From 4f828b924f54507141fb95ebe49dfcd261945e85 Mon Sep 17 00:00:00 2001 
From: djm <> Date: Tue, 27 Jun 2006 05:05:40 +0000 Subject: import of openssl-0.9.7j --- src/lib/libcrypto/Attic/Makefile | 2 +- src/lib/libcrypto/asn1/Makefile | 2 +- src/lib/libcrypto/bf/Makefile | 10 +- src/lib/libcrypto/bio/Makefile | 2 +- src/lib/libcrypto/bn/Makefile | 8 +- src/lib/libcrypto/bn/bntest.c | 56 +++++ src/lib/libcrypto/bn/expspeed.c | 2 +- src/lib/libcrypto/bn/exptest.c | 18 +- src/lib/libcrypto/buffer/Makefile | 2 +- src/lib/libcrypto/cast/Makefile | 9 +- src/lib/libcrypto/comp/Makefile | 2 +- src/lib/libcrypto/conf/Makefile | 2 +- src/lib/libcrypto/crypto-lib.com | 23 ++- src/lib/libcrypto/des/Makefile | 2 +- src/lib/libcrypto/dh/Makefile | 2 +- src/lib/libcrypto/dh/dhtest.c | 4 + src/lib/libcrypto/dsa/Makefile | 2 +- src/lib/libcrypto/dsa/dsatest.c | 9 + src/lib/libcrypto/dso/Makefile | 2 +- src/lib/libcrypto/dso/dso_dl.c | 35 +++- src/lib/libcrypto/dso/dso_win32.c | 21 +- src/lib/libcrypto/engine/hw_aep.c | 1 + src/lib/libcrypto/engine/hw_atalla.c | 1 + src/lib/libcrypto/engine/hw_cswift.c | 204 ++++++++++++++----- src/lib/libcrypto/engine/hw_ubsec.c | 1 + src/lib/libcrypto/err/Makefile | 2 +- src/lib/libcrypto/evp/Makefile | 2 +- src/lib/libcrypto/evp/c_alld.c | 10 + src/lib/libcrypto/evp/m_sha.c | 3 + src/lib/libcrypto/hmac/Makefile | 2 +- src/lib/libcrypto/idea/Makefile | 10 +- src/lib/libcrypto/lhash/Makefile | 2 +- src/lib/libcrypto/md2/Makefile | 2 +- src/lib/libcrypto/md2/md2_one.c | 3 +- src/lib/libcrypto/md4/Makefile | 2 +- src/lib/libcrypto/md5/Makefile | 2 +- src/lib/libcrypto/mdc2/Makefile | 2 +- src/lib/libcrypto/objects/Makefile | 2 +- src/lib/libcrypto/objects/obj_dat.h | 99 ++++++--- src/lib/libcrypto/objects/obj_mac.h | 65 +++++- src/lib/libcrypto/pem/Makefile | 2 +- src/lib/libcrypto/perlasm/x86nasm.pl | 10 +- src/lib/libcrypto/pkcs12/Makefile | 2 +- src/lib/libcrypto/pkcs7/Makefile | 2 +- src/lib/libcrypto/rand/Makefile | 2 +- src/lib/libcrypto/rc2/Makefile | 4 +- src/lib/libcrypto/rc2/rc2speed.c | 6 +- 
src/lib/libcrypto/rc4/Makefile | 13 +- src/lib/libcrypto/rc4/asm/rc4-ia64.S | 65 +++--- src/lib/libcrypto/rc5/Makefile | 4 +- src/lib/libcrypto/ripemd/Makefile | 2 +- src/lib/libcrypto/rsa/Makefile | 36 +++- src/lib/libcrypto/rsa/rsa_test.c | 5 +- src/lib/libcrypto/sha/Makefile | 2 +- src/lib/libcrypto/sha/sha_one.c | 3 +- src/lib/libcrypto/stack/Makefile | 2 +- src/lib/libcrypto/txt_db/Makefile | 2 +- src/lib/libcrypto/util/checkhash.pl | 222 ++++++++++++++++++++ src/lib/libcrypto/util/fipslink.pl | 78 +++++++ src/lib/libcrypto/util/libeay.num | 42 +++- src/lib/libcrypto/util/mk1mf.pl | 337 +++++++++++++++++++++++++------ src/lib/libcrypto/util/mkdef.pl | 11 +- src/lib/libcrypto/util/mkfiles.pl | 17 +- src/lib/libcrypto/util/mklink.pl | 7 +- src/lib/libcrypto/util/pl/BC-32.pl | 14 +- src/lib/libcrypto/util/pl/OS2-EMX.pl | 1 + src/lib/libcrypto/util/pl/VC-32-GMAKE.pl | 222 ++++++++++++++++++++ src/lib/libcrypto/util/pl/VC-32.pl | 99 +++++++-- src/lib/libcrypto/util/pod2man.pl | 1 + src/lib/libcrypto/util/selftest.pl | 26 ++- src/lib/libcrypto/x509/Makefile | 2 +- src/lib/libcrypto/x509v3/Makefile | 2 +- 72 files changed, 1587 insertions(+), 286 deletions(-) create mode 100644 src/lib/libcrypto/util/checkhash.pl create mode 100644 src/lib/libcrypto/util/fipslink.pl create mode 100644 src/lib/libcrypto/util/pl/VC-32-GMAKE.pl (limited to 'src/lib/libcrypto') diff --git a/src/lib/libcrypto/Attic/Makefile b/src/lib/libcrypto/Attic/Makefile index cffaeedc5d..cda9de0ac9 100644 --- a/src/lib/libcrypto/Attic/Makefile +++ b/src/lib/libcrypto/Attic/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/Makefile +# OpenSSL/crypto/Makefile # DIR= crypto diff --git a/src/lib/libcrypto/asn1/Makefile b/src/lib/libcrypto/asn1/Makefile index b11298d621..d1c2d8f490 100644 --- a/src/lib/libcrypto/asn1/Makefile +++ b/src/lib/libcrypto/asn1/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/asn1/Makefile +# OpenSSL/crypto/asn1/Makefile # DIR= asn1 
diff --git a/src/lib/libcrypto/bf/Makefile b/src/lib/libcrypto/bf/Makefile index 0e2121efdc..42e2c050f8 100644 --- a/src/lib/libcrypto/bf/Makefile +++ b/src/lib/libcrypto/bf/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/blowfish/Makefile +# OpenSSL/crypto/blowfish/Makefile # DIR= bf @@ -110,7 +110,7 @@ bf_enc.o: ../../include/openssl/opensslconf.h bf_enc.c bf_locl.h bf_ofb64.o: ../../include/openssl/blowfish.h ../../include/openssl/e_os2.h bf_ofb64.o: ../../include/openssl/opensslconf.h bf_locl.h bf_ofb64.c bf_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/crypto.h -bf_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h -bf_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h -bf_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -bf_skey.o: bf_locl.h bf_pi.h bf_skey.c +bf_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/fips.h +bf_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +bf_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +bf_skey.o: ../../include/openssl/symhacks.h bf_locl.h bf_pi.h bf_skey.c diff --git a/src/lib/libcrypto/bio/Makefile b/src/lib/libcrypto/bio/Makefile index 19d9350760..a565154499 100644 --- a/src/lib/libcrypto/bio/Makefile +++ b/src/lib/libcrypto/bio/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/bio/Makefile +# OpenSSL/crypto/bio/Makefile # DIR= bio diff --git a/src/lib/libcrypto/bn/Makefile b/src/lib/libcrypto/bn/Makefile index f693d35d87..9969d242cc 100644 --- a/src/lib/libcrypto/bn/Makefile +++ b/src/lib/libcrypto/bn/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/bn/Makefile +# OpenSSL/crypto/bn/Makefile # DIR= bn 
@@ -31,12 +31,12 @@ LIB=$(TOP)/libcrypto.a LIBSRC= bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c bn_mod.c \ bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \ bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \ - bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c + bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_x931p.c LIBOBJ= bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o bn_mod.o \ bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \ bn_kron.o bn_sqrt.o bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) \ - bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o + bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o bn_x931p.o SRC= $(LIBSRC) @@ -329,3 +329,5 @@ bn_word.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_word.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_word.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_word.o: ../cryptlib.h bn_lcl.h bn_word.c +bn_x931p.o: ../../include/openssl/bn.h ../../include/openssl/e_os2.h +bn_x931p.o: ../../include/openssl/opensslconf.h bn_x931p.c diff --git a/src/lib/libcrypto/bn/bntest.c b/src/lib/libcrypto/bn/bntest.c index 28cd3339da..685007d330 100644 --- a/src/lib/libcrypto/bn/bntest.c +++ b/src/lib/libcrypto/bn/bntest.c @@ -86,6 +86,7 @@ int test_mont(BIO *bp,BN_CTX *ctx); int test_mod(BIO *bp,BN_CTX *ctx); int test_mod_mul(BIO *bp,BN_CTX *ctx); int test_mod_exp(BIO *bp,BN_CTX *ctx); +int test_mod_exp_mont_consttime(BIO *bp,BN_CTX *ctx); int test_exp(BIO *bp,BN_CTX *ctx); int test_kron(BIO *bp,BN_CTX *ctx); int test_sqrt(BIO *bp,BN_CTX *ctx); @@ -213,6 +214,10 @@ int main(int argc, char *argv[]) if (!test_mod_exp(out,ctx)) goto err; BIO_flush(out); + message(out,"BN_mod_exp_mont_consttime"); + if (!test_mod_exp_mont_consttime(out,ctx)) goto err; + BIO_flush(out); + message(out,"BN_exp"); if (!test_exp(out,ctx)) goto err; BIO_flush(out); 
@@ -813,6 +818,57 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx) return(1); } +int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx) + { + BIGNUM *a,*b,*c,*d,*e; + int i; + + a=BN_new(); + b=BN_new(); + c=BN_new(); + d=BN_new(); + e=BN_new(); + + BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */ + for (i=0; i %8.3fms %5.1f (%ld)\n", + " -> %8.6fms %5.1f (%ld)\n", #ifdef TEST_SQRT P_MOD_64, #endif diff --git a/src/lib/libcrypto/bn/exptest.c b/src/lib/libcrypto/bn/exptest.c index b09cf88705..28aaac2ac1 100644 --- a/src/lib/libcrypto/bn/exptest.c +++ b/src/lib/libcrypto/bn/exptest.c @@ -77,7 +77,7 @@ int main(int argc, char *argv[]) BIO *out=NULL; int i,ret; unsigned char c; - BIGNUM *r_mont,*r_recp,*r_simple,*a,*b,*m; + BIGNUM *r_mont,*r_mont_const,*r_recp,*r_simple,*a,*b,*m; RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_rand may fail, and we don't * even check its return value @@ -88,6 +88,7 @@ int main(int argc, char *argv[]) ctx=BN_CTX_new(); if (ctx == NULL) EXIT(1); r_mont=BN_new(); + r_mont_const=BN_new(); r_recp=BN_new(); r_simple=BN_new(); a=BN_new(); @@ -143,8 +144,17 @@ int main(int argc, char *argv[]) EXIT(1); } + ret=BN_mod_exp_mont_consttime(r_mont_const,a,b,m,ctx,NULL); + if (ret <= 0) + { + printf("BN_mod_exp_mont_consttime() problems\n"); + ERR_print_errors(out); + EXIT(1); + } + if (BN_cmp(r_simple, r_mont) == 0 - && BN_cmp(r_simple,r_recp) == 0) + && BN_cmp(r_simple,r_recp) == 0 + && BN_cmp(r_simple,r_mont_const) == 0) { printf("."); fflush(stdout); @@ -153,6 +163,8 @@ int main(int argc, char *argv[]) { if (BN_cmp(r_simple,r_mont) != 0) printf("\nsimple and mont results differ\n"); + if (BN_cmp(r_simple,r_mont) != 0) + printf("\nsimple and mont const time results differ\n"); if (BN_cmp(r_simple,r_recp) != 0) printf("\nsimple and recp results differ\n"); 
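Review bot: The diagnostic added to exptest.c in the `-153,6 +163,8` hunk tests the wrong value: `if (BN_cmp(r_simple,r_mont) != 0)` guards the "simple and mont const time results differ" message. A mismatch in the constant-time path is therefore never named, and a plain Montgomery mismatch is reported twice. It should read `if (BN_cmp(r_simple,r_mont_const) != 0)`. The test still fails when it should, because the combined condition in the previous hunk does include r_mont_const; only the diagnosis is misleading. main() continues outside the hunk.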
@@ -162,11 +174,13 @@ int main(int argc, char *argv[]) printf("\nsimple ="); BN_print(out,r_simple); printf("\nrecp ="); BN_print(out,r_recp); printf("\nmont ="); BN_print(out,r_mont); + printf("\nmont_ct ="); BN_print(out,r_mont_const); printf("\n"); EXIT(1); } } BN_free(r_mont); + BN_free(r_mont_const); BN_free(r_recp); BN_free(r_simple); BN_free(a); diff --git a/src/lib/libcrypto/buffer/Makefile b/src/lib/libcrypto/buffer/Makefile index 3911baf513..4b53c595a3 100644 --- a/src/lib/libcrypto/buffer/Makefile +++ b/src/lib/libcrypto/buffer/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/buffer/Makefile +# OpenSSL/crypto/buffer/Makefile # DIR= buffer diff --git a/src/lib/libcrypto/cast/Makefile b/src/lib/libcrypto/cast/Makefile index 8b0d04bb7c..b388f6271c 100644 --- a/src/lib/libcrypto/cast/Makefile +++ b/src/lib/libcrypto/cast/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/cast/Makefile +# OpenSSL/crypto/cast/Makefile # DIR= cast @@ -115,6 +115,7 @@ c_ofb64.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h c_ofb64.o: c_ofb64.c cast_lcl.h c_skey.o: ../../e_os.h ../../include/openssl/cast.h c_skey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h -c_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h -c_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -c_skey.o: ../../include/openssl/symhacks.h c_skey.c cast_lcl.h cast_s.h +c_skey.o: ../../include/openssl/fips.h ../../include/openssl/opensslconf.h +c_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h +c_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +c_skey.o: c_skey.c cast_lcl.h cast_s.h diff --git a/src/lib/libcrypto/comp/Makefile b/src/lib/libcrypto/comp/Makefile index 68109a8013..df1babec5c 100644 --- a/src/lib/libcrypto/comp/Makefile +++ b/src/lib/libcrypto/comp/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/comp/Makefile +# OpenSSL/crypto/comp/Makefile # DIR= comp 
diff --git a/src/lib/libcrypto/conf/Makefile b/src/lib/libcrypto/conf/Makefile index 6d2f8ffd9a..403d12b28c 100644 --- a/src/lib/libcrypto/conf/Makefile +++ b/src/lib/libcrypto/conf/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/conf/Makefile +# OpenSSL/crypto/conf/Makefile # DIR= conf diff --git a/src/lib/libcrypto/crypto-lib.com b/src/lib/libcrypto/crypto-lib.com index c044ce0099..427c321f25 100644 --- a/src/lib/libcrypto/crypto-lib.com +++ b/src/lib/libcrypto/crypto-lib.com @@ -184,10 +184,10 @@ $ IF F$TRNLNM("OPENSSL_NO_ASM").OR.ARCH.EQS."AXP" THEN LIB_BN_ASM = "bn_asm" $ LIB_BN = "bn_add,bn_div,bn_exp,bn_lib,bn_ctx,bn_mul,bn_mod,"+ - "bn_print,bn_rand,bn_shift,bn_word,bn_blind,"+ - "bn_kron,bn_sqrt,bn_gcd,bn_prime,bn_err,bn_sqr,"+LIB_BN_ASM+","+ - - "bn_recp,bn_mont,bn_mpi,bn_exp2" + "bn_recp,bn_mont,bn_mpi,bn_exp2,bn_x931p" $ LIB_RSA = "rsa_eay,rsa_gen,rsa_lib,rsa_sign,rsa_saos,rsa_err,"+ - "rsa_pk1,rsa_ssl,rsa_none,rsa_oaep,rsa_chk,rsa_null,"+ - - "rsa_asn1" + "rsa_pss,rsa_x931,rsa_asn1" $ LIB_EC = "ec_lib,ecp_smpl,ecp_mont,ecp_recp,ecp_nist,ec_cvt,ec_mult,"+ - "ec_err" $ LIB_DSA = "dsa_gen,dsa_key,dsa_lib,dsa_asn1,dsa_vrf,dsa_sign,dsa_err,dsa_ossl" @@ -265,10 +265,15 @@ $ LIB_KRB5 = "krb5_asn" $! $! Setup exceptional compilations $! +$ ! Add definitions for no threads on OpenVMS 7.1 and higher $ COMPILEWITH_CC3 = ",bss_rtcp," +$ ! Disable the DOLLARID warning $ COMPILEWITH_CC4 = ",a_utctm,bss_log,o_time," +$ ! Disable disjoint optimization $ COMPILEWITH_CC5 = ",md2_dgst,md4_dgst,md5_dgst,mdc2dgst," + - "sha_dgst,sha1dgst,rmd_dgst,bf_enc," +$ ! Disable the MIXLINKAGE warning +$ COMPILEWITH_CC6 = ",enc_read,set_key," $! $! Figure Out What Other Modules We Are To Build. $! 
@@ -497,7 +502,12 @@ $ IF COMPILEWITH_CC5 - FILE_NAME0 .NES. COMPILEWITH_CC5 $ THEN $ CC5/OBJECT='OBJECT_FILE' 'SOURCE_FILE' $ ELSE -$ CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE' +$ IF COMPILEWITH_CC6 - FILE_NAME0 .NES. COMPILEWITH_CC6 +$ THEN +$ CC6/OBJECT='OBJECT_FILE' 'SOURCE_FILE' +$ ELSE +$ CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE' +$ ENDIF $ ENDIF $ ENDIF $ ENDIF @@ -960,7 +970,7 @@ $ CCDEFS = "TCPIP_TYPE_''P4',DSO_VMS" $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS $ CCEXTRAFLAGS = "" $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS -$ CCDISABLEWARNINGS = "LONGLONGTYPE,LONGLONGSUFX" +$ CCDISABLEWARNINGS = "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR" $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN - CCDISABLEWARNINGS = CCDISABLEWARNINGS + "," + USER_CCDISABLEWARNINGS $! @@ -1077,14 +1087,18 @@ $ THEN $ IF CCDISABLEWARNINGS .EQS. "" $ THEN $ CC4DISABLEWARNINGS = "DOLLARID" +$ CC6DISABLEWARNINGS = "MIXLINKAGE" $ ELSE $ CC4DISABLEWARNINGS = CCDISABLEWARNINGS + ",DOLLARID" +$ CC6DISABLEWARNINGS = CCDISABLEWARNINGS + ",MIXLINKAGE" $ CCDISABLEWARNINGS = "/WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))" $ ENDIF $ CC4DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))" +$ CC6DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC6DISABLEWARNINGS + "))" $ ELSE $ CCDISABLEWARNINGS = "" $ CC4DISABLEWARNINGS = "" +$ CC6DISABLEWARNINGS = "" $ ENDIF $ CC3 = CC + "/DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS $ CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS @@ -1095,6 +1109,7 @@ $ ELSE $ CC5 = CC + "/NOOPTIMIZE" $ ENDIF $ CC4 = CC - CCDISABLEWARNINGS + CC4DISABLEWARNINGS +$ CC6 = CC - CCDISABLEWARNINGS + CC6DISABLEWARNINGS $! $! Show user the result $! diff --git a/src/lib/libcrypto/des/Makefile b/src/lib/libcrypto/des/Makefile index 655f2ea1a8..800af0b123 100644 --- a/src/lib/libcrypto/des/Makefile +++ b/src/lib/libcrypto/des/Makefile 
@@ -1,5 +1,5 @@ # -# SSLeay/crypto/des/Makefile +# OpenSSL/crypto/des/Makefile # DIR= des diff --git a/src/lib/libcrypto/dh/Makefile b/src/lib/libcrypto/dh/Makefile index c091a8130a..352678b94a 100644 --- a/src/lib/libcrypto/dh/Makefile +++ b/src/lib/libcrypto/dh/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/dh/Makefile +# OpenSSL/crypto/dh/Makefile # DIR= dh diff --git a/src/lib/libcrypto/dh/dhtest.c b/src/lib/libcrypto/dh/dhtest.c index d75077f9fa..b76dede771 100644 --- a/src/lib/libcrypto/dh/dhtest.c +++ b/src/lib/libcrypto/dh/dhtest.c @@ -136,6 +136,10 @@ int main(int argc, char *argv[]) b->g=BN_dup(a->g); if ((b->p == NULL) || (b->g == NULL)) goto err; + /* Set a to run with normal modexp and b to use constant time */ + a->flags &= ~DH_FLAG_NO_EXP_CONSTTIME; + b->flags |= DH_FLAG_NO_EXP_CONSTTIME; + if (!DH_generate_key(a)) goto err; BIO_puts(out,"pri 1="); BN_print(out,a->priv_key); diff --git a/src/lib/libcrypto/dsa/Makefile b/src/lib/libcrypto/dsa/Makefile index 3a55058973..4f10278039 100644 --- a/src/lib/libcrypto/dsa/Makefile +++ b/src/lib/libcrypto/dsa/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/dsa/Makefile +# OpenSSL/crypto/dsa/Makefile # DIR= dsa diff --git a/src/lib/libcrypto/dsa/dsatest.c b/src/lib/libcrypto/dsa/dsatest.c index 4734ce4af8..55a3756aff 100644 --- a/src/lib/libcrypto/dsa/dsatest.c +++ b/src/lib/libcrypto/dsa/dsatest.c @@ -194,10 +194,19 @@ int main(int argc, char **argv) BIO_printf(bio_err,"g value is wrong\n"); goto end; } + + dsa->flags |= DSA_FLAG_NO_EXP_CONSTTIME; DSA_generate_key(dsa); DSA_sign(0, str1, 20, sig, &siglen, dsa); if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1) ret=1; + + dsa->flags &= ~DSA_FLAG_NO_EXP_CONSTTIME; + DSA_generate_key(dsa); + DSA_sign(0, str1, 20, sig, &siglen, dsa); + if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1) + ret=1; + end: if (!ret) ERR_print_errors(bio_err); diff --git a/src/lib/libcrypto/dso/Makefile b/src/lib/libcrypto/dso/Makefile index 168951bc3e..c16278c3ff 100644 
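Review bot: The comment added in dhtest.c says the opposite of what the two flag lines do. Going by the flag's name, clearing DH_FLAG_NO_EXP_CONSTTIME on a keeps a on the constant-time path, and setting it on b opts b out. Suggested wording: `/* a: constant-time modexp (flag cleared); b: normal modexp (DH_FLAG_NO_EXP_CONSTTIME set) */`. The polarity is worth stating correctly because this flag is what switches the timing hardening off.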
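Review bot: The second DSA round added in dsatest.c cannot fail the test. ret is already 1 after the first successful verify, so `if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1) ret=1;` changes nothing when the constant-time round fails. Clear the result on a mismatch instead, `if (DSA_verify(0, str1, 20, sig, siglen, dsa) != 1) ret=0;`, or reset ret before the second round. The return values of DSA_generate_key and DSA_sign are ignored in both rounds and should be checked with `goto end` on failure.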
--- a/src/lib/libcrypto/dso/Makefile +++ b/src/lib/libcrypto/dso/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/dso/Makefile +# OpenSSL/crypto/dso/Makefile # DIR= dso diff --git a/src/lib/libcrypto/dso/dso_dl.c b/src/lib/libcrypto/dso/dso_dl.c index 79d2cb4d8c..f7b4dfc0c3 100644 --- a/src/lib/libcrypto/dso/dso_dl.c +++ b/src/lib/libcrypto/dso/dso_dl.c @@ -126,7 +126,8 @@ static int dl_load(DSO *dso) DSOerr(DSO_F_DL_LOAD,DSO_R_NO_FILENAME); goto err; } - ptr = shl_load(filename, BIND_IMMEDIATE|DYNAMIC_PATH, 0L); + ptr = shl_load(filename, BIND_IMMEDIATE | + (dso->flags&DSO_FLAG_NO_NAME_TRANSLATION?0:DYNAMIC_PATH), 0L); if(ptr == NULL) { DSOerr(DSO_F_DL_LOAD,DSO_R_LOAD_FAILED); @@ -281,4 +282,36 @@ static char *dl_name_converter(DSO *dso, const char *filename) return(translated); } +#ifdef OPENSSL_FIPS +static void dl_ref_point(){} + +int DSO_pathbyaddr(void *addr,char *path,int sz) + { + struct shl_descriptor inf; + int i,len; + + if (addr == NULL) + { + union { void(*f)(); void *p; } t = { dl_ref_point }; + addr = t.p; + } + + for (i=-1;shl_get_r(i,&inf)==0;i++) + { + if (((size_t)addr >= inf.tstart && (size_t)addr < inf.tend) || + ((size_t)addr >= inf.dstart && (size_t)addr < inf.dend)) + { + len = (int)strlen(inf.filename); + if (sz <= 0) return len+1; + if (len >= sz) len=sz-1; + memcpy(path,inf.filename,len); + path[len++] = 0; + return len; + } + } + + return -1; + } +#endif + #endif /* DSO_DL */ diff --git a/src/lib/libcrypto/dso/dso_win32.c b/src/lib/libcrypto/dso/dso_win32.c index 3fa90eb27c..cc4ac68696 100644 --- a/src/lib/libcrypto/dso/dso_win32.c +++ b/src/lib/libcrypto/dso/dso_win32.c 
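Review bot: DSO_pathbyaddr truncates silently. When the library path is longer than the caller's buffer, `if (len >= sz) len=sz-1;` copies a shortened path and returns the byte count, which the caller cannot tell apart from success. The function is compiled only under OPENSSL_FIPS, so the path is presumably used to locate the module on disk (not visible here); a truncated name could then point at a different file. Consider failing instead, `if (len >= sz) return -1;`. A header comment should document the three return cases: the required size when sz is not positive, bytes written including the NUL, and -1 when no loaded library contains addr.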
@@ -68,6 +68,25 @@ DSO_METHOD *DSO_METHOD_win32(void) } #else +#ifdef _WIN32_WCE +# if _WIN32_WCE < 300 +static FARPROC GetProcAddressA(HMODULE hModule,LPCSTR lpProcName) + { + WCHAR lpProcNameW[64]; + int i; + + for (i=0;lpProcName[i] && i<64;i++) + lpProcNameW[i] = (WCHAR)lpProcName[i]; + if (i==64) return NULL; + lpProcNameW[i] = 0; + + return GetProcAddressW(hModule,lpProcNameW); + } +# endif +# undef GetProcAddress +# define GetProcAddress GetProcAddressA +#endif + /* Part of the hack in "win32_load" ... */ #define DSO_MAX_TRANSLATED_SIZE 256 @@ -122,7 +141,7 @@ static int win32_load(DSO *dso) DSOerr(DSO_F_WIN32_LOAD,DSO_R_NO_FILENAME); goto err; } - h = LoadLibrary(filename); + h = LoadLibraryA(filename); if(h == NULL) { DSOerr(DSO_F_WIN32_LOAD,DSO_R_LOAD_FAILED); diff --git a/src/lib/libcrypto/engine/hw_aep.c b/src/lib/libcrypto/engine/hw_aep.c index 8b8380a582..5f1772ea99 100644 --- a/src/lib/libcrypto/engine/hw_aep.c +++ b/src/lib/libcrypto/engine/hw_aep.c @@ -474,6 +474,7 @@ static int aep_init(ENGINE *e) if(aep_dso) DSO_free(aep_dso); + aep_dso = NULL; p_AEP_OpenConnection = NULL; p_AEP_ModExp = NULL; diff --git a/src/lib/libcrypto/engine/hw_atalla.c b/src/lib/libcrypto/engine/hw_atalla.c index e9eff9fad1..2b8342bbdd 100644 --- a/src/lib/libcrypto/engine/hw_atalla.c +++ b/src/lib/libcrypto/engine/hw_atalla.c @@ -375,6 +375,7 @@ static int atalla_init(ENGINE *e) err: if(atalla_dso) DSO_free(atalla_dso); + atalla_dso = NULL; p_Atalla_GetHardwareConfig = NULL; p_Atalla_RSAPrivateKeyOpFn = NULL; p_Atalla_GetPerformanceStatistics = NULL; diff --git a/src/lib/libcrypto/engine/hw_cswift.c b/src/lib/libcrypto/engine/hw_cswift.c index f128ee5a68..1411fd8333 100644 --- a/src/lib/libcrypto/engine/hw_cswift.c +++ b/src/lib/libcrypto/engine/hw_cswift.c 
@@ -90,6 +90,7 @@ static int cswift_destroy(ENGINE *e); static int cswift_init(ENGINE *e); static int cswift_finish(ENGINE *e); static int cswift_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()); +static int cswift_bn_32copy(SW_LARGENUMBER * out, const BIGNUM * in); /* BIGNUM stuff */ static int cswift_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, @@ -403,7 +404,10 @@ static int cswift_init(ENGINE *e) return 1; err: if(cswift_dso) + { DSO_free(cswift_dso); + cswift_dso = NULL; + } p_CSwift_AcquireAccContext = NULL; p_CSwift_AttachKeyParam = NULL; p_CSwift_SimpleRequest = NULL; @@ -553,6 +557,29 @@ err: return to_return; } + +int cswift_bn_32copy(SW_LARGENUMBER * out, const BIGNUM * in) +{ + int mod; + int numbytes = BN_num_bytes(in); + + mod = 0; + while( ((out->nbytes = (numbytes+mod)) % 32) ) + { + mod++; + } + out->value = (unsigned char*)OPENSSL_malloc(out->nbytes); + if(!out->value) + { + return 0; + } + BN_bn2bin(in, &out->value[mod]); + if(mod) + memset(out->value, 0, mod); + + return 1; +} + /* Un petit mod_exp chinois */ static int cswift_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *q, const BIGNUM *dmp1, @@ -562,15 +589,16 @@ static int cswift_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, SW_LARGENUMBER arg, res; SW_PARAM sw_param; SW_CONTEXT_HANDLE hac; - BIGNUM *rsa_p = NULL; - BIGNUM *rsa_q = NULL; - BIGNUM *rsa_dmp1 = NULL; - BIGNUM *rsa_dmq1 = NULL; - BIGNUM *rsa_iqmp = NULL; - BIGNUM *argument = NULL; BIGNUM *result = NULL; + BIGNUM *argument = NULL; int to_return = 0; /* expect failure */ int acquired = 0; + + sw_param.up.crt.p.value = NULL; + sw_param.up.crt.q.value = NULL; + sw_param.up.crt.dmp1.value = NULL; + sw_param.up.crt.dmq1.value = NULL; + sw_param.up.crt.iqmp.value = NULL; if(!get_context(&hac)) { 
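Review bot: cswift_bn_32copy is declared `static` in the prototype hunk but defined without the keyword, and its padding loop assigns out->nbytes inside the loop condition, which is hard to follow. Suggest repeating `static` on the definition and computing the pad directly: `mod = (32 - numbytes % 32) % 32; out->nbytes = numbytes + mod;`. A comment above the function should state that out->value is a freshly allocated big-endian copy of the BIGNUM, left-padded with zero bytes to a multiple of 32, and that the caller owns it and must free it.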
@@ -578,44 +606,55 @@ static int cswift_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, goto err; } acquired = 1; + /* Prepare the params */ - BN_CTX_start(ctx); - rsa_p = BN_CTX_get(ctx); - rsa_q = BN_CTX_get(ctx); - rsa_dmp1 = BN_CTX_get(ctx); - rsa_dmq1 = BN_CTX_get(ctx); - rsa_iqmp = BN_CTX_get(ctx); - argument = BN_CTX_get(ctx); - result = BN_CTX_get(ctx); - if(!result) + argument = BN_new(); + result = BN_new(); + if(!result || !argument) { CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_CTX_FULL); goto err; } - if(!bn_wexpand(rsa_p, p->top) || !bn_wexpand(rsa_q, q->top) || - !bn_wexpand(rsa_dmp1, dmp1->top) || - !bn_wexpand(rsa_dmq1, dmq1->top) || - !bn_wexpand(rsa_iqmp, iqmp->top) || - !bn_wexpand(argument, a->top) || + + + sw_param.type = SW_ALG_CRT; + /************************************************************************/ + /* 04/02/2003 */ + /* Modified by Frederic Giudicelli (deny-all.com) to overcome the */ + /* limitation of cswift with values not a multiple of 32 */ + /************************************************************************/ + if(!cswift_bn_32copy(&sw_param.up.crt.p, p)) + { + CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL); + goto err; + } + if(!cswift_bn_32copy(&sw_param.up.crt.q, q)) + { + CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL); + goto err; + } + if(!cswift_bn_32copy(&sw_param.up.crt.dmp1, dmp1)) + { + CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL); + goto err; + } + if(!cswift_bn_32copy(&sw_param.up.crt.dmq1, dmq1)) + { + CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL); + goto err; + } + if(!cswift_bn_32copy(&sw_param.up.crt.iqmp, iqmp)) + { + CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL); + goto err; + } + if( !bn_wexpand(argument, a->top) || !bn_wexpand(result, p->top + q->top)) { CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL); goto err; } - sw_param.type = SW_ALG_CRT; - sw_param.up.crt.p.nbytes = BN_bn2bin(p, 
(unsigned char *)rsa_p->d); - sw_param.up.crt.p.value = (unsigned char *)rsa_p->d; - sw_param.up.crt.q.nbytes = BN_bn2bin(q, (unsigned char *)rsa_q->d); - sw_param.up.crt.q.value = (unsigned char *)rsa_q->d; - sw_param.up.crt.dmp1.nbytes = BN_bn2bin(dmp1, - (unsigned char *)rsa_dmp1->d); - sw_param.up.crt.dmp1.value = (unsigned char *)rsa_dmp1->d; - sw_param.up.crt.dmq1.nbytes = BN_bn2bin(dmq1, - (unsigned char *)rsa_dmq1->d); - sw_param.up.crt.dmq1.value = (unsigned char *)rsa_dmq1->d; - sw_param.up.crt.iqmp.nbytes = BN_bn2bin(iqmp, - (unsigned char *)rsa_iqmp->d); - sw_param.up.crt.iqmp.value = (unsigned char *)rsa_iqmp->d; + /* Attach the key params */ sw_status = p_CSwift_AttachKeyParam(hac, &sw_param); switch(sw_status) @@ -654,9 +693,22 @@ static int cswift_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_bin2bn((unsigned char *)result->d, res.nbytes, r); to_return = 1; err: + if(sw_param.up.crt.p.value) + OPENSSL_free(sw_param.up.crt.p.value); + if(sw_param.up.crt.q.value) + OPENSSL_free(sw_param.up.crt.q.value); + if(sw_param.up.crt.dmp1.value) + OPENSSL_free(sw_param.up.crt.dmp1.value); + if(sw_param.up.crt.dmq1.value) + OPENSSL_free(sw_param.up.crt.dmq1.value); + if(sw_param.up.crt.iqmp.value) + OPENSSL_free(sw_param.up.crt.iqmp.value); + if(result) + BN_free(result); + if(argument) + BN_free(argument); if(acquired) release_context(hac); - BN_CTX_end(ctx); return to_return; } 
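Review bot: The new err: cleanup in cswift_mod_exp_crt frees the heap copies of p, q, dmp1, dmq1 and iqmp with plain OPENSSL_free, so RSA private-key material stays readable in freed memory. Each buffer should be wiped before release, and argument and result are better released with BN_clear_free, since they carry the input and output of a private-key operation. In the preceding hunk, a failed BN_new() is still reported as CSWIFT_R_BN_CTX_FULL although no BN_CTX slot is involved any more.

```c
err:
	if(sw_param.up.crt.p.value)
		{
		OPENSSL_cleanse(sw_param.up.crt.p.value, sw_param.up.crt.p.nbytes);
		OPENSSL_free(sw_param.up.crt.p.value);
		}
	/* … same cleanse-then-free pair for q, dmp1, dmq1 and iqmp … */
	if(result)
		BN_clear_free(result);
	if(argument)
		BN_clear_free(argument);
	/* … unchanged: release_context, return … */
```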
@@ -665,6 +717,27 @@ static int cswift_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) { BN_CTX *ctx; int to_return = 0; + const RSA_METHOD * def_rsa_method; + + /* Try the limits of RSA (2048 bits) */ + if(BN_num_bytes(rsa->p) > 128 || + BN_num_bytes(rsa->q) > 128 || + BN_num_bytes(rsa->dmp1) > 128 || + BN_num_bytes(rsa->dmq1) > 128 || + BN_num_bytes(rsa->iqmp) > 128) + { +#ifdef RSA_NULL + def_rsa_method=RSA_null_method(); +#else +#if 0 + def_rsa_method=RSA_PKCS1_RSAref(); +#else + def_rsa_method=RSA_PKCS1_SSLeay(); +#endif +#endif + if(def_rsa_method) + return def_rsa_method->rsa_mod_exp(r0, I, rsa); + } if((ctx = BN_CTX_new()) == NULL) goto err; @@ -686,6 +759,26 @@ err: static int cswift_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) { + const RSA_METHOD * def_rsa_method; + + /* Try the limits of RSA (2048 bits) */ + if(BN_num_bytes(r) > 256 || + BN_num_bytes(a) > 256 || + BN_num_bytes(m) > 256) + { +#ifdef RSA_NULL + def_rsa_method=RSA_null_method(); +#else +#if 0 + def_rsa_method=RSA_PKCS1_RSAref(); +#else + def_rsa_method=RSA_PKCS1_SSLeay(); +#endif +#endif + if(def_rsa_method) + return def_rsa_method->bn_mod_exp(r, a, p, m, ctx, m_ctx); + } + return cswift_mod_exp(r, a, p, m, ctx); } @@ -930,9 +1023,10 @@ static int cswift_rand_bytes(unsigned char *buf, int num) SW_CONTEXT_HANDLE hac; SW_STATUS swrc; SW_LARGENUMBER largenum; - size_t nbytes = 0; int acquired = 0; int to_return = 0; /* assume failure */ + unsigned char buf32[1024]; + if (!get_context(&hac)) { 
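Review bot: The size guard added to cswift_mod_exp_mont tests `BN_num_bytes(r)`, but r is the output and holds whatever the caller left in it, while the exponent p is not checked at all. The fallback decision should presumably depend on the inputs only: `if(BN_num_bytes(a) > 256 || BN_num_bytes(p) > 256 || BN_num_bytes(m) > 256)`. The comment "Try the limits of RSA (2048 bits)" is copied from cswift_rsa_mod_exp, where the bound is 128 bytes per CRT component; a line saying why 256 applies here would help. The RSA_NULL / RSA_PKCS1_SSLeay selection block is duplicated in both functions and could be one small static helper.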
@@ -941,17 +1035,19 @@ static int cswift_rand_bytes(unsigned char *buf, int num) } acquired = 1; - while (nbytes < (size_t)num) + /************************************************************************/ + /* 04/02/2003 */ + /* Modified by Frederic Giudicelli (deny-all.com) to overcome the */ + /* limitation of cswift with values not a multiple of 32 */ + /************************************************************************/ + + while(num >= sizeof(buf32)) { + largenum.value = buf; + largenum.nbytes = sizeof(buf32); /* tell CryptoSwift how many bytes we want and where we want it. * Note: - CryptoSwift cannot do more than 4096 bytes at a time. * - CryptoSwift can only do multiple of 32-bits. */ - largenum.value = (SW_BYTE *) buf + nbytes; - if (4096 > num - nbytes) - largenum.nbytes = num - nbytes; - else - largenum.nbytes = 4096; - swrc = p_CSwift_SimpleRequest(hac, SW_CMD_RAND, NULL, 0, &largenum, 1); if (swrc != SW_OK) { @@ -961,14 +1057,30 @@ static int cswift_rand_bytes(unsigned char *buf, int num) ERR_add_error_data(2, "CryptoSwift error number is ", tmpbuf); goto err; } - - nbytes += largenum.nbytes; + buf += sizeof(buf32); + num -= sizeof(buf32); + } + if(num) + { + largenum.nbytes = sizeof(buf32); + largenum.value = buf32; + swrc = p_CSwift_SimpleRequest(hac, SW_CMD_RAND, NULL, 0, &largenum, 1); + if (swrc != SW_OK) + { + char tmpbuf[20]; + CSWIFTerr(CSWIFT_F_CSWIFT_CTRL, CSWIFT_R_REQUEST_FAILED); + sprintf(tmpbuf, "%ld", swrc); + ERR_add_error_data(2, "CryptoSwift error number is ", tmpbuf); + goto err; + } + memcpy(buf, largenum.value, num); } - to_return = 1; /* success */ + to_return = 1; /* success */ err: if (acquired) release_context(hac); + return to_return; } diff --git a/src/lib/libcrypto/engine/hw_ubsec.c b/src/lib/libcrypto/engine/hw_ubsec.c index 5234a08a07..8fb834af31 100644 --- a/src/lib/libcrypto/engine/hw_ubsec.c +++ b/src/lib/libcrypto/engine/hw_ubsec.c 
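Review bot: `while(num >= sizeof(buf32))` compares a signed int with a size_t, so num is converted to unsigned. A negative num would satisfy the condition and the loop would have the device write 1024-byte chunks past the end of buf. Whether any caller can pass a negative count is not visible here, but the guard is cheap: `while (num >= (int)sizeof(buf32))`. The retained comment about the 4096-byte and 32-bit limits now sits after the assignments it used to explain and no longer matches the 1024-byte chunking; it should be updated or moved.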
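Review bot: The tail path leaves random output on the stack. After `memcpy(buf, largenum.value, num)`, buf32 still holds the bytes handed to the caller plus the unused remainder, and the function returns without clearing it. Adding `OPENSSL_cleanse(buf32, sizeof(buf32));` under the err: label covers both outcomes, since the success path falls through to it. The duplicated error block also formats a long into `char tmpbuf[20]` with sprintf, which leaves no room for the terminator of a 20-character value where long is 64 bits; `BIO_snprintf(tmpbuf, sizeof(tmpbuf), "%ld", swrc);` bounds it.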
@@ -454,6 +454,7 @@ static int ubsec_init(ENGINE *e) err: if(ubsec_dso) DSO_free(ubsec_dso); + ubsec_dso = NULL; p_UBSEC_ubsec_bytes_to_bits = NULL; p_UBSEC_ubsec_bits_to_bytes = NULL; p_UBSEC_ubsec_open = NULL; diff --git a/src/lib/libcrypto/err/Makefile b/src/lib/libcrypto/err/Makefile index 149f3e0eb9..4adec55302 100644 --- a/src/lib/libcrypto/err/Makefile +++ b/src/lib/libcrypto/err/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/err/Makefile +# OpenSSL/crypto/err/Makefile # DIR= err diff --git a/src/lib/libcrypto/evp/Makefile b/src/lib/libcrypto/evp/Makefile index 5027a3855a..d1c2a272bb 100644 --- a/src/lib/libcrypto/evp/Makefile +++ b/src/lib/libcrypto/evp/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/evp/Makefile +# OpenSSL/crypto/evp/Makefile # DIR= evp diff --git a/src/lib/libcrypto/evp/c_alld.c b/src/lib/libcrypto/evp/c_alld.c index aae7bf7482..929ea56a3e 100644 --- a/src/lib/libcrypto/evp/c_alld.c +++ b/src/lib/libcrypto/evp/c_alld.c @@ -99,5 +99,15 @@ void OpenSSL_add_all_digests(void) EVP_add_digest(EVP_ripemd160()); EVP_add_digest_alias(SN_ripemd160,"ripemd"); EVP_add_digest_alias(SN_ripemd160,"rmd160"); +#endif +#ifdef OPENSSL_FIPS +#ifndef OPENSSL_NO_SHA256 + EVP_add_digest(EVP_sha224()); + EVP_add_digest(EVP_sha256()); +#endif +#ifndef OPENSSL_NO_SHA512 + EVP_add_digest(EVP_sha384()); + EVP_add_digest(EVP_sha512()); +#endif #endif } diff --git a/src/lib/libcrypto/evp/m_sha.c b/src/lib/libcrypto/evp/m_sha.c index d1785e5f74..ed54909b16 100644 --- a/src/lib/libcrypto/evp/m_sha.c +++ b/src/lib/libcrypto/evp/m_sha.c @@ -59,6 +59,9 @@ #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0) #include #include "cryptlib.h" +/* Including sha.h prior evp.h masks FIPS SHA declarations, but that's + * exactly what we want to achieve here... */ +#include #include #include "evp_locl.h" #include diff --git a/src/lib/libcrypto/hmac/Makefile b/src/lib/libcrypto/hmac/Makefile index f634dab79d..3d53d8240f 100644 --- a/src/lib/libcrypto/hmac/Makefile 
+++ b/src/lib/libcrypto/hmac/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/md/Makefile +# OpenSSL/crypto/md/Makefile # DIR= hmac diff --git a/src/lib/libcrypto/idea/Makefile b/src/lib/libcrypto/idea/Makefile index f652783027..6b8e530d9d 100644 --- a/src/lib/libcrypto/idea/Makefile +++ b/src/lib/libcrypto/idea/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/idea/Makefile +# OpenSSL/crypto/idea/Makefile # DIR= idea @@ -86,7 +86,7 @@ i_ecb.o: ../../include/openssl/opensslv.h i_ecb.c idea_lcl.h i_ofb64.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h i_ofb64.o: i_ofb64.c idea_lcl.h i_skey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h -i_skey.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h -i_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h -i_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -i_skey.o: i_skey.c idea_lcl.h +i_skey.o: ../../include/openssl/fips.h ../../include/openssl/idea.h +i_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +i_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +i_skey.o: ../../include/openssl/symhacks.h i_skey.c idea_lcl.h diff --git a/src/lib/libcrypto/lhash/Makefile b/src/lib/libcrypto/lhash/Makefile index d325a1644d..cdb0e77fad 100644 --- a/src/lib/libcrypto/lhash/Makefile +++ b/src/lib/libcrypto/lhash/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/lhash/Makefile +# OpenSSL/crypto/lhash/Makefile # DIR= lhash diff --git a/src/lib/libcrypto/md2/Makefile b/src/lib/libcrypto/md2/Makefile index 90628511da..9d0351bb2f 100644 --- a/src/lib/libcrypto/md2/Makefile +++ b/src/lib/libcrypto/md2/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/md/Makefile +# OpenSSL/crypto/md/Makefile # DIR= md2 diff --git a/src/lib/libcrypto/md2/md2_one.c b/src/lib/libcrypto/md2/md2_one.c index 835160ef56..8c36ba5779 100644 --- a/src/lib/libcrypto/md2/md2_one.c +++ b/src/lib/libcrypto/md2/md2_one.c 
@@ -69,7 +69,8 @@ unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md) static unsigned char m[MD2_DIGEST_LENGTH]; if (md == NULL) md=m; - MD2_Init(&c); + if (!MD2_Init(&c)) + return NULL; #ifndef CHARSET_EBCDIC MD2_Update(&c,d,n); #else diff --git a/src/lib/libcrypto/md4/Makefile b/src/lib/libcrypto/md4/Makefile index 0b7c8d7ad8..eeb457f20f 100644 --- a/src/lib/libcrypto/md4/Makefile +++ b/src/lib/libcrypto/md4/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/md4/Makefile +# OpenSSL/crypto/md4/Makefile # DIR= md4 diff --git a/src/lib/libcrypto/md5/Makefile b/src/lib/libcrypto/md5/Makefile index 832446fff2..1ed018526f 100644 --- a/src/lib/libcrypto/md5/Makefile +++ b/src/lib/libcrypto/md5/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/md5/Makefile +# OpenSSL/crypto/md5/Makefile # DIR= md5 diff --git a/src/lib/libcrypto/mdc2/Makefile b/src/lib/libcrypto/mdc2/Makefile index 38c785bf95..b8e9a9a4fa 100644 --- a/src/lib/libcrypto/mdc2/Makefile +++ b/src/lib/libcrypto/mdc2/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/mdc2/Makefile +# OpenSSL/crypto/mdc2/Makefile # DIR= mdc2 diff --git a/src/lib/libcrypto/objects/Makefile b/src/lib/libcrypto/objects/Makefile index e449147129..23b2a69e6d 100644 --- a/src/lib/libcrypto/objects/Makefile +++ b/src/lib/libcrypto/objects/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/objects/Makefile +# OpenSSL/crypto/objects/Makefile # DIR= objects diff --git a/src/lib/libcrypto/objects/obj_dat.h b/src/lib/libcrypto/objects/obj_dat.h index 8785127055..cc22152682 100644 --- a/src/lib/libcrypto/objects/obj_dat.h +++ b/src/lib/libcrypto/objects/obj_dat.h 
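Review bot: MD2() can now return NULL when MD2_Init() fails, which changes its contract: a caller that passes the result straight on without a NULL check would dereference a null pointer instead of receiving a digest. Nothing in the hunk documents the new return value, and the `MD2_Update` call that follows (plus whatever finalises the context outside the hunk) is still unchecked. A header comment such as `/* Returns NULL if the digest context cannot be initialised. */` would make the new failure mode visible to callers. The sha_one.c hunk later in this diff makes the same change to SHA() and needs the same note; the body of MD2() continues past the end of this hunk.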
@@ -62,12 +62,12 @@ * [including the GNU Public Licence.] */ -#define NUM_NID 668 -#define NUM_SN 660 -#define NUM_LN 660 -#define NUM_OBJ 624 +#define NUM_NID 676 +#define NUM_SN 669 +#define NUM_LN 669 +#define NUM_OBJ 633 -static unsigned char lvalues[4500]={ +static unsigned char lvalues[4575]={ 0x00, /* [ 0] OBJ_undef */ 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 1] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 7] OBJ_pkcs */ @@ -330,9 +330,9 @@ static unsigned char lvalues[4500]={ 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x04, /* [2092] OBJ_ac_auditEntity */ 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x05, /* [2100] OBJ_ac_targeting */ 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x06, /* [2108] OBJ_aaControls */ -0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x07, /* [2116] OBJ_sbqp_ipAddrBlock */ -0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x08, /* [2124] OBJ_sbqp_autonomousSysNum */ -0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x09, /* [2132] OBJ_sbqp_routerIdentifier */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x07, /* [2116] OBJ_sbgp_ipAddrBlock */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x08, /* [2124] OBJ_sbgp_autonomousSysNum */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x09, /* [2132] OBJ_sbgp_routerIdentifier */ 0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x03, /* [2140] OBJ_textNotice */ 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x05, /* [2148] OBJ_ipsecEndSystem */ 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x06, /* [2156] OBJ_ipsecTunnel */ 
@@ -691,7 +691,16 @@ static unsigned char lvalues[4500]={ 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0E, /* [4467] OBJ_proxyCertInfo */ 0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x00, /* [4475] OBJ_id_ppl_anyLanguage */ 0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x01, /* [4483] OBJ_id_ppl_inheritAll */ -0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x02, /* [4491] OBJ_Independent */ +0x55,0x1D,0x1E, /* [4491] OBJ_name_constraints */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x02, /* [4494] OBJ_Independent */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,/* [4502] OBJ_sha256WithRSAEncryption */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0C,/* [4511] OBJ_sha384WithRSAEncryption */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0D,/* [4520] OBJ_sha512WithRSAEncryption */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0E,/* [4529] OBJ_sha224WithRSAEncryption */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,/* [4538] OBJ_sha256 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,/* [4547] OBJ_sha384 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,/* [4556] OBJ_sha512 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x04,/* [4565] OBJ_sha224 */ }; static ASN1_OBJECT nid_objs[NUM_NID]={ 
@@ -1134,12 +1143,12 @@ static ASN1_OBJECT nid_objs[NUM_NID]={ &(lvalues[2092]),0}, {"ac-targeting","ac-targeting",NID_ac_targeting,8,&(lvalues[2100]),0}, {"aaControls","aaControls",NID_aaControls,8,&(lvalues[2108]),0}, -{"sbqp-ipAddrBlock","sbqp-ipAddrBlock",NID_sbqp_ipAddrBlock,8, +{"sbgp-ipAddrBlock","sbgp-ipAddrBlock",NID_sbgp_ipAddrBlock,8, &(lvalues[2116]),0}, -{"sbqp-autonomousSysNum","sbqp-autonomousSysNum", - NID_sbqp_autonomousSysNum,8,&(lvalues[2124]),0}, -{"sbqp-routerIdentifier","sbqp-routerIdentifier", - NID_sbqp_routerIdentifier,8,&(lvalues[2132]),0}, +{"sbgp-autonomousSysNum","sbgp-autonomousSysNum", + NID_sbgp_autonomousSysNum,8,&(lvalues[2124]),0}, +{"sbgp-routerIdentifier","sbgp-routerIdentifier", + NID_sbgp_routerIdentifier,8,&(lvalues[2132]),0}, {"textNotice","textNotice",NID_textNotice,8,&(lvalues[2140]),0}, {"ipsecEndSystem","IPSec End System",NID_ipsecEndSystem,8, &(lvalues[2148]),0}, @@ -1754,8 +1763,21 @@ static ASN1_OBJECT nid_objs[NUM_NID]={ &(lvalues[4475]),0}, {"id-ppl-inheritAll","Inherit all",NID_id_ppl_inheritAll,8, &(lvalues[4483]),0}, -{NULL,NULL,NID_undef,0,NULL}, -{"id-ppl-independent","Independent",NID_Independent,8,&(lvalues[4491]),0}, +{"nameConstraints","X509v3 Name Constraints",NID_name_constraints,3, + &(lvalues[4491]),0}, +{"id-ppl-independent","Independent",NID_Independent,8,&(lvalues[4494]),0}, +{"RSA-SHA256","sha256WithRSAEncryption",NID_sha256WithRSAEncryption,9, + &(lvalues[4502]),0}, +{"RSA-SHA384","sha384WithRSAEncryption",NID_sha384WithRSAEncryption,9, + &(lvalues[4511]),0}, +{"RSA-SHA512","sha512WithRSAEncryption",NID_sha512WithRSAEncryption,9, + &(lvalues[4520]),0}, +{"RSA-SHA224","sha224WithRSAEncryption",NID_sha224WithRSAEncryption,9, + &(lvalues[4529]),0}, +{"SHA256","sha256",NID_sha256,9,&(lvalues[4538]),0}, +{"SHA384","sha384",NID_sha384,9,&(lvalues[4547]),0}, +{"SHA512","sha512",NID_sha512,9,&(lvalues[4556]),0}, +{"SHA224","sha224",NID_sha224,9,&(lvalues[4565]),0}, }; static ASN1_OBJECT *sn_objs[NUM_SN]={ 
@@ -1881,8 +1903,16 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[42]),/* "RSA-SHA" */ &(nid_objs[65]),/* "RSA-SHA1" */ &(nid_objs[115]),/* "RSA-SHA1-2" */ +&(nid_objs[671]),/* "RSA-SHA224" */ +&(nid_objs[668]),/* "RSA-SHA256" */ +&(nid_objs[669]),/* "RSA-SHA384" */ +&(nid_objs[670]),/* "RSA-SHA512" */ &(nid_objs[41]),/* "SHA" */ &(nid_objs[64]),/* "SHA1" */ +&(nid_objs[675]),/* "SHA224" */ +&(nid_objs[672]),/* "SHA256" */ +&(nid_objs[673]),/* "SHA384" */ +&(nid_objs[674]),/* "SHA512" */ &(nid_objs[188]),/* "SMIME" */ &(nid_objs[167]),/* "SMIME-CAPS" */ &(nid_objs[100]),/* "SN" */ @@ -2182,6 +2212,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[649]),/* "msUPN" */ &(nid_objs[481]),/* "nSRecord" */ &(nid_objs[173]),/* "name" */ +&(nid_objs[666]),/* "nameConstraints" */ &(nid_objs[369]),/* "noCheck" */ &(nid_objs[403]),/* "noRevAvail" */ &(nid_objs[72]),/* "nsBaseUrl" */ @@ -2254,9 +2285,9 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[ 1]),/* "rsadsi" */ &(nid_objs[482]),/* "sOARecord" */ &(nid_objs[155]),/* "safeContentsBag" */ -&(nid_objs[291]),/* "sbqp-autonomousSysNum" */ -&(nid_objs[290]),/* "sbqp-ipAddrBlock" */ -&(nid_objs[292]),/* "sbqp-routerIdentifier" */ +&(nid_objs[291]),/* "sbgp-autonomousSysNum" */ +&(nid_objs[290]),/* "sbgp-ipAddrBlock" */ +&(nid_objs[292]),/* "sbgp-routerIdentifier" */ &(nid_objs[159]),/* "sdsiCertificate" */ &(nid_objs[154]),/* "secretBag" */ &(nid_objs[474]),/* "secretary" */ @@ -2517,6 +2548,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[126]),/* "X509v3 Extended Key Usage" */ &(nid_objs[86]),/* "X509v3 Issuer Alternative Name" */ &(nid_objs[83]),/* "X509v3 Key Usage" */ +&(nid_objs[666]),/* "X509v3 Name Constraints" */ &(nid_objs[403]),/* "X509v3 No Revocation Available" */ &(nid_objs[401]),/* "X509v3 Policy Constraints" */ &(nid_objs[84]),/* "X509v3 Private Key Usage Period" */ 
@@ -2930,9 +2962,9 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[124]),/* "run length compression" */ &(nid_objs[482]),/* "sOARecord" */ &(nid_objs[155]),/* "safeContentsBag" */ -&(nid_objs[291]),/* "sbqp-autonomousSysNum" */ -&(nid_objs[290]),/* "sbqp-ipAddrBlock" */ -&(nid_objs[292]),/* "sbqp-routerIdentifier" */ +&(nid_objs[291]),/* "sbgp-autonomousSysNum" */ +&(nid_objs[290]),/* "sbgp-ipAddrBlock" */ +&(nid_objs[292]),/* "sbgp-routerIdentifier" */ &(nid_objs[159]),/* "sdsiCertificate" */ &(nid_objs[154]),/* "secretBag" */ &(nid_objs[474]),/* "secretary" */ @@ -3059,6 +3091,14 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[64]),/* "sha1" */ &(nid_objs[115]),/* "sha1WithRSA" */ &(nid_objs[65]),/* "sha1WithRSAEncryption" */ +&(nid_objs[675]),/* "sha224" */ +&(nid_objs[671]),/* "sha224WithRSAEncryption" */ +&(nid_objs[672]),/* "sha256" */ +&(nid_objs[668]),/* "sha256WithRSAEncryption" */ +&(nid_objs[673]),/* "sha384" */ +&(nid_objs[669]),/* "sha384WithRSAEncryption" */ +&(nid_objs[674]),/* "sha512" */ +&(nid_objs[670]),/* "sha512WithRSAEncryption" */ &(nid_objs[42]),/* "shaWithRSAEncryption" */ &(nid_objs[52]),/* "signingTime" */ &(nid_objs[454]),/* "simpleSecurityObject" */ @@ -3133,6 +3173,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[430]),/* OBJ_hold_instruction_code 2 5 29 23 */ &(nid_objs[142]),/* OBJ_invalidity_date 2 5 29 24 */ &(nid_objs[140]),/* OBJ_delta_crl 2 5 29 27 */ +&(nid_objs[666]),/* OBJ_name_constraints 2 5 29 30 */ &(nid_objs[103]),/* OBJ_crl_distribution_points 2 5 29 31 */ &(nid_objs[89]),/* OBJ_certificate_policies 2 5 29 32 */ &(nid_objs[90]),/* OBJ_authority_key_identifier 2 5 29 35 */ 
@@ -3383,9 +3424,9 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[287]),/* OBJ_ac_auditEntity 1 3 6 1 5 5 7 1 4 */ &(nid_objs[288]),/* OBJ_ac_targeting 1 3 6 1 5 5 7 1 5 */ &(nid_objs[289]),/* OBJ_aaControls 1 3 6 1 5 5 7 1 6 */ -&(nid_objs[290]),/* OBJ_sbqp_ipAddrBlock 1 3 6 1 5 5 7 1 7 */ -&(nid_objs[291]),/* OBJ_sbqp_autonomousSysNum 1 3 6 1 5 5 7 1 8 */ -&(nid_objs[292]),/* OBJ_sbqp_routerIdentifier 1 3 6 1 5 5 7 1 9 */ +&(nid_objs[290]),/* OBJ_sbgp_ipAddrBlock 1 3 6 1 5 5 7 1 7 */ +&(nid_objs[291]),/* OBJ_sbgp_autonomousSysNum 1 3 6 1 5 5 7 1 8 */ +&(nid_objs[292]),/* OBJ_sbgp_routerIdentifier 1 3 6 1 5 5 7 1 9 */ &(nid_objs[397]),/* OBJ_ac_proxying 1 3 6 1 5 5 7 1 10 */ &(nid_objs[398]),/* OBJ_sinfo_access 1 3 6 1 5 5 7 1 11 */ &(nid_objs[663]),/* OBJ_proxyCertInfo 1 3 6 1 5 5 7 1 14 */ @@ -3480,6 +3521,10 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[ 8]),/* OBJ_md5WithRSAEncryption 1 2 840 113549 1 1 4 */ &(nid_objs[65]),/* OBJ_sha1WithRSAEncryption 1 2 840 113549 1 1 5 */ &(nid_objs[644]),/* OBJ_rsaOAEPEncryptionSET 1 2 840 113549 1 1 6 */ +&(nid_objs[668]),/* OBJ_sha256WithRSAEncryption 1 2 840 113549 1 1 11 */ +&(nid_objs[669]),/* OBJ_sha384WithRSAEncryption 1 2 840 113549 1 1 12 */ +&(nid_objs[670]),/* OBJ_sha512WithRSAEncryption 1 2 840 113549 1 1 13 */ +&(nid_objs[671]),/* OBJ_sha224WithRSAEncryption 1 2 840 113549 1 1 14 */ &(nid_objs[28]),/* OBJ_dhKeyAgreement 1 2 840 113549 1 3 1 */ &(nid_objs[ 9]),/* OBJ_pbeWithMD2AndDES_CBC 1 2 840 113549 1 5 1 */ &(nid_objs[10]),/* OBJ_pbeWithMD5AndDES_CBC 1 2 840 113549 1 5 3 */ 
@@ -3544,6 +3589,10 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[427]),/* OBJ_aes_256_cbc 2 16 840 1 101 3 4 1 42 */ &(nid_objs[428]),/* OBJ_aes_256_ofb128 2 16 840 1 101 3 4 1 43 */ &(nid_objs[429]),/* OBJ_aes_256_cfb128 2 16 840 1 101 3 4 1 44 */ +&(nid_objs[672]),/* OBJ_sha256 2 16 840 1 101 3 4 2 1 */ +&(nid_objs[673]),/* OBJ_sha384 2 16 840 1 101 3 4 2 2 */ +&(nid_objs[674]),/* OBJ_sha512 2 16 840 1 101 3 4 2 3 */ +&(nid_objs[675]),/* OBJ_sha224 2 16 840 1 101 3 4 2 4 */ &(nid_objs[71]),/* OBJ_netscape_cert_type 2 16 840 1 113730 1 1 */ &(nid_objs[72]),/* OBJ_netscape_base_url 2 16 840 1 113730 1 2 */ &(nid_objs[73]),/* OBJ_netscape_revocation_url 2 16 840 1 113730 1 3 */ diff --git a/src/lib/libcrypto/objects/obj_mac.h b/src/lib/libcrypto/objects/obj_mac.h index d28894cf41..51bb50047f 100644 --- a/src/lib/libcrypto/objects/obj_mac.h +++ b/src/lib/libcrypto/objects/obj_mac.h @@ -241,6 +241,26 @@ #define NID_sha1WithRSAEncryption 65 #define OBJ_sha1WithRSAEncryption OBJ_pkcs1,5L +#define SN_sha256WithRSAEncryption "RSA-SHA256" +#define LN_sha256WithRSAEncryption "sha256WithRSAEncryption" +#define NID_sha256WithRSAEncryption 668 +#define OBJ_sha256WithRSAEncryption OBJ_pkcs1,11L + +#define SN_sha384WithRSAEncryption "RSA-SHA384" +#define LN_sha384WithRSAEncryption "sha384WithRSAEncryption" +#define NID_sha384WithRSAEncryption 669 +#define OBJ_sha384WithRSAEncryption OBJ_pkcs1,12L + +#define SN_sha512WithRSAEncryption "RSA-SHA512" +#define LN_sha512WithRSAEncryption "sha512WithRSAEncryption" +#define NID_sha512WithRSAEncryption 670 +#define OBJ_sha512WithRSAEncryption OBJ_pkcs1,13L + +#define SN_sha224WithRSAEncryption "RSA-SHA224" +#define LN_sha224WithRSAEncryption "sha224WithRSAEncryption" +#define NID_sha224WithRSAEncryption 671 +#define OBJ_sha224WithRSAEncryption OBJ_pkcs1,14L + #define SN_pkcs3 "pkcs3" #define NID_pkcs3 27 #define OBJ_pkcs3 OBJ_pkcs,3L 
@@ -1048,17 +1068,17 @@ #define NID_aaControls 289 #define OBJ_aaControls OBJ_id_pe,6L -#define SN_sbqp_ipAddrBlock "sbqp-ipAddrBlock" -#define NID_sbqp_ipAddrBlock 290 -#define OBJ_sbqp_ipAddrBlock OBJ_id_pe,7L +#define SN_sbgp_ipAddrBlock "sbgp-ipAddrBlock" +#define NID_sbgp_ipAddrBlock 290 +#define OBJ_sbgp_ipAddrBlock OBJ_id_pe,7L -#define SN_sbqp_autonomousSysNum "sbqp-autonomousSysNum" -#define NID_sbqp_autonomousSysNum 291 -#define OBJ_sbqp_autonomousSysNum OBJ_id_pe,8L +#define SN_sbgp_autonomousSysNum "sbgp-autonomousSysNum" +#define NID_sbgp_autonomousSysNum 291 +#define OBJ_sbgp_autonomousSysNum OBJ_id_pe,8L -#define SN_sbqp_routerIdentifier "sbqp-routerIdentifier" -#define NID_sbqp_routerIdentifier 292 -#define OBJ_sbqp_routerIdentifier OBJ_id_pe,9L +#define SN_sbgp_routerIdentifier "sbgp-routerIdentifier" +#define NID_sbgp_routerIdentifier 292 +#define OBJ_sbgp_routerIdentifier OBJ_id_pe,9L #define SN_ac_proxying "ac-proxying" #define NID_ac_proxying 397 @@ -1779,6 +1799,11 @@ #define NID_delta_crl 140 #define OBJ_delta_crl OBJ_id_ce,27L +#define SN_name_constraints "nameConstraints" +#define LN_name_constraints "X509v3 Name Constraints" +#define NID_name_constraints 666 +#define OBJ_name_constraints OBJ_id_ce,30L + #define SN_crl_distribution_points "crlDistributionPoints" #define LN_crl_distribution_points "X509v3 CRL Distribution Points" #define NID_crl_distribution_points 103 
@@ -2081,6 +2106,28 @@ #define LN_des_ede3_cfb8 "des-ede3-cfb8" #define NID_des_ede3_cfb8 659 +#define OBJ_nist_hashalgs OBJ_nistAlgorithms,2L + +#define SN_sha256 "SHA256" +#define LN_sha256 "sha256" +#define NID_sha256 672 +#define OBJ_sha256 OBJ_nist_hashalgs,1L + +#define SN_sha384 "SHA384" +#define LN_sha384 "sha384" +#define NID_sha384 673 +#define OBJ_sha384 OBJ_nist_hashalgs,2L + +#define SN_sha512 "SHA512" +#define LN_sha512 "sha512" +#define NID_sha512 674 +#define OBJ_sha512 OBJ_nist_hashalgs,3L + +#define SN_sha224 "SHA224" +#define LN_sha224 "sha224" +#define NID_sha224 675 +#define OBJ_sha224 OBJ_nist_hashalgs,4L + #define SN_hold_instruction_code "holdInstructionCode" #define LN_hold_instruction_code "Hold Instruction Code" #define NID_hold_instruction_code 430 diff --git a/src/lib/libcrypto/pem/Makefile b/src/lib/libcrypto/pem/Makefile index f3dfea2ac8..fbc2b5d056 100644 --- a/src/lib/libcrypto/pem/Makefile +++ b/src/lib/libcrypto/pem/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/pem/Makefile +# OpenSSL/crypto/pem/Makefile # DIR= pem diff --git a/src/lib/libcrypto/perlasm/x86nasm.pl b/src/lib/libcrypto/perlasm/x86nasm.pl index 5009acb4b3..4bdb3fe180 100644 --- a/src/lib/libcrypto/perlasm/x86nasm.pl +++ b/src/lib/libcrypto/perlasm/x86nasm.pl @@ -221,7 +221,15 @@ sub using486 sub main'file { - push(@out, "segment .text use32\n"); + local $tmp; + $tmp=<<___; +%ifdef __omf__ +section code use32 class=code +%else +section .text +%endif +___ + push(@out,$tmp); } sub main'function_begin diff --git a/src/lib/libcrypto/pkcs12/Makefile b/src/lib/libcrypto/pkcs12/Makefile index 854b641f7c..bef4f27912 100644 --- a/src/lib/libcrypto/pkcs12/Makefile +++ b/src/lib/libcrypto/pkcs12/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/pkcs12/Makefile +# OpenSSL/crypto/pkcs12/Makefile # DIR= pkcs12 diff --git a/src/lib/libcrypto/pkcs7/Makefile b/src/lib/libcrypto/pkcs7/Makefile index f15c65f690..a213ae2227 100644 --- a/src/lib/libcrypto/pkcs7/Makefile 
+++ b/src/lib/libcrypto/pkcs7/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/pkcs7/Makefile +# OpenSSL/crypto/pkcs7/Makefile # DIR= pkcs7 diff --git a/src/lib/libcrypto/rand/Makefile b/src/lib/libcrypto/rand/Makefile index 665eaa18e5..b1d1a75f98 100644 --- a/src/lib/libcrypto/rand/Makefile +++ b/src/lib/libcrypto/rand/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/rand/Makefile +# OpenSSL/crypto/rand/Makefile # DIR= rand diff --git a/src/lib/libcrypto/rc2/Makefile b/src/lib/libcrypto/rc2/Makefile index 18edaca6c6..34080ab741 100644 --- a/src/lib/libcrypto/rc2/Makefile +++ b/src/lib/libcrypto/rc2/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/rc2/Makefile +# OpenSSL/crypto/rc2/Makefile # DIR= rc2 @@ -82,7 +82,7 @@ rc2_cbc.o: rc2_cbc.c rc2_locl.h rc2_ecb.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h rc2_ecb.o: ../../include/openssl/rc2.h rc2_ecb.c rc2_locl.h rc2_skey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h -rc2_skey.o: ../../include/openssl/opensslconf.h +rc2_skey.o: ../../include/openssl/fips.h ../../include/openssl/opensslconf.h rc2_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h rc2_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h rc2_skey.o: ../../include/openssl/symhacks.h rc2_locl.h rc2_skey.c diff --git a/src/lib/libcrypto/rc2/rc2speed.c b/src/lib/libcrypto/rc2/rc2speed.c index 47d34b444e..4d0e1242ea 100644 --- a/src/lib/libcrypto/rc2/rc2speed.c +++ b/src/lib/libcrypto/rc2/rc2speed.c @@ -102,10 +102,10 @@ OPENSSL_DECLARE_EXIT #ifndef HZ #ifndef CLK_TCK #define HZ 100.0 -#endif -#else /* CLK_TCK */ +#else /* CLK_TCK */ #define HZ ((double)CLK_TCK) -#endif +#endif /* CLK_TCK */ +#endif /* HZ */ #define BUFSIZE ((long)1024) long run=0; diff --git a/src/lib/libcrypto/rc4/Makefile b/src/lib/libcrypto/rc4/Makefile index 64e06924f4..20d078ec87 100644 --- a/src/lib/libcrypto/rc4/Makefile +++ b/src/lib/libcrypto/rc4/Makefile 
@@ -1,5 +1,5 @@ # -# SSLeay/crypto/rc4/Makefile +# OpenSSL/crypto/rc4/Makefile # DIR= rc4 @@ -66,10 +66,14 @@ asm/rx86bsdi.o: asm/rx86unix.cpp asm/rx86unix.cpp: asm/rc4-586.pl ../perlasm/x86asm.pl (cd asm; $(PERL) rc4-586.pl cpp >rx86unix.cpp) -asm/rc4-amd64.s: asm/rc4-amd64.pl; $(PERL) asm/rc4-amd64.pl $@ +asm/rc4-x86_64.s: asm/rc4-x86_64.pl; $(PERL) asm/rc4-x86_64.pl $@ asm/rc4-ia64.s: asm/rc4-ia64.S - $(CC) $(CFLAGS) -E asm/rc4-ia64.S > $@ + @case `awk '/^#define RC4_INT/{print$$NF}' $(TOP)/include/openssl/opensslconf.h` in \ + int) set -x; $(CC) $(CFLAGS) -DSZ=4 -E asm/rc4-ia64.S > $@ ;; \ + char) set -x; $(CC) $(CFLAGS) -DSZ=1 -E asm/rc4-ia64.S > $@ ;; \ + *) exit 1 ;; \ + esac files: $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO @@ -116,7 +120,8 @@ rc4_enc.o: ../../include/openssl/symhacks.h ../cryptlib.h rc4_enc.c rc4_locl.h rc4_skey.o: ../../e_os.h ../../include/openssl/bio.h rc4_skey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h rc4_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -rc4_skey.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h +rc4_skey.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h +rc4_skey.o: ../../include/openssl/opensslconf.h rc4_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/rc4.h rc4_skey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h rc4_skey.o: ../../include/openssl/symhacks.h ../cryptlib.h rc4_locl.h diff --git a/src/lib/libcrypto/rc4/asm/rc4-ia64.S b/src/lib/libcrypto/rc4/asm/rc4-ia64.S index b517d2e88f..a322d0c718 100644 --- a/src/lib/libcrypto/rc4/asm/rc4-ia64.S +++ b/src/lib/libcrypto/rc4/asm/rc4-ia64.S @@ -7,7 +7,7 @@ // disclaimed. // ==================================================================== -.ident "rc4-ia64.S, Version 1.1" +.ident "rc4-ia64.S, Version 2.0" .ident "IA-64 ISA artwork by Andy Polyakov " // What's wrong with compiler generated code? Because of the nature of 
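Review bot: The `*) exit 1 ;;` arm of the new asm/rc4-ia64.s rule aborts the build without saying why, and because the recipe starts with `@` nothing has been echoed at that point either. When the awk lookup of RC4_INT in opensslconf.h yields anything other than `int` or `char`, including an empty string because the define is missing, the builder sees only a bare make error. Printing the reason first, e.g. `*) echo "rc4-ia64.S: unsupported RC4_INT" >&2; exit 1 ;; \`, keeps the safe failure and makes it diagnosable.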
@@ -27,17 +27,10 @@ // Legitimate "collisions" do occur within every 256^2 bytes window. // Fortunately there're enough free instruction slots to keep prior // reference to key[x+1], detect "collision" and compensate for it. -// All this without sacrificing a single clock cycle:-) -// Furthermore. In order to compress loop body to the minimum, I chose -// to deploy deposit instruction, which substitutes for the whole -// key->data+((x&255)<data[0]))). This unfortunately -// requires key->data to be aligned at sizeof(key->data) boundary. -// This is why you'll find "RC4_INT pad[512-256-2];" addenum to RC4_KEY -// and "d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1));" in -// rc4_skey.c [and rc4_enc.c, where it's retained for debugging -// purposes]. Throughput is ~210MBps on 900MHz CPU, which is is >3x -// faster than gcc generated code and +30% - if compared to HP-UX C. -// Unrolling loop below should give >30% on top of that... +// All this without sacrificing a single clock cycle:-) Throughput is +// ~210MBps on 900MHz CPU, which is is >3x faster than gcc generated +// code and +30% - if compared to HP-UX C. Unrolling loop below should +// give >30% on top of that... .text .explicit @@ -48,7 +41,9 @@ # define ADDP add #endif +#ifndef SZ #define SZ 4 // this is set to sizeof(RC4_INT) +#endif // SZ==4 seems to be optimal. At least SZ==8 is not any faster, not for // assembler implementation, while SZ==1 code is ~30% slower. #if SZ==1 // RC4_INT is unsigned char 
@@ -101,45 +96,53 @@ RC4: ADDP out=0,in3 brp.loop.imp .Ltop,.Lexit-16 };; { .mmi; LDKEY yy=[key] // load key->y - add ksch=(255+1)*SZ,key // as ksch will be used with - // deposit instruction only, - // I don't have to &~255... + add ksch=SZ,key mov ar.lc=in1 } { .mmi; mov key_y[1]=r0 // guarantee inequality // in first iteration add xx=1,xx mov pr.rot=1<<16 };; { .mii; nop.m 0 - dep key_x[1]=xx,ksch,OFF,8 + dep key_x[1]=xx,r0,OFF,8 mov ar.ec=3 };; // note that epilogue counter // is off by 1. I compensate // for this at exit... .Ltop: -// The loop is scheduled for 3*(n+2) spin-rate on Itanium 2, which +// The loop is scheduled for 4*(n+2) spin-rate on Itanium 2, which // theoretically gives asymptotic performance of clock frequency -// divided by 3 bytes per seconds, or 500MBps on 1.5GHz CPU. Measured -// performance however is distinctly lower than 1/4:-( The culplrit -// seems to be *(out++)=dat, which inadvertently splits the bundle, -// even though there is M-port available... Unrolling is due... -// Unrolled loop should collect output with variable shift instruction -// in order to avoid starvation for integer shifter... It should be -// possible to get pretty close to theoretical peak... -{ .mmi; (p16) LDKEY tx[0]=[key_x[1]] // tx=key[xx] - (p17) LDKEY ty[0]=[key_y[1]] // ty=key[yy] - (p18) dep rnd[1]=rnd[1],ksch,OFF,8} // &key[(tx+ty)&255] +// divided by 4 bytes per seconds, or 400MBps on 1.6GHz CPU. This is +// for sizeof(RC4_INT)==4. For smaller RC4_INT STKEY inadvertently +// splits the last bundle and you end up with 5*n spin-rate:-( +// Originally the loop was scheduled for 3*n and relied on key +// schedule to be aligned at 256*sizeof(RC4_INT) boundary. But +// *(out++)=dat, which maps to st1, had same effect [inadvertent +// bundle split] and holded the loop back. Rescheduling for 4*n +// made it possible to eliminate dependence on specific alignment +// and allow OpenSSH keep "abusing" our API. 
Reaching for 3*n would +// require unrolling, sticking to variable shift instruction for +// collecting output [to avoid starvation for integer shifter] and +// copying of key schedule to controlled place in stack [so that +// deposit instruction can serve as substitute for whole +// key->data+((x&255)<data[0])))]... { .mmi; (p19) st1 [out]=dat[3],1 // *(out++)=dat (p16) add xx=1,xx // x++ - (p16) cmp.ne.unc p20,p21=key_x[1],key_y[1] };; + (p18) dep rnd[1]=rnd[1],r0,OFF,8 } // ((tx+ty)&255)< 1) key->flags |= RSA_FLAG_NO_EXP_CONSTTIME; num = RSA_public_encrypt(plen, ptext_ex, ctext, key, RSA_PKCS1_PADDING); diff --git a/src/lib/libcrypto/sha/Makefile b/src/lib/libcrypto/sha/Makefile index 0426786aa0..46103bbc83 100644 --- a/src/lib/libcrypto/sha/Makefile +++ b/src/lib/libcrypto/sha/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/sha/Makefile +# OpenSSL/crypto/sha/Makefile # DIR= sha diff --git a/src/lib/libcrypto/sha/sha_one.c b/src/lib/libcrypto/sha/sha_one.c index e61c63f3e9..d4f4d344df 100644 --- a/src/lib/libcrypto/sha/sha_one.c +++ b/src/lib/libcrypto/sha/sha_one.c @@ -68,7 +68,8 @@ unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md) static unsigned char m[SHA_DIGEST_LENGTH]; if (md == NULL) md=m; - SHA_Init(&c); + if (!SHA_Init(&c)) + return NULL; SHA_Update(&c,d,n); SHA_Final(md,&c); OPENSSL_cleanse(&c,sizeof(c)); diff --git a/src/lib/libcrypto/stack/Makefile b/src/lib/libcrypto/stack/Makefile index 4d5199a000..711b16832a 100644 --- a/src/lib/libcrypto/stack/Makefile +++ b/src/lib/libcrypto/stack/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/stack/Makefile +# OpenSSL/crypto/stack/Makefile # DIR= stack diff --git a/src/lib/libcrypto/txt_db/Makefile b/src/lib/libcrypto/txt_db/Makefile index f91a08f006..3cb550a795 100644 --- a/src/lib/libcrypto/txt_db/Makefile +++ b/src/lib/libcrypto/txt_db/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/txt_db/Makefile +# OpenSSL/crypto/txt_db/Makefile # DIR= txt_db 
diff --git a/src/lib/libcrypto/util/checkhash.pl b/src/lib/libcrypto/util/checkhash.pl
new file mode 100644
index 0000000000..c61fa72178
--- /dev/null
+++ b/src/lib/libcrypto/util/checkhash.pl
@@ -0,0 +1,222 @@
+#!/usr/bin/env perl -w
+
+my $package = caller;
+
+if (!(defined $package))
+ {
+ my $retval = check_hashes(@ARGV);
+ exit $retval;
+ }
+
+1;
+
+sub check_hashes
+ {
+
+ my @args = @_;
+
+ my $change_dir = "";
+ my $check_program = "sha/fips_standalone_sha1";
+
+ my $verbose = 0;
+ my $badfiles = 0;
+ my $rebuild = 0;
+ my $force_rewrite = 0;
+ my $hash_file = "fipshashes.c";
+ my $recurse = 0;
+
+ my @fingerprint_files;
+
+ while (@args)
+ {
+ my $arg = $args[0];
+ if ($arg eq "-chdir")
+ {
+ shift @args;
+ $change_dir = shift @args;
+ }
+ elsif ($arg eq "-rebuild")
+ {
+ shift @args;
+ $rebuild = 1;
+ }
+ elsif ($arg eq "-verbose")
+ {
+ shift @args;
+ $verbose = 1;
+ }
+ elsif ($arg eq "-force-rewrite")
+ {
+ shift @args;
+ $force_rewrite = 1;
+ }
+ elsif ($arg eq "-hash_file")
+ {
+ shift @args;
+ $hash_file = shift @args;
+ }
+ elsif ($arg eq "-recurse")
+ {
+ shift @args;
+ $recurse = 1;
+ }
+ elsif ($arg eq "-program_path")
+ {
+ shift @args;
+ $check_program = shift @args;
+ }
+ else
+ {
+ print STDERR "Unknown Option $arg";
+ return 1;
+ }
+
+ }
+
+ chdir $change_dir if $change_dir ne "";
+
+ if ($recurse)
+ {
+ @fingerprint_files = ("fingerprint.sha1",
+ <*/fingerprint.sha1>);
+ }
+ else
+ {
+ push @fingerprint_files, $hash_file;
+ }
+
+ foreach $fp (@fingerprint_files)
+ {
+ if (!open(IN, "$fp"))
+ {
+ print STDERR "Can't open file $fp";
+ return 1;
+ }
+ print STDERR "Opening Fingerprint file $fp\n" if $verbose;
+ my $dir = $fp;
+ $dir =~ s/[^\/]*$//;
+ while ()
+ {
+ chomp;
+ if (!(($file, $hash) = /^\"HMAC-SHA1\((.*)\)\s*=\s*(\w*)\",$/))
+ {
+ /^\"/ || next;
+ print STDERR "FATAL: Invalid syntax in file $fp\n";
+ print STDERR "Line:\n$_\n";
+ fatal_error();
+ return 1;
+ }
+ if (!$rebuild && length($hash) != 40)
+ {
+ print STDERR "FATAL: Invalid hash length in $fp for file $file\n";
+ fatal_error();
+ return 1;
+ }
+ push @hashed_files, "$dir$file";
+ if (exists $hashes{"$dir$file"})
+ {
+ print STDERR "FATAL: Duplicate Hash file $dir$file\n";
+ fatal_error();
+ return 1;
+ }
+ if (! -r "$dir$file")
+ {
+ print STDERR "FATAL: Can't access $dir$file\n";
+ fatal_error();
+ return 1;
+ }
+ $hashes{"$dir$file"} = $hash;
+ }
+ close IN;
+ }
+
+ @checked_hashes = `$check_program @hashed_files`;
+
+ if ($? != 0)
+ {
+ print STDERR "Error running hash program $check_program\n";
+ fatal_error();
+ return 1;
+ }
+
+ if (@checked_hashes != @hashed_files)
+ {
+ print STDERR "FATAL: hash count incorrect\n";
+ fatal_error();
+ return 1;
+ }
+
+ foreach (@checked_hashes)
+ {
+ chomp;
+ if (!(($file, $hash) = /^HMAC-SHA1\((.*)\)\s*=\s*(\w*)$/))
+ {
+ print STDERR "FATAL: Invalid syntax in file $fp\n";
+ print STDERR "Line:\n$_\n";
+ fatal_error();
+ return 1;
+ }
+ if (length($hash) != 40)
+ {
+ print STDERR "FATAL: Invalid hash length for file $file\n";
+ fatal_error();
+ return 1;
+ }
+ if ($hash ne $hashes{$file})
+ {
+ if ($rebuild)
+ {
+ print STDERR "Updating hash on file $file\n";
+ $hashes{$file} = $hash;
+ }
+ else
+ {
+ print STDERR "Hash check failed for file $file\n";
+ }
+ $badfiles++;
+ }
+ elsif ($verbose)
+ { print "Hash Check OK for $file\n";}
+ }
+
+
+ if ($badfiles && !$rebuild)
+ {
+ print STDERR "FATAL: hash mismatch on $badfiles files\n";
+ fatal_error();
+ return 1;
+ }
+
+ if ($badfiles || $force_rewrite)
+ {
+ print "Updating Hash file $hash_file\n";
+ if (!open(OUT, ">$hash_file"))
+ {
+ print STDERR "Error rewriting $hash_file";
+ return 1;
+ }
+ print OUT "const char * const FIPS_source_hashes[] = {\n";
+ foreach (@hashed_files)
+ {
+ print OUT "\"HMAC-SHA1($_)= $hashes{$_}\",\n";
+ }
+ print OUT "};\n";
+ close OUT;
+ }
+
+ if (!$badfiles)
+ {
+ print "FIPS hash check successful\n";
+ }
+
+ return 0;
+
+ }
+
+
+sub fatal_error
+ {
+ print STDERR "*** Your source code does not match the FIPS validated source ***\n";
+ }
+
+
diff --git a/src/lib/libcrypto/util/fipslink.pl b/src/lib/libcrypto/util/fipslink.pl
new file mode 100644
index 0000000000..a893833c5c
--- /dev/null
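Review bot: The backtick call that fills `@checked_hashes` in check_hashes() hands one interpolated string to the shell, and every element of `@hashed_files` comes from the `(.*)` capture of a fingerprint-file line, so a file name containing spaces or shell metacharacters is split or interpreted instead of being hashed. The fence below runs the program through a list-form pipe open so the names reach it as separate arguments; confirm that form is available on every build host before adopting it. The same reasoning applies to the two-argument `open(IN, "$fp")` and `open(OUT, ">$hash_file")`, which should become `open(IN, '<', $fp)` and `open(OUT, '>', $hash_file)` because `-hash_file` is caller-supplied. The `(\w*)` capture combined with `length($hash) != 40` also accepts 40 non-hex word characters, where `$hash !~ /\A[0-9a-fA-F]{40}\z/` would state the intent.

```perl
	# List-form pipe open: no shell is involved, each file name is one argv entry.
	my $pid = open(my $hash_out, '-|', $check_program, @hashed_files);
	if (!$pid)
		{
		print STDERR "Error running hash program $check_program\n";
		fatal_error();
		return 1;
		}
	@checked_hashes = <$hash_out>;
	close $hash_out;	# sets $? to the exit status of the hash program

	if ($? != 0)
	# … unchanged: error report, hash count check and comparison loop …
```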
+++ b/src/lib/libcrypto/util/fipslink.pl 
@@ -0,0 +1,78 @@
+#!/usr/bin/perl
+
+sub check_env
+ {
+ my @ret;
+ foreach (@_)
+ {
+ die "Environment variable $_ not defined!\n" unless exists $ENV{$_};
+ push @ret, $ENV{$_};
+ }
+ return @ret;
+ }
+
+
+my ($fips_cc,$fips_cc_args, $fips_link,$fips_target, $fips_libdir, $sha1_exe)
+ = check_env("FIPS_CC", "FIPS_CC_ARGS", "FIPS_LINK", "FIPS_TARGET",
+ "FIPSLIB_D", "FIPS_SHA1_EXE");
+
+
+
+if (exists $ENV{"PREMAIN_DSO_EXE"})
+ {
+ $fips_premain_dso = $ENV{"PREMAIN_DSO_EXE"};
+ }
+ else
+ {
+ $fips_premain_dso = "";
+ }
+
+check_hash($sha1_exe, "fips_premain.c");
+check_hash($sha1_exe, "fipscanister.o");
+
+
+print "Integrity check OK\n";
+
+print "$fips_cc $fips_cc_args $fips_libdir/fips_premain.c\n";
+system "$fips_cc $fips_cc_args $fips_libdir/fips_premain.c";
+die "First stage Compile failure" if $? != 0;
+
+print "$fips_link @ARGV\n";
+system "$fips_link @ARGV";
+die "First stage Link failure" if $? != 0;
+
+
+print "$fips_premain_dso $fips_target\n";
+$fips_hash=`$fips_premain_dso $fips_target`;
+chomp $fips_hash;
+die "Get hash failure" if $? != 0;
+
+
+print "$fips_cc -DHMAC_SHA1_SIG=\\\"$fips_hash\\\" $fips_cc_args $fips_libdir/fips_premain.c\n";
+system "$fips_cc -DHMAC_SHA1_SIG=\\\"$fips_hash\\\" $fips_cc_args $fips_libdir/fips_premain.c";
+die "Second stage Compile failure" if $? != 0;
+
+
+print "$fips_link @ARGV\n";
+system "$fips_link @ARGV";
+die "Second stage Link failure" if $?
!= 0; + +sub check_hash + { + my ($sha1_exe, $filename) = @_; + my ($hashfile, $hashval); + + open(IN, "${fips_libdir}/${filename}.sha1") || die "Cannot open file hash file ${fips_libdir}/${filename}.sha1"; + $hashfile = ; + close IN; + $hashval = `$sha1_exe ${fips_libdir}/$filename`; + chomp $hashfile; + chomp $hashval; + $hashfile =~ s/^.*=\s+//; + $hashval =~ s/^.*=\s+//; + die "Invalid hash syntax in file" if (length($hashfile) != 40); + die "Invalid hash received for file" if (length($hashval) != 40); + die "***HASH VALUE MISMATCH FOR FILE $filename ***" if ($hashval ne $hashfile); + } + + diff --git a/src/lib/libcrypto/util/libeay.num b/src/lib/libcrypto/util/libeay.num index 56fb7446e0..4222bef6d6 100644 --- a/src/lib/libcrypto/util/libeay.num +++ b/src/lib/libcrypto/util/libeay.num @@ -2811,7 +2811,7 @@ EVP_aes_192_cfb8 3252 EXIST::FUNCTION:AES FIPS_mode_set 3253 EXIST:OPENSSL_FIPS:FUNCTION: FIPS_selftest_dsa 3254 EXIST:OPENSSL_FIPS:FUNCTION: EVP_aes_256_cfb8 3255 EXIST::FUNCTION:AES -FIPS_allow_md5 3256 EXIST:OPENSSL_FIPS:FUNCTION: +FIPS_allow_md5 3256 NOEXIST::FUNCTION: DES_ede3_cfb_encrypt 3257 EXIST::FUNCTION:DES EVP_des_ede3_cfb8 3258 EXIST::FUNCTION:DES FIPS_rand_seeded 3259 EXIST:OPENSSL_FIPS:FUNCTION: @@ -2837,7 +2837,7 @@ FIPS_dsa_check 3278 EXIST:OPENSSL_FIPS:FUNCTION: AES_cfb1_encrypt 3279 EXIST::FUNCTION:AES EVP_des_ede3_cfb1 3280 EXIST::FUNCTION:DES FIPS_rand_check 3281 EXIST:OPENSSL_FIPS:FUNCTION: -FIPS_md5_allowed 3282 EXIST:OPENSSL_FIPS:FUNCTION: +FIPS_md5_allowed 3282 NOEXIST::FUNCTION: FIPS_mode 3283 EXIST:OPENSSL_FIPS:FUNCTION: FIPS_selftest_failed 3284 EXIST:OPENSSL_FIPS:FUNCTION: sk_is_sorted 3285 EXIST::FUNCTION: 
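Review bot: check_hash() in fipslink.pl reads the expected digest from `${fips_libdir}/${filename}.sha1`, the same directory as the file it is checking, so the comparison catches accidental corruption but not a replacement of both files together; whether a separate trusted reference exists cannot be seen from this hunk. The function also never inspects `$?` after the `$sha1_exe` backticks and accepts any 40-character remainder, so a failing or noisy hash program is caught only by the length test; `die "Hash program failed for $filename" if $? != 0;` directly after the backticks and `unless ($hashval =~ /\A[0-9a-fA-F]{40}\z/)` in place of the two length checks would tighten it. In the main script `$fips_hash` is spliced into the `-DHMAC_SHA1_SIG=` shell command with no validation at all, and the same hex test belongs before the second-stage compile.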
@@ -2867,3 +2867,41 @@ PROXY_CERT_INFO_EXTENSION_it 3307 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA PROXY_CERT_INFO_EXTENSION_it 3307 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: PROXY_POLICY_free 3308 EXIST::FUNCTION: PROXY_POLICY_new 3309 EXIST::FUNCTION: +BN_MONT_CTX_set_locked 3310 EXIST::FUNCTION: +FIPS_selftest_rng 3311 EXIST:OPENSSL_FIPS:FUNCTION: +EVP_sha384 3312 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512 +EVP_sha512 3313 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512 +EVP_sha224 3314 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256 +EVP_sha256 3315 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256 +FIPS_selftest_hmac 3316 EXIST:OPENSSL_FIPS:FUNCTION: +FIPS_corrupt_rng 3317 EXIST:OPENSSL_FIPS:FUNCTION: +BN_mod_exp_mont_consttime 3318 EXIST::FUNCTION: +RSA_X931_hash_id 3319 EXIST::FUNCTION:RSA +RSA_padding_check_X931 3320 EXIST::FUNCTION:RSA +RSA_verify_PKCS1_PSS 3321 EXIST::FUNCTION:RSA +RSA_padding_add_X931 3322 EXIST::FUNCTION:RSA +RSA_padding_add_PKCS1_PSS 3323 EXIST::FUNCTION:RSA +PKCS1_MGF1 3324 EXIST::FUNCTION:RSA +BN_X931_generate_Xpq 3325 EXIST:OPENSSL_FIPS:FUNCTION: +RSA_X931_generate_key 3326 EXIST:OPENSSL_FIPS:FUNCTION:RSA +BN_X931_derive_prime 3327 EXIST:OPENSSL_FIPS:FUNCTION: +BN_X931_generate_prime 3328 EXIST:OPENSSL_FIPS:FUNCTION: +RSA_X931_derive 3329 EXIST:OPENSSL_FIPS:FUNCTION:RSA +SHA512_Update 3356 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512 +SHA256_Init 3479 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256 +SHA224 3510 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256 +SHA384_Update 3551 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512 +SHA224_Final 3560 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256 +SHA224_Update 3562 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256 +SHA512_Final 3581 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512 +SHA224_Init 3631 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256 +SHA512_Init 3633 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512 +SHA256 3654 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256 +SHA256_Transform 3664 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256 +SHA512 3669 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512 +SHA512_Transform 3675 
EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512 +SHA256_Final 3712 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256 +SHA384_Init 3737 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512 +SHA384_Final 3740 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512 +SHA384 3745 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512 +SHA256_Update 3765 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256 diff --git a/src/lib/libcrypto/util/mk1mf.pl b/src/lib/libcrypto/util/mk1mf.pl index 957264c6b5..05a6086164 100644 --- a/src/lib/libcrypto/util/mk1mf.pl +++ b/src/lib/libcrypto/util/mk1mf.pl @@ -10,6 +10,20 @@ $OPTIONS=""; $ssl_version=""; $banner="\t\@echo Building OpenSSL"; +local $zlib_opt = 0; # 0 = no zlib, 1 = static, 2 = dynamic +local $zlib_lib = ""; + +my $fips_canister_path = ""; +my $fips_premain_dso_exe_path = ""; +my $fips_premain_c_path = ""; +my $fips_sha1_exe_path = ""; + +my $fipslibdir = ""; +my $baseaddr = ""; + +my $ex_l_libs = ""; + + open(IN,") { $ssl_version=$1 if (/^VERSION=(.*)$/); @@ -24,6 +38,7 @@ $infile="MINFO"; %ops=( "VC-WIN32", "Microsoft Visual C++ [4-6] - Windows NT or 9X", + "VC-WIN32-GMAKE", "Microsoft Visual C++ [4-6] - Windows NT or 9X, GNU make", "VC-CE", "Microsoft eMbedded Visual C++ 3.0 - Windows CE ONLY", "VC-NT", "Microsoft Visual C++ [4-6] - Windows NT ONLY", "VC-W31-16", "Microsoft Visual C++ 1.52 - Windows 3.1 - 286", @@ -43,6 +58,7 @@ $infile="MINFO"; ); $platform=""; +my $xcflags=""; foreach (@ARGV) { if (!&read_options && !defined($ops{$_})) @@ -104,8 +120,12 @@ $inc_def="outinc"; $tmp_def="tmp"; $mkdir="-mkdir"; +$mkcanister="ld -r -o"; + +$ex_build_targets = ""; ($ssl,$crypto)=("ssl","crypto"); +$cryptocompat = ""; $ranlib="echo ranlib"; $cc=(defined($VARS{'CC'}))?$VARS{'CC'}:'cc'; @@ -140,6 +160,10 @@ elsif (($platform eq "VC-WIN32") || ($platform eq "VC-NT")) $NT = 1 if $platform eq "VC-NT"; require 'VC-32.pl'; } +elsif ($platform eq "VC-WIN32-GMAKE") + { + require 'VC-32-GMAKE.pl'; + } elsif ($platform eq "VC-CE") { require 'VC-CE.pl'; 
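Review bot: The new default `$cryptocompat = "";` in the `@@ -104,8 +120,12 @@` hunk initialises a name that nothing else on this page reads. The FIPS rules added further down in mk1mf.pl use `$crypto_compat` (as in `\$(LIB_D)$o$crypto_compat`), which is also the name VC-32.pl and VC-32-GMAKE.pl assign. With `fips` set and no `shlib`, on a platform file that does not set it, that target would expand to the bare library directory. Spelling the default `$crypto_compat = "";` keeps the two in step, and refusing a static FIPS build while it is still empty would be clearer still.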
@@ -210,6 +234,8 @@ $inc_dir=(defined($VARS{'INC'}))?$VARS{'INC'}:$inc_def; $bin_dir=$bin_dir.$o unless ((substr($bin_dir,-1,1) eq $o) || ($bin_dir eq '')); +$cflags= "$xcflags$cflags" if $xcflags ne ""; + $cflags.=" -DOPENSSL_NO_IDEA" if $no_idea; $cflags.=" -DOPENSSL_NO_AES" if $no_aes; $cflags.=" -DOPENSSL_NO_RC2" if $no_rc2; @@ -239,6 +265,9 @@ $cflags.=" -DOPENSSL_NO_HW" if $no_hw; $cflags.=" -DOPENSSL_FIPS" if $fips; #$cflags.=" -DRSAref" if $rsaref ne ""; +$cflags.= " -DZLIB" if $zlib_opt; +$cflags.= " -DZLIB_SHARED" if $zlib_opt == 2; + ## if ($unix) ## { $cflags="$c_flags" if ($c_flags ne ""); } ##else @@ -246,6 +275,7 @@ $cflags.=" -DOPENSSL_FIPS" if $fips; $ex_libs="$l_flags$ex_libs" if ($l_flags ne ""); + %shlib_ex_cflags=("SSL" => " -DOPENSSL_BUILD_SHLIBSSL", "CRYPTO" => " -DOPENSSL_BUILD_SHLIBCRYPTO"); 
@@ -262,6 +292,135 @@ $link="$bin_dir$link" if ($link !~ /^\$/); $INSTALLTOP =~ s|/|$o|g; +############################################# +# We parse in input file and 'store' info for later printing. +open(IN,"<$infile") || die "unable to open $infile:$!\n"; +$_=; +for (;;) + { + chop; + + ($key,$val)=/^([^=]+)=(.*)/; + if ($key eq "RELATIVE_DIRECTORY") + { + if ($lib ne "") + { + if ($fips && $dir =~ /^fips/) + { + $uc = "FIPS"; + } + else + { + $uc=$lib; + $uc =~ s/^lib(.*)\.a/$1/; + $uc =~ tr/a-z/A-Z/; + } + if (($uc ne "FIPS") || $fips_canister_build) + { + $lib_nam{$uc}=$uc; + $lib_obj{$uc}.=$libobj." "; + } + } + last if ($val eq "FINISHED"); + $lib=""; + $libobj=""; + $dir=$val; + } + + if ($key eq "KRB5_INCLUDES") + { $cflags .= " $val";} + + if ($key eq "ZLIB_INCLUDE") + { $cflags .= " $val" if $val ne "";} + + if ($key eq "LIBZLIB") + { $zlib_lib = "$val" if $val ne "";} + + if ($key eq "LIBKRB5") + { $ex_libs .= " $val" if $val ne "";} + + if ($key eq "TEST") + { $test.=&var_add($dir,$val); } + + if (($key eq "PROGS") || ($key eq "E_OBJ")) + { $e_exe.=&var_add($dir,$val); } + + if ($key eq "LIB") + { + $lib=$val; + $lib =~ s/^.*\/([^\/]+)$/$1/; + } + + if ($key eq "EXHEADER") + { $exheader.=&var_add($dir,$val); } + + if ($key eq "HEADER") + { $header.=&var_add($dir,$val); } + + if ($key eq "LIBOBJ") + { $libobj=&var_add($dir,$val); } + + if ($key eq "FIPSLIBDIR") + { $fipslibdir=$val;} + + if ($key eq "BASEADDR") + { $baseaddr=$val;} + + if (!($_=)) + { $_="RELATIVE_DIRECTORY=FINISHED\n"; } + } +close(IN); + +if ($fips_canister_path eq "") + { + $fips_canister_path = "\$(FIPSLIB_D)${o}fipscanister.o"; + } + +if ($fips_premain_c_path eq "") + { + $fips_premain_c_path = "\$(FIPSLIB_D)${o}fips_premain.c"; + } + +if ($fips) + { + if ($fips_sha1_exe_path eq "") + { + $fips_sha1_exe_path = + "\$(BIN_D)${o}fips_standalone_sha1$exep"; + } + } + else + { + $fips_sha1_exe_path = ""; + } + +if ($fips_premain_dso_exe_path eq "") + { + $fips_premain_dso_exe_path = 
"\$(BIN_D)${o}fips_premain_dso$exep"; + } + +# $ex_build_targets .= "\$(BIN_D)${o}\$(E_PREMAIN_DSO)$exep" if ($fips); + +if ($fips) + { + if (!$shlib) + { + $ex_build_targets .= " \$(LIB_D)$o$crypto_compat \$(PREMAIN_DSO_EXE)"; + $ex_l_libs .= " \$(O_FIPSCANISTER)"; + } + if ($fipslibdir eq "") + { + open (IN, "util/fipslib_path.txt") || fipslib_error(); + $fipslibdir = ; + chomp $fipslibdir; + close IN; + } + fips_check_files($fipslibdir, + "fipscanister.o", "fipscanister.o.sha1", + "fips_premain.c", "fips_premain.c.sha1"); + } + + $defs= <<"EOF"; # This makefile has been automatically generated from the OpenSSL distribution. # This single makefile will build the complete OpenSSL distribution and @@ -286,6 +445,7 @@ if ($platform eq "VC-CE") !INCLUDE <\$(WCECOMPAT)/wcedefs.mak> EOF + $ex_libs .= " $zlib_lib" if $zlib_opt == 1; } $defs.= <<"EOF"; @@ -308,6 +468,8 @@ EX_LIBS=$ex_libs SRC_D=$src_dir LINK=$link +PERL=perl +FIPSLINK=\$(PERL) util${o}fipslink.pl LFLAGS=$lflags BN_ASM_OBJ=$bn_asm_obj @@ -339,6 +501,9 @@ TMP_D=$tmp_dir INC_D=$inc_dir INCO_D=$inc_dir${o}openssl +# Directory containing FIPS module + + CP=$cp RM=$rm RANLIB=$ranlib @@ -346,6 +511,18 @@ MKDIR=$mkdir MKLIB=$bin_dir$mklib MLFLAGS=$mlflags ASM=$bin_dir$asm +MKCANISTER=$mkcanister + +# FIPS validated module and support file locations + +E_PREMAIN_DSO=fips_premain_dso + +FIPSLIB_D=$fipslibdir +BASEADDR=$baseaddr +FIPS_PREMAIN_SRC=$fips_premain_c_path +O_FIPSCANISTER=$fips_canister_path +FIPS_SHA1_EXE=$fips_sha1_exe_path +PREMAIN_DSO_EXE=$fips_premain_dso_exe_path ###################################################### # You should not need to touch anything below this point @@ -377,7 +554,7 @@ SO_CRYPTO= $plib\$(CRYPTO)$so_shlibp L_SSL= \$(LIB_D)$o$plib\$(SSL)$libp L_CRYPTO= \$(LIB_D)$o$plib\$(CRYPTO)$libp -L_LIBS= \$(L_SSL) \$(L_CRYPTO) +L_LIBS= \$(L_SSL) \$(L_CRYPTO) $ex_l_libs ###################################################### # Don't touch anything below this point 
@@ -387,13 +564,13 @@ INC=-I\$(INC_D) -I\$(INCL_D) APP_CFLAGS=\$(INC) \$(CFLAG) \$(APP_CFLAG) LIB_CFLAGS=\$(INC) \$(CFLAG) \$(LIB_CFLAG) SHLIB_CFLAGS=\$(INC) \$(CFLAG) \$(LIB_CFLAG) \$(SHLIB_CFLAG) -LIBS_DEP=\$(O_CRYPTO) \$(O_SSL) +LIBS_DEP=\$(O_CRYPTO) \$(O_SSL) $ex_libs_dep ############################################# EOF $rules=<<"EOF"; -all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) headers lib exe +all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) headers \$(FIPS_SHA1_EXE) lib exe $ex_build_targets banner: $banner @@ -479,57 +656,6 @@ printf OUT " #define DATE \"%s\"\n", scalar gmtime(); printf OUT "#endif\n"; close(OUT); -############################################# -# We parse in input file and 'store' info for later printing. -open(IN,"<$infile") || die "unable to open $infile:$!\n"; -$_=; -for (;;) - { - chop; - - ($key,$val)=/^([^=]+)=(.*)/; - if ($key eq "RELATIVE_DIRECTORY") - { - if ($lib ne "") - { - $uc=$lib; - $uc =~ s/^lib(.*)\.a/$1/; - $uc =~ tr/a-z/A-Z/; - $lib_nam{$uc}=$uc; - $lib_obj{$uc}.=$libobj." "; - } - last if ($val eq "FINISHED"); - $lib=""; - $libobj=""; - $dir=$val; - } - - if ($key eq "TEST") - { $test.=&var_add($dir,$val); } - - if (($key eq "PROGS") || ($key eq "E_OBJ")) - { $e_exe.=&var_add($dir,$val); } - - if ($key eq "LIB") - { - $lib=$val; - $lib =~ s/^.*\/([^\/]+)$/$1/; - } - - if ($key eq "EXHEADER") - { $exheader.=&var_add($dir,$val); } - - if ($key eq "HEADER") - { $header.=&var_add($dir,$val); } - - if ($key eq "LIBOBJ") - { $libobj=&var_add($dir,$val); } - - if (!($_=)) - { $_="RELATIVE_DIRECTORY=FINISHED\n"; } - } -close(IN); - # Strip of trailing ' ' foreach (keys %lib_obj) { $lib_obj{$_}=&clean_up_ws($lib_obj{$_}); } $test=&clean_up_ws($test); 
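Review bot: `LIBS_DEP` now interpolates `$ex_libs_dep`, but no hunk on this page declares or assigns that variable, unlike `$ex_l_libs`, which gets `my $ex_l_libs = "";` and a FIPS assignment. If it is not set in a platform file outside this view, the heredoc silently expands it to nothing and the FIPS canister never becomes a dependency of the executables. Either add `my $ex_libs_dep = "";` next to the other new declarations and set it in the `if ($fips)` block, or drop it from the `LIBS_DEP` line.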
@@ -554,6 +680,29 @@ $rules.=&do_compile_rule("\$(OBJ_D)",$test,"\$(APP_CFLAGS)"); $defs.=&do_defs("E_OBJ",$e_exe,"\$(OBJ_D)",$obj); $rules.=&do_compile_rule("\$(OBJ_D)",$e_exe,'-DMONOLITH $(APP_CFLAGS)'); +# Special case rules for fips_start and fips_end fips_premain_dso + +if ($fips) + { + if ($fips_canister_build) + { + $rules.=&cc_compile_target("\$(OBJ_D)${o}fips_start$obj", + "fips-1.0${o}fips_canister.c", + "-DFIPS_START \$(SHLIB_CFLAGS)"); + $rules.=&cc_compile_target("\$(OBJ_D)${o}fips_end$obj", + "fips-1.0${o}fips_canister.c", "\$(SHLIB_CFLAGS)"); + } + $rules.=&cc_compile_target("\$(OBJ_D)${o}fips_standalone_sha1$obj", + "fips-1.0${o}sha${o}fips_standalone_sha1.c", + "\$(SHLIB_CFLAGS)"); + $rules.=&cc_compile_target("\$(OBJ_D)${o}fips_sha1dgst$obj", + "fips-1.0${o}sha${o}fips_sha1dgst.c", + "\$(SHLIB_CFLAGS)") unless $fips_canister_build; + $rules.=&cc_compile_target("\$(OBJ_D)${o}\$(E_PREMAIN_DSO)$obj", + "fips-1.0${o}fips_premain.c", + "-DFINGERPRINT_PREMAIN_DSO_LOAD \$(SHLIB_CFLAGS)"); + } + foreach (values %lib_nam) { $lib_obj=$lib_obj{$_}; 
@@ -630,16 +779,42 @@ foreach (split(/\s+/,$test)) } $rules.= &do_lib_rule("\$(SSLOBJ)","\$(O_SSL)",$ssl,$shlib,"\$(SO_SSL)"); -$rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)"); + if ($fips) { - $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)","\$(BIN_D)$o.sha1","\$(BIN_D)$o\$(E_EXE)$exep"); + if ($shlib) + { + $rules.= &do_lib_rule("\$(CRYPTOOBJ) \$(O_FIPSCANISTER)", + "\$(O_CRYPTO)", + "$crypto", + $shlib, "\$(SO_CRYPTO)", "\$(BASEADDR)"); + } + else + { + $rules.= &do_lib_rule("\$(CRYPTOOBJ)", + "\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)", ""); + $rules.= &do_lib_rule("\$(CRYPTOOBJ) \$(O_FIPSCANISTER)", + "\$(LIB_D)$o$crypto_compat",$crypto,$shlib,"\$(SO_CRYPTO)", ""); + } } -else + else { - $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)"); + $rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib, + "\$(SO_CRYPTO)"); } + + +if ($fips) + { + $rules.= &do_rlink_rule("\$(O_FIPSCANISTER)", "\$(OBJ_D)${o}fips_start$obj \$(FIPSOBJ) \$(OBJ_D)${o}fips_end$obj", "\$(FIPSLIB_D)${o}fips_standalone_sha1$exep", "") if $fips_canister_build; + $rules.=&do_link_rule("\$(PREMAIN_DSO_EXE)","\$(OBJ_D)${o}\$(E_PREMAIN_DSO)$obj \$(CRYPTOOBJ) \$(O_FIPSCANISTER)","","\$(EX_LIBS)", 1); + + $rules.=&do_link_rule("\$(FIPS_SHA1_EXE)","\$(OBJ_D)${o}fips_standalone_sha1$obj \$(OBJ_D)${o}fips_sha1dgst$obj","","", 1); + } + + $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)",0); + print $defs; if ($platform eq "linux-elf") { 
@@ -935,6 +1110,24 @@ sub read_options elsif (/^shlib$/) { $shlib=1; } elsif (/^dll$/) { $shlib=1; } elsif (/^shared$/) { } # We just need to ignore it for now... + elsif (/^zlib$/) { $zlib_opt = 1 if $zlib_opt == 0 } + elsif (/^zlib-dynamic$/){ $zlib_opt = 2; } + elsif (/^--with-krb5-flavor=(.*)$/) + { + my $krb5_flavor = $1; + if ($krb5_flavor =~ /^force-[Hh]eimdal$/) + { + $xcflags="-DKRB5_HEIMDAL $xcflags"; + } + elsif ($krb5_flavor =~ /^MIT/i) + { + $xcflags="-DKRB5_MIT $xcflags"; + if ($krb5_flavor =~ /^MIT[._-]*1[._-]*[01]/i) + { + $xcflags="-DKRB5_MIT_OLD11 $xcflags" + } + } + } elsif (/^([^=]*)=(.*)$/){ $VARS{$1}=$2; } elsif (/^-[lL].*$/) { $l_flags.="$_ "; } elsif ((!/^-help/) && (!/^-h/) && (!/^-\?/) && /^-.*$/) @@ -942,3 +1135,31 @@ sub read_options else { return(0); } return(1); } + +sub fipslib_error + { + print STDERR "***FIPS module directory sanity check failed***\n"; + print STDERR "FIPS module build failed, or was deleted\n"; + print STDERR "Please rebuild FIPS module.\n"; + exit 1; + } + +sub fips_check_files + { + my $dir = shift @_; + my $ret = 1; + if (!-d $dir) + { + print STDERR "FIPS module directory $dir does not exist\n"; + fipslib_error(); + } + foreach (@_) + { + if (!-f "$dir${o}$_") + { + print STDERR "FIPS module file $_ does not exist!\n"; + $ret = 0; + } + } + fipslib_error() if ($ret == 0); + } diff --git a/src/lib/libcrypto/util/mkdef.pl b/src/lib/libcrypto/util/mkdef.pl index 9918c3d549..6c1e53bb14 100644 --- a/src/lib/libcrypto/util/mkdef.pl +++ b/src/lib/libcrypto/util/mkdef.pl @@ -83,7 +83,7 @@ my @known_platforms = ( "__FreeBSD__", "PERL5", "NeXT", my @known_ossl_platforms = ( "VMS", "WIN16", "WIN32", "WINNT", "OS2" ); my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF", "CAST", "MD2", "MD4", "MD5", "SHA", "SHA0", "SHA1", - "RIPEMD", + "SHA256", "SHA512", "RIPEMD", "MDC2", "RSA", "DSA", "DH", "EC", "HMAC", "AES", # Envelope "algorithms" "EVP", "X509", "ASN1_TYPEDEFS", 
@@ -267,7 +267,7 @@ $crypto.=" crypto/ocsp/ocsp.h"; $crypto.=" crypto/ui/ui.h crypto/ui/ui_compat.h"; $crypto.=" crypto/krb5/krb5_asn.h"; $crypto.=" crypto/tmdiff.h"; -$crypto.=" fips/fips.h fips/rand/fips_rand.h"; +$crypto.=" fips-1.0/fips.h fips-1.0/rand/fips_rand.h fips-1.0/sha/fips_sha.h"; my $symhacks="crypto/symhacks.h"; @@ -864,6 +864,9 @@ sub do_defs $a .= ",RSA" if($s =~ /PEM_Seal(Final|Init|Update)/); $a .= ",RSA" if($s =~ /RSAPrivateKey/); $a .= ",RSA" if($s =~ /SSLv23?_((client|server)_)?method/); + # SHA2 algorithms only defined in FIPS mode for + # OpenSSL 0.9.7 + $p .= "OPENSSL_FIPS" if($s =~ /SHA[235]/); $platform{$s} = &reduce_platforms((defined($platform{$s})?$platform{$s}.',':"").$p); @@ -1011,7 +1014,7 @@ sub is_valid { my ($keywords_txt,$platforms) = @_; my (@keywords) = split /,/,$keywords_txt; - my ($falsesum, $truesum) = (0, !grep(/^[^!]/,@keywords)); + my ($falsesum, $truesum) = (0, 1); # Param: one keyword sub recognise @@ -1079,7 +1082,7 @@ sub is_valid if ($k =~ /^!(.*)$/) { $falsesum += &recognise($1,$platforms); } else { - $truesum += &recognise($k,$platforms); + $truesum *= &recognise($k,$platforms); } } print STDERR "DEBUG: [",$#keywords,",",$#keywords < 0,"] is_valid($keywords_txt) => (\!$falsesum) && $truesum = ",(!$falsesum) && $truesum,"\n" if $debug; diff --git a/src/lib/libcrypto/util/mkfiles.pl b/src/lib/libcrypto/util/mkfiles.pl index 928a274303..bc78510f56 100644 --- a/src/lib/libcrypto/util/mkfiles.pl +++ b/src/lib/libcrypto/util/mkfiles.pl @@ -51,14 +51,15 @@ my @dirs = ( "crypto/ocsp", "crypto/ui", "crypto/krb5", -"fips", -"fips/aes", -"fips/des", -"fips/dsa", -"fips/dh", -"fips/rand", -"fips/rsa", -"fips/sha1", +"fips-1.0", +"fips-1.0/aes", +"fips-1.0/des", +"fips-1.0/dsa", +"fips-1.0/dh", +"fips-1.0/hmac", +"fips-1.0/rand", +"fips-1.0/rsa", +"fips-1.0/sha", "ssl", "apps", "test", diff --git a/src/lib/libcrypto/util/mklink.pl b/src/lib/libcrypto/util/mklink.pl index c8653cecc3..182732d959 100644 
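Review bot: The added `$p .= "OPENSSL_FIPS" if($s =~ /SHA[235]/);` in `do_defs` appends the platform name with no separator, while the very next line joins platform lists with `','`. If `$p` can already hold a platform at that point (its earlier assignments are outside the hunk), the result is one fused token, not a second entry; `$p .= ($p ne "" ? "," : "") . "OPENSSL_FIPS" if($s =~ /SHA[235]/);` avoids that. The two `is_valid` hunks on this line also change `$truesum` from a sum to a product of `recognise` results, which turns the positive keywords from any-of into all-of. A short comment at `my ($falsesum, $truesum) = (0, 1);` stating that every positive keyword must now match would document the new rule.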
--- a/src/lib/libcrypto/util/mklink.pl +++ b/src/lib/libcrypto/util/mklink.pl @@ -14,13 +14,16 @@ # not contain symbolic links and that the parent of / is never referenced. # Apart from this, this script should be able to handle even the most # pathological cases. +# + +use Cwd; my $from = shift; my @files = @ARGV; my @from_path = split(/[\\\/]/, $from); -my $pwd = `pwd`; -chop($pwd); +my $pwd = getcwd(); +chomp($pwd); my @pwd_path = split(/[\\\/]/, $pwd); my @to_path = (); diff --git a/src/lib/libcrypto/util/pl/BC-32.pl b/src/lib/libcrypto/util/pl/BC-32.pl index 897ae9d824..28869c868d 100644 --- a/src/lib/libcrypto/util/pl/BC-32.pl +++ b/src/lib/libcrypto/util/pl/BC-32.pl @@ -18,7 +18,7 @@ $out_def="out32"; $tmp_def="tmp32"; $inc_def="inc32"; #enable max error messages, disable most common warnings -$cflags="-DWIN32_LEAN_AND_MEAN -q -w-aus -w-par -w-inl -c -tWC -tWM -DOPENSSL_SYSNAME_WIN32 -DL_ENDIAN -DDSO_WIN32 -D_stricmp=stricmp "; +$cflags="-DWIN32_LEAN_AND_MEAN -q -w-ccc -w-rch -w-pia -w-aus -w-par -w-inl -c -tWC -tWM -DOPENSSL_SYSNAME_WIN32 -DL_ENDIAN -DDSO_WIN32 -D_stricmp=stricmp -D_strnicmp=strnicmp "; if ($debug) { $cflags.="-Od -y -v -vi- -D_DEBUG"; @@ -51,7 +51,7 @@ $lfile=''; $shlib_ex_obj=""; $app_ex_obj="c0x32.obj"; -$asm='nasmw -f obj'; +$asm='nasmw -f obj -d__omf__'; $asm.=" /Zi" if $debug; $afile='-o'; @@ -106,9 +106,13 @@ sub do_lib_rule $ret.="$target: $objs\n"; if (!$shlib) { - # $ret.="\t\$(RM) \$(O_$Name)\n"; - $ret.="\techo LIB $<\n"; - $ret.="\t&\$(MKLIB) $lfile$target -+\$**\n"; + $ret.=<<___; + -\$(RM) $lfile$target + \$(MKLIB) $lfile$target \@&&! ++\$(**: = &^ ++) +! +___ } else { diff --git a/src/lib/libcrypto/util/pl/OS2-EMX.pl b/src/lib/libcrypto/util/pl/OS2-EMX.pl index 75d72ebbcb..8dbeaa7a08 100644 --- a/src/lib/libcrypto/util/pl/OS2-EMX.pl +++ b/src/lib/libcrypto/util/pl/OS2-EMX.pl 
@@ -68,6 +68,7 @@ if (!$no_asm && !$fips) $sha1_asm_src="crypto/sha/asm/s1-os2.asm"; $rmd160_asm_obj="crypto/ripemd/asm/rm-os2$obj"; $rmd160_asm_src="crypto/ripemd/asm/rm-os2.asm"; + $cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM -DOPENSSL_BN_ASM_PART_WORDS"; } if ($shlib) diff --git a/src/lib/libcrypto/util/pl/VC-32-GMAKE.pl b/src/lib/libcrypto/util/pl/VC-32-GMAKE.pl new file mode 100644 index 0000000000..b5bbcac6c2 --- /dev/null +++ b/src/lib/libcrypto/util/pl/VC-32-GMAKE.pl 
@@ -0,0 +1,222 @@ +#!/usr/local/bin/perl +# VCw32lib.pl - the file for Visual C++ 4.[01] for windows NT, static libraries +# + + +if ($fips && !$shlib) + { + $crypto="libeayfips32"; + $crypto_compat = "libeaycompat32.lib"; + } +else + { + $crypto="libeay32"; + } +$ssl= "ssleay32"; + +$o='/'; +#$cp='copy nul+'; # Timestamps get stuffed otherwise +#$rm='del'; + +$cp='cp'; +$rm='rm'; + +$zlib_lib="zlib1.lib"; + +# C compiler stuff +$cc='cl'; +$cflags=' -MD -W3 -WX -Ox -O2 -Ob2 -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32'; +$cflags.=' -D_CRT_SECURE_NO_DEPRECATE'; # shut up VC8 +$cflags.=' -D_CRT_NONSTDC_NO_DEPRECATE'; # shut up VC8 +$lflags="-nologo -subsystem:console -machine:I386 -opt:ref"; +$mlflags=''; + +$out_def="gmout32"; +$tmp_def="gmtmp32"; +$inc_def="gminc32"; + +if ($debug) + { + $cflags=" -MDd -W3 -WX -Zi -Yd -Od -nologo -DOPENSSL_SYSNAME_WIN32 -D_DEBUG -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -DDEBUG -DDSO_WIN32"; + $lflags.=" -debug"; + $mlflags.=' -debug'; + } +$cflags .= " -DOPENSSL_SYSNAME_WINNT" if $NT == 1; + +$obj='.obj'; +$ofile="-Fo"; + +# EXE linking stuff +$link="link"; +$efile="-out:"; +$exep='.exe'; +if ($no_sock) + { $ex_libs=""; } +else { $ex_libs="wsock32.lib user32.lib gdi32.lib"; } + +# static library stuff +$mklib='lib'; +$ranlib=''; +$plib=""; +$libp=".lib"; +$shlibp=($shlib)?".dll":".lib"; +$lfile='-out:'; + +$shlib_ex_obj=""; +$app_ex_obj="setargv.obj"; +if ($nasm) { + $asm='nasmw -f win32'; + $afile='-o '; +} else { + $asm='ml -Cp -coff -c -Cx'; + $asm.=" -Zi" if $debug; + $afile='-Fo'; +} + +$bn_asm_obj=''; +$bn_asm_src=''; +$des_enc_obj=''; +$des_enc_src=''; +$bf_enc_obj=''; +$bf_enc_src=''; + +if (!$no_asm && !$fips) + { + $bn_asm_obj='crypto/bn/asm/bn_win32.obj'; + $bn_asm_src='crypto/bn/asm/bn_win32.asm'; + $des_enc_obj='crypto/des/asm/d_win32.obj crypto/des/asm/y_win32.obj'; + $des_enc_src='crypto/des/asm/d_win32.asm crypto/des/asm/y_win32.asm'; + $bf_enc_obj='crypto/bf/asm/b_win32.obj'; + 
$bf_enc_src='crypto/bf/asm/b_win32.asm'; + $cast_enc_obj='crypto/cast/asm/c_win32.obj'; + $cast_enc_src='crypto/cast/asm/c_win32.asm'; + $rc4_enc_obj='crypto/rc4/asm/r4_win32.obj'; + $rc4_enc_src='crypto/rc4/asm/r4_win32.asm'; + $rc5_enc_obj='crypto/rc5/asm/r5_win32.obj'; + $rc5_enc_src='crypto/rc5/asm/r5_win32.asm'; + $md5_asm_obj='crypto/md5/asm/m5_win32.obj'; + $md5_asm_src='crypto/md5/asm/m5_win32.asm'; + $sha1_asm_obj='crypto/sha/asm/s1_win32.obj'; + $sha1_asm_src='crypto/sha/asm/s1_win32.asm'; + $rmd160_asm_obj='crypto/ripemd/asm/rm_win32.obj'; + $rmd160_asm_src='crypto/ripemd/asm/rm_win32.asm'; + $cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM"; + } + +if ($shlib) + { + $mlflags.=" $lflags -dll"; +# $cflags =~ s| -MD| -MT|; + $lib_cflag=" -D_WINDLL"; + $out_def="gmout32dll"; + $tmp_def="gmtmp32dll"; + } + +$cflags.=" -Fd$out_def"; + +sub do_lib_rule + { + local($objs,$target,$name,$shlib,$ign,$base_addr, $fips_get_sig, $fips_premain_src)=@_; + local($ret,$Name); + + $taget =~ s/\//$o/g if $o ne '/'; + ($Name=$name) =~ tr/a-z/A-Z/; + my $base_arg; + if ($base_addr ne "") + { + $base_arg= " -base:$base_addr"; + } + else + { + $base_arg = ""; + } + + +# $target="\$(LIB_D)$o$target"; + if (!$shlib) + { +# $ret.="\t\$(RM) \$(O_$Name)\n"; + $ret.="$target: $objs\n"; + $ex =' advapi32.lib'; + $ret.="\t\$(MKLIB) $lfile$target $objs $ex\n\n"; + } + else + { + local($ex)=($target =~ /O_SSL/)?' 
$(L_CRYPTO)':''; + $ex.=' wsock32.lib gdi32.lib advapi32.lib user32.lib'; + $ex.=" $zlib_lib" if $zlib_opt == 1 && $target =~ /O_CRYPTO/; + if (defined $fips_get_sig) + { + $ret.="$target: \$(O_FIPSCANISTER) $objs $fips_get_sig\n"; + $ret.="\tFIPS_LINK=\$(LINK) "; + $ret.="FIPS_CC=\$(CC) "; + $ret.="FIPS_CC_ARGS=\"-Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\" "; + $ret.="FIPS_PREMAIN_DSO=$fips_get_sig "; + $ret.="FIPS_TARGET=$target "; + $ret.="FIPS_LIBDIR=\$(FIPSLIB_D) "; + $ret.="\$(FIPSLINK) \$(MLFLAGS) $base_arg $efile$target "; + $ret.="-def:ms/${Name}.def \$(SHLIB_EX_OBJ) $objs "; + $ret.="\$(OBJ_D)${o}fips_premain.obj $ex\n\n"; + } + else + { + $ret.="$target: $objs\n"; + $ret.="\t\$(LINK) \$(MLFLAGS) $base_arg $efile$target /def:ms/${Name}.def \$(SHLIB_EX_OBJ) $objs $ex\n\n"; + } + } + $ret.="\n"; + return($ret); + } + +sub do_link_rule + { + local($target,$files,$dep_libs,$libs,$standalone)=@_; + local($ret,$_); + $file =~ s/\//$o/g if $o ne '/'; + $n=&bname($targer); + if ($standalone) + { + $ret.="$target: $files $dep_libs\n"; + $ret.="\t\$(LINK) \$(LFLAGS) $efile$target "; + $ret.="$files $libs\n\n"; + } + elsif ($fips && !$shlib) + { + $ret.="$target: \$(O_FIPSCANISTER) $files $dep_libs\n"; + $ret.="\tFIPS_LINK=\$(LINK) "; + $ret.="FIPS_CC=\$(CC) "; + $ret.="FIPS_CC_ARGS=\"-Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\" "; + $ret.="FIPS_PREMAIN_DSO= "; + $ret.="FIPS_TARGET=$target "; + $ret.="FIPS_LIBDIR=\$(FIPSLIB_D) "; + $ret.=" \$(FIPSLINK) \$(LFLAGS) $efile$target "; + $ret.="\$(APP_EX_OBJ) $files \$(OBJ_D)${o}fips_premain.obj $libs\n\n"; + } + else + { + $ret.="$target: $files $dep_libs\n"; + $ret.="\t\$(LINK) \$(LFLAGS) $efile$target "; + $ret.="\$(APP_EX_OBJ) $files $libs\n\n"; + } + $ret.="\n"; + return($ret); + } + +sub do_rlink_rule + { + local($target,$files,$check_hash, $deps)=@_; + local($ret,$_); + + $file =~ s/\//$o/g if $o ne '/'; + $n=&bname($targer); + $ret.="$target: $check_hash $files $deps\n"; + $ret.="\t\$(PERL) 
util${o}checkhash.pl -chdir fips-1.0 -program_path ..$o$check_hash\n"; + $ret.="\t\$(MKCANISTER) $target $files\n"; + $ret.="\t$check_hash $target > $target.sha1\n"; + $ret.="\t\$(CP) fips-1.0${o}fips_premain.c \$(FIPSLIB_D)\n"; + $ret.="\t$check_hash \$(FIPSLIB_D)${o}fips_premain.c > \$(FIPSLIB_D)${o}fips_premain.c.sha1\n\n"; + return($ret); + } + + +1; diff --git a/src/lib/libcrypto/util/pl/VC-32.pl b/src/lib/libcrypto/util/pl/VC-32.pl index cf689b9feb..4e97dfa9af 100644 --- a/src/lib/libcrypto/util/pl/VC-32.pl +++ b/src/lib/libcrypto/util/pl/VC-32.pl @@ -3,15 +3,28 @@ # $ssl= "ssleay32"; -$crypto="libeay32"; + +if ($fips && !$shlib) + { + $crypto="libeayfips32"; + $crypto_compat = "libeaycompat32.lib"; + } +else + { + $crypto="libeay32"; + } $o='\\'; $cp='copy nul+'; # Timestamps get stuffed otherwise $rm='del'; +$zlib_lib="zlib1.lib"; + # C compiler stuff $cc='cl'; -$cflags=' /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32'; +$cflags=' /MD /W3 /WX /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32'; +$cflags.=' -D_CRT_SECURE_NO_DEPRECATE'; # shut up VC8 +$cflags.=' -D_CRT_NONSTDC_NO_DEPRECATE'; # shut up VC8 $lflags="/nologo /subsystem:console /machine:I386 /opt:ref"; $mlflags=''; 
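Review bot: The FIPS link recipes in `do_lib_rule` and `do_link_rule` of VC-32-GMAKE.pl export `FIPS_PREMAIN_DSO=` and `FIPS_LIBDIR=`, but the Perl link script added at the top of this chunk (apparently the one `FIPSLINK` invokes) requires `FIPSLIB_D` and `FIPS_SHA1_EXE` through `check_env` and reads the optional helper from `PREMAIN_DSO_EXE`. Unless those names reach the environment some other way, the script dies on the first missing variable; the VC-32.pl recipes in this same commit do use the expected names (`SET FIPSLIB_D=...`, `SET FIPS_SHA1_EXE=...`, `SET PREMAIN_DSO_EXE=...`). Renaming the two assignments to `PREMAIN_DSO_EXE=` and `FIPSLIB_D=` and adding `FIPS_SHA1_EXE=\$(FIPS_SHA1_EXE)` would line the recipes up. Separately, the shared-library FIPS branch is guarded by `defined $fips_get_sig`, a seventh argument that none of the `do_lib_rule` calls visible in mk1mf.pl pass, so that branch looks unreachable from here.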
@@ -100,25 +113,56 @@ $cflags.=" /Fd$out_def"; sub do_lib_rule { - local($objs,$target,$name,$shlib)=@_; + local($objs,$target,$name,$shlib,$ign,$base_addr) = @_; local($ret,$Name); $taget =~ s/\//$o/g if $o ne '/'; ($Name=$name) =~ tr/a-z/A-Z/; + my $base_arg; + if ($base_addr ne "") + { + $base_arg= " /base:$base_addr"; + } + else + { + $base_arg = ""; + } + # $target="\$(LIB_D)$o$target"; - $ret.="$target: $objs\n"; if (!$shlib) { # $ret.="\t\$(RM) \$(O_$Name)\n"; + $ret.="$target: $objs\n"; $ex =' advapi32.lib'; + $ex.=" \$(FIPSLIB_D)${o}_chkstk.o" if $fips && $target =~ /O_CRYPTO/; $ret.="\t\$(MKLIB) $lfile$target @<<\n $objs $ex\n<<\n"; } else { local($ex)=($target =~ /O_SSL/)?' $(L_CRYPTO)':''; - $ex.=' wsock32.lib gdi32.lib advapi32.lib'; - $ret.="\t\$(LINK) \$(MLFLAGS) $efile$target /def:ms/${Name}.def @<<\n \$(SHLIB_EX_OBJ) $objs $ex\n<<\n"; + $ex.=' wsock32.lib gdi32.lib advapi32.lib user32.lib'; + $ex.=" $zlib_lib" if $zlib_opt == 1 && $target =~ /O_CRYPTO/; + if ($fips && $target =~ /O_CRYPTO/) + { + $ex.=" \$(FIPSLIB_D)${o}_chkstk.o"; + $ret.="$target: $objs \$(PREMAIN_DSO_EXE)\n"; + $ret.="\tSET FIPS_LINK=\$(LINK)\n"; + $ret.="\tSET FIPS_CC=\$(CC)\n"; + $ret.="\tSET FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\n"; + $ret.="\tSET PREMAIN_DSO_EXE=\$(PREMAIN_DSO_EXE)\n"; + $ret.="\tSET FIPS_SHA1_EXE=\$(FIPS_SHA1_EXE)\n"; + $ret.="\tSET FIPS_TARGET=$target\n"; + $ret.="\tSET FIPSLIB_D=\$(FIPSLIB_D)\n"; + $ret.="\t\$(FIPSLINK) \$(MLFLAGS) $base_arg $efile$target "; + $ret.="/def:ms/${Name}.def @<<\n \$(SHLIB_EX_OBJ) $objs "; + $ret.="\$(OBJ_D)${o}fips_premain.obj $ex\n<<\n"; + } + else + { + $ret.="$target: $objs\n"; + $ret.="\t\$(LINK) \$(MLFLAGS) $base_arg $efile$target /def:ms/${Name}.def @<<\n \$(SHLIB_EX_OBJ) $objs $ex\n<<\n"; + } } $ret.="\n"; return($ret); 
@@ -126,20 +170,51 @@ sub do_lib_rule sub do_link_rule { - local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_; + local($target,$files,$dep_libs,$libs,$standalone)=@_; local($ret,$_); - $file =~ s/\//$o/g if $o ne '/'; $n=&bname($targer); $ret.="$target: $files $dep_libs\n"; - $ret.=" \$(LINK) \$(LFLAGS) $efile$target @<<\n"; - $ret.=" \$(APP_EX_OBJ) $files $libs\n<<\n"; - if (defined $sha1file) + if ($standalone) + { + $ret.=" \$(LINK) \$(LFLAGS) $efile$target @<<\n\t"; + $ret.="\$(FIPSLIB_D)${o}_chkstk.o " if ($files =~ /O_FIPSCANISTER/); + $ret.="$files $libs\n<<\n"; + } + elsif ($fips && !$shlib) { - $ret.=" $openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file"; + $ret.="\tSET FIPS_LINK=\$(LINK)\n"; + $ret.="\tSET FIPS_CC=\$(CC)\n"; + $ret.="\tSET FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\n"; + $ret.="\tSET PREMAIN_DSO_EXE=\n"; + $ret.="\tSET FIPS_TARGET=$target\n"; + $ret.="\tSET FIPS_SHA1_EXE=\$(FIPS_SHA1_EXE)\n"; + $ret.="\tSET FIPSLIB_D=\$(FIPSLIB_D)\n"; + $ret.=" \$(FIPSLINK) \$(LFLAGS) $efile$target @<<\n"; + $ret.=" \$(APP_EX_OBJ) $files \$(OBJ_D)${o}fips_premain.obj $libs\n<<\n"; } + else + { + $ret.=" \$(LINK) \$(LFLAGS) $efile$target @<<\n"; + $ret.=" \$(APP_EX_OBJ) $files $libs\n<<\n"; + } + $ret.="\n"; + return($ret); + } + +sub do_rlink_rule + { + local($target,$files,$dep_libs,$libs)=@_; + local($ret,$_); + + $file =~ s/\//$o/g if $o ne '/'; + $n=&bname($targer); + $ret.="$target: $files $dep_libs\n"; + $ret.=" \$(MKCANISTER) $target <<\n"; + $ret.="INPUT($files)\n<<\n"; $ret.="\n"; return($ret); } + 1; diff --git a/src/lib/libcrypto/util/pod2man.pl b/src/lib/libcrypto/util/pod2man.pl index 657e4e264e..546d1ec186 100644 --- a/src/lib/libcrypto/util/pod2man.pl +++ b/src/lib/libcrypto/util/pod2man.pl 
@@ -425,6 +425,7 @@ if ($name ne 'something') { } next if /^=cut\b/; # DB_File and Net::Ping have =cut before NAME next if /^=pod\b/; # It is OK to have =pod before NAME + next if /^=for\s+comment\b/; # It is OK to have =for comment before NAME die "$0: Invalid man page - 1st pod line is not NAME in $ARGV[0]\n" unless $lax; } die "$0: Invalid man page - no documentation in $ARGV[0]\n" unless $lax; diff --git a/src/lib/libcrypto/util/selftest.pl b/src/lib/libcrypto/util/selftest.pl index e9d5aa8938..4778c5ab01 100644 --- a/src/lib/libcrypto/util/selftest.pl +++ b/src/lib/libcrypto/util/selftest.pl @@ -49,7 +49,7 @@ if (open(IN,"&1`; -$cversion=`$cc -V 2>&1` if $cversion =~ "usage"; +$cversion=`$cc -V 2>&1` if $cversion =~ "[Uu]sage"; $cversion=`$cc -V |head -1` if $cversion =~ "Error"; $cversion=`$cc --version` if $cversion eq ""; $cversion =~ s/Reading specs.*\n//; @@ -130,15 +130,21 @@ if (system("make 2>&1 | tee make.log") > 255) { goto err; } -$_=$options; -s/no-asm//; -s/no-shared//; -s/no-krb5//; -if (/no-/) -{ - print OUT "Test skipped.\n"; - goto err; -} +# Not sure why this is here. The tests themselves can detect if their +# particular feature isn't included, and should therefore skip themselves. +# To skip *all* tests just because one algorithm isn't included is like +# shooting mosquito with an elephant gun... +# -- Richard Levitte, inspired by problem report 1089 +# +#$_=$options; +#s/no-asm//; +#s/no-shared//; +#s/no-krb5//; +#if (/no-/) +#{ +# print OUT "Test skipped.\n"; +# goto err; +#} print "Running make test...\n"; if (system("make test 2>&1 | tee maketest.log") > 255) diff --git a/src/lib/libcrypto/x509/Makefile b/src/lib/libcrypto/x509/Makefile index 5fb774f1c7..ee3f8a4a23 100644 --- a/src/lib/libcrypto/x509/Makefile +++ b/src/lib/libcrypto/x509/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/x509/Makefile +# OpenSSL/crypto/x509/Makefile # DIR= x509 
diff --git a/src/lib/libcrypto/x509v3/Makefile b/src/lib/libcrypto/x509v3/Makefile index ed2f91cbb3..49423f39f7 100644 --- a/src/lib/libcrypto/x509v3/Makefile +++ b/src/lib/libcrypto/x509v3/Makefile @@ -1,5 +1,5 @@ # -# SSLeay/crypto/x509v3/Makefile +# OpenSSL/crypto/x509v3/Makefile # DIR= x509v3 -- cgit v1.2.3-55-g6feb