116 files changed, 4130 insertions, 2104 deletions

diff --git a/src/lib/libcrypto/aes/aes_cbc.c b/src/lib/libcrypto/aes/aes_cbc.c
index d2ba6bcdb4..373864cd4b 100644
--- a/src/lib/libcrypto/aes/aes_cbc.c
+++ b/src/lib/libcrypto/aes/aes_cbc.c
@@ -59,6 +59,7 @@
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
+#if !defined(OPENSSL_FIPS_AES_ASM)
 void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
                      const unsigned long length, const AES_KEY *key,
                      unsigned char *ivec, const int enc) {
@@ -129,3 +130,4 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
                 }
         }
 }
+#endif
diff --git a/src/lib/libcrypto/asn1/asn1.h b/src/lib/libcrypto/asn1/asn1.h
index ceaeb4cbe3..0184b475a7 100644
--- a/src/lib/libcrypto/asn1/asn1.h
+++ b/src/lib/libcrypto/asn1/asn1.h
@@ -962,6 +962,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_ASN1_DUP                                  111
 #define ASN1_F_ASN1_ENUMERATED_SET                       112
 #define ASN1_F_ASN1_ENUMERATED_TO_BN                     113
+#define ASN1_F_ASN1_FIND_END                             182
 #define ASN1_F_ASN1_GENERALIZEDTIME_SET                  178
 #define ASN1_F_ASN1_GET_OBJECT                           114
 #define ASN1_F_ASN1_HEADER_NEW                           115
@@ -1075,6 +1076,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_MISSING_SECOND_NUMBER                     138
 #define ASN1_R_MSTRING_NOT_UNIVERSAL                     139
 #define ASN1_R_MSTRING_WRONG_TAG                         140
+#define ASN1_R_NESTED_ASN1_STRING                        174
 #define ASN1_R_NON_HEX_CHARACTERS                        141
 #define ASN1_R_NOT_ENOUGH_DATA                           142
 #define ASN1_R_NO_MATCHING_CHOICE_TYPE                   143
diff --git a/src/lib/libcrypto/asn1/asn1_err.c b/src/lib/libcrypto/asn1/asn1_err.c
index 3b57c8fbae..315d0a0807 100644
--- a/src/lib/libcrypto/asn1/asn1_err.c
+++ b/src/lib/libcrypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,169 +64,175 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_ASN1,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_ASN1,0,reason)
+
 static ERR_STRING_DATA ASN1_str_functs[]=
         {
-{ERR_PACK(0,ASN1_F_A2D_ASN1_OBJECT,0),  "a2d_ASN1_OBJECT"},
-{ERR_PACK(0,ASN1_F_A2I_ASN1_ENUMERATED,0),      "a2i_ASN1_ENUMERATED"},
-{ERR_PACK(0,ASN1_F_A2I_ASN1_INTEGER,0), "a2i_ASN1_INTEGER"},
-{ERR_PACK(0,ASN1_F_A2I_ASN1_STRING,0),  "a2i_ASN1_STRING"},
-{ERR_PACK(0,ASN1_F_ASN1_BIT_STRING_SET_BIT,0),  "ASN1_BIT_STRING_set_bit"},
-{ERR_PACK(0,ASN1_F_ASN1_CHECK_TLEN,0),  "ASN1_CHECK_TLEN"},
-{ERR_PACK(0,ASN1_F_ASN1_COLLATE_PRIMITIVE,0),   "ASN1_COLLATE_PRIMITIVE"},
-{ERR_PACK(0,ASN1_F_ASN1_COLLECT,0),     "ASN1_COLLECT"},
-{ERR_PACK(0,ASN1_F_ASN1_D2I_BIO,0),     "ASN1_d2i_bio"},
-{ERR_PACK(0,ASN1_F_ASN1_D2I_EX_PRIMITIVE,0),    "ASN1_D2I_EX_PRIMITIVE"},
-{ERR_PACK(0,ASN1_F_ASN1_D2I_FP,0),      "ASN1_d2i_fp"},
-{ERR_PACK(0,ASN1_F_ASN1_DIGEST,0),      "ASN1_digest"},
-{ERR_PACK(0,ASN1_F_ASN1_DO_ADB,0),      "ASN1_DO_ADB"},
-{ERR_PACK(0,ASN1_F_ASN1_DUP,0), "ASN1_dup"},
-{ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_SET,0),      "ASN1_ENUMERATED_set"},
-{ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_TO_BN,0),    "ASN1_ENUMERATED_to_BN"},
-{ERR_PACK(0,ASN1_F_ASN1_GENERALIZEDTIME_SET,0), "ASN1_GENERALIZEDTIME_set"},
-{ERR_PACK(0,ASN1_F_ASN1_GET_OBJECT,0),  "ASN1_get_object"},
-{ERR_PACK(0,ASN1_F_ASN1_HEADER_NEW,0),  "ASN1_HEADER_new"},
-{ERR_PACK(0,ASN1_F_ASN1_I2D_BIO,0),     "ASN1_i2d_bio"},
-{ERR_PACK(0,ASN1_F_ASN1_I2D_FP,0),      "ASN1_i2d_fp"},
-{ERR_PACK(0,ASN1_F_ASN1_INTEGER_SET,0), "ASN1_INTEGER_set"},
-{ERR_PACK(0,ASN1_F_ASN1_INTEGER_TO_BN,0),       "ASN1_INTEGER_to_BN"},
-{ERR_PACK(0,ASN1_F_ASN1_ITEM_EX_D2I,0), "ASN1_ITEM_EX_D2I"},
-{ERR_PACK(0,ASN1_F_ASN1_ITEM_NEW,0),    "ASN1_item_new"},
-{ERR_PACK(0,ASN1_F_ASN1_MBSTRING_COPY,0),       "ASN1_mbstring_copy"},
-{ERR_PACK(0,ASN1_F_ASN1_OBJECT_NEW,0),  "ASN1_OBJECT_new"},
-{ERR_PACK(0,ASN1_F_ASN1_PACK_STRING,0), "ASN1_pack_string"},
-{ERR_PACK(0,ASN1_F_ASN1_PBE_SET,0),     "ASN1_PBE_SET"},
-{ERR_PACK(0,ASN1_F_ASN1_SEQ_PACK,0),    "ASN1_seq_pack"},
-{ERR_PACK(0,ASN1_F_ASN1_SEQ_UNPACK,0),  "ASN1_seq_unpack"},
-{ERR_PACK(0,ASN1_F_ASN1_SIGN,0),        "ASN1_sign"},
-{ERR_PACK(0,ASN1_F_ASN1_STRING_SET,0),  "ASN1_STRING_set"},
-{ERR_PACK(0,ASN1_F_ASN1_STRING_TABLE_ADD,0),    "ASN1_STRING_TABLE_add"},
-{ERR_PACK(0,ASN1_F_ASN1_STRING_TYPE_NEW,0),     "ASN1_STRING_type_new"},
-{ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_D2I,0),        "ASN1_TEMPLATE_D2I"},
-{ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_EX_D2I,0),     "ASN1_TEMPLATE_EX_D2I"},
-{ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_NEW,0),        "ASN1_TEMPLATE_NEW"},
-{ERR_PACK(0,ASN1_F_ASN1_TIME_SET,0),    "ASN1_TIME_set"},
-{ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0),    "ASN1_TYPE_get_int_octetstring"},
-{ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0),        "ASN1_TYPE_get_octetstring"},
-{ERR_PACK(0,ASN1_F_ASN1_UNPACK_STRING,0),       "ASN1_unpack_string"},
-{ERR_PACK(0,ASN1_F_ASN1_UTCTIME_SET,0), "ASN1_UTCTIME_set"},
-{ERR_PACK(0,ASN1_F_ASN1_VERIFY,0),      "ASN1_verify"},
-{ERR_PACK(0,ASN1_F_BN_TO_ASN1_ENUMERATED,0),    "BN_to_ASN1_ENUMERATED"},
-{ERR_PACK(0,ASN1_F_BN_TO_ASN1_INTEGER,0),       "BN_to_ASN1_INTEGER"},
-{ERR_PACK(0,ASN1_F_COLLECT_DATA,0),     "COLLECT_DATA"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_BIT_STRING,0),      "D2I_ASN1_BIT_STRING"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_BOOLEAN,0), "d2i_ASN1_BOOLEAN"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_BYTES,0),   "d2i_ASN1_bytes"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_GENERALIZEDTIME,0), "D2I_ASN1_GENERALIZEDTIME"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_HEADER,0),  "d2i_ASN1_HEADER"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_INTEGER,0), "D2I_ASN1_INTEGER"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_OBJECT,0),  "d2i_ASN1_OBJECT"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_SET,0),     "d2i_ASN1_SET"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_TYPE_BYTES,0),      "d2i_ASN1_type_bytes"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_UINTEGER,0),        "d2i_ASN1_UINTEGER"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_UTCTIME,0), "D2I_ASN1_UTCTIME"},
-{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_RSA,0), "d2i_Netscape_RSA"},
-{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_RSA_2,0),       "D2I_NETSCAPE_RSA_2"},
-{ERR_PACK(0,ASN1_F_D2I_PRIVATEKEY,0),   "d2i_PrivateKey"},
-{ERR_PACK(0,ASN1_F_D2I_PUBLICKEY,0),    "d2i_PublicKey"},
-{ERR_PACK(0,ASN1_F_D2I_X509,0), "D2I_X509"},
-{ERR_PACK(0,ASN1_F_D2I_X509_CINF,0),    "D2I_X509_CINF"},
-{ERR_PACK(0,ASN1_F_D2I_X509_NAME,0),    "D2I_X509_NAME"},
-{ERR_PACK(0,ASN1_F_D2I_X509_PKEY,0),    "d2i_X509_PKEY"},
-{ERR_PACK(0,ASN1_F_I2D_ASN1_SET,0),     "i2d_ASN1_SET"},
-{ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0),    "I2D_ASN1_TIME"},
-{ERR_PACK(0,ASN1_F_I2D_DSA_PUBKEY,0),   "i2d_DSA_PUBKEY"},
-{ERR_PACK(0,ASN1_F_I2D_NETSCAPE_RSA,0), "i2d_Netscape_RSA"},
-{ERR_PACK(0,ASN1_F_I2D_PRIVATEKEY,0),   "i2d_PrivateKey"},
-{ERR_PACK(0,ASN1_F_I2D_PUBLICKEY,0),    "i2d_PublicKey"},
-{ERR_PACK(0,ASN1_F_I2D_RSA_PUBKEY,0),   "i2d_RSA_PUBKEY"},
-{ERR_PACK(0,ASN1_F_LONG_C2I,0), "LONG_C2I"},
-{ERR_PACK(0,ASN1_F_OID_MODULE_INIT,0),  "OID_MODULE_INIT"},
-{ERR_PACK(0,ASN1_F_PKCS5_PBE2_SET,0),   "PKCS5_pbe2_set"},
-{ERR_PACK(0,ASN1_F_X509_CINF_NEW,0),    "X509_CINF_NEW"},
-{ERR_PACK(0,ASN1_F_X509_CRL_ADD0_REVOKED,0),    "X509_CRL_add0_revoked"},
-{ERR_PACK(0,ASN1_F_X509_INFO_NEW,0),    "X509_INFO_new"},
-{ERR_PACK(0,ASN1_F_X509_NAME_NEW,0),    "X509_NAME_NEW"},
-{ERR_PACK(0,ASN1_F_X509_NEW,0), "X509_NEW"},
-{ERR_PACK(0,ASN1_F_X509_PKEY_NEW,0),    "X509_PKEY_new"},
+{ERR_FUNC(ASN1_F_A2D_ASN1_OBJECT),      "a2d_ASN1_OBJECT"},
+{ERR_FUNC(ASN1_F_A2I_ASN1_ENUMERATED),  "a2i_ASN1_ENUMERATED"},
+{ERR_FUNC(ASN1_F_A2I_ASN1_INTEGER),     "a2i_ASN1_INTEGER"},
+{ERR_FUNC(ASN1_F_A2I_ASN1_STRING),      "a2i_ASN1_STRING"},
+{ERR_FUNC(ASN1_F_ASN1_BIT_STRING_SET_BIT),      "ASN1_BIT_STRING_set_bit"},
+{ERR_FUNC(ASN1_F_ASN1_CHECK_TLEN),      "ASN1_CHECK_TLEN"},
+{ERR_FUNC(ASN1_F_ASN1_COLLATE_PRIMITIVE),       "ASN1_COLLATE_PRIMITIVE"},
+{ERR_FUNC(ASN1_F_ASN1_COLLECT), "ASN1_COLLECT"},
+{ERR_FUNC(ASN1_F_ASN1_D2I_BIO), "ASN1_d2i_bio"},
+{ERR_FUNC(ASN1_F_ASN1_D2I_EX_PRIMITIVE),        "ASN1_D2I_EX_PRIMITIVE"},
+{ERR_FUNC(ASN1_F_ASN1_D2I_FP),  "ASN1_d2i_fp"},
+{ERR_FUNC(ASN1_F_ASN1_DIGEST),  "ASN1_digest"},
+{ERR_FUNC(ASN1_F_ASN1_DO_ADB),  "ASN1_DO_ADB"},
+{ERR_FUNC(ASN1_F_ASN1_DUP),     "ASN1_dup"},
+{ERR_FUNC(ASN1_F_ASN1_ENUMERATED_SET),  "ASN1_ENUMERATED_set"},
+{ERR_FUNC(ASN1_F_ASN1_ENUMERATED_TO_BN),        "ASN1_ENUMERATED_to_BN"},
+{ERR_FUNC(ASN1_F_ASN1_FIND_END),        "ASN1_FIND_END"},
+{ERR_FUNC(ASN1_F_ASN1_GENERALIZEDTIME_SET),     "ASN1_GENERALIZEDTIME_set"},
+{ERR_FUNC(ASN1_F_ASN1_GET_OBJECT),      "ASN1_get_object"},
+{ERR_FUNC(ASN1_F_ASN1_HEADER_NEW),      "ASN1_HEADER_new"},
+{ERR_FUNC(ASN1_F_ASN1_I2D_BIO), "ASN1_i2d_bio"},
+{ERR_FUNC(ASN1_F_ASN1_I2D_FP),  "ASN1_i2d_fp"},
+{ERR_FUNC(ASN1_F_ASN1_INTEGER_SET),     "ASN1_INTEGER_set"},
+{ERR_FUNC(ASN1_F_ASN1_INTEGER_TO_BN),   "ASN1_INTEGER_to_BN"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_EX_D2I),     "ASN1_ITEM_EX_D2I"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_NEW),        "ASN1_item_new"},
+{ERR_FUNC(ASN1_F_ASN1_MBSTRING_COPY),   "ASN1_mbstring_copy"},
+{ERR_FUNC(ASN1_F_ASN1_OBJECT_NEW),      "ASN1_OBJECT_new"},
+{ERR_FUNC(ASN1_F_ASN1_PACK_STRING),     "ASN1_pack_string"},
+{ERR_FUNC(ASN1_F_ASN1_PBE_SET), "ASN1_PBE_SET"},
+{ERR_FUNC(ASN1_F_ASN1_SEQ_PACK),        "ASN1_seq_pack"},
+{ERR_FUNC(ASN1_F_ASN1_SEQ_UNPACK),      "ASN1_seq_unpack"},
+{ERR_FUNC(ASN1_F_ASN1_SIGN),    "ASN1_sign"},
+{ERR_FUNC(ASN1_F_ASN1_STRING_SET),      "ASN1_STRING_set"},
+{ERR_FUNC(ASN1_F_ASN1_STRING_TABLE_ADD),        "ASN1_STRING_TABLE_add"},
+{ERR_FUNC(ASN1_F_ASN1_STRING_TYPE_NEW), "ASN1_STRING_type_new"},
+{ERR_FUNC(ASN1_F_ASN1_TEMPLATE_D2I),    "ASN1_TEMPLATE_D2I"},
+{ERR_FUNC(ASN1_F_ASN1_TEMPLATE_EX_D2I), "ASN1_TEMPLATE_EX_D2I"},
+{ERR_FUNC(ASN1_F_ASN1_TEMPLATE_NEW),    "ASN1_TEMPLATE_NEW"},
+{ERR_FUNC(ASN1_F_ASN1_TIME_SET),        "ASN1_TIME_set"},
+{ERR_FUNC(ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING),        "ASN1_TYPE_get_int_octetstring"},
+{ERR_FUNC(ASN1_F_ASN1_TYPE_GET_OCTETSTRING),    "ASN1_TYPE_get_octetstring"},
+{ERR_FUNC(ASN1_F_ASN1_UNPACK_STRING),   "ASN1_unpack_string"},
+{ERR_FUNC(ASN1_F_ASN1_UTCTIME_SET),     "ASN1_UTCTIME_set"},
+{ERR_FUNC(ASN1_F_ASN1_VERIFY),  "ASN1_verify"},
+{ERR_FUNC(ASN1_F_BN_TO_ASN1_ENUMERATED),        "BN_to_ASN1_ENUMERATED"},
+{ERR_FUNC(ASN1_F_BN_TO_ASN1_INTEGER),   "BN_to_ASN1_INTEGER"},
+{ERR_FUNC(ASN1_F_COLLECT_DATA), "COLLECT_DATA"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_BIT_STRING),  "D2I_ASN1_BIT_STRING"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_BOOLEAN),     "d2i_ASN1_BOOLEAN"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_BYTES),       "d2i_ASN1_bytes"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_GENERALIZEDTIME),     "D2I_ASN1_GENERALIZEDTIME"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_HEADER),      "d2i_ASN1_HEADER"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_INTEGER),     "D2I_ASN1_INTEGER"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_OBJECT),      "d2i_ASN1_OBJECT"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_SET), "d2i_ASN1_SET"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_TYPE_BYTES),  "d2i_ASN1_type_bytes"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_UINTEGER),    "d2i_ASN1_UINTEGER"},
+{ERR_FUNC(ASN1_F_D2I_ASN1_UTCTIME),     "D2I_ASN1_UTCTIME"},
+{ERR_FUNC(ASN1_F_D2I_NETSCAPE_RSA),     "d2i_Netscape_RSA"},
+{ERR_FUNC(ASN1_F_D2I_NETSCAPE_RSA_2),   "D2I_NETSCAPE_RSA_2"},
+{ERR_FUNC(ASN1_F_D2I_PRIVATEKEY),       "d2i_PrivateKey"},
+{ERR_FUNC(ASN1_F_D2I_PUBLICKEY),        "d2i_PublicKey"},
+{ERR_FUNC(ASN1_F_D2I_X509),     "D2I_X509"},
+{ERR_FUNC(ASN1_F_D2I_X509_CINF),        "D2I_X509_CINF"},
+{ERR_FUNC(ASN1_F_D2I_X509_NAME),        "D2I_X509_NAME"},
+{ERR_FUNC(ASN1_F_D2I_X509_PKEY),        "d2i_X509_PKEY"},
+{ERR_FUNC(ASN1_F_I2D_ASN1_SET), "i2d_ASN1_SET"},
+{ERR_FUNC(ASN1_F_I2D_ASN1_TIME),        "I2D_ASN1_TIME"},
+{ERR_FUNC(ASN1_F_I2D_DSA_PUBKEY),       "i2d_DSA_PUBKEY"},
+{ERR_FUNC(ASN1_F_I2D_NETSCAPE_RSA),     "i2d_Netscape_RSA"},
+{ERR_FUNC(ASN1_F_I2D_PRIVATEKEY),       "i2d_PrivateKey"},
+{ERR_FUNC(ASN1_F_I2D_PUBLICKEY),        "i2d_PublicKey"},
+{ERR_FUNC(ASN1_F_I2D_RSA_PUBKEY),       "i2d_RSA_PUBKEY"},
+{ERR_FUNC(ASN1_F_LONG_C2I),     "LONG_C2I"},
+{ERR_FUNC(ASN1_F_OID_MODULE_INIT),      "OID_MODULE_INIT"},
+{ERR_FUNC(ASN1_F_PKCS5_PBE2_SET),       "PKCS5_pbe2_set"},
+{ERR_FUNC(ASN1_F_X509_CINF_NEW),        "X509_CINF_NEW"},
+{ERR_FUNC(ASN1_F_X509_CRL_ADD0_REVOKED),        "X509_CRL_add0_revoked"},
+{ERR_FUNC(ASN1_F_X509_INFO_NEW),        "X509_INFO_new"},
+{ERR_FUNC(ASN1_F_X509_NAME_NEW),        "X509_NAME_NEW"},
+{ERR_FUNC(ASN1_F_X509_NEW),     "X509_NEW"},
+{ERR_FUNC(ASN1_F_X509_PKEY_NEW),        "X509_PKEY_new"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA ASN1_str_reasons[]=
         {
-{ASN1_R_ADDING_OBJECT                    ,"adding object"},
-{ASN1_R_AUX_ERROR                        ,"aux error"},
-{ASN1_R_BAD_CLASS                        ,"bad class"},
-{ASN1_R_BAD_OBJECT_HEADER                ,"bad object header"},
-{ASN1_R_BAD_PASSWORD_READ                ,"bad password read"},
-{ASN1_R_BAD_TAG                          ,"bad tag"},
-{ASN1_R_BN_LIB                           ,"bn lib"},
-{ASN1_R_BOOLEAN_IS_WRONG_LENGTH          ,"boolean is wrong length"},
-{ASN1_R_BUFFER_TOO_SMALL                 ,"buffer too small"},
-{ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER  ,"cipher has no object identifier"},
-{ASN1_R_DATA_IS_WRONG                    ,"data is wrong"},
-{ASN1_R_DECODE_ERROR                     ,"decode error"},
-{ASN1_R_DECODING_ERROR                   ,"decoding error"},
-{ASN1_R_ENCODE_ERROR                     ,"encode error"},
-{ASN1_R_ERROR_GETTING_TIME               ,"error getting time"},
-{ASN1_R_ERROR_LOADING_SECTION            ,"error loading section"},
-{ASN1_R_ERROR_PARSING_SET_ELEMENT        ,"error parsing set element"},
-{ASN1_R_ERROR_SETTING_CIPHER_PARAMS      ,"error setting cipher params"},
-{ASN1_R_EXPECTING_AN_INTEGER             ,"expecting an integer"},
-{ASN1_R_EXPECTING_AN_OBJECT              ,"expecting an object"},
-{ASN1_R_EXPECTING_A_BOOLEAN              ,"expecting a boolean"},
-{ASN1_R_EXPECTING_A_TIME                 ,"expecting a time"},
-{ASN1_R_EXPLICIT_LENGTH_MISMATCH         ,"explicit length mismatch"},
-{ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED     ,"explicit tag not constructed"},
-{ASN1_R_FIELD_MISSING                    ,"field missing"},
-{ASN1_R_FIRST_NUM_TOO_LARGE              ,"first num too large"},
-{ASN1_R_HEADER_TOO_LONG                  ,"header too long"},
-{ASN1_R_ILLEGAL_CHARACTERS               ,"illegal characters"},
-{ASN1_R_ILLEGAL_NULL                     ,"illegal null"},
-{ASN1_R_ILLEGAL_OPTIONAL_ANY             ,"illegal optional any"},
-{ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE ,"illegal options on item template"},
-{ASN1_R_ILLEGAL_TAGGED_ANY               ,"illegal tagged any"},
-{ASN1_R_INTEGER_TOO_LARGE_FOR_LONG       ,"integer too large for long"},
-{ASN1_R_INVALID_BMPSTRING_LENGTH         ,"invalid bmpstring length"},
-{ASN1_R_INVALID_DIGIT                    ,"invalid digit"},
-{ASN1_R_INVALID_SEPARATOR                ,"invalid separator"},
-{ASN1_R_INVALID_TIME_FORMAT              ,"invalid time format"},
-{ASN1_R_INVALID_UNIVERSALSTRING_LENGTH   ,"invalid universalstring length"},
-{ASN1_R_INVALID_UTF8STRING               ,"invalid utf8string"},
-{ASN1_R_IV_TOO_LARGE                     ,"iv too large"},
-{ASN1_R_LENGTH_ERROR                     ,"length error"},
-{ASN1_R_MISSING_EOC                      ,"missing eoc"},
-{ASN1_R_MISSING_SECOND_NUMBER            ,"missing second number"},
-{ASN1_R_MSTRING_NOT_UNIVERSAL            ,"mstring not universal"},
-{ASN1_R_MSTRING_WRONG_TAG                ,"mstring wrong tag"},
-{ASN1_R_NON_HEX_CHARACTERS               ,"non hex characters"},
-{ASN1_R_NOT_ENOUGH_DATA                  ,"not enough data"},
-{ASN1_R_NO_MATCHING_CHOICE_TYPE          ,"no matching choice type"},
-{ASN1_R_NULL_IS_WRONG_LENGTH             ,"null is wrong length"},
-{ASN1_R_ODD_NUMBER_OF_CHARS              ,"odd number of chars"},
-{ASN1_R_PRIVATE_KEY_HEADER_MISSING       ,"private key header missing"},
-{ASN1_R_SECOND_NUMBER_TOO_LARGE          ,"second number too large"},
-{ASN1_R_SEQUENCE_LENGTH_MISMATCH         ,"sequence length mismatch"},
-{ASN1_R_SEQUENCE_NOT_CONSTRUCTED         ,"sequence not constructed"},
-{ASN1_R_SHORT_LINE                       ,"short line"},
-{ASN1_R_STRING_TOO_LONG                  ,"string too long"},
-{ASN1_R_STRING_TOO_SHORT                 ,"string too short"},
-{ASN1_R_TAG_VALUE_TOO_HIGH               ,"tag value too high"},
-{ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD,"the asn1 object identifier is not known for this md"},
-{ASN1_R_TOO_LONG                         ,"too long"},
-{ASN1_R_TYPE_NOT_CONSTRUCTED             ,"type not constructed"},
-{ASN1_R_UNABLE_TO_DECODE_RSA_KEY         ,"unable to decode rsa key"},
-{ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY ,"unable to decode rsa private key"},
-{ASN1_R_UNEXPECTED_EOC                   ,"unexpected eoc"},
-{ASN1_R_UNKNOWN_FORMAT                   ,"unknown format"},
-{ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM ,"unknown message digest algorithm"},
-{ASN1_R_UNKNOWN_OBJECT_TYPE              ,"unknown object type"},
-{ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE          ,"unknown public key type"},
-{ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE  ,"unsupported any defined by type"},
-{ASN1_R_UNSUPPORTED_CIPHER               ,"unsupported cipher"},
-{ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM ,"unsupported encryption algorithm"},
-{ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE      ,"unsupported public key type"},
-{ASN1_R_WRONG_TAG                        ,"wrong tag"},
-{ASN1_R_WRONG_TYPE                       ,"wrong type"},
+{ERR_REASON(ASN1_R_ADDING_OBJECT)        ,"adding object"},
+{ERR_REASON(ASN1_R_AUX_ERROR)            ,"aux error"},
+{ERR_REASON(ASN1_R_BAD_CLASS)            ,"bad class"},
+{ERR_REASON(ASN1_R_BAD_OBJECT_HEADER)    ,"bad object header"},
+{ERR_REASON(ASN1_R_BAD_PASSWORD_READ)    ,"bad password read"},
+{ERR_REASON(ASN1_R_BAD_TAG)              ,"bad tag"},
+{ERR_REASON(ASN1_R_BN_LIB)               ,"bn lib"},
+{ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"},
+{ERR_REASON(ASN1_R_BUFFER_TOO_SMALL)     ,"buffer too small"},
+{ERR_REASON(ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER),"cipher has no object identifier"},
+{ERR_REASON(ASN1_R_DATA_IS_WRONG)        ,"data is wrong"},
+{ERR_REASON(ASN1_R_DECODE_ERROR)         ,"decode error"},
+{ERR_REASON(ASN1_R_DECODING_ERROR)       ,"decoding error"},
+{ERR_REASON(ASN1_R_ENCODE_ERROR)         ,"encode error"},
+{ERR_REASON(ASN1_R_ERROR_GETTING_TIME)   ,"error getting time"},
+{ERR_REASON(ASN1_R_ERROR_LOADING_SECTION),"error loading section"},
+{ERR_REASON(ASN1_R_ERROR_PARSING_SET_ELEMENT),"error parsing set element"},
+{ERR_REASON(ASN1_R_ERROR_SETTING_CIPHER_PARAMS),"error setting cipher params"},
+{ERR_REASON(ASN1_R_EXPECTING_AN_INTEGER) ,"expecting an integer"},
+{ERR_REASON(ASN1_R_EXPECTING_AN_OBJECT)  ,"expecting an object"},
+{ERR_REASON(ASN1_R_EXPECTING_A_BOOLEAN)  ,"expecting a boolean"},
+{ERR_REASON(ASN1_R_EXPECTING_A_TIME)     ,"expecting a time"},
+{ERR_REASON(ASN1_R_EXPLICIT_LENGTH_MISMATCH),"explicit length mismatch"},
+{ERR_REASON(ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED),"explicit tag not constructed"},
+{ERR_REASON(ASN1_R_FIELD_MISSING)        ,"field missing"},
+{ERR_REASON(ASN1_R_FIRST_NUM_TOO_LARGE)  ,"first num too large"},
+{ERR_REASON(ASN1_R_HEADER_TOO_LONG)      ,"header too long"},
+{ERR_REASON(ASN1_R_ILLEGAL_CHARACTERS)   ,"illegal characters"},
+{ERR_REASON(ASN1_R_ILLEGAL_NULL)         ,"illegal null"},
+{ERR_REASON(ASN1_R_ILLEGAL_OPTIONAL_ANY) ,"illegal optional any"},
+{ERR_REASON(ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE),"illegal options on item template"},
+{ERR_REASON(ASN1_R_ILLEGAL_TAGGED_ANY)   ,"illegal tagged any"},
+{ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"},
+{ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"},
+{ERR_REASON(ASN1_R_INVALID_DIGIT)        ,"invalid digit"},
+{ERR_REASON(ASN1_R_INVALID_SEPARATOR)    ,"invalid separator"},
+{ERR_REASON(ASN1_R_INVALID_TIME_FORMAT)  ,"invalid time format"},
+{ERR_REASON(ASN1_R_INVALID_UNIVERSALSTRING_LENGTH),"invalid universalstring length"},
+{ERR_REASON(ASN1_R_INVALID_UTF8STRING)   ,"invalid utf8string"},
+{ERR_REASON(ASN1_R_IV_TOO_LARGE)         ,"iv too large"},
+{ERR_REASON(ASN1_R_LENGTH_ERROR)         ,"length error"},
+{ERR_REASON(ASN1_R_MISSING_EOC)          ,"missing eoc"},
+{ERR_REASON(ASN1_R_MISSING_SECOND_NUMBER),"missing second number"},
+{ERR_REASON(ASN1_R_MSTRING_NOT_UNIVERSAL),"mstring not universal"},
+{ERR_REASON(ASN1_R_MSTRING_WRONG_TAG)    ,"mstring wrong tag"},
+{ERR_REASON(ASN1_R_NESTED_ASN1_STRING)   ,"nested asn1 string"},
+{ERR_REASON(ASN1_R_NON_HEX_CHARACTERS)   ,"non hex characters"},
+{ERR_REASON(ASN1_R_NOT_ENOUGH_DATA)      ,"not enough data"},
+{ERR_REASON(ASN1_R_NO_MATCHING_CHOICE_TYPE),"no matching choice type"},
+{ERR_REASON(ASN1_R_NULL_IS_WRONG_LENGTH) ,"null is wrong length"},
+{ERR_REASON(ASN1_R_ODD_NUMBER_OF_CHARS)  ,"odd number of chars"},
+{ERR_REASON(ASN1_R_PRIVATE_KEY_HEADER_MISSING),"private key header missing"},
+{ERR_REASON(ASN1_R_SECOND_NUMBER_TOO_LARGE),"second number too large"},
+{ERR_REASON(ASN1_R_SEQUENCE_LENGTH_MISMATCH),"sequence length mismatch"},
+{ERR_REASON(ASN1_R_SEQUENCE_NOT_CONSTRUCTED),"sequence not constructed"},
+{ERR_REASON(ASN1_R_SHORT_LINE)           ,"short line"},
+{ERR_REASON(ASN1_R_STRING_TOO_LONG)      ,"string too long"},
+{ERR_REASON(ASN1_R_STRING_TOO_SHORT)     ,"string too short"},
+{ERR_REASON(ASN1_R_TAG_VALUE_TOO_HIGH)   ,"tag value too high"},
+{ERR_REASON(ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"},
+{ERR_REASON(ASN1_R_TOO_LONG)             ,"too long"},
+{ERR_REASON(ASN1_R_TYPE_NOT_CONSTRUCTED) ,"type not constructed"},
+{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
+{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"},
+{ERR_REASON(ASN1_R_UNEXPECTED_EOC)       ,"unexpected eoc"},
+{ERR_REASON(ASN1_R_UNKNOWN_FORMAT)       ,"unknown format"},
+{ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"},
+{ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE)  ,"unknown object type"},
+{ERR_REASON(ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE),"unknown public key type"},
+{ERR_REASON(ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE),"unsupported any defined by type"},
+{ERR_REASON(ASN1_R_UNSUPPORTED_CIPHER)   ,"unsupported cipher"},
+{ERR_REASON(ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM),"unsupported encryption algorithm"},
+{ERR_REASON(ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE),"unsupported public key type"},
+{ERR_REASON(ASN1_R_WRONG_TAG)            ,"wrong tag"},
+{ERR_REASON(ASN1_R_WRONG_TYPE)           ,"wrong type"},
 {0,NULL}
         };
 
@@ -240,8 +246,8 @@ void ERR_load_ASN1_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_ASN1,ASN1_str_functs);
-                ERR_load_strings(ERR_LIB_ASN1,ASN1_str_reasons);
+                ERR_load_strings(0,ASN1_str_functs);
+                ERR_load_strings(0,ASN1_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c
index 2426cb6253..c22501fc63 100644
--- a/src/lib/libcrypto/asn1/tasn_dec.c
+++ b/src/lib/libcrypto/asn1/tasn_dec.c
@@ -66,6 +66,7 @@
 #include <openssl/err.h>
 
 static int asn1_check_eoc(unsigned char **in, long len);
+static int asn1_find_end(unsigned char **in, long len, char inf);
 static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, int tag, int aclass);
 static int collect_data(BUF_MEM *buf, unsigned char **p, long plen);
 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *inf, char *cst,
@@ -644,7 +645,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inl
                 cont = *in;
                 /* If indefinite length constructed find the real end */
                 if(inf) {
-                        if(!asn1_collect(NULL, &p, plen, inf, -1, -1)) goto err;
+                        if(!asn1_find_end(&p, plen, inf)) goto err;
                         len = p - cont;
                 } else {
                         len = p - cont + plen;
@@ -807,12 +808,66 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char
         return ret;
 }
 
+/* This function finds the end of an ASN1 structure when passed its maximum
+ * length, whether it is indefinite length and a pointer to the content.
+ * This is more efficient than calling asn1_collect because it does not
+ * recurse on each indefinite length header.
+ */
+
+static int asn1_find_end(unsigned char **in, long len, char inf)
+        {
+        int expected_eoc;
+        long plen;
+        unsigned char *p = *in, *q;
+        /* If not indefinite length constructed just add length */
+        if (inf == 0)
+                {
+                *in += len;
+                return 1;
+                }
+        expected_eoc = 1;
+        /* Indefinite length constructed form. Find the end when enough EOCs
+         * are found. If more indefinite length constructed headers
+         * are encountered increment the expected eoc count otherwise justi
+         * skip to the end of the data.
+         */
+        while (len > 0)
+                {
+                if(asn1_check_eoc(&p, len))
+                        {
+                        expected_eoc--;
+                        if (expected_eoc == 0)
+                                break;
+                        len -= 2;
+                        continue;
+                        }
+                q = p;
+                /* Just read in a header: only care about the length */
+                if(!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len,
+                                -1, 0, 0, NULL))
+                        {
+                        ASN1err(ASN1_F_ASN1_FIND_END, ERR_R_NESTED_ASN1_ERROR);
+                        return 0;
+                        }
+                if (inf)
+                        expected_eoc++;
+                else
+                        p += plen;
+                len -= p - q;
+                }
+        if (expected_eoc)
+                {
+                ASN1err(ASN1_F_ASN1_FIND_END, ASN1_R_MISSING_EOC);
+                return 0;
+                }
+        *in = p;
+        return 1;
+        }
+
 /* This function collects the asn1 data from a constructred string
  * type into a buffer. The values of 'in' and 'len' should refer
  * to the contents of the constructed type and 'inf' should be set
- * if it is indefinite length. If 'buf' is NULL then we just want
- * to find the end of the current structure: useful for indefinite
- * length constructed stuff.
+ * if it is indefinite length.
  */
 
 static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, int tag, int aclass)
@@ -822,11 +877,6 @@ static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, in
         char cst, ininf;
         p = *in;
         inf &= 1;
-        /* If no buffer and not indefinite length constructed just pass over the encoded data */
-        if(!buf && !inf) {
-                *in += len;
-                return 1;
-        }
         while(len > 0) {
                 q = p;
                 /* Check for EOC */
@@ -845,9 +895,15 @@ static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, in
                 }
                 /* If indefinite length constructed update max length */
                 if(cst) {
-                        if(!asn1_collect(buf, &p, plen, ininf, tag, aclass)) return 0;
+#ifdef OPENSSL_ALLOW_NESTED_ASN1_STRINGS
+                        if (!asn1_collect(buf, &p, plen, ininf, tag, aclass))
+                                return 0;
+#else
+                        ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_NESTED_ASN1_STRING);
+                        return 0;
+#endif
                 } else {
-                        if(!collect_data(buf, &p, plen)) return 0;
+                        if(plen && !collect_data(buf, &p, plen)) return 0;
                 }
                 len -= p - q;
         }
diff --git a/src/lib/libcrypto/asn1/tasn_enc.c b/src/lib/libcrypto/asn1/tasn_enc.c
index f6c8ddef0a..c675c3c832 100644
--- a/src/lib/libcrypto/asn1/tasn_enc.c
+++ b/src/lib/libcrypto/asn1/tasn_enc.c
@@ -445,9 +445,12 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype, const ASN1_
                 case V_ASN1_BOOLEAN:
                 tbool = (ASN1_BOOLEAN *)pval;
                 if(*tbool == -1) return -1;
-                /* Default handling if value == size field then omit */
-                if(*tbool && (it->size > 0)) return -1;
-                if(!*tbool && !it->size) return -1;
+                if (it->utype != V_ASN1_ANY)
+                        {
+                        /* Default handling if value == size field then omit */
+                        if(*tbool && (it->size > 0)) return -1;
+                        if(!*tbool && !it->size) return -1;
+                        }
                 c = (unsigned char)*tbool;
                 cont = &c;
                 len = 1;
diff --git a/src/lib/libcrypto/bf/bf_skey.c b/src/lib/libcrypto/bf/bf_skey.c
index fc5bebefce..1931aba83f 100644
--- a/src/lib/libcrypto/bf/bf_skey.c
+++ b/src/lib/libcrypto/bf/bf_skey.c
@@ -60,6 +60,7 @@
 #include <string.h>
 #include <openssl/crypto.h>
 #include <openssl/blowfish.h>
+#include <openssl/fips.h>
 #include "bf_locl.h"
 #include "bf_pi.h"
 
diff --git a/src/lib/libcrypto/bio/b_print.c b/src/lib/libcrypto/bio/b_print.c
index c2bb357b4c..165f046295 100644
--- a/src/lib/libcrypto/bio/b_print.c
+++ b/src/lib/libcrypto/bio/b_print.c
@@ -576,7 +576,7 @@ abs_val(LDOUBLE value)
 }
 
 static LDOUBLE
-pow10(int in_exp)
+pow_10(int in_exp)
 {
     LDOUBLE result = 1;
     while (in_exp) {
@@ -639,11 +639,11 @@ fmtfp(
 
     /* we "cheat" by converting the fractional part to integer by
        multiplying by a factor of 10 */
-    fracpart = roundv((pow10(max)) * (ufvalue - intpart));
+    fracpart = roundv((pow_10(max)) * (ufvalue - intpart));
 
-    if (fracpart >= (long)pow10(max)) {
+    if (fracpart >= (long)pow_10(max)) {
         intpart++;
-        fracpart -= (long)pow10(max);
+        fracpart -= (long)pow_10(max);
     }
 
     /* convert integer part */
diff --git a/src/lib/libcrypto/bio/bio_err.c b/src/lib/libcrypto/bio/bio_err.c
index 68a119d895..8859a58ae4 100644
--- a/src/lib/libcrypto/bio/bio_err.c
+++ b/src/lib/libcrypto/bio/bio_err.c
@@ -1,6 +1,6 @@
 /* crypto/bio/bio_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,73 +64,77 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_BIO,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_BIO,0,reason)
+
 static ERR_STRING_DATA BIO_str_functs[]=
         {
-{ERR_PACK(0,BIO_F_ACPT_STATE,0),        "ACPT_STATE"},
-{ERR_PACK(0,BIO_F_BIO_ACCEPT,0),        "BIO_accept"},
-{ERR_PACK(0,BIO_F_BIO_BER_GET_HEADER,0),        "BIO_BER_GET_HEADER"},
-{ERR_PACK(0,BIO_F_BIO_CTRL,0),  "BIO_ctrl"},
-{ERR_PACK(0,BIO_F_BIO_GETHOSTBYNAME,0), "BIO_gethostbyname"},
-{ERR_PACK(0,BIO_F_BIO_GETS,0),  "BIO_gets"},
-{ERR_PACK(0,BIO_F_BIO_GET_ACCEPT_SOCKET,0),     "BIO_get_accept_socket"},
-{ERR_PACK(0,BIO_F_BIO_GET_HOST_IP,0),   "BIO_get_host_ip"},
-{ERR_PACK(0,BIO_F_BIO_GET_PORT,0),      "BIO_get_port"},
-{ERR_PACK(0,BIO_F_BIO_MAKE_PAIR,0),     "BIO_MAKE_PAIR"},
-{ERR_PACK(0,BIO_F_BIO_NEW,0),   "BIO_new"},
-{ERR_PACK(0,BIO_F_BIO_NEW_FILE,0),      "BIO_new_file"},
-{ERR_PACK(0,BIO_F_BIO_NEW_MEM_BUF,0),   "BIO_new_mem_buf"},
-{ERR_PACK(0,BIO_F_BIO_NREAD,0), "BIO_nread"},
-{ERR_PACK(0,BIO_F_BIO_NREAD0,0),        "BIO_nread0"},
-{ERR_PACK(0,BIO_F_BIO_NWRITE,0),        "BIO_nwrite"},
-{ERR_PACK(0,BIO_F_BIO_NWRITE0,0),       "BIO_nwrite0"},
-{ERR_PACK(0,BIO_F_BIO_PUTS,0),  "BIO_puts"},
-{ERR_PACK(0,BIO_F_BIO_READ,0),  "BIO_read"},
-{ERR_PACK(0,BIO_F_BIO_SOCK_INIT,0),     "BIO_sock_init"},
-{ERR_PACK(0,BIO_F_BIO_WRITE,0), "BIO_write"},
-{ERR_PACK(0,BIO_F_BUFFER_CTRL,0),       "BUFFER_CTRL"},
-{ERR_PACK(0,BIO_F_CONN_CTRL,0), "CONN_CTRL"},
-{ERR_PACK(0,BIO_F_CONN_STATE,0),        "CONN_STATE"},
-{ERR_PACK(0,BIO_F_FILE_CTRL,0), "FILE_CTRL"},
-{ERR_PACK(0,BIO_F_FILE_READ,0), "FILE_READ"},
-{ERR_PACK(0,BIO_F_LINEBUFFER_CTRL,0),   "LINEBUFFER_CTRL"},
-{ERR_PACK(0,BIO_F_MEM_READ,0),  "MEM_READ"},
-{ERR_PACK(0,BIO_F_MEM_WRITE,0), "MEM_WRITE"},
-{ERR_PACK(0,BIO_F_SSL_NEW,0),   "SSL_new"},
-{ERR_PACK(0,BIO_F_WSASTARTUP,0),        "WSASTARTUP"},
+{ERR_FUNC(BIO_F_ACPT_STATE),    "ACPT_STATE"},
+{ERR_FUNC(BIO_F_BIO_ACCEPT),    "BIO_accept"},
+{ERR_FUNC(BIO_F_BIO_BER_GET_HEADER),    "BIO_BER_GET_HEADER"},
+{ERR_FUNC(BIO_F_BIO_CTRL),      "BIO_ctrl"},
+{ERR_FUNC(BIO_F_BIO_GETHOSTBYNAME),     "BIO_gethostbyname"},
+{ERR_FUNC(BIO_F_BIO_GETS),      "BIO_gets"},
+{ERR_FUNC(BIO_F_BIO_GET_ACCEPT_SOCKET), "BIO_get_accept_socket"},
+{ERR_FUNC(BIO_F_BIO_GET_HOST_IP),       "BIO_get_host_ip"},
+{ERR_FUNC(BIO_F_BIO_GET_PORT),  "BIO_get_port"},
+{ERR_FUNC(BIO_F_BIO_MAKE_PAIR), "BIO_MAKE_PAIR"},
+{ERR_FUNC(BIO_F_BIO_NEW),       "BIO_new"},
+{ERR_FUNC(BIO_F_BIO_NEW_FILE),  "BIO_new_file"},
+{ERR_FUNC(BIO_F_BIO_NEW_MEM_BUF),       "BIO_new_mem_buf"},
+{ERR_FUNC(BIO_F_BIO_NREAD),     "BIO_nread"},
+{ERR_FUNC(BIO_F_BIO_NREAD0),    "BIO_nread0"},
+{ERR_FUNC(BIO_F_BIO_NWRITE),    "BIO_nwrite"},
+{ERR_FUNC(BIO_F_BIO_NWRITE0),   "BIO_nwrite0"},
+{ERR_FUNC(BIO_F_BIO_PUTS),      "BIO_puts"},
+{ERR_FUNC(BIO_F_BIO_READ),      "BIO_read"},
+{ERR_FUNC(BIO_F_BIO_SOCK_INIT), "BIO_sock_init"},
+{ERR_FUNC(BIO_F_BIO_WRITE),     "BIO_write"},
+{ERR_FUNC(BIO_F_BUFFER_CTRL),   "BUFFER_CTRL"},
+{ERR_FUNC(BIO_F_CONN_CTRL),     "CONN_CTRL"},
+{ERR_FUNC(BIO_F_CONN_STATE),    "CONN_STATE"},
+{ERR_FUNC(BIO_F_FILE_CTRL),     "FILE_CTRL"},
+{ERR_FUNC(BIO_F_FILE_READ),     "FILE_READ"},
+{ERR_FUNC(BIO_F_LINEBUFFER_CTRL),       "LINEBUFFER_CTRL"},
+{ERR_FUNC(BIO_F_MEM_READ),      "MEM_READ"},
+{ERR_FUNC(BIO_F_MEM_WRITE),     "MEM_WRITE"},
+{ERR_FUNC(BIO_F_SSL_NEW),       "SSL_new"},
+{ERR_FUNC(BIO_F_WSASTARTUP),    "WSASTARTUP"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA BIO_str_reasons[]=
         {
-{BIO_R_ACCEPT_ERROR                      ,"accept error"},
-{BIO_R_BAD_FOPEN_MODE                    ,"bad fopen mode"},
-{BIO_R_BAD_HOSTNAME_LOOKUP               ,"bad hostname lookup"},
-{BIO_R_BROKEN_PIPE                       ,"broken pipe"},
-{BIO_R_CONNECT_ERROR                     ,"connect error"},
-{BIO_R_EOF_ON_MEMORY_BIO                 ,"EOF on memory BIO"},
-{BIO_R_ERROR_SETTING_NBIO                ,"error setting nbio"},
-{BIO_R_ERROR_SETTING_NBIO_ON_ACCEPTED_SOCKET,"error setting nbio on accepted socket"},
-{BIO_R_ERROR_SETTING_NBIO_ON_ACCEPT_SOCKET,"error setting nbio on accept socket"},
-{BIO_R_GETHOSTBYNAME_ADDR_IS_NOT_AF_INET ,"gethostbyname addr is not af inet"},
-{BIO_R_INVALID_ARGUMENT                  ,"invalid argument"},
-{BIO_R_INVALID_IP_ADDRESS                ,"invalid ip address"},
-{BIO_R_IN_USE                            ,"in use"},
-{BIO_R_KEEPALIVE                         ,"keepalive"},
-{BIO_R_NBIO_CONNECT_ERROR                ,"nbio connect error"},
-{BIO_R_NO_ACCEPT_PORT_SPECIFIED          ,"no accept port specified"},
-{BIO_R_NO_HOSTNAME_SPECIFIED             ,"no hostname specified"},
-{BIO_R_NO_PORT_DEFINED                   ,"no port defined"},
-{BIO_R_NO_PORT_SPECIFIED                 ,"no port specified"},
-{BIO_R_NO_SUCH_FILE                      ,"no such file"},
-{BIO_R_NULL_PARAMETER                    ,"null parameter"},
-{BIO_R_TAG_MISMATCH                      ,"tag mismatch"},
-{BIO_R_UNABLE_TO_BIND_SOCKET             ,"unable to bind socket"},
-{BIO_R_UNABLE_TO_CREATE_SOCKET           ,"unable to create socket"},
-{BIO_R_UNABLE_TO_LISTEN_SOCKET           ,"unable to listen socket"},
-{BIO_R_UNINITIALIZED                     ,"uninitialized"},
-{BIO_R_UNSUPPORTED_METHOD                ,"unsupported method"},
-{BIO_R_WRITE_TO_READ_ONLY_BIO            ,"write to read only BIO"},
-{BIO_R_WSASTARTUP                        ,"WSAStartup"},
+{ERR_REASON(BIO_R_ACCEPT_ERROR)          ,"accept error"},
+{ERR_REASON(BIO_R_BAD_FOPEN_MODE)        ,"bad fopen mode"},
+{ERR_REASON(BIO_R_BAD_HOSTNAME_LOOKUP)   ,"bad hostname lookup"},
+{ERR_REASON(BIO_R_BROKEN_PIPE)           ,"broken pipe"},
+{ERR_REASON(BIO_R_CONNECT_ERROR)         ,"connect error"},
+{ERR_REASON(BIO_R_EOF_ON_MEMORY_BIO)     ,"EOF on memory BIO"},
+{ERR_REASON(BIO_R_ERROR_SETTING_NBIO)    ,"error setting nbio"},
+{ERR_REASON(BIO_R_ERROR_SETTING_NBIO_ON_ACCEPTED_SOCKET),"error setting nbio on accepted socket"},
+{ERR_REASON(BIO_R_ERROR_SETTING_NBIO_ON_ACCEPT_SOCKET),"error setting nbio on accept socket"},
+{ERR_REASON(BIO_R_GETHOSTBYNAME_ADDR_IS_NOT_AF_INET),"gethostbyname addr is not af inet"},
+{ERR_REASON(BIO_R_INVALID_ARGUMENT)      ,"invalid argument"},
+{ERR_REASON(BIO_R_INVALID_IP_ADDRESS)    ,"invalid ip address"},
+{ERR_REASON(BIO_R_IN_USE)                ,"in use"},
+{ERR_REASON(BIO_R_KEEPALIVE)             ,"keepalive"},
+{ERR_REASON(BIO_R_NBIO_CONNECT_ERROR)    ,"nbio connect error"},
+{ERR_REASON(BIO_R_NO_ACCEPT_PORT_SPECIFIED),"no accept port specified"},
+{ERR_REASON(BIO_R_NO_HOSTNAME_SPECIFIED) ,"no hostname specified"},
+{ERR_REASON(BIO_R_NO_PORT_DEFINED)       ,"no port defined"},
+{ERR_REASON(BIO_R_NO_PORT_SPECIFIED)     ,"no port specified"},
+{ERR_REASON(BIO_R_NO_SUCH_FILE)          ,"no such file"},
+{ERR_REASON(BIO_R_NULL_PARAMETER)        ,"null parameter"},
+{ERR_REASON(BIO_R_TAG_MISMATCH)          ,"tag mismatch"},
+{ERR_REASON(BIO_R_UNABLE_TO_BIND_SOCKET) ,"unable to bind socket"},
+{ERR_REASON(BIO_R_UNABLE_TO_CREATE_SOCKET),"unable to create socket"},
+{ERR_REASON(BIO_R_UNABLE_TO_LISTEN_SOCKET),"unable to listen socket"},
+{ERR_REASON(BIO_R_UNINITIALIZED)         ,"uninitialized"},
+{ERR_REASON(BIO_R_UNSUPPORTED_METHOD)    ,"unsupported method"},
+{ERR_REASON(BIO_R_WRITE_TO_READ_ONLY_BIO),"write to read only BIO"},
+{ERR_REASON(BIO_R_WSASTARTUP)            ,"WSAStartup"},
 {0,NULL}
         };
 
@@ -144,8 +148,8 @@ void ERR_load_BIO_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_BIO,BIO_str_functs);
-                ERR_load_strings(ERR_LIB_BIO,BIO_str_reasons);
+                ERR_load_strings(0,BIO_str_functs);
+                ERR_load_strings(0,BIO_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/bio/bss_conn.c b/src/lib/libcrypto/bio/bss_conn.c
index f5d0e759e2..216780ed5e 100644
--- a/src/lib/libcrypto/bio/bss_conn.c
+++ b/src/lib/libcrypto/bio/bss_conn.c
@@ -469,7 +469,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
                 break;
         case BIO_C_DO_STATE_MACHINE:
                 /* use this one to start the connection */
-                if (!data->state != BIO_CONN_S_OK)
+                if (data->state != BIO_CONN_S_OK)
                         ret=(long)conn_state(b,data);
                 else
                         ret=1;
diff --git a/src/lib/libcrypto/bn/asm/ppc.pl b/src/lib/libcrypto/bn/asm/ppc.pl
index 307c7ccb35..08e0053473 100644
--- a/src/lib/libcrypto/bn/asm/ppc.pl
+++ b/src/lib/libcrypto/bn/asm/ppc.pl
@@ -116,7 +116,7 @@ if ($opf =~ /32\.s/) {
         $UDIV=  "divwu";        # unsigned divide
         $UCMPI= "cmplwi";       # unsigned compare with immediate
         $UCMP=  "cmplw";        # unsigned compare
-        $COUNTZ="cntlzw";       # count leading zeros
+        $CNTLZ= "cntlzw";       # count leading zeros
         $SHL=   "slw";          # shift left
         $SHR=   "srw";          # unsigned shift right
         $SHRI=  "srwi";         # unsigned shift right by immediate     
@@ -124,6 +124,7 @@ if ($opf =~ /32\.s/) {
         $CLRU=  "clrlwi";       # clear upper bits
         $INSR=  "insrwi";       # insert right
         $ROTL=  "rotlwi";       # rotate left by immediate
+        $TR=    "tw";           # conditional trap
 } elsif ($opf =~ /64\.s/) {
         $BITS=  64;
         $BNSZ=  $BITS/8;
@@ -139,7 +140,7 @@ if ($opf =~ /32\.s/) {
         $UDIV=  "divdu";        # unsigned divide
         $UCMPI= "cmpldi";       # unsigned compare with immediate
         $UCMP=  "cmpld";        # unsigned compare
-        $COUNTZ="cntlzd";       # count leading zeros
+        $CNTLZ= "cntlzd";       # count leading zeros
         $SHL=   "sld";          # shift left
         $SHR=   "srd";          # unsigned shift right
         $SHRI=  "srdi";         # unsigned shift right by immediate     
@@ -147,6 +148,7 @@ if ($opf =~ /32\.s/) {
         $CLRU=  "clrldi";       # clear upper bits
         $INSR=  "insrdi";       # insert right 
         $ROTL=  "rotldi";       # rotate left by immediate
+        $TR=    "td";           # conditional trap
 } else { die "nonsense $opf"; }
 
 ( defined shift || open STDOUT,">$opf" ) || die "can't open $opf: $!";
@@ -1710,17 +1712,12 @@ Lppcasm_add_adios:
         bclr    BO_ALWAYS,CR0_LT        
 Lppcasm_div1:
         xor     r0,r0,r0                #r0=0
-        $COUNTZ r7,r5                   #r7 = num leading 0s in d.
-        subfic  r8,r7,$BITS             #r8 = BN_num_bits_word(d)
-        cmpi    0,0,r8,$BITS            #
-        bc      BO_IF,CR0_EQ,Lppcasm_div2       #proceed if (r8==$BITS) 
-        li      r9,1                    # r9=1
-        $SHL    r10,r9,r8               # r9<<=r8
-        $UCMP   0,r3,r10                #       
-        bc      BO_IF,CR0_GT,Lppcasm_div2       #or if (h > (1<<r8))
-        $UDIV   r3,r3,r0                #if not assert(0) divide by 0!
-                                        #that's how we signal overflow
-        bclr    BO_ALWAYS,CR0_LT        #return. NEVER REACHED.
+        li      r8,$BITS
+        $CNTLZ. r7,r5                   #r7 = num leading 0s in d.
+        bc      BO_IF,CR0_EQ,Lppcasm_div2       #proceed if no leading zeros
+        subf    r8,r7,r8                #r8 = BN_num_bits_word(d)
+        $SHR.   r9,r3,r8                #are there any bits above r8'th?
+        $TR     16,r9,r0                #if there're, signal to dump core...
 Lppcasm_div2:
         $UCMP   0,r3,r5                 #h>=d?
         bc      BO_IF,CR0_LT,Lppcasm_div3       #goto Lppcasm_div3 if not
diff --git a/src/lib/libcrypto/bn/asm/sparcv8plus.S b/src/lib/libcrypto/bn/asm/sparcv8plus.S
index 0074dfdb75..8c56e2e7e7 100644
--- a/src/lib/libcrypto/bn/asm/sparcv8plus.S
+++ b/src/lib/libcrypto/bn/asm/sparcv8plus.S
@@ -162,10 +162,14 @@
  * BN_ULONG w;
  */
 bn_mul_add_words:
+        sra     %o2,%g0,%o2     ! signx %o2
         brgz,a  %o2,.L_bn_mul_add_words_proceed
         lduw    [%o1],%g2
         retl
         clr     %o0
+        nop
+        nop
+        nop
 
 .L_bn_mul_add_words_proceed:
         srl     %o3,%g0,%o3     ! clruw %o3
@@ -260,10 +264,14 @@ bn_mul_add_words:
  * BN_ULONG w;
  */
 bn_mul_words:
+        sra     %o2,%g0,%o2     ! signx %o2
         brgz,a  %o2,.L_bn_mul_words_proceeed
         lduw    [%o1],%g2
         retl
         clr     %o0
+        nop
+        nop
+        nop
 
 .L_bn_mul_words_proceeed:
         srl     %o3,%g0,%o3     ! clruw %o3
@@ -344,10 +352,14 @@ bn_mul_words:
  * int n;
  */
 bn_sqr_words:
+        sra     %o2,%g0,%o2     ! signx %o2
         brgz,a  %o2,.L_bn_sqr_words_proceeed
         lduw    [%o1],%g2
         retl
         clr     %o0
+        nop
+        nop
+        nop
 
 .L_bn_sqr_words_proceeed:
         andcc   %o2,-4,%g0
@@ -445,6 +457,7 @@ bn_div_words:
  * int n;
  */
 bn_add_words:
+        sra     %o3,%g0,%o3     ! signx %o3
         brgz,a  %o3,.L_bn_add_words_proceed
         lduw    [%o1],%o4
         retl
@@ -454,7 +467,6 @@ bn_add_words:
         andcc   %o3,-4,%g0
         bz,pn   %icc,.L_bn_add_words_tail
         addcc   %g0,0,%g0       ! clear carry flag
-        nop
 
 .L_bn_add_words_loop:           ! wow! 32 aligned!
         dec     4,%o3
@@ -523,6 +535,7 @@ bn_add_words:
  * int n;
  */
 bn_sub_words:
+        sra     %o3,%g0,%o3     ! signx %o3
         brgz,a  %o3,.L_bn_sub_words_proceed
         lduw    [%o1],%o4
         retl
@@ -532,7 +545,6 @@ bn_sub_words:
         andcc   %o3,-4,%g0
         bz,pn   %icc,.L_bn_sub_words_tail
         addcc   %g0,0,%g0       ! clear carry flag
-        nop
 
 .L_bn_sub_words_loop:           ! wow! 32 aligned!
         dec     4,%o3
diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index 3da6d8ced9..1251521c54 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -225,10 +225,23 @@ extern "C" {
 
 #define BN_FLG_MALLOCED         0x01
 #define BN_FLG_STATIC_DATA      0x02
+#define BN_FLG_EXP_CONSTTIME    0x04 /* avoid leaking exponent information through timings
+                                      * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime) */
 #define BN_FLG_FREE             0x8000  /* used for debuging */
 #define BN_set_flags(b,n)       ((b)->flags|=(n))
 #define BN_get_flags(b,n)       ((b)->flags&(n))
 
+/* get a clone of a BIGNUM with changed flags, for *temporary* use only
+ * (the two BIGNUMs cannot not be used in parallel!) */
+#define BN_with_flags(dest,b,n)  ((dest)->d=(b)->d, \
+                                  (dest)->top=(b)->top, \
+                                  (dest)->dmax=(b)->dmax, \
+                                  (dest)->neg=(b)->neg, \
+                                  (dest)->flags=(((dest)->flags & BN_FLG_MALLOCED) \
+                                                 |  ((b)->flags & ~BN_FLG_MALLOCED) \
+                                                 |  BN_FLG_STATIC_DATA \
+                                                 |  (n)))
+
 typedef struct bignum_st
         {
         BN_ULONG *d;    /* Pointer to an array of 'BN_BITS2' bit chunks. */
@@ -378,6 +391,8 @@ int	BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
         const BIGNUM *m,BN_CTX *ctx);
 int     BN_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
         const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+        const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont);
 int     BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p,
         const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 int     BN_mod_exp2_mont(BIGNUM *r, const BIGNUM *a1, const BIGNUM *p1,
@@ -423,6 +438,19 @@ int	BN_is_prime_fasttest(const BIGNUM *p,int nchecks,
         void (*callback)(int,int,void *),BN_CTX *ctx,void *cb_arg,
         int do_trial_division);
 
+#ifdef OPENSSL_FIPS
+int BN_X931_derive_prime(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
+                        void (*cb)(int, int, void *), void *cb_arg,
+                        const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2,
+                        const BIGNUM *e, BN_CTX *ctx);
+int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx);
+int BN_X931_generate_prime(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
+                        BIGNUM *Xp1, BIGNUM *Xp2,
+                        const BIGNUM *Xp,
+                        const BIGNUM *e, BN_CTX *ctx,
+                        void (*cb)(int, int, void *), void *cb_arg);
+#endif
+
 BN_MONT_CTX *BN_MONT_CTX_new(void );
 void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
 int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b,
@@ -434,6 +462,8 @@ int BN_from_montgomery(BIGNUM *r,const BIGNUM *a,
 void BN_MONT_CTX_free(BN_MONT_CTX *mont);
 int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *mod,BN_CTX *ctx);
 BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to,BN_MONT_CTX *from);
+BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
+                                        const BIGNUM *mod, BN_CTX *ctx);
 
 BN_BLINDING *BN_BLINDING_new(BIGNUM *A,BIGNUM *Ai,BIGNUM *mod);
 void BN_BLINDING_free(BN_BLINDING *b);
@@ -510,11 +540,15 @@ void ERR_load_BN_strings(void);
 #define BN_F_BN_CTX_GET                                  116
 #define BN_F_BN_CTX_NEW                                  106
 #define BN_F_BN_DIV                                      107
+#define BN_F_BN_EXP                                      123
 #define BN_F_BN_EXPAND2                                  108
 #define BN_F_BN_EXPAND_INTERNAL                          120
 #define BN_F_BN_MOD_EXP2_MONT                            118
 #define BN_F_BN_MOD_EXP_MONT                             109
+#define BN_F_BN_MOD_EXP_MONT_CONSTTIME                   124
 #define BN_F_BN_MOD_EXP_MONT_WORD                        117
+#define BN_F_BN_MOD_EXP_RECP                             125
+#define BN_F_BN_MOD_EXP_SIMPLE                           126
 #define BN_F_BN_MOD_INVERSE                              110
 #define BN_F_BN_MOD_LSHIFT_QUICK                         119
 #define BN_F_BN_MOD_MUL_RECIPROCAL                       111
diff --git a/src/lib/libcrypto/bn/bn_asm.c b/src/lib/libcrypto/bn/bn_asm.c
index be8aa3ffc5..19978085b2 100644
--- a/src/lib/libcrypto/bn/bn_asm.c
+++ b/src/lib/libcrypto/bn/bn_asm.c
@@ -237,7 +237,7 @@ BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
         if (d == 0) return(BN_MASK2);
 
         i=BN_num_bits_word(d);
-        assert((i == BN_BITS2) || (h > (BN_ULONG)1<<i));
+        assert((i == BN_BITS2) || (h <= (BN_ULONG)1<<i));
 
         i=BN_BITS2-i;
         if (h >= d) h-=d;
diff --git a/src/lib/libcrypto/bn/bn_err.c b/src/lib/libcrypto/bn/bn_err.c
index fb84ee96d8..5dfac00c88 100644
--- a/src/lib/libcrypto/bn/bn_err.c
+++ b/src/lib/libcrypto/bn/bn_err.c
@@ -1,6 +1,6 @@
 /* crypto/bn/bn_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,52 +64,60 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_BN,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_BN,0,reason)
+
 static ERR_STRING_DATA BN_str_functs[]=
         {
-{ERR_PACK(0,BN_F_BN_BLINDING_CONVERT,0),        "BN_BLINDING_convert"},
-{ERR_PACK(0,BN_F_BN_BLINDING_INVERT,0), "BN_BLINDING_invert"},
-{ERR_PACK(0,BN_F_BN_BLINDING_NEW,0),    "BN_BLINDING_new"},
-{ERR_PACK(0,BN_F_BN_BLINDING_UPDATE,0), "BN_BLINDING_update"},
-{ERR_PACK(0,BN_F_BN_BN2DEC,0),  "BN_bn2dec"},
-{ERR_PACK(0,BN_F_BN_BN2HEX,0),  "BN_bn2hex"},
-{ERR_PACK(0,BN_F_BN_CTX_GET,0), "BN_CTX_get"},
-{ERR_PACK(0,BN_F_BN_CTX_NEW,0), "BN_CTX_new"},
-{ERR_PACK(0,BN_F_BN_DIV,0),     "BN_div"},
-{ERR_PACK(0,BN_F_BN_EXPAND2,0), "bn_expand2"},
-{ERR_PACK(0,BN_F_BN_EXPAND_INTERNAL,0), "BN_EXPAND_INTERNAL"},
-{ERR_PACK(0,BN_F_BN_MOD_EXP2_MONT,0),   "BN_mod_exp2_mont"},
-{ERR_PACK(0,BN_F_BN_MOD_EXP_MONT,0),    "BN_mod_exp_mont"},
-{ERR_PACK(0,BN_F_BN_MOD_EXP_MONT_WORD,0),       "BN_mod_exp_mont_word"},
-{ERR_PACK(0,BN_F_BN_MOD_INVERSE,0),     "BN_mod_inverse"},
-{ERR_PACK(0,BN_F_BN_MOD_LSHIFT_QUICK,0),        "BN_mod_lshift_quick"},
-{ERR_PACK(0,BN_F_BN_MOD_MUL_RECIPROCAL,0),      "BN_mod_mul_reciprocal"},
-{ERR_PACK(0,BN_F_BN_MOD_SQRT,0),        "BN_mod_sqrt"},
-{ERR_PACK(0,BN_F_BN_MPI2BN,0),  "BN_mpi2bn"},
-{ERR_PACK(0,BN_F_BN_NEW,0),     "BN_new"},
-{ERR_PACK(0,BN_F_BN_RAND,0),    "BN_rand"},
-{ERR_PACK(0,BN_F_BN_RAND_RANGE,0),      "BN_rand_range"},
-{ERR_PACK(0,BN_F_BN_USUB,0),    "BN_usub"},
+{ERR_FUNC(BN_F_BN_BLINDING_CONVERT),    "BN_BLINDING_convert"},
+{ERR_FUNC(BN_F_BN_BLINDING_INVERT),     "BN_BLINDING_invert"},
+{ERR_FUNC(BN_F_BN_BLINDING_NEW),        "BN_BLINDING_new"},
+{ERR_FUNC(BN_F_BN_BLINDING_UPDATE),     "BN_BLINDING_update"},
+{ERR_FUNC(BN_F_BN_BN2DEC),      "BN_bn2dec"},
+{ERR_FUNC(BN_F_BN_BN2HEX),      "BN_bn2hex"},
+{ERR_FUNC(BN_F_BN_CTX_GET),     "BN_CTX_get"},
+{ERR_FUNC(BN_F_BN_CTX_NEW),     "BN_CTX_new"},
+{ERR_FUNC(BN_F_BN_DIV), "BN_div"},
+{ERR_FUNC(BN_F_BN_EXP), "BN_exp"},
+{ERR_FUNC(BN_F_BN_EXPAND2),     "bn_expand2"},
+{ERR_FUNC(BN_F_BN_EXPAND_INTERNAL),     "BN_EXPAND_INTERNAL"},
+{ERR_FUNC(BN_F_BN_MOD_EXP2_MONT),       "BN_mod_exp2_mont"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_MONT),        "BN_mod_exp_mont"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_MONT_CONSTTIME),      "BN_mod_exp_mont_consttime"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_MONT_WORD),   "BN_mod_exp_mont_word"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_RECP),        "BN_mod_exp_recp"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_SIMPLE),      "BN_mod_exp_simple"},
+{ERR_FUNC(BN_F_BN_MOD_INVERSE), "BN_mod_inverse"},
+{ERR_FUNC(BN_F_BN_MOD_LSHIFT_QUICK),    "BN_mod_lshift_quick"},
+{ERR_FUNC(BN_F_BN_MOD_MUL_RECIPROCAL),  "BN_mod_mul_reciprocal"},
+{ERR_FUNC(BN_F_BN_MOD_SQRT),    "BN_mod_sqrt"},
+{ERR_FUNC(BN_F_BN_MPI2BN),      "BN_mpi2bn"},
+{ERR_FUNC(BN_F_BN_NEW), "BN_new"},
+{ERR_FUNC(BN_F_BN_RAND),        "BN_rand"},
+{ERR_FUNC(BN_F_BN_RAND_RANGE),  "BN_rand_range"},
+{ERR_FUNC(BN_F_BN_USUB),        "BN_usub"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA BN_str_reasons[]=
         {
-{BN_R_ARG2_LT_ARG3                       ,"arg2 lt arg3"},
-{BN_R_BAD_RECIPROCAL                     ,"bad reciprocal"},
-{BN_R_BIGNUM_TOO_LONG                    ,"bignum too long"},
-{BN_R_CALLED_WITH_EVEN_MODULUS           ,"called with even modulus"},
-{BN_R_DIV_BY_ZERO                        ,"div by zero"},
-{BN_R_ENCODING_ERROR                     ,"encoding error"},
-{BN_R_EXPAND_ON_STATIC_BIGNUM_DATA       ,"expand on static bignum data"},
-{BN_R_INPUT_NOT_REDUCED                  ,"input not reduced"},
-{BN_R_INVALID_LENGTH                     ,"invalid length"},
-{BN_R_INVALID_RANGE                      ,"invalid range"},
-{BN_R_NOT_A_SQUARE                       ,"not a square"},
-{BN_R_NOT_INITIALIZED                    ,"not initialized"},
-{BN_R_NO_INVERSE                         ,"no inverse"},
-{BN_R_P_IS_NOT_PRIME                     ,"p is not prime"},
-{BN_R_TOO_MANY_ITERATIONS                ,"too many iterations"},
-{BN_R_TOO_MANY_TEMPORARY_VARIABLES       ,"too many temporary variables"},
+{ERR_REASON(BN_R_ARG2_LT_ARG3)           ,"arg2 lt arg3"},
+{ERR_REASON(BN_R_BAD_RECIPROCAL)         ,"bad reciprocal"},
+{ERR_REASON(BN_R_BIGNUM_TOO_LONG)        ,"bignum too long"},
+{ERR_REASON(BN_R_CALLED_WITH_EVEN_MODULUS),"called with even modulus"},
+{ERR_REASON(BN_R_DIV_BY_ZERO)            ,"div by zero"},
+{ERR_REASON(BN_R_ENCODING_ERROR)         ,"encoding error"},
+{ERR_REASON(BN_R_EXPAND_ON_STATIC_BIGNUM_DATA),"expand on static bignum data"},
+{ERR_REASON(BN_R_INPUT_NOT_REDUCED)      ,"input not reduced"},
+{ERR_REASON(BN_R_INVALID_LENGTH)         ,"invalid length"},
+{ERR_REASON(BN_R_INVALID_RANGE)          ,"invalid range"},
+{ERR_REASON(BN_R_NOT_A_SQUARE)           ,"not a square"},
+{ERR_REASON(BN_R_NOT_INITIALIZED)        ,"not initialized"},
+{ERR_REASON(BN_R_NO_INVERSE)             ,"no inverse"},
+{ERR_REASON(BN_R_P_IS_NOT_PRIME)         ,"p is not prime"},
+{ERR_REASON(BN_R_TOO_MANY_ITERATIONS)    ,"too many iterations"},
+{ERR_REASON(BN_R_TOO_MANY_TEMPORARY_VARIABLES),"too many temporary variables"},
 {0,NULL}
         };
 
@@ -123,8 +131,8 @@ void ERR_load_BN_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_BN,BN_str_functs);
-                ERR_load_strings(ERR_LIB_BN,BN_str_reasons);
+                ERR_load_strings(0,BN_str_functs);
+                ERR_load_strings(0,BN_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index afdfd580fb..9e1e88abe8 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -113,6 +113,7 @@
 #include "cryptlib.h"
 #include "bn_lcl.h"
 
+/* maximum precomputation table size for *variable* sliding windows */
 #define TABLE_SIZE      32
 
 /* this one works - simple but works */
@@ -121,6 +122,13 @@ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
         int i,bits,ret=0;
         BIGNUM *v,*rr;
 
+        if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+                {
+                /* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+                BNerr(BN_F_BN_EXP,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return -1;
+                }
+
         BN_CTX_start(ctx);
         if ((r == a) || (r == p))
                 rr = BN_CTX_get(ctx);
@@ -204,7 +212,7 @@ int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
         if (BN_is_odd(m))
                 {
 #  ifdef MONT_EXP_WORD
-                if (a->top == 1 && !a->neg)
+                if (a->top == 1 && !a->neg && (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) == 0))
                         {
                         BN_ULONG A = a->d[0];
                         ret=BN_mod_exp_mont_word(r,A,p,m,ctx,NULL);
@@ -234,6 +242,13 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
         BIGNUM val[TABLE_SIZE];
         BN_RECP_CTX recp;
 
+        if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+                {
+                /* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+                BNerr(BN_F_BN_MOD_EXP_RECP,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return -1;
+                }
+
         bits=BN_num_bits(p);
 
         if (bits == 0)
@@ -361,6 +376,11 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
         BIGNUM val[TABLE_SIZE];
         BN_MONT_CTX *mont=NULL;
 
+        if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+                {
+                return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont);
+                }
+
         bn_check_top(a);
         bn_check_top(p);
         bn_check_top(m);
@@ -493,6 +513,212 @@ err:
         return(ret);
         }
 
+
+/* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific layout
+ * so that accessing any of these table values shows the same access pattern as far
+ * as cache lines are concerned.  The following functions are used to transfer a BIGNUM
+ * from/to that table. */
+
+static int MOD_EXP_CTIME_COPY_TO_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width)
+        {
+        size_t i, j;
+
+        if (bn_wexpand(b, top) == NULL)
+                return 0;
+        while (b->top < top)
+                {
+                b->d[b->top++] = 0;
+                }
+        
+        for (i = 0, j=idx; i < top * sizeof b->d[0]; i++, j+=width)
+                {
+                buf[j] = ((unsigned char*)b->d)[i];
+                }
+
+        bn_fix_top(b);
+        return 1;
+        }
+
+static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width)
+        {
+        size_t i, j;
+
+        if (bn_wexpand(b, top) == NULL)
+                return 0;
+
+        for (i=0, j=idx; i < top * sizeof b->d[0]; i++, j+=width)
+                {
+                ((unsigned char*)b->d)[i] = buf[j];
+                }
+
+        b->top = top;
+        bn_fix_top(b);
+        return 1;
+        }       
+
+/* Given a pointer value, compute the next address that is a cache line multiple. */
+#define MOD_EXP_CTIME_ALIGN(x_) \
+        ((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((BN_ULONG)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
+
+/* This variant of BN_mod_exp_mont() uses fixed windows and the special
+ * precomputation memory layout to limit data-dependency to a minimum
+ * to protect secret exponents (cf. the hyper-threading timing attacks
+ * pointed out by Colin Percival,
+ * http://www.daemonology.net/hyperthreading-considered-harmful/)
+ */
+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+                    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+        {
+        int i,bits,ret=0,idx,window,wvalue;
+        int top;
+        BIGNUM *r;
+        const BIGNUM *aa;
+        BN_MONT_CTX *mont=NULL;
+
+        int numPowers;
+        unsigned char *powerbufFree=NULL;
+        int powerbufLen = 0;
+        unsigned char *powerbuf=NULL;
+        BIGNUM *computeTemp=NULL, *am=NULL;
+
+        bn_check_top(a);
+        bn_check_top(p);
+        bn_check_top(m);
+
+        top = m->top;
+
+        if (!(m->d[0] & 1))
+                {
+                BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME,BN_R_CALLED_WITH_EVEN_MODULUS);
+                return(0);
+                }
+        bits=BN_num_bits(p);
+        if (bits == 0)
+                {
+                ret = BN_one(rr);
+                return ret;
+                }
+
+        /* Initialize BIGNUM context and allocate intermediate result */
+        BN_CTX_start(ctx);
+        r = BN_CTX_get(ctx);
+        if (r == NULL) goto err;
+
+        /* Allocate a montgomery context if it was not supplied by the caller.
+         * If this is not done, things will break in the montgomery part.
+         */
+        if (in_mont != NULL)
+                mont=in_mont;
+        else
+                {
+                if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
+                if (!BN_MONT_CTX_set(mont,m,ctx)) goto err;
+                }
+
+        /* Get the window size to use with size of p. */
+        window = BN_window_bits_for_ctime_exponent_size(bits);
+
+        /* Allocate a buffer large enough to hold all of the pre-computed
+         * powers of a.
+         */
+        numPowers = 1 << window;
+        powerbufLen = sizeof(m->d[0])*top*numPowers;
+        if ((powerbufFree=(unsigned char*)OPENSSL_malloc(powerbufLen+MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) == NULL)
+                goto err;
+                
+        powerbuf = MOD_EXP_CTIME_ALIGN(powerbufFree);
+        memset(powerbuf, 0, powerbufLen);
+
+        /* Initialize the intermediate result. Do this early to save double conversion,
+         * once each for a^0 and intermediate result.
+         */
+        if (!BN_to_montgomery(r,BN_value_one(),mont,ctx)) goto err;
+        if (!MOD_EXP_CTIME_COPY_TO_PREBUF(r, top, powerbuf, 0, numPowers)) goto err;
+
+        /* Initialize computeTemp as a^1 with montgomery precalcs */
+        computeTemp = BN_CTX_get(ctx);
+        am = BN_CTX_get(ctx);
+        if (computeTemp==NULL || am==NULL) goto err;
+
+        if (a->neg || BN_ucmp(a,m) >= 0)
+                {
+                if (!BN_mod(am,a,m,ctx))
+                        goto err;
+                aa= am;
+                }
+        else
+                aa=a;
+        if (!BN_to_montgomery(am,aa,mont,ctx)) goto err;
+        if (!BN_copy(computeTemp, am)) goto err;
+        if (!MOD_EXP_CTIME_COPY_TO_PREBUF(am, top, powerbuf, 1, numPowers)) goto err;
+
+        /* If the window size is greater than 1, then calculate
+         * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)
+         * (even powers could instead be computed as (a^(i/2))^2
+         * to use the slight performance advantage of sqr over mul).
+         */
+        if (window > 1)
+                {
+                for (i=2; i<numPowers; i++)
+                        {
+                        /* Calculate a^i = a^(i-1) * a */
+                        if (!BN_mod_mul_montgomery(computeTemp,am,computeTemp,mont,ctx))
+                                goto err;
+                        if (!MOD_EXP_CTIME_COPY_TO_PREBUF(computeTemp, top, powerbuf, i, numPowers)) goto err;
+                        }
+                }
+
+        /* Adjust the number of bits up to a multiple of the window size.
+         * If the exponent length is not a multiple of the window size, then
+         * this pads the most significant bits with zeros to normalize the
+         * scanning loop to there's no special cases.
+         *
+         * * NOTE: Making the window size a power of two less than the native
+         * * word size ensures that the padded bits won't go past the last
+         * * word in the internal BIGNUM structure. Going past the end will
+         * * still produce the correct result, but causes a different branch
+         * * to be taken in the BN_is_bit_set function.
+         */
+        bits = ((bits+window-1)/window)*window;
+        idx=bits-1;     /* The top bit of the window */
+
+        /* Scan the exponent one window at a time starting from the most
+         * significant bits.
+         */
+        while (idx >= 0)
+                {
+                wvalue=0; /* The 'value' of the window */
+                
+                /* Scan the window, squaring the result as we go */
+                for (i=0; i<window; i++,idx--)
+                        {
+                        if (!BN_mod_mul_montgomery(r,r,r,mont,ctx))     goto err;
+                        wvalue = (wvalue<<1)+BN_is_bit_set(p,idx);
+                        }
+                
+                /* Fetch the appropriate pre-computed value from the pre-buf */
+                if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(computeTemp, top, powerbuf, wvalue, numPowers)) goto err;
+
+                /* Multiply the result into the intermediate result */
+                if (!BN_mod_mul_montgomery(r,r,computeTemp,mont,ctx)) goto err;
+                }
+
+        /* Convert the final result from montgomery to standard format */
+        if (!BN_from_montgomery(rr,r,mont,ctx)) goto err;
+        ret=1;
+err:
+        if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
+        if (powerbuf!=NULL)
+                {
+                OPENSSL_cleanse(powerbuf,powerbufLen);
+                OPENSSL_free(powerbufFree);
+                }
+        if (am!=NULL) BN_clear(am);
+        if (computeTemp!=NULL) BN_clear(computeTemp);
+        BN_CTX_end(ctx);
+        return(ret);
+        }
+
 int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
                          const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
         {
@@ -517,6 +743,13 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
 #define BN_TO_MONTGOMERY_WORD(r, w, mont) \
                 (BN_set_word(r, (w)) && BN_to_montgomery(r, r, (mont), ctx))
 
+        if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+                {
+                /* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+                BNerr(BN_F_BN_MOD_EXP_MONT_WORD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return -1;
+                }
+
         bn_check_top(p);
         bn_check_top(m);
 
@@ -644,6 +877,13 @@ int BN_mod_exp_simple(BIGNUM *r,
         BIGNUM *d;
         BIGNUM val[TABLE_SIZE];
 
+        if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+                {
+                /* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+                BNerr(BN_F_BN_MOD_EXP_SIMPLE,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return -1;
+                }
+
         bits=BN_num_bits(p);
 
         if (bits == 0)
diff --git a/src/lib/libcrypto/bn/bn_lcl.h b/src/lib/libcrypto/bn/bn_lcl.h
index 253e195e23..a84998f2bd 100644
--- a/src/lib/libcrypto/bn/bn_lcl.h
+++ b/src/lib/libcrypto/bn/bn_lcl.h
@@ -177,6 +177,45 @@ struct bignum_ctx
 
 
 
+/* BN_mod_exp_mont_conttime is based on the assumption that the
+ * L1 data cache line width of the target processor is at least
+ * the following value.
+ */
+#define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH      ( 64 )
+#define MOD_EXP_CTIME_MIN_CACHE_LINE_MASK       (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - 1)
+
+/* Window sizes optimized for fixed window size modular exponentiation
+ * algorithm (BN_mod_exp_mont_consttime).
+ *
+ * To achieve the security goals of BN_mode_exp_mont_consttime, the
+ * maximum size of the window must not exceed
+ * log_2(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH). 
+ *
+ * Window size thresholds are defined for cache line sizes of 32 and 64,
+ * cache line sizes where log_2(32)=5 and log_2(64)=6 respectively. A
+ * window size of 7 should only be used on processors that have a 128
+ * byte or greater cache line size.
+ */
+#if MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 64
+
+#  define BN_window_bits_for_ctime_exponent_size(b) \
+                ((b) > 937 ? 6 : \
+                 (b) > 306 ? 5 : \
+                 (b) >  89 ? 4 : \
+                 (b) >  22 ? 3 : 1)
+#  define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE    (6)
+
+#elif MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 32
+
+#  define BN_window_bits_for_ctime_exponent_size(b) \
+                ((b) > 306 ? 5 : \
+                 (b) >  89 ? 4 : \
+                 (b) >  22 ? 3 : 1)
+#  define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE    (5)
+
+#endif
+
+
 /* Pentium pro 16,16,16,32,64 */
 /* Alpha       16,16,16,16.64 */
 #define BN_MULL_SIZE_NORMAL                     (16) /* 32 */
diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c
index b79b1b60da..3572e5a690 100644
--- a/src/lib/libcrypto/bn/bn_mont.c
+++ b/src/lib/libcrypto/bn/bn_mont.c
@@ -347,3 +347,23 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
         return(to);
         }
 
+BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
+                                        const BIGNUM *mod, BN_CTX *ctx)
+        {
+        if (*pmont)
+                return *pmont;
+        CRYPTO_w_lock(lock);
+        if (!*pmont)
+                {
+                *pmont = BN_MONT_CTX_new();
+                if (*pmont && !BN_MONT_CTX_set(*pmont, mod, ctx))
+                        {
+                        BN_MONT_CTX_free(*pmont);
+                        *pmont = NULL;
+                        }
+                }
+        CRYPTO_w_unlock(lock);
+        return *pmont;
+        }
+                
+
diff --git a/src/lib/libcrypto/bn/bn_x931p.c b/src/lib/libcrypto/bn/bn_x931p.c
new file mode 100644
index 0000000000..c64410dd3a
--- /dev/null
+++ b/src/lib/libcrypto/bn/bn_x931p.c
@@ -0,0 +1,282 @@
+/* bn_x931p.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2005.
+ */
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/bn.h>
+
+#ifdef OPENSSL_FIPS
+
+/* X9.31 routines for prime derivation */
+
+
+/* X9.31 prime derivation. This is used to generate the primes pi
+ * (p1, p2, q1, q2) from a parameter Xpi by checking successive odd
+ * integers.
+ */
+
+static int bn_x931_derive_pi(BIGNUM *pi, const BIGNUM *Xpi, BN_CTX *ctx,
+                        void (*cb)(int, int, void *), void *cb_arg)
+        {
+        int i = 0;
+        if (!BN_copy(pi, Xpi))
+                return 0;
+        if (!BN_is_odd(pi) && !BN_add_word(pi, 1))
+                return 0;
+        for(;;)
+                {
+                i++;
+                if (cb)
+                        cb(0, i, cb_arg);
+                /* NB 27 MR is specificed in X9.31 */
+                if (BN_is_prime_fasttest(pi, 27, cb, ctx, cb_arg, 1))
+                        break;
+                if (!BN_add_word(pi, 2))
+                        return 0;
+                }
+        if (cb)
+                cb(2, i, cb_arg);
+        return 1;
+        }
+
+/* This is the main X9.31 prime derivation function. From parameters
+ * Xp1, Xp2 and Xp derive the prime p. If the parameters p1 or p2 are
+ * not NULL they will be returned too: this is needed for testing.
+ */
+
+int BN_X931_derive_prime(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
+                        void (*cb)(int, int, void *), void *cb_arg,
+                        const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2,
+                        const BIGNUM *e, BN_CTX *ctx)
+        {
+        int ret = 0;
+
+        BIGNUM *t, *p1p2, *pm1;
+
+        /* Only even e supported */
+        if (!BN_is_odd(e))
+                return 0;
+
+        BN_CTX_start(ctx);
+        if (!p1)
+                p1 = BN_CTX_get(ctx);
+
+        if (!p2)
+                p2 = BN_CTX_get(ctx);
+
+        t = BN_CTX_get(ctx);
+
+        p1p2 = BN_CTX_get(ctx);
+
+        pm1 = BN_CTX_get(ctx);
+
+        if (!bn_x931_derive_pi(p1, Xp1, ctx, cb, cb_arg))
+                goto err;
+
+        if (!bn_x931_derive_pi(p2, Xp2, ctx, cb, cb_arg))
+                goto err;
+
+        if (!BN_mul(p1p2, p1, p2, ctx))
+                goto err;
+
+        /* First set p to value of Rp */
+
+        if (!BN_mod_inverse(p, p2, p1, ctx))
+                goto err;
+
+        if (!BN_mul(p, p, p2, ctx))
+                goto err;
+
+        if (!BN_mod_inverse(t, p1, p2, ctx))
+                goto err;
+
+        if (!BN_mul(t, t, p1, ctx))
+                goto err;
+
+        if (!BN_sub(p, p, t))
+                goto err;
+
+        if (p->neg && !BN_add(p, p, p1p2))
+                goto err;
+
+        /* p now equals Rp */
+
+        if (!BN_mod_sub(p, p, Xp, p1p2, ctx))
+                goto err;
+
+        if (!BN_add(p, p, Xp))
+                goto err;
+
+        /* p now equals Yp0 */
+
+        for (;;)
+                {
+                int i = 1;
+                if (cb)
+                        cb(0, i++, cb_arg);
+                if (!BN_copy(pm1, p))
+                        goto err;
+                if (!BN_sub_word(pm1, 1))
+                        goto err;
+                if (!BN_gcd(t, pm1, e, ctx))
+                        goto err;
+                if (BN_is_one(t)
+                /* X9.31 specifies 8 MR and 1 Lucas test or any prime test
+                 * offering similar or better guarantees 50 MR is considerably 
+                 * better.
+                 */
+                        && BN_is_prime_fasttest(p, 50, cb, ctx, cb_arg, 1))
+                        break;
+                if (!BN_add(p, p, p1p2))
+                        goto err;
+                }
+
+        if (cb)
+                cb(3, 0, cb_arg);
+
+        ret = 1;
+
+        err:
+
+        BN_CTX_end(ctx);
+
+        return ret;
+        }
+
+/* Generate pair of paramters Xp, Xq for X9.31 prime generation.
+ * Note: nbits paramter is sum of number of bits in both.
+ */
+
+int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
+        {
+        BIGNUM *t;
+        int i;
+        /* Number of bits for each prime is of the form
+         * 512+128s for s = 0, 1, ...
+         */
+        if ((nbits < 1024) || (nbits & 0xff))
+                return 0;
+        nbits >>= 1;
+        /* The random value Xp must be between sqrt(2) * 2^(nbits-1) and
+         * 2^nbits - 1. By setting the top two bits we ensure that the lower
+         * bound is exceeded.
+         */
+        if (!BN_rand(Xp, nbits, 1, 0))
+                return 0;
+
+        BN_CTX_start(ctx);
+        t = BN_CTX_get(ctx);
+
+        for (i = 0; i < 1000; i++)
+                {
+                if (!BN_rand(Xq, nbits, 1, 0))
+                        return 0;
+                /* Check that |Xp - Xq| > 2^(nbits - 100) */
+                BN_sub(t, Xp, Xq);
+                if (BN_num_bits(t) > (nbits - 100))
+                        break;
+                }
+
+        BN_CTX_end(ctx);
+
+        if (i < 1000)
+                return 1;
+
+        return 0;
+
+        }
+
+/* Generate primes using X9.31 algorithm. Of the values p, p1, p2, Xp1
+ * and Xp2 only 'p' needs to be non-NULL. If any of the others are not NULL
+ * the relevant parameter will be stored in it.
+ *
+ * Due to the fact that |Xp - Xq| > 2^(nbits - 100) must be satisfied Xp and Xq
+ * are generated using the previous function and supplied as input.
+ */
+
+int BN_X931_generate_prime(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
+                        BIGNUM *Xp1, BIGNUM *Xp2,
+                        const BIGNUM *Xp,
+                        const BIGNUM *e, BN_CTX *ctx,
+                        void (*cb)(int, int, void *), void *cb_arg)
+        {
+        int ret = 0;
+
+        BN_CTX_start(ctx);
+        if (!Xp1)
+                Xp1 = BN_CTX_get(ctx);
+        if (!Xp2)
+                Xp2 = BN_CTX_get(ctx);
+
+        if (!BN_rand(Xp1, 101, 0, 0))
+                goto error;
+        if (!BN_rand(Xp2, 101, 0, 0))
+                goto error;
+        if (!BN_X931_derive_prime(p, p1, p2, cb, cb_arg,
+                                                Xp, Xp1, Xp2, e, ctx))
+                goto error;
+
+        ret = 1;
+
+        error:
+        BN_CTX_end(ctx);
+
+        return ret;
+
+        }
+
+#endif
diff --git a/src/lib/libcrypto/buffer/buf_err.c b/src/lib/libcrypto/buffer/buf_err.c
index 5eee653e14..1fc32a6861 100644
--- a/src/lib/libcrypto/buffer/buf_err.c
+++ b/src/lib/libcrypto/buffer/buf_err.c
@@ -1,6 +1,6 @@
 /* crypto/buffer/buf_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,11 +64,15 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_BUF,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_BUF,0,reason)
+
 static ERR_STRING_DATA BUF_str_functs[]=
         {
-{ERR_PACK(0,BUF_F_BUF_MEM_GROW,0),      "BUF_MEM_grow"},
-{ERR_PACK(0,BUF_F_BUF_MEM_NEW,0),       "BUF_MEM_new"},
-{ERR_PACK(0,BUF_F_BUF_STRDUP,0),        "BUF_strdup"},
+{ERR_FUNC(BUF_F_BUF_MEM_GROW),  "BUF_MEM_grow"},
+{ERR_FUNC(BUF_F_BUF_MEM_NEW),   "BUF_MEM_new"},
+{ERR_FUNC(BUF_F_BUF_STRDUP),    "BUF_strdup"},
 {0,NULL}
         };
 
@@ -87,8 +91,8 @@ void ERR_load_BUF_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_BUF,BUF_str_functs);
-                ERR_load_strings(ERR_LIB_BUF,BUF_str_reasons);
+                ERR_load_strings(0,BUF_str_functs);
+                ERR_load_strings(0,BUF_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/cast/c_skey.c b/src/lib/libcrypto/cast/c_skey.c
index dc4791a8cf..db9b7573e0 100644
--- a/src/lib/libcrypto/cast/c_skey.c
+++ b/src/lib/libcrypto/cast/c_skey.c
@@ -57,6 +57,7 @@
  */
 
 #include <openssl/crypto.h>
+#include <openssl/fips.h>
 #include <openssl/cast.h>
 
 #include "cast_lcl.h"
diff --git a/src/lib/libcrypto/cast/cast_lcl.h b/src/lib/libcrypto/cast/cast_lcl.h
index 37f41cc6a4..e756021a33 100644
--- a/src/lib/libcrypto/cast/cast_lcl.h
+++ b/src/lib/libcrypto/cast/cast_lcl.h
@@ -64,11 +64,6 @@
 #endif
 
 
-#ifdef OPENSSL_BUILD_SHLIBCRYPTO
-# undef OPENSSL_EXTERN
-# define OPENSSL_EXTERN OPENSSL_EXPORT
-#endif
-
 #undef c2l
 #define c2l(c,l)        (l =((unsigned long)(*((c)++)))    , \
                          l|=((unsigned long)(*((c)++)))<< 8L, \
@@ -222,11 +217,11 @@
         }
 #endif
 
-OPENSSL_EXTERN const CAST_LONG CAST_S_table0[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table1[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table2[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table3[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table4[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table5[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table6[256];
-OPENSSL_EXTERN const CAST_LONG CAST_S_table7[256];
+extern const CAST_LONG CAST_S_table0[256];
+extern const CAST_LONG CAST_S_table1[256];
+extern const CAST_LONG CAST_S_table2[256];
+extern const CAST_LONG CAST_S_table3[256];
+extern const CAST_LONG CAST_S_table4[256];
+extern const CAST_LONG CAST_S_table5[256];
+extern const CAST_LONG CAST_S_table6[256];
+extern const CAST_LONG CAST_S_table7[256];
diff --git a/src/lib/libcrypto/comp/c_zlib.c b/src/lib/libcrypto/comp/c_zlib.c
index 1bd2850d15..5fcb521ffb 100644
--- a/src/lib/libcrypto/comp/c_zlib.c
+++ b/src/lib/libcrypto/comp/c_zlib.c
@@ -51,30 +51,17 @@ static COMP_METHOD zlib_method={
  */
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
 # include <windows.h>
-
-# define Z_CALLCONV _stdcall
-# define ZLIB_SHARED
-#else
-# define Z_CALLCONV
 #endif /* !(OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32) */
 
 #ifdef ZLIB_SHARED
 #include <openssl/dso.h>
 
-/* Prototypes for built in stubs */
-static int stub_compress(Bytef *dest,uLongf *destLen,
-        const Bytef *source, uLong sourceLen);
-static int stub_inflateEnd(z_streamp strm);
-static int stub_inflate(z_streamp strm, int flush);
-static int stub_inflateInit_(z_streamp strm, const char * version,
-        int stream_size);
-
 /* Function pointers */
-typedef int (Z_CALLCONV *compress_ft)(Bytef *dest,uLongf *destLen,
+typedef int (*compress_ft)(Bytef *dest,uLongf *destLen,
         const Bytef *source, uLong sourceLen);
-typedef int (Z_CALLCONV *inflateEnd_ft)(z_streamp strm);
-typedef int (Z_CALLCONV *inflate_ft)(z_streamp strm, int flush);
-typedef int (Z_CALLCONV *inflateInit__ft)(z_streamp strm,
+typedef int (*inflateEnd_ft)(z_streamp strm);
+typedef int (*inflate_ft)(z_streamp strm, int flush);
+typedef int (*inflateInit__ft)(z_streamp strm,
         const char * version, int stream_size);
 static compress_ft      p_compress=NULL;
 static inflateEnd_ft    p_inflateEnd=NULL;
@@ -84,10 +71,10 @@ static inflateInit__ft	p_inflateInit_=NULL;
 static int zlib_loaded = 0;     /* only attempt to init func pts once */
 static DSO *zlib_dso = NULL;
 
-#define compress                stub_compress
-#define inflateEnd              stub_inflateEnd
-#define inflate                 stub_inflate
-#define inflateInit_            stub_inflateInit_
+#define compress                p_compress
+#define inflateEnd              p_inflateEnd
+#define inflate                 p_inflate
+#define inflateInit_            p_inflateInit_
 #endif /* ZLIB_SHARED */
 
 static int zlib_compress_block(COMP_CTX *ctx, unsigned char *out,
@@ -191,16 +178,6 @@ COMP_METHOD *COMP_zlib(void)
                 {
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
                 zlib_dso = DSO_load(NULL, "ZLIB1", NULL, 0);
-                if (!zlib_dso)
-                        {
-                        zlib_dso = DSO_load(NULL, "ZLIB", NULL, 0);
-                        if (zlib_dso)
-                                {
-                                /* Clear the errors from the first failed
-                                   DSO_load() */
-                                ERR_clear_error();
-                                }
-                        }
 #else
                 zlib_dso = DSO_load(NULL, "z", NULL, 0);
 #endif
@@ -218,54 +195,21 @@ COMP_METHOD *COMP_zlib(void)
                         p_inflateInit_
                                 = (inflateInit__ft) DSO_bind_func(zlib_dso,
                                         "inflateInit_");
-                        zlib_loaded++;
+
+                        if (p_compress && p_inflateEnd && p_inflate
+                                && p_inflateInit_)
+                                zlib_loaded++;
                         }
                 }
 
 #endif
+#ifdef ZLIB_SHARED
+        if (zlib_loaded)
+#endif
 #if defined(ZLIB) || defined(ZLIB_SHARED)
-        meth = &zlib_method;
+                meth = &zlib_method;
 #endif
 
         return(meth);
         }
 
-#ifdef ZLIB_SHARED
-/* Stubs for each function to be dynamicly loaded */
-static int 
-stub_compress(Bytef *dest,uLongf *destLen,const Bytef *source, uLong sourceLen)
-        {
-        if (p_compress)
-                return(p_compress(dest,destLen,source,sourceLen));
-        else
-                return(Z_MEM_ERROR);
-        }
-
-static int
-stub_inflateEnd(z_streamp strm)
-        {
-        if ( p_inflateEnd )
-                return(p_inflateEnd(strm));
-        else
-                return(Z_MEM_ERROR);
-        }
-
-static int
-stub_inflate(z_streamp strm, int flush)
-        {
-        if ( p_inflate )
-                return(p_inflate(strm,flush));
-        else
-                return(Z_MEM_ERROR);
-        }
-
-static int
-stub_inflateInit_(z_streamp strm, const char * version, int stream_size)
-        {
-        if ( p_inflateInit_ )
-                return(p_inflateInit_(strm,version,stream_size));
-        else
-                return(Z_MEM_ERROR);
-        }
-
-#endif /* ZLIB_SHARED */
diff --git a/src/lib/libcrypto/conf/conf_def.c b/src/lib/libcrypto/conf/conf_def.c
index b5a876ae68..2464f8ed90 100644
--- a/src/lib/libcrypto/conf/conf_def.c
+++ b/src/lib/libcrypto/conf/conf_def.c
@@ -613,13 +613,13 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
                                 e++;
                                 }
                         /* So at this point we have
-                         * ns which is the start of the name string which is
+                         * np which is the start of the name string which is
                          *   '\0' terminated. 
-                         * cs which is the start of the section string which is
+                         * cp which is the start of the section string which is
                          *   '\0' terminated.
                          * e is the 'next point after'.
-                         * r and s are the chars replaced by the '\0'
-                         * rp and sp is where 'r' and 's' came from.
+                         * r and rr are the chars replaced by the '\0'
+                         * rp and rrp is where 'r' and 'rr' came from.
                          */
                         p=_CONF_get_string(conf,cp,np);
                         if (rrp != NULL) *rrp=rr;
@@ -638,6 +638,11 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
                            points at.  /RL */
                         len -= e-from;
                         from=e;
+
+                        /* In case there were no braces or parenthesis around
+                           the variable reference, we have to put back the
+                           character that was replaced with a '\0'.  /RL */
+                        *rp = r;
                         }
                 else
                         buf->data[to++]= *(from++);
diff --git a/src/lib/libcrypto/conf/conf_err.c b/src/lib/libcrypto/conf/conf_err.c
index ee07bfe9d9..f5e2ca4bf0 100644
--- a/src/lib/libcrypto/conf/conf_err.c
+++ b/src/lib/libcrypto/conf/conf_err.c
@@ -1,6 +1,6 @@
 /* crypto/conf/conf_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,47 +64,51 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_CONF,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_CONF,0,reason)
+
 static ERR_STRING_DATA CONF_str_functs[]=
         {
-{ERR_PACK(0,CONF_F_CONF_DUMP_FP,0),     "CONF_dump_fp"},
-{ERR_PACK(0,CONF_F_CONF_LOAD,0),        "CONF_load"},
-{ERR_PACK(0,CONF_F_CONF_LOAD_BIO,0),    "CONF_load_bio"},
-{ERR_PACK(0,CONF_F_CONF_LOAD_FP,0),     "CONF_load_fp"},
-{ERR_PACK(0,CONF_F_CONF_MODULES_LOAD,0),        "CONF_modules_load"},
-{ERR_PACK(0,CONF_F_MODULE_INIT,0),      "MODULE_INIT"},
-{ERR_PACK(0,CONF_F_MODULE_LOAD_DSO,0),  "MODULE_LOAD_DSO"},
-{ERR_PACK(0,CONF_F_MODULE_RUN,0),       "MODULE_RUN"},
-{ERR_PACK(0,CONF_F_NCONF_DUMP_BIO,0),   "NCONF_dump_bio"},
-{ERR_PACK(0,CONF_F_NCONF_DUMP_FP,0),    "NCONF_dump_fp"},
-{ERR_PACK(0,CONF_F_NCONF_GET_NUMBER,0), "NCONF_get_number"},
-{ERR_PACK(0,CONF_F_NCONF_GET_NUMBER_E,0),       "NCONF_get_number_e"},
-{ERR_PACK(0,CONF_F_NCONF_GET_SECTION,0),        "NCONF_get_section"},
-{ERR_PACK(0,CONF_F_NCONF_GET_STRING,0), "NCONF_get_string"},
-{ERR_PACK(0,CONF_F_NCONF_LOAD,0),       "NCONF_load"},
-{ERR_PACK(0,CONF_F_NCONF_LOAD_BIO,0),   "NCONF_load_bio"},
-{ERR_PACK(0,CONF_F_NCONF_LOAD_FP,0),    "NCONF_load_fp"},
-{ERR_PACK(0,CONF_F_NCONF_NEW,0),        "NCONF_new"},
-{ERR_PACK(0,CONF_F_STR_COPY,0), "STR_COPY"},
+{ERR_FUNC(CONF_F_CONF_DUMP_FP), "CONF_dump_fp"},
+{ERR_FUNC(CONF_F_CONF_LOAD),    "CONF_load"},
+{ERR_FUNC(CONF_F_CONF_LOAD_BIO),        "CONF_load_bio"},
+{ERR_FUNC(CONF_F_CONF_LOAD_FP), "CONF_load_fp"},
+{ERR_FUNC(CONF_F_CONF_MODULES_LOAD),    "CONF_modules_load"},
+{ERR_FUNC(CONF_F_MODULE_INIT),  "MODULE_INIT"},
+{ERR_FUNC(CONF_F_MODULE_LOAD_DSO),      "MODULE_LOAD_DSO"},
+{ERR_FUNC(CONF_F_MODULE_RUN),   "MODULE_RUN"},
+{ERR_FUNC(CONF_F_NCONF_DUMP_BIO),       "NCONF_dump_bio"},
+{ERR_FUNC(CONF_F_NCONF_DUMP_FP),        "NCONF_dump_fp"},
+{ERR_FUNC(CONF_F_NCONF_GET_NUMBER),     "NCONF_get_number"},
+{ERR_FUNC(CONF_F_NCONF_GET_NUMBER_E),   "NCONF_get_number_e"},
+{ERR_FUNC(CONF_F_NCONF_GET_SECTION),    "NCONF_get_section"},
+{ERR_FUNC(CONF_F_NCONF_GET_STRING),     "NCONF_get_string"},
+{ERR_FUNC(CONF_F_NCONF_LOAD),   "NCONF_load"},
+{ERR_FUNC(CONF_F_NCONF_LOAD_BIO),       "NCONF_load_bio"},
+{ERR_FUNC(CONF_F_NCONF_LOAD_FP),        "NCONF_load_fp"},
+{ERR_FUNC(CONF_F_NCONF_NEW),    "NCONF_new"},
+{ERR_FUNC(CONF_F_STR_COPY),     "STR_COPY"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA CONF_str_reasons[]=
         {
-{CONF_R_ERROR_LOADING_DSO                ,"error loading dso"},
-{CONF_R_MISSING_CLOSE_SQUARE_BRACKET     ,"missing close square bracket"},
-{CONF_R_MISSING_EQUAL_SIGN               ,"missing equal sign"},
-{CONF_R_MISSING_FINISH_FUNCTION          ,"missing finish function"},
-{CONF_R_MISSING_INIT_FUNCTION            ,"missing init function"},
-{CONF_R_MODULE_INITIALIZATION_ERROR      ,"module initialization error"},
-{CONF_R_NO_CLOSE_BRACE                   ,"no close brace"},
-{CONF_R_NO_CONF                          ,"no conf"},
-{CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE  ,"no conf or environment variable"},
-{CONF_R_NO_SECTION                       ,"no section"},
-{CONF_R_NO_SUCH_FILE                     ,"no such file"},
-{CONF_R_NO_VALUE                         ,"no value"},
-{CONF_R_UNABLE_TO_CREATE_NEW_SECTION     ,"unable to create new section"},
-{CONF_R_UNKNOWN_MODULE_NAME              ,"unknown module name"},
-{CONF_R_VARIABLE_HAS_NO_VALUE            ,"variable has no value"},
+{ERR_REASON(CONF_R_ERROR_LOADING_DSO)    ,"error loading dso"},
+{ERR_REASON(CONF_R_MISSING_CLOSE_SQUARE_BRACKET),"missing close square bracket"},
+{ERR_REASON(CONF_R_MISSING_EQUAL_SIGN)   ,"missing equal sign"},
+{ERR_REASON(CONF_R_MISSING_FINISH_FUNCTION),"missing finish function"},
+{ERR_REASON(CONF_R_MISSING_INIT_FUNCTION),"missing init function"},
+{ERR_REASON(CONF_R_MODULE_INITIALIZATION_ERROR),"module initialization error"},
+{ERR_REASON(CONF_R_NO_CLOSE_BRACE)       ,"no close brace"},
+{ERR_REASON(CONF_R_NO_CONF)              ,"no conf"},
+{ERR_REASON(CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE),"no conf or environment variable"},
+{ERR_REASON(CONF_R_NO_SECTION)           ,"no section"},
+{ERR_REASON(CONF_R_NO_SUCH_FILE)         ,"no such file"},
+{ERR_REASON(CONF_R_NO_VALUE)             ,"no value"},
+{ERR_REASON(CONF_R_UNABLE_TO_CREATE_NEW_SECTION),"unable to create new section"},
+{ERR_REASON(CONF_R_UNKNOWN_MODULE_NAME)  ,"unknown module name"},
+{ERR_REASON(CONF_R_VARIABLE_HAS_NO_VALUE),"variable has no value"},
 {0,NULL}
         };
 
@@ -118,8 +122,8 @@ void ERR_load_CONF_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_CONF,CONF_str_functs);
-                ERR_load_strings(ERR_LIB_CONF,CONF_str_reasons);
+                ERR_load_strings(0,CONF_str_functs);
+                ERR_load_strings(0,CONF_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/cpt_err.c b/src/lib/libcrypto/cpt_err.c
index 1b4a1cb4d4..06a6109cce 100644
--- a/src/lib/libcrypto/cpt_err.c
+++ b/src/lib/libcrypto/cpt_err.c
@@ -1,6 +1,6 @@
 /* crypto/cpt_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,23 +64,27 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_CRYPTO,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_CRYPTO,0,reason)
+
 static ERR_STRING_DATA CRYPTO_str_functs[]=
         {
-{ERR_PACK(0,CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX,0),        "CRYPTO_get_ex_new_index"},
-{ERR_PACK(0,CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID,0),       "CRYPTO_get_new_dynlockid"},
-{ERR_PACK(0,CRYPTO_F_CRYPTO_GET_NEW_LOCKID,0),  "CRYPTO_get_new_lockid"},
-{ERR_PACK(0,CRYPTO_F_CRYPTO_SET_EX_DATA,0),     "CRYPTO_set_ex_data"},
-{ERR_PACK(0,CRYPTO_F_DEF_ADD_INDEX,0),  "DEF_ADD_INDEX"},
-{ERR_PACK(0,CRYPTO_F_DEF_GET_CLASS,0),  "DEF_GET_CLASS"},
-{ERR_PACK(0,CRYPTO_F_INT_DUP_EX_DATA,0),        "INT_DUP_EX_DATA"},
-{ERR_PACK(0,CRYPTO_F_INT_FREE_EX_DATA,0),       "INT_FREE_EX_DATA"},
-{ERR_PACK(0,CRYPTO_F_INT_NEW_EX_DATA,0),        "INT_NEW_EX_DATA"},
+{ERR_FUNC(CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX),    "CRYPTO_get_ex_new_index"},
+{ERR_FUNC(CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID),   "CRYPTO_get_new_dynlockid"},
+{ERR_FUNC(CRYPTO_F_CRYPTO_GET_NEW_LOCKID),      "CRYPTO_get_new_lockid"},
+{ERR_FUNC(CRYPTO_F_CRYPTO_SET_EX_DATA), "CRYPTO_set_ex_data"},
+{ERR_FUNC(CRYPTO_F_DEF_ADD_INDEX),      "DEF_ADD_INDEX"},
+{ERR_FUNC(CRYPTO_F_DEF_GET_CLASS),      "DEF_GET_CLASS"},
+{ERR_FUNC(CRYPTO_F_INT_DUP_EX_DATA),    "INT_DUP_EX_DATA"},
+{ERR_FUNC(CRYPTO_F_INT_FREE_EX_DATA),   "INT_FREE_EX_DATA"},
+{ERR_FUNC(CRYPTO_F_INT_NEW_EX_DATA),    "INT_NEW_EX_DATA"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA CRYPTO_str_reasons[]=
         {
-{CRYPTO_R_NO_DYNLOCK_CREATE_CALLBACK     ,"no dynlock create callback"},
+{ERR_REASON(CRYPTO_R_NO_DYNLOCK_CREATE_CALLBACK),"no dynlock create callback"},
 {0,NULL}
         };
 
@@ -94,8 +98,8 @@ void ERR_load_CRYPTO_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_CRYPTO,CRYPTO_str_functs);
-                ERR_load_strings(ERR_LIB_CRYPTO,CRYPTO_str_reasons);
+                ERR_load_strings(0,CRYPTO_str_functs);
+                ERR_load_strings(0,CRYPTO_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/cryptlib.c b/src/lib/libcrypto/cryptlib.c
index fef0afb29f..e63bbe8dba 100644
--- a/src/lib/libcrypto/cryptlib.c
+++ b/src/lib/libcrypto/cryptlib.c
@@ -480,6 +480,8 @@ const char *CRYPTO_get_lock_name(int type)
                 return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS));
         }
 
+int OPENSSL_NONPIC_relocated=0;
+
 #if defined(_WIN32) && defined(_WINDLL)
 
 /* All we really need to do is remove the 'error' state when a thread
@@ -491,6 +493,21 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason,
         switch(fdwReason)
                 {
         case DLL_PROCESS_ATTACH:
+#if defined(_WIN32_WINNT)
+                {
+                IMAGE_DOS_HEADER *dos_header = (IMAGE_DOS_HEADER *)hinstDLL;
+                IMAGE_NT_HEADERS *nt_headers;
+
+                if (dos_header->e_magic==IMAGE_DOS_SIGNATURE)
+                        {
+                        nt_headers = (IMAGE_NT_HEADERS *)((char *)dos_header
+                                                + dos_header->e_lfanew);
+                        if (nt_headers->Signature==IMAGE_NT_SIGNATURE &&
+                            hinstDLL!=(HINSTANCE)(nt_headers->OptionalHeader.ImageBase))
+                                OPENSSL_NONPIC_relocated=1;
+                        }
+                }
+#endif
                 break;
         case DLL_THREAD_ATTACH:
                 break;
@@ -504,18 +521,160 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason,
         }
 #endif
 
+#if defined(_WIN32)
+#include <tchar.h>
+
+#if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
+static int IsService(void)
+{ HWINSTA h;
+  DWORD len;
+  WCHAR *name;
+
+    (void)GetDesktopWindow(); /* return value is ignored */
+
+    h = GetProcessWindowStation();
+    if (h==NULL) return -1;
+
+    if (GetUserObjectInformationW (h,UOI_NAME,NULL,0,&len) ||
+        GetLastError() != ERROR_INSUFFICIENT_BUFFER)
+        return -1;
+
+    if (len>512) return -1;             /* paranoia */
+    len++,len&=~1;                      /* paranoia */
+#ifdef _MSC_VER
+    name=(WCHAR *)_alloca(len+sizeof(WCHAR));
+#else
+    name=(WCHAR *)alloca(len+sizeof(WCHAR));
+#endif
+    if (!GetUserObjectInformationW (h,UOI_NAME,name,len,&len))
+        return -1;
+
+    len++,len&=~1;                      /* paranoia */
+    name[len/sizeof(WCHAR)]=L'\0';      /* paranoia */
+#if 1
+    /* This doesn't cover "interactive" services [working with real
+     * WinSta0's] nor programs started non-interactively by Task
+     * Scheduler [those are working with SAWinSta]. */
+    if (wcsstr(name,L"Service-0x"))     return 1;
+#else
+    /* This covers all non-interactive programs such as services. */
+    if (!wcsstr(name,L"WinSta0"))       return 1;
+#endif
+    else                                return 0;
+}
+#endif
+
+void OPENSSL_showfatal (const char *fmta,...)
+{ va_list ap;
+  TCHAR buf[256];
+  const TCHAR *fmt;
+  HANDLE h;
+
+    if ((h=GetStdHandle(STD_ERROR_HANDLE)) != NULL &&
+        GetFileType(h)!=FILE_TYPE_UNKNOWN)
+    {   /* must be console application */
+        va_start (ap,fmta);
+        vfprintf (stderr,fmta,ap);
+        va_end (ap);
+        return;
+    }
+
+    if (sizeof(TCHAR)==sizeof(char))
+        fmt=(const TCHAR *)fmta;
+    else do
+    { int    keepgoing;
+      size_t len_0=strlen(fmta)+1,i;
+      WCHAR *fmtw;
+
+#ifdef _MSC_VER
+        fmtw = (WCHAR *)_alloca (len_0*sizeof(WCHAR));
+#else
+        fmtw = (WCHAR *)alloca (len_0*sizeof(WCHAR));
+#endif
+        if (fmtw == NULL) { fmt=(const TCHAR *)L"no stack?"; break; }
+
+#ifndef OPENSSL_NO_MULTIBYTE
+        if (!MultiByteToWideChar(CP_ACP,0,fmta,len_0,fmtw,len_0))
+#endif
+            for (i=0;i<len_0;i++) fmtw[i]=(WCHAR)fmta[i];
+
+        for (i=0;i<len_0;i++)
+        {   if (fmtw[i]==L'%') do
+            {   keepgoing=0;
+                switch (fmtw[i+1])
+                {   case L'0': case L'1': case L'2': case L'3': case L'4':
+                    case L'5': case L'6': case L'7': case L'8': case L'9':
+                    case L'.': case L'*':
+                    case L'-':  i++; keepgoing=1; break;
+                    case L's':  fmtw[i+1]=L'S';   break;
+                    case L'S':  fmtw[i+1]=L's';   break;
+                    case L'c':  fmtw[i+1]=L'C';   break;
+                    case L'C':  fmtw[i+1]=L'c';   break;
+                }
+            } while (keepgoing);
+        }
+        fmt = (const TCHAR *)fmtw;
+    } while (0);
+
+    va_start (ap,fmta);
+    _vsntprintf (buf,sizeof(buf)/sizeof(TCHAR)-1,fmt,ap);
+    buf [sizeof(buf)/sizeof(TCHAR)-1] = _T('\0');
+    va_end (ap);
+
+#if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
+    /* this -------------v--- guards NT-specific calls */
+    if (GetVersion() < 0x80000000 && IsService())
+    {   HANDLE h = RegisterEventSource(0,_T("OPENSSL"));
+        const TCHAR *pmsg=buf;
+        ReportEvent(h,EVENTLOG_ERROR_TYPE,0,0,0,1,0,&pmsg,0);
+        DeregisterEventSource(h);
+    }
+    else
+#endif
+    {   MSGBOXPARAMS         m;
+
+        m.cbSize             = sizeof(m);
+        m.hwndOwner          = NULL;
+        m.lpszCaption        = _T("OpenSSL: FATAL");
+        m.dwStyle            = MB_OK;
+        m.hInstance          = NULL;
+        m.lpszIcon           = IDI_ERROR;
+        m.dwContextHelpId    = 0;
+        m.lpfnMsgBoxCallback = NULL;
+        m.dwLanguageId       = MAKELANGID(LANG_ENGLISH,SUBLANG_ENGLISH_US);
+        m.lpszText           = buf;
+
+        MessageBoxIndirect (&m);
+    }
+}
+#else
+void OPENSSL_showfatal (const char *fmta,...)
+{ va_list ap;
+
+    va_start (ap,fmta);
+    vfprintf (stderr,fmta,ap);
+    va_end (ap);
+}
+#endif
+
 void OpenSSLDie(const char *file,int line,const char *assertion)
         {
-        fprintf(stderr,
+        OPENSSL_showfatal(
                 "%s(%d): OpenSSL internal error, assertion failed: %s\n",
                 file,line,assertion);
         abort();
         }
 
+void *OPENSSL_stderr(void)      { return stderr; }
+
 #ifdef OPENSSL_FIPS
+
+void fips_w_lock(void)          { CRYPTO_w_lock(CRYPTO_LOCK_FIPS); }
+void fips_w_unlock(void)        { CRYPTO_w_unlock(CRYPTO_LOCK_FIPS); }
+void fips_r_lock(void)          { CRYPTO_r_lock(CRYPTO_LOCK_FIPS); }
+void fips_r_unlock(void)        { CRYPTO_r_unlock(CRYPTO_LOCK_FIPS); }
+
 static int fips_started = 0;
-static int fips_mode = 0;
-static void *fips_rand_check = 0;
 static unsigned long fips_thread = 0;
 
 void fips_set_started(void)
@@ -576,57 +735,10 @@ int fips_clear_owning_thread(void)
         return ret;
         }
 
-void fips_set_mode(int onoff)
-        {
-        int owning_thread = fips_is_owning_thread();
-
-        if (fips_is_started())
-                {
-                if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS);
-                fips_mode = onoff;
-                if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS);
-                }
-        }
-
-void fips_set_rand_check(void *rand_check)
-        {
-        int owning_thread = fips_is_owning_thread();
-
-        if (fips_is_started())
-                {
-                if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS);
-                fips_rand_check = rand_check;
-                if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS);
-                }
-        }
-
-int FIPS_mode(void)
-        {
-        int ret = 0;
-        int owning_thread = fips_is_owning_thread();
-
-        if (fips_is_started())
-                {
-                if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS);
-                ret = fips_mode;
-                if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS);
-                }
-        return ret;
-        }
-
-void *FIPS_rand_check(void)
+unsigned char *fips_signature_witness(void)
         {
-        void *ret = 0;
-        int owning_thread = fips_is_owning_thread();
-
-        if (fips_is_started())
-                {
-                if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS);
-                ret = fips_rand_check;
-                if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS);
-                }
-        return ret;
+        extern unsigned char FIPS_signature[];
+        return FIPS_signature;
         }
-
 #endif /* OPENSSL_FIPS */
 
diff --git a/src/lib/libcrypto/cryptlib.h b/src/lib/libcrypto/cryptlib.h
index 0d6b9d59f0..6f59e08ca6 100644
--- a/src/lib/libcrypto/cryptlib.h
+++ b/src/lib/libcrypto/cryptlib.h
@@ -93,6 +93,10 @@ extern "C" {
 #define DECIMAL_SIZE(type)      ((sizeof(type)*8+2)/3+1)
 #define HEX_SIZE(type)          (sizeof(type)*2)
 
+void OPENSSL_showfatal(const char *,...);
+void *OPENSSL_stderr(void);
+extern int OPENSSL_NONPIC_relocated;
+
 #ifdef  __cplusplus
 }
 #endif
diff --git a/src/lib/libcrypto/crypto.h b/src/lib/libcrypto/crypto.h
index 4d1dfac7f1..22fd939e65 100644
--- a/src/lib/libcrypto/crypto.h
+++ b/src/lib/libcrypto/crypto.h
@@ -434,12 +434,9 @@ void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb);
 
 /* die if we have to */
 void OpenSSLDie(const char *file,int line,const char *assertion);
-#define OPENSSL_assert(e)       ((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
+#define OPENSSL_assert(e)       (void)((e) ? 0 : (OpenSSLDie(__FILE__, __LINE__, #e),1))
 
 #ifdef OPENSSL_FIPS
-int FIPS_mode(void);
-void *FIPS_rand_check(void);
-
 #define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
                 alg " previous FIPS forbidden algorithm error ignored");
 
diff --git a/src/lib/libcrypto/des/des_locl.h b/src/lib/libcrypto/des/des_locl.h
index e44e8e98b2..8f04b18c50 100644
--- a/src/lib/libcrypto/des/des_locl.h
+++ b/src/lib/libcrypto/des/des_locl.h
@@ -421,7 +421,7 @@
         PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \
         }
 
-OPENSSL_EXTERN const DES_LONG DES_SPtrans[8][64];
+extern const DES_LONG DES_SPtrans[8][64];
 
 void fcrypt_body(DES_LONG *out,DES_key_schedule *ks,
                  DES_LONG Eswap0, DES_LONG Eswap1);
diff --git a/src/lib/libcrypto/dh/dh.h b/src/lib/libcrypto/dh/dh.h
index 05851f8429..92c7481e10 100644
--- a/src/lib/libcrypto/dh/dh.h
+++ b/src/lib/libcrypto/dh/dh.h
@@ -70,7 +70,14 @@
 #include <openssl/crypto.h>
 #include <openssl/ossl_typ.h>
         
-#define DH_FLAG_CACHE_MONT_P    0x01
+#define DH_FLAG_CACHE_MONT_P     0x01
+#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
+                                       * implementation now uses constant time
+                                       * modular exponentiation for secret exponents
+                                       * by default. This flag causes the
+                                       * faster variable sliding window method to
+                                       * be used for all exponents.
+                                       */
 
 #ifdef  __cplusplus
 extern "C" {
diff --git a/src/lib/libcrypto/dh/dh_err.c b/src/lib/libcrypto/dh/dh_err.c
index c2715044c9..83ccb41221 100644
--- a/src/lib/libcrypto/dh/dh_err.c
+++ b/src/lib/libcrypto/dh/dh_err.c
@@ -1,6 +1,6 @@
 /* crypto/dh/dh_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,21 +64,25 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_DH,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_DH,0,reason)
+
 static ERR_STRING_DATA DH_str_functs[]=
         {
-{ERR_PACK(0,DH_F_DHPARAMS_PRINT,0),     "DHparams_print"},
-{ERR_PACK(0,DH_F_DHPARAMS_PRINT_FP,0),  "DHparams_print_fp"},
-{ERR_PACK(0,DH_F_DH_COMPUTE_KEY,0),     "DH_compute_key"},
-{ERR_PACK(0,DH_F_DH_GENERATE_KEY,0),    "DH_generate_key"},
-{ERR_PACK(0,DH_F_DH_GENERATE_PARAMETERS,0),     "DH_generate_parameters"},
-{ERR_PACK(0,DH_F_DH_NEW_METHOD,0),      "DH_new_method"},
+{ERR_FUNC(DH_F_DHPARAMS_PRINT), "DHparams_print"},
+{ERR_FUNC(DH_F_DHPARAMS_PRINT_FP),      "DHparams_print_fp"},
+{ERR_FUNC(DH_F_DH_COMPUTE_KEY), "DH_compute_key"},
+{ERR_FUNC(DH_F_DH_GENERATE_KEY),        "DH_generate_key"},
+{ERR_FUNC(DH_F_DH_GENERATE_PARAMETERS), "DH_generate_parameters"},
+{ERR_FUNC(DH_F_DH_NEW_METHOD),  "DH_new_method"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA DH_str_reasons[]=
         {
-{DH_R_BAD_GENERATOR                      ,"bad generator"},
-{DH_R_NO_PRIVATE_VALUE                   ,"no private value"},
+{ERR_REASON(DH_R_BAD_GENERATOR)          ,"bad generator"},
+{ERR_REASON(DH_R_NO_PRIVATE_VALUE)       ,"no private value"},
 {0,NULL}
         };
 
@@ -92,8 +96,8 @@ void ERR_load_DH_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_DH,DH_str_functs);
-                ERR_load_strings(ERR_LIB_DH,DH_str_reasons);
+                ERR_load_strings(0,DH_str_functs);
+                ERR_load_strings(0,DH_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index ff125c2296..3a39f7c8ca 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -105,7 +105,7 @@ static int generate_key(DH *dh)
         int generate_new_key=0;
         unsigned l;
         BN_CTX *ctx;
-        BN_MONT_CTX *mont;
+        BN_MONT_CTX *mont=NULL;
         BIGNUM *pub_key=NULL,*priv_key=NULL;
 
         ctx = BN_CTX_new();
@@ -128,21 +128,37 @@ static int generate_key(DH *dh)
         else
                 pub_key=dh->pub_key;
 
-        if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P))
+
+        if (dh->flags & DH_FLAG_CACHE_MONT_P)
                 {
-                if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
-                        if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p,
-                                dh->p,ctx)) goto err;
+                mont = BN_MONT_CTX_set_locked(
+                                (BN_MONT_CTX **)&dh->method_mont_p,
+                                CRYPTO_LOCK_DH, dh->p, ctx);
+                if (!mont)
+                        goto err;
                 }
-        mont=(BN_MONT_CTX *)dh->method_mont_p;
 
         if (generate_new_key)
                 {
                 l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */
                 if (!BN_rand(priv_key, l, 0, 0)) goto err;
                 }
-        if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, priv_key,dh->p,ctx,mont))
-                goto err;
+
+        {
+                BIGNUM local_prk;
+                BIGNUM *prk;
+
+                if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0)
+                        {
+                        BN_init(&local_prk);
+                        prk = &local_prk;
+                        BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME);
+                        }
+                else
+                        prk = priv_key;
+
+                if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) goto err;
+        }
                 
         dh->pub_key=pub_key;
         dh->priv_key=priv_key;
@@ -160,7 +176,7 @@ err:
 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
         {
         BN_CTX *ctx;
-        BN_MONT_CTX *mont;
+        BN_MONT_CTX *mont=NULL;
         BIGNUM *tmp;
         int ret= -1;
 
@@ -174,14 +190,21 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
                 DHerr(DH_F_DH_COMPUTE_KEY,DH_R_NO_PRIVATE_VALUE);
                 goto err;
                 }
-        if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P))
+
+        if (dh->flags & DH_FLAG_CACHE_MONT_P)
                 {
-                if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
-                        if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p,
-                                dh->p,ctx)) goto err;
+                mont = BN_MONT_CTX_set_locked(
+                                (BN_MONT_CTX **)&dh->method_mont_p,
+                                CRYPTO_LOCK_DH, dh->p, ctx);
+                if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0)
+                        {
+                        /* XXX */
+                        BN_set_flags(dh->priv_key, BN_FLG_EXP_CONSTTIME);
+                        }
+                if (!mont)
+                        goto err;
                 }
 
-        mont=(BN_MONT_CTX *)dh->method_mont_p;
         if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key,dh->p,ctx,mont))
                 {
                 DHerr(DH_F_DH_COMPUTE_KEY,ERR_R_BN_LIB);
@@ -190,8 +213,11 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
 
         ret=BN_bn2bin(tmp,key);
 err:
-        BN_CTX_end(ctx);
-        BN_CTX_free(ctx);
+        if (ctx != NULL)
+                {
+                BN_CTX_end(ctx);
+                BN_CTX_free(ctx);
+                }
         return(ret);
         }
 
@@ -200,7 +226,10 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
                         const BIGNUM *m, BN_CTX *ctx,
                         BN_MONT_CTX *m_ctx)
         {
-        if (a->top == 1)
+        /* If a is only one word long and constant time is false, use the faster
+         * exponenentiation function.
+         */
+        if (a->top == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0))
                 {
                 BN_ULONG A = a->d[0];
                 return BN_mod_exp_mont_word(r,A,p,m,ctx,m_ctx);
diff --git a/src/lib/libcrypto/doc/EVP_EncryptInit.pod b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
index 40e525dd56..8271d3dfc4 100644
--- a/src/lib/libcrypto/doc/EVP_EncryptInit.pod
+++ b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
@@ -22,7 +22,7 @@ EVP_CIPHER_CTX_set_padding - EVP cipher routines
 
  #include <openssl/evp.h>
 
- int EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a);
+ void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a);
 
  int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
          ENGINE *impl, unsigned char *key, unsigned char *iv);
@@ -236,8 +236,8 @@ RC5 can be set.
 
 =head1 RETURN VALUES
 
-EVP_CIPHER_CTX_init, EVP_EncryptInit_ex(), EVP_EncryptUpdate() and
-EVP_EncryptFinal_ex() return 1 for success and 0 for failure.
+EVP_EncryptInit_ex(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex()
+return 1 for success and 0 for failure.
 
 EVP_DecryptInit_ex() and EVP_DecryptUpdate() return 1 for success and 0 for failure.
 EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success.
diff --git a/src/lib/libcrypto/doc/OPENSSL_config.pod b/src/lib/libcrypto/doc/OPENSSL_config.pod
index 16600620cc..e7bba2aaca 100644
--- a/src/lib/libcrypto/doc/OPENSSL_config.pod
+++ b/src/lib/libcrypto/doc/OPENSSL_config.pod
@@ -35,7 +35,7 @@ calls OPENSSL_add_all_algorithms() by compiling an application with the
 preprocessor symbol B<OPENSSL_LOAD_CONF> #define'd. In this way configuration
 can be added without source changes.
 
-The environment variable B<OPENSSL_CONFIG> can be set to specify the location
+The environment variable B<OPENSSL_CONF> can be set to specify the location
 of the configuration file.
  
 Currently ASN1 OBJECTs and ENGINE configuration can be performed future
diff --git a/src/lib/libcrypto/doc/PKCS7_verify.pod b/src/lib/libcrypto/doc/PKCS7_verify.pod
index 07c9fdad40..3490b5dc82 100644
--- a/src/lib/libcrypto/doc/PKCS7_verify.pod
+++ b/src/lib/libcrypto/doc/PKCS7_verify.pod
@@ -8,7 +8,7 @@ PKCS7_verify - verify a PKCS#7 signedData structure
 
 int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, int flags);
 
-int PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
+STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
 
 =head1 DESCRIPTION
 
diff --git a/src/lib/libcrypto/dsa/dsa.h b/src/lib/libcrypto/dsa/dsa.h
index 225ff391f9..851e3f0445 100644
--- a/src/lib/libcrypto/dsa/dsa.h
+++ b/src/lib/libcrypto/dsa/dsa.h
@@ -80,6 +80,20 @@
 #endif
 
 #define DSA_FLAG_CACHE_MONT_P   0x01
+#define DSA_FLAG_NO_EXP_CONSTTIME       0x02 /* new with 0.9.7h; the built-in DSA
+                                              * implementation now uses constant time
+                                              * modular exponentiation for secret exponents
+                                              * by default. This flag causes the
+                                              * faster variable sliding window method to
+                                              * be used for all exponents.
+                                              */
+
+/* If this flag is set external DSA_METHOD callbacks are allowed in FIPS mode
+ * it is then the applications responsibility to ensure the external method
+ * is compliant.
+ */
+
+#define DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW     0x04
 
 #if defined(OPENSSL_FIPS)
 #define FIPS_DSA_SIZE_T int
diff --git a/src/lib/libcrypto/dsa/dsa_err.c b/src/lib/libcrypto/dsa/dsa_err.c
index 79aa4ff526..fd42053572 100644
--- a/src/lib/libcrypto/dsa/dsa_err.c
+++ b/src/lib/libcrypto/dsa/dsa_err.c
@@ -1,6 +1,6 @@
 /* crypto/dsa/dsa_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,29 +64,33 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_DSA,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_DSA,0,reason)
+
 static ERR_STRING_DATA DSA_str_functs[]=
         {
-{ERR_PACK(0,DSA_F_D2I_DSA_SIG,0),       "d2i_DSA_SIG"},
-{ERR_PACK(0,DSA_F_DSAPARAMS_PRINT,0),   "DSAparams_print"},
-{ERR_PACK(0,DSA_F_DSAPARAMS_PRINT_FP,0),        "DSAparams_print_fp"},
-{ERR_PACK(0,DSA_F_DSA_DO_SIGN,0),       "DSA_do_sign"},
-{ERR_PACK(0,DSA_F_DSA_DO_VERIFY,0),     "DSA_do_verify"},
-{ERR_PACK(0,DSA_F_DSA_NEW_METHOD,0),    "DSA_new_method"},
-{ERR_PACK(0,DSA_F_DSA_PRINT,0), "DSA_print"},
-{ERR_PACK(0,DSA_F_DSA_PRINT_FP,0),      "DSA_print_fp"},
-{ERR_PACK(0,DSA_F_DSA_SIGN,0),  "DSA_sign"},
-{ERR_PACK(0,DSA_F_DSA_SIGN_SETUP,0),    "DSA_sign_setup"},
-{ERR_PACK(0,DSA_F_DSA_SIG_NEW,0),       "DSA_SIG_new"},
-{ERR_PACK(0,DSA_F_DSA_VERIFY,0),        "DSA_verify"},
-{ERR_PACK(0,DSA_F_I2D_DSA_SIG,0),       "i2d_DSA_SIG"},
-{ERR_PACK(0,DSA_F_SIG_CB,0),    "SIG_CB"},
+{ERR_FUNC(DSA_F_D2I_DSA_SIG),   "d2i_DSA_SIG"},
+{ERR_FUNC(DSA_F_DSAPARAMS_PRINT),       "DSAparams_print"},
+{ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP),    "DSAparams_print_fp"},
+{ERR_FUNC(DSA_F_DSA_DO_SIGN),   "DSA_do_sign"},
+{ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"},
+{ERR_FUNC(DSA_F_DSA_NEW_METHOD),        "DSA_new_method"},
+{ERR_FUNC(DSA_F_DSA_PRINT),     "DSA_print"},
+{ERR_FUNC(DSA_F_DSA_PRINT_FP),  "DSA_print_fp"},
+{ERR_FUNC(DSA_F_DSA_SIGN),      "DSA_sign"},
+{ERR_FUNC(DSA_F_DSA_SIGN_SETUP),        "DSA_sign_setup"},
+{ERR_FUNC(DSA_F_DSA_SIG_NEW),   "DSA_SIG_new"},
+{ERR_FUNC(DSA_F_DSA_VERIFY),    "DSA_verify"},
+{ERR_FUNC(DSA_F_I2D_DSA_SIG),   "i2d_DSA_SIG"},
+{ERR_FUNC(DSA_F_SIG_CB),        "SIG_CB"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA DSA_str_reasons[]=
         {
-{DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE       ,"data too large for key size"},
-{DSA_R_MISSING_PARAMETERS                ,"missing parameters"},
+{ERR_REASON(DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
+{ERR_REASON(DSA_R_MISSING_PARAMETERS)    ,"missing parameters"},
 {0,NULL}
         };
 
@@ -100,8 +104,8 @@ void ERR_load_DSA_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_DSA,DSA_str_functs);
-                ERR_load_strings(ERR_LIB_DSA,DSA_str_reasons);
+                ERR_load_strings(0,DSA_str_functs);
+                ERR_load_strings(0,DSA_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index 30607ca579..980b6dc2d3 100644
--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -90,8 +90,22 @@ int DSA_generate_key(DSA *dsa)
                 }
         else
                 pub_key=dsa->pub_key;
+        
+        {
+                BIGNUM local_prk;
+                BIGNUM *prk;
+
+                if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
+                        {
+                        BN_init(&local_prk);
+                        prk = &local_prk;
+                        BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME);
+                        }
+                else
+                        prk = priv_key;
 
-        if (!BN_mod_exp(pub_key,dsa->g,priv_key,dsa->p,ctx)) goto err;
+                if (!BN_mod_exp(pub_key,dsa->g,prk,dsa->p,ctx)) goto err;
+        }
 
         dsa->priv_key=priv_key;
         dsa->pub_key=pub_key;
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index f1a85afcde..12509a7083 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -172,7 +172,7 @@ err:
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
         {
         BN_CTX *ctx;
-        BIGNUM k,*kinv=NULL,*r=NULL;
+        BIGNUM k,kq,*K,*kinv=NULL,*r=NULL;
         int ret=0;
 
         if (!dsa->p || !dsa->q || !dsa->g)
@@ -182,6 +182,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
                 }
 
         BN_init(&k);
+        BN_init(&kq);
 
         if (ctx_in == NULL)
                 {
@@ -191,22 +192,49 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
                 ctx=ctx_in;
 
         if ((r=BN_new()) == NULL) goto err;
-        kinv=NULL;
 
         /* Get random k */
         do
                 if (!BN_rand_range(&k, dsa->q)) goto err;
         while (BN_is_zero(&k));
+        if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
+                {
+                BN_set_flags(&k, BN_FLG_EXP_CONSTTIME);
+                }
 
-        if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
+        if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
                 {
-                if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
-                        if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
-                                dsa->p,ctx)) goto err;
+                if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,
+                                                CRYPTO_LOCK_DSA,
+                                                dsa->p, ctx))
+                        goto err;
                 }
 
         /* Compute r = (g^k mod p) mod q */
-        if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
+
+        if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
+                {
+                if (!BN_copy(&kq, &k)) goto err;
+
+                /* We do not want timing information to leak the length of k,
+                 * so we compute g^k using an equivalent exponent of fixed length.
+                 *
+                 * (This is a kludge that we need because the BN_mod_exp_mont()
+                 * does not let us specify the desired timing behaviour.) */
+
+                if (!BN_add(&kq, &kq, dsa->q)) goto err;
+                if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))
+                        {
+                        if (!BN_add(&kq, &kq, dsa->q)) goto err;
+                        }
+
+                K = &kq;
+                }
+        else
+                {
+                K = &k;
+                }
+        if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,K,dsa->p,ctx,
                 (BN_MONT_CTX *)dsa->method_mont_p)) goto err;
         if (!BN_mod(r,r,dsa->q,ctx)) goto err;
 
@@ -229,6 +257,7 @@ err:
         if (ctx_in == NULL) BN_CTX_free(ctx);
         if (kinv != NULL) BN_clear_free(kinv);
         BN_clear_free(&k);
+        BN_clear_free(&kq);
         return(ret);
         }
 
@@ -275,13 +304,15 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
         /* u2 = r * w mod q */
         if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;
 
-        if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
+
+        if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
                 {
-                if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
-                        if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
-                                dsa->p,ctx)) goto err;
+                mont = BN_MONT_CTX_set_locked(
+                                        (BN_MONT_CTX **)&dsa->method_mont_p,
+                                        CRYPTO_LOCK_DSA, dsa->p, ctx);
+                if (!mont)
+                        goto err;
                 }
-        mont=(BN_MONT_CTX *)dsa->method_mont_p;
 
 #if 0
         {
diff --git a/src/lib/libcrypto/dsa/dsa_sign.c b/src/lib/libcrypto/dsa/dsa_sign.c
index 3c9753bac3..37c65efb20 100644
--- a/src/lib/libcrypto/dsa/dsa_sign.c
+++ b/src/lib/libcrypto/dsa/dsa_sign.c
@@ -72,7 +72,8 @@
 DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
         {
 #ifdef OPENSSL_FIPS
-        if(FIPS_mode() && !FIPS_dsa_check(dsa))
+        if(FIPS_mode() && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW)
+                && !FIPS_dsa_check(dsa))
                 return NULL;
 #endif
         return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
@@ -96,7 +97,8 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
         {
 #ifdef OPENSSL_FIPS
-        if(FIPS_mode() && !FIPS_dsa_check(dsa))
+        if(FIPS_mode() && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW)
+                && !FIPS_dsa_check(dsa))
                 return 0;
 #endif
         return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
diff --git a/src/lib/libcrypto/dsa/dsa_vrf.c b/src/lib/libcrypto/dsa/dsa_vrf.c
index 8ef0c45025..c9784bed48 100644
--- a/src/lib/libcrypto/dsa/dsa_vrf.c
+++ b/src/lib/libcrypto/dsa/dsa_vrf.c
@@ -74,7 +74,8 @@ int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                   DSA *dsa)
         {
 #ifdef OPENSSL_FIPS
-        if(FIPS_mode() && !FIPS_dsa_check(dsa))
+        if(FIPS_mode() && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW)
+                && !FIPS_dsa_check(dsa))
                 return -1;
 #endif
         return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
diff --git a/src/lib/libcrypto/dso/dso_dlfcn.c b/src/lib/libcrypto/dso/dso_dlfcn.c
index 9d49ebc253..0422a4859a 100644
--- a/src/lib/libcrypto/dso/dso_dlfcn.c
+++ b/src/lib/libcrypto/dso/dso_dlfcn.c
@@ -56,6 +56,10 @@
  *
  */
 
+#ifdef __linux
+#define _GNU_SOURCE
+#endif
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/dso.h>
@@ -228,7 +232,7 @@ static void *dlfcn_bind_var(DSO *dso, const char *symname)
 static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
         {
         void *ptr;
-        DSO_FUNC_TYPE sym;
+        DSO_FUNC_TYPE sym, *tsym = &sym;
 
         if((dso == NULL) || (symname == NULL))
                 {
@@ -246,7 +250,7 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
                 DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE);
                 return(NULL);
                 }
-        sym = (DSO_FUNC_TYPE)dlsym(ptr, symname);
+        *(void**)(tsym) = dlsym(ptr, symname);
         if(sym == NULL)
                 {
                 DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE);
@@ -290,4 +294,32 @@ static char *dlfcn_name_converter(DSO *dso, const char *filename)
         return(translated);
         }
 
+#ifdef OPENSSL_FIPS
+static void dlfcn_ref_point(){}
+
+int DSO_pathbyaddr(void *addr,char *path,int sz)
+        {
+        Dl_info dli;
+        int len;
+
+        if (addr == NULL)
+                {
+                union { void(*f)(void); void *p; } t = { dlfcn_ref_point };
+                addr = t.p;
+                }
+
+        if (dladdr(addr,&dli))
+                {
+                len = (int)strlen(dli.dli_fname);
+                if (sz <= 0) return len+1;
+                if (len >= sz) len=sz-1;
+                memcpy(path,dli.dli_fname,len);
+                path[len++]=0;
+                return len;
+                }
+
+        ERR_add_error_data(4, "dlfcn_pathbyaddr(): ", dlerror());
+        return -1;
+        }
+#endif
 #endif /* DSO_DLFCN */
diff --git a/src/lib/libcrypto/dso/dso_err.c b/src/lib/libcrypto/dso/dso_err.c
index cf452de1aa..581677cc36 100644
--- a/src/lib/libcrypto/dso/dso_err.c
+++ b/src/lib/libcrypto/dso/dso_err.c
@@ -1,6 +1,6 @@
 /* crypto/dso/dso_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,56 +64,60 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_DSO,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_DSO,0,reason)
+
 static ERR_STRING_DATA DSO_str_functs[]=
         {
-{ERR_PACK(0,DSO_F_DLFCN_BIND_FUNC,0),   "DLFCN_BIND_FUNC"},
-{ERR_PACK(0,DSO_F_DLFCN_BIND_VAR,0),    "DLFCN_BIND_VAR"},
-{ERR_PACK(0,DSO_F_DLFCN_LOAD,0),        "DLFCN_LOAD"},
-{ERR_PACK(0,DSO_F_DLFCN_NAME_CONVERTER,0),      "DLFCN_NAME_CONVERTER"},
-{ERR_PACK(0,DSO_F_DLFCN_UNLOAD,0),      "DLFCN_UNLOAD"},
-{ERR_PACK(0,DSO_F_DL_BIND_FUNC,0),      "DL_BIND_FUNC"},
-{ERR_PACK(0,DSO_F_DL_BIND_VAR,0),       "DL_BIND_VAR"},
-{ERR_PACK(0,DSO_F_DL_LOAD,0),   "DL_LOAD"},
-{ERR_PACK(0,DSO_F_DL_NAME_CONVERTER,0), "DL_NAME_CONVERTER"},
-{ERR_PACK(0,DSO_F_DL_UNLOAD,0), "DL_UNLOAD"},
-{ERR_PACK(0,DSO_F_DSO_BIND_FUNC,0),     "DSO_bind_func"},
-{ERR_PACK(0,DSO_F_DSO_BIND_VAR,0),      "DSO_bind_var"},
-{ERR_PACK(0,DSO_F_DSO_CONVERT_FILENAME,0),      "DSO_convert_filename"},
-{ERR_PACK(0,DSO_F_DSO_CTRL,0),  "DSO_ctrl"},
-{ERR_PACK(0,DSO_F_DSO_FREE,0),  "DSO_free"},
-{ERR_PACK(0,DSO_F_DSO_GET_FILENAME,0),  "DSO_get_filename"},
-{ERR_PACK(0,DSO_F_DSO_GET_LOADED_FILENAME,0),   "DSO_get_loaded_filename"},
-{ERR_PACK(0,DSO_F_DSO_LOAD,0),  "DSO_load"},
-{ERR_PACK(0,DSO_F_DSO_NEW_METHOD,0),    "DSO_new_method"},
-{ERR_PACK(0,DSO_F_DSO_SET_FILENAME,0),  "DSO_set_filename"},
-{ERR_PACK(0,DSO_F_DSO_SET_NAME_CONVERTER,0),    "DSO_set_name_converter"},
-{ERR_PACK(0,DSO_F_DSO_UP_REF,0),        "DSO_up_ref"},
-{ERR_PACK(0,DSO_F_VMS_BIND_VAR,0),      "VMS_BIND_VAR"},
-{ERR_PACK(0,DSO_F_VMS_LOAD,0),  "VMS_LOAD"},
-{ERR_PACK(0,DSO_F_VMS_UNLOAD,0),        "VMS_UNLOAD"},
-{ERR_PACK(0,DSO_F_WIN32_BIND_FUNC,0),   "WIN32_BIND_FUNC"},
-{ERR_PACK(0,DSO_F_WIN32_BIND_VAR,0),    "WIN32_BIND_VAR"},
-{ERR_PACK(0,DSO_F_WIN32_LOAD,0),        "WIN32_LOAD"},
-{ERR_PACK(0,DSO_F_WIN32_NAME_CONVERTER,0),      "WIN32_NAME_CONVERTER"},
-{ERR_PACK(0,DSO_F_WIN32_UNLOAD,0),      "WIN32_UNLOAD"},
+{ERR_FUNC(DSO_F_DLFCN_BIND_FUNC),       "DLFCN_BIND_FUNC"},
+{ERR_FUNC(DSO_F_DLFCN_BIND_VAR),        "DLFCN_BIND_VAR"},
+{ERR_FUNC(DSO_F_DLFCN_LOAD),    "DLFCN_LOAD"},
+{ERR_FUNC(DSO_F_DLFCN_NAME_CONVERTER),  "DLFCN_NAME_CONVERTER"},
+{ERR_FUNC(DSO_F_DLFCN_UNLOAD),  "DLFCN_UNLOAD"},
+{ERR_FUNC(DSO_F_DL_BIND_FUNC),  "DL_BIND_FUNC"},
+{ERR_FUNC(DSO_F_DL_BIND_VAR),   "DL_BIND_VAR"},
+{ERR_FUNC(DSO_F_DL_LOAD),       "DL_LOAD"},
+{ERR_FUNC(DSO_F_DL_NAME_CONVERTER),     "DL_NAME_CONVERTER"},
+{ERR_FUNC(DSO_F_DL_UNLOAD),     "DL_UNLOAD"},
+{ERR_FUNC(DSO_F_DSO_BIND_FUNC), "DSO_bind_func"},
+{ERR_FUNC(DSO_F_DSO_BIND_VAR),  "DSO_bind_var"},
+{ERR_FUNC(DSO_F_DSO_CONVERT_FILENAME),  "DSO_convert_filename"},
+{ERR_FUNC(DSO_F_DSO_CTRL),      "DSO_ctrl"},
+{ERR_FUNC(DSO_F_DSO_FREE),      "DSO_free"},
+{ERR_FUNC(DSO_F_DSO_GET_FILENAME),      "DSO_get_filename"},
+{ERR_FUNC(DSO_F_DSO_GET_LOADED_FILENAME),       "DSO_get_loaded_filename"},
+{ERR_FUNC(DSO_F_DSO_LOAD),      "DSO_load"},
+{ERR_FUNC(DSO_F_DSO_NEW_METHOD),        "DSO_new_method"},
+{ERR_FUNC(DSO_F_DSO_SET_FILENAME),      "DSO_set_filename"},
+{ERR_FUNC(DSO_F_DSO_SET_NAME_CONVERTER),        "DSO_set_name_converter"},
+{ERR_FUNC(DSO_F_DSO_UP_REF),    "DSO_up_ref"},
+{ERR_FUNC(DSO_F_VMS_BIND_VAR),  "VMS_BIND_VAR"},
+{ERR_FUNC(DSO_F_VMS_LOAD),      "VMS_LOAD"},
+{ERR_FUNC(DSO_F_VMS_UNLOAD),    "VMS_UNLOAD"},
+{ERR_FUNC(DSO_F_WIN32_BIND_FUNC),       "WIN32_BIND_FUNC"},
+{ERR_FUNC(DSO_F_WIN32_BIND_VAR),        "WIN32_BIND_VAR"},
+{ERR_FUNC(DSO_F_WIN32_LOAD),    "WIN32_LOAD"},
+{ERR_FUNC(DSO_F_WIN32_NAME_CONVERTER),  "WIN32_NAME_CONVERTER"},
+{ERR_FUNC(DSO_F_WIN32_UNLOAD),  "WIN32_UNLOAD"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA DSO_str_reasons[]=
         {
-{DSO_R_CTRL_FAILED                       ,"control command failed"},
-{DSO_R_DSO_ALREADY_LOADED                ,"dso already loaded"},
-{DSO_R_FILENAME_TOO_BIG                  ,"filename too big"},
-{DSO_R_FINISH_FAILED                     ,"cleanup method function failed"},
-{DSO_R_LOAD_FAILED                       ,"could not load the shared library"},
-{DSO_R_NAME_TRANSLATION_FAILED           ,"name translation failed"},
-{DSO_R_NO_FILENAME                       ,"no filename"},
-{DSO_R_NULL_HANDLE                       ,"a null shared library handle was used"},
-{DSO_R_SET_FILENAME_FAILED               ,"set filename failed"},
-{DSO_R_STACK_ERROR                       ,"the meth_data stack is corrupt"},
-{DSO_R_SYM_FAILURE                       ,"could not bind to the requested symbol name"},
-{DSO_R_UNLOAD_FAILED                     ,"could not unload the shared library"},
-{DSO_R_UNSUPPORTED                       ,"functionality not supported"},
+{ERR_REASON(DSO_R_CTRL_FAILED)           ,"control command failed"},
+{ERR_REASON(DSO_R_DSO_ALREADY_LOADED)    ,"dso already loaded"},
+{ERR_REASON(DSO_R_FILENAME_TOO_BIG)      ,"filename too big"},
+{ERR_REASON(DSO_R_FINISH_FAILED)         ,"cleanup method function failed"},
+{ERR_REASON(DSO_R_LOAD_FAILED)           ,"could not load the shared library"},
+{ERR_REASON(DSO_R_NAME_TRANSLATION_FAILED),"name translation failed"},
+{ERR_REASON(DSO_R_NO_FILENAME)           ,"no filename"},
+{ERR_REASON(DSO_R_NULL_HANDLE)           ,"a null shared library handle was used"},
+{ERR_REASON(DSO_R_SET_FILENAME_FAILED)   ,"set filename failed"},
+{ERR_REASON(DSO_R_STACK_ERROR)           ,"the meth_data stack is corrupt"},
+{ERR_REASON(DSO_R_SYM_FAILURE)           ,"could not bind to the requested symbol name"},
+{ERR_REASON(DSO_R_UNLOAD_FAILED)         ,"could not unload the shared library"},
+{ERR_REASON(DSO_R_UNSUPPORTED)           ,"functionality not supported"},
 {0,NULL}
         };
 
@@ -127,8 +131,8 @@ void ERR_load_DSO_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_DSO,DSO_str_functs);
-                ERR_load_strings(ERR_LIB_DSO,DSO_str_reasons);
+                ERR_load_strings(0,DSO_str_functs);
+                ERR_load_strings(0,DSO_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/ec/ec_err.c b/src/lib/libcrypto/ec/ec_err.c
index d37b6aba87..5b70f94382 100644
--- a/src/lib/libcrypto/ec/ec_err.c
+++ b/src/lib/libcrypto/ec/ec_err.c
@@ -1,6 +1,6 @@
 /* crypto/ec/ec_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,70 +64,74 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_EC,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_EC,0,reason)
+
 static ERR_STRING_DATA EC_str_functs[]=
         {
-{ERR_PACK(0,EC_F_COMPUTE_WNAF,0),       "COMPUTE_WNAF"},
-{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_DECODE,0),   "ec_GFp_mont_field_decode"},
-{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_ENCODE,0),   "ec_GFp_mont_field_encode"},
-{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_MUL,0),      "ec_GFp_mont_field_mul"},
-{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_SQR,0),      "ec_GFp_mont_field_sqr"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP,0),  "ec_GFp_simple_group_set_curve_GFp"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR,0),  "ec_GFp_simple_group_set_generator"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_MAKE_AFFINE,0),  "ec_GFp_simple_make_affine"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_OCT2POINT,0),    "ec_GFp_simple_oct2point"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT2OCT,0),    "ec_GFp_simple_point2oct"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE,0),   "ec_GFp_simple_points_make_affine"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP,0),     "ec_GFp_simple_point_get_affine_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP,0),     "ec_GFp_simple_point_set_affine_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP,0),       "ec_GFp_simple_set_compressed_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_GROUP_COPY,0),      "EC_GROUP_copy"},
-{ERR_PACK(0,EC_F_EC_GROUP_GET0_GENERATOR,0),    "EC_GROUP_get0_generator"},
-{ERR_PACK(0,EC_F_EC_GROUP_GET_COFACTOR,0),      "EC_GROUP_get_cofactor"},
-{ERR_PACK(0,EC_F_EC_GROUP_GET_CURVE_GFP,0),     "EC_GROUP_get_curve_GFp"},
-{ERR_PACK(0,EC_F_EC_GROUP_GET_ORDER,0), "EC_GROUP_get_order"},
-{ERR_PACK(0,EC_F_EC_GROUP_NEW,0),       "EC_GROUP_new"},
-{ERR_PACK(0,EC_F_EC_GROUP_PRECOMPUTE_MULT,0),   "EC_GROUP_precompute_mult"},
-{ERR_PACK(0,EC_F_EC_GROUP_SET_CURVE_GFP,0),     "EC_GROUP_set_curve_GFp"},
-{ERR_PACK(0,EC_F_EC_GROUP_SET_EXTRA_DATA,0),    "EC_GROUP_set_extra_data"},
-{ERR_PACK(0,EC_F_EC_GROUP_SET_GENERATOR,0),     "EC_GROUP_set_generator"},
-{ERR_PACK(0,EC_F_EC_POINTS_MAKE_AFFINE,0),      "EC_POINTs_make_affine"},
-{ERR_PACK(0,EC_F_EC_POINTS_MUL,0),      "EC_POINTs_mul"},
-{ERR_PACK(0,EC_F_EC_POINT_ADD,0),       "EC_POINT_add"},
-{ERR_PACK(0,EC_F_EC_POINT_CMP,0),       "EC_POINT_cmp"},
-{ERR_PACK(0,EC_F_EC_POINT_COPY,0),      "EC_POINT_copy"},
-{ERR_PACK(0,EC_F_EC_POINT_DBL,0),       "EC_POINT_dbl"},
-{ERR_PACK(0,EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP,0),        "EC_POINT_get_affine_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP,0),   "EC_POINT_get_Jprojective_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_POINT_IS_AT_INFINITY,0),    "EC_POINT_is_at_infinity"},
-{ERR_PACK(0,EC_F_EC_POINT_IS_ON_CURVE,0),       "EC_POINT_is_on_curve"},
-{ERR_PACK(0,EC_F_EC_POINT_MAKE_AFFINE,0),       "EC_POINT_make_affine"},
-{ERR_PACK(0,EC_F_EC_POINT_NEW,0),       "EC_POINT_new"},
-{ERR_PACK(0,EC_F_EC_POINT_OCT2POINT,0), "EC_POINT_oct2point"},
-{ERR_PACK(0,EC_F_EC_POINT_POINT2OCT,0), "EC_POINT_point2oct"},
-{ERR_PACK(0,EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP,0),        "EC_POINT_set_affine_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP,0),    "EC_POINT_set_compressed_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP,0),   "EC_POINT_set_Jprojective_coordinates_GFp"},
-{ERR_PACK(0,EC_F_EC_POINT_SET_TO_INFINITY,0),   "EC_POINT_set_to_infinity"},
-{ERR_PACK(0,EC_F_GFP_MONT_GROUP_SET_CURVE_GFP,0),       "GFP_MONT_GROUP_SET_CURVE_GFP"},
+{ERR_FUNC(EC_F_COMPUTE_WNAF),   "COMPUTE_WNAF"},
+{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_DECODE),       "ec_GFp_mont_field_decode"},
+{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_ENCODE),       "ec_GFp_mont_field_encode"},
+{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_MUL),  "ec_GFp_mont_field_mul"},
+{ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_SQR),  "ec_GFp_mont_field_sqr"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP),      "ec_GFp_simple_group_set_curve_GFp"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR),      "ec_GFp_simple_group_set_generator"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE),      "ec_GFp_simple_make_affine"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_OCT2POINT),        "ec_GFp_simple_oct2point"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT2OCT),        "ec_GFp_simple_point2oct"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE),       "ec_GFp_simple_points_make_affine"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP), "ec_GFp_simple_point_get_affine_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP), "ec_GFp_simple_point_set_affine_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP),   "ec_GFp_simple_set_compressed_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_GROUP_COPY),  "EC_GROUP_copy"},
+{ERR_FUNC(EC_F_EC_GROUP_GET0_GENERATOR),        "EC_GROUP_get0_generator"},
+{ERR_FUNC(EC_F_EC_GROUP_GET_COFACTOR),  "EC_GROUP_get_cofactor"},
+{ERR_FUNC(EC_F_EC_GROUP_GET_CURVE_GFP), "EC_GROUP_get_curve_GFp"},
+{ERR_FUNC(EC_F_EC_GROUP_GET_ORDER),     "EC_GROUP_get_order"},
+{ERR_FUNC(EC_F_EC_GROUP_NEW),   "EC_GROUP_new"},
+{ERR_FUNC(EC_F_EC_GROUP_PRECOMPUTE_MULT),       "EC_GROUP_precompute_mult"},
+{ERR_FUNC(EC_F_EC_GROUP_SET_CURVE_GFP), "EC_GROUP_set_curve_GFp"},
+{ERR_FUNC(EC_F_EC_GROUP_SET_EXTRA_DATA),        "EC_GROUP_set_extra_data"},
+{ERR_FUNC(EC_F_EC_GROUP_SET_GENERATOR), "EC_GROUP_set_generator"},
+{ERR_FUNC(EC_F_EC_POINTS_MAKE_AFFINE),  "EC_POINTs_make_affine"},
+{ERR_FUNC(EC_F_EC_POINTS_MUL),  "EC_POINTs_mul"},
+{ERR_FUNC(EC_F_EC_POINT_ADD),   "EC_POINT_add"},
+{ERR_FUNC(EC_F_EC_POINT_CMP),   "EC_POINT_cmp"},
+{ERR_FUNC(EC_F_EC_POINT_COPY),  "EC_POINT_copy"},
+{ERR_FUNC(EC_F_EC_POINT_DBL),   "EC_POINT_dbl"},
+{ERR_FUNC(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP),    "EC_POINT_get_affine_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP),       "EC_POINT_get_Jprojective_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_POINT_IS_AT_INFINITY),        "EC_POINT_is_at_infinity"},
+{ERR_FUNC(EC_F_EC_POINT_IS_ON_CURVE),   "EC_POINT_is_on_curve"},
+{ERR_FUNC(EC_F_EC_POINT_MAKE_AFFINE),   "EC_POINT_make_affine"},
+{ERR_FUNC(EC_F_EC_POINT_NEW),   "EC_POINT_new"},
+{ERR_FUNC(EC_F_EC_POINT_OCT2POINT),     "EC_POINT_oct2point"},
+{ERR_FUNC(EC_F_EC_POINT_POINT2OCT),     "EC_POINT_point2oct"},
+{ERR_FUNC(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP),    "EC_POINT_set_affine_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP),        "EC_POINT_set_compressed_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP),       "EC_POINT_set_Jprojective_coordinates_GFp"},
+{ERR_FUNC(EC_F_EC_POINT_SET_TO_INFINITY),       "EC_POINT_set_to_infinity"},
+{ERR_FUNC(EC_F_GFP_MONT_GROUP_SET_CURVE_GFP),   "GFP_MONT_GROUP_SET_CURVE_GFP"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA EC_str_reasons[]=
         {
-{EC_R_BUFFER_TOO_SMALL                   ,"buffer too small"},
-{EC_R_INCOMPATIBLE_OBJECTS               ,"incompatible objects"},
-{EC_R_INVALID_ARGUMENT                   ,"invalid argument"},
-{EC_R_INVALID_COMPRESSED_POINT           ,"invalid compressed point"},
-{EC_R_INVALID_COMPRESSION_BIT            ,"invalid compression bit"},
-{EC_R_INVALID_ENCODING                   ,"invalid encoding"},
-{EC_R_INVALID_FIELD                      ,"invalid field"},
-{EC_R_INVALID_FORM                       ,"invalid form"},
-{EC_R_NOT_INITIALIZED                    ,"not initialized"},
-{EC_R_POINT_AT_INFINITY                  ,"point at infinity"},
-{EC_R_POINT_IS_NOT_ON_CURVE              ,"point is not on curve"},
-{EC_R_SLOT_FULL                          ,"slot full"},
-{EC_R_UNDEFINED_GENERATOR                ,"undefined generator"},
-{EC_R_UNKNOWN_ORDER                      ,"unknown order"},
+{ERR_REASON(EC_R_BUFFER_TOO_SMALL)       ,"buffer too small"},
+{ERR_REASON(EC_R_INCOMPATIBLE_OBJECTS)   ,"incompatible objects"},
+{ERR_REASON(EC_R_INVALID_ARGUMENT)       ,"invalid argument"},
+{ERR_REASON(EC_R_INVALID_COMPRESSED_POINT),"invalid compressed point"},
+{ERR_REASON(EC_R_INVALID_COMPRESSION_BIT),"invalid compression bit"},
+{ERR_REASON(EC_R_INVALID_ENCODING)       ,"invalid encoding"},
+{ERR_REASON(EC_R_INVALID_FIELD)          ,"invalid field"},
+{ERR_REASON(EC_R_INVALID_FORM)           ,"invalid form"},
+{ERR_REASON(EC_R_NOT_INITIALIZED)        ,"not initialized"},
+{ERR_REASON(EC_R_POINT_AT_INFINITY)      ,"point at infinity"},
+{ERR_REASON(EC_R_POINT_IS_NOT_ON_CURVE)  ,"point is not on curve"},
+{ERR_REASON(EC_R_SLOT_FULL)              ,"slot full"},
+{ERR_REASON(EC_R_UNDEFINED_GENERATOR)    ,"undefined generator"},
+{ERR_REASON(EC_R_UNKNOWN_ORDER)          ,"unknown order"},
 {0,NULL}
         };
 
@@ -141,8 +145,8 @@ void ERR_load_EC_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_EC,EC_str_functs);
-                ERR_load_strings(ERR_LIB_EC,EC_str_reasons);
+                ERR_load_strings(0,EC_str_functs);
+                ERR_load_strings(0,EC_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/engine/eng_cnf.c b/src/lib/libcrypto/engine/eng_cnf.c
index cdf670901a..4225760af1 100644
--- a/src/lib/libcrypto/engine/eng_cnf.c
+++ b/src/lib/libcrypto/engine/eng_cnf.c
@@ -158,7 +158,7 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
                          */
                         if (!strcmp(ctrlvalue, "EMPTY"))
                                 ctrlvalue = NULL;
-                        else if (!strcmp(ctrlname, "init"))
+                        if (!strcmp(ctrlname, "init"))
                                 {
                                 if (!NCONF_get_number_e(cnf, value, "init", &do_init))
                                         goto err;
diff --git a/src/lib/libcrypto/engine/eng_err.c b/src/lib/libcrypto/engine/eng_err.c
index 814d95ee32..fdc0e7be0f 100644
--- a/src/lib/libcrypto/engine/eng_err.c
+++ b/src/lib/libcrypto/engine/eng_err.c
@@ -1,6 +1,6 @@
 /* crypto/engine/eng_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,87 +64,91 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_ENGINE,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_ENGINE,0,reason)
+
 static ERR_STRING_DATA ENGINE_str_functs[]=
         {
-{ERR_PACK(0,ENGINE_F_DYNAMIC_CTRL,0),   "DYNAMIC_CTRL"},
-{ERR_PACK(0,ENGINE_F_DYNAMIC_GET_DATA_CTX,0),   "DYNAMIC_GET_DATA_CTX"},
-{ERR_PACK(0,ENGINE_F_DYNAMIC_LOAD,0),   "DYNAMIC_LOAD"},
-{ERR_PACK(0,ENGINE_F_ENGINE_ADD,0),     "ENGINE_add"},
-{ERR_PACK(0,ENGINE_F_ENGINE_BY_ID,0),   "ENGINE_by_id"},
-{ERR_PACK(0,ENGINE_F_ENGINE_CMD_IS_EXECUTABLE,0),       "ENGINE_cmd_is_executable"},
-{ERR_PACK(0,ENGINE_F_ENGINE_CTRL,0),    "ENGINE_ctrl"},
-{ERR_PACK(0,ENGINE_F_ENGINE_CTRL_CMD,0),        "ENGINE_ctrl_cmd"},
-{ERR_PACK(0,ENGINE_F_ENGINE_CTRL_CMD_STRING,0), "ENGINE_ctrl_cmd_string"},
-{ERR_PACK(0,ENGINE_F_ENGINE_FINISH,0),  "ENGINE_finish"},
-{ERR_PACK(0,ENGINE_F_ENGINE_FREE,0),    "ENGINE_free"},
-{ERR_PACK(0,ENGINE_F_ENGINE_GET_CIPHER,0),      "ENGINE_get_cipher"},
-{ERR_PACK(0,ENGINE_F_ENGINE_GET_DEFAULT_TYPE,0),        "ENGINE_GET_DEFAULT_TYPE"},
-{ERR_PACK(0,ENGINE_F_ENGINE_GET_DIGEST,0),      "ENGINE_get_digest"},
-{ERR_PACK(0,ENGINE_F_ENGINE_GET_NEXT,0),        "ENGINE_get_next"},
-{ERR_PACK(0,ENGINE_F_ENGINE_GET_PREV,0),        "ENGINE_get_prev"},
-{ERR_PACK(0,ENGINE_F_ENGINE_INIT,0),    "ENGINE_init"},
-{ERR_PACK(0,ENGINE_F_ENGINE_LIST_ADD,0),        "ENGINE_LIST_ADD"},
-{ERR_PACK(0,ENGINE_F_ENGINE_LIST_REMOVE,0),     "ENGINE_LIST_REMOVE"},
-{ERR_PACK(0,ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,0),        "ENGINE_load_private_key"},
-{ERR_PACK(0,ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,0), "ENGINE_load_public_key"},
-{ERR_PACK(0,ENGINE_F_ENGINE_MODULE_INIT,0),     "ENGINE_MODULE_INIT"},
-{ERR_PACK(0,ENGINE_F_ENGINE_NEW,0),     "ENGINE_new"},
-{ERR_PACK(0,ENGINE_F_ENGINE_REMOVE,0),  "ENGINE_remove"},
-{ERR_PACK(0,ENGINE_F_ENGINE_SET_DEFAULT_STRING,0),      "ENGINE_set_default_string"},
-{ERR_PACK(0,ENGINE_F_ENGINE_SET_DEFAULT_TYPE,0),        "ENGINE_SET_DEFAULT_TYPE"},
-{ERR_PACK(0,ENGINE_F_ENGINE_SET_ID,0),  "ENGINE_set_id"},
-{ERR_PACK(0,ENGINE_F_ENGINE_SET_NAME,0),        "ENGINE_set_name"},
-{ERR_PACK(0,ENGINE_F_ENGINE_TABLE_REGISTER,0),  "ENGINE_TABLE_REGISTER"},
-{ERR_PACK(0,ENGINE_F_ENGINE_UNLOAD_KEY,0),      "ENGINE_UNLOAD_KEY"},
-{ERR_PACK(0,ENGINE_F_ENGINE_UP_REF,0),  "ENGINE_up_ref"},
-{ERR_PACK(0,ENGINE_F_INT_CTRL_HELPER,0),        "INT_CTRL_HELPER"},
-{ERR_PACK(0,ENGINE_F_INT_ENGINE_CONFIGURE,0),   "INT_ENGINE_CONFIGURE"},
-{ERR_PACK(0,ENGINE_F_LOG_MESSAGE,0),    "LOG_MESSAGE"},
-{ERR_PACK(0,ENGINE_F_SET_DATA_CTX,0),   "SET_DATA_CTX"},
+{ERR_FUNC(ENGINE_F_DYNAMIC_CTRL),       "DYNAMIC_CTRL"},
+{ERR_FUNC(ENGINE_F_DYNAMIC_GET_DATA_CTX),       "DYNAMIC_GET_DATA_CTX"},
+{ERR_FUNC(ENGINE_F_DYNAMIC_LOAD),       "DYNAMIC_LOAD"},
+{ERR_FUNC(ENGINE_F_ENGINE_ADD), "ENGINE_add"},
+{ERR_FUNC(ENGINE_F_ENGINE_BY_ID),       "ENGINE_by_id"},
+{ERR_FUNC(ENGINE_F_ENGINE_CMD_IS_EXECUTABLE),   "ENGINE_cmd_is_executable"},
+{ERR_FUNC(ENGINE_F_ENGINE_CTRL),        "ENGINE_ctrl"},
+{ERR_FUNC(ENGINE_F_ENGINE_CTRL_CMD),    "ENGINE_ctrl_cmd"},
+{ERR_FUNC(ENGINE_F_ENGINE_CTRL_CMD_STRING),     "ENGINE_ctrl_cmd_string"},
+{ERR_FUNC(ENGINE_F_ENGINE_FINISH),      "ENGINE_finish"},
+{ERR_FUNC(ENGINE_F_ENGINE_FREE),        "ENGINE_free"},
+{ERR_FUNC(ENGINE_F_ENGINE_GET_CIPHER),  "ENGINE_get_cipher"},
+{ERR_FUNC(ENGINE_F_ENGINE_GET_DEFAULT_TYPE),    "ENGINE_GET_DEFAULT_TYPE"},
+{ERR_FUNC(ENGINE_F_ENGINE_GET_DIGEST),  "ENGINE_get_digest"},
+{ERR_FUNC(ENGINE_F_ENGINE_GET_NEXT),    "ENGINE_get_next"},
+{ERR_FUNC(ENGINE_F_ENGINE_GET_PREV),    "ENGINE_get_prev"},
+{ERR_FUNC(ENGINE_F_ENGINE_INIT),        "ENGINE_init"},
+{ERR_FUNC(ENGINE_F_ENGINE_LIST_ADD),    "ENGINE_LIST_ADD"},
+{ERR_FUNC(ENGINE_F_ENGINE_LIST_REMOVE), "ENGINE_LIST_REMOVE"},
+{ERR_FUNC(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY),    "ENGINE_load_private_key"},
+{ERR_FUNC(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY),     "ENGINE_load_public_key"},
+{ERR_FUNC(ENGINE_F_ENGINE_MODULE_INIT), "ENGINE_MODULE_INIT"},
+{ERR_FUNC(ENGINE_F_ENGINE_NEW), "ENGINE_new"},
+{ERR_FUNC(ENGINE_F_ENGINE_REMOVE),      "ENGINE_remove"},
+{ERR_FUNC(ENGINE_F_ENGINE_SET_DEFAULT_STRING),  "ENGINE_set_default_string"},
+{ERR_FUNC(ENGINE_F_ENGINE_SET_DEFAULT_TYPE),    "ENGINE_SET_DEFAULT_TYPE"},
+{ERR_FUNC(ENGINE_F_ENGINE_SET_ID),      "ENGINE_set_id"},
+{ERR_FUNC(ENGINE_F_ENGINE_SET_NAME),    "ENGINE_set_name"},
+{ERR_FUNC(ENGINE_F_ENGINE_TABLE_REGISTER),      "ENGINE_TABLE_REGISTER"},
+{ERR_FUNC(ENGINE_F_ENGINE_UNLOAD_KEY),  "ENGINE_UNLOAD_KEY"},
+{ERR_FUNC(ENGINE_F_ENGINE_UP_REF),      "ENGINE_up_ref"},
+{ERR_FUNC(ENGINE_F_INT_CTRL_HELPER),    "INT_CTRL_HELPER"},
+{ERR_FUNC(ENGINE_F_INT_ENGINE_CONFIGURE),       "INT_ENGINE_CONFIGURE"},
+{ERR_FUNC(ENGINE_F_LOG_MESSAGE),        "LOG_MESSAGE"},
+{ERR_FUNC(ENGINE_F_SET_DATA_CTX),       "SET_DATA_CTX"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA ENGINE_str_reasons[]=
         {
-{ENGINE_R_ALREADY_LOADED                 ,"already loaded"},
-{ENGINE_R_ARGUMENT_IS_NOT_A_NUMBER       ,"argument is not a number"},
-{ENGINE_R_CMD_NOT_EXECUTABLE             ,"cmd not executable"},
-{ENGINE_R_COMMAND_TAKES_INPUT            ,"command takes input"},
-{ENGINE_R_COMMAND_TAKES_NO_INPUT         ,"command takes no input"},
-{ENGINE_R_CONFLICTING_ENGINE_ID          ,"conflicting engine id"},
-{ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED   ,"ctrl command not implemented"},
-{ENGINE_R_DH_NOT_IMPLEMENTED             ,"dh not implemented"},
-{ENGINE_R_DSA_NOT_IMPLEMENTED            ,"dsa not implemented"},
-{ENGINE_R_DSO_FAILURE                    ,"DSO failure"},
-{ENGINE_R_DSO_NOT_FOUND                  ,"dso not found"},
-{ENGINE_R_ENGINES_SECTION_ERROR          ,"engines section error"},
-{ENGINE_R_ENGINE_IS_NOT_IN_LIST          ,"engine is not in the list"},
-{ENGINE_R_ENGINE_SECTION_ERROR           ,"engine section error"},
-{ENGINE_R_FAILED_LOADING_PRIVATE_KEY     ,"failed loading private key"},
-{ENGINE_R_FAILED_LOADING_PUBLIC_KEY      ,"failed loading public key"},
-{ENGINE_R_FINISH_FAILED                  ,"finish failed"},
-{ENGINE_R_GET_HANDLE_FAILED              ,"could not obtain hardware handle"},
-{ENGINE_R_ID_OR_NAME_MISSING             ,"'id' or 'name' missing"},
-{ENGINE_R_INIT_FAILED                    ,"init failed"},
-{ENGINE_R_INTERNAL_LIST_ERROR            ,"internal list error"},
-{ENGINE_R_INVALID_ARGUMENT               ,"invalid argument"},
-{ENGINE_R_INVALID_CMD_NAME               ,"invalid cmd name"},
-{ENGINE_R_INVALID_CMD_NUMBER             ,"invalid cmd number"},
-{ENGINE_R_INVALID_INIT_VALUE             ,"invalid init value"},
-{ENGINE_R_INVALID_STRING                 ,"invalid string"},
-{ENGINE_R_NOT_INITIALISED                ,"not initialised"},
-{ENGINE_R_NOT_LOADED                     ,"not loaded"},
-{ENGINE_R_NO_CONTROL_FUNCTION            ,"no control function"},
-{ENGINE_R_NO_INDEX                       ,"no index"},
-{ENGINE_R_NO_LOAD_FUNCTION               ,"no load function"},
-{ENGINE_R_NO_REFERENCE                   ,"no reference"},
-{ENGINE_R_NO_SUCH_ENGINE                 ,"no such engine"},
-{ENGINE_R_NO_UNLOAD_FUNCTION             ,"no unload function"},
-{ENGINE_R_PROVIDE_PARAMETERS             ,"provide parameters"},
-{ENGINE_R_RSA_NOT_IMPLEMENTED            ,"rsa not implemented"},
-{ENGINE_R_UNIMPLEMENTED_CIPHER           ,"unimplemented cipher"},
-{ENGINE_R_UNIMPLEMENTED_DIGEST           ,"unimplemented digest"},
-{ENGINE_R_VERSION_INCOMPATIBILITY        ,"version incompatibility"},
+{ERR_REASON(ENGINE_R_ALREADY_LOADED)     ,"already loaded"},
+{ERR_REASON(ENGINE_R_ARGUMENT_IS_NOT_A_NUMBER),"argument is not a number"},
+{ERR_REASON(ENGINE_R_CMD_NOT_EXECUTABLE) ,"cmd not executable"},
+{ERR_REASON(ENGINE_R_COMMAND_TAKES_INPUT),"command takes input"},
+{ERR_REASON(ENGINE_R_COMMAND_TAKES_NO_INPUT),"command takes no input"},
+{ERR_REASON(ENGINE_R_CONFLICTING_ENGINE_ID),"conflicting engine id"},
+{ERR_REASON(ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED),"ctrl command not implemented"},
+{ERR_REASON(ENGINE_R_DH_NOT_IMPLEMENTED) ,"dh not implemented"},
+{ERR_REASON(ENGINE_R_DSA_NOT_IMPLEMENTED),"dsa not implemented"},
+{ERR_REASON(ENGINE_R_DSO_FAILURE)        ,"DSO failure"},
+{ERR_REASON(ENGINE_R_DSO_NOT_FOUND)      ,"dso not found"},
+{ERR_REASON(ENGINE_R_ENGINES_SECTION_ERROR),"engines section error"},
+{ERR_REASON(ENGINE_R_ENGINE_IS_NOT_IN_LIST),"engine is not in the list"},
+{ERR_REASON(ENGINE_R_ENGINE_SECTION_ERROR),"engine section error"},
+{ERR_REASON(ENGINE_R_FAILED_LOADING_PRIVATE_KEY),"failed loading private key"},
+{ERR_REASON(ENGINE_R_FAILED_LOADING_PUBLIC_KEY),"failed loading public key"},
+{ERR_REASON(ENGINE_R_FINISH_FAILED)      ,"finish failed"},
+{ERR_REASON(ENGINE_R_GET_HANDLE_FAILED)  ,"could not obtain hardware handle"},
+{ERR_REASON(ENGINE_R_ID_OR_NAME_MISSING) ,"'id' or 'name' missing"},
+{ERR_REASON(ENGINE_R_INIT_FAILED)        ,"init failed"},
+{ERR_REASON(ENGINE_R_INTERNAL_LIST_ERROR),"internal list error"},
+{ERR_REASON(ENGINE_R_INVALID_ARGUMENT)   ,"invalid argument"},
+{ERR_REASON(ENGINE_R_INVALID_CMD_NAME)   ,"invalid cmd name"},
+{ERR_REASON(ENGINE_R_INVALID_CMD_NUMBER) ,"invalid cmd number"},
+{ERR_REASON(ENGINE_R_INVALID_INIT_VALUE) ,"invalid init value"},
+{ERR_REASON(ENGINE_R_INVALID_STRING)     ,"invalid string"},
+{ERR_REASON(ENGINE_R_NOT_INITIALISED)    ,"not initialised"},
+{ERR_REASON(ENGINE_R_NOT_LOADED)         ,"not loaded"},
+{ERR_REASON(ENGINE_R_NO_CONTROL_FUNCTION),"no control function"},
+{ERR_REASON(ENGINE_R_NO_INDEX)           ,"no index"},
+{ERR_REASON(ENGINE_R_NO_LOAD_FUNCTION)   ,"no load function"},
+{ERR_REASON(ENGINE_R_NO_REFERENCE)       ,"no reference"},
+{ERR_REASON(ENGINE_R_NO_SUCH_ENGINE)     ,"no such engine"},
+{ERR_REASON(ENGINE_R_NO_UNLOAD_FUNCTION) ,"no unload function"},
+{ERR_REASON(ENGINE_R_PROVIDE_PARAMETERS) ,"provide parameters"},
+{ERR_REASON(ENGINE_R_RSA_NOT_IMPLEMENTED),"rsa not implemented"},
+{ERR_REASON(ENGINE_R_UNIMPLEMENTED_CIPHER),"unimplemented cipher"},
+{ERR_REASON(ENGINE_R_UNIMPLEMENTED_DIGEST),"unimplemented digest"},
+{ERR_REASON(ENGINE_R_VERSION_INCOMPATIBILITY),"version incompatibility"},
 {0,NULL}
         };
 
@@ -158,8 +162,8 @@ void ERR_load_ENGINE_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_ENGINE,ENGINE_str_functs);
-                ERR_load_strings(ERR_LIB_ENGINE,ENGINE_str_reasons);
+                ERR_load_strings(0,ENGINE_str_functs);
+                ERR_load_strings(0,ENGINE_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/engine/tb_dsa.c b/src/lib/libcrypto/engine/tb_dsa.c
index 80170591f2..7efe181927 100644
--- a/src/lib/libcrypto/engine/tb_dsa.c
+++ b/src/lib/libcrypto/engine/tb_dsa.c
@@ -94,7 +94,7 @@ int ENGINE_set_default_DSA(ENGINE *e)
         {
         if(e->dsa_meth)
                 return engine_table_register(&dsa_table,
-                                engine_unregister_all_DSA, e, &dummy_nid, 1, 0);
+                                engine_unregister_all_DSA, e, &dummy_nid, 1, 1);
         return 1;
         }
 
diff --git a/src/lib/libcrypto/err/err.c b/src/lib/libcrypto/err/err.c
index c78790a54c..53687d79ab 100644
--- a/src/lib/libcrypto/err/err.c
+++ b/src/lib/libcrypto/err/err.c
@@ -621,7 +621,8 @@ static void err_load_strings(int lib, ERR_STRING_DATA *str)
         {
         while (str->error)
                 {
-                str->error|=ERR_PACK(lib,0,0);
+                if (lib)
+                        str->error|=ERR_PACK(lib,0,0);
                 ERRFN(err_set_item)(str);
                 str++;
                 }
@@ -637,7 +638,8 @@ void ERR_unload_strings(int lib, ERR_STRING_DATA *str)
         {
         while (str->error)
                 {
-                str->error|=ERR_PACK(lib,0,0);
+                if (lib)
+                        str->error|=ERR_PACK(lib,0,0);
                 ERRFN(err_del_item)(str);
                 str++;
                 }
diff --git a/src/lib/libcrypto/err/openssl.ec b/src/lib/libcrypto/err/openssl.ec
index 447a7f87ed..f8cd6937e7 100644
--- a/src/lib/libcrypto/err/openssl.ec
+++ b/src/lib/libcrypto/err/openssl.ec
@@ -27,7 +27,7 @@ L DSO		crypto/dso/dso.h		crypto/dso/dso_err.c
 L ENGINE        crypto/engine/engine.h          crypto/engine/eng_err.c
 L OCSP          crypto/ocsp/ocsp.h              crypto/ocsp/ocsp_err.c
 L UI            crypto/ui/ui.h                  crypto/ui/ui_err.c
-L FIPS          fips/fips.h                     fips/fips_err.h
+L FIPS          fips-1.0/fips.h                 fips-1.0/fips_err.h
 
 # additional header files to be scanned for function names
 L NONE          crypto/x509/x509_vfy.h          NONE
diff --git a/src/lib/libcrypto/evp/bio_enc.c b/src/lib/libcrypto/evp/bio_enc.c
index ab81851503..b8cda1a9f0 100644
--- a/src/lib/libcrypto/evp/bio_enc.c
+++ b/src/lib/libcrypto/evp/bio_enc.c
@@ -71,7 +71,7 @@ static int enc_new(BIO *h);
 static int enc_free(BIO *data);
 static long enc_callback_ctrl(BIO *h, int cmd, bio_info_cb *fps);
 #define ENC_BLOCK_SIZE  (1024*4)
-#define BUF_OFFSET      EVP_MAX_BLOCK_LENGTH
+#define BUF_OFFSET      (EVP_MAX_BLOCK_LENGTH*2)
 
 typedef struct enc_struct
         {
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index f35036c9d7..7b67984fa1 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -86,9 +86,9 @@ IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY,
 
 #define IMPLEMENT_AES_CFBR(ksize,cbits,flags)   IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16,flags)
 
-IMPLEMENT_AES_CFBR(128,1,0)
-IMPLEMENT_AES_CFBR(192,1,0)
-IMPLEMENT_AES_CFBR(256,1,0)
+IMPLEMENT_AES_CFBR(128,1,EVP_CIPH_FLAG_FIPS)
+IMPLEMENT_AES_CFBR(192,1,EVP_CIPH_FLAG_FIPS)
+IMPLEMENT_AES_CFBR(256,1,EVP_CIPH_FLAG_FIPS)
 
 IMPLEMENT_AES_CFBR(128,8,EVP_CIPH_FLAG_FIPS)
 IMPLEMENT_AES_CFBR(192,8,EVP_CIPH_FLAG_FIPS)
diff --git a/src/lib/libcrypto/evp/encode.c b/src/lib/libcrypto/evp/encode.c
index 08209357ce..33e540087d 100644
--- a/src/lib/libcrypto/evp/encode.c
+++ b/src/lib/libcrypto/evp/encode.c
@@ -313,7 +313,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
                         /* There will never be more than two '=' */
                         }
 
-                if ((v == B64_EOF) || (n >= 64))
+                if ((v == B64_EOF && (n&3) == 0) || (n >= 64))
                         {
                         /* This is needed to work correctly on 64 byte input
                          * lines.  We process the line and then need to
diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h
index 5cde88ae76..56eec23fef 100644
--- a/src/lib/libcrypto/evp/evp.h
+++ b/src/lib/libcrypto/evp/evp.h
@@ -84,7 +84,11 @@
 #include <openssl/md5.h>
 #endif
 #ifndef OPENSSL_NO_SHA
+#ifndef OPENSSL_FIPS
 #include <openssl/sha.h>
+#else
+#include <openssl/fips_sha.h>
+#endif
 #endif
 #ifndef OPENSSL_NO_RIPEMD
 #include <openssl/ripemd.h>
@@ -128,7 +132,11 @@
 #define EVP_CAST5_KEY_SIZE              16
 #define EVP_RC5_32_12_16_KEY_SIZE       16
 */
-#define EVP_MAX_MD_SIZE                 (16+20) /* The SSLv3 md5+sha1 type */
+#ifdef OPENSSL_FIPS
+#define EVP_MAX_MD_SIZE                 64      /* longest known SHA512 */
+#else
+#define EVP_MAX_MD_SIZE                 (16+20) /* The SSLv3 md5+sha1 type */
+#endif
 #define EVP_MAX_KEY_LENGTH              32
 #define EVP_MAX_IV_LENGTH               16
 #define EVP_MAX_BLOCK_LENGTH            32
@@ -642,6 +650,16 @@ const EVP_MD *EVP_sha(void);
 const EVP_MD *EVP_sha1(void);
 const EVP_MD *EVP_dss(void);
 const EVP_MD *EVP_dss1(void);
+#ifdef OPENSSL_FIPS
+#ifndef OPENSSL_NO_SHA256
+const EVP_MD *EVP_sha224(void);
+const EVP_MD *EVP_sha256(void);
+#endif
+#ifndef OPENSSL_NO_SHA512
+const EVP_MD *EVP_sha384(void);
+const EVP_MD *EVP_sha512(void);
+#endif
+#endif
 #endif
 #ifndef OPENSSL_NO_MDC2
 const EVP_MD *EVP_mdc2(void);
diff --git a/src/lib/libcrypto/evp/evp_err.c b/src/lib/libcrypto/evp/evp_err.c
index 40135d0729..77eee070d3 100644
--- a/src/lib/libcrypto/evp/evp_err.c
+++ b/src/lib/libcrypto/evp/evp_err.c
@@ -64,88 +64,92 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_EVP,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_EVP,0,reason)
+
 static ERR_STRING_DATA EVP_str_functs[]=
         {
-{ERR_PACK(0,EVP_F_AES_INIT_KEY,0),      "AES_INIT_KEY"},
-{ERR_PACK(0,EVP_F_D2I_PKEY,0),  "D2I_PKEY"},
-{ERR_PACK(0,EVP_F_EVP_ADD_CIPHER,0),    "EVP_add_cipher"},
-{ERR_PACK(0,EVP_F_EVP_ADD_DIGEST,0),    "EVP_add_digest"},
-{ERR_PACK(0,EVP_F_EVP_CIPHERINIT,0),    "EVP_CipherInit"},
-{ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_CTRL,0),       "EVP_CIPHER_CTX_ctrl"},
-{ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH,0),     "EVP_CIPHER_CTX_set_key_length"},
-{ERR_PACK(0,EVP_F_EVP_DECRYPTFINAL,0),  "EVP_DecryptFinal"},
-{ERR_PACK(0,EVP_F_EVP_DIGESTINIT,0),    "EVP_DigestInit"},
-{ERR_PACK(0,EVP_F_EVP_ENCRYPTFINAL,0),  "EVP_EncryptFinal"},
-{ERR_PACK(0,EVP_F_EVP_GET_CIPHERBYNAME,0),      "EVP_get_cipherbyname"},
-{ERR_PACK(0,EVP_F_EVP_GET_DIGESTBYNAME,0),      "EVP_get_digestbyname"},
-{ERR_PACK(0,EVP_F_EVP_MD_CTX_COPY,0),   "EVP_MD_CTX_copy"},
-{ERR_PACK(0,EVP_F_EVP_OPENINIT,0),      "EVP_OpenInit"},
-{ERR_PACK(0,EVP_F_EVP_PBE_ALG_ADD,0),   "EVP_PBE_alg_add"},
-{ERR_PACK(0,EVP_F_EVP_PBE_CIPHERINIT,0),        "EVP_PBE_CipherInit"},
-{ERR_PACK(0,EVP_F_EVP_PKCS82PKEY,0),    "EVP_PKCS82PKEY"},
-{ERR_PACK(0,EVP_F_EVP_PKCS8_SET_BROKEN,0),      "EVP_PKCS8_SET_BROKEN"},
-{ERR_PACK(0,EVP_F_EVP_PKEY2PKCS8,0),    "EVP_PKEY2PKCS8"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_COPY_PARAMETERS,0),  "EVP_PKEY_copy_parameters"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_DECRYPT,0),  "EVP_PKEY_decrypt"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_ENCRYPT,0),  "EVP_PKEY_encrypt"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_GET1_DH,0),  "EVP_PKEY_get1_DH"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_GET1_DSA,0), "EVP_PKEY_get1_DSA"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_GET1_RSA,0), "EVP_PKEY_get1_RSA"},
-{ERR_PACK(0,EVP_F_EVP_PKEY_NEW,0),      "EVP_PKEY_new"},
-{ERR_PACK(0,EVP_F_EVP_RIJNDAEL,0),      "EVP_RIJNDAEL"},
-{ERR_PACK(0,EVP_F_EVP_SIGNFINAL,0),     "EVP_SignFinal"},
-{ERR_PACK(0,EVP_F_EVP_VERIFYFINAL,0),   "EVP_VerifyFinal"},
-{ERR_PACK(0,EVP_F_PKCS5_PBE_KEYIVGEN,0),        "PKCS5_PBE_keyivgen"},
-{ERR_PACK(0,EVP_F_PKCS5_V2_PBE_KEYIVGEN,0),     "PKCS5_v2_PBE_keyivgen"},
-{ERR_PACK(0,EVP_F_RC2_MAGIC_TO_METH,0), "RC2_MAGIC_TO_METH"},
-{ERR_PACK(0,EVP_F_RC5_CTRL,0),  "RC5_CTRL"},
+{ERR_FUNC(EVP_F_AES_INIT_KEY),  "AES_INIT_KEY"},
+{ERR_FUNC(EVP_F_D2I_PKEY),      "D2I_PKEY"},
+{ERR_FUNC(EVP_F_EVP_ADD_CIPHER),        "EVP_add_cipher"},
+{ERR_FUNC(EVP_F_EVP_ADD_DIGEST),        "EVP_add_digest"},
+{ERR_FUNC(EVP_F_EVP_CIPHERINIT),        "EVP_CipherInit"},
+{ERR_FUNC(EVP_F_EVP_CIPHER_CTX_CTRL),   "EVP_CIPHER_CTX_ctrl"},
+{ERR_FUNC(EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH), "EVP_CIPHER_CTX_set_key_length"},
+{ERR_FUNC(EVP_F_EVP_DECRYPTFINAL),      "EVP_DecryptFinal"},
+{ERR_FUNC(EVP_F_EVP_DIGESTINIT),        "EVP_DigestInit"},
+{ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL),      "EVP_EncryptFinal"},
+{ERR_FUNC(EVP_F_EVP_GET_CIPHERBYNAME),  "EVP_get_cipherbyname"},
+{ERR_FUNC(EVP_F_EVP_GET_DIGESTBYNAME),  "EVP_get_digestbyname"},
+{ERR_FUNC(EVP_F_EVP_MD_CTX_COPY),       "EVP_MD_CTX_copy"},
+{ERR_FUNC(EVP_F_EVP_OPENINIT),  "EVP_OpenInit"},
+{ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD),       "EVP_PBE_alg_add"},
+{ERR_FUNC(EVP_F_EVP_PBE_CIPHERINIT),    "EVP_PBE_CipherInit"},
+{ERR_FUNC(EVP_F_EVP_PKCS82PKEY),        "EVP_PKCS82PKEY"},
+{ERR_FUNC(EVP_F_EVP_PKCS8_SET_BROKEN),  "EVP_PKCS8_SET_BROKEN"},
+{ERR_FUNC(EVP_F_EVP_PKEY2PKCS8),        "EVP_PKEY2PKCS8"},
+{ERR_FUNC(EVP_F_EVP_PKEY_COPY_PARAMETERS),      "EVP_PKEY_copy_parameters"},
+{ERR_FUNC(EVP_F_EVP_PKEY_DECRYPT),      "EVP_PKEY_decrypt"},
+{ERR_FUNC(EVP_F_EVP_PKEY_ENCRYPT),      "EVP_PKEY_encrypt"},
+{ERR_FUNC(EVP_F_EVP_PKEY_GET1_DH),      "EVP_PKEY_get1_DH"},
+{ERR_FUNC(EVP_F_EVP_PKEY_GET1_DSA),     "EVP_PKEY_get1_DSA"},
+{ERR_FUNC(EVP_F_EVP_PKEY_GET1_RSA),     "EVP_PKEY_get1_RSA"},
+{ERR_FUNC(EVP_F_EVP_PKEY_NEW),  "EVP_PKEY_new"},
+{ERR_FUNC(EVP_F_EVP_RIJNDAEL),  "EVP_RIJNDAEL"},
+{ERR_FUNC(EVP_F_EVP_SIGNFINAL), "EVP_SignFinal"},
+{ERR_FUNC(EVP_F_EVP_VERIFYFINAL),       "EVP_VerifyFinal"},
+{ERR_FUNC(EVP_F_PKCS5_PBE_KEYIVGEN),    "PKCS5_PBE_keyivgen"},
+{ERR_FUNC(EVP_F_PKCS5_V2_PBE_KEYIVGEN), "PKCS5_v2_PBE_keyivgen"},
+{ERR_FUNC(EVP_F_RC2_MAGIC_TO_METH),     "RC2_MAGIC_TO_METH"},
+{ERR_FUNC(EVP_F_RC5_CTRL),      "RC5_CTRL"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA EVP_str_reasons[]=
         {
-{EVP_R_AES_KEY_SETUP_FAILED              ,"aes key setup failed"},
-{EVP_R_BAD_BLOCK_LENGTH                  ,"bad block length"},
-{EVP_R_BAD_DECRYPT                       ,"bad decrypt"},
-{EVP_R_BAD_KEY_LENGTH                    ,"bad key length"},
-{EVP_R_BN_DECODE_ERROR                   ,"bn decode error"},
-{EVP_R_BN_PUBKEY_ERROR                   ,"bn pubkey error"},
-{EVP_R_CIPHER_PARAMETER_ERROR            ,"cipher parameter error"},
-{EVP_R_CTRL_NOT_IMPLEMENTED              ,"ctrl not implemented"},
-{EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED    ,"ctrl operation not implemented"},
-{EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH ,"data not multiple of block length"},
-{EVP_R_DECODE_ERROR                      ,"decode error"},
-{EVP_R_DIFFERENT_KEY_TYPES               ,"different key types"},
-{EVP_R_DISABLED_FOR_FIPS                 ,"disabled for fips"},
-{EVP_R_ENCODE_ERROR                      ,"encode error"},
-{EVP_R_EVP_PBE_CIPHERINIT_ERROR          ,"evp pbe cipherinit error"},
-{EVP_R_EXPECTING_AN_RSA_KEY              ,"expecting an rsa key"},
-{EVP_R_EXPECTING_A_DH_KEY                ,"expecting a dh key"},
-{EVP_R_EXPECTING_A_DSA_KEY               ,"expecting a dsa key"},
-{EVP_R_INITIALIZATION_ERROR              ,"initialization error"},
-{EVP_R_INPUT_NOT_INITIALIZED             ,"input not initialized"},
-{EVP_R_INVALID_KEY_LENGTH                ,"invalid key length"},
-{EVP_R_IV_TOO_LARGE                      ,"iv too large"},
-{EVP_R_KEYGEN_FAILURE                    ,"keygen failure"},
-{EVP_R_MISSING_PARAMETERS                ,"missing parameters"},
-{EVP_R_NO_CIPHER_SET                     ,"no cipher set"},
-{EVP_R_NO_DIGEST_SET                     ,"no digest set"},
-{EVP_R_NO_DSA_PARAMETERS                 ,"no dsa parameters"},
-{EVP_R_NO_SIGN_FUNCTION_CONFIGURED       ,"no sign function configured"},
-{EVP_R_NO_VERIFY_FUNCTION_CONFIGURED     ,"no verify function configured"},
-{EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE         ,"pkcs8 unknown broken type"},
-{EVP_R_PUBLIC_KEY_NOT_RSA                ,"public key not rsa"},
-{EVP_R_UNKNOWN_PBE_ALGORITHM             ,"unknown pbe algorithm"},
-{EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS       ,"unsuported number of rounds"},
-{EVP_R_UNSUPPORTED_CIPHER                ,"unsupported cipher"},
-{EVP_R_UNSUPPORTED_KEYLENGTH             ,"unsupported keylength"},
-{EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION,"unsupported key derivation function"},
-{EVP_R_UNSUPPORTED_KEY_SIZE              ,"unsupported key size"},
-{EVP_R_UNSUPPORTED_PRF                   ,"unsupported prf"},
-{EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM ,"unsupported private key algorithm"},
-{EVP_R_UNSUPPORTED_SALT_TYPE             ,"unsupported salt type"},
-{EVP_R_WRONG_FINAL_BLOCK_LENGTH          ,"wrong final block length"},
-{EVP_R_WRONG_PUBLIC_KEY_TYPE             ,"wrong public key type"},
+{ERR_REASON(EVP_R_AES_KEY_SETUP_FAILED)  ,"aes key setup failed"},
+{ERR_REASON(EVP_R_BAD_BLOCK_LENGTH)      ,"bad block length"},
+{ERR_REASON(EVP_R_BAD_DECRYPT)           ,"bad decrypt"},
+{ERR_REASON(EVP_R_BAD_KEY_LENGTH)        ,"bad key length"},
+{ERR_REASON(EVP_R_BN_DECODE_ERROR)       ,"bn decode error"},
+{ERR_REASON(EVP_R_BN_PUBKEY_ERROR)       ,"bn pubkey error"},
+{ERR_REASON(EVP_R_CIPHER_PARAMETER_ERROR),"cipher parameter error"},
+{ERR_REASON(EVP_R_CTRL_NOT_IMPLEMENTED)  ,"ctrl not implemented"},
+{ERR_REASON(EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED),"ctrl operation not implemented"},
+{ERR_REASON(EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH),"data not multiple of block length"},
+{ERR_REASON(EVP_R_DECODE_ERROR)          ,"decode error"},
+{ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES)   ,"different key types"},
+{ERR_REASON(EVP_R_DISABLED_FOR_FIPS)     ,"disabled for fips"},
+{ERR_REASON(EVP_R_ENCODE_ERROR)          ,"encode error"},
+{ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"},
+{ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY)  ,"expecting an rsa key"},
+{ERR_REASON(EVP_R_EXPECTING_A_DH_KEY)    ,"expecting a dh key"},
+{ERR_REASON(EVP_R_EXPECTING_A_DSA_KEY)   ,"expecting a dsa key"},
+{ERR_REASON(EVP_R_INITIALIZATION_ERROR)  ,"initialization error"},
+{ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) ,"input not initialized"},
+{ERR_REASON(EVP_R_INVALID_KEY_LENGTH)    ,"invalid key length"},
+{ERR_REASON(EVP_R_IV_TOO_LARGE)          ,"iv too large"},
+{ERR_REASON(EVP_R_KEYGEN_FAILURE)        ,"keygen failure"},
+{ERR_REASON(EVP_R_MISSING_PARAMETERS)    ,"missing parameters"},
+{ERR_REASON(EVP_R_NO_CIPHER_SET)         ,"no cipher set"},
+{ERR_REASON(EVP_R_NO_DIGEST_SET)         ,"no digest set"},
+{ERR_REASON(EVP_R_NO_DSA_PARAMETERS)     ,"no dsa parameters"},
+{ERR_REASON(EVP_R_NO_SIGN_FUNCTION_CONFIGURED),"no sign function configured"},
+{ERR_REASON(EVP_R_NO_VERIFY_FUNCTION_CONFIGURED),"no verify function configured"},
+{ERR_REASON(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE),"pkcs8 unknown broken type"},
+{ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA)    ,"public key not rsa"},
+{ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"},
+{ERR_REASON(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS),"unsuported number of rounds"},
+{ERR_REASON(EVP_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
+{ERR_REASON(EVP_R_UNSUPPORTED_KEYLENGTH) ,"unsupported keylength"},
+{ERR_REASON(EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION),"unsupported key derivation function"},
+{ERR_REASON(EVP_R_UNSUPPORTED_KEY_SIZE)  ,"unsupported key size"},
+{ERR_REASON(EVP_R_UNSUPPORTED_PRF)       ,"unsupported prf"},
+{ERR_REASON(EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM),"unsupported private key algorithm"},
+{ERR_REASON(EVP_R_UNSUPPORTED_SALT_TYPE) ,"unsupported salt type"},
+{ERR_REASON(EVP_R_WRONG_FINAL_BLOCK_LENGTH),"wrong final block length"},
+{ERR_REASON(EVP_R_WRONG_PUBLIC_KEY_TYPE) ,"wrong public key type"},
 {0,NULL}
         };
 
@@ -159,8 +163,8 @@ void ERR_load_EVP_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_EVP,EVP_str_functs);
-                ERR_load_strings(ERR_LIB_EVP,EVP_str_reasons);
+                ERR_load_strings(0,EVP_str_functs);
+                ERR_load_strings(0,EVP_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/evp/evp_key.c b/src/lib/libcrypto/evp/evp_key.c
index 5f387a94d3..f8650d5df6 100644
--- a/src/lib/libcrypto/evp/evp_key.c
+++ b/src/lib/libcrypto/evp/evp_key.c
@@ -126,7 +126,8 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
         EVP_MD_CTX_init(&c);
         for (;;)
                 {
-                EVP_DigestInit_ex(&c,md, NULL);
+                if (!EVP_DigestInit_ex(&c,md, NULL))
+                        return 0;
                 if (addmd++)
                         EVP_DigestUpdate(&c,&(md_buf[0]),mds);
                 EVP_DigestUpdate(&c,data,datal);
diff --git a/src/lib/libcrypto/evp/m_dss1.c b/src/lib/libcrypto/evp/m_dss1.c
index f5668ebda0..23b90d0538 100644
--- a/src/lib/libcrypto/evp/m_dss1.c
+++ b/src/lib/libcrypto/evp/m_dss1.c
@@ -67,7 +67,14 @@ static int init(EVP_MD_CTX *ctx)
         { return SHA1_Init(ctx->md_data); }
 
 static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+#ifndef OPENSSL_FIPS
         { return SHA1_Update(ctx->md_data,data,count); }
+#else
+        {
+        OPENSSL_assert(sizeof(count)<=sizeof(size_t));
+        return SHA1_Update(ctx->md_data,data,count);
+        }
+#endif
 
 static int final(EVP_MD_CTX *ctx,unsigned char *md)
         { return SHA1_Final(md,ctx->md_data); }
@@ -77,7 +84,7 @@ static const EVP_MD dss1_md=
         NID_dsa,
         NID_dsaWithSHA1,
         SHA_DIGEST_LENGTH,
-        0,
+        EVP_MD_FLAG_FIPS,
         init,
         update,
         final,
diff --git a/src/lib/libcrypto/evp/m_sha1.c b/src/lib/libcrypto/evp/m_sha1.c
index fe4402389a..60da93873c 100644
--- a/src/lib/libcrypto/evp/m_sha1.c
+++ b/src/lib/libcrypto/evp/m_sha1.c
@@ -67,7 +67,14 @@ static int init(EVP_MD_CTX *ctx)
         { return SHA1_Init(ctx->md_data); }
 
 static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+#ifndef OPENSSL_FIPS
         { return SHA1_Update(ctx->md_data,data,count); }
+#else
+        {
+        OPENSSL_assert(sizeof(count)<=sizeof(size_t));
+        return SHA1_Update(ctx->md_data,data,count);
+        }
+#endif
 
 static int final(EVP_MD_CTX *ctx,unsigned char *md)
         { return SHA1_Final(md,ctx->md_data); }
@@ -93,3 +100,115 @@ const EVP_MD *EVP_sha1(void)
         return(&sha1_md);
         }
 #endif
+
+#ifdef OPENSSL_FIPS
+#ifndef OPENSSL_NO_SHA256
+static int init224(EVP_MD_CTX *ctx)
+        { return SHA224_Init(ctx->md_data); }
+static int init256(EVP_MD_CTX *ctx)
+        { return SHA256_Init(ctx->md_data); }
+/*
+ * Even though there're separate SHA224_[Update|Final], we call
+ * SHA256 functions even in SHA224 context. This is what happens
+ * there anyway, so we can spare few CPU cycles:-)
+ */
+static int update256(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+        {
+        OPENSSL_assert(sizeof(count)<=sizeof(size_t));
+        return SHA256_Update(ctx->md_data,data,count);
+        }
+static int final256(EVP_MD_CTX *ctx,unsigned char *md)
+        { return SHA256_Final(md,ctx->md_data); }
+
+static const EVP_MD sha224_md=
+        {
+        NID_sha224,
+        NID_sha224WithRSAEncryption,
+        SHA224_DIGEST_LENGTH,
+        EVP_MD_FLAG_FIPS,
+        init224,
+        update256,
+        final256,
+        NULL,
+        NULL,
+        EVP_PKEY_RSA_method,
+        SHA256_CBLOCK,
+        sizeof(EVP_MD *)+sizeof(SHA256_CTX),
+        };
+
+const EVP_MD *EVP_sha224(void)
+        { return(&sha224_md); }
+
+static const EVP_MD sha256_md=
+        {
+        NID_sha256,
+        NID_sha256WithRSAEncryption,
+        SHA256_DIGEST_LENGTH,
+        EVP_MD_FLAG_FIPS,
+        init256,
+        update256,
+        final256,
+        NULL,
+        NULL,
+        EVP_PKEY_RSA_method,
+        SHA256_CBLOCK,
+        sizeof(EVP_MD *)+sizeof(SHA256_CTX),
+        };
+
+const EVP_MD *EVP_sha256(void)
+        { return(&sha256_md); }
+#endif /* ifndef OPENSSL_NO_SHA256 */
+
+#ifndef OPENSSL_NO_SHA512
+static int init384(EVP_MD_CTX *ctx)
+        { return SHA384_Init(ctx->md_data); }
+static int init512(EVP_MD_CTX *ctx)
+        { return SHA512_Init(ctx->md_data); }
+/* See comment in SHA224/256 section */
+static int update512(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+        {
+        OPENSSL_assert(sizeof(count)<=sizeof(size_t));
+        return SHA512_Update(ctx->md_data,data,count);
+        }
+static int final512(EVP_MD_CTX *ctx,unsigned char *md)
+        { return SHA512_Final(md,ctx->md_data); }
+
+static const EVP_MD sha384_md=
+        {
+        NID_sha384,
+        NID_sha384WithRSAEncryption,
+        SHA384_DIGEST_LENGTH,
+        EVP_MD_FLAG_FIPS,
+        init384,
+        update512,
+        final512,
+        NULL,
+        NULL,
+        EVP_PKEY_RSA_method,
+        SHA512_CBLOCK,
+        sizeof(EVP_MD *)+sizeof(SHA512_CTX),
+        };
+
+const EVP_MD *EVP_sha384(void)
+        { return(&sha384_md); }
+
+static const EVP_MD sha512_md=
+        {
+        NID_sha512,
+        NID_sha512WithRSAEncryption,
+        SHA512_DIGEST_LENGTH,
+        EVP_MD_FLAG_FIPS,
+        init512,
+        update512,
+        final512,
+        NULL,
+        NULL,
+        EVP_PKEY_RSA_method,
+        SHA512_CBLOCK,
+        sizeof(EVP_MD *)+sizeof(SHA512_CTX),
+        };
+
+const EVP_MD *EVP_sha512(void)
+        { return(&sha512_md); }
+#endif /* ifndef OPENSSL_NO_SHA512 */
+#endif /* ifdef OPENSSL_FIPS */
diff --git a/src/lib/libcrypto/evp/p5_crpt2.c b/src/lib/libcrypto/evp/p5_crpt2.c
index 1f94e1ef88..1d5fabc4b2 100644
--- a/src/lib/libcrypto/evp/p5_crpt2.c
+++ b/src/lib/libcrypto/evp/p5_crpt2.c
@@ -194,11 +194,16 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 
         /* Now decode key derivation function */
 
+        if(!pbe2->keyfunc->parameter ||
+                 (pbe2->keyfunc->parameter->type != V_ASN1_SEQUENCE))
+                {
+                EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+                goto err;
+                }
+
         pbuf = pbe2->keyfunc->parameter->value.sequence->data;
         plen = pbe2->keyfunc->parameter->value.sequence->length;
-        if(!pbe2->keyfunc->parameter ||
-                 (pbe2->keyfunc->parameter->type != V_ASN1_SEQUENCE) ||
-                                !(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) {
+        if(!(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) {
                 EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
                 goto err;
         }
diff --git a/src/lib/libcrypto/hmac/hmac.c b/src/lib/libcrypto/hmac/hmac.c
index 06ee80761f..6c110bd52b 100644
--- a/src/lib/libcrypto/hmac/hmac.c
+++ b/src/lib/libcrypto/hmac/hmac.c
@@ -61,6 +61,8 @@
 #include <openssl/hmac.h>
 #include "cryptlib.h"
 
+#ifndef OPENSSL_FIPS
+
 void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
                   const EVP_MD *md, ENGINE *impl)
         {
@@ -77,15 +79,6 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
 
         if (key != NULL)
                 {
-#ifdef OPENSSL_FIPS
-                if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS)
-                && (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
-                 || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
-                 || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
-                OpenSSLDie(__FILE__,__LINE__,
-                        "HMAC: digest not allowed in FIPS mode");
-#endif
-                
                 reset=1;
                 j=EVP_MD_block_size(md);
                 OPENSSL_assert(j <= sizeof ctx->key);
@@ -187,3 +180,4 @@ void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
         EVP_MD_CTX_set_flags(&ctx->md_ctx, flags);
         }
 
+#endif
diff --git a/src/lib/libcrypto/hmac/hmac.h b/src/lib/libcrypto/hmac/hmac.h
index 294ab3b36a..c6489c04c8 100644
--- a/src/lib/libcrypto/hmac/hmac.h
+++ b/src/lib/libcrypto/hmac/hmac.h
@@ -64,7 +64,11 @@
 
 #include <openssl/evp.h>
 
+#ifdef OPENSSL_FIPS
+#define HMAC_MAX_MD_CBLOCK      128
+#else
 #define HMAC_MAX_MD_CBLOCK      64
+#endif
 
 #ifdef  __cplusplus
 extern "C" {
diff --git a/src/lib/libcrypto/md4/md4_one.c b/src/lib/libcrypto/md4/md4_one.c
index 00565507e4..50f79352f6 100644
--- a/src/lib/libcrypto/md4/md4_one.c
+++ b/src/lib/libcrypto/md4/md4_one.c
@@ -71,7 +71,8 @@ unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md)
         static unsigned char m[MD4_DIGEST_LENGTH];
 
         if (md == NULL) md=m;
-        MD4_Init(&c);
+        if (!MD4_Init(&c))
+                return NULL;
 #ifndef CHARSET_EBCDIC
         MD4_Update(&c,d,n);
 #else
diff --git a/src/lib/libcrypto/md5/md5_one.c b/src/lib/libcrypto/md5/md5_one.c
index c5dd2d81db..44c6c455d1 100644
--- a/src/lib/libcrypto/md5/md5_one.c
+++ b/src/lib/libcrypto/md5/md5_one.c
@@ -71,7 +71,8 @@ unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md)
         static unsigned char m[MD5_DIGEST_LENGTH];
 
         if (md == NULL) md=m;
-        MD5_Init(&c);
+        if (!MD5_Init(&c))
+                return NULL;
 #ifndef CHARSET_EBCDIC
         MD5_Update(&c,d,n);
 #else
diff --git a/src/lib/libcrypto/objects/obj_err.c b/src/lib/libcrypto/objects/obj_err.c
index 2b5f43e3cc..0682979b38 100644
--- a/src/lib/libcrypto/objects/obj_err.c
+++ b/src/lib/libcrypto/objects/obj_err.c
@@ -1,6 +1,6 @@
 /* crypto/objects/obj_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,22 +64,26 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_OBJ,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_OBJ,0,reason)
+
 static ERR_STRING_DATA OBJ_str_functs[]=
         {
-{ERR_PACK(0,OBJ_F_OBJ_ADD_OBJECT,0),    "OBJ_add_object"},
-{ERR_PACK(0,OBJ_F_OBJ_CREATE,0),        "OBJ_create"},
-{ERR_PACK(0,OBJ_F_OBJ_DUP,0),   "OBJ_dup"},
-{ERR_PACK(0,OBJ_F_OBJ_NAME_NEW_INDEX,0),        "OBJ_NAME_new_index"},
-{ERR_PACK(0,OBJ_F_OBJ_NID2LN,0),        "OBJ_nid2ln"},
-{ERR_PACK(0,OBJ_F_OBJ_NID2OBJ,0),       "OBJ_nid2obj"},
-{ERR_PACK(0,OBJ_F_OBJ_NID2SN,0),        "OBJ_nid2sn"},
+{ERR_FUNC(OBJ_F_OBJ_ADD_OBJECT),        "OBJ_add_object"},
+{ERR_FUNC(OBJ_F_OBJ_CREATE),    "OBJ_create"},
+{ERR_FUNC(OBJ_F_OBJ_DUP),       "OBJ_dup"},
+{ERR_FUNC(OBJ_F_OBJ_NAME_NEW_INDEX),    "OBJ_NAME_new_index"},
+{ERR_FUNC(OBJ_F_OBJ_NID2LN),    "OBJ_nid2ln"},
+{ERR_FUNC(OBJ_F_OBJ_NID2OBJ),   "OBJ_nid2obj"},
+{ERR_FUNC(OBJ_F_OBJ_NID2SN),    "OBJ_nid2sn"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA OBJ_str_reasons[]=
         {
-{OBJ_R_MALLOC_FAILURE                    ,"malloc failure"},
-{OBJ_R_UNKNOWN_NID                       ,"unknown nid"},
+{ERR_REASON(OBJ_R_MALLOC_FAILURE)        ,"malloc failure"},
+{ERR_REASON(OBJ_R_UNKNOWN_NID)           ,"unknown nid"},
 {0,NULL}
         };
 
@@ -93,8 +97,8 @@ void ERR_load_OBJ_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_OBJ,OBJ_str_functs);
-                ERR_load_strings(ERR_LIB_OBJ,OBJ_str_reasons);
+                ERR_load_strings(0,OBJ_str_functs);
+                ERR_load_strings(0,OBJ_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/objects/obj_mac.num b/src/lib/libcrypto/objects/obj_mac.num
index 0e64a929ba..84555d936e 100644
--- a/src/lib/libcrypto/objects/obj_mac.num
+++ b/src/lib/libcrypto/objects/obj_mac.num
@@ -287,9 +287,9 @@ qcStatements		286
 ac_auditEntity          287
 ac_targeting            288
 aaControls              289
-sbqp_ipAddrBlock                290
-sbqp_autonomousSysNum           291
-sbqp_routerIdentifier           292
+sbgp_ipAddrBlock                290
+sbgp_autonomousSysNum           291
+sbgp_routerIdentifier           292
 textNotice              293
 ipsecEndSystem          294
 ipsecTunnel             295
@@ -663,5 +663,13 @@ id_ppl		662
 proxyCertInfo           663
 id_ppl_anyLanguage              664
 id_ppl_inheritAll               665
-id_ppl_independent              666
+name_constraints                666
 Independent             667
+sha256WithRSAEncryption         668
+sha384WithRSAEncryption         669
+sha512WithRSAEncryption         670
+sha224WithRSAEncryption         671
+sha256          672
+sha384          673
+sha512          674
+sha224          675
diff --git a/src/lib/libcrypto/objects/objects.txt b/src/lib/libcrypto/objects/objects.txt
index 50e9031e61..2635c4e667 100644
--- a/src/lib/libcrypto/objects/objects.txt
+++ b/src/lib/libcrypto/objects/objects.txt
@@ -63,6 +63,11 @@ pkcs1 2			: RSA-MD2		: md2WithRSAEncryption
 pkcs1 3                 : RSA-MD4               : md4WithRSAEncryption
 pkcs1 4                 : RSA-MD5               : md5WithRSAEncryption
 pkcs1 5                 : RSA-SHA1              : sha1WithRSAEncryption
+# According to PKCS #1 version 2.1
+pkcs1 11                : RSA-SHA256            : sha256WithRSAEncryption
+pkcs1 12                : RSA-SHA384            : sha384WithRSAEncryption
+pkcs1 13                : RSA-SHA512            : sha512WithRSAEncryption
+pkcs1 14                : RSA-SHA224            : sha224WithRSAEncryption
 
 pkcs 3                  : pkcs3
 pkcs3 1                 :                       : dhKeyAgreement
@@ -341,9 +346,9 @@ id-pe 3			: qcStatements
 id-pe 4                 : ac-auditEntity
 id-pe 5                 : ac-targeting
 id-pe 6                 : aaControls
-id-pe 7                 : sbqp-ipAddrBlock
-id-pe 8                 : sbqp-autonomousSysNum
-id-pe 9                 : sbqp-routerIdentifier
+id-pe 7                 : sbgp-ipAddrBlock
+id-pe 8                 : sbgp-autonomousSysNum
+id-pe 9                 : sbgp-routerIdentifier
 id-pe 10                : ac-proxying
 !Cname sinfo-access
 id-pe 11                : subjectInfoAccess     : Subject Information Access
@@ -584,6 +589,8 @@ id-ce 21		: CRLReason		: X509v3 CRL Reason Code
 id-ce 24                : invalidityDate        : Invalidity Date
 !Cname delta-crl
 id-ce 27                : deltaCRL              : X509v3 Delta CRL Indicator
+!Cname name-constraints
+id-ce 30                : nameConstraints       : X509v3 Name Constraints
 !Cname crl-distribution-points
 id-ce 31                : crlDistributionPoints : X509v3 CRL Distribution Points
 !Cname certificate-policies
@@ -703,6 +710,13 @@ aes 44			: AES-256-CFB		: aes-256-cfb
                         : DES-EDE3-CFB1         : des-ede3-cfb1
                         : DES-EDE3-CFB8         : des-ede3-cfb8
 
+# OIDs for SHA224, SHA256, SHA385 and SHA512, according to x9.84.
+!Alias nist_hashalgs nistAlgorithms 2
+nist_hashalgs 1         : SHA256                : sha256
+nist_hashalgs 2         : SHA384                : sha384
+nist_hashalgs 3         : SHA512                : sha512
+nist_hashalgs 4         : SHA224                : sha224
+
 # Hold instruction CRL entry extension
 !Cname hold-instruction-code
 id-ce 23                : holdInstructionCode   : Hold Instruction Code
diff --git a/src/lib/libcrypto/ocsp/ocsp_err.c b/src/lib/libcrypto/ocsp/ocsp_err.c
index 4c4d8306f8..65e6093fbc 100644
--- a/src/lib/libcrypto/ocsp/ocsp_err.c
+++ b/src/lib/libcrypto/ocsp/ocsp_err.c
@@ -1,6 +1,6 @@
 /* crypto/ocsp/ocsp_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,60 +64,64 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_OCSP,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_OCSP,0,reason)
+
 static ERR_STRING_DATA OCSP_str_functs[]=
         {
-{ERR_PACK(0,OCSP_F_ASN1_STRING_ENCODE,0),       "ASN1_STRING_encode"},
-{ERR_PACK(0,OCSP_F_CERT_ID_NEW,0),      "CERT_ID_NEW"},
-{ERR_PACK(0,OCSP_F_D2I_OCSP_NONCE,0),   "D2I_OCSP_NONCE"},
-{ERR_PACK(0,OCSP_F_OCSP_BASIC_ADD1_STATUS,0),   "OCSP_basic_add1_status"},
-{ERR_PACK(0,OCSP_F_OCSP_BASIC_SIGN,0),  "OCSP_basic_sign"},
-{ERR_PACK(0,OCSP_F_OCSP_BASIC_VERIFY,0),        "OCSP_basic_verify"},
-{ERR_PACK(0,OCSP_F_OCSP_CHECK_DELEGATED,0),     "OCSP_CHECK_DELEGATED"},
-{ERR_PACK(0,OCSP_F_OCSP_CHECK_IDS,0),   "OCSP_CHECK_IDS"},
-{ERR_PACK(0,OCSP_F_OCSP_CHECK_ISSUER,0),        "OCSP_CHECK_ISSUER"},
-{ERR_PACK(0,OCSP_F_OCSP_CHECK_VALIDITY,0),      "OCSP_check_validity"},
-{ERR_PACK(0,OCSP_F_OCSP_MATCH_ISSUERID,0),      "OCSP_MATCH_ISSUERID"},
-{ERR_PACK(0,OCSP_F_OCSP_PARSE_URL,0),   "OCSP_parse_url"},
-{ERR_PACK(0,OCSP_F_OCSP_REQUEST_SIGN,0),        "OCSP_request_sign"},
-{ERR_PACK(0,OCSP_F_OCSP_REQUEST_VERIFY,0),      "OCSP_request_verify"},
-{ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0), "OCSP_response_get1_basic"},
-{ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0), "OCSP_sendreq_bio"},
-{ERR_PACK(0,OCSP_F_REQUEST_VERIFY,0),   "REQUEST_VERIFY"},
+{ERR_FUNC(OCSP_F_ASN1_STRING_ENCODE),   "ASN1_STRING_encode"},
+{ERR_FUNC(OCSP_F_CERT_ID_NEW),  "CERT_ID_NEW"},
+{ERR_FUNC(OCSP_F_D2I_OCSP_NONCE),       "D2I_OCSP_NONCE"},
+{ERR_FUNC(OCSP_F_OCSP_BASIC_ADD1_STATUS),       "OCSP_basic_add1_status"},
+{ERR_FUNC(OCSP_F_OCSP_BASIC_SIGN),      "OCSP_basic_sign"},
+{ERR_FUNC(OCSP_F_OCSP_BASIC_VERIFY),    "OCSP_basic_verify"},
+{ERR_FUNC(OCSP_F_OCSP_CHECK_DELEGATED), "OCSP_CHECK_DELEGATED"},
+{ERR_FUNC(OCSP_F_OCSP_CHECK_IDS),       "OCSP_CHECK_IDS"},
+{ERR_FUNC(OCSP_F_OCSP_CHECK_ISSUER),    "OCSP_CHECK_ISSUER"},
+{ERR_FUNC(OCSP_F_OCSP_CHECK_VALIDITY),  "OCSP_check_validity"},
+{ERR_FUNC(OCSP_F_OCSP_MATCH_ISSUERID),  "OCSP_MATCH_ISSUERID"},
+{ERR_FUNC(OCSP_F_OCSP_PARSE_URL),       "OCSP_parse_url"},
+{ERR_FUNC(OCSP_F_OCSP_REQUEST_SIGN),    "OCSP_request_sign"},
+{ERR_FUNC(OCSP_F_OCSP_REQUEST_VERIFY),  "OCSP_request_verify"},
+{ERR_FUNC(OCSP_F_OCSP_RESPONSE_GET1_BASIC),     "OCSP_response_get1_basic"},
+{ERR_FUNC(OCSP_F_OCSP_SENDREQ_BIO),     "OCSP_sendreq_bio"},
+{ERR_FUNC(OCSP_F_REQUEST_VERIFY),       "REQUEST_VERIFY"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA OCSP_str_reasons[]=
         {
-{OCSP_R_BAD_DATA                         ,"bad data"},
-{OCSP_R_CERTIFICATE_VERIFY_ERROR         ,"certificate verify error"},
-{OCSP_R_DIGEST_ERR                       ,"digest err"},
-{OCSP_R_ERROR_IN_NEXTUPDATE_FIELD        ,"error in nextupdate field"},
-{OCSP_R_ERROR_IN_THISUPDATE_FIELD        ,"error in thisupdate field"},
-{OCSP_R_ERROR_PARSING_URL                ,"error parsing url"},
-{OCSP_R_MISSING_OCSPSIGNING_USAGE        ,"missing ocspsigning usage"},
-{OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE     ,"nextupdate before thisupdate"},
-{OCSP_R_NOT_BASIC_RESPONSE               ,"not basic response"},
-{OCSP_R_NO_CERTIFICATES_IN_CHAIN         ,"no certificates in chain"},
-{OCSP_R_NO_CONTENT                       ,"no content"},
-{OCSP_R_NO_PUBLIC_KEY                    ,"no public key"},
-{OCSP_R_NO_RESPONSE_DATA                 ,"no response data"},
-{OCSP_R_NO_REVOKED_TIME                  ,"no revoked time"},
-{OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"},
-{OCSP_R_REQUEST_NOT_SIGNED               ,"request not signed"},
-{OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"},
-{OCSP_R_ROOT_CA_NOT_TRUSTED              ,"root ca not trusted"},
-{OCSP_R_SERVER_READ_ERROR                ,"server read error"},
-{OCSP_R_SERVER_RESPONSE_ERROR            ,"server response error"},
-{OCSP_R_SERVER_RESPONSE_PARSE_ERROR      ,"server response parse error"},
-{OCSP_R_SERVER_WRITE_ERROR               ,"server write error"},
-{OCSP_R_SIGNATURE_FAILURE                ,"signature failure"},
-{OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND     ,"signer certificate not found"},
-{OCSP_R_STATUS_EXPIRED                   ,"status expired"},
-{OCSP_R_STATUS_NOT_YET_VALID             ,"status not yet valid"},
-{OCSP_R_STATUS_TOO_OLD                   ,"status too old"},
-{OCSP_R_UNKNOWN_MESSAGE_DIGEST           ,"unknown message digest"},
-{OCSP_R_UNKNOWN_NID                      ,"unknown nid"},
-{OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE   ,"unsupported requestorname type"},
+{ERR_REASON(OCSP_R_BAD_DATA)             ,"bad data"},
+{ERR_REASON(OCSP_R_CERTIFICATE_VERIFY_ERROR),"certificate verify error"},
+{ERR_REASON(OCSP_R_DIGEST_ERR)           ,"digest err"},
+{ERR_REASON(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD),"error in nextupdate field"},
+{ERR_REASON(OCSP_R_ERROR_IN_THISUPDATE_FIELD),"error in thisupdate field"},
+{ERR_REASON(OCSP_R_ERROR_PARSING_URL)    ,"error parsing url"},
+{ERR_REASON(OCSP_R_MISSING_OCSPSIGNING_USAGE),"missing ocspsigning usage"},
+{ERR_REASON(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE),"nextupdate before thisupdate"},
+{ERR_REASON(OCSP_R_NOT_BASIC_RESPONSE)   ,"not basic response"},
+{ERR_REASON(OCSP_R_NO_CERTIFICATES_IN_CHAIN),"no certificates in chain"},
+{ERR_REASON(OCSP_R_NO_CONTENT)           ,"no content"},
+{ERR_REASON(OCSP_R_NO_PUBLIC_KEY)        ,"no public key"},
+{ERR_REASON(OCSP_R_NO_RESPONSE_DATA)     ,"no response data"},
+{ERR_REASON(OCSP_R_NO_REVOKED_TIME)      ,"no revoked time"},
+{ERR_REASON(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE),"private key does not match certificate"},
+{ERR_REASON(OCSP_R_REQUEST_NOT_SIGNED)   ,"request not signed"},
+{ERR_REASON(OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA),"response contains no revocation data"},
+{ERR_REASON(OCSP_R_ROOT_CA_NOT_TRUSTED)  ,"root ca not trusted"},
+{ERR_REASON(OCSP_R_SERVER_READ_ERROR)    ,"server read error"},
+{ERR_REASON(OCSP_R_SERVER_RESPONSE_ERROR),"server response error"},
+{ERR_REASON(OCSP_R_SERVER_RESPONSE_PARSE_ERROR),"server response parse error"},
+{ERR_REASON(OCSP_R_SERVER_WRITE_ERROR)   ,"server write error"},
+{ERR_REASON(OCSP_R_SIGNATURE_FAILURE)    ,"signature failure"},
+{ERR_REASON(OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND),"signer certificate not found"},
+{ERR_REASON(OCSP_R_STATUS_EXPIRED)       ,"status expired"},
+{ERR_REASON(OCSP_R_STATUS_NOT_YET_VALID) ,"status not yet valid"},
+{ERR_REASON(OCSP_R_STATUS_TOO_OLD)       ,"status too old"},
+{ERR_REASON(OCSP_R_UNKNOWN_MESSAGE_DIGEST),"unknown message digest"},
+{ERR_REASON(OCSP_R_UNKNOWN_NID)          ,"unknown nid"},
+{ERR_REASON(OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE),"unsupported requestorname type"},
 {0,NULL}
         };
 
@@ -131,8 +135,8 @@ void ERR_load_OCSP_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_OCSP,OCSP_str_functs);
-                ERR_load_strings(ERR_LIB_OCSP,OCSP_str_reasons);
+                ERR_load_strings(0,OCSP_str_functs);
+                ERR_load_strings(0,OCSP_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h
index 5d5f688edd..e50c1baf00 100644
--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER  0x0090707fL
+#define OPENSSL_VERSION_NUMBER  0x009070afL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7g-fips 11 Apr 2005"
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7j-fips 04 May 2006"
 #else
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7g 11 Apr 2005"
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7j 04 May 2006"
 #endif
 #define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
diff --git a/src/lib/libcrypto/pem/pem_err.c b/src/lib/libcrypto/pem/pem_err.c
index 3b39b84d66..8527028ebc 100644
--- a/src/lib/libcrypto/pem/pem_err.c
+++ b/src/lib/libcrypto/pem/pem_err.c
@@ -1,6 +1,6 @@
 /* crypto/pem/pem_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,52 +64,56 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_PEM,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_PEM,0,reason)
+
 static ERR_STRING_DATA PEM_str_functs[]=
         {
-{ERR_PACK(0,PEM_F_D2I_PKCS8PRIVATEKEY_BIO,0),   "d2i_PKCS8PrivateKey_bio"},
-{ERR_PACK(0,PEM_F_D2I_PKCS8PRIVATEKEY_FP,0),    "d2i_PKCS8PrivateKey_fp"},
-{ERR_PACK(0,PEM_F_DEF_CALLBACK,0),      "DEF_CALLBACK"},
-{ERR_PACK(0,PEM_F_LOAD_IV,0),   "LOAD_IV"},
-{ERR_PACK(0,PEM_F_PEM_ASN1_READ,0),     "PEM_ASN1_read"},
-{ERR_PACK(0,PEM_F_PEM_ASN1_READ_BIO,0), "PEM_ASN1_read_bio"},
-{ERR_PACK(0,PEM_F_PEM_ASN1_WRITE,0),    "PEM_ASN1_write"},
-{ERR_PACK(0,PEM_F_PEM_ASN1_WRITE_BIO,0),        "PEM_ASN1_write_bio"},
-{ERR_PACK(0,PEM_F_PEM_DO_HEADER,0),     "PEM_do_header"},
-{ERR_PACK(0,PEM_F_PEM_F_DO_PK8KEY_FP,0),        "PEM_F_DO_PK8KEY_FP"},
-{ERR_PACK(0,PEM_F_PEM_F_PEM_WRITE_PKCS8PRIVATEKEY,0),   "PEM_F_PEM_WRITE_PKCS8PRIVATEKEY"},
-{ERR_PACK(0,PEM_F_PEM_GET_EVP_CIPHER_INFO,0),   "PEM_get_EVP_CIPHER_INFO"},
-{ERR_PACK(0,PEM_F_PEM_READ,0),  "PEM_read"},
-{ERR_PACK(0,PEM_F_PEM_READ_BIO,0),      "PEM_read_bio"},
-{ERR_PACK(0,PEM_F_PEM_SEALFINAL,0),     "PEM_SealFinal"},
-{ERR_PACK(0,PEM_F_PEM_SEALINIT,0),      "PEM_SealInit"},
-{ERR_PACK(0,PEM_F_PEM_SIGNFINAL,0),     "PEM_SignFinal"},
-{ERR_PACK(0,PEM_F_PEM_WRITE,0), "PEM_write"},
-{ERR_PACK(0,PEM_F_PEM_WRITE_BIO,0),     "PEM_write_bio"},
-{ERR_PACK(0,PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY,0),     "PEM_write_bio_PKCS8PrivateKey"},
-{ERR_PACK(0,PEM_F_PEM_X509_INFO_READ,0),        "PEM_X509_INFO_read"},
-{ERR_PACK(0,PEM_F_PEM_X509_INFO_READ_BIO,0),    "PEM_X509_INFO_read_bio"},
-{ERR_PACK(0,PEM_F_PEM_X509_INFO_WRITE_BIO,0),   "PEM_X509_INFO_write_bio"},
+{ERR_FUNC(PEM_F_D2I_PKCS8PRIVATEKEY_BIO),       "d2i_PKCS8PrivateKey_bio"},
+{ERR_FUNC(PEM_F_D2I_PKCS8PRIVATEKEY_FP),        "d2i_PKCS8PrivateKey_fp"},
+{ERR_FUNC(PEM_F_DEF_CALLBACK),  "DEF_CALLBACK"},
+{ERR_FUNC(PEM_F_LOAD_IV),       "LOAD_IV"},
+{ERR_FUNC(PEM_F_PEM_ASN1_READ), "PEM_ASN1_read"},
+{ERR_FUNC(PEM_F_PEM_ASN1_READ_BIO),     "PEM_ASN1_read_bio"},
+{ERR_FUNC(PEM_F_PEM_ASN1_WRITE),        "PEM_ASN1_write"},
+{ERR_FUNC(PEM_F_PEM_ASN1_WRITE_BIO),    "PEM_ASN1_write_bio"},
+{ERR_FUNC(PEM_F_PEM_DO_HEADER), "PEM_do_header"},
+{ERR_FUNC(PEM_F_PEM_F_DO_PK8KEY_FP),    "PEM_F_DO_PK8KEY_FP"},
+{ERR_FUNC(PEM_F_PEM_F_PEM_WRITE_PKCS8PRIVATEKEY),       "PEM_F_PEM_WRITE_PKCS8PRIVATEKEY"},
+{ERR_FUNC(PEM_F_PEM_GET_EVP_CIPHER_INFO),       "PEM_get_EVP_CIPHER_INFO"},
+{ERR_FUNC(PEM_F_PEM_READ),      "PEM_read"},
+{ERR_FUNC(PEM_F_PEM_READ_BIO),  "PEM_read_bio"},
+{ERR_FUNC(PEM_F_PEM_SEALFINAL), "PEM_SealFinal"},
+{ERR_FUNC(PEM_F_PEM_SEALINIT),  "PEM_SealInit"},
+{ERR_FUNC(PEM_F_PEM_SIGNFINAL), "PEM_SignFinal"},
+{ERR_FUNC(PEM_F_PEM_WRITE),     "PEM_write"},
+{ERR_FUNC(PEM_F_PEM_WRITE_BIO), "PEM_write_bio"},
+{ERR_FUNC(PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY), "PEM_write_bio_PKCS8PrivateKey"},
+{ERR_FUNC(PEM_F_PEM_X509_INFO_READ),    "PEM_X509_INFO_read"},
+{ERR_FUNC(PEM_F_PEM_X509_INFO_READ_BIO),        "PEM_X509_INFO_read_bio"},
+{ERR_FUNC(PEM_F_PEM_X509_INFO_WRITE_BIO),       "PEM_X509_INFO_write_bio"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA PEM_str_reasons[]=
         {
-{PEM_R_BAD_BASE64_DECODE                 ,"bad base64 decode"},
-{PEM_R_BAD_DECRYPT                       ,"bad decrypt"},
-{PEM_R_BAD_END_LINE                      ,"bad end line"},
-{PEM_R_BAD_IV_CHARS                      ,"bad iv chars"},
-{PEM_R_BAD_PASSWORD_READ                 ,"bad password read"},
-{PEM_R_ERROR_CONVERTING_PRIVATE_KEY      ,"error converting private key"},
-{PEM_R_NOT_DEK_INFO                      ,"not dek info"},
-{PEM_R_NOT_ENCRYPTED                     ,"not encrypted"},
-{PEM_R_NOT_PROC_TYPE                     ,"not proc type"},
-{PEM_R_NO_START_LINE                     ,"no start line"},
-{PEM_R_PROBLEMS_GETTING_PASSWORD         ,"problems getting password"},
-{PEM_R_PUBLIC_KEY_NO_RSA                 ,"public key no rsa"},
-{PEM_R_READ_KEY                          ,"read key"},
-{PEM_R_SHORT_HEADER                      ,"short header"},
-{PEM_R_UNSUPPORTED_CIPHER                ,"unsupported cipher"},
-{PEM_R_UNSUPPORTED_ENCRYPTION            ,"unsupported encryption"},
+{ERR_REASON(PEM_R_BAD_BASE64_DECODE)     ,"bad base64 decode"},
+{ERR_REASON(PEM_R_BAD_DECRYPT)           ,"bad decrypt"},
+{ERR_REASON(PEM_R_BAD_END_LINE)          ,"bad end line"},
+{ERR_REASON(PEM_R_BAD_IV_CHARS)          ,"bad iv chars"},
+{ERR_REASON(PEM_R_BAD_PASSWORD_READ)     ,"bad password read"},
+{ERR_REASON(PEM_R_ERROR_CONVERTING_PRIVATE_KEY),"error converting private key"},
+{ERR_REASON(PEM_R_NOT_DEK_INFO)          ,"not dek info"},
+{ERR_REASON(PEM_R_NOT_ENCRYPTED)         ,"not encrypted"},
+{ERR_REASON(PEM_R_NOT_PROC_TYPE)         ,"not proc type"},
+{ERR_REASON(PEM_R_NO_START_LINE)         ,"no start line"},
+{ERR_REASON(PEM_R_PROBLEMS_GETTING_PASSWORD),"problems getting password"},
+{ERR_REASON(PEM_R_PUBLIC_KEY_NO_RSA)     ,"public key no rsa"},
+{ERR_REASON(PEM_R_READ_KEY)              ,"read key"},
+{ERR_REASON(PEM_R_SHORT_HEADER)          ,"short header"},
+{ERR_REASON(PEM_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
+{ERR_REASON(PEM_R_UNSUPPORTED_ENCRYPTION),"unsupported encryption"},
 {0,NULL}
         };
 
@@ -123,8 +127,8 @@ void ERR_load_PEM_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_PEM,PEM_str_functs);
-                ERR_load_strings(ERR_LIB_PEM,PEM_str_reasons);
+                ERR_load_strings(0,PEM_str_functs);
+                ERR_load_strings(0,PEM_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/perlasm/x86asm.pl b/src/lib/libcrypto/perlasm/x86asm.pl
index bef2667079..ea54a1edc5 100644
--- a/src/lib/libcrypto/perlasm/x86asm.pl
+++ b/src/lib/libcrypto/perlasm/x86asm.pl
@@ -90,7 +90,7 @@ $tmp
 #ifdef OUT
 #define OK      1
 #define ALIGN   4
-#if defined(__CYGWIN__) || defined(__DJGPP__)
+#if defined(__CYGWIN__) || defined(__DJGPP__) || defined(__MINGW32__)
 #undef SIZE
 #undef TYPE
 #define SIZE(a,b)
diff --git a/src/lib/libcrypto/pkcs12/p12_add.c b/src/lib/libcrypto/pkcs12/p12_add.c
index 1909f28506..27015dd8c3 100644
--- a/src/lib/libcrypto/pkcs12/p12_add.c
+++ b/src/lib/libcrypto/pkcs12/p12_add.c
@@ -148,7 +148,11 @@ PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk)
 /* Unpack SAFEBAGS from PKCS#7 data ContentInfo */
 STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
 {
-        if(!PKCS7_type_is_data(p7)) return NULL;
+        if(!PKCS7_type_is_data(p7))
+                {
+                PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA,PKCS12_R_CONTENT_TYPE_NOT_DATA);
+                return NULL;
+                }
         return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
 }
 
@@ -211,5 +215,10 @@ int PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes)
 
 STACK_OF(PKCS7) *PKCS12_unpack_authsafes(PKCS12 *p12)
 {
+        if (!PKCS7_type_is_data(p12->authsafes))
+                {
+                PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES,PKCS12_R_CONTENT_TYPE_NOT_DATA);
+                return NULL;
+                }
         return ASN1_item_unpack(p12->authsafes->d.data, ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
 }
diff --git a/src/lib/libcrypto/pkcs12/p12_crt.c b/src/lib/libcrypto/pkcs12/p12_crt.c
index 4c36c643ce..40340a7bef 100644
--- a/src/lib/libcrypto/pkcs12/p12_crt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crt.c
@@ -76,7 +76,15 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
         unsigned int keyidlen;
 
         /* Set defaults */
-        if(!nid_cert) nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+        if(!nid_cert)
+                {
+#ifdef OPENSSL_FIPS
+                if (FIPS_mode())
+                        nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+                else
+#endif
+                        nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+                }
         if(!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
         if(!iter) iter = PKCS12_DEFAULT_ITER;
         if(!mac_iter) mac_iter = 1;
diff --git a/src/lib/libcrypto/pkcs12/p12_mutl.c b/src/lib/libcrypto/pkcs12/p12_mutl.c
index 4886b9b289..140d21155e 100644
--- a/src/lib/libcrypto/pkcs12/p12_mutl.c
+++ b/src/lib/libcrypto/pkcs12/p12_mutl.c
@@ -72,6 +72,12 @@ int PKCS12_gen_mac (PKCS12 *p12, const char *pass, int passlen,
         unsigned char key[PKCS12_MAC_KEY_LENGTH], *salt;
         int saltlen, iter;
 
+        if (!PKCS7_type_is_data(p12->authsafes))
+                {
+                PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_CONTENT_TYPE_NOT_DATA);
+                return 0;
+                }
+
         salt = p12->mac->salt->data;
         saltlen = p12->mac->salt->length;
         if (!p12->mac->iter) iter = 1;
diff --git a/src/lib/libcrypto/pkcs12/pk12err.c b/src/lib/libcrypto/pkcs12/pk12err.c
index 10ab80502c..a33b37b1c7 100644
--- a/src/lib/libcrypto/pkcs12/pk12err.c
+++ b/src/lib/libcrypto/pkcs12/pk12err.c
@@ -1,6 +1,6 @@
 /* crypto/pkcs12/pk12err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,60 +64,67 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_PKCS12,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS12,0,reason)
+
 static ERR_STRING_DATA PKCS12_str_functs[]=
         {
-{ERR_PACK(0,PKCS12_F_PARSE_BAGS,0),     "PARSE_BAGS"},
-{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME,0),        "PKCS12_ADD_FRIENDLYNAME"},
-{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC,0),    "PKCS12_add_friendlyname_asc"},
-{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,0),    "PKCS12_add_friendlyname_uni"},
-{ERR_PACK(0,PKCS12_F_PKCS12_ADD_LOCALKEYID,0),  "PKCS12_add_localkeyid"},
-{ERR_PACK(0,PKCS12_F_PKCS12_CREATE,0),  "PKCS12_create"},
-{ERR_PACK(0,PKCS12_F_PKCS12_DECRYPT_D2I,0),     "PKCS12_decrypt_d2i"},
-{ERR_PACK(0,PKCS12_F_PKCS12_GEN_MAC,0), "PKCS12_gen_mac"},
-{ERR_PACK(0,PKCS12_F_PKCS12_I2D_ENCRYPT,0),     "PKCS12_i2d_encrypt"},
-{ERR_PACK(0,PKCS12_F_PKCS12_INIT,0),    "PKCS12_init"},
-{ERR_PACK(0,PKCS12_F_PKCS12_KEY_GEN_ASC,0),     "PKCS12_key_gen_asc"},
-{ERR_PACK(0,PKCS12_F_PKCS12_KEY_GEN_UNI,0),     "PKCS12_key_gen_uni"},
-{ERR_PACK(0,PKCS12_F_PKCS12_MAKE_KEYBAG,0),     "PKCS12_MAKE_KEYBAG"},
-{ERR_PACK(0,PKCS12_F_PKCS12_MAKE_SHKEYBAG,0),   "PKCS12_MAKE_SHKEYBAG"},
-{ERR_PACK(0,PKCS12_F_PKCS12_NEWPASS,0), "PKCS12_newpass"},
-{ERR_PACK(0,PKCS12_F_PKCS12_PACK_P7DATA,0),     "PKCS12_pack_p7data"},
-{ERR_PACK(0,PKCS12_F_PKCS12_PACK_P7ENCDATA,0),  "PKCS12_pack_p7encdata"},
-{ERR_PACK(0,PKCS12_F_PKCS12_PACK_SAFEBAG,0),    "PKCS12_pack_safebag"},
-{ERR_PACK(0,PKCS12_F_PKCS12_PARSE,0),   "PKCS12_parse"},
-{ERR_PACK(0,PKCS12_F_PKCS12_PBE_CRYPT,0),       "PKCS12_pbe_crypt"},
-{ERR_PACK(0,PKCS12_F_PKCS12_PBE_KEYIVGEN,0),    "PKCS12_PBE_keyivgen"},
-{ERR_PACK(0,PKCS12_F_PKCS12_SETUP_MAC,0),       "PKCS12_setup_mac"},
-{ERR_PACK(0,PKCS12_F_PKCS12_SET_MAC,0), "PKCS12_set_mac"},
-{ERR_PACK(0,PKCS12_F_PKCS8_ADD_KEYUSAGE,0),     "PKCS8_add_keyusage"},
-{ERR_PACK(0,PKCS12_F_PKCS8_ENCRYPT,0),  "PKCS8_encrypt"},
-{ERR_PACK(0,PKCS12_F_VERIFY_MAC,0),     "VERIFY_MAC"},
+{ERR_FUNC(PKCS12_F_PARSE_BAGS), "PARSE_BAGS"},
+{ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME),    "PKCS12_ADD_FRIENDLYNAME"},
+{ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC),        "PKCS12_add_friendlyname_asc"},
+{ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI),        "PKCS12_add_friendlyname_uni"},
+{ERR_FUNC(PKCS12_F_PKCS12_ADD_LOCALKEYID),      "PKCS12_add_localkeyid"},
+{ERR_FUNC(PKCS12_F_PKCS12_CREATE),      "PKCS12_create"},
+{ERR_FUNC(PKCS12_F_PKCS12_DECRYPT_D2I), "PKCS12_DECRYPT_D2I"},
+{ERR_FUNC(PKCS12_F_PKCS12_GEN_MAC),     "PKCS12_gen_mac"},
+{ERR_FUNC(PKCS12_F_PKCS12_I2D_ENCRYPT), "PKCS12_I2D_ENCRYPT"},
+{ERR_FUNC(PKCS12_F_PKCS12_INIT),        "PKCS12_init"},
+{ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_ASC), "PKCS12_key_gen_asc"},
+{ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_UNI), "PKCS12_key_gen_uni"},
+{ERR_FUNC(PKCS12_F_PKCS12_MAKE_KEYBAG), "PKCS12_MAKE_KEYBAG"},
+{ERR_FUNC(PKCS12_F_PKCS12_MAKE_SHKEYBAG),       "PKCS12_MAKE_SHKEYBAG"},
+{ERR_FUNC(PKCS12_F_PKCS12_NEWPASS),     "PKCS12_newpass"},
+{ERR_FUNC(PKCS12_F_PKCS12_PACK_P7DATA), "PKCS12_pack_p7data"},
+{ERR_FUNC(PKCS12_F_PKCS12_PACK_P7ENCDATA),      "PKCS12_pack_p7encdata"},
+{ERR_FUNC(PKCS12_F_PKCS12_PACK_SAFEBAG),        "PKCS12_PACK_SAFEBAG"},
+{ERR_FUNC(PKCS12_F_PKCS12_PARSE),       "PKCS12_parse"},
+{ERR_FUNC(PKCS12_F_PKCS12_PBE_CRYPT),   "PKCS12_pbe_crypt"},
+{ERR_FUNC(PKCS12_F_PKCS12_PBE_KEYIVGEN),        "PKCS12_PBE_keyivgen"},
+{ERR_FUNC(PKCS12_F_PKCS12_SETUP_MAC),   "PKCS12_setup_mac"},
+{ERR_FUNC(PKCS12_F_PKCS12_SET_MAC),     "PKCS12_set_mac"},
+{ERR_FUNC(PKCS12_F_PKCS12_UNPACK_AUTHSAFES),    "PKCS12_unpack_authsafes"},
+{ERR_FUNC(PKCS12_F_PKCS12_UNPACK_P7DATA),       "PKCS12_unpack_p7data"},
+{ERR_FUNC(PKCS12_F_PKCS8_ADD_KEYUSAGE), "PKCS8_add_keyusage"},
+{ERR_FUNC(PKCS12_F_PKCS8_ENCRYPT),      "PKCS8_encrypt"},
+{ERR_FUNC(PKCS12_F_VERIFY_MAC), "VERIFY_MAC"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA PKCS12_str_reasons[]=
         {
-{PKCS12_R_CANT_PACK_STRUCTURE            ,"cant pack structure"},
-{PKCS12_R_DECODE_ERROR                   ,"decode error"},
-{PKCS12_R_ENCODE_ERROR                   ,"encode error"},
-{PKCS12_R_ENCRYPT_ERROR                  ,"encrypt error"},
-{PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE,"error setting encrypted data type"},
-{PKCS12_R_INVALID_NULL_ARGUMENT          ,"invalid null argument"},
-{PKCS12_R_INVALID_NULL_PKCS12_POINTER    ,"invalid null pkcs12 pointer"},
-{PKCS12_R_IV_GEN_ERROR                   ,"iv gen error"},
-{PKCS12_R_KEY_GEN_ERROR                  ,"key gen error"},
-{PKCS12_R_MAC_ABSENT                     ,"mac absent"},
-{PKCS12_R_MAC_GENERATION_ERROR           ,"mac generation error"},
-{PKCS12_R_MAC_SETUP_ERROR                ,"mac setup error"},
-{PKCS12_R_MAC_STRING_SET_ERROR           ,"mac string set error"},
-{PKCS12_R_MAC_VERIFY_ERROR               ,"mac verify error"},
-{PKCS12_R_MAC_VERIFY_FAILURE             ,"mac verify failure"},
-{PKCS12_R_PARSE_ERROR                    ,"parse error"},
-{PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR  ,"pkcs12 algor cipherinit error"},
-{PKCS12_R_PKCS12_CIPHERFINAL_ERROR       ,"pkcs12 cipherfinal error"},
-{PKCS12_R_PKCS12_PBE_CRYPT_ERROR         ,"pkcs12 pbe crypt error"},
-{PKCS12_R_UNKNOWN_DIGEST_ALGORITHM       ,"unknown digest algorithm"},
-{PKCS12_R_UNSUPPORTED_PKCS12_MODE        ,"unsupported pkcs12 mode"},
+{ERR_REASON(PKCS12_R_CANT_PACK_STRUCTURE),"cant pack structure"},
+{ERR_REASON(PKCS12_R_CONTENT_TYPE_NOT_DATA),"content type not data"},
+{ERR_REASON(PKCS12_R_DECODE_ERROR)       ,"decode error"},
+{ERR_REASON(PKCS12_R_ENCODE_ERROR)       ,"encode error"},
+{ERR_REASON(PKCS12_R_ENCRYPT_ERROR)      ,"encrypt error"},
+{ERR_REASON(PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE),"error setting encrypted data type"},
+{ERR_REASON(PKCS12_R_INVALID_NULL_ARGUMENT),"invalid null argument"},
+{ERR_REASON(PKCS12_R_INVALID_NULL_PKCS12_POINTER),"invalid null pkcs12 pointer"},
+{ERR_REASON(PKCS12_R_IV_GEN_ERROR)       ,"iv gen error"},
+{ERR_REASON(PKCS12_R_KEY_GEN_ERROR)      ,"key gen error"},
+{ERR_REASON(PKCS12_R_MAC_ABSENT)         ,"mac absent"},
+{ERR_REASON(PKCS12_R_MAC_GENERATION_ERROR),"mac generation error"},
+{ERR_REASON(PKCS12_R_MAC_SETUP_ERROR)    ,"mac setup error"},
+{ERR_REASON(PKCS12_R_MAC_STRING_SET_ERROR),"mac string set error"},
+{ERR_REASON(PKCS12_R_MAC_VERIFY_ERROR)   ,"mac verify error"},
+{ERR_REASON(PKCS12_R_MAC_VERIFY_FAILURE) ,"mac verify failure"},
+{ERR_REASON(PKCS12_R_PARSE_ERROR)        ,"parse error"},
+{ERR_REASON(PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR),"pkcs12 algor cipherinit error"},
+{ERR_REASON(PKCS12_R_PKCS12_CIPHERFINAL_ERROR),"pkcs12 cipherfinal error"},
+{ERR_REASON(PKCS12_R_PKCS12_PBE_CRYPT_ERROR),"pkcs12 pbe crypt error"},
+{ERR_REASON(PKCS12_R_UNKNOWN_DIGEST_ALGORITHM),"unknown digest algorithm"},
+{ERR_REASON(PKCS12_R_UNSUPPORTED_PKCS12_MODE),"unsupported pkcs12 mode"},
 {0,NULL}
         };
 
@@ -131,8 +138,8 @@ void ERR_load_PKCS12_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_PKCS12,PKCS12_str_functs);
-                ERR_load_strings(ERR_LIB_PKCS12,PKCS12_str_reasons);
+                ERR_load_strings(0,PKCS12_str_functs);
+                ERR_load_strings(0,PKCS12_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/pkcs12/pkcs12.h b/src/lib/libcrypto/pkcs12/pkcs12.h
index dd338f266c..fb8af82d4f 100644
--- a/src/lib/libcrypto/pkcs12/pkcs12.h
+++ b/src/lib/libcrypto/pkcs12/pkcs12.h
@@ -287,12 +287,15 @@ void ERR_load_PKCS12_strings(void);
 #define PKCS12_F_PKCS12_PBE_KEYIVGEN                     120
 #define PKCS12_F_PKCS12_SETUP_MAC                        122
 #define PKCS12_F_PKCS12_SET_MAC                          123
+#define PKCS12_F_PKCS12_UNPACK_AUTHSAFES                 129
+#define PKCS12_F_PKCS12_UNPACK_P7DATA                    130
 #define PKCS12_F_PKCS8_ADD_KEYUSAGE                      124
 #define PKCS12_F_PKCS8_ENCRYPT                           125
 #define PKCS12_F_VERIFY_MAC                              126
 
 /* Reason codes. */
 #define PKCS12_R_CANT_PACK_STRUCTURE                     100
+#define PKCS12_R_CONTENT_TYPE_NOT_DATA                   121
 #define PKCS12_R_DECODE_ERROR                            101
 #define PKCS12_R_ENCODE_ERROR                            102
 #define PKCS12_R_ENCRYPT_ERROR                           103
diff --git a/src/lib/libcrypto/pkcs7/pk7_mime.c b/src/lib/libcrypto/pkcs7/pk7_mime.c
index 5d2a97839d..927b88c3e7 100644
--- a/src/lib/libcrypto/pkcs7/pk7_mime.c
+++ b/src/lib/libcrypto/pkcs7/pk7_mime.c
@@ -3,7 +3,7 @@
  * project 1999.
  */
 /* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -152,11 +152,12 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
 {
         char bound[33], c;
         int i;
-        char *mime_prefix, *mime_eol;
+        char *mime_prefix, *mime_eol, *msg_type=NULL;
         if (flags & PKCS7_NOOLDMIMETYPE)
                 mime_prefix = "application/pkcs7-";
         else
                 mime_prefix = "application/x-pkcs7-";
+
         if (flags & PKCS7_CRLFEOL)
                 mime_eol = "\r\n";
         else
@@ -198,11 +199,30 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
                                                 mime_eol, mime_eol);
                 return 1;
         }
+
+        /* Determine smime-type header */
+
+        if (PKCS7_type_is_enveloped(p7))
+                msg_type = "enveloped-data";
+        else if (PKCS7_type_is_signed(p7))
+                {
+                /* If we have any signers it is signed-data othewise 
+                 * certs-only.
+                 */
+                STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
+                sinfos = PKCS7_get_signer_info(p7);
+                if (sk_PKCS7_SIGNER_INFO_num(sinfos) > 0)
+                        msg_type = "signed-data";
+                else
+                        msg_type = "certs-only";
+                }
         /* MIME headers */
         BIO_printf(bio, "MIME-Version: 1.0%s", mime_eol);
         BIO_printf(bio, "Content-Disposition: attachment;");
         BIO_printf(bio, " filename=\"smime.p7m\"%s", mime_eol);
         BIO_printf(bio, "Content-Type: %smime;", mime_prefix);
+        if (msg_type)
+                BIO_printf(bio, " smime-type=%s;", msg_type);
         BIO_printf(bio, " name=\"smime.p7m\"%s", mime_eol);
         BIO_printf(bio, "Content-Transfer-Encoding: base64%s%s",
                                                 mime_eol, mime_eol);
diff --git a/src/lib/libcrypto/pkcs7/pk7_smime.c b/src/lib/libcrypto/pkcs7/pk7_smime.c
index a852b49235..99a0d63f38 100644
--- a/src/lib/libcrypto/pkcs7/pk7_smime.c
+++ b/src/lib/libcrypto/pkcs7/pk7_smime.c
@@ -296,11 +296,9 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
         
         if (tmpin == indata)
                 {
-                if(indata) BIO_pop(p7bio);
-                BIO_free_all(p7bio);
+                if (indata) BIO_pop(p7bio);
                 }
-        else
-                BIO_free_all(tmpin);
+        BIO_free_all(p7bio);
 
         sk_X509_free(signers);
 
diff --git a/src/lib/libcrypto/pkcs7/pkcs7err.c b/src/lib/libcrypto/pkcs7/pkcs7err.c
index 5e51527a40..19894c80a4 100644
--- a/src/lib/libcrypto/pkcs7/pkcs7err.c
+++ b/src/lib/libcrypto/pkcs7/pkcs7err.c
@@ -1,6 +1,6 @@
 /* crypto/pkcs7/pkcs7err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,81 +64,85 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_PKCS7,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS7,0,reason)
+
 static ERR_STRING_DATA PKCS7_str_functs[]=
         {
-{ERR_PACK(0,PKCS7_F_B64_READ_PKCS7,0),  "B64_READ_PKCS7"},
-{ERR_PACK(0,PKCS7_F_B64_WRITE_PKCS7,0), "B64_WRITE_PKCS7"},
-{ERR_PACK(0,PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP,0),       "PKCS7_add_attrib_smimecap"},
-{ERR_PACK(0,PKCS7_F_PKCS7_ADD_CERTIFICATE,0),   "PKCS7_add_certificate"},
-{ERR_PACK(0,PKCS7_F_PKCS7_ADD_CRL,0),   "PKCS7_add_crl"},
-{ERR_PACK(0,PKCS7_F_PKCS7_ADD_RECIPIENT_INFO,0),        "PKCS7_add_recipient_info"},
-{ERR_PACK(0,PKCS7_F_PKCS7_ADD_SIGNER,0),        "PKCS7_add_signer"},
-{ERR_PACK(0,PKCS7_F_PKCS7_CTRL,0),      "PKCS7_ctrl"},
-{ERR_PACK(0,PKCS7_F_PKCS7_DATADECODE,0),        "PKCS7_dataDecode"},
-{ERR_PACK(0,PKCS7_F_PKCS7_DATAINIT,0),  "PKCS7_dataInit"},
-{ERR_PACK(0,PKCS7_F_PKCS7_DATASIGN,0),  "PKCS7_DATASIGN"},
-{ERR_PACK(0,PKCS7_F_PKCS7_DATAVERIFY,0),        "PKCS7_dataVerify"},
-{ERR_PACK(0,PKCS7_F_PKCS7_DECRYPT,0),   "PKCS7_decrypt"},
-{ERR_PACK(0,PKCS7_F_PKCS7_ENCRYPT,0),   "PKCS7_encrypt"},
-{ERR_PACK(0,PKCS7_F_PKCS7_GET0_SIGNERS,0),      "PKCS7_get0_signers"},
-{ERR_PACK(0,PKCS7_F_PKCS7_SET_CIPHER,0),        "PKCS7_set_cipher"},
-{ERR_PACK(0,PKCS7_F_PKCS7_SET_CONTENT,0),       "PKCS7_set_content"},
-{ERR_PACK(0,PKCS7_F_PKCS7_SET_TYPE,0),  "PKCS7_set_type"},
-{ERR_PACK(0,PKCS7_F_PKCS7_SIGN,0),      "PKCS7_sign"},
-{ERR_PACK(0,PKCS7_F_PKCS7_SIGNATUREVERIFY,0),   "PKCS7_signatureVerify"},
-{ERR_PACK(0,PKCS7_F_PKCS7_SIMPLE_SMIMECAP,0),   "PKCS7_simple_smimecap"},
-{ERR_PACK(0,PKCS7_F_PKCS7_VERIFY,0),    "PKCS7_verify"},
-{ERR_PACK(0,PKCS7_F_SMIME_READ_PKCS7,0),        "SMIME_read_PKCS7"},
-{ERR_PACK(0,PKCS7_F_SMIME_TEXT,0),      "SMIME_text"},
+{ERR_FUNC(PKCS7_F_B64_READ_PKCS7),      "B64_READ_PKCS7"},
+{ERR_FUNC(PKCS7_F_B64_WRITE_PKCS7),     "B64_WRITE_PKCS7"},
+{ERR_FUNC(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP),   "PKCS7_add_attrib_smimecap"},
+{ERR_FUNC(PKCS7_F_PKCS7_ADD_CERTIFICATE),       "PKCS7_add_certificate"},
+{ERR_FUNC(PKCS7_F_PKCS7_ADD_CRL),       "PKCS7_add_crl"},
+{ERR_FUNC(PKCS7_F_PKCS7_ADD_RECIPIENT_INFO),    "PKCS7_add_recipient_info"},
+{ERR_FUNC(PKCS7_F_PKCS7_ADD_SIGNER),    "PKCS7_add_signer"},
+{ERR_FUNC(PKCS7_F_PKCS7_CTRL),  "PKCS7_ctrl"},
+{ERR_FUNC(PKCS7_F_PKCS7_DATADECODE),    "PKCS7_dataDecode"},
+{ERR_FUNC(PKCS7_F_PKCS7_DATAINIT),      "PKCS7_dataInit"},
+{ERR_FUNC(PKCS7_F_PKCS7_DATASIGN),      "PKCS7_DATASIGN"},
+{ERR_FUNC(PKCS7_F_PKCS7_DATAVERIFY),    "PKCS7_dataVerify"},
+{ERR_FUNC(PKCS7_F_PKCS7_DECRYPT),       "PKCS7_decrypt"},
+{ERR_FUNC(PKCS7_F_PKCS7_ENCRYPT),       "PKCS7_encrypt"},
+{ERR_FUNC(PKCS7_F_PKCS7_GET0_SIGNERS),  "PKCS7_get0_signers"},
+{ERR_FUNC(PKCS7_F_PKCS7_SET_CIPHER),    "PKCS7_set_cipher"},
+{ERR_FUNC(PKCS7_F_PKCS7_SET_CONTENT),   "PKCS7_set_content"},
+{ERR_FUNC(PKCS7_F_PKCS7_SET_TYPE),      "PKCS7_set_type"},
+{ERR_FUNC(PKCS7_F_PKCS7_SIGN),  "PKCS7_sign"},
+{ERR_FUNC(PKCS7_F_PKCS7_SIGNATUREVERIFY),       "PKCS7_signatureVerify"},
+{ERR_FUNC(PKCS7_F_PKCS7_SIMPLE_SMIMECAP),       "PKCS7_simple_smimecap"},
+{ERR_FUNC(PKCS7_F_PKCS7_VERIFY),        "PKCS7_verify"},
+{ERR_FUNC(PKCS7_F_SMIME_READ_PKCS7),    "SMIME_read_PKCS7"},
+{ERR_FUNC(PKCS7_F_SMIME_TEXT),  "SMIME_text"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA PKCS7_str_reasons[]=
         {
-{PKCS7_R_CERTIFICATE_VERIFY_ERROR        ,"certificate verify error"},
-{PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER ,"cipher has no object identifier"},
-{PKCS7_R_CIPHER_NOT_INITIALIZED          ,"cipher not initialized"},
-{PKCS7_R_CONTENT_AND_DATA_PRESENT        ,"content and data present"},
-{PKCS7_R_DECODE_ERROR                    ,"decode error"},
-{PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH   ,"decrypted key is wrong length"},
-{PKCS7_R_DECRYPT_ERROR                   ,"decrypt error"},
-{PKCS7_R_DIGEST_FAILURE                  ,"digest failure"},
-{PKCS7_R_ERROR_ADDING_RECIPIENT          ,"error adding recipient"},
-{PKCS7_R_ERROR_SETTING_CIPHER            ,"error setting cipher"},
-{PKCS7_R_INVALID_MIME_TYPE               ,"invalid mime type"},
-{PKCS7_R_INVALID_NULL_POINTER            ,"invalid null pointer"},
-{PKCS7_R_MIME_NO_CONTENT_TYPE            ,"mime no content type"},
-{PKCS7_R_MIME_PARSE_ERROR                ,"mime parse error"},
-{PKCS7_R_MIME_SIG_PARSE_ERROR            ,"mime sig parse error"},
-{PKCS7_R_MISSING_CERIPEND_INFO           ,"missing ceripend info"},
-{PKCS7_R_NO_CONTENT                      ,"no content"},
-{PKCS7_R_NO_CONTENT_TYPE                 ,"no content type"},
-{PKCS7_R_NO_MULTIPART_BODY_FAILURE       ,"no multipart body failure"},
-{PKCS7_R_NO_MULTIPART_BOUNDARY           ,"no multipart boundary"},
-{PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE,"no recipient matches certificate"},
-{PKCS7_R_NO_SIGNATURES_ON_DATA           ,"no signatures on data"},
-{PKCS7_R_NO_SIGNERS                      ,"no signers"},
-{PKCS7_R_NO_SIG_CONTENT_TYPE             ,"no sig content type"},
-{PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE,"operation not supported on this type"},
-{PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR       ,"pkcs7 add signature error"},
-{PKCS7_R_PKCS7_DATAFINAL_ERROR           ,"pkcs7 datafinal error"},
-{PKCS7_R_PKCS7_DATASIGN                  ,"pkcs7 datasign"},
-{PKCS7_R_PKCS7_PARSE_ERROR               ,"pkcs7 parse error"},
-{PKCS7_R_PKCS7_SIG_PARSE_ERROR           ,"pkcs7 sig parse error"},
-{PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"},
-{PKCS7_R_SIGNATURE_FAILURE               ,"signature failure"},
-{PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND    ,"signer certificate not found"},
-{PKCS7_R_SIG_INVALID_MIME_TYPE           ,"sig invalid mime type"},
-{PKCS7_R_SMIME_TEXT_ERROR                ,"smime text error"},
-{PKCS7_R_UNABLE_TO_FIND_CERTIFICATE      ,"unable to find certificate"},
-{PKCS7_R_UNABLE_TO_FIND_MEM_BIO          ,"unable to find mem bio"},
-{PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST   ,"unable to find message digest"},
-{PKCS7_R_UNKNOWN_DIGEST_TYPE             ,"unknown digest type"},
-{PKCS7_R_UNKNOWN_OPERATION               ,"unknown operation"},
-{PKCS7_R_UNSUPPORTED_CIPHER_TYPE         ,"unsupported cipher type"},
-{PKCS7_R_UNSUPPORTED_CONTENT_TYPE        ,"unsupported content type"},
-{PKCS7_R_WRONG_CONTENT_TYPE              ,"wrong content type"},
-{PKCS7_R_WRONG_PKCS7_TYPE                ,"wrong pkcs7 type"},
+{ERR_REASON(PKCS7_R_CERTIFICATE_VERIFY_ERROR),"certificate verify error"},
+{ERR_REASON(PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER),"cipher has no object identifier"},
+{ERR_REASON(PKCS7_R_CIPHER_NOT_INITIALIZED),"cipher not initialized"},
+{ERR_REASON(PKCS7_R_CONTENT_AND_DATA_PRESENT),"content and data present"},
+{ERR_REASON(PKCS7_R_DECODE_ERROR)        ,"decode error"},
+{ERR_REASON(PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH),"decrypted key is wrong length"},
+{ERR_REASON(PKCS7_R_DECRYPT_ERROR)       ,"decrypt error"},
+{ERR_REASON(PKCS7_R_DIGEST_FAILURE)      ,"digest failure"},
+{ERR_REASON(PKCS7_R_ERROR_ADDING_RECIPIENT),"error adding recipient"},
+{ERR_REASON(PKCS7_R_ERROR_SETTING_CIPHER),"error setting cipher"},
+{ERR_REASON(PKCS7_R_INVALID_MIME_TYPE)   ,"invalid mime type"},
+{ERR_REASON(PKCS7_R_INVALID_NULL_POINTER),"invalid null pointer"},
+{ERR_REASON(PKCS7_R_MIME_NO_CONTENT_TYPE),"mime no content type"},
+{ERR_REASON(PKCS7_R_MIME_PARSE_ERROR)    ,"mime parse error"},
+{ERR_REASON(PKCS7_R_MIME_SIG_PARSE_ERROR),"mime sig parse error"},
+{ERR_REASON(PKCS7_R_MISSING_CERIPEND_INFO),"missing ceripend info"},
+{ERR_REASON(PKCS7_R_NO_CONTENT)          ,"no content"},
+{ERR_REASON(PKCS7_R_NO_CONTENT_TYPE)     ,"no content type"},
+{ERR_REASON(PKCS7_R_NO_MULTIPART_BODY_FAILURE),"no multipart body failure"},
+{ERR_REASON(PKCS7_R_NO_MULTIPART_BOUNDARY),"no multipart boundary"},
+{ERR_REASON(PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE),"no recipient matches certificate"},
+{ERR_REASON(PKCS7_R_NO_SIGNATURES_ON_DATA),"no signatures on data"},
+{ERR_REASON(PKCS7_R_NO_SIGNERS)          ,"no signers"},
+{ERR_REASON(PKCS7_R_NO_SIG_CONTENT_TYPE) ,"no sig content type"},
+{ERR_REASON(PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE),"operation not supported on this type"},
+{ERR_REASON(PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR),"pkcs7 add signature error"},
+{ERR_REASON(PKCS7_R_PKCS7_DATAFINAL_ERROR),"pkcs7 datafinal error"},
+{ERR_REASON(PKCS7_R_PKCS7_DATASIGN)      ,"pkcs7 datasign"},
+{ERR_REASON(PKCS7_R_PKCS7_PARSE_ERROR)   ,"pkcs7 parse error"},
+{ERR_REASON(PKCS7_R_PKCS7_SIG_PARSE_ERROR),"pkcs7 sig parse error"},
+{ERR_REASON(PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE),"private key does not match certificate"},
+{ERR_REASON(PKCS7_R_SIGNATURE_FAILURE)   ,"signature failure"},
+{ERR_REASON(PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND),"signer certificate not found"},
+{ERR_REASON(PKCS7_R_SIG_INVALID_MIME_TYPE),"sig invalid mime type"},
+{ERR_REASON(PKCS7_R_SMIME_TEXT_ERROR)    ,"smime text error"},
+{ERR_REASON(PKCS7_R_UNABLE_TO_FIND_CERTIFICATE),"unable to find certificate"},
+{ERR_REASON(PKCS7_R_UNABLE_TO_FIND_MEM_BIO),"unable to find mem bio"},
+{ERR_REASON(PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST),"unable to find message digest"},
+{ERR_REASON(PKCS7_R_UNKNOWN_DIGEST_TYPE) ,"unknown digest type"},
+{ERR_REASON(PKCS7_R_UNKNOWN_OPERATION)   ,"unknown operation"},
+{ERR_REASON(PKCS7_R_UNSUPPORTED_CIPHER_TYPE),"unsupported cipher type"},
+{ERR_REASON(PKCS7_R_UNSUPPORTED_CONTENT_TYPE),"unsupported content type"},
+{ERR_REASON(PKCS7_R_WRONG_CONTENT_TYPE)  ,"wrong content type"},
+{ERR_REASON(PKCS7_R_WRONG_PKCS7_TYPE)    ,"wrong pkcs7 type"},
 {0,NULL}
         };
 
@@ -152,8 +156,8 @@ void ERR_load_PKCS7_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_PKCS7,PKCS7_str_functs);
-                ERR_load_strings(ERR_LIB_PKCS7,PKCS7_str_reasons);
+                ERR_load_strings(0,PKCS7_str_functs);
+                ERR_load_strings(0,PKCS7_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/rand/rand_err.c b/src/lib/libcrypto/rand/rand_err.c
index 95574659ac..97f96e1aee 100644
--- a/src/lib/libcrypto/rand/rand_err.c
+++ b/src/lib/libcrypto/rand/rand_err.c
@@ -1,6 +1,6 @@
 /* crypto/rand/rand_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,22 +64,26 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_RAND,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_RAND,0,reason)
+
 static ERR_STRING_DATA RAND_str_functs[]=
         {
-{ERR_PACK(0,RAND_F_FIPS_RAND_BYTES,0),  "FIPS_RAND_BYTES"},
-{ERR_PACK(0,RAND_F_RAND_GET_RAND_METHOD,0),     "RAND_get_rand_method"},
-{ERR_PACK(0,RAND_F_SSLEAY_RAND_BYTES,0),        "SSLEAY_RAND_BYTES"},
+{ERR_FUNC(RAND_F_FIPS_RAND_BYTES),      "FIPS_RAND_BYTES"},
+{ERR_FUNC(RAND_F_RAND_GET_RAND_METHOD), "RAND_get_rand_method"},
+{ERR_FUNC(RAND_F_SSLEAY_RAND_BYTES),    "SSLEAY_RAND_BYTES"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA RAND_str_reasons[]=
         {
-{RAND_R_NON_FIPS_METHOD                  ,"non fips method"},
-{RAND_R_PRNG_ASKING_FOR_TOO_MUCH         ,"prng asking for too much"},
-{RAND_R_PRNG_NOT_REKEYED                 ,"prng not rekeyed"},
-{RAND_R_PRNG_NOT_RESEEDED                ,"prng not reseeded"},
-{RAND_R_PRNG_NOT_SEEDED                  ,"PRNG not seeded"},
-{RAND_R_PRNG_STUCK                       ,"prng stuck"},
+{ERR_REASON(RAND_R_NON_FIPS_METHOD)      ,"non fips method"},
+{ERR_REASON(RAND_R_PRNG_ASKING_FOR_TOO_MUCH),"prng asking for too much"},
+{ERR_REASON(RAND_R_PRNG_NOT_REKEYED)     ,"prng not rekeyed"},
+{ERR_REASON(RAND_R_PRNG_NOT_RESEEDED)    ,"prng not reseeded"},
+{ERR_REASON(RAND_R_PRNG_NOT_SEEDED)      ,"PRNG not seeded"},
+{ERR_REASON(RAND_R_PRNG_STUCK)           ,"prng stuck"},
 {0,NULL}
         };
 
@@ -93,8 +97,8 @@ void ERR_load_RAND_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_RAND,RAND_str_functs);
-                ERR_load_strings(ERR_LIB_RAND,RAND_str_reasons);
+                ERR_load_strings(0,RAND_str_functs);
+                ERR_load_strings(0,RAND_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/rand/rand_lib.c b/src/lib/libcrypto/rand/rand_lib.c
index 88f1b56d91..a21bde79de 100644
--- a/src/lib/libcrypto/rand/rand_lib.c
+++ b/src/lib/libcrypto/rand/rand_lib.c
@@ -87,16 +87,6 @@ int RAND_set_rand_method(const RAND_METHOD *meth)
 
 const RAND_METHOD *RAND_get_rand_method(void)
         {
-#ifdef OPENSSL_FIPS
-        if(FIPS_mode()
-                && default_RAND_meth != FIPS_rand_check())
-            {
-            RANDerr(RAND_F_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD);
-            return 0;
-            }
-#endif
-
-
         if (!default_RAND_meth)
                 {
 #ifndef OPENSSL_NO_ENGINE
@@ -114,8 +104,22 @@ const RAND_METHOD *RAND_get_rand_method(void)
                         funct_ref = e;
                 else
 #endif
-                        default_RAND_meth = RAND_SSLeay();
+#ifdef OPENSSL_FIPS
+                        if(FIPS_mode())
+                                default_RAND_meth=FIPS_rand_method();
+                        else
+#endif
+                                default_RAND_meth = RAND_SSLeay();
                 }
+
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode()
+                && default_RAND_meth != FIPS_rand_check())
+            {
+            RANDerr(RAND_F_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD);
+            return 0;
+            }
+#endif
         return default_RAND_meth;
         }
 
diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c
index c7fba496a8..7183fa32e4 100644
--- a/src/lib/libcrypto/rand/randfile.c
+++ b/src/lib/libcrypto/rand/randfile.c
@@ -57,7 +57,7 @@
  */
 
 /* We need to define this to get macros like S_IFBLK and S_IFCHR */
-#define _XOPEN_SOURCE 1
+#define _XOPEN_SOURCE 500
 
 #include <errno.h>
 #include <stdio.h>
diff --git a/src/lib/libcrypto/rc2/rc2_skey.c b/src/lib/libcrypto/rc2/rc2_skey.c
index 22f372f85c..9652865188 100644
--- a/src/lib/libcrypto/rc2/rc2_skey.c
+++ b/src/lib/libcrypto/rc2/rc2_skey.c
@@ -58,6 +58,7 @@
 
 #include <openssl/rc2.h>
 #include <openssl/crypto.h>
+#include <openssl/fips.h>
 #include "rc2_locl.h"
 
 static unsigned char key_table[256]={
diff --git a/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl b/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl
new file mode 100755
index 0000000000..b628daca70
--- /dev/null
+++ b/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl
@@ -0,0 +1,150 @@
+#!/usr/bin/env perl
+#
+# ====================================================================
+# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+# project. Rights for redistribution and usage in source and binary
+# forms are granted according to the OpenSSL license.
+# ====================================================================
+#
+# Unlike 0.9.7f this code expects RC4_CHAR back in config line! See
+# commentary section in corresponding script in development branch
+# for background information about this option carousel. For those
+# who don't have energy to figure out these gory details, here is
+# basis in form of performance matrix relative to the original
+# 0.9.7e C code-base:
+#
+#               0.9.7e  0.9.7f  this
+# AMD64         1x      3.3x    2.4x
+# EM64T         1x      0.8x    1.5x
+#
+# In other words idea is to trade -25% AMD64 performance to compensate
+# for deterioration and gain +90% on EM64T core. Development branch
+# maintains best performance for either target, i.e. 3.3x for AMD64
+# and 1.5x for EM64T.
+
+$output=shift;
+
+open STDOUT,">$output" || die "can't open $output: $!";
+
+$dat="%rdi";        # arg1
+$len="%rsi";        # arg2
+$inp="%rdx";        # arg3
+$out="%rcx";        # arg4
+
+@XX=("%r8","%r10");
+@TX=("%r9","%r11");
+$YY="%r12";
+$TY="%r13";
+
+$code=<<___;;
+.text
+
+.globl  RC4
+.type   RC4,\@function
+.align  16
+RC4:    or      $len,$len
+        jne     .Lentry
+        repret
+.Lentry:
+        push    %r12
+        push    %r13
+
+        add     \$2,$dat
+        movzb   -2($dat),$XX[0]#d
+        movzb   -1($dat),$YY#d
+
+        add     \$1,$XX[0]#b
+        movzb   ($dat,$XX[0]),$TX[0]#d
+        test    \$-8,$len
+        jz      .Lcloop1
+        push    %rbx
+.align  16      # incidentally aligned already
+.Lcloop8:
+        mov     ($inp),%eax
+        mov     4($inp),%ebx
+___
+# unroll 2x4-wise, because 64-bit rotates kill Intel P4...
+for ($i=0;$i<4;$i++) {
+$code.=<<___;
+        add     $TX[0]#b,$YY#b
+        lea     1($XX[0]),$XX[1]
+        movzb   ($dat,$YY),$TY#d
+        movzb   $XX[1]#b,$XX[1]#d
+        movzb   ($dat,$XX[1]),$TX[1]#d
+        movb    $TX[0]#b,($dat,$YY)
+        cmp     $XX[1],$YY
+        movb    $TY#b,($dat,$XX[0])
+        jne     .Lcmov$i                        # Intel cmov is sloooow...
+        mov     $TX[0],$TX[1]
+.Lcmov$i:
+        add     $TX[0]#b,$TY#b
+        xor     ($dat,$TY),%al
+        ror     \$8,%eax
+___
+push(@TX,shift(@TX)); push(@XX,shift(@XX));     # "rotate" registers
+}
+for ($i=4;$i<8;$i++) {
+$code.=<<___;
+        add     $TX[0]#b,$YY#b
+        lea     1($XX[0]),$XX[1]
+        movzb   ($dat,$YY),$TY#d
+        movzb   $XX[1]#b,$XX[1]#d
+        movzb   ($dat,$XX[1]),$TX[1]#d
+        movb    $TX[0]#b,($dat,$YY)
+        cmp     $XX[1],$YY
+        movb    $TY#b,($dat,$XX[0])
+        jne     .Lcmov$i                        # Intel cmov is sloooow...
+        mov     $TX[0],$TX[1]
+.Lcmov$i:
+        add     $TX[0]#b,$TY#b
+        xor     ($dat,$TY),%bl
+        ror     \$8,%ebx
+___
+push(@TX,shift(@TX)); push(@XX,shift(@XX));     # "rotate" registers
+}
+$code.=<<___;
+        lea     -8($len),$len
+        mov     %eax,($out)
+        lea     8($inp),$inp
+        mov     %ebx,4($out)
+        lea     8($out),$out
+
+        test    \$-8,$len
+        jnz     .Lcloop8
+        pop     %rbx
+        cmp     \$0,$len
+        jne     .Lcloop1
+.Lexit:
+        sub     \$1,$XX[0]#b
+        movb    $XX[0]#b,-2($dat)
+        movb    $YY#b,-1($dat)
+
+        pop     %r13
+        pop     %r12
+        repret
+
+.align  16
+.Lcloop1:
+        add     $TX[0]#b,$YY#b
+        movzb   ($dat,$YY),$TY#d
+        movb    $TX[0]#b,($dat,$YY)
+        movb    $TY#b,($dat,$XX[0])
+        add     $TX[0]#b,$TY#b
+        add     \$1,$XX[0]#b
+        movzb   ($dat,$TY),$TY#d
+        movzb   ($dat,$XX[0]),$TX[0]#d
+        xorb    ($inp),$TY#b
+        lea     1($inp),$inp
+        movb    $TY#b,($out)
+        lea     1($out),$out
+        sub     \$1,$len
+        jnz     .Lcloop1
+        jmp     .Lexit
+.size   RC4,.-RC4
+___
+
+$code =~ s/#([bwd])/$1/gm;
+
+$code =~ s/repret/.byte\t0xF3,0xC3/gm;
+
+print $code;
diff --git a/src/lib/libcrypto/rc4/rc4.h b/src/lib/libcrypto/rc4/rc4.h
index dd90d9fde0..ae0cea75b8 100644
--- a/src/lib/libcrypto/rc4/rc4.h
+++ b/src/lib/libcrypto/rc4/rc4.h
@@ -73,10 +73,6 @@ typedef struct rc4_key_st
         {
         RC4_INT x,y;
         RC4_INT data[256];
-#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
-        /* see crypto/rc4/asm/rc4-ia64.S for further details... */
-        RC4_INT pad[512-256-2];
-#endif
         } RC4_KEY;
 
  
diff --git a/src/lib/libcrypto/rc4/rc4_enc.c b/src/lib/libcrypto/rc4/rc4_enc.c
index 81a97ea3b7..d5f18a3a70 100644
--- a/src/lib/libcrypto/rc4/rc4_enc.c
+++ b/src/lib/libcrypto/rc4/rc4_enc.c
@@ -77,10 +77,6 @@ void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
         x=key->x;     
         y=key->y;     
         d=key->data; 
-#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
-        /* see crypto/rc4/asm/rc4-ia64.S for further details... */
-        d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1));
-#endif
 
 #if defined(RC4_CHUNK)
         /*
diff --git a/src/lib/libcrypto/rc4/rc4_skey.c b/src/lib/libcrypto/rc4/rc4_skey.c
index 07234f061a..60510624fd 100644
--- a/src/lib/libcrypto/rc4/rc4_skey.c
+++ b/src/lib/libcrypto/rc4/rc4_skey.c
@@ -58,6 +58,7 @@
 
 #include <openssl/rc4.h>
 #include <openssl/crypto.h>
+#include <openssl/fips.h>
 #include "rc4_locl.h"
 #include <openssl/opensslv.h>
 
@@ -94,10 +95,6 @@ FIPS_NON_FIPS_VCIPHER_Init(RC4)
         unsigned int i;
         
         d= &(key->data[0]);
-#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
-        /* see crypto/rc4/asm/rc4-ia64.S for further details... */
-        d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1));
-#endif
 
         for (i=0; i<256; i++)
                 d[i]=i;
diff --git a/src/lib/libcrypto/ripemd/rmd_one.c b/src/lib/libcrypto/ripemd/rmd_one.c
index f8b580c33a..b88446b267 100644
--- a/src/lib/libcrypto/ripemd/rmd_one.c
+++ b/src/lib/libcrypto/ripemd/rmd_one.c
@@ -68,7 +68,8 @@ unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
         static unsigned char m[RIPEMD160_DIGEST_LENGTH];
 
         if (md == NULL) md=m;
-        RIPEMD160_Init(&c);
+        if (!RIPEMD160_Init(&c))
+                return NULL;
         RIPEMD160_Update(&c,d,n);
         RIPEMD160_Final(md,&c);
         OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index fc3bb5f86d..0b639cd37f 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -157,33 +157,41 @@ struct rsa_st
 #define RSA_3   0x3L
 #define RSA_F4  0x10001L
 
-#define RSA_METHOD_FLAG_NO_CHECK        0x01 /* don't check pub/private match */
+#define RSA_METHOD_FLAG_NO_CHECK        0x0001 /* don't check pub/private match */
 
-#define RSA_FLAG_CACHE_PUBLIC           0x02
-#define RSA_FLAG_CACHE_PRIVATE          0x04
-#define RSA_FLAG_BLINDING               0x08
-#define RSA_FLAG_THREAD_SAFE            0x10
+#define RSA_FLAG_CACHE_PUBLIC           0x0002
+#define RSA_FLAG_CACHE_PRIVATE          0x0004
+#define RSA_FLAG_BLINDING               0x0008
+#define RSA_FLAG_THREAD_SAFE            0x0010
 /* This flag means the private key operations will be handled by rsa_mod_exp
  * and that they do not depend on the private key components being present:
  * for example a key stored in external hardware. Without this flag bn_mod_exp
  * gets called when private key components are absent.
  */
-#define RSA_FLAG_EXT_PKEY               0x20
+#define RSA_FLAG_EXT_PKEY               0x0020
 
 /* This flag in the RSA_METHOD enables the new rsa_sign, rsa_verify functions.
  */
-#define RSA_FLAG_SIGN_VER               0x40
-
-#define RSA_FLAG_NO_BLINDING            0x80 /* new with 0.9.6j and 0.9.7b; the built-in
-                                              * RSA implementation now uses blinding by
-                                              * default (ignoring RSA_FLAG_BLINDING),
-                                              * but other engines might not need it
-                                              */
+#define RSA_FLAG_SIGN_VER               0x0040
+
+#define RSA_FLAG_NO_BLINDING            0x0080 /* new with 0.9.6j and 0.9.7b; the built-in
+                                                * RSA implementation now uses blinding by
+                                                * default (ignoring RSA_FLAG_BLINDING),
+                                                * but other engines might not need it
+                                                */
+#define RSA_FLAG_NO_EXP_CONSTTIME       0x0100 /* new with 0.9.7h; the built-in RSA
+                                                * implementation now uses constant time
+                                                * modular exponentiation for secret exponents
+                                                * by default. This flag causes the
+                                                * faster variable sliding window method to
+                                                * be used for all exponents.
+                                                */
 
 #define RSA_PKCS1_PADDING       1
 #define RSA_SSLV23_PADDING      2
 #define RSA_NO_PADDING          3
 #define RSA_PKCS1_OAEP_PADDING  4
+#define RSA_X931_PADDING        5
 
 #define RSA_PKCS1_PADDING_SIZE  11
 
@@ -196,6 +204,15 @@ int	RSA_size(const RSA *);
 RSA *   RSA_generate_key(int bits, unsigned long e,void
                 (*callback)(int,int,void *),void *cb_arg);
 int     RSA_check_key(const RSA *);
+#ifdef OPENSSL_FIPS
+int RSA_X931_derive(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
+                        void (*cb)(int, int, void *), void *cb_arg,
+                        const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
+                        const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
+                        const BIGNUM *e);
+RSA *RSA_X931_generate_key(int bits, const BIGNUM *e,
+             void (*cb)(int,int,void *), void *cb_arg);
+#endif
         /* next 4 return -1 on error */
 int     RSA_public_encrypt(int flen, const unsigned char *from,
                 unsigned char *to, RSA *rsa,int padding);
@@ -268,6 +285,8 @@ int RSA_padding_add_PKCS1_type_2(unsigned char *to,int tlen,
         const unsigned char *f,int fl);
 int RSA_padding_check_PKCS1_type_2(unsigned char *to,int tlen,
         const unsigned char *f,int fl,int rsa_len);
+int PKCS1_MGF1(unsigned char *mask, long len,
+        const unsigned char *seed, long seedlen, const EVP_MD *dgst);
 int RSA_padding_add_PKCS1_OAEP(unsigned char *to,int tlen,
         const unsigned char *f,int fl,
         const unsigned char *p,int pl);
@@ -282,6 +301,17 @@ int RSA_padding_add_none(unsigned char *to,int tlen,
         const unsigned char *f,int fl);
 int RSA_padding_check_none(unsigned char *to,int tlen,
         const unsigned char *f,int fl,int rsa_len);
+int RSA_padding_add_X931(unsigned char *to,int tlen,
+        const unsigned char *f,int fl);
+int RSA_padding_check_X931(unsigned char *to,int tlen,
+        const unsigned char *f,int fl,int rsa_len);
+int RSA_X931_hash_id(int nid);
+
+int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
+                        const EVP_MD *Hash, const unsigned char *EM, int sLen);
+int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
+                        const unsigned char *mHash,
+                        const EVP_MD *Hash, int sLen);
 
 int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
         CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
@@ -311,20 +341,24 @@ void ERR_load_RSA_strings(void);
 #define RSA_F_RSA_NULL                                   124
 #define RSA_F_RSA_PADDING_ADD_NONE                       107
 #define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP                 121
+#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS                  125
 #define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1               108
 #define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2               109
 #define RSA_F_RSA_PADDING_ADD_SSLV23                     110
+#define RSA_F_RSA_PADDING_ADD_X931                       127
 #define RSA_F_RSA_PADDING_CHECK_NONE                     111
 #define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP               122
 #define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1             112
 #define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2             113
 #define RSA_F_RSA_PADDING_CHECK_SSLV23                   114
+#define RSA_F_RSA_PADDING_CHECK_X931                     128
 #define RSA_F_RSA_PRINT                                  115
 #define RSA_F_RSA_PRINT_FP                               116
 #define RSA_F_RSA_SIGN                                   117
 #define RSA_F_RSA_SIGN_ASN1_OCTET_STRING                 118
 #define RSA_F_RSA_VERIFY                                 119
 #define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING               120
+#define RSA_F_RSA_VERIFY_PKCS1_PSS                       126
 
 /* Reason codes. */
 #define RSA_R_ALGORITHM_MISMATCH                         100
@@ -344,9 +378,14 @@ void ERR_load_RSA_strings(void);
 #define RSA_R_DMP1_NOT_CONGRUENT_TO_D                    124
 #define RSA_R_DMQ1_NOT_CONGRUENT_TO_D                    125
 #define RSA_R_D_E_NOT_CONGRUENT_TO_1                     123
+#define RSA_R_FIRST_OCTET_INVALID                        133
+#define RSA_R_INVALID_HEADER                             137
 #define RSA_R_INVALID_MESSAGE_LENGTH                     131
+#define RSA_R_INVALID_PADDING                            138
+#define RSA_R_INVALID_TRAILER                            139
 #define RSA_R_IQMP_NOT_INVERSE_OF_Q                      126
 #define RSA_R_KEY_SIZE_TOO_SMALL                         120
+#define RSA_R_LAST_OCTET_INVALID                         134
 #define RSA_R_NULL_BEFORE_BLOCK_MISSING                  113
 #define RSA_R_N_DOES_NOT_EQUAL_P_Q                       127
 #define RSA_R_OAEP_DECODING_ERROR                        121
@@ -354,6 +393,8 @@ void ERR_load_RSA_strings(void);
 #define RSA_R_P_NOT_PRIME                                128
 #define RSA_R_Q_NOT_PRIME                                129
 #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED               130
+#define RSA_R_SLEN_CHECK_FAILED                          136
+#define RSA_R_SLEN_RECOVERY_FAILED                       135
 #define RSA_R_SSLV3_ROLLBACK_ATTACK                      115
 #define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116
 #define RSA_R_UNKNOWN_ALGORITHM_TYPE                     117
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index d4caab3f95..be4ac96ce3 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -55,6 +55,59 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 #include <stdio.h>
 #include "cryptlib.h"
@@ -145,30 +198,13 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
                 goto err;
                 }
 
-        if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
+        if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
                 {
-                BN_MONT_CTX* bn_mont_ctx;
-                if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
-                        goto err;
-                if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
-                        {
-                        BN_MONT_CTX_free(bn_mont_ctx);
+                if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
+                                        CRYPTO_LOCK_RSA, rsa->n, ctx))
                         goto err;
-                        }
-                if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
-                        {
-                        CRYPTO_w_lock(CRYPTO_LOCK_RSA);
-                        if (rsa->_method_mod_n == NULL)
-                                {
-                                rsa->_method_mod_n = bn_mont_ctx;
-                                bn_mont_ctx = NULL;
-                                }
-                        CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
-                        }
-                if (bn_mont_ctx)
-                        BN_MONT_CTX_free(bn_mont_ctx);
                 }
-                
+
         if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
                 rsa->_method_mod_n)) goto err;
 
@@ -249,7 +285,7 @@ err:
 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
              unsigned char *to, RSA *rsa, int padding)
         {
-        BIGNUM f,ret;
+        BIGNUM f,ret, *res;
         int i,j,k,num=0,r= -1;
         unsigned char *buf=NULL;
         BN_CTX *ctx=NULL;
@@ -331,19 +367,43 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                 (rsa->dmp1 != NULL) &&
                 (rsa->dmq1 != NULL) &&
                 (rsa->iqmp != NULL)) )
-                { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
+                { 
+                if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err;
+                }
         else
                 {
-                if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
+                BIGNUM local_d;
+                BIGNUM *d = NULL;
+                
+                if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+                        {
+                        BN_init(&local_d);
+                        d = &local_d;
+                        BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
+                        }
+                else
+                        d = rsa->d;
+                if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) goto err;
                 }
 
         if (blinding)
                 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
 
+        if (padding == RSA_X931_PADDING)
+                {
+                BN_sub(&f, rsa->n, &ret);
+                if (BN_cmp(&ret, &f))
+                        res = &f;
+                else
+                        res = &ret;
+                }
+        else
+                res = &ret;
+
         /* put in leading 0 bytes if the number is less than the
          * length of the modulus */
-        j=BN_num_bytes(&ret);
-        i=BN_bn2bin(&ret,&(to[num-j]));
+        j=BN_num_bytes(res);
+        i=BN_bn2bin(res,&(to[num-j]));
         for (k=0; k<(num-i); k++)
                 to[k]=0;
 
@@ -444,10 +504,22 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                 (rsa->dmp1 != NULL) &&
                 (rsa->dmq1 != NULL) &&
                 (rsa->iqmp != NULL)) )
-                { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
+                {
+                if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err;
+                }
         else
                 {
-                if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
+                BIGNUM local_d;
+                BIGNUM *d = NULL;
+                
+                if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+                        {
+                        d = &local_d;
+                        BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
+                        }
+                else
+                        d = rsa->d;
+                if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL))
                         goto err;
                 }
 
@@ -534,33 +606,20 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
                 }
 
         /* do the decrypt */
-        if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
+
+        if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
                 {
-                BN_MONT_CTX* bn_mont_ctx;
-                if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
-                        goto err;
-                if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
-                        {
-                        BN_MONT_CTX_free(bn_mont_ctx);
+                if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
+                                        CRYPTO_LOCK_RSA, rsa->n, ctx))
                         goto err;
-                        }
-                if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
-                        {
-                        CRYPTO_w_lock(CRYPTO_LOCK_RSA);
-                        if (rsa->_method_mod_n == NULL)
-                                {
-                                rsa->_method_mod_n = bn_mont_ctx;
-                                bn_mont_ctx = NULL;
-                                }
-                        CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
-                        }
-                if (bn_mont_ctx)
-                        BN_MONT_CTX_free(bn_mont_ctx);
                 }
-                
+
         if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
                 rsa->_method_mod_n)) goto err;
 
+        if ((padding == RSA_X931_PADDING) && ((ret.d[0] & 0xf) != 12))
+                BN_sub(&ret, rsa->n, &ret);
+
         p=buf;
         i=BN_bn2bin(&ret,p);
 
@@ -594,6 +653,8 @@ err:
 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
         {
         BIGNUM r1,m1,vrfy;
+        BIGNUM local_dmp1, local_dmq1;
+        BIGNUM *dmp1, *dmq1;
         int ret=0;
         BN_CTX *ctx;
 
@@ -604,61 +665,34 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
 
         if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
                 {
-                if (rsa->_method_mod_p == NULL)
-                        {
-                        BN_MONT_CTX* bn_mont_ctx;
-                        if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
-                                goto err;
-                        if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx))
-                                {
-                                BN_MONT_CTX_free(bn_mont_ctx);
-                                goto err;
-                                }
-                        if (rsa->_method_mod_p == NULL) /* other thread may have finished first */
-                                {
-                                CRYPTO_w_lock(CRYPTO_LOCK_RSA);
-                                if (rsa->_method_mod_p == NULL)
-                                        {
-                                        rsa->_method_mod_p = bn_mont_ctx;
-                                        bn_mont_ctx = NULL;
-                                        }
-                                CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
-                                }
-                        if (bn_mont_ctx)
-                                BN_MONT_CTX_free(bn_mont_ctx);
-                        }
-
-                if (rsa->_method_mod_q == NULL)
-                        {
-                        BN_MONT_CTX* bn_mont_ctx;
-                        if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
-                                goto err;
-                        if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx))
-                                {
-                                BN_MONT_CTX_free(bn_mont_ctx);
-                                goto err;
-                                }
-                        if (rsa->_method_mod_q == NULL) /* other thread may have finished first */
-                                {
-                                CRYPTO_w_lock(CRYPTO_LOCK_RSA);
-                                if (rsa->_method_mod_q == NULL)
-                                        {
-                                        rsa->_method_mod_q = bn_mont_ctx;
-                                        bn_mont_ctx = NULL;
-                                        }
-                                CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
-                                }
-                        if (bn_mont_ctx)
-                                BN_MONT_CTX_free(bn_mont_ctx);
-                        }
+                if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
+                                        CRYPTO_LOCK_RSA, rsa->p, ctx))
+                        goto err;
+                if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
+                                        CRYPTO_LOCK_RSA, rsa->q, ctx))
+                        goto err;
                 }
-                
+
         if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
-        if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
+        if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+                {
+                dmq1 = &local_dmq1;
+                BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME);
+                }
+        else
+                dmq1 = rsa->dmq1;
+        if (!rsa->meth->bn_mod_exp(&m1,&r1,dmq1,rsa->q,ctx,
                 rsa->_method_mod_q)) goto err;
 
         if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
-        if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
+        if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+                {
+                dmp1 = &local_dmp1;
+                BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME);
+                }
+        else
+                dmp1 = rsa->dmp1;
+        if (!rsa->meth->bn_mod_exp(r0,&r1,dmp1,rsa->p,ctx,
                 rsa->_method_mod_p)) goto err;
 
         if (!BN_sub(r0,r0,&m1)) goto err;
@@ -693,10 +727,23 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
                 if (vrfy.neg)
                         if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err;
                 if (!BN_is_zero(&vrfy))
+                        {
                         /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
                          * miscalculated CRT output, just do a raw (slower)
                          * mod_exp and return that instead. */
-                        if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err;
+
+                        BIGNUM local_d;
+                        BIGNUM *d = NULL;
+                
+                        if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+                                {
+                                d = &local_d;
+                                BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
+                                }
+                        else
+                                d = rsa->d;
+                        if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,NULL)) goto err;
+                        }
                 }
         ret=1;
 err:
diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c
index a7766c3b76..2ec4b30ff7 100644
--- a/src/lib/libcrypto/rsa/rsa_err.c
+++ b/src/lib/libcrypto/rsa/rsa_err.c
@@ -1,6 +1,6 @@
 /* crypto/rsa/rsa_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,70 +64,85 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_RSA,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_RSA,0,reason)
+
 static ERR_STRING_DATA RSA_str_functs[]=
         {
-{ERR_PACK(0,RSA_F_MEMORY_LOCK,0),       "MEMORY_LOCK"},
-{ERR_PACK(0,RSA_F_RSA_CHECK_KEY,0),     "RSA_check_key"},
-{ERR_PACK(0,RSA_F_RSA_EAY_PRIVATE_DECRYPT,0),   "RSA_EAY_PRIVATE_DECRYPT"},
-{ERR_PACK(0,RSA_F_RSA_EAY_PRIVATE_ENCRYPT,0),   "RSA_EAY_PRIVATE_ENCRYPT"},
-{ERR_PACK(0,RSA_F_RSA_EAY_PUBLIC_DECRYPT,0),    "RSA_EAY_PUBLIC_DECRYPT"},
-{ERR_PACK(0,RSA_F_RSA_EAY_PUBLIC_ENCRYPT,0),    "RSA_EAY_PUBLIC_ENCRYPT"},
-{ERR_PACK(0,RSA_F_RSA_GENERATE_KEY,0),  "RSA_generate_key"},
-{ERR_PACK(0,RSA_F_RSA_NEW_METHOD,0),    "RSA_new_method"},
-{ERR_PACK(0,RSA_F_RSA_NULL,0),  "RSA_NULL"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_NONE,0),      "RSA_padding_add_none"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,0),        "RSA_padding_add_PKCS1_OAEP"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,0),      "RSA_padding_add_PKCS1_type_1"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2,0),      "RSA_padding_add_PKCS1_type_2"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_ADD_SSLV23,0),    "RSA_padding_add_SSLv23"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_NONE,0),    "RSA_padding_check_none"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,0),      "RSA_padding_check_PKCS1_OAEP"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,0),    "RSA_padding_check_PKCS1_type_1"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,0),    "RSA_padding_check_PKCS1_type_2"},
-{ERR_PACK(0,RSA_F_RSA_PADDING_CHECK_SSLV23,0),  "RSA_padding_check_SSLv23"},
-{ERR_PACK(0,RSA_F_RSA_PRINT,0), "RSA_print"},
-{ERR_PACK(0,RSA_F_RSA_PRINT_FP,0),      "RSA_print_fp"},
-{ERR_PACK(0,RSA_F_RSA_SIGN,0),  "RSA_sign"},
-{ERR_PACK(0,RSA_F_RSA_SIGN_ASN1_OCTET_STRING,0),        "RSA_sign_ASN1_OCTET_STRING"},
-{ERR_PACK(0,RSA_F_RSA_VERIFY,0),        "RSA_verify"},
-{ERR_PACK(0,RSA_F_RSA_VERIFY_ASN1_OCTET_STRING,0),      "RSA_verify_ASN1_OCTET_STRING"},
+{ERR_FUNC(RSA_F_MEMORY_LOCK),   "MEMORY_LOCK"},
+{ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"},
+{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_DECRYPT),       "RSA_EAY_PRIVATE_DECRYPT"},
+{ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_ENCRYPT),       "RSA_EAY_PRIVATE_ENCRYPT"},
+{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT),        "RSA_EAY_PUBLIC_DECRYPT"},
+{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT),        "RSA_EAY_PUBLIC_ENCRYPT"},
+{ERR_FUNC(RSA_F_RSA_GENERATE_KEY),      "RSA_generate_key"},
+{ERR_FUNC(RSA_F_RSA_NEW_METHOD),        "RSA_new_method"},
+{ERR_FUNC(RSA_F_RSA_NULL),      "RSA_NULL"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE),  "RSA_padding_add_none"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP),    "RSA_padding_add_PKCS1_OAEP"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS),     "RSA_padding_add_PKCS1_PSS"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1),  "RSA_padding_add_PKCS1_type_1"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2),  "RSA_padding_add_PKCS1_type_2"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_SSLV23),        "RSA_padding_add_SSLv23"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_X931),  "RSA_padding_add_X931"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_NONE),        "RSA_padding_check_none"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP),  "RSA_padding_check_PKCS1_OAEP"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1),        "RSA_padding_check_PKCS1_type_1"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2),        "RSA_padding_check_PKCS1_type_2"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_SSLV23),      "RSA_padding_check_SSLv23"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931),        "RSA_padding_check_X931"},
+{ERR_FUNC(RSA_F_RSA_PRINT),     "RSA_print"},
+{ERR_FUNC(RSA_F_RSA_PRINT_FP),  "RSA_print_fp"},
+{ERR_FUNC(RSA_F_RSA_SIGN),      "RSA_sign"},
+{ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING),    "RSA_sign_ASN1_OCTET_STRING"},
+{ERR_FUNC(RSA_F_RSA_VERIFY),    "RSA_verify"},
+{ERR_FUNC(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING),  "RSA_verify_ASN1_OCTET_STRING"},
+{ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS),  "RSA_verify_PKCS1_PSS"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA RSA_str_reasons[]=
         {
-{RSA_R_ALGORITHM_MISMATCH                ,"algorithm mismatch"},
-{RSA_R_BAD_E_VALUE                       ,"bad e value"},
-{RSA_R_BAD_FIXED_HEADER_DECRYPT          ,"bad fixed header decrypt"},
-{RSA_R_BAD_PAD_BYTE_COUNT                ,"bad pad byte count"},
-{RSA_R_BAD_SIGNATURE                     ,"bad signature"},
-{RSA_R_BLOCK_TYPE_IS_NOT_01              ,"block type is not 01"},
-{RSA_R_BLOCK_TYPE_IS_NOT_02              ,"block type is not 02"},
-{RSA_R_DATA_GREATER_THAN_MOD_LEN         ,"data greater than mod len"},
-{RSA_R_DATA_TOO_LARGE                    ,"data too large"},
-{RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE       ,"data too large for key size"},
-{RSA_R_DATA_TOO_LARGE_FOR_MODULUS        ,"data too large for modulus"},
-{RSA_R_DATA_TOO_SMALL                    ,"data too small"},
-{RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE       ,"data too small for key size"},
-{RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY        ,"digest too big for rsa key"},
-{RSA_R_DMP1_NOT_CONGRUENT_TO_D           ,"dmp1 not congruent to d"},
-{RSA_R_DMQ1_NOT_CONGRUENT_TO_D           ,"dmq1 not congruent to d"},
-{RSA_R_D_E_NOT_CONGRUENT_TO_1            ,"d e not congruent to 1"},
-{RSA_R_INVALID_MESSAGE_LENGTH            ,"invalid message length"},
-{RSA_R_IQMP_NOT_INVERSE_OF_Q             ,"iqmp not inverse of q"},
-{RSA_R_KEY_SIZE_TOO_SMALL                ,"key size too small"},
-{RSA_R_NULL_BEFORE_BLOCK_MISSING         ,"null before block missing"},
-{RSA_R_N_DOES_NOT_EQUAL_P_Q              ,"n does not equal p q"},
-{RSA_R_OAEP_DECODING_ERROR               ,"oaep decoding error"},
-{RSA_R_PADDING_CHECK_FAILED              ,"padding check failed"},
-{RSA_R_P_NOT_PRIME                       ,"p not prime"},
-{RSA_R_Q_NOT_PRIME                       ,"q not prime"},
-{RSA_R_RSA_OPERATIONS_NOT_SUPPORTED      ,"rsa operations not supported"},
-{RSA_R_SSLV3_ROLLBACK_ATTACK             ,"sslv3 rollback attack"},
-{RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD,"the asn1 object identifier is not known for this md"},
-{RSA_R_UNKNOWN_ALGORITHM_TYPE            ,"unknown algorithm type"},
-{RSA_R_UNKNOWN_PADDING_TYPE              ,"unknown padding type"},
-{RSA_R_WRONG_SIGNATURE_LENGTH            ,"wrong signature length"},
+{ERR_REASON(RSA_R_ALGORITHM_MISMATCH)    ,"algorithm mismatch"},
+{ERR_REASON(RSA_R_BAD_E_VALUE)           ,"bad e value"},
+{ERR_REASON(RSA_R_BAD_FIXED_HEADER_DECRYPT),"bad fixed header decrypt"},
+{ERR_REASON(RSA_R_BAD_PAD_BYTE_COUNT)    ,"bad pad byte count"},
+{ERR_REASON(RSA_R_BAD_SIGNATURE)         ,"bad signature"},
+{ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_01)  ,"block type is not 01"},
+{ERR_REASON(RSA_R_BLOCK_TYPE_IS_NOT_02)  ,"block type is not 02"},
+{ERR_REASON(RSA_R_DATA_GREATER_THAN_MOD_LEN),"data greater than mod len"},
+{ERR_REASON(RSA_R_DATA_TOO_LARGE)        ,"data too large"},
+{ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
+{ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_MODULUS),"data too large for modulus"},
+{ERR_REASON(RSA_R_DATA_TOO_SMALL)        ,"data too small"},
+{ERR_REASON(RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE),"data too small for key size"},
+{ERR_REASON(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY),"digest too big for rsa key"},
+{ERR_REASON(RSA_R_DMP1_NOT_CONGRUENT_TO_D),"dmp1 not congruent to d"},
+{ERR_REASON(RSA_R_DMQ1_NOT_CONGRUENT_TO_D),"dmq1 not congruent to d"},
+{ERR_REASON(RSA_R_D_E_NOT_CONGRUENT_TO_1),"d e not congruent to 1"},
+{ERR_REASON(RSA_R_FIRST_OCTET_INVALID)   ,"first octet invalid"},
+{ERR_REASON(RSA_R_INVALID_HEADER)        ,"invalid header"},
+{ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH),"invalid message length"},
+{ERR_REASON(RSA_R_INVALID_PADDING)       ,"invalid padding"},
+{ERR_REASON(RSA_R_INVALID_TRAILER)       ,"invalid trailer"},
+{ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"},
+{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL)    ,"key size too small"},
+{ERR_REASON(RSA_R_LAST_OCTET_INVALID)    ,"last octet invalid"},
+{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
+{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q)  ,"n does not equal p q"},
+{ERR_REASON(RSA_R_OAEP_DECODING_ERROR)   ,"oaep decoding error"},
+{ERR_REASON(RSA_R_SLEN_RECOVERY_FAILED)  ,"salt length recovery failed"},
+{ERR_REASON(RSA_R_PADDING_CHECK_FAILED)  ,"padding check failed"},
+{ERR_REASON(RSA_R_P_NOT_PRIME)           ,"p not prime"},
+{ERR_REASON(RSA_R_Q_NOT_PRIME)           ,"q not prime"},
+{ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},
+{ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) ,"sslv3 rollback attack"},
+{ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"},
+{ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE),"unknown algorithm type"},
+{ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE)  ,"unknown padding type"},
+{ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
+{ERR_REASON(RSA_R_SLEN_CHECK_FAILED)     ,"salt length check failed"},
 {0,NULL}
         };
 
@@ -141,8 +156,8 @@ void ERR_load_RSA_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_RSA,RSA_str_functs);
-                ERR_load_strings(ERR_LIB_RSA,RSA_str_reasons);
+                ERR_load_strings(0,RSA_str_functs);
+                ERR_load_strings(0,RSA_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index adb5e34da5..dd1422cc98 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -184,7 +184,8 @@ err:
                 RSAerr(RSA_F_RSA_GENERATE_KEY,ERR_LIB_BN);
                 ok=0;
                 }
-        BN_CTX_end(ctx);
+        if (ctx != NULL)
+                BN_CTX_end(ctx);
         BN_CTX_free(ctx);
         BN_CTX_free(ctx2);
         
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
index e3f7c608ec..d43ecaca63 100644
--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -28,9 +28,6 @@
 #include <openssl/rand.h>
 #include <openssl/sha.h>
 
-int MGF1(unsigned char *mask, long len,
-        const unsigned char *seed, long seedlen);
-
 int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
         const unsigned char *from, int flen,
         const unsigned char *param, int plen)
@@ -76,11 +73,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
            20);
 #endif
 
-        MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
+        PKCS1_MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH,
+                                                                EVP_sha1());
         for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
                 db[i] ^= dbmask[i];
 
-        MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH);
+        PKCS1_MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH,
+                                                                EVP_sha1());
         for (i = 0; i < SHA_DIGEST_LENGTH; i++)
                 seed[i] ^= seedmask[i];
 
@@ -126,11 +125,11 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
                 return -1;
                 }
 
-        MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
+        PKCS1_MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen, EVP_sha1());
         for (i = lzero; i < SHA_DIGEST_LENGTH; i++)
                 seed[i] ^= from[i - lzero];
   
-        MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
+        PKCS1_MGF1(db, dblen, seed, SHA_DIGEST_LENGTH, EVP_sha1());
         for (i = 0; i < dblen; i++)
                 db[i] ^= maskeddb[i];
 
@@ -170,28 +169,30 @@ decoding_err:
         return -1;
         }
 
-int MGF1(unsigned char *mask, long len,
-        const unsigned char *seed, long seedlen)
+int PKCS1_MGF1(unsigned char *mask, long len,
+        const unsigned char *seed, long seedlen, const EVP_MD *dgst)
         {
         long i, outlen = 0;
         unsigned char cnt[4];
         EVP_MD_CTX c;
-        unsigned char md[SHA_DIGEST_LENGTH];
+        unsigned char md[EVP_MAX_MD_SIZE];
+        int mdlen;
 
         EVP_MD_CTX_init(&c);
+        mdlen = EVP_MD_size(dgst);
         for (i = 0; outlen < len; i++)
                 {
                 cnt[0] = (unsigned char)((i >> 24) & 255);
                 cnt[1] = (unsigned char)((i >> 16) & 255);
                 cnt[2] = (unsigned char)((i >> 8)) & 255;
                 cnt[3] = (unsigned char)(i & 255);
-                EVP_DigestInit_ex(&c,EVP_sha1(), NULL);
+                EVP_DigestInit_ex(&c,dgst, NULL);
                 EVP_DigestUpdate(&c, seed, seedlen);
                 EVP_DigestUpdate(&c, cnt, 4);
-                if (outlen + SHA_DIGEST_LENGTH <= len)
+                if (outlen + mdlen <= len)
                         {
                         EVP_DigestFinal_ex(&c, mask + outlen, NULL);
-                        outlen += SHA_DIGEST_LENGTH;
+                        outlen += mdlen;
                         }
                 else
                         {
@@ -203,4 +204,9 @@ int MGF1(unsigned char *mask, long len,
         EVP_MD_CTX_cleanup(&c);
         return 0;
         }
+
+int MGF1(unsigned char *mask, long len, const unsigned char *seed, long seedlen)
+        {
+        return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1());
+        }
 #endif
diff --git a/src/lib/libcrypto/rsa/rsa_pss.c b/src/lib/libcrypto/rsa/rsa_pss.c
new file mode 100644
index 0000000000..2815628f5f
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_pss.c
@@ -0,0 +1,261 @@
+/* rsa_pss.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2005.
+ */
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/sha.h>
+
+const static unsigned char zeroes[] = {0,0,0,0,0,0,0,0};
+
+int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
+                        const EVP_MD *Hash, const unsigned char *EM, int sLen)
+        {
+        int i;
+        int ret = 0;
+        int hLen, maskedDBLen, MSBits, emLen;
+        const unsigned char *H;
+        unsigned char *DB = NULL;
+        EVP_MD_CTX ctx;
+        unsigned char H_[EVP_MAX_MD_SIZE];
+
+        hLen = EVP_MD_size(Hash);
+        /*
+         * Negative sLen has special meanings:
+         *      -1      sLen == hLen
+         *      -2      salt length is autorecovered from signature
+         *      -N      reserved
+         */
+        if      (sLen == -1)    sLen = hLen;
+        else if (sLen == -2)    sLen = -2;
+        else if (sLen < -2)
+                {
+                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
+                goto err;
+                }
+
+        MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
+        emLen = RSA_size(rsa);
+        if (EM[0] & (0xFF << MSBits))
+                {
+                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_FIRST_OCTET_INVALID);
+                goto err;
+                }
+        if (MSBits == 0)
+                {
+                EM++;
+                emLen--;
+                }
+        if (emLen < (hLen + sLen + 2)) /* sLen can be small negative */
+                {
+                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_DATA_TOO_LARGE);
+                goto err;
+                }
+        if (EM[emLen - 1] != 0xbc)
+                {
+                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_LAST_OCTET_INVALID);
+                goto err;
+                }
+        maskedDBLen = emLen - hLen - 1;
+        H = EM + maskedDBLen;
+        DB = OPENSSL_malloc(maskedDBLen);
+        if (!DB)
+                {
+                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+        PKCS1_MGF1(DB, maskedDBLen, H, hLen, Hash);
+        for (i = 0; i < maskedDBLen; i++)
+                DB[i] ^= EM[i];
+        if (MSBits)
+                DB[0] &= 0xFF >> (8 - MSBits);
+        for (i = 0; DB[i] == 0 && i < (maskedDBLen-1); i++) ;
+        if (DB[i++] != 0x1)
+                {
+                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_RECOVERY_FAILED);
+                goto err;
+                }
+        if (sLen >= 0 && (maskedDBLen - i) != sLen)
+                {
+                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
+                goto err;
+                }
+        EVP_MD_CTX_init(&ctx);
+        EVP_DigestInit_ex(&ctx, Hash, NULL);
+        EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);
+        EVP_DigestUpdate(&ctx, mHash, hLen);
+        if (maskedDBLen - i)
+                EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i);
+        EVP_DigestFinal(&ctx, H_, NULL);
+        EVP_MD_CTX_cleanup(&ctx);
+        if (memcmp(H_, H, hLen))
+                {
+                RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_BAD_SIGNATURE);
+                ret = 0;
+                }
+        else 
+                ret = 1;
+
+        err:
+        if (DB)
+                OPENSSL_free(DB);
+
+        return ret;
+
+        }
+
+int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
+                        const unsigned char *mHash,
+                        const EVP_MD *Hash, int sLen)
+        {
+        int i;
+        int ret = 0;
+        int hLen, maskedDBLen, MSBits, emLen;
+        unsigned char *H, *salt = NULL, *p;
+        EVP_MD_CTX ctx;
+
+        hLen = EVP_MD_size(Hash);
+        /*
+         * Negative sLen has special meanings:
+         *      -1      sLen == hLen
+         *      -2      salt length is maximized
+         *      -N      reserved
+         */
+        if      (sLen == -1)    sLen = hLen;
+        else if (sLen == -2)    sLen = -2;
+        else if (sLen < -2)
+                {
+                RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS, RSA_R_SLEN_CHECK_FAILED);
+                goto err;
+                }
+
+        MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;
+        emLen = RSA_size(rsa);
+        if (MSBits == 0)
+                {
+                *EM++ = 0;
+                emLen--;
+                }
+        if (sLen == -2)
+                {
+                sLen = emLen - hLen - 2;
+                }
+        else if (emLen < (hLen + sLen + 2))
+                {
+                RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS,
+                   RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+                goto err;
+                }
+        if (sLen > 0)
+                {
+                salt = OPENSSL_malloc(sLen);
+                if (!salt)
+                        {
+                        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS,
+                                ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                if (!RAND_bytes(salt, sLen))
+                        goto err;
+                }
+        maskedDBLen = emLen - hLen - 1;
+        H = EM + maskedDBLen;
+        EVP_MD_CTX_init(&ctx);
+        EVP_DigestInit_ex(&ctx, Hash, NULL);
+        EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes);
+        EVP_DigestUpdate(&ctx, mHash, hLen);
+        if (sLen)
+                EVP_DigestUpdate(&ctx, salt, sLen);
+        EVP_DigestFinal(&ctx, H, NULL);
+        EVP_MD_CTX_cleanup(&ctx);
+
+        /* Generate dbMask in place then perform XOR on it */
+        PKCS1_MGF1(EM, maskedDBLen, H, hLen, Hash);
+
+        p = EM;
+
+        /* Initial PS XORs with all zeroes which is a NOP so just update
+         * pointer. Note from a test above this value is guaranteed to
+         * be non-negative.
+         */
+        p += emLen - sLen - hLen - 2;
+        *p++ ^= 0x1;
+        if (sLen > 0)
+                {
+                for (i = 0; i < sLen; i++)
+                        *p++ ^= salt[i];
+                }
+        if (MSBits)
+                EM[0] &= 0xFF >> (8 - MSBits);
+
+        /* H is already in place so just set final 0xbc */
+
+        EM[emLen - 1] = 0xbc;
+
+        ret = 1;
+
+        err:
+        if (salt)
+                OPENSSL_free(salt);
+
+        return ret;
+
+        }
diff --git a/src/lib/libcrypto/rsa/rsa_x931.c b/src/lib/libcrypto/rsa/rsa_x931.c
new file mode 100644
index 0000000000..df3c45f802
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_x931.c
@@ -0,0 +1,177 @@
+/* rsa_x931.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2005.
+ */
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+
+int RSA_padding_add_X931(unsigned char *to, int tlen,
+             const unsigned char *from, int flen)
+        {
+        int j;
+        unsigned char *p;
+
+        /* Absolute minimum amount of padding is 1 header nibble, 1 padding
+         * nibble and 2 trailer bytes: but 1 hash if is already in 'from'.
+         */
+
+        j = tlen - flen - 2;
+
+        if (j < 0)
+                {
+                RSAerr(RSA_F_RSA_PADDING_ADD_X931,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+                return -1;
+                }
+        
+        p=(unsigned char *)to;
+
+        /* If no padding start and end nibbles are in one byte */
+        if (j == 0)
+                *p++ = 0x6A;
+        else
+                {
+                *p++ = 0x6B;
+                if (j > 1)
+                        {
+                        memset(p, 0xBB, j - 1);
+                        p += j - 1;
+                        }
+                *p++ = 0xBA;
+                }
+        memcpy(p,from,(unsigned int)flen);
+        p += flen;
+        *p = 0xCC;
+        return(1);
+        }
+
+int RSA_padding_check_X931(unsigned char *to, int tlen,
+             const unsigned char *from, int flen, int num)
+        {
+        int i,j;
+        const unsigned char *p;
+
+        p=from;
+        if ((num != flen) || ((*p != 0x6A) && (*p != 0x6B)))
+                {
+                RSAerr(RSA_F_RSA_PADDING_CHECK_X931,RSA_R_INVALID_HEADER);
+                return -1;
+                }
+
+        if (*p++ == 0x6B)
+                {
+                j=flen-3;
+                for (i = 0; i < j; i++)
+                        {
+                        unsigned char c = *p++;
+                        if (c == 0xBA)
+                                break;
+                        if (c != 0xBB)
+                                {
+                                RSAerr(RSA_F_RSA_PADDING_CHECK_X931,
+                                        RSA_R_INVALID_PADDING);
+                                return -1;
+                                }
+                        }
+
+                j -= i;
+
+                if (i == 0)
+                        {
+                        RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_PADDING);
+                        return -1;
+                        }
+
+                }
+        else j = flen - 2;
+
+        if (p[j] != 0xCC)
+                {
+                RSAerr(RSA_F_RSA_PADDING_CHECK_X931, RSA_R_INVALID_TRAILER);
+                return -1;
+                }
+
+        memcpy(to,p,(unsigned int)j);
+
+        return(j);
+        }
+
+/* Translate between X931 hash ids and NIDs */
+
+int RSA_X931_hash_id(int nid)
+        {
+        switch (nid)
+                {
+                case NID_sha1:
+                return 0x33;
+
+                case NID_sha256:
+                return 0x34;
+
+                case NID_sha384:
+                return 0x36;
+
+                case NID_sha512:
+                return 0x35;
+
+                }
+        return -1;
+        }
+
diff --git a/src/lib/libcrypto/sha/sha1_one.c b/src/lib/libcrypto/sha/sha1_one.c
index 20e660c71d..f4694b701b 100644
--- a/src/lib/libcrypto/sha/sha1_one.c
+++ b/src/lib/libcrypto/sha/sha1_one.c
@@ -61,14 +61,15 @@
 #include <openssl/sha.h>
 #include <openssl/crypto.h>
 
-#ifndef OPENSSL_NO_SHA1
+#if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_FIPS)
 unsigned char *SHA1(const unsigned char *d, unsigned long n, unsigned char *md)
         {
         SHA_CTX c;
         static unsigned char m[SHA_DIGEST_LENGTH];
 
         if (md == NULL) md=m;
-        SHA1_Init(&c);
+        if (!SHA1_Init(&c))
+                return NULL;
         SHA1_Update(&c,d,n);
         SHA1_Final(md,&c);
         OPENSSL_cleanse(&c,sizeof(c));
diff --git a/src/lib/libcrypto/stack/safestack.h b/src/lib/libcrypto/stack/safestack.h
index bd1121c279..6010b7f122 100644
--- a/src/lib/libcrypto/stack/safestack.h
+++ b/src/lib/libcrypto/stack/safestack.h
@@ -55,6 +55,9 @@
 #ifndef HEADER_SAFESTACK_H
 #define HEADER_SAFESTACK_H
 
+typedef void (*openssl_fptr)(void);
+#define openssl_fcast(f) ((openssl_fptr)f)
+
 #include <openssl/stack.h>
 
 #ifdef DEBUG_SAFESTACK
@@ -73,74 +76,74 @@ STACK_OF(type) \
 /* SKM_sk_... stack macros are internal to safestack.h:
  * never use them directly, use sk_<type>_... instead */
 #define SKM_sk_new(type, cmp) \
-        ((STACK_OF(type) * (*)(int (*)(const type * const *, const type * const *)))sk_new)(cmp)
+        ((STACK_OF(type) * (*)(int (*)(const type * const *, const type * const *)))openssl_fcast(sk_new))(cmp)
 #define SKM_sk_new_null(type) \
-        ((STACK_OF(type) * (*)(void))sk_new_null)()
+        ((STACK_OF(type) * (*)(void))openssl_fcast(sk_new_null))()
 #define SKM_sk_free(type, st) \
-        ((void (*)(STACK_OF(type) *))sk_free)(st)
+        ((void (*)(STACK_OF(type) *))openssl_fcast(sk_free))(st)
 #define SKM_sk_num(type, st) \
-        ((int (*)(const STACK_OF(type) *))sk_num)(st)
+        ((int (*)(const STACK_OF(type) *))openssl_fcast(sk_num))(st)
 #define SKM_sk_value(type, st,i) \
-        ((type * (*)(const STACK_OF(type) *, int))sk_value)(st, i)
+        ((type * (*)(const STACK_OF(type) *, int))openssl_fcast(sk_value))(st, i)
 #define SKM_sk_set(type, st,i,val) \
-        ((type * (*)(STACK_OF(type) *, int, type *))sk_set)(st, i, val)
+        ((type * (*)(STACK_OF(type) *, int, type *))openssl_fcast(sk_set))(st, i, val)
 #define SKM_sk_zero(type, st) \
-        ((void (*)(STACK_OF(type) *))sk_zero)(st)
+        ((void (*)(STACK_OF(type) *))openssl_fcast(sk_zero))(st)
 #define SKM_sk_push(type, st,val) \
-        ((int (*)(STACK_OF(type) *, type *))sk_push)(st, val)
+        ((int (*)(STACK_OF(type) *, type *))openssl_fcast(sk_push))(st, val)
 #define SKM_sk_unshift(type, st,val) \
-        ((int (*)(STACK_OF(type) *, type *))sk_unshift)(st, val)
+        ((int (*)(STACK_OF(type) *, type *))openssl_fcast(sk_unshift))(st, val)
 #define SKM_sk_find(type, st,val) \
-        ((int (*)(STACK_OF(type) *, type *))sk_find)(st, val)
+        ((int (*)(STACK_OF(type) *, type *))openssl_fcast(sk_find))(st, val)
 #define SKM_sk_delete(type, st,i) \
-        ((type * (*)(STACK_OF(type) *, int))sk_delete)(st, i)
+        ((type * (*)(STACK_OF(type) *, int))openssl_fcast(sk_delete))(st, i)
 #define SKM_sk_delete_ptr(type, st,ptr) \
-        ((type * (*)(STACK_OF(type) *, type *))sk_delete_ptr)(st, ptr)
+        ((type * (*)(STACK_OF(type) *, type *))openssl_fcast(sk_delete_ptr))(st, ptr)
 #define SKM_sk_insert(type, st,val,i) \
-        ((int (*)(STACK_OF(type) *, type *, int))sk_insert)(st, val, i)
+        ((int (*)(STACK_OF(type) *, type *, int))openssl_fcast(sk_insert))(st, val, i)
 #define SKM_sk_set_cmp_func(type, st,cmp) \
         ((int (*(*)(STACK_OF(type) *, int (*)(const type * const *, const type * const *))) \
-          (const type * const *, const type * const *))sk_set_cmp_func)\
+          (const type * const *, const type * const *))openssl_fcast(sk_set_cmp_func))\
         (st, cmp)
 #define SKM_sk_dup(type, st) \
-        ((STACK_OF(type) *(*)(STACK_OF(type) *))sk_dup)(st)
+        ((STACK_OF(type) *(*)(STACK_OF(type) *))openssl_fcast(sk_dup))(st)
 #define SKM_sk_pop_free(type, st,free_func) \
-        ((void (*)(STACK_OF(type) *, void (*)(type *)))sk_pop_free)\
+        ((void (*)(STACK_OF(type) *, void (*)(type *)))openssl_fcast(sk_pop_free))\
         (st, free_func)
 #define SKM_sk_shift(type, st) \
-        ((type * (*)(STACK_OF(type) *))sk_shift)(st)
+        ((type * (*)(STACK_OF(type) *))openssl_fcast(sk_shift))(st)
 #define SKM_sk_pop(type, st) \
-        ((type * (*)(STACK_OF(type) *))sk_pop)(st)
+        ((type * (*)(STACK_OF(type) *))openssl_fcast(sk_pop))(st)
 #define SKM_sk_sort(type, st) \
-        ((void (*)(STACK_OF(type) *))sk_sort)(st)
+        ((void (*)(STACK_OF(type) *))openssl_fcast(sk_sort))(st)
 #define SKM_sk_is_sorted(type, st) \
-        ((int (*)(const STACK_OF(type) *))sk_is_sorted)(st)
+        ((int (*)(const STACK_OF(type) *))openssl_fcast(sk_is_sorted))(st)
 
 #define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
         ((STACK_OF(type) * (*) (STACK_OF(type) **,unsigned char **, long , \
                                        type *(*)(type **, unsigned char **,long), \
-                                       void (*)(type *), int ,int )) d2i_ASN1_SET) \
+                                       void (*)(type *), int ,int )) openssl_fcast(d2i_ASN1_SET)) \
                                                 (st,pp,length, d2i_func, free_func, ex_tag,ex_class)
 #define SKM_ASN1_SET_OF_i2d(type, st, pp, i2d_func, ex_tag, ex_class, is_set) \
         ((int (*)(STACK_OF(type) *,unsigned char **, \
-                           int (*)(type *,unsigned char **), int , int , int)) i2d_ASN1_SET) \
+                           int (*)(type *,unsigned char **), int , int , int)) openssl_fcast(i2d_ASN1_SET)) \
                                                 (st,pp,i2d_func,ex_tag,ex_class,is_set)
 
 #define SKM_ASN1_seq_pack(type, st, i2d_func, buf, len) \
         ((unsigned char *(*)(STACK_OF(type) *, \
-                                    int (*)(type *,unsigned char **), unsigned char **,int *)) ASN1_seq_pack) \
+                                    int (*)(type *,unsigned char **), unsigned char **,int *)) openssl_fcast(ASN1_seq_pack)) \
                                 (st, i2d_func, buf, len)
 #define SKM_ASN1_seq_unpack(type, buf, len, d2i_func, free_func) \
         ((STACK_OF(type) * (*)(unsigned char *,int, \
                                        type *(*)(type **,unsigned char **, long), \
-                                       void (*)(type *)))ASN1_seq_unpack) \
+                                       void (*)(type *)))openssl_fcast(ASN1_seq_unpack)) \
                                         (buf,len,d2i_func, free_func)
 
 #define SKM_PKCS12_decrypt_d2i(type, algor, d2i_func, free_func, pass, passlen, oct, seq) \
         ((STACK_OF(type) * (*)(X509_ALGOR *, \
                                 type *(*)(type **, unsigned char **, long), void (*)(type *), \
                                 const char *, int, \
-                                ASN1_STRING *, int))PKCS12_decrypt_d2i) \
+                                ASN1_STRING *, int))openssl_fcast(PKCS12_decrypt_d2i)) \
                                 (algor,d2i_func,free_func,pass,passlen,oct,seq)
 
 #else
diff --git a/src/lib/libcrypto/ui/ui_err.c b/src/lib/libcrypto/ui/ui_err.c
index 39a62ae737..d983cdd66f 100644
--- a/src/lib/libcrypto/ui/ui_err.c
+++ b/src/lib/libcrypto/ui/ui_err.c
@@ -1,6 +1,6 @@
 /* crypto/ui/ui_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,32 +64,36 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_UI,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_UI,0,reason)
+
 static ERR_STRING_DATA UI_str_functs[]=
         {
-{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_BOOLEAN,0),   "GENERAL_ALLOCATE_BOOLEAN"},
-{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_PROMPT,0),    "GENERAL_ALLOCATE_PROMPT"},
-{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_STRING,0),    "GENERAL_ALLOCATE_STRING"},
-{ERR_PACK(0,UI_F_UI_CTRL,0),    "UI_ctrl"},
-{ERR_PACK(0,UI_F_UI_DUP_ERROR_STRING,0),        "UI_dup_error_string"},
-{ERR_PACK(0,UI_F_UI_DUP_INFO_STRING,0), "UI_dup_info_string"},
-{ERR_PACK(0,UI_F_UI_DUP_INPUT_BOOLEAN,0),       "UI_dup_input_boolean"},
-{ERR_PACK(0,UI_F_UI_DUP_INPUT_STRING,0),        "UI_dup_input_string"},
-{ERR_PACK(0,UI_F_UI_DUP_VERIFY_STRING,0),       "UI_dup_verify_string"},
-{ERR_PACK(0,UI_F_UI_GET0_RESULT,0),     "UI_get0_result"},
-{ERR_PACK(0,UI_F_UI_NEW_METHOD,0),      "UI_new_method"},
-{ERR_PACK(0,UI_F_UI_SET_RESULT,0),      "UI_set_result"},
+{ERR_FUNC(UI_F_GENERAL_ALLOCATE_BOOLEAN),       "GENERAL_ALLOCATE_BOOLEAN"},
+{ERR_FUNC(UI_F_GENERAL_ALLOCATE_PROMPT),        "GENERAL_ALLOCATE_PROMPT"},
+{ERR_FUNC(UI_F_GENERAL_ALLOCATE_STRING),        "GENERAL_ALLOCATE_STRING"},
+{ERR_FUNC(UI_F_UI_CTRL),        "UI_ctrl"},
+{ERR_FUNC(UI_F_UI_DUP_ERROR_STRING),    "UI_dup_error_string"},
+{ERR_FUNC(UI_F_UI_DUP_INFO_STRING),     "UI_dup_info_string"},
+{ERR_FUNC(UI_F_UI_DUP_INPUT_BOOLEAN),   "UI_dup_input_boolean"},
+{ERR_FUNC(UI_F_UI_DUP_INPUT_STRING),    "UI_dup_input_string"},
+{ERR_FUNC(UI_F_UI_DUP_VERIFY_STRING),   "UI_dup_verify_string"},
+{ERR_FUNC(UI_F_UI_GET0_RESULT), "UI_get0_result"},
+{ERR_FUNC(UI_F_UI_NEW_METHOD),  "UI_new_method"},
+{ERR_FUNC(UI_F_UI_SET_RESULT),  "UI_set_result"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA UI_str_reasons[]=
         {
-{UI_R_COMMON_OK_AND_CANCEL_CHARACTERS    ,"common ok and cancel characters"},
-{UI_R_INDEX_TOO_LARGE                    ,"index too large"},
-{UI_R_INDEX_TOO_SMALL                    ,"index too small"},
-{UI_R_NO_RESULT_BUFFER                   ,"no result buffer"},
-{UI_R_RESULT_TOO_LARGE                   ,"result too large"},
-{UI_R_RESULT_TOO_SMALL                   ,"result too small"},
-{UI_R_UNKNOWN_CONTROL_COMMAND            ,"unknown control command"},
+{ERR_REASON(UI_R_COMMON_OK_AND_CANCEL_CHARACTERS),"common ok and cancel characters"},
+{ERR_REASON(UI_R_INDEX_TOO_LARGE)        ,"index too large"},
+{ERR_REASON(UI_R_INDEX_TOO_SMALL)        ,"index too small"},
+{ERR_REASON(UI_R_NO_RESULT_BUFFER)       ,"no result buffer"},
+{ERR_REASON(UI_R_RESULT_TOO_LARGE)       ,"result too large"},
+{ERR_REASON(UI_R_RESULT_TOO_SMALL)       ,"result too small"},
+{ERR_REASON(UI_R_UNKNOWN_CONTROL_COMMAND),"unknown control command"},
 {0,NULL}
         };
 
@@ -103,8 +107,8 @@ void ERR_load_UI_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_UI,UI_str_functs);
-                ERR_load_strings(ERR_LIB_UI,UI_str_reasons);
+                ERR_load_strings(0,UI_str_functs);
+                ERR_load_strings(0,UI_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/util/mkerr.pl b/src/lib/libcrypto/util/mkerr.pl
index 60e534807e..9678514604 100644
--- a/src/lib/libcrypto/util/mkerr.pl
+++ b/src/lib/libcrypto/util/mkerr.pl
@@ -9,6 +9,9 @@ my $reindex = 0;
 my $dowrite = 0;
 my $staticloader = "";
 
+my $pack_errcode;
+my $load_errcode;
+
 while (@ARGV) {
         my $arg = $ARGV[0];
         if($arg eq "-conf") {
@@ -41,8 +44,8 @@ while (@ARGV) {
 }
 
 if($recurse) {
-        @source = (<crypto/*.c>, <crypto/*/*.c>, <ssl/*.c>, <fips/*.c>,
-                   <fips/*/*.c>);
+        @source = (<crypto/*.c>, <crypto/*/*.c>, <ssl/*.c>, <fips-1.0/*.c>,
+                   <fips-1.0/*/*.c>);
 } else {
         @source = @ARGV;
 }
@@ -399,6 +402,20 @@ EOF
                 $hincf = "\"$hfile\"";
         }
 
+        # If static we know the error code at compile time so use it
+        # in error definitions.
+
+        if ($static)
+                {
+                $pack_errcode = "ERR_LIB_${lib}";
+                $load_errcode = "0";
+                }
+        else
+                {
+                $pack_errcode = "0";
+                $load_errcode = "ERR_LIB_${lib}";
+                }
+
 
         open (OUT,">$cfile") || die "Can't open $cfile for writing";
 
@@ -469,6 +486,10 @@ EOF
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK($pack_errcode,func,0)
+#define ERR_REASON(reason) ERR_PACK($pack_errcode,0,reason)
+
 static ERR_STRING_DATA ${lib}_str_functs[]=
         {
 EOF
@@ -480,7 +501,8 @@ EOF
                 if(exists $ftrans{$fn}) {
                         $fn = $ftrans{$fn};
                 }
-                print OUT "{ERR_PACK(0,$i,0),\t\"$fn\"},\n";
+#               print OUT "{ERR_PACK($pack_errcode,$i,0),\t\"$fn\"},\n";
+                print OUT "{ERR_FUNC($i),\t\"$fn\"},\n";
         }
         print OUT <<"EOF";
 {0,NULL}
@@ -492,6 +514,7 @@ EOF
         # Add each reason code.
         foreach $i (@reasons) {
                 my $rn;
+                my $rstr = "ERR_REASON($i)";
                 my $nspc = 0;
                 if (exists $err_reason_strings{$i}) {
                         $rn = $err_reason_strings{$i};
@@ -500,9 +523,9 @@ EOF
                         $rn = $1;
                         $rn =~ tr/_[A-Z]/ [a-z]/;
                 }
-                $nspc = 40 - length($i) unless length($i) > 40;
+                $nspc = 40 - length($rstr) unless length($rstr) > 40;
                 $nspc = " " x $nspc;
-                print OUT "{${i}${nspc},\"$rn\"},\n";
+                print OUT "{${rstr}${nspc},\"$rn\"},\n";
         }
 if($static) {
         print OUT <<"EOF";
@@ -519,8 +542,8 @@ ${staticloader}void ERR_load_${lib}_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_${lib},${lib}_str_functs);
-                ERR_load_strings(ERR_LIB_${lib},${lib}_str_reasons);
+                ERR_load_strings($load_errcode,${lib}_str_functs);
+                ERR_load_strings($load_errcode,${lib}_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c
index 6207340472..ea689aed1a 100644
--- a/src/lib/libcrypto/x509/by_dir.c
+++ b/src/lib/libcrypto/x509/by_dir.c
@@ -114,7 +114,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
         {
         int ret=0;
         BY_DIR *ld;
-        char *dir;
+        char *dir = NULL;
 
         ld=(BY_DIR *)ctx->method_data;
 
@@ -123,17 +123,16 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
         case X509_L_ADD_DIR:
                 if (argl == X509_FILETYPE_DEFAULT)
                         {
-                        ret=add_cert_dir(ld,X509_get_default_cert_dir(),
-                                X509_FILETYPE_PEM);
+                        dir=(char *)Getenv(X509_get_default_cert_dir_env());
+                        if (dir)
+                                ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
+                        else
+                                ret=add_cert_dir(ld,X509_get_default_cert_dir(),
+                                        X509_FILETYPE_PEM);
                         if (!ret)
                                 {
                                 X509err(X509_F_DIR_CTRL,X509_R_LOADING_CERT_DIR);
                                 }
-                        else
-                                {
-                                dir=(char *)Getenv(X509_get_default_cert_dir_env());
-                                ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
-                                }
                         }
                 else
                         ret=add_cert_dir(ld,argp,(int)argl);
diff --git a/src/lib/libcrypto/x509/x509_err.c b/src/lib/libcrypto/x509/x509_err.c
index 5bbf4acf76..d44d046027 100644
--- a/src/lib/libcrypto/x509/x509_err.c
+++ b/src/lib/libcrypto/x509/x509_err.c
@@ -1,6 +1,6 @@
 /* crypto/x509/x509_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,77 +64,81 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509,0,reason)
+
 static ERR_STRING_DATA X509_str_functs[]=
         {
-{ERR_PACK(0,X509_F_ADD_CERT_DIR,0),     "ADD_CERT_DIR"},
-{ERR_PACK(0,X509_F_BY_FILE_CTRL,0),     "BY_FILE_CTRL"},
-{ERR_PACK(0,X509_F_DIR_CTRL,0), "DIR_CTRL"},
-{ERR_PACK(0,X509_F_GET_CERT_BY_SUBJECT,0),      "GET_CERT_BY_SUBJECT"},
-{ERR_PACK(0,X509_F_NETSCAPE_SPKI_B64_DECODE,0), "NETSCAPE_SPKI_b64_decode"},
-{ERR_PACK(0,X509_F_NETSCAPE_SPKI_B64_ENCODE,0), "NETSCAPE_SPKI_b64_encode"},
-{ERR_PACK(0,X509_F_X509V3_ADD_EXT,0),   "X509v3_add_ext"},
-{ERR_PACK(0,X509_F_X509_ADD_ATTR,0),    "X509_ADD_ATTR"},
-{ERR_PACK(0,X509_F_X509_ATTRIBUTE_CREATE_BY_NID,0),     "X509_ATTRIBUTE_create_by_NID"},
-{ERR_PACK(0,X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,0),     "X509_ATTRIBUTE_create_by_OBJ"},
-{ERR_PACK(0,X509_F_X509_ATTRIBUTE_CREATE_BY_TXT,0),     "X509_ATTRIBUTE_create_by_txt"},
-{ERR_PACK(0,X509_F_X509_ATTRIBUTE_GET0_DATA,0), "X509_ATTRIBUTE_get0_data"},
-{ERR_PACK(0,X509_F_X509_ATTRIBUTE_SET1_DATA,0), "X509_ATTRIBUTE_set1_data"},
-{ERR_PACK(0,X509_F_X509_CHECK_PRIVATE_KEY,0),   "X509_check_private_key"},
-{ERR_PACK(0,X509_F_X509_EXTENSION_CREATE_BY_NID,0),     "X509_EXTENSION_create_by_NID"},
-{ERR_PACK(0,X509_F_X509_EXTENSION_CREATE_BY_OBJ,0),     "X509_EXTENSION_create_by_OBJ"},
-{ERR_PACK(0,X509_F_X509_GET_PUBKEY_PARAMETERS,0),       "X509_get_pubkey_parameters"},
-{ERR_PACK(0,X509_F_X509_LOAD_CERT_CRL_FILE,0),  "X509_load_cert_crl_file"},
-{ERR_PACK(0,X509_F_X509_LOAD_CERT_FILE,0),      "X509_load_cert_file"},
-{ERR_PACK(0,X509_F_X509_LOAD_CRL_FILE,0),       "X509_load_crl_file"},
-{ERR_PACK(0,X509_F_X509_NAME_ADD_ENTRY,0),      "X509_NAME_add_entry"},
-{ERR_PACK(0,X509_F_X509_NAME_ENTRY_CREATE_BY_NID,0),    "X509_NAME_ENTRY_create_by_NID"},
-{ERR_PACK(0,X509_F_X509_NAME_ENTRY_CREATE_BY_TXT,0),    "X509_NAME_ENTRY_create_by_txt"},
-{ERR_PACK(0,X509_F_X509_NAME_ENTRY_SET_OBJECT,0),       "X509_NAME_ENTRY_set_object"},
-{ERR_PACK(0,X509_F_X509_NAME_ONELINE,0),        "X509_NAME_oneline"},
-{ERR_PACK(0,X509_F_X509_NAME_PRINT,0),  "X509_NAME_print"},
-{ERR_PACK(0,X509_F_X509_PRINT_FP,0),    "X509_print_fp"},
-{ERR_PACK(0,X509_F_X509_PUBKEY_GET,0),  "X509_PUBKEY_get"},
-{ERR_PACK(0,X509_F_X509_PUBKEY_SET,0),  "X509_PUBKEY_set"},
-{ERR_PACK(0,X509_F_X509_REQ_PRINT,0),   "X509_REQ_print"},
-{ERR_PACK(0,X509_F_X509_REQ_PRINT_FP,0),        "X509_REQ_print_fp"},
-{ERR_PACK(0,X509_F_X509_REQ_TO_X509,0), "X509_REQ_to_X509"},
-{ERR_PACK(0,X509_F_X509_STORE_ADD_CERT,0),      "X509_STORE_add_cert"},
-{ERR_PACK(0,X509_F_X509_STORE_ADD_CRL,0),       "X509_STORE_add_crl"},
-{ERR_PACK(0,X509_F_X509_STORE_CTX_INIT,0),      "X509_STORE_CTX_init"},
-{ERR_PACK(0,X509_F_X509_STORE_CTX_NEW,0),       "X509_STORE_CTX_new"},
-{ERR_PACK(0,X509_F_X509_STORE_CTX_PURPOSE_INHERIT,0),   "X509_STORE_CTX_purpose_inherit"},
-{ERR_PACK(0,X509_F_X509_TO_X509_REQ,0), "X509_to_X509_REQ"},
-{ERR_PACK(0,X509_F_X509_TRUST_ADD,0),   "X509_TRUST_add"},
-{ERR_PACK(0,X509_F_X509_TRUST_SET,0),   "X509_TRUST_set"},
-{ERR_PACK(0,X509_F_X509_VERIFY_CERT,0), "X509_verify_cert"},
+{ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"},
+{ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"},
+{ERR_FUNC(X509_F_DIR_CTRL),     "DIR_CTRL"},
+{ERR_FUNC(X509_F_GET_CERT_BY_SUBJECT),  "GET_CERT_BY_SUBJECT"},
+{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_DECODE),     "NETSCAPE_SPKI_b64_decode"},
+{ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_ENCODE),     "NETSCAPE_SPKI_b64_encode"},
+{ERR_FUNC(X509_F_X509V3_ADD_EXT),       "X509v3_add_ext"},
+{ERR_FUNC(X509_F_X509_ADD_ATTR),        "X509_ADD_ATTR"},
+{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_NID), "X509_ATTRIBUTE_create_by_NID"},
+{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ), "X509_ATTRIBUTE_create_by_OBJ"},
+{ERR_FUNC(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT), "X509_ATTRIBUTE_create_by_txt"},
+{ERR_FUNC(X509_F_X509_ATTRIBUTE_GET0_DATA),     "X509_ATTRIBUTE_get0_data"},
+{ERR_FUNC(X509_F_X509_ATTRIBUTE_SET1_DATA),     "X509_ATTRIBUTE_set1_data"},
+{ERR_FUNC(X509_F_X509_CHECK_PRIVATE_KEY),       "X509_check_private_key"},
+{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_NID), "X509_EXTENSION_create_by_NID"},
+{ERR_FUNC(X509_F_X509_EXTENSION_CREATE_BY_OBJ), "X509_EXTENSION_create_by_OBJ"},
+{ERR_FUNC(X509_F_X509_GET_PUBKEY_PARAMETERS),   "X509_get_pubkey_parameters"},
+{ERR_FUNC(X509_F_X509_LOAD_CERT_CRL_FILE),      "X509_load_cert_crl_file"},
+{ERR_FUNC(X509_F_X509_LOAD_CERT_FILE),  "X509_load_cert_file"},
+{ERR_FUNC(X509_F_X509_LOAD_CRL_FILE),   "X509_load_crl_file"},
+{ERR_FUNC(X509_F_X509_NAME_ADD_ENTRY),  "X509_NAME_add_entry"},
+{ERR_FUNC(X509_F_X509_NAME_ENTRY_CREATE_BY_NID),        "X509_NAME_ENTRY_create_by_NID"},
+{ERR_FUNC(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT),        "X509_NAME_ENTRY_create_by_txt"},
+{ERR_FUNC(X509_F_X509_NAME_ENTRY_SET_OBJECT),   "X509_NAME_ENTRY_set_object"},
+{ERR_FUNC(X509_F_X509_NAME_ONELINE),    "X509_NAME_oneline"},
+{ERR_FUNC(X509_F_X509_NAME_PRINT),      "X509_NAME_print"},
+{ERR_FUNC(X509_F_X509_PRINT_FP),        "X509_print_fp"},
+{ERR_FUNC(X509_F_X509_PUBKEY_GET),      "X509_PUBKEY_get"},
+{ERR_FUNC(X509_F_X509_PUBKEY_SET),      "X509_PUBKEY_set"},
+{ERR_FUNC(X509_F_X509_REQ_PRINT),       "X509_REQ_print"},
+{ERR_FUNC(X509_F_X509_REQ_PRINT_FP),    "X509_REQ_print_fp"},
+{ERR_FUNC(X509_F_X509_REQ_TO_X509),     "X509_REQ_to_X509"},
+{ERR_FUNC(X509_F_X509_STORE_ADD_CERT),  "X509_STORE_add_cert"},
+{ERR_FUNC(X509_F_X509_STORE_ADD_CRL),   "X509_STORE_add_crl"},
+{ERR_FUNC(X509_F_X509_STORE_CTX_INIT),  "X509_STORE_CTX_init"},
+{ERR_FUNC(X509_F_X509_STORE_CTX_NEW),   "X509_STORE_CTX_new"},
+{ERR_FUNC(X509_F_X509_STORE_CTX_PURPOSE_INHERIT),       "X509_STORE_CTX_purpose_inherit"},
+{ERR_FUNC(X509_F_X509_TO_X509_REQ),     "X509_to_X509_REQ"},
+{ERR_FUNC(X509_F_X509_TRUST_ADD),       "X509_TRUST_add"},
+{ERR_FUNC(X509_F_X509_TRUST_SET),       "X509_TRUST_set"},
+{ERR_FUNC(X509_F_X509_VERIFY_CERT),     "X509_verify_cert"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA X509_str_reasons[]=
         {
-{X509_R_BAD_X509_FILETYPE                ,"bad x509 filetype"},
-{X509_R_BASE64_DECODE_ERROR              ,"base64 decode error"},
-{X509_R_CANT_CHECK_DH_KEY                ,"cant check dh key"},
-{X509_R_CERT_ALREADY_IN_HASH_TABLE       ,"cert already in hash table"},
-{X509_R_ERR_ASN1_LIB                     ,"err asn1 lib"},
-{X509_R_INVALID_DIRECTORY                ,"invalid directory"},
-{X509_R_INVALID_FIELD_NAME               ,"invalid field name"},
-{X509_R_INVALID_TRUST                    ,"invalid trust"},
-{X509_R_KEY_TYPE_MISMATCH                ,"key type mismatch"},
-{X509_R_KEY_VALUES_MISMATCH              ,"key values mismatch"},
-{X509_R_LOADING_CERT_DIR                 ,"loading cert dir"},
-{X509_R_LOADING_DEFAULTS                 ,"loading defaults"},
-{X509_R_NO_CERT_SET_FOR_US_TO_VERIFY     ,"no cert set for us to verify"},
-{X509_R_SHOULD_RETRY                     ,"should retry"},
-{X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN,"unable to find parameters in chain"},
-{X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY   ,"unable to get certs public key"},
-{X509_R_UNKNOWN_KEY_TYPE                 ,"unknown key type"},
-{X509_R_UNKNOWN_NID                      ,"unknown nid"},
-{X509_R_UNKNOWN_PURPOSE_ID               ,"unknown purpose id"},
-{X509_R_UNKNOWN_TRUST_ID                 ,"unknown trust id"},
-{X509_R_UNSUPPORTED_ALGORITHM            ,"unsupported algorithm"},
-{X509_R_WRONG_LOOKUP_TYPE                ,"wrong lookup type"},
-{X509_R_WRONG_TYPE                       ,"wrong type"},
+{ERR_REASON(X509_R_BAD_X509_FILETYPE)    ,"bad x509 filetype"},
+{ERR_REASON(X509_R_BASE64_DECODE_ERROR)  ,"base64 decode error"},
+{ERR_REASON(X509_R_CANT_CHECK_DH_KEY)    ,"cant check dh key"},
+{ERR_REASON(X509_R_CERT_ALREADY_IN_HASH_TABLE),"cert already in hash table"},
+{ERR_REASON(X509_R_ERR_ASN1_LIB)         ,"err asn1 lib"},
+{ERR_REASON(X509_R_INVALID_DIRECTORY)    ,"invalid directory"},
+{ERR_REASON(X509_R_INVALID_FIELD_NAME)   ,"invalid field name"},
+{ERR_REASON(X509_R_INVALID_TRUST)        ,"invalid trust"},
+{ERR_REASON(X509_R_KEY_TYPE_MISMATCH)    ,"key type mismatch"},
+{ERR_REASON(X509_R_KEY_VALUES_MISMATCH)  ,"key values mismatch"},
+{ERR_REASON(X509_R_LOADING_CERT_DIR)     ,"loading cert dir"},
+{ERR_REASON(X509_R_LOADING_DEFAULTS)     ,"loading defaults"},
+{ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY),"no cert set for us to verify"},
+{ERR_REASON(X509_R_SHOULD_RETRY)         ,"should retry"},
+{ERR_REASON(X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN),"unable to find parameters in chain"},
+{ERR_REASON(X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY),"unable to get certs public key"},
+{ERR_REASON(X509_R_UNKNOWN_KEY_TYPE)     ,"unknown key type"},
+{ERR_REASON(X509_R_UNKNOWN_NID)          ,"unknown nid"},
+{ERR_REASON(X509_R_UNKNOWN_PURPOSE_ID)   ,"unknown purpose id"},
+{ERR_REASON(X509_R_UNKNOWN_TRUST_ID)     ,"unknown trust id"},
+{ERR_REASON(X509_R_UNSUPPORTED_ALGORITHM),"unsupported algorithm"},
+{ERR_REASON(X509_R_WRONG_LOOKUP_TYPE)    ,"wrong lookup type"},
+{ERR_REASON(X509_R_WRONG_TYPE)           ,"wrong type"},
 {0,NULL}
         };
 
@@ -148,8 +152,8 @@ void ERR_load_X509_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_X509,X509_str_functs);
-                ERR_load_strings(ERR_LIB_X509,X509_str_reasons);
+                ERR_load_strings(0,X509_str_functs);
+                ERR_load_strings(0,X509_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index e43c861ee7..383e082aba 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -944,7 +944,7 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
                 offset=0;
         else
                 {
-                if ((*str != '+') && (str[5] != '-'))
+                if ((*str != '+') && (*str != '-'))
                         return 0;
                 offset=((str[1]-'0')*10+(str[2]-'0'))*60;
                 offset+=(str[3]-'0')*10+(str[4]-'0');
diff --git a/src/lib/libcrypto/x509v3/v3_cpols.c b/src/lib/libcrypto/x509v3/v3_cpols.c
index 0d554f3a2c..867525f336 100644
--- a/src/lib/libcrypto/x509v3/v3_cpols.c
+++ b/src/lib/libcrypto/x509v3/v3_cpols.c
@@ -137,7 +137,15 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
         CONF_VALUE *cnf;
         int i, ia5org;
         pols = sk_POLICYINFO_new_null();
+        if (pols == NULL) {
+                X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
         vals =  X509V3_parse_list(value);
+        if (vals == NULL) {
+                X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_X509V3_LIB);
+                goto err;
+        }
         ia5org = 0;
         for(i = 0; i < sk_CONF_VALUE_num(vals); i++) {
                 cnf = sk_CONF_VALUE_value(vals, i);
@@ -176,6 +184,7 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
         sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
         return pols;
         err:
+        sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
         sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
         return NULL;
 }
diff --git a/src/lib/libcrypto/x509v3/v3err.c b/src/lib/libcrypto/x509v3/v3err.c
index 2df0c3ef01..e1edaf5248 100644
--- a/src/lib/libcrypto/x509v3/v3err.c
+++ b/src/lib/libcrypto/x509v3/v3err.c
@@ -64,114 +64,118 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509V3,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509V3,0,reason)
+
 static ERR_STRING_DATA X509V3_str_functs[]=
         {
-{ERR_PACK(0,X509V3_F_COPY_EMAIL,0),     "COPY_EMAIL"},
-{ERR_PACK(0,X509V3_F_COPY_ISSUER,0),    "COPY_ISSUER"},
-{ERR_PACK(0,X509V3_F_DO_EXT_CONF,0),    "DO_EXT_CONF"},
-{ERR_PACK(0,X509V3_F_DO_EXT_I2D,0),     "DO_EXT_I2D"},
-{ERR_PACK(0,X509V3_F_HEX_TO_STRING,0),  "hex_to_string"},
-{ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0),    "i2s_ASN1_ENUMERATED"},
-{ERR_PACK(0,X509V3_F_I2S_ASN1_IA5STRING,0),     "I2S_ASN1_IA5STRING"},
-{ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0),       "i2s_ASN1_INTEGER"},
-{ERR_PACK(0,X509V3_F_I2V_AUTHORITY_INFO_ACCESS,0),      "I2V_AUTHORITY_INFO_ACCESS"},
-{ERR_PACK(0,X509V3_F_NOTICE_SECTION,0), "NOTICE_SECTION"},
-{ERR_PACK(0,X509V3_F_NREF_NOS,0),       "NREF_NOS"},
-{ERR_PACK(0,X509V3_F_POLICY_SECTION,0), "POLICY_SECTION"},
-{ERR_PACK(0,X509V3_F_R2I_CERTPOL,0),    "R2I_CERTPOL"},
-{ERR_PACK(0,X509V3_F_R2I_PCI,0),        "R2I_PCI"},
-{ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0),     "S2I_ASN1_IA5STRING"},
-{ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0),       "s2i_ASN1_INTEGER"},
-{ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0),  "s2i_ASN1_OCTET_STRING"},
-{ERR_PACK(0,X509V3_F_S2I_ASN1_SKEY_ID,0),       "S2I_ASN1_SKEY_ID"},
-{ERR_PACK(0,X509V3_F_S2I_S2I_SKEY_ID,0),        "S2I_S2I_SKEY_ID"},
-{ERR_PACK(0,X509V3_F_STRING_TO_HEX,0),  "string_to_hex"},
-{ERR_PACK(0,X509V3_F_SXNET_ADD_ASC,0),  "SXNET_ADD_ASC"},
-{ERR_PACK(0,X509V3_F_SXNET_ADD_ID_INTEGER,0),   "SXNET_add_id_INTEGER"},
-{ERR_PACK(0,X509V3_F_SXNET_ADD_ID_ULONG,0),     "SXNET_add_id_ulong"},
-{ERR_PACK(0,X509V3_F_SXNET_GET_ID_ASC,0),       "SXNET_get_id_asc"},
-{ERR_PACK(0,X509V3_F_SXNET_GET_ID_ULONG,0),     "SXNET_get_id_ulong"},
-{ERR_PACK(0,X509V3_F_V2I_ACCESS_DESCRIPTION,0), "V2I_ACCESS_DESCRIPTION"},
-{ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0),    "V2I_ASN1_BIT_STRING"},
-{ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0),    "V2I_AUTHORITY_KEYID"},
-{ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0),  "V2I_BASIC_CONSTRAINTS"},
-{ERR_PACK(0,X509V3_F_V2I_CRLD,0),       "V2I_CRLD"},
-{ERR_PACK(0,X509V3_F_V2I_EXT_KU,0),     "V2I_EXT_KU"},
-{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0),       "v2i_GENERAL_NAME"},
-{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0),      "v2i_GENERAL_NAMES"},
-{ERR_PACK(0,X509V3_F_V3_GENERIC_EXTENSION,0),   "V3_GENERIC_EXTENSION"},
-{ERR_PACK(0,X509V3_F_X509V3_ADD_I2D,0), "X509V3_ADD_I2D"},
-{ERR_PACK(0,X509V3_F_X509V3_ADD_VALUE,0),       "X509V3_add_value"},
-{ERR_PACK(0,X509V3_F_X509V3_EXT_ADD,0), "X509V3_EXT_add"},
-{ERR_PACK(0,X509V3_F_X509V3_EXT_ADD_ALIAS,0),   "X509V3_EXT_add_alias"},
-{ERR_PACK(0,X509V3_F_X509V3_EXT_CONF,0),        "X509V3_EXT_conf"},
-{ERR_PACK(0,X509V3_F_X509V3_EXT_I2D,0), "X509V3_EXT_i2d"},
-{ERR_PACK(0,X509V3_F_X509V3_GET_VALUE_BOOL,0),  "X509V3_get_value_bool"},
-{ERR_PACK(0,X509V3_F_X509V3_PARSE_LIST,0),      "X509V3_parse_list"},
-{ERR_PACK(0,X509V3_F_X509_PURPOSE_ADD,0),       "X509_PURPOSE_add"},
-{ERR_PACK(0,X509V3_F_X509_PURPOSE_SET,0),       "X509_PURPOSE_set"},
+{ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"},
+{ERR_FUNC(X509V3_F_COPY_ISSUER),        "COPY_ISSUER"},
+{ERR_FUNC(X509V3_F_DO_EXT_CONF),        "DO_EXT_CONF"},
+{ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"},
+{ERR_FUNC(X509V3_F_HEX_TO_STRING),      "hex_to_string"},
+{ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED),        "i2s_ASN1_ENUMERATED"},
+{ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"},
+{ERR_FUNC(X509V3_F_I2S_ASN1_INTEGER),   "i2s_ASN1_INTEGER"},
+{ERR_FUNC(X509V3_F_I2V_AUTHORITY_INFO_ACCESS),  "I2V_AUTHORITY_INFO_ACCESS"},
+{ERR_FUNC(X509V3_F_NOTICE_SECTION),     "NOTICE_SECTION"},
+{ERR_FUNC(X509V3_F_NREF_NOS),   "NREF_NOS"},
+{ERR_FUNC(X509V3_F_POLICY_SECTION),     "POLICY_SECTION"},
+{ERR_FUNC(X509V3_F_R2I_CERTPOL),        "R2I_CERTPOL"},
+{ERR_FUNC(X509V3_F_R2I_PCI),    "R2I_PCI"},
+{ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING), "S2I_ASN1_IA5STRING"},
+{ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER),   "s2i_ASN1_INTEGER"},
+{ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING),      "s2i_ASN1_OCTET_STRING"},
+{ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID),   "S2I_ASN1_SKEY_ID"},
+{ERR_FUNC(X509V3_F_S2I_S2I_SKEY_ID),    "S2I_S2I_SKEY_ID"},
+{ERR_FUNC(X509V3_F_STRING_TO_HEX),      "string_to_hex"},
+{ERR_FUNC(X509V3_F_SXNET_ADD_ASC),      "SXNET_ADD_ASC"},
+{ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER),       "SXNET_add_id_INTEGER"},
+{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG), "SXNET_add_id_ulong"},
+{ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC),   "SXNET_get_id_asc"},
+{ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG), "SXNET_get_id_ulong"},
+{ERR_FUNC(X509V3_F_V2I_ACCESS_DESCRIPTION),     "V2I_ACCESS_DESCRIPTION"},
+{ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING),        "V2I_ASN1_BIT_STRING"},
+{ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID),        "V2I_AUTHORITY_KEYID"},
+{ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS),      "V2I_BASIC_CONSTRAINTS"},
+{ERR_FUNC(X509V3_F_V2I_CRLD),   "V2I_CRLD"},
+{ERR_FUNC(X509V3_F_V2I_EXT_KU), "V2I_EXT_KU"},
+{ERR_FUNC(X509V3_F_V2I_GENERAL_NAME),   "v2i_GENERAL_NAME"},
+{ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES),  "v2i_GENERAL_NAMES"},
+{ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION),       "V3_GENERIC_EXTENSION"},
+{ERR_FUNC(X509V3_F_X509V3_ADD_I2D),     "X509V3_ADD_I2D"},
+{ERR_FUNC(X509V3_F_X509V3_ADD_VALUE),   "X509V3_add_value"},
+{ERR_FUNC(X509V3_F_X509V3_EXT_ADD),     "X509V3_EXT_add"},
+{ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS),       "X509V3_EXT_add_alias"},
+{ERR_FUNC(X509V3_F_X509V3_EXT_CONF),    "X509V3_EXT_conf"},
+{ERR_FUNC(X509V3_F_X509V3_EXT_I2D),     "X509V3_EXT_i2d"},
+{ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL),      "X509V3_get_value_bool"},
+{ERR_FUNC(X509V3_F_X509V3_PARSE_LIST),  "X509V3_parse_list"},
+{ERR_FUNC(X509V3_F_X509_PURPOSE_ADD),   "X509_PURPOSE_add"},
+{ERR_FUNC(X509V3_F_X509_PURPOSE_SET),   "X509_PURPOSE_set"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA X509V3_str_reasons[]=
         {
-{X509V3_R_BAD_IP_ADDRESS                 ,"bad ip address"},
-{X509V3_R_BAD_OBJECT                     ,"bad object"},
-{X509V3_R_BN_DEC2BN_ERROR                ,"bn dec2bn error"},
-{X509V3_R_BN_TO_ASN1_INTEGER_ERROR       ,"bn to asn1 integer error"},
-{X509V3_R_DUPLICATE_ZONE_ID              ,"duplicate zone id"},
-{X509V3_R_ERROR_CONVERTING_ZONE          ,"error converting zone"},
-{X509V3_R_ERROR_CREATING_EXTENSION       ,"error creating extension"},
-{X509V3_R_ERROR_IN_EXTENSION             ,"error in extension"},
-{X509V3_R_EXPECTED_A_SECTION_NAME        ,"expected a section name"},
-{X509V3_R_EXTENSION_EXISTS               ,"extension exists"},
-{X509V3_R_EXTENSION_NAME_ERROR           ,"extension name error"},
-{X509V3_R_EXTENSION_NOT_FOUND            ,"extension not found"},
-{X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"},
-{X509V3_R_EXTENSION_VALUE_ERROR          ,"extension value error"},
-{X509V3_R_ILLEGAL_HEX_DIGIT              ,"illegal hex digit"},
-{X509V3_R_INCORRECT_POLICY_SYNTAX_TAG    ,"incorrect policy syntax tag"},
-{X509V3_R_INVALID_BOOLEAN_STRING         ,"invalid boolean string"},
-{X509V3_R_INVALID_EXTENSION_STRING       ,"invalid extension string"},
-{X509V3_R_INVALID_NAME                   ,"invalid name"},
-{X509V3_R_INVALID_NULL_ARGUMENT          ,"invalid null argument"},
-{X509V3_R_INVALID_NULL_NAME              ,"invalid null name"},
-{X509V3_R_INVALID_NULL_VALUE             ,"invalid null value"},
-{X509V3_R_INVALID_NUMBER                 ,"invalid number"},
-{X509V3_R_INVALID_NUMBERS                ,"invalid numbers"},
-{X509V3_R_INVALID_OBJECT_IDENTIFIER      ,"invalid object identifier"},
-{X509V3_R_INVALID_OPTION                 ,"invalid option"},
-{X509V3_R_INVALID_POLICY_IDENTIFIER      ,"invalid policy identifier"},
-{X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER,"invalid proxy policy identifier"},
-{X509V3_R_INVALID_PROXY_POLICY_SETTING   ,"invalid proxy policy setting"},
-{X509V3_R_INVALID_PURPOSE                ,"invalid purpose"},
-{X509V3_R_INVALID_SECTION                ,"invalid section"},
-{X509V3_R_INVALID_SYNTAX                 ,"invalid syntax"},
-{X509V3_R_ISSUER_DECODE_ERROR            ,"issuer decode error"},
-{X509V3_R_MISSING_VALUE                  ,"missing value"},
-{X509V3_R_NEED_ORGANIZATION_AND_NUMBERS  ,"need organization and numbers"},
-{X509V3_R_NO_CONFIG_DATABASE             ,"no config database"},
-{X509V3_R_NO_ISSUER_CERTIFICATE          ,"no issuer certificate"},
-{X509V3_R_NO_ISSUER_DETAILS              ,"no issuer details"},
-{X509V3_R_NO_POLICY_IDENTIFIER           ,"no policy identifier"},
-{X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED,"no proxy cert policy language defined"},
-{X509V3_R_NO_PUBLIC_KEY                  ,"no public key"},
-{X509V3_R_NO_SUBJECT_DETAILS             ,"no subject details"},
-{X509V3_R_ODD_NUMBER_OF_DIGITS           ,"odd number of digits"},
-{X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED,"policy language alreadty defined"},
-{X509V3_R_POLICY_PATH_LENGTH             ,"policy path length"},
-{X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED,"policy path length alreadty defined"},
-{X509V3_R_POLICY_SYNTAX_NOT              ,"policy syntax not"},
-{X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED,"policy syntax not currently supported"},
-{X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY,"policy when proxy language requires no policy"},
-{X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS   ,"unable to get issuer details"},
-{X509V3_R_UNABLE_TO_GET_ISSUER_KEYID     ,"unable to get issuer keyid"},
-{X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT    ,"unknown bit string argument"},
-{X509V3_R_UNKNOWN_EXTENSION              ,"unknown extension"},
-{X509V3_R_UNKNOWN_EXTENSION_NAME         ,"unknown extension name"},
-{X509V3_R_UNKNOWN_OPTION                 ,"unknown option"},
-{X509V3_R_UNSUPPORTED_OPTION             ,"unsupported option"},
-{X509V3_R_USER_TOO_LONG                  ,"user too long"},
+{ERR_REASON(X509V3_R_BAD_IP_ADDRESS)     ,"bad ip address"},
+{ERR_REASON(X509V3_R_BAD_OBJECT)         ,"bad object"},
+{ERR_REASON(X509V3_R_BN_DEC2BN_ERROR)    ,"bn dec2bn error"},
+{ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR),"bn to asn1 integer error"},
+{ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID)  ,"duplicate zone id"},
+{ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE),"error converting zone"},
+{ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION),"error creating extension"},
+{ERR_REASON(X509V3_R_ERROR_IN_EXTENSION) ,"error in extension"},
+{ERR_REASON(X509V3_R_EXPECTED_A_SECTION_NAME),"expected a section name"},
+{ERR_REASON(X509V3_R_EXTENSION_EXISTS)   ,"extension exists"},
+{ERR_REASON(X509V3_R_EXTENSION_NAME_ERROR),"extension name error"},
+{ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND),"extension not found"},
+{ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED),"extension setting not supported"},
+{ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR),"extension value error"},
+{ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT)  ,"illegal hex digit"},
+{ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),"incorrect policy syntax tag"},
+{ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING),"invalid boolean string"},
+{ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING),"invalid extension string"},
+{ERR_REASON(X509V3_R_INVALID_NAME)       ,"invalid name"},
+{ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT),"invalid null argument"},
+{ERR_REASON(X509V3_R_INVALID_NULL_NAME)  ,"invalid null name"},
+{ERR_REASON(X509V3_R_INVALID_NULL_VALUE) ,"invalid null value"},
+{ERR_REASON(X509V3_R_INVALID_NUMBER)     ,"invalid number"},
+{ERR_REASON(X509V3_R_INVALID_NUMBERS)    ,"invalid numbers"},
+{ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER),"invalid object identifier"},
+{ERR_REASON(X509V3_R_INVALID_OPTION)     ,"invalid option"},
+{ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER),"invalid policy identifier"},
+{ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER),"invalid proxy policy identifier"},
+{ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING),"invalid proxy policy setting"},
+{ERR_REASON(X509V3_R_INVALID_PURPOSE)    ,"invalid purpose"},
+{ERR_REASON(X509V3_R_INVALID_SECTION)    ,"invalid section"},
+{ERR_REASON(X509V3_R_INVALID_SYNTAX)     ,"invalid syntax"},
+{ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR),"issuer decode error"},
+{ERR_REASON(X509V3_R_MISSING_VALUE)      ,"missing value"},
+{ERR_REASON(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS),"need organization and numbers"},
+{ERR_REASON(X509V3_R_NO_CONFIG_DATABASE) ,"no config database"},
+{ERR_REASON(X509V3_R_NO_ISSUER_CERTIFICATE),"no issuer certificate"},
+{ERR_REASON(X509V3_R_NO_ISSUER_DETAILS)  ,"no issuer details"},
+{ERR_REASON(X509V3_R_NO_POLICY_IDENTIFIER),"no policy identifier"},
+{ERR_REASON(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED),"no proxy cert policy language defined"},
+{ERR_REASON(X509V3_R_NO_PUBLIC_KEY)      ,"no public key"},
+{ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) ,"no subject details"},
+{ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS),"odd number of digits"},
+{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED),"policy language alreadty defined"},
+{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) ,"policy path length"},
+{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED),"policy path length alreadty defined"},
+{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT)  ,"policy syntax not"},
+{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED),"policy syntax not currently supported"},
+{ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY),"policy when proxy language requires no policy"},
+{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS),"unable to get issuer details"},
+{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID),"unable to get issuer keyid"},
+{ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT),"unknown bit string argument"},
+{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION)  ,"unknown extension"},
+{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME),"unknown extension name"},
+{ERR_REASON(X509V3_R_UNKNOWN_OPTION)     ,"unknown option"},
+{ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) ,"unsupported option"},
+{ERR_REASON(X509V3_R_USER_TOO_LONG)      ,"user too long"},
 {0,NULL}
         };
 
@@ -185,8 +189,8 @@ void ERR_load_X509V3_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_X509V3,X509V3_str_functs);
-                ERR_load_strings(ERR_LIB_X509V3,X509V3_str_reasons);
+                ERR_load_strings(0,X509V3_str_functs);
+                ERR_load_strings(0,X509V3_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libssl/LICENSE b/src/lib/libssl/LICENSE
index 40277883a5..e6afecc724 100644
--- a/src/lib/libssl/LICENSE
+++ b/src/lib/libssl/LICENSE
@@ -12,7 +12,7 @@
   ---------------
 
 /* ====================================================================
- * Copyright (c) 1998-2004 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index 779e94a35c..86356731ea 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -106,7 +106,7 @@ SSL_METHOD *SSLv23_client_method(void)
 int ssl23_connect(SSL *s)
         {
         BUF_MEM *buf=NULL;
-        unsigned long Time=time(NULL);
+        unsigned long Time=(unsigned long)time(NULL);
         void (*cb)(const SSL *ssl,int type,int val)=NULL;
         int ret= -1;
         int new_state,state;
@@ -220,9 +220,28 @@ static int ssl23_client_hello(SSL *s)
         {
         unsigned char *buf;
         unsigned char *p,*d;
-        int i,ch_len;
+        int i,j,ch_len;
+        unsigned long Time,l;
+        int ssl2_compat;
+        int version = 0, version_major, version_minor;
+        SSL_COMP *comp;
         int ret;
 
+        ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1;
+
+        if (!(s->options & SSL_OP_NO_TLSv1))
+                {
+                version = TLS1_VERSION;
+                }
+        else if (!(s->options & SSL_OP_NO_SSLv3))
+                {
+                version = SSL3_VERSION;
+                }
+        else if (!(s->options & SSL_OP_NO_SSLv2))
+                {
+                version = SSL2_VERSION;
+                }
+
         buf=(unsigned char *)s->init_buf->data;
         if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
                 {
@@ -235,19 +254,15 @@ static int ssl23_client_hello(SSL *s)
 #endif
 
                 p=s->s3->client_random;
-                if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE) <= 0)
-                    return -1;
-
-                /* Do the message type and length last */
-                d= &(buf[2]);
-                p=d+9;
+                Time=(unsigned long)time(NULL);                 /* Time */
+                l2n(Time,p);
+                if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+                        return -1;
 
-                *(d++)=SSL2_MT_CLIENT_HELLO;
-                if (!(s->options & SSL_OP_NO_TLSv1))
+                if (version == TLS1_VERSION)
                         {
-                        *(d++)=TLS1_VERSION_MAJOR;
-                        *(d++)=TLS1_VERSION_MINOR;
-                        s->client_version=TLS1_VERSION;
+                        version_major = TLS1_VERSION_MAJOR;
+                        version_minor = TLS1_VERSION_MINOR;
                         }
 #ifdef OPENSSL_FIPS
                 else if(FIPS_mode())
@@ -257,17 +272,15 @@ static int ssl23_client_hello(SSL *s)
                         return -1;
                         }
 #endif
-                else if (!(s->options & SSL_OP_NO_SSLv3))
+                else if (version == SSL3_VERSION)
                         {
-                        *(d++)=SSL3_VERSION_MAJOR;
-                        *(d++)=SSL3_VERSION_MINOR;
-                        s->client_version=SSL3_VERSION;
+                        version_major = SSL3_VERSION_MAJOR;
+                        version_minor = SSL3_VERSION_MINOR;
                         }
-                else if (!(s->options & SSL_OP_NO_SSLv2))
+                else if (version == SSL2_VERSION)
                         {
-                        *(d++)=SSL2_VERSION_MAJOR;
-                        *(d++)=SSL2_VERSION_MINOR;
-                        s->client_version=SSL2_VERSION;
+                        version_major = SSL2_VERSION_MAJOR;
+                        version_minor = SSL2_VERSION_MINOR;
                         }
                 else
                         {
@@ -275,59 +288,153 @@ static int ssl23_client_hello(SSL *s)
                         return(-1);
                         }
 
-                /* Ciphers supported */
-                i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),p);
-                if (i == 0)
+                s->client_version = version;
+
+                if (ssl2_compat)
                         {
-                        /* no ciphers */
-                        SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
-                        return(-1);
-                        }
-                s2n(i,d);
-                p+=i;
+                        /* create SSL 2.0 compatible Client Hello */
+
+                        /* two byte record header will be written last */
+                        d = &(buf[2]);
+                        p = d + 9; /* leave space for message type, version, individual length fields */
 
-                /* put in the session-id, zero since there is no
-                 * reuse. */
+                        *(d++) = SSL2_MT_CLIENT_HELLO;
+                        *(d++) = version_major;
+                        *(d++) = version_minor;
+                        
+                        /* Ciphers supported */
+                        i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),p,0);
+                        if (i == 0)
+                                {
+                                /* no ciphers */
+                                SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
+                                return -1;
+                                }
+                        s2n(i,d);
+                        p+=i;
+                        
+                        /* put in the session-id length (zero since there is no reuse) */
 #if 0
-                s->session->session_id_length=0;
+                        s->session->session_id_length=0;
 #endif
-                s2n(0,d);
-
-                if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
-                        ch_len=SSL2_CHALLENGE_LENGTH;
+                        s2n(0,d);
+
+                        if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
+                                ch_len=SSL2_CHALLENGE_LENGTH;
+                        else
+                                ch_len=SSL2_MAX_CHALLENGE_LENGTH;
+
+                        /* write out sslv2 challenge */
+                        if (SSL3_RANDOM_SIZE < ch_len)
+                                i=SSL3_RANDOM_SIZE;
+                        else
+                                i=ch_len;
+                        s2n(i,d);
+                        memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
+                        if (RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i) <= 0)
+                                return -1;
+
+                        memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
+                        p+=i;
+
+                        i= p- &(buf[2]);
+                        buf[0]=((i>>8)&0xff)|0x80;
+                        buf[1]=(i&0xff);
+
+                        /* number of bytes to write */
+                        s->init_num=i+2;
+                        s->init_off=0;
+
+                        ssl3_finish_mac(s,&(buf[2]),i);
+                        }
                 else
-                        ch_len=SSL2_MAX_CHALLENGE_LENGTH;
+                        {
+                        /* create Client Hello in SSL 3.0/TLS 1.0 format */
 
-                /* write out sslv2 challenge */
-                if (SSL3_RANDOM_SIZE < ch_len)
-                        i=SSL3_RANDOM_SIZE;
-                else
-                        i=ch_len;
-                s2n(i,d);
-                memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
-                if(RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i) <= 0)
-                        return -1;
+                        /* do the record header (5 bytes) and handshake message header (4 bytes) last */
+                        d = p = &(buf[9]);
+                        
+                        *(p++) = version_major;
+                        *(p++) = version_minor;
+
+                        /* Random stuff */
+                        memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
+                        p += SSL3_RANDOM_SIZE;
+
+                        /* Session ID (zero since there is no reuse) */
+                        *(p++) = 0;
+
+                        /* Ciphers supported (using SSL 3.0/TLS 1.0 format) */
+                        i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),ssl3_put_cipher_by_char);
+                        if (i == 0)
+                                {
+                                SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
+                                return -1;
+                                }
+                        s2n(i,p);
+                        p+=i;
+
+                        /* COMPRESSION */
+                        if (s->ctx->comp_methods == NULL)
+                                j=0;
+                        else
+                                j=sk_SSL_COMP_num(s->ctx->comp_methods);
+                        *(p++)=1+j;
+                        for (i=0; i<j; i++)
+                                {
+                                comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
+                                *(p++)=comp->id;
+                                }
+                        *(p++)=0; /* Add the NULL method */
+                        
+                        l = p-d;
+                        *p = 42;
 
-                memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
-                p+=i;
+                        /* fill in 4-byte handshake header */
+                        d=&(buf[5]);
+                        *(d++)=SSL3_MT_CLIENT_HELLO;
+                        l2n3(l,d);
 
-                i= p- &(buf[2]);
-                buf[0]=((i>>8)&0xff)|0x80;
-                buf[1]=(i&0xff);
+                        l += 4;
+
+                        if (l > SSL3_RT_MAX_PLAIN_LENGTH)
+                                {
+                                SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
+                                return -1;
+                                }
+                        
+                        /* fill in 5-byte record header */
+                        d=buf;
+                        *(d++) = SSL3_RT_HANDSHAKE;
+                        *(d++) = version_major;
+                        *(d++) = version_minor; /* arguably we should send the *lowest* suported version here
+                                                 * (indicating, e.g., TLS 1.0 in "SSL 3.0 format") */
+                        s2n((int)l,d);
+
+                        /* number of bytes to write */
+                        s->init_num=p-buf;
+                        s->init_off=0;
+
+                        ssl3_finish_mac(s,&(buf[5]), s->init_num - 5);
+                        }
 
                 s->state=SSL23_ST_CW_CLNT_HELLO_B;
-                /* number of bytes to write */
-                s->init_num=i+2;
                 s->init_off=0;
-
-                ssl3_finish_mac(s,&(buf[2]),i);
                 }
 
         /* SSL3_ST_CW_CLNT_HELLO_B */
         ret = ssl23_write_bytes(s);
-        if (ret >= 2)
-                if (s->msg_callback)
-                        s->msg_callback(1, SSL2_VERSION, 0, s->init_buf->data+2, ret-2, s, s->msg_callback_arg); /* CLIENT-HELLO */
+
+        if ((ret >= 2) && s->msg_callback)
+                {
+                /* Client Hello has been sent; tell msg_callback */
+
+                if (ssl2_compat)
+                        s->msg_callback(1, SSL2_VERSION, 0, s->init_buf->data+2, ret-2, s, s->msg_callback_arg);
+                else
+                        s->msg_callback(1, version, SSL3_RT_HANDSHAKE, s->init_buf->data+5, ret-5, s, s->msg_callback_arg);
+                }
+
         return ret;
         }
 
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index 92f3391f60..b73abc448f 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -158,7 +158,7 @@ SSL_METHOD *SSLv23_server_method(void)
 int ssl23_accept(SSL *s)
         {
         BUF_MEM *buf;
-        unsigned long Time=time(NULL);
+        unsigned long Time=(unsigned long)time(NULL);
         void (*cb)(const SSL *ssl,int type,int val)=NULL;
         int ret= -1;
         int new_state,state;
@@ -268,9 +268,6 @@ int ssl23_get_client_hello(SSL *s)
         int n=0,j;
         int type=0;
         int v[2];
-#ifndef OPENSSL_NO_RSA
-        int use_sslv2_strong=0;
-#endif
 
         if (s->state == SSL23_ST_SR_CLNT_HELLO_A)
                 {
@@ -528,9 +525,7 @@ int ssl23_get_client_hello(SSL *s)
                         }
 
                 s->state=SSL2_ST_GET_CLIENT_HELLO_A;
-                if ((s->options & SSL_OP_MSIE_SSLV2_RSA_PADDING) ||
-                        use_sslv2_strong ||
-                        (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3))
+                if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)
                         s->s2->ssl2_rollback=0;
                 else
                         /* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 0969476b25..05194fdb31 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -165,7 +165,7 @@ SSL_METHOD *SSLv3_client_method(void)
 int ssl3_connect(SSL *s)
         {
         BUF_MEM *buf=NULL;
-        unsigned long Time=time(NULL),l;
+        unsigned long Time=(unsigned long)time(NULL),l;
         long num1;
         void (*cb)(const SSL *ssl,int type,int val)=NULL;
         int ret= -1;
@@ -533,7 +533,7 @@ static int ssl3_client_hello(SSL *s)
                 /* else use the pre-loaded session */
 
                 p=s->s3->client_random;
-                Time=time(NULL);                        /* Time */
+                Time=(unsigned long)time(NULL);                 /* Time */
                 l2n(Time,p);
                 if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
                     goto err;
@@ -567,7 +567,7 @@ static int ssl3_client_hello(SSL *s)
                         }
                 
                 /* Ciphers supported */
-                i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]));
+                i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
                 if (i == 0)
                         {
                         SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 9bf1dbec06..a77588e725 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -835,7 +835,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             TLS1_TXT_RSA_WITH_AES_128_SHA,
             TLS1_CK_RSA_WITH_AES_128_SHA,
             SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
-            SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
+            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
             0,
             128,
             128,
@@ -848,7 +848,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
             TLS1_CK_DH_DSS_WITH_AES_128_SHA,
             SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
+            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
             0,
             128,
             128,
@@ -861,7 +861,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
             TLS1_CK_DH_RSA_WITH_AES_128_SHA,
             SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
+            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
             0,
             128,
             128,
@@ -874,7 +874,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
             TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
             SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
+            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
             0,
             128,
             128,
@@ -887,7 +887,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
             TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
             SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
+            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
             0,
             128,
             128,
@@ -900,7 +900,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             TLS1_TXT_ADH_WITH_AES_128_SHA,
             TLS1_CK_ADH_WITH_AES_128_SHA,
             SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
+            SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
             0,
             128,
             128,
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index c4a1a71523..36fc39d7f8 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -173,7 +173,7 @@ SSL_METHOD *SSLv3_server_method(void)
 int ssl3_accept(SSL *s)
         {
         BUF_MEM *buf;
-        unsigned long l,Time=time(NULL);
+        unsigned long l,Time=(unsigned long)time(NULL);
         void (*cb)(const SSL *ssl,int type,int val)=NULL;
         long num1;
         int ret= -1;
@@ -954,7 +954,7 @@ static int ssl3_send_server_hello(SSL *s)
                 {
                 buf=(unsigned char *)s->init_buf->data;
                 p=s->s3->server_random;
-                Time=time(NULL);                        /* Time */
+                Time=(unsigned long)time(NULL);                 /* Time */
                 l2n(Time,p);
                 if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
                         return -1;
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 3161f532cf..99e188086b 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -467,7 +467,7 @@ typedef struct ssl_session_st
 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG         0x00000008L
 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              0x00000010L
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               0x00000020L
-#define SSL_OP_MSIE_SSLV2_RSA_PADDING                   0x00000040L
+#define SSL_OP_MSIE_SSLV2_RSA_PADDING                   0x00000040L /* no effect since 0.9.7h and 0.9.8b */
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                 0x00000080L
 #define SSL_OP_TLS_D5_BUG                               0x00000100L
 #define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x00000200L
@@ -1567,6 +1567,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_CTRL                                   232
 #define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY                  168
 #define SSL_F_SSL_CTX_NEW                                169
+#define SSL_F_SSL_CTX_SET_CIPHER_LIST                    269
 #define SSL_F_SSL_CTX_SET_PURPOSE                        226
 #define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT             219
 #define SSL_F_SSL_CTX_SET_SSL_VERSION                    170
@@ -1596,6 +1597,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_SESSION_PRINT_FP                       190
 #define SSL_F_SSL_SESS_CERT_NEW                          225
 #define SSL_F_SSL_SET_CERT                               191
+#define SSL_F_SSL_SET_CIPHER_LIST                        271
 #define SSL_F_SSL_SET_FD                                 192
 #define SSL_F_SSL_SET_PKEY                               193
 #define SSL_F_SSL_SET_PURPOSE                            227
@@ -1674,40 +1676,39 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED              145
 #define SSL_R_DATA_LENGTH_TOO_LONG                       146
 #define SSL_R_DECRYPTION_FAILED                          147
-#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC        1109
+#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC        281
 #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG            148
 #define SSL_R_DIGEST_CHECK_FAILED                        149
 #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG                  150
-#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY               1092
+#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY               282
 #define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST              151
 #define SSL_R_EXCESSIVE_MESSAGE_SIZE                     152
 #define SSL_R_EXTRA_DATA_IN_MESSAGE                      153
 #define SSL_R_GOT_A_FIN_BEFORE_A_CCS                     154
 #define SSL_R_HTTPS_PROXY_REQUEST                        155
 #define SSL_R_HTTP_REQUEST                               156
-#define SSL_R_ILLEGAL_PADDING                            1110
+#define SSL_R_ILLEGAL_PADDING                            283
 #define SSL_R_INVALID_CHALLENGE_LENGTH                   158
 #define SSL_R_INVALID_COMMAND                            280
 #define SSL_R_INVALID_PURPOSE                            278
 #define SSL_R_INVALID_TRUST                              279
-#define SSL_R_KEY_ARG_TOO_LONG                           1112
-#define SSL_R_KRB5                                       1104
-#define SSL_R_KRB5_C_CC_PRINC                            1094
-#define SSL_R_KRB5_C_GET_CRED                            1095
-#define SSL_R_KRB5_C_INIT                                1096
-#define SSL_R_KRB5_C_MK_REQ                              1097
-#define SSL_R_KRB5_S_BAD_TICKET                          1098
-#define SSL_R_KRB5_S_INIT                                1099
-#define SSL_R_KRB5_S_RD_REQ                              1108
-#define SSL_R_KRB5_S_TKT_EXPIRED                         1105
-#define SSL_R_KRB5_S_TKT_NYV                             1106
-#define SSL_R_KRB5_S_TKT_SKEW                            1107
+#define SSL_R_KEY_ARG_TOO_LONG                           284
+#define SSL_R_KRB5                                       285
+#define SSL_R_KRB5_C_CC_PRINC                            286
+#define SSL_R_KRB5_C_GET_CRED                            287
+#define SSL_R_KRB5_C_INIT                                288
+#define SSL_R_KRB5_C_MK_REQ                              289
+#define SSL_R_KRB5_S_BAD_TICKET                          290
+#define SSL_R_KRB5_S_INIT                                291
+#define SSL_R_KRB5_S_RD_REQ                              292
+#define SSL_R_KRB5_S_TKT_EXPIRED                         293
+#define SSL_R_KRB5_S_TKT_NYV                             294
+#define SSL_R_KRB5_S_TKT_SKEW                            295
 #define SSL_R_LENGTH_MISMATCH                            159
 #define SSL_R_LENGTH_TOO_SHORT                           160
 #define SSL_R_LIBRARY_BUG                                274
 #define SSL_R_LIBRARY_HAS_NO_CIPHERS                     161
-#define SSL_R_MASTER_KEY_TOO_LONG                        1112
-#define SSL_R_MESSAGE_TOO_LONG                           1111
+#define SSL_R_MESSAGE_TOO_LONG                           296
 #define SSL_R_MISSING_DH_DSA_CERT                        162
 #define SSL_R_MISSING_DH_KEY                             163
 #define SSL_R_MISSING_DH_RSA_CERT                        164
@@ -1744,7 +1745,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_NULL_SSL_CTX                               195
 #define SSL_R_NULL_SSL_METHOD_PASSED                     196
 #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED            197
-#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE              1115
+#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE              297
 #define SSL_R_PACKET_LENGTH_TOO_LONG                     198
 #define SSL_R_PATH_TOO_LONG                              270
 #define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE          199
@@ -1763,7 +1764,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_READ_WRONG_PACKET_TYPE                     212
 #define SSL_R_RECORD_LENGTH_MISMATCH                     213
 #define SSL_R_RECORD_TOO_LARGE                           214
-#define SSL_R_RECORD_TOO_SMALL                           1093
+#define SSL_R_RECORD_TOO_SMALL                           298
 #define SSL_R_REQUIRED_CIPHER_MISSING                    215
 #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO                 216
 #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO                   217
@@ -1772,8 +1773,8 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_SHORT_READ                                 219
 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE      220
 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE               221
-#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG                1114
-#define SSL_R_SSL3_SESSION_ID_TOO_LONG                   1113
+#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG                299
+#define SSL_R_SSL3_SESSION_ID_TOO_LONG                   300
 #define SSL_R_SSL3_SESSION_ID_TOO_SHORT                  222
 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE                1042
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC                 1020
@@ -1784,20 +1785,15 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE              1040
 #define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER              1047
 #define SSL_R_SSLV3_ALERT_NO_CERTIFICATE                 1041
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE         223
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE      224
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER           225
-#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 226
 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE             1010
-#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE      227
 #define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE        1043
 #define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION         228
 #define SSL_R_SSL_HANDSHAKE_FAILURE                      229
 #define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS                 230
-#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED             1102
-#define SSL_R_SSL_SESSION_ID_CONFLICT                    1103
+#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED             301
+#define SSL_R_SSL_SESSION_ID_CONFLICT                    302
 #define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG            273
-#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH              1101
+#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH              303
 #define SSL_R_SSL_SESSION_ID_IS_DIFFERENT                231
 #define SSL_R_TLSV1_ALERT_ACCESS_DENIED                  1049
 #define SSL_R_TLSV1_ALERT_DECODE_ERROR                   1050
@@ -1838,7 +1834,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_UNKNOWN_STATE                              255
 #define SSL_R_UNSUPPORTED_CIPHER                         256
 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM          257
-#define SSL_R_UNSUPPORTED_OPTION                         1091
 #define SSL_R_UNSUPPORTED_PROTOCOL                       258
 #define SSL_R_UNSUPPORTED_SSL_VERSION                    259
 #define SSL_R_WRITE_BIO_NOT_SET                          260
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
index 4d5900ad2f..fc5fcce108 100644
--- a/src/lib/libssl/ssl_asn1.c
+++ b/src/lib/libssl/ssl_asn1.c
@@ -344,7 +344,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char * const *pp,
                 OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
                 }
         else
-                ret->time=time(NULL);
+                ret->time=(unsigned long)time(NULL);
 
         ai.length=0;
         M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,2);
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index b8b9bc2390..b779e6bb4d 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -616,14 +616,13 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
         BIO *in;
         X509 *x=NULL;
         X509_NAME *xn=NULL;
-        STACK_OF(X509_NAME) *ret,*sk;
+        STACK_OF(X509_NAME) *ret = NULL,*sk;
 
-        ret=sk_X509_NAME_new_null();
         sk=sk_X509_NAME_new(xname_cmp);
 
         in=BIO_new(BIO_s_file_internal());
 
-        if ((ret == NULL) || (sk == NULL) || (in == NULL))
+        if ((sk == NULL) || (in == NULL))
                 {
                 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
                 goto err;
@@ -636,6 +635,15 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
                 {
                 if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
                         break;
+                if (ret == NULL)
+                        {
+                        ret = sk_X509_NAME_new_null();
+                        if (ret == NULL)
+                                {
+                                SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
+                                goto err;
+                                }
+                        }
                 if ((xn=X509_get_subject_name(x)) == NULL) goto err;
                 /* check for duplicates */
                 xn=X509_NAME_dup(xn);
@@ -658,6 +666,8 @@ err:
         if (sk != NULL) sk_X509_NAME_free(sk);
         if (in != NULL) BIO_free(in);
         if (x != NULL) X509_free(x);
+        if (ret != NULL)
+                ERR_clear_error();
         return(ret);
         }
 #endif
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index b68ed81e52..3df5e2fa80 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -700,9 +700,18 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                         if (!found)
                                 break;  /* ignore this entry */
 
-                        algorithms |= ca_list[j]->algorithms;
+                        /* New algorithms:
+                         *  1 - any old restrictions apply outside new mask
+                         *  2 - any new restrictions apply outside old mask
+                         *  3 - enforce old & new where masks intersect
+                         */
+                        algorithms = (algorithms & ~ca_list[j]->mask) |         /* 1 */
+                                     (ca_list[j]->algorithms & ~mask) |         /* 2 */
+                                     (algorithms & ca_list[j]->algorithms);     /* 3 */
                         mask |= ca_list[j]->mask;
-                        algo_strength |= ca_list[j]->algo_strength;
+                        algo_strength = (algo_strength & ~ca_list[j]->mask_strength) |
+                                        (ca_list[j]->algo_strength & ~mask_strength) |
+                                        (algo_strength & ca_list[j]->algo_strength);
                         mask_strength |= ca_list[j]->mask_strength;
 
                         if (!multi) break;
@@ -756,7 +765,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
         {
         int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
         unsigned long disabled_mask;
-        STACK_OF(SSL_CIPHER) *cipherstack;
+        STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
         const char *rule_p;
         CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
         SSL_CIPHER **ca_list = NULL;
@@ -764,7 +773,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
         /*
          * Return with error if nothing to do.
          */
-        if (rule_str == NULL) return(NULL);
+        if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
+                return NULL;
 
         if (init_ciphers)
                 {
@@ -875,46 +885,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
                 }
         OPENSSL_free(co_list);  /* Not needed any longer */
 
-        /*
-         * The following passage is a little bit odd. If pointer variables
-         * were supplied to hold STACK_OF(SSL_CIPHER) return information,
-         * the old memory pointed to is free()ed. Then, however, the
-         * cipher_list entry will be assigned just a copy of the returned
-         * cipher stack. For cipher_list_by_id a copy of the cipher stack
-         * will be created. See next comment...
-         */
-        if (cipher_list != NULL)
-                {
-                if (*cipher_list != NULL)
-                        sk_SSL_CIPHER_free(*cipher_list);
-                *cipher_list = cipherstack;
-                }
-
-        if (cipher_list_by_id != NULL)
-                {
-                if (*cipher_list_by_id != NULL)
-                        sk_SSL_CIPHER_free(*cipher_list_by_id);
-                *cipher_list_by_id = sk_SSL_CIPHER_dup(cipherstack);
-                }
-
-        /*
-         * Now it is getting really strange. If something failed during
-         * the previous pointer assignment or if one of the pointers was
-         * not requested, the error condition is met. That might be
-         * discussable. The strange thing is however that in this case
-         * the memory "ret" pointed to is "free()ed" and hence the pointer
-         * cipher_list becomes wild. The memory reserved for
-         * cipher_list_by_id however is not "free()ed" and stays intact.
-         */
-        if (    (cipher_list_by_id == NULL) ||
-                (*cipher_list_by_id == NULL) ||
-                (cipher_list == NULL) ||
-                (*cipher_list == NULL))
+        tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
+        if (tmp_cipher_list == NULL)
                 {
                 sk_SSL_CIPHER_free(cipherstack);
-                return(NULL);
+                return NULL;
                 }
-
+        if (*cipher_list != NULL)
+                sk_SSL_CIPHER_free(*cipher_list);
+        *cipher_list = cipherstack;
+        if (*cipher_list_by_id != NULL)
+                sk_SSL_CIPHER_free(*cipher_list_by_id);
+        *cipher_list_by_id = tmp_cipher_list;
         sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
 
         return(cipherstack);
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index 29b8ff4788..4bcf591298 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -64,384 +64,383 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_SSL,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_SSL,0,reason)
+
 static ERR_STRING_DATA SSL_str_functs[]=
         {
-{ERR_PACK(0,SSL_F_CLIENT_CERTIFICATE,0),        "CLIENT_CERTIFICATE"},
-{ERR_PACK(0,SSL_F_CLIENT_FINISHED,0),   "CLIENT_FINISHED"},
-{ERR_PACK(0,SSL_F_CLIENT_HELLO,0),      "CLIENT_HELLO"},
-{ERR_PACK(0,SSL_F_CLIENT_MASTER_KEY,0), "CLIENT_MASTER_KEY"},
-{ERR_PACK(0,SSL_F_D2I_SSL_SESSION,0),   "d2i_SSL_SESSION"},
-{ERR_PACK(0,SSL_F_DO_SSL3_WRITE,0),     "DO_SSL3_WRITE"},
-{ERR_PACK(0,SSL_F_GET_CLIENT_FINISHED,0),       "GET_CLIENT_FINISHED"},
-{ERR_PACK(0,SSL_F_GET_CLIENT_HELLO,0),  "GET_CLIENT_HELLO"},
-{ERR_PACK(0,SSL_F_GET_CLIENT_MASTER_KEY,0),     "GET_CLIENT_MASTER_KEY"},
-{ERR_PACK(0,SSL_F_GET_SERVER_FINISHED,0),       "GET_SERVER_FINISHED"},
-{ERR_PACK(0,SSL_F_GET_SERVER_HELLO,0),  "GET_SERVER_HELLO"},
-{ERR_PACK(0,SSL_F_GET_SERVER_VERIFY,0), "GET_SERVER_VERIFY"},
-{ERR_PACK(0,SSL_F_I2D_SSL_SESSION,0),   "i2d_SSL_SESSION"},
-{ERR_PACK(0,SSL_F_READ_N,0),    "READ_N"},
-{ERR_PACK(0,SSL_F_REQUEST_CERTIFICATE,0),       "REQUEST_CERTIFICATE"},
-{ERR_PACK(0,SSL_F_SERVER_FINISH,0),     "SERVER_FINISH"},
-{ERR_PACK(0,SSL_F_SERVER_HELLO,0),      "SERVER_HELLO"},
-{ERR_PACK(0,SSL_F_SERVER_VERIFY,0),     "SERVER_VERIFY"},
-{ERR_PACK(0,SSL_F_SSL23_ACCEPT,0),      "SSL23_ACCEPT"},
-{ERR_PACK(0,SSL_F_SSL23_CLIENT_HELLO,0),        "SSL23_CLIENT_HELLO"},
-{ERR_PACK(0,SSL_F_SSL23_CONNECT,0),     "SSL23_CONNECT"},
-{ERR_PACK(0,SSL_F_SSL23_GET_CLIENT_HELLO,0),    "SSL23_GET_CLIENT_HELLO"},
-{ERR_PACK(0,SSL_F_SSL23_GET_SERVER_HELLO,0),    "SSL23_GET_SERVER_HELLO"},
-{ERR_PACK(0,SSL_F_SSL23_PEEK,0),        "SSL23_PEEK"},
-{ERR_PACK(0,SSL_F_SSL23_READ,0),        "SSL23_READ"},
-{ERR_PACK(0,SSL_F_SSL23_WRITE,0),       "SSL23_WRITE"},
-{ERR_PACK(0,SSL_F_SSL2_ACCEPT,0),       "SSL2_ACCEPT"},
-{ERR_PACK(0,SSL_F_SSL2_CONNECT,0),      "SSL2_CONNECT"},
-{ERR_PACK(0,SSL_F_SSL2_ENC_INIT,0),     "SSL2_ENC_INIT"},
-{ERR_PACK(0,SSL_F_SSL2_GENERATE_KEY_MATERIAL,0),        "SSL2_GENERATE_KEY_MATERIAL"},
-{ERR_PACK(0,SSL_F_SSL2_PEEK,0), "SSL2_PEEK"},
-{ERR_PACK(0,SSL_F_SSL2_READ,0), "SSL2_READ"},
-{ERR_PACK(0,SSL_F_SSL2_READ_INTERNAL,0),        "SSL2_READ_INTERNAL"},
-{ERR_PACK(0,SSL_F_SSL2_SET_CERTIFICATE,0),      "SSL2_SET_CERTIFICATE"},
-{ERR_PACK(0,SSL_F_SSL2_WRITE,0),        "SSL2_WRITE"},
-{ERR_PACK(0,SSL_F_SSL3_ACCEPT,0),       "SSL3_ACCEPT"},
-{ERR_PACK(0,SSL_F_SSL3_CALLBACK_CTRL,0),        "SSL3_CALLBACK_CTRL"},
-{ERR_PACK(0,SSL_F_SSL3_CHANGE_CIPHER_STATE,0),  "SSL3_CHANGE_CIPHER_STATE"},
-{ERR_PACK(0,SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,0),     "SSL3_CHECK_CERT_AND_ALGORITHM"},
-{ERR_PACK(0,SSL_F_SSL3_CLIENT_HELLO,0), "SSL3_CLIENT_HELLO"},
-{ERR_PACK(0,SSL_F_SSL3_CONNECT,0),      "SSL3_CONNECT"},
-{ERR_PACK(0,SSL_F_SSL3_CTRL,0), "SSL3_CTRL"},
-{ERR_PACK(0,SSL_F_SSL3_CTX_CTRL,0),     "SSL3_CTX_CTRL"},
-{ERR_PACK(0,SSL_F_SSL3_ENC,0),  "SSL3_ENC"},
-{ERR_PACK(0,SSL_F_SSL3_GENERATE_KEY_BLOCK,0),   "SSL3_GENERATE_KEY_BLOCK"},
-{ERR_PACK(0,SSL_F_SSL3_GET_CERTIFICATE_REQUEST,0),      "SSL3_GET_CERTIFICATE_REQUEST"},
-{ERR_PACK(0,SSL_F_SSL3_GET_CERT_VERIFY,0),      "SSL3_GET_CERT_VERIFY"},
-{ERR_PACK(0,SSL_F_SSL3_GET_CLIENT_CERTIFICATE,0),       "SSL3_GET_CLIENT_CERTIFICATE"},
-{ERR_PACK(0,SSL_F_SSL3_GET_CLIENT_HELLO,0),     "SSL3_GET_CLIENT_HELLO"},
-{ERR_PACK(0,SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,0),      "SSL3_GET_CLIENT_KEY_EXCHANGE"},
-{ERR_PACK(0,SSL_F_SSL3_GET_FINISHED,0), "SSL3_GET_FINISHED"},
-{ERR_PACK(0,SSL_F_SSL3_GET_KEY_EXCHANGE,0),     "SSL3_GET_KEY_EXCHANGE"},
-{ERR_PACK(0,SSL_F_SSL3_GET_MESSAGE,0),  "SSL3_GET_MESSAGE"},
-{ERR_PACK(0,SSL_F_SSL3_GET_RECORD,0),   "SSL3_GET_RECORD"},
-{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_CERTIFICATE,0),       "SSL3_GET_SERVER_CERTIFICATE"},
-{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_DONE,0),      "SSL3_GET_SERVER_DONE"},
-{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_HELLO,0),     "SSL3_GET_SERVER_HELLO"},
-{ERR_PACK(0,SSL_F_SSL3_OUTPUT_CERT_CHAIN,0),    "SSL3_OUTPUT_CERT_CHAIN"},
-{ERR_PACK(0,SSL_F_SSL3_PEEK,0), "SSL3_PEEK"},
-{ERR_PACK(0,SSL_F_SSL3_READ_BYTES,0),   "SSL3_READ_BYTES"},
-{ERR_PACK(0,SSL_F_SSL3_READ_N,0),       "SSL3_READ_N"},
-{ERR_PACK(0,SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,0),     "SSL3_SEND_CERTIFICATE_REQUEST"},
-{ERR_PACK(0,SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,0),      "SSL3_SEND_CLIENT_CERTIFICATE"},
-{ERR_PACK(0,SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,0),     "SSL3_SEND_CLIENT_KEY_EXCHANGE"},
-{ERR_PACK(0,SSL_F_SSL3_SEND_CLIENT_VERIFY,0),   "SSL3_SEND_CLIENT_VERIFY"},
-{ERR_PACK(0,SSL_F_SSL3_SEND_SERVER_CERTIFICATE,0),      "SSL3_SEND_SERVER_CERTIFICATE"},
-{ERR_PACK(0,SSL_F_SSL3_SEND_SERVER_HELLO,0),    "SSL3_SEND_SERVER_HELLO"},
-{ERR_PACK(0,SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,0),     "SSL3_SEND_SERVER_KEY_EXCHANGE"},
-{ERR_PACK(0,SSL_F_SSL3_SETUP_BUFFERS,0),        "SSL3_SETUP_BUFFERS"},
-{ERR_PACK(0,SSL_F_SSL3_SETUP_KEY_BLOCK,0),      "SSL3_SETUP_KEY_BLOCK"},
-{ERR_PACK(0,SSL_F_SSL3_WRITE_BYTES,0),  "SSL3_WRITE_BYTES"},
-{ERR_PACK(0,SSL_F_SSL3_WRITE_PENDING,0),        "SSL3_WRITE_PENDING"},
-{ERR_PACK(0,SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,0),        "SSL_add_dir_cert_subjects_to_stack"},
-{ERR_PACK(0,SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,0),       "SSL_add_file_cert_subjects_to_stack"},
-{ERR_PACK(0,SSL_F_SSL_BAD_METHOD,0),    "SSL_BAD_METHOD"},
-{ERR_PACK(0,SSL_F_SSL_BYTES_TO_CIPHER_LIST,0),  "SSL_BYTES_TO_CIPHER_LIST"},
-{ERR_PACK(0,SSL_F_SSL_CERT_DUP,0),      "SSL_CERT_DUP"},
-{ERR_PACK(0,SSL_F_SSL_CERT_INST,0),     "SSL_CERT_INST"},
-{ERR_PACK(0,SSL_F_SSL_CERT_INSTANTIATE,0),      "SSL_CERT_INSTANTIATE"},
-{ERR_PACK(0,SSL_F_SSL_CERT_NEW,0),      "SSL_CERT_NEW"},
-{ERR_PACK(0,SSL_F_SSL_CHECK_PRIVATE_KEY,0),     "SSL_check_private_key"},
-{ERR_PACK(0,SSL_F_SSL_CIPHER_PROCESS_RULESTR,0),        "SSL_CIPHER_PROCESS_RULESTR"},
-{ERR_PACK(0,SSL_F_SSL_CIPHER_STRENGTH_SORT,0),  "SSL_CIPHER_STRENGTH_SORT"},
-{ERR_PACK(0,SSL_F_SSL_CLEAR,0), "SSL_clear"},
-{ERR_PACK(0,SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,0),   "SSL_COMP_add_compression_method"},
-{ERR_PACK(0,SSL_F_SSL_CREATE_CIPHER_LIST,0),    "SSL_CREATE_CIPHER_LIST"},
-{ERR_PACK(0,SSL_F_SSL_CTRL,0),  "SSL_ctrl"},
-{ERR_PACK(0,SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,0), "SSL_CTX_check_private_key"},
-{ERR_PACK(0,SSL_F_SSL_CTX_NEW,0),       "SSL_CTX_new"},
-{ERR_PACK(0,SSL_F_SSL_CTX_SET_PURPOSE,0),       "SSL_CTX_set_purpose"},
-{ERR_PACK(0,SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,0),    "SSL_CTX_set_session_id_context"},
-{ERR_PACK(0,SSL_F_SSL_CTX_SET_SSL_VERSION,0),   "SSL_CTX_set_ssl_version"},
-{ERR_PACK(0,SSL_F_SSL_CTX_SET_TRUST,0), "SSL_CTX_set_trust"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE,0),   "SSL_CTX_use_certificate"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1,0),      "SSL_CTX_use_certificate_ASN1"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,0),        "SSL_CTX_use_certificate_chain_file"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,0),      "SSL_CTX_use_certificate_file"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_PRIVATEKEY,0),    "SSL_CTX_use_PrivateKey"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1,0),       "SSL_CTX_use_PrivateKey_ASN1"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,0),       "SSL_CTX_use_PrivateKey_file"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_RSAPRIVATEKEY,0), "SSL_CTX_use_RSAPrivateKey"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1,0),    "SSL_CTX_use_RSAPrivateKey_ASN1"},
-{ERR_PACK(0,SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE,0),    "SSL_CTX_use_RSAPrivateKey_file"},
-{ERR_PACK(0,SSL_F_SSL_DO_HANDSHAKE,0),  "SSL_do_handshake"},
-{ERR_PACK(0,SSL_F_SSL_GET_NEW_SESSION,0),       "SSL_GET_NEW_SESSION"},
-{ERR_PACK(0,SSL_F_SSL_GET_PREV_SESSION,0),      "SSL_GET_PREV_SESSION"},
-{ERR_PACK(0,SSL_F_SSL_GET_SERVER_SEND_CERT,0),  "SSL_GET_SERVER_SEND_CERT"},
-{ERR_PACK(0,SSL_F_SSL_GET_SIGN_PKEY,0), "SSL_GET_SIGN_PKEY"},
-{ERR_PACK(0,SSL_F_SSL_INIT_WBIO_BUFFER,0),      "SSL_INIT_WBIO_BUFFER"},
-{ERR_PACK(0,SSL_F_SSL_LOAD_CLIENT_CA_FILE,0),   "SSL_load_client_CA_file"},
-{ERR_PACK(0,SSL_F_SSL_NEW,0),   "SSL_new"},
-{ERR_PACK(0,SSL_F_SSL_READ,0),  "SSL_read"},
-{ERR_PACK(0,SSL_F_SSL_RSA_PRIVATE_DECRYPT,0),   "SSL_RSA_PRIVATE_DECRYPT"},
-{ERR_PACK(0,SSL_F_SSL_RSA_PUBLIC_ENCRYPT,0),    "SSL_RSA_PUBLIC_ENCRYPT"},
-{ERR_PACK(0,SSL_F_SSL_SESSION_NEW,0),   "SSL_SESSION_new"},
-{ERR_PACK(0,SSL_F_SSL_SESSION_PRINT_FP,0),      "SSL_SESSION_print_fp"},
-{ERR_PACK(0,SSL_F_SSL_SESS_CERT_NEW,0), "SSL_SESS_CERT_NEW"},
-{ERR_PACK(0,SSL_F_SSL_SET_CERT,0),      "SSL_SET_CERT"},
-{ERR_PACK(0,SSL_F_SSL_SET_FD,0),        "SSL_set_fd"},
-{ERR_PACK(0,SSL_F_SSL_SET_PKEY,0),      "SSL_SET_PKEY"},
-{ERR_PACK(0,SSL_F_SSL_SET_PURPOSE,0),   "SSL_set_purpose"},
-{ERR_PACK(0,SSL_F_SSL_SET_RFD,0),       "SSL_set_rfd"},
-{ERR_PACK(0,SSL_F_SSL_SET_SESSION,0),   "SSL_set_session"},
-{ERR_PACK(0,SSL_F_SSL_SET_SESSION_ID_CONTEXT,0),        "SSL_set_session_id_context"},
-{ERR_PACK(0,SSL_F_SSL_SET_TRUST,0),     "SSL_set_trust"},
-{ERR_PACK(0,SSL_F_SSL_SET_WFD,0),       "SSL_set_wfd"},
-{ERR_PACK(0,SSL_F_SSL_SHUTDOWN,0),      "SSL_shutdown"},
-{ERR_PACK(0,SSL_F_SSL_UNDEFINED_CONST_FUNCTION,0),      "SSL_UNDEFINED_CONST_FUNCTION"},
-{ERR_PACK(0,SSL_F_SSL_UNDEFINED_FUNCTION,0),    "SSL_UNDEFINED_FUNCTION"},
-{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE,0),       "SSL_use_certificate"},
-{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE_ASN1,0),  "SSL_use_certificate_ASN1"},
-{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE_FILE,0),  "SSL_use_certificate_file"},
-{ERR_PACK(0,SSL_F_SSL_USE_PRIVATEKEY,0),        "SSL_use_PrivateKey"},
-{ERR_PACK(0,SSL_F_SSL_USE_PRIVATEKEY_ASN1,0),   "SSL_use_PrivateKey_ASN1"},
-{ERR_PACK(0,SSL_F_SSL_USE_PRIVATEKEY_FILE,0),   "SSL_use_PrivateKey_file"},
-{ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY,0),     "SSL_use_RSAPrivateKey"},
-{ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1,0),        "SSL_use_RSAPrivateKey_ASN1"},
-{ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,0),        "SSL_use_RSAPrivateKey_file"},
-{ERR_PACK(0,SSL_F_SSL_VERIFY_CERT_CHAIN,0),     "SSL_VERIFY_CERT_CHAIN"},
-{ERR_PACK(0,SSL_F_SSL_WRITE,0), "SSL_write"},
-{ERR_PACK(0,SSL_F_TLS1_CHANGE_CIPHER_STATE,0),  "TLS1_CHANGE_CIPHER_STATE"},
-{ERR_PACK(0,SSL_F_TLS1_ENC,0),  "TLS1_ENC"},
-{ERR_PACK(0,SSL_F_TLS1_SETUP_KEY_BLOCK,0),      "TLS1_SETUP_KEY_BLOCK"},
-{ERR_PACK(0,SSL_F_WRITE_PENDING,0),     "WRITE_PENDING"},
+{ERR_FUNC(SSL_F_CLIENT_CERTIFICATE),    "CLIENT_CERTIFICATE"},
+{ERR_FUNC(SSL_F_CLIENT_FINISHED),       "CLIENT_FINISHED"},
+{ERR_FUNC(SSL_F_CLIENT_HELLO),  "CLIENT_HELLO"},
+{ERR_FUNC(SSL_F_CLIENT_MASTER_KEY),     "CLIENT_MASTER_KEY"},
+{ERR_FUNC(SSL_F_D2I_SSL_SESSION),       "d2i_SSL_SESSION"},
+{ERR_FUNC(SSL_F_DO_SSL3_WRITE), "DO_SSL3_WRITE"},
+{ERR_FUNC(SSL_F_GET_CLIENT_FINISHED),   "GET_CLIENT_FINISHED"},
+{ERR_FUNC(SSL_F_GET_CLIENT_HELLO),      "GET_CLIENT_HELLO"},
+{ERR_FUNC(SSL_F_GET_CLIENT_MASTER_KEY), "GET_CLIENT_MASTER_KEY"},
+{ERR_FUNC(SSL_F_GET_SERVER_FINISHED),   "GET_SERVER_FINISHED"},
+{ERR_FUNC(SSL_F_GET_SERVER_HELLO),      "GET_SERVER_HELLO"},
+{ERR_FUNC(SSL_F_GET_SERVER_VERIFY),     "GET_SERVER_VERIFY"},
+{ERR_FUNC(SSL_F_I2D_SSL_SESSION),       "i2d_SSL_SESSION"},
+{ERR_FUNC(SSL_F_READ_N),        "READ_N"},
+{ERR_FUNC(SSL_F_REQUEST_CERTIFICATE),   "REQUEST_CERTIFICATE"},
+{ERR_FUNC(SSL_F_SERVER_FINISH), "SERVER_FINISH"},
+{ERR_FUNC(SSL_F_SERVER_HELLO),  "SERVER_HELLO"},
+{ERR_FUNC(SSL_F_SERVER_VERIFY), "SERVER_VERIFY"},
+{ERR_FUNC(SSL_F_SSL23_ACCEPT),  "SSL23_ACCEPT"},
+{ERR_FUNC(SSL_F_SSL23_CLIENT_HELLO),    "SSL23_CLIENT_HELLO"},
+{ERR_FUNC(SSL_F_SSL23_CONNECT), "SSL23_CONNECT"},
+{ERR_FUNC(SSL_F_SSL23_GET_CLIENT_HELLO),        "SSL23_GET_CLIENT_HELLO"},
+{ERR_FUNC(SSL_F_SSL23_GET_SERVER_HELLO),        "SSL23_GET_SERVER_HELLO"},
+{ERR_FUNC(SSL_F_SSL23_PEEK),    "SSL23_PEEK"},
+{ERR_FUNC(SSL_F_SSL23_READ),    "SSL23_READ"},
+{ERR_FUNC(SSL_F_SSL23_WRITE),   "SSL23_WRITE"},
+{ERR_FUNC(SSL_F_SSL2_ACCEPT),   "SSL2_ACCEPT"},
+{ERR_FUNC(SSL_F_SSL2_CONNECT),  "SSL2_CONNECT"},
+{ERR_FUNC(SSL_F_SSL2_ENC_INIT), "SSL2_ENC_INIT"},
+{ERR_FUNC(SSL_F_SSL2_GENERATE_KEY_MATERIAL),    "SSL2_GENERATE_KEY_MATERIAL"},
+{ERR_FUNC(SSL_F_SSL2_PEEK),     "SSL2_PEEK"},
+{ERR_FUNC(SSL_F_SSL2_READ),     "SSL2_READ"},
+{ERR_FUNC(SSL_F_SSL2_READ_INTERNAL),    "SSL2_READ_INTERNAL"},
+{ERR_FUNC(SSL_F_SSL2_SET_CERTIFICATE),  "SSL2_SET_CERTIFICATE"},
+{ERR_FUNC(SSL_F_SSL2_WRITE),    "SSL2_WRITE"},
+{ERR_FUNC(SSL_F_SSL3_ACCEPT),   "SSL3_ACCEPT"},
+{ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL),    "SSL3_CALLBACK_CTRL"},
+{ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE),      "SSL3_CHANGE_CIPHER_STATE"},
+{ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
+{ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO),     "SSL3_CLIENT_HELLO"},
+{ERR_FUNC(SSL_F_SSL3_CONNECT),  "SSL3_CONNECT"},
+{ERR_FUNC(SSL_F_SSL3_CTRL),     "SSL3_CTRL"},
+{ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "SSL3_CTX_CTRL"},
+{ERR_FUNC(SSL_F_SSL3_ENC),      "SSL3_ENC"},
+{ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK),       "SSL3_GENERATE_KEY_BLOCK"},
+{ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST),  "SSL3_GET_CERTIFICATE_REQUEST"},
+{ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY),  "SSL3_GET_CERT_VERIFY"},
+{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE),   "SSL3_GET_CLIENT_CERTIFICATE"},
+{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO), "SSL3_GET_CLIENT_HELLO"},
+{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE),  "SSL3_GET_CLIENT_KEY_EXCHANGE"},
+{ERR_FUNC(SSL_F_SSL3_GET_FINISHED),     "SSL3_GET_FINISHED"},
+{ERR_FUNC(SSL_F_SSL3_GET_KEY_EXCHANGE), "SSL3_GET_KEY_EXCHANGE"},
+{ERR_FUNC(SSL_F_SSL3_GET_MESSAGE),      "SSL3_GET_MESSAGE"},
+{ERR_FUNC(SSL_F_SSL3_GET_RECORD),       "SSL3_GET_RECORD"},
+{ERR_FUNC(SSL_F_SSL3_GET_SERVER_CERTIFICATE),   "SSL3_GET_SERVER_CERTIFICATE"},
+{ERR_FUNC(SSL_F_SSL3_GET_SERVER_DONE),  "SSL3_GET_SERVER_DONE"},
+{ERR_FUNC(SSL_F_SSL3_GET_SERVER_HELLO), "SSL3_GET_SERVER_HELLO"},
+{ERR_FUNC(SSL_F_SSL3_OUTPUT_CERT_CHAIN),        "SSL3_OUTPUT_CERT_CHAIN"},
+{ERR_FUNC(SSL_F_SSL3_PEEK),     "SSL3_PEEK"},
+{ERR_FUNC(SSL_F_SSL3_READ_BYTES),       "SSL3_READ_BYTES"},
+{ERR_FUNC(SSL_F_SSL3_READ_N),   "SSL3_READ_N"},
+{ERR_FUNC(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST), "SSL3_SEND_CERTIFICATE_REQUEST"},
+{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE),  "SSL3_SEND_CLIENT_CERTIFICATE"},
+{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE), "SSL3_SEND_CLIENT_KEY_EXCHANGE"},
+{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_VERIFY),       "SSL3_SEND_CLIENT_VERIFY"},
+{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_CERTIFICATE),  "SSL3_SEND_SERVER_CERTIFICATE"},
+{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_HELLO),        "SSL3_SEND_SERVER_HELLO"},
+{ERR_FUNC(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE), "SSL3_SEND_SERVER_KEY_EXCHANGE"},
+{ERR_FUNC(SSL_F_SSL3_SETUP_BUFFERS),    "SSL3_SETUP_BUFFERS"},
+{ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK),  "SSL3_SETUP_KEY_BLOCK"},
+{ERR_FUNC(SSL_F_SSL3_WRITE_BYTES),      "SSL3_WRITE_BYTES"},
+{ERR_FUNC(SSL_F_SSL3_WRITE_PENDING),    "SSL3_WRITE_PENDING"},
+{ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK),    "SSL_add_dir_cert_subjects_to_stack"},
+{ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK),   "SSL_add_file_cert_subjects_to_stack"},
+{ERR_FUNC(SSL_F_SSL_BAD_METHOD),        "SSL_BAD_METHOD"},
+{ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST),      "SSL_BYTES_TO_CIPHER_LIST"},
+{ERR_FUNC(SSL_F_SSL_CERT_DUP),  "SSL_CERT_DUP"},
+{ERR_FUNC(SSL_F_SSL_CERT_INST), "SSL_CERT_INST"},
+{ERR_FUNC(SSL_F_SSL_CERT_INSTANTIATE),  "SSL_CERT_INSTANTIATE"},
+{ERR_FUNC(SSL_F_SSL_CERT_NEW),  "SSL_CERT_NEW"},
+{ERR_FUNC(SSL_F_SSL_CHECK_PRIVATE_KEY), "SSL_check_private_key"},
+{ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR),    "SSL_CIPHER_PROCESS_RULESTR"},
+{ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT),      "SSL_CIPHER_STRENGTH_SORT"},
+{ERR_FUNC(SSL_F_SSL_CLEAR),     "SSL_clear"},
+{ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD),       "SSL_COMP_add_compression_method"},
+{ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST),        "SSL_CREATE_CIPHER_LIST"},
+{ERR_FUNC(SSL_F_SSL_CTRL),      "SSL_ctrl"},
+{ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY),     "SSL_CTX_check_private_key"},
+{ERR_FUNC(SSL_F_SSL_CTX_NEW),   "SSL_CTX_new"},
+{ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST),       "SSL_CTX_set_cipher_list"},
+{ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE),   "SSL_CTX_set_purpose"},
+{ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT),        "SSL_CTX_set_session_id_context"},
+{ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION),       "SSL_CTX_set_ssl_version"},
+{ERR_FUNC(SSL_F_SSL_CTX_SET_TRUST),     "SSL_CTX_set_trust"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE),       "SSL_CTX_use_certificate"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1),  "SSL_CTX_use_certificate_ASN1"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE),    "SSL_CTX_use_certificate_chain_file"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE),  "SSL_CTX_use_certificate_file"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY),        "SSL_CTX_use_PrivateKey"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1),   "SSL_CTX_use_PrivateKey_ASN1"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE),   "SSL_CTX_use_PrivateKey_file"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY),     "SSL_CTX_use_RSAPrivateKey"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1),        "SSL_CTX_use_RSAPrivateKey_ASN1"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE),        "SSL_CTX_use_RSAPrivateKey_file"},
+{ERR_FUNC(SSL_F_SSL_DO_HANDSHAKE),      "SSL_do_handshake"},
+{ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION),   "SSL_GET_NEW_SESSION"},
+{ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION),  "SSL_GET_PREV_SESSION"},
+{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT),      "SSL_GET_SERVER_SEND_CERT"},
+{ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY),     "SSL_GET_SIGN_PKEY"},
+{ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER),  "SSL_INIT_WBIO_BUFFER"},
+{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE),       "SSL_load_client_CA_file"},
+{ERR_FUNC(SSL_F_SSL_NEW),       "SSL_new"},
+{ERR_FUNC(SSL_F_SSL_READ),      "SSL_read"},
+{ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT),       "SSL_RSA_PRIVATE_DECRYPT"},
+{ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT),        "SSL_RSA_PUBLIC_ENCRYPT"},
+{ERR_FUNC(SSL_F_SSL_SESSION_NEW),       "SSL_SESSION_new"},
+{ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP),  "SSL_SESSION_print_fp"},
+{ERR_FUNC(SSL_F_SSL_SESS_CERT_NEW),     "SSL_SESS_CERT_NEW"},
+{ERR_FUNC(SSL_F_SSL_SET_CERT),  "SSL_SET_CERT"},
+{ERR_FUNC(SSL_F_SSL_SET_CIPHER_LIST),   "SSL_set_cipher_list"},
+{ERR_FUNC(SSL_F_SSL_SET_FD),    "SSL_set_fd"},
+{ERR_FUNC(SSL_F_SSL_SET_PKEY),  "SSL_SET_PKEY"},
+{ERR_FUNC(SSL_F_SSL_SET_PURPOSE),       "SSL_set_purpose"},
+{ERR_FUNC(SSL_F_SSL_SET_RFD),   "SSL_set_rfd"},
+{ERR_FUNC(SSL_F_SSL_SET_SESSION),       "SSL_set_session"},
+{ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT),    "SSL_set_session_id_context"},
+{ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"},
+{ERR_FUNC(SSL_F_SSL_SET_WFD),   "SSL_set_wfd"},
+{ERR_FUNC(SSL_F_SSL_SHUTDOWN),  "SSL_shutdown"},
+{ERR_FUNC(SSL_F_SSL_UNDEFINED_CONST_FUNCTION),  "SSL_UNDEFINED_CONST_FUNCTION"},
+{ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION),        "SSL_UNDEFINED_FUNCTION"},
+{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE),   "SSL_use_certificate"},
+{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_ASN1),      "SSL_use_certificate_ASN1"},
+{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_FILE),      "SSL_use_certificate_file"},
+{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY),    "SSL_use_PrivateKey"},
+{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_ASN1),       "SSL_use_PrivateKey_ASN1"},
+{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FILE),       "SSL_use_PrivateKey_file"},
+{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY), "SSL_use_RSAPrivateKey"},
+{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1),    "SSL_use_RSAPrivateKey_ASN1"},
+{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE),    "SSL_use_RSAPrivateKey_file"},
+{ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "SSL_VERIFY_CERT_CHAIN"},
+{ERR_FUNC(SSL_F_SSL_WRITE),     "SSL_write"},
+{ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE),      "TLS1_CHANGE_CIPHER_STATE"},
+{ERR_FUNC(SSL_F_TLS1_ENC),      "TLS1_ENC"},
+{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK),  "TLS1_SETUP_KEY_BLOCK"},
+{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA SSL_str_reasons[]=
         {
-{SSL_R_APP_DATA_IN_HANDSHAKE             ,"app data in handshake"},
-{SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT,"attempt to reuse session in different context"},
-{SSL_R_BAD_ALERT_RECORD                  ,"bad alert record"},
-{SSL_R_BAD_AUTHENTICATION_TYPE           ,"bad authentication type"},
-{SSL_R_BAD_CHANGE_CIPHER_SPEC            ,"bad change cipher spec"},
-{SSL_R_BAD_CHECKSUM                      ,"bad checksum"},
-{SSL_R_BAD_DATA_RETURNED_BY_CALLBACK     ,"bad data returned by callback"},
-{SSL_R_BAD_DECOMPRESSION                 ,"bad decompression"},
-{SSL_R_BAD_DH_G_LENGTH                   ,"bad dh g length"},
-{SSL_R_BAD_DH_PUB_KEY_LENGTH             ,"bad dh pub key length"},
-{SSL_R_BAD_DH_P_LENGTH                   ,"bad dh p length"},
-{SSL_R_BAD_DIGEST_LENGTH                 ,"bad digest length"},
-{SSL_R_BAD_DSA_SIGNATURE                 ,"bad dsa signature"},
-{SSL_R_BAD_HELLO_REQUEST                 ,"bad hello request"},
-{SSL_R_BAD_LENGTH                        ,"bad length"},
-{SSL_R_BAD_MAC_DECODE                    ,"bad mac decode"},
-{SSL_R_BAD_MESSAGE_TYPE                  ,"bad message type"},
-{SSL_R_BAD_PACKET_LENGTH                 ,"bad packet length"},
-{SSL_R_BAD_PROTOCOL_VERSION_NUMBER       ,"bad protocol version number"},
-{SSL_R_BAD_RESPONSE_ARGUMENT             ,"bad response argument"},
-{SSL_R_BAD_RSA_DECRYPT                   ,"bad rsa decrypt"},
-{SSL_R_BAD_RSA_ENCRYPT                   ,"bad rsa encrypt"},
-{SSL_R_BAD_RSA_E_LENGTH                  ,"bad rsa e length"},
-{SSL_R_BAD_RSA_MODULUS_LENGTH            ,"bad rsa modulus length"},
-{SSL_R_BAD_RSA_SIGNATURE                 ,"bad rsa signature"},
-{SSL_R_BAD_SIGNATURE                     ,"bad signature"},
-{SSL_R_BAD_SSL_FILETYPE                  ,"bad ssl filetype"},
-{SSL_R_BAD_SSL_SESSION_ID_LENGTH         ,"bad ssl session id length"},
-{SSL_R_BAD_STATE                         ,"bad state"},
-{SSL_R_BAD_WRITE_RETRY                   ,"bad write retry"},
-{SSL_R_BIO_NOT_SET                       ,"bio not set"},
-{SSL_R_BLOCK_CIPHER_PAD_IS_WRONG         ,"block cipher pad is wrong"},
-{SSL_R_BN_LIB                            ,"bn lib"},
-{SSL_R_CA_DN_LENGTH_MISMATCH             ,"ca dn length mismatch"},
-{SSL_R_CA_DN_TOO_LONG                    ,"ca dn too long"},
-{SSL_R_CCS_RECEIVED_EARLY                ,"ccs received early"},
-{SSL_R_CERTIFICATE_VERIFY_FAILED         ,"certificate verify failed"},
-{SSL_R_CERT_LENGTH_MISMATCH              ,"cert length mismatch"},
-{SSL_R_CHALLENGE_IS_DIFFERENT            ,"challenge is different"},
-{SSL_R_CIPHER_CODE_WRONG_LENGTH          ,"cipher code wrong length"},
-{SSL_R_CIPHER_OR_HASH_UNAVAILABLE        ,"cipher or hash unavailable"},
-{SSL_R_CIPHER_TABLE_SRC_ERROR            ,"cipher table src error"},
-{SSL_R_COMPRESSED_LENGTH_TOO_LONG        ,"compressed length too long"},
-{SSL_R_COMPRESSION_FAILURE               ,"compression failure"},
-{SSL_R_COMPRESSION_LIBRARY_ERROR         ,"compression library error"},
-{SSL_R_CONNECTION_ID_IS_DIFFERENT        ,"connection id is different"},
-{SSL_R_CONNECTION_TYPE_NOT_SET           ,"connection type not set"},
-{SSL_R_DATA_BETWEEN_CCS_AND_FINISHED     ,"data between ccs and finished"},
-{SSL_R_DATA_LENGTH_TOO_LONG              ,"data length too long"},
-{SSL_R_DECRYPTION_FAILED                 ,"decryption failed"},
-{SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC,"decryption failed or bad record mac"},
-{SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG   ,"dh public value length is wrong"},
-{SSL_R_DIGEST_CHECK_FAILED               ,"digest check failed"},
-{SSL_R_ENCRYPTED_LENGTH_TOO_LONG         ,"encrypted length too long"},
-{SSL_R_ERROR_GENERATING_TMP_RSA_KEY      ,"error generating tmp rsa key"},
-{SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST     ,"error in received cipher list"},
-{SSL_R_EXCESSIVE_MESSAGE_SIZE            ,"excessive message size"},
-{SSL_R_EXTRA_DATA_IN_MESSAGE             ,"extra data in message"},
-{SSL_R_GOT_A_FIN_BEFORE_A_CCS            ,"got a fin before a ccs"},
-{SSL_R_HTTPS_PROXY_REQUEST               ,"https proxy request"},
-{SSL_R_HTTP_REQUEST                      ,"http request"},
-{SSL_R_ILLEGAL_PADDING                   ,"illegal padding"},
-{SSL_R_INVALID_CHALLENGE_LENGTH          ,"invalid challenge length"},
-{SSL_R_INVALID_COMMAND                   ,"invalid command"},
-{SSL_R_INVALID_PURPOSE                   ,"invalid purpose"},
-{SSL_R_INVALID_TRUST                     ,"invalid trust"},
-{SSL_R_KEY_ARG_TOO_LONG                  ,"key arg too long"},
-{SSL_R_KRB5                              ,"krb5"},
-{SSL_R_KRB5_C_CC_PRINC                   ,"krb5 client cc principal (no tkt?)"},
-{SSL_R_KRB5_C_GET_CRED                   ,"krb5 client get cred"},
-{SSL_R_KRB5_C_INIT                       ,"krb5 client init"},
-{SSL_R_KRB5_C_MK_REQ                     ,"krb5 client mk_req (expired tkt?)"},
-{SSL_R_KRB5_S_BAD_TICKET                 ,"krb5 server bad ticket"},
-{SSL_R_KRB5_S_INIT                       ,"krb5 server init"},
-{SSL_R_KRB5_S_RD_REQ                     ,"krb5 server rd_req (keytab perms?)"},
-{SSL_R_KRB5_S_TKT_EXPIRED                ,"krb5 server tkt expired"},
-{SSL_R_KRB5_S_TKT_NYV                    ,"krb5 server tkt not yet valid"},
-{SSL_R_KRB5_S_TKT_SKEW                   ,"krb5 server tkt skew"},
-{SSL_R_LENGTH_MISMATCH                   ,"length mismatch"},
-{SSL_R_LENGTH_TOO_SHORT                  ,"length too short"},
-{SSL_R_LIBRARY_BUG                       ,"library bug"},
-{SSL_R_LIBRARY_HAS_NO_CIPHERS            ,"library has no ciphers"},
-{SSL_R_MASTER_KEY_TOO_LONG               ,"master key too long"},
-{SSL_R_MESSAGE_TOO_LONG                  ,"message too long"},
-{SSL_R_MISSING_DH_DSA_CERT               ,"missing dh dsa cert"},
-{SSL_R_MISSING_DH_KEY                    ,"missing dh key"},
-{SSL_R_MISSING_DH_RSA_CERT               ,"missing dh rsa cert"},
-{SSL_R_MISSING_DSA_SIGNING_CERT          ,"missing dsa signing cert"},
-{SSL_R_MISSING_EXPORT_TMP_DH_KEY         ,"missing export tmp dh key"},
-{SSL_R_MISSING_EXPORT_TMP_RSA_KEY        ,"missing export tmp rsa key"},
-{SSL_R_MISSING_RSA_CERTIFICATE           ,"missing rsa certificate"},
-{SSL_R_MISSING_RSA_ENCRYPTING_CERT       ,"missing rsa encrypting cert"},
-{SSL_R_MISSING_RSA_SIGNING_CERT          ,"missing rsa signing cert"},
-{SSL_R_MISSING_TMP_DH_KEY                ,"missing tmp dh key"},
-{SSL_R_MISSING_TMP_RSA_KEY               ,"missing tmp rsa key"},
-{SSL_R_MISSING_TMP_RSA_PKEY              ,"missing tmp rsa pkey"},
-{SSL_R_MISSING_VERIFY_MESSAGE            ,"missing verify message"},
-{SSL_R_NON_SSLV2_INITIAL_PACKET          ,"non sslv2 initial packet"},
-{SSL_R_NO_CERTIFICATES_RETURNED          ,"no certificates returned"},
-{SSL_R_NO_CERTIFICATE_ASSIGNED           ,"no certificate assigned"},
-{SSL_R_NO_CERTIFICATE_RETURNED           ,"no certificate returned"},
-{SSL_R_NO_CERTIFICATE_SET                ,"no certificate set"},
-{SSL_R_NO_CERTIFICATE_SPECIFIED          ,"no certificate specified"},
-{SSL_R_NO_CIPHERS_AVAILABLE              ,"no ciphers available"},
-{SSL_R_NO_CIPHERS_PASSED                 ,"no ciphers passed"},
-{SSL_R_NO_CIPHERS_SPECIFIED              ,"no ciphers specified"},
-{SSL_R_NO_CIPHER_LIST                    ,"no cipher list"},
-{SSL_R_NO_CIPHER_MATCH                   ,"no cipher match"},
-{SSL_R_NO_CLIENT_CERT_RECEIVED           ,"no client cert received"},
-{SSL_R_NO_COMPRESSION_SPECIFIED          ,"no compression specified"},
-{SSL_R_NO_METHOD_SPECIFIED               ,"no method specified"},
-{SSL_R_NO_PRIVATEKEY                     ,"no privatekey"},
-{SSL_R_NO_PRIVATE_KEY_ASSIGNED           ,"no private key assigned"},
-{SSL_R_NO_PROTOCOLS_AVAILABLE            ,"no protocols available"},
-{SSL_R_NO_PUBLICKEY                      ,"no publickey"},
-{SSL_R_NO_SHARED_CIPHER                  ,"no shared cipher"},
-{SSL_R_NO_VERIFY_CALLBACK                ,"no verify callback"},
-{SSL_R_NULL_SSL_CTX                      ,"null ssl ctx"},
-{SSL_R_NULL_SSL_METHOD_PASSED            ,"null ssl method passed"},
-{SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED   ,"old session cipher not returned"},
-{SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE     ,"only tls allowed in fips mode"},
-{SSL_R_PACKET_LENGTH_TOO_LONG            ,"packet length too long"},
-{SSL_R_PATH_TOO_LONG                     ,"path too long"},
-{SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE ,"peer did not return a certificate"},
-{SSL_R_PEER_ERROR                        ,"peer error"},
-{SSL_R_PEER_ERROR_CERTIFICATE            ,"peer error certificate"},
-{SSL_R_PEER_ERROR_NO_CERTIFICATE         ,"peer error no certificate"},
-{SSL_R_PEER_ERROR_NO_CIPHER              ,"peer error no cipher"},
-{SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE,"peer error unsupported certificate type"},
-{SSL_R_PRE_MAC_LENGTH_TOO_LONG           ,"pre mac length too long"},
-{SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS ,"problems mapping cipher functions"},
-{SSL_R_PROTOCOL_IS_SHUTDOWN              ,"protocol is shutdown"},
-{SSL_R_PUBLIC_KEY_ENCRYPT_ERROR          ,"public key encrypt error"},
-{SSL_R_PUBLIC_KEY_IS_NOT_RSA             ,"public key is not rsa"},
-{SSL_R_PUBLIC_KEY_NOT_RSA                ,"public key not rsa"},
-{SSL_R_READ_BIO_NOT_SET                  ,"read bio not set"},
-{SSL_R_READ_WRONG_PACKET_TYPE            ,"read wrong packet type"},
-{SSL_R_RECORD_LENGTH_MISMATCH            ,"record length mismatch"},
-{SSL_R_RECORD_TOO_LARGE                  ,"record too large"},
-{SSL_R_RECORD_TOO_SMALL                  ,"record too small"},
-{SSL_R_REQUIRED_CIPHER_MISSING           ,"required cipher missing"},
-{SSL_R_REUSE_CERT_LENGTH_NOT_ZERO        ,"reuse cert length not zero"},
-{SSL_R_REUSE_CERT_TYPE_NOT_ZERO          ,"reuse cert type not zero"},
-{SSL_R_REUSE_CIPHER_LIST_NOT_ZERO        ,"reuse cipher list not zero"},
-{SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED  ,"session id context uninitialized"},
-{SSL_R_SHORT_READ                        ,"short read"},
-{SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"},
-{SSL_R_SSL23_DOING_SESSION_ID_REUSE      ,"ssl23 doing session id reuse"},
-{SSL_R_SSL2_CONNECTION_ID_TOO_LONG       ,"ssl2 connection id too long"},
-{SSL_R_SSL3_SESSION_ID_TOO_LONG          ,"ssl3 session id too long"},
-{SSL_R_SSL3_SESSION_ID_TOO_SHORT         ,"ssl3 session id too short"},
-{SSL_R_SSLV3_ALERT_BAD_CERTIFICATE       ,"sslv3 alert bad certificate"},
-{SSL_R_SSLV3_ALERT_BAD_RECORD_MAC        ,"sslv3 alert bad record mac"},
-{SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED   ,"sslv3 alert certificate expired"},
-{SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED   ,"sslv3 alert certificate revoked"},
-{SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN   ,"sslv3 alert certificate unknown"},
-{SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE ,"sslv3 alert decompression failure"},
-{SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE     ,"sslv3 alert handshake failure"},
-{SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER     ,"sslv3 alert illegal parameter"},
-{SSL_R_SSLV3_ALERT_NO_CERTIFICATE        ,"sslv3 alert no certificate"},
-{SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE,"sslv3 alert peer error certificate"},
-{SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE,"sslv3 alert peer error no certificate"},
-{SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER  ,"sslv3 alert peer error no cipher"},
-{SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE,"sslv3 alert peer error unsupported certificate type"},
-{SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE    ,"sslv3 alert unexpected message"},
-{SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE,"sslv3 alert unknown remote error type"},
-{SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE,"sslv3 alert unsupported certificate"},
-{SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION,"ssl ctx has no default ssl version"},
-{SSL_R_SSL_HANDSHAKE_FAILURE             ,"ssl handshake failure"},
-{SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS        ,"ssl library has no ciphers"},
-{SSL_R_SSL_SESSION_ID_CALLBACK_FAILED    ,"ssl session id callback failed"},
-{SSL_R_SSL_SESSION_ID_CONFLICT           ,"ssl session id conflict"},
-{SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG   ,"ssl session id context too long"},
-{SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH     ,"ssl session id has bad length"},
-{SSL_R_SSL_SESSION_ID_IS_DIFFERENT       ,"ssl session id is different"},
-{SSL_R_TLSV1_ALERT_ACCESS_DENIED         ,"tlsv1 alert access denied"},
-{SSL_R_TLSV1_ALERT_DECODE_ERROR          ,"tlsv1 alert decode error"},
-{SSL_R_TLSV1_ALERT_DECRYPTION_FAILED     ,"tlsv1 alert decryption failed"},
-{SSL_R_TLSV1_ALERT_DECRYPT_ERROR         ,"tlsv1 alert decrypt error"},
-{SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION    ,"tlsv1 alert export restriction"},
-{SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY ,"tlsv1 alert insufficient security"},
-{SSL_R_TLSV1_ALERT_INTERNAL_ERROR        ,"tlsv1 alert internal error"},
-{SSL_R_TLSV1_ALERT_NO_RENEGOTIATION      ,"tlsv1 alert no renegotiation"},
-{SSL_R_TLSV1_ALERT_PROTOCOL_VERSION      ,"tlsv1 alert protocol version"},
-{SSL_R_TLSV1_ALERT_RECORD_OVERFLOW       ,"tlsv1 alert record overflow"},
-{SSL_R_TLSV1_ALERT_UNKNOWN_CA            ,"tlsv1 alert unknown ca"},
-{SSL_R_TLSV1_ALERT_USER_CANCELLED        ,"tlsv1 alert user cancelled"},
-{SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER,"tls client cert req with anon cipher"},
-{SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST,"tls peer did not respond with certificate list"},
-{SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG,"tls rsa encrypted value length is wrong"},
-{SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER   ,"tried to use unsupported cipher"},
-{SSL_R_UNABLE_TO_DECODE_DH_CERTS         ,"unable to decode dh certs"},
-{SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY      ,"unable to extract public key"},
-{SSL_R_UNABLE_TO_FIND_DH_PARAMETERS      ,"unable to find dh parameters"},
-{SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS,"unable to find public key parameters"},
-{SSL_R_UNABLE_TO_FIND_SSL_METHOD         ,"unable to find ssl method"},
-{SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES  ,"unable to load ssl2 md5 routines"},
-{SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES  ,"unable to load ssl3 md5 routines"},
-{SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES ,"unable to load ssl3 sha1 routines"},
-{SSL_R_UNEXPECTED_MESSAGE                ,"unexpected message"},
-{SSL_R_UNEXPECTED_RECORD                 ,"unexpected record"},
-{SSL_R_UNINITIALIZED                     ,"uninitialized"},
-{SSL_R_UNKNOWN_ALERT_TYPE                ,"unknown alert type"},
-{SSL_R_UNKNOWN_CERTIFICATE_TYPE          ,"unknown certificate type"},
-{SSL_R_UNKNOWN_CIPHER_RETURNED           ,"unknown cipher returned"},
-{SSL_R_UNKNOWN_CIPHER_TYPE               ,"unknown cipher type"},
-{SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE         ,"unknown key exchange type"},
-{SSL_R_UNKNOWN_PKEY_TYPE                 ,"unknown pkey type"},
-{SSL_R_UNKNOWN_PROTOCOL                  ,"unknown protocol"},
-{SSL_R_UNKNOWN_REMOTE_ERROR_TYPE         ,"unknown remote error type"},
-{SSL_R_UNKNOWN_SSL_VERSION               ,"unknown ssl version"},
-{SSL_R_UNKNOWN_STATE                     ,"unknown state"},
-{SSL_R_UNSUPPORTED_CIPHER                ,"unsupported cipher"},
-{SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM ,"unsupported compression algorithm"},
-{SSL_R_UNSUPPORTED_OPTION                ,"unsupported option"},
-{SSL_R_UNSUPPORTED_PROTOCOL              ,"unsupported protocol"},
-{SSL_R_UNSUPPORTED_SSL_VERSION           ,"unsupported ssl version"},
-{SSL_R_WRITE_BIO_NOT_SET                 ,"write bio not set"},
-{SSL_R_WRONG_CIPHER_RETURNED             ,"wrong cipher returned"},
-{SSL_R_WRONG_MESSAGE_TYPE                ,"wrong message type"},
-{SSL_R_WRONG_NUMBER_OF_KEY_BITS          ,"wrong number of key bits"},
-{SSL_R_WRONG_SIGNATURE_LENGTH            ,"wrong signature length"},
-{SSL_R_WRONG_SIGNATURE_SIZE              ,"wrong signature size"},
-{SSL_R_WRONG_SSL_VERSION                 ,"wrong ssl version"},
-{SSL_R_WRONG_VERSION_NUMBER              ,"wrong version number"},
-{SSL_R_X509_LIB                          ,"x509 lib"},
-{SSL_R_X509_VERIFICATION_SETUP_PROBLEMS  ,"x509 verification setup problems"},
+{ERR_REASON(SSL_R_APP_DATA_IN_HANDSHAKE) ,"app data in handshake"},
+{ERR_REASON(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),"attempt to reuse session in different context"},
+{ERR_REASON(SSL_R_BAD_ALERT_RECORD)      ,"bad alert record"},
+{ERR_REASON(SSL_R_BAD_AUTHENTICATION_TYPE),"bad authentication type"},
+{ERR_REASON(SSL_R_BAD_CHANGE_CIPHER_SPEC),"bad change cipher spec"},
+{ERR_REASON(SSL_R_BAD_CHECKSUM)          ,"bad checksum"},
+{ERR_REASON(SSL_R_BAD_DATA_RETURNED_BY_CALLBACK),"bad data returned by callback"},
+{ERR_REASON(SSL_R_BAD_DECOMPRESSION)     ,"bad decompression"},
+{ERR_REASON(SSL_R_BAD_DH_G_LENGTH)       ,"bad dh g length"},
+{ERR_REASON(SSL_R_BAD_DH_PUB_KEY_LENGTH) ,"bad dh pub key length"},
+{ERR_REASON(SSL_R_BAD_DH_P_LENGTH)       ,"bad dh p length"},
+{ERR_REASON(SSL_R_BAD_DIGEST_LENGTH)     ,"bad digest length"},
+{ERR_REASON(SSL_R_BAD_DSA_SIGNATURE)     ,"bad dsa signature"},
+{ERR_REASON(SSL_R_BAD_HELLO_REQUEST)     ,"bad hello request"},
+{ERR_REASON(SSL_R_BAD_LENGTH)            ,"bad length"},
+{ERR_REASON(SSL_R_BAD_MAC_DECODE)        ,"bad mac decode"},
+{ERR_REASON(SSL_R_BAD_MESSAGE_TYPE)      ,"bad message type"},
+{ERR_REASON(SSL_R_BAD_PACKET_LENGTH)     ,"bad packet length"},
+{ERR_REASON(SSL_R_BAD_PROTOCOL_VERSION_NUMBER),"bad protocol version number"},
+{ERR_REASON(SSL_R_BAD_RESPONSE_ARGUMENT) ,"bad response argument"},
+{ERR_REASON(SSL_R_BAD_RSA_DECRYPT)       ,"bad rsa decrypt"},
+{ERR_REASON(SSL_R_BAD_RSA_ENCRYPT)       ,"bad rsa encrypt"},
+{ERR_REASON(SSL_R_BAD_RSA_E_LENGTH)      ,"bad rsa e length"},
+{ERR_REASON(SSL_R_BAD_RSA_MODULUS_LENGTH),"bad rsa modulus length"},
+{ERR_REASON(SSL_R_BAD_RSA_SIGNATURE)     ,"bad rsa signature"},
+{ERR_REASON(SSL_R_BAD_SIGNATURE)         ,"bad signature"},
+{ERR_REASON(SSL_R_BAD_SSL_FILETYPE)      ,"bad ssl filetype"},
+{ERR_REASON(SSL_R_BAD_SSL_SESSION_ID_LENGTH),"bad ssl session id length"},
+{ERR_REASON(SSL_R_BAD_STATE)             ,"bad state"},
+{ERR_REASON(SSL_R_BAD_WRITE_RETRY)       ,"bad write retry"},
+{ERR_REASON(SSL_R_BIO_NOT_SET)           ,"bio not set"},
+{ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),"block cipher pad is wrong"},
+{ERR_REASON(SSL_R_BN_LIB)                ,"bn lib"},
+{ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH) ,"ca dn length mismatch"},
+{ERR_REASON(SSL_R_CA_DN_TOO_LONG)        ,"ca dn too long"},
+{ERR_REASON(SSL_R_CCS_RECEIVED_EARLY)    ,"ccs received early"},
+{ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED),"certificate verify failed"},
+{ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH)  ,"cert length mismatch"},
+{ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT),"challenge is different"},
+{ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH),"cipher code wrong length"},
+{ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE),"cipher or hash unavailable"},
+{ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"},
+{ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG),"compressed length too long"},
+{ERR_REASON(SSL_R_COMPRESSION_FAILURE)   ,"compression failure"},
+{ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),"compression library error"},
+{ERR_REASON(SSL_R_CONNECTION_ID_IS_DIFFERENT),"connection id is different"},
+{ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET),"connection type not set"},
+{ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),"data between ccs and finished"},
+{ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG)  ,"data length too long"},
+{ERR_REASON(SSL_R_DECRYPTION_FAILED)     ,"decryption failed"},
+{ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),"decryption failed or bad record mac"},
+{ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),"dh public value length is wrong"},
+{ERR_REASON(SSL_R_DIGEST_CHECK_FAILED)   ,"digest check failed"},
+{ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),"encrypted length too long"},
+{ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),"error generating tmp rsa key"},
+{ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),"error in received cipher list"},
+{ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE),"excessive message size"},
+{ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) ,"extra data in message"},
+{ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS),"got a fin before a ccs"},
+{ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST)   ,"https proxy request"},
+{ERR_REASON(SSL_R_HTTP_REQUEST)          ,"http request"},
+{ERR_REASON(SSL_R_ILLEGAL_PADDING)       ,"illegal padding"},
+{ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
+{ERR_REASON(SSL_R_INVALID_COMMAND)       ,"invalid command"},
+{ERR_REASON(SSL_R_INVALID_PURPOSE)       ,"invalid purpose"},
+{ERR_REASON(SSL_R_INVALID_TRUST)         ,"invalid trust"},
+{ERR_REASON(SSL_R_KEY_ARG_TOO_LONG)      ,"key arg too long"},
+{ERR_REASON(SSL_R_KRB5)                  ,"krb5"},
+{ERR_REASON(SSL_R_KRB5_C_CC_PRINC)       ,"krb5 client cc principal (no tkt?)"},
+{ERR_REASON(SSL_R_KRB5_C_GET_CRED)       ,"krb5 client get cred"},
+{ERR_REASON(SSL_R_KRB5_C_INIT)           ,"krb5 client init"},
+{ERR_REASON(SSL_R_KRB5_C_MK_REQ)         ,"krb5 client mk_req (expired tkt?)"},
+{ERR_REASON(SSL_R_KRB5_S_BAD_TICKET)     ,"krb5 server bad ticket"},
+{ERR_REASON(SSL_R_KRB5_S_INIT)           ,"krb5 server init"},
+{ERR_REASON(SSL_R_KRB5_S_RD_REQ)         ,"krb5 server rd_req (keytab perms?)"},
+{ERR_REASON(SSL_R_KRB5_S_TKT_EXPIRED)    ,"krb5 server tkt expired"},
+{ERR_REASON(SSL_R_KRB5_S_TKT_NYV)        ,"krb5 server tkt not yet valid"},
+{ERR_REASON(SSL_R_KRB5_S_TKT_SKEW)       ,"krb5 server tkt skew"},
+{ERR_REASON(SSL_R_LENGTH_MISMATCH)       ,"length mismatch"},
+{ERR_REASON(SSL_R_LENGTH_TOO_SHORT)      ,"length too short"},
+{ERR_REASON(SSL_R_LIBRARY_BUG)           ,"library bug"},
+{ERR_REASON(SSL_R_LIBRARY_HAS_NO_CIPHERS),"library has no ciphers"},
+{ERR_REASON(SSL_R_MESSAGE_TOO_LONG)      ,"message too long"},
+{ERR_REASON(SSL_R_MISSING_DH_DSA_CERT)   ,"missing dh dsa cert"},
+{ERR_REASON(SSL_R_MISSING_DH_KEY)        ,"missing dh key"},
+{ERR_REASON(SSL_R_MISSING_DH_RSA_CERT)   ,"missing dh rsa cert"},
+{ERR_REASON(SSL_R_MISSING_DSA_SIGNING_CERT),"missing dsa signing cert"},
+{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),"missing export tmp dh key"},
+{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),"missing export tmp rsa key"},
+{ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE),"missing rsa certificate"},
+{ERR_REASON(SSL_R_MISSING_RSA_ENCRYPTING_CERT),"missing rsa encrypting cert"},
+{ERR_REASON(SSL_R_MISSING_RSA_SIGNING_CERT),"missing rsa signing cert"},
+{ERR_REASON(SSL_R_MISSING_TMP_DH_KEY)    ,"missing tmp dh key"},
+{ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY)   ,"missing tmp rsa key"},
+{ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY)  ,"missing tmp rsa pkey"},
+{ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
+{ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
+{ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
+{ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},
+{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),"no certificate returned"},
+{ERR_REASON(SSL_R_NO_CERTIFICATE_SET)    ,"no certificate set"},
+{ERR_REASON(SSL_R_NO_CERTIFICATE_SPECIFIED),"no certificate specified"},
+{ERR_REASON(SSL_R_NO_CIPHERS_AVAILABLE)  ,"no ciphers available"},
+{ERR_REASON(SSL_R_NO_CIPHERS_PASSED)     ,"no ciphers passed"},
+{ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED)  ,"no ciphers specified"},
+{ERR_REASON(SSL_R_NO_CIPHER_LIST)        ,"no cipher list"},
+{ERR_REASON(SSL_R_NO_CIPHER_MATCH)       ,"no cipher match"},
+{ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED),"no client cert received"},
+{ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"},
+{ERR_REASON(SSL_R_NO_METHOD_SPECIFIED)   ,"no method specified"},
+{ERR_REASON(SSL_R_NO_PRIVATEKEY)         ,"no privatekey"},
+{ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
+{ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
+{ERR_REASON(SSL_R_NO_PUBLICKEY)          ,"no publickey"},
+{ERR_REASON(SSL_R_NO_SHARED_CIPHER)      ,"no shared cipher"},
+{ERR_REASON(SSL_R_NO_VERIFY_CALLBACK)    ,"no verify callback"},
+{ERR_REASON(SSL_R_NULL_SSL_CTX)          ,"null ssl ctx"},
+{ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED),"null ssl method passed"},
+{ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"},
+{ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"},
+{ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"},
+{ERR_REASON(SSL_R_PATH_TOO_LONG)         ,"path too long"},
+{ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE),"peer did not return a certificate"},
+{ERR_REASON(SSL_R_PEER_ERROR)            ,"peer error"},
+{ERR_REASON(SSL_R_PEER_ERROR_CERTIFICATE),"peer error certificate"},
+{ERR_REASON(SSL_R_PEER_ERROR_NO_CERTIFICATE),"peer error no certificate"},
+{ERR_REASON(SSL_R_PEER_ERROR_NO_CIPHER)  ,"peer error no cipher"},
+{ERR_REASON(SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE),"peer error unsupported certificate type"},
+{ERR_REASON(SSL_R_PRE_MAC_LENGTH_TOO_LONG),"pre mac length too long"},
+{ERR_REASON(SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS),"problems mapping cipher functions"},
+{ERR_REASON(SSL_R_PROTOCOL_IS_SHUTDOWN)  ,"protocol is shutdown"},
+{ERR_REASON(SSL_R_PUBLIC_KEY_ENCRYPT_ERROR),"public key encrypt error"},
+{ERR_REASON(SSL_R_PUBLIC_KEY_IS_NOT_RSA) ,"public key is not rsa"},
+{ERR_REASON(SSL_R_PUBLIC_KEY_NOT_RSA)    ,"public key not rsa"},
+{ERR_REASON(SSL_R_READ_BIO_NOT_SET)      ,"read bio not set"},
+{ERR_REASON(SSL_R_READ_WRONG_PACKET_TYPE),"read wrong packet type"},
+{ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH),"record length mismatch"},
+{ERR_REASON(SSL_R_RECORD_TOO_LARGE)      ,"record too large"},
+{ERR_REASON(SSL_R_RECORD_TOO_SMALL)      ,"record too small"},
+{ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING),"required cipher missing"},
+{ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},
+{ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},
+{ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},
+{ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
+{ERR_REASON(SSL_R_SHORT_READ)            ,"short read"},
+{ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"},
+{ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"},
+{ERR_REASON(SSL_R_SSL2_CONNECTION_ID_TOO_LONG),"ssl2 connection id too long"},
+{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_LONG),"ssl3 session id too long"},
+{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT),"ssl3 session id too short"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_CERTIFICATE),"sslv3 alert bad certificate"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_RECORD_MAC),"sslv3 alert bad record mac"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED),"sslv3 alert certificate expired"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED),"sslv3 alert certificate revoked"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN),"sslv3 alert certificate unknown"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE),"sslv3 alert decompression failure"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE),"sslv3 alert handshake failure"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER),"sslv3 alert illegal parameter"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_NO_CERTIFICATE),"sslv3 alert no certificate"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE),"sslv3 alert unexpected message"},
+{ERR_REASON(SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE),"sslv3 alert unsupported certificate"},
+{ERR_REASON(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION),"ssl ctx has no default ssl version"},
+{ERR_REASON(SSL_R_SSL_HANDSHAKE_FAILURE) ,"ssl handshake failure"},
+{ERR_REASON(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS),"ssl library has no ciphers"},
+{ERR_REASON(SSL_R_SSL_SESSION_ID_CALLBACK_FAILED),"ssl session id callback failed"},
+{ERR_REASON(SSL_R_SSL_SESSION_ID_CONFLICT),"ssl session id conflict"},
+{ERR_REASON(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG),"ssl session id context too long"},
+{ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH),"ssl session id has bad length"},
+{ERR_REASON(SSL_R_SSL_SESSION_ID_IS_DIFFERENT),"ssl session id is different"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED),"tlsv1 alert access denied"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR),"tlsv1 alert decode error"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_PROTOCOL_VERSION),"tlsv1 alert protocol version"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_RECORD_OVERFLOW),"tlsv1 alert record overflow"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_UNKNOWN_CA),"tlsv1 alert unknown ca"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_USER_CANCELLED),"tlsv1 alert user cancelled"},
+{ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER),"tls client cert req with anon cipher"},
+{ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),"tls peer did not respond with certificate list"},
+{ERR_REASON(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG),"tls rsa encrypted value length is wrong"},
+{ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER),"tried to use unsupported cipher"},
+{ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS),"unable to decode dh certs"},
+{ERR_REASON(SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY),"unable to extract public key"},
+{ERR_REASON(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS),"unable to find dh parameters"},
+{ERR_REASON(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS),"unable to find public key parameters"},
+{ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD),"unable to find ssl method"},
+{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES),"unable to load ssl2 md5 routines"},
+{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES),"unable to load ssl3 md5 routines"},
+{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),"unable to load ssl3 sha1 routines"},
+{ERR_REASON(SSL_R_UNEXPECTED_MESSAGE)    ,"unexpected message"},
+{ERR_REASON(SSL_R_UNEXPECTED_RECORD)     ,"unexpected record"},
+{ERR_REASON(SSL_R_UNINITIALIZED)         ,"uninitialized"},
+{ERR_REASON(SSL_R_UNKNOWN_ALERT_TYPE)    ,"unknown alert type"},
+{ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE),"unknown certificate type"},
+{ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED),"unknown cipher returned"},
+{ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE)   ,"unknown cipher type"},
+{ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),"unknown key exchange type"},
+{ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE)     ,"unknown pkey type"},
+{ERR_REASON(SSL_R_UNKNOWN_PROTOCOL)      ,"unknown protocol"},
+{ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
+{ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION)   ,"unknown ssl version"},
+{ERR_REASON(SSL_R_UNKNOWN_STATE)         ,"unknown state"},
+{ERR_REASON(SSL_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
+{ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
+{ERR_REASON(SSL_R_UNSUPPORTED_PROTOCOL)  ,"unsupported protocol"},
+{ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION),"unsupported ssl version"},
+{ERR_REASON(SSL_R_WRITE_BIO_NOT_SET)     ,"write bio not set"},
+{ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,"wrong cipher returned"},
+{ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE)    ,"wrong message type"},
+{ERR_REASON(SSL_R_WRONG_NUMBER_OF_KEY_BITS),"wrong number of key bits"},
+{ERR_REASON(SSL_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
+{ERR_REASON(SSL_R_WRONG_SIGNATURE_SIZE)  ,"wrong signature size"},
+{ERR_REASON(SSL_R_WRONG_SSL_VERSION)     ,"wrong ssl version"},
+{ERR_REASON(SSL_R_WRONG_VERSION_NUMBER)  ,"wrong version number"},
+{ERR_REASON(SSL_R_X509_LIB)              ,"x509 lib"},
+{ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),"x509 verification setup problems"},
 {0,NULL}
         };
 
@@ -455,8 +454,8 @@ void ERR_load_SSL_strings(void)
                 {
                 init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_SSL,SSL_str_functs);
-                ERR_load_strings(ERR_LIB_SSL,SSL_str_reasons);
+                ERR_load_strings(0,SSL_str_functs);
+                ERR_load_strings(0,SSL_str_reasons);
 #endif
 
                 }
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 631229558f..2bd9a5af86 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -125,7 +125,7 @@
 
 const char *SSL_version_str=OPENSSL_VERSION_TEXT;
 
-OPENSSL_GLOBAL SSL3_ENC_METHOD ssl3_undef_enc_method={
+SSL3_ENC_METHOD ssl3_undef_enc_method={
         /* evil casts, but these functions are only called if there's a library bug */
         (int (*)(SSL *,int))ssl_undefined_function,
         (int (*)(SSL *, unsigned char *, int))ssl_undefined_function,
@@ -1130,8 +1130,21 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
         
         sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list,
                 &ctx->cipher_list_by_id,str);
-/* XXXX */
-        return((sk == NULL)?0:1);
+        /* ssl_create_cipher_list may return an empty stack if it
+         * was unable to find a cipher matching the given rule string
+         * (for example if the rule string specifies a cipher which
+         * has been disabled). This is not an error as far as 
+         * ssl_create_cipher_list is concerned, and hence 
+         * ctx->cipher_list and ctx->cipher_list_by_id has been
+         * updated. */
+        if (sk == NULL)
+                return 0;
+        else if (sk_SSL_CIPHER_num(sk) == 0)
+                {
+                SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
+                return 0;
+                }
+        return 1;
         }
 
 /** specify the ciphers to be used by the SSL */
@@ -1141,8 +1154,15 @@ int SSL_set_cipher_list(SSL *s,const char *str)
         
         sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list,
                 &s->cipher_list_by_id,str);
-/* XXXX */
-        return((sk == NULL)?0:1);
+        /* see comment in SSL_CTX_set_cipher_list */
+        if (sk == NULL)
+                return 0;
+        else if (sk_SSL_CIPHER_num(sk) == 0)
+                {
+                SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
+                return 0;
+                }
+        return 1;
         }
 
 /* works well for SSLv2, not so good for SSLv3 */
@@ -1181,7 +1201,8 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
         return(buf);
         }
 
-int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p)
+int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
+                             int (*put_cb)(const SSL_CIPHER *, unsigned char *))
         {
         int i,j=0;
         SSL_CIPHER *c;
@@ -1200,7 +1221,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p)
                 if ((c->algorithms & SSL_KRB5) && nokrb5)
                     continue;
 #endif /* OPENSSL_NO_KRB5 */                    
-                j=ssl_put_cipher_by_char(s,c,p);
+
+                j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
                 p+=j;
                 }
         return(p-q);
@@ -1694,7 +1716,7 @@ void ssl_update_cache(SSL *s,int mode)
                         ?s->ctx->stats.sess_connect_good
                         :s->ctx->stats.sess_accept_good) & 0xff) == 0xff)
                         {
-                        SSL_CTX_flush_sessions(s->ctx,time(NULL));
+                        SSL_CTX_flush_sessions(s->ctx,(unsigned long)time(NULL));
                         }
                 }
         }
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 25a144a0d0..6a0b7595f4 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -462,7 +462,7 @@ typedef struct ssl3_comp_st
         COMP_METHOD *method; /* The method :-) */
         } SSL3_COMP;
 
-OPENSSL_EXTERN SSL3_ENC_METHOD ssl3_undef_enc_method;
+extern SSL3_ENC_METHOD ssl3_undef_enc_method;
 OPENSSL_EXTERN SSL_CIPHER ssl2_ciphers[];
 OPENSSL_EXTERN SSL_CIPHER ssl3_ciphers[];
 
@@ -493,7 +493,8 @@ int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
                         const SSL_CIPHER * const *bp);
 STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
                                                STACK_OF(SSL_CIPHER) **skp);
-int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p);
+int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
+                             int (*put_cb)(const SSL_CIPHER *, unsigned char *));
 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
                                              STACK_OF(SSL_CIPHER) **pref,
                                              STACK_OF(SSL_CIPHER) **sorted,
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 5f12aa361c..2ba8b9612e 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -118,7 +118,7 @@ SSL_SESSION *SSL_SESSION_new(void)
         ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
         ss->references=1;
         ss->timeout=60*5+4; /* 5 minute timeout by default */
-        ss->time=time(NULL);
+        ss->time=(unsigned long)time(NULL);
         ss->prev=NULL;
         ss->next=NULL;
         ss->compress_meth=0;
@@ -377,7 +377,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
         CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
 #endif
 
-        if ((long)(ret->time+ret->timeout) < (long)time(NULL)) /* timeout */
+        if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */
                 {
                 s->ctx->stats.sess_timeout++;
                 /* remove it from the cache */