx,evp_cipher,NULL,key16,iv);
                                else
                                        EVP_EncryptInit_ex(&ctx,evp_cipher,NULL,key16,iv);
+                                EVP_CIPHER_CTX_set_padding(&ctx, 0);
                                Time_F(START);
                                if(decrypt)
diff --git a/src/lib/libssl/src/apps/verify.c b/src/lib/libssl/src/apps/verify.c
index 6a93c018b8..d73280cdd0 100644
--- a/src/lib/libssl/src/apps/verify.c
+++ b/src/lib/libssl/src/apps/verify.c
@@ -354,6 +354,7 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
                if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;
                /* Continue after extension errors too */
                if (ctx->error == X509_V_ERR_INVALID_CA) ok=1;
+                if (ctx->error == X509_V_ERR_INVALID_NON_CA) ok=1;
                if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED) ok=1;
                if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok=1;
                if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;
diff --git a/src/lib/libssl/src/apps/x509.c b/src/lib/libssl/src/apps/x509.c
index 9b95f7bd3f..e7115cac67 100644
--- a/src/lib/libssl/src/apps/x509.c
+++ b/src/lib/libssl/src/apps/x509.c
@@ -168,7 +168,7 @@ int MAIN(int argc, char **argv)
        char *CAkeyfile=NULL,*CAserial=NULL;
        char *alias=NULL;
        int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
-        int ocspid=0;
+        int next_serial=0,ocspid=0;
        int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
        int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
        int C=0;
@@ -179,7 +179,7 @@ int MAIN(int argc, char **argv)
        X509_REQ *rq=NULL;
        int fingerprint=0;
        char buf[256];
-        const EVP_MD *md_alg,*digest=EVP_md5();
+        const EVP_MD *md_alg,*digest;
        CONF *extconf = NULL;
        char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
        int need_rand = 0;
@@ -216,6 +216,13 @@ int MAIN(int argc, char **argv)
        if (ctx == NULL) goto end;
        X509_STORE_set_verify_cb_func(ctx,callb);
+#ifdef  OPENSSL_FIPS
+        if (FIPS_mode())
+                digest = EVP_sha1();
+        else
+#endif
+                digest = EVP_md5();
        argc--;
        argv++;
        num=0;
@@ -371,6 +378,8 @@ int MAIN(int argc, char **argv)
                        email= ++num;
                else if (strcmp(*argv,"-serial") == 0)
                        serial= ++num;
+                else if (strcmp(*argv,"-next_serial") == 0)
+                        next_serial= ++num;
                else if (strcmp(*argv,"-modulus") == 0)
                        modulus= ++num;
                else if (strcmp(*argv,"-pubkey") == 0)
@@ -591,12 +600,19 @@ bad:
                if ((x=X509_new()) == NULL) goto end;
                ci=x->cert_info;
-                if (sno)
+                if (sno == NULL)
                        {
-                        if (!X509_set_serialNumber(x, sno))
+                        sno = ASN1_INTEGER_new();
+                        if (!sno || !rand_serial(NULL, sno))
+                                goto end;
+                        if (!X509_set_serialNumber(x, sno)) 
                                goto end;
+                        ASN1_INTEGER_free(sno);
+                        sno = NULL;
                        }
-                else if (!ASN1_INTEGER_set(X509_get_serialNumber(x),0)) goto end;
+                else if (!X509_set_serialNumber(x, sno)) 
+                        goto end;
                if (!X509_set_issuer_name(x,req->req_info->subject)) goto end;
                if (!X509_set_subject_name(x,req->req_info->subject)) goto end;
@@ -617,7 +633,7 @@ bad:
                if (xca == NULL) goto end;
                }
-        if (!noout || text)
+        if (!noout || text || next_serial)
                {
                OBJ_create("2.99999.3",
                        "SET.ex3","SET x509v3 extension 3");
@@ -691,6 +707,24 @@ bad:
                                i2a_ASN1_INTEGER(STDout,x->cert_info->serialNumber);
                                BIO_printf(STDout,"\n");
                                }
+                        else if (next_serial == i)
+                                {
+                                BIGNUM *bnser;
+                                ASN1_INTEGER *ser;
+                                ser = X509_get_serialNumber(x);
+                                bnser = ASN1_INTEGER_to_BN(ser, NULL);
+                                if (!bnser)
+                                        goto end;
+                                if (!BN_add_word(bnser, 1))
+                                        goto end;
+                                ser = BN_to_ASN1_INTEGER(bnser, NULL);
+                                if (!ser)
+                                        goto end;
+                                BN_free(bnser);
+                                i2a_ASN1_INTEGER(out, ser);
+                                ASN1_INTEGER_free(ser);
+                                BIO_puts(out, "\n");
+                                }
                        else if (email == i) 
                                {
                                int j;
@@ -947,9 +981,9 @@ bad:
        if (checkend)
                {
-                time_t tnow=time(NULL);
+                time_t tcheck=time(NULL) + checkoffset;
-                if (ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(x), tnow+checkoffset) == -1)
+                if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0)
                        {
                        BIO_printf(out,"Certificate will expire\n");
                        ret=1;
@@ -1047,13 +1081,6 @@ static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, int create
                }
        else
                BUF_strlcpy(buf,serialfile,len);
-        serial=BN_new();
-        bs=ASN1_INTEGER_new();
-        if ((serial == NULL) || (bs == NULL))
-                {
-                ERR_print_errors(bio_err);
-                goto end;
-                }
        serial = load_serial(buf, create, NULL);
        if (serial == NULL) goto end;
diff --git a/src/lib/libssl/src/config b/src/lib/libssl/src/config
index 25a3703c1f..0715d378d9 100644
--- a/src/lib/libssl/src/config
+++ b/src/lib/libssl/src/config
@@ -23,6 +23,7 @@
 PREFIX=""
 SUFFIX=""
 TEST="false"
+EXE=""
 # pick up any command line args to config
 for i
@@ -110,16 +111,16 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
        echo "m68k-apple-aux3"; exit 0
        ;;
-    AIX:[3456789]:4:*)
+    AIX:[3-9]:4:*)
-        echo "${MACHINE}-ibm-aix43"; exit 0
+        echo "${MACHINE}-ibm-aix"; exit 0
        ;;
-    AIX:*:[56789]:*)
+    AIX:*:[5-9]:*)
-        echo "${MACHINE}-ibm-aix43"; exit 0
+        echo "${MACHINE}-ibm-aix"; exit 0
        ;;
    AIX:*)
-        echo "${MACHINE}-ibm-aix"; exit 0
+        echo "${MACHINE}-ibm-aix3"; exit 0
        ;;
    dgux:*)
@@ -288,6 +289,14 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
        echo "${MACHINE}-whatever-sysv4"; exit 0
        ;;
+    VOS:*:*:i786)
+     echo "i386-stratus-vos"; exit 0
+     ;;
+    VOS:*:*:*)
+     echo "hppa1.1-stratus-vos"; exit 0
+     ;;
    *:4*:R4*:m88k)
        echo "${MACHINE}-whatever-sysv4"; exit 0
        ;;
@@ -328,6 +337,9 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
        echo "mips-sony-newsos4"; exit 0;
        ;;
+    MINGW*)
+        echo "${MACHINE}-whatever-mingw"; echo 0;
+        ;;
    CYGWIN*)
        case "$RELEASE" in
            [bB]*|1.0|1.[12].*)
@@ -433,7 +445,7 @@ if [ "$SYSTEM" = "SunOS" ]; then
        egrep -e '^cc: .* C [0-9]\.[0-9]' | \
        sed 's/.* C \([0-9]\)\.\([0-9]\).*/\1\2/'`
  CCVER=${CCVER:-0}
-  if [ $CCVER -gt 40 ]; then
+  if [ $MACHINE != i86pc -a $CCVER -gt 40 ]; then
    CC=cc       # overrides gcc!!!
    if [ $CCVER -eq 50 ]; then
      echo "WARNING! Detected WorkShop C 5.0. Do make sure you have"
@@ -482,29 +494,29 @@ case "$GUESSOS" in
        OUT="irix-$CC"
        ;;
  mips3-sgi-irix)
-        CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+        #CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
-        CPU=${CPU:-0}
+        #CPU=${CPU:-0}
-        if [ $CPU -ge 5000 ]; then
+        #if [ $CPU -ge 5000 ]; then
-                options="$options -mips4"
+        #       options="$options -mips4"
-        else
+        #else
-                options="$options -mips3"
+        #       options="$options -mips3"
-        fi
+        #fi
        OUT="irix-mips3-$CC"
        ;;
  mips4-sgi-irix64)
        echo "WARNING! If you wish to build 64-bit library, then you have to"
        echo "         invoke './Configure irix64-mips4-$CC' *manually*."
-        if [ "$TEST" = "false" ]; then
+        if [ "$TEST" = "false" -a -t 1 ]; then
          echo "         You have about 5 seconds to press Ctrl-C to abort."
-          (stty -icanon min 0 time 50; read waste) < /dev/tty
+          (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
        fi
-        CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+        #CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
-        CPU=${CPU:-0}
+        #CPU=${CPU:-0}
-        if [ $CPU -ge 5000 ]; then
+        #if [ $CPU -ge 5000 ]; then
-                options="$options -mips4"
+        #        options="$options -mips4"
-        else
+        #else
-                options="$options -mips3"
+        #        options="$options -mips3"
-        fi
+        #fi
        OUT="irix-mips3-$CC"
        ;;
  alpha-*-linux2)
@@ -538,9 +550,14 @@ EOF
        rm dummy dummy.c
        ;;
  ppc64-*-linux2)
-        #Use the standard target for PPC architecture until we create a
+        echo "WARNING! If you wish to build 64-bit library, then you have to"
-        #special one for the 64bit architecture.
+        echo "         invoke './Configure linux-ppc64' *manually*."
-        OUT="linux-ppc" ;;
+        if [ "$TEST" = "false" -a -t 1 ]; then
+            echo "         You have about 5 seconds to press Ctrl-C to abort."
+            (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+        fi
+        OUT="linux-ppc"
+        ;;
  ppc-*-linux2) OUT="linux-ppc" ;;
  m68k-*-linux*) OUT="linux-m68k" ;;
  ia64-*-linux?) OUT="linux-ia64" ;;
@@ -551,9 +568,9 @@ EOF
        echo "WARNING! If you *know* that your GNU C supports 64-bit/V9 ABI"
        echo "         and wish to build 64-bit library, then you have to"
        echo "         invoke './Configure linux64-sparcv9' *manually*."
-        if [ "$TEST" = "false" ]; then
+        if [ "$TEST" = "false" -a -t 1 ]; then
          echo "          You have about 5 seconds to press Ctrl-C to abort."
-          (stty -icanon min 0 time 50; read waste) < /dev/tty
+          (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
        fi
        OUT="linux-sparcv9" ;;
  sparc-*-linux2)
@@ -584,7 +601,9 @@ EOF
        options="$options -mschedule=$CPUSCHEDULE -march=$CPUARCH"
        OUT="linux-parisc" ;;
-  arm*-*-linux2) OUT="linux-elf-arm" ;;
+  arm*b-*-linux2) OUT="linux-elf-arm"; options="$options -DB_ENDIAN" ;;
+  arm*l-*-linux2) OUT="linux-elf-arm"; options="$options -DL_ENDIAN" ;;
+  arm*-*-linux2)  OUT="linux-elf-arm" ;;
  s390-*-linux2) OUT="linux-s390" ;;
  s390x-*-linux?) OUT="linux-s390x" ;;
  x86_64-*-linux?) OUT="linux-x86_64" ;;
@@ -608,9 +627,9 @@ EOF
            if [ "$CC" = "cc" -a $CCVER -ge 50 ]; then
                echo "WARNING! If you wish to build 64-bit library, then you have to"
                echo "         invoke './Configure solaris64-sparcv9-cc' *manually*."
-                if [ "$TEST" = "false" ]; then
+                if [ "$TEST" = "false" -a -t 1 ]; then
                  echo "         You have about 5 seconds to press Ctrl-C to abort."
-                  (stty -icanon min 0 time 50; read waste) < /dev/tty
+                  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
                fi
            elif [ "$CC" = "gcc" -a "$GCC_ARCH" = "-m64" ]; then
                # $GCC_ARCH denotes default ABI chosen by compiler driver
@@ -620,17 +639,17 @@ EOF
                OUT="solaris64-sparcv9-gcc"
                echo "WARNING! If you wish to build 32-bit library, then you have to"
                echo "         invoke './Configure solaris-sparcv9-gcc' *manually*."
-                if [ "$TEST" = "false" ]; then
+                if [ "$TEST" = "false" -a -t 1 ]; then
                  echo "         You have about 5 seconds to press Ctrl-C to abort."
-                  (stty -icanon min 0 time 50; read waste) < /dev/tty
+                  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
                fi
            elif [ "$GCC_ARCH" = "-m32" ]; then
                echo "NOTICE! If you *know* that your GNU C supports 64-bit/V9 ABI"
                echo "        and wish to build 64-bit library, then you have to"
                echo "        invoke './Configure solaris64-sparcv9-gcc' *manually*."
-                if [ "$TEST" = "false" ]; then
+                if [ "$TEST" = "false" -a -t 1 ]; then
                  echo "         You have about 5 seconds to press Ctrl-C to abort."
-                  (stty -icanon min 0 time 50; read waste) < /dev/tty
+                  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
                fi
            fi
        fi
@@ -638,7 +657,14 @@ EOF
  sun4m-*-solaris2)     OUT="solaris-sparcv8-$CC" ;;
  sun4d-*-solaris2)     OUT="solaris-sparcv8-$CC" ;;
  sun4*-*-solaris2)     OUT="solaris-sparcv7-$CC" ;;
-  *86*-*-solaris2) OUT="solaris-x86-$CC" ;;
+  *86*-*-solaris2)
+        ISA64=`(isalist) 2>/dev/null | grep amd64`
+        if [ "$ISA64" != "" ]; then
+            OUT="solaris64-x86_64-$CC"
+        else
+            OUT="solaris-x86-$CC"
+        fi
+        ;;
  *-*-sunos4) OUT="sunos-$CC" ;;
  alpha*-*-freebsd*) OUT="FreeBSD-alpha" ;;
  sparc64-*-freebsd*) OUT="FreeBSD-sparc64" ;;
@@ -679,6 +705,10 @@ EOF
  *-*-UnixWare21*) OUT="unixware-2.1" ;;
  *-*-Unixware20*) OUT="unixware-2.0" ;;
  *-*-Unixware21*) OUT="unixware-2.1" ;;
+  *-*-vos)
+        options="$options no-threads no-shared no-asm no-dso"
+        EXE=".pm"
+        OUT="vos-$CC" ;;
  BS2000-siemens-sysv4) OUT="BS2000-OSD" ;;
  RM*-siemens-sysv4) OUT="ReliantUNIX" ;;
  *-siemens-sysv4) OUT="SINIX" ;;
@@ -702,9 +732,9 @@ EOF
             echo "WARNING! 64-bit ABI is the default configured ABI on HP-UXi."
             echo "         If you wish to build 32-bit library, the you have to"
             echo "         invoke './Configure hpux-ia64-cc' *manually*."
-             if [ "$TEST" = "false" ]; then
+             if [ "$TEST" = "false" -a -t 1 ]; then
                echo "         You have about 5 seconds to press Ctrl-C to abort."
-                (stty -icanon min 0 time 50; read waste) < /dev/tty
+                (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
             fi
             OUT="hpux64-ia64-cc"
        elif [ $CPU_VERSION -ge 532 ]; then     # PA-RISC 2.x CPU
@@ -714,9 +744,9 @@ EOF
             if [ $KERNEL_BITS -eq 64 -a "$CC" = "cc" ]; then
                echo "WARNING! If you wish to build 64-bit library then you have to"
                echo "         invoke './Configure hpux64-parisc2-cc' *manually*."
-                if [ "$TEST" = "false" ]; then
+                if [ "$TEST" = "false" -a -t 1 ]; then
                  echo "         You have about 5 seconds to press Ctrl-C to abort."
-                  (stty -icanon min 0 time 50; read waste) < /dev/tty
+                  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
                fi
             fi
        elif [ $CPU_VERSION -ge 528 ]; then     # PA-RISC 1.1+ CPU
@@ -728,8 +758,28 @@ EOF
        fi
        options="$options -D_REENTRANT" ;;
  *-hpux)       OUT="hpux-parisc-$CC" ;;
+  *-aix)
+        KERNEL_BITS=`(getconf KERNEL_BITMODE) 2>/dev/null`
+        KERNEL_BITS=${KERNEL_BITS:-32}
+        OBJECT_MODE=${OBJECT_MODE:-32}
+        if [ "$CC" = "gcc" ]; then
+            OUT="aix-gcc"
+        elif [ $OBJECT_MODE -eq 64 ]; then
+            echo 'Your $OBJECT_MODE was found to be set to 64' 
+            OUT="aix64-cc"
+        else
+            OUT="aix-cc"
+            if [ $KERNEL_BITS -eq 64 ]; then
+                echo "WARNING! If you wish to build 64-bit kit, then you have to"
+                echo "         invoke './Configure aix64-cc' *manually*."
+                if [ "$TEST" = "false" -a -t 1 ]; then
+                    echo "         You have ~5 seconds to press Ctrl-C to abort."
+                    (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+                fi
+            fi
+        fi
+        ;;
  # these are all covered by the catchall below
-  # *-aix) OUT="aix-$CC" ;;
  # *-dgux) OUT="dgux" ;;
  mips-sony-newsos4) OUT="newsos4-gcc" ;;
  *-*-cygwin_pre1.3) OUT="Cygwin-pre1.3" ;;
@@ -806,8 +856,8 @@ fi
 if [ ".$PERL" = . ] ; then
        for i in . `echo $PATH | sed 's/:/ /g'`; do
-                if [ -f "$i/perl5" ] ; then
+                if [ -f "$i/perl5$EXE" ] ; then
-                        PERL="$i/perl5"
+                        PERL="$i/perl5$EXE"
                        break;
                fi;
        done
@@ -815,9 +865,9 @@ fi
 if [ ".$PERL" = . ] ; then
        for i in . `echo $PATH | sed 's/:/ /g'`; do
-                if [ -f "$i/perl" ] ; then
+                if [ -f "$i/perl$EXE" ] ; then
-                        if "$i/perl" -e 'exit($]<5.0)'; then
+                        if "$i/perl$EXE" -e 'exit($]<5.0)'; then
-                                PERL="$i/perl"
+                                PERL="$i/perl$EXE"
                                break;
                        fi;
                fi;
diff --git a/src/lib/libssl/src/crypto/aes/aes.h b/src/lib/libssl/src/crypto/aes/aes.h
index da067f4a8f..8a3ea0b883 100644
--- a/src/lib/libssl/src/crypto/aes/aes.h
+++ b/src/lib/libssl/src/crypto/aes/aes.h
@@ -52,6 +52,8 @@
 #ifndef HEADER_AES_H
 #define HEADER_AES_H
+#include <openssl/e_os2.h>
 #ifdef OPENSSL_NO_AES
 #error AES is disabled.
 #endif
@@ -64,6 +66,10 @@
 #define AES_MAXNR 14
 #define AES_BLOCK_SIZE 16
+#if defined(OPENSSL_FIPS)
+#define FIPS_AES_SIZE_T int
+#endif
 #ifdef  __cplusplus
 extern "C" {
 #endif
@@ -95,6 +101,15 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
 void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
        const unsigned long length, const AES_KEY *key,
        unsigned char *ivec, int *num, const int enc);
+void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *ivec, int *num, const int enc);
+void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *ivec, int *num, const int enc);
+void AES_cfbr_encrypt_block(const unsigned char *in,unsigned char *out,
+                            const int nbits,const AES_KEY *key,
+                            unsigned char *ivec,const int enc);
 void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
        const unsigned long length, const AES_KEY *key,
        unsigned char *ivec, int *num);
diff --git a/src/lib/libssl/src/crypto/aes/aes_cbc.c b/src/lib/libssl/src/crypto/aes/aes_cbc.c
index 1222a21002..d2ba6bcdb4 100644
--- a/src/lib/libssl/src/crypto/aes/aes_cbc.c
+++ b/src/lib/libssl/src/crypto/aes/aes_cbc.c
@@ -66,6 +66,7 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
        unsigned long n;
        unsigned long len = length;
        unsigned char tmp[AES_BLOCK_SIZE];
+        const unsigned char *iv = ivec;
        assert(in && out && key && ivec);
        assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
@@ -73,22 +74,39 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
        if (AES_ENCRYPT == enc) {
                while (len >= AES_BLOCK_SIZE) {
                        for(n=0; n < AES_BLOCK_SIZE; ++n)
-                                tmp[n] = in[n] ^ ivec[n];
+                                out[n] = in[n] ^ iv[n];
-                        AES_encrypt(tmp, out, key);
+                        AES_encrypt(out, out, key);
-                        memcpy(ivec, out, AES_BLOCK_SIZE);
+                        iv = out;
                        len -= AES_BLOCK_SIZE;
                        in += AES_BLOCK_SIZE;
                        out += AES_BLOCK_SIZE;
                }
                if (len) {
                        for(n=0; n < len; ++n)
-                                tmp[n] = in[n] ^ ivec[n];
+                                out[n] = in[n] ^ iv[n];
                        for(n=len; n < AES_BLOCK_SIZE; ++n)
-                                tmp[n] = ivec[n];
+                                out[n] = iv[n];
-                        AES_encrypt(tmp, tmp, key);
+                        AES_encrypt(out, out, key);
-                        memcpy(out, tmp, AES_BLOCK_SIZE);
+                        iv = out;
-                        memcpy(ivec, tmp, AES_BLOCK_SIZE);
+                }
-                }                       
+                memcpy(ivec,iv,AES_BLOCK_SIZE);
+        } else if (in != out) {
+                while (len >= AES_BLOCK_SIZE) {
+                        AES_decrypt(in, out, key);
+                        for(n=0; n < AES_BLOCK_SIZE; ++n)
+                                out[n] ^= iv[n];
+                        iv = in;
+                        len -= AES_BLOCK_SIZE;
+                        in  += AES_BLOCK_SIZE;
+                        out += AES_BLOCK_SIZE;
+                }
+                if (len) {
+                        AES_decrypt(in,tmp,key);
+                        for(n=0; n < len; ++n)
+                                out[n] = tmp[n] ^ iv[n];
+                        iv = in;
+                }
+                memcpy(ivec,iv,AES_BLOCK_SIZE);
        } else {
                while (len >= AES_BLOCK_SIZE) {
                        memcpy(tmp, in, AES_BLOCK_SIZE);
@@ -102,10 +120,12 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
                }
                if (len) {
                        memcpy(tmp, in, AES_BLOCK_SIZE);
-                        AES_decrypt(tmp, tmp, key);
+                        AES_decrypt(tmp, out, key);
                        for(n=0; n < len; ++n)
-                                out[n] = tmp[n] ^ ivec[n];
+                                out[n] ^= ivec[n];
+                        for(n=len; n < AES_BLOCK_SIZE; ++n)
+                                out[n] = tmp[n];
                        memcpy(ivec, tmp, AES_BLOCK_SIZE);
-                }                       
+                }
        }
 }
diff --git a/src/lib/libssl/src/crypto/aes/aes_cfb.c b/src/lib/libssl/src/crypto/aes/aes_cfb.c
index 9b569dda90..49f0411010 100644
--- a/src/lib/libssl/src/crypto/aes/aes_cfb.c
+++ b/src/lib/libssl/src/crypto/aes/aes_cfb.c
@@ -114,6 +114,7 @@
 #include <openssl/aes.h>
 #include "aes_locl.h"
+#include "e_os.h"
 /* The input and output encrypted as though 128bit cfb mode is being
 * used.  The extra state information to record how much of the
@@ -155,3 +156,70 @@ void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
        *num=n;
 }
+/* This expects a single block of size nbits for both in and out. Note that
+   it corrupts any extra bits in the last byte of out */
+void AES_cfbr_encrypt_block(const unsigned char *in,unsigned char *out,
+                            const int nbits,const AES_KEY *key,
+                            unsigned char *ivec,const int enc)
+    {
+    int n,rem,num;
+    unsigned char ovec[AES_BLOCK_SIZE*2];
+    if (nbits<=0 || nbits>128) return;
+        /* fill in the first half of the new IV with the current IV */
+        memcpy(ovec,ivec,AES_BLOCK_SIZE);
+        /* construct the new IV */
+        AES_encrypt(ivec,ivec,key);
+        num = (nbits+7)/8;
+        if (enc)        /* encrypt the input */
+            for(n=0 ; n < num ; ++n)
+                out[n] = (ovec[AES_BLOCK_SIZE+n] = in[n] ^ ivec[n]);
+        else            /* decrypt the input */
+            for(n=0 ; n < num ; ++n)
+                out[n] = (ovec[AES_BLOCK_SIZE+n] = in[n]) ^ ivec[n];
+        /* shift ovec left... */
+        rem = nbits%8;
+        num = nbits/8;
+        if(rem==0)
+            memcpy(ivec,ovec+num,AES_BLOCK_SIZE);
+        else
+            for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
+                ivec[n] = ovec[n+num]<<rem | ovec[n+num+1]>>(8-rem);
+    /* it is not necessary to cleanse ovec, since the IV is not secret */
+    }
+/* N.B. This expects the input to be packed, MS bit first */
+void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out,
+                      const unsigned long length, const AES_KEY *key,
+                      unsigned char *ivec, int *num, const int enc)
+    {
+    unsigned int n;
+    unsigned char c[1],d[1];
+    assert(in && out && key && ivec && num);
+    assert(*num == 0);
+    memset(out,0,(length+7)/8);
+    for(n=0 ; n < length ; ++n)
+        {
+        c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
+        AES_cfbr_encrypt_block(c,d,1,key,ivec,enc);
+        out[n/8]=(out[n/8]&~(1 << (7-n%8)))|((d[0]&0x80) >> (n%8));
+        }
+    }
+void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out,
+                      const unsigned long length, const AES_KEY *key,
+                      unsigned char *ivec, int *num, const int enc)
+    {
+    unsigned int n;
+    assert(in && out && key && ivec && num);
+    assert(*num == 0);
+    for(n=0 ; n < length ; ++n)
+        AES_cfbr_encrypt_block(&in[n],&out[n],8,key,ivec,enc);
+    }
diff --git a/src/lib/libssl/src/crypto/aes/aes_core.c b/src/lib/libssl/src/crypto/aes/aes_core.c
index 2f41a825f8..ed566a8123 100644
--- a/src/lib/libssl/src/crypto/aes/aes_core.c
+++ b/src/lib/libssl/src/crypto/aes/aes_core.c
@@ -37,8 +37,11 @@
 #include <stdlib.h>
 #include <openssl/aes.h>
+#include <openssl/fips.h>
 #include "aes_locl.h"
+#ifndef OPENSSL_FIPS
 /*
 Te0[x] = S [x].[02, 01, 01, 03];
 Te1[x] = S [x].[03, 02, 01, 01];
@@ -1255,3 +1258,4 @@ void AES_decrypt(const unsigned char *in, unsigned char *out,
        PUTU32(out + 12, s3);
 }
+#endif /* ndef OPENSSL_FIPS */
diff --git a/src/lib/libssl/src/crypto/aes/aes_ctr.c b/src/lib/libssl/src/crypto/aes/aes_ctr.c
index 79e1c18f19..f36982be1e 100644
--- a/src/lib/libssl/src/crypto/aes/aes_ctr.c
+++ b/src/lib/libssl/src/crypto/aes/aes_ctr.c
@@ -59,7 +59,7 @@
 #include <openssl/aes.h>
 #include "aes_locl.h"
-/* NOTE: CTR mode is big-endian.  The rest of the AES code
+/* NOTE: the IV/counter CTR mode is big-endian.  The rest of the AES code
 * is endian-neutral. */
 /* increment counter (128-bit int) by 1 */
@@ -67,61 +67,36 @@ static void AES_ctr128_inc(unsigned char *counter) {
        unsigned long c;
        /* Grab bottom dword of counter and increment */
-#ifdef L_ENDIAN
-        c = GETU32(counter +  0);
-        c++;
-        PUTU32(counter +  0, c);
-#else
        c = GETU32(counter + 12);
-        c++;
+        c++;    c &= 0xFFFFFFFF;
        PUTU32(counter + 12, c);
-#endif
        /* if no overflow, we're done */
        if (c)
                return;
        /* Grab 1st dword of counter and increment */
-#ifdef L_ENDIAN
-        c = GETU32(counter +  4);
-        c++;
-        PUTU32(counter +  4, c);
-#else
        c = GETU32(counter +  8);
-        c++;
+        c++;    c &= 0xFFFFFFFF;
        PUTU32(counter +  8, c);
-#endif
        /* if no overflow, we're done */
        if (c)
                return;
        /* Grab 2nd dword of counter and increment */
-#ifdef L_ENDIAN
-        c = GETU32(counter +  8);
-        c++;
-        PUTU32(counter +  8, c);
-#else
        c = GETU32(counter +  4);
-        c++;
+        c++;    c &= 0xFFFFFFFF;
        PUTU32(counter +  4, c);
-#endif
        /* if no overflow, we're done */
        if (c)
                return;
        /* Grab top dword of counter and increment */
-#ifdef L_ENDIAN
-        c = GETU32(counter + 12);
-        c++;
-        PUTU32(counter + 12, c);
-#else
        c = GETU32(counter +  0);
-        c++;
+        c++;    c &= 0xFFFFFFFF;
        PUTU32(counter +  0, c);
-#endif
 }
 /* The input encrypted as though 128bit counter mode is being
diff --git a/src/lib/libssl/src/crypto/aes/aes_locl.h b/src/lib/libssl/src/crypto/aes/aes_locl.h
index f290946058..4184729e34 100644
--- a/src/lib/libssl/src/crypto/aes/aes_locl.h
+++ b/src/lib/libssl/src/crypto/aes/aes_locl.h
@@ -62,7 +62,7 @@
 #include <stdlib.h>
 #include <string.h>
-#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE)
+#if defined(_MSC_VER) && !defined(_M_IA64) && !defined(OPENSSL_SYS_WINCE)
 # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
 # define GETU32(p) SWAP(*((u32 *)(p)))
 # define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
diff --git a/src/lib/libssl/src/crypto/asn1/a_bitstr.c b/src/lib/libssl/src/crypto/asn1/a_bitstr.c
index f4ea96cd54..b81bf4fc81 100644
--- a/src/lib/libssl/src/crypto/asn1/a_bitstr.c
+++ b/src/lib/libssl/src/crypto/asn1/a_bitstr.c
@@ -194,8 +194,12 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
                        c=(unsigned char *)OPENSSL_realloc_clean(a->data,
                                                                 a->length,
                                                                 w+1);
-                if (c == NULL) return(0);
+                if (c == NULL)
-                if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length);
+                        {
+                        ASN1err(ASN1_F_ASN1_BIT_STRING_SET_BIT,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                        }
+                if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length);
                a->data=c;
                a->length=w+1;
        }
diff --git a/src/lib/libssl/src/crypto/asn1/a_digest.c b/src/lib/libssl/src/crypto/asn1/a_digest.c
index 4931e222a0..7182e9fa5d 100644
--- a/src/lib/libssl/src/crypto/asn1/a_digest.c
+++ b/src/lib/libssl/src/crypto/asn1/a_digest.c
@@ -65,6 +65,7 @@
 # include <sys/types.h>
 #endif
+#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
 #include <openssl/x509.h>
@@ -78,7 +79,11 @@ int ASN1_digest(int (*i2d)(), const EVP_MD *type, char *data,
        unsigned char *str,*p;
        i=i2d(data,NULL);
-        if ((str=(unsigned char *)OPENSSL_malloc(i)) == NULL) return(0);
+        if ((str=(unsigned char *)OPENSSL_malloc(i)) == NULL)
+                {
+                ASN1err(ASN1_F_ASN1_DIGEST,ERR_R_MALLOC_FAILURE);
+                return(0);
+                }
        p=str;
        i2d(data,&p);
diff --git a/src/lib/libssl/src/crypto/asn1/a_enum.c b/src/lib/libssl/src/crypto/asn1/a_enum.c
index ad8f0ffd1a..03ede68d1c 100644
--- a/src/lib/libssl/src/crypto/asn1/a_enum.c
+++ b/src/lib/libssl/src/crypto/asn1/a_enum.c
@@ -156,7 +156,7 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
                unsigned char *new_data=OPENSSL_realloc(ret->data, len+4);
                if (!new_data)
                        {
-                        ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
+                        ASN1err(ASN1_F_BN_TO_ASN1_ENUMERATED,ERR_R_MALLOC_FAILURE);
                        goto err;
                        }
                ret->data=new_data;
diff --git a/src/lib/libssl/src/crypto/asn1/a_gentm.c b/src/lib/libssl/src/crypto/asn1/a_gentm.c
index 8581007868..0dfd576211 100644
--- a/src/lib/libssl/src/crypto/asn1/a_gentm.c
+++ b/src/lib/libssl/src/crypto/asn1/a_gentm.c
@@ -192,8 +192,9 @@ int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, char *str)
                {
                if (s != NULL)
                        {
-                        ASN1_STRING_set((ASN1_STRING *)s,
+                        if (!ASN1_STRING_set((ASN1_STRING *)s,
-                                (unsigned char *)str,t.length);
+                                (unsigned char *)str,t.length))
+                                return 0;
                        s->type=V_ASN1_GENERALIZEDTIME;
                        }
                return(1);
@@ -223,7 +224,12 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,
        if ((p == NULL) || ((size_t)s->length < len))
                {
                p=OPENSSL_malloc(len);
-                if (p == NULL) return(NULL);
+                if (p == NULL)
+                        {
+                        ASN1err(ASN1_F_ASN1_GENERALIZEDTIME_SET,
+                                ERR_R_MALLOC_FAILURE);
+                        return(NULL);
+                        }
                if (s->data != NULL)
                        OPENSSL_free(s->data);
                s->data=(unsigned char *)p;
diff --git a/src/lib/libssl/src/crypto/asn1/a_int.c b/src/lib/libssl/src/crypto/asn1/a_int.c
index edb243c021..21cc64bb23 100644
--- a/src/lib/libssl/src/crypto/asn1/a_int.c
+++ b/src/lib/libssl/src/crypto/asn1/a_int.c
@@ -64,7 +64,26 @@ ASN1_INTEGER *ASN1_INTEGER_dup(ASN1_INTEGER *x)
 { return M_ASN1_INTEGER_dup(x);}
 int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y)
-{ return M_ASN1_INTEGER_cmp(x,y);}
+        { 
+        int neg, ret;
+        /* Compare signs */
+        neg = x->type & V_ASN1_NEG;
+        if (neg != (y->type & V_ASN1_NEG))
+                {
+                if (neg)
+                        return -1;
+                else
+                        return 1;
+                }
+        ret = ASN1_STRING_cmp(x, y);
+        if (neg)
+                return -ret;
+        else
+                return ret;
+        }
+        
 /* 
 * This converts an ASN1 INTEGER into its content encoding.
diff --git a/src/lib/libssl/src/crypto/asn1/a_print.c b/src/lib/libssl/src/crypto/asn1/a_print.c
index 8035513f04..d18e772320 100644
--- a/src/lib/libssl/src/crypto/asn1/a_print.c
+++ b/src/lib/libssl/src/crypto/asn1/a_print.c
@@ -60,7 +60,7 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
-int ASN1_PRINTABLE_type(unsigned char *s, int len)
+int ASN1_PRINTABLE_type(const unsigned char *s, int len)
        {
        int c;
        int ia5=0;
diff --git a/src/lib/libssl/src/crypto/asn1/a_set.c b/src/lib/libssl/src/crypto/asn1/a_set.c
index 0f839822ff..e24061c545 100644
--- a/src/lib/libssl/src/crypto/asn1/a_set.c
+++ b/src/lib/libssl/src/crypto/asn1/a_set.c
@@ -118,8 +118,13 @@ int i2d_ASN1_SET(STACK *a, unsigned char **pp, int (*func)(), int ex_tag,
                }
        pStart  = p; /* Catch the beg of Setblobs*/
-        if (!(rgSetBlob = (MYBLOB *)OPENSSL_malloc( sk_num(a) * sizeof(MYBLOB)))) return 0; /* In this array
+                /* In this array we will store the SET blobs */
-we will store the SET blobs */
+                rgSetBlob = (MYBLOB *)OPENSSL_malloc(sk_num(a) * sizeof(MYBLOB));
+                if (rgSetBlob == NULL)
+                        {
+                        ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
+                        return(0);
+                        }
        for (i=0; i<sk_num(a); i++)
                {
@@ -135,7 +140,11 @@ SetBlob
 /* Now we have to sort the blobs. I am using a simple algo.
    *Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/
        qsort( rgSetBlob, sk_num(a), sizeof(MYBLOB), SetBlobCmp);
-        if (!(pTempMem = OPENSSL_malloc(totSize))) return 0;
+                if (!(pTempMem = OPENSSL_malloc(totSize)))
+                        {
+                        ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
+                        return(0);
+                        }
 /* Copy to temp mem */
        p = pTempMem;
@@ -160,7 +169,13 @@ STACK *d2i_ASN1_SET(STACK **a, unsigned char **pp, long length,
        STACK *ret=NULL;
        if ((a == NULL) || ((*a) == NULL))
-                { if ((ret=sk_new_null()) == NULL) goto err; }
+                {
+                if ((ret=sk_new_null()) == NULL)
+                        {
+                        ASN1err(ASN1_F_D2I_ASN1_SET,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                }
        else
                ret=(*a);
diff --git a/src/lib/libssl/src/crypto/asn1/a_strex.c b/src/lib/libssl/src/crypto/asn1/a_strex.c
index bde666a6ff..a07122ba47 100644
--- a/src/lib/libssl/src/crypto/asn1/a_strex.c
+++ b/src/lib/libssl/src/crypto/asn1/a_strex.c
@@ -3,7 +3,7 @@
 * project 2000.
 */
 /* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2000-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -553,7 +553,12 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
        if((type < 0) || (type > 30)) return -1;
        mbflag = tag2nbyte[type];
        if(mbflag == -1) return -1;
-        mbflag |= MBSTRING_FLAG;
+        if (mbflag == 0)
+                mbflag = MBSTRING_UTF8;
+        else if (mbflag == 4)
+                mbflag = MBSTRING_UNIV;
+        else            
+                mbflag |= MBSTRING_FLAG;
        stmp.data = NULL;
        ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
        if(ret < 0) return ret;
diff --git a/src/lib/libssl/src/crypto/asn1/a_type.c b/src/lib/libssl/src/crypto/asn1/a_type.c
index fe3fcd40b0..2292d49b93 100644
--- a/src/lib/libssl/src/crypto/asn1/a_type.c
+++ b/src/lib/libssl/src/crypto/asn1/a_type.c
@@ -71,7 +71,10 @@ int ASN1_TYPE_get(ASN1_TYPE *a)
 void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value)
        {
        if (a->value.ptr != NULL)
-                ASN1_primitive_free((ASN1_VALUE **)&a, NULL);
+                {
+                ASN1_TYPE **tmp_a = &a;
+                ASN1_primitive_free((ASN1_VALUE **)tmp_a, NULL);
+                }
        a->type=type;
        a->value.ptr=value;
        }
diff --git a/src/lib/libssl/src/crypto/asn1/a_utctm.c b/src/lib/libssl/src/crypto/asn1/a_utctm.c
index 999852dae5..7b25fed331 100644
--- a/src/lib/libssl/src/crypto/asn1/a_utctm.c
+++ b/src/lib/libssl/src/crypto/asn1/a_utctm.c
@@ -173,8 +173,9 @@ int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str)
                {
                if (s != NULL)
                        {
-                        ASN1_STRING_set((ASN1_STRING *)s,
+                        if (!ASN1_STRING_set((ASN1_STRING *)s,
-                                (unsigned char *)str,t.length);
+                                (unsigned char *)str,t.length))
+                                return 0;
                        s->type = V_ASN1_UTCTIME;
                        }
                return(1);
@@ -203,7 +204,11 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
        if ((p == NULL) || ((size_t)s->length < len))
                {
                p=OPENSSL_malloc(len);
-                if (p == NULL) return(NULL);
+                if (p == NULL)
+                        {
+                        ASN1err(ASN1_F_ASN1_UTCTIME_SET,ERR_R_MALLOC_FAILURE);
+                        return(NULL);
+                        }
                if (s->data != NULL)
                        OPENSSL_free(s->data);
                s->data=(unsigned char *)p;
diff --git a/src/lib/libssl/src/crypto/asn1/a_verify.c b/src/lib/libssl/src/crypto/asn1/a_verify.c
index da2a0a6d69..18ef0acf00 100644
--- a/src/lib/libssl/src/crypto/asn1/a_verify.c
+++ b/src/lib/libssl/src/crypto/asn1/a_verify.c
@@ -142,6 +142,13 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
                goto err;
                }
+        if (!EVP_VerifyInit_ex(&ctx,type, NULL))
+                {
+                ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
+                ret=0;
+                goto err;
+                }
        inl = ASN1_item_i2d(asn, &buf_in, it);
        
        if (buf_in == NULL)
@@ -150,7 +157,6 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
                goto err;
                }
-        EVP_VerifyInit_ex(&ctx,type, NULL);
        EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
        OPENSSL_cleanse(buf_in,(unsigned int)inl);
diff --git a/src/lib/libssl/src/crypto/asn1/asn1.h b/src/lib/libssl/src/crypto/asn1/asn1.h
index 3414509f1b..ceaeb4cbe3 100644
--- a/src/lib/libssl/src/crypto/asn1/asn1.h
+++ b/src/lib/libssl/src/crypto/asn1/asn1.h
@@ -829,7 +829,7 @@ BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai,BIGNUM *bn);
 /* General */
 /* given a string, return the correct type, max is the maximum length */
-int ASN1_PRINTABLE_type(unsigned char *s, int max);
+int ASN1_PRINTABLE_type(const unsigned char *s, int max);
 int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass);
 ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp,
@@ -950,16 +950,19 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_A2I_ASN1_ENUMERATED                       101
 #define ASN1_F_A2I_ASN1_INTEGER                          102
 #define ASN1_F_A2I_ASN1_STRING                           103
+#define ASN1_F_ASN1_BIT_STRING_SET_BIT                   176
 #define ASN1_F_ASN1_CHECK_TLEN                           104
 #define ASN1_F_ASN1_COLLATE_PRIMITIVE                    105
 #define ASN1_F_ASN1_COLLECT                              106
 #define ASN1_F_ASN1_D2I_BIO                              107
 #define ASN1_F_ASN1_D2I_EX_PRIMITIVE                     108
 #define ASN1_F_ASN1_D2I_FP                               109
+#define ASN1_F_ASN1_DIGEST                               177
 #define ASN1_F_ASN1_DO_ADB                               110
 #define ASN1_F_ASN1_DUP                                  111
 #define ASN1_F_ASN1_ENUMERATED_SET                       112
 #define ASN1_F_ASN1_ENUMERATED_TO_BN                     113
+#define ASN1_F_ASN1_GENERALIZEDTIME_SET                  178
 #define ASN1_F_ASN1_GET_OBJECT                           114
 #define ASN1_F_ASN1_HEADER_NEW                           115
 #define ASN1_F_ASN1_I2D_BIO                              116
@@ -975,6 +978,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_ASN1_SEQ_PACK                             126
 #define ASN1_F_ASN1_SEQ_UNPACK                           127
 #define ASN1_F_ASN1_SIGN                                 128
+#define ASN1_F_ASN1_STRING_SET                           179
 #define ASN1_F_ASN1_STRING_TABLE_ADD                     129
 #define ASN1_F_ASN1_STRING_TYPE_NEW                      130
 #define ASN1_F_ASN1_TEMPLATE_D2I                         131
@@ -984,6 +988,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING             134
 #define ASN1_F_ASN1_TYPE_GET_OCTETSTRING                 135
 #define ASN1_F_ASN1_UNPACK_STRING                        136
+#define ASN1_F_ASN1_UTCTIME_SET                          180
 #define ASN1_F_ASN1_VERIFY                               137
 #define ASN1_F_BN_TO_ASN1_ENUMERATED                     138
 #define ASN1_F_BN_TO_ASN1_INTEGER                        139
@@ -1007,6 +1012,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_D2I_X509_CINF                             157
 #define ASN1_F_D2I_X509_NAME                             158
 #define ASN1_F_D2I_X509_PKEY                             159
+#define ASN1_F_I2D_ASN1_SET                              181
 #define ASN1_F_I2D_ASN1_TIME                             160
 #define ASN1_F_I2D_DSA_PUBKEY                            161
 #define ASN1_F_I2D_NETSCAPE_RSA                          162
diff --git a/src/lib/libssl/src/crypto/asn1/asn1_err.c b/src/lib/libssl/src/crypto/asn1/asn1_err.c
index 094ec06fda..3b57c8fbae 100644
--- a/src/lib/libssl/src/crypto/asn1/asn1_err.c
+++ b/src/lib/libssl/src/crypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -70,16 +70,19 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_A2I_ASN1_ENUMERATED,0),      "a2i_ASN1_ENUMERATED"},
 {ERR_PACK(0,ASN1_F_A2I_ASN1_INTEGER,0), "a2i_ASN1_INTEGER"},
 {ERR_PACK(0,ASN1_F_A2I_ASN1_STRING,0),  "a2i_ASN1_STRING"},
+{ERR_PACK(0,ASN1_F_ASN1_BIT_STRING_SET_BIT,0),  "ASN1_BIT_STRING_set_bit"},
 {ERR_PACK(0,ASN1_F_ASN1_CHECK_TLEN,0),  "ASN1_CHECK_TLEN"},
 {ERR_PACK(0,ASN1_F_ASN1_COLLATE_PRIMITIVE,0),   "ASN1_COLLATE_PRIMITIVE"},
 {ERR_PACK(0,ASN1_F_ASN1_COLLECT,0),     "ASN1_COLLECT"},
 {ERR_PACK(0,ASN1_F_ASN1_D2I_BIO,0),     "ASN1_d2i_bio"},
 {ERR_PACK(0,ASN1_F_ASN1_D2I_EX_PRIMITIVE,0),    "ASN1_D2I_EX_PRIMITIVE"},
 {ERR_PACK(0,ASN1_F_ASN1_D2I_FP,0),      "ASN1_d2i_fp"},
+{ERR_PACK(0,ASN1_F_ASN1_DIGEST,0),      "ASN1_digest"},
 {ERR_PACK(0,ASN1_F_ASN1_DO_ADB,0),      "ASN1_DO_ADB"},
 {ERR_PACK(0,ASN1_F_ASN1_DUP,0), "ASN1_dup"},
 {ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_SET,0),      "ASN1_ENUMERATED_set"},
 {ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_TO_BN,0),    "ASN1_ENUMERATED_to_BN"},
+{ERR_PACK(0,ASN1_F_ASN1_GENERALIZEDTIME_SET,0), "ASN1_GENERALIZEDTIME_set"},
 {ERR_PACK(0,ASN1_F_ASN1_GET_OBJECT,0),  "ASN1_get_object"},
 {ERR_PACK(0,ASN1_F_ASN1_HEADER_NEW,0),  "ASN1_HEADER_new"},
 {ERR_PACK(0,ASN1_F_ASN1_I2D_BIO,0),     "ASN1_i2d_bio"},
@@ -95,6 +98,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_ASN1_SEQ_PACK,0),    "ASN1_seq_pack"},
 {ERR_PACK(0,ASN1_F_ASN1_SEQ_UNPACK,0),  "ASN1_seq_unpack"},
 {ERR_PACK(0,ASN1_F_ASN1_SIGN,0),        "ASN1_sign"},
+{ERR_PACK(0,ASN1_F_ASN1_STRING_SET,0),  "ASN1_STRING_set"},
 {ERR_PACK(0,ASN1_F_ASN1_STRING_TABLE_ADD,0),    "ASN1_STRING_TABLE_add"},
 {ERR_PACK(0,ASN1_F_ASN1_STRING_TYPE_NEW,0),     "ASN1_STRING_type_new"},
 {ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_D2I,0),        "ASN1_TEMPLATE_D2I"},
@@ -104,6 +108,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0),    "ASN1_TYPE_get_int_octetstring"},
 {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0),        "ASN1_TYPE_get_octetstring"},
 {ERR_PACK(0,ASN1_F_ASN1_UNPACK_STRING,0),       "ASN1_unpack_string"},
+{ERR_PACK(0,ASN1_F_ASN1_UTCTIME_SET,0), "ASN1_UTCTIME_set"},
 {ERR_PACK(0,ASN1_F_ASN1_VERIFY,0),      "ASN1_verify"},
 {ERR_PACK(0,ASN1_F_BN_TO_ASN1_ENUMERATED,0),    "BN_to_ASN1_ENUMERATED"},
 {ERR_PACK(0,ASN1_F_BN_TO_ASN1_INTEGER,0),       "BN_to_ASN1_INTEGER"},
@@ -127,6 +132,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_D2I_X509_CINF,0),    "D2I_X509_CINF"},
 {ERR_PACK(0,ASN1_F_D2I_X509_NAME,0),    "D2I_X509_NAME"},
 {ERR_PACK(0,ASN1_F_D2I_X509_PKEY,0),    "d2i_X509_PKEY"},
+{ERR_PACK(0,ASN1_F_I2D_ASN1_SET,0),     "i2d_ASN1_SET"},
 {ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0),    "I2D_ASN1_TIME"},
 {ERR_PACK(0,ASN1_F_I2D_DSA_PUBKEY,0),   "i2d_DSA_PUBKEY"},
 {ERR_PACK(0,ASN1_F_I2D_NETSCAPE_RSA,0), "i2d_Netscape_RSA"},
diff --git a/src/lib/libssl/src/crypto/asn1/asn1_lib.c b/src/lib/libssl/src/crypto/asn1/asn1_lib.c
index a74f1368d3..97b9b35f4b 100644
--- a/src/lib/libssl/src/crypto/asn1/asn1_lib.c
+++ b/src/lib/libssl/src/crypto/asn1/asn1_lib.c
@@ -349,6 +349,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len)
                if (str->data == NULL)
                        {
+                        ASN1err(ASN1_F_ASN1_STRING_SET,ERR_R_MALLOC_FAILURE);
                        str->data=c;
                        return(0);
                        }
diff --git a/src/lib/libssl/src/crypto/asn1/evp_asn1.c b/src/lib/libssl/src/crypto/asn1/evp_asn1.c
index 3506005a71..f92ce6cb5d 100644
--- a/src/lib/libssl/src/crypto/asn1/evp_asn1.c
+++ b/src/lib/libssl/src/crypto/asn1/evp_asn1.c
@@ -115,7 +115,11 @@ int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data,
        if ((osp=ASN1_STRING_new()) == NULL) return(0);
        /* Grow the 'string' */
-        ASN1_STRING_set(osp,NULL,size);
+        if (!ASN1_STRING_set(osp,NULL,size))
+                {
+                ASN1_STRING_free(osp);
+                return(0);
+                }
        M_ASN1_STRING_length_set(osp, size);
        p=M_ASN1_STRING_data(osp);
diff --git a/src/lib/libssl/src/crypto/asn1/p5_pbe.c b/src/lib/libssl/src/crypto/asn1/p5_pbe.c
index 891150638e..ec788267e0 100644
--- a/src/lib/libssl/src/crypto/asn1/p5_pbe.c
+++ b/src/lib/libssl/src/crypto/asn1/p5_pbe.c
@@ -76,47 +76,55 @@ IMPLEMENT_ASN1_FUNCTIONS(PBEPARAM)
 X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt,
             int saltlen)
 {
-        PBEPARAM *pbe;
+        PBEPARAM *pbe=NULL;
        ASN1_OBJECT *al;
        X509_ALGOR *algor;
-        ASN1_TYPE *astype;
+        ASN1_TYPE *astype=NULL;
        if (!(pbe = PBEPARAM_new ())) {
                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-                return NULL;
+                goto err;
        }
        if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
-        ASN1_INTEGER_set (pbe->iter, iter);
+        if (!ASN1_INTEGER_set(pbe->iter, iter)) {
+                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
        if (!saltlen) saltlen = PKCS5_SALT_LEN;
        if (!(pbe->salt->data = OPENSSL_malloc (saltlen))) {
                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-                return NULL;
+                goto err;
        }
        pbe->salt->length = saltlen;
        if (salt) memcpy (pbe->salt->data, salt, saltlen);
        else if (RAND_pseudo_bytes (pbe->salt->data, saltlen) < 0)
-                return NULL;
+                goto err;
        if (!(astype = ASN1_TYPE_new())) {
                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-                return NULL;
+                goto err;
        }
        astype->type = V_ASN1_SEQUENCE;
        if(!ASN1_pack_string(pbe, i2d_PBEPARAM, &astype->value.sequence)) {
                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-                return NULL;
+                goto err;
        }
        PBEPARAM_free (pbe);
+        pbe = NULL;
        
        al = OBJ_nid2obj(alg); /* never need to free al */
        if (!(algor = X509_ALGOR_new())) {
                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
-                return NULL;
+                goto err;
        }
        ASN1_OBJECT_free(algor->algorithm);
        algor->algorithm = al;
        algor->parameter = astype;
        return (algor);
+err:
+        if (pbe != NULL) PBEPARAM_free(pbe);
+        if (astype != NULL) ASN1_TYPE_free(astype);
+        return NULL;
 }
diff --git a/src/lib/libssl/src/crypto/asn1/p5_pbev2.c b/src/lib/libssl/src/crypto/asn1/p5_pbev2.c
index 91e1c8987d..e0dc0ec4ee 100644
--- a/src/lib/libssl/src/crypto/asn1/p5_pbev2.c
+++ b/src/lib/libssl/src/crypto/asn1/p5_pbev2.c
@@ -1,6 +1,6 @@
 /* p5_pbev2.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project 1999-2004.
 */
 /* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
@@ -113,7 +113,8 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
        if(!(scheme->parameter = ASN1_TYPE_new())) goto merr;
        /* Create random IV */
-        if (RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
+        if (EVP_CIPHER_iv_length(cipher) &&
+                RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
                goto err;
        EVP_CIPHER_CTX_init(&ctx);
@@ -123,6 +124,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
        if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
                ASN1err(ASN1_F_PKCS5_PBE2_SET,
                                        ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
+                EVP_CIPHER_CTX_cleanup(&ctx);
                goto err;
        }
        EVP_CIPHER_CTX_cleanup(&ctx);
diff --git a/src/lib/libssl/src/crypto/asn1/t_bitst.c b/src/lib/libssl/src/crypto/asn1/t_bitst.c
index 8ee789f082..397332d9b8 100644
--- a/src/lib/libssl/src/crypto/asn1/t_bitst.c
+++ b/src/lib/libssl/src/crypto/asn1/t_bitst.c
@@ -84,7 +84,10 @@ int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
        int bitnum;
        bitnum = ASN1_BIT_STRING_num_asc(name, tbl);
        if(bitnum < 0) return 0;
-        if(bs) ASN1_BIT_STRING_set_bit(bs, bitnum, value);
+        if(bs) {
+                if(!ASN1_BIT_STRING_set_bit(bs, bitnum, value))
+                        return 0;
+        }
        return 1;
 }
diff --git a/src/lib/libssl/src/crypto/asn1/x_crl.c b/src/lib/libssl/src/crypto/asn1/x_crl.c
index 11fce96825..b99f8fc522 100644
--- a/src/lib/libssl/src/crypto/asn1/x_crl.c
+++ b/src/lib/libssl/src/crypto/asn1/x_crl.c
@@ -63,8 +63,6 @@
 static int X509_REVOKED_cmp(const X509_REVOKED * const *a,
                                const X509_REVOKED * const *b);
-static int X509_REVOKED_seq_cmp(const X509_REVOKED * const *a,
-                                const X509_REVOKED * const *b);
 ASN1_SEQUENCE(X509_REVOKED) = {
        ASN1_SIMPLE(X509_REVOKED,serialNumber, ASN1_INTEGER),
@@ -72,43 +70,28 @@ ASN1_SEQUENCE(X509_REVOKED) = {
        ASN1_SEQUENCE_OF_OPT(X509_REVOKED,extensions, X509_EXTENSION)
 } ASN1_SEQUENCE_END(X509_REVOKED)
-/* The X509_CRL_INFO structure needs a bit of customisation. This is actually
+/* The X509_CRL_INFO structure needs a bit of customisation.
- * mirroring the old behaviour: its purpose is to allow the use of
+ * Since we cache the original encoding the signature wont be affected by
- * sk_X509_REVOKED_find to lookup revoked certificates. Unfortunately
+ * reordering of the revoked field.
- * this will zap the original order and the signature so we keep a copy
- * of the original positions and reorder appropriately before encoding.
- *
- * Might want to see if there's a better way of doing this later...
 */
 static int crl_inf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
        X509_CRL_INFO *a = (X509_CRL_INFO *)*pval;
-        int i;
-        int (*old_cmp)(const X509_REVOKED * const *,
-                        const X509_REVOKED * const *);
        if(!a || !a->revoked) return 1;
        switch(operation) {
+                /* Just set cmp function here. We don't sort because that
-                /* Save original order */
+                 * would affect the output of X509_CRL_print().
+                 */
                case ASN1_OP_D2I_POST:
-                for (i=0; i<sk_X509_REVOKED_num(a->revoked); i++)
-                        sk_X509_REVOKED_value(a->revoked,i)->sequence=i;
                sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_cmp);
                break;
-                /* Restore original order */
-                case ASN1_OP_I2D_PRE:
-                old_cmp=sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_seq_cmp);
-                sk_X509_REVOKED_sort(a->revoked);
-                sk_X509_REVOKED_set_cmp_func(a->revoked,old_cmp);
-                break;
        }
        return 1;
 }
-ASN1_SEQUENCE_cb(X509_CRL_INFO, crl_inf_cb) = {
+ASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = {
        ASN1_OPT(X509_CRL_INFO, version, ASN1_INTEGER),
        ASN1_SIMPLE(X509_CRL_INFO, sig_alg, X509_ALGOR),
        ASN1_SIMPLE(X509_CRL_INFO, issuer, X509_NAME),
@@ -116,7 +99,7 @@ ASN1_SEQUENCE_cb(X509_CRL_INFO, crl_inf_cb) = {
        ASN1_OPT(X509_CRL_INFO, nextUpdate, ASN1_TIME),
        ASN1_SEQUENCE_OF_OPT(X509_CRL_INFO, revoked, X509_REVOKED),
        ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0)
-} ASN1_SEQUENCE_END_cb(X509_CRL_INFO, X509_CRL_INFO)
+} ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO)
 ASN1_SEQUENCE_ref(X509_CRL, 0, CRYPTO_LOCK_X509_CRL) = {
        ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO),
@@ -137,12 +120,6 @@ static int X509_REVOKED_cmp(const X509_REVOKED * const *a,
                (ASN1_STRING *)(*b)->serialNumber));
        }
-static int X509_REVOKED_seq_cmp(const X509_REVOKED * const *a,
-                                const X509_REVOKED * const *b)
-        {
-        return((*a)->sequence-(*b)->sequence);
-        }
 int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
 {
        X509_CRL_INFO *inf;
@@ -153,6 +130,7 @@ int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
                ASN1err(ASN1_F_X509_CRL_ADD0_REVOKED, ERR_R_MALLOC_FAILURE);
                return 0;
        }
+        inf->enc.modified = 1;
        return 1;
 }
diff --git a/src/lib/libssl/src/crypto/asn1/x_name.c b/src/lib/libssl/src/crypto/asn1/x_name.c
index caece0f158..31f3377b64 100644
--- a/src/lib/libssl/src/crypto/asn1/x_name.c
+++ b/src/lib/libssl/src/crypto/asn1/x_name.c
@@ -160,21 +160,22 @@ static int x509_name_ex_d2i(ASN1_VALUE **val, unsigned char **in, long len, cons
                                        int tag, int aclass, char opt, ASN1_TLC *ctx)
 {
        unsigned char *p = *in, *q;
-        STACK *intname = NULL;
+        STACK *intname = NULL, **intname_pp = &intname;
        int i, j, ret;
-        X509_NAME *nm = NULL;
+        X509_NAME *nm = NULL, **nm_pp = &nm;
        STACK_OF(X509_NAME_ENTRY) *entries;
        X509_NAME_ENTRY *entry;
        q = p;
        /* Get internal representation of Name */
-        ret = ASN1_item_ex_d2i((ASN1_VALUE **)&intname, &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL),
+        ret = ASN1_item_ex_d2i((ASN1_VALUE **)intname_pp,
-                                                                tag, aclass, opt, ctx);
+                               &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL),
+                               tag, aclass, opt, ctx);
        
        if(ret <= 0) return ret;
        if(*val) x509_name_ex_free(val, NULL);
-        if(!x509_name_ex_new((ASN1_VALUE **)&nm, NULL)) goto err;
+        if(!x509_name_ex_new((ASN1_VALUE **)nm_pp, NULL)) goto err;
        /* We've decoded it: now cache encoding */
        if(!BUF_MEM_grow(nm->bytes, p - q)) goto err;
        memcpy(nm->bytes->data, q, p - q);
@@ -218,7 +219,7 @@ static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out, const ASN1_IT
 static int x509_name_encode(X509_NAME *a)
 {
-        STACK *intname = NULL;
+        STACK *intname = NULL, **intname_pp = &intname;
        int len;
        unsigned char *p;
        STACK_OF(X509_NAME_ENTRY) *entries = NULL;
@@ -236,10 +237,12 @@ static int x509_name_encode(X509_NAME *a)
                }
                if(!sk_X509_NAME_ENTRY_push(entries, entry)) goto memerr;
        }
-        len = ASN1_item_ex_i2d((ASN1_VALUE **)&intname, NULL, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
+        len = ASN1_item_ex_i2d((ASN1_VALUE **)intname_pp, NULL,
+                               ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
        if (!BUF_MEM_grow(a->bytes,len)) goto memerr;
        p=(unsigned char *)a->bytes->data;
-        ASN1_item_ex_i2d((ASN1_VALUE **)&intname, &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
+        ASN1_item_ex_i2d((ASN1_VALUE **)intname_pp,
+                         &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
        sk_pop_free(intname, sk_internal_free);
        a->modified = 0;
        return len;
diff --git a/src/lib/libssl/src/crypto/asn1/x_pubkey.c b/src/lib/libssl/src/crypto/asn1/x_pubkey.c
index d958540120..7d6d71af88 100644
--- a/src/lib/libssl/src/crypto/asn1/x_pubkey.c
+++ b/src/lib/libssl/src/crypto/asn1/x_pubkey.c
@@ -80,8 +80,7 @@ IMPLEMENT_ASN1_FUNCTIONS(X509_PUBKEY)
 int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
        {
-        int ok=0;
+        X509_PUBKEY *pk=NULL;
-        X509_PUBKEY *pk;
        X509_ALGOR *a;
        ASN1_OBJECT *o;
        unsigned char *s,*p = NULL;
@@ -104,7 +103,11 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
                        (a->parameter->type != V_ASN1_NULL))
                        {
                        ASN1_TYPE_free(a->parameter);
-                        a->parameter=ASN1_TYPE_new();
+                        if (!(a->parameter=ASN1_TYPE_new()))
+                                {
+                                X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+                                goto err;
+                                }
                        a->parameter->type=V_ASN1_NULL;
                        }
                }
@@ -118,14 +121,34 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
                dsa=pkey->pkey.dsa;
                dsa->write_params=0;
                ASN1_TYPE_free(a->parameter);
-                i=i2d_DSAparams(dsa,NULL);
+                if ((i=i2d_DSAparams(dsa,NULL)) <= 0)
-                if ((p=(unsigned char *)OPENSSL_malloc(i)) == NULL) goto err;
+                        goto err;
+                if (!(p=(unsigned char *)OPENSSL_malloc(i)))
+                        {
+                        X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
                pp=p;
                i2d_DSAparams(dsa,&pp);
-                a->parameter=ASN1_TYPE_new();
+                if (!(a->parameter=ASN1_TYPE_new()))
+                        {
+                        OPENSSL_free(p);
+                        X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
                a->parameter->type=V_ASN1_SEQUENCE;
-                a->parameter->value.sequence=ASN1_STRING_new();
+                if (!(a->parameter->value.sequence=ASN1_STRING_new()))
-                ASN1_STRING_set(a->parameter->value.sequence,p,i);
+                        {
+                        OPENSSL_free(p);
+                        X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                if (!ASN1_STRING_set(a->parameter->value.sequence,p,i))
+                        {
+                        OPENSSL_free(p);
+                        X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
                OPENSSL_free(p);
                }
        else
@@ -143,7 +166,11 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
                }
        p=s;
        i2d_PublicKey(pkey,&p);
-        if (!M_ASN1_BIT_STRING_set(pk->public_key,s,i)) goto err;
+        if (!M_ASN1_BIT_STRING_set(pk->public_key,s,i))
+                {
+                X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
        /* Set number of unused bits to zero */
        pk->public_key->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
        pk->public_key->flags|=ASN1_STRING_FLAG_BITS_LEFT;
@@ -159,12 +186,11 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
                X509_PUBKEY_free(*x);
        *x=pk;
-        pk=NULL;
-        ok=1;
+        return 1;
 err:
        if (pk != NULL) X509_PUBKEY_free(pk);
-        return(ok);
+        return 0;
        }
 EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
diff --git a/src/lib/libssl/src/crypto/bf/bf_skey.c b/src/lib/libssl/src/crypto/bf/bf_skey.c
index 3673cdee6e..fc5bebefce 100644
--- a/src/lib/libssl/src/crypto/bf/bf_skey.c
+++ b/src/lib/libssl/src/crypto/bf/bf_skey.c
@@ -58,11 +58,12 @@
 #include <stdio.h>
 #include <string.h>
+#include <openssl/crypto.h>
 #include <openssl/blowfish.h>
 #include "bf_locl.h"
 #include "bf_pi.h"
-void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
+FIPS_NON_FIPS_VCIPHER_Init(BF)
        {
        int i;
        BF_LONG *p,ri,in[2];
diff --git a/src/lib/libssl/src/crypto/bf/blowfish.h b/src/lib/libssl/src/crypto/bf/blowfish.h
index cd49e85ab2..b4d8774961 100644
--- a/src/lib/libssl/src/crypto/bf/blowfish.h
+++ b/src/lib/libssl/src/crypto/bf/blowfish.h
@@ -104,7 +104,10 @@ typedef struct bf_key_st
        BF_LONG S[4*256];
        } BF_KEY;
- 
+#ifdef OPENSSL_FIPS 
+void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data);
+#endif
 void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
 void BF_encrypt(BF_LONG *data,const BF_KEY *key);
diff --git a/src/lib/libssl/src/crypto/bio/b_print.c b/src/lib/libssl/src/crypto/bio/b_print.c
index 880dc69303..8b753e7ca0 100644
--- a/src/lib/libssl/src/crypto/bio/b_print.c
+++ b/src/lib/libssl/src/crypto/bio/b_print.c
@@ -641,7 +641,7 @@ fmtfp(
       multiplying by a factor of 10 */
    fracpart = roundv((pow10(max)) * (ufvalue - intpart));
-    if (fracpart >= pow10(max)) {
+    if (fracpart >= (long)pow10(max)) {
        intpart++;
        fracpart -= (long)pow10(max);
    }
diff --git a/src/lib/libssl/src/crypto/bio/bio.h b/src/lib/libssl/src/crypto/bio/bio.h
index fbbc16d00c..2eb703830f 100644
--- a/src/lib/libssl/src/crypto/bio/bio.h
+++ b/src/lib/libssl/src/crypto/bio/bio.h
@@ -347,6 +347,7 @@ typedef struct bio_f_buffer_ctx_struct
 #define BIO_C_NWRITE0                           145
 #define BIO_C_NWRITE                            146
 #define BIO_C_RESET_READ_REQUEST                147
+#define BIO_C_SET_MD_CTX                        148
 #define BIO_set_app_data(s,arg)         BIO_set_ex_data(s,0,arg)
diff --git a/src/lib/libssl/src/crypto/bio/bss_file.c b/src/lib/libssl/src/crypto/bio/bss_file.c
index 9cdf159f82..8034ac93f9 100644
--- a/src/lib/libssl/src/crypto/bio/bss_file.c
+++ b/src/lib/libssl/src/crypto/bio/bss_file.c
@@ -213,13 +213,14 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
                b->shutdown=(int)num&BIO_CLOSE;
                b->ptr=(char *)ptr;
                b->init=1;
+                {
 #if defined(OPENSSL_SYS_WINDOWS)
+                int fd = fileno((FILE*)ptr);
                if (num & BIO_FP_TEXT)
-                        _setmode(fileno((FILE *)ptr),_O_TEXT);
+                        _setmode(fd,_O_TEXT);
                else
-                        _setmode(fileno((FILE *)ptr),_O_BINARY);
+                        _setmode(fd,_O_BINARY);
 #elif defined(OPENSSL_SYS_MSDOS)
-                {
                int fd = fileno((FILE*)ptr);
                /* Set correct text/binary mode */
                if (num & BIO_FP_TEXT)
@@ -235,13 +236,14 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
                        else
                                _setmode(fd,_O_BINARY);
                        }
-                }
 #elif defined(OPENSSL_SYS_OS2)
+                int fd = fileno((FILE*)ptr);
                if (num & BIO_FP_TEXT)
-                        setmode(fileno((FILE *)ptr), O_TEXT);
+                        setmode(fd, O_TEXT);
                else
-                        setmode(fileno((FILE *)ptr), O_BINARY);
+                        setmode(fd, O_BINARY);
 #endif
+                }
                break;
        case BIO_C_SET_FILENAME:
                file_free(b);
@@ -264,7 +266,7 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
                        ret=0;
                        break;
                        }
-#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2)
+#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN)
                if (!(num & BIO_FP_TEXT))
                        strcat(p,"b");
                else
diff --git a/src/lib/libssl/src/crypto/bn/asm/ia64.S b/src/lib/libssl/src/crypto/bn/asm/ia64.S
index 7dfda85566..7b82b820e6 100644
--- a/src/lib/libssl/src/crypto/bn/asm/ia64.S
+++ b/src/lib/libssl/src/crypto/bn/asm/ia64.S
@@ -1,6 +1,6 @@
 .explicit
 .text
-.ident  "ia64.S, Version 2.0"
+.ident  "ia64.S, Version 2.1"
 .ident  "IA-64 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
 //
@@ -35,7 +35,7 @@
 // What does it mean? You might ratiocinate that the original code
 // should run just faster... Because sum of latencies is smaller...
 // Wrong! Note that getf latency increased. This means that if a loop is
-// scheduled for lower latency (and they are), then it will suffer from
+// scheduled for lower latency (as they were), then it will suffer from
 // stall condition and the code will therefore turn anti-scalable, e.g.
 // original bn_mul_words spun at 5*n or 2.5 times slower than expected
 // on Itanium2! What to do? Reschedule loops for Itanium2? But then
@@ -145,6 +145,12 @@
 //      -Drum=nop.m in command line.
 //
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
+#define ADDP    addp4
+#else
+#define ADDP    add
+#endif
 #if 1
 //
 // bn_[add|sub]_words routines.
@@ -178,27 +184,12 @@ bn_add_words:
        brp.loop.imp    .L_bn_add_words_ctop,.L_bn_add_words_cend-16
                                        }
        .body
-{ .mib;
+{ .mib; ADDP            r14=0,r32               // rp
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-        addp4           r14=0,r32               // rp
-#else
-        mov             r14=r32                 // rp
-#endif
        mov             r9=pr           };;
-{ .mii;
+{ .mii; ADDP            r15=0,r33               // ap
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-        addp4           r15=0,r33               // ap
-#else
-        mov             r15=r33                 // ap
-#endif
        mov             ar.lc=r10
        mov             ar.ec=6         }
-{ .mib;
+{ .mib; ADDP            r16=0,r34               // bp
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-        addp4           r16=0,r34               // bp
-#else
-        mov             r16=r34                 // bp
-#endif
        mov             pr.rot=1<<16    };;
 .L_bn_add_words_ctop:
@@ -246,27 +237,12 @@ bn_sub_words:
        brp.loop.imp    .L_bn_sub_words_ctop,.L_bn_sub_words_cend-16
                                        }
        .body
-{ .mib;
+{ .mib; ADDP            r14=0,r32               // rp
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-        addp4           r14=0,r32               // rp
-#else
-        mov             r14=r32                 // rp
-#endif
        mov             r9=pr           };;
-{ .mii;
+{ .mii; ADDP            r15=0,r33               // ap
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-        addp4           r15=0,r33               // ap
-#else
-        mov             r15=r33                 // ap
-#endif
        mov             ar.lc=r10
        mov             ar.ec=6         }
-{ .mib;
+{ .mib; ADDP            r16=0,r34               // bp
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-        addp4           r16=0,r34               // bp
-#else
-        mov             r16=r34                 // bp
-#endif
        mov             pr.rot=1<<16    };;
 .L_bn_sub_words_ctop:
@@ -332,16 +308,10 @@ bn_mul_words:
 #ifndef XMA_TEMPTATION
-{ .mii;
+{ .mmi; ADDP            r14=0,r32       // rp
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        ADDP            r15=0,r33       // ap
-        addp4           r14=0,r32       // rp
-        addp4           r15=0,r33       // ap
-#else
-        mov             r14=r32         // rp
-        mov             r15=r33         // ap
-#endif
        mov             ar.lc=r10       }
-{ .mii; mov             r40=0   // serves as r35 at first (p27)
+{ .mmi; mov             r40=0           // serves as r35 at first (p27)
        mov             ar.ec=13        };;
 // This loop spins in 2*(n+12) ticks. It's scheduled for data in Itanium
@@ -424,89 +394,64 @@ bn_mul_words:
 .global bn_mul_add_words#
 .proc   bn_mul_add_words#
 .align  64
-//.skip 0       // makes the loop split at 64-byte boundary
+.skip   48      // makes the loop body aligned at 64-byte boundary
 bn_mul_add_words:
        .prologue
        .fframe 0
        .save   ar.pfs,r2
-{ .mii; alloc           r2=ar.pfs,4,12,0,16
-        cmp4.le         p6,p0=r34,r0    };;
-{ .mfb; mov             r8=r0                   // return value
-(p6)    br.ret.spnt.many        b0      };;
        .save   ar.lc,r3
-{ .mii; sub     r10=r34,r0,1
+        .save   pr,r9
-        mov     r3=ar.lc
+{ .mmi; alloc           r2=ar.pfs,4,4,0,8
-        mov     r9=pr                   };;
+        cmp4.le         p6,p0=r34,r0
+        mov             r3=ar.lc        };;
+{ .mib; mov             r8=r0           // return value
+        sub             r10=r34,r0,1
+(p6)    br.ret.spnt.many        b0      };;
        .body
-{ .mib; setf.sig        f8=r35  // w
+{ .mib; setf.sig        f8=r35          // w
-        mov             pr.rot=0x800001<<16
+        mov             r9=pr
-                        // ------^----- serves as (p50) at first (p27)
        brp.loop.imp    .L_bn_mul_add_words_ctop,.L_bn_mul_add_words_cend-16
                                        }
-{ .mii;
+{ .mmi; ADDP            r14=0,r32       // rp
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        ADDP            r15=0,r33       // ap
-        addp4           r14=0,r32       // rp
-        addp4           r15=0,r33       // ap
-#else
-        mov             r14=r32         // rp
-        mov             r15=r33         // ap
-#endif
        mov             ar.lc=r10       }
-{ .mii; mov             r40=0   // serves as r35 at first (p27)
+{ .mii; ADDP            r16=0,r32       // rp copy
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+        mov             pr.rot=0x2001<<16
-        addp4           r18=0,r32       // rp copy
+                        // ------^----- serves as (p40) at first (p27)
-#else
+        mov             ar.ec=11        };;
-        mov             r18=r32         // rp copy
-#endif
+// This loop spins in 3*(n+10) ticks on Itanium and in 2*(n+10) on
-        mov             ar.ec=15        };;
+// Itanium 2. Yes, unlike previous versions it scales:-) Previous
+// version was peforming *all* additions in IALU and was starving
-// This loop spins in 3*(n+14) ticks on Itanium and should spin in
+// for those even on Itanium 2. In this version one addition is
-// 2*(n+14) on "wider" IA-64 implementations (to be verified with new
+// moved to FPU and is folded with multiplication. This is at cost
-// �-architecture manuals as they become available). As usual it's
+// of propogating the result from previous call to this subroutine
-// possible to compress the epilogue, down to 10 in this case, at the
+// to L2 cache... In other words negligible even for shorter keys.
-// cost of scalability. Compressed (and therefore non-scalable) loop
+// *Overall* performance improvement [over previous version] varies
-// running at 3*(n+11) would buy you ~10% on Itanium but take ~35%
+// from 11 to 22 percent depending on key length.
-// from "wider" IA-64 so let it be scalable! Special attention was
-// paid for having the loop body split at 64-byte boundary. ld8 is
-// scheduled for L1 cache as the data is more than likely there.
-// Indeed, bn_mul_words has put it there a moment ago:-)
 .L_bn_mul_add_words_ctop:
-{ .mfi; (p25)   getf.sig        r36=f52                 // low
+.pred.rel       "mutex",p40,p42
-        (p21)   xmpy.lu         f48=f37,f8
+{ .mfi; (p23)   getf.sig        r36=f45                 // low
-        (p28)   cmp.ltu         p54,p50=r41,r39 }
+        (p20)   xma.lu          f42=f36,f8,f50          // low
-{ .mfi; (p16)   ldf8            f32=[r15],8
+        (p40)   add             r39=r39,r35     }       // (p27)
-        (p21)   xmpy.hu         f40=f37,f8
+{ .mfi; (p16)   ldf8            f32=[r15],8             // *(ap++)
-        (p28)   add             r45=r45,r41     };;
+        (p20)   xma.hu          f36=f36,f8,f50          // high
-{ .mii; (p25)   getf.sig        r32=f44                 // high
+        (p42)   add             r39=r39,r35,1   };;     // (p27)
-        .pred.rel       "mutex",p50,p54
+{ .mmi; (p24)   getf.sig        r32=f40                 // high
-        (p50)   add             r40=r38,r35             // (p27)
+        (p16)   ldf8            f46=[r16],8             // *(rp1++)
-        (p54)   add             r40=r38,r35,1   }       // (p27)
+        (p40)   cmp.ltu         p41,p39=r39,r35 }       // (p27)
-{ .mfb; (p28)   cmp.ltu.unc     p60,p0=r45,r41
+{ .mib; (p26)   st8             [r14]=r39,8             // *(rp2++)
-        (p0)    nop.f           0x0
+        (p42)   cmp.leu         p41,p39=r39,r35         // (p27)
-        (p0)    nop.b           0x0             }
-{ .mii; (p27)   ld8             r44=[r18],8
-        (p62)   cmp.eq.or       p61,p0=-1,r46
-        (p62)   add             r46=1,r46       }
-{ .mfb; (p30)   st8             [r14]=r47,8
-        (p0)    nop.f           0x0
        br.ctop.sptk    .L_bn_mul_add_words_ctop};;
 .L_bn_mul_add_words_cend:
-{ .mii; nop.m           0x0
+{ .mmi; .pred.rel       "mutex",p40,p42
-.pred.rel       "mutex",p53,p57
+(p40)   add             r8=r35,r0
-(p53)   add             r8=r38,r0
+(p42)   add             r8=r35,r0,1
-(p57)   add             r8=r38,r0,1     }
+        mov             pr=r9,0x1ffff   }
-{ .mfb; nop.m   0x0
+{ .mib; rum             1<<5            // clear um.mfh
-        nop.f   0x0
+        mov             ar.lc=r3
-        nop.b   0x0                     };;
-{ .mii;
-(p63)   add             r8=1,r8
-        mov             pr=r9,0x1ffff
-        mov             ar.lc=r3        }
-{ .mfb; rum             1<<5            // clear um.mfh
-        nop.f           0x0
        br.ret.sptk.many        b0      };;
 .endp   bn_mul_add_words#
 #endif
@@ -527,7 +472,8 @@ bn_sqr_words:
        sxt4            r34=r34         };;
 { .mii; cmp.le          p6,p0=r34,r0
        mov             r8=r0           }       // return value
-{ .mfb; nop.f           0x0
+{ .mfb; ADDP            r32=0,r32
+        nop.f           0x0
 (p6)    br.ret.spnt.many        b0      };;
        .save   ar.lc,r3
@@ -536,11 +482,7 @@ bn_sqr_words:
        mov     r9=pr                   };;
        .body
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+{ .mib; ADDP            r33=0,r33
-{ .mii; addp4           r32=0,r32
-        addp4           r33=0,r33       };;
-#endif
-{ .mib;
        mov             pr.rot=1<<16
        brp.loop.imp    .L_bn_sqr_words_ctop,.L_bn_sqr_words_cend-16
                                        }
@@ -605,7 +547,7 @@ bn_sqr_comba8:
        .prologue
        .fframe 0
        .save   ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
 { .mii; alloc   r2=ar.pfs,2,1,0,0
        addp4   r33=0,r33
        addp4   r32=0,r32               };;
@@ -631,6 +573,10 @@ bn_sqr_comba8:
 // clause in Itanium �-architecture manual? Comments are welcomed and
 // highly appreciated.
 //
+// On Itanium 2 it takes ~190 ticks. This is because of stalls on
+// result from getf.sig. I do nothing about it at this point for
+// reasons depicted below.
+//
 // However! It should be noted that even 160 ticks is darn good result
 // as it's over 10 (yes, ten, spelled as t-e-n) times faster than the
 // C version (compiled with gcc with inline assembler). I really
@@ -673,7 +619,7 @@ bn_mul_comba8:
        .prologue
        .fframe 0
        .save   ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
 { .mii; alloc   r2=ar.pfs,3,0,0,0
        addp4   r33=0,r33
        addp4   r34=0,r34               };;
@@ -1231,7 +1177,7 @@ bn_sqr_comba4:
        .prologue
        .fframe 0
        .save   ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
 { .mii; alloc   r2=ar.pfs,2,1,0,0
        addp4   r32=0,r32
        addp4   r33=0,r33               };;
@@ -1264,7 +1210,7 @@ bn_mul_comba4:
        .prologue
        .fframe 0
        .save   ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
 { .mii; alloc   r2=ar.pfs,3,0,0,0
        addp4   r33=0,r33
        addp4   r34=0,r34               };;
@@ -1448,8 +1394,8 @@ bn_mul_comba4:
 #define I       r21
 #if 0
-// Some preprocessors (most notably HP-UX) apper to be allergic to
+// Some preprocessors (most notably HP-UX) appear to be allergic to
-// macros enclosed to parenthesis as these three will be.
+// macros enclosed to parenthesis [as these three were].
 #define cont    p16
 #define break   p0      // p20
 #define equ     p24
@@ -1581,9 +1527,18 @@ bn_div_words:
 // output:      f8 = (int)(a/b)
 // clobbered:   f8,f9,f10,f11,pred
 pred=p15
-// This procedure is essentially Intel code and therefore is
+// One can argue that this snippet is copyrighted to Intel
-// copyrighted to Intel Corporation (I suppose...). It's sligtly
+// Corporation, as it's essentially identical to one of those
-// modified for specific needs.
+// found in "Divide, Square Root and Remainder" section at
+// http://www.intel.com/software/products/opensource/libraries/num.htm.
+// Yes, I admit that the referred code was used as template,
+// but after I realized that there hardly is any other instruction
+// sequence which would perform this operation. I mean I figure that
+// any independent attempt to implement high-performance division
+// will result in code virtually identical to the Intel code. It
+// should be noted though that below division kernel is 1 cycle
+// faster than Intel one (note commented splits:-), not to mention
+// original prologue (rather lack of one) and epilogue.
 .align  32
 .skip   16
 .L_udiv64_32_b6:
diff --git a/src/lib/libssl/src/crypto/bn/bn_mont.c b/src/lib/libssl/src/crypto/bn/bn_mont.c
index c9ebdbaabe..b79b1b60da 100644
--- a/src/lib/libssl/src/crypto/bn/bn_mont.c
+++ b/src/lib/libssl/src/crypto/bn/bn_mont.c
@@ -273,7 +273,7 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
        BN_init(&Ri);
        R= &(mont->RR);                                 /* grab RR as a temp */
-        BN_copy(&(mont->N),mod);                        /* Set N */
+        if (!BN_copy(&(mont->N),mod)) goto err;         /* Set N */
        mont->N.neg = 0;
 #ifdef MONT_WORD
diff --git a/src/lib/libssl/src/crypto/bn/bntest.c b/src/lib/libssl/src/crypto/bn/bntest.c
index 8ef733013d..79d813d85e 100644
--- a/src/lib/libssl/src/crypto/bn/bntest.c
+++ b/src/lib/libssl/src/crypto/bn/bntest.c
@@ -232,7 +232,7 @@ int main(int argc, char *argv[])
        EXIT(0);
 err:
        BIO_puts(out,"1\n"); /* make sure the Perl script fed by bc notices
-                              * the failure, see test_bn in test/Makefile.ssl*/
+                              * the failure, see test_bn in test/Makefile */
        BIO_flush(out);
        ERR_load_crypto_strings();
        ERR_print_errors_fp(stderr);
diff --git a/src/lib/libssl/src/crypto/cast/c_skey.c b/src/lib/libssl/src/crypto/cast/c_skey.c
index 76e40005c9..dc4791a8cf 100644
--- a/src/lib/libssl/src/crypto/cast/c_skey.c
+++ b/src/lib/libssl/src/crypto/cast/c_skey.c
@@ -56,7 +56,9 @@
 * [including the GNU Public Licence.]
 */
+#include <openssl/crypto.h>
 #include <openssl/cast.h>
 #include "cast_lcl.h"
 #include "cast_s.h"
@@ -72,7 +74,7 @@
 #define S6 CAST_S_table6
 #define S7 CAST_S_table7
-void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data)
+FIPS_NON_FIPS_VCIPHER_Init(CAST)
        {
        CAST_LONG x[16];
        CAST_LONG z[16];
diff --git a/src/lib/libssl/src/crypto/cast/cast.h b/src/lib/libssl/src/crypto/cast/cast.h
index b28e4e4f3b..9e300178d9 100644
--- a/src/lib/libssl/src/crypto/cast/cast.h
+++ b/src/lib/libssl/src/crypto/cast/cast.h
@@ -81,7 +81,10 @@ typedef struct cast_key_st
        int short_key;  /* Use reduced rounds for short key */
        } CAST_KEY;
- 
+#ifdef OPENSSL_FIPS 
+void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
+#endif
 void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
 void CAST_ecb_encrypt(const unsigned char *in,unsigned char *out,CAST_KEY *key,
                      int enc);
diff --git a/src/lib/libssl/src/crypto/comp/c_zlib.c b/src/lib/libssl/src/crypto/comp/c_zlib.c
index 8c0876151a..1bd2850d15 100644
--- a/src/lib/libssl/src/crypto/comp/c_zlib.c
+++ b/src/lib/libssl/src/crypto/comp/c_zlib.c
@@ -3,6 +3,7 @@
 #include <string.h>
 #include <openssl/objects.h>
 #include <openssl/comp.h>
+#include <openssl/err.h>
 COMP_METHOD *COMP_zlib(void );
@@ -189,7 +190,17 @@ COMP_METHOD *COMP_zlib(void)
        if (!zlib_loaded)
                {
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
-                zlib_dso = DSO_load(NULL, "ZLIB", NULL, 0);
+                zlib_dso = DSO_load(NULL, "ZLIB1", NULL, 0);
+                if (!zlib_dso)
+                        {
+                        zlib_dso = DSO_load(NULL, "ZLIB", NULL, 0);
+                        if (zlib_dso)
+                                {
+                                /* Clear the errors from the first failed
+                                   DSO_load() */
+                                ERR_clear_error();
+                                }
+                        }
 #else
                zlib_dso = DSO_load(NULL, "z", NULL, 0);
 #endif
diff --git a/src/lib/libssl/src/crypto/conf/conf_def.c b/src/lib/libssl/src/crypto/conf/conf_def.c
index 2e9f52f1fd..b5a876ae68 100644
--- a/src/lib/libssl/src/crypto/conf/conf_def.c
+++ b/src/lib/libssl/src/crypto/conf/conf_def.c
@@ -632,6 +632,11 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
                        BUF_MEM_grow_clean(buf,(strlen(p)+len-(e-from)));
                        while (*p)
                                buf->data[to++]= *(p++);
+                        /* Since we change the pointer 'from', we also have
+                           to change the perceived length of the string it
+                           points at.  /RL */
+                        len -= e-from;
                        from=e;
                        }
                else
diff --git a/src/lib/libssl/src/crypto/cryptlib.c b/src/lib/libssl/src/crypto/cryptlib.c
index 2924def2bb..fef0afb29f 100644
--- a/src/lib/libssl/src/crypto/cryptlib.c
+++ b/src/lib/libssl/src/crypto/cryptlib.c
@@ -105,7 +105,9 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
        "engine",
        "ui",
        "hwcrhk",               /* This is a HACK which will disappear in 0.9.8 */
-#if CRYPTO_NUM_LOCKS != 33
+        "fips",
+        "fips2",
+#if CRYPTO_NUM_LOCKS != 35
 # error "Inconsistency between crypto.h and cryptlib.c"
 #endif
        };
@@ -478,13 +480,12 @@ const char *CRYPTO_get_lock_name(int type)
                return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS));
        }
-#ifdef _DLL
+#if defined(_WIN32) && defined(_WINDLL)
-#ifdef OPENSSL_SYS_WIN32
 /* All we really need to do is remove the 'error' state when a thread
 * detaches */
-BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason,
             LPVOID lpvReserved)
        {
        switch(fdwReason)
@@ -503,8 +504,6 @@ BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
        }
 #endif
-#endif
 void OpenSSLDie(const char *file,int line,const char *assertion)
        {
        fprintf(stderr,
@@ -512,3 +511,122 @@ void OpenSSLDie(const char *file,int line,const char *assertion)
                file,line,assertion);
        abort();
        }
+#ifdef OPENSSL_FIPS
+static int fips_started = 0;
+static int fips_mode = 0;
+static void *fips_rand_check = 0;
+static unsigned long fips_thread = 0;
+void fips_set_started(void)
+        {
+        fips_started = 1;
+        }
+int fips_is_started(void)
+        {
+        return fips_started;
+        }
+int fips_is_owning_thread(void)
+        {
+        int ret = 0;
+        if (fips_is_started())
+                {
+                CRYPTO_r_lock(CRYPTO_LOCK_FIPS2);
+                if (fips_thread != 0 && fips_thread == CRYPTO_thread_id())
+                        ret = 1;
+                CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2);
+                }
+        return ret;
+        }
+int fips_set_owning_thread(void)
+        {
+        int ret = 0;
+        if (fips_is_started())
+                {
+                CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
+                if (fips_thread == 0)
+                        {
+                        fips_thread = CRYPTO_thread_id();
+                        ret = 1;
+                        }
+                CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
+                }
+        return ret;
+        }
+int fips_clear_owning_thread(void)
+        {
+        int ret = 0;
+        if (fips_is_started())
+                {
+                CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
+                if (fips_thread == CRYPTO_thread_id())
+                        {
+                        fips_thread = 0;
+                        ret = 1;
+                        }
+                CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
+                }
+        return ret;
+        }
+void fips_set_mode(int onoff)
+        {
+        int owning_thread = fips_is_owning_thread();
+        if (fips_is_started())
+                {
+                if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS);
+                fips_mode = onoff;
+                if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS);
+                }
+        }
+void fips_set_rand_check(void *rand_check)
+        {
+        int owning_thread = fips_is_owning_thread();
+        if (fips_is_started())
+                {
+                if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS);
+                fips_rand_check = rand_check;
+                if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS);
+                }
+        }
+int FIPS_mode(void)
+        {
+        int ret = 0;
+        int owning_thread = fips_is_owning_thread();
+        if (fips_is_started())
+                {
+                if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS);
+                ret = fips_mode;
+                if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS);
+                }
+        return ret;
+        }
+void *FIPS_rand_check(void)
+        {
+        void *ret = 0;
+        int owning_thread = fips_is_owning_thread();
+        if (fips_is_started())
+                {
+                if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS);
+                ret = fips_rand_check;
+                if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS);
+                }
+        return ret;
+        }
+#endif /* OPENSSL_FIPS */
diff --git a/src/lib/libssl/src/crypto/crypto-lib.com b/src/lib/libssl/src/crypto/crypto-lib.com
index 39e78c69e5..c044ce0099 100644
--- a/src/lib/libssl/src/crypto/crypto-lib.com
+++ b/src/lib/libssl/src/crypto/crypto-lib.com
@@ -158,7 +158,7 @@ $!
 $ APPS_DES = "DES/DES,CBC3_ENC"
 $ APPS_PKCS7 = "ENC/ENC;DEC/DEC;SIGN/SIGN;VERIFY/VERIFY,EXAMPLE"
 $
-$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time"
+$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time,o_str"
 $ LIB_MD2 = "md2_dgst,md2_one"
 $ LIB_MD4 = "md4_dgst,md4_one"
 $ LIB_MD5 = "md5_dgst,md5_one"
@@ -247,7 +247,7 @@ $ LIB_X509 = "x509_def,x509_d2,x509_r2x,x509_cmp,"+ -
 $ LIB_X509V3 = "v3_bcons,v3_bitst,v3_conf,v3_extku,v3_ia5,v3_lib,"+ -
        "v3_prn,v3_utl,v3err,v3_genn,v3_alt,v3_skey,v3_akey,v3_pku,"+ -
        "v3_int,v3_enum,v3_sxnet,v3_cpols,v3_crld,v3_purp,v3_info,"+ -
-        "v3_ocsp,v3_akeya"
+        "v3_ocsp,v3_akeya,v3_pcia,v3_pci"
 $ LIB_CONF = "conf_err,conf_lib,conf_api,conf_def,conf_mod,conf_mall,conf_sap"
 $ LIB_TXT_DB = "txt_db"
 $ LIB_PKCS7 = "pk7_asn1,pk7_lib,pkcs7err,pk7_doit,pk7_smime,pk7_attr,"+ -
@@ -752,8 +752,8 @@ $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "    ALL      :  Just Build Everything."
-$     WRITE SYS$OUTPUT "    LIBRARY  :  To Compile Just The [.xxx.EXE.SSL]LIBCRYPTO.OLB Library."
+$     WRITE SYS$OUTPUT "    LIBRARY  :  To Compile Just The [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library."
-$     WRITE SYS$OUTPUT "    APPS     :  To Compile Just The [.xxx.EXE.SSL]*.EXE Programs."
+$     WRITE SYS$OUTPUT "    APPS     :  To Compile Just The [.xxx.EXE.CRYPTO]*.EXE Programs."
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT " Where 'xxx' Stands For:"
 $     WRITE SYS$OUTPUT ""
diff --git a/src/lib/libssl/src/crypto/crypto.h b/src/lib/libssl/src/crypto/crypto.h
index 273bc5e3f8..4d1dfac7f1 100644
--- a/src/lib/libssl/src/crypto/crypto.h
+++ b/src/lib/libssl/src/crypto/crypto.h
@@ -128,7 +128,9 @@ extern "C" {
 #define CRYPTO_LOCK_ENGINE              30
 #define CRYPTO_LOCK_UI                  31
 #define CRYPTO_LOCK_HWCRHK              32 /* This is a HACK which will disappear in 0.9.8 */
-#define CRYPTO_NUM_LOCKS                33
+#define CRYPTO_LOCK_FIPS                33
+#define CRYPTO_LOCK_FIPS2               34
+#define CRYPTO_NUM_LOCKS                35
 #define CRYPTO_LOCK             1
 #define CRYPTO_UNLOCK           2
@@ -434,6 +436,63 @@ void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb);
 void OpenSSLDie(const char *file,int line,const char *assertion);
 #define OPENSSL_assert(e)       ((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
+#ifdef OPENSSL_FIPS
+int FIPS_mode(void);
+void *FIPS_rand_check(void);
+#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
+                alg " previous FIPS forbidden algorithm error ignored");
+#define FIPS_BAD_ABORT(alg) OpenSSLDie(__FILE__, __LINE__, \
+                #alg " Algorithm forbidden in FIPS mode");
+#ifdef OPENSSL_FIPS_STRICT
+#define FIPS_BAD_ALGORITHM(alg) FIPS_BAD_ABORT(alg)
+#else
+#define FIPS_BAD_ALGORITHM(alg) \
+        { \
+        FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD); \
+        ERR_add_error_data(2, "Algorithm=", #alg); \
+        return 0; \
+        }
+#endif
+/* Low level digest API blocking macro */
+#define FIPS_NON_FIPS_MD_Init(alg) \
+        int alg##_Init(alg##_CTX *c) \
+                { \
+                if (FIPS_mode()) \
+                        FIPS_BAD_ALGORITHM(alg) \
+                return private_##alg##_Init(c); \
+                } \
+        int private_##alg##_Init(alg##_CTX *c)
+/* For ciphers the API often varies from cipher to cipher and each needs to
+ * be treated as a special case. Variable key length ciphers (Blowfish, RC4,
+ * CAST) however are very similar and can use a blocking macro.
+ */
+#define FIPS_NON_FIPS_VCIPHER_Init(alg) \
+        void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data) \
+                { \
+                if (FIPS_mode()) \
+                        FIPS_BAD_ABORT(alg) \
+                private_##alg##_set_key(key, len, data); \
+                } \
+        void private_##alg##_set_key(alg##_KEY *key, int len, \
+                                        const unsigned char *data)
+#else
+#define FIPS_NON_FIPS_VCIPHER_Init(alg) \
+        void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data)
+#define FIPS_NON_FIPS_MD_Init(alg) \
+        int alg##_Init(alg##_CTX *c) 
+#endif /* def OPENSSL_FIPS */
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.
diff --git a/src/lib/libssl/src/crypto/des/cfb64ede.c b/src/lib/libssl/src/crypto/des/cfb64ede.c
index 60c1aa08db..f3c6018528 100644
--- a/src/lib/libssl/src/crypto/des/cfb64ede.c
+++ b/src/lib/libssl/src/crypto/des/cfb64ede.c
@@ -57,6 +57,7 @@
 */
 #include "des_locl.h"
+#include "e_os.h"
 /* The input and output encrypted as though 64bit cfb mode is being
 * used.  The extra state information to record how much of the
@@ -140,3 +141,114 @@ void DES_ede2_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
        DES_ede3_cfb64_encrypt(in,out,length,ks1,ks2,ks1,ivec,num,enc);
        }
 #endif
+/* This is compatible with the single key CFB-r for DES, even thought that's
+ * not what EVP needs.
+ */
+void DES_ede3_cfb_encrypt(const unsigned char *in,unsigned char *out,
+                          int numbits,long length,DES_key_schedule *ks1,
+                          DES_key_schedule *ks2,DES_key_schedule *ks3,
+                          DES_cblock *ivec,int enc)
+        {
+        register DES_LONG d0,d1,v0,v1;
+        register long l=length;
+        register int num=numbits,n=(numbits+7)/8,i;
+        DES_LONG ti[2];
+        unsigned char *iv;
+        unsigned char ovec[16];
+        if (num > 64) return;
+        iv = &(*ivec)[0];
+        c2l(iv,v0);
+        c2l(iv,v1);
+        if (enc)
+                {
+                while (l >= n)
+                        {
+                        l-=n;
+                        ti[0]=v0;
+                        ti[1]=v1;
+                        DES_encrypt3(ti,ks1,ks2,ks3);
+                        c2ln(in,d0,d1,n);
+                        in+=n;
+                        d0^=ti[0];
+                        d1^=ti[1];
+                        l2cn(d0,d1,out,n);
+                        out+=n;
+                        /* 30-08-94 - eay - changed because l>>32 and
+                         * l<<32 are bad under gcc :-( */
+                        if (num == 32)
+                                { v0=v1; v1=d0; }
+                        else if (num == 64)
+                                { v0=d0; v1=d1; }
+                        else
+                                {
+                                iv=&ovec[0];
+                                l2c(v0,iv);
+                                l2c(v1,iv);
+                                l2c(d0,iv);
+                                l2c(d1,iv);
+                                /* shift ovec left most of the bits... */
+                                memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
+                                /* now the remaining bits */
+                                if(num%8 != 0)
+                                        for(i=0 ; i < 8 ; ++i)
+                                                {
+                                                ovec[i]<<=num%8;
+                                                ovec[i]|=ovec[i+1]>>(8-num%8);
+                                                }
+                                iv=&ovec[0];
+                                c2l(iv,v0);
+                                c2l(iv,v1);
+                                }
+                        }
+                }
+        else
+                {
+                while (l >= n)
+                        {
+                        l-=n;
+                        ti[0]=v0;
+                        ti[1]=v1;
+                        DES_encrypt3(ti,ks1,ks2,ks3);
+                        c2ln(in,d0,d1,n);
+                        in+=n;
+                        /* 30-08-94 - eay - changed because l>>32 and
+                         * l<<32 are bad under gcc :-( */
+                        if (num == 32)
+                                { v0=v1; v1=d0; }
+                        else if (num == 64)
+                                { v0=d0; v1=d1; }
+                        else
+                                {
+                                iv=&ovec[0];
+                                l2c(v0,iv);
+                                l2c(v1,iv);
+                                l2c(d0,iv);
+                                l2c(d1,iv);
+                                /* shift ovec left most of the bits... */
+                                memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
+                                /* now the remaining bits */
+                                if(num%8 != 0)
+                                        for(i=0 ; i < 8 ; ++i)
+                                                {
+                                                ovec[i]<<=num%8;
+                                                ovec[i]|=ovec[i+1]>>(8-num%8);
+                                                }
+                                iv=&ovec[0];
+                                c2l(iv,v0);
+                                c2l(iv,v1);
+                                }
+                        d0^=ti[0];
+                        d1^=ti[1];
+                        l2cn(d0,d1,out,n);
+                        out+=n;
+                        }
+                }
+        iv = &(*ivec)[0];
+        l2c(v0,iv);
+        l2c(v1,iv);
+        v0=v1=d0=d1=ti[0]=ti[1]=0;
+        }
diff --git a/src/lib/libssl/src/crypto/des/des.h b/src/lib/libssl/src/crypto/des/des.h
index dfe5ff64e4..81bd874edd 100644
--- a/src/lib/libssl/src/crypto/des/des.h
+++ b/src/lib/libssl/src/crypto/des/des.h
@@ -130,7 +130,7 @@ OPENSSL_DECLARE_GLOBAL(int,DES_rw_mode);	/* defaults to DES_PCBC_MODE */
 #define DES_rw_mode OPENSSL_GLOBAL_REF(DES_rw_mode)
 const char *DES_options(void);
-void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output,
+void DES_ecb3_encrypt(const unsigned char *input, unsigned char *output,
                      DES_key_schedule *ks1,DES_key_schedule *ks2,
                      DES_key_schedule *ks3, int enc);
 DES_LONG DES_cbc_cksum(const unsigned char *input,DES_cblock *output,
@@ -189,6 +189,10 @@ void DES_ede3_cfb64_encrypt(const unsigned char *in,unsigned char *out,
                            long length,DES_key_schedule *ks1,
                            DES_key_schedule *ks2,DES_key_schedule *ks3,
                            DES_cblock *ivec,int *num,int enc);
+void DES_ede3_cfb_encrypt(const unsigned char *in,unsigned char *out,
+                          int numbits,long length,DES_key_schedule *ks1,
+                          DES_key_schedule *ks2,DES_key_schedule *ks3,
+                          DES_cblock *ivec,int enc);
 void DES_ede3_ofb64_encrypt(const unsigned char *in,unsigned char *out,
                            long length,DES_key_schedule *ks1,
                            DES_key_schedule *ks2,DES_key_schedule *ks3,
diff --git a/src/lib/libssl/src/crypto/des/des_enc.c b/src/lib/libssl/src/crypto/des/des_enc.c
index 4f09804c44..6a49ec4a55 100644
--- a/src/lib/libssl/src/crypto/des/des_enc.c
+++ b/src/lib/libssl/src/crypto/des/des_enc.c
@@ -58,7 +58,9 @@
 #include "des_locl.h"
+#ifndef OPENSSL_FIPS
 #ifndef OPENBSD_DES_ASM
 void DES_encrypt1(DES_LONG *data, DES_key_schedule *ks, int enc)
        {
        register DES_LONG l,r,t,u;
@@ -289,8 +291,12 @@ void DES_decrypt3(DES_LONG *data, DES_key_schedule *ks1,
        data[1]=r;
        }
+#endif /* ndef OPENSSL_FIPS */
 #ifndef DES_DEFAULT_OPTIONS
+#if !defined(OPENSSL_FIPS_DES_ASM)
 #undef CBC_ENC_C__DONT_UPDATE_IV
 #include "ncbc_enc.c" /* DES_ncbc_encrypt */
@@ -406,4 +412,6 @@ void DES_ede3_cbc_encrypt(const unsigned char *input, unsigned char *output,
        tin[0]=tin[1]=0;
        }
+#endif /* !defined(OPENSSL_FIPS_DES_ASM) */
 #endif /* DES_DEFAULT_OPTIONS */
diff --git a/src/lib/libssl/src/crypto/des/des_old.c b/src/lib/libssl/src/crypto/des/des_old.c
index 7e4cd7180d..88e9802aad 100644
--- a/src/lib/libssl/src/crypto/des/des_old.c
+++ b/src/lib/libssl/src/crypto/des/des_old.c
@@ -84,7 +84,7 @@ void _ossl_old_des_ecb3_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock
        des_key_schedule ks1,des_key_schedule ks2,
        des_key_schedule ks3, int enc)
        {
-        DES_ecb3_encrypt((const_DES_cblock *)input, output,
+        DES_ecb3_encrypt((const unsigned char *)input, (unsigned char *)output,
                (DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
                (DES_key_schedule *)ks3, enc);
        }
diff --git a/src/lib/libssl/src/crypto/des/destest.c b/src/lib/libssl/src/crypto/des/destest.c
index 3983ac8e5f..e3e9d77f14 100644
--- a/src/lib/libssl/src/crypto/des/destest.c
+++ b/src/lib/libssl/src/crypto/des/destest.c
@@ -439,8 +439,8 @@ int main(int argc, char *argv[])
                memcpy(in,plain_data[i],8);
                memset(out,0,8);
                memset(outin,0,8);
-                des_ecb2_encrypt(&in,&out,ks,ks2,DES_ENCRYPT);
+                des_ecb2_encrypt(in,out,ks,ks2,DES_ENCRYPT);
-                des_ecb2_encrypt(&out,&outin,ks,ks2,DES_DECRYPT);
+                des_ecb2_encrypt(out,outin,ks,ks2,DES_DECRYPT);
                if (memcmp(out,cipher_ecb2[i],8) != 0)
                        {
diff --git a/src/lib/libssl/src/crypto/des/ecb3_enc.c b/src/lib/libssl/src/crypto/des/ecb3_enc.c
index c3437bc606..fa0c9c4d4f 100644
--- a/src/lib/libssl/src/crypto/des/ecb3_enc.c
+++ b/src/lib/libssl/src/crypto/des/ecb3_enc.c
@@ -58,15 +58,13 @@
 #include "des_locl.h"
-void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output,
+void DES_ecb3_encrypt(const unsigned char *in, unsigned char *out,
                      DES_key_schedule *ks1, DES_key_schedule *ks2,
                      DES_key_schedule *ks3,
             int enc)
        {
        register DES_LONG l0,l1;
        DES_LONG ll[2];
-        const unsigned char *in = &(*input)[0];
-        unsigned char *out = &(*output)[0];
        c2l(in,l0);
        c2l(in,l1);
diff --git a/src/lib/libssl/src/crypto/des/set_key.c b/src/lib/libssl/src/crypto/des/set_key.c
index 143008ed9c..8881d46a7a 100644
--- a/src/lib/libssl/src/crypto/des/set_key.c
+++ b/src/lib/libssl/src/crypto/des/set_key.c
@@ -65,6 +65,8 @@
 */
 #include "des_locl.h"
+#ifndef OPENSSL_FIPS
 OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key);    /* defaults to false */
 static const unsigned char odd_parity[256]={
@@ -405,3 +407,5 @@ void des_fixup_key_parity(des_cblock *key)
        des_set_odd_parity(key);
        }
 */
+#endif /* ndef OPENSSL_FIPS */
diff --git a/src/lib/libssl/src/crypto/dh/dh_check.c b/src/lib/libssl/src/crypto/dh/dh_check.c
index f0373f7d68..a7e9920efb 100644
--- a/src/lib/libssl/src/crypto/dh/dh_check.c
+++ b/src/lib/libssl/src/crypto/dh/dh_check.c
@@ -70,6 +70,8 @@
 * should hold.
 */
+#ifndef OPENSSL_FIPS
 int DH_check(const DH *dh, int *ret)
        {
        int ok=0;
@@ -118,3 +120,5 @@ err:
        if (q != NULL) BN_free(q);
        return(ok);
        }
+#endif
diff --git a/src/lib/libssl/src/crypto/dh/dh_err.c b/src/lib/libssl/src/crypto/dh/dh_err.c
index d837950aec..c2715044c9 100644
--- a/src/lib/libssl/src/crypto/dh/dh_err.c
+++ b/src/lib/libssl/src/crypto/dh/dh_err.c
@@ -1,6 +1,6 @@
 /* crypto/dh/dh_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
diff --git a/src/lib/libssl/src/crypto/dh/dh_gen.c b/src/lib/libssl/src/crypto/dh/dh_gen.c
index 06f78b35ab..23777f5a16 100644
--- a/src/lib/libssl/src/crypto/dh/dh_gen.c
+++ b/src/lib/libssl/src/crypto/dh/dh_gen.c
@@ -86,6 +86,9 @@
 * It's just as OK (and in some sense better) to use a generator of the
 * order-q subgroup.
 */
+#ifndef OPENSSL_FIPS
 DH *DH_generate_parameters(int prime_len, int generator,
             void (*callback)(int,int,void *), void *cb_arg)
        {
@@ -146,6 +149,7 @@ DH *DH_generate_parameters(int prime_len, int generator,
        if (callback != NULL) callback(3,0,cb_arg);
        ret->p=p;
        ret->g=BN_new();
+        if (ret->g == NULL) goto err;
        if (!BN_set_word(ret->g,g)) goto err;
        ok=1;
 err:
@@ -167,3 +171,5 @@ err:
                }
        return(ret);
        }
+#endif
diff --git a/src/lib/libssl/src/crypto/dh/dh_key.c b/src/lib/libssl/src/crypto/dh/dh_key.c
index 77f2f50b51..ff125c2296 100644
--- a/src/lib/libssl/src/crypto/dh/dh_key.c
+++ b/src/lib/libssl/src/crypto/dh/dh_key.c
@@ -62,6 +62,8 @@
 #include <openssl/rand.h>
 #include <openssl/dh.h>
+#ifndef OPENSSL_FIPS
 static int generate_key(DH *dh);
 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
@@ -220,3 +222,5 @@ static int dh_finish(DH *dh)
                BN_MONT_CTX_free((BN_MONT_CTX *)dh->method_mont_p);
        return(1);
        }
+#endif
diff --git a/src/lib/libssl/src/crypto/dsa/dsa.h b/src/lib/libssl/src/crypto/dsa/dsa.h
index 9b3baadf2c..225ff391f9 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa.h
+++ b/src/lib/libssl/src/crypto/dsa/dsa.h
@@ -81,6 +81,10 @@
 #define DSA_FLAG_CACHE_MONT_P   0x01
+#if defined(OPENSSL_FIPS)
+#define FIPS_DSA_SIZE_T int
+#endif
 #ifdef  __cplusplus
 extern "C" {
 #endif
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_gen.c b/src/lib/libssl/src/crypto/dsa/dsa_gen.c
index dc9c249310..e40afeea51 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_gen.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_gen.c
@@ -80,6 +80,7 @@
 #include <openssl/rand.h>
 #include <openssl/sha.h>
+#ifndef OPENSSL_FIPS
 DSA *DSA_generate_parameters(int bits,
                unsigned char *seed_in, int seed_len,
                int *counter_ret, unsigned long *h_ret,
@@ -127,8 +128,9 @@ DSA *DSA_generate_parameters(int bits,
        c = BN_CTX_get(ctx2);
        p = BN_CTX_get(ctx2);
        test = BN_CTX_get(ctx2);
+        if (test == NULL) goto err;
-        BN_lshift(test,BN_value_one(),bits-1);
+        if (!BN_lshift(test,BN_value_one(),bits-1)) goto err;
        for (;;)
                {
@@ -196,7 +198,7 @@ DSA *DSA_generate_parameters(int bits,
                                callback(0,counter,cb_arg);
                        /* step 7 */
-                        BN_zero(W);
+                        if (!BN_zero(W)) goto err;
                        /* now 'buf' contains "SEED + offset - 1" */
                        for (k=0; k<=n; k++)
                                {
@@ -212,20 +214,20 @@ DSA *DSA_generate_parameters(int bits,
                                /* step 8 */
                                if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0))
                                        goto err;
-                                BN_lshift(r0,r0,160*k);
+                                if (!BN_lshift(r0,r0,160*k)) goto err;
-                                BN_add(W,W,r0);
+                                if (!BN_add(W,W,r0)) goto err;
                                }
                        /* more of step 8 */
-                        BN_mask_bits(W,bits-1);
+                        if (!BN_mask_bits(W,bits-1)) goto err;
-                        BN_copy(X,W); /* this should be ok */
+                        if (!BN_copy(X,W)) goto err;
-                        BN_add(X,X,test); /* this should be ok */
+                        if (!BN_add(X,X,test)) goto err;
                        /* step 9 */
-                        BN_lshift1(r0,q);
+                        if (!BN_lshift1(r0,q)) goto err;
-                        BN_mod(c,X,r0,ctx);
+                        if (!BN_mod(c,X,r0,ctx)) goto err;
-                        BN_sub(r0,c,BN_value_one());
+                        if (!BN_sub(r0,c,BN_value_one())) goto err;
-                        BN_sub(p,X,r0);
+                        if (!BN_sub(p,X,r0)) goto err;
                        /* step 10 */
                        if (BN_cmp(p,test) >= 0)
@@ -251,18 +253,18 @@ end:
        /* We now need to generate g */
        /* Set r0=(p-1)/q */
-        BN_sub(test,p,BN_value_one());
+        if (!BN_sub(test,p,BN_value_one())) goto err;
-        BN_div(r0,NULL,test,q,ctx);
+        if (!BN_div(r0,NULL,test,q,ctx)) goto err;
-        BN_set_word(test,h);
+        if (!BN_set_word(test,h)) goto err;
-        BN_MONT_CTX_set(mont,p,ctx);
+        if (!BN_MONT_CTX_set(mont,p,ctx)) goto err;
        for (;;)
                {
                /* g=test^r0%p */
-                BN_mod_exp_mont(g,test,r0,p,ctx,mont);
+                if (!BN_mod_exp_mont(g,test,r0,p,ctx,mont)) goto err;
                if (!BN_is_one(g)) break;
-                BN_add(test,test,BN_value_one());
+                if (!BN_add(test,test,BN_value_one())) goto err;
                h++;
                }
@@ -279,6 +281,11 @@ err:
                ret->p=BN_dup(p);
                ret->q=BN_dup(q);
                ret->g=BN_dup(g);
+                if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
+                        {
+                        ok=0;
+                        goto err;
+                        }
                if ((m > 1) && (seed_in != NULL)) memcpy(seed_in,seed,20);
                if (counter_ret != NULL) *counter_ret=counter;
                if (h_ret != NULL) *h_ret=h;
@@ -293,4 +300,6 @@ err:
        if (mont != NULL) BN_MONT_CTX_free(mont);
        return(ok?ret:NULL);
        }
-#endif
+#endif /* ndef OPENSSL_FIPS */
+#endif /* ndef OPENSSL_NO_SHA */
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_key.c b/src/lib/libssl/src/crypto/dsa/dsa_key.c
index ef87c3e637..30607ca579 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_key.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_key.c
@@ -64,6 +64,7 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
+#ifndef OPENSSL_FIPS
 int DSA_generate_key(DSA *dsa)
        {
        int ok=0;
@@ -103,3 +104,4 @@ err:
        return(ok);
        }
 #endif
+#endif
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
index b9e7f3ea5c..f1a85afcde 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
@@ -65,6 +65,7 @@
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
+#ifndef OPENSSL_FIPS
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
 static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
@@ -346,3 +347,4 @@ static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
 {
        return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
 }
+#endif
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_sign.c b/src/lib/libssl/src/crypto/dsa/dsa_sign.c
index 89205026f0..3c9753bac3 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_sign.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_sign.c
@@ -64,9 +64,17 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+#include <openssl/fips.h>
 DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
        {
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode() && !FIPS_dsa_check(dsa))
+                return NULL;
+#endif
        return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
        }
@@ -87,6 +95,10 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
        {
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode() && !FIPS_dsa_check(dsa))
+                return 0;
+#endif
        return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
        }
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_vrf.c b/src/lib/libssl/src/crypto/dsa/dsa_vrf.c
index c4aeddd056..8ef0c45025 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_vrf.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_vrf.c
@@ -65,10 +65,18 @@
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1_mac.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+#include <openssl/fips.h>
 int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                  DSA *dsa)
        {
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode() && !FIPS_dsa_check(dsa))
+                return -1;
+#endif
        return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
        }
diff --git a/src/lib/libssl/src/crypto/dso/dso_win32.c b/src/lib/libssl/src/crypto/dso/dso_win32.c
index 6c30deb250..3fa90eb27c 100644
--- a/src/lib/libssl/src/crypto/dso/dso_win32.c
+++ b/src/lib/libssl/src/crypto/dso/dso_win32.c
@@ -61,7 +61,7 @@
 #include "cryptlib.h"
 #include <openssl/dso.h>
-#if !defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE)
+#if !defined(DSO_WIN32)
 DSO_METHOD *DSO_METHOD_win32(void)
        {
        return NULL;
diff --git a/src/lib/libssl/src/crypto/engine/hw_cryptodev.c b/src/lib/libssl/src/crypto/engine/hw_cryptodev.c
index 0ca442af8a..41184b6786 100644
--- a/src/lib/libssl/src/crypto/engine/hw_cryptodev.c
+++ b/src/lib/libssl/src/crypto/engine/hw_cryptodev.c
@@ -93,7 +93,7 @@ static int open_dev_crypto(void);
 static int get_dev_crypto(void);
 static struct dev_crypto_cipher *cipher_nid_to_cryptodev(int nid);
 static int get_cryptodev_ciphers(const int **cnids);
-static int get_cryptodev_digests(const int **cnids);
+/*static int get_cryptodev_digests(const int **cnids);*/
 static int cryptodev_usable_ciphers(const int **nids);
 static int cryptodev_usable_digests(const int **nids);
 static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
@@ -150,6 +150,7 @@ static struct dev_crypto_cipher ciphers[] = {
        { 0,                            NID_undef,              0,       0, },
 };
+#if 0 /* UNUSED */
 static struct {
        int     id;
        int     nid;
@@ -162,6 +163,7 @@ static struct {
        { CRYPTO_SHA1,                  NID_undef,              },
        { 0,                            NID_undef,              },
 };
+#endif
 /*
 * Return a fd if /dev/crypto seems usable, -1 otherwise.
@@ -297,6 +299,7 @@ get_cryptodev_ciphers(const int **cnids)
 * returning them here is harmless, as long as we return NULL
 * when asked for a handler in the cryptodev_engine_digests routine
 */
+#if 0 /* UNUSED */
 static int
 get_cryptodev_digests(const int **cnids)
 {
@@ -326,6 +329,7 @@ get_cryptodev_digests(const int **cnids)
                *cnids = NULL;
        return (count);
 }
+#endif
 /*
 * Find the useable ciphers|digests from dev/crypto - this is the first
@@ -832,7 +836,7 @@ static int
 bn2crparam(const BIGNUM *a, struct crparam *crp)
 {
        int i, j, k;
-        ssize_t words, bytes, bits;
+        ssize_t bytes, bits;
        u_char *b;
        crp->crp_p = NULL;
diff --git a/src/lib/libssl/src/crypto/err/err.c b/src/lib/libssl/src/crypto/err/err.c
index 792f329600..c78790a54c 100644
--- a/src/lib/libssl/src/crypto/err/err.c
+++ b/src/lib/libssl/src/crypto/err/err.c
@@ -149,6 +149,7 @@ static ERR_STRING_DATA ERR_str_libraries[]=
 {ERR_PACK(ERR_LIB_DSO,0,0)              ,"DSO support routines"},
 {ERR_PACK(ERR_LIB_ENGINE,0,0)           ,"engine routines"},
 {ERR_PACK(ERR_LIB_OCSP,0,0)             ,"OCSP routines"},
+{ERR_PACK(ERR_LIB_FIPS,0,0)             ,"FIPS routines"},
 {0,NULL},
        };
@@ -167,6 +168,7 @@ static ERR_STRING_DATA ERR_str_functs[]=
 #endif
        {ERR_PACK(0,SYS_F_OPENDIR,0),           "opendir"},
        {ERR_PACK(0,SYS_F_FREAD,0),             "fread"},
+        {ERR_PACK(0,SYS_F_GETADDRINFO,0),       "getaddrinfo"},
        {0,NULL},
        };
diff --git a/src/lib/libssl/src/crypto/err/err.h b/src/lib/libssl/src/crypto/err/err.h
index 8faa3a7b4f..2efa18866a 100644
--- a/src/lib/libssl/src/crypto/err/err.h
+++ b/src/lib/libssl/src/crypto/err/err.h
@@ -131,6 +131,7 @@ typedef struct err_state_st
 #define ERR_LIB_OCSP            39
 #define ERR_LIB_UI              40
 #define ERR_LIB_COMP            41
+#define ERR_LIB_FIPS            42
 #define ERR_LIB_USER            128
@@ -159,6 +160,7 @@ typedef struct err_state_st
 #define OCSPerr(f,r) ERR_PUT_error(ERR_LIB_OCSP,(f),(r),__FILE__,__LINE__)
 #define UIerr(f,r) ERR_PUT_error(ERR_LIB_UI,(f),(r),__FILE__,__LINE__)
 #define COMPerr(f,r) ERR_PUT_error(ERR_LIB_COMP,(f),(r),__FILE__,__LINE__)
+#define FIPSerr(f,r) ERR_PUT_error(ERR_LIB_FIPS,(f),(r),__FILE__,__LINE__)
 /* Borland C seems too stupid to be able to shift and do longs in
 * the pre-processor :-( */
@@ -183,6 +185,7 @@ typedef struct err_state_st
 #define SYS_F_WSASTARTUP        9 /* Winsock stuff */
 #define SYS_F_OPENDIR           10
 #define SYS_F_FREAD             11
+#define SYS_F_GETADDRINFO       12
 /* reasons */
diff --git a/src/lib/libssl/src/crypto/err/err_all.c b/src/lib/libssl/src/crypto/err/err_all.c
index dc505d9d9d..4dc9300892 100644
--- a/src/lib/libssl/src/crypto/err/err_all.c
+++ b/src/lib/libssl/src/crypto/err/err_all.c
@@ -87,6 +87,7 @@
 #endif
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
+#include <openssl/fips.h>
 void ERR_load_crypto_strings(void)
        {
@@ -130,4 +131,7 @@ void ERR_load_crypto_strings(void)
        ERR_load_OCSP_strings();
        ERR_load_UI_strings();
 #endif
+#ifdef OPENSSL_FIPS
+        ERR_load_FIPS_strings();
+#endif
        }
diff --git a/src/lib/libssl/src/crypto/err/openssl.ec b/src/lib/libssl/src/crypto/err/openssl.ec
index 29a69dfdd4..447a7f87ed 100644
--- a/src/lib/libssl/src/crypto/err/openssl.ec
+++ b/src/lib/libssl/src/crypto/err/openssl.ec
@@ -27,6 +27,7 @@ L DSO		crypto/dso/dso.h		crypto/dso/dso_err.c
 L ENGINE        crypto/engine/engine.h          crypto/engine/eng_err.c
 L OCSP          crypto/ocsp/ocsp.h              crypto/ocsp/ocsp_err.c
 L UI            crypto/ui/ui.h                  crypto/ui/ui_err.c
+L FIPS          fips/fips.h                     fips/fips_err.h
 # additional header files to be scanned for function names
 L NONE          crypto/x509/x509_vfy.h          NONE
diff --git a/src/lib/libssl/src/crypto/evp/bio_md.c b/src/lib/libssl/src/crypto/evp/bio_md.c
index c632dfb202..f4aa41ac4b 100644
--- a/src/lib/libssl/src/crypto/evp/bio_md.c
+++ b/src/lib/libssl/src/crypto/evp/bio_md.c
@@ -176,10 +176,11 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
                {
        case BIO_CTRL_RESET:
                if (b->init)
-                        EVP_DigestInit_ex(ctx,ctx->digest, NULL);
+                        ret = EVP_DigestInit_ex(ctx,ctx->digest, NULL);
                else
                        ret=0;
-                ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                if (ret > 0)
+                        ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
                break;
        case BIO_C_GET_MD:
                if (b->init)
@@ -191,11 +192,12 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
                        ret=0;
                break;
        case BIO_C_GET_MD_CTX:
+                pctx=ptr;
+                *pctx=ctx;
+                break;
+        case BIO_C_SET_MD_CTX:
                if (b->init)
-                        {
+                        b->ptr=ptr;
-                        pctx=ptr;
-                        *pctx=ctx;
-                        }
                else
                        ret=0;
                break;
@@ -207,8 +209,9 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
        case BIO_C_SET_MD:
                md=ptr;
-                EVP_DigestInit_ex(ctx,md, NULL);
+                ret = EVP_DigestInit_ex(ctx,md, NULL);
-                b->init=1;
+                if (ret > 0)
+                        b->init=1;
                break;
        case BIO_CTRL_DUP:
                dbio=ptr;
diff --git a/src/lib/libssl/src/crypto/evp/c_allc.c b/src/lib/libssl/src/crypto/evp/c_allc.c
index 341a958fd4..fc96812365 100644
--- a/src/lib/libssl/src/crypto/evp/c_allc.c
+++ b/src/lib/libssl/src/crypto/evp/c_allc.c
@@ -67,6 +67,8 @@ void OpenSSL_add_all_ciphers(void)
 #ifndef OPENSSL_NO_DES
        EVP_add_cipher(EVP_des_cfb());
+        EVP_add_cipher(EVP_des_cfb1());
+        EVP_add_cipher(EVP_des_cfb8());
        EVP_add_cipher(EVP_des_ede_cfb());
        EVP_add_cipher(EVP_des_ede3_cfb());
@@ -150,6 +152,8 @@ void OpenSSL_add_all_ciphers(void)
        EVP_add_cipher(EVP_aes_128_ecb());
        EVP_add_cipher(EVP_aes_128_cbc());
        EVP_add_cipher(EVP_aes_128_cfb());
+        EVP_add_cipher(EVP_aes_128_cfb1());
+        EVP_add_cipher(EVP_aes_128_cfb8());
        EVP_add_cipher(EVP_aes_128_ofb());
 #if 0
        EVP_add_cipher(EVP_aes_128_ctr());
@@ -159,6 +163,8 @@ void OpenSSL_add_all_ciphers(void)
        EVP_add_cipher(EVP_aes_192_ecb());
        EVP_add_cipher(EVP_aes_192_cbc());
        EVP_add_cipher(EVP_aes_192_cfb());
+        EVP_add_cipher(EVP_aes_192_cfb1());
+        EVP_add_cipher(EVP_aes_192_cfb8());
        EVP_add_cipher(EVP_aes_192_ofb());
 #if 0
        EVP_add_cipher(EVP_aes_192_ctr());
@@ -168,6 +174,8 @@ void OpenSSL_add_all_ciphers(void)
        EVP_add_cipher(EVP_aes_256_ecb());
        EVP_add_cipher(EVP_aes_256_cbc());
        EVP_add_cipher(EVP_aes_256_cfb());
+        EVP_add_cipher(EVP_aes_256_cfb1());
+        EVP_add_cipher(EVP_aes_256_cfb8());
        EVP_add_cipher(EVP_aes_256_ofb());
 #if 0
        EVP_add_cipher(EVP_aes_256_ctr());
diff --git a/src/lib/libssl/src/crypto/evp/c_alld.c b/src/lib/libssl/src/crypto/evp/c_alld.c
index be91cdb037..aae7bf7482 100644
--- a/src/lib/libssl/src/crypto/evp/c_alld.c
+++ b/src/lib/libssl/src/crypto/evp/c_alld.c
@@ -75,7 +75,7 @@ void OpenSSL_add_all_digests(void)
        EVP_add_digest_alias(SN_md5,"ssl2-md5");
        EVP_add_digest_alias(SN_md5,"ssl3-md5");
 #endif
-#ifndef OPENSSL_NO_SHA
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0)
        EVP_add_digest(EVP_sha());
 #ifndef OPENSSL_NO_DSA
        EVP_add_digest(EVP_dss());
diff --git a/src/lib/libssl/src/crypto/evp/digest.c b/src/lib/libssl/src/crypto/evp/digest.c
index 0623ddf1f0..f21c63842c 100644
--- a/src/lib/libssl/src/crypto/evp/digest.c
+++ b/src/lib/libssl/src/crypto/evp/digest.c
@@ -137,6 +137,39 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
        return EVP_DigestInit_ex(ctx, type, NULL);
        }
+#ifdef OPENSSL_FIPS
+/* The purpose of these is to trap programs that attempt to use non FIPS
+ * algorithms in FIPS mode and ignore the errors.
+ */
+static int bad_init(EVP_MD_CTX *ctx)
+        { FIPS_ERROR_IGNORED("Digest init"); return 0;}
+static int bad_update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+        { FIPS_ERROR_IGNORED("Digest update"); return 0;}
+static int bad_final(EVP_MD_CTX *ctx,unsigned char *md)
+        { FIPS_ERROR_IGNORED("Digest Final"); return 0;}
+static const EVP_MD bad_md =
+        {
+        0,
+        0,
+        0,
+        0,
+        bad_init,
+        bad_update,
+        bad_final,
+        NULL,
+        NULL,
+        NULL,
+        0,
+        {0,0,0,0},
+        };
+#endif
 int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
        {
        EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
@@ -195,6 +228,18 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
 #endif
        if (ctx->digest != type)
                {
+#ifdef OPENSSL_FIPS
+                if (FIPS_mode())
+                        {
+                        if (!(type->flags & EVP_MD_FLAG_FIPS) 
+                         && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
+                                {
+                                EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_DISABLED_FOR_FIPS);
+                                ctx->digest = &bad_md;
+                                return 0;
+                                }
+                        }
+#endif
                if (ctx->digest && ctx->digest->ctx_size)
                        OPENSSL_free(ctx->md_data);
                ctx->digest=type;
diff --git a/src/lib/libssl/src/crypto/evp/e_aes.c b/src/lib/libssl/src/crypto/evp/e_aes.c
index fe8bcda631..f35036c9d7 100644
--- a/src/lib/libssl/src/crypto/evp/e_aes.c
+++ b/src/lib/libssl/src/crypto/evp/e_aes.c
@@ -67,34 +67,52 @@ typedef struct
 IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY,
                       NID_aes_128, 16, 16, 16, 128,
-                       0, aes_init_key, NULL, 
+                       EVP_CIPH_FLAG_FIPS, aes_init_key, NULL, 
                       EVP_CIPHER_set_asn1_iv,
                       EVP_CIPHER_get_asn1_iv,
                       NULL)
 IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY,
                       NID_aes_192, 16, 24, 16, 128,
-                       0, aes_init_key, NULL, 
+                       EVP_CIPH_FLAG_FIPS, aes_init_key, NULL, 
                       EVP_CIPHER_set_asn1_iv,
                       EVP_CIPHER_get_asn1_iv,
                       NULL)
 IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY,
                       NID_aes_256, 16, 32, 16, 128,
-                       0, aes_init_key, NULL, 
+                       EVP_CIPH_FLAG_FIPS, aes_init_key, NULL, 
                       EVP_CIPHER_set_asn1_iv,
                       EVP_CIPHER_get_asn1_iv,
                       NULL)
+#define IMPLEMENT_AES_CFBR(ksize,cbits,flags)   IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16,flags)
+IMPLEMENT_AES_CFBR(128,1,0)
+IMPLEMENT_AES_CFBR(192,1,0)
+IMPLEMENT_AES_CFBR(256,1,0)
+IMPLEMENT_AES_CFBR(128,8,EVP_CIPH_FLAG_FIPS)
+IMPLEMENT_AES_CFBR(192,8,EVP_CIPH_FLAG_FIPS)
+IMPLEMENT_AES_CFBR(256,8,EVP_CIPH_FLAG_FIPS)
 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-                   const unsigned char *iv, int enc) {
+                   const unsigned char *iv, int enc)
+        {
+        int ret;
        if ((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CFB_MODE
            || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_OFB_MODE
            || enc) 
-                AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
+                ret=AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
        else
-                AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
+                ret=AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
+        if(ret < 0)
+                {
+                EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
+                return 0;
+                }
        return 1;
-}
+        }
 #endif
diff --git a/src/lib/libssl/src/crypto/evp/e_des.c b/src/lib/libssl/src/crypto/evp/e_des.c
index 105266a4b3..46e2899825 100644
--- a/src/lib/libssl/src/crypto/evp/e_des.c
+++ b/src/lib/libssl/src/crypto/evp/e_des.c
@@ -56,9 +56,9 @@
 * [including the GNU Public Licence.]
 */
-#ifndef OPENSSL_NO_DES
 #include <stdio.h>
 #include "cryptlib.h"
+#ifndef OPENSSL_NO_DES
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "evp_locl.h"
@@ -92,20 +92,55 @@ static int des_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
        return 1;
 }
-static int des_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+static int des_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                          const unsigned char *in, unsigned int inl)
+                            const unsigned char *in, unsigned int inl)
 {
        DES_cfb64_encrypt(in, out, (long)inl, ctx->cipher_data,
                          (DES_cblock *)ctx->iv, &ctx->num, ctx->encrypt);
        return 1;
 }
+/* Although we have a CFB-r implementation for DES, it doesn't pack the right
+   way, so wrap it here */
+static int des_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                           const unsigned char *in, unsigned int inl)
+    {
+    unsigned int n;
+    unsigned char c[1],d[1];
+    for(n=0 ; n < inl ; ++n)
+        {
+        c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
+        DES_cfb_encrypt(c,d,1,1,ctx->cipher_data,(DES_cblock *)ctx->iv,
+                        ctx->encrypt);
+        out[n/8]=(out[n/8]&~(0x80 >> (n%8)))|((d[0]&0x80) >> (n%8));
+        }
+    return 1;
+    }
+static int des_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                           const unsigned char *in, unsigned int inl)
+    {
+    DES_cfb_encrypt(in,out,8,inl,ctx->cipher_data,(DES_cblock *)ctx->iv,
+                    ctx->encrypt);
+    return 1;
+    }
 BLOCK_CIPHER_defs(des, DES_key_schedule, NID_des, 8, 8, 8, 64,
-                        0, des_init_key, NULL,
+                        EVP_CIPH_FLAG_FIPS, des_init_key, NULL,
                        EVP_CIPHER_set_asn1_iv,
                        EVP_CIPHER_get_asn1_iv,
                        NULL)
+BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,1,
+                     EVP_CIPH_FLAG_FIPS,des_init_key,NULL,
+                     EVP_CIPHER_set_asn1_iv,
+                     EVP_CIPHER_get_asn1_iv,NULL)
+BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,8,
+                     EVP_CIPH_FLAG_FIPS,des_init_key,NULL,
+                     EVP_CIPHER_set_asn1_iv,
+                     EVP_CIPHER_get_asn1_iv,NULL)
 static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                        const unsigned char *iv, int enc)
diff --git a/src/lib/libssl/src/crypto/evp/e_des3.c b/src/lib/libssl/src/crypto/evp/e_des3.c
index 077860e7b6..677322bf02 100644
--- a/src/lib/libssl/src/crypto/evp/e_des3.c
+++ b/src/lib/libssl/src/crypto/evp/e_des3.c
@@ -56,9 +56,9 @@
 * [including the GNU Public Licence.]
 */
-#ifndef OPENSSL_NO_DES
 #include <stdio.h>
 #include "cryptlib.h"
+#ifndef OPENSSL_NO_DES
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "evp_locl.h"
@@ -85,7 +85,7 @@ static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, unsigned int inl)
 {
        BLOCK_CIPHER_ecb_loop()
-                DES_ecb3_encrypt((DES_cblock *)(in + i), (DES_cblock *)(out + i), 
+                DES_ecb3_encrypt(in + i,out + i, 
                                 &data(ctx)->ks1, &data(ctx)->ks2,
                                 &data(ctx)->ks3,
                                 ctx->encrypt);
@@ -121,7 +121,7 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
        return 1;
 }
-static int des_ede_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+static int des_ede_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, unsigned int inl)
 {
        DES_ede3_cfb64_encrypt(in, out, (long)inl, 
@@ -130,23 +130,62 @@ static int des_ede_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
        return 1;
 }
+/* Although we have a CFB-r implementation for 3-DES, it doesn't pack the right
+   way, so wrap it here */
+static int des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                                const unsigned char *in, unsigned int inl)
+    {
+    unsigned int n;
+    unsigned char c[1],d[1];
+    for(n=0 ; n < inl ; ++n)
+        {
+        c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
+        DES_ede3_cfb_encrypt(c,d,1,1,
+                             &data(ctx)->ks1,&data(ctx)->ks2,&data(ctx)->ks3,
+                             (DES_cblock *)ctx->iv,ctx->encrypt);
+        out[n/8]=(out[n/8]&~(0x80 >> (n%8)))|((d[0]&0x80) >> (n%8));
+        }
+    return 1;
+    }
+static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                                const unsigned char *in, unsigned int inl)
+    {
+    DES_ede3_cfb_encrypt(in,out,8,inl,
+                         &data(ctx)->ks1,&data(ctx)->ks2,&data(ctx)->ks3,
+                         (DES_cblock *)ctx->iv,ctx->encrypt);
+    return 1;
+    }
 BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
-                        0, des_ede_init_key, NULL, 
+                        EVP_CIPH_FLAG_FIPS, des_ede_init_key, NULL, 
                        EVP_CIPHER_set_asn1_iv,
                        EVP_CIPHER_get_asn1_iv,
                        NULL)
-#define des_ede3_cfb_cipher des_ede_cfb_cipher
+#define des_ede3_cfb64_cipher des_ede_cfb64_cipher
 #define des_ede3_ofb_cipher des_ede_ofb_cipher
 #define des_ede3_cbc_cipher des_ede_cbc_cipher
 #define des_ede3_ecb_cipher des_ede_ecb_cipher
 BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
-                        0, des_ede3_init_key, NULL, 
+                        EVP_CIPH_FLAG_FIPS, des_ede3_init_key, NULL, 
                        EVP_CIPHER_set_asn1_iv,
                        EVP_CIPHER_get_asn1_iv,
                        NULL)
+BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,
+                     EVP_CIPH_FLAG_FIPS, des_ede3_init_key,NULL,
+                     EVP_CIPHER_set_asn1_iv,
+                     EVP_CIPHER_get_asn1_iv,NULL)
+BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,
+                     EVP_CIPH_FLAG_FIPS, des_ede3_init_key,NULL,
+                     EVP_CIPHER_set_asn1_iv,
+                     EVP_CIPHER_get_asn1_iv,NULL)
 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                            const unsigned char *iv, int enc)
        {
diff --git a/src/lib/libssl/src/crypto/evp/e_null.c b/src/lib/libssl/src/crypto/evp/e_null.c
index 2420d7e5af..a84b0f14b1 100644
--- a/src/lib/libssl/src/crypto/evp/e_null.c
+++ b/src/lib/libssl/src/crypto/evp/e_null.c
@@ -69,7 +69,7 @@ static const EVP_CIPHER n_cipher=
        {
        NID_undef,
        1,0,0,
-        0,
+        EVP_CIPH_FLAG_FIPS,
        null_init_key,
        null_cipher,
        NULL,
diff --git a/src/lib/libssl/src/crypto/evp/e_rc4.c b/src/lib/libssl/src/crypto/evp/e_rc4.c
index d58f507837..8aa70585b9 100644
--- a/src/lib/libssl/src/crypto/evp/e_rc4.c
+++ b/src/lib/libssl/src/crypto/evp/e_rc4.c
@@ -62,6 +62,7 @@
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
+#include "evp_locl.h"
 #include <openssl/rc4.h>
 /* FIXME: surely this is available elsewhere? */
diff --git a/src/lib/libssl/src/crypto/evp/evp.h b/src/lib/libssl/src/crypto/evp/evp.h
index f9b48792ce..62d95354ef 100644
--- a/src/lib/libssl/src/crypto/evp/evp.h
+++ b/src/lib/libssl/src/crypto/evp/evp.h
@@ -75,6 +75,10 @@
 #include <openssl/bio.h>
 #endif
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
 /*
 #define EVP_RC2_KEY_SIZE                16
 #define EVP_RC4_KEY_SIZE                16
@@ -236,6 +240,7 @@ struct env_md_st
 #define EVP_MD_FLAG_ONESHOT     0x0001 /* digest can only handle a single
                                        * block */
+#define EVP_MD_FLAG_FIPS        0x0400 /* Note if suitable for use in FIPS mode */
 #define EVP_PKEY_NULL_method    NULL,NULL,{0,0,0,0}
@@ -278,6 +283,9 @@ struct env_md_ctx_st
 #define EVP_MD_CTX_FLAG_REUSE           0x0004 /* Don't free up ctx->md_data
                                                * in EVP_MD_CTX_cleanup */
+#define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW  0x0008  /* Allow use of non FIPS digest
+                                                 * in FIPS mode */
 struct evp_cipher_st
        {
        int nid;
@@ -319,6 +327,10 @@ struct evp_cipher_st
 #define         EVP_CIPH_CUSTOM_KEY_LENGTH      0x80
 /* Don't use standard block padding */
 #define         EVP_CIPH_NO_PADDING             0x100
+/* Note if suitable for use in FIPS mode */
+#define         EVP_CIPH_FLAG_FIPS              0x400
+/* Allow non FIPS cipher in FIPS mode */
+#define         EVP_CIPH_FLAG_NON_FIPS_ALLOW    0x800
 /* ctrl() values */
@@ -425,6 +437,9 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 #define EVP_CIPHER_CTX_set_app_data(e,d) ((e)->app_data=(char *)(d))
 #define EVP_CIPHER_CTX_type(c)         EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c))
 #define EVP_CIPHER_CTX_flags(e)         ((e)->cipher->flags)
+#define EVP_CIPHER_CTX_set_flags(ctx,flgs) ((ctx)->flags|=(flgs))
+#define EVP_CIPHER_CTX_clear_flags(ctx,flgs) ((ctx)->flags&=~(flgs))
+#define EVP_CIPHER_CTX_test_flags(ctx,flgs) ((ctx)->flags&(flgs))
 #define EVP_CIPHER_CTX_mode(e)          ((e)->cipher->flags & EVP_CIPH_MODE)
 #define EVP_ENCODE_LENGTH(l)    (((l+2)/3*4)+(l/48+1)*2+80)
@@ -446,6 +461,7 @@ void BIO_set_md(BIO *,const EVP_MD *md);
 #endif
 #define BIO_get_md(b,mdp)               BIO_ctrl(b,BIO_C_GET_MD,0,(char *)mdp)
 #define BIO_get_md_ctx(b,mdcp)     BIO_ctrl(b,BIO_C_GET_MD_CTX,0,(char *)mdcp)
+#define BIO_set_md_ctx(b,mdcp)     BIO_ctrl(b,BIO_C_SET_MD_CTX,0,(char *)mdcp)
 #define BIO_get_cipher_status(b)        BIO_ctrl(b,BIO_C_GET_CIPHER_STATUS,0,NULL)
 #define BIO_get_cipher_ctx(b,c_pp)      BIO_ctrl(b,BIO_C_GET_CIPHER_CTX,0,(char *)c_pp)
@@ -587,9 +603,20 @@ const EVP_CIPHER *EVP_des_ede(void);
 const EVP_CIPHER *EVP_des_ede3(void);
 const EVP_CIPHER *EVP_des_ede_ecb(void);
 const EVP_CIPHER *EVP_des_ede3_ecb(void);
-const EVP_CIPHER *EVP_des_cfb(void);
+const EVP_CIPHER *EVP_des_cfb64(void);
-const EVP_CIPHER *EVP_des_ede_cfb(void);
+# define EVP_des_cfb EVP_des_cfb64
-const EVP_CIPHER *EVP_des_ede3_cfb(void);
+const EVP_CIPHER *EVP_des_cfb1(void);
+const EVP_CIPHER *EVP_des_cfb8(void);
+const EVP_CIPHER *EVP_des_ede_cfb64(void);
+# define EVP_des_ede_cfb EVP_des_ede_cfb64
+#if 0
+const EVP_CIPHER *EVP_des_ede_cfb1(void);
+const EVP_CIPHER *EVP_des_ede_cfb8(void);
+#endif
+const EVP_CIPHER *EVP_des_ede3_cfb64(void);
+# define EVP_des_ede3_cfb EVP_des_ede3_cfb64
+const EVP_CIPHER *EVP_des_ede3_cfb1(void);
+const EVP_CIPHER *EVP_des_ede3_cfb8(void);
 const EVP_CIPHER *EVP_des_ofb(void);
 const EVP_CIPHER *EVP_des_ede_ofb(void);
 const EVP_CIPHER *EVP_des_ede3_ofb(void);
@@ -613,7 +640,8 @@ const EVP_CIPHER *EVP_rc4_40(void);
 #endif
 #ifndef OPENSSL_NO_IDEA
 const EVP_CIPHER *EVP_idea_ecb(void);
-const EVP_CIPHER *EVP_idea_cfb(void);
+const EVP_CIPHER *EVP_idea_cfb64(void);
+# define EVP_idea_cfb EVP_idea_cfb64
 const EVP_CIPHER *EVP_idea_ofb(void);
 const EVP_CIPHER *EVP_idea_cbc(void);
 #endif
@@ -622,45 +650,58 @@ const EVP_CIPHER *EVP_rc2_ecb(void);
 const EVP_CIPHER *EVP_rc2_cbc(void);
 const EVP_CIPHER *EVP_rc2_40_cbc(void);
 const EVP_CIPHER *EVP_rc2_64_cbc(void);
-const EVP_CIPHER *EVP_rc2_cfb(void);
+const EVP_CIPHER *EVP_rc2_cfb64(void);
+# define EVP_rc2_cfb EVP_rc2_cfb64
 const EVP_CIPHER *EVP_rc2_ofb(void);
 #endif
 #ifndef OPENSSL_NO_BF
 const EVP_CIPHER *EVP_bf_ecb(void);
 const EVP_CIPHER *EVP_bf_cbc(void);
-const EVP_CIPHER *EVP_bf_cfb(void);
+const EVP_CIPHER *EVP_bf_cfb64(void);
+# define EVP_bf_cfb EVP_bf_cfb64
 const EVP_CIPHER *EVP_bf_ofb(void);
 #endif
 #ifndef OPENSSL_NO_CAST
 const EVP_CIPHER *EVP_cast5_ecb(void);
 const EVP_CIPHER *EVP_cast5_cbc(void);
-const EVP_CIPHER *EVP_cast5_cfb(void);
+const EVP_CIPHER *EVP_cast5_cfb64(void);
+# define EVP_cast5_cfb EVP_cast5_cfb64
 const EVP_CIPHER *EVP_cast5_ofb(void);
 #endif
 #ifndef OPENSSL_NO_RC5
 const EVP_CIPHER *EVP_rc5_32_12_16_cbc(void);
 const EVP_CIPHER *EVP_rc5_32_12_16_ecb(void);
-const EVP_CIPHER *EVP_rc5_32_12_16_cfb(void);
+const EVP_CIPHER *EVP_rc5_32_12_16_cfb64(void);
+# define EVP_rc5_32_12_16_cfb EVP_rc5_32_12_16_cfb64
 const EVP_CIPHER *EVP_rc5_32_12_16_ofb(void);
 #endif
 #ifndef OPENSSL_NO_AES
 const EVP_CIPHER *EVP_aes_128_ecb(void);
 const EVP_CIPHER *EVP_aes_128_cbc(void);
-const EVP_CIPHER *EVP_aes_128_cfb(void);
+const EVP_CIPHER *EVP_aes_128_cfb1(void);
+const EVP_CIPHER *EVP_aes_128_cfb8(void);
+const EVP_CIPHER *EVP_aes_128_cfb128(void);
+# define EVP_aes_128_cfb EVP_aes_128_cfb128
 const EVP_CIPHER *EVP_aes_128_ofb(void);
 #if 0
 const EVP_CIPHER *EVP_aes_128_ctr(void);
 #endif
 const EVP_CIPHER *EVP_aes_192_ecb(void);
 const EVP_CIPHER *EVP_aes_192_cbc(void);
-const EVP_CIPHER *EVP_aes_192_cfb(void);
+const EVP_CIPHER *EVP_aes_192_cfb1(void);
+const EVP_CIPHER *EVP_aes_192_cfb8(void);
+const EVP_CIPHER *EVP_aes_192_cfb128(void);
+# define EVP_aes_192_cfb EVP_aes_192_cfb128
 const EVP_CIPHER *EVP_aes_192_ofb(void);
 #if 0
 const EVP_CIPHER *EVP_aes_192_ctr(void);
 #endif
 const EVP_CIPHER *EVP_aes_256_ecb(void);
 const EVP_CIPHER *EVP_aes_256_cbc(void);
-const EVP_CIPHER *EVP_aes_256_cfb(void);
+const EVP_CIPHER *EVP_aes_256_cfb1(void);
+const EVP_CIPHER *EVP_aes_256_cfb8(void);
+const EVP_CIPHER *EVP_aes_256_cfb128(void);
+# define EVP_aes_256_cfb EVP_aes_256_cfb128
 const EVP_CIPHER *EVP_aes_256_ofb(void);
 #if 0
 const EVP_CIPHER *EVP_aes_256_ctr(void);
@@ -775,13 +816,18 @@ void ERR_load_EVP_strings(void);
 /* Error codes for the EVP functions. */
 /* Function codes. */
+#define EVP_F_AES_INIT_KEY                               129
 #define EVP_F_D2I_PKEY                                   100
+#define EVP_F_EVP_ADD_CIPHER                             130
+#define EVP_F_EVP_ADD_DIGEST                             131
 #define EVP_F_EVP_CIPHERINIT                             123
 #define EVP_F_EVP_CIPHER_CTX_CTRL                        124
 #define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH              122
 #define EVP_F_EVP_DECRYPTFINAL                           101
 #define EVP_F_EVP_DIGESTINIT                             128
 #define EVP_F_EVP_ENCRYPTFINAL                           127
+#define EVP_F_EVP_GET_CIPHERBYNAME                       132
+#define EVP_F_EVP_GET_DIGESTBYNAME                       133
 #define EVP_F_EVP_MD_CTX_COPY                            110
 #define EVP_F_EVP_OPENINIT                               102
 #define EVP_F_EVP_PBE_ALG_ADD                            115
@@ -805,6 +851,7 @@ void ERR_load_EVP_strings(void);
 #define EVP_F_RC5_CTRL                                   125
 /* Reason codes. */
+#define EVP_R_AES_KEY_SETUP_FAILED                       140
 #define EVP_R_BAD_BLOCK_LENGTH                           136
 #define EVP_R_BAD_DECRYPT                                100
 #define EVP_R_BAD_KEY_LENGTH                             137
@@ -816,6 +863,7 @@ void ERR_load_EVP_strings(void);
 #define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH          138
 #define EVP_R_DECODE_ERROR                               114
 #define EVP_R_DIFFERENT_KEY_TYPES                        101
+#define EVP_R_DISABLED_FOR_FIPS                          141
 #define EVP_R_ENCODE_ERROR                               115
 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR                   119
 #define EVP_R_EXPECTING_AN_RSA_KEY                       127
diff --git a/src/lib/libssl/src/crypto/evp/evp_enc.c b/src/lib/libssl/src/crypto/evp/evp_enc.c
index 8ea5aa935d..f549eeb437 100644
--- a/src/lib/libssl/src/crypto/evp/evp_enc.c
+++ b/src/lib/libssl/src/crypto/evp/evp_enc.c
@@ -82,6 +82,48 @@ int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
        return EVP_CipherInit_ex(ctx,cipher,NULL,key,iv,enc);
        }
+#ifdef OPENSSL_FIPS
+/* The purpose of these is to trap programs that attempt to use non FIPS
+ * algorithms in FIPS mode and ignore the errors.
+ */
+int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+            const unsigned char *iv, int enc)
+        { FIPS_ERROR_IGNORED("Cipher init"); return 0;}
+int bad_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                 const unsigned char *in, unsigned int inl)
+        { FIPS_ERROR_IGNORED("Cipher update"); return 0;}
+/* NB: no cleanup because it is allowed after failed init */
+int bad_set_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
+        { FIPS_ERROR_IGNORED("Cipher set_asn1"); return 0;}
+int bad_get_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
+        { FIPS_ERROR_IGNORED("Cipher get_asn1"); return 0;}
+int bad_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
+        { FIPS_ERROR_IGNORED("Cipher ctrl"); return 0;}
+static const EVP_CIPHER bad_cipher =
+        {
+        0,
+        0,
+        0,
+        0,
+        0,
+        bad_init,
+        bad_do_cipher,
+        NULL,
+        0,
+        bad_set_asn1,
+        bad_get_asn1,
+        bad_ctrl,
+        NULL
+        };
+#endif
 int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl,
             const unsigned char *key, const unsigned char *iv, int enc)
        {
@@ -146,7 +188,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
                else
                        ctx->engine = NULL;
 #endif
                ctx->cipher=cipher;
                if (ctx->cipher->ctx_size)
                        {
@@ -210,6 +251,24 @@ skip_to_init:
                }
        }
+#ifdef OPENSSL_FIPS
+        /* After 'key' is set no further parameters changes are permissible.
+         * So only check for non FIPS enabling at this point.
+         */
+        if (key && FIPS_mode())
+                {
+                if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
+                        & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
+                        {
+                        EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_DISABLED_FOR_FIPS);
+                        ERR_add_error_data(2, "cipher=",
+                                                EVP_CIPHER_name(ctx->cipher));
+                        ctx->cipher = &bad_cipher;
+                        return 0;
+                        }
+                }
+#endif
        if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
                if(!ctx->cipher->init(ctx,key,iv,enc)) return 0;
        }
diff --git a/src/lib/libssl/src/crypto/evp/evp_err.c b/src/lib/libssl/src/crypto/evp/evp_err.c
index 3a23d21c21..40135d0729 100644
--- a/src/lib/libssl/src/crypto/evp/evp_err.c
+++ b/src/lib/libssl/src/crypto/evp/evp_err.c
@@ -1,6 +1,6 @@
 /* crypto/evp/evp_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -66,13 +66,18 @@
 #ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA EVP_str_functs[]=
        {
+{ERR_PACK(0,EVP_F_AES_INIT_KEY,0),      "AES_INIT_KEY"},
 {ERR_PACK(0,EVP_F_D2I_PKEY,0),  "D2I_PKEY"},
+{ERR_PACK(0,EVP_F_EVP_ADD_CIPHER,0),    "EVP_add_cipher"},
+{ERR_PACK(0,EVP_F_EVP_ADD_DIGEST,0),    "EVP_add_digest"},
 {ERR_PACK(0,EVP_F_EVP_CIPHERINIT,0),    "EVP_CipherInit"},
 {ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_CTRL,0),       "EVP_CIPHER_CTX_ctrl"},
 {ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH,0),     "EVP_CIPHER_CTX_set_key_length"},
 {ERR_PACK(0,EVP_F_EVP_DECRYPTFINAL,0),  "EVP_DecryptFinal"},
 {ERR_PACK(0,EVP_F_EVP_DIGESTINIT,0),    "EVP_DigestInit"},
 {ERR_PACK(0,EVP_F_EVP_ENCRYPTFINAL,0),  "EVP_EncryptFinal"},
+{ERR_PACK(0,EVP_F_EVP_GET_CIPHERBYNAME,0),      "EVP_get_cipherbyname"},
+{ERR_PACK(0,EVP_F_EVP_GET_DIGESTBYNAME,0),      "EVP_get_digestbyname"},
 {ERR_PACK(0,EVP_F_EVP_MD_CTX_COPY,0),   "EVP_MD_CTX_copy"},
 {ERR_PACK(0,EVP_F_EVP_OPENINIT,0),      "EVP_OpenInit"},
 {ERR_PACK(0,EVP_F_EVP_PBE_ALG_ADD,0),   "EVP_PBE_alg_add"},
@@ -99,6 +104,7 @@ static ERR_STRING_DATA EVP_str_functs[]=
 static ERR_STRING_DATA EVP_str_reasons[]=
        {
+{EVP_R_AES_KEY_SETUP_FAILED              ,"aes key setup failed"},
 {EVP_R_BAD_BLOCK_LENGTH                  ,"bad block length"},
 {EVP_R_BAD_DECRYPT                       ,"bad decrypt"},
 {EVP_R_BAD_KEY_LENGTH                    ,"bad key length"},
@@ -110,6 +116,7 @@ static ERR_STRING_DATA EVP_str_reasons[]=
 {EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH ,"data not multiple of block length"},
 {EVP_R_DECODE_ERROR                      ,"decode error"},
 {EVP_R_DIFFERENT_KEY_TYPES               ,"different key types"},
+{EVP_R_DISABLED_FOR_FIPS                 ,"disabled for fips"},
 {EVP_R_ENCODE_ERROR                      ,"encode error"},
 {EVP_R_EVP_PBE_CIPHERINIT_ERROR          ,"evp pbe cipherinit error"},
 {EVP_R_EXPECTING_AN_RSA_KEY              ,"expecting an rsa key"},
diff --git a/src/lib/libssl/src/crypto/evp/evp_lib.c b/src/lib/libssl/src/crypto/evp/evp_lib.c
index 52a3b287be..a63ba19317 100644
--- a/src/lib/libssl/src/crypto/evp/evp_lib.c
+++ b/src/lib/libssl/src/crypto/evp/evp_lib.c
@@ -68,7 +68,7 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
        if (c->cipher->set_asn1_parameters != NULL)
                ret=c->cipher->set_asn1_parameters(c,type);
        else
-                ret=1;
+                return -1;
        return(ret);
        }
@@ -79,7 +79,7 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
        if (c->cipher->get_asn1_parameters != NULL)
                ret=c->cipher->get_asn1_parameters(c,type);
        else
-                ret=1;
+                return -1;
        return(ret);
        }
@@ -133,6 +133,30 @@ int EVP_CIPHER_type(const EVP_CIPHER *ctx)
                return NID_rc4;
+                case NID_aes_128_cfb128:
+                case NID_aes_128_cfb8:
+                case NID_aes_128_cfb1:
+                return NID_aes_128_cfb128;
+                case NID_aes_192_cfb128:
+                case NID_aes_192_cfb8:
+                case NID_aes_192_cfb1:
+                return NID_aes_192_cfb128;
+                case NID_aes_256_cfb128:
+                case NID_aes_256_cfb8:
+                case NID_aes_256_cfb1:
+                return NID_aes_256_cfb128;
+                case NID_des_cfb64:
+                case NID_des_cfb8:
+                case NID_des_cfb1:
+                return NID_des_cfb64;
                default:
                /* Check it has an OID and it is valid */
                otmp = OBJ_nid2obj(nid);
diff --git a/src/lib/libssl/src/crypto/evp/evp_locl.h b/src/lib/libssl/src/crypto/evp/evp_locl.h
index 4d81a3bf4c..f8c5343620 100644
--- a/src/lib/libssl/src/crypto/evp/evp_locl.h
+++ b/src/lib/libssl/src/crypto/evp/evp_locl.h
@@ -90,7 +90,7 @@ static int cname##_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const uns
 }
 #define BLOCK_CIPHER_func_cfb(cname, cprefix, cbits, kstruct, ksched) \
-static int cname##_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
+static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
 {\
        cprefix##_cfb##cbits##_encrypt(in, out, (long)inl, &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num, ctx->encrypt);\
        return 1;\
@@ -127,7 +127,7 @@ BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \
 #define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \
                             iv_len, cbits, flags, init_key, cleanup, \
                             set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def1(cname, cfb##cbits, cfb, CFB, kstruct, nid, 1, \
+BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, 1, \
                  key_len, iv_len, flags, init_key, cleanup, set_asn1, \
                  get_asn1, ctrl)
@@ -225,3 +225,28 @@ const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
                          get_asn1, ctrl)
 #define EVP_C_DATA(kstruct, ctx)        ((kstruct *)(ctx)->cipher_data)
+#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len,flags) \
+        BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
+        BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
+                             NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
+                             flags, cipher##_init_key, NULL, \
+                             EVP_CIPHER_set_asn1_iv, \
+                             EVP_CIPHER_get_asn1_iv, \
+                             NULL)
+#ifdef OPENSSL_FIPS
+#define RC2_set_key     private_RC2_set_key
+#define RC4_set_key     private_RC4_set_key
+#define CAST_set_key    private_CAST_set_key
+#define RC5_32_set_key  private_RC5_32_set_key
+#define BF_set_key      private_BF_set_key
+#define idea_set_encrypt_key private_idea_set_encrypt_key
+#define MD5_Init        private_MD5_Init
+#define MD4_Init        private_MD4_Init
+#define MD2_Init        private_MD2_Init
+#define MDC2_Init       private_MDC2_Init
+#define SHA_Init        private_SHA_Init
+#endif
diff --git a/src/lib/libssl/src/crypto/evp/evp_pkey.c b/src/lib/libssl/src/crypto/evp/evp_pkey.c
index eb481ec661..47a69932a5 100644
--- a/src/lib/libssl/src/crypto/evp/evp_pkey.c
+++ b/src/lib/libssl/src/crypto/evp/evp_pkey.c
@@ -235,7 +235,11 @@ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken)
                return NULL;
        }
        p8->broken = broken;
-        ASN1_INTEGER_set (p8->version, 0);
+        if (!ASN1_INTEGER_set(p8->version, 0)) {
+                EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                PKCS8_PRIV_KEY_INFO_free (p8);
+                return NULL;
+        }
        if (!(p8->pkeyalg->parameter = ASN1_TYPE_new ())) {
                EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
                PKCS8_PRIV_KEY_INFO_free (p8);
@@ -303,29 +307,35 @@ PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken)
 #ifndef OPENSSL_NO_DSA
 static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
 {
-        ASN1_STRING *params;
+        ASN1_STRING *params = NULL;
-        ASN1_INTEGER *prkey;
+        ASN1_INTEGER *prkey = NULL;
-        ASN1_TYPE *ttmp;
+        ASN1_TYPE *ttmp = NULL;
-        STACK_OF(ASN1_TYPE) *ndsa;
+        STACK_OF(ASN1_TYPE) *ndsa = NULL;
-        unsigned char *p, *q;
+        unsigned char *p = NULL, *q;
        int len;
        p8->pkeyalg->algorithm = OBJ_nid2obj(NID_dsa);
        len = i2d_DSAparams (pkey->pkey.dsa, NULL);
        if (!(p = OPENSSL_malloc(len))) {
                EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
-                PKCS8_PRIV_KEY_INFO_free (p8);
+                goto err;
-                return 0;
        }
        q = p;
        i2d_DSAparams (pkey->pkey.dsa, &q);
-        params = ASN1_STRING_new();
+        if (!(params = ASN1_STRING_new())) {
-        ASN1_STRING_set(params, p, len);
+                EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
+        if (!ASN1_STRING_set(params, p, len)) {
+                EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
        OPENSSL_free(p);
+        p = NULL;
        /* Get private key into integer */
        if (!(prkey = BN_to_ASN1_INTEGER (pkey->pkey.dsa->priv_key, NULL))) {
                EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
-                return 0;
+                goto err;
        }
        switch(p8->broken) {
@@ -336,12 +346,13 @@ static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
                if (!ASN1_pack_string((char *)prkey, i2d_ASN1_INTEGER,
                                         &p8->pkey->value.octet_string)) {
                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
-                        M_ASN1_INTEGER_free (prkey);
+                        goto err;
-                        return 0;
                }
                M_ASN1_INTEGER_free (prkey);
+                prkey = NULL;
                p8->pkeyalg->parameter->value.sequence = params;
+                params = NULL;
                p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE;
                break;
@@ -349,32 +360,51 @@ static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
                case PKCS8_NS_DB:
                p8->pkeyalg->parameter->value.sequence = params;
+                params = NULL;
                p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE;
-                ndsa = sk_ASN1_TYPE_new_null();
+                if (!(ndsa = sk_ASN1_TYPE_new_null())) {
-                ttmp = ASN1_TYPE_new();
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
-                if (!(ttmp->value.integer = BN_to_ASN1_INTEGER (pkey->pkey.dsa->pub_key, NULL))) {
+                        goto err;
+                }
+                if (!(ttmp = ASN1_TYPE_new())) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                if (!(ttmp->value.integer =
+                        BN_to_ASN1_INTEGER(pkey->pkey.dsa->pub_key, NULL))) {
                        EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
-                        PKCS8_PRIV_KEY_INFO_free(p8);
+                        goto err;
-                        return 0;
                }
                ttmp->type = V_ASN1_INTEGER;
-                sk_ASN1_TYPE_push(ndsa, ttmp);
+                if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
-                ttmp = ASN1_TYPE_new();
+                if (!(ttmp = ASN1_TYPE_new())) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
                ttmp->value.integer = prkey;
+                prkey = NULL;
                ttmp->type = V_ASN1_INTEGER;
-                sk_ASN1_TYPE_push(ndsa, ttmp);
+                if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                ttmp = NULL;
-                p8->pkey->value.octet_string = ASN1_OCTET_STRING_new();
+                if (!(p8->pkey->value.octet_string = ASN1_OCTET_STRING_new())) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
                if (!ASN1_seq_pack_ASN1_TYPE(ndsa, i2d_ASN1_TYPE,
                                         &p8->pkey->value.octet_string->data,
                                         &p8->pkey->value.octet_string->length)) {
                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
-                        sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
+                        goto err;
-                        M_ASN1_INTEGER_free(prkey);
-                        return 0;
                }
                sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
                break;
@@ -382,31 +412,57 @@ static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
                case PKCS8_EMBEDDED_PARAM:
                p8->pkeyalg->parameter->type = V_ASN1_NULL;
-                ndsa = sk_ASN1_TYPE_new_null();
+                if (!(ndsa = sk_ASN1_TYPE_new_null())) {
-                ttmp = ASN1_TYPE_new();
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                if (!(ttmp = ASN1_TYPE_new())) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
                ttmp->value.sequence = params;
+                params = NULL;
                ttmp->type = V_ASN1_SEQUENCE;
-                sk_ASN1_TYPE_push(ndsa, ttmp);
+                if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
-                ttmp = ASN1_TYPE_new();
+                if (!(ttmp = ASN1_TYPE_new())) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
                ttmp->value.integer = prkey;
+                prkey = NULL;
                ttmp->type = V_ASN1_INTEGER;
-                sk_ASN1_TYPE_push(ndsa, ttmp);
+                if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                ttmp = NULL;
-                p8->pkey->value.octet_string = ASN1_OCTET_STRING_new();
+                if (!(p8->pkey->value.octet_string = ASN1_OCTET_STRING_new())) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
                if (!ASN1_seq_pack_ASN1_TYPE(ndsa, i2d_ASN1_TYPE,
                                         &p8->pkey->value.octet_string->data,
                                         &p8->pkey->value.octet_string->length)) {
                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
-                        sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
+                        goto err;
-                        M_ASN1_INTEGER_free (prkey);
-                        return 0;
                }
                sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
                break;
        }
        return 1;
+err:
+        if (p != NULL) OPENSSL_free(p);
+        if (params != NULL) ASN1_STRING_free(params);
+        if (prkey != NULL) M_ASN1_INTEGER_free(prkey);
+        if (ttmp != NULL) ASN1_TYPE_free(ttmp);
+        if (ndsa != NULL) sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
+        return 0;
 }
 #endif
diff --git a/src/lib/libssl/src/crypto/evp/evp_test.c b/src/lib/libssl/src/crypto/evp/evp_test.c
index 28460173f7..a624cfd248 100644
--- a/src/lib/libssl/src/crypto/evp/evp_test.c
+++ b/src/lib/libssl/src/crypto/evp/evp_test.c
@@ -136,7 +136,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
                  const unsigned char *iv,int in,
                  const unsigned char *plaintext,int pn,
                  const unsigned char *ciphertext,int cn,
-                  int encdec)
+                  int encdec,int multiplier)
    {
    EVP_CIPHER_CTX ctx;
    unsigned char out[4096];
@@ -162,22 +162,25 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
        if(!EVP_EncryptInit_ex(&ctx,c,NULL,key,iv))
            {
            fprintf(stderr,"EncryptInit failed\n");
+            ERR_print_errors_fp(stderr);
            test1_exit(10);
            }
        EVP_CIPHER_CTX_set_padding(&ctx,0);
-        if(!EVP_EncryptUpdate(&ctx,out,&outl,plaintext,pn))
+        if(!EVP_EncryptUpdate(&ctx,out,&outl,plaintext,pn*multiplier))
            {
            fprintf(stderr,"Encrypt failed\n");
+            ERR_print_errors_fp(stderr);
            test1_exit(6);
            }
        if(!EVP_EncryptFinal_ex(&ctx,out+outl,&outl2))
            {
            fprintf(stderr,"EncryptFinal failed\n");
+            ERR_print_errors_fp(stderr);
            test1_exit(7);
            }
-        if(outl+outl2 != cn)
+        if(outl+outl2 != cn*multiplier)
            {
            fprintf(stderr,"Ciphertext length mismatch got %d expected %d\n",
                    outl+outl2,cn);
@@ -198,22 +201,25 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
        if(!EVP_DecryptInit_ex(&ctx,c,NULL,key,iv))
            {
            fprintf(stderr,"DecryptInit failed\n");
+            ERR_print_errors_fp(stderr);
            test1_exit(11);
            }
        EVP_CIPHER_CTX_set_padding(&ctx,0);
-        if(!EVP_DecryptUpdate(&ctx,out,&outl,ciphertext,cn))
+        if(!EVP_DecryptUpdate(&ctx,out,&outl,ciphertext,cn*multiplier))
            {
            fprintf(stderr,"Decrypt failed\n");
+            ERR_print_errors_fp(stderr);
            test1_exit(6);
            }
        if(!EVP_DecryptFinal_ex(&ctx,out+outl,&outl2))
            {
            fprintf(stderr,"DecryptFinal failed\n");
+            ERR_print_errors_fp(stderr);
            test1_exit(7);
            }
-        if(outl+outl2 != cn)
+        if(outl+outl2 != cn*multiplier)
            {
            fprintf(stderr,"Plaintext length mismatch got %d expected %d\n",
                    outl+outl2,cn);
@@ -238,7 +244,7 @@ static int test_cipher(const char *cipher,const unsigned char *key,int kn,
                       const unsigned char *iv,int in,
                       const unsigned char *plaintext,int pn,
                       const unsigned char *ciphertext,int cn,
-                       int encdec)
+                       int encdec,int multiplier)
    {
    const EVP_CIPHER *c;
@@ -246,7 +252,7 @@ static int test_cipher(const char *cipher,const unsigned char *key,int kn,
    if(!c)
        return 0;
-    test1(c,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec);
+    test1(c,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec,multiplier);
    return 1;
    }
@@ -272,16 +278,19 @@ static int test_digest(const char *digest,
    if(!EVP_DigestInit_ex(&ctx,d, NULL))
        {
        fprintf(stderr,"DigestInit failed\n");
+        ERR_print_errors_fp(stderr);
        EXIT(100);
        }
    if(!EVP_DigestUpdate(&ctx,plaintext,pn))
        {
        fprintf(stderr,"DigestUpdate failed\n");
+        ERR_print_errors_fp(stderr);
        EXIT(101);
        }
    if(!EVP_DigestFinal_ex(&ctx,md,&mdn))
        {
        fprintf(stderr,"DigestFinal failed\n");
+        ERR_print_errors_fp(stderr);
        EXIT(101);
        }
    EVP_MD_CTX_cleanup(&ctx);
@@ -359,6 +368,7 @@ int main(int argc,char **argv)
        unsigned char *iv,*key,*plaintext,*ciphertext;
        int encdec;
        int kn,in,pn,cn;
+        int multiplier=1;
        if(!fgets((char *)line,sizeof line,f))
            break;
@@ -383,7 +393,15 @@ int main(int argc,char **argv)
        pn=convert(plaintext);
        cn=convert(ciphertext);
-        if(!test_cipher(cipher,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec)
+        if(strchr(cipher,'*'))
+            {
+            p=cipher;
+            sstrsep(&p,"*");
+            multiplier=atoi(sstrsep(&p,"*"));
+            }
+        if(!test_cipher(cipher,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec,
+                        multiplier)
           && !test_digest(cipher,plaintext,pn,ciphertext,cn))
            {
            fprintf(stderr,"Can't find %s\n",cipher);
diff --git a/src/lib/libssl/src/crypto/evp/evptests.txt b/src/lib/libssl/src/crypto/evp/evptests.txt
index 80bd9c7765..dfe91a5bc0 100644
--- a/src/lib/libssl/src/crypto/evp/evptests.txt
+++ b/src/lib/libssl/src/crypto/evp/evptests.txt
@@ -92,7 +92,102 @@ AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000
 AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:F58C4C04D6E5F1BA779EABFB5F7BFBD6:AE2D8A571E03AC9C9EB76FAC45AF8E51:9CFC4E967EDB808D679F777BC6702C7D
 AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:9CFC4E967EDB808D679F777BC6702C7D:30C81C46A35CE411E5FBC1191A0A52EF:39F23369A9D9BACFA530E26304231461
 AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:39F23369A9D9BACFA530E26304231461:F69F2445DF4F9B17AD2B417BE66C3710:B2EB05E2C39BE9FCDA6C19078C6A9D1B
-# We don't support CFB{1,8}-AESxxx.{En,De}crypt
+# CFB1-AES128.Encrypt
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00020406080a0c0e10121416181a1c1e:80:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0004080c1014181c2024282c3034383d:80:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0008101820283038404850586068707b:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00102030405060708090a0b0c0d0e0f6:80:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0020406080a0c0e10121416181a1c1ed:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:004080c1014181c2024282c3034383da:80:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:008101820283038404850586068707b4:80:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f68:80:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:020406080a0c0e10121416181a1c1ed1:80:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:04080c1014181c2024282c3034383da2:00:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:08101820283038404850586068707b45:00:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:102030405060708090a0b0c0d0e0f68b:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:20406080a0c0e10121416181a1c1ed16:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:4080c1014181c2024282c3034383da2c:00:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:8101820283038404850586068707b459:80:80:1
+# all of the above packed into one...
+# in: 0110 1011 1100 0001 = 6bc1
+# out: 0110 1000 1011 0011 = 68b3
+AES-128-CFB1*8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1:68b3:1
+# CFB1-AES128.Decrypt
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00020406080a0c0e10121416181a1c1e:80:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0004080c1014181c2024282c3034383d:80:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0008101820283038404850586068707b:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00102030405060708090a0b0c0d0e0f6:80:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0020406080a0c0e10121416181a1c1ed:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:004080c1014181c2024282c3034383da:80:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:008101820283038404850586068707b4:80:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f68:80:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:020406080a0c0e10121416181a1c1ed1:80:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:04080c1014181c2024282c3034383da2:00:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:08101820283038404850586068707b45:00:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:102030405060708090a0b0c0d0e0f68b:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:20406080a0c0e10121416181a1c1ed16:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:4080c1014181c2024282c3034383da2c:00:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:8101820283038404850586068707b459:80:80:0
+# all of the above packed into one...
+# in: 0110 1000 1011 0011 = 68b3
+# out: 0110 1011 1100 0001 = 6bc1
+AES-128-CFB1*8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1:68b3:0
+# TODO: CFB1-AES192 and 256
+# CFB8-AES128.Encrypt
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6b:3b:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f3b:c1:79:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:02030405060708090a0b0c0d0e0f3b79:be:42:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:030405060708090a0b0c0d0e0f3b7942:e2:4c:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0405060708090a0b0c0d0e0f3b79424c:2e:9c:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:05060708090a0b0c0d0e0f3b79424c9c:40:0d:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:060708090a0b0c0d0e0f3b79424c9c0d:9f:d4:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0708090a0b0c0d0e0f3b79424c9c0dd4:96:36:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:08090a0b0c0d0e0f3b79424c9c0dd436:e9:ba:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:090a0b0c0d0e0f3b79424c9c0dd436ba:3d:ce:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0a0b0c0d0e0f3b79424c9c0dd436bace:7e:9e:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0b0c0d0e0f3b79424c9c0dd436bace9e:11:0e:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0c0d0e0f3b79424c9c0dd436bace9e0e:73:d4:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0d0e0f3b79424c9c0dd436bace9e0ed4:93:58:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0e0f3b79424c9c0dd436bace9e0ed458:17:6a:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0f3b79424c9c0dd436bace9e0ed4586a:2a:4f:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:3b79424c9c0dd436bace9e0ed4586a4f:ae:32:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:79424c9c0dd436bace9e0ed4586a4f32:2d:b9:1
+# all of the above packed into one
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1bee22e409f96e93d7e117393172aae2d:3b79424c9c0dd436bace9e0ed4586a4f32b9:1
+# CFB8-AES128.Decrypt
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6b:3b:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f3b:c1:79:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:02030405060708090a0b0c0d0e0f3b79:be:42:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:030405060708090a0b0c0d0e0f3b7942:e2:4c:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0405060708090a0b0c0d0e0f3b79424c:2e:9c:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:05060708090a0b0c0d0e0f3b79424c9c:40:0d:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:060708090a0b0c0d0e0f3b79424c9c0d:9f:d4:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0708090a0b0c0d0e0f3b79424c9c0dd4:96:36:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:08090a0b0c0d0e0f3b79424c9c0dd436:e9:ba:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:090a0b0c0d0e0f3b79424c9c0dd436ba:3d:ce:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0a0b0c0d0e0f3b79424c9c0dd436bace:7e:9e:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0b0c0d0e0f3b79424c9c0dd436bace9e:11:0e:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0c0d0e0f3b79424c9c0dd436bace9e0e:73:d4:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0d0e0f3b79424c9c0dd436bace9e0ed4:93:58:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0e0f3b79424c9c0dd436bace9e0ed458:17:6a:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0f3b79424c9c0dd436bace9e0ed4586a:2a:4f:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:3b79424c9c0dd436bace9e0ed4586a4f:ae:32:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:79424c9c0dd436bace9e0ed4586a4f32:2d:b9:0
+# all of the above packed into one
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1bee22e409f96e93d7e117393172aae2d:3b79424c9c0dd436bace9e0ed4586a4f32b9:0
+# TODO: 192 and 256 bit keys
 # For all CFB128 encrypts and decrypts, the transformed sequence is
 #   AES-bits-CFB:key:IV/ciphertext':plaintext:ciphertext:encdec
 # CFB128-AES128.Encrypt 
@@ -174,6 +269,16 @@ DESX-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363
 # DES EDE3 CBC tests (from destest)
 DES-EDE3-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363534333231204E6F77206973207468652074696D6520666F722000000000:3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
+# DES CFB1 from FIPS 81
+# plaintext: 0100 1110 0110 1111 0111 0111 = 4e6f77
+# ciphertext: 1100 1101 0001 1110 1100 1001 = cd1ec9
+DES-CFB1*8:0123456789abcdef:1234567890abcdef:4e6f77:cd1ec9
+# DES CFB8 from FIPS 81
+DES-CFB8:0123456789abcdef:1234567890abcdef:4e6f7720697320746865:f31fda07011462ee187f
 # RC4 tests (from rc4test)
 RC4:0123456789abcdef0123456789abcdef::0123456789abcdef:75b7878099e0c596
 RC4:0123456789abcdef0123456789abcdef::0000000000000000:7494c2e7104b0879
diff --git a/src/lib/libssl/src/crypto/evp/m_dss.c b/src/lib/libssl/src/crypto/evp/m_dss.c
index beb8d7fc5c..d393eb3400 100644
--- a/src/lib/libssl/src/crypto/evp/m_dss.c
+++ b/src/lib/libssl/src/crypto/evp/m_dss.c
@@ -77,7 +77,7 @@ static const EVP_MD dsa_md=
        NID_dsaWithSHA,
        NID_dsaWithSHA,
        SHA_DIGEST_LENGTH,
-        0,
+        EVP_MD_FLAG_FIPS,
        init,
        update,
        final,
diff --git a/src/lib/libssl/src/crypto/evp/m_md2.c b/src/lib/libssl/src/crypto/evp/m_md2.c
index 50914c83b3..0df48e5199 100644
--- a/src/lib/libssl/src/crypto/evp/m_md2.c
+++ b/src/lib/libssl/src/crypto/evp/m_md2.c
@@ -60,6 +60,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
+#include "evp_locl.h"
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/md2.h>
diff --git a/src/lib/libssl/src/crypto/evp/m_md4.c b/src/lib/libssl/src/crypto/evp/m_md4.c
index e19b663754..0605e4b707 100644
--- a/src/lib/libssl/src/crypto/evp/m_md4.c
+++ b/src/lib/libssl/src/crypto/evp/m_md4.c
@@ -60,6 +60,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
+#include "evp_locl.h"
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/md4.h>
diff --git a/src/lib/libssl/src/crypto/evp/m_md5.c b/src/lib/libssl/src/crypto/evp/m_md5.c
index b00a03e048..752615d473 100644
--- a/src/lib/libssl/src/crypto/evp/m_md5.c
+++ b/src/lib/libssl/src/crypto/evp/m_md5.c
@@ -60,6 +60,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
+#include "evp_locl.h"
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/md5.h>
diff --git a/src/lib/libssl/src/crypto/evp/m_mdc2.c b/src/lib/libssl/src/crypto/evp/m_mdc2.c
index 9f6467c931..62de1336b8 100644
--- a/src/lib/libssl/src/crypto/evp/m_mdc2.c
+++ b/src/lib/libssl/src/crypto/evp/m_mdc2.c
@@ -60,6 +60,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
+#include "evp_locl.h"
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/mdc2.h>
diff --git a/src/lib/libssl/src/crypto/evp/m_sha.c b/src/lib/libssl/src/crypto/evp/m_sha.c
index 10697c7ed3..d1785e5f74 100644
--- a/src/lib/libssl/src/crypto/evp/m_sha.c
+++ b/src/lib/libssl/src/crypto/evp/m_sha.c
@@ -56,10 +56,11 @@
 * [including the GNU Public Licence.]
 */
-#ifndef OPENSSL_NO_SHA
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0)
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
+#include "evp_locl.h"
 #include <openssl/objects.h>
 #include <openssl/x509.h>
diff --git a/src/lib/libssl/src/crypto/evp/m_sha1.c b/src/lib/libssl/src/crypto/evp/m_sha1.c
index d6be3502f0..fe4402389a 100644
--- a/src/lib/libssl/src/crypto/evp/m_sha1.c
+++ b/src/lib/libssl/src/crypto/evp/m_sha1.c
@@ -77,7 +77,7 @@ static const EVP_MD sha1_md=
        NID_sha1,
        NID_sha1WithRSAEncryption,
        SHA_DIGEST_LENGTH,
-        0,
+        EVP_MD_FLAG_FIPS,
        init,
        update,
        final,
diff --git a/src/lib/libssl/src/crypto/evp/names.c b/src/lib/libssl/src/crypto/evp/names.c
index eb9f4329cd..7712453046 100644
--- a/src/lib/libssl/src/crypto/evp/names.c
+++ b/src/lib/libssl/src/crypto/evp/names.c
@@ -61,6 +61,9 @@
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
 int EVP_add_cipher(const EVP_CIPHER *c)
        {
diff --git a/src/lib/libssl/src/crypto/hmac/hmac.c b/src/lib/libssl/src/crypto/hmac/hmac.c
index 4c91f919d5..06ee80761f 100644
--- a/src/lib/libssl/src/crypto/hmac/hmac.c
+++ b/src/lib/libssl/src/crypto/hmac/hmac.c
@@ -77,6 +77,15 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
        if (key != NULL)
                {
+#ifdef OPENSSL_FIPS
+                if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS)
+                && (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
+                 || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
+                 || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
+                OpenSSLDie(__FILE__,__LINE__,
+                        "HMAC: digest not allowed in FIPS mode");
+#endif
+                
                reset=1;
                j=EVP_MD_block_size(md);
                OPENSSL_assert(j <= sizeof ctx->key);
@@ -171,3 +180,10 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
        return(md);
        }
+void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
+        {
+        EVP_MD_CTX_set_flags(&ctx->i_ctx, flags);
+        EVP_MD_CTX_set_flags(&ctx->o_ctx, flags);
+        EVP_MD_CTX_set_flags(&ctx->md_ctx, flags);
+        }
diff --git a/src/lib/libssl/src/crypto/hmac/hmac.h b/src/lib/libssl/src/crypto/hmac/hmac.h
index 0364a1fcbd..294ab3b36a 100644
--- a/src/lib/libssl/src/crypto/hmac/hmac.h
+++ b/src/lib/libssl/src/crypto/hmac/hmac.h
@@ -98,6 +98,7 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
                    const unsigned char *d, int n, unsigned char *md,
                    unsigned int *md_len);
+void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags);
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libssl/src/crypto/idea/idea.h b/src/lib/libssl/src/crypto/idea/idea.h
index 67132414ee..bf41844fd7 100644
--- a/src/lib/libssl/src/crypto/idea/idea.h
+++ b/src/lib/libssl/src/crypto/idea/idea.h
@@ -82,6 +82,10 @@ typedef struct idea_key_st
 const char *idea_options(void);
 void idea_ecb_encrypt(const unsigned char *in, unsigned char *out,
        IDEA_KEY_SCHEDULE *ks);
+#ifdef OPENSSL_FIPS
+void private_idea_set_encrypt_key(const unsigned char *key,
+                                                IDEA_KEY_SCHEDULE *ks);
+#endif
 void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
 void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk);
 void idea_cbc_encrypt(const unsigned char *in, unsigned char *out,
diff --git a/src/lib/libssl/src/crypto/md2/md2.h b/src/lib/libssl/src/crypto/md2/md2.h
index ad9241455c..d0ef9da08e 100644
--- a/src/lib/libssl/src/crypto/md2/md2.h
+++ b/src/lib/libssl/src/crypto/md2/md2.h
@@ -80,6 +80,9 @@ typedef struct MD2state_st
        } MD2_CTX;
 const char *MD2_options(void);
+#ifdef OPENSSL_FIPS
+int private_MD2_Init(MD2_CTX *c);
+#endif
 int MD2_Init(MD2_CTX *c);
 int MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len);
 int MD2_Final(unsigned char *md, MD2_CTX *c);
diff --git a/src/lib/libssl/src/crypto/md2/md2_dgst.c b/src/lib/libssl/src/crypto/md2/md2_dgst.c
index ecb64f0ec4..8124acd687 100644
--- a/src/lib/libssl/src/crypto/md2/md2_dgst.c
+++ b/src/lib/libssl/src/crypto/md2/md2_dgst.c
@@ -62,6 +62,8 @@
 #include <openssl/md2.h>
 #include <openssl/opensslv.h>
 #include <openssl/crypto.h>
+#include <openssl/fips.h>
+#include <openssl/err.h>
 const char *MD2_version="MD2" OPENSSL_VERSION_PTEXT;
@@ -116,7 +118,7 @@ const char *MD2_options(void)
                return("md2(int)");
        }
-int MD2_Init(MD2_CTX *c)
+FIPS_NON_FIPS_MD_Init(MD2)
        {
        c->num=0;
        memset(c->state,0,sizeof c->state);
diff --git a/src/lib/libssl/src/crypto/md32_common.h b/src/lib/libssl/src/crypto/md32_common.h
index 573850b122..733da6acaf 100644
--- a/src/lib/libssl/src/crypto/md32_common.h
+++ b/src/lib/libssl/src/crypto/md32_common.h
@@ -128,6 +128,10 @@
 *                                      <appro@fy.chalmers.se>
 */
+#include <openssl/crypto.h>
+#include <openssl/fips.h>
+#include <openssl/err.h>
 #if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
 #error "DATA_ORDER must be defined!"
 #endif
@@ -207,7 +211,7 @@
                                : "cc");                \
                           ret;                         \
                        })
-#  elif defined(__powerpc) || defined(__ppc)
+#  elif defined(__powerpc) || defined(__ppc__) || defined(__powerpc64__)
 #   define ROTATE(a,n)  ({ register unsigned int ret;   \
                                asm (                   \
                                "rlwinm %0,%1,%2,0,31"  \
@@ -555,6 +559,14 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c)
        static const unsigned char end[4]={0x80,0x00,0x00,0x00};
        const unsigned char *cp=end;
+#if 0
+        if(FIPS_mode() && !FIPS_md5_allowed())
+            {
+            FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD);
+            return 0;
+            }
+#endif
        /* c->num should definitly have room for at least one more byte. */
        p=c->data;
        i=c->num>>2;
diff --git a/src/lib/libssl/src/crypto/md4/md4.h b/src/lib/libssl/src/crypto/md4/md4.h
index 7a7b23682f..7e761efb62 100644
--- a/src/lib/libssl/src/crypto/md4/md4.h
+++ b/src/lib/libssl/src/crypto/md4/md4.h
@@ -104,6 +104,9 @@ typedef struct MD4state_st
        int num;
        } MD4_CTX;
+#ifdef OPENSSL_FIPS
+int private_MD4_Init(MD4_CTX *c);
+#endif
 int MD4_Init(MD4_CTX *c);
 int MD4_Update(MD4_CTX *c, const void *data, unsigned long len);
 int MD4_Final(unsigned char *md, MD4_CTX *c);
diff --git a/src/lib/libssl/src/crypto/md4/md4_dgst.c b/src/lib/libssl/src/crypto/md4/md4_dgst.c
index 7afb7185b6..ee7cc72262 100644
--- a/src/lib/libssl/src/crypto/md4/md4_dgst.c
+++ b/src/lib/libssl/src/crypto/md4/md4_dgst.c
@@ -70,7 +70,7 @@ const char *MD4_version="MD4" OPENSSL_VERSION_PTEXT;
 #define INIT_DATA_C (unsigned long)0x98badcfeL
 #define INIT_DATA_D (unsigned long)0x10325476L
-int MD4_Init(MD4_CTX *c)
+FIPS_NON_FIPS_MD_Init(MD4)
        {
        c->A=INIT_DATA_A;
        c->B=INIT_DATA_B;
diff --git a/src/lib/libssl/src/crypto/md5/md5.h b/src/lib/libssl/src/crypto/md5/md5.h
index a252e02115..c663dd1816 100644
--- a/src/lib/libssl/src/crypto/md5/md5.h
+++ b/src/lib/libssl/src/crypto/md5/md5.h
@@ -104,6 +104,9 @@ typedef struct MD5state_st
        int num;
        } MD5_CTX;
+#ifdef OPENSSL_FIPS
+int private_MD5_Init(MD5_CTX *c);
+#endif
 int MD5_Init(MD5_CTX *c);
 int MD5_Update(MD5_CTX *c, const void *data, unsigned long len);
 int MD5_Final(unsigned char *md, MD5_CTX *c);
diff --git a/src/lib/libssl/src/crypto/md5/md5_dgst.c b/src/lib/libssl/src/crypto/md5/md5_dgst.c
index 9c7abc3697..54b33c6509 100644
--- a/src/lib/libssl/src/crypto/md5/md5_dgst.c
+++ b/src/lib/libssl/src/crypto/md5/md5_dgst.c
@@ -70,7 +70,7 @@ const char *MD5_version="MD5" OPENSSL_VERSION_PTEXT;
 #define INIT_DATA_C (unsigned long)0x98badcfeL
 #define INIT_DATA_D (unsigned long)0x10325476L
-int MD5_Init(MD5_CTX *c)
+FIPS_NON_FIPS_MD_Init(MD5)
        {
        c->A=INIT_DATA_A;
        c->B=INIT_DATA_B;
diff --git a/src/lib/libssl/src/crypto/mdc2/Makefile b/src/lib/libssl/src/crypto/mdc2/Makefile
new file mode 100644
index 0000000000..38c785bf95
--- /dev/null
+++ b/src/lib/libssl/src/crypto/mdc2/Makefile
@@ -0,0 +1,98 @@
+#
+# SSLeay/crypto/mdc2/Makefile
+#
+DIR=    mdc2
+TOP=    ../..
+CC=     cc
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
+MAKEFILE=       Makefile
+AR=             ar r
+CFLAGS= $(INCLUDES) $(CFLAG)
+GENERAL=Makefile
+TEST= mdc2test.c
+APPS=
+LIB=$(TOP)/libcrypto.a
+LIBSRC=mdc2dgst.c mdc2_one.c
+LIBOBJ=mdc2dgst.o mdc2_one.o
+SRC= $(LIBSRC)
+EXHEADER= mdc2.h
+HEADER= $(EXHEADER)
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+top:
+        (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+all:    lib
+lib:    $(LIBOBJ)
+        $(AR) $(LIB) $(LIBOBJ)
+        $(RANLIB) $(LIB) || echo Never mind.
+        @touch lib
+files:
+        $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+links:
+        @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+        @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+        @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+install:
+        @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
+        do  \
+        (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+        done;
+tags:
+        ctags $(SRC)
+tests:
+lint:
+        lint -DLINT $(INCLUDES) $(SRC)>fluff
+depend:
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+dclean:
+        $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+        mv -f Makefile.new $(MAKEFILE)
+clean:
+        rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+mdc2_one.o: ../../e_os.h ../../include/openssl/bio.h
+mdc2_one.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+mdc2_one.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+mdc2_one.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+mdc2_one.o: ../../include/openssl/lhash.h ../../include/openssl/mdc2.h
+mdc2_one.o: ../../include/openssl/opensslconf.h
+mdc2_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+mdc2_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+mdc2_one.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+mdc2_one.o: ../cryptlib.h mdc2_one.c
+mdc2dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+mdc2dgst.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+mdc2dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+mdc2dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+mdc2dgst.o: ../../include/openssl/mdc2.h ../../include/openssl/opensslconf.h
+mdc2dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+mdc2dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+mdc2dgst.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+mdc2dgst.o: mdc2dgst.c
diff --git a/src/lib/libssl/src/crypto/mdc2/mdc2.h b/src/lib/libssl/src/crypto/mdc2/mdc2.h
index 793a8a0f13..4cba101f37 100644
--- a/src/lib/libssl/src/crypto/mdc2/mdc2.h
+++ b/src/lib/libssl/src/crypto/mdc2/mdc2.h
@@ -80,7 +80,9 @@ typedef struct mdc2_ctx_st
        int pad_type; /* either 1 or 2, default 1 */
        } MDC2_CTX;
+#ifdef OPENSSL_FIPS
+int private_MDC2_Init(MDC2_CTX *c);
+#endif
 int MDC2_Init(MDC2_CTX *c);
 int MDC2_Update(MDC2_CTX *c, const unsigned char *data, unsigned long len);
 int MDC2_Final(unsigned char *md, MDC2_CTX *c);
diff --git a/src/lib/libssl/src/crypto/o_time.c b/src/lib/libssl/src/crypto/o_time.c
index 785468131e..e29091d650 100644
--- a/src/lib/libssl/src/crypto/o_time.c
+++ b/src/lib/libssl/src/crypto/o_time.c
@@ -114,16 +114,28 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
                        return NULL;
                logvalue[reslen] = '\0';
+                t = *timer;
+/* The following is extracted from the DEC C header time.h */
+/*
+**  Beginning in OpenVMS Version 7.0 mktime, time, ctime, strftime
+**  have two implementations.  One implementation is provided
+**  for compatibility and deals with time in terms of local time,
+**  the other __utc_* deals with time in terms of UTC.
+*/
+/* We use the same conditions as in said time.h to check if we should
+   assume that t contains local time (and should therefore be adjusted)
+   or UTC (and should therefore be left untouched). */
+#if __CRTL_VER < 70000000 || defined _VMS_V6_SOURCE
                /* Get the numerical value of the equivalence string */
                status = atoi(logvalue);
                /* and use it to move time to GMT */
-                t = *timer - status;
+                t -= status;
+#endif
                /* then convert the result to the time structure */
-#ifndef OPENSSL_THREADS
-                ts=(struct tm *)localtime(&t);
-#else
                /* Since there was no gmtime_r() to do this stuff for us,
                   we have to do it the hard way. */
                {
@@ -198,7 +210,6 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
                result->tm_isdst = 0; /* There's no way to know... */
                ts = result;
-#endif
                }
                }
 #endif
diff --git a/src/lib/libssl/src/crypto/objects/o_names.c b/src/lib/libssl/src/crypto/objects/o_names.c
index b4453b4a98..28c9370ca3 100644
--- a/src/lib/libssl/src/crypto/objects/o_names.c
+++ b/src/lib/libssl/src/crypto/objects/o_names.c
@@ -2,6 +2,7 @@
 #include <stdlib.h>
 #include <string.h>
+#include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/objects.h>
 #include <openssl/safestack.h>
@@ -80,7 +81,11 @@ int OBJ_NAME_new_index(unsigned long (*hash_func)(const char *),
                MemCheck_off();
                name_funcs = OPENSSL_malloc(sizeof(NAME_FUNCS));
                MemCheck_on();
-                if (!name_funcs) return(0);
+                if (!name_funcs)
+                        {
+                        OBJerr(OBJ_F_OBJ_NAME_NEW_INDEX,ERR_R_MALLOC_FAILURE);
+                        return(0);
+                        }
                name_funcs->hash_func = lh_strhash;
                name_funcs->cmp_func = OPENSSL_strcmp;
                name_funcs->free_func = 0; /* NULL is often declared to
diff --git a/src/lib/libssl/src/crypto/objects/obj_dat.c b/src/lib/libssl/src/crypto/objects/obj_dat.c
index 4534dc0985..f549d078ef 100644
--- a/src/lib/libssl/src/crypto/objects/obj_dat.c
+++ b/src/lib/libssl/src/crypto/objects/obj_dat.c
@@ -236,13 +236,13 @@ int OBJ_add_object(const ASN1_OBJECT *obj)
        if (added == NULL)
                if (!init_added()) return(0);
        if ((o=OBJ_dup(obj)) == NULL) goto err;
-        if (!(ao[ADDED_NID]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err;
+        if (!(ao[ADDED_NID]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
        if ((o->length != 0) && (obj->data != NULL))
-                ao[ADDED_DATA]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ));
+                if (!(ao[ADDED_DATA]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
        if (o->sn != NULL)
-                ao[ADDED_SNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ));
+                if (!(ao[ADDED_SNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
        if (o->ln != NULL)
-                ao[ADDED_LNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ));
+                if (!(ao[ADDED_LNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
        for (i=ADDED_DATA; i<=ADDED_NID; i++)
                {
@@ -260,6 +260,8 @@ int OBJ_add_object(const ASN1_OBJECT *obj)
                        ASN1_OBJECT_FLAG_DYNAMIC_DATA);
        return(o->nid);
+err2:
+        OBJerr(OBJ_F_OBJ_ADD_OBJECT,ERR_R_MALLOC_FAILURE);
 err:
        for (i=ADDED_DATA; i<=ADDED_NID; i++)
                if (ao[i] != NULL) OPENSSL_free(ao[i]);
@@ -648,7 +650,7 @@ int OBJ_create(const char *oid, const char *sn, const char *ln)
        if ((buf=(unsigned char *)OPENSSL_malloc(i)) == NULL)
                {
-                OBJerr(OBJ_F_OBJ_CREATE,OBJ_R_MALLOC_FAILURE);
+                OBJerr(OBJ_F_OBJ_CREATE,ERR_R_MALLOC_FAILURE);
                return(0);
                }
        i=a2d_ASN1_OBJECT(buf,i,oid,-1);
diff --git a/src/lib/libssl/src/crypto/objects/obj_err.c b/src/lib/libssl/src/crypto/objects/obj_err.c
index 80ab6855af..2b5f43e3cc 100644
--- a/src/lib/libssl/src/crypto/objects/obj_err.c
+++ b/src/lib/libssl/src/crypto/objects/obj_err.c
@@ -1,6 +1,6 @@
 /* crypto/objects/obj_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -66,8 +66,10 @@
 #ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA OBJ_str_functs[]=
        {
+{ERR_PACK(0,OBJ_F_OBJ_ADD_OBJECT,0),    "OBJ_add_object"},
 {ERR_PACK(0,OBJ_F_OBJ_CREATE,0),        "OBJ_create"},
 {ERR_PACK(0,OBJ_F_OBJ_DUP,0),   "OBJ_dup"},
+{ERR_PACK(0,OBJ_F_OBJ_NAME_NEW_INDEX,0),        "OBJ_NAME_new_index"},
 {ERR_PACK(0,OBJ_F_OBJ_NID2LN,0),        "OBJ_nid2ln"},
 {ERR_PACK(0,OBJ_F_OBJ_NID2OBJ,0),       "OBJ_nid2obj"},
 {ERR_PACK(0,OBJ_F_OBJ_NID2SN,0),        "OBJ_nid2sn"},
diff --git a/src/lib/libssl/src/crypto/objects/obj_mac.num b/src/lib/libssl/src/crypto/objects/obj_mac.num
index 9838072b65..0e64a929ba 100644
--- a/src/lib/libssl/src/crypto/objects/obj_mac.num
+++ b/src/lib/libssl/src/crypto/objects/obj_mac.num
@@ -647,3 +647,21 @@ joint_iso_itu_t		646
 international_organizations             647
 ms_smartcard_login              648
 ms_upn          649
+aes_128_cfb1            650
+aes_192_cfb1            651
+aes_256_cfb1            652
+aes_128_cfb8            653
+aes_192_cfb8            654
+aes_256_cfb8            655
+des_cfb1                656
+des_cfb8                657
+des_ede3_cfb1           658
+des_ede3_cfb8           659
+streetAddress           660
+postalCode              661
+id_ppl          662
+proxyCertInfo           663
+id_ppl_anyLanguage              664
+id_ppl_inheritAll               665
+id_ppl_independent              666
+Independent             667
diff --git a/src/lib/libssl/src/crypto/objects/objects.h b/src/lib/libssl/src/crypto/objects/objects.h
index de10532813..f859d859b8 100644
--- a/src/lib/libssl/src/crypto/objects/objects.h
+++ b/src/lib/libssl/src/crypto/objects/objects.h
@@ -1026,8 +1026,10 @@ void ERR_load_OBJ_strings(void);
 /* Error codes for the OBJ functions. */
 /* Function codes. */
+#define OBJ_F_OBJ_ADD_OBJECT                             105
 #define OBJ_F_OBJ_CREATE                                 100
 #define OBJ_F_OBJ_DUP                                    101
+#define OBJ_F_OBJ_NAME_NEW_INDEX                         106
 #define OBJ_F_OBJ_NID2LN                                 102
 #define OBJ_F_OBJ_NID2OBJ                                103
 #define OBJ_F_OBJ_NID2SN                                 104
diff --git a/src/lib/libssl/src/crypto/objects/objects.txt b/src/lib/libssl/src/crypto/objects/objects.txt
index 3ba11f65cc..50e9031e61 100644
--- a/src/lib/libssl/src/crypto/objects/objects.txt
+++ b/src/lib/libssl/src/crypto/objects/objects.txt
@@ -312,6 +312,7 @@ id-pkix 9		: id-pda
 id-pkix 10              : id-aca
 id-pkix 11              : id-qcs
 id-pkix 12              : id-cct
+id-pkix 21              : id-ppl
 id-pkix 48              : id-ad
 # PKIX Modules
@@ -346,6 +347,7 @@ id-pe 9			: sbqp-routerIdentifier
 id-pe 10                : ac-proxying
 !Cname sinfo-access
 id-pe 11                : subjectInfoAccess     : Subject Information Access
+id-pe 14                : proxyCertInfo         : Proxy Certificate Information
 # PKIX policyQualifiers for Internet policy qualifiers
 id-qt 1                 : id-qt-cps             : Policy Qualifier CPS
@@ -461,6 +463,11 @@ id-cct 1		: id-cct-crs
 id-cct 2                : id-cct-PKIData
 id-cct 3                : id-cct-PKIResponse
+# Predefined Proxy Certificate policy languages
+id-ppl 0                : id-ppl-anyLanguage    : Any language
+id-ppl 1                : id-ppl-inheritAll     : Inherit all
+id-ppl 2                : id-ppl-independent    : Independent
 # access descriptors for authority info access extension
 !Cname ad-OCSP
 id-ad 1                 : OCSP                  : OCSP
@@ -536,10 +543,12 @@ X509 5			: 			: serialNumber
 X509 6                  : C                     : countryName
 X509 7                  : L                     : localityName
 X509 8                  : ST                    : stateOrProvinceName
+X509 9                  :                       : streetAddress
 X509 10                 : O                     : organizationName
 X509 11                 : OU                    : organizationalUnitName
 X509 12                 :                       : title
 X509 13                 :                       : description
+X509 17                 :                       : postalCode
 X509 41                 : name                  : name
 X509 42                 : GN                    : givenName
 X509 43                 :                       : initials
@@ -681,6 +690,19 @@ aes 43			: AES-256-OFB		: aes-256-ofb
 !Cname aes-256-cfb128
 aes 44                  : AES-256-CFB           : aes-256-cfb
+# There are no OIDs for these modes...
+                        : AES-128-CFB1          : aes-128-cfb1
+                        : AES-192-CFB1          : aes-192-cfb1
+                        : AES-256-CFB1          : aes-256-cfb1
+                        : AES-128-CFB8          : aes-128-cfb8
+                        : AES-192-CFB8          : aes-192-cfb8
+                        : AES-256-CFB8          : aes-256-cfb8
+                        : DES-CFB1              : des-cfb1
+                        : DES-CFB8              : des-cfb8
+                        : DES-EDE3-CFB1         : des-ede3-cfb1
+                        : DES-EDE3-CFB8         : des-ede3-cfb8
 # Hold instruction CRL entry extension
 !Cname hold-instruction-code
 id-ce 23                : holdInstructionCode   : Hold Instruction Code
diff --git a/src/lib/libssl/src/crypto/opensslv.h b/src/lib/libssl/src/crypto/opensslv.h
index 02f1710fb3..5d5f688edd 100644
--- a/src/lib/libssl/src/crypto/opensslv.h
+++ b/src/lib/libssl/src/crypto/opensslv.h
@@ -25,8 +25,12 @@
 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
 *  major minor fix final patch/beta)
 */
-#define OPENSSL_VERSION_NUMBER  0x0090704fL
+#define OPENSSL_VERSION_NUMBER  0x0090707fL
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7d 17 Mar 2004"
+#ifdef OPENSSL_FIPS
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7g-fips 11 Apr 2005"
+#else
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7g 11 Apr 2005"
+#endif
 #define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
diff --git a/src/lib/libssl/src/crypto/pem/pem_all.c b/src/lib/libssl/src/crypto/pem/pem_all.c
index e72b7134ce..07963314c9 100644
--- a/src/lib/libssl/src/crypto/pem/pem_all.c
+++ b/src/lib/libssl/src/crypto/pem/pem_all.c
@@ -64,6 +64,7 @@
 #include <openssl/x509.h>
 #include <openssl/pkcs7.h>
 #include <openssl/pem.h>
+#include <openssl/fips.h>
 #ifndef OPENSSL_NO_RSA
 static RSA *pkey_get_rsa(EVP_PKEY *key, RSA **rsa);
@@ -128,7 +129,49 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb,
 #endif
+#ifdef OPENSSL_FIPS
+int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+                return 0;
+        EVP_PKEY_set1_RSA(k, x);
+        ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+}
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+                return 0;
+        EVP_PKEY_set1_RSA(k, x);
+        ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+}
+#endif
+#else
 IMPLEMENT_PEM_write_cb(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
+#endif
 IMPLEMENT_PEM_rw(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
 IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
@@ -158,7 +201,48 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb,
        return pkey_get_dsa(pktmp, dsa);
 }
+#ifdef OPENSSL_FIPS
+int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+                return 0;
+        EVP_PKEY_set1_DSA(k, x);
+        ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+}
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+                return 0;
+        EVP_PKEY_set1_DSA(k, x);
+        ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+}
+#endif
+#else
 IMPLEMENT_PEM_write_cb(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
+#endif
 IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
 #ifndef OPENSSL_NO_FP_API
@@ -190,7 +274,42 @@ IMPLEMENT_PEM_rw(DHparams, DH, PEM_STRING_DHPARAMS, DHparams)
 * (When reading, parameter PEM_STRING_EVP_PKEY is a wildcard for anything
 * appropriate.)
 */
+#ifdef OPENSSL_FIPS
+int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+        {
+                if (FIPS_mode())
+                        return PEM_write_bio_PKCS8PrivateKey(bp, x, enc,
+                                                (char *)kstr, klen, cb, u);
+                else
+                        return PEM_ASN1_write_bio((int (*)())i2d_PrivateKey,
+                (((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA),
+                        bp,(char *)x,enc,kstr,klen,cb,u);
+        }
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+        {
+                if (FIPS_mode())
+                        return PEM_write_PKCS8PrivateKey(fp, x, enc,
+                                                (char *)kstr, klen, cb, u);
+                else
+                        return PEM_ASN1_write((int (*)())i2d_PrivateKey,
+                (((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA),
+                        fp,(char *)x,enc,kstr,klen,cb,u);
+        }
+#endif
+#else
 IMPLEMENT_PEM_write_cb(PrivateKey, EVP_PKEY, ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA), PrivateKey)
+#endif
 IMPLEMENT_PEM_rw(PUBKEY, EVP_PKEY, PEM_STRING_PUBLIC, PUBKEY)
diff --git a/src/lib/libssl/src/crypto/pem/pem_lib.c b/src/lib/libssl/src/crypto/pem/pem_lib.c
index 7785039b99..82815067b3 100644
--- a/src/lib/libssl/src/crypto/pem/pem_lib.c
+++ b/src/lib/libssl/src/crypto/pem/pem_lib.c
@@ -73,7 +73,7 @@ const char *PEM_version="PEM" OPENSSL_VERSION_PTEXT;
 #define MIN_LENGTH      4
-static int load_iv(unsigned char **fromp,unsigned char *to, int num);
+static int load_iv(char **fromp,unsigned char *to, int num);
 static int check_pem(const char *nm, const char *name);
 int PEM_def_callback(char *buf, int num, int w, void *key)
@@ -301,7 +301,7 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
        if ((dsize=i2d(x,NULL)) < 0)
                {
-                PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_MALLOC_FAILURE);
+                PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_ASN1_LIB);
                dsize=0;
                goto err;
                }
@@ -432,6 +432,7 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
        int o;
        const EVP_CIPHER *enc=NULL;
        char *p,c;
+        char **header_pp = &header;
        cipher->cipher=NULL;
        if ((header == NULL) || (*header == '\0') || (*header == '\n'))
@@ -478,15 +479,16 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
                PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO,PEM_R_UNSUPPORTED_ENCRYPTION);
                return(0);
                }
-        if (!load_iv((unsigned char **)&header,&(cipher->iv[0]),enc->iv_len)) return(0);
+        if (!load_iv(header_pp,&(cipher->iv[0]),enc->iv_len))
+                return(0);
        return(1);
        }
-static int load_iv(unsigned char **fromp, unsigned char *to, int num)
+static int load_iv(char **fromp, unsigned char *to, int num)
        {
        int v,i;
-        unsigned char *from;
+        char *from;
        from= *fromp;
        for (i=0; i<num; i++) to[i]=0;
@@ -623,6 +625,9 @@ int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data,
        dataB=BUF_MEM_new();
        if ((nameB == NULL) || (headerB == NULL) || (dataB == NULL))
                {
+                BUF_MEM_free(nameB);
+                BUF_MEM_free(headerB);
+                BUF_MEM_free(dataB);
                PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE);
                return(0);
                }
diff --git a/src/lib/libssl/src/crypto/pem/pem_pkey.c b/src/lib/libssl/src/crypto/pem/pem_pkey.c
index f77c949e87..9ecdbd5419 100644
--- a/src/lib/libssl/src/crypto/pem/pem_pkey.c
+++ b/src/lib/libssl/src/crypto/pem/pem_pkey.c
@@ -104,6 +104,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, vo
                if (klen <= 0) {
                        PEMerr(PEM_F_PEM_ASN1_READ_BIO,
                                        PEM_R_BAD_PASSWORD_READ);
+                        X509_SIG_free(p8);
                        goto err;
                }
                p8inf = PKCS8_decrypt(p8, psbuf, klen);
diff --git a/src/lib/libssl/src/crypto/perlasm/x86asm.pl b/src/lib/libssl/src/crypto/perlasm/x86asm.pl
index 7c675e3ced..60233f80e8 100644
--- a/src/lib/libssl/src/crypto/perlasm/x86asm.pl
+++ b/src/lib/libssl/src/crypto/perlasm/x86asm.pl
@@ -130,4 +130,6 @@ BSDI - a.out with a very primative version of as.
 EOF
        }
+sub main'align() {} # swallow align statements in 0.9.7 context
 1;
diff --git a/src/lib/libssl/src/crypto/perlasm/x86ms.pl b/src/lib/libssl/src/crypto/perlasm/x86ms.pl
index fbb4afb9bd..b6bd744057 100644
--- a/src/lib/libssl/src/crypto/perlasm/x86ms.pl
+++ b/src/lib/libssl/src/crypto/perlasm/x86ms.pl
@@ -160,6 +160,7 @@ sub main'not	{ &out1("not",@_); }
 sub main'call   { &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); }
 sub main'ret    { &out0("ret"); }
 sub main'nop    { &out0("nop"); }
+sub main'movz   { &out2("movzx",@_); }
 sub out2
        {
diff --git a/src/lib/libssl/src/crypto/perlasm/x86nasm.pl b/src/lib/libssl/src/crypto/perlasm/x86nasm.pl
index 30346af4ea..5009acb4b3 100644
--- a/src/lib/libssl/src/crypto/perlasm/x86nasm.pl
+++ b/src/lib/libssl/src/crypto/perlasm/x86nasm.pl
@@ -86,7 +86,7 @@ sub get_mem
        {
        my($size,$addr,$reg1,$reg2,$idx)=@_;
        my($t,$post);
-        my($ret)="[";
+        my($ret)="$size [";
        $addr =~ s/^\s+//;
        if ($addr =~ /^(.+)\+(.+)$/)
                {
@@ -169,6 +169,7 @@ sub main'not	{ &out1("not",@_); }
 sub main'call   { &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); }
 sub main'ret    { &out0("ret"); }
 sub main'nop    { &out0("nop"); }
+sub main'movz   { &out2("movzx",@_); }
 sub out2
        {
@@ -176,6 +177,11 @@ sub out2
        my($l,$t);
        push(@out,"\t$name\t");
+        if ($name eq "lea")
+                {
+                $p1 =~ s/^[^\[]*\[/\[/;
+                $p2 =~ s/^[^\[]*\[/\[/;
+                }
        $t=&conv($p1).",";
        $l=length($t);
        push(@out,$t);
diff --git a/src/lib/libssl/src/crypto/perlasm/x86unix.pl b/src/lib/libssl/src/crypto/perlasm/x86unix.pl
index 53ad5f4927..9717d18557 100644
--- a/src/lib/libssl/src/crypto/perlasm/x86unix.pl
+++ b/src/lib/libssl/src/crypto/perlasm/x86unix.pl
@@ -143,12 +143,12 @@ sub main'shl	{ &out2("sall",@_); }
 sub main'shr    { &out2("shrl",@_); }
 sub main'xor    { &out2("xorl",@_); }
 sub main'xorb   { &out2("xorb",@_); }
-sub main'add    { &out2("addl",@_); }
+sub main'add    { &out2($_[0]=~/%[a-d][lh]/?"addb":"addl",@_); }
 sub main'adc    { &out2("adcl",@_); }
 sub main'sub    { &out2("subl",@_); }
 sub main'rotl   { &out2("roll",@_); }
 sub main'rotr   { &out2("rorl",@_); }
-sub main'exch   { &out2("xchg",@_); }
+sub main'exch   { &out2($_[0]=~/%[a-d][lh]/?"xchgb":"xchgl",@_); }
 sub main'cmp    { &out2("cmpl",@_); }
 sub main'lea    { &out2("leal",@_); }
 sub main'mul    { &out1("mull",@_); }
@@ -170,7 +170,7 @@ sub main'jc	{ &out1("jc",@_); }
 sub main'jnc    { &out1("jnc",@_); }
 sub main'jno    { &out1("jno",@_); }
 sub main'dec    { &out1("decl",@_); }
-sub main'inc    { &out1("incl",@_); }
+sub main'inc    { &out1($_[0]=~/%[a-d][hl]/?"incb":"incl",@_); }
 sub main'push   { &out1("pushl",@_); $stack+=4; }
 sub main'pop    { &out1("popl",@_); $stack-=4; }
 sub main'pushf  { &out0("pushf"); $stack+=4; }
@@ -179,6 +179,7 @@ sub main'not	{ &out1("notl",@_); }
 sub main'call   { &out1("call",($_[0]=~/^\.L/?'':$under).$_[0]); }
 sub main'ret    { &out0("ret"); }
 sub main'nop    { &out0("nop"); }
+sub main'movz   { &out2("movzbl",@_); }
 # The bswapl instruction is new for the 486. Emulate if i386.
 sub main'bswap
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c b/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c
index 5e8958612b..003ec7a33e 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c
@@ -88,7 +88,7 @@ int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
                ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de)
 {
        PBEPARAM *pbe;
-        int saltlen, iter;
+        int saltlen, iter, ret;
        unsigned char *salt, *pbuf;
        unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
@@ -117,8 +117,8 @@ int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
                return 0;
        }
        PBEPARAM_free(pbe);
-        EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
+        ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
        OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
        OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
-        return 1;
+        return ret;
 }
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_init.c b/src/lib/libssl/src/crypto/pkcs12/p12_init.c
index eb837a78cf..5276b12669 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_init.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_init.c
@@ -76,15 +76,17 @@ PKCS12 *PKCS12_init (int mode)
                        if (!(pkcs12->authsafes->d.data =
                                 M_ASN1_OCTET_STRING_new())) {
                        PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
-                        return NULL;
+                        goto err;
                }
                break;
                default:
-                        PKCS12err(PKCS12_F_PKCS12_INIT,PKCS12_R_UNSUPPORTED_PKCS12_MODE);
+                        PKCS12err(PKCS12_F_PKCS12_INIT,
-                        PKCS12_free(pkcs12);
+                                PKCS12_R_UNSUPPORTED_PKCS12_MODE);
-                        return NULL;
+                        goto err;
-                break;
        }
                
        return pkcs12;
+err:
+        if (pkcs12 != NULL) PKCS12_free(pkcs12);
+        return NULL;
 }
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_kiss.c b/src/lib/libssl/src/crypto/pkcs12/p12_kiss.c
index 885087ad00..2b31999e11 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_kiss.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_kiss.c
@@ -249,14 +249,26 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
                if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
                                                                 return 1;
                if (!(x509 = PKCS12_certbag2x509(bag))) return 0;
-                if(ckid) X509_keyid_set1(x509, ckid->data, ckid->length);
+                if(ckid)
+                        {
+                        if (!X509_keyid_set1(x509, ckid->data, ckid->length))
+                                {
+                                X509_free(x509);
+                                return 0;
+                                }
+                        }
                if(fname) {
-                        int len;
+                        int len, r;
                        unsigned char *data;
                        len = ASN1_STRING_to_UTF8(&data, fname);
                        if(len > 0) {
-                                X509_alias_set1(x509, data, len);
+                                r = X509_alias_set1(x509, data, len);
                                OPENSSL_free(data);
+                                if (!r)
+                                        {
+                                        X509_free(x509);
+                                        return 0;
+                                        }
                        }
                }
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_mutl.c b/src/lib/libssl/src/crypto/pkcs12/p12_mutl.c
index 0fb67f74b8..4886b9b289 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_mutl.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_mutl.c
@@ -148,7 +148,10 @@ int PKCS12_setup_mac (PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
                        PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
                        return 0;
                }
-                ASN1_INTEGER_set(p12->mac->iter, iter);
+                if (!ASN1_INTEGER_set(p12->mac->iter, iter)) {
+                        PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
        }
        if (!saltlen) saltlen = PKCS12_SALT_LEN;
        p12->mac->salt->length = saltlen;
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_attr.c b/src/lib/libssl/src/crypto/pkcs7/pk7_attr.c
index 5ff5a88b5c..039141027a 100644
--- a/src/lib/libssl/src/crypto/pkcs7/pk7_attr.c
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_attr.c
@@ -3,7 +3,7 @@
 * project 2001.
 */
 /* ====================================================================
- * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2001-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -94,17 +94,18 @@ int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK_OF(X509_ALGOR) *cap)
 }
 STACK_OF(X509_ALGOR) *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si)
-{
+        {
        ASN1_TYPE *cap;
        unsigned char *p;
        cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities);
-        if (!cap) return NULL;
+        if (!cap || (cap->type != V_ASN1_SEQUENCE))
+                return NULL;
        p = cap->value.sequence->data;
        return d2i_ASN1_SET_OF_X509_ALGOR(NULL, &p,
                                          cap->value.sequence->length,
                                          d2i_X509_ALGOR, X509_ALGOR_free,
                                          V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-}
+        }
 /* Basic smime-capabilities OID and optional integer arg */
 int PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int arg)
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
index b78e22819c..4ac29ae14d 100644
--- a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
@@ -239,7 +239,13 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
                                OPENSSL_free(tmp);
                                goto err;
                                }
-                        M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj);
+                        if (!M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj))
+                                {
+                                PKCS7err(PKCS7_F_PKCS7_DATAINIT,
+                                        ERR_R_MALLOC_FAILURE);
+                                OPENSSL_free(tmp);
+                                goto err;
+                                }
                        }
                OPENSSL_free(tmp);
                OPENSSL_cleanse(key, keylen);
@@ -520,12 +526,20 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
        case NID_pkcs7_signedAndEnveloped:
                /* XXXXXXXXXXXXXXXX */
                si_sk=p7->d.signed_and_enveloped->signer_info;
-                os=M_ASN1_OCTET_STRING_new();
+                if (!(os=M_ASN1_OCTET_STRING_new()))
+                        {
+                        PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
                p7->d.signed_and_enveloped->enc_data->enc_data=os;
                break;
        case NID_pkcs7_enveloped:
                /* XXXXXXXXXXXXXXXX */
-                os=M_ASN1_OCTET_STRING_new();
+                if (!(os=M_ASN1_OCTET_STRING_new()))
+                        {
+                        PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
                p7->d.enveloped->enc_data->enc_data=os;
                break;
        case NID_pkcs7_signed:
@@ -599,7 +613,12 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                                if (!PKCS7_get_signed_attribute(si,
                                                        NID_pkcs9_signingTime))
                                        {
-                                        sign_time=X509_gmtime_adj(NULL,0);
+                                        if (!(sign_time=X509_gmtime_adj(NULL,0)))
+                                                {
+                                                PKCS7err(PKCS7_F_PKCS7_DATASIGN,
+                                                        ERR_R_MALLOC_FAILURE);
+                                                goto err;
+                                                }
                                        PKCS7_add_signed_attribute(si,
                                                NID_pkcs9_signingTime,
                                                V_ASN1_UTCTIME,sign_time);
@@ -608,8 +627,19 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                                /* Add digest */
                                md_tmp=EVP_MD_CTX_md(&ctx_tmp);
                                EVP_DigestFinal_ex(&ctx_tmp,md_data,&md_len);
-                                digest=M_ASN1_OCTET_STRING_new();
+                                if (!(digest=M_ASN1_OCTET_STRING_new()))
-                                M_ASN1_OCTET_STRING_set(digest,md_data,md_len);
+                                        {
+                                        PKCS7err(PKCS7_F_PKCS7_DATASIGN,
+                                                ERR_R_MALLOC_FAILURE);
+                                        goto err;
+                                        }
+                                if (!M_ASN1_OCTET_STRING_set(digest,md_data,
+                                                                md_len))
+                                        {
+                                        PKCS7err(PKCS7_F_PKCS7_DATASIGN,
+                                                ERR_R_MALLOC_FAILURE);
+                                        goto err;
+                                        }
                                PKCS7_add_signed_attribute(si,
                                        NID_pkcs9_messageDigest,
                                        V_ASN1_OCTET_STRING,digest);
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_lib.c b/src/lib/libssl/src/crypto/pkcs7/pk7_lib.c
index 985b07245c..ee1817c7af 100644
--- a/src/lib/libssl/src/crypto/pkcs7/pk7_lib.c
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_lib.c
@@ -164,7 +164,12 @@ int PKCS7_set_type(PKCS7 *p7, int type)
                p7->type=obj;
                if ((p7->d.sign=PKCS7_SIGNED_new()) == NULL)
                        goto err;
-                ASN1_INTEGER_set(p7->d.sign->version,1);
+                if (!ASN1_INTEGER_set(p7->d.sign->version,1))
+                        {
+                        PKCS7_SIGNED_free(p7->d.sign);
+                        p7->d.sign=NULL;
+                        goto err;
+                        }
                break;
        case NID_pkcs7_data:
                p7->type=obj;
@@ -176,6 +181,8 @@ int PKCS7_set_type(PKCS7 *p7, int type)
                if ((p7->d.signed_and_enveloped=PKCS7_SIGN_ENVELOPE_new())
                        == NULL) goto err;
                ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1);
+                if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1))
+                        goto err;
                p7->d.signed_and_enveloped->enc_data->content_type
                                                = OBJ_nid2obj(NID_pkcs7_data);
                break;
@@ -183,7 +190,8 @@ int PKCS7_set_type(PKCS7 *p7, int type)
                p7->type=obj;
                if ((p7->d.enveloped=PKCS7_ENVELOPE_new())
                        == NULL) goto err;
-                ASN1_INTEGER_set(p7->d.enveloped->version,0);
+                if (!ASN1_INTEGER_set(p7->d.enveloped->version,0))
+                        goto err;
                p7->d.enveloped->enc_data->content_type
                                                = OBJ_nid2obj(NID_pkcs7_data);
                break;
@@ -191,7 +199,8 @@ int PKCS7_set_type(PKCS7 *p7, int type)
                p7->type=obj;
                if ((p7->d.encrypted=PKCS7_ENCRYPT_new())
                        == NULL) goto err;
-                ASN1_INTEGER_set(p7->d.encrypted->version,0);
+                if (!ASN1_INTEGER_set(p7->d.encrypted->version,0))
+                        goto err;
                p7->d.encrypted->enc_data->content_type
                                                = OBJ_nid2obj(NID_pkcs7_data);
                break;
@@ -318,15 +327,18 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
        if (pkey->type == EVP_PKEY_DSA) is_dsa = 1;
        else is_dsa = 0;
        /* We now need to add another PKCS7_SIGNER_INFO entry */
-        ASN1_INTEGER_set(p7i->version,1);
+        if (!ASN1_INTEGER_set(p7i->version,1))
-        X509_NAME_set(&p7i->issuer_and_serial->issuer,
+                goto err;
-                X509_get_issuer_name(x509));
+        if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
+                        X509_get_issuer_name(x509)))
+                goto err;
        /* because ASN1_INTEGER_set is used to set a 'long' we will do
         * things the ugly way. */
        M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
-        p7i->issuer_and_serial->serial=
+        if (!(p7i->issuer_and_serial->serial=
-                M_ASN1_INTEGER_dup(X509_get_serialNumber(x509));
+                        M_ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
+                goto err;
        /* lets keep the pkey around for a while */
        CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
@@ -423,16 +435,20 @@ int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri)
 int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
        {
-        ASN1_INTEGER_set(p7i->version,0);
+        if (!ASN1_INTEGER_set(p7i->version,0))
-        X509_NAME_set(&p7i->issuer_and_serial->issuer,
+                return 0;
-                X509_get_issuer_name(x509));
+        if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
+                X509_get_issuer_name(x509)))
+                return 0;
        M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
-        p7i->issuer_and_serial->serial=
+        if (!(p7i->issuer_and_serial->serial=
-                M_ASN1_INTEGER_dup(X509_get_serialNumber(x509));
+                M_ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
+                return 0;
        X509_ALGOR_free(p7i->key_enc_algor);
-        p7i->key_enc_algor= X509_ALGOR_dup(x509->cert_info->key->algor);
+        if (!(p7i->key_enc_algor= X509_ALGOR_dup(x509->cert_info->key->algor)))
+                return 0;
        CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
        p7i->cert=x509;
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c b/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c
index 6e5735de11..a852b49235 100644
--- a/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c
@@ -155,7 +155,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
        char buf[4096];
        int i, j=0, k, ret = 0;
        BIO *p7bio;
-        BIO *tmpout;
+        BIO *tmpin, *tmpout;
        if(!p7) {
                PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_INVALID_NULL_POINTER);
@@ -228,7 +228,30 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
                /* Check for revocation status here */
        }
-        p7bio=PKCS7_dataInit(p7,indata);
+        /* Performance optimization: if the content is a memory BIO then
+         * store its contents in a temporary read only memory BIO. This
+         * avoids potentially large numbers of slow copies of data which will
+         * occur when reading from a read write memory BIO when signatures
+         * are calculated.
+         */
+        if (indata && (BIO_method_type(indata) == BIO_TYPE_MEM))
+                {
+                char *ptr;
+                long len;
+                len = BIO_get_mem_data(indata, &ptr);
+                tmpin = BIO_new_mem_buf(ptr, len);
+                if (tmpin == NULL)
+                        {
+                        PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                        }
+                }
+        else
+                tmpin = indata;
+                
+        p7bio=PKCS7_dataInit(p7,tmpin);
        if(flags & PKCS7_TEXT) {
                if(!(tmpout = BIO_new(BIO_s_mem()))) {
@@ -270,9 +293,15 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
        ret = 1;
        err:
+        
+        if (tmpin == indata)
+                {
+                if(indata) BIO_pop(p7bio);
+                BIO_free_all(p7bio);
+                }
+        else
+                BIO_free_all(tmpin);
-        if(indata) BIO_pop(p7bio);
-        BIO_free_all(p7bio);
        sk_X509_free(signers);
        return ret;
@@ -296,10 +325,6 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)
                PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_WRONG_CONTENT_TYPE);
                return NULL;
        }
-        if(!(signers = sk_X509_new_null())) {
-                PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,ERR_R_MALLOC_FAILURE);
-                return NULL;
-        }
        /* Collect all the signers together */
@@ -310,6 +335,11 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)
                return 0;
        }
+        if(!(signers = sk_X509_new_null())) {
+                PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
        for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++)
        {
            si = sk_PKCS7_SIGNER_INFO_value(sinfos, i);
diff --git a/src/lib/libssl/src/crypto/rand/md_rand.c b/src/lib/libssl/src/crypto/rand/md_rand.c
index eeffc0df4c..c84968df88 100644
--- a/src/lib/libssl/src/crypto/rand/md_rand.c
+++ b/src/lib/libssl/src/crypto/rand/md_rand.c
@@ -126,6 +126,7 @@
 #include <openssl/crypto.h>
 #include <openssl/err.h>
+#include <openssl/fips.h>
 #ifdef BN_DEBUG
 # define PREDICT
@@ -332,6 +333,14 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 #endif
        int do_stir_pool = 0;
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode())
+            {
+            FIPSerr(FIPS_F_SSLEAY_RAND_BYTES,FIPS_R_NON_FIPS_METHOD);
+            return 0;
+            }
+#endif
 #ifdef PREDICT
        if (rand_predictable)
                {
diff --git a/src/lib/libssl/src/crypto/rand/rand.h b/src/lib/libssl/src/crypto/rand/rand.h
index 606382dd21..604df9be6c 100644
--- a/src/lib/libssl/src/crypto/rand/rand.h
+++ b/src/lib/libssl/src/crypto/rand/rand.h
@@ -71,6 +71,10 @@
 extern "C" {
 #endif
+#if defined(OPENSSL_FIPS)
+#define FIPS_RAND_SIZE_T int
+#endif
 typedef struct rand_meth_st
        {
        void (*seed)(const void *buf, int num);
@@ -121,11 +125,17 @@ void ERR_load_RAND_strings(void);
 /* Error codes for the RAND functions. */
 /* Function codes. */
+#define RAND_F_FIPS_RAND_BYTES                           102
 #define RAND_F_RAND_GET_RAND_METHOD                      101
 #define RAND_F_SSLEAY_RAND_BYTES                         100
 /* Reason codes. */
+#define RAND_R_NON_FIPS_METHOD                           101
+#define RAND_R_PRNG_ASKING_FOR_TOO_MUCH                  105
+#define RAND_R_PRNG_NOT_REKEYED                          103
+#define RAND_R_PRNG_NOT_RESEEDED                         104
 #define RAND_R_PRNG_NOT_SEEDED                           100
+#define RAND_R_PRNG_STUCK                                102
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libssl/src/crypto/rand/rand_egd.c b/src/lib/libssl/src/crypto/rand/rand_egd.c
index 6f742900a0..cd666abfcb 100644
--- a/src/lib/libssl/src/crypto/rand/rand_egd.c
+++ b/src/lib/libssl/src/crypto/rand/rand_egd.c
@@ -95,7 +95,7 @@
 *   RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255.
 */
-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS)
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_VOS)
 int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
        {
        return(-1);
@@ -216,7 +216,9 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
            while (numbytes != 1)
                {
                num = read(fd, egdbuf, 1);
-                if (num >= 0)
+                if (num == 0)
+                        goto err;       /* descriptor closed */
+                else if (num > 0)
                    numbytes += num;
                else
                    {
@@ -246,7 +248,9 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
            while (numbytes != egdbuf[0])
                {
                num = read(fd, retrievebuf + numbytes, egdbuf[0] - numbytes);
-                if (num >= 0)
+                if (num == 0)
+                        goto err;       /* descriptor closed */
+                else if (num > 0)
                    numbytes += num;
                else
                    {
diff --git a/src/lib/libssl/src/crypto/rand/rand_err.c b/src/lib/libssl/src/crypto/rand/rand_err.c
index b77267e213..95574659ac 100644
--- a/src/lib/libssl/src/crypto/rand/rand_err.c
+++ b/src/lib/libssl/src/crypto/rand/rand_err.c
@@ -1,6 +1,6 @@
 /* crypto/rand/rand_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -66,6 +66,7 @@
 #ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA RAND_str_functs[]=
        {
+{ERR_PACK(0,RAND_F_FIPS_RAND_BYTES,0),  "FIPS_RAND_BYTES"},
 {ERR_PACK(0,RAND_F_RAND_GET_RAND_METHOD,0),     "RAND_get_rand_method"},
 {ERR_PACK(0,RAND_F_SSLEAY_RAND_BYTES,0),        "SSLEAY_RAND_BYTES"},
 {0,NULL}
@@ -73,7 +74,12 @@ static ERR_STRING_DATA RAND_str_functs[]=
 static ERR_STRING_DATA RAND_str_reasons[]=
        {
+{RAND_R_NON_FIPS_METHOD                  ,"non fips method"},
+{RAND_R_PRNG_ASKING_FOR_TOO_MUCH         ,"prng asking for too much"},
+{RAND_R_PRNG_NOT_REKEYED                 ,"prng not rekeyed"},
+{RAND_R_PRNG_NOT_RESEEDED                ,"prng not reseeded"},
 {RAND_R_PRNG_NOT_SEEDED                  ,"PRNG not seeded"},
+{RAND_R_PRNG_STUCK                       ,"prng stuck"},
 {0,NULL}
        };
diff --git a/src/lib/libssl/src/crypto/rand/rand_lib.c b/src/lib/libssl/src/crypto/rand/rand_lib.c
index 513e338985..88f1b56d91 100644
--- a/src/lib/libssl/src/crypto/rand/rand_lib.c
+++ b/src/lib/libssl/src/crypto/rand/rand_lib.c
@@ -63,6 +63,8 @@
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
+#include <openssl/fips.h>
+#include <openssl/fips_rand.h>
 #ifndef OPENSSL_NO_ENGINE
 /* non-NULL if default_RAND_meth is ENGINE-provided */
@@ -85,6 +87,16 @@ int RAND_set_rand_method(const RAND_METHOD *meth)
 const RAND_METHOD *RAND_get_rand_method(void)
        {
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode()
+                && default_RAND_meth != FIPS_rand_check())
+            {
+            RANDerr(RAND_F_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD);
+            return 0;
+            }
+#endif
        if (!default_RAND_meth)
                {
 #ifndef OPENSSL_NO_ENGINE
diff --git a/src/lib/libssl/src/crypto/rand/rand_unix.c b/src/lib/libssl/src/crypto/rand/rand_unix.c
index 0599719dd1..9376554fae 100644
--- a/src/lib/libssl/src/crypto/rand/rand_unix.c
+++ b/src/lib/libssl/src/crypto/rand/rand_unix.c
@@ -120,6 +120,7 @@
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/times.h>
+#include <sys/stat.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <time.h>
@@ -151,9 +152,9 @@ int RAND_poll(void)
        int n = 0;
 #endif
 #ifdef DEVRANDOM
-        static const char *randomfiles[] = { DEVRANDOM, NULL };
+        static const char *randomfiles[] = { DEVRANDOM };
-        const char **randomfile = NULL;
+        struct stat randomstats[sizeof(randomfiles)/sizeof(randomfiles[0])];
-        int fd;
+        int fd,i;
 #endif
 #ifdef DEVRANDOM_EGD
        static const char *egdsockets[] = { DEVRANDOM_EGD, NULL };
@@ -161,26 +162,42 @@ int RAND_poll(void)
 #endif
 #ifdef DEVRANDOM
+        memset(randomstats,0,sizeof(randomstats));
        /* Use a random entropy pool device. Linux, FreeBSD and OpenBSD
         * have this. Use /dev/urandom if you can as /dev/random may block
         * if it runs out of random entries.  */
-        for (randomfile = randomfiles; *randomfile && n < ENTROPY_NEEDED; randomfile++)
+        for (i=0; i<sizeof(randomfiles)/sizeof(randomfiles[0]) && n < ENTROPY_NEEDED; i++)
                {
-                if ((fd = open(*randomfile, O_RDONLY|O_NONBLOCK
+                if ((fd = open(randomfiles[i], O_RDONLY
+#ifdef O_NONBLOCK
+                        |O_NONBLOCK
+#endif
+#ifdef O_BINARY
+                        |O_BINARY
+#endif
 #ifdef O_NOCTTY /* If it happens to be a TTY (god forbid), do not make it
                   our controlling tty */
                        |O_NOCTTY
 #endif
-#ifdef O_NOFOLLOW /* Fail if the file is a symbolic link */
-                        |O_NOFOLLOW
-#endif
                        )) >= 0)
                        {
                        struct timeval t = { 0, 10*1000 }; /* Spend 10ms on
                                                              each file. */
-                        int r;
+                        int r,j;
                        fd_set fset;
+                        struct stat *st=&randomstats[i];
+                        /* Avoid using same input... Used to be O_NOFOLLOW
+                         * above, but it's not universally appropriate... */
+                        if (fstat(fd,st) != 0)  { close(fd); continue; }
+                        for (j=0;j<i;j++)
+                                {
+                                if (randomstats[j].st_ino==st->st_ino &&
+                                    randomstats[j].st_dev==st->st_dev)
+                                        break;
+                                }
+                        if (j<i)                { close(fd); continue; }
                        do
                                {
diff --git a/src/lib/libssl/src/crypto/rand/rand_vms.c b/src/lib/libssl/src/crypto/rand/rand_vms.c
index 29b2d7af0b..1267a3acae 100644
--- a/src/lib/libssl/src/crypto/rand/rand_vms.c
+++ b/src/lib/libssl/src/crypto/rand/rand_vms.c
@@ -101,11 +101,12 @@ int RAND_poll(void)
        pitem = item;
        /* Setup */
-        while (pitems_data->length)
+        while (pitems_data->length
+                && (total_length + pitems_data->length <= 256))
                {
                pitem->length = pitems_data->length;
                pitem->code = pitems_data->code;
-                pitem->buffer = (long *)data_buffer[total_length];
+                pitem->buffer = (long *)&data_buffer[total_length];
                pitem->retlen = 0;
                total_length += pitems_data->length;
                pitems_data++;
diff --git a/src/lib/libssl/src/crypto/rand/rand_win.c b/src/lib/libssl/src/crypto/rand/rand_win.c
index 3584842224..30c69161ef 100644
--- a/src/lib/libssl/src/crypto/rand/rand_win.c
+++ b/src/lib/libssl/src/crypto/rand/rand_win.c
@@ -125,7 +125,7 @@
 * http://developer.intel.com/design/security/rng/redist_license.htm
 */
 #define PROV_INTEL_SEC 22
-#define INTEL_DEF_PROV TEXT("Intel Hardware Cryptographic Service Provider")
+#define INTEL_DEF_PROV L"Intel Hardware Cryptographic Service Provider"
 static void readtimer(void);
 static void readscreen(void);
@@ -152,7 +152,7 @@ typedef struct tagCURSORINFO
 #define CURSOR_SHOWING     0x00000001
 #endif /* CURSOR_SHOWING */
-typedef BOOL (WINAPI *CRYPTACQUIRECONTEXT)(HCRYPTPROV *, LPCTSTR, LPCTSTR,
+typedef BOOL (WINAPI *CRYPTACQUIRECONTEXTW)(HCRYPTPROV *, LPCWSTR, LPCWSTR,
                                    DWORD, DWORD);
 typedef BOOL (WINAPI *CRYPTGENRANDOM)(HCRYPTPROV, DWORD, BYTE *);
 typedef BOOL (WINAPI *CRYPTRELEASECONTEXT)(HCRYPTPROV, DWORD);
@@ -194,7 +194,7 @@ int RAND_poll(void)
        HWND h;
        HMODULE advapi, kernel, user, netapi;
-        CRYPTACQUIRECONTEXT acquire = 0;
+        CRYPTACQUIRECONTEXTW acquire = 0;
        CRYPTGENRANDOM gen = 0;
        CRYPTRELEASECONTEXT release = 0;
 #if 1 /* There was previously a problem with NETSTATGET.  Currently, this
@@ -213,6 +213,9 @@ int RAND_poll(void)
        GetVersionEx( &osverinfo ) ;
 #if defined(OPENSSL_SYS_WINCE) && WCEPLATFORM!=MS_HPC_PRO
+#ifndef CryptAcquireContext
+#define CryptAcquireContext CryptAcquireContextW
+#endif
        /* poll the CryptoAPI PRNG */
        /* The CryptoAPI returns sizeof(buf) bytes of randomness */
        if (CryptAcquireContext(&hProvider, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
@@ -223,21 +226,35 @@ int RAND_poll(void)
                }
 #endif
+#ifndef OPENSSL_SYS_WINCE
+        /*
+         * None of below libraries are present on Windows CE, which is
+         * why we #ifndef the whole section. This also excuses us from
+         * handling the GetProcAddress issue. The trouble is that in
+         * real Win32 API GetProcAddress is available in ANSI flavor
+         * only. In WinCE on the other hand GetProcAddress is a macro
+         * most commonly defined as GetProcAddressW, which accepts
+         * Unicode argument. If we were to call GetProcAddress under
+         * WinCE, I'd recommend to either redefine GetProcAddress as
+         * GetProcAddressA (there seem to be one in common CE spec) or
+         * implement own shim routine, which would accept ANSI argument
+         * and expand it to Unicode.
+         */
        /* load functions dynamically - not available on all systems */
        advapi = LoadLibrary(TEXT("ADVAPI32.DLL"));
        kernel = LoadLibrary(TEXT("KERNEL32.DLL"));
        user = LoadLibrary(TEXT("USER32.DLL"));
        netapi = LoadLibrary(TEXT("NETAPI32.DLL"));
-#ifndef OPENSSL_SYS_WINCE
 #if 1 /* There was previously a problem with NETSTATGET.  Currently, this
       * section is still experimental, but if all goes well, this conditional
       * will be removed
       */
        if (netapi)
                {
-                netstatget = (NETSTATGET) GetProcAddress(netapi,TEXT("NetStatisticsGet"));
+                netstatget = (NETSTATGET) GetProcAddress(netapi,"NetStatisticsGet");
-                netfree = (NETFREE) GetProcAddress(netapi,TEXT("NetApiBufferFree"));
+                netfree = (NETFREE) GetProcAddress(netapi,"NetApiBufferFree");
                }
        if (netstatget && netfree)
@@ -264,9 +281,7 @@ int RAND_poll(void)
        if (netapi)
                FreeLibrary(netapi);
 #endif /* 1 */
-#endif /* !OPENSSL_SYS_WINCE */
- 
-#ifndef OPENSSL_SYS_WINCE
        /* It appears like this can cause an exception deep within ADVAPI32.DLL
         * at random times on Windows 2000.  Reported by Jeffrey Altman.  
         * Only use it on NT.
@@ -321,16 +336,20 @@ int RAND_poll(void)
                        free(buf);
                }
 #endif
-#endif /* !OPENSSL_SYS_WINCE */
        if (advapi)
                {
-                acquire = (CRYPTACQUIRECONTEXT) GetProcAddress(advapi,
+                /*
-                        TEXT("CryptAcquireContextA"));
+                 * If it's available, then it's available in both ANSI
+                 * and UNICODE flavors even in Win9x, documentation says.
+                 * We favor Unicode...
+                 */
+                acquire = (CRYPTACQUIRECONTEXTW) GetProcAddress(advapi,
+                        "CryptAcquireContextW");
                gen = (CRYPTGENRANDOM) GetProcAddress(advapi,
-                        TEXT("CryptGenRandom"));
+                        "CryptGenRandom");
                release = (CRYPTRELEASECONTEXT) GetProcAddress(advapi,
-                        TEXT("CryptReleaseContext"));
+                        "CryptReleaseContext");
                }
        if (acquire && gen && release)
@@ -367,26 +386,15 @@ int RAND_poll(void)
        if (advapi)
                FreeLibrary(advapi);
-        /* timer data */
-        readtimer();
-        
-        /* memory usage statistics */
-        GlobalMemoryStatus(&m);
-        RAND_add(&m, sizeof(m), 1);
-        /* process ID */
-        w = GetCurrentProcessId();
-        RAND_add(&w, sizeof(w), 1);
        if (user)
                {
                GETCURSORINFO cursor;
                GETFOREGROUNDWINDOW win;
                GETQUEUESTATUS queue;
-                win = (GETFOREGROUNDWINDOW) GetProcAddress(user, TEXT("GetForegroundWindow"));
+                win = (GETFOREGROUNDWINDOW) GetProcAddress(user, "GetForegroundWindow");
-                cursor = (GETCURSORINFO) GetProcAddress(user, TEXT("GetCursorInfo"));
+                cursor = (GETCURSORINFO) GetProcAddress(user, "GetCursorInfo");
-                queue = (GETQUEUESTATUS) GetProcAddress(user, TEXT("GetQueueStatus"));
+                queue = (GETQUEUESTATUS) GetProcAddress(user, "GetQueueStatus");
                if (win)
                        {
@@ -458,19 +466,19 @@ int RAND_poll(void)
                MODULEENTRY32 m;
                snap = (CREATETOOLHELP32SNAPSHOT)
-                        GetProcAddress(kernel, TEXT("CreateToolhelp32Snapshot"));
+                        GetProcAddress(kernel, "CreateToolhelp32Snapshot");
                close_snap = (CLOSETOOLHELP32SNAPSHOT)
-                        GetProcAddress(kernel, TEXT("CloseToolhelp32Snapshot"));
+                        GetProcAddress(kernel, "CloseToolhelp32Snapshot");
-                heap_first = (HEAP32FIRST) GetProcAddress(kernel, TEXT("Heap32First"));
+                heap_first = (HEAP32FIRST) GetProcAddress(kernel, "Heap32First");
-                heap_next = (HEAP32NEXT) GetProcAddress(kernel, TEXT("Heap32Next"));
+                heap_next = (HEAP32NEXT) GetProcAddress(kernel, "Heap32Next");
-                heaplist_first = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListFirst"));
+                heaplist_first = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListFirst");
-                heaplist_next = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListNext"));
+                heaplist_next = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListNext");
-                process_first = (PROCESS32) GetProcAddress(kernel, TEXT("Process32First"));
+                process_first = (PROCESS32) GetProcAddress(kernel, "Process32First");
-                process_next = (PROCESS32) GetProcAddress(kernel, TEXT("Process32Next"));
+                process_next = (PROCESS32) GetProcAddress(kernel, "Process32Next");
-                thread_first = (THREAD32) GetProcAddress(kernel, TEXT("Thread32First"));
+                thread_first = (THREAD32) GetProcAddress(kernel, "Thread32First");
-                thread_next = (THREAD32) GetProcAddress(kernel, TEXT("Thread32Next"));
+                thread_next = (THREAD32) GetProcAddress(kernel, "Thread32Next");
-                module_first = (MODULE32) GetProcAddress(kernel, TEXT("Module32First"));
+                module_first = (MODULE32) GetProcAddress(kernel, "Module32First");
-                module_next = (MODULE32) GetProcAddress(kernel, TEXT("Module32Next"));
+                module_next = (MODULE32) GetProcAddress(kernel, "Module32Next");
                if (snap && heap_first && heap_next && heaplist_first &&
                        heaplist_next && process_first && process_next &&
@@ -546,6 +554,18 @@ int RAND_poll(void)
                FreeLibrary(kernel);
                }
+#endif /* !OPENSSL_SYS_WINCE */
+        /* timer data */
+        readtimer();
+        
+        /* memory usage statistics */
+        GlobalMemoryStatus(&m);
+        RAND_add(&m, sizeof(m), 1);
+        /* process ID */
+        w = GetCurrentProcessId();
+        RAND_add(&w, sizeof(w), 1);
 #if 0
        printf("Exiting RAND_poll\n");
@@ -607,7 +627,7 @@ static void readtimer(void)
        DWORD w;
        LARGE_INTEGER l;
        static int have_perfc = 1;
-#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE)
+#if defined(_MSC_VER) && defined(_M_X86)
        static int have_tsc = 1;
        DWORD cyclecount;
@@ -660,7 +680,7 @@ static void readtimer(void)
 static void readscreen(void)
 {
-#ifndef OPENSSL_SYS_WINCE
+#if !defined(OPENSSL_SYS_WINCE) && !defined(OPENSSL_SYS_WIN32_CYGWIN)
  HDC           hScrDC;         /* screen DC */
  HDC           hMemDC;         /* memory DC */
  HBITMAP       hBitmap;        /* handle for our bitmap */
diff --git a/src/lib/libssl/src/crypto/rand/randfile.c b/src/lib/libssl/src/crypto/rand/randfile.c
index d88ee0d780..9bd89ba495 100644
--- a/src/lib/libssl/src/crypto/rand/randfile.c
+++ b/src/lib/libssl/src/crypto/rand/randfile.c
@@ -166,6 +166,7 @@ int RAND_write_file(const char *file)
        }
 #if defined(O_CREAT) && !defined(OPENSSL_SYS_WIN32)
+        {
        /* For some reason Win32 can't write to files created this way */
        
        /* chmod(..., 0600) is too late to protect the file,
@@ -173,6 +174,7 @@ int RAND_write_file(const char *file)
        int fd = open(file, O_CREAT, 0600);
        if (fd != -1)
                out = fdopen(fd, "wb");
+        }
 #endif
        if (out == NULL)
                out = fopen(file,"wb");
diff --git a/src/lib/libssl/src/crypto/rc2/rc2.h b/src/lib/libssl/src/crypto/rc2/rc2.h
index 7816b454dc..71788158d8 100644
--- a/src/lib/libssl/src/crypto/rc2/rc2.h
+++ b/src/lib/libssl/src/crypto/rc2/rc2.h
@@ -79,7 +79,10 @@ typedef struct rc2_key_st
        RC2_INT data[64];
        } RC2_KEY;
- 
+#ifdef OPENSSL_FIPS 
+void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,
+                                                                int bits);
+#endif
 void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
 void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key,
                     int enc);
diff --git a/src/lib/libssl/src/crypto/rc2/rc2_skey.c b/src/lib/libssl/src/crypto/rc2/rc2_skey.c
index cab3080c73..22f372f85c 100644
--- a/src/lib/libssl/src/crypto/rc2/rc2_skey.c
+++ b/src/lib/libssl/src/crypto/rc2/rc2_skey.c
@@ -57,6 +57,7 @@
 */
 #include <openssl/rc2.h>
+#include <openssl/crypto.h>
 #include "rc2_locl.h"
 static unsigned char key_table[256]={
@@ -90,7 +91,19 @@ static unsigned char key_table[256]={
 * BSAFE uses the 'retarded' version.  What I previously shipped is
 * the same as specifying 1024 for the 'bits' parameter.  Bsafe uses
 * a version where the bits parameter is the same as len*8 */
+#ifdef OPENSSL_FIPS
+void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
+        {
+        if (FIPS_mode())
+                FIPS_BAD_ABORT(RC2)
+        private_RC2_set_key(key, len, data, bits);
+        }
+void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,
+                                                                int bits)
+#else
 void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
+#endif
        {
        int i,j;
        unsigned char *k;
diff --git a/src/lib/libssl/src/crypto/rc4/asm/rc4-586.pl b/src/lib/libssl/src/crypto/rc4/asm/rc4-586.pl
index 7ef889e5a1..d6e98f0811 100644
--- a/src/lib/libssl/src/crypto/rc4/asm/rc4-586.pl
+++ b/src/lib/libssl/src/crypto/rc4/asm/rc4-586.pl
@@ -1,16 +1,37 @@
 #!/usr/local/bin/perl
-# define for pentium pro friendly version
+# At some point it became apparent that the original SSLeay RC4
+# assembler implementation performs suboptimaly on latest IA-32
+# microarchitectures. After re-tuning performance has changed as
+# following:
+#
+# Pentium       +0%
+# Pentium III   +17%
+# AMD           +52%(*)
+# P4            +180%(**)
+#
+# (*)   This number is actually a trade-off:-) It's possible to
+#       achieve +72%, but at the cost of -48% off PIII performance.
+#       In other words code performing further 13% faster on AMD
+#       would perform almost 2 times slower on Intel PIII...
+#       For reference! This code delivers ~80% of rc4-amd64.pl
+#       performance on the same Opteron machine.
+# (**)  This number requires compressed key schedule set up by
+#       RC4_set_key and therefore doesn't apply to 0.9.7 [option for
+#       compressed key schedule is implemented in 0.9.8 and later,
+#       see commentary section in rc4_skey.c for further details].
+#
+#                                       <appro@fy.chalmers.se>
 push(@INC,"perlasm","../../perlasm");
 require "x86asm.pl";
 &asm_init($ARGV[0],"rc4-586.pl");
-$tx="eax";
+$x="eax";
-$ty="ebx";
+$y="ebx";
-$x="ecx";
+$tx="ecx";
-$y="edx";
+$ty="edx";
 $in="esi";
 $out="edi";
 $d="ebp";
@@ -31,7 +52,7 @@ sub RC4_loop
                        {
                         &mov($ty,      &swtmp(2));
                        &cmp($ty,       $in);
-                         &jle(&label("finished"));
+                         &jbe(&label("finished"));
                        &inc($in);
                        }
                else
@@ -39,27 +60,23 @@ sub RC4_loop
                        &add($ty,       8);
                         &inc($in);
                        &cmp($ty,       $in);
-                         &jl(&label("finished"));
+                         &jb(&label("finished"));
                        &mov(&swtmp(2), $ty);
                        }
                }
        # Moved out
        # &mov( $tx,            &DWP(0,$d,$x,4)) if $p < 0;
-         &add(  $y,             $tx);
+        &add(   &LB($y),        &LB($tx));
-        &and(   $y,             0xff);
-         &inc(  $x);                    # NEXT ROUND 
        &mov(   $ty,            &DWP(0,$d,$y,4));
         # XXX
-        &mov(   &DWP(-4,$d,$x,4),$ty);                  # AGI
+        &mov(   &DWP(0,$d,$x,4),$ty);
         &add(  $ty,            $tx);
-        &and(   $x,             0xff);  # NEXT ROUND
-         &and(  $ty,            0xff);
        &mov(   &DWP(0,$d,$y,4),$tx);
-         &nop();
+         &and(  $ty,            0xff);
-        &mov(   $ty,            &DWP(0,$d,$ty,4));
+         &inc(  &LB($x));                       # NEXT ROUND
-         &mov(  $tx,            &DWP(0,$d,$x,4)) if $p < 1; # NEXT ROUND
+        &mov(   $tx,            &DWP(0,$d,$x,4)) if $p < 1; # NEXT ROUND
-         # XXX
+         &mov(  $ty,            &DWP(0,$d,$ty,4));
        if (!$char)
                {
@@ -88,35 +105,47 @@ sub RC4
        &function_begin_B($name,"");
+        &mov($ty,&wparam(1));           # len
+        &cmp($ty,0);
+        &jne(&label("proceed"));
+        &ret();
+        &set_label("proceed");
        &comment("");
        &push("ebp");
         &push("ebx");
-        &mov(   $d,     &wparam(0));    # key
-         &mov(  $ty,    &wparam(1));    # num
        &push("esi");
-         &push("edi");
+         &xor(  $x,     $x);            # avoid partial register stalls
+        &push("edi");
+         &xor(  $y,     $y);            # avoid partial register stalls
+        &mov(   $d,     &wparam(0));    # key
+         &mov(  $in,    &wparam(2));
-        &mov(   $x,     &DWP(0,$d,"",1));
+        &movb(  &LB($x),        &BP(0,$d,"",1));
-         &mov(  $y,     &DWP(4,$d,"",1));
+         &movb( &LB($y),        &BP(4,$d,"",1));
-        &mov(   $in,    &wparam(2));
+        &mov(   $out,   &wparam(3));
-         &inc(  $x);
+         &inc(  &LB($x));
        &stack_push(3); # 3 temp variables
         &add(  $d,     8);
-        &and(   $x,             0xff);
+        # detect compressed schedule, see commentary section in rc4_skey.c...
+        # in 0.9.7 context ~50 bytes below RC4_CHAR label remain redundant,
+        # as compressed key schedule is set up in 0.9.8 and later.
+        &cmp(&DWP(256,$d),-1);
+        &je(&label("RC4_CHAR"));
         &lea(  $ty,    &DWP(-8,$ty,$in));
        # check for 0 length input
-        &mov(   $out,   &wparam(3));
         &mov(  &swtmp(2),      $ty);   # this is now address to exit at
        &mov(   $tx,    &DWP(0,$d,$x,4));
         &cmp(  $ty,    $in);
-        &jl(    &label("end")); # less than 8 bytes
+        &jb(    &label("end")); # less than 8 bytes
        &set_label("start");
@@ -148,7 +177,7 @@ sub RC4
        &mov(   &DWP(-4,$out,"",0),     $tx);
         &mov(  $tx,            &DWP(0,$d,$x,4));
        &cmp($in,       $ty);
-         &jle(&label("start"));
+         &jbe(&label("start"));
        &set_label("end");
@@ -162,10 +191,37 @@ sub RC4
        &RC4_loop(5,0,1);
        &RC4_loop(6,1,1);
+        &jmp(&label("finished"));
+        &align(16);
+        # this is essentially Intel P4 specific codepath, see rc4_skey.c,
+        # and is engaged in 0.9.8 and later context...
+        &set_label("RC4_CHAR");
+        &lea    ($ty,&DWP(0,$in,$ty));
+        &mov    (&swtmp(2),$ty);
+        # strangely enough unrolled loop performs over 20% slower...
+        &set_label("RC4_CHAR_loop");
+                &movz   ($tx,&BP(0,$d,$x));
+                &add    (&LB($y),&LB($tx));
+                &movz   ($ty,&BP(0,$d,$y));
+                &movb   (&BP(0,$d,$y),&LB($tx));
+                &movb   (&BP(0,$d,$x),&LB($ty));
+                &add    (&LB($ty),&LB($tx));
+                &movz   ($ty,&BP(0,$d,$ty));
+                &xorb   (&LB($ty),&BP(0,$in));
+                &movb   (&BP(0,$out),&LB($ty));
+                &inc    (&LB($x));
+                &inc    ($in);
+                &inc    ($out);
+                &cmp    ($in,&swtmp(2));
+        &jb     (&label("RC4_CHAR_loop"));
        &set_label("finished");
        &dec(   $x);
         &stack_pop(3);
-        &mov(   &DWP(-4,$d,"",0),$y);
+        &movb(  &BP(-4,$d,"",0),&LB($y));
         &movb( &BP(-8,$d,"",0),&LB($x));
        &function_end($name);
diff --git a/src/lib/libssl/src/crypto/rc4/rc4.h b/src/lib/libssl/src/crypto/rc4/rc4.h
index 8722091f2e..dd90d9fde0 100644
--- a/src/lib/libssl/src/crypto/rc4/rc4.h
+++ b/src/lib/libssl/src/crypto/rc4/rc4.h
@@ -73,10 +73,17 @@ typedef struct rc4_key_st
        {
        RC4_INT x,y;
        RC4_INT data[256];
+#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
+        /* see crypto/rc4/asm/rc4-ia64.S for further details... */
+        RC4_INT pad[512-256-2];
+#endif
        } RC4_KEY;
 
 const char *RC4_options(void);
+#ifdef OPENSSL_FIPS
+void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
+#endif
 void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
 void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
                unsigned char *outdata);
diff --git a/src/lib/libssl/src/crypto/rc4/rc4_enc.c b/src/lib/libssl/src/crypto/rc4/rc4_enc.c
index d5f18a3a70..81a97ea3b7 100644
--- a/src/lib/libssl/src/crypto/rc4/rc4_enc.c
+++ b/src/lib/libssl/src/crypto/rc4/rc4_enc.c
@@ -77,6 +77,10 @@ void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
        x=key->x;     
        y=key->y;     
        d=key->data; 
+#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
+        /* see crypto/rc4/asm/rc4-ia64.S for further details... */
+        d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1));
+#endif
 #if defined(RC4_CHUNK)
        /*
diff --git a/src/lib/libssl/src/crypto/rc4/rc4_locl.h b/src/lib/libssl/src/crypto/rc4/rc4_locl.h
index 3bb80b6ce9..c712e1632e 100644
--- a/src/lib/libssl/src/crypto/rc4/rc4_locl.h
+++ b/src/lib/libssl/src/crypto/rc4/rc4_locl.h
@@ -1,4 +1,5 @@
 #ifndef HEADER_RC4_LOCL_H
 #define HEADER_RC4_LOCL_H
 #include <openssl/opensslconf.h>
+#include <cryptlib.h>
 #endif
diff --git a/src/lib/libssl/src/crypto/rc4/rc4_skey.c b/src/lib/libssl/src/crypto/rc4/rc4_skey.c
index bb10c1ebe2..07234f061a 100644
--- a/src/lib/libssl/src/crypto/rc4/rc4_skey.c
+++ b/src/lib/libssl/src/crypto/rc4/rc4_skey.c
@@ -57,6 +57,7 @@
 */
 #include <openssl/rc4.h>
+#include <openssl/crypto.h>
 #include "rc4_locl.h"
 #include <openssl/opensslv.h>
@@ -85,7 +86,7 @@ const char *RC4_options(void)
 * Date: Wed, 14 Sep 1994 06:35:31 GMT
 */
-void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
+FIPS_NON_FIPS_VCIPHER_Init(RC4)
        {
        register RC4_INT tmp;
        register int id1,id2;
@@ -93,6 +94,11 @@ void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
        unsigned int i;
        
        d= &(key->data[0]);
+#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
+        /* see crypto/rc4/asm/rc4-ia64.S for further details... */
+        d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1));
+#endif
        for (i=0; i<256; i++)
                d[i]=i;
        key->x = 0;     
diff --git a/src/lib/libssl/src/crypto/rc5/rc5.h b/src/lib/libssl/src/crypto/rc5/rc5.h
index 4adfd2db5a..aa3f26920b 100644
--- a/src/lib/libssl/src/crypto/rc5/rc5.h
+++ b/src/lib/libssl/src/crypto/rc5/rc5.h
@@ -92,7 +92,10 @@ typedef struct rc5_key_st
        RC5_32_INT data[2*(RC5_16_ROUNDS+1)];
        } RC5_32_KEY;
- 
+#ifdef OPENSSL_FIPS 
+void private_RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data,
+        int rounds);
+#endif
 void RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data,
        int rounds);
 void RC5_32_ecb_encrypt(const unsigned char *in,unsigned char *out,RC5_32_KEY *key,
diff --git a/src/lib/libssl/src/crypto/ripemd/ripemd.h b/src/lib/libssl/src/crypto/ripemd/ripemd.h
index 78d5f36560..7d0d998189 100644
--- a/src/lib/libssl/src/crypto/ripemd/ripemd.h
+++ b/src/lib/libssl/src/crypto/ripemd/ripemd.h
@@ -90,6 +90,9 @@ typedef struct RIPEMD160state_st
        int num;
        } RIPEMD160_CTX;
+#ifdef OPENSSL_FIPS
+int private_RIPEMD160_Init(RIPEMD160_CTX *c);
+#endif
 int RIPEMD160_Init(RIPEMD160_CTX *c);
 int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, unsigned long len);
 int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
diff --git a/src/lib/libssl/src/crypto/ripemd/rmd_dgst.c b/src/lib/libssl/src/crypto/ripemd/rmd_dgst.c
index 28896512e7..58ff010d11 100644
--- a/src/lib/libssl/src/crypto/ripemd/rmd_dgst.c
+++ b/src/lib/libssl/src/crypto/ripemd/rmd_dgst.c
@@ -58,6 +58,7 @@
 #include <stdio.h>
 #include "rmd_locl.h"
+#include <openssl/fips.h>
 #include <openssl/opensslv.h>
 const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT;
@@ -69,7 +70,7 @@ const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT;
     void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,int num);
 #  endif
-int RIPEMD160_Init(RIPEMD160_CTX *c)
+FIPS_NON_FIPS_MD_Init(RIPEMD160)
        {
        c->A=RIPEMD160_A;
        c->B=RIPEMD160_B;
diff --git a/src/lib/libssl/src/crypto/rsa/rsa.h b/src/lib/libssl/src/crypto/rsa/rsa.h
index 62fa745f79..fc3bb5f86d 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa.h
+++ b/src/lib/libssl/src/crypto/rsa/rsa.h
@@ -72,6 +72,10 @@
 #error RSA is disabled.
 #endif
+#if defined(OPENSSL_FIPS)
+#define FIPS_RSA_SIZE_T int
+#endif
 #ifdef  __cplusplus
 extern "C" {
 #endif
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_eay.c b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
index e0d286266e..d4caab3f95 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_eay.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
@@ -62,7 +62,7 @@
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
-#ifndef RSA_NULL
+#if !defined(RSA_NULL) && !defined(OPENSSL_FIPS)
 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
                unsigned char *to, RSA *rsa,int padding);
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_gen.c b/src/lib/libssl/src/crypto/rsa/rsa_gen.c
index 00c25adbc5..adb5e34da5 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_gen.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_gen.c
@@ -62,6 +62,8 @@
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
+#ifndef OPENSSL_FIPS
 RSA *RSA_generate_key(int bits, unsigned long e_value,
             void (*callback)(int,int,void *), void *cb_arg)
        {
@@ -195,3 +197,4 @@ err:
                return(rsa);
        }
+#endif
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_saos.c b/src/lib/libssl/src/crypto/rsa/rsa_saos.c
index f462716a57..24fc94835e 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_saos.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_saos.c
@@ -139,8 +139,11 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype,
                ret=1;
 err:
        if (sig != NULL) M_ASN1_OCTET_STRING_free(sig);
-        OPENSSL_cleanse(s,(unsigned int)siglen);
+        if (s != NULL)
-        OPENSSL_free(s);
+                {
+                OPENSSL_cleanse(s,(unsigned int)siglen);
+                OPENSSL_free(s);
+                }
        return(ret);
        }
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_sign.c b/src/lib/libssl/src/crypto/rsa/rsa_sign.c
index 8a1e642183..cee09eccb1 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_sign.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_sign.c
@@ -169,7 +169,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
                }
        if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) {
                        RSAerr(RSA_F_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
-                        return(0);
+                        goto err;
        }
        i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
@@ -222,8 +222,11 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
        }
 err:
        if (sig != NULL) X509_SIG_free(sig);
-        OPENSSL_cleanse(s,(unsigned int)siglen);
+        if (s != NULL)
-        OPENSSL_free(s);
+                {
+                OPENSSL_cleanse(s,(unsigned int)siglen);
+                OPENSSL_free(s);
+                }
        return(ret);
        }
diff --git a/src/lib/libssl/src/crypto/sha/asm/sha1-586.pl b/src/lib/libssl/src/crypto/sha/asm/sha1-586.pl
index e00f709553..041acc0348 100644
--- a/src/lib/libssl/src/crypto/sha/asm/sha1-586.pl
+++ b/src/lib/libssl/src/crypto/sha/asm/sha1-586.pl
@@ -405,7 +405,7 @@ sub sha1_block_data
        &mov(&DWP(16,$tmp1,"",0),$E);
         &cmp("esi","eax");
        &mov(&DWP( 4,$tmp1,"",0),$B);
-         &jl(&label("start"));
+         &jb(&label("start"));
        &stack_pop(18+9);
         &pop("edi");
diff --git a/src/lib/libssl/src/crypto/sha/sha.h b/src/lib/libssl/src/crypto/sha/sha.h
index 3fd54a10cc..79c07b0fd1 100644
--- a/src/lib/libssl/src/crypto/sha/sha.h
+++ b/src/lib/libssl/src/crypto/sha/sha.h
@@ -69,6 +69,10 @@ extern "C" {
 #error SHA is disabled.
 #endif
+#if defined(OPENSSL_FIPS)
+#define FIPS_SHA_SIZE_T unsigned long
+#endif
 /*
 * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 * ! SHA_LONG has to be at least 32 bits wide. If it's wider, then !
@@ -101,6 +105,9 @@ typedef struct SHAstate_st
        } SHA_CTX;
 #ifndef OPENSSL_NO_SHA0
+#ifdef OPENSSL_FIPS
+int private_SHA_Init(SHA_CTX *c);
+#endif
 int SHA_Init(SHA_CTX *c);
 int SHA_Update(SHA_CTX *c, const void *data, unsigned long len);
 int SHA_Final(unsigned char *md, SHA_CTX *c);
diff --git a/src/lib/libssl/src/crypto/sha/sha1dgst.c b/src/lib/libssl/src/crypto/sha/sha1dgst.c
index 182f65982a..1e2009b760 100644
--- a/src/lib/libssl/src/crypto/sha/sha1dgst.c
+++ b/src/lib/libssl/src/crypto/sha/sha1dgst.c
@@ -62,12 +62,20 @@
 #define SHA_1
 #include <openssl/opensslv.h>
+#include <openssl/opensslconf.h>
+#ifndef OPENSSL_FIPS
 const char *SHA1_version="SHA1" OPENSSL_VERSION_PTEXT;
 /* The implementation is in ../md32_common.h */
 #include "sha_locl.h"
+#else /* ndef OPENSSL_FIPS */
+static void *dummy=&dummy;
+#endif /* ndef OPENSSL_FIPS */
 #endif
diff --git a/src/lib/libssl/src/crypto/sha/sha_locl.h b/src/lib/libssl/src/crypto/sha/sha_locl.h
index 2dd63a62a6..a3623f72da 100644
--- a/src/lib/libssl/src/crypto/sha/sha_locl.h
+++ b/src/lib/libssl/src/crypto/sha/sha_locl.h
@@ -121,6 +121,11 @@
 #   define sha1_block_data_order                sha1_block_asm_data_order
 #   define DONT_IMPLEMENT_BLOCK_DATA_ORDER
 #   define HASH_BLOCK_DATA_ORDER_ALIGNED        sha1_block_asm_data_order
+#  elif defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
+#   define sha1_block_host_order                sha1_block_asm_host_order
+#   define DONT_IMPLEMENT_BLOCK_HOST_ORDER
+#   define sha1_block_data_order                sha1_block_asm_data_order
+#   define DONT_IMPLEMENT_BLOCK_DATA_ORDER
 #  endif
 # endif
  void sha1_block_host_order (SHA_CTX *c, const void *p,int num);
@@ -138,7 +143,11 @@
 #define INIT_DATA_h3 0x10325476UL
 #define INIT_DATA_h4 0xc3d2e1f0UL
+#if defined(SHA_0) && defined(OPENSSL_FIPS)
+FIPS_NON_FIPS_MD_Init(SHA)
+#else
 int HASH_INIT (SHA_CTX *c)
+#endif
        {
        c->h0=INIT_DATA_h0;
        c->h1=INIT_DATA_h1;
diff --git a/src/lib/libssl/src/crypto/sha/shatest.c b/src/lib/libssl/src/crypto/sha/shatest.c
index 5d2b1d3b1a..ff702aa53e 100644
--- a/src/lib/libssl/src/crypto/sha/shatest.c
+++ b/src/lib/libssl/src/crypto/sha/shatest.c
@@ -62,10 +62,10 @@
 #include "../e_os.h"
-#ifdef OPENSSL_NO_SHA
+#if defined(OPENSSL_NO_SHA) || defined(OPENSSL_NO_SHA0)
 int main(int argc, char *argv[])
 {
-    printf("No SHA support\n");
+    printf("No SHA0 support\n");
    return(0);
 }
 #else
diff --git a/src/lib/libssl/src/crypto/stack/safestack.h b/src/lib/libssl/src/crypto/stack/safestack.h
index ed9ed2c23a..bd1121c279 100644
--- a/src/lib/libssl/src/crypto/stack/safestack.h
+++ b/src/lib/libssl/src/crypto/stack/safestack.h
@@ -113,6 +113,8 @@ STACK_OF(type) \
        ((type * (*)(STACK_OF(type) *))sk_pop)(st)
 #define SKM_sk_sort(type, st) \
        ((void (*)(STACK_OF(type) *))sk_sort)(st)
+#define SKM_sk_is_sorted(type, st) \
+        ((int (*)(const STACK_OF(type) *))sk_is_sorted)(st)
 #define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
        ((STACK_OF(type) * (*) (STACK_OF(type) **,unsigned char **, long , \
@@ -187,6 +189,8 @@ STACK_OF(type) \
        ((type *)sk_pop(st))
 #define SKM_sk_sort(type, st) \
        sk_sort(st)
+#define SKM_sk_is_sorted(type, st) \
+        sk_is_sorted(st)
 #define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
        d2i_ASN1_SET(st,pp,length, (char *(*)())d2i_func, (void (*)(void *))free_func, ex_tag,ex_class)
@@ -223,6 +227,7 @@ STACK_OF(type) \
 #define sk_ACCESS_DESCRIPTION_shift(st) SKM_sk_shift(ACCESS_DESCRIPTION, (st))
 #define sk_ACCESS_DESCRIPTION_pop(st) SKM_sk_pop(ACCESS_DESCRIPTION, (st))
 #define sk_ACCESS_DESCRIPTION_sort(st) SKM_sk_sort(ACCESS_DESCRIPTION, (st))
+#define sk_ACCESS_DESCRIPTION_is_sorted(st) SKM_sk_is_sorted(ACCESS_DESCRIPTION, (st))
 #define sk_ASN1_GENERALSTRING_new(st) SKM_sk_new(ASN1_GENERALSTRING, (st))
 #define sk_ASN1_GENERALSTRING_new_null() SKM_sk_new_null(ASN1_GENERALSTRING)
@@ -243,6 +248,7 @@ STACK_OF(type) \
 #define sk_ASN1_GENERALSTRING_shift(st) SKM_sk_shift(ASN1_GENERALSTRING, (st))
 #define sk_ASN1_GENERALSTRING_pop(st) SKM_sk_pop(ASN1_GENERALSTRING, (st))
 #define sk_ASN1_GENERALSTRING_sort(st) SKM_sk_sort(ASN1_GENERALSTRING, (st))
+#define sk_ASN1_GENERALSTRING_is_sorted(st) SKM_sk_is_sorted(ASN1_GENERALSTRING, (st))
 #define sk_ASN1_INTEGER_new(st) SKM_sk_new(ASN1_INTEGER, (st))
 #define sk_ASN1_INTEGER_new_null() SKM_sk_new_null(ASN1_INTEGER)
@@ -263,6 +269,7 @@ STACK_OF(type) \
 #define sk_ASN1_INTEGER_shift(st) SKM_sk_shift(ASN1_INTEGER, (st))
 #define sk_ASN1_INTEGER_pop(st) SKM_sk_pop(ASN1_INTEGER, (st))
 #define sk_ASN1_INTEGER_sort(st) SKM_sk_sort(ASN1_INTEGER, (st))
+#define sk_ASN1_INTEGER_is_sorted(st) SKM_sk_is_sorted(ASN1_INTEGER, (st))
 #define sk_ASN1_OBJECT_new(st) SKM_sk_new(ASN1_OBJECT, (st))
 #define sk_ASN1_OBJECT_new_null() SKM_sk_new_null(ASN1_OBJECT)
@@ -283,6 +290,7 @@ STACK_OF(type) \
 #define sk_ASN1_OBJECT_shift(st) SKM_sk_shift(ASN1_OBJECT, (st))
 #define sk_ASN1_OBJECT_pop(st) SKM_sk_pop(ASN1_OBJECT, (st))
 #define sk_ASN1_OBJECT_sort(st) SKM_sk_sort(ASN1_OBJECT, (st))
+#define sk_ASN1_OBJECT_is_sorted(st) SKM_sk_is_sorted(ASN1_OBJECT, (st))
 #define sk_ASN1_STRING_TABLE_new(st) SKM_sk_new(ASN1_STRING_TABLE, (st))
 #define sk_ASN1_STRING_TABLE_new_null() SKM_sk_new_null(ASN1_STRING_TABLE)
@@ -303,6 +311,7 @@ STACK_OF(type) \
 #define sk_ASN1_STRING_TABLE_shift(st) SKM_sk_shift(ASN1_STRING_TABLE, (st))
 #define sk_ASN1_STRING_TABLE_pop(st) SKM_sk_pop(ASN1_STRING_TABLE, (st))
 #define sk_ASN1_STRING_TABLE_sort(st) SKM_sk_sort(ASN1_STRING_TABLE, (st))
+#define sk_ASN1_STRING_TABLE_is_sorted(st) SKM_sk_is_sorted(ASN1_STRING_TABLE, (st))
 #define sk_ASN1_TYPE_new(st) SKM_sk_new(ASN1_TYPE, (st))
 #define sk_ASN1_TYPE_new_null() SKM_sk_new_null(ASN1_TYPE)
@@ -323,6 +332,7 @@ STACK_OF(type) \
 #define sk_ASN1_TYPE_shift(st) SKM_sk_shift(ASN1_TYPE, (st))
 #define sk_ASN1_TYPE_pop(st) SKM_sk_pop(ASN1_TYPE, (st))
 #define sk_ASN1_TYPE_sort(st) SKM_sk_sort(ASN1_TYPE, (st))
+#define sk_ASN1_TYPE_is_sorted(st) SKM_sk_is_sorted(ASN1_TYPE, (st))
 #define sk_ASN1_VALUE_new(st) SKM_sk_new(ASN1_VALUE, (st))
 #define sk_ASN1_VALUE_new_null() SKM_sk_new_null(ASN1_VALUE)
@@ -343,6 +353,7 @@ STACK_OF(type) \
 #define sk_ASN1_VALUE_shift(st) SKM_sk_shift(ASN1_VALUE, (st))
 #define sk_ASN1_VALUE_pop(st) SKM_sk_pop(ASN1_VALUE, (st))
 #define sk_ASN1_VALUE_sort(st) SKM_sk_sort(ASN1_VALUE, (st))
+#define sk_ASN1_VALUE_is_sorted(st) SKM_sk_is_sorted(ASN1_VALUE, (st))
 #define sk_BIO_new(st) SKM_sk_new(BIO, (st))
 #define sk_BIO_new_null() SKM_sk_new_null(BIO)
@@ -363,6 +374,7 @@ STACK_OF(type) \
 #define sk_BIO_shift(st) SKM_sk_shift(BIO, (st))
 #define sk_BIO_pop(st) SKM_sk_pop(BIO, (st))
 #define sk_BIO_sort(st) SKM_sk_sort(BIO, (st))
+#define sk_BIO_is_sorted(st) SKM_sk_is_sorted(BIO, (st))
 #define sk_CONF_IMODULE_new(st) SKM_sk_new(CONF_IMODULE, (st))
 #define sk_CONF_IMODULE_new_null() SKM_sk_new_null(CONF_IMODULE)
@@ -383,6 +395,7 @@ STACK_OF(type) \
 #define sk_CONF_IMODULE_shift(st) SKM_sk_shift(CONF_IMODULE, (st))
 #define sk_CONF_IMODULE_pop(st) SKM_sk_pop(CONF_IMODULE, (st))
 #define sk_CONF_IMODULE_sort(st) SKM_sk_sort(CONF_IMODULE, (st))
+#define sk_CONF_IMODULE_is_sorted(st) SKM_sk_is_sorted(CONF_IMODULE, (st))
 #define sk_CONF_MODULE_new(st) SKM_sk_new(CONF_MODULE, (st))
 #define sk_CONF_MODULE_new_null() SKM_sk_new_null(CONF_MODULE)
@@ -403,6 +416,7 @@ STACK_OF(type) \
 #define sk_CONF_MODULE_shift(st) SKM_sk_shift(CONF_MODULE, (st))
 #define sk_CONF_MODULE_pop(st) SKM_sk_pop(CONF_MODULE, (st))
 #define sk_CONF_MODULE_sort(st) SKM_sk_sort(CONF_MODULE, (st))
+#define sk_CONF_MODULE_is_sorted(st) SKM_sk_is_sorted(CONF_MODULE, (st))
 #define sk_CONF_VALUE_new(st) SKM_sk_new(CONF_VALUE, (st))
 #define sk_CONF_VALUE_new_null() SKM_sk_new_null(CONF_VALUE)
@@ -423,6 +437,7 @@ STACK_OF(type) \
 #define sk_CONF_VALUE_shift(st) SKM_sk_shift(CONF_VALUE, (st))
 #define sk_CONF_VALUE_pop(st) SKM_sk_pop(CONF_VALUE, (st))
 #define sk_CONF_VALUE_sort(st) SKM_sk_sort(CONF_VALUE, (st))
+#define sk_CONF_VALUE_is_sorted(st) SKM_sk_is_sorted(CONF_VALUE, (st))
 #define sk_CRYPTO_EX_DATA_FUNCS_new(st) SKM_sk_new(CRYPTO_EX_DATA_FUNCS, (st))
 #define sk_CRYPTO_EX_DATA_FUNCS_new_null() SKM_sk_new_null(CRYPTO_EX_DATA_FUNCS)
@@ -443,6 +458,7 @@ STACK_OF(type) \
 #define sk_CRYPTO_EX_DATA_FUNCS_shift(st) SKM_sk_shift(CRYPTO_EX_DATA_FUNCS, (st))
 #define sk_CRYPTO_EX_DATA_FUNCS_pop(st) SKM_sk_pop(CRYPTO_EX_DATA_FUNCS, (st))
 #define sk_CRYPTO_EX_DATA_FUNCS_sort(st) SKM_sk_sort(CRYPTO_EX_DATA_FUNCS, (st))
+#define sk_CRYPTO_EX_DATA_FUNCS_is_sorted(st) SKM_sk_is_sorted(CRYPTO_EX_DATA_FUNCS, (st))
 #define sk_CRYPTO_dynlock_new(st) SKM_sk_new(CRYPTO_dynlock, (st))
 #define sk_CRYPTO_dynlock_new_null() SKM_sk_new_null(CRYPTO_dynlock)
@@ -463,6 +479,7 @@ STACK_OF(type) \
 #define sk_CRYPTO_dynlock_shift(st) SKM_sk_shift(CRYPTO_dynlock, (st))
 #define sk_CRYPTO_dynlock_pop(st) SKM_sk_pop(CRYPTO_dynlock, (st))
 #define sk_CRYPTO_dynlock_sort(st) SKM_sk_sort(CRYPTO_dynlock, (st))
+#define sk_CRYPTO_dynlock_is_sorted(st) SKM_sk_is_sorted(CRYPTO_dynlock, (st))
 #define sk_DIST_POINT_new(st) SKM_sk_new(DIST_POINT, (st))
 #define sk_DIST_POINT_new_null() SKM_sk_new_null(DIST_POINT)
@@ -483,6 +500,7 @@ STACK_OF(type) \
 #define sk_DIST_POINT_shift(st) SKM_sk_shift(DIST_POINT, (st))
 #define sk_DIST_POINT_pop(st) SKM_sk_pop(DIST_POINT, (st))
 #define sk_DIST_POINT_sort(st) SKM_sk_sort(DIST_POINT, (st))
+#define sk_DIST_POINT_is_sorted(st) SKM_sk_is_sorted(DIST_POINT, (st))
 #define sk_ENGINE_new(st) SKM_sk_new(ENGINE, (st))
 #define sk_ENGINE_new_null() SKM_sk_new_null(ENGINE)
@@ -503,6 +521,7 @@ STACK_OF(type) \
 #define sk_ENGINE_shift(st) SKM_sk_shift(ENGINE, (st))
 #define sk_ENGINE_pop(st) SKM_sk_pop(ENGINE, (st))
 #define sk_ENGINE_sort(st) SKM_sk_sort(ENGINE, (st))
+#define sk_ENGINE_is_sorted(st) SKM_sk_is_sorted(ENGINE, (st))
 #define sk_ENGINE_CLEANUP_ITEM_new(st) SKM_sk_new(ENGINE_CLEANUP_ITEM, (st))
 #define sk_ENGINE_CLEANUP_ITEM_new_null() SKM_sk_new_null(ENGINE_CLEANUP_ITEM)
@@ -523,6 +542,7 @@ STACK_OF(type) \
 #define sk_ENGINE_CLEANUP_ITEM_shift(st) SKM_sk_shift(ENGINE_CLEANUP_ITEM, (st))
 #define sk_ENGINE_CLEANUP_ITEM_pop(st) SKM_sk_pop(ENGINE_CLEANUP_ITEM, (st))
 #define sk_ENGINE_CLEANUP_ITEM_sort(st) SKM_sk_sort(ENGINE_CLEANUP_ITEM, (st))
+#define sk_ENGINE_CLEANUP_ITEM_is_sorted(st) SKM_sk_is_sorted(ENGINE_CLEANUP_ITEM, (st))
 #define sk_GENERAL_NAME_new(st) SKM_sk_new(GENERAL_NAME, (st))
 #define sk_GENERAL_NAME_new_null() SKM_sk_new_null(GENERAL_NAME)
@@ -543,6 +563,7 @@ STACK_OF(type) \
 #define sk_GENERAL_NAME_shift(st) SKM_sk_shift(GENERAL_NAME, (st))
 #define sk_GENERAL_NAME_pop(st) SKM_sk_pop(GENERAL_NAME, (st))
 #define sk_GENERAL_NAME_sort(st) SKM_sk_sort(GENERAL_NAME, (st))
+#define sk_GENERAL_NAME_is_sorted(st) SKM_sk_is_sorted(GENERAL_NAME, (st))
 #define sk_KRB5_APREQBODY_new(st) SKM_sk_new(KRB5_APREQBODY, (st))
 #define sk_KRB5_APREQBODY_new_null() SKM_sk_new_null(KRB5_APREQBODY)
@@ -563,6 +584,7 @@ STACK_OF(type) \
 #define sk_KRB5_APREQBODY_shift(st) SKM_sk_shift(KRB5_APREQBODY, (st))
 #define sk_KRB5_APREQBODY_pop(st) SKM_sk_pop(KRB5_APREQBODY, (st))
 #define sk_KRB5_APREQBODY_sort(st) SKM_sk_sort(KRB5_APREQBODY, (st))
+#define sk_KRB5_APREQBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_APREQBODY, (st))
 #define sk_KRB5_AUTHDATA_new(st) SKM_sk_new(KRB5_AUTHDATA, (st))
 #define sk_KRB5_AUTHDATA_new_null() SKM_sk_new_null(KRB5_AUTHDATA)
@@ -583,6 +605,7 @@ STACK_OF(type) \
 #define sk_KRB5_AUTHDATA_shift(st) SKM_sk_shift(KRB5_AUTHDATA, (st))
 #define sk_KRB5_AUTHDATA_pop(st) SKM_sk_pop(KRB5_AUTHDATA, (st))
 #define sk_KRB5_AUTHDATA_sort(st) SKM_sk_sort(KRB5_AUTHDATA, (st))
+#define sk_KRB5_AUTHDATA_is_sorted(st) SKM_sk_is_sorted(KRB5_AUTHDATA, (st))
 #define sk_KRB5_AUTHENTBODY_new(st) SKM_sk_new(KRB5_AUTHENTBODY, (st))
 #define sk_KRB5_AUTHENTBODY_new_null() SKM_sk_new_null(KRB5_AUTHENTBODY)
@@ -603,6 +626,7 @@ STACK_OF(type) \
 #define sk_KRB5_AUTHENTBODY_shift(st) SKM_sk_shift(KRB5_AUTHENTBODY, (st))
 #define sk_KRB5_AUTHENTBODY_pop(st) SKM_sk_pop(KRB5_AUTHENTBODY, (st))
 #define sk_KRB5_AUTHENTBODY_sort(st) SKM_sk_sort(KRB5_AUTHENTBODY, (st))
+#define sk_KRB5_AUTHENTBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_AUTHENTBODY, (st))
 #define sk_KRB5_CHECKSUM_new(st) SKM_sk_new(KRB5_CHECKSUM, (st))
 #define sk_KRB5_CHECKSUM_new_null() SKM_sk_new_null(KRB5_CHECKSUM)
@@ -623,6 +647,7 @@ STACK_OF(type) \
 #define sk_KRB5_CHECKSUM_shift(st) SKM_sk_shift(KRB5_CHECKSUM, (st))
 #define sk_KRB5_CHECKSUM_pop(st) SKM_sk_pop(KRB5_CHECKSUM, (st))
 #define sk_KRB5_CHECKSUM_sort(st) SKM_sk_sort(KRB5_CHECKSUM, (st))
+#define sk_KRB5_CHECKSUM_is_sorted(st) SKM_sk_is_sorted(KRB5_CHECKSUM, (st))
 #define sk_KRB5_ENCDATA_new(st) SKM_sk_new(KRB5_ENCDATA, (st))
 #define sk_KRB5_ENCDATA_new_null() SKM_sk_new_null(KRB5_ENCDATA)
@@ -643,6 +668,7 @@ STACK_OF(type) \
 #define sk_KRB5_ENCDATA_shift(st) SKM_sk_shift(KRB5_ENCDATA, (st))
 #define sk_KRB5_ENCDATA_pop(st) SKM_sk_pop(KRB5_ENCDATA, (st))
 #define sk_KRB5_ENCDATA_sort(st) SKM_sk_sort(KRB5_ENCDATA, (st))
+#define sk_KRB5_ENCDATA_is_sorted(st) SKM_sk_is_sorted(KRB5_ENCDATA, (st))
 #define sk_KRB5_ENCKEY_new(st) SKM_sk_new(KRB5_ENCKEY, (st))
 #define sk_KRB5_ENCKEY_new_null() SKM_sk_new_null(KRB5_ENCKEY)
@@ -663,6 +689,7 @@ STACK_OF(type) \
 #define sk_KRB5_ENCKEY_shift(st) SKM_sk_shift(KRB5_ENCKEY, (st))
 #define sk_KRB5_ENCKEY_pop(st) SKM_sk_pop(KRB5_ENCKEY, (st))
 #define sk_KRB5_ENCKEY_sort(st) SKM_sk_sort(KRB5_ENCKEY, (st))
+#define sk_KRB5_ENCKEY_is_sorted(st) SKM_sk_is_sorted(KRB5_ENCKEY, (st))
 #define sk_KRB5_PRINCNAME_new(st) SKM_sk_new(KRB5_PRINCNAME, (st))
 #define sk_KRB5_PRINCNAME_new_null() SKM_sk_new_null(KRB5_PRINCNAME)
@@ -683,6 +710,7 @@ STACK_OF(type) \
 #define sk_KRB5_PRINCNAME_shift(st) SKM_sk_shift(KRB5_PRINCNAME, (st))
 #define sk_KRB5_PRINCNAME_pop(st) SKM_sk_pop(KRB5_PRINCNAME, (st))
 #define sk_KRB5_PRINCNAME_sort(st) SKM_sk_sort(KRB5_PRINCNAME, (st))
+#define sk_KRB5_PRINCNAME_is_sorted(st) SKM_sk_is_sorted(KRB5_PRINCNAME, (st))
 #define sk_KRB5_TKTBODY_new(st) SKM_sk_new(KRB5_TKTBODY, (st))
 #define sk_KRB5_TKTBODY_new_null() SKM_sk_new_null(KRB5_TKTBODY)
@@ -703,6 +731,7 @@ STACK_OF(type) \
 #define sk_KRB5_TKTBODY_shift(st) SKM_sk_shift(KRB5_TKTBODY, (st))
 #define sk_KRB5_TKTBODY_pop(st) SKM_sk_pop(KRB5_TKTBODY, (st))
 #define sk_KRB5_TKTBODY_sort(st) SKM_sk_sort(KRB5_TKTBODY, (st))
+#define sk_KRB5_TKTBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_TKTBODY, (st))
 #define sk_MIME_HEADER_new(st) SKM_sk_new(MIME_HEADER, (st))
 #define sk_MIME_HEADER_new_null() SKM_sk_new_null(MIME_HEADER)
@@ -723,6 +752,7 @@ STACK_OF(type) \
 #define sk_MIME_HEADER_shift(st) SKM_sk_shift(MIME_HEADER, (st))
 #define sk_MIME_HEADER_pop(st) SKM_sk_pop(MIME_HEADER, (st))
 #define sk_MIME_HEADER_sort(st) SKM_sk_sort(MIME_HEADER, (st))
+#define sk_MIME_HEADER_is_sorted(st) SKM_sk_is_sorted(MIME_HEADER, (st))
 #define sk_MIME_PARAM_new(st) SKM_sk_new(MIME_PARAM, (st))
 #define sk_MIME_PARAM_new_null() SKM_sk_new_null(MIME_PARAM)
@@ -743,6 +773,7 @@ STACK_OF(type) \
 #define sk_MIME_PARAM_shift(st) SKM_sk_shift(MIME_PARAM, (st))
 #define sk_MIME_PARAM_pop(st) SKM_sk_pop(MIME_PARAM, (st))
 #define sk_MIME_PARAM_sort(st) SKM_sk_sort(MIME_PARAM, (st))
+#define sk_MIME_PARAM_is_sorted(st) SKM_sk_is_sorted(MIME_PARAM, (st))
 #define sk_NAME_FUNCS_new(st) SKM_sk_new(NAME_FUNCS, (st))
 #define sk_NAME_FUNCS_new_null() SKM_sk_new_null(NAME_FUNCS)
@@ -763,6 +794,7 @@ STACK_OF(type) \
 #define sk_NAME_FUNCS_shift(st) SKM_sk_shift(NAME_FUNCS, (st))
 #define sk_NAME_FUNCS_pop(st) SKM_sk_pop(NAME_FUNCS, (st))
 #define sk_NAME_FUNCS_sort(st) SKM_sk_sort(NAME_FUNCS, (st))
+#define sk_NAME_FUNCS_is_sorted(st) SKM_sk_is_sorted(NAME_FUNCS, (st))
 #define sk_OCSP_CERTID_new(st) SKM_sk_new(OCSP_CERTID, (st))
 #define sk_OCSP_CERTID_new_null() SKM_sk_new_null(OCSP_CERTID)
@@ -783,6 +815,7 @@ STACK_OF(type) \
 #define sk_OCSP_CERTID_shift(st) SKM_sk_shift(OCSP_CERTID, (st))
 #define sk_OCSP_CERTID_pop(st) SKM_sk_pop(OCSP_CERTID, (st))
 #define sk_OCSP_CERTID_sort(st) SKM_sk_sort(OCSP_CERTID, (st))
+#define sk_OCSP_CERTID_is_sorted(st) SKM_sk_is_sorted(OCSP_CERTID, (st))
 #define sk_OCSP_ONEREQ_new(st) SKM_sk_new(OCSP_ONEREQ, (st))
 #define sk_OCSP_ONEREQ_new_null() SKM_sk_new_null(OCSP_ONEREQ)
@@ -803,6 +836,7 @@ STACK_OF(type) \
 #define sk_OCSP_ONEREQ_shift(st) SKM_sk_shift(OCSP_ONEREQ, (st))
 #define sk_OCSP_ONEREQ_pop(st) SKM_sk_pop(OCSP_ONEREQ, (st))
 #define sk_OCSP_ONEREQ_sort(st) SKM_sk_sort(OCSP_ONEREQ, (st))
+#define sk_OCSP_ONEREQ_is_sorted(st) SKM_sk_is_sorted(OCSP_ONEREQ, (st))
 #define sk_OCSP_SINGLERESP_new(st) SKM_sk_new(OCSP_SINGLERESP, (st))
 #define sk_OCSP_SINGLERESP_new_null() SKM_sk_new_null(OCSP_SINGLERESP)
@@ -823,6 +857,7 @@ STACK_OF(type) \
 #define sk_OCSP_SINGLERESP_shift(st) SKM_sk_shift(OCSP_SINGLERESP, (st))
 #define sk_OCSP_SINGLERESP_pop(st) SKM_sk_pop(OCSP_SINGLERESP, (st))
 #define sk_OCSP_SINGLERESP_sort(st) SKM_sk_sort(OCSP_SINGLERESP, (st))
+#define sk_OCSP_SINGLERESP_is_sorted(st) SKM_sk_is_sorted(OCSP_SINGLERESP, (st))
 #define sk_PKCS12_SAFEBAG_new(st) SKM_sk_new(PKCS12_SAFEBAG, (st))
 #define sk_PKCS12_SAFEBAG_new_null() SKM_sk_new_null(PKCS12_SAFEBAG)
@@ -843,6 +878,7 @@ STACK_OF(type) \
 #define sk_PKCS12_SAFEBAG_shift(st) SKM_sk_shift(PKCS12_SAFEBAG, (st))
 #define sk_PKCS12_SAFEBAG_pop(st) SKM_sk_pop(PKCS12_SAFEBAG, (st))
 #define sk_PKCS12_SAFEBAG_sort(st) SKM_sk_sort(PKCS12_SAFEBAG, (st))
+#define sk_PKCS12_SAFEBAG_is_sorted(st) SKM_sk_is_sorted(PKCS12_SAFEBAG, (st))
 #define sk_PKCS7_new(st) SKM_sk_new(PKCS7, (st))
 #define sk_PKCS7_new_null() SKM_sk_new_null(PKCS7)
@@ -863,6 +899,7 @@ STACK_OF(type) \
 #define sk_PKCS7_shift(st) SKM_sk_shift(PKCS7, (st))
 #define sk_PKCS7_pop(st) SKM_sk_pop(PKCS7, (st))
 #define sk_PKCS7_sort(st) SKM_sk_sort(PKCS7, (st))
+#define sk_PKCS7_is_sorted(st) SKM_sk_is_sorted(PKCS7, (st))
 #define sk_PKCS7_RECIP_INFO_new(st) SKM_sk_new(PKCS7_RECIP_INFO, (st))
 #define sk_PKCS7_RECIP_INFO_new_null() SKM_sk_new_null(PKCS7_RECIP_INFO)
@@ -883,6 +920,7 @@ STACK_OF(type) \
 #define sk_PKCS7_RECIP_INFO_shift(st) SKM_sk_shift(PKCS7_RECIP_INFO, (st))
 #define sk_PKCS7_RECIP_INFO_pop(st) SKM_sk_pop(PKCS7_RECIP_INFO, (st))
 #define sk_PKCS7_RECIP_INFO_sort(st) SKM_sk_sort(PKCS7_RECIP_INFO, (st))
+#define sk_PKCS7_RECIP_INFO_is_sorted(st) SKM_sk_is_sorted(PKCS7_RECIP_INFO, (st))
 #define sk_PKCS7_SIGNER_INFO_new(st) SKM_sk_new(PKCS7_SIGNER_INFO, (st))
 #define sk_PKCS7_SIGNER_INFO_new_null() SKM_sk_new_null(PKCS7_SIGNER_INFO)
@@ -903,6 +941,7 @@ STACK_OF(type) \
 #define sk_PKCS7_SIGNER_INFO_shift(st) SKM_sk_shift(PKCS7_SIGNER_INFO, (st))
 #define sk_PKCS7_SIGNER_INFO_pop(st) SKM_sk_pop(PKCS7_SIGNER_INFO, (st))
 #define sk_PKCS7_SIGNER_INFO_sort(st) SKM_sk_sort(PKCS7_SIGNER_INFO, (st))
+#define sk_PKCS7_SIGNER_INFO_is_sorted(st) SKM_sk_is_sorted(PKCS7_SIGNER_INFO, (st))
 #define sk_POLICYINFO_new(st) SKM_sk_new(POLICYINFO, (st))
 #define sk_POLICYINFO_new_null() SKM_sk_new_null(POLICYINFO)
@@ -923,6 +962,7 @@ STACK_OF(type) \
 #define sk_POLICYINFO_shift(st) SKM_sk_shift(POLICYINFO, (st))
 #define sk_POLICYINFO_pop(st) SKM_sk_pop(POLICYINFO, (st))
 #define sk_POLICYINFO_sort(st) SKM_sk_sort(POLICYINFO, (st))
+#define sk_POLICYINFO_is_sorted(st) SKM_sk_is_sorted(POLICYINFO, (st))
 #define sk_POLICYQUALINFO_new(st) SKM_sk_new(POLICYQUALINFO, (st))
 #define sk_POLICYQUALINFO_new_null() SKM_sk_new_null(POLICYQUALINFO)
@@ -943,6 +983,7 @@ STACK_OF(type) \
 #define sk_POLICYQUALINFO_shift(st) SKM_sk_shift(POLICYQUALINFO, (st))
 #define sk_POLICYQUALINFO_pop(st) SKM_sk_pop(POLICYQUALINFO, (st))
 #define sk_POLICYQUALINFO_sort(st) SKM_sk_sort(POLICYQUALINFO, (st))
+#define sk_POLICYQUALINFO_is_sorted(st) SKM_sk_is_sorted(POLICYQUALINFO, (st))
 #define sk_SSL_CIPHER_new(st) SKM_sk_new(SSL_CIPHER, (st))
 #define sk_SSL_CIPHER_new_null() SKM_sk_new_null(SSL_CIPHER)
@@ -963,6 +1004,7 @@ STACK_OF(type) \
 #define sk_SSL_CIPHER_shift(st) SKM_sk_shift(SSL_CIPHER, (st))
 #define sk_SSL_CIPHER_pop(st) SKM_sk_pop(SSL_CIPHER, (st))
 #define sk_SSL_CIPHER_sort(st) SKM_sk_sort(SSL_CIPHER, (st))
+#define sk_SSL_CIPHER_is_sorted(st) SKM_sk_is_sorted(SSL_CIPHER, (st))
 #define sk_SSL_COMP_new(st) SKM_sk_new(SSL_COMP, (st))
 #define sk_SSL_COMP_new_null() SKM_sk_new_null(SSL_COMP)
@@ -983,6 +1025,7 @@ STACK_OF(type) \
 #define sk_SSL_COMP_shift(st) SKM_sk_shift(SSL_COMP, (st))
 #define sk_SSL_COMP_pop(st) SKM_sk_pop(SSL_COMP, (st))
 #define sk_SSL_COMP_sort(st) SKM_sk_sort(SSL_COMP, (st))
+#define sk_SSL_COMP_is_sorted(st) SKM_sk_is_sorted(SSL_COMP, (st))
 #define sk_SXNETID_new(st) SKM_sk_new(SXNETID, (st))
 #define sk_SXNETID_new_null() SKM_sk_new_null(SXNETID)
@@ -1003,6 +1046,7 @@ STACK_OF(type) \
 #define sk_SXNETID_shift(st) SKM_sk_shift(SXNETID, (st))
 #define sk_SXNETID_pop(st) SKM_sk_pop(SXNETID, (st))
 #define sk_SXNETID_sort(st) SKM_sk_sort(SXNETID, (st))
+#define sk_SXNETID_is_sorted(st) SKM_sk_is_sorted(SXNETID, (st))
 #define sk_UI_STRING_new(st) SKM_sk_new(UI_STRING, (st))
 #define sk_UI_STRING_new_null() SKM_sk_new_null(UI_STRING)
@@ -1023,6 +1067,7 @@ STACK_OF(type) \
 #define sk_UI_STRING_shift(st) SKM_sk_shift(UI_STRING, (st))
 #define sk_UI_STRING_pop(st) SKM_sk_pop(UI_STRING, (st))
 #define sk_UI_STRING_sort(st) SKM_sk_sort(UI_STRING, (st))
+#define sk_UI_STRING_is_sorted(st) SKM_sk_is_sorted(UI_STRING, (st))
 #define sk_X509_new(st) SKM_sk_new(X509, (st))
 #define sk_X509_new_null() SKM_sk_new_null(X509)
@@ -1043,6 +1088,7 @@ STACK_OF(type) \
 #define sk_X509_shift(st) SKM_sk_shift(X509, (st))
 #define sk_X509_pop(st) SKM_sk_pop(X509, (st))
 #define sk_X509_sort(st) SKM_sk_sort(X509, (st))
+#define sk_X509_is_sorted(st) SKM_sk_is_sorted(X509, (st))
 #define sk_X509V3_EXT_METHOD_new(st) SKM_sk_new(X509V3_EXT_METHOD, (st))
 #define sk_X509V3_EXT_METHOD_new_null() SKM_sk_new_null(X509V3_EXT_METHOD)
@@ -1063,6 +1109,7 @@ STACK_OF(type) \
 #define sk_X509V3_EXT_METHOD_shift(st) SKM_sk_shift(X509V3_EXT_METHOD, (st))
 #define sk_X509V3_EXT_METHOD_pop(st) SKM_sk_pop(X509V3_EXT_METHOD, (st))
 #define sk_X509V3_EXT_METHOD_sort(st) SKM_sk_sort(X509V3_EXT_METHOD, (st))
+#define sk_X509V3_EXT_METHOD_is_sorted(st) SKM_sk_is_sorted(X509V3_EXT_METHOD, (st))
 #define sk_X509_ALGOR_new(st) SKM_sk_new(X509_ALGOR, (st))
 #define sk_X509_ALGOR_new_null() SKM_sk_new_null(X509_ALGOR)
@@ -1083,6 +1130,7 @@ STACK_OF(type) \
 #define sk_X509_ALGOR_shift(st) SKM_sk_shift(X509_ALGOR, (st))
 #define sk_X509_ALGOR_pop(st) SKM_sk_pop(X509_ALGOR, (st))
 #define sk_X509_ALGOR_sort(st) SKM_sk_sort(X509_ALGOR, (st))
+#define sk_X509_ALGOR_is_sorted(st) SKM_sk_is_sorted(X509_ALGOR, (st))
 #define sk_X509_ATTRIBUTE_new(st) SKM_sk_new(X509_ATTRIBUTE, (st))
 #define sk_X509_ATTRIBUTE_new_null() SKM_sk_new_null(X509_ATTRIBUTE)
@@ -1103,6 +1151,7 @@ STACK_OF(type) \
 #define sk_X509_ATTRIBUTE_shift(st) SKM_sk_shift(X509_ATTRIBUTE, (st))
 #define sk_X509_ATTRIBUTE_pop(st) SKM_sk_pop(X509_ATTRIBUTE, (st))
 #define sk_X509_ATTRIBUTE_sort(st) SKM_sk_sort(X509_ATTRIBUTE, (st))
+#define sk_X509_ATTRIBUTE_is_sorted(st) SKM_sk_is_sorted(X509_ATTRIBUTE, (st))
 #define sk_X509_CRL_new(st) SKM_sk_new(X509_CRL, (st))
 #define sk_X509_CRL_new_null() SKM_sk_new_null(X509_CRL)
@@ -1123,6 +1172,7 @@ STACK_OF(type) \
 #define sk_X509_CRL_shift(st) SKM_sk_shift(X509_CRL, (st))
 #define sk_X509_CRL_pop(st) SKM_sk_pop(X509_CRL, (st))
 #define sk_X509_CRL_sort(st) SKM_sk_sort(X509_CRL, (st))
+#define sk_X509_CRL_is_sorted(st) SKM_sk_is_sorted(X509_CRL, (st))
 #define sk_X509_EXTENSION_new(st) SKM_sk_new(X509_EXTENSION, (st))
 #define sk_X509_EXTENSION_new_null() SKM_sk_new_null(X509_EXTENSION)
@@ -1143,6 +1193,7 @@ STACK_OF(type) \
 #define sk_X509_EXTENSION_shift(st) SKM_sk_shift(X509_EXTENSION, (st))
 #define sk_X509_EXTENSION_pop(st) SKM_sk_pop(X509_EXTENSION, (st))
 #define sk_X509_EXTENSION_sort(st) SKM_sk_sort(X509_EXTENSION, (st))
+#define sk_X509_EXTENSION_is_sorted(st) SKM_sk_is_sorted(X509_EXTENSION, (st))
 #define sk_X509_INFO_new(st) SKM_sk_new(X509_INFO, (st))
 #define sk_X509_INFO_new_null() SKM_sk_new_null(X509_INFO)
@@ -1163,6 +1214,7 @@ STACK_OF(type) \
 #define sk_X509_INFO_shift(st) SKM_sk_shift(X509_INFO, (st))
 #define sk_X509_INFO_pop(st) SKM_sk_pop(X509_INFO, (st))
 #define sk_X509_INFO_sort(st) SKM_sk_sort(X509_INFO, (st))
+#define sk_X509_INFO_is_sorted(st) SKM_sk_is_sorted(X509_INFO, (st))
 #define sk_X509_LOOKUP_new(st) SKM_sk_new(X509_LOOKUP, (st))
 #define sk_X509_LOOKUP_new_null() SKM_sk_new_null(X509_LOOKUP)
@@ -1183,6 +1235,7 @@ STACK_OF(type) \
 #define sk_X509_LOOKUP_shift(st) SKM_sk_shift(X509_LOOKUP, (st))
 #define sk_X509_LOOKUP_pop(st) SKM_sk_pop(X509_LOOKUP, (st))
 #define sk_X509_LOOKUP_sort(st) SKM_sk_sort(X509_LOOKUP, (st))
+#define sk_X509_LOOKUP_is_sorted(st) SKM_sk_is_sorted(X509_LOOKUP, (st))
 #define sk_X509_NAME_new(st) SKM_sk_new(X509_NAME, (st))
 #define sk_X509_NAME_new_null() SKM_sk_new_null(X509_NAME)
@@ -1203,6 +1256,7 @@ STACK_OF(type) \
 #define sk_X509_NAME_shift(st) SKM_sk_shift(X509_NAME, (st))
 #define sk_X509_NAME_pop(st) SKM_sk_pop(X509_NAME, (st))
 #define sk_X509_NAME_sort(st) SKM_sk_sort(X509_NAME, (st))
+#define sk_X509_NAME_is_sorted(st) SKM_sk_is_sorted(X509_NAME, (st))
 #define sk_X509_NAME_ENTRY_new(st) SKM_sk_new(X509_NAME_ENTRY, (st))
 #define sk_X509_NAME_ENTRY_new_null() SKM_sk_new_null(X509_NAME_ENTRY)
@@ -1223,6 +1277,7 @@ STACK_OF(type) \
 #define sk_X509_NAME_ENTRY_shift(st) SKM_sk_shift(X509_NAME_ENTRY, (st))
 #define sk_X509_NAME_ENTRY_pop(st) SKM_sk_pop(X509_NAME_ENTRY, (st))
 #define sk_X509_NAME_ENTRY_sort(st) SKM_sk_sort(X509_NAME_ENTRY, (st))
+#define sk_X509_NAME_ENTRY_is_sorted(st) SKM_sk_is_sorted(X509_NAME_ENTRY, (st))
 #define sk_X509_OBJECT_new(st) SKM_sk_new(X509_OBJECT, (st))
 #define sk_X509_OBJECT_new_null() SKM_sk_new_null(X509_OBJECT)
@@ -1243,6 +1298,7 @@ STACK_OF(type) \
 #define sk_X509_OBJECT_shift(st) SKM_sk_shift(X509_OBJECT, (st))
 #define sk_X509_OBJECT_pop(st) SKM_sk_pop(X509_OBJECT, (st))
 #define sk_X509_OBJECT_sort(st) SKM_sk_sort(X509_OBJECT, (st))
+#define sk_X509_OBJECT_is_sorted(st) SKM_sk_is_sorted(X509_OBJECT, (st))
 #define sk_X509_PURPOSE_new(st) SKM_sk_new(X509_PURPOSE, (st))
 #define sk_X509_PURPOSE_new_null() SKM_sk_new_null(X509_PURPOSE)
@@ -1263,6 +1319,7 @@ STACK_OF(type) \
 #define sk_X509_PURPOSE_shift(st) SKM_sk_shift(X509_PURPOSE, (st))
 #define sk_X509_PURPOSE_pop(st) SKM_sk_pop(X509_PURPOSE, (st))
 #define sk_X509_PURPOSE_sort(st) SKM_sk_sort(X509_PURPOSE, (st))
+#define sk_X509_PURPOSE_is_sorted(st) SKM_sk_is_sorted(X509_PURPOSE, (st))
 #define sk_X509_REVOKED_new(st) SKM_sk_new(X509_REVOKED, (st))
 #define sk_X509_REVOKED_new_null() SKM_sk_new_null(X509_REVOKED)
@@ -1283,6 +1340,7 @@ STACK_OF(type) \
 #define sk_X509_REVOKED_shift(st) SKM_sk_shift(X509_REVOKED, (st))
 #define sk_X509_REVOKED_pop(st) SKM_sk_pop(X509_REVOKED, (st))
 #define sk_X509_REVOKED_sort(st) SKM_sk_sort(X509_REVOKED, (st))
+#define sk_X509_REVOKED_is_sorted(st) SKM_sk_is_sorted(X509_REVOKED, (st))
 #define sk_X509_TRUST_new(st) SKM_sk_new(X509_TRUST, (st))
 #define sk_X509_TRUST_new_null() SKM_sk_new_null(X509_TRUST)
@@ -1303,6 +1361,7 @@ STACK_OF(type) \
 #define sk_X509_TRUST_shift(st) SKM_sk_shift(X509_TRUST, (st))
 #define sk_X509_TRUST_pop(st) SKM_sk_pop(X509_TRUST, (st))
 #define sk_X509_TRUST_sort(st) SKM_sk_sort(X509_TRUST, (st))
+#define sk_X509_TRUST_is_sorted(st) SKM_sk_is_sorted(X509_TRUST, (st))
 #define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
        SKM_ASN1_SET_OF_d2i(ACCESS_DESCRIPTION, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) 
diff --git a/src/lib/libssl/src/crypto/stack/stack.c b/src/lib/libssl/src/crypto/stack/stack.c
index 2496f28a8c..c7173eb6ab 100644
--- a/src/lib/libssl/src/crypto/stack/stack.c
+++ b/src/lib/libssl/src/crypto/stack/stack.c
@@ -191,8 +191,7 @@ char *sk_delete(STACK *st, int loc)
        char *ret;
        int i,j;
-        if ((st == NULL) || (st->num == 0) || (loc < 0)
+        if(!st || (loc < 0) || (loc >= st->num)) return NULL;
-                                         || (loc >= st->num)) return(NULL);
        ret=st->data[loc];
        if (loc != st->num-1)
@@ -306,13 +305,13 @@ int sk_num(const STACK *st)
 char *sk_value(const STACK *st, int i)
 {
-        if(st == NULL) return NULL;
+        if(!st || (i < 0) || (i >= st->num)) return NULL;
        return st->data[i];
 }
 char *sk_set(STACK *st, int i, char *value)
 {
-        if(st == NULL) return NULL;
+        if(!st || (i < 0) || (i >= st->num)) return NULL;
        return (st->data[i] = value);
 }
@@ -332,3 +331,10 @@ void sk_sort(STACK *st)
                st->sorted=1;
                }
        }
+int sk_is_sorted(const STACK *st)
+        {
+        if (!st)
+                return 1;
+        return st->sorted;
+        }
diff --git a/src/lib/libssl/src/crypto/stack/stack.h b/src/lib/libssl/src/crypto/stack/stack.h
index 8b436ca4b9..7570b85fe8 100644
--- a/src/lib/libssl/src/crypto/stack/stack.h
+++ b/src/lib/libssl/src/crypto/stack/stack.h
@@ -99,6 +99,7 @@ int (*sk_set_cmp_func(STACK *sk, int (*c)(const char * const *,
                        (const char * const *, const char * const *);
 STACK *sk_dup(STACK *st);
 void sk_sort(STACK *st);
+int sk_is_sorted(const STACK *st);
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libssl/src/crypto/x509/by_file.c b/src/lib/libssl/src/crypto/x509/by_file.c
index b4b04183d0..a5e0d4aefa 100644
--- a/src/lib/libssl/src/crypto/x509/by_file.c
+++ b/src/lib/libssl/src/crypto/x509/by_file.c
@@ -150,7 +150,7 @@ int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type)
                        x=PEM_read_bio_X509_AUX(in,NULL,NULL,NULL);
                        if (x == NULL)
                                {
-                                if ((ERR_GET_REASON(ERR_peek_error()) ==
+                                if ((ERR_GET_REASON(ERR_peek_last_error()) ==
                                        PEM_R_NO_START_LINE) && (count > 0))
                                        {
                                        ERR_clear_error();
@@ -217,7 +217,7 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
                        x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
                        if (x == NULL)
                                {
-                                if ((ERR_GET_REASON(ERR_peek_error()) ==
+                                if ((ERR_GET_REASON(ERR_peek_last_error()) ==
                                        PEM_R_NO_START_LINE) && (count > 0))
                                        {
                                        ERR_clear_error();
diff --git a/src/lib/libssl/src/crypto/x509/x509.h b/src/lib/libssl/src/crypto/x509/x509.h
index 8d0c7e2e17..e8c1a59cf2 100644
--- a/src/lib/libssl/src/crypto/x509/x509.h
+++ b/src/lib/libssl/src/crypto/x509/x509.h
@@ -410,6 +410,7 @@ typedef struct X509_crl_info_st
        ASN1_TIME *nextUpdate;
        STACK_OF(X509_REVOKED) *revoked;
        STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
+        ASN1_ENCODING enc;
        } X509_CRL_INFO;
 struct X509_crl_st
@@ -1037,18 +1038,18 @@ int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
 int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
                        unsigned char *bytes, int len, int loc, int set);
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
-                char *field, int type, unsigned char *bytes, int len);
+                const char *field, int type, const unsigned char *bytes, int len);
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
                        int type,unsigned char *bytes, int len);
-int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type,
+int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
-                        unsigned char *bytes, int len, int loc, int set);
+                        const unsigned char *bytes, int len, int loc, int set);
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
-                        ASN1_OBJECT *obj, int type,unsigned char *bytes,
+                        ASN1_OBJECT *obj, int type,const unsigned char *bytes,
                        int len);
 int             X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne,
                        ASN1_OBJECT *obj);
 int             X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
-                        unsigned char *bytes, int len);
+                        const unsigned char *bytes, int len);
 ASN1_OBJECT *   X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne);
 ASN1_STRING *   X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne);
diff --git a/src/lib/libssl/src/crypto/x509/x509_cmp.c b/src/lib/libssl/src/crypto/x509/x509_cmp.c
index f460102f49..030d0966fc 100644
--- a/src/lib/libssl/src/crypto/x509/x509_cmp.c
+++ b/src/lib/libssl/src/crypto/x509/x509_cmp.c
@@ -254,33 +254,49 @@ static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
        return 0;
 }
+static int asn1_string_memcmp(ASN1_STRING *a, ASN1_STRING *b)
+        {
+        int j;
+        j = a->length - b->length;
+        if (j)
+                return j;
+        return memcmp(a->data, b->data, a->length);
+        }
+#define STR_TYPE_CMP (B_ASN1_PRINTABLESTRING|B_ASN1_T61STRING|B_ASN1_UTF8STRING)
 int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
        {
        int i,j;
        X509_NAME_ENTRY *na,*nb;
-        if (sk_X509_NAME_ENTRY_num(a->entries)
+        unsigned long nabit, nbbit;
-            != sk_X509_NAME_ENTRY_num(b->entries))
-                return sk_X509_NAME_ENTRY_num(a->entries)
+        j = sk_X509_NAME_ENTRY_num(a->entries)
-                  -sk_X509_NAME_ENTRY_num(b->entries);
+                  - sk_X509_NAME_ENTRY_num(b->entries);
+        if (j)
+                return j;
        for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
                {
                na=sk_X509_NAME_ENTRY_value(a->entries,i);
                nb=sk_X509_NAME_ENTRY_value(b->entries,i);
                j=na->value->type-nb->value->type;
-                if (j) return(j);
+                if (j)
-                if (na->value->type == V_ASN1_PRINTABLESTRING)
+                        {
+                        nabit = ASN1_tag2bit(na->value->type);
+                        nbbit = ASN1_tag2bit(nb->value->type);
+                        if (!(nabit & STR_TYPE_CMP) ||
+                                !(nbbit & STR_TYPE_CMP))
+                                return j;
+                        j = asn1_string_memcmp(na->value, nb->value);
+                        }
+                else if (na->value->type == V_ASN1_PRINTABLESTRING)
                        j=nocase_spacenorm_cmp(na->value, nb->value);
                else if (na->value->type == V_ASN1_IA5STRING
                        && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress)
                        j=nocase_cmp(na->value, nb->value);
                else
-                        {
+                        j = asn1_string_memcmp(na->value, nb->value);
-                        j=na->value->length-nb->value->length;
-                        if (j) return(j);
-                        j=memcmp(na->value->data,nb->value->data,
-                                na->value->length);
-                        }
                if (j) return(j);
                j=na->set-nb->set;
                if (j) return(j);
@@ -306,10 +322,16 @@ unsigned long X509_NAME_hash(X509_NAME *x)
        {
        unsigned long ret=0;
        unsigned char md[16];
+        EVP_MD_CTX md_ctx;
        /* Make sure X509_NAME structure contains valid cached encoding */
        i2d_X509_NAME(x,NULL);
-        EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
+        EVP_MD_CTX_init(&md_ctx);
+        EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+        EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL);
+        EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length);
+        EVP_DigestFinal_ex(&md_ctx,md,NULL);
+        EVP_MD_CTX_cleanup(&md_ctx);
        ret=(   ((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
                ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
diff --git a/src/lib/libssl/src/crypto/x509/x509_r2x.c b/src/lib/libssl/src/crypto/x509/x509_r2x.c
index db051033d9..fb8a78dabe 100644
--- a/src/lib/libssl/src/crypto/x509/x509_r2x.c
+++ b/src/lib/libssl/src/crypto/x509/x509_r2x.c
@@ -92,8 +92,10 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
        X509_set_subject_name(ret,X509_NAME_dup(xn));
        X509_set_issuer_name(ret,X509_NAME_dup(xn));
-        X509_gmtime_adj(xi->validity->notBefore,0);
+        if (X509_gmtime_adj(xi->validity->notBefore,0) == NULL)
-        X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days);
+                goto err;
+        if (X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days) == NULL)
+                goto err;
        X509_set_pubkey(ret,X509_REQ_get_pubkey(r));
diff --git a/src/lib/libssl/src/crypto/x509/x509_req.c b/src/lib/libssl/src/crypto/x509/x509_req.c
index 0affa3bf30..59fc6ca548 100644
--- a/src/lib/libssl/src/crypto/x509/x509_req.c
+++ b/src/lib/libssl/src/crypto/x509/x509_req.c
@@ -118,7 +118,7 @@ EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
 * used and there may be more: so the list is configurable.
 */
-static int ext_nid_list[] = { NID_ms_ext_req, NID_ext_req, NID_undef};
+static int ext_nid_list[] = { NID_ext_req, NID_ms_ext_req, NID_undef};
 static int *ext_nids = ext_nid_list;
@@ -143,32 +143,33 @@ void X509_REQ_set_extension_nids(int *nids)
 }
 STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
-{
+        {
        X509_ATTRIBUTE *attr;
-        STACK_OF(X509_ATTRIBUTE) *sk;
        ASN1_TYPE *ext = NULL;
-        int i;
+        int idx, *pnid;
        unsigned char *p;
-        if ((req == NULL) || (req->req_info == NULL))
+        if ((req == NULL) || (req->req_info == NULL) || !ext_nids)
                return(NULL);
-        sk=req->req_info->attributes;
+        for (pnid = ext_nids; *pnid != NID_undef; pnid++)
-        if (!sk) return NULL;
+                {
-        for(i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
+                idx = X509_REQ_get_attr_by_NID(req, *pnid, -1);
-                attr = sk_X509_ATTRIBUTE_value(sk, i);
+                if (idx == -1)
-                if(X509_REQ_extension_nid(OBJ_obj2nid(attr->object))) {
+                        continue;
-                        if(attr->single) ext = attr->value.single;
+                attr = X509_REQ_get_attr(req, idx);
-                        else if(sk_ASN1_TYPE_num(attr->value.set))
+                if(attr->single) ext = attr->value.single;
-                                ext = sk_ASN1_TYPE_value(attr->value.set, 0);
+                else if(sk_ASN1_TYPE_num(attr->value.set))
-                        break;
+                        ext = sk_ASN1_TYPE_value(attr->value.set, 0);
+                break;
                }
-        }
+        if(!ext || (ext->type != V_ASN1_SEQUENCE))
-        if(!ext || (ext->type != V_ASN1_SEQUENCE)) return NULL;
+                return NULL;
        p = ext->value.sequence->data;
        return d2i_ASN1_SET_OF_X509_EXTENSION(NULL, &p,
                        ext->value.sequence->length,
                        d2i_X509_EXTENSION, X509_EXTENSION_free,
                        V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-}
+        }
 /* Add a STACK_OF extensions to a certificate request: allow alternative OIDs
 * in case we want to create a non standard one.
diff --git a/src/lib/libssl/src/crypto/x509/x509_txt.c b/src/lib/libssl/src/crypto/x509/x509_txt.c
index e31ebc6741..f19e66a238 100644
--- a/src/lib/libssl/src/crypto/x509/x509_txt.c
+++ b/src/lib/libssl/src/crypto/x509/x509_txt.c
@@ -122,8 +122,14 @@ const char *X509_verify_cert_error_string(long n)
                return("certificate revoked");
        case X509_V_ERR_INVALID_CA:
                return ("invalid CA certificate");
+        case X509_V_ERR_INVALID_NON_CA:
+                return ("invalid non-CA certificate (has CA markings)");
        case X509_V_ERR_PATH_LENGTH_EXCEEDED:
                return ("path length constraint exceeded");
+        case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
+                return("proxy path length constraint exceeded");
+        case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
+                return("proxy cerificates not allowed, please set the appropriate flag");
        case X509_V_ERR_INVALID_PURPOSE:
                return ("unsupported certificate purpose");
        case X509_V_ERR_CERT_UNTRUSTED:
@@ -140,19 +146,16 @@ const char *X509_verify_cert_error_string(long n)
                return("authority and issuer serial number mismatch");
        case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
                return("key usage does not include certificate signing");
        case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
                return("unable to get CRL issuer certificate");
        case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
                return("unhandled critical extension");
        case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
                return("key usage does not include CRL signing");
+        case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
+                return("key usage does not include digital signature");
        case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
                return("unhandled critical CRL extension");
        default:
                BIO_snprintf(buf,sizeof buf,"error number %ld",n);
                return(buf);
diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c
index 2e4d0b823a..e43c861ee7 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -73,7 +73,7 @@
 static int null_callback(int ok,X509_STORE_CTX *e);
 static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
-static int check_chain_purpose(X509_STORE_CTX *ctx);
+static int check_chain_extensions(X509_STORE_CTX *ctx);
 static int check_trust(X509_STORE_CTX *ctx);
 static int check_revocation(X509_STORE_CTX *ctx);
 static int check_cert(X509_STORE_CTX *ctx);
@@ -281,7 +281,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                }
        /* We have the chain complete: now we need to check its purpose */
-        if (ctx->purpose > 0) ok = check_chain_purpose(ctx);
+        ok = check_chain_extensions(ctx);
        if (!ok) goto end;
@@ -365,21 +365,39 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
        else
                return 0;
 }
-        
 /* Check a certificate chains extensions for consistency
 * with the supplied purpose
 */
-static int check_chain_purpose(X509_STORE_CTX *ctx)
+static int check_chain_extensions(X509_STORE_CTX *ctx)
 {
 #ifdef OPENSSL_NO_CHAIN_VERIFY
        return 1;
 #else
-        int i, ok=0;
+        int i, ok=0, must_be_ca;
        X509 *x;
        int (*cb)();
+        int proxy_path_length = 0;
+        int allow_proxy_certs = !!(ctx->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
        cb=ctx->verify_cb;
+        /* must_be_ca can have 1 of 3 values:
+           -1: we accept both CA and non-CA certificates, to allow direct
+               use of self-signed certificates (which are marked as CA).
+           0:  we only accept non-CA certificates.  This is currently not
+               used, but the possibility is present for future extensions.
+           1:  we only accept CA certificates.  This is currently used for
+               all certificates in the chain except the leaf certificate.
+        */
+        must_be_ca = -1;
+        /* A hack to keep people who don't want to modify their software
+           happy */
+        if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+                allow_proxy_certs = 1;
        /* Check all untrusted certificates */
        for (i = 0; i < ctx->last_untrusted; i++)
                {
@@ -394,23 +412,73 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
                        ok=cb(0,ctx);
                        if (!ok) goto end;
                        }
-                ret = X509_check_purpose(x, ctx->purpose, i);
+                if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
-                if ((ret == 0)
-                         || ((ctx->flags & X509_V_FLAG_X509_STRICT)
-                                && (ret != 1)))
                        {
-                        if (i)
+                        ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
+                        ctx->error_depth = i;
+                        ctx->current_cert = x;
+                        ok=cb(0,ctx);
+                        if (!ok) goto end;
+                        }
+                ret = X509_check_ca(x);
+                switch(must_be_ca)
+                        {
+                case -1:
+                        if ((ctx->flags & X509_V_FLAG_X509_STRICT)
+                                && (ret != 1) && (ret != 0))
+                                {
+                                ret = 0;
                                ctx->error = X509_V_ERR_INVALID_CA;
+                                }
                        else
-                                ctx->error = X509_V_ERR_INVALID_PURPOSE;
+                                ret = 1;
+                        break;
+                case 0:
+                        if (ret != 0)
+                                {
+                                ret = 0;
+                                ctx->error = X509_V_ERR_INVALID_NON_CA;
+                                }
+                        else
+                                ret = 1;
+                        break;
+                default:
+                        if ((ret == 0)
+                                || ((ctx->flags & X509_V_FLAG_X509_STRICT)
+                                        && (ret != 1)))
+                                {
+                                ret = 0;
+                                ctx->error = X509_V_ERR_INVALID_CA;
+                                }
+                        else
+                                ret = 1;
+                        break;
+                        }
+                if (ret == 0)
+                        {
                        ctx->error_depth = i;
                        ctx->current_cert = x;
                        ok=cb(0,ctx);
                        if (!ok) goto end;
                        }
+                if (ctx->purpose > 0)
+                        {
+                        ret = X509_check_purpose(x, ctx->purpose,
+                                must_be_ca > 0);
+                        if ((ret == 0)
+                                || ((ctx->flags & X509_V_FLAG_X509_STRICT)
+                                        && (ret != 1)))
+                                {
+                                ctx->error = X509_V_ERR_INVALID_PURPOSE;
+                                ctx->error_depth = i;
+                                ctx->current_cert = x;
+                                ok=cb(0,ctx);
+                                if (!ok) goto end;
+                                }
+                        }
                /* Check pathlen */
                if ((i > 1) && (x->ex_pathlen != -1)
-                           && (i > (x->ex_pathlen + 1)))
+                           && (i > (x->ex_pathlen + proxy_path_length + 1)))
                        {
                        ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
                        ctx->error_depth = i;
@@ -418,6 +486,32 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
                        ok=cb(0,ctx);
                        if (!ok) goto end;
                        }
+                /* If this certificate is a proxy certificate, the next
+                   certificate must be another proxy certificate or a EE
+                   certificate.  If not, the next certificate must be a
+                   CA certificate.  */
+                if (x->ex_flags & EXFLAG_PROXY)
+                        {
+                        PROXY_CERT_INFO_EXTENSION *pci =
+                                X509_get_ext_d2i(x, NID_proxyCertInfo,
+                                        NULL, NULL);
+                        if (pci->pcPathLengthConstraint &&
+                                ASN1_INTEGER_get(pci->pcPathLengthConstraint)
+                                < i)
+                                {
+                                PROXY_CERT_INFO_EXTENSION_free(pci);
+                                ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
+                                ctx->error_depth = i;
+                                ctx->current_cert = x;
+                                ok=cb(0,ctx);
+                                if (!ok) goto end;
+                                }
+                        PROXY_CERT_INFO_EXTENSION_free(pci);
+                        proxy_path_length++;
+                        must_be_ca = 0;
+                        }
+                else
+                        must_be_ca = 1;
                }
        ok = 1;
 end:
@@ -627,6 +721,15 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
        X509_EXTENSION *ext;
        /* Look for serial number of certificate in CRL */
        rtmp.serialNumber = X509_get_serialNumber(x);
+        /* Sort revoked into serial number order if not already sorted.
+         * Do this under a lock to avoid race condition.
+         */
+        if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked))
+                {
+                CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL);
+                sk_X509_REVOKED_sort(crl->crl->revoked);
+                CRYPTO_w_unlock(CRYPTO_LOCK_X509_CRL);
+                }
        idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
        /* If found assume revoked: want something cleverer than
         * this to handle entry extensions in V2 CRLs.
@@ -772,6 +875,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
                        }
                /* The last error (if any) is still in the error value */
+                ctx->current_issuer=xi;
                ctx->current_cert=xs;
                ok=(*cb)(1,ctx);
                if (!ok) goto end;
@@ -851,7 +955,8 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
        atm.length=sizeof(buff2);
        atm.data=(unsigned char *)buff2;
-        X509_time_adj(&atm,-offset*60, cmp_time);
+        if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
+                return 0;
        if (ctm->type == V_ASN1_UTCTIME)
                {
diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.h b/src/lib/libssl/src/crypto/x509/x509_vfy.h
index 198495884c..7fd1f0bc4d 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vfy.h
+++ b/src/lib/libssl/src/crypto/x509/x509_vfy.h
@@ -276,7 +276,7 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 #define         X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY   6
 #define         X509_V_ERR_CERT_SIGNATURE_FAILURE               7
 #define         X509_V_ERR_CRL_SIGNATURE_FAILURE                8
-#define         X509_V_ERR_CERT_NOT_YET_VALID                   9       
+#define         X509_V_ERR_CERT_NOT_YET_VALID                   9
 #define         X509_V_ERR_CERT_HAS_EXPIRED                     10
 #define         X509_V_ERR_CRL_NOT_YET_VALID                    11
 #define         X509_V_ERR_CRL_HAS_EXPIRED                      12
@@ -306,6 +306,10 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 #define         X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION         34
 #define         X509_V_ERR_KEYUSAGE_NO_CRL_SIGN                 35
 #define         X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION     36
+#define         X509_V_ERR_INVALID_NON_CA                       37
+#define         X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED           38
+#define         X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE        39
+#define         X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED       40
 /* The application is not happy */
 #define         X509_V_ERR_APPLICATION_VERIFICATION             50
@@ -324,6 +328,8 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 #define X509_V_FLAG_IGNORE_CRITICAL             0x10
 /* Disable workarounds for broken certificates */
 #define X509_V_FLAG_X509_STRICT                 0x20
+/* Enable proxy certificate validation */
+#define X509_V_FLAG_ALLOW_PROXY_CERTS           0x40
 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
             X509_NAME *name);
diff --git a/src/lib/libssl/src/crypto/x509/x509cset.c b/src/lib/libssl/src/crypto/x509/x509cset.c
index 6cac440ea9..9d1646d5c8 100644
--- a/src/lib/libssl/src/crypto/x509/x509cset.c
+++ b/src/lib/libssl/src/crypto/x509/x509cset.c
@@ -129,6 +129,7 @@ int X509_CRL_sort(X509_CRL *c)
                r=sk_X509_REVOKED_value(c->crl->revoked,i);
                r->sequence=i;
                }
+        c->crl->enc.modified = 1;
        return 1;
        }
diff --git a/src/lib/libssl/src/crypto/x509/x509name.c b/src/lib/libssl/src/crypto/x509/x509name.c
index 4c20e03ece..068abfe5f0 100644
--- a/src/lib/libssl/src/crypto/x509/x509name.c
+++ b/src/lib/libssl/src/crypto/x509/x509name.c
@@ -195,8 +195,8 @@ int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
        return ret;
 }
-int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type,
+int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
-                        unsigned char *bytes, int len, int loc, int set)
+                        const unsigned char *bytes, int len, int loc, int set)
 {
        X509_NAME_ENTRY *ne;
        int ret;
@@ -273,7 +273,7 @@ err:
        }
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
-                char *field, int type, unsigned char *bytes, int len)
+                const char *field, int type, const unsigned char *bytes, int len)
        {
        ASN1_OBJECT *obj;
        X509_NAME_ENTRY *nentry;
@@ -309,7 +309,7 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
        }
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
-             ASN1_OBJECT *obj, int type, unsigned char *bytes, int len)
+             ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len)
        {
        X509_NAME_ENTRY *ret;
@@ -347,7 +347,7 @@ int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj)
        }
 int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
-             unsigned char *bytes, int len)
+             const unsigned char *bytes, int len)
        {
        int i;
diff --git a/src/lib/libssl/src/crypto/x509/x_all.c b/src/lib/libssl/src/crypto/x509/x_all.c
index fb5015cd4d..ac6dea493a 100644
--- a/src/lib/libssl/src/crypto/x509/x_all.c
+++ b/src/lib/libssl/src/crypto/x509/x_all.c
@@ -103,6 +103,7 @@ int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
        {
+        x->crl->enc.modified = 1;
        return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO),x->crl->sig_alg,
                x->sig_alg, x->signature, x->crl,pkey,md));
        }
diff --git a/src/lib/libssl/src/crypto/x509v3/ext_dat.h b/src/lib/libssl/src/crypto/x509v3/ext_dat.h
index 5442480595..d8328ac468 100644
--- a/src/lib/libssl/src/crypto/x509v3/ext_dat.h
+++ b/src/lib/libssl/src/crypto/x509v3/ext_dat.h
@@ -3,7 +3,7 @@
 * project 1999.
 */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -60,10 +60,11 @@
 extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
 extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
 extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
-extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate, v3_cpols, v3_crld;
+extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
+extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld;
 extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
 extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
-extern X509V3_EXT_METHOD v3_crl_hold;
+extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
 /* This table will be searched using OBJ_bsearch so it *must* kept in
 * order of the ext_nid values.
@@ -89,6 +90,7 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 &v3_akey_id,
 &v3_crld,
 &v3_ext_ku,
+&v3_delta_crl,
 &v3_crl_reason,
 #ifndef OPENSSL_NO_OCSP
 &v3_crl_invdate,
@@ -105,8 +107,9 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 #endif
 &v3_sinfo,
 #ifndef OPENSSL_NO_OCSP
-&v3_crl_hold
+&v3_crl_hold,
 #endif
+&v3_pci,
 };
 /* Number of standard extensions */
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_bitst.c b/src/lib/libssl/src/crypto/x509v3/v3_bitst.c
index 16cf125562..274965306d 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_bitst.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_bitst.c
@@ -124,7 +124,12 @@ static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
                for(bnam = method->usr_data; bnam->lname; bnam++) {
                        if(!strcmp(bnam->sname, val->name) ||
                                !strcmp(bnam->lname, val->name) ) {
-                                ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1);
+                                if(!ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1)) {
+                                        X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
+                                                ERR_R_MALLOC_FAILURE);
+                                        M_ASN1_BIT_STRING_free(bs);
+                                        return NULL;
+                                }
                                break;
                        }
                }
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_ia5.c b/src/lib/libssl/src/crypto/x509v3/v3_ia5.c
index f9414456de..9683afa47c 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_ia5.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_ia5.c
@@ -82,7 +82,10 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
 {
        char *tmp;
        if(!ia5 || !ia5->length) return NULL;
-        if (!(tmp = OPENSSL_malloc(ia5->length + 1))) return NULL;
+        if(!(tmp = OPENSSL_malloc(ia5->length + 1))) {
+                X509V3err(X509V3_F_I2S_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
        memcpy(tmp, ia5->data, ia5->length);
        tmp[ia5->length] = 0;
        return tmp;
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_int.c b/src/lib/libssl/src/crypto/x509v3/v3_int.c
index f34cbfb731..7a43b4717b 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_int.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_int.c
@@ -3,7 +3,7 @@
 * project 1999.
 */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -61,9 +61,16 @@
 #include <openssl/x509v3.h>
 X509V3_EXT_METHOD v3_crl_num = { 
-NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
+        NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
-0,0,0,0,
+        0,0,0,0,
-(X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+        (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
-0,
+        0,
-0,0,0,0, NULL};
+        0,0,0,0, NULL};
+X509V3_EXT_METHOD v3_delta_crl = { 
+        NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER),
+        0,0,0,0,
+        (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+        0,
+        0,0,0,0, NULL};
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_purp.c b/src/lib/libssl/src/crypto/x509v3/v3_purp.c
index b3d1ae5d1c..bbdf6da493 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_purp.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_purp.c
@@ -63,7 +63,6 @@
 static void x509v3_cache_extensions(X509 *x);
-static int ca_check(const X509 *x);
 static int check_ssl_ca(const X509 *x);
 static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca);
 static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
@@ -286,7 +285,8 @@ int X509_supported_extension(X509_EXTENSION *ex)
                NID_key_usage,          /* 83 */
                NID_subject_alt_name,   /* 85 */
                NID_basic_constraints,  /* 87 */
-                NID_ext_key_usage       /* 126 */
+                NID_ext_key_usage,      /* 126 */
+                NID_proxyCertInfo       /* 661 */
        };
        int ex_nid;
@@ -307,6 +307,7 @@ int X509_supported_extension(X509_EXTENSION *ex)
 static void x509v3_cache_extensions(X509 *x)
 {
        BASIC_CONSTRAINTS *bs;
+        PROXY_CERT_INFO_EXTENSION *pci;
        ASN1_BIT_STRING *usage;
        ASN1_BIT_STRING *ns;
        EXTENDED_KEY_USAGE *extusage;
@@ -335,6 +336,16 @@ static void x509v3_cache_extensions(X509 *x)
                BASIC_CONSTRAINTS_free(bs);
                x->ex_flags |= EXFLAG_BCONS;
        }
+        /* Handle proxy certificates */
+        if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
+                if (x->ex_flags & EXFLAG_CA
+                    || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
+                    || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
+                        x->ex_flags |= EXFLAG_INVALID;
+                }
+                PROXY_CERT_INFO_EXTENSION_free(pci);
+                x->ex_flags |= EXFLAG_PROXY;
+        }
        /* Handle key usage */
        if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
                if(usage->length > 0) {
@@ -426,7 +437,7 @@ static void x509v3_cache_extensions(X509 *x)
 #define ns_reject(x, usage) \
        (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
-static int ca_check(const X509 *x)
+static int check_ca(const X509 *x)
 {
        /* keyUsage if present should allow cert signing */
        if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
@@ -435,25 +446,37 @@ static int ca_check(const X509 *x)
                /* If basicConstraints says not a CA then say so */
                else return 0;
        } else {
+                /* we support V1 roots for...  uh, I don't really know why. */
                if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
                /* If key usage present it must have certSign so tolerate it */
                else if (x->ex_flags & EXFLAG_KUSAGE) return 4;
-                else return 2;
+                /* Older certificates could have Netscape-specific CA types */
+                else if (x->ex_flags & EXFLAG_NSCERT
+                         && x->ex_nscert & NS_ANY_CA) return 5;
+                /* can this still be regarded a CA certificate?  I doubt it */
+                return 0;
        }
 }
+int X509_check_ca(X509 *x)
+{
+        if(!(x->ex_flags & EXFLAG_SET)) {
+                CRYPTO_w_lock(CRYPTO_LOCK_X509);
+                x509v3_cache_extensions(x);
+                CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+        }
+        return check_ca(x);
+}
 /* Check SSL CA: common checks for SSL client and server */
 static int check_ssl_ca(const X509 *x)
 {
        int ca_ret;
-        ca_ret = ca_check(x);
+        ca_ret = check_ca(x);
        if(!ca_ret) return 0;
        /* check nsCertType if present */
-        if(x->ex_flags & EXFLAG_NSCERT) {
+        if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret;
-                if(x->ex_nscert & NS_SSL_CA) return ca_ret;
-                return 0;
-        }
-        if(ca_ret != 2) return ca_ret;
        else return 0;
 }
@@ -498,14 +521,10 @@ static int purpose_smime(const X509 *x, int ca)
        if(xku_reject(x,XKU_SMIME)) return 0;
        if(ca) {
                int ca_ret;
-                ca_ret = ca_check(x);
+                ca_ret = check_ca(x);
                if(!ca_ret) return 0;
                /* check nsCertType if present */
-                if(x->ex_flags & EXFLAG_NSCERT) {
+                if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret;
-                        if(x->ex_nscert & NS_SMIME_CA) return ca_ret;
-                        return 0;
-                }
-                if(ca_ret != 2) return ca_ret;
                else return 0;
        }
        if(x->ex_flags & EXFLAG_NSCERT) {
@@ -539,7 +558,7 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
        if(ca) {
                int ca_ret;
-                if((ca_ret = ca_check(x)) != 2) return ca_ret;
+                if((ca_ret = check_ca(x)) != 2) return ca_ret;
                else return 0;
        }
        if(ku_reject(x, KU_CRL_SIGN)) return 0;
@@ -552,17 +571,9 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
 static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
-        /* Must be a valid CA */
+        /* Must be a valid CA.  Should we really support the "I don't know"
-        if(ca) {
+           value (2)? */
-                int ca_ret;
+        if(ca) return check_ca(x);
-                ca_ret = ca_check(x);
-                if(ca_ret != 2) return ca_ret;
-                if(x->ex_flags & EXFLAG_NSCERT) {
-                        if(x->ex_nscert & NS_ANY_CA) return ca_ret;
-                        return 0;
-                }
-                return 0;
-        }
        /* leaf certificate is checked in OCSP_verify() */
        return 1;
 }
@@ -624,7 +635,13 @@ int X509_check_issued(X509 *issuer, X509 *subject)
                                return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
                }
        }
-        if(ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
+        if(subject->ex_flags & EXFLAG_PROXY)
+                {
+                if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
+                        return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
+                }
+        else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
+                return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
        return X509_V_OK;
 }
diff --git a/src/lib/libssl/src/crypto/x509v3/v3err.c b/src/lib/libssl/src/crypto/x509v3/v3err.c
index 6458e95bb9..2df0c3ef01 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3err.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3err.c
@@ -1,6 +1,6 @@
 /* crypto/x509v3/v3err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -72,12 +72,14 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_PACK(0,X509V3_F_DO_EXT_I2D,0),     "DO_EXT_I2D"},
 {ERR_PACK(0,X509V3_F_HEX_TO_STRING,0),  "hex_to_string"},
 {ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0),    "i2s_ASN1_ENUMERATED"},
+{ERR_PACK(0,X509V3_F_I2S_ASN1_IA5STRING,0),     "I2S_ASN1_IA5STRING"},
 {ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0),       "i2s_ASN1_INTEGER"},
 {ERR_PACK(0,X509V3_F_I2V_AUTHORITY_INFO_ACCESS,0),      "I2V_AUTHORITY_INFO_ACCESS"},
 {ERR_PACK(0,X509V3_F_NOTICE_SECTION,0), "NOTICE_SECTION"},
 {ERR_PACK(0,X509V3_F_NREF_NOS,0),       "NREF_NOS"},
 {ERR_PACK(0,X509V3_F_POLICY_SECTION,0), "POLICY_SECTION"},
 {ERR_PACK(0,X509V3_F_R2I_CERTPOL,0),    "R2I_CERTPOL"},
+{ERR_PACK(0,X509V3_F_R2I_PCI,0),        "R2I_PCI"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0),     "S2I_ASN1_IA5STRING"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0),       "s2i_ASN1_INTEGER"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0),  "s2i_ASN1_OCTET_STRING"},
@@ -128,6 +130,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"},
 {X509V3_R_EXTENSION_VALUE_ERROR          ,"extension value error"},
 {X509V3_R_ILLEGAL_HEX_DIGIT              ,"illegal hex digit"},
+{X509V3_R_INCORRECT_POLICY_SYNTAX_TAG    ,"incorrect policy syntax tag"},
 {X509V3_R_INVALID_BOOLEAN_STRING         ,"invalid boolean string"},
 {X509V3_R_INVALID_EXTENSION_STRING       ,"invalid extension string"},
 {X509V3_R_INVALID_NAME                   ,"invalid name"},
@@ -139,6 +142,8 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_INVALID_OBJECT_IDENTIFIER      ,"invalid object identifier"},
 {X509V3_R_INVALID_OPTION                 ,"invalid option"},
 {X509V3_R_INVALID_POLICY_IDENTIFIER      ,"invalid policy identifier"},
+{X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER,"invalid proxy policy identifier"},
+{X509V3_R_INVALID_PROXY_POLICY_SETTING   ,"invalid proxy policy setting"},
 {X509V3_R_INVALID_PURPOSE                ,"invalid purpose"},
 {X509V3_R_INVALID_SECTION                ,"invalid section"},
 {X509V3_R_INVALID_SYNTAX                 ,"invalid syntax"},
@@ -149,9 +154,16 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_NO_ISSUER_CERTIFICATE          ,"no issuer certificate"},
 {X509V3_R_NO_ISSUER_DETAILS              ,"no issuer details"},
 {X509V3_R_NO_POLICY_IDENTIFIER           ,"no policy identifier"},
+{X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED,"no proxy cert policy language defined"},
 {X509V3_R_NO_PUBLIC_KEY                  ,"no public key"},
 {X509V3_R_NO_SUBJECT_DETAILS             ,"no subject details"},
 {X509V3_R_ODD_NUMBER_OF_DIGITS           ,"odd number of digits"},
+{X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED,"policy language alreadty defined"},
+{X509V3_R_POLICY_PATH_LENGTH             ,"policy path length"},
+{X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED,"policy path length alreadty defined"},
+{X509V3_R_POLICY_SYNTAX_NOT              ,"policy syntax not"},
+{X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED,"policy syntax not currently supported"},
+{X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY,"policy when proxy language requires no policy"},
 {X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS   ,"unable to get issuer details"},
 {X509V3_R_UNABLE_TO_GET_ISSUER_KEYID     ,"unable to get issuer keyid"},
 {X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT    ,"unknown bit string argument"},
diff --git a/src/lib/libssl/src/crypto/x509v3/x509v3.h b/src/lib/libssl/src/crypto/x509v3/x509v3.h
index fb07a19016..e6d91251c2 100644
--- a/src/lib/libssl/src/crypto/x509v3/x509v3.h
+++ b/src/lib/libssl/src/crypto/x509v3/x509v3.h
@@ -287,6 +287,23 @@ typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
 DECLARE_STACK_OF(POLICYINFO)
 DECLARE_ASN1_SET_OF(POLICYINFO)
+/* Proxy certificate structures, see RFC 3820 */
+typedef struct PROXY_POLICY_st
+        {
+        ASN1_OBJECT *policyLanguage;
+        ASN1_OCTET_STRING *policy;
+        } PROXY_POLICY;
+typedef struct PROXY_CERT_INFO_EXTENSION_st
+        {
+        ASN1_INTEGER *pcPathLengthConstraint;
+        PROXY_POLICY *proxyPolicy;
+        } PROXY_CERT_INFO_EXTENSION;
+DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
+DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
 #define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
 ",name:", val->name, ",value:", val->value);
@@ -325,6 +342,7 @@ DECLARE_ASN1_SET_OF(POLICYINFO)
 #define EXFLAG_INVALID          0x80
 #define EXFLAG_SET              0x100
 #define EXFLAG_CRITICAL         0x200
+#define EXFLAG_PROXY            0x400
 #define KU_DIGITAL_SIGNATURE    0x0080
 #define KU_NON_REPUDIATION      0x0040
@@ -527,6 +545,7 @@ int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
 int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent);
+int X509_check_ca(X509 *x);
 int X509_check_purpose(X509 *x, int id, int ca);
 int X509_supported_extension(X509_EXTENSION *ex);
 int X509_PURPOSE_set(int *p, int purpose);
@@ -564,12 +583,14 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_F_DO_EXT_I2D                              135
 #define X509V3_F_HEX_TO_STRING                           111
 #define X509V3_F_I2S_ASN1_ENUMERATED                     121
+#define X509V3_F_I2S_ASN1_IA5STRING                      142
 #define X509V3_F_I2S_ASN1_INTEGER                        120
 #define X509V3_F_I2V_AUTHORITY_INFO_ACCESS               138
 #define X509V3_F_NOTICE_SECTION                          132
 #define X509V3_F_NREF_NOS                                133
 #define X509V3_F_POLICY_SECTION                          131
 #define X509V3_F_R2I_CERTPOL                             130
+#define X509V3_F_R2I_PCI                                 142
 #define X509V3_F_S2I_ASN1_IA5STRING                      100
 #define X509V3_F_S2I_ASN1_INTEGER                        108
 #define X509V3_F_S2I_ASN1_OCTET_STRING                   112
@@ -617,6 +638,7 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED         103
 #define X509V3_R_EXTENSION_VALUE_ERROR                   116
 #define X509V3_R_ILLEGAL_HEX_DIGIT                       113
+#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG             153
 #define X509V3_R_INVALID_BOOLEAN_STRING                  104
 #define X509V3_R_INVALID_EXTENSION_STRING                105
 #define X509V3_R_INVALID_NAME                            106
@@ -628,6 +650,8 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_INVALID_OBJECT_IDENTIFIER               110
 #define X509V3_R_INVALID_OPTION                          138
 #define X509V3_R_INVALID_POLICY_IDENTIFIER               134
+#define X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER         147
+#define X509V3_R_INVALID_PROXY_POLICY_SETTING            151
 #define X509V3_R_INVALID_PURPOSE                         146
 #define X509V3_R_INVALID_SECTION                         135
 #define X509V3_R_INVALID_SYNTAX                          143
@@ -638,9 +662,16 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_NO_ISSUER_CERTIFICATE                   121
 #define X509V3_R_NO_ISSUER_DETAILS                       127
 #define X509V3_R_NO_POLICY_IDENTIFIER                    139
+#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED   148
 #define X509V3_R_NO_PUBLIC_KEY                           114
 #define X509V3_R_NO_SUBJECT_DETAILS                      125
 #define X509V3_R_ODD_NUMBER_OF_DIGITS                    112
+#define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED        149
+#define X509V3_R_POLICY_PATH_LENGTH                      152
+#define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED     150
+#define X509V3_R_POLICY_SYNTAX_NOT                       154
+#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED   155
+#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 156
 #define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS            122
 #define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID              123
 #define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT             111
diff --git a/src/lib/libssl/src/doc/apps/asn1parse.pod b/src/lib/libssl/src/doc/apps/asn1parse.pod
index e76e9813ab..69ee4dfee6 100644
--- a/src/lib/libssl/src/doc/apps/asn1parse.pod
+++ b/src/lib/libssl/src/doc/apps/asn1parse.pod
@@ -123,7 +123,7 @@ C<1.2.3.4	shortName	A long name>
 =head1 BUGS
-There should be options to change the format of input lines. The output of some
+There should be options to change the format of output lines. The output of some
 ASN.1 types is not well handled (if at all).
 =cut
diff --git a/src/lib/libssl/src/doc/apps/dgst.pod b/src/lib/libssl/src/doc/apps/dgst.pod
index 1648742bcf..b0d198724c 100644
--- a/src/lib/libssl/src/doc/apps/dgst.pod
+++ b/src/lib/libssl/src/doc/apps/dgst.pod
@@ -14,6 +14,7 @@ B<openssl> B<dgst>
 [B<-binary>]
 [B<-out filename>]
 [B<-sign filename>]
+[B<-passin arg>]
 [B<-verify filename>]
 [B<-prverify filename>]
 [B<-signature filename>]
@@ -59,6 +60,11 @@ filename to output to, or standard output by default.
 digitally sign the digest using the private key in "filename".
+=item B<-passin arg>
+the private key password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
 =item B<-verify filename>
 verify the signature using the the public key in "filename".
diff --git a/src/lib/libssl/src/doc/apps/enc.pod b/src/lib/libssl/src/doc/apps/enc.pod
index ddf081617f..18fe7c81c7 100644
--- a/src/lib/libssl/src/doc/apps/enc.pod
+++ b/src/lib/libssl/src/doc/apps/enc.pod
@@ -86,7 +86,7 @@ versions of OpenSSL. Superseded by the B<-pass> argument.
 =item B<-kfile filename>
 read the password to derive the key from the first line of B<filename>.
-This is for computability with previous versions of OpenSSL. Superseded by
+This is for compatibility with previous versions of OpenSSL. Superseded by
 the B<-pass> argument.
 =item B<-S salt>
diff --git a/src/lib/libssl/src/doc/crypto/BN_num_bytes.pod b/src/lib/libssl/src/doc/crypto/BN_num_bytes.pod
index 61589fb9ac..a6a2e3f819 100644
--- a/src/lib/libssl/src/doc/crypto/BN_num_bytes.pod
+++ b/src/lib/libssl/src/doc/crypto/BN_num_bytes.pod
@@ -16,8 +16,14 @@ BN_num_bits, BN_num_bytes, BN_num_bits_word - get BIGNUM size
 =head1 DESCRIPTION
-These functions return the size of a B<BIGNUM> in bytes or bits,
+BN_num_bytes() returns the size of a B<BIGNUM> in bytes.
-and the size of an unsigned integer in bits.
+BN_num_bits_word() returns the number of significant bits in a word.
+If we take 0x00000432 as an example, it returns 11, not 16, not 32.
+Basically, except for a zero, it returns I<floor(log2(w))+1>.
+BN_num_bits() returns the number of significant bits in a B<BIGNUM>,
+following the same principle as BN_num_bits_word().
 BN_num_bytes() is a macro.
@@ -25,9 +31,23 @@ BN_num_bytes() is a macro.
 The size.
+=head1 NOTES
+Some have tried using BN_num_bits() on individual numbers in RSA keys,
+DH keys and DSA keys, and found that they don't always come up with
+the number of bits they expected (something like 512, 1024, 2048,
+...).  This is because generating a number with some specific number
+of bits doesn't always set the highest bits, thereby making the number
+of I<significant> bits a little lower.  If you want to know the "key
+size" of such a key, either use functions like RSA_size(), DH_size()
+and DSA_size(), or use BN_num_bytes() and multiply with 8 (although
+there's no real guarantee that will match the "key size", just a lot
+more probability).
 =head1 SEE ALSO
-L<bn(3)|bn(3)>
+L<bn(3)|bn(3)>, L<DH_size(3)|DH_size(3)>, L<DSA_size(3)|DSA_size(3)>,
+L<RSA_size(3)|RSA_size(3)>
 =head1 HISTORY
diff --git a/src/lib/libssl/src/doc/crypto/ERR_error_string.pod b/src/lib/libssl/src/doc/crypto/ERR_error_string.pod
index e01beb817a..cdfa7fe1fe 100644
--- a/src/lib/libssl/src/doc/crypto/ERR_error_string.pod
+++ b/src/lib/libssl/src/doc/crypto/ERR_error_string.pod
@@ -11,7 +11,7 @@ error message
 #include <openssl/err.h>
 char *ERR_error_string(unsigned long e, char *buf);
- char *ERR_error_string_n(unsigned long e, char *buf, size_t len);
+ void ERR_error_string_n(unsigned long e, char *buf, size_t len);
 const char *ERR_lib_error_string(unsigned long e);
 const char *ERR_func_error_string(unsigned long e);
diff --git a/src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod b/src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod
index daf57e5895..40e525dd56 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod
@@ -479,6 +479,7 @@ General encryption, decryption function example using FILE I/O and RC2 with an
                if(!EVP_CipherUpdate(&ctx, outbuf, &outlen, inbuf, inlen))
                        {
                        /* Error */
+                        EVP_CIPHER_CTX_cleanup(&ctx);
                        return 0;
                        }
                fwrite(outbuf, 1, outlen, out);
@@ -486,6 +487,7 @@ General encryption, decryption function example using FILE I/O and RC2 with an
        if(!EVP_CipherFinal_ex(&ctx, outbuf, &outlen))
                {
                /* Error */
+                EVP_CIPHER_CTX_cleanup(&ctx);
                return 0;
                }
        fwrite(outbuf, 1, outlen, out);
diff --git a/src/lib/libssl/src/doc/crypto/EVP_SealInit.pod b/src/lib/libssl/src/doc/crypto/EVP_SealInit.pod
index b5e477e294..48a0e29954 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_SealInit.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_SealInit.pod
@@ -8,8 +8,9 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption
 #include <openssl/evp.h>
- int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
+ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, 
-                int *ekl, unsigned char *iv,EVP_PKEY **pubk, int npubk);
+                unsigned char **ek, int *ekl, unsigned char *iv,
+                EVP_PKEY **pubk, int npubk);
 int EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
         int *outl, unsigned char *in, int inl);
 int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
diff --git a/src/lib/libssl/src/doc/crypto/EVP_SignInit.pod b/src/lib/libssl/src/doc/crypto/EVP_SignInit.pod
index e65e54ce52..0bace24938 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_SignInit.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_SignInit.pod
@@ -29,11 +29,10 @@ EVP_SignUpdate() hashes B<cnt> bytes of data at B<d> into the
 signature context B<ctx>. This function can be called several times on the
 same B<ctx> to include additional data.
-EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey>
+EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey> and
-and places the signature in B<sig>. If the B<s> parameter is not NULL
+places the signature in B<sig>. The number of bytes of data written (i.e. the
-then the number of bytes of data written (i.e. the length of the signature)
+length of the signature) will be written to the integer at B<s>, at most
-will be written to the integer at B<s>, at most EVP_PKEY_size(pkey) bytes
+EVP_PKEY_size(pkey) bytes will be written. 
-will be written. 
 EVP_SignInit() initializes a signing context B<ctx> to use the default
 implementation of digest B<type>.
diff --git a/src/lib/libssl/src/doc/crypto/RSA_public_encrypt.pod b/src/lib/libssl/src/doc/crypto/RSA_public_encrypt.pod
index d53e19d2b7..ab0fe3b2cd 100644
--- a/src/lib/libssl/src/doc/crypto/RSA_public_encrypt.pod
+++ b/src/lib/libssl/src/doc/crypto/RSA_public_encrypt.pod
@@ -47,9 +47,10 @@ Encrypting user data directly with RSA is insecure.
 =back
 B<flen> must be less than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
-based padding modes, and less than RSA_size(B<rsa>) - 41 for
+based padding modes, less than RSA_size(B<rsa>) - 41 for
-RSA_PKCS1_OAEP_PADDING. The random number generator must be seeded
+RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B<rsa>) for RSA_NO_PADDING.
-prior to calling RSA_public_encrypt().
+The random number generator must be seeded prior to calling
+RSA_public_encrypt().
 RSA_private_decrypt() decrypts the B<flen> bytes at B<from> using the
 private key B<rsa> and stores the plaintext in B<to>. B<to> must point
diff --git a/src/lib/libssl/src/doc/crypto/blowfish.pod b/src/lib/libssl/src/doc/crypto/blowfish.pod
index ed71334f56..5b2d274c15 100644
--- a/src/lib/libssl/src/doc/crypto/blowfish.pod
+++ b/src/lib/libssl/src/doc/crypto/blowfish.pod
@@ -32,7 +32,7 @@ by Counterpane (see http://www.counterpane.com/blowfish.html ).
 Blowfish is a block cipher that operates on 64 bit (8 byte) blocks of data.
 It uses a variable size key, but typically, 128 bit (16 byte) keys are
-a considered good for strong encryption.  Blowfish can be used in the same
+considered good for strong encryption.  Blowfish can be used in the same
 modes as DES (see L<des_modes(7)|des_modes(7)>).  Blowfish is currently one
 of the faster block ciphers.  It is quite a bit faster than DES, and much
 faster than IDEA or RC2.
diff --git a/src/lib/libssl/src/doc/crypto/pem.pod b/src/lib/libssl/src/doc/crypto/pem.pod
index 8613114452..4f9a27df0c 100644
--- a/src/lib/libssl/src/doc/crypto/pem.pod
+++ b/src/lib/libssl/src/doc/crypto/pem.pod
@@ -471,6 +471,6 @@ is guaranteed to work.
 =head1 RETURN CODES
 The read routines return either a pointer to the structure read or NULL
-is an error occurred.
+if an error occurred.
 The write routines return 1 for success or 0 for failure.
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod b/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod
index 914eb7c9e3..f62a869a9b 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod
@@ -8,9 +8,9 @@ SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_des
 #include <openssl/ssl.h>
- const char *SSL_CIPHER_get_name(SSL_CIPHER *cipher);
+ const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher);
- int SSL_CIPHER_get_bits(SSL_CIPHER *cipher, int *alg_bits);
+ int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *alg_bits);
- char *SSL_CIPHER_get_version(SSL_CIPHER *cipher);
+ char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);
 char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int size);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod
index 5686faf299..0c40a91f2f 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod
@@ -15,7 +15,7 @@ SSL_CTX_get_ex_new_index, SSL_CTX_set_ex_data, SSL_CTX_get_ex_data - internal ap
 int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *arg);
- void *SSL_CTX_get_ex_data(SSL_CTX *ctx, int idx);
+ void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx);
 typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
                int idx, long argl, void *argp);
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_get_verify_mode.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_get_verify_mode.pod
index 7f10c6e945..2a3747e75c 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_get_verify_mode.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_get_verify_mode.pod
@@ -8,12 +8,12 @@ SSL_CTX_get_verify_mode, SSL_get_verify_mode, SSL_CTX_get_verify_depth, SSL_get_
 #include <openssl/ssl.h>
- int SSL_CTX_get_verify_mode(SSL_CTX *ctx);
+ int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
- int SSL_get_verify_mode(SSL *ssl);
+ int SSL_get_verify_mode(const SSL *ssl);
- int SSL_CTX_get_verify_depth(SSL_CTX *ctx);
+ int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
- int SSL_get_verify_depth(SSL *ssl);
+ int SSL_get_verify_depth(const SSL *ssl);
- int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int, X509_STORE_CTX *);
+ int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *);
- int (*SSL_get_verify_callback(SSL *ssl))(int, X509_STORE_CTX *);
+ int (*SSL_get_verify_callback(const SSL *ssl))(int, X509_STORE_CTX *);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_cert_store.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_cert_store.pod
index 3a240c4d37..6acf0d9f9b 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_cert_store.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_cert_store.pod
@@ -9,7 +9,7 @@ SSL_CTX_set_cert_store, SSL_CTX_get_cert_store - manipulate X509 certificate ver
 #include <openssl/ssl.h>
 void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store);
- X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx);
+ X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_info_callback.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_info_callback.pod
index 63d0b8d33f..0b4affd5eb 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_info_callback.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_info_callback.pod
@@ -9,10 +9,10 @@ SSL_CTX_set_info_callback, SSL_CTX_get_info_callback, SSL_set_info_callback, SSL
 #include <openssl/ssl.h>
 void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*callback)());
- void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))();
+ void (*SSL_CTX_get_info_callback(const SSL_CTX *ctx))();
 void SSL_set_info_callback(SSL *ssl, void (*callback)());
- void (*SSL_get_info_callback(SSL *ssl))();
+ void (*SSL_get_info_callback(const SSL *ssl))();
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
index 766f0c9200..5ab1b32f93 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
@@ -163,7 +163,7 @@ When choosing a cipher, use the server's preferences instead of the client
 preferences. When not set, the SSL server will always follow the clients
 preferences. When set, the SSLv3/TLSv1 server will choose following its
 own preferences. Because of the different protocol, for SSLv2 the server
-will send his list of preferences to the client and the client chooses.
+will send its list of preferences to the client and the client chooses.
 =item SSL_OP_PKCS1_CHECK_1
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_quiet_shutdown.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_quiet_shutdown.pod
index 1d0526d59a..393f8ff0b4 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_quiet_shutdown.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_quiet_shutdown.pod
@@ -9,10 +9,10 @@ SSL_CTX_set_quiet_shutdown, SSL_CTX_get_quiet_shutdown, SSL_set_quiet_shutdown,
 #include <openssl/ssl.h>
 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode);
- int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx);
+ int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
 void SSL_set_quiet_shutdown(SSL *ssl, int mode);
- int SSL_get_quiet_shutdown(SSL *ssl);
+ int SSL_get_quiet_shutdown(const SSL *ssl);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_id_context.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_id_context.pod
index 5949395159..58fc685506 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_id_context.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_id_context.pod
@@ -46,7 +46,8 @@ B<SSL_MAX_SSL_SESSION_ID_LENGTH>.
 =head1 WARNINGS
-If the session id context is not set on an SSL/TLS server, stored sessions
+If the session id context is not set on an SSL/TLS server and client
+certificates are used, stored sessions
 will not be reused but a fatal error will be flagged and the handshake
 will fail.
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod
index ea2faba3ec..48c888c337 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod
@@ -31,8 +31,8 @@ SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1, SSL_CTX_use_certificate_f
 int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
 int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
- int SSL_CTX_check_private_key(SSL_CTX *ctx);
+ int SSL_CTX_check_private_key(const SSL_CTX *ctx);
- int SSL_check_private_key(SSL *ssl);
+ int SSL_check_private_key(const SSL *ssl);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod b/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod
index da0bcf1590..657cda931f 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod
@@ -15,7 +15,7 @@ SSL_SESSION_get_ex_new_index, SSL_SESSION_set_ex_data, SSL_SESSION_get_ex_data -
 int SSL_SESSION_set_ex_data(SSL_SESSION *session, int idx, void *arg);
- void *SSL_SESSION_get_ex_data(SSL_SESSION *session, int idx);
+ void *SSL_SESSION_get_ex_data(const SSL_SESSION *session, int idx);
 typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
                int idx, long argl, void *argp);
diff --git a/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_time.pod b/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_time.pod
index ea3c2bcfe6..00883ed2a0 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_time.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_time.pod
@@ -8,14 +8,14 @@ SSL_SESSION_get_time, SSL_SESSION_set_time, SSL_SESSION_get_timeout, SSL_SESSION
 #include <openssl/ssl.h>
- long SSL_SESSION_get_time(SSL_SESSION *s);
+ long SSL_SESSION_get_time(const SSL_SESSION *s);
 long SSL_SESSION_set_time(SSL_SESSION *s, long tm);
- long SSL_SESSION_get_timeout(SSL_SESSION *s);
+ long SSL_SESSION_get_timeout(const SSL_SESSION *s);
 long SSL_SESSION_set_timeout(SSL_SESSION *s, long tm);
- long SSL_get_time(SSL_SESSION *s);
+ long SSL_get_time(const SSL_SESSION *s);
 long SSL_set_time(SSL_SESSION *s, long tm);
- long SSL_get_timeout(SSL_SESSION *s);
+ long SSL_get_timeout(const SSL_SESSION *s);
 long SSL_set_timeout(SSL_SESSION *s, long tm);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_SSL_CTX.pod b/src/lib/libssl/src/doc/ssl/SSL_get_SSL_CTX.pod
index 52d0227b19..659c482c79 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_get_SSL_CTX.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_SSL_CTX.pod
@@ -8,7 +8,7 @@ SSL_get_SSL_CTX - get the SSL_CTX from which an SSL is created
 #include <openssl/ssl.h>
- SSL_CTX *SSL_get_SSL_CTX(SSL *ssl);
+ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_ciphers.pod b/src/lib/libssl/src/doc/ssl/SSL_get_ciphers.pod
index 2a57455c23..aecadd9138 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_get_ciphers.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_ciphers.pod
@@ -8,8 +8,8 @@ SSL_get_ciphers, SSL_get_cipher_list - get list of available SSL_CIPHERs
 #include <openssl/ssl.h>
- STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *ssl);
+ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl);
- const char *SSL_get_cipher_list(SSL *ssl, int priority);
+ const char *SSL_get_cipher_list(const SSL *ssl, int priority);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_client_CA_list.pod b/src/lib/libssl/src/doc/ssl/SSL_get_client_CA_list.pod
index 5693fdebb2..68181b2407 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_get_client_CA_list.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_client_CA_list.pod
@@ -8,8 +8,8 @@ SSL_get_client_CA_list, SSL_CTX_get_client_CA_list - get list of client CAs
 #include <openssl/ssl.h>
- STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s);
+ STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
- STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx); 
+ STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx); 
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_current_cipher.pod b/src/lib/libssl/src/doc/ssl/SSL_get_current_cipher.pod
index 2dd7261d89..e5ab12491e 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_get_current_cipher.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_current_cipher.pod
@@ -9,7 +9,7 @@ SSL_get_cipher_bits, SSL_get_cipher_version - get SSL_CIPHER of a connection
 #include <openssl/ssl.h>
- SSL_CIPHER *SSL_get_current_cipher(SSL *ssl);
+ SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl);
 #define SSL_get_cipher(s) \
                SSL_CIPHER_get_name(SSL_get_current_cipher(s))
 #define SSL_get_cipher_name(s) \
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_default_timeout.pod b/src/lib/libssl/src/doc/ssl/SSL_get_default_timeout.pod
index 8d43b31345..a648a9b82d 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_get_default_timeout.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_default_timeout.pod
@@ -8,7 +8,7 @@ SSL_get_default_timeout - get default session timeout value
 #include <openssl/ssl.h>
- long SSL_get_default_timeout(SSL *ssl);
+ long SSL_get_default_timeout(const SSL *ssl);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_error.pod b/src/lib/libssl/src/doc/ssl/SSL_get_error.pod
index fe28dd942a..48c6b15db7 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_get_error.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_error.pod
@@ -8,7 +8,7 @@ SSL_get_error - obtain result code for TLS/SSL I/O operation
 #include <openssl/ssl.h>
- int SSL_get_error(SSL *ssl, int ret);
+ int SSL_get_error(const SSL *ssl, int ret);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod b/src/lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod
index 6644ef8fbc..228d23d8c0 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod
@@ -15,7 +15,7 @@ SSL_get_ex_new_index, SSL_set_ex_data, SSL_get_ex_data - internal application sp
 int SSL_set_ex_data(SSL *ssl, int idx, void *arg);
- void *SSL_get_ex_data(SSL *ssl, int idx);
+ void *SSL_get_ex_data(const SSL *ssl, int idx);
 typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
                int idx, long argl, void *argp);
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_fd.pod b/src/lib/libssl/src/doc/ssl/SSL_get_fd.pod
index a3f7625931..89260b522c 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_get_fd.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_fd.pod
@@ -8,9 +8,9 @@ SSL_get_fd - get file descriptor linked to an SSL object
 #include <openssl/ssl.h>
- int SSL_get_fd(SSL *ssl);
+ int SSL_get_fd(const SSL *ssl);
- int SSL_get_rfd(SSL *ssl);
+ int SSL_get_rfd(const SSL *ssl);
- int SSL_get_wfd(SSL *ssl);
+ int SSL_get_wfd(const SSL *ssl);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod b/src/lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod
index 390ce0b41b..49fb88f86f 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod
@@ -8,7 +8,7 @@ SSL_get_peer_cert_chain - get the X509 certificate chain of the peer
 #include <openssl/ssl.h>
- STACKOF(X509) *SSL_get_peer_cert_chain(SSL *ssl);
+ STACKOF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod b/src/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod
index 60635a9660..ef7c8be180 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod
@@ -8,7 +8,7 @@ SSL_get_peer_certificate - get the X509 certificate of the peer
 #include <openssl/ssl.h>
- X509 *SSL_get_peer_certificate(SSL *ssl);
+ X509 *SSL_get_peer_certificate(const SSL *ssl);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_session.pod b/src/lib/libssl/src/doc/ssl/SSL_get_session.pod
index dd9aba40b6..0c41caa922 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_get_session.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_session.pod
@@ -8,8 +8,8 @@ SSL_get_session - retrieve TLS/SSL session data
 #include <openssl/ssl.h>
- SSL_SESSION *SSL_get_session(SSL *ssl);
+ SSL_SESSION *SSL_get_session(const SSL *ssl);
- SSL_SESSION *SSL_get0_session(SSL *ssl);
+ SSL_SESSION *SSL_get0_session(const SSL *ssl);
 SSL_SESSION *SSL_get1_session(SSL *ssl);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_verify_result.pod b/src/lib/libssl/src/doc/ssl/SSL_get_verify_result.pod
index e6bac9c35a..55b56a53f9 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_get_verify_result.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_verify_result.pod
@@ -8,7 +8,7 @@ SSL_get_verify_result - get result of peer certificate verification
 #include <openssl/ssl.h>
- long SSL_get_verify_result(SSL *ssl);
+ long SSL_get_verify_result(const SSL *ssl);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_version.pod b/src/lib/libssl/src/doc/ssl/SSL_get_version.pod
index 24d5291256..cc271db2c5 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_get_version.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_version.pod
@@ -8,7 +8,7 @@ SSL_get_version - get the protocol version of a connection.
 #include <openssl/ssl.h>
- const char *SSL_get_version(SSL *ssl);
+ const char *SSL_get_version(const SSL *ssl);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_pending.pod b/src/lib/libssl/src/doc/ssl/SSL_pending.pod
index b4c48598b2..43f2874e8b 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_pending.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_pending.pod
@@ -8,7 +8,7 @@ SSL_pending - obtain number of readable bytes buffered in an SSL object
 #include <openssl/ssl.h>
- int SSL_pending(SSL *ssl);
+ int SSL_pending(const SSL *ssl);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_set_shutdown.pod b/src/lib/libssl/src/doc/ssl/SSL_set_shutdown.pod
index 6289e635d9..011a022a12 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_set_shutdown.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_set_shutdown.pod
@@ -10,7 +10,7 @@ SSL_set_shutdown, SSL_get_shutdown - manipulate shutdown state of an SSL connect
 void SSL_set_shutdown(SSL *ssl, int mode);
- int SSL_get_shutdown(SSL *ssl);
+ int SSL_get_shutdown(const SSL *ssl);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_shutdown.pod b/src/lib/libssl/src/doc/ssl/SSL_shutdown.pod
index 6b5012be7a..89911acbca 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_shutdown.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_shutdown.pod
@@ -38,7 +38,7 @@ behaviour.
 =over 4
 =item When the application is the first party to send the "close notify"
-alert, SSL_shutdown() will only send the alert and the set the
+alert, SSL_shutdown() will only send the alert and then set the
 SSL_SENT_SHUTDOWN flag (so that the session is considered good and will
 be kept in cache). SSL_shutdown() will then return with 0. If a unidirectional
 shutdown is enough (the underlying connection shall be closed anyway), this
diff --git a/src/lib/libssl/src/doc/ssl/SSL_state_string.pod b/src/lib/libssl/src/doc/ssl/SSL_state_string.pod
index b4be1aaa48..fe25d47c71 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_state_string.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_state_string.pod
@@ -8,8 +8,8 @@ SSL_state_string, SSL_state_string_long - get textual description of state of an
 #include <openssl/ssl.h>
- const char *SSL_state_string(SSL *ssl);
+ const char *SSL_state_string(const SSL *ssl);
- const char *SSL_state_string_long(SSL *ssl);
+ const char *SSL_state_string_long(const SSL *ssl);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/SSL_want.pod b/src/lib/libssl/src/doc/ssl/SSL_want.pod
index 50cc89db80..c0059c0d4a 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_want.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_want.pod
@@ -8,11 +8,11 @@ SSL_want, SSL_want_nothing, SSL_want_read, SSL_want_write, SSL_want_x509_lookup
 #include <openssl/ssl.h>
- int SSL_want(SSL *ssl);
+ int SSL_want(const SSL *ssl);
- int SSL_want_nothing(SSL *ssl);
+ int SSL_want_nothing(const SSL *ssl);
- int SSL_want_read(SSL *ssl);
+ int SSL_want_read(const SSL *ssl);
- int SSL_want_write(SSL *ssl);
+ int SSL_want_write(const SSL *ssl);
- int SSL_want_x509_lookup(SSL *ssl);
+ int SSL_want_x509_lookup(const SSL *ssl);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/d2i_SSL_SESSION.pod b/src/lib/libssl/src/doc/ssl/d2i_SSL_SESSION.pod
index 0321a5a36f..81d276477f 100644
--- a/src/lib/libssl/src/doc/ssl/d2i_SSL_SESSION.pod
+++ b/src/lib/libssl/src/doc/ssl/d2i_SSL_SESSION.pod
@@ -8,7 +8,7 @@ d2i_SSL_SESSION, i2d_SSL_SESSION - convert SSL_SESSION object from/to ASN1 repre
 #include <openssl/ssl.h>
- SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, long length);
+ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length);
 int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/ssl/ssl.pod b/src/lib/libssl/src/doc/ssl/ssl.pod
index 4d7a6b7e2b..b41f3e3645 100644
--- a/src/lib/libssl/src/doc/ssl/ssl.pod
+++ b/src/lib/libssl/src/doc/ssl/ssl.pod
@@ -213,7 +213,7 @@ protocol context defined in the B<SSL_CTX> structure.
 =item int B<SSL_CTX_add_session>(SSL_CTX *ctx, SSL_SESSION *c);
-=item int B<SSL_CTX_check_private_key>(SSL_CTX *ctx);
+=item int B<SSL_CTX_check_private_key>(const SSL_CTX *ctx);
 =item long B<SSL_CTX_ctrl>(SSL_CTX *ctx, int cmd, long larg, char *parg);
@@ -225,23 +225,23 @@ protocol context defined in the B<SSL_CTX> structure.
 =item X509_STORE *B<SSL_CTX_get_cert_store>(SSL_CTX *ctx);
-=item STACK *B<SSL_CTX_get_client_CA_list>(SSL_CTX *ctx);
+=item STACK *B<SSL_CTX_get_client_CA_list>(const SSL_CTX *ctx);
 =item int (*B<SSL_CTX_get_client_cert_cb>(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
-=item char *B<SSL_CTX_get_ex_data>(SSL_CTX *s, int idx);
+=item char *B<SSL_CTX_get_ex_data>(const SSL_CTX *s, int idx);
 =item int B<SSL_CTX_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
 =item void (*B<SSL_CTX_get_info_callback>(SSL_CTX *ctx))(SSL *ssl, int cb, int ret);
-=item int B<SSL_CTX_get_quiet_shutdown>(SSL_CTX *ctx);
+=item int B<SSL_CTX_get_quiet_shutdown>(const SSL_CTX *ctx);
 =item int B<SSL_CTX_get_session_cache_mode>(SSL_CTX *ctx);
-=item long B<SSL_CTX_get_timeout>(SSL_CTX *ctx);
+=item long B<SSL_CTX_get_timeout>(const SSL_CTX *ctx);
-=item int (*B<SSL_CTX_get_verify_callback>(SSL_CTX *ctx))(int ok, X509_STORE_CTX *ctx);
+=item int (*B<SSL_CTX_get_verify_callback>(const SSL_CTX *ctx))(int ok, X509_STORE_CTX *ctx);
 =item int B<SSL_CTX_get_verify_mode>(SSL_CTX *ctx);
@@ -383,27 +383,27 @@ sessions defined in the B<SSL_SESSION> structures.
 =over 4
-=item int B<SSL_SESSION_cmp>(SSL_SESSION *a, SSL_SESSION *b);
+=item int B<SSL_SESSION_cmp>(const SSL_SESSION *a, const SSL_SESSION *b);
 =item void B<SSL_SESSION_free>(SSL_SESSION *ss);
 =item char *B<SSL_SESSION_get_app_data>(SSL_SESSION *s);
-=item char *B<SSL_SESSION_get_ex_data>(SSL_SESSION *s, int idx);
+=item char *B<SSL_SESSION_get_ex_data>(const SSL_SESSION *s, int idx);
 =item int B<SSL_SESSION_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
-=item long B<SSL_SESSION_get_time>(SSL_SESSION *s);
+=item long B<SSL_SESSION_get_time>(const SSL_SESSION *s);
-=item long B<SSL_SESSION_get_timeout>(SSL_SESSION *s);
+=item long B<SSL_SESSION_get_timeout>(const SSL_SESSION *s);
-=item unsigned long B<SSL_SESSION_hash>(SSL_SESSION *a);
+=item unsigned long B<SSL_SESSION_hash>(const SSL_SESSION *a);
 =item SSL_SESSION *B<SSL_SESSION_new>(void);
-=item int B<SSL_SESSION_print>(BIO *bp, SSL_SESSION *x);
+=item int B<SSL_SESSION_print>(BIO *bp, const SSL_SESSION *x);
-=item int B<SSL_SESSION_print_fp>(FILE *fp, SSL_SESSION *x);
+=item int B<SSL_SESSION_print_fp>(FILE *fp, const SSL_SESSION *x);
 =item void B<SSL_SESSION_set_app_data>(SSL_SESSION *s, char *a);
@@ -438,7 +438,7 @@ connection defined in the B<SSL> structure.
 =item char *B<SSL_alert_type_string_long>(int value);
-=item int B<SSL_check_private_key>(SSL *ssl);
+=item int B<SSL_check_private_key>(const SSL *ssl);
 =item void B<SSL_clear>(SSL *ssl);
@@ -446,7 +446,7 @@ connection defined in the B<SSL> structure.
 =item int B<SSL_connect>(SSL *ssl);
-=item void B<SSL_copy_session_id>(SSL *t, SSL *f);
+=item void B<SSL_copy_session_id>(SSL *t, const SSL *f);
 =item long B<SSL_ctrl>(SSL *ssl, int cmd, long larg, char *parg);
@@ -458,77 +458,77 @@ connection defined in the B<SSL> structure.
 =item void B<SSL_free>(SSL *ssl);
-=item SSL_CTX *B<SSL_get_SSL_CTX>(SSL *ssl);
+=item SSL_CTX *B<SSL_get_SSL_CTX>(const SSL *ssl);
 =item char *B<SSL_get_app_data>(SSL *ssl);
-=item X509 *B<SSL_get_certificate>(SSL *ssl);
+=item X509 *B<SSL_get_certificate>(const SSL *ssl);
-=item const char *B<SSL_get_cipher>(SSL *ssl);
+=item const char *B<SSL_get_cipher>(const SSL *ssl);
-=item int B<SSL_get_cipher_bits>(SSL *ssl, int *alg_bits);
+=item int B<SSL_get_cipher_bits>(const SSL *ssl, int *alg_bits);
-=item char *B<SSL_get_cipher_list>(SSL *ssl, int n);
+=item char *B<SSL_get_cipher_list>(const SSL *ssl, int n);
-=item char *B<SSL_get_cipher_name>(SSL *ssl);
+=item char *B<SSL_get_cipher_name>(const SSL *ssl);
-=item char *B<SSL_get_cipher_version>(SSL *ssl);
+=item char *B<SSL_get_cipher_version>(const SSL *ssl);
-=item STACK *B<SSL_get_ciphers>(SSL *ssl);
+=item STACK *B<SSL_get_ciphers>(const SSL *ssl);
-=item STACK *B<SSL_get_client_CA_list>(SSL *ssl);
+=item STACK *B<SSL_get_client_CA_list>(const SSL *ssl);
 =item SSL_CIPHER *B<SSL_get_current_cipher>(SSL *ssl);
-=item long B<SSL_get_default_timeout>(SSL *ssl);
+=item long B<SSL_get_default_timeout>(const SSL *ssl);
-=item int B<SSL_get_error>(SSL *ssl, int i);
+=item int B<SSL_get_error>(const SSL *ssl, int i);
-=item char *B<SSL_get_ex_data>(SSL *ssl, int idx);
+=item char *B<SSL_get_ex_data>(const SSL *ssl, int idx);
 =item int B<SSL_get_ex_data_X509_STORE_CTX_idx>(void);
 =item int B<SSL_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
-=item int B<SSL_get_fd>(SSL *ssl);
+=item int B<SSL_get_fd>(const SSL *ssl);
-=item void (*B<SSL_get_info_callback>(SSL *ssl);)(void)
+=item void (*B<SSL_get_info_callback>(const SSL *ssl);)()
-=item STACK *B<SSL_get_peer_cert_chain>(SSL *ssl);
+=item STACK *B<SSL_get_peer_cert_chain>(const SSL *ssl);
-=item X509 *B<SSL_get_peer_certificate>(SSL *ssl);
+=item X509 *B<SSL_get_peer_certificate>(const SSL *ssl);
 =item EVP_PKEY *B<SSL_get_privatekey>(SSL *ssl);
-=item int B<SSL_get_quiet_shutdown>(SSL *ssl);
+=item int B<SSL_get_quiet_shutdown>(const SSL *ssl);
-=item BIO *B<SSL_get_rbio>(SSL *ssl);
+=item BIO *B<SSL_get_rbio>(const SSL *ssl);
-=item int B<SSL_get_read_ahead>(SSL *ssl);
+=item int B<SSL_get_read_ahead>(const SSL *ssl);
-=item SSL_SESSION *B<SSL_get_session>(SSL *ssl);
+=item SSL_SESSION *B<SSL_get_session>(const SSL *ssl);
-=item char *B<SSL_get_shared_ciphers>(SSL *ssl, char *buf, int len);
+=item char *B<SSL_get_shared_ciphers>(const SSL *ssl, char *buf, int len);
-=item int B<SSL_get_shutdown>(SSL *ssl);
+=item int B<SSL_get_shutdown>(const SSL *ssl);
 =item SSL_METHOD *B<SSL_get_ssl_method>(SSL *ssl);
-=item int B<SSL_get_state>(SSL *ssl);
+=item int B<SSL_get_state>(const SSL *ssl);
-=item long B<SSL_get_time>(SSL *ssl);
+=item long B<SSL_get_time>(const SSL *ssl);
-=item long B<SSL_get_timeout>(SSL *ssl);
+=item long B<SSL_get_timeout>(const SSL *ssl);
-=item int (*B<SSL_get_verify_callback>(SSL *ssl);)(void)
+=item int (*B<SSL_get_verify_callback>(const SSL *ssl))(int,X509_STORE_CTX *)
-=item int B<SSL_get_verify_mode>(SSL *ssl);
+=item int B<SSL_get_verify_mode>(const SSL *ssl);
-=item long B<SSL_get_verify_result>(SSL *ssl);
+=item long B<SSL_get_verify_result>(const SSL *ssl);
-=item char *B<SSL_get_version>(SSL *ssl);
+=item char *B<SSL_get_version>(const SSL *ssl);
-=item BIO *B<SSL_get_wbio>(SSL *ssl);
+=item BIO *B<SSL_get_wbio>(const SSL *ssl);
 =item int B<SSL_in_accept_init>(SSL *ssl);
@@ -550,7 +550,7 @@ connection defined in the B<SSL> structure.
 =item int B<SSL_peek>(SSL *ssl, void *buf, int num);
-=item int B<SSL_pending>(SSL *ssl);
+=item int B<SSL_pending>(const SSL *ssl);
 =item int B<SSL_read>(SSL *ssl, void *buf, int num);
@@ -610,11 +610,11 @@ connection defined in the B<SSL> structure.
 =item int B<SSL_shutdown>(SSL *ssl);
-=item int B<SSL_state>(SSL *ssl);
+=item int B<SSL_state>(const SSL *ssl);
-=item char *B<SSL_state_string>(SSL *ssl);
+=item char *B<SSL_state_string>(const SSL *ssl);
-=item char *B<SSL_state_string_long>(SSL *ssl);
+=item char *B<SSL_state_string_long>(const SSL *ssl);
 =item long B<SSL_total_renegotiations>(SSL *ssl);
@@ -636,17 +636,17 @@ connection defined in the B<SSL> structure.
 =item int B<SSL_use_certificate_file>(SSL *ssl, char *file, int type);
-=item int B<SSL_version>(SSL *ssl);
+=item int B<SSL_version>(const SSL *ssl);
-=item int B<SSL_want>(SSL *ssl);
+=item int B<SSL_want>(const SSL *ssl);
-=item int B<SSL_want_nothing>(SSL *ssl);
+=item int B<SSL_want_nothing>(const SSL *ssl);
-=item int B<SSL_want_read>(SSL *ssl);
+=item int B<SSL_want_read>(const SSL *ssl);
-=item int B<SSL_want_write>(SSL *ssl);
+=item int B<SSL_want_write>(const SSL *ssl);
-=item int B<SSL_want_x509_lookup>(s);
+=item int B<SSL_want_x509_lookup>(const SSL *ssl);
 =item int B<SSL_write>(SSL *ssl, const void *buf, int num);
diff --git a/src/lib/libssl/src/doc/standards.txt b/src/lib/libssl/src/doc/standards.txt
index edbe2f3a57..f6675b574b 100644
--- a/src/lib/libssl/src/doc/standards.txt
+++ b/src/lib/libssl/src/doc/standards.txt
@@ -88,6 +88,10 @@ PKCS#12: Personal Information Exchange Syntax Standard, version 1.0.
     (Format: TXT=143173 bytes) (Obsoletes RFC2437) (Status:           
     INFORMATIONAL)                                         
+3820 Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate
+     Profile. S. Tuecke, V. Welch, D. Engert, L. Pearlman, M. Thompson.
+     June 2004. (Format: TXT=86374 bytes) (Status: PROPOSED STANDARD)
 Related:
 --------
diff --git a/src/lib/libssl/src/e_os.h b/src/lib/libssl/src/e_os.h
index 096eabe09a..5a328b7fa8 100644
--- a/src/lib/libssl/src/e_os.h
+++ b/src/lib/libssl/src/e_os.h
@@ -510,11 +510,31 @@ extern char *sys_errlist[]; extern int sys_nerr;
 #define IRIX_CC_BUG     /* CDS++ up to V2.0Bsomething suffered from the same bug.*/
 #endif
+#if defined(OPENSSL_SYS_WINDOWS)
+#  define strcasecmp _stricmp
+#  define strncasecmp _strnicmp
+#elif defined(OPENSSL_SYS_VMS)
+/* VMS below version 7.0 doesn't have strcasecmp() */
+#  include "o_str.h"
+#  define strcasecmp OPENSSL_strcasecmp
+#  define strncasecmp OPENSSL_strncasecmp
+#  define OPENSSL_IMPLEMENTS_strncasecmp
+#elif defined(OPENSSL_SYS_OS2) && defined(__EMX__)
+#  define strcasecmp stricmp
+#  define strncasecmp strnicmp
+#else
+#  ifdef NO_STRINGS_H
+    int strcasecmp();
+    int strncasecmp();
+#  else
+#    include <strings.h>
+#  endif /* NO_STRINGS_H */
+#endif
 #if defined(OPENSSL_SYS_OS2) && defined(__EMX__)
 # include <io.h>
 # include <fcntl.h>
 # define NO_SYSLOG
-# define strcasecmp stricmp
 #endif
 /* vxworks */
diff --git a/src/lib/libssl/src/e_os2.h b/src/lib/libssl/src/e_os2.h
index 81be3025f6..4ca79a4d65 100644
--- a/src/lib/libssl/src/e_os2.h
+++ b/src/lib/libssl/src/e_os2.h
@@ -189,6 +189,11 @@ extern "C" {
 # endif
 #endif
+/* --------------------------------- VOS ----------------------------------- */
+#ifdef OPENSSL_SYSNAME_VOS
+# define OPENSSL_SYS_VOS
+#endif
 /* ------------------------------- VxWorks --------------------------------- */
 #ifdef OPENSSL_SYSNAME_VXWORKS
 # define OPENSSL_SYS_VXWORKS
@@ -243,7 +248,7 @@ extern "C" {
 #define OPENSSL_EXTERN OPENSSL_IMPORT
 /* Macros to allow global variables to be reached through function calls when
-   required (if a shared library version requvres it, for example.
+   required (if a shared library version requires it, for example.
   The way it's done allows definitions like this:
        // in foobar.c
@@ -253,9 +258,10 @@ extern "C" {
        #define foobar OPENSSL_GLOBAL_REF(foobar)
 */
 #ifdef OPENSSL_EXPORT_VAR_AS_FUNCTION
-# define OPENSSL_IMPLEMENT_GLOBAL(type,name) static type _hide_##name; \
+# define OPENSSL_IMPLEMENT_GLOBAL(type,name)                         \
-        type *_shadow_##name(void) { return &_hide_##name; } \
+        extern type _hide_##name;                                    \
-        static type _hide_##name
+        type *_shadow_##name(void) { return &_hide_##name; }         \
+        static type _hide_##name
 # define OPENSSL_DECLARE_GLOBAL(type,name) type *_shadow_##name(void)
 # define OPENSSL_GLOBAL_REF(name) (*(_shadow_##name()))
 #else
diff --git a/src/lib/libssl/src/install.com b/src/lib/libssl/src/install.com
index 4e4fe80dfe..8de3a7f977 100644
--- a/src/lib/libssl/src/install.com
+++ b/src/lib/libssl/src/install.com
@@ -52,23 +52,23 @@ $	IF F$PARSE("WRK_SSLPRIVATE:") .EQS. "" THEN -
 $       IF F$PARSE("WRK_SSLROOT:[VMS]") .EQS. "" THEN -
           CREATE/DIR/LOG WRK_SSLROOT:[VMS]
 $
-$       SDIRS := CRYPTO,SSL,APPS,VMS!,RSAREF,TEST,TOOLS
+$       DIRS := CRYPTO,FIPS,SSL,APPS,VMS!,RSAREF,TEST,TOOLS
 $       EXHEADER := e_os2.h
 $
 $       COPY 'EXHEADER' WRK_SSLINCLUDE: /LOG
 $       SET FILE/PROT=WORLD:RE WRK_SSLINCLUDE:'EXHEADER'
 $
 $       I = 0
-$ LOOP_SDIRS: 
+$ LOOP_DIRS: 
-$       D = F$ELEMENT(I, ",", SDIRS)
+$       D = F$ELEMENT(I, ",", DIRS)
 $       I = I + 1
-$       IF D .EQS. "," THEN GOTO LOOP_SDIRS_END
+$       IF D .EQS. "," THEN GOTO LOOP_DIRS_END
 $       WRITE SYS$OUTPUT "Installing ",D," files."
 $       SET DEFAULT [.'D']
 $       @INSTALL 'ROOT']
 $       SET DEFAULT [-]
-$       GOTO LOOP_SDIRS
+$       GOTO LOOP_DIRS
-$ LOOP_SDIRS_END:
+$ LOOP_DIRS_END:
 $
 $       DEASSIGN WRK_SSLROOT
 $       DEASSIGN WRK_SSLVLIB
diff --git a/src/lib/libssl/src/makevms.com b/src/lib/libssl/src/makevms.com
index 443f3c15c5..d892fe9f0d 100644
--- a/src/lib/libssl/src/makevms.com
+++ b/src/lib/libssl/src/makevms.com
@@ -178,7 +178,7 @@ $ WRITE H_FILE "# define OPENSSL_SYS_VMS"
 $ WRITE H_FILE "#endif"
 $ CONFIG_LOGICALS := NO_ASM,NO_RSA,NO_DSA,NO_DH,NO_MD2,NO_MD5,NO_RIPEMD,-
        NO_SHA,NO_SHA0,NO_SHA1,NO_DES/NO_MDC2;NO_MDC2,NO_RC2,NO_RC4,NO_RC5,-
-        NO_IDEA,NO_BF,NO_CAST,NO_HMAC,NO_SSL2
+        NO_IDEA,NO_BF,NO_CAST,NO_HMAC,NO_SSL2,FIPS
 $ CONFIG_LOG_I = 0
 $ CONFIG_LOG_LOOP:
 $   CONFIG_LOG_E1 = F$ELEMENT(CONFIG_LOG_I,",",CONFIG_LOGICALS)
@@ -357,7 +357,7 @@ $! Copy a lot of files around.
 $!
 $ SOFTLINKS: 
 $!
-$! Tell The User We Are Partly Rebuilding The [.TEST] Directory.
+$! Tell The User We Are Partly Rebuilding The [.APPS] Directory.
 $!
 $ WRITE SYS$OUTPUT "Rebuilding The '[.APPS]MD4.C', '[.APPS]MD5.C' And '[.APPS]RMD160.C' Files."
 $!
@@ -480,6 +480,33 @@ $!
 $ EXHEADER := ssl.h,ssl2.h,ssl3.h,ssl23.h,tls1.h,kssl.h
 $ COPY SYS$DISK:[.SSL]'EXHEADER' SYS$DISK:[.INCLUDE.OPENSSL]
 $!
+$! Copy All The ".H" Files From The [.FIPS] Directories.
+$!
+$ FDIRS := ,SHA1,RAND,DES,AES,DSA,RSA
+$ EXHEADER_ := fips.h
+$ EXHEADER_SHA1 :=
+$ EXHEADER_RAND := fips_rand.h
+$ EXHEADER_DES :=
+$ EXHEADER_AES :=
+$ EXHEADER_DSA :=
+$ EXHEADER_RSA :=
+$
+$ I = 0
+$ LOOP_FDIRS: 
+$ D = F$EDIT(F$ELEMENT(I, ",", FDIRS),"TRIM")
+$ I = I + 1
+$ IF D .EQS. "," THEN GOTO LOOP_FDIRS_END
+$ tmp = EXHEADER_'D'
+$ IF tmp .EQS. "" THEN GOTO LOOP_FDIRS
+$ IF D .EQS. ""
+$ THEN
+$   COPY [.FIPS]'tmp' SYS$DISK:[.INCLUDE.OPENSSL] !/LOG
+$ ELSE
+$   COPY [.FIPS.'D']'tmp' SYS$DISK:[.INCLUDE.OPENSSL] !/LOG
+$ ENDIF
+$ GOTO LOOP_FDIRS
+$ LOOP_FDIRS_END:
+$!
 $! Purge all doubles
 $!
 $ PURGE SYS$DISK:[.INCLUDE.OPENSSL]*.H
@@ -505,9 +532,21 @@ $! Build The [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library.
 $!  
 $ @CRYPTO-LIB LIBRARY 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" "''ISSEVEN'" "''BUILDPART'"
 $!
+$! Go Back To The Main Directory.
+$!
+$ SET DEFAULT [-]
+$!
+$! Go To The [.FIPS] Directory.
+$!
+$ SET DEFAULT SYS$DISK:[.FIPS]
+$!
+$! Build The [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library.
+$!  
+$ @FIPS-LIB LIBRARY 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" "''ISSEVEN'" "''BUILDPART'"
+$!
 $! Build The [.xxx.EXE.CRYPTO]*.EXE Test Applications.
 $!  
-$ @CRYPTO-LIB APPS 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN'
+$ @FIPS-LIB APPS 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN'
 $!
 $! Go Back To The Main Directory.
 $!
diff --git a/src/lib/libssl/src/ms/do_masm.bat b/src/lib/libssl/src/ms/do_masm.bat
index f4c958c561..61c52562f7 100644
--- a/src/lib/libssl/src/ms/do_masm.bat
+++ b/src/lib/libssl/src/ms/do_masm.bat
@@ -1,3 +1,5 @@
+rem use "fips" as the first argument to make a proper FIPS build.
 @echo off
 echo Generating x86 for MASM assember
@@ -56,13 +58,13 @@ cd ..\..\..
 echo on
 perl util\mkfiles.pl >MINFO
-rem perl util\mk1mf.pl VC-MSDOS no-sock >ms\msdos.mak
+rem perl util\mk1mf.pl no-sock %1 VC-MSDOS >ms\msdos.mak
-rem perl util\mk1mf.pl VC-W31-32 >ms\w31.mak
+rem perl util\mk1mf.pl %1 VC-W31-32 >ms\w31.mak
-perl util\mk1mf.pl dll VC-W31-32 >ms\w31dll.mak
+perl util\mk1mf.pl dll %1 VC-W31-32 >ms\w31dll.mak
-perl util\mk1mf.pl VC-WIN32 >ms\nt.mak
+perl util\mk1mf.pl %1 VC-WIN32 >ms\nt.mak
-perl util\mk1mf.pl dll VC-WIN32 >ms\ntdll.mak
+perl util\mk1mf.pl dll %1 VC-WIN32 >ms\ntdll.mak
-perl util\mkdef.pl 16 libeay > ms\libeay16.def
+perl util\mkdef.pl 16 libeay %1 > ms\libeay16.def
-perl util\mkdef.pl 32 libeay > ms\libeay32.def
+perl util\mkdef.pl 32 libeay %1 > ms\libeay32.def
-perl util\mkdef.pl 16 ssleay > ms\ssleay16.def
+perl util\mkdef.pl 16 ssleay %1 > ms\ssleay16.def
-perl util\mkdef.pl 32 ssleay > ms\ssleay32.def
+perl util\mkdef.pl 32 ssleay %1 > ms\ssleay32.def
diff --git a/src/lib/libssl/src/ms/do_ms.bat b/src/lib/libssl/src/ms/do_ms.bat
index a8cf515bac..72179708bf 100644
--- a/src/lib/libssl/src/ms/do_ms.bat
+++ b/src/lib/libssl/src/ms/do_ms.bat
@@ -1,14 +1,14 @@
 perl util\mkfiles.pl >MINFO
-rem perl util\mk1mf.pl VC-MSDOS no-sock >ms\msdos.mak
+rem perl util\mk1mf.pl no-sock %1 VC-MSDOS >ms\msdos.mak
-rem perl util\mk1mf.pl VC-W31-32 >ms\w31.mak
+rem perl util\mk1mf.pl %1 VC-W31-32 >ms\w31.mak
-perl util\mk1mf.pl dll VC-W31-32 >ms\w31dll.mak
+perl util\mk1mf.pl dll %1 VC-W31-32 >ms\w31dll.mak
-perl util\mk1mf.pl no-asm VC-WIN32 >ms\nt.mak
+perl util\mk1mf.pl no-asm %1 VC-WIN32 >ms\nt.mak
-perl util\mk1mf.pl dll no-asm VC-WIN32 >ms\ntdll.mak
+perl util\mk1mf.pl dll no-asm %1 VC-WIN32 >ms\ntdll.mak
-perl util\mk1mf.pl no-asm VC-CE >ms\ce.mak
+perl util\mk1mf.pl no-asm %1 VC-CE >ms\ce.mak
-perl util\mk1mf.pl dll no-asm VC-CE >ms\cedll.mak
+perl util\mk1mf.pl dll no-asm %1 VC-CE >ms\cedll.mak
-perl util\mkdef.pl 16 libeay > ms\libeay16.def
+perl util\mkdef.pl 16 libeay %1 > ms\libeay16.def
-perl util\mkdef.pl 32 libeay > ms\libeay32.def
+perl util\mkdef.pl 32 libeay %1 > ms\libeay32.def
-perl util\mkdef.pl 16 ssleay > ms\ssleay16.def
+perl util\mkdef.pl 16 ssleay %1 > ms\ssleay16.def
-perl util\mkdef.pl 32 ssleay > ms\ssleay32.def
+perl util\mkdef.pl 32 ssleay %1 > ms\ssleay32.def
diff --git a/src/lib/libssl/src/ms/do_nasm.bat b/src/lib/libssl/src/ms/do_nasm.bat
index 557f8a66d7..270dab0058 100644
--- a/src/lib/libssl/src/ms/do_nasm.bat
+++ b/src/lib/libssl/src/ms/do_nasm.bat
@@ -1,3 +1,4 @@
+rem use "fips" as the first argument to make a proper FIPS build.
 @echo off
 echo Generating x86 for NASM assember
@@ -57,14 +58,14 @@ cd ..\..\..
 echo on
 perl util\mkfiles.pl >MINFO
-rem perl util\mk1mf.pl VC-MSDOS no-sock >ms\msdos.mak
+rem perl util\mk1mf.pl no-sock %1 VC-MSDOS >ms\msdos.mak
-rem perl util\mk1mf.pl VC-W31-32 >ms\w31.mak
+rem perl util\mk1mf.pl %1 VC-W31-32 >ms\w31.mak
-perl util\mk1mf.pl dll VC-W31-32 >ms\w31dll.mak
+perl util\mk1mf.pl dll %1 VC-W31-32 >ms\w31dll.mak
-perl util\mk1mf.pl nasm VC-WIN32 >ms\nt.mak
+perl util\mk1mf.pl nasm %1 VC-WIN32 >ms\nt.mak
-perl util\mk1mf.pl dll nasm VC-WIN32 >ms\ntdll.mak
+perl util\mk1mf.pl dll nasm %1 VC-WIN32 >ms\ntdll.mak
-perl util\mk1mf.pl nasm BC-NT >ms\bcb.mak
+perl util\mk1mf.pl nasm %1 BC-NT >ms\bcb.mak
-perl util\mkdef.pl 16 libeay > ms\libeay16.def
+perl util\mkdef.pl 16 libeay %1 > ms\libeay16.def
-perl util\mkdef.pl 32 libeay > ms\libeay32.def
+perl util\mkdef.pl 32 libeay %1 > ms\libeay32.def
-perl util\mkdef.pl 16 ssleay > ms\ssleay16.def
+perl util\mkdef.pl 16 ssleay %1 > ms\ssleay16.def
-perl util\mkdef.pl 32 ssleay > ms\ssleay32.def
+perl util\mkdef.pl 32 ssleay %1 > ms\ssleay32.def
diff --git a/src/lib/libssl/src/ms/do_nt.bat b/src/lib/libssl/src/ms/do_nt.bat
index 9c06c27caa..66b408b283 100644
--- a/src/lib/libssl/src/ms/do_nt.bat
+++ b/src/lib/libssl/src/ms/do_nt.bat
@@ -1,7 +1,7 @@
 perl util\mkfiles.pl >MINFO
-perl util\mk1mf.pl no-asm VC-NT >ms\nt.mak
+perl util\mk1mf.pl no-asm %1 VC-NT >ms\nt.mak
-perl util\mk1mf.pl dll no-asm VC-NT >ms\ntdll.mak
+perl util\mk1mf.pl dll no-asm %1 VC-NT >ms\ntdll.mak
-perl util\mkdef.pl libeay NT > ms\libeay32.def
+perl util\mkdef.pl libeay NT %1 > ms\libeay32.def
-perl util\mkdef.pl ssleay NT > ms\ssleay32.def
+perl util\mkdef.pl ssleay NT %1 > ms\ssleay32.def
diff --git a/src/lib/libssl/src/ms/test.bat b/src/lib/libssl/src/ms/test.bat
index c3a1b0c28d..7fb0442147 100644
--- a/src/lib/libssl/src/ms/test.bat
+++ b/src/lib/libssl/src/ms/test.bat
@@ -87,20 +87,22 @@ echo testss
 call %test%\testss openssl
 if errorlevel 1 goto done
+set SSL_TEST=ssltest -key keyU.ss -cert certU.ss -c_key keyU.ss -c_cert certU.ss -CAfile certCA.ss
 echo test sslv2
 ssltest -ssl2
 if errorlevel 1 goto done
 echo test sslv2 with server authentication
-ssltest -ssl2 -server_auth -CAfile cert.tmp
+%SSL_TEST% -ssl2 -server_auth
 if errorlevel 1 goto done
 echo test sslv2 with client authentication
-ssltest -ssl2 -client_auth -CAfile cert.tmp
+%SSL_TEST% -ssl2 -client_auth
 if errorlevel 1 goto done
 echo test sslv2 with both client and server authentication
-ssltest -ssl2 -server_auth -client_auth -CAfile cert.tmp
+%SSL_TEST% -ssl2 -server_auth -client_auth
 if errorlevel 1 goto done
 echo test sslv3
@@ -108,15 +110,15 @@ ssltest -ssl3
 if errorlevel 1 goto done
 echo test sslv3 with server authentication
-ssltest -ssl3 -server_auth -CAfile cert.tmp
+%SSL_TEST% -ssl3 -server_auth
 if errorlevel 1 goto done
 echo test sslv3 with client authentication
-ssltest -ssl3 -client_auth -CAfile cert.tmp
+%SSL_TEST% -ssl3 -client_auth
 if errorlevel 1 goto done
 echo test sslv3 with both client and server authentication
-ssltest -ssl3 -server_auth -client_auth -CAfile cert.tmp
+%SSL_TEST% -ssl3 -server_auth -client_auth
 if errorlevel 1 goto done
 echo test sslv2/sslv3
@@ -124,15 +126,15 @@ ssltest
 if errorlevel 1 goto done
 echo test sslv2/sslv3 with server authentication
-ssltest -server_auth -CAfile cert.tmp
+%SSL_TEST% -server_auth
 if errorlevel 1 goto done
 echo test sslv2/sslv3 with client authentication
-ssltest -client_auth -CAfile cert.tmp
+%SSL_TEST% -client_auth
 if errorlevel 1 goto done
 echo test sslv2/sslv3 with both client and server authentication
-ssltest -server_auth -client_auth -CAfile cert.tmp
+%SSL_TEST% -server_auth -client_auth
 if errorlevel 1 goto done
 echo test sslv2 via BIO pair
@@ -144,15 +146,15 @@ ssltest -bio_pair -dhe1024dsa -v
 if errorlevel 1 goto done
 echo test sslv2 with server authentication via BIO pair
-ssltest -bio_pair -ssl2 -server_auth -CAfile cert.tmp
+%SSL_TEST% -bio_pair -ssl2 -server_auth
 if errorlevel 1 goto done
 echo test sslv2 with client authentication via BIO pair
-ssltest -bio_pair -ssl2 -client_auth -CAfile cert.tmp
+%SSL_TEST% -bio_pair -ssl2 -client_auth
 if errorlevel 1 goto done
 echo test sslv2 with both client and server authentication via BIO pair
-ssltest -bio_pair -ssl2 -server_auth -client_auth -CAfile cert.tmp
+%SSL_TEST% -bio_pair -ssl2 -server_auth -client_auth
 if errorlevel 1 goto done
 echo test sslv3 via BIO pair
@@ -160,31 +162,31 @@ ssltest -bio_pair -ssl3
 if errorlevel 1 goto done
 echo test sslv3 with server authentication via BIO pair
-ssltest -bio_pair -ssl3 -server_auth -CAfile cert.tmp
+%SSL_TEST% -bio_pair -ssl3 -server_auth
 if errorlevel 1 goto done
 echo test sslv3 with client authentication  via BIO pair
-ssltest -bio_pair -ssl3 -client_auth -CAfile cert.tmp
+%SSL_TEST% -bio_pair -ssl3 -client_auth
 if errorlevel 1 goto done
 echo test sslv3 with both client and server authentication via BIO pair
-ssltest -bio_pair -ssl3 -server_auth -client_auth -CAfile cert.tmp
+%SSL_TEST% -bio_pair -ssl3 -server_auth -client_auth
 if errorlevel 1 goto done
 echo test sslv2/sslv3 via BIO pair
-ssltest
+ssltest -bio_pair
 if errorlevel 1 goto done
 echo test sslv2/sslv3 with server authentication
-ssltest -bio_pair -server_auth -CAfile cert.tmp
+%SSL_TEST% -bio_pair -server_auth
 if errorlevel 1 goto done
 echo test sslv2/sslv3 with client authentication via BIO pair
-ssltest -bio_pair -client_auth -CAfile cert.tmp
+%SSL_TEST% -bio_pair -client_auth
 if errorlevel 1 goto done
 echo test sslv2/sslv3 with both client and server authentication via BIO pair
-ssltest -bio_pair -server_auth -client_auth -CAfile cert.tmp
+%SSL_TEST% -bio_pair -server_auth -client_auth
 if errorlevel 1 goto done
 del cert.tmp
diff --git a/src/lib/libssl/src/ms/testss.bat b/src/lib/libssl/src/ms/testss.bat
index f7e58e2756..b4aaf3c601 100644
--- a/src/lib/libssl/src/ms/testss.bat
+++ b/src/lib/libssl/src/ms/testss.bat
@@ -4,7 +4,7 @@ rem set ssleay=..\out\ssleay
 set ssleay=%1
 set reqcmd=%ssleay% req
-set x509cmd=%ssleay% x509
+set x509cmd=%ssleay% x509 -sha1
 set verifycmd=%ssleay% verify
 set CAkey=keyCA.ss
diff --git a/src/lib/libssl/src/openssl.spec b/src/lib/libssl/src/openssl.spec
index 6a272f6969..98ef153e3b 100644
--- a/src/lib/libssl/src/openssl.spec
+++ b/src/lib/libssl/src/openssl.spec
@@ -1,7 +1,7 @@
 %define libmaj 0
 %define libmin 9
 %define librel 7
-%define librev d
+%define librev g
 Release: 1
 %define openssldir /var/ssl
diff --git a/src/lib/libssl/src/shlib/hpux10-cc.sh b/src/lib/libssl/src/shlib/hpux10-cc.sh
index 81eb9d4cab..fcadda827d 100644
--- a/src/lib/libssl/src/shlib/hpux10-cc.sh
+++ b/src/lib/libssl/src/shlib/hpux10-cc.sh
@@ -74,9 +74,9 @@ make clean
 # Hack the Makefiles to pick up the dynamic libraries during linking
 #
-sed 's/^PEX_LIBS=.*$/PEX_LIBS=-L\/usr\/local\/ssl\/lib/' Makefile.ssl >xxx; mv xxx Makefile.ssl
+sed 's/^PEX_LIBS=.*$/PEX_LIBS=-L\/usr\/local\/ssl\/lib/' Makefile >xxx; mv xxx Makefile.ssl
-sed 's/-L\.\.//' apps/Makefile.ssl >xxx; mv xxx apps/Makefile.ssl
+sed 's/-L\.\.//' apps/Makefile >xxx; mv xxx apps/Makefile
-sed 's/-L\.\.//' test/Makefile.ssl >xxx; mv xxx test/Makefile.ssl
+sed 's/-L\.\.//' test/Makefile >xxx; mv xxx test/Makefile
 # Build the static libs and the executables in one make.
 make
 # Install everything
diff --git a/src/lib/libssl/src/ssl/kssl.c b/src/lib/libssl/src/ssl/kssl.c
index 51378897f6..3afa95f3fa 100644
--- a/src/lib/libssl/src/ssl/kssl.c
+++ b/src/lib/libssl/src/ssl/kssl.c
@@ -73,6 +73,8 @@
 #undef _XOPEN_SOURCE /* To avoid clashes with anything else... */
 #include <string.h>
+#define KRB5_PRIVATE    1
 #include <openssl/ssl.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
@@ -80,6 +82,10 @@
 #ifndef OPENSSL_NO_KRB5
+#ifndef ENOMEM
+#define ENOMEM KRB5KRB_ERR_GENERIC
+#endif
 /* 
 * When OpenSSL is built on Windows, we do not want to require that
 * the Kerberos DLLs be available in order for the OpenSSL DLLs to
@@ -932,7 +938,7 @@ print_krb5_data(char *label, krb5_data *kdata)
        int i;
        printf("%s[%d] ", label, kdata->length);
-        for (i=0; i < kdata->length; i++)
+        for (i=0; i < (int)kdata->length; i++)
                {
                if (0 &&  isprint((int) kdata->data[i]))
                        printf( "%c ",  kdata->data[i]);
@@ -984,14 +990,14 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
 #ifdef KRB5_HEIMDAL
        printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype,
                                           keyblk->keyvalue->length);
-        for (i=0; i < keyblk->keyvalue->length; i++)
+        for (i=0; i < (int)keyblk->keyvalue->length; i++)
                {
                printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
                }
        printf("\n");
 #else
        printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
-        for (i=0; i < keyblk->length; i++)
+        for (i=0; i < (int)keyblk->length; i++)
                {
                printf("%02x",keyblk->contents[i]);
                }
@@ -1010,12 +1016,12 @@ print_krb5_princ(char *label, krb5_principal_data *princ)
        printf("%s principal Realm: ", label);
        if (princ == NULL)  return;
-        for (ui=0; ui < princ->realm.length; ui++)  putchar(princ->realm.data[ui]);
+        for (ui=0; ui < (int)princ->realm.length; ui++)  putchar(princ->realm.data[ui]);
        printf(" (nametype %d) has %d strings:\n", princ->type,princ->length);
-        for (i=0; i < princ->length; i++)
+        for (i=0; i < (int)princ->length; i++)
                {
                printf("\t%d [%d]: ", i, princ->data[i].length);
-                for (uj=0; uj < princ->data[i].length; uj++)  {
+                for (uj=0; uj < (int)princ->data[i].length; uj++)  {
                        putchar(princ->data[i].data[uj]);
                        }
                printf("\n");
diff --git a/src/lib/libssl/src/ssl/kssl.h b/src/lib/libssl/src/ssl/kssl.h
index 19a689b089..a3d20e1ccb 100644
--- a/src/lib/libssl/src/ssl/kssl.h
+++ b/src/lib/libssl/src/ssl/kssl.h
@@ -82,6 +82,12 @@ extern "C" {
 #ifdef KRB5_HEIMDAL
 typedef unsigned char krb5_octet;
 #define FAR
+#else
+#ifndef FAR
+#define FAR
+#endif
 #endif
 /*      Uncomment this to debug kssl problems or
diff --git a/src/lib/libssl/src/ssl/s23_clnt.c b/src/lib/libssl/src/ssl/s23_clnt.c
index 64ee4269ec..779e94a35c 100644
--- a/src/lib/libssl/src/ssl/s23_clnt.c
+++ b/src/lib/libssl/src/ssl/s23_clnt.c
@@ -235,7 +235,8 @@ static int ssl23_client_hello(SSL *s)
 #endif
                p=s->s3->client_random;
-                RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE);
+                if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE) <= 0)
+                    return -1;
                /* Do the message type and length last */
                d= &(buf[2]);
@@ -248,6 +249,14 @@ static int ssl23_client_hello(SSL *s)
                        *(d++)=TLS1_VERSION_MINOR;
                        s->client_version=TLS1_VERSION;
                        }
+#ifdef OPENSSL_FIPS
+                else if(FIPS_mode())
+                        {
+                        SSLerr(SSL_F_SSL23_CLIENT_HELLO,
+                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                        return -1;
+                        }
+#endif
                else if (!(s->options & SSL_OP_NO_SSLv3))
                        {
                        *(d++)=SSL3_VERSION_MAJOR;
@@ -296,7 +305,9 @@ static int ssl23_client_hello(SSL *s)
                        i=ch_len;
                s2n(i,d);
                memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
-                RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
+                if(RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i) <= 0)
+                        return -1;
                memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
                p+=i;
@@ -426,6 +437,14 @@ static int ssl23_get_server_hello(SSL *s)
                if ((p[2] == SSL3_VERSION_MINOR) &&
                        !(s->options & SSL_OP_NO_SSLv3))
                        {
+#ifdef OPENSSL_FIPS
+                        if(FIPS_mode())
+                                {
+                                SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
+                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                                goto err;
+                                }
+#endif
                        s->version=SSL3_VERSION;
                        s->method=SSLv3_client_method();
                        }
diff --git a/src/lib/libssl/src/ssl/s23_lib.c b/src/lib/libssl/src/ssl/s23_lib.c
index b70002a647..8d7dbcf569 100644
--- a/src/lib/libssl/src/ssl/s23_lib.c
+++ b/src/lib/libssl/src/ssl/s23_lib.c
@@ -87,7 +87,7 @@ static SSL_METHOD SSLv23_data= {
        ssl3_ctx_ctrl,
        ssl23_get_cipher_by_char,
        ssl23_put_cipher_by_char,
-        ssl_undefined_function,
+        ssl_undefined_const_function,
        ssl23_num_ciphers,
        ssl23_get_cipher,
        ssl_bad_method,
diff --git a/src/lib/libssl/src/ssl/s23_srvr.c b/src/lib/libssl/src/ssl/s23_srvr.c
index c5404ca0bc..92f3391f60 100644
--- a/src/lib/libssl/src/ssl/s23_srvr.c
+++ b/src/lib/libssl/src/ssl/s23_srvr.c
@@ -407,6 +407,15 @@ int ssl23_get_client_hello(SSL *s)
                        }
                }
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && (s->version < TLS1_VERSION))
+                {
+                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
+                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                goto err;
+                }
+#endif
        if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
                {
                /* we have SSLv3/TLSv1 in an SSLv2 header
diff --git a/src/lib/libssl/src/ssl/s2_clnt.c b/src/lib/libssl/src/ssl/s2_clnt.c
index 43b32eb415..c67829f495 100644
--- a/src/lib/libssl/src/ssl/s2_clnt.c
+++ b/src/lib/libssl/src/ssl/s2_clnt.c
@@ -612,7 +612,8 @@ static int client_hello(SSL *s)
                s->s2->challenge_length=SSL2_CHALLENGE_LENGTH;
                s2n(SSL2_CHALLENGE_LENGTH,p);           /* challenge length */
                /*challenge id data*/
-                RAND_pseudo_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH);
+                if(RAND_pseudo_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH) <= 0)
+                        return -1;
                memcpy(d,s->s2->challenge,SSL2_CHALLENGE_LENGTH);
                d+=SSL2_CHALLENGE_LENGTH;
@@ -660,7 +661,9 @@ static int client_master_key(SSL *s)
                        SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
                        return -1;
                        }
-                if (i > 0) RAND_pseudo_bytes(sess->key_arg,i);
+                if (i > 0)
+                        if(RAND_pseudo_bytes(sess->key_arg,i) <= 0)
+                                return -1;
                /* make a master key */
                i=EVP_CIPHER_key_length(c);
diff --git a/src/lib/libssl/src/ssl/s2_lib.c b/src/lib/libssl/src/ssl/s2_lib.c
index edcef4dda2..26ce8c8d98 100644
--- a/src/lib/libssl/src/ssl/s2_lib.c
+++ b/src/lib/libssl/src/ssl/s2_lib.c
@@ -263,7 +263,7 @@ SSL_CIPHER *ssl2_get_cipher(unsigned int u)
                return(NULL);
        }
-int ssl2_pending(SSL *s)
+int ssl2_pending(const SSL *s)
        {
        return SSL_in_init(s) ? 0 : s->s2->ract_data_length;
        }
diff --git a/src/lib/libssl/src/ssl/s2_srvr.c b/src/lib/libssl/src/ssl/s2_srvr.c
index 5da2a54af3..853871f28c 100644
--- a/src/lib/libssl/src/ssl/s2_srvr.c
+++ b/src/lib/libssl/src/ssl/s2_srvr.c
@@ -498,7 +498,8 @@ static int get_client_master_key(SSL *s)
                        i=ek;
                else
                        i=EVP_CIPHER_key_length(c);
-                RAND_pseudo_bytes(p,i);
+                if(RAND_pseudo_bytes(p,i) <= 0)
+                    return 0;
                }
 #else
        if (i < 0)
@@ -804,7 +805,8 @@ static int server_hello(SSL *s)
                /* make and send conn_id */
                s2n(SSL2_CONNECTION_ID_LENGTH,p);       /* add conn_id length */
                s->s2->conn_id_length=SSL2_CONNECTION_ID_LENGTH;
-                RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length);
+                if(RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length) <= 0)
+                    return -1;
                memcpy(d,s->s2->conn_id,SSL2_CONNECTION_ID_LENGTH);
                d+=SSL2_CONNECTION_ID_LENGTH;
@@ -949,7 +951,8 @@ static int request_certificate(SSL *s)
                p=(unsigned char *)s->init_buf->data;
                *(p++)=SSL2_MT_REQUEST_CERTIFICATE;
                *(p++)=SSL2_AT_MD5_WITH_RSA_ENCRYPTION;
-                RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
+                if(RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH) <= 0)
+                        return -1;
                memcpy(p,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
                s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_B;
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 36f4a8b4c3..ebf83b0322 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -117,6 +117,7 @@
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/md5.h>
+#include <openssl/fips.h>
 static SSL_METHOD *ssl3_get_client_method(int ver);
 static int ssl3_client_hello(SSL *s);
@@ -534,7 +535,8 @@ static int ssl3_client_hello(SSL *s)
                p=s->s3->client_random;
                Time=time(NULL);                        /* Time */
                l2n(Time,p);
-                RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+                if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+                    goto err;
                /* Do the message type and length last */
                d=p= &(buf[4]);
@@ -1160,11 +1162,14 @@ static int ssl3_get_key_exchange(SSL *s)
                        q=md_buf;
                        for (num=2; num > 0; num--)
                                {
+                                EVP_MD_CTX_set_flags(&md_ctx,
+                                        EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
                                EVP_DigestInit_ex(&md_ctx,(num == 2)
                                        ?s->ctx->md5:s->ctx->sha1, NULL);
                                EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
                                EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
                                EVP_DigestUpdate(&md_ctx,param,param_len);
+                                
                                EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
                                q+=i;
                                j+=i;
diff --git a/src/lib/libssl/src/ssl/s3_enc.c b/src/lib/libssl/src/ssl/s3_enc.c
index 92efb9597d..a012d3f2b5 100644
--- a/src/lib/libssl/src/ssl/s3_enc.c
+++ b/src/lib/libssl/src/ssl/s3_enc.c
@@ -146,6 +146,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
 #endif
        k=0;
        EVP_MD_CTX_init(&m5);
+        EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
        EVP_MD_CTX_init(&s1);
        for (i=0; i<num; i+=MD5_DIGEST_LENGTH)
                {
@@ -501,6 +502,8 @@ int ssl3_enc(SSL *s, int send)
 void ssl3_init_finished_mac(SSL *s)
        {
+        EVP_MD_CTX_set_flags(&(s->s3->finish_dgst1),
+                EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
        EVP_DigestInit_ex(&(s->s3->finish_dgst1),s->ctx->md5, NULL);
        EVP_DigestInit_ex(&(s->s3->finish_dgst2),s->ctx->sha1, NULL);
        }
@@ -641,6 +644,7 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
        unsigned int n;
        EVP_MD_CTX_init(&ctx);
+        EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
        for (i=0; i<3; i++)
                {
                EVP_DigestInit_ex(&ctx,s->ctx->sha1, NULL);
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index d04096016c..9bf1dbec06 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -142,7 +142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_RSA_NULL_SHA,
        SSL3_CK_RSA_NULL_SHA,
        SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_STRONG_NONE,
+        SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
        0,
        0,
        0,
@@ -183,7 +183,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_ADH_DES_40_CBC_SHA,
        SSL3_CK_ADH_DES_40_CBC_SHA,
        SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
+        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
        0,
        40,
        128,
@@ -196,7 +196,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_ADH_DES_64_CBC_SHA,
        SSL3_CK_ADH_DES_64_CBC_SHA,
        SSL_kEDH |SSL_aNULL|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW,
+        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
        0,
        56,
        56,
@@ -209,7 +209,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_ADH_DES_192_CBC_SHA,
        SSL3_CK_ADH_DES_192_CBC_SHA,
        SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        168,
        168,
@@ -291,7 +291,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_RSA_DES_40_CBC_SHA,
        SSL3_CK_RSA_DES_40_CBC_SHA,
        SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
+        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
        0,
        40,
        56,
@@ -304,7 +304,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_RSA_DES_64_CBC_SHA,
        SSL3_CK_RSA_DES_64_CBC_SHA,
        SSL_kRSA|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW,
+        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
        0,
        56,
        56,
@@ -317,7 +317,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_RSA_DES_192_CBC3_SHA,
        SSL3_CK_RSA_DES_192_CBC3_SHA,
        SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        168,
        168,
@@ -332,7 +332,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
        SSL3_CK_DH_DSS_DES_40_CBC_SHA,
        SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
+        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
        0,
        40,
        56,
@@ -345,7 +345,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
        SSL3_CK_DH_DSS_DES_64_CBC_SHA,
        SSL_kDHd |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW,
+        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
        0,
        56,
        56,
@@ -358,7 +358,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
        SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
        SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        168,
        168,
@@ -371,7 +371,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
        SSL3_CK_DH_RSA_DES_40_CBC_SHA,
        SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
+        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
        0,
        40,
        56,
@@ -384,7 +384,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
        SSL3_CK_DH_RSA_DES_64_CBC_SHA,
        SSL_kDHr |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW,
+        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
        0,
        56,
        56,
@@ -397,7 +397,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
        SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
        SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        168,
        168,
@@ -412,7 +412,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
        SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
        SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
+        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
        0,
        40,
        56,
@@ -425,7 +425,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
        SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
        SSL_kEDH|SSL_aDSS|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW,
+        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
        0,
        56,
        56,
@@ -438,7 +438,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
        SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
        SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        168,
        168,
@@ -451,7 +451,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
        SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
        SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
+        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
        0,
        40,
        56,
@@ -464,7 +464,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
        SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
        SSL_kEDH|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW,
+        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
        0,
        56,
        56,
@@ -477,7 +477,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
        SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
        SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        168,
        168,
@@ -541,7 +541,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_KRB5_DES_64_CBC_SHA,
        SSL3_CK_KRB5_DES_64_CBC_SHA,
        SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
-        SSL_NOT_EXP|SSL_LOW,
+        SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
        0,
        56,
        56,
@@ -555,7 +555,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_KRB5_DES_192_CBC3_SHA,
        SSL3_CK_KRB5_DES_192_CBC3_SHA,
        SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_SHA1  |SSL_SSLV3,
-        SSL_NOT_EXP|SSL_HIGH,
+        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        112,
        168,
@@ -653,7 +653,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_KRB5_DES_40_CBC_SHA,
        SSL3_CK_KRB5_DES_40_CBC_SHA,
        SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
-        SSL_EXPORT|SSL_EXP40,
+        SSL_EXPORT|SSL_EXP40|SSL_FIPS,
        0,
        40,
        56,
@@ -767,7 +767,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
            TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
            SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
-            SSL_EXPORT|SSL_EXP56,
+            SSL_EXPORT|SSL_EXP56|SSL_FIPS,
            0,
            56,
            56,
@@ -780,7 +780,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
            TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
            SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,
-            SSL_EXPORT|SSL_EXP56,
+            SSL_EXPORT|SSL_EXP56|SSL_FIPS,
            0,
            56,
            56,
@@ -835,7 +835,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_RSA_WITH_AES_128_SHA,
            TLS1_CK_RSA_WITH_AES_128_SHA,
            SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
-            SSL_NOT_EXP|SSL_MEDIUM,
+            SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
            0,
            128,
            128,
@@ -848,7 +848,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
            TLS1_CK_DH_DSS_WITH_AES_128_SHA,
            SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_MEDIUM,
+            SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
            0,
            128,
            128,
@@ -861,7 +861,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
            TLS1_CK_DH_RSA_WITH_AES_128_SHA,
            SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_MEDIUM,
+            SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
            0,
            128,
            128,
@@ -874,7 +874,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
            TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
            SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_MEDIUM,
+            SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
            0,
            128,
            128,
@@ -887,7 +887,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
            TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
            SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_MEDIUM,
+            SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
            0,
            128,
            128,
@@ -900,7 +900,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_ADH_WITH_AES_128_SHA,
            TLS1_CK_ADH_WITH_AES_128_SHA,
            SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_MEDIUM,
+            SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
            0,
            128,
            128,
@@ -914,7 +914,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_RSA_WITH_AES_256_SHA,
            TLS1_CK_RSA_WITH_AES_256_SHA,
            SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
+            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
            0,
            256,
            256,
@@ -927,7 +927,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
            TLS1_CK_DH_DSS_WITH_AES_256_SHA,
            SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
+            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
            0,
            256,
            256,
@@ -940,7 +940,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
            TLS1_CK_DH_RSA_WITH_AES_256_SHA,
            SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
+            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
            0,
            256,
            256,
@@ -953,7 +953,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
            TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
            SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
+            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
            0,
            256,
            256,
@@ -966,7 +966,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
            TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
            SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
+            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
            0,
            256,
            256,
@@ -979,7 +979,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
            TLS1_TXT_ADH_WITH_AES_256_SHA,
            TLS1_CK_ADH_WITH_AES_256_SHA,
            SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
+            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
            0,
            256,
            256,
@@ -1057,7 +1057,7 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u)
                return(NULL);
        }
-int ssl3_pending(SSL *s)
+int ssl3_pending(const SSL *s)
        {
        if (s->rstate == SSL_ST_READ_BODY)
                return 0;
diff --git a/src/lib/libssl/src/ssl/s3_pkt.c b/src/lib/libssl/src/ssl/s3_pkt.c
index 9f3e5139ad..cb0b12b400 100644
--- a/src/lib/libssl/src/ssl/s3_pkt.c
+++ b/src/lib/libssl/src/ssl/s3_pkt.c
@@ -862,7 +862,7 @@ start:
                {
                al=SSL_AD_UNEXPECTED_MESSAGE;
                SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
-                goto err;
+                goto f_err;
                }
        /* If the other end has shut down, throw anything we read away
@@ -969,7 +969,7 @@ start:
                        {
                        al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
-                        goto err;
+                        goto f_err;
                        }
                if (s->msg_callback)
@@ -1080,17 +1080,17 @@ start:
                if (    (rr->length != 1) || (rr->off != 0) ||
                        (rr->data[0] != SSL3_MT_CCS))
                        {
-                        i=SSL_AD_ILLEGAL_PARAMETER;
+                        al=SSL_AD_ILLEGAL_PARAMETER;
                        SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
-                        goto err;
+                        goto f_err;
                        }
                /* Check we have a cipher to change to */
                if (s->s3->tmp.new_cipher == NULL)
                        {
-                        i=SSL_AD_UNEXPECTED_MESSAGE;
+                        al=SSL_AD_UNEXPECTED_MESSAGE;
                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
-                        goto err;
+                        goto f_err;
                        }
                rr->length=0;
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index deb3cffabe..c4a1a71523 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -125,6 +125,7 @@
 #include <openssl/krb5_asn.h>
 #endif
 #include <openssl/md5.h>
+#include <openssl/fips.h>
 static SSL_METHOD *ssl3_get_server_method(int ver);
 static int ssl3_get_client_hello(SSL *s);
@@ -955,7 +956,8 @@ static int ssl3_send_server_hello(SSL *s)
                p=s->s3->server_random;
                Time=time(NULL);                        /* Time */
                l2n(Time,p);
-                RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+                if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+                        return -1;
                /* Do the message type and length last */
                d=p= &(buf[4]);
@@ -1211,6 +1213,8 @@ static int ssl3_send_server_key_exchange(SSL *s)
                                j=0;
                                for (num=2; num > 0; num--)
                                        {
+                                        EVP_MD_CTX_set_flags(&md_ctx,
+                                                EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
                                        EVP_DigestInit_ex(&md_ctx,(num == 2)
                                                ?s->ctx->md5:s->ctx->sha1, NULL);
                                        EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
@@ -1491,7 +1495,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
                        i = SSL_MAX_MASTER_KEY_LENGTH;
                        p[0] = s->client_version >> 8;
                        p[1] = s->client_version & 0xff;
-                        RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
+                        if(RAND_pseudo_bytes(p+2, i-2) <= 0)  /* should be RAND_bytes, but we cannot work around a failure */
+                                goto err;
                        }
        
                s->session->master_key_length=
@@ -1589,7 +1594,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
                n2s(p,i);
                enc_ticket.length = i;
-                if (n < enc_ticket.length + 6)
+                if (n < (long)enc_ticket.length + 6)
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                                SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1602,7 +1607,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
                n2s(p,i);
                authenticator.length = i;
-                if (n < enc_ticket.length + authenticator.length + 6)
+                if (n < (long)(enc_ticket.length + authenticator.length + 6))
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                                SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1627,8 +1632,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
                        goto err;
                        }
-                if (n != enc_ticket.length + authenticator.length +
+                if (n != (long)(enc_ticket.length + authenticator.length +
-                                                enc_pms.length + 6)
+                                                enc_pms.length + 6))
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                                SSL_R_DATA_LENGTH_TOO_LONG);
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h
index 913bd40eea..3161f532cf 100644
--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -239,6 +239,7 @@ extern "C" {
 #define SSL_TXT_LOW             "LOW"
 #define SSL_TXT_MEDIUM          "MEDIUM"
 #define SSL_TXT_HIGH            "HIGH"
+#define SSL_TXT_FIPS            "FIPS"
 #define SSL_TXT_kFZA            "kFZA"
 #define SSL_TXT_aFZA            "aFZA"
 #define SSL_TXT_eFZA            "eFZA"
@@ -372,7 +373,7 @@ typedef struct ssl_method_st
        long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg);
        SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
        int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr);
-        int (*ssl_pending)(SSL *s);
+        int (*ssl_pending)(const SSL *s);
        int (*num_ciphers)(void);
        SSL_CIPHER *(*get_cipher)(unsigned ncipher);
        struct ssl_method_st *(*get_ssl_method)(int version);
@@ -998,8 +999,8 @@ extern "C" {
 *   -- that we sent (SSL_get_finished)
 *   -- that we expected from peer (SSL_get_peer_finished).
 * Returns length (0 == no Finished so far), copies up to 'count' bytes. */
-size_t SSL_get_finished(SSL *s, void *buf, size_t count);
+size_t SSL_get_finished(const SSL *s, void *buf, size_t count);
-size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count);
+size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
 /* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
 * are 'ored' with SSL_VERIFY_PEER if they are desired */
@@ -1171,26 +1172,26 @@ int	SSL_CTX_set_cipher_list(SSL_CTX *,const char *str);
 SSL_CTX *SSL_CTX_new(SSL_METHOD *meth);
 void    SSL_CTX_free(SSL_CTX *);
 long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
-long SSL_CTX_get_timeout(SSL_CTX *ctx);
+long SSL_CTX_get_timeout(const SSL_CTX *ctx);
-X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *);
+X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
 void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
-int SSL_want(SSL *s);
+int SSL_want(const SSL *s);
 int     SSL_clear(SSL *s);
 void    SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
-SSL_CIPHER *SSL_get_current_cipher(SSL *s);
+SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
-int     SSL_CIPHER_get_bits(SSL_CIPHER *c,int *alg_bits);
+int     SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits);
-char *  SSL_CIPHER_get_version(SSL_CIPHER *c);
+char *  SSL_CIPHER_get_version(const SSL_CIPHER *c);
-const char *    SSL_CIPHER_get_name(SSL_CIPHER *c);
+const char *    SSL_CIPHER_get_name(const SSL_CIPHER *c);
-int     SSL_get_fd(SSL *s);
+int     SSL_get_fd(const SSL *s);
-int     SSL_get_rfd(SSL *s);
+int     SSL_get_rfd(const SSL *s);
-int     SSL_get_wfd(SSL *s);
+int     SSL_get_wfd(const SSL *s);
-const char  * SSL_get_cipher_list(SSL *s,int n);
+const char  * SSL_get_cipher_list(const SSL *s,int n);
-char *  SSL_get_shared_ciphers(SSL *s, char *buf, int len);
+char *  SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
-int     SSL_get_read_ahead(SSL * s);
+int     SSL_get_read_ahead(const SSL * s);
-int     SSL_pending(SSL *s);
+int     SSL_pending(const SSL *s);
 #ifndef OPENSSL_NO_SOCK
 int     SSL_set_fd(SSL *s, int fd);
 int     SSL_set_rfd(SSL *s, int fd);
@@ -1198,14 +1199,14 @@ int	SSL_set_wfd(SSL *s, int fd);
 #endif
 #ifndef OPENSSL_NO_BIO
 void    SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio);
-BIO *   SSL_get_rbio(SSL *s);
+BIO *   SSL_get_rbio(const SSL *s);
-BIO *   SSL_get_wbio(SSL *s);
+BIO *   SSL_get_wbio(const SSL *s);
 #endif
 int     SSL_set_cipher_list(SSL *s, const char *str);
 void    SSL_set_read_ahead(SSL *s, int yes);
-int     SSL_get_verify_mode(SSL *s);
+int     SSL_get_verify_mode(const SSL *s);
-int     SSL_get_verify_depth(SSL *s);
+int     SSL_get_verify_depth(const SSL *s);
-int     (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *);
+int     (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *);
 void    SSL_set_verify(SSL *s, int mode,
                       int (*callback)(int ok,X509_STORE_CTX *ctx));
 void    SSL_set_verify_depth(SSL *s, int depth);
@@ -1243,20 +1244,20 @@ const char *SSL_state_string(const SSL *s);
 const char *SSL_rstate_string(const SSL *s);
 const char *SSL_state_string_long(const SSL *s);
 const char *SSL_rstate_string_long(const SSL *s);
-long    SSL_SESSION_get_time(SSL_SESSION *s);
+long    SSL_SESSION_get_time(const SSL_SESSION *s);
 long    SSL_SESSION_set_time(SSL_SESSION *s, long t);
-long    SSL_SESSION_get_timeout(SSL_SESSION *s);
+long    SSL_SESSION_get_timeout(const SSL_SESSION *s);
 long    SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
-void    SSL_copy_session_id(SSL *to,SSL *from);
+void    SSL_copy_session_id(SSL *to,const SSL *from);
 SSL_SESSION *SSL_SESSION_new(void);
-unsigned long SSL_SESSION_hash(SSL_SESSION *a);
+unsigned long SSL_SESSION_hash(const SSL_SESSION *a);
-int     SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b);
+int     SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b);
 #ifndef OPENSSL_NO_FP_API
-int     SSL_SESSION_print_fp(FILE *fp,SSL_SESSION *ses);
+int     SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
 #endif
 #ifndef OPENSSL_NO_BIO
-int     SSL_SESSION_print(BIO *fp,SSL_SESSION *ses);
+int     SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses);
 #endif
 void    SSL_SESSION_free(SSL_SESSION *ses);
 int     i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
@@ -1267,17 +1268,18 @@ int	SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
 int     SSL_set_generate_session_id(SSL *, GEN_SESSION_CB);
 int     SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
                                        unsigned int id_len);
-SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,unsigned char **pp,long length);
+SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,const unsigned char * const *pp,
+                             long length);
 #ifdef HEADER_X509_H
-X509 *  SSL_get_peer_certificate(SSL *s);
+X509 *  SSL_get_peer_certificate(const SSL *s);
 #endif
-STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s);
+STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s);
-int SSL_CTX_get_verify_mode(SSL_CTX *ctx);
+int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
-int SSL_CTX_get_verify_depth(SSL_CTX *ctx);
+int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
-int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *);
+int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *);
 void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
                        int (*callback)(int, X509_STORE_CTX *));
 void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
@@ -1295,8 +1297,8 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);
 void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
 void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
-int SSL_CTX_check_private_key(SSL_CTX *ctx);
+int SSL_CTX_check_private_key(const SSL_CTX *ctx);
-int SSL_check_private_key(SSL *ctx);
+int SSL_check_private_key(const SSL *ctx);
 int     SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
                                       unsigned int sid_ctx_len);
@@ -1321,8 +1323,8 @@ long	SSL_callback_ctrl(SSL *, int, void (*)());
 long    SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, void *parg);
 long    SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)());
-int     SSL_get_error(SSL *s,int ret_code);
+int     SSL_get_error(const SSL *s,int ret_code);
-const char *SSL_get_version(SSL *s);
+const char *SSL_get_version(const SSL *s);
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth);
@@ -1343,7 +1345,7 @@ SSL_METHOD *TLSv1_method(void);		/* TLSv1.0 */
 SSL_METHOD *TLSv1_server_method(void);  /* TLSv1.0 */
 SSL_METHOD *TLSv1_client_method(void);  /* TLSv1.0 */
-STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s);
+STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
 int SSL_do_handshake(SSL *s);
 int SSL_renegotiate(SSL *s);
@@ -1359,15 +1361,15 @@ const char *SSL_alert_desc_string(int value);
 void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
 void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
-STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s);
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
-STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *s);
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s);
 int SSL_add_client_CA(SSL *ssl,X509 *x);
 int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x);
 void SSL_set_connect_state(SSL *s);
 void SSL_set_accept_state(SSL *s);
-long SSL_get_default_timeout(SSL *s);
+long SSL_get_default_timeout(const SSL *s);
 int SSL_library_init(void );
@@ -1376,43 +1378,43 @@ STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
 SSL *SSL_dup(SSL *ssl);
-X509 *SSL_get_certificate(SSL *ssl);
+X509 *SSL_get_certificate(const SSL *ssl);
 /* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl);
 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode);
-int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx);
+int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
 void SSL_set_quiet_shutdown(SSL *ssl,int mode);
-int SSL_get_quiet_shutdown(SSL *ssl);
+int SSL_get_quiet_shutdown(const SSL *ssl);
 void SSL_set_shutdown(SSL *ssl,int mode);
-int SSL_get_shutdown(SSL *ssl);
+int SSL_get_shutdown(const SSL *ssl);
-int SSL_version(SSL *ssl);
+int SSL_version(const SSL *ssl);
 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
        const char *CApath);
 #define SSL_get0_session SSL_get_session /* just peek at pointer */
-SSL_SESSION *SSL_get_session(SSL *ssl);
+SSL_SESSION *SSL_get_session(const SSL *ssl);
 SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
-SSL_CTX *SSL_get_SSL_CTX(SSL *ssl);
+SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
 void SSL_set_info_callback(SSL *ssl,
                           void (*cb)(const SSL *ssl,int type,int val));
-void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val);
+void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val);
-int SSL_state(SSL *ssl);
+int SSL_state(const SSL *ssl);
 void SSL_set_verify_result(SSL *ssl,long v);
-long SSL_get_verify_result(SSL *ssl);
+long SSL_get_verify_result(const SSL *ssl);
 int SSL_set_ex_data(SSL *ssl,int idx,void *data);
-void *SSL_get_ex_data(SSL *ssl,int idx);
+void *SSL_get_ex_data(const SSL *ssl,int idx);
 int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
        CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data);
-void *SSL_SESSION_get_ex_data(SSL_SESSION *ss,int idx);
+void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss,int idx);
 int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
        CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data);
-void *SSL_CTX_get_ex_data(SSL_CTX *ssl,int idx);
+void *SSL_CTX_get_ex_data(const SSL_CTX *ssl,int idx);
 int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
        CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
@@ -1603,6 +1605,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_SET_TRUST                              228
 #define SSL_F_SSL_SET_WFD                                196
 #define SSL_F_SSL_SHUTDOWN                               224
+#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION               243
 #define SSL_F_SSL_UNDEFINED_FUNCTION                     197
 #define SSL_F_SSL_USE_CERTIFICATE                        198
 #define SSL_F_SSL_USE_CERTIFICATE_ASN1                   199
@@ -1741,6 +1744,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_NULL_SSL_CTX                               195
 #define SSL_R_NULL_SSL_METHOD_PASSED                     196
 #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED            197
+#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE              1115
 #define SSL_R_PACKET_LENGTH_TOO_LONG                     198
 #define SSL_R_PATH_TOO_LONG                              270
 #define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE          199
diff --git a/src/lib/libssl/src/ssl/ssl_asn1.c b/src/lib/libssl/src/ssl/ssl_asn1.c
index d8ff8fc4a3..4d5900ad2f 100644
--- a/src/lib/libssl/src/ssl/ssl_asn1.c
+++ b/src/lib/libssl/src/ssl/ssl_asn1.c
@@ -226,7 +226,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
        M_ASN1_I2D_finish();
        }
-SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
+SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char * const *pp,
             long length)
        {
        int version,ssl_version=0,i;
@@ -266,7 +266,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
                        ((unsigned long)os.data[1]<< 8L)|
                         (unsigned long)os.data[2];
                }
-        else if ((ssl_version>>8) == 3)
+        else if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
                {
                if (os.length != 2)
                        {
@@ -287,9 +287,9 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
        ret->cipher_id=id;
        M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
-        if ((ssl_version>>8) == SSL3_VERSION)
+        if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
                i=SSL3_MAX_SSL_SESSION_ID_LENGTH;
-        else /* if (ssl_version == SSL2_VERSION) */
+        else /* if (ssl_version == SSL2_VERSION_MAJOR) */
                i=SSL2_MAX_SSL_SESSION_ID_LENGTH;
        if (os.length > i)
diff --git a/src/lib/libssl/src/ssl/ssl_cert.c b/src/lib/libssl/src/ssl/ssl_cert.c
index 2cfb615878..b8b9bc2390 100644
--- a/src/lib/libssl/src/ssl/ssl_cert.c
+++ b/src/lib/libssl/src/ssl/ssl_cert.c
@@ -117,6 +117,7 @@
 #if defined(WIN32)
 #include <windows.h>
+#include <tchar.h>
 #endif
 #ifdef NeXT
@@ -129,6 +130,7 @@
 #include <openssl/pem.h>
 #include <openssl/x509v3.h>
 #include "ssl_locl.h"
+#include <openssl/fips.h>
 int SSL_get_ex_data_X509_STORE_CTX_idx(void)
        {
@@ -542,12 +544,12 @@ void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
        set_client_CA_list(&(ctx->client_CA),name_list);
        }
-STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx)
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
        {
        return(ctx->client_CA);
        }
-STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s)
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
        {
        if (s->type == SSL_ST_CONNECT)
                { /* we are in the client */
@@ -783,36 +785,54 @@ err:
 #else /* OPENSSL_SYS_WIN32 */
+#if defined(_WIN32_WCE)
+# ifndef UNICODE
+#  error "WinCE comes in UNICODE flavor only..."
+# endif
+# if _WIN32_WCE<101 && !defined(OPENSSL_NO_MULTIBYTE)
+#  define OPENSSL_NO_MULTIBYTE
+# endif
+# ifndef  FindFirstFile
+#  define FindFirstFile FindFirstFileW
+# endif
+# ifndef  FindNextFile
+#  define FindNextFile FindNextFileW
+# endif
+#endif
 int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
                                       const char *dir)
        {
        WIN32_FIND_DATA FindFileData;
        HANDLE hFind;
-        int ret = 0;
+        int    ret = 0;
-#ifdef OPENSSL_SYS_WINCE
+        TCHAR *wdir = NULL;
-        WCHAR* wdir = NULL;
+        size_t i,len_0 = strlen(dir)+1; /* len_0 accounts for trailing 0 */
-#endif
+        char   buf[1024],*slash;
+        if (len_0 > (sizeof(buf)-14))   /* 14 is just some value... */
+                {
+                SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
+                return ret;
+                }
        CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
-        
-#ifdef OPENSSL_SYS_WINCE
+        if (sizeof(TCHAR) != sizeof(char))
-        /* convert strings to UNICODE */
+                {
-        {
+                wdir = (TCHAR *)malloc(len_0*sizeof(TCHAR));
-                BOOL result = FALSE;
-                int i;
-                wdir = malloc((strlen(dir)+1)*2);
                if (wdir == NULL)
                        goto err_noclose;
-                for (i=0; i<(int)strlen(dir)+1; i++)
+#ifndef OPENSSL_NO_MULTIBYTE
-                        wdir[i] = (short)dir[i];
+                if (!MultiByteToWideChar(CP_ACP,0,dir,len_0,
-        }
+                                        (WCHAR *)wdir,len_0))
 #endif
+                        for (i=0;i<len_0;i++) wdir[i]=(TCHAR)dir[i];
+                hFind = FindFirstFile(wdir, &FindFileData);
+                }
+        else    hFind = FindFirstFile((const TCHAR *)dir, &FindFileData);
-#ifdef OPENSSL_SYS_WINCE
-        hFind = FindFirstFile(wdir, &FindFileData);
-#else
-        hFind = FindFirstFile(dir, &FindFileData);
-#endif
        /* Note that a side effect is that the CAs will be sorted by name */
        if(hFind == INVALID_HANDLE_VALUE)
                {
@@ -821,25 +841,34 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
                SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
                goto err_noclose;
                }
-        
-        do 
+        strncpy(buf,dir,sizeof(buf));   /* strcpy is safe too... */
-                {
+        buf[len_0-1]='/';               /* no trailing zero!     */
-                char buf[1024];
+        slash=buf+len_0;
-                int r;
-                
+        do      {
-#ifdef OPENSSL_SYS_WINCE
+                const TCHAR *fnam=FindFileData.cFileName;
-                if(strlen(dir)+_tcslen(FindFileData.cFileName)+2 > sizeof buf)
+                size_t flen_0=_tcslen(fnam)+1;
-#else
-                if(strlen(dir)+strlen(FindFileData.cFileName)+2 > sizeof buf)
+                if (flen_0 > (sizeof(buf)-len_0))
-#endif
                        {
                        SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
                        goto err;
                        }
-                
+                /* else strcpy would be safe too... */
-                r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,FindFileData.cFileName);
-                if (r <= 0 || r >= sizeof buf)
+                if (sizeof(TCHAR) != sizeof(char))
-                        goto err;
+                        {
+#ifndef OPENSSL_NO_MULTIBYTE
+                        if (!WideCharToMultiByte(CP_ACP,0,
+                                                (WCHAR *)fnam,flen_0,
+                                                slash,sizeof(buf)-len_0,
+                                                NULL,0))
+#endif
+                                for (i=0;i<flen_0;i++) slash[i]=(char)fnam[i];
+                        }
+                else    strncpy(slash,(const char *)fnam,sizeof(buf)-len_0);
                if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
                        goto err;
                }
@@ -849,10 +878,9 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
 err:    
        FindClose(hFind);
 err_noclose:
-#ifdef OPENSSL_SYS_WINCE
        if (wdir != NULL)
                free(wdir);
-#endif
        CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
        return ret;
        }
diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c
index 2d6eab20c3..a7ccefa30c 100644
--- a/src/lib/libssl/src/ssl/ssl_ciph.c
+++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include <openssl/objects.h>
 #include <openssl/comp.h>
+#include <openssl/fips.h>
 #include "ssl_locl.h"
 #define SSL_ENC_DES_IDX         0
@@ -153,13 +154,13 @@ static const SSL_CIPHER cipher_aliases[]={
        {0,SSL_TXT_LOW,   0, 0,   SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
        {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
        {0,SSL_TXT_HIGH,  0, 0,  SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
+        {0,SSL_TXT_FIPS,  0, 0,  SSL_FIPS, 0,0,0,0,SSL_FIPS|SSL_STRONG_NONE},
        };
 static int init_ciphers=1;
 static void load_ciphers(void)
        {
-        init_ciphers=0;
        ssl_cipher_methods[SSL_ENC_DES_IDX]= 
                EVP_get_cipherbyname(SN_des_cbc);
        ssl_cipher_methods[SSL_ENC_3DES_IDX]=
@@ -183,9 +184,10 @@ static void load_ciphers(void)
                EVP_get_digestbyname(SN_md5);
        ssl_digest_methods[SSL_MD_SHA1_IDX]=
                EVP_get_digestbyname(SN_sha1);
+        init_ciphers=0;
        }
-int ssl_cipher_get_evp(SSL_SESSION *s, const EVP_CIPHER **enc,
+int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
             const EVP_MD **md, SSL_COMP **comp)
        {
        int i;
@@ -359,7 +361,12 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
                {
                c = ssl_method->get_cipher(i);
                /* drop those that use any of that is not available */
+#ifdef OPENSSL_FIPS
+                if ((c != NULL) && c->valid && !(c->algorithms & mask)
+                        && (!FIPS_mode() || (c->algo_strength & SSL_FIPS)))
+#else
                if ((c != NULL) && c->valid && !(c->algorithms & mask))
+#endif
                        {
                        co_list[co_list_num].cipher = c;
                        co_list[co_list_num].next = NULL;
@@ -854,7 +861,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
         */
        for (curr = head; curr != NULL; curr = curr->next)
                {
+#ifdef OPENSSL_FIPS
+                if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
+#else
                if (curr->active)
+#endif
                        {
                        sk_SSL_CIPHER_push(cipherstack, curr->cipher);
 #ifdef CIPHER_DEBUG
@@ -1054,7 +1065,7 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
        return(buf);
        }
-char *SSL_CIPHER_get_version(SSL_CIPHER *c)
+char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
        {
        int i;
@@ -1069,7 +1080,7 @@ char *SSL_CIPHER_get_version(SSL_CIPHER *c)
        }
 /* return the actual cipher being used */
-const char *SSL_CIPHER_get_name(SSL_CIPHER *c)
+const char *SSL_CIPHER_get_name(const SSL_CIPHER *c)
        {
        if (c != NULL)
                return(c->name);
@@ -1077,7 +1088,7 @@ const char *SSL_CIPHER_get_name(SSL_CIPHER *c)
        }
 /* number of bits for symmetric cipher */
-int SSL_CIPHER_get_bits(SSL_CIPHER *c, int *alg_bits)
+int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
        {
        int ret=0;
diff --git a/src/lib/libssl/src/ssl/ssl_err.c b/src/lib/libssl/src/ssl/ssl_err.c
index d2cb181503..29b8ff4788 100644
--- a/src/lib/libssl/src/ssl/ssl_err.c
+++ b/src/lib/libssl/src/ssl/ssl_err.c
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -193,6 +193,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_PACK(0,SSL_F_SSL_SET_TRUST,0),     "SSL_set_trust"},
 {ERR_PACK(0,SSL_F_SSL_SET_WFD,0),       "SSL_set_wfd"},
 {ERR_PACK(0,SSL_F_SSL_SHUTDOWN,0),      "SSL_shutdown"},
+{ERR_PACK(0,SSL_F_SSL_UNDEFINED_CONST_FUNCTION,0),      "SSL_UNDEFINED_CONST_FUNCTION"},
 {ERR_PACK(0,SSL_F_SSL_UNDEFINED_FUNCTION,0),    "SSL_UNDEFINED_FUNCTION"},
 {ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE,0),       "SSL_use_certificate"},
 {ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE_ASN1,0),  "SSL_use_certificate_ASN1"},
@@ -334,6 +335,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_NULL_SSL_CTX                      ,"null ssl ctx"},
 {SSL_R_NULL_SSL_METHOD_PASSED            ,"null ssl method passed"},
 {SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED   ,"old session cipher not returned"},
+{SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE     ,"only tls allowed in fips mode"},
 {SSL_R_PACKET_LENGTH_TOO_LONG            ,"packet length too long"},
 {SSL_R_PATH_TOO_LONG                     ,"path too long"},
 {SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE ,"peer did not return a certificate"},
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index ee9a82d586..631229558f 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -121,6 +121,7 @@
 #include <openssl/objects.h>
 #include <openssl/lhash.h>
 #include <openssl/x509v3.h>
+#include <openssl/fips.h>
 const char *SSL_version_str=OPENSSL_VERSION_TEXT;
@@ -500,18 +501,18 @@ void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
        s->wbio=wbio;
        }
-BIO *SSL_get_rbio(SSL *s)
+BIO *SSL_get_rbio(const SSL *s)
        { return(s->rbio); }
-BIO *SSL_get_wbio(SSL *s)
+BIO *SSL_get_wbio(const SSL *s)
        { return(s->wbio); }
-int SSL_get_fd(SSL *s)
+int SSL_get_fd(const SSL *s)
        {
        return(SSL_get_rfd(s));
        }
-int SSL_get_rfd(SSL *s)
+int SSL_get_rfd(const SSL *s)
        {
        int ret= -1;
        BIO *b,*r;
@@ -523,7 +524,7 @@ int SSL_get_rfd(SSL *s)
        return(ret);
        }
-int SSL_get_wfd(SSL *s)
+int SSL_get_wfd(const SSL *s)
        {
        int ret= -1;
        BIO *b,*r;
@@ -605,7 +606,7 @@ err:
 /* return length of latest Finished message we sent, copy to 'buf' */
-size_t SSL_get_finished(SSL *s, void *buf, size_t count)
+size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
        {
        size_t ret = 0;
        
@@ -620,7 +621,7 @@ size_t SSL_get_finished(SSL *s, void *buf, size_t count)
        }
 /* return length of latest Finished message we expected, copy to 'buf' */
-size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count)
+size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
        {
        size_t ret = 0;
        
@@ -635,32 +636,32 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count)
        }
-int SSL_get_verify_mode(SSL *s)
+int SSL_get_verify_mode(const SSL *s)
        {
        return(s->verify_mode);
        }
-int SSL_get_verify_depth(SSL *s)
+int SSL_get_verify_depth(const SSL *s)
        {
        return(s->verify_depth);
        }
-int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *)
+int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *)
        {
        return(s->verify_callback);
        }
-int SSL_CTX_get_verify_mode(SSL_CTX *ctx)
+int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
        {
        return(ctx->verify_mode);
        }
-int SSL_CTX_get_verify_depth(SSL_CTX *ctx)
+int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
        {
        return(ctx->verify_depth);
        }
-int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *)
+int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *)
        {
        return(ctx->default_verify_callback);
        }
@@ -683,12 +684,12 @@ void SSL_set_read_ahead(SSL *s,int yes)
        s->read_ahead=yes;
        }
-int SSL_get_read_ahead(SSL *s)
+int SSL_get_read_ahead(const SSL *s)
        {
        return(s->read_ahead);
        }
-int SSL_pending(SSL *s)
+int SSL_pending(const SSL *s)
        {
        /* SSL_pending cannot work properly if read-ahead is enabled
         * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
@@ -700,7 +701,7 @@ int SSL_pending(SSL *s)
        return(s->method->ssl_pending(s));
        }
-X509 *SSL_get_peer_certificate(SSL *s)
+X509 *SSL_get_peer_certificate(const SSL *s)
        {
        X509 *r;
        
@@ -716,7 +717,7 @@ X509 *SSL_get_peer_certificate(SSL *s)
        return(r);
        }
-STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
+STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
        {
        STACK_OF(X509) *r;
        
@@ -733,7 +734,7 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
 /* Now in theory, since the calling process own 't' it should be safe to
 * modify.  We need to be able to read f without being hassled */
-void SSL_copy_session_id(SSL *t,SSL *f)
+void SSL_copy_session_id(SSL *t,const SSL *f)
        {
        CERT *tmp;
@@ -762,7 +763,7 @@ void SSL_copy_session_id(SSL *t,SSL *f)
        }
 /* Fix this so it checks all the valid key/cert options */
-int SSL_CTX_check_private_key(SSL_CTX *ctx)
+int SSL_CTX_check_private_key(const SSL_CTX *ctx)
        {
        if (    (ctx == NULL) ||
                (ctx->cert == NULL) ||
@@ -780,7 +781,7 @@ int SSL_CTX_check_private_key(SSL_CTX *ctx)
        }
 /* Fix this function so that it takes an optional type parameter */
-int SSL_check_private_key(SSL *ssl)
+int SSL_check_private_key(const SSL *ssl)
        {
        if (ssl == NULL)
                {
@@ -824,7 +825,7 @@ int SSL_connect(SSL *s)
        return(s->method->ssl_connect(s));
        }
-long SSL_get_default_timeout(SSL *s)
+long SSL_get_default_timeout(const SSL *s)
        {
        return(s->method->get_timeout());
        }
@@ -1071,7 +1072,7 @@ int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
 /** return a STACK of the ciphers available for the SSL and in order of
 * preference */
-STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s)
+STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
        {
        if (s != NULL)
                {
@@ -1108,7 +1109,7 @@ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
        }
 /** The old interface to get the same thing as SSL_get_ciphers() */
-const char *SSL_get_cipher_list(SSL *s,int n)
+const char *SSL_get_cipher_list(const SSL *s,int n)
        {
        SSL_CIPHER *c;
        STACK_OF(SSL_CIPHER) *sk;
@@ -1145,7 +1146,7 @@ int SSL_set_cipher_list(SSL *s,const char *str)
        }
 /* works well for SSLv2, not so good for SSLv3 */
-char *SSL_get_shared_ciphers(SSL *s,char *buf,int len)
+char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
        {
        char *p;
        const char *cp;
@@ -1249,7 +1250,7 @@ err:
        return(NULL);
        }
-unsigned long SSL_SESSION_hash(SSL_SESSION *a)
+unsigned long SSL_SESSION_hash(const SSL_SESSION *a)
        {
        unsigned long l;
@@ -1266,7 +1267,7 @@ unsigned long SSL_SESSION_hash(SSL_SESSION *a)
 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
 * able to construct an SSL_SESSION that will collide with any existing session
 * with a matching session ID. */
-int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b)
+int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
        {
        if (a->ssl_version != b->ssl_version)
                return(1);
@@ -1292,6 +1293,14 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
                return(NULL);
                }
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && (meth->version < TLS1_VERSION))      
+                {
+                SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                return NULL;
+                }
+#endif
        if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
                {
                SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
@@ -1722,7 +1731,7 @@ int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth)
        return(ret);
        }
-int SSL_get_error(SSL *s,int i)
+int SSL_get_error(const SSL *s,int i)
        {
        int reason;
        unsigned long l;
@@ -1856,13 +1865,19 @@ int ssl_undefined_function(SSL *s)
        return(0);
        }
+int ssl_undefined_const_function(const SSL *s)
+        {
+        SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+        return(0);
+        }
 SSL_METHOD *ssl_bad_method(int ver)
        {
        SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
        return(NULL);
        }
-const char *SSL_get_version(SSL *s)
+const char *SSL_get_version(const SSL *s)
        {
        if (s->version == TLS1_VERSION)
                return("TLSv1");
@@ -2031,7 +2046,7 @@ void ssl_clear_cipher_ctx(SSL *s)
        }
 /* Fix this function so that it takes an optional type parameter */
-X509 *SSL_get_certificate(SSL *s)
+X509 *SSL_get_certificate(const SSL *s)
        {
        if (s->cert != NULL)
                return(s->cert->key->x509);
@@ -2048,7 +2063,7 @@ EVP_PKEY *SSL_get_privatekey(SSL *s)
                return(NULL);
        }
-SSL_CIPHER *SSL_get_current_cipher(SSL *s)
+SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
        {
        if ((s->session != NULL) && (s->session->cipher != NULL))
                return(s->session->cipher);
@@ -2112,7 +2127,7 @@ void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode)
        ctx->quiet_shutdown=mode;
        }
-int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx)
+int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
        {
        return(ctx->quiet_shutdown);
        }
@@ -2122,7 +2137,7 @@ void SSL_set_quiet_shutdown(SSL *s,int mode)
        s->quiet_shutdown=mode;
        }
-int SSL_get_quiet_shutdown(SSL *s)
+int SSL_get_quiet_shutdown(const SSL *s)
        {
        return(s->quiet_shutdown);
        }
@@ -2132,17 +2147,17 @@ void SSL_set_shutdown(SSL *s,int mode)
        s->shutdown=mode;
        }
-int SSL_get_shutdown(SSL *s)
+int SSL_get_shutdown(const SSL *s)
        {
        return(s->shutdown);
        }
-int SSL_version(SSL *s)
+int SSL_version(const SSL *s)
        {
        return(s->version);
        }
-SSL_CTX *SSL_get_SSL_CTX(SSL *ssl)
+SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
        {
        return(ssl->ctx);
        }
@@ -2156,7 +2171,9 @@ int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
                const char *CApath)
        {
-        return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath));
+        int r;
+        r=X509_STORE_load_locations(ctx->cert_store,CAfile,CApath);
+        return r;
        }
 #endif
@@ -2166,12 +2183,12 @@ void SSL_set_info_callback(SSL *ssl,
        ssl->info_callback=cb;
        }
-void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val)
+void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val)
        {
        return ssl->info_callback;
        }
-int SSL_state(SSL *ssl)
+int SSL_state(const SSL *ssl)
        {
        return(ssl->state);
        }
@@ -2181,7 +2198,7 @@ void SSL_set_verify_result(SSL *ssl,long arg)
        ssl->verify_result=arg;
        }
-long SSL_get_verify_result(SSL *ssl)
+long SSL_get_verify_result(const SSL *ssl)
        {
        return(ssl->verify_result);
        }
@@ -2198,7 +2215,7 @@ int SSL_set_ex_data(SSL *s,int idx,void *arg)
        return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
        }
-void *SSL_get_ex_data(SSL *s,int idx)
+void *SSL_get_ex_data(const SSL *s,int idx)
        {
        return(CRYPTO_get_ex_data(&s->ex_data,idx));
        }
@@ -2215,7 +2232,7 @@ int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg)
        return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
        }
-void *SSL_CTX_get_ex_data(SSL_CTX *s,int idx)
+void *SSL_CTX_get_ex_data(const SSL_CTX *s,int idx)
        {
        return(CRYPTO_get_ex_data(&s->ex_data,idx));
        }
@@ -2225,7 +2242,7 @@ int ssl_ok(SSL *s)
        return(1);
        }
-X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx)
+X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
        {
        return(ctx->cert_store);
        }
@@ -2237,7 +2254,7 @@ void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
        ctx->cert_store=store;
        }
-int SSL_want(SSL *s)
+int SSL_want(const SSL *s)
        {
        return(s->rwstate);
        }
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index dd6c7a7323..25a144a0d0 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -302,8 +302,9 @@
 #define SSL_LOW                 0x00000020L
 #define SSL_MEDIUM              0x00000040L
 #define SSL_HIGH                0x00000080L
+#define SSL_FIPS                0x00000100L
-/* we have used 000000ff - 24 bits left to go */
+/* we have used 000001ff - 23 bits left to go */
 /*
 * Macros to check the export status and cipher strength for export ciphers.
@@ -498,10 +499,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
                                             STACK_OF(SSL_CIPHER) **sorted,
                                             const char *rule_str);
 void ssl_update_cache(SSL *s, int mode);
-int ssl_cipher_get_evp(SSL_SESSION *s,const EVP_CIPHER **enc,const EVP_MD **md,
+int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
-                       SSL_COMP **comp);
+                       const EVP_MD **md,SSL_COMP **comp);
 int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
 int ssl_undefined_function(SSL *s);
+int ssl_undefined_const_function(const SSL *s);
 X509 *ssl_get_server_send_cert(SSL *);
 EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
 int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
@@ -535,7 +537,7 @@ long	ssl2_ctrl(SSL *s,int cmd, long larg, void *parg);
 long    ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
 long    ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)());
 long    ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
-int     ssl2_pending(SSL *s);
+int     ssl2_pending(const SSL *s);
 SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
 int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
@@ -583,7 +585,7 @@ long	ssl3_ctrl(SSL *s,int cmd, long larg, void *parg);
 long    ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
 long    ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)());
 long    ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
-int     ssl3_pending(SSL *s);
+int     ssl3_pending(const SSL *s);
 int ssl23_accept(SSL *s);
 int ssl23_connect(SSL *s);
diff --git a/src/lib/libssl/src/ssl/ssl_rsa.c b/src/lib/libssl/src/ssl/ssl_rsa.c
index 330390519b..fb0bd4d045 100644
--- a/src/lib/libssl/src/ssl/ssl_rsa.c
+++ b/src/lib/libssl/src/ssl/ssl_rsa.c
@@ -804,7 +804,7 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
                /* When the while loop ends, it's usually just EOF. */
                err = ERR_peek_last_error();
                if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
-                        (void)ERR_get_error();
+                        ERR_clear_error();
                else 
                        ret = 0; /* some real error */
                }
diff --git a/src/lib/libssl/src/ssl/ssl_sess.c b/src/lib/libssl/src/ssl/ssl_sess.c
index 7016c87d3b..5f12aa361c 100644
--- a/src/lib/libssl/src/ssl/ssl_sess.c
+++ b/src/lib/libssl/src/ssl/ssl_sess.c
@@ -65,7 +65,7 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
 static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
 static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
-SSL_SESSION *SSL_get_session(SSL *ssl)
+SSL_SESSION *SSL_get_session(const SSL *ssl)
 /* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
        {
        return(ssl->session);
@@ -98,7 +98,7 @@ int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
        return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
        }
-void *SSL_SESSION_get_ex_data(SSL_SESSION *s, int idx)
+void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
        {
        return(CRYPTO_get_ex_data(&s->ex_data,idx));
        }
@@ -141,7 +141,8 @@ static int def_generate_session_id(const SSL *ssl, unsigned char *id,
 {
        unsigned int retry = 0;
        do
-                RAND_pseudo_bytes(id, *id_len);
+                if(RAND_pseudo_bytes(id, *id_len) <= 0)
+                        return 0;
        while(SSL_has_matching_session_id(ssl, id, *id_len) &&
                (++retry < MAX_SESS_ID_ATTEMPTS));
        if(retry < MAX_SESS_ID_ATTEMPTS)
@@ -609,13 +610,13 @@ long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
        return(1);
        }
-long SSL_SESSION_get_timeout(SSL_SESSION *s)
+long SSL_SESSION_get_timeout(const SSL_SESSION *s)
        {
        if (s == NULL) return(0);
        return(s->timeout);
        }
-long SSL_SESSION_get_time(SSL_SESSION *s)
+long SSL_SESSION_get_time(const SSL_SESSION *s)
        {
        if (s == NULL) return(0);
        return(s->time);
@@ -637,7 +638,7 @@ long SSL_CTX_set_timeout(SSL_CTX *s, long t)
        return(l);
        }
-long SSL_CTX_get_timeout(SSL_CTX *s)
+long SSL_CTX_get_timeout(const SSL_CTX *s)
        {
        if (s == NULL) return(0);
        return(s->session_timeout);
diff --git a/src/lib/libssl/src/ssl/ssl_txt.c b/src/lib/libssl/src/ssl/ssl_txt.c
index 40b76b1b26..8655a31333 100644
--- a/src/lib/libssl/src/ssl/ssl_txt.c
+++ b/src/lib/libssl/src/ssl/ssl_txt.c
@@ -61,7 +61,7 @@
 #include "ssl_locl.h"
 #ifndef OPENSSL_NO_FP_API
-int SSL_SESSION_print_fp(FILE *fp, SSL_SESSION *x)
+int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x)
        {
        BIO *b;
        int ret;
@@ -78,7 +78,7 @@ int SSL_SESSION_print_fp(FILE *fp, SSL_SESSION *x)
        }
 #endif
-int SSL_SESSION_print(BIO *bp, SSL_SESSION *x)
+int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
        {
        unsigned int i;
        char *s;
diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c
index 033f309ffe..3a0db0cb51 100644
--- a/src/lib/libssl/src/ssl/ssltest.c
+++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -120,6 +120,7 @@
 #include <string.h>
 #include <time.h>
 #include <inttypes.h>
+#include <ctype.h>
 #define USE_SOCKETS
 #include "e_os.h"
@@ -128,12 +129,14 @@
 #include <openssl/crypto.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <openssl/ssl.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
 #include <openssl/err.h>
 #include <openssl/rand.h>
+#include <openssl/fips.h>
 #define _XOPEN_SOURCE_EXTENDED  1 /* Or gethostname won't be declared properly
                                     on Compaq platforms (at least with DEC C).
@@ -169,8 +172,15 @@ static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
 static void free_tmp_rsa(void);
 #endif
 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
-#define APP_CALLBACK "Test Callback Argument"
+#define APP_CALLBACK_STRING "Test Callback Argument"
-static char *app_verify_arg = APP_CALLBACK;
+struct app_verify_arg
+        {
+        char *string;
+        int app_verify;
+        int allow_proxy_certs;
+        char *proxy_auth;
+        char *proxy_cond;
+        };
 #ifndef OPENSSL_NO_DH
 static DH *get_dh512(void);
@@ -199,8 +209,14 @@ static void sv_usage(void)
        {
        fprintf(stderr,"usage: ssltest [args ...]\n");
        fprintf(stderr,"\n");
+#ifdef OPENSSL_FIPS
+        fprintf(stderr,"-F             - run test in FIPS mode\n");
+#endif
        fprintf(stderr," -server_auth  - check server certificate\n");
        fprintf(stderr," -client_auth  - do client authentication\n");
+        fprintf(stderr," -proxy        - allow proxy certificates\n");
+        fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
+        fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
        fprintf(stderr," -v            - more output\n");
        fprintf(stderr," -d            - debug output\n");
        fprintf(stderr," -reuse        - use session-id reuse\n");
@@ -350,7 +366,8 @@ int main(int argc, char *argv[])
        int tls1=0,ssl2=0,ssl3=0,ret=1;
        int client_auth=0;
        int server_auth=0,i;
-        int app_verify=0;
+        struct app_verify_arg app_verify_arg =
+                { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
        char *server_cert=TEST_SERVER_CERT;
        char *server_key=NULL;
        char *client_cert=TEST_CLIENT_CERT;
@@ -370,6 +387,10 @@ int main(int argc, char *argv[])
        clock_t s_time = 0, c_time = 0;
        int comp = 0;
        COMP_METHOD *cm = NULL;
+#ifdef OPENSSL_FIPS
+        int fips_mode=0;
+        const char *path=argv[0];
+#endif
        verbose = 0;
        debug = 0;
@@ -401,10 +422,29 @@ int main(int argc, char *argv[])
        while (argc >= 1)
                {
-                if      (strcmp(*argv,"-server_auth") == 0)
+                if(!strcmp(*argv,"-F"))
+                        {
+#ifdef OPENSSL_FIPS
+                        fips_mode=1;
+#else
+                        fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
+                        EXIT(0);
+#endif
+                        }
+                else if (strcmp(*argv,"-server_auth") == 0)
                        server_auth=1;
                else if (strcmp(*argv,"-client_auth") == 0)
                        client_auth=1;
+                else if (strcmp(*argv,"-proxy_auth") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        app_verify_arg.proxy_auth= *(++argv);
+                        }
+                else if (strcmp(*argv,"-proxy_cond") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        app_verify_arg.proxy_cond= *(++argv);
+                        }
                else if (strcmp(*argv,"-v") == 0)
                        verbose=1;
                else if (strcmp(*argv,"-d") == 0)
@@ -517,7 +557,11 @@ int main(int argc, char *argv[])
                        }
                else if (strcmp(*argv,"-app_verify") == 0)
                        {
-                        app_verify = 1;
+                        app_verify_arg.app_verify = 1;
+                        }
+                else if (strcmp(*argv,"-proxy") == 0)
+                        {
+                        app_verify_arg.allow_proxy_certs = 1;
                        }
                else
                        {
@@ -535,6 +579,7 @@ bad:
                goto end;
                }
        if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
                {
                fprintf(stderr, "This case cannot work.  Use -f to perform "
@@ -544,6 +589,20 @@ bad:
                EXIT(1);
                }
+#ifdef OPENSSL_FIPS
+        if(fips_mode)
+                {
+                if(!FIPS_mode_set(1,path))
+                        {
+                        ERR_load_crypto_strings();
+                        ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+                        EXIT(1);
+                        }
+                else
+                        fprintf(stderr,"*** IN FIPS MODE ***\n");
+                }
+#endif
        if (print_time)
                {
                if (!bio_pair)
@@ -677,20 +736,14 @@ bad:
                SSL_CTX_set_verify(s_ctx,
                        SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                        verify_callback);
-                if (app_verify) 
+                SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
-                        {
-                        SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
-                        }
                }
        if (server_auth)
                {
                BIO_printf(bio_err,"server authentication\n");
                SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
                        verify_callback);
-                if (app_verify) 
+                SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
-                        {
-                        SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
-                        }
                }
        
        {
@@ -1472,6 +1525,22 @@ err:
        return(ret);
        }
+static int get_proxy_auth_ex_data_idx(void)
+        {
+        static volatile int idx = -1;
+        if (idx < 0)
+                {
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+                if (idx < 0)
+                        {
+                        idx = X509_STORE_CTX_get_ex_new_index(0,
+                                "SSLtest for verify callback", NULL,NULL,NULL);
+                        }
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+                }
+        return idx;
+        }
 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
        {
        char *s,buf[256];
@@ -1481,42 +1550,467 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
        if (s != NULL)
                {
                if (ok)
-                        fprintf(stderr,"depth=%d %s\n",ctx->error_depth,buf);
+                        fprintf(stderr,"depth=%d %s\n",
+                                ctx->error_depth,buf);
                else
+                        {
                        fprintf(stderr,"depth=%d error=%d %s\n",
                                ctx->error_depth,ctx->error,buf);
+                        }
                }
        if (ok == 0)
                {
+                fprintf(stderr,"Error string: %s\n",
+                        X509_verify_cert_error_string(ctx->error));
                switch (ctx->error)
                        {
                case X509_V_ERR_CERT_NOT_YET_VALID:
                case X509_V_ERR_CERT_HAS_EXPIRED:
                case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+                        fprintf(stderr,"  ... ignored.\n");
                        ok=1;
                        }
                }
+        if (ok == 1)
+                {
+                X509 *xs = ctx->current_cert;
+#if 0
+                X509 *xi = ctx->current_issuer;
+#endif
+                if (xs->ex_flags & EXFLAG_PROXY)
+                        {
+                        unsigned int *letters =
+                                X509_STORE_CTX_get_ex_data(ctx,
+                                        get_proxy_auth_ex_data_idx());
+                        if (letters)
+                                {
+                                int found_any = 0;
+                                int i;
+                                PROXY_CERT_INFO_EXTENSION *pci =
+                                        X509_get_ext_d2i(xs, NID_proxyCertInfo,
+                                                NULL, NULL);
+                                switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
+                                        {
+                                case NID_Independent:
+                                        /* Completely meaningless in this
+                                           program, as there's no way to
+                                           grant explicit rights to a
+                                           specific PrC.  Basically, using
+                                           id-ppl-Independent is the perfect
+                                           way to grant no rights at all. */
+                                        fprintf(stderr, "  Independent proxy certificate");
+                                        for (i = 0; i < 26; i++)
+                                                letters[i] = 0;
+                                        break;
+                                case NID_id_ppl_inheritAll:
+                                        /* This is basically a NOP, we
+                                           simply let the current rights
+                                           stand as they are. */
+                                        fprintf(stderr, "  Proxy certificate inherits all");
+                                        break;
+                                default:
+                                        s = (char *)
+                                                pci->proxyPolicy->policy->data;
+                                        i = pci->proxyPolicy->policy->length;
+                                        /* The algorithm works as follows:
+                                           it is assumed that previous
+                                           iterations or the initial granted
+                                           rights has already set some elements
+                                           of `letters'.  What we need to do is
+                                           to clear those that weren't granted
+                                           by the current PrC as well.  The
+                                           easiest way to do this is to add 1
+                                           to all the elements whose letters
+                                           are given with the current policy.
+                                           That way, all elements that are set
+                                           by the current policy and were
+                                           already set by earlier policies and
+                                           through the original grant of rights
+                                           will get the value 2 or higher.
+                                           The last thing to do is to sweep
+                                           through `letters' and keep the
+                                           elements having the value 2 as set,
+                                           and clear all the others. */
+                                        fprintf(stderr, "  Certificate proxy rights = %*.*s", i, i, s);
+                                        while(i-- > 0)
+                                                {
+                                                char c = *s++;
+                                                if (isascii(c) && isalpha(c))
+                                                        {
+                                                        if (islower(c))
+                                                                c = toupper(c);
+                                                        letters[c - 'A']++;
+                                                        }
+                                                }
+                                        for (i = 0; i < 26; i++)
+                                                if (letters[i] < 2)
+                                                        letters[i] = 0;
+                                                else
+                                                        letters[i] = 1;
+                                        }
+                                found_any = 0;
+                                fprintf(stderr,
+                                        ", resulting proxy rights = ");
+                                for(i = 0; i < 26; i++)
+                                        if (letters[i])
+                                                {
+                                                fprintf(stderr, "%c", i + 'A');
+                                                found_any = 1;
+                                                }
+                                if (!found_any)
+                                        fprintf(stderr, "none");
+                                fprintf(stderr, "\n");
+                                PROXY_CERT_INFO_EXTENSION_free(pci);
+                                }
+                        }
+                }
        return(ok);
        }
+static void process_proxy_debug(int indent, const char *format, ...)
+        {
+        static const char indentation[] =
+                ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
+                ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
+        char my_format[256];
+        va_list args;
+        BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
+                indent, indent, indentation, format);
+        va_start(args, format);
+        vfprintf(stderr, my_format, args);
+        va_end(args);
+        }
+/* Priority levels:
+   0    [!]var, ()
+   1    & ^
+   2    |
+*/
+static int process_proxy_cond_adders(unsigned int letters[26],
+        const char *cond, const char **cond_end, int *pos, int indent);
+static int process_proxy_cond_val(unsigned int letters[26],
+        const char *cond, const char **cond_end, int *pos, int indent)
+        {
+        char c;
+        int ok = 1;
+        int negate = 0;
+        while(isspace(*cond))
+                {
+                cond++; (*pos)++;
+                }
+        c = *cond;
+        if (debug)
+                process_proxy_debug(indent,
+                        "Start process_proxy_cond_val at position %d: %s\n",
+                        *pos, cond);
+        while(c == '!')
+                {
+                negate = !negate;
+                cond++; (*pos)++;
+                while(isspace(*cond))
+                        {
+                        cond++; (*pos)++;
+                        }
+                c = *cond;
+                }
+        if (c == '(')
+                {
+                cond++; (*pos)++;
+                ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
+                        indent + 1);
+                cond = *cond_end;
+                if (ok < 0)
+                        goto end;
+                while(isspace(*cond))
+                        {
+                        cond++; (*pos)++;
+                        }
+                c = *cond;
+                if (c != ')')
+                        {
+                        fprintf(stderr,
+                                "Weird condition character in position %d: "
+                                "%c\n", *pos, c);
+                        ok = -1;
+                        goto end;
+                        }
+                cond++; (*pos)++;
+                }
+        else if (isascii(c) && isalpha(c))
+                {
+                if (islower(c))
+                        c = toupper(c);
+                ok = letters[c - 'A'];
+                cond++; (*pos)++;
+                }
+        else
+                {
+                fprintf(stderr,
+                        "Weird condition character in position %d: "
+                        "%c\n", *pos, c);
+                ok = -1;
+                goto end;
+                }
+ end:
+        *cond_end = cond;
+        if (ok >= 0 && negate)
+                ok = !ok;
+        if (debug)
+                process_proxy_debug(indent,
+                        "End process_proxy_cond_val at position %d: %s, returning %d\n",
+                        *pos, cond, ok);
+        return ok;
+        }
+static int process_proxy_cond_multipliers(unsigned int letters[26],
+        const char *cond, const char **cond_end, int *pos, int indent)
+        {
+        int ok;
+        char c;
+        if (debug)
+                process_proxy_debug(indent,
+                        "Start process_proxy_cond_multipliers at position %d: %s\n",
+                        *pos, cond);
+        ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
+        cond = *cond_end;
+        if (ok < 0)
+                goto end;
+        while(ok >= 0)
+                {
+                while(isspace(*cond))
+                        {
+                        cond++; (*pos)++;
+                        }
+                c = *cond;
+                switch(c)
+                        {
+                case '&':
+                case '^':
+                        {
+                        int save_ok = ok;
+                        cond++; (*pos)++;
+                        ok = process_proxy_cond_val(letters,
+                                cond, cond_end, pos, indent + 1);
+                        cond = *cond_end;
+                        if (ok < 0)
+                                break;
+                        switch(c)
+                                {
+                        case '&':
+                                ok &= save_ok;
+                                break;
+                        case '^':
+                                ok ^= save_ok;
+                                break;
+                        default:
+                                fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
+                                        " STOPPING\n");
+                                EXIT(1);
+                                }
+                        }
+                        break;
+                default:
+                        goto end;
+                        }
+                }
+ end:
+        if (debug)
+                process_proxy_debug(indent,
+                        "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
+                        *pos, cond, ok);
+        *cond_end = cond;
+        return ok;
+        }
+static int process_proxy_cond_adders(unsigned int letters[26],
+        const char *cond, const char **cond_end, int *pos, int indent)
+        {
+        int ok;
+        char c;
+        if (debug)
+                process_proxy_debug(indent,
+                        "Start process_proxy_cond_adders at position %d: %s\n",
+                        *pos, cond);
+        ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
+                indent + 1);
+        cond = *cond_end;
+        if (ok < 0)
+                goto end;
+        while(ok >= 0)
+                {
+                while(isspace(*cond))
+                        {
+                        cond++; (*pos)++;
+                        }
+                c = *cond;
+                switch(c)
+                        {
+                case '|':
+                        {
+                        int save_ok = ok;
+                        cond++; (*pos)++;
+                        ok = process_proxy_cond_multipliers(letters,
+                                cond, cond_end, pos, indent + 1);
+                        cond = *cond_end;
+                        if (ok < 0)
+                                break;
+                        switch(c)
+                                {
+                        case '|':
+                                ok |= save_ok;
+                                break;
+                        default:
+                                fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
+                                        " STOPPING\n");
+                                EXIT(1);
+                                }
+                        }
+                        break;
+                default:
+                        goto end;
+                        }
+                }
+ end:
+        if (debug)
+                process_proxy_debug(indent,
+                        "End process_proxy_cond_adders at position %d: %s, returning %d\n",
+                        *pos, cond, ok);
+        *cond_end = cond;
+        return ok;
+        }
+static int process_proxy_cond(unsigned int letters[26],
+        const char *cond, const char **cond_end)
+        {
+        int pos = 1;
+        return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
+        }
 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
        {
-        char *s = NULL,buf[256];
        int ok=1;
+        struct app_verify_arg *cb_arg = arg;
+        unsigned int letters[26]; /* only used with proxy_auth */
-        fprintf(stderr, "In app_verify_callback, allowing cert. ");
+        if (cb_arg->app_verify)
-        fprintf(stderr, "Arg is: %s\n", (char *)arg);
-        fprintf(stderr, "Finished printing do we have a context? 0x%lx a cert? 0x%lx\n",
-                        (uintptr_t)ctx, (uintptr_t)ctx->cert);
-        if (ctx->cert)
-                s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
-        if (s != NULL)
                {
+                char *s = NULL,buf[256];
+                fprintf(stderr, "In app_verify_callback, allowing cert. ");
+                fprintf(stderr, "Arg is: %s\n", cb_arg->string);
+                fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n",
+                        (unsigned int)ctx, (unsigned int)ctx->cert);
+                if (ctx->cert)
+                        s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
+                if (s != NULL)
+                        {
                        fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
+                        }
+                return(1);
                }
+        if (cb_arg->proxy_auth)
+                {
+                int found_any = 0, i;
+                char *sp;
+                for(i = 0; i < 26; i++)
+                        letters[i] = 0;
+                for(sp = cb_arg->proxy_auth; *sp; sp++)
+                        {
+                        char c = *sp;
+                        if (isascii(c) && isalpha(c))
+                                {
+                                if (islower(c))
+                                        c = toupper(c);
+                                letters[c - 'A'] = 1;
+                                }
+                        }
+                fprintf(stderr,
+                        "  Initial proxy rights = ");
+                for(i = 0; i < 26; i++)
+                        if (letters[i])
+                                {
+                                fprintf(stderr, "%c", i + 'A');
+                                found_any = 1;
+                                }
+                if (!found_any)
+                        fprintf(stderr, "none");
+                fprintf(stderr, "\n");
+                X509_STORE_CTX_set_ex_data(ctx,
+                        get_proxy_auth_ex_data_idx(),letters);
+                }
+        if (cb_arg->allow_proxy_certs)
+                {
+                X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
+                }
+#ifndef OPENSSL_NO_X509_VERIFY
+# ifdef OPENSSL_FIPS
+        if(s->version == TLS1_VERSION)
+                FIPS_allow_md5(1);
+# endif
+        ok = X509_verify_cert(ctx);
+# ifdef OPENSSL_FIPS
+        if(s->version == TLS1_VERSION)
+                FIPS_allow_md5(0);
+# endif
+#endif
+        if (cb_arg->proxy_auth)
+                {
+                if (ok)
+                        {
+                        const char *cond_end = NULL;
+                        ok = process_proxy_cond(letters,
+                                cb_arg->proxy_cond, &cond_end);
+                        if (ok < 0)
+                                EXIT(3);
+                        if (*cond_end)
+                                {
+                                fprintf(stderr, "Stopped processing condition before it's end.\n");
+                                ok = 0;
+                                }
+                        if (!ok)
+                                fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
+                                        cb_arg->proxy_cond);
+                        else
+                                fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
+                                        cb_arg->proxy_cond);
+                        }
+                }
        return(ok);
        }
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c
index 271e247eea..2c6246abf5 100644
--- a/src/lib/libssl/src/ssl/t1_enc.c
+++ b/src/lib/libssl/src/ssl/t1_enc.c
@@ -115,6 +115,7 @@
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/md5.h>
+#include <openssl/fips.h>
 static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
                        int sec_len, unsigned char *seed, int seed_len,
@@ -131,6 +132,8 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
        HMAC_CTX_init(&ctx);
        HMAC_CTX_init(&ctx_tmp);
+        HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+        HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
        HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
        HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
        HMAC_Update(&ctx,seed,seed_len);
@@ -177,7 +180,6 @@ static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
        S2= &(sec[len]);
        len+=(slen&1); /* add for odd, make longer */
-        
        tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
        tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
diff --git a/src/lib/libssl/src/test/bctest b/src/lib/libssl/src/test/bctest
index bdb3218f7a..e81fc0733a 100644
--- a/src/lib/libssl/src/test/bctest
+++ b/src/lib/libssl/src/test/bctest
@@ -1,6 +1,6 @@
 #!/bin/sh
-# This script is used by test/Makefile.ssl to check whether a sane 'bc'
+# This script is used by test/Makefile to check whether a sane 'bc'
 # is installed.
 # ('make test_bn' should not try to run 'bc' if it does not exist or if
 # it is a broken 'bc' version that is known to cause trouble.)
diff --git a/src/lib/libssl/src/test/maketests.com b/src/lib/libssl/src/test/maketests.com
index 7c44e4545a..dfbfef7b1b 100644
--- a/src/lib/libssl/src/test/maketests.com
+++ b/src/lib/libssl/src/test/maketests.com
@@ -615,7 +615,7 @@ $     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
         THEN CC = "CC/DECC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
           "/NOLIST/PREFIX=ALL" + -
-           "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+           "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
@@ -648,7 +648,7 @@ $	EXIT
 $     ENDIF
 $     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-           "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+           "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
 $     CCDEFS = CCDEFS + ",""VAXC"""
 $!
 $!    Define <sys> As SYS$COMMON:[SYSLIB]
@@ -679,7 +679,7 @@ $!
 $!    Use GNU C...
 $!
 $     CC = "GCC/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-           "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+           "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
diff --git a/src/lib/libssl/src/test/tcrl b/src/lib/libssl/src/test/tcrl
index f71ef7a863..3ffed12a03 100644
--- a/src/lib/libssl/src/test/tcrl
+++ b/src/lib/libssl/src/test/tcrl
@@ -7,7 +7,7 @@ else
 fi
 export PATH
-cmd='../apps/openssl crl'
+cmd='../util/shlib_wrap.sh ../apps/openssl crl'
 if [ "$1"x != "x" ]; then
        t=$1
diff --git a/src/lib/libssl/src/test/testca b/src/lib/libssl/src/test/testca
index 8215ebb5d1..5b2faa78f1 100644
--- a/src/lib/libssl/src/test/testca
+++ b/src/lib/libssl/src/test/testca
@@ -11,6 +11,9 @@ export SH PATH
 SSLEAY_CONFIG="-config CAss.cnf"
 export SSLEAY_CONFIG
+OPENSSL="`pwd`/../util/shlib_wrap.sh openssl"
+export OPENSSL
 /bin/rm -fr demoCA
 $SH ../apps/CA.sh -newca <<EOF
 EOF
diff --git a/src/lib/libssl/src/test/testenc b/src/lib/libssl/src/test/testenc
index 0656c7f525..4571ea2875 100644
--- a/src/lib/libssl/src/test/testenc
+++ b/src/lib/libssl/src/test/testenc
@@ -1,14 +1,14 @@
 #!/bin/sh
-testsrc=Makefile.ssl
+testsrc=Makefile
 test=./p
-cmd=../apps/openssl
+cmd="../util/shlib_wrap.sh ../apps/openssl"
 cat $testsrc >$test;
 echo cat
-$cmd enc < $test > $test.cipher
+$cmd enc -non-fips-allow < $test > $test.cipher
-$cmd enc < $test.cipher >$test.clear
+$cmd enc -non-fips-allow < $test.cipher >$test.clear
 cmp $test $test.clear
 if [ $? != 0 ]
 then
@@ -17,8 +17,8 @@ else
        /bin/rm $test.cipher $test.clear
 fi
 echo base64
-$cmd enc -a -e < $test > $test.cipher
+$cmd enc -non-fips-allow -a -e < $test > $test.cipher
-$cmd enc -a -d < $test.cipher >$test.clear
+$cmd enc -non-fips-allow -a -d < $test.cipher >$test.clear
 cmp $test $test.clear
 if [ $? != 0 ]
 then
@@ -30,8 +30,8 @@ fi
 for i in `$cmd list-cipher-commands`
 do
        echo $i
-        $cmd $i -bufsize 113 -e -k test < $test > $test.$i.cipher
+        $cmd $i -non-fips-allow -bufsize 113 -e -k test < $test > $test.$i.cipher
-        $cmd $i -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear
+        $cmd $i -non-fips-allow -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear
        cmp $test $test.$i.clear
        if [ $? != 0 ]
        then
@@ -41,8 +41,8 @@ do
        fi
        echo $i base64
-        $cmd $i -bufsize 113 -a -e -k test < $test > $test.$i.cipher
+        $cmd $i -non-fips-allow -bufsize 113 -a -e -k test < $test > $test.$i.cipher
-        $cmd $i -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear
+        $cmd $i -non-fips-allow -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear
        cmp $test $test.$i.clear
        if [ $? != 0 ]
        then
diff --git a/src/lib/libssl/src/test/testenc.com b/src/lib/libssl/src/test/testenc.com
index c24fa388c0..5e6f521f9d 100644
--- a/src/lib/libssl/src/test/testenc.com
+++ b/src/lib/libssl/src/test/testenc.com
@@ -4,7 +4,7 @@ $	__arch := VAX
 $       if f$getsyi("cpu") .ge. 128 then __arch := AXP
 $       exe_dir := sys$disk:[-.'__arch'.exe.apps]
 $
-$       testsrc := makefile.ssl
+$       testsrc := makefile.
 $       test := p.txt
 $       cmd := mcr 'exe_dir'openssl
 $
diff --git a/src/lib/libssl/src/test/testgen b/src/lib/libssl/src/test/testgen
index 3798543e04..524c0d134c 100644
--- a/src/lib/libssl/src/test/testgen
+++ b/src/lib/libssl/src/test/testgen
@@ -17,7 +17,7 @@ echo "generating certificate request"
 echo "string to make the random number generator think it has entropy" >> ./.rnd
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
  req_new='-newkey dsa:../apps/dsa512.pem'
 else
  req_new='-new'
@@ -29,13 +29,13 @@ echo "This could take some time."
 rm -f testkey.pem testreq.pem
-../apps/openssl req -config test.cnf $req_new -out testreq.pem
+../util/shlib_wrap.sh ../apps/openssl req -config test.cnf $req_new -out testreq.pem
 if [ $? != 0 ]; then
 echo problems creating request
 exit 1
 fi
-../apps/openssl req -config test.cnf -verify -in testreq.pem -noout
+../util/shlib_wrap.sh ../apps/openssl req -config test.cnf -verify -in testreq.pem -noout
 if [ $? != 0 ]; then
 echo signature on req is wrong
 exit 1
diff --git a/src/lib/libssl/src/test/testss b/src/lib/libssl/src/test/testss
index 8d3557f356..1a426857d3 100644
--- a/src/lib/libssl/src/test/testss
+++ b/src/lib/libssl/src/test/testss
@@ -1,9 +1,9 @@
 #!/bin/sh
-digest='-md5'
+digest='-sha1'
-reqcmd="../apps/openssl req"
+reqcmd="../util/shlib_wrap.sh ../apps/openssl req"
-x509cmd="../apps/openssl x509 $digest"
+x509cmd="../util/shlib_wrap.sh ../apps/openssl x509 $digest"
-verifycmd="../apps/openssl verify"
+verifycmd="../util/shlib_wrap.sh ../apps/openssl verify"
 dummycnf="../apps/openssl.cnf"
 CAkey="keyCA.ss"
@@ -17,12 +17,24 @@ Ukey="keyU.ss"
 Ureq="reqU.ss"
 Ucert="certU.ss"
+P1conf="P1ss.cnf"
+P1key="keyP1.ss"
+P1req="reqP1.ss"
+P1cert="certP1.ss"
+P1intermediate="tmp_intP1.ss"
+P2conf="P2ss.cnf"
+P2key="keyP2.ss"
+P2req="reqP2.ss"
+P2cert="certP2.ss"
+P2intermediate="tmp_intP2.ss"
 echo
 echo "make a certificate request using 'req'"
 echo "string to make the random number generator think it has entropy" >> ./.rnd
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
  req_new='-newkey dsa:../apps/dsa512.pem'
 else
  req_new='-new'
@@ -35,7 +47,7 @@ if [ $? != 0 ]; then
 fi
 echo
 echo "convert the certificate request into a self signed certificate using 'x509'"
-$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey >err.ss
+$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey -extfile $CAconf -extensions v3_ca >err.ss
 if [ $? != 0 ]; then
        echo "error using 'x509' to self sign a certificate request"
        exit 1
@@ -68,18 +80,18 @@ if [ $? != 0 ]; then
 fi
 echo
-echo "make another certificate request using 'req'"
+echo "make a user certificate request using 'req'"
 $reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss
 if [ $? != 0 ]; then
-        echo "error using 'req' to generate a certificate request"
+        echo "error using 'req' to generate a user certificate request"
        exit 1
 fi
 echo
-echo "sign certificate request with the just created CA via 'x509'"
+echo "sign user certificate request with the just created CA via 'x509'"
-$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey >err.ss
+$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -extfile $Uconf -extensions v3_ee >err.ss
 if [ $? != 0 ]; then
-        echo "error using 'x509' to sign a certificate request"
+        echo "error using 'x509' to sign a user certificate request"
        exit 1
 fi
@@ -89,11 +101,63 @@ echo "Certificate details"
 $x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert
 echo
+echo "make a proxy certificate request using 'req'"
+$reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss
+if [ $? != 0 ]; then
+        echo "error using 'req' to generate a proxy certificate request"
+        exit 1
+fi
+echo
+echo "sign proxy certificate request with the just created user certificate via 'x509'"
+$x509cmd -CAcreateserial -in $P1req -days 30 -req -out $P1cert -CA $Ucert -CAkey $Ukey -extfile $P1conf -extensions v3_proxy >err.ss
+if [ $? != 0 ]; then
+        echo "error using 'x509' to sign a proxy certificate request"
+        exit 1
+fi
+cat $Ucert > $P1intermediate
+$verifycmd -CAfile $CAcert -untrusted $P1intermediate $P1cert
+echo
+echo "Certificate details"
+$x509cmd -subject -issuer -startdate -enddate -noout -in $P1cert
+echo
+echo "make another proxy certificate request using 'req'"
+$reqcmd -config $P2conf -out $P2req -keyout $P2key $req_new >err.ss
+if [ $? != 0 ]; then
+        echo "error using 'req' to generate another proxy certificate request"
+        exit 1
+fi
+echo
+echo "sign second proxy certificate request with the first proxy certificate via 'x509'"
+$x509cmd -CAcreateserial -in $P2req -days 30 -req -out $P2cert -CA $P1cert -CAkey $P1key -extfile $P2conf -extensions v3_proxy >err.ss
+if [ $? != 0 ]; then
+        echo "error using 'x509' to sign a second proxy certificate request"
+        exit 1
+fi
+cat $Ucert $P1cert > $P2intermediate
+$verifycmd -CAfile $CAcert -untrusted $P2intermediate $P2cert
+echo
+echo "Certificate details"
+$x509cmd -subject -issuer -startdate -enddate -noout -in $P2cert
+echo
 echo The generated CA certificate is $CAcert
 echo The generated CA private key is $CAkey
 echo The generated user certificate is $Ucert
 echo The generated user private key is $Ukey
+echo The first generated proxy certificate is $P1cert
+echo The first generated proxy private key is $P1key
+echo The second generated proxy certificate is $P2cert
+echo The second generated proxy private key is $P2key
 /bin/rm err.ss
+#/bin/rm $P1intermediate
+#/bin/rm $P2intermediate
 exit 0
diff --git a/src/lib/libssl/src/test/testssl b/src/lib/libssl/src/test/testssl
index ca8e718022..8ac90ae5ee 100644
--- a/src/lib/libssl/src/test/testssl
+++ b/src/lib/libssl/src/test/testssl
@@ -10,9 +10,9 @@ if [ "$2" = "" ]; then
 else
  cert="$2"
 fi
-ssltest="./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
+ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
-if ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
+if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
  dsa_cert=YES
 else
  dsa_cert=NO
@@ -121,24 +121,24 @@ $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
 #############################################################################
-if ../apps/openssl no-dh; then
+if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
  echo skipping anonymous DH tests
 else
  echo test tls1 with 1024bit anonymous DH, multiple handshakes
  $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
 fi
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
  echo skipping RSA tests
 else
  echo test tls1 with 1024bit RSA, no DHE, multiple handshakes
-  ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
+  ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
-  if ../apps/openssl no-dh; then
+  if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
    echo skipping RSA+DHE tests
  else
    echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
-    ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
+    ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
  fi
 fi
diff --git a/src/lib/libssl/src/test/tpkcs7 b/src/lib/libssl/src/test/tpkcs7
index cf3bd9fadb..79bb6e0edf 100644
--- a/src/lib/libssl/src/test/tpkcs7
+++ b/src/lib/libssl/src/test/tpkcs7
@@ -7,7 +7,7 @@ else
 fi
 export PATH
-cmd='../apps/openssl pkcs7'
+cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
 if [ "$1"x != "x" ]; then
        t=$1
diff --git a/src/lib/libssl/src/test/tpkcs7d b/src/lib/libssl/src/test/tpkcs7d
index 18f9311b06..20394b34c4 100644
--- a/src/lib/libssl/src/test/tpkcs7d
+++ b/src/lib/libssl/src/test/tpkcs7d
@@ -7,7 +7,7 @@ else
 fi
 export PATH
-cmd='../apps/openssl pkcs7'
+cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
 if [ "$1"x != "x" ]; then
        t=$1
diff --git a/src/lib/libssl/src/test/treq b/src/lib/libssl/src/test/treq
index 47a8273cde..7e020210a5 100644
--- a/src/lib/libssl/src/test/treq
+++ b/src/lib/libssl/src/test/treq
@@ -7,7 +7,7 @@ else
 fi
 export PATH
-cmd='../apps/openssl req -config ../apps/openssl.cnf'
+cmd='../util/shlib_wrap.sh ../apps/openssl req -config ../apps/openssl.cnf'
 if [ "$1"x != "x" ]; then
        t=$1
diff --git a/src/lib/libssl/src/test/trsa b/src/lib/libssl/src/test/trsa
index 413e2ec0a0..67b4a98841 100644
--- a/src/lib/libssl/src/test/trsa
+++ b/src/lib/libssl/src/test/trsa
@@ -7,12 +7,12 @@ else
 fi
 export PATH
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
  echo skipping rsa conversion test
  exit 0
 fi
-cmd='../apps/openssl rsa'
+cmd='../util/shlib_wrap.sh ../apps/openssl rsa'
 if [ "$1"x != "x" ]; then
        t=$1
diff --git a/src/lib/libssl/src/test/tsid b/src/lib/libssl/src/test/tsid
index 40a1dfa97c..fb4a7213b9 100644
--- a/src/lib/libssl/src/test/tsid
+++ b/src/lib/libssl/src/test/tsid
@@ -7,7 +7,7 @@ else
 fi
 export PATH
-cmd='../apps/openssl sess_id'
+cmd='../util/shlib_wrap.sh ../apps/openssl sess_id'
 if [ "$1"x != "x" ]; then
        t=$1
diff --git a/src/lib/libssl/src/test/tverify.com b/src/lib/libssl/src/test/tverify.com
index f97e71478f..2060184d1e 100644
--- a/src/lib/libssl/src/test/tverify.com
+++ b/src/lib/libssl/src/test/tverify.com
@@ -15,12 +15,15 @@ $	f = f$search("[-.certs]*.pem")
 $       if f .nes. "" .and. f .nes. old_f
 $       then
 $           certs = certs + " [-.certs]" + f$parse(f,,,"NAME") + ".pem"
-$           if f$length(certs) .lt. 180 then goto loop_certs2
 $           c := YES
+$           if f$length(certs) .lt. 180 then goto loop_certs2
 $       endif
 $       certs = certs - " "
 $
-$       mcr 'exe_dir'openssl verify "-CAfile" certs.tmp 'certs'
+$       if c
-$       if c then goto loop_certs
+$       then
+$           mcr 'exe_dir'openssl verify "-CAfile" certs.tmp 'certs'
+$           goto loop_certs
+$       endif
 $
 $       delete certs.tmp;*
diff --git a/src/lib/libssl/src/test/tx509 b/src/lib/libssl/src/test/tx509
index d380963abc..1b9c8661f3 100644
--- a/src/lib/libssl/src/test/tx509
+++ b/src/lib/libssl/src/test/tx509
@@ -7,7 +7,7 @@ else
 fi
 export PATH
-cmd='../apps/openssl x509'
+cmd='../util/shlib_wrap.sh ../apps/openssl x509'
 if [ "$1"x != "x" ]; then
        t=$1
diff --git a/src/lib/libssl/src/tools/c_issuer b/src/lib/libssl/src/tools/c_issuer
index 4c691201bb..55821ab740 100644
--- a/src/lib/libssl/src/tools/c_issuer
+++ b/src/lib/libssl/src/tools/c_issuer
@@ -6,5 +6,5 @@
 for i in $*
 do
        n=`openssl x509 -issuer -noout -in $i`
-        echo "$i\t$n"
+        echo "$i        $n"
 done
diff --git a/src/lib/libssl/src/util/cygwin.sh b/src/lib/libssl/src/util/cygwin.sh
index 930f766b4f..7f791d47f4 100644
--- a/src/lib/libssl/src/util/cygwin.sh
+++ b/src/lib/libssl/src/util/cygwin.sh
@@ -21,11 +21,11 @@ function cleanup()
 function get_openssl_version()
 {
-  eval `grep '^VERSION=' Makefile.ssl`
+  eval `grep '^VERSION=' Makefile`
  if [ -z "${VERSION}" ]
  then
-    echo "Error: Couldn't retrieve OpenSSL version from Makefile.ssl."
+    echo "Error: Couldn't retrieve OpenSSL version from Makefile."
-    echo "       Check value of variable VERSION in Makefile.ssl."
+    echo "       Check value of variable VERSION in Makefile."
    exit 1
  fi
 }
@@ -39,7 +39,7 @@ function base_install()
 function doc_install()
 {
-  DOC_DIR=${INSTALL_PREFIX}/usr/doc/openssl
+  DOC_DIR=${INSTALL_PREFIX}/usr/share/doc/openssl
  mkdir -p ${DOC_DIR}
  cp CHANGES CHANGES.SSLeay INSTALL LICENSE NEWS README ${DOC_DIR}
@@ -49,7 +49,7 @@ function doc_install()
 function create_cygwin_readme()
 {
-  README_DIR=${INSTALL_PREFIX}/usr/doc/Cygwin
+  README_DIR=${INSTALL_PREFIX}/usr/share/doc/Cygwin
  README_FILE=${README_DIR}/openssl-${VERSION}.README
  mkdir -p ${README_DIR}
@@ -112,8 +112,8 @@ cd ${INSTALL_PREFIX}
 strip usr/bin/*.exe usr/bin/*.dll
 # Runtime package
-find etc usr/bin usr/doc usr/ssl/certs usr/ssl/man/man[157] usr/ssl/misc \
+find etc usr/bin usr/share/doc usr/ssl/certs usr/ssl/man/man[157] \
-     usr/ssl/openssl.cnf usr/ssl/private -empty -o \! -type d |
+     usr/ssl/misc usr/ssl/openssl.cnf usr/ssl/private -empty -o \! -type d |
 tar cjfT openssl-${VERSION}-${SUBVERSION}.tar.bz2 -
 # Development package
 find usr/include usr/lib usr/ssl/man/man3 -empty -o \! -type d |
diff --git a/src/lib/libssl/src/util/domd b/src/lib/libssl/src/util/domd
index 49310bbdd1..5610521f0b 100644
--- a/src/lib/libssl/src/util/domd
+++ b/src/lib/libssl/src/util/domd
@@ -11,7 +11,7 @@ if [ "$1" = "-MD" ]; then
 fi
 if [ "$MAKEDEPEND" = "" ]; then MAKEDEPEND=makedepend; fi
-cp Makefile.ssl Makefile.save
+cp Makefile Makefile.save
 # fake the presence of Kerberos
 touch $TOP/krb5.h
 if [ "$MAKEDEPEND" = "gcc" ]; then
@@ -20,15 +20,15 @@ if [ "$MAKEDEPEND" = "gcc" ]; then
        if [ "$1" != "--" ]; then args="$args $1"; fi
        shift
    done
-    sed -e '/^# DO NOT DELETE.*/,$d' < Makefile.ssl > Makefile.tmp
+    sed -e '/^# DO NOT DELETE.*/,$d' < Makefile > Makefile.tmp
    echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp
    gcc -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp
    ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new
    rm -f Makefile.tmp
 else
-    ${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND -f Makefile.ssl $@
+    ${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND -f Makefile $@
-    ${PERL} $TOP/util/clean-depend.pl < Makefile.ssl > Makefile.new
+    ${PERL} $TOP/util/clean-depend.pl < Makefile > Makefile.new
 fi
-mv Makefile.new Makefile.ssl
+mv Makefile.new Makefile
 # unfake the presence of Kerberos
 rm $TOP/krb5.h
diff --git a/src/lib/libssl/src/util/libeay.num b/src/lib/libssl/src/util/libeay.num
index 203c7713e7..56fb7446e0 100644
--- a/src/lib/libssl/src/util/libeay.num
+++ b/src/lib/libssl/src/util/libeay.num
@@ -284,20 +284,20 @@ EVP_add_alias                           291	NOEXIST::FUNCTION:
 EVP_add_cipher                          292     EXIST::FUNCTION:
 EVP_add_digest                          293     EXIST::FUNCTION:
 EVP_bf_cbc                              294     EXIST::FUNCTION:BF
-EVP_bf_cfb                              295     EXIST::FUNCTION:BF
+EVP_bf_cfb64                            295     EXIST::FUNCTION:BF
 EVP_bf_ecb                              296     EXIST::FUNCTION:BF
 EVP_bf_ofb                              297     EXIST::FUNCTION:BF
 EVP_cleanup                             298     EXIST::FUNCTION:
 EVP_des_cbc                             299     EXIST::FUNCTION:DES
-EVP_des_cfb                             300     EXIST::FUNCTION:DES
+EVP_des_cfb64                           300     EXIST::FUNCTION:DES
 EVP_des_ecb                             301     EXIST::FUNCTION:DES
 EVP_des_ede                             302     EXIST::FUNCTION:DES
 EVP_des_ede3                            303     EXIST::FUNCTION:DES
 EVP_des_ede3_cbc                        304     EXIST::FUNCTION:DES
-EVP_des_ede3_cfb                        305     EXIST::FUNCTION:DES
+EVP_des_ede3_cfb64                      305     EXIST::FUNCTION:DES
 EVP_des_ede3_ofb                        306     EXIST::FUNCTION:DES
 EVP_des_ede_cbc                         307     EXIST::FUNCTION:DES
-EVP_des_ede_cfb                         308     EXIST::FUNCTION:DES
+EVP_des_ede_cfb64                       308     EXIST::FUNCTION:DES
 EVP_des_ede_ofb                         309     EXIST::FUNCTION:DES
 EVP_des_ofb                             310     EXIST::FUNCTION:DES
 EVP_desx_cbc                            311     EXIST::FUNCTION:DES
@@ -308,14 +308,14 @@ EVP_get_cipherbyname                    315	EXIST::FUNCTION:
 EVP_get_digestbyname                    316     EXIST::FUNCTION:
 EVP_get_pw_prompt                       317     EXIST::FUNCTION:
 EVP_idea_cbc                            318     EXIST::FUNCTION:IDEA
-EVP_idea_cfb                            319     EXIST::FUNCTION:IDEA
+EVP_idea_cfb64                          319     EXIST::FUNCTION:IDEA
 EVP_idea_ecb                            320     EXIST::FUNCTION:IDEA
 EVP_idea_ofb                            321     EXIST::FUNCTION:IDEA
 EVP_md2                                 322     EXIST::FUNCTION:MD2
 EVP_md5                                 323     EXIST::FUNCTION:MD5
 EVP_md_null                             324     EXIST::FUNCTION:
 EVP_rc2_cbc                             325     EXIST::FUNCTION:RC2
-EVP_rc2_cfb                             326     EXIST::FUNCTION:RC2
+EVP_rc2_cfb64                           326     EXIST::FUNCTION:RC2
 EVP_rc2_ecb                             327     EXIST::FUNCTION:RC2
 EVP_rc2_ofb                             328     EXIST::FUNCTION:RC2
 EVP_rc4                                 329     EXIST::FUNCTION:RC4
@@ -962,7 +962,7 @@ i2t_ASN1_OBJECT                         979	EXIST::FUNCTION:
 BN_BLINDING_new                         980     EXIST::FUNCTION:
 BN_BLINDING_free                        981     EXIST::FUNCTION:
 EVP_cast5_cbc                           983     EXIST::FUNCTION:CAST
-EVP_cast5_cfb                           984     EXIST::FUNCTION:CAST
+EVP_cast5_cfb64                         984     EXIST::FUNCTION:CAST
 EVP_cast5_ecb                           985     EXIST::FUNCTION:CAST
 EVP_cast5_ofb                           986     EXIST::FUNCTION:CAST
 BF_decrypt                              987     EXIST::FUNCTION:BF
@@ -1057,7 +1057,7 @@ EVP_CIPHER_param_to_asn1                1084	EXIST::FUNCTION:
 EVP_CIPHER_get_asn1_iv                  1085    EXIST::FUNCTION:
 EVP_CIPHER_set_asn1_iv                  1086    EXIST::FUNCTION:
 EVP_rc5_32_12_16_cbc                    1087    EXIST::FUNCTION:RC5
-EVP_rc5_32_12_16_cfb                    1088    EXIST::FUNCTION:RC5
+EVP_rc5_32_12_16_cfb64                  1088    EXIST::FUNCTION:RC5
 EVP_rc5_32_12_16_ecb                    1089    EXIST::FUNCTION:RC5
 EVP_rc5_32_12_16_ofb                    1090    EXIST::FUNCTION:RC5
 asn1_add_error                          1091    EXIST::FUNCTION:
@@ -2776,10 +2776,10 @@ ENGINE_load_4758cca                     3218	EXIST::FUNCTION:ENGINE
 _ossl_096_des_random_seed               3219    EXIST::FUNCTION:DES
 EVP_aes_256_ofb                         3220    EXIST::FUNCTION:AES
 EVP_aes_192_ofb                         3221    EXIST::FUNCTION:AES
-EVP_aes_128_cfb                         3222    EXIST::FUNCTION:AES
+EVP_aes_128_cfb128                      3222    EXIST::FUNCTION:AES
-EVP_aes_256_cfb                         3223    EXIST::FUNCTION:AES
+EVP_aes_256_cfb128                      3223    EXIST::FUNCTION:AES
 EVP_aes_128_ofb                         3224    EXIST::FUNCTION:AES
-EVP_aes_192_cfb                         3225    EXIST::FUNCTION:AES
+EVP_aes_192_cfb128                      3225    EXIST::FUNCTION:AES
 CONF_modules_free                       3226    EXIST::FUNCTION:
 NCONF_default                           3227    EXIST::FUNCTION:
 OPENSSL_no_config                       3228    EXIST::FUNCTION:
@@ -2803,3 +2803,67 @@ OpenSSLDie                              3244	EXIST::FUNCTION:
 OPENSSL_cleanse                         3245    EXIST::FUNCTION:
 ENGINE_setup_bsd_cryptodev              3246    EXIST:__FreeBSD__:FUNCTION:ENGINE
 ERR_release_err_state_table             3247    EXIST::FUNCTION:LHASH
+EVP_aes_128_cfb8                        3248    EXIST::FUNCTION:AES
+FIPS_corrupt_rsa                        3249    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_des                       3250    EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_aes_128_cfb1                        3251    EXIST::FUNCTION:AES
+EVP_aes_192_cfb8                        3252    EXIST::FUNCTION:AES
+FIPS_mode_set                           3253    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_dsa                       3254    EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_aes_256_cfb8                        3255    EXIST::FUNCTION:AES
+FIPS_allow_md5                          3256    EXIST:OPENSSL_FIPS:FUNCTION:
+DES_ede3_cfb_encrypt                    3257    EXIST::FUNCTION:DES
+EVP_des_ede3_cfb8                       3258    EXIST::FUNCTION:DES
+FIPS_rand_seeded                        3259    EXIST:OPENSSL_FIPS:FUNCTION:
+AES_cfbr_encrypt_block                  3260    EXIST::FUNCTION:AES
+AES_cfb8_encrypt                        3261    EXIST::FUNCTION:AES
+FIPS_rand_seed                          3262    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_corrupt_des                        3263    EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_aes_192_cfb1                        3264    EXIST::FUNCTION:AES
+FIPS_selftest_aes                       3265    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_set_prng_key                       3266    EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_des_cfb8                            3267    EXIST::FUNCTION:DES
+FIPS_corrupt_dsa                        3268    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_test_mode                          3269    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_rand_method                        3270    EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_aes_256_cfb1                        3271    EXIST::FUNCTION:AES
+ERR_load_FIPS_strings                   3272    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_corrupt_aes                        3273    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_sha1                      3274    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_rsa                       3275    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_corrupt_sha1                       3276    EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_des_cfb1                            3277    EXIST::FUNCTION:DES
+FIPS_dsa_check                          3278    EXIST:OPENSSL_FIPS:FUNCTION:
+AES_cfb1_encrypt                        3279    EXIST::FUNCTION:AES
+EVP_des_ede3_cfb1                       3280    EXIST::FUNCTION:DES
+FIPS_rand_check                         3281    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_md5_allowed                        3282    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_mode                               3283    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_failed                    3284    EXIST:OPENSSL_FIPS:FUNCTION:
+sk_is_sorted                            3285    EXIST::FUNCTION:
+X509_check_ca                           3286    EXIST::FUNCTION:
+private_idea_set_encrypt_key            3287    EXIST:OPENSSL_FIPS:FUNCTION:IDEA
+HMAC_CTX_set_flags                      3288    EXIST::FUNCTION:HMAC
+private_SHA_Init                        3289    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA0
+private_CAST_set_key                    3290    EXIST:OPENSSL_FIPS:FUNCTION:CAST
+private_RIPEMD160_Init                  3291    EXIST:OPENSSL_FIPS:FUNCTION:RIPEMD
+private_RC5_32_set_key                  3292    EXIST:OPENSSL_FIPS:FUNCTION:RC5
+private_MD5_Init                        3293    EXIST:OPENSSL_FIPS:FUNCTION:MD5
+private_RC4_set_key                     3294    EXIST:OPENSSL_FIPS:FUNCTION:RC4
+private_MDC2_Init                       3295    EXIST:OPENSSL_FIPS:FUNCTION:MDC2
+private_RC2_set_key                     3296    EXIST:OPENSSL_FIPS:FUNCTION:RC2
+private_MD4_Init                        3297    EXIST:OPENSSL_FIPS:FUNCTION:MD4
+private_BF_set_key                      3298    EXIST:OPENSSL_FIPS:FUNCTION:BF
+private_MD2_Init                        3299    EXIST:OPENSSL_FIPS:FUNCTION:MD2
+d2i_PROXY_CERT_INFO_EXTENSION           3300    EXIST::FUNCTION:
+PROXY_POLICY_it                         3301    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PROXY_POLICY_it                         3301    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+i2d_PROXY_POLICY                        3302    EXIST::FUNCTION:
+i2d_PROXY_CERT_INFO_EXTENSION           3303    EXIST::FUNCTION:
+d2i_PROXY_POLICY                        3304    EXIST::FUNCTION:
+PROXY_CERT_INFO_EXTENSION_new           3305    EXIST::FUNCTION:
+PROXY_CERT_INFO_EXTENSION_free          3306    EXIST::FUNCTION:
+PROXY_CERT_INFO_EXTENSION_it            3307    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PROXY_CERT_INFO_EXTENSION_it            3307    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+PROXY_POLICY_free                       3308    EXIST::FUNCTION:
+PROXY_POLICY_new                        3309    EXIST::FUNCTION:
diff --git a/src/lib/libssl/src/util/mk1mf.pl b/src/lib/libssl/src/util/mk1mf.pl
index b4bc0457e5..957264c6b5 100644
--- a/src/lib/libssl/src/util/mk1mf.pl
+++ b/src/lib/libssl/src/util/mk1mf.pl
@@ -10,7 +10,7 @@ $OPTIONS="";
 $ssl_version="";
 $banner="\t\@echo Building OpenSSL";
-open(IN,"<Makefile.ssl") || die "unable to open Makefile.ssl!\n";
+open(IN,"<Makefile") || die "unable to open Makefile!\n";
 while(<IN>) {
    $ssl_version=$1 if (/^VERSION=(.*)$/);
    $OPTIONS=$1 if (/^OPTIONS=(.*)$/);
@@ -18,7 +18,7 @@ while(<IN>) {
 }
 close(IN);
-die "Makefile.ssl is not the toplevel Makefile!\n" if $ssl_version eq "";
+die "Makefile is not the toplevel Makefile!\n" if $ssl_version eq "";
 $infile="MINFO";
@@ -222,7 +222,7 @@ $cflags.=" -DOPENSSL_NO_SHA"  if $no_sha;
 $cflags.=" -DOPENSSL_NO_SHA1" if $no_sha1;
 $cflags.=" -DOPENSSL_NO_RIPEMD" if $no_ripemd;
 $cflags.=" -DOPENSSL_NO_MDC2" if $no_mdc2;
-$cflags.=" -DOPENSSL_NO_BF"  if $no_bf;
+$cflags.=" -DOPENSSL_NO_BF"   if $no_bf;
 $cflags.=" -DOPENSSL_NO_CAST" if $no_cast;
 $cflags.=" -DOPENSSL_NO_DES"  if $no_des;
 $cflags.=" -DOPENSSL_NO_RSA"  if $no_rsa;
@@ -236,6 +236,7 @@ $cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5;
 $cflags.=" -DOPENSSL_NO_EC"   if $no_ec;
 $cflags.=" -DOPENSSL_NO_ENGINE"   if $no_engine;
 $cflags.=" -DOPENSSL_NO_HW"   if $no_hw;
+$cflags.=" -DOPENSSL_FIPS"    if $fips;
 #$cflags.=" -DRSAref"  if $rsaref ne "";
 ## if ($unix)
@@ -631,15 +632,21 @@ foreach (split(/\s+/,$test))
 $rules.= &do_lib_rule("\$(SSLOBJ)","\$(O_SSL)",$ssl,$shlib,"\$(SO_SSL)");
 $rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)");
-$rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
+if ($fips)
+        {
+        $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)","\$(BIN_D)$o.sha1","\$(BIN_D)$o\$(E_EXE)$exep");
+        }
+else
+        {
+        $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
+        }
 print $defs;
 if ($platform eq "linux-elf") {
    print <<"EOF";
 # Generate perlasm output files
 %.cpp:
-        (cd \$(\@D)/..; PERL=perl make -f Makefile.ssl asm/\$(\@F))
+        (cd \$(\@D)/..; PERL=perl make -f Makefile asm/\$(\@F))
 EOF
 }
 print "###################################################################\n";
@@ -921,6 +928,7 @@ sub read_options
                                  $no_aes=1; }
        elsif (/^rsaref$/)      { }
+        elsif (/^fips$/)        { $fips=1; }
        elsif (/^gcc$/)         { $gcc=1; }
        elsif (/^debug$/)       { $debug=1; }
        elsif (/^profile$/)     { $profile=1; }
diff --git a/src/lib/libssl/src/util/mkdef.pl b/src/lib/libssl/src/util/mkdef.pl
index 01a1bfda19..9918c3d549 100644
--- a/src/lib/libssl/src/util/mkdef.pl
+++ b/src/lib/libssl/src/util/mkdef.pl
@@ -79,7 +79,7 @@ my $OS2=0;
 my $safe_stack_def = 0;
 my @known_platforms = ( "__FreeBSD__", "PERL5", "NeXT",
-                        "EXPORT_VAR_AS_FUNCTION" );
+                        "EXPORT_VAR_AS_FUNCTION", "OPENSSL_FIPS" );
 my @known_ossl_platforms = ( "VMS", "WIN16", "WIN32", "WINNT", "OS2" );
 my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
                         "CAST", "MD2", "MD4", "MD5", "SHA", "SHA0", "SHA1",
@@ -94,7 +94,7 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
                         "FP_API", "STDIO", "SOCK", "KRB5", "ENGINE", "HW" );
 my $options="";
-open(IN,"<Makefile.ssl") || die "unable to open Makefile.ssl!\n";
+open(IN,"<Makefile") || die "unable to open Makefile!\n";
 while(<IN>) {
    $options=$1 if (/^OPTIONS=(.*)$/);
 }
@@ -109,6 +109,7 @@ my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
 my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5;
 my $no_ec; my $no_engine; my $no_hw;
 my $no_fp_api;
+my $fips;
 foreach (@ARGV, split(/ /, $options))
        {
@@ -129,6 +130,7 @@ foreach (@ARGV, split(/ /, $options))
        }
        $VMS=1 if $_ eq "VMS";
        $OS2=1 if $_ eq "OS2";
+        $fips=1 if $_ eq "fips";
        $do_ssl=1 if $_ eq "ssleay";
        if ($_ eq "ssl") {
@@ -265,6 +267,7 @@ $crypto.=" crypto/ocsp/ocsp.h";
 $crypto.=" crypto/ui/ui.h crypto/ui/ui_compat.h";
 $crypto.=" crypto/krb5/krb5_asn.h";
 $crypto.=" crypto/tmdiff.h";
+$crypto.=" fips/fips.h fips/rand/fips_rand.h";
 my $symhacks="crypto/symhacks.h";
@@ -469,7 +472,7 @@ sub do_defs
                                        push(@tag,$1);
                                        $tag{$1}=-1;
                                }
-                        } elsif (/^\#\s*ifdef\s+(.*)/) {
+                        } elsif (/^\#\s*ifdef\s+(\S*)/) {
                                push(@tag,"-");
                                push(@tag,$1);
                                $tag{$1}=1;
@@ -794,7 +797,7 @@ sub do_defs
                }
                close(IN);
-                my $algs;
+                my $algs = '';
                my $plays;
                print STDERR "DEBUG: postprocessing ----------\n" if $debug;
@@ -864,6 +867,7 @@ sub do_defs
                        $platform{$s} =
                            &reduce_platforms((defined($platform{$s})?$platform{$s}.',':"").$p);
+                        $algorithm{$s} = '' if !defined $algorithm{$s};
                        $algorithm{$s} .= ','.$a;
                        if (defined($variant{$s})) {
@@ -1028,6 +1032,9 @@ sub is_valid
                        if ($keyword eq "EXPORT_VAR_AS_FUNCTION" && ($VMSVAX || $W32 || $W16)) {
                                return 1;
                        }
+                        if ($keyword eq "OPENSSL_FIPS" && $fips) {
+                                return 1;
+                        }
                        return 0;
                } else {
                        # algorithms
@@ -1119,7 +1126,7 @@ sub print_test_file
 sub get_version {
   local *MF;
   my $v = '?';
-   open MF, 'Makefile.ssl' or return $v;
+   open MF, 'Makefile' or return $v;
   while (<MF>) {
     $v = $1, last if /^VERSION=(.*?)\s*$/;
   }
diff --git a/src/lib/libssl/src/util/mkerr.pl b/src/lib/libssl/src/util/mkerr.pl
index 1b2915c767..60e534807e 100644
--- a/src/lib/libssl/src/util/mkerr.pl
+++ b/src/lib/libssl/src/util/mkerr.pl
@@ -41,7 +41,8 @@ while (@ARGV) {
 }
 if($recurse) {
-        @source = (<crypto/*.c>, <crypto/*/*.c>, <ssl/*.c>);
+        @source = (<crypto/*.c>, <crypto/*/*.c>, <ssl/*.c>, <fips/*.c>,
+                   <fips/*/*.c>);
 } else {
        @source = @ARGV;
 }
@@ -262,7 +263,7 @@ foreach $lib (keys %csrc)
        } else {
            push @out,
 "/* ====================================================================\n",
-" * Copyright (c) 2001-2003 The OpenSSL Project.  All rights reserved.\n",
+" * Copyright (c) 2001-2005 The OpenSSL Project.  All rights reserved.\n",
 " *\n",
 " * Redistribution and use in source and binary forms, with or without\n",
 " * modification, are permitted provided that the following conditions\n",
@@ -404,7 +405,7 @@ EOF
        print OUT <<"EOF";
 /* $cfile */
 /* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
diff --git a/src/lib/libssl/src/util/mkfiles.pl b/src/lib/libssl/src/util/mkfiles.pl
index 29e1404c69..928a274303 100644
--- a/src/lib/libssl/src/util/mkfiles.pl
+++ b/src/lib/libssl/src/util/mkfiles.pl
@@ -51,6 +51,14 @@ my @dirs = (
 "crypto/ocsp",
 "crypto/ui",
 "crypto/krb5",
+"fips",
+"fips/aes",
+"fips/des",
+"fips/dsa",
+"fips/dh",
+"fips/rand",
+"fips/rsa",
+"fips/sha1",
 "ssl",
 "apps",
 "test",
@@ -58,7 +66,7 @@ my @dirs = (
 );
 foreach (@dirs) {
-        &files_dir ($_, "Makefile.ssl");
+        &files_dir ($_, "Makefile");
 }
 exit(0);
diff --git a/src/lib/libssl/src/util/mklink.pl b/src/lib/libssl/src/util/mklink.pl
index 9386da7aa4..c8653cecc3 100644
--- a/src/lib/libssl/src/util/mklink.pl
+++ b/src/lib/libssl/src/util/mklink.pl
@@ -52,6 +52,7 @@ $symlink_exists=eval {symlink("",""); 1};
 foreach $file (@files) {
    my $err = "";
    if ($symlink_exists) {
+        unlink "$from/$file";
        symlink("$to/$file", "$from/$file") or $err = " [$!]";
    } else {
        unlink "$from/$file"; 
diff --git a/src/lib/libssl/src/util/mkstack.pl b/src/lib/libssl/src/util/mkstack.pl
index 085c50f790..0ca9eb6a76 100644
--- a/src/lib/libssl/src/util/mkstack.pl
+++ b/src/lib/libssl/src/util/mkstack.pl
@@ -84,6 +84,7 @@ while(<IN>) {
 #define sk_${type_thing}_shift(st) SKM_sk_shift($type_thing, (st))
 #define sk_${type_thing}_pop(st) SKM_sk_pop($type_thing, (st))
 #define sk_${type_thing}_sort(st) SKM_sk_sort($type_thing, (st))
+#define sk_${type_thing}_is_sorted(st) SKM_sk_is_sorted($type_thing, (st))
 EOF
        }
        foreach $type_thing (sort @asn1setlst) {
diff --git a/src/lib/libssl/src/util/pl/BC-16.pl b/src/lib/libssl/src/util/pl/BC-16.pl
index 2033f524ca..8030653daa 100644
--- a/src/lib/libssl/src/util/pl/BC-16.pl
+++ b/src/lib/libssl/src/util/pl/BC-16.pl
@@ -64,7 +64,7 @@ $lfile='';
 $asm='bcc -c -B -Tml';
 $afile='/o';
-if ($no_asm)
+if ($no_asm || $fips)
        {
        $bn_asm_obj='';
        $bn_asm_src='';
@@ -119,11 +119,11 @@ sub do_lib_rule
 sub do_link_rule
        {
-        local($target,$files,$dep_libs,$libs)=@_;
+        local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
        local($ret,$f,$_,@f);
-        
        $file =~ s/\//$o/g if $o ne '/';
-        $n=&bname($targer);
+        $n=&bname($target);
        $ret.="$target: $files $dep_libs\n";
        $ret.="  \$(LINK) @&&|";
        
@@ -139,7 +139,12 @@ sub do_link_rule
                }
        else
                { $ret.="\n $r \$(APP_EX_OBJ) $files\n"; }
-        $ret.="  $target\n\n  $libs\n\n|\n\n";
+        $ret.="  $target\n\n  $libs\n\n|\n";
+        if (defined $sha1file)
+                {
+                $ret.="  $openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+                }
+        $ret.="\n";
        return($ret);
        }
diff --git a/src/lib/libssl/src/util/pl/BC-32.pl b/src/lib/libssl/src/util/pl/BC-32.pl
index e83b336190..897ae9d824 100644
--- a/src/lib/libssl/src/util/pl/BC-32.pl
+++ b/src/lib/libssl/src/util/pl/BC-32.pl
@@ -62,7 +62,7 @@ $des_enc_src='';
 $bf_enc_obj='';
 $bf_enc_src='';
-if (!$no_asm)
+if (!$no_asm && !$fips)
        {
        $bn_mulw_obj='crypto\bn\asm\bn_win32.obj';
        $bn_mulw_src='crypto\bn\asm\bn_win32.asm';
@@ -122,13 +122,18 @@ sub do_lib_rule
 sub do_link_rule
        {
-        local($target,$files,$dep_libs,$libs)=@_;
+        local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
        local($ret,$_);
-        
        $file =~ s/\//$o/g if $o ne '/';
        $n=&bname($targer);
        $ret.="$target: $files $dep_libs\n";
-        $ret.="\t\$(LINK) \$(LFLAGS) $files \$(APP_EX_OBJ), $target,, $libs\n\n";
+        $ret.="\t\$(LINK) \$(LFLAGS) $files \$(APP_EX_OBJ), $target,, $libs\n";
+        if (defined $sha1file)
+                {
+                $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+                }
+        $ret.="\n";
        return($ret);
        }
diff --git a/src/lib/libssl/src/util/pl/Mingw32.pl b/src/lib/libssl/src/util/pl/Mingw32.pl
index 4bee638c4a..b9bb24d21d 100644
--- a/src/lib/libssl/src/util/pl/Mingw32.pl
+++ b/src/lib/libssl/src/util/pl/Mingw32.pl
@@ -21,7 +21,7 @@ if ($debug)
 else
        { $cflags="-DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -mcpu=i486 -Wall"; }
-if ($gaswin and !$no_asm)
+if ($gaswin and !$no_asm and !$fips)
        {
        $bn_asm_obj='$(OBJ_D)\bn-win32.o';
        $bn_asm_src='crypto/bn/asm/bn-win32.s';
@@ -92,13 +92,18 @@ sub do_lib_rule
 sub do_link_rule
        {
-        local($target,$files,$dep_libs,$libs)=@_;
+        local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
        local($ret,$_);
        
        $file =~ s/\//$o/g if $o ne '/';
        $n=&bname($target);
        $ret.="$target: $files $dep_libs\n";
-        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n";
+        if (defined $sha1file)
+                {
+                $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+                }
+        $ret.="\n";
        return($ret);
        }
 1;
diff --git a/src/lib/libssl/src/util/pl/OS2-EMX.pl b/src/lib/libssl/src/util/pl/OS2-EMX.pl
index ddb3524210..75d72ebbcb 100644
--- a/src/lib/libssl/src/util/pl/OS2-EMX.pl
+++ b/src/lib/libssl/src/util/pl/OS2-EMX.pl
@@ -48,7 +48,7 @@ $des_enc_src="";
 $bf_enc_obj="";
 $bf_enc_src="";
-if (!$no_asm)
+if (!$no_asm && !$fips)
        {
        $bn_asm_obj="crypto/bn/asm/bn-os2$obj crypto/bn/asm/co-os2$obj";
        $bn_asm_src="crypto/bn/asm/bn-os2.asm crypto/bn/asm/co-os2.asm";
@@ -106,13 +106,18 @@ sub do_lib_rule
 sub do_link_rule
        {
-        local($target,$files,$dep_libs,$libs)=@_;
+        local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
        local($ret,$_);
        
        $file =~ s/\//$o/g if $o ne '/';
        $n=&bname($target);
        $ret.="$target: $files $dep_libs\n";
-        $ret.="\t\$(LINK) ${efile}$target \$(CFLAG) \$(LFLAGS) $files $libs\n\n";
+        $ret.="\t\$(LINK) ${efile}$target \$(CFLAG) \$(LFLAGS) $files $libs\n";
+        if (defined $sha1file)
+                {
+                $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+                }
+        $ret.="\n";
        return($ret);
        }
diff --git a/src/lib/libssl/src/util/pl/VC-16.pl b/src/lib/libssl/src/util/pl/VC-16.pl
index 7cda5e67a9..564ba3fd08 100644
--- a/src/lib/libssl/src/util/pl/VC-16.pl
+++ b/src/lib/libssl/src/util/pl/VC-16.pl
@@ -61,7 +61,7 @@ if ($shlib)
 else
        { $mlflags=''; }
-$app_ex_obj="setargv.obj";
+$app_ex_obj="";
 $obj='.obj';
 $ofile="/Fo";
@@ -90,7 +90,7 @@ $des_enc_src='';
 $bf_enc_obj='';
 $bf_enc_src='';
-if (!$no_asm)
+if (!$no_asm && !$fips)
        {
        if ($asmbits == 32)
                {
@@ -147,7 +147,7 @@ sub do_lib_rule
 sub do_link_rule
        {
-        local($target,$files,$dep_libs,$libs)=@_;
+        local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
        local($ret,$f,$_,@f);
        
        $file =~ s/\//$o/g if $o ne '/';
@@ -165,7 +165,12 @@ sub do_link_rule
                }
        else
                { $ret.="  \$(APP_EX_OBJ) $files"; }
-        $ret.="\n  $target\n\n  $libs\n\n<<\n\n";
+        $ret.="\n  $target\n\n  $libs\n\n<<\n";
+        if (defined $sha1file)
+                {
+                $ret.="  $openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+                }
+        $ret.="\n";
        return($ret);
        }
diff --git a/src/lib/libssl/src/util/pl/VC-32.pl b/src/lib/libssl/src/util/pl/VC-32.pl
index 285990c589..cf689b9feb 100644
--- a/src/lib/libssl/src/util/pl/VC-32.pl
+++ b/src/lib/libssl/src/util/pl/VC-32.pl
@@ -64,7 +64,7 @@ $des_enc_src='';
 $bf_enc_obj='';
 $bf_enc_src='';
-if (!$no_asm)
+if (!$no_asm && !$fips)
        {
        $bn_asm_obj='crypto\bn\asm\bn_win32.obj';
        $bn_asm_src='crypto\bn\asm\bn_win32.asm';
@@ -126,14 +126,19 @@ sub do_lib_rule
 sub do_link_rule
        {
-        local($target,$files,$dep_libs,$libs)=@_;
+        local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
        local($ret,$_);
        
        $file =~ s/\//$o/g if $o ne '/';
        $n=&bname($targer);
        $ret.="$target: $files $dep_libs\n";
        $ret.="  \$(LINK) \$(LFLAGS) $efile$target @<<\n";
-        $ret.="  \$(APP_EX_OBJ) $files $libs\n<<\n\n";
+        $ret.="  \$(APP_EX_OBJ) $files $libs\n<<\n";
+        if (defined $sha1file)
+                {
+                $ret.="  $openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+                }
+        $ret.="\n";
        return($ret);
        }
diff --git a/src/lib/libssl/src/util/pl/linux.pl b/src/lib/libssl/src/util/pl/linux.pl
index 8924ed5480..df05c40526 100644
--- a/src/lib/libssl/src/util/pl/linux.pl
+++ b/src/lib/libssl/src/util/pl/linux.pl
@@ -72,13 +72,18 @@ sub do_shlib_rule
 sub do_link_rule
        {
-        local($target,$files,$dep_libs,$libs)=@_;
+        local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
        local($ret,$_);
        
        $file =~ s/\//$o/g if $o ne '/';
        $n=&bname($target);
        $ret.="$target: $files $dep_libs\n";
-        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n";
+        if (defined $sha1file)
+                {
+                $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+                }
+        $ret.="\n";
        return($ret);
        }
diff --git a/src/lib/libssl/src/util/pl/ultrix.pl b/src/lib/libssl/src/util/pl/ultrix.pl
index ea370c71f9..447b854708 100644
--- a/src/lib/libssl/src/util/pl/ultrix.pl
+++ b/src/lib/libssl/src/util/pl/ultrix.pl
@@ -17,7 +17,7 @@ else
 $cflags.=" -std1 -DL_ENDIAN";
-if (!$no_asm)
+if (!$no_asm && !$fips)
        {
        $bn_asm_obj='$(OBJ_D)/mips1.o';
        $bn_asm_src='crypto/bn/asm/mips1.s';
@@ -25,13 +25,18 @@ if (!$no_asm)
 sub do_link_rule
        {
-        local($target,$files,$dep_libs,$libs)=@_;
+        local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
        local($ret,$_);
        
        $file =~ s/\//$o/g if $o ne '/';
        $n=&bname($target);
        $ret.="$target: $files $dep_libs\n";
-        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n";
+        if (defined $sha1file)
+                {
+                $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+                }
+        $ret.="\n";
        return($ret);
        }
diff --git a/src/lib/libssl/src/util/pl/unix.pl b/src/lib/libssl/src/util/pl/unix.pl
index 146611ad99..bbd1798a2e 100644
--- a/src/lib/libssl/src/util/pl/unix.pl
+++ b/src/lib/libssl/src/util/pl/unix.pl
@@ -70,13 +70,18 @@ sub do_lib_rule
 sub do_link_rule
        {
-        local($target,$files,$dep_libs,$libs)=@_;
+        local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
        local($ret,$_);
        
        $file =~ s/\//$o/g if $o ne '/';
        $n=&bname($target);
        $ret.="$target: $files $dep_libs\n";
-        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n";
+        if (defined $sha1file)
+                {
+                $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+                }
+        $ret.="\n";
        return($ret);
        }
diff --git a/src/lib/libssl/src/util/selftest.pl b/src/lib/libssl/src/util/selftest.pl
index 276b81183d..e9d5aa8938 100644
--- a/src/lib/libssl/src/util/selftest.pl
+++ b/src/lib/libssl/src/util/selftest.pl
@@ -34,9 +34,9 @@ foreach $_ (split("\n",$c)) {
    $platform0=$1 if (/Configuring for (.*)$/);
 }
-system "sh config" if (! -f "Makefile.ssl");
+system "sh config" if (! -f "Makefile");
-if (open(IN,"<Makefile.ssl")) {
+if (open(IN,"<Makefile")) {
    while (<IN>) {
        $version=$1 if (/^VERSION=(.*)$/);
        $platform=$1 if (/^PLATFORM=(.*)$/);
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 913bd40eea..3161f532cf 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -239,6 +239,7 @@ extern "C" {
 #define SSL_TXT_LOW             "LOW"
 #define SSL_TXT_MEDIUM          "MEDIUM"
 #define SSL_TXT_HIGH            "HIGH"
+#define SSL_TXT_FIPS            "FIPS"
 #define SSL_TXT_kFZA            "kFZA"
 #define SSL_TXT_aFZA            "aFZA"
 #define SSL_TXT_eFZA            "eFZA"
@@ -372,7 +373,7 @@ typedef struct ssl_method_st
        long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg);
        SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
        int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr);
-        int (*ssl_pending)(SSL *s);
+        int (*ssl_pending)(const SSL *s);
        int (*num_ciphers)(void);
        SSL_CIPHER *(*get_cipher)(unsigned ncipher);
        struct ssl_method_st *(*get_ssl_method)(int version);
@@ -998,8 +999,8 @@ extern "C" {
 *   -- that we sent (SSL_get_finished)
 *   -- that we expected from peer (SSL_get_peer_finished).
 * Returns length (0 == no Finished so far), copies up to 'count' bytes. */
-size_t SSL_get_finished(SSL *s, void *buf, size_t count);
+size_t SSL_get_finished(const SSL *s, void *buf, size_t count);
-size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count);
+size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
 /* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
 * are 'ored' with SSL_VERIFY_PEER if they are desired */
@@ -1171,26 +1172,26 @@ int	SSL_CTX_set_cipher_list(SSL_CTX *,const char *str);
 SSL_CTX *SSL_CTX_new(SSL_METHOD *meth);
 void    SSL_CTX_free(SSL_CTX *);
 long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
-long SSL_CTX_get_timeout(SSL_CTX *ctx);
+long SSL_CTX_get_timeout(const SSL_CTX *ctx);
-X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *);
+X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
 void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
-int SSL_want(SSL *s);
+int SSL_want(const SSL *s);
 int     SSL_clear(SSL *s);
 void    SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
-SSL_CIPHER *SSL_get_current_cipher(SSL *s);
+SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
-int     SSL_CIPHER_get_bits(SSL_CIPHER *c,int *alg_bits);
+int     SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits);
-char *  SSL_CIPHER_get_version(SSL_CIPHER *c);
+char *  SSL_CIPHER_get_version(const SSL_CIPHER *c);
-const char *    SSL_CIPHER_get_name(SSL_CIPHER *c);
+const char *    SSL_CIPHER_get_name(const SSL_CIPHER *c);
-int     SSL_get_fd(SSL *s);
+int     SSL_get_fd(const SSL *s);
-int     SSL_get_rfd(SSL *s);
+int     SSL_get_rfd(const SSL *s);
-int     SSL_get_wfd(SSL *s);
+int     SSL_get_wfd(const SSL *s);
-const char  * SSL_get_cipher_list(SSL *s,int n);
+const char  * SSL_get_cipher_list(const SSL *s,int n);
-char *  SSL_get_shared_ciphers(SSL *s, char *buf, int len);
+char *  SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
-int     SSL_get_read_ahead(SSL * s);
+int     SSL_get_read_ahead(const SSL * s);
-int     SSL_pending(SSL *s);
+int     SSL_pending(const SSL *s);
 #ifndef OPENSSL_NO_SOCK
 int     SSL_set_fd(SSL *s, int fd);
 int     SSL_set_rfd(SSL *s, int fd);
@@ -1198,14 +1199,14 @@ int	SSL_set_wfd(SSL *s, int fd);
 #endif
 #ifndef OPENSSL_NO_BIO
 void    SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio);
-BIO *   SSL_get_rbio(SSL *s);
+BIO *   SSL_get_rbio(const SSL *s);
-BIO *   SSL_get_wbio(SSL *s);
+BIO *   SSL_get_wbio(const SSL *s);
 #endif
 int     SSL_set_cipher_list(SSL *s, const char *str);
 void    SSL_set_read_ahead(SSL *s, int yes);
-int     SSL_get_verify_mode(SSL *s);
+int     SSL_get_verify_mode(const SSL *s);
-int     SSL_get_verify_depth(SSL *s);
+int     SSL_get_verify_depth(const SSL *s);
-int     (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *);
+int     (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *);
 void    SSL_set_verify(SSL *s, int mode,
                       int (*callback)(int ok,X509_STORE_CTX *ctx));
 void    SSL_set_verify_depth(SSL *s, int depth);
@@ -1243,20 +1244,20 @@ const char *SSL_state_string(const SSL *s);
 const char *SSL_rstate_string(const SSL *s);
 const char *SSL_state_string_long(const SSL *s);
 const char *SSL_rstate_string_long(const SSL *s);
-long    SSL_SESSION_get_time(SSL_SESSION *s);
+long    SSL_SESSION_get_time(const SSL_SESSION *s);
 long    SSL_SESSION_set_time(SSL_SESSION *s, long t);
-long    SSL_SESSION_get_timeout(SSL_SESSION *s);
+long    SSL_SESSION_get_timeout(const SSL_SESSION *s);
 long    SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
-void    SSL_copy_session_id(SSL *to,SSL *from);
+void    SSL_copy_session_id(SSL *to,const SSL *from);
 SSL_SESSION *SSL_SESSION_new(void);
-unsigned long SSL_SESSION_hash(SSL_SESSION *a);
+unsigned long SSL_SESSION_hash(const SSL_SESSION *a);
-int     SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b);
+int     SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b);
 #ifndef OPENSSL_NO_FP_API
-int     SSL_SESSION_print_fp(FILE *fp,SSL_SESSION *ses);
+int     SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
 #endif
 #ifndef OPENSSL_NO_BIO
-int     SSL_SESSION_print(BIO *fp,SSL_SESSION *ses);
+int     SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses);
 #endif
 void    SSL_SESSION_free(SSL_SESSION *ses);
 int     i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
@@ -1267,17 +1268,18 @@ int	SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
 int     SSL_set_generate_session_id(SSL *, GEN_SESSION_CB);
 int     SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
                                        unsigned int id_len);
-SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,unsigned char **pp,long length);
+SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,const unsigned char * const *pp,
+                             long length);
 #ifdef HEADER_X509_H
-X509 *  SSL_get_peer_certificate(SSL *s);
+X509 *  SSL_get_peer_certificate(const SSL *s);
 #endif
-STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s);
+STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s);
-int SSL_CTX_get_verify_mode(SSL_CTX *ctx);
+int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
-int SSL_CTX_get_verify_depth(SSL_CTX *ctx);
+int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
-int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *);
+int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *);
 void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
                        int (*callback)(int, X509_STORE_CTX *));
 void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
@@ -1295,8 +1297,8 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);
 void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
 void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
-int SSL_CTX_check_private_key(SSL_CTX *ctx);
+int SSL_CTX_check_private_key(const SSL_CTX *ctx);
-int SSL_check_private_key(SSL *ctx);
+int SSL_check_private_key(const SSL *ctx);
 int     SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
                                       unsigned int sid_ctx_len);
@@ -1321,8 +1323,8 @@ long	SSL_callback_ctrl(SSL *, int, void (*)());
 long    SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, void *parg);
 long    SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)());
-int     SSL_get_error(SSL *s,int ret_code);
+int     SSL_get_error(const SSL *s,int ret_code);
-const char *SSL_get_version(SSL *s);
+const char *SSL_get_version(const SSL *s);
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth);
@@ -1343,7 +1345,7 @@ SSL_METHOD *TLSv1_method(void);		/* TLSv1.0 */
 SSL_METHOD *TLSv1_server_method(void);  /* TLSv1.0 */
 SSL_METHOD *TLSv1_client_method(void);  /* TLSv1.0 */
-STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s);
+STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
 int SSL_do_handshake(SSL *s);
 int SSL_renegotiate(SSL *s);
@@ -1359,15 +1361,15 @@ const char *SSL_alert_desc_string(int value);
 void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
 void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
-STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s);
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
-STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *s);
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s);
 int SSL_add_client_CA(SSL *ssl,X509 *x);
 int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x);
 void SSL_set_connect_state(SSL *s);
 void SSL_set_accept_state(SSL *s);
-long SSL_get_default_timeout(SSL *s);
+long SSL_get_default_timeout(const SSL *s);
 int SSL_library_init(void );
@@ -1376,43 +1378,43 @@ STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
 SSL *SSL_dup(SSL *ssl);
-X509 *SSL_get_certificate(SSL *ssl);
+X509 *SSL_get_certificate(const SSL *ssl);
 /* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl);
 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode);
-int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx);
+int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
 void SSL_set_quiet_shutdown(SSL *ssl,int mode);
-int SSL_get_quiet_shutdown(SSL *ssl);
+int SSL_get_quiet_shutdown(const SSL *ssl);
 void SSL_set_shutdown(SSL *ssl,int mode);
-int SSL_get_shutdown(SSL *ssl);
+int SSL_get_shutdown(const SSL *ssl);
-int SSL_version(SSL *ssl);
+int SSL_version(const SSL *ssl);
 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
        const char *CApath);
 #define SSL_get0_session SSL_get_session /* just peek at pointer */
-SSL_SESSION *SSL_get_session(SSL *ssl);
+SSL_SESSION *SSL_get_session(const SSL *ssl);
 SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
-SSL_CTX *SSL_get_SSL_CTX(SSL *ssl);
+SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
 void SSL_set_info_callback(SSL *ssl,
                           void (*cb)(const SSL *ssl,int type,int val));
-void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val);
+void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val);
-int SSL_state(SSL *ssl);
+int SSL_state(const SSL *ssl);
 void SSL_set_verify_result(SSL *ssl,long v);
-long SSL_get_verify_result(SSL *ssl);
+long SSL_get_verify_result(const SSL *ssl);
 int SSL_set_ex_data(SSL *ssl,int idx,void *data);
-void *SSL_get_ex_data(SSL *ssl,int idx);
+void *SSL_get_ex_data(const SSL *ssl,int idx);
 int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
        CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data);
-void *SSL_SESSION_get_ex_data(SSL_SESSION *ss,int idx);
+void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss,int idx);
 int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
        CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data);
-void *SSL_CTX_get_ex_data(SSL_CTX *ssl,int idx);
+void *SSL_CTX_get_ex_data(const SSL_CTX *ssl,int idx);
 int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
        CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
@@ -1603,6 +1605,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_SET_TRUST                              228
 #define SSL_F_SSL_SET_WFD                                196
 #define SSL_F_SSL_SHUTDOWN                               224
+#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION               243
 #define SSL_F_SSL_UNDEFINED_FUNCTION                     197
 #define SSL_F_SSL_USE_CERTIFICATE                        198
 #define SSL_F_SSL_USE_CERTIFICATE_ASN1                   199
@@ -1741,6 +1744,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_NULL_SSL_CTX                               195
 #define SSL_R_NULL_SSL_METHOD_PASSED                     196
 #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED            197
+#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE              1115
 #define SSL_R_PACKET_LENGTH_TOO_LONG                     198
 #define SSL_R_PATH_TOO_LONG                              270
 #define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE          199
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
index d8ff8fc4a3..4d5900ad2f 100644
--- a/src/lib/libssl/ssl_asn1.c
+++ b/src/lib/libssl/ssl_asn1.c
@@ -226,7 +226,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
        M_ASN1_I2D_finish();
        }
-SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
+SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char * const *pp,
             long length)
        {
        int version,ssl_version=0,i;
@@ -266,7 +266,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
                        ((unsigned long)os.data[1]<< 8L)|
                         (unsigned long)os.data[2];
                }
-        else if ((ssl_version>>8) == 3)
+        else if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
                {
                if (os.length != 2)
                        {
@@ -287,9 +287,9 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
        ret->cipher_id=id;
        M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
-        if ((ssl_version>>8) == SSL3_VERSION)
+        if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
                i=SSL3_MAX_SSL_SESSION_ID_LENGTH;
-        else /* if (ssl_version == SSL2_VERSION) */
+        else /* if (ssl_version == SSL2_VERSION_MAJOR) */
                i=SSL2_MAX_SSL_SESSION_ID_LENGTH;
        if (os.length > i)
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 2cfb615878..b8b9bc2390 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -117,6 +117,7 @@
 #if defined(WIN32)
 #include <windows.h>
+#include <tchar.h>
 #endif
 #ifdef NeXT
@@ -129,6 +130,7 @@
 #include <openssl/pem.h>
 #include <openssl/x509v3.h>
 #include "ssl_locl.h"
+#include <openssl/fips.h>
 int SSL_get_ex_data_X509_STORE_CTX_idx(void)
        {
@@ -542,12 +544,12 @@ void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
        set_client_CA_list(&(ctx->client_CA),name_list);
        }
-STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx)
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
        {
        return(ctx->client_CA);
        }
-STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s)
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
        {
        if (s->type == SSL_ST_CONNECT)
                { /* we are in the client */
@@ -783,36 +785,54 @@ err:
 #else /* OPENSSL_SYS_WIN32 */
+#if defined(_WIN32_WCE)
+# ifndef UNICODE
+#  error "WinCE comes in UNICODE flavor only..."
+# endif
+# if _WIN32_WCE<101 && !defined(OPENSSL_NO_MULTIBYTE)
+#  define OPENSSL_NO_MULTIBYTE
+# endif
+# ifndef  FindFirstFile
+#  define FindFirstFile FindFirstFileW
+# endif
+# ifndef  FindNextFile
+#  define FindNextFile FindNextFileW
+# endif
+#endif
 int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
                                       const char *dir)
        {
        WIN32_FIND_DATA FindFileData;
        HANDLE hFind;
-        int ret = 0;
+        int    ret = 0;
-#ifdef OPENSSL_SYS_WINCE
+        TCHAR *wdir = NULL;
-        WCHAR* wdir = NULL;
+        size_t i,len_0 = strlen(dir)+1; /* len_0 accounts for trailing 0 */
-#endif
+        char   buf[1024],*slash;
+        if (len_0 > (sizeof(buf)-14))   /* 14 is just some value... */
+                {
+                SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
+                return ret;
+                }
        CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
-        
-#ifdef OPENSSL_SYS_WINCE
+        if (sizeof(TCHAR) != sizeof(char))
-        /* convert strings to UNICODE */
+                {
-        {
+                wdir = (TCHAR *)malloc(len_0*sizeof(TCHAR));
-                BOOL result = FALSE;
-                int i;
-                wdir = malloc((strlen(dir)+1)*2);
                if (wdir == NULL)
                        goto err_noclose;
-                for (i=0; i<(int)strlen(dir)+1; i++)
+#ifndef OPENSSL_NO_MULTIBYTE
-                        wdir[i] = (short)dir[i];
+                if (!MultiByteToWideChar(CP_ACP,0,dir,len_0,
-        }
+                                        (WCHAR *)wdir,len_0))
 #endif
+                        for (i=0;i<len_0;i++) wdir[i]=(TCHAR)dir[i];
+                hFind = FindFirstFile(wdir, &FindFileData);
+                }
+        else    hFind = FindFirstFile((const TCHAR *)dir, &FindFileData);
-#ifdef OPENSSL_SYS_WINCE
-        hFind = FindFirstFile(wdir, &FindFileData);
-#else
-        hFind = FindFirstFile(dir, &FindFileData);
-#endif
        /* Note that a side effect is that the CAs will be sorted by name */
        if(hFind == INVALID_HANDLE_VALUE)
                {
@@ -821,25 +841,34 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
                SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
                goto err_noclose;
                }
-        
-        do 
+        strncpy(buf,dir,sizeof(buf));   /* strcpy is safe too... */
-                {
+        buf[len_0-1]='/';               /* no trailing zero!     */
-                char buf[1024];
+        slash=buf+len_0;
-                int r;
-                
+        do      {
-#ifdef OPENSSL_SYS_WINCE
+                const TCHAR *fnam=FindFileData.cFileName;
-                if(strlen(dir)+_tcslen(FindFileData.cFileName)+2 > sizeof buf)
+                size_t flen_0=_tcslen(fnam)+1;
-#else
-                if(strlen(dir)+strlen(FindFileData.cFileName)+2 > sizeof buf)
+                if (flen_0 > (sizeof(buf)-len_0))
-#endif
                        {
                        SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
                        goto err;
                        }
-                
+                /* else strcpy would be safe too... */
-                r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,FindFileData.cFileName);
-                if (r <= 0 || r >= sizeof buf)
+                if (sizeof(TCHAR) != sizeof(char))
-                        goto err;
+                        {
+#ifndef OPENSSL_NO_MULTIBYTE
+                        if (!WideCharToMultiByte(CP_ACP,0,
+                                                (WCHAR *)fnam,flen_0,
+                                                slash,sizeof(buf)-len_0,
+                                                NULL,0))
+#endif
+                                for (i=0;i<flen_0;i++) slash[i]=(char)fnam[i];
+                        }
+                else    strncpy(slash,(const char *)fnam,sizeof(buf)-len_0);
                if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
                        goto err;
                }
@@ -849,10 +878,9 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
 err:    
        FindClose(hFind);
 err_noclose:
-#ifdef OPENSSL_SYS_WINCE
        if (wdir != NULL)
                free(wdir);
-#endif
        CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
        return ret;
        }
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 2d6eab20c3..a7ccefa30c 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include <openssl/objects.h>
 #include <openssl/comp.h>
+#include <openssl/fips.h>
 #include "ssl_locl.h"
 #define SSL_ENC_DES_IDX         0
@@ -153,13 +154,13 @@ static const SSL_CIPHER cipher_aliases[]={
        {0,SSL_TXT_LOW,   0, 0,   SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
        {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
        {0,SSL_TXT_HIGH,  0, 0,  SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
+        {0,SSL_TXT_FIPS,  0, 0,  SSL_FIPS, 0,0,0,0,SSL_FIPS|SSL_STRONG_NONE},
        };
 static int init_ciphers=1;
 static void load_ciphers(void)
        {
-        init_ciphers=0;
        ssl_cipher_methods[SSL_ENC_DES_IDX]= 
                EVP_get_cipherbyname(SN_des_cbc);
        ssl_cipher_methods[SSL_ENC_3DES_IDX]=
@@ -183,9 +184,10 @@ static void load_ciphers(void)
                EVP_get_digestbyname(SN_md5);
        ssl_digest_methods[SSL_MD_SHA1_IDX]=
                EVP_get_digestbyname(SN_sha1);
+        init_ciphers=0;
        }
-int ssl_cipher_get_evp(SSL_SESSION *s, const EVP_CIPHER **enc,
+int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
             const EVP_MD **md, SSL_COMP **comp)
        {
        int i;
@@ -359,7 +361,12 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
                {
                c = ssl_method->get_cipher(i);
                /* drop those that use any of that is not available */
+#ifdef OPENSSL_FIPS
+                if ((c != NULL) && c->valid && !(c->algorithms & mask)
+                        && (!FIPS_mode() || (c->algo_strength & SSL_FIPS)))
+#else
                if ((c != NULL) && c->valid && !(c->algorithms & mask))
+#endif
                        {
                        co_list[co_list_num].cipher = c;
                        co_list[co_list_num].next = NULL;
@@ -854,7 +861,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
         */
        for (curr = head; curr != NULL; curr = curr->next)
                {
+#ifdef OPENSSL_FIPS
+                if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
+#else
                if (curr->active)
+#endif
                        {
                        sk_SSL_CIPHER_push(cipherstack, curr->cipher);
 #ifdef CIPHER_DEBUG
@@ -1054,7 +1065,7 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
        return(buf);
        }
-char *SSL_CIPHER_get_version(SSL_CIPHER *c)
+char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
        {
        int i;
@@ -1069,7 +1080,7 @@ char *SSL_CIPHER_get_version(SSL_CIPHER *c)
        }
 /* return the actual cipher being used */
-const char *SSL_CIPHER_get_name(SSL_CIPHER *c)
+const char *SSL_CIPHER_get_name(const SSL_CIPHER *c)
        {
        if (c != NULL)
                return(c->name);
@@ -1077,7 +1088,7 @@ const char *SSL_CIPHER_get_name(SSL_CIPHER *c)
        }
 /* number of bits for symmetric cipher */
-int SSL_CIPHER_get_bits(SSL_CIPHER *c, int *alg_bits)
+int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
        {
        int ret=0;
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index d2cb181503..29b8ff4788 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -193,6 +193,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_PACK(0,SSL_F_SSL_SET_TRUST,0),     "SSL_set_trust"},
 {ERR_PACK(0,SSL_F_SSL_SET_WFD,0),       "SSL_set_wfd"},
 {ERR_PACK(0,SSL_F_SSL_SHUTDOWN,0),      "SSL_shutdown"},
+{ERR_PACK(0,SSL_F_SSL_UNDEFINED_CONST_FUNCTION,0),      "SSL_UNDEFINED_CONST_FUNCTION"},
 {ERR_PACK(0,SSL_F_SSL_UNDEFINED_FUNCTION,0),    "SSL_UNDEFINED_FUNCTION"},
 {ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE,0),       "SSL_use_certificate"},
 {ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE_ASN1,0),  "SSL_use_certificate_ASN1"},
@@ -334,6 +335,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_NULL_SSL_CTX                      ,"null ssl ctx"},
 {SSL_R_NULL_SSL_METHOD_PASSED            ,"null ssl method passed"},
 {SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED   ,"old session cipher not returned"},
+{SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE     ,"only tls allowed in fips mode"},
 {SSL_R_PACKET_LENGTH_TOO_LONG            ,"packet length too long"},
 {SSL_R_PATH_TOO_LONG                     ,"path too long"},
 {SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE ,"peer did not return a certificate"},
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index ee9a82d586..631229558f 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -121,6 +121,7 @@
 #include <openssl/objects.h>
 #include <openssl/lhash.h>
 #include <openssl/x509v3.h>
+#include <openssl/fips.h>
 const char *SSL_version_str=OPENSSL_VERSION_TEXT;
@@ -500,18 +501,18 @@ void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
        s->wbio=wbio;
        }
-BIO *SSL_get_rbio(SSL *s)
+BIO *SSL_get_rbio(const SSL *s)
        { return(s->rbio); }
-BIO *SSL_get_wbio(SSL *s)
+BIO *SSL_get_wbio(const SSL *s)
        { return(s->wbio); }
-int SSL_get_fd(SSL *s)
+int SSL_get_fd(const SSL *s)
        {
        return(SSL_get_rfd(s));
        }
-int SSL_get_rfd(SSL *s)
+int SSL_get_rfd(const SSL *s)
        {
        int ret= -1;
        BIO *b,*r;
@@ -523,7 +524,7 @@ int SSL_get_rfd(SSL *s)
        return(ret);
        }
-int SSL_get_wfd(SSL *s)
+int SSL_get_wfd(const SSL *s)
        {
        int ret= -1;
        BIO *b,*r;
@@ -605,7 +606,7 @@ err:
 /* return length of latest Finished message we sent, copy to 'buf' */
-size_t SSL_get_finished(SSL *s, void *buf, size_t count)
+size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
        {
        size_t ret = 0;
        
@@ -620,7 +621,7 @@ size_t SSL_get_finished(SSL *s, void *buf, size_t count)
        }
 /* return length of latest Finished message we expected, copy to 'buf' */
-size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count)
+size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
        {
        size_t ret = 0;
        
@@ -635,32 +636,32 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count)
        }
-int SSL_get_verify_mode(SSL *s)
+int SSL_get_verify_mode(const SSL *s)
        {
        return(s->verify_mode);
        }
-int SSL_get_verify_depth(SSL *s)
+int SSL_get_verify_depth(const SSL *s)
        {
        return(s->verify_depth);
        }
-int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *)
+int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *)
        {
        return(s->verify_callback);
        }
-int SSL_CTX_get_verify_mode(SSL_CTX *ctx)
+int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
        {
        return(ctx->verify_mode);
        }
-int SSL_CTX_get_verify_depth(SSL_CTX *ctx)
+int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
        {
        return(ctx->verify_depth);
        }
-int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *)
+int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *)
        {
        return(ctx->default_verify_callback);
        }
@@ -683,12 +684,12 @@ void SSL_set_read_ahead(SSL *s,int yes)
        s->read_ahead=yes;
        }
-int SSL_get_read_ahead(SSL *s)
+int SSL_get_read_ahead(const SSL *s)
        {
        return(s->read_ahead);
        }
-int SSL_pending(SSL *s)
+int SSL_pending(const SSL *s)
        {
        /* SSL_pending cannot work properly if read-ahead is enabled
         * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
@@ -700,7 +701,7 @@ int SSL_pending(SSL *s)
        return(s->method->ssl_pending(s));
        }
-X509 *SSL_get_peer_certificate(SSL *s)
+X509 *SSL_get_peer_certificate(const SSL *s)
        {
        X509 *r;
        
@@ -716,7 +717,7 @@ X509 *SSL_get_peer_certificate(SSL *s)
        return(r);
        }
-STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
+STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
        {
        STACK_OF(X509) *r;
        
@@ -733,7 +734,7 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
 /* Now in theory, since the calling process own 't' it should be safe to
 * modify.  We need to be able to read f without being hassled */
-void SSL_copy_session_id(SSL *t,SSL *f)
+void SSL_copy_session_id(SSL *t,const SSL *f)
        {
        CERT *tmp;
@@ -762,7 +763,7 @@ void SSL_copy_session_id(SSL *t,SSL *f)
        }
 /* Fix this so it checks all the valid key/cert options */
-int SSL_CTX_check_private_key(SSL_CTX *ctx)
+int SSL_CTX_check_private_key(const SSL_CTX *ctx)
        {
        if (    (ctx == NULL) ||
                (ctx->cert == NULL) ||
@@ -780,7 +781,7 @@ int SSL_CTX_check_private_key(SSL_CTX *ctx)
        }
 /* Fix this function so that it takes an optional type parameter */
-int SSL_check_private_key(SSL *ssl)
+int SSL_check_private_key(const SSL *ssl)
        {
        if (ssl == NULL)
                {
@@ -824,7 +825,7 @@ int SSL_connect(SSL *s)
        return(s->method->ssl_connect(s));
        }
-long SSL_get_default_timeout(SSL *s)
+long SSL_get_default_timeout(const SSL *s)
        {
        return(s->method->get_timeout());
        }
@@ -1071,7 +1072,7 @@ int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
 /** return a STACK of the ciphers available for the SSL and in order of
 * preference */
-STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s)
+STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
        {
        if (s != NULL)
                {
@@ -1108,7 +1109,7 @@ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
        }
 /** The old interface to get the same thing as SSL_get_ciphers() */
-const char *SSL_get_cipher_list(SSL *s,int n)
+const char *SSL_get_cipher_list(const SSL *s,int n)
        {
        SSL_CIPHER *c;
        STACK_OF(SSL_CIPHER) *sk;
@@ -1145,7 +1146,7 @@ int SSL_set_cipher_list(SSL *s,const char *str)
        }
 /* works well for SSLv2, not so good for SSLv3 */
-char *SSL_get_shared_ciphers(SSL *s,char *buf,int len)
+char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
        {
        char *p;
        const char *cp;
@@ -1249,7 +1250,7 @@ err:
        return(NULL);
        }
-unsigned long SSL_SESSION_hash(SSL_SESSION *a)
+unsigned long SSL_SESSION_hash(const SSL_SESSION *a)
        {
        unsigned long l;
@@ -1266,7 +1267,7 @@ unsigned long SSL_SESSION_hash(SSL_SESSION *a)
 * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
 * able to construct an SSL_SESSION that will collide with any existing session
 * with a matching session ID. */
-int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b)
+int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
        {
        if (a->ssl_version != b->ssl_version)
                return(1);
@@ -1292,6 +1293,14 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
                return(NULL);
                }
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && (meth->version < TLS1_VERSION))      
+                {
+                SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                return NULL;
+                }
+#endif
        if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
                {
                SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
@@ -1722,7 +1731,7 @@ int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth)
        return(ret);
        }
-int SSL_get_error(SSL *s,int i)
+int SSL_get_error(const SSL *s,int i)
        {
        int reason;
        unsigned long l;
@@ -1856,13 +1865,19 @@ int ssl_undefined_function(SSL *s)
        return(0);
        }
+int ssl_undefined_const_function(const SSL *s)
+        {
+        SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+        return(0);
+        }
 SSL_METHOD *ssl_bad_method(int ver)
        {
        SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
        return(NULL);
        }
-const char *SSL_get_version(SSL *s)
+const char *SSL_get_version(const SSL *s)
        {
        if (s->version == TLS1_VERSION)
                return("TLSv1");
@@ -2031,7 +2046,7 @@ void ssl_clear_cipher_ctx(SSL *s)
        }
 /* Fix this function so that it takes an optional type parameter */
-X509 *SSL_get_certificate(SSL *s)
+X509 *SSL_get_certificate(const SSL *s)
        {
        if (s->cert != NULL)
                return(s->cert->key->x509);
@@ -2048,7 +2063,7 @@ EVP_PKEY *SSL_get_privatekey(SSL *s)
                return(NULL);
        }
-SSL_CIPHER *SSL_get_current_cipher(SSL *s)
+SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
        {
        if ((s->session != NULL) && (s->session->cipher != NULL))
                return(s->session->cipher);
@@ -2112,7 +2127,7 @@ void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode)
        ctx->quiet_shutdown=mode;
        }
-int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx)
+int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
        {
        return(ctx->quiet_shutdown);
        }
@@ -2122,7 +2137,7 @@ void SSL_set_quiet_shutdown(SSL *s,int mode)
        s->quiet_shutdown=mode;
        }
-int SSL_get_quiet_shutdown(SSL *s)
+int SSL_get_quiet_shutdown(const SSL *s)
        {
        return(s->quiet_shutdown);
        }
@@ -2132,17 +2147,17 @@ void SSL_set_shutdown(SSL *s,int mode)
        s->shutdown=mode;
        }
-int SSL_get_shutdown(SSL *s)
+int SSL_get_shutdown(const SSL *s)
        {
        return(s->shutdown);
        }
-int SSL_version(SSL *s)
+int SSL_version(const SSL *s)
        {
        return(s->version);
        }
-SSL_CTX *SSL_get_SSL_CTX(SSL *ssl)
+SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
        {
        return(ssl->ctx);
        }
@@ -2156,7 +2171,9 @@ int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
                const char *CApath)
        {
-        return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath));
+        int r;
+        r=X509_STORE_load_locations(ctx->cert_store,CAfile,CApath);
+        return r;
        }
 #endif
@@ -2166,12 +2183,12 @@ void SSL_set_info_callback(SSL *ssl,
        ssl->info_callback=cb;
        }
-void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val)
+void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val)
        {
        return ssl->info_callback;
        }
-int SSL_state(SSL *ssl)
+int SSL_state(const SSL *ssl)
        {
        return(ssl->state);
        }
@@ -2181,7 +2198,7 @@ void SSL_set_verify_result(SSL *ssl,long arg)
        ssl->verify_result=arg;
        }
-long SSL_get_verify_result(SSL *ssl)
+long SSL_get_verify_result(const SSL *ssl)
        {
        return(ssl->verify_result);
        }
@@ -2198,7 +2215,7 @@ int SSL_set_ex_data(SSL *s,int idx,void *arg)
        return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
        }
-void *SSL_get_ex_data(SSL *s,int idx)
+void *SSL_get_ex_data(const SSL *s,int idx)
        {
        return(CRYPTO_get_ex_data(&s->ex_data,idx));
        }
@@ -2215,7 +2232,7 @@ int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg)
        return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
        }
-void *SSL_CTX_get_ex_data(SSL_CTX *s,int idx)
+void *SSL_CTX_get_ex_data(const SSL_CTX *s,int idx)
        {
        return(CRYPTO_get_ex_data(&s->ex_data,idx));
        }
@@ -2225,7 +2242,7 @@ int ssl_ok(SSL *s)
        return(1);
        }
-X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx)
+X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
        {
        return(ctx->cert_store);
        }
@@ -2237,7 +2254,7 @@ void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
        ctx->cert_store=store;
        }
-int SSL_want(SSL *s)
+int SSL_want(const SSL *s)
        {
        return(s->rwstate);
        }
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index dd6c7a7323..25a144a0d0 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -302,8 +302,9 @@
 #define SSL_LOW                 0x00000020L
 #define SSL_MEDIUM              0x00000040L
 #define SSL_HIGH                0x00000080L
+#define SSL_FIPS                0x00000100L
-/* we have used 000000ff - 24 bits left to go */
+/* we have used 000001ff - 23 bits left to go */
 /*
 * Macros to check the export status and cipher strength for export ciphers.
@@ -498,10 +499,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
                                             STACK_OF(SSL_CIPHER) **sorted,
                                             const char *rule_str);
 void ssl_update_cache(SSL *s, int mode);
-int ssl_cipher_get_evp(SSL_SESSION *s,const EVP_CIPHER **enc,const EVP_MD **md,
+int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
-                       SSL_COMP **comp);
+                       const EVP_MD **md,SSL_COMP **comp);
 int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
 int ssl_undefined_function(SSL *s);
+int ssl_undefined_const_function(const SSL *s);
 X509 *ssl_get_server_send_cert(SSL *);
 EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
 int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
@@ -535,7 +537,7 @@ long	ssl2_ctrl(SSL *s,int cmd, long larg, void *parg);
 long    ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
 long    ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)());
 long    ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
-int     ssl2_pending(SSL *s);
+int     ssl2_pending(const SSL *s);
 SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
 int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
@@ -583,7 +585,7 @@ long	ssl3_ctrl(SSL *s,int cmd, long larg, void *parg);
 long    ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
 long    ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)());
 long    ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
-int     ssl3_pending(SSL *s);
+int     ssl3_pending(const SSL *s);
 int ssl23_accept(SSL *s);
 int ssl23_connect(SSL *s);
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 330390519b..fb0bd4d045 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -804,7 +804,7 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
                /* When the while loop ends, it's usually just EOF. */
                err = ERR_peek_last_error();
                if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
-                        (void)ERR_get_error();
+                        ERR_clear_error();
                else 
                        ret = 0; /* some real error */
                }
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 7016c87d3b..5f12aa361c 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -65,7 +65,7 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
 static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
 static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
-SSL_SESSION *SSL_get_session(SSL *ssl)
+SSL_SESSION *SSL_get_session(const SSL *ssl)
 /* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
        {
        return(ssl->session);
@@ -98,7 +98,7 @@ int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
        return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
        }
-void *SSL_SESSION_get_ex_data(SSL_SESSION *s, int idx)
+void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
        {
        return(CRYPTO_get_ex_data(&s->ex_data,idx));
        }
@@ -141,7 +141,8 @@ static int def_generate_session_id(const SSL *ssl, unsigned char *id,
 {
        unsigned int retry = 0;
        do
-                RAND_pseudo_bytes(id, *id_len);
+                if(RAND_pseudo_bytes(id, *id_len) <= 0)
+                        return 0;
        while(SSL_has_matching_session_id(ssl, id, *id_len) &&
                (++retry < MAX_SESS_ID_ATTEMPTS));
        if(retry < MAX_SESS_ID_ATTEMPTS)
@@ -609,13 +610,13 @@ long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
        return(1);
        }
-long SSL_SESSION_get_timeout(SSL_SESSION *s)
+long SSL_SESSION_get_timeout(const SSL_SESSION *s)
        {
        if (s == NULL) return(0);
        return(s->timeout);
        }
-long SSL_SESSION_get_time(SSL_SESSION *s)
+long SSL_SESSION_get_time(const SSL_SESSION *s)
        {
        if (s == NULL) return(0);
        return(s->time);
@@ -637,7 +638,7 @@ long SSL_CTX_set_timeout(SSL_CTX *s, long t)
        return(l);
        }
-long SSL_CTX_get_timeout(SSL_CTX *s)
+long SSL_CTX_get_timeout(const SSL_CTX *s)
        {
        if (s == NULL) return(0);
        return(s->session_timeout);
diff --git a/src/lib/libssl/ssl_txt.c b/src/lib/libssl/ssl_txt.c
index 40b76b1b26..8655a31333 100644
--- a/src/lib/libssl/ssl_txt.c
+++ b/src/lib/libssl/ssl_txt.c
@@ -61,7 +61,7 @@
 #include "ssl_locl.h"
 #ifndef OPENSSL_NO_FP_API
-int SSL_SESSION_print_fp(FILE *fp, SSL_SESSION *x)
+int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x)
        {
        BIO *b;
        int ret;
@@ -78,7 +78,7 @@ int SSL_SESSION_print_fp(FILE *fp, SSL_SESSION *x)
        }
 #endif
-int SSL_SESSION_print(BIO *bp, SSL_SESSION *x)
+int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
        {
        unsigned int i;
        char *s;
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 271e247eea..2c6246abf5 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -115,6 +115,7 @@
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/md5.h>
+#include <openssl/fips.h>
 static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
                        int sec_len, unsigned char *seed, int seed_len,
@@ -131,6 +132,8 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
        HMAC_CTX_init(&ctx);
        HMAC_CTX_init(&ctx_tmp);
+        HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+        HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
        HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
        HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
        HMAC_Update(&ctx,seed,seed_len);
@@ -177,7 +180,6 @@ static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
        S2= &(sec[len]);
        len+=(slen&1); /* add for odd, make longer */
-        
        tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
        tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
diff --git a/src/lib/libssl/test/bctest b/src/lib/libssl/test/bctest
index bdb3218f7a..e81fc0733a 100644
--- a/src/lib/libssl/test/bctest
+++ b/src/lib/libssl/test/bctest
@@ -1,6 +1,6 @@
 #!/bin/sh
-# This script is used by test/Makefile.ssl to check whether a sane 'bc'
+# This script is used by test/Makefile to check whether a sane 'bc'
 # is installed.
 # ('make test_bn' should not try to run 'bc' if it does not exist or if
 # it is a broken 'bc' version that is known to cause trouble.)
diff --git a/src/lib/libssl/test/maketests.com b/src/lib/libssl/test/maketests.com
index 7c44e4545a..dfbfef7b1b 100644
--- a/src/lib/libssl/test/maketests.com
+++ b/src/lib/libssl/test/maketests.com
@@ -615,7 +615,7 @@ $     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
         THEN CC = "CC/DECC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
           "/NOLIST/PREFIX=ALL" + -
-           "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+           "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
@@ -648,7 +648,7 @@ $	EXIT
 $     ENDIF
 $     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-           "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+           "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
 $     CCDEFS = CCDEFS + ",""VAXC"""
 $!
 $!    Define <sys> As SYS$COMMON:[SYSLIB]
@@ -679,7 +679,7 @@ $!
 $!    Use GNU C...
 $!
 $     CC = "GCC/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-           "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+           "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
diff --git a/src/lib/libssl/test/tcrl b/src/lib/libssl/test/tcrl
index f71ef7a863..3ffed12a03 100644
--- a/src/lib/libssl/test/tcrl
+++ b/src/lib/libssl/test/tcrl
@@ -7,7 +7,7 @@ else
 fi
 export PATH
-cmd='../apps/openssl crl'
+cmd='../util/shlib_wrap.sh ../apps/openssl crl'
 if [ "$1"x != "x" ]; then
        t=$1
diff --git a/src/lib/libssl/test/testca b/src/lib/libssl/test/testca
index 8215ebb5d1..5b2faa78f1 100644
--- a/src/lib/libssl/test/testca
+++ b/src/lib/libssl/test/testca
@@ -11,6 +11,9 @@ export SH PATH
 SSLEAY_CONFIG="-config CAss.cnf"
 export SSLEAY_CONFIG
+OPENSSL="`pwd`/../util/shlib_wrap.sh openssl"
+export OPENSSL
 /bin/rm -fr demoCA
 $SH ../apps/CA.sh -newca <<EOF
 EOF
diff --git a/src/lib/libssl/test/testenc b/src/lib/libssl/test/testenc
index 0656c7f525..4571ea2875 100644
--- a/src/lib/libssl/test/testenc
+++ b/src/lib/libssl/test/testenc
@@ -1,14 +1,14 @@
 #!/bin/sh
-testsrc=Makefile.ssl
+testsrc=Makefile
 test=./p
-cmd=../apps/openssl
+cmd="../util/shlib_wrap.sh ../apps/openssl"
 cat $testsrc >$test;
 echo cat
-$cmd enc < $test > $test.cipher
+$cmd enc -non-fips-allow < $test > $test.cipher
-$cmd enc < $test.cipher >$test.clear
+$cmd enc -non-fips-allow < $test.cipher >$test.clear
 cmp $test $test.clear
 if [ $? != 0 ]
 then
@@ -17,8 +17,8 @@ else
        /bin/rm $test.cipher $test.clear
 fi
 echo base64
-$cmd enc -a -e < $test > $test.cipher
+$cmd enc -non-fips-allow -a -e < $test > $test.cipher
-$cmd enc -a -d < $test.cipher >$test.clear
+$cmd enc -non-fips-allow -a -d < $test.cipher >$test.clear
 cmp $test $test.clear
 if [ $? != 0 ]
 then
@@ -30,8 +30,8 @@ fi
 for i in `$cmd list-cipher-commands`
 do
        echo $i
-        $cmd $i -bufsize 113 -e -k test < $test > $test.$i.cipher
+        $cmd $i -non-fips-allow -bufsize 113 -e -k test < $test > $test.$i.cipher
-        $cmd $i -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear
+        $cmd $i -non-fips-allow -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear
        cmp $test $test.$i.clear
        if [ $? != 0 ]
        then
@@ -41,8 +41,8 @@ do
        fi
        echo $i base64
-        $cmd $i -bufsize 113 -a -e -k test < $test > $test.$i.cipher
+        $cmd $i -non-fips-allow -bufsize 113 -a -e -k test < $test > $test.$i.cipher
-        $cmd $i -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear
+        $cmd $i -non-fips-allow -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear
        cmp $test $test.$i.clear
        if [ $? != 0 ]
        then
diff --git a/src/lib/libssl/test/testenc.com b/src/lib/libssl/test/testenc.com
index c24fa388c0..5e6f521f9d 100644
--- a/src/lib/libssl/test/testenc.com
+++ b/src/lib/libssl/test/testenc.com
@@ -4,7 +4,7 @@ $	__arch := VAX
 $       if f$getsyi("cpu") .ge. 128 then __arch := AXP
 $       exe_dir := sys$disk:[-.'__arch'.exe.apps]
 $
-$       testsrc := makefile.ssl
+$       testsrc := makefile.
 $       test := p.txt
 $       cmd := mcr 'exe_dir'openssl
 $
diff --git a/src/lib/libssl/test/testgen b/src/lib/libssl/test/testgen
index 3798543e04..524c0d134c 100644
--- a/src/lib/libssl/test/testgen
+++ b/src/lib/libssl/test/testgen
@@ -17,7 +17,7 @@ echo "generating certificate request"
 echo "string to make the random number generator think it has entropy" >> ./.rnd
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
  req_new='-newkey dsa:../apps/dsa512.pem'
 else
  req_new='-new'
@@ -29,13 +29,13 @@ echo "This could take some time."
 rm -f testkey.pem testreq.pem
-../apps/openssl req -config test.cnf $req_new -out testreq.pem
+../util/shlib_wrap.sh ../apps/openssl req -config test.cnf $req_new -out testreq.pem
 if [ $? != 0 ]; then
 echo problems creating request
 exit 1
 fi
-../apps/openssl req -config test.cnf -verify -in testreq.pem -noout
+../util/shlib_wrap.sh ../apps/openssl req -config test.cnf -verify -in testreq.pem -noout
 if [ $? != 0 ]; then
 echo signature on req is wrong
 exit 1
diff --git a/src/lib/libssl/test/testss b/src/lib/libssl/test/testss
index 8d3557f356..1a426857d3 100644
--- a/src/lib/libssl/test/testss
+++ b/src/lib/libssl/test/testss
@@ -1,9 +1,9 @@
 #!/bin/sh
-digest='-md5'
+digest='-sha1'
-reqcmd="../apps/openssl req"
+reqcmd="../util/shlib_wrap.sh ../apps/openssl req"
-x509cmd="../apps/openssl x509 $digest"
+x509cmd="../util/shlib_wrap.sh ../apps/openssl x509 $digest"
-verifycmd="../apps/openssl verify"
+verifycmd="../util/shlib_wrap.sh ../apps/openssl verify"
 dummycnf="../apps/openssl.cnf"
 CAkey="keyCA.ss"
@@ -17,12 +17,24 @@ Ukey="keyU.ss"
 Ureq="reqU.ss"
 Ucert="certU.ss"
+P1conf="P1ss.cnf"
+P1key="keyP1.ss"
+P1req="reqP1.ss"
+P1cert="certP1.ss"
+P1intermediate="tmp_intP1.ss"
+P2conf="P2ss.cnf"
+P2key="keyP2.ss"
+P2req="reqP2.ss"
+P2cert="certP2.ss"
+P2intermediate="tmp_intP2.ss"
 echo
 echo "make a certificate request using 'req'"
 echo "string to make the random number generator think it has entropy" >> ./.rnd
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
  req_new='-newkey dsa:../apps/dsa512.pem'
 else
  req_new='-new'
@@ -35,7 +47,7 @@ if [ $? != 0 ]; then
 fi
 echo
 echo "convert the certificate request into a self signed certificate using 'x509'"
-$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey >err.ss
+$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey -extfile $CAconf -extensions v3_ca >err.ss
 if [ $? != 0 ]; then
        echo "error using 'x509' to self sign a certificate request"
        exit 1
@@ -68,18 +80,18 @@ if [ $? != 0 ]; then
 fi
 echo
-echo "make another certificate request using 'req'"
+echo "make a user certificate request using 'req'"
 $reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss
 if [ $? != 0 ]; then
-        echo "error using 'req' to generate a certificate request"
+        echo "error using 'req' to generate a user certificate request"
        exit 1
 fi
 echo
-echo "sign certificate request with the just created CA via 'x509'"
+echo "sign user certificate request with the just created CA via 'x509'"
-$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey >err.ss
+$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -extfile $Uconf -extensions v3_ee >err.ss
 if [ $? != 0 ]; then
-        echo "error using 'x509' to sign a certificate request"
+        echo "error using 'x509' to sign a user certificate request"
        exit 1
 fi
@@ -89,11 +101,63 @@ echo "Certificate details"
 $x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert
 echo
+echo "make a proxy certificate request using 'req'"
+$reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss
+if [ $? != 0 ]; then
+        echo "error using 'req' to generate a proxy certificate request"
+        exit 1
+fi
+echo
+echo "sign proxy certificate request with the just created user certificate via 'x509'"
+$x509cmd -CAcreateserial -in $P1req -days 30 -req -out $P1cert -CA $Ucert -CAkey $Ukey -extfile $P1conf -extensions v3_proxy >err.ss
+if [ $? != 0 ]; then
+        echo "error using 'x509' to sign a proxy certificate request"
+        exit 1
+fi
+cat $Ucert > $P1intermediate
+$verifycmd -CAfile $CAcert -untrusted $P1intermediate $P1cert
+echo
+echo "Certificate details"
+$x509cmd -subject -issuer -startdate -enddate -noout -in $P1cert
+echo
+echo "make another proxy certificate request using 'req'"
+$reqcmd -config $P2conf -out $P2req -keyout $P2key $req_new >err.ss
+if [ $? != 0 ]; then
+        echo "error using 'req' to generate another proxy certificate request"
+        exit 1
+fi
+echo
+echo "sign second proxy certificate request with the first proxy certificate via 'x509'"
+$x509cmd -CAcreateserial -in $P2req -days 30 -req -out $P2cert -CA $P1cert -CAkey $P1key -extfile $P2conf -extensions v3_proxy >err.ss
+if [ $? != 0 ]; then
+        echo "error using 'x509' to sign a second proxy certificate request"
+        exit 1
+fi
+cat $Ucert $P1cert > $P2intermediate
+$verifycmd -CAfile $CAcert -untrusted $P2intermediate $P2cert
+echo
+echo "Certificate details"
+$x509cmd -subject -issuer -startdate -enddate -noout -in $P2cert
+echo
 echo The generated CA certificate is $CAcert
 echo The generated CA private key is $CAkey
 echo The generated user certificate is $Ucert
 echo The generated user private key is $Ukey
+echo The first generated proxy certificate is $P1cert
+echo The first generated proxy private key is $P1key
+echo The second generated proxy certificate is $P2cert
+echo The second generated proxy private key is $P2key
 /bin/rm err.ss
+#/bin/rm $P1intermediate
+#/bin/rm $P2intermediate
 exit 0
diff --git a/src/lib/libssl/test/testssl b/src/lib/libssl/test/testssl
index ca8e718022..8ac90ae5ee 100644
--- a/src/lib/libssl/test/testssl
+++ b/src/lib/libssl/test/testssl
@@ -10,9 +10,9 @@ if [ "$2" = "" ]; then
 else
  cert="$2"
 fi
-ssltest="./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
+ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
-if ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
+if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
  dsa_cert=YES
 else
  dsa_cert=NO
@@ -121,24 +121,24 @@ $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
 #############################################################################
-if ../apps/openssl no-dh; then
+if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
  echo skipping anonymous DH tests
 else
  echo test tls1 with 1024bit anonymous DH, multiple handshakes
  $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
 fi
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
  echo skipping RSA tests
 else
  echo test tls1 with 1024bit RSA, no DHE, multiple handshakes
-  ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
+  ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
-  if ../apps/openssl no-dh; then
+  if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
    echo skipping RSA+DHE tests
  else
    echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
-    ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
+    ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
  fi
 fi
diff --git a/src/lib/libssl/test/tpkcs7 b/src/lib/libssl/test/tpkcs7
index cf3bd9fadb..79bb6e0edf 100644
--- a/src/lib/libssl/test/tpkcs7
+++ b/src/lib/libssl/test/tpkcs7
@@ -7,7 +7,7 @@ else
 fi
 export PATH
-cmd='../apps/openssl pkcs7'
+cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
 if [ "$1"x != "x" ]; then
        t=$1
diff --git a/src/lib/libssl/test/tpkcs7d b/src/lib/libssl/test/tpkcs7d
index 18f9311b06..20394b34c4 100644
--- a/src/lib/libssl/test/tpkcs7d
+++ b/src/lib/libssl/test/tpkcs7d
@@ -7,7 +7,7 @@ else
 fi
 export PATH
-cmd='../apps/openssl pkcs7'
+cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
 if [ "$1"x != "x" ]; then
        t=$1
diff --git a/src/lib/libssl/test/treq b/src/lib/libssl/test/treq
index 47a8273cde..7e020210a5 100644
--- a/src/lib/libssl/test/treq
+++ b/src/lib/libssl/test/treq
@@ -7,7 +7,7 @@ else
 fi
 export PATH
-cmd='../apps/openssl req -config ../apps/openssl.cnf'
+cmd='../util/shlib_wrap.sh ../apps/openssl req -config ../apps/openssl.cnf'
 if [ "$1"x != "x" ]; then
        t=$1
diff --git a/src/lib/libssl/test/trsa b/src/lib/libssl/test/trsa
index 413e2ec0a0..67b4a98841 100644
--- a/src/lib/libssl/test/trsa
+++ b/src/lib/libssl/test/trsa
@@ -7,12 +7,12 @@ else
 fi
 export PATH
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
  echo skipping rsa conversion test
  exit 0
 fi
-cmd='../apps/openssl rsa'
+cmd='../util/shlib_wrap.sh ../apps/openssl rsa'
 if [ "$1"x != "x" ]; then
        t=$1
diff --git a/src/lib/libssl/test/tsid b/src/lib/libssl/test/tsid
index 40a1dfa97c..fb4a7213b9 100644
--- a/src/lib/libssl/test/tsid
+++ b/src/lib/libssl/test/tsid
@@ -7,7 +7,7 @@ else
 fi
 export PATH
-cmd='../apps/openssl sess_id'
+cmd='../util/shlib_wrap.sh ../apps/openssl sess_id'
 if [ "$1"x != "x" ]; then
        t=$1
diff --git a/src/lib/libssl/test/tverify.com b/src/lib/libssl/test/tverify.com
index f97e71478f..2060184d1e 100644
--- a/src/lib/libssl/test/tverify.com
+++ b/src/lib/libssl/test/tverify.com
@@ -15,12 +15,15 @@ $	f = f$search("[-.certs]*.pem")
 $       if f .nes. "" .and. f .nes. old_f
 $       then
 $           certs = certs + " [-.certs]" + f$parse(f,,,"NAME") + ".pem"
-$           if f$length(certs) .lt. 180 then goto loop_certs2
 $           c := YES
+$           if f$length(certs) .lt. 180 then goto loop_certs2
 $       endif
 $       certs = certs - " "
 $
-$       mcr 'exe_dir'openssl verify "-CAfile" certs.tmp 'certs'
+$       if c
-$       if c then goto loop_certs
+$       then
+$           mcr 'exe_dir'openssl verify "-CAfile" certs.tmp 'certs'
+$           goto loop_certs
+$       endif
 $
 $       delete certs.tmp;*
diff --git a/src/lib/libssl/test/tx509 b/src/lib/libssl/test/tx509
index d380963abc..1b9c8661f3 100644
--- a/src/lib/libssl/test/tx509
+++ b/src/lib/libssl/test/tx509
@@ -7,7 +7,7 @@ else
 fi
 export PATH
-cmd='../apps/openssl x509'
+cmd='../util/shlib_wrap.sh ../apps/openssl x509'
 if [ "$1"x != "x" ]; then
        t=$1